-rw-r--r--COPYING340
-rw-r--r--Changelog925
-rw-r--r--INSTALL42
-rw-r--r--Makefile637
-rw-r--r--Makefile.orig637
-rw-r--r--README265
-rw-r--r--Rules.modular217
-rw-r--r--Rules.monolithic256
-rw-r--r--VERSION1
-rw-r--r--build.conf77
-rw-r--r--config/appconfig-mcs/dbus_contexts6
-rw-r--r--config/appconfig-mcs/default_contexts15
-rw-r--r--config/appconfig-mcs/default_type6
-rw-r--r--config/appconfig-mcs/failsafe_context1
-rw-r--r--config/appconfig-mcs/guest_u_default_contexts6
-rw-r--r--config/appconfig-mcs/initrc_context1
-rw-r--r--config/appconfig-mcs/media3
-rw-r--r--config/appconfig-mcs/removable_context1
-rw-r--r--config/appconfig-mcs/root_default_contexts11
-rw-r--r--config/appconfig-mcs/securetty_types1
-rw-r--r--config/appconfig-mcs/sepgsql_contexts40
-rw-r--r--config/appconfig-mcs/seusers3
-rw-r--r--config/appconfig-mcs/staff_u_default_contexts10
-rw-r--r--config/appconfig-mcs/unconfined_u_default_contexts9
-rw-r--r--config/appconfig-mcs/user_u_default_contexts8
-rw-r--r--config/appconfig-mcs/userhelper_context1
-rw-r--r--config/appconfig-mcs/virtual_domain_context1
-rw-r--r--config/appconfig-mcs/virtual_image_context2
-rw-r--r--config/appconfig-mcs/x_contexts105
-rw-r--r--config/appconfig-mcs/xguest_u_default_contexts7
-rw-r--r--config/appconfig-mls/dbus_contexts6
-rw-r--r--config/appconfig-mls/default_contexts15
-rw-r--r--config/appconfig-mls/default_type6
-rw-r--r--config/appconfig-mls/failsafe_context1
-rw-r--r--config/appconfig-mls/guest_u_default_contexts5
-rw-r--r--config/appconfig-mls/initrc_context1
-rw-r--r--config/appconfig-mls/media3
-rw-r--r--config/appconfig-mls/removable_context1
-rw-r--r--config/appconfig-mls/root_default_contexts11
-rw-r--r--config/appconfig-mls/securetty_types1
-rw-r--r--config/appconfig-mls/sepgsql_contexts40
-rw-r--r--config/appconfig-mls/seusers3
-rw-r--r--config/appconfig-mls/staff_u_default_contexts10
-rw-r--r--config/appconfig-mls/unconfined_u_default_contexts9
-rw-r--r--config/appconfig-mls/user_u_default_contexts8
-rw-r--r--config/appconfig-mls/userhelper_context1
-rw-r--r--config/appconfig-mls/virtual_domain_context1
-rw-r--r--config/appconfig-mls/virtual_image_context2
-rw-r--r--config/appconfig-mls/x_contexts105
-rw-r--r--config/appconfig-mls/xguest_u_default_contexts7
-rw-r--r--config/appconfig-standard/dbus_contexts6
-rw-r--r--config/appconfig-standard/default_contexts15
-rw-r--r--config/appconfig-standard/default_type6
-rw-r--r--config/appconfig-standard/failsafe_context1
-rw-r--r--config/appconfig-standard/guest_u_default_contexts7
-rw-r--r--config/appconfig-standard/initrc_context1
-rw-r--r--config/appconfig-standard/media3
-rw-r--r--config/appconfig-standard/removable_context1
-rw-r--r--config/appconfig-standard/root_default_contexts11
-rw-r--r--config/appconfig-standard/securetty_types1
-rw-r--r--config/appconfig-standard/sepgsql_contexts40
-rw-r--r--config/appconfig-standard/seusers3
-rw-r--r--config/appconfig-standard/staff_u_default_contexts10
-rw-r--r--config/appconfig-standard/unconfined_u_default_contexts9
-rw-r--r--config/appconfig-standard/user_u_default_contexts8
-rw-r--r--config/appconfig-standard/userhelper_context1
-rw-r--r--config/appconfig-standard/virtual_domain_context1
-rw-r--r--config/appconfig-standard/virtual_image_context2
-rw-r--r--config/appconfig-standard/x_contexts105
-rw-r--r--config/appconfig-standard/xguest_u_default_contexts7
-rw-r--r--config/file_contexts.subs_dist7
-rw-r--r--config/local.users21
-rw-r--r--doc/Makefile.example8
-rw-r--r--doc/example.fc6
-rw-r--r--doc/example.if54
-rw-r--r--doc/example.te28
-rw-r--r--doc/global_booleans.xml9
-rw-r--r--doc/global_tunables.xml108
-rw-r--r--doc/policy.dtd44
-rw-r--r--doc/policy.xml91784
-rw-r--r--doc/templates/bool_list.html23
-rw-r--r--doc/templates/boolean.html13
-rw-r--r--doc/templates/global_bool_list.html14
-rw-r--r--doc/templates/global_tun_list.html14
-rw-r--r--doc/templates/header.html15
-rw-r--r--doc/templates/int_list.html33
-rw-r--r--doc/templates/interface.html50
-rw-r--r--doc/templates/menu.html26
-rw-r--r--doc/templates/module.html52
-rw-r--r--doc/templates/module_list.html19
-rw-r--r--doc/templates/style.css216
-rw-r--r--doc/templates/temp_list.html33
-rw-r--r--doc/templates/template.html50
-rw-r--r--doc/templates/tun_list.html23
-rw-r--r--doc/templates/tunable.html13
-rw-r--r--man/man8/ftpd_selinux.865
-rw-r--r--man/man8/git_selinux.8109
-rw-r--r--man/man8/httpd_selinux.8120
-rw-r--r--man/man8/kerberos_selinux.828
-rw-r--r--man/man8/named_selinux.830
-rw-r--r--man/man8/nfs_selinux.831
-rw-r--r--man/man8/nis_selinux.81
-rw-r--r--man/man8/rsync_selinux.852
-rw-r--r--man/man8/samba_selinux.856
-rw-r--r--man/man8/ypbind_selinux.819
-rw-r--r--man/ru/man8/ftpd_selinux.857
-rw-r--r--man/ru/man8/httpd_selinux.8137
-rw-r--r--man/ru/man8/kerberos_selinux.830
-rw-r--r--man/ru/man8/named_selinux.831
-rw-r--r--man/ru/man8/nfs_selinux.833
-rw-r--r--man/ru/man8/rsync_selinux.850
-rw-r--r--man/ru/man8/samba_selinux.860
-rw-r--r--man/ru/man8/ypbind_selinux.819
-rw-r--r--policy/booleans.conf793
-rw-r--r--policy/constraints241
-rw-r--r--policy/flask/Makefile51
-rw-r--r--policy/flask/access_vectors864
-rw-r--r--policy/flask/flask.py536
-rw-r--r--policy/flask/initial_sids35
-rw-r--r--policy/flask/security_classes134
-rw-r--r--policy/global_booleans14
-rw-r--r--policy/global_tunables113
-rw-r--r--policy/mcs147
-rw-r--r--policy/mls882
-rw-r--r--policy/modules.conf2521
-rw-r--r--policy/modules/admin/bootloader.fc9
-rw-r--r--policy/modules/admin/bootloader.if124
-rw-r--r--policy/modules/admin/bootloader.te211
-rw-r--r--policy/modules/admin/consoletype.fc2
-rw-r--r--policy/modules/admin/consoletype.if71
-rw-r--r--policy/modules/admin/consoletype.te125
-rw-r--r--policy/modules/admin/dmesg.fc2
-rw-r--r--policy/modules/admin/dmesg.if40
-rw-r--r--policy/modules/admin/dmesg.te58
-rw-r--r--policy/modules/admin/metadata.xml3
-rw-r--r--policy/modules/admin/netutils.fc15
-rw-r--r--policy/modules/admin/netutils.if307
-rw-r--r--policy/modules/admin/netutils.te212
-rw-r--r--policy/modules/admin/su.fc5
-rw-r--r--policy/modules/admin/su.if337
-rw-r--r--policy/modules/admin/su.te11
-rw-r--r--policy/modules/admin/sudo.fc2
-rw-r--r--policy/modules/admin/sudo.if180
-rw-r--r--policy/modules/admin/sudo.te9
-rw-r--r--policy/modules/admin/usermanage.fc33
-rw-r--r--policy/modules/admin/usermanage.if297
-rw-r--r--policy/modules/admin/usermanage.te559
-rw-r--r--policy/modules/apps/metadata.xml1
-rw-r--r--policy/modules/apps/seunshare.fc1
-rw-r--r--policy/modules/apps/seunshare.if80
-rw-r--r--policy/modules/apps/seunshare.te44
-rw-r--r--policy/modules/contrib/abrt.fc20
-rw-r--r--policy/modules/contrib/abrt.if303
-rw-r--r--policy/modules/contrib/abrt.te227
-rw-r--r--policy/modules/contrib/accountsd.fc3
-rw-r--r--policy/modules/contrib/accountsd.if145
-rw-r--r--policy/modules/contrib/accountsd.te57
-rw-r--r--policy/modules/contrib/acct.fc9
-rw-r--r--policy/modules/contrib/acct.if80
-rw-r--r--policy/modules/contrib/acct.te89
-rw-r--r--policy/modules/contrib/ada.fc7
-rw-r--r--policy/modules/contrib/ada.if45
-rw-r--r--policy/modules/contrib/ada.te24
-rw-r--r--policy/modules/contrib/afs.fc32
-rw-r--r--policy/modules/contrib/afs.if109
-rw-r--r--policy/modules/contrib/afs.te355
-rw-r--r--policy/modules/contrib/aiccu.fc6
-rw-r--r--policy/modules/contrib/aiccu.if95
-rw-r--r--policy/modules/contrib/aiccu.te76
-rw-r--r--policy/modules/contrib/aide.fc6
-rw-r--r--policy/modules/contrib/aide.if71
-rw-r--r--policy/modules/contrib/aide.te42
-rw-r--r--policy/modules/contrib/aisexec.fc9
-rw-r--r--policy/modules/contrib/aisexec.if106
-rw-r--r--policy/modules/contrib/aisexec.te102
-rw-r--r--policy/modules/contrib/alsa.fc20
-rw-r--r--policy/modules/contrib/alsa.if208
-rw-r--r--policy/modules/contrib/alsa.te84
-rw-r--r--policy/modules/contrib/amanda.fc26
-rw-r--r--policy/modules/contrib/amanda.if161
-rw-r--r--policy/modules/contrib/amanda.te211
-rw-r--r--policy/modules/contrib/amavis.fc18
-rw-r--r--policy/modules/contrib/amavis.if261
-rw-r--r--policy/modules/contrib/amavis.te194
-rw-r--r--policy/modules/contrib/amtu.fc1
-rw-r--r--policy/modules/contrib/amtu.if46
-rw-r--r--policy/modules/contrib/amtu.te34
-rw-r--r--policy/modules/contrib/anaconda.fc1
-rw-r--r--policy/modules/contrib/anaconda.if1
-rw-r--r--policy/modules/contrib/anaconda.te59
-rw-r--r--policy/modules/contrib/apache.fc111
-rw-r--r--policy/modules/contrib/apache.if1324
-rw-r--r--policy/modules/contrib/apache.te915
-rw-r--r--policy/modules/contrib/apcupsd.fc15
-rw-r--r--policy/modules/contrib/apcupsd.if168
-rw-r--r--policy/modules/contrib/apcupsd.te127
-rw-r--r--policy/modules/contrib/apm.fc23
-rw-r--r--policy/modules/contrib/apm.if113
-rw-r--r--policy/modules/contrib/apm.te232
-rw-r--r--policy/modules/contrib/apt.fc21
-rw-r--r--policy/modules/contrib/apt.if225
-rw-r--r--policy/modules/contrib/apt.te162
-rw-r--r--policy/modules/contrib/arpwatch.fc12
-rw-r--r--policy/modules/contrib/arpwatch.if156
-rw-r--r--policy/modules/contrib/arpwatch.te98
-rw-r--r--policy/modules/contrib/asterisk.fc9
-rw-r--r--policy/modules/contrib/asterisk.if135
-rw-r--r--policy/modules/contrib/asterisk.te172
-rw-r--r--policy/modules/contrib/authbind.fc3
-rw-r--r--policy/modules/contrib/authbind.if20
-rw-r--r--policy/modules/contrib/authbind.te31
-rw-r--r--policy/modules/contrib/automount.fc16
-rw-r--r--policy/modules/contrib/automount.if168
-rw-r--r--policy/modules/contrib/automount.te182
-rw-r--r--policy/modules/contrib/avahi.fc9
-rw-r--r--policy/modules/contrib/avahi.if166
-rw-r--r--policy/modules/contrib/avahi.te112
-rw-r--r--policy/modules/contrib/awstats.fc5
-rw-r--r--policy/modules/contrib/awstats.if42
-rw-r--r--policy/modules/contrib/awstats.te85
-rw-r--r--policy/modules/contrib/backup.fc13
-rw-r--r--policy/modules/contrib/backup.if45
-rw-r--r--policy/modules/contrib/backup.te85
-rw-r--r--policy/modules/contrib/bacula.fc20
-rw-r--r--policy/modules/contrib/bacula.if45
-rw-r--r--policy/modules/contrib/bacula.te122
-rw-r--r--policy/modules/contrib/bind.fc63
-rw-r--r--policy/modules/contrib/bind.if399
-rw-r--r--policy/modules/contrib/bind.te260
-rw-r--r--policy/modules/contrib/bitlbee.fc6
-rw-r--r--policy/modules/contrib/bitlbee.if59
-rw-r--r--policy/modules/contrib/bitlbee.te94
-rw-r--r--policy/modules/contrib/bluetooth.fc30
-rw-r--r--policy/modules/contrib/bluetooth.if228
-rw-r--r--policy/modules/contrib/bluetooth.te241
-rw-r--r--policy/modules/contrib/brctl.fc1
-rw-r--r--policy/modules/contrib/brctl.if20
-rw-r--r--policy/modules/contrib/brctl.te44
-rw-r--r--policy/modules/contrib/bugzilla.fc4
-rw-r--r--policy/modules/contrib/bugzilla.if77
-rw-r--r--policy/modules/contrib/bugzilla.te50
-rw-r--r--policy/modules/contrib/calamaris.fc10
-rw-r--r--policy/modules/contrib/calamaris.if21
-rw-r--r--policy/modules/contrib/calamaris.te83
-rw-r--r--policy/modules/contrib/canna.fc23
-rw-r--r--policy/modules/contrib/canna.if61
-rw-r--r--policy/modules/contrib/canna.te93
-rw-r--r--policy/modules/contrib/ccs.fc6
-rw-r--r--policy/modules/contrib/ccs.if75
-rw-r--r--policy/modules/contrib/ccs.te122
-rw-r--r--policy/modules/contrib/cdrecord.fc6
-rw-r--r--policy/modules/contrib/cdrecord.if33
-rw-r--r--policy/modules/contrib/cdrecord.te119
-rw-r--r--policy/modules/contrib/certmaster.fc8
-rw-r--r--policy/modules/contrib/certmaster.if145
-rw-r--r--policy/modules/contrib/certmaster.te71
-rw-r--r--policy/modules/contrib/certmonger.fc6
-rw-r--r--policy/modules/contrib/certmonger.if174
-rw-r--r--policy/modules/contrib/certmonger.te72
-rw-r--r--policy/modules/contrib/certwatch.fc1
-rw-r--r--policy/modules/contrib/certwatch.if78
-rw-r--r--policy/modules/contrib/certwatch.te53
-rw-r--r--policy/modules/contrib/cgroup.fc15
-rw-r--r--policy/modules/contrib/cgroup.if199
-rw-r--r--policy/modules/contrib/cgroup.te109
-rw-r--r--policy/modules/contrib/chronyd.fc9
-rw-r--r--policy/modules/contrib/chronyd.if105
-rw-r--r--policy/modules/contrib/chronyd.te68
-rw-r--r--policy/modules/contrib/cipe.fc4
-rw-r--r--policy/modules/contrib/cipe.if1
-rw-r--r--policy/modules/contrib/cipe.te72
-rw-r--r--policy/modules/contrib/clamav.fc20
-rw-r--r--policy/modules/contrib/clamav.if192
-rw-r--r--policy/modules/contrib/clamav.te275
-rw-r--r--policy/modules/contrib/clockspeed.fc14
-rw-r--r--policy/modules/contrib/clockspeed.if44
-rw-r--r--policy/modules/contrib/clockspeed.te72
-rw-r--r--policy/modules/contrib/clogd.fc3
-rw-r--r--policy/modules/contrib/clogd.if79
-rw-r--r--policy/modules/contrib/clogd.te54
-rw-r--r--policy/modules/contrib/cmirrord.fc5
-rw-r--r--policy/modules/contrib/cmirrord.if113
-rw-r--r--policy/modules/contrib/cmirrord.te58
-rw-r--r--policy/modules/contrib/cobbler.fc7
-rw-r--r--policy/modules/contrib/cobbler.if185
-rw-r--r--policy/modules/contrib/cobbler.te128
-rw-r--r--policy/modules/contrib/colord.fc4
-rw-r--r--policy/modules/contrib/colord.if59
-rw-r--r--policy/modules/contrib/colord.te100
-rw-r--r--policy/modules/contrib/comsat.fc2
-rw-r--r--policy/modules/contrib/comsat.if1
-rw-r--r--policy/modules/contrib/comsat.te74
-rw-r--r--policy/modules/contrib/consolekit.fc7
-rw-r--r--policy/modules/contrib/consolekit.if98
-rw-r--r--policy/modules/contrib/consolekit.te131
-rw-r--r--policy/modules/contrib/corosync.fc12
-rw-r--r--policy/modules/contrib/corosync.if106
-rw-r--r--policy/modules/contrib/corosync.te103
-rw-r--r--policy/modules/contrib/courier.fc33
-rw-r--r--policy/modules/contrib/courier.if255
-rw-r--r--policy/modules/contrib/courier.te161
-rw-r--r--policy/modules/contrib/cpucontrol.fc10
-rw-r--r--policy/modules/contrib/cpucontrol.if17
-rw-r--r--policy/modules/contrib/cpucontrol.te122
-rw-r--r--policy/modules/contrib/cpufreqselector.fc1
-rw-r--r--policy/modules/contrib/cpufreqselector.if22
-rw-r--r--policy/modules/contrib/cpufreqselector.te55
-rw-r--r--policy/modules/contrib/cron.fc56
-rw-r--r--policy/modules/contrib/cron.if632
-rw-r--r--policy/modules/contrib/cron.te631
-rw-r--r--policy/modules/contrib/cups.fc73
-rw-r--r--policy/modules/contrib/cups.if358
-rw-r--r--policy/modules/contrib/cups.te781
-rw-r--r--policy/modules/contrib/cvs.fc10
-rw-r--r--policy/modules/contrib/cvs.if82
-rw-r--r--policy/modules/contrib/cvs.te115
-rw-r--r--policy/modules/contrib/cyphesis.fc5
-rw-r--r--policy/modules/contrib/cyphesis.if19
-rw-r--r--policy/modules/contrib/cyphesis.te85
-rw-r--r--policy/modules/contrib/cyrus.fc7
-rw-r--r--policy/modules/contrib/cyrus.if81
-rw-r--r--policy/modules/contrib/cyrus.te145
-rw-r--r--policy/modules/contrib/daemontools.fc53
-rw-r--r--policy/modules/contrib/daemontools.if212
-rw-r--r--policy/modules/contrib/daemontools.te118
-rw-r--r--policy/modules/contrib/dante.fc6
-rw-r--r--policy/modules/contrib/dante.if1
-rw-r--r--policy/modules/contrib/dante.te78
-rw-r--r--policy/modules/contrib/dbadm.fc1
-rw-r--r--policy/modules/contrib/dbadm.if50
-rw-r--r--policy/modules/contrib/dbadm.te60
-rw-r--r--policy/modules/contrib/dbskk.fc2
-rw-r--r--policy/modules/contrib/dbskk.if1
-rw-r--r--policy/modules/contrib/dbskk.te69
-rw-r--r--policy/modules/contrib/dbus.fc26
-rw-r--r--policy/modules/contrib/dbus.if507
-rw-r--r--policy/modules/contrib/dbus.te161
-rw-r--r--policy/modules/contrib/dcc.fc30
-rw-r--r--policy/modules/contrib/dcc.if173
-rw-r--r--policy/modules/contrib/dcc.te404
-rw-r--r--policy/modules/contrib/ddclient.fc12
-rw-r--r--policy/modules/contrib/ddclient.if93
-rw-r--r--policy/modules/contrib/ddclient.te108
-rw-r--r--policy/modules/contrib/ddcprobe.fc4
-rw-r--r--policy/modules/contrib/ddcprobe.if45
-rw-r--r--policy/modules/contrib/ddcprobe.te51
-rw-r--r--policy/modules/contrib/denyhosts.fc7
-rw-r--r--policy/modules/contrib/denyhosts.if85
-rw-r--r--policy/modules/contrib/denyhosts.te72
-rw-r--r--policy/modules/contrib/devicekit.fc20
-rw-r--r--policy/modules/contrib/devicekit.if185
-rw-r--r--policy/modules/contrib/devicekit.te284
-rw-r--r--policy/modules/contrib/dhcp.fc8
-rw-r--r--policy/modules/contrib/dhcp.if99
-rw-r--r--policy/modules/contrib/dhcp.te135
-rw-r--r--policy/modules/contrib/dictd.fc9
-rw-r--r--policy/modules/contrib/dictd.if57
-rw-r--r--policy/modules/contrib/dictd.te98
-rw-r--r--policy/modules/contrib/distcc.fc2
-rw-r--r--policy/modules/contrib/distcc.if1
-rw-r--r--policy/modules/contrib/distcc.te93
-rw-r--r--policy/modules/contrib/djbdns.fc9
-rw-r--r--policy/modules/contrib/djbdns.if90
-rw-r--r--policy/modules/contrib/djbdns.te49
-rw-r--r--policy/modules/contrib/dkim.fc14
-rw-r--r--policy/modules/contrib/dkim.if1
-rw-r--r--policy/modules/contrib/dkim.te33
-rw-r--r--policy/modules/contrib/dmidecode.fc4
-rw-r--r--policy/modules/contrib/dmidecode.if50
-rw-r--r--policy/modules/contrib/dmidecode.te30
-rw-r--r--policy/modules/contrib/dnsmasq.fc12
-rw-r--r--policy/modules/contrib/dnsmasq.if211
-rw-r--r--policy/modules/contrib/dnsmasq.te117
-rw-r--r--policy/modules/contrib/dovecot.fc46
-rw-r--r--policy/modules/contrib/dovecot.if130
-rw-r--r--policy/modules/contrib/dovecot.te306
-rw-r--r--policy/modules/contrib/dpkg.fc12
-rw-r--r--policy/modules/contrib/dpkg.if224
-rw-r--r--policy/modules/contrib/dpkg.te341
-rw-r--r--policy/modules/contrib/dracut.fc4
-rw-r--r--policy/modules/contrib/dracut.if69
-rw-r--r--policy/modules/contrib/dracut.te74
-rw-r--r--policy/modules/contrib/entropyd.fc8
-rw-r--r--policy/modules/contrib/entropyd.if1
-rw-r--r--policy/modules/contrib/entropyd.te80
-rw-r--r--policy/modules/contrib/evolution.fc21
-rw-r--r--policy/modules/contrib/evolution.if153
-rw-r--r--policy/modules/contrib/evolution.te604
-rw-r--r--policy/modules/contrib/exim.fc8
-rw-r--r--policy/modules/contrib/exim.if196
-rw-r--r--policy/modules/contrib/exim.te203
-rw-r--r--policy/modules/contrib/fail2ban.fc8
-rw-r--r--policy/modules/contrib/fail2ban.if175
-rw-r--r--policy/modules/contrib/fail2ban.te102
-rw-r--r--policy/modules/contrib/fetchmail.fc19
-rw-r--r--policy/modules/contrib/fetchmail.if30
-rw-r--r--policy/modules/contrib/fetchmail.te104
-rw-r--r--policy/modules/contrib/finger.fc19
-rw-r--r--policy/modules/contrib/finger.if33
-rw-r--r--policy/modules/contrib/finger.te121
-rw-r--r--policy/modules/contrib/firstboot.fc3
-rw-r--r--policy/modules/contrib/firstboot.if157
-rw-r--r--policy/modules/contrib/firstboot.te135
-rw-r--r--policy/modules/contrib/fprintd.fc2
-rw-r--r--policy/modules/contrib/fprintd.if41
-rw-r--r--policy/modules/contrib/fprintd.te57
-rw-r--r--policy/modules/contrib/ftp.fc31
-rw-r--r--policy/modules/contrib/ftp.if206
-rw-r--r--policy/modules/contrib/ftp.te412
-rw-r--r--policy/modules/contrib/games.fc66
-rw-r--r--policy/modules/contrib/games.if51
-rw-r--r--policy/modules/contrib/games.te178
-rw-r--r--policy/modules/contrib/gatekeeper.fc8
-rw-r--r--policy/modules/contrib/gatekeeper.if1
-rw-r--r--policy/modules/contrib/gatekeeper.te99
-rw-r--r--policy/modules/contrib/gift.fc6
-rw-r--r--policy/modules/contrib/gift.if42
-rw-r--r--policy/modules/contrib/gift.te144
-rw-r--r--policy/modules/contrib/git.fc11
-rw-r--r--policy/modules/contrib/git.if50
-rw-r--r--policy/modules/contrib/git.te226
-rw-r--r--policy/modules/contrib/gitosis.fc9
-rw-r--r--policy/modules/contrib/gitosis.if86
-rw-r--r--policy/modules/contrib/gitosis.te41
-rw-r--r--policy/modules/contrib/glance.fc12
-rw-r--r--policy/modules/contrib/glance.if261
-rw-r--r--policy/modules/contrib/glance.te104
-rw-r--r--policy/modules/contrib/gnome.fc9
-rw-r--r--policy/modules/contrib/gnome.if190
-rw-r--r--policy/modules/contrib/gnome.te75
-rw-r--r--policy/modules/contrib/gnomeclock.fc2
-rw-r--r--policy/modules/contrib/gnomeclock.if65
-rw-r--r--policy/modules/contrib/gnomeclock.te46
-rw-r--r--policy/modules/contrib/gorg.fc3
-rw-r--r--policy/modules/contrib/gorg.if34
-rw-r--r--policy/modules/contrib/gorg.te63
-rw-r--r--policy/modules/contrib/gpg.fc11
-rw-r--r--policy/modules/contrib/gpg.if181
-rw-r--r--policy/modules/contrib/gpg.te358
-rw-r--r--policy/modules/contrib/gpm.fc7
-rw-r--r--policy/modules/contrib/gpm.if81
-rw-r--r--policy/modules/contrib/gpm.te79
-rw-r--r--policy/modules/contrib/gpsd.fc6
-rw-r--r--policy/modules/contrib/gpsd.if66
-rw-r--r--policy/modules/contrib/gpsd.te64
-rw-r--r--policy/modules/contrib/guest.fc1
-rw-r--r--policy/modules/contrib/guest.if50
-rw-r--r--policy/modules/contrib/guest.te17
-rw-r--r--policy/modules/contrib/hadoop.fc59
-rw-r--r--policy/modules/contrib/hadoop.if534
-rw-r--r--policy/modules/contrib/hadoop.te435
-rw-r--r--policy/modules/contrib/hal.fc33
-rw-r--r--policy/modules/contrib/hal.if433
-rw-r--r--policy/modules/contrib/hal.te531
-rw-r--r--policy/modules/contrib/hddtemp.fc5
-rw-r--r--policy/modules/contrib/hddtemp.if77
-rw-r--r--policy/modules/contrib/hddtemp.te49
-rw-r--r--policy/modules/contrib/howl.fc5
-rw-r--r--policy/modules/contrib/howl.if19
-rw-r--r--policy/modules/contrib/howl.te80
-rw-r--r--policy/modules/contrib/i18n_input.fc19
-rw-r--r--policy/modules/contrib/i18n_input.if15
-rw-r--r--policy/modules/contrib/i18n_input.te102
-rw-r--r--policy/modules/contrib/icecast.fc7
-rw-r--r--policy/modules/contrib/icecast.if188
-rw-r--r--policy/modules/contrib/icecast.te61
-rw-r--r--policy/modules/contrib/ifplugd.fc7
-rw-r--r--policy/modules/contrib/ifplugd.if133
-rw-r--r--policy/modules/contrib/ifplugd.te76
-rw-r--r--policy/modules/contrib/imaze.fc4
-rw-r--r--policy/modules/contrib/imaze.if1
-rw-r--r--policy/modules/contrib/imaze.te99
-rw-r--r--policy/modules/contrib/inetd.fc12
-rw-r--r--policy/modules/contrib/inetd.if205
-rw-r--r--policy/modules/contrib/inetd.te243
-rw-r--r--policy/modules/contrib/inn.fc67
-rw-r--r--policy/modules/contrib/inn.if224
-rw-r--r--policy/modules/contrib/inn.te129
-rw-r--r--policy/modules/contrib/irc.fc11
-rw-r--r--policy/modules/contrib/irc.if31
-rw-r--r--policy/modules/contrib/irc.te102
-rw-r--r--policy/modules/contrib/ircd.fc7
-rw-r--r--policy/modules/contrib/ircd.if1
-rw-r--r--policy/modules/contrib/ircd.te93
-rw-r--r--policy/modules/contrib/irqbalance.fc2
-rw-r--r--policy/modules/contrib/irqbalance.if1
-rw-r--r--policy/modules/contrib/irqbalance.te56
-rw-r--r--policy/modules/contrib/iscsi.fc7
-rw-r--r--policy/modules/contrib/iscsi.if76
-rw-r--r--policy/modules/contrib/iscsi.te97
-rw-r--r--policy/modules/contrib/jabber.fc10
-rw-r--r--policy/modules/contrib/jabber.if56
-rw-r--r--policy/modules/contrib/jabber.te94
-rw-r--r--policy/modules/contrib/java.fc38
-rw-r--r--policy/modules/contrib/java.if200
-rw-r--r--policy/modules/contrib/java.te153
-rw-r--r--policy/modules/contrib/kdump.fc5
-rw-r--r--policy/modules/contrib/kdump.if111
-rw-r--r--policy/modules/contrib/kdump.te38
-rw-r--r--policy/modules/contrib/kdumpgui.fc1
-rw-r--r--policy/modules/contrib/kdumpgui.if2
-rw-r--r--policy/modules/contrib/kdumpgui.te65
-rw-r--r--policy/modules/contrib/kerberos.fc33
-rw-r--r--policy/modules/contrib/kerberos.if380
-rw-r--r--policy/modules/contrib/kerberos.te325
-rw-r--r--policy/modules/contrib/kerneloops.fc3
-rw-r--r--policy/modules/contrib/kerneloops.if115
-rw-r--r--policy/modules/contrib/kerneloops.te54
-rw-r--r--policy/modules/contrib/kismet.fc6
-rw-r--r--policy/modules/contrib/kismet.if247
-rw-r--r--policy/modules/contrib/kismet.te101
-rw-r--r--policy/modules/contrib/ksmtuned.fc5
-rw-r--r--policy/modules/contrib/ksmtuned.if74
-rw-r--r--policy/modules/contrib/ksmtuned.te39
-rw-r--r--policy/modules/contrib/ktalk.fc7
-rw-r--r--policy/modules/contrib/ktalk.if1
-rw-r--r--policy/modules/contrib/ktalk.te79
-rw-r--r--policy/modules/contrib/kudzu.fc5
-rw-r--r--policy/modules/contrib/kudzu.if64
-rw-r--r--policy/modules/contrib/kudzu.te145
-rw-r--r--policy/modules/contrib/ldap.fc21
-rw-r--r--policy/modules/contrib/ldap.if123
-rw-r--r--policy/modules/contrib/ldap.te134
-rw-r--r--policy/modules/contrib/likewise.fc54
-rw-r--r--policy/modules/contrib/likewise.if105
-rw-r--r--policy/modules/contrib/likewise.te238
-rw-r--r--policy/modules/contrib/links.fc2
-rw-r--r--policy/modules/contrib/links.if46
-rw-r--r--policy/modules/contrib/links.te67
-rw-r--r--policy/modules/contrib/lircd.fc10
-rw-r--r--policy/modules/contrib/lircd.if96
-rw-r--r--policy/modules/contrib/lircd.te64
-rw-r--r--policy/modules/contrib/livecd.fc1
-rw-r--r--policy/modules/contrib/livecd.if100
-rw-r--r--policy/modules/contrib/livecd.te43
-rw-r--r--policy/modules/contrib/loadkeys.fc3
-rw-r--r--policy/modules/contrib/loadkeys.if67
-rw-r--r--policy/modules/contrib/loadkeys.te50
-rw-r--r--policy/modules/contrib/lockdev.fc2
-rw-r--r--policy/modules/contrib/lockdev.if33
-rw-r--r--policy/modules/contrib/lockdev.te37
-rw-r--r--policy/modules/contrib/logrotate.fc9
-rw-r--r--policy/modules/contrib/logrotate.if120
-rw-r--r--policy/modules/contrib/logrotate.te230
-rw-r--r--policy/modules/contrib/logwatch.fc7
-rw-r--r--policy/modules/contrib/logwatch.if38
-rw-r--r--policy/modules/contrib/logwatch.te147
-rw-r--r--policy/modules/contrib/lpd.fc37
-rw-r--r--policy/modules/contrib/lpd.if214
-rw-r--r--policy/modules/contrib/lpd.te328
-rw-r--r--policy/modules/contrib/mailman.fc34
-rw-r--r--policy/modules/contrib/mailman.if352
-rw-r--r--policy/modules/contrib/mailman.te128
-rw-r--r--policy/modules/contrib/mcelog.fc1
-rw-r--r--policy/modules/contrib/mcelog.if20
-rw-r--r--policy/modules/contrib/mcelog.te32
-rw-r--r--policy/modules/contrib/mediawiki.fc8
-rw-r--r--policy/modules/contrib/mediawiki.if1
-rw-r--r--policy/modules/contrib/mediawiki.te17
-rw-r--r--policy/modules/contrib/memcached.fc5
-rw-r--r--policy/modules/contrib/memcached.if73
-rw-r--r--policy/modules/contrib/memcached.te58
-rw-r--r--policy/modules/contrib/metadata.xml1
-rw-r--r--policy/modules/contrib/milter.fc15
-rw-r--r--policy/modules/contrib/milter.if106
-rw-r--r--policy/modules/contrib/milter.te96
-rw-r--r--policy/modules/contrib/modemmanager.fc1
-rw-r--r--policy/modules/contrib/modemmanager.if40
-rw-r--r--policy/modules/contrib/modemmanager.te41
-rw-r--r--policy/modules/contrib/mojomojo.fc5
-rw-r--r--policy/modules/contrib/mojomojo.if40
-rw-r--r--policy/modules/contrib/mojomojo.te36
-rw-r--r--policy/modules/contrib/mono.fc1
-rw-r--r--policy/modules/contrib/mono.if138
-rw-r--r--policy/modules/contrib/mono.te52
-rw-r--r--policy/modules/contrib/monop.fc4
-rw-r--r--policy/modules/contrib/monop.if1
-rw-r--r--policy/modules/contrib/monop.te85
-rw-r--r--policy/modules/contrib/mozilla.fc47
-rw-r--r--policy/modules/contrib/mozilla.if302
-rw-r--r--policy/modules/contrib/mozilla.te480
-rw-r--r--policy/modules/contrib/mpd.fc8
-rw-r--r--policy/modules/contrib/mpd.if267
-rw-r--r--policy/modules/contrib/mpd.te126
-rw-r--r--policy/modules/contrib/mplayer.fc14
-rw-r--r--policy/modules/contrib/mplayer.if104
-rw-r--r--policy/modules/contrib/mplayer.te311
-rw-r--r--policy/modules/contrib/mrtg.fc18
-rw-r--r--policy/modules/contrib/mrtg.if20
-rw-r--r--policy/modules/contrib/mrtg.te160
-rw-r--r--policy/modules/contrib/mta.fc30
-rw-r--r--policy/modules/contrib/mta.if903
-rw-r--r--policy/modules/contrib/mta.te294
-rw-r--r--policy/modules/contrib/munin.fc69
-rw-r--r--policy/modules/contrib/munin.if203
-rw-r--r--policy/modules/contrib/munin.te315
-rw-r--r--policy/modules/contrib/mutt.fc10
-rw-r--r--policy/modules/contrib/mutt.if104
-rw-r--r--policy/modules/contrib/mutt.te101
-rw-r--r--policy/modules/contrib/mysql.fc32
-rw-r--r--policy/modules/contrib/mysql.if355
-rw-r--r--policy/modules/contrib/mysql.te239
-rw-r--r--policy/modules/contrib/nagios.fc88
-rw-r--r--policy/modules/contrib/nagios.if229
-rw-r--r--policy/modules/contrib/nagios.te393
-rw-r--r--policy/modules/contrib/ncftool.fc1
-rw-r--r--policy/modules/contrib/ncftool.if44
-rw-r--r--policy/modules/contrib/ncftool.te81
-rw-r--r--policy/modules/contrib/nessus.fc10
-rw-r--r--policy/modules/contrib/nessus.if15
-rw-r--r--policy/modules/contrib/nessus.te105
-rw-r--r--policy/modules/contrib/networkmanager.fc28
-rw-r--r--policy/modules/contrib/networkmanager.if258
-rw-r--r--policy/modules/contrib/networkmanager.te319
-rw-r--r--policy/modules/contrib/nginx.fc63
-rw-r--r--policy/modules/contrib/nginx.if101
-rw-r--r--policy/modules/contrib/nginx.te193
-rw-r--r--policy/modules/contrib/nis.fc21
-rw-r--r--policy/modules/contrib/nis.if396
-rw-r--r--policy/modules/contrib/nis.te347
-rw-r--r--policy/modules/contrib/nscd.fc13
-rw-r--r--policy/modules/contrib/nscd.if291
-rw-r--r--policy/modules/contrib/nscd.te129
-rw-r--r--policy/modules/contrib/nsd.fc14
-rw-r--r--policy/modules/contrib/nsd.if29
-rw-r--r--policy/modules/contrib/nsd.te180
-rw-r--r--policy/modules/contrib/nslcd.fc4
-rw-r--r--policy/modules/contrib/nslcd.if114
-rw-r--r--policy/modules/contrib/nslcd.te45
-rw-r--r--policy/modules/contrib/ntop.fc6
-rw-r--r--policy/modules/contrib/ntop.if1
-rw-r--r--policy/modules/contrib/ntop.te114
-rw-r--r--policy/modules/contrib/ntp.fc22
-rw-r--r--policy/modules/contrib/ntp.if165
-rw-r--r--policy/modules/contrib/ntp.te156
-rw-r--r--policy/modules/contrib/nut.fc12
-rw-r--r--policy/modules/contrib/nut.if1
-rw-r--r--policy/modules/contrib/nut.te171
-rw-r--r--policy/modules/contrib/nx.fc12
-rw-r--r--policy/modules/contrib/nx.if85
-rw-r--r--policy/modules/contrib/nx.te98
-rw-r--r--policy/modules/contrib/oav.fc9
-rw-r--r--policy/modules/contrib/oav.if46
-rw-r--r--policy/modules/contrib/oav.te146
-rw-r--r--policy/modules/contrib/oddjob.fc7
-rw-r--r--policy/modules/contrib/oddjob.if111
-rw-r--r--policy/modules/contrib/oddjob.te106
-rw-r--r--policy/modules/contrib/oident.fc8
-rw-r--r--policy/modules/contrib/oident.if68
-rw-r--r--policy/modules/contrib/oident.te75
-rw-r--r--policy/modules/contrib/openca.fc9
-rw-r--r--policy/modules/contrib/openca.if76
-rw-r--r--policy/modules/contrib/openca.te82
-rw-r--r--policy/modules/contrib/openct.fc10
-rw-r--r--policy/modules/contrib/openct.if95
-rw-r--r--policy/modules/contrib/openct.te61
-rw-r--r--policy/modules/contrib/openvpn.fc18
-rw-r--r--policy/modules/contrib/openvpn.if163
-rw-r--r--policy/modules/contrib/openvpn.te140
-rw-r--r--policy/modules/contrib/pads.fc10
-rw-r--r--policy/modules/contrib/pads.if44
-rw-r--r--policy/modules/contrib/pads.te63
-rw-r--r--policy/modules/contrib/pan.fc6
-rw-r--r--policy/modules/contrib/pan.if38
-rw-r--r--policy/modules/contrib/pan.te116
-rw-r--r--policy/modules/contrib/passenger.fc11
-rw-r--r--policy/modules/contrib/passenger.if39
-rw-r--r--policy/modules/contrib/passenger.te77
-rw-r--r--policy/modules/contrib/pcmcia.fc10
-rw-r--r--policy/modules/contrib/pcmcia.if156
-rw-r--r--policy/modules/contrib/pcmcia.te137
-rw-r--r--policy/modules/contrib/pcscd.fc6
-rw-r--r--policy/modules/contrib/pcscd.if95
-rw-r--r--policy/modules/contrib/pcscd.te79
-rw-r--r--policy/modules/contrib/pegasus.fc12
-rw-r--r--policy/modules/contrib/pegasus.if1
-rw-r--r--policy/modules/contrib/pegasus.te138
-rw-r--r--policy/modules/contrib/perdition.fc3
-rw-r--r--policy/modules/contrib/perdition.if15
-rw-r--r--policy/modules/contrib/perdition.te75
-rw-r--r--policy/modules/contrib/pingd.fc6
-rw-r--r--policy/modules/contrib/pingd.if97
-rw-r--r--policy/modules/contrib/pingd.te47
-rw-r--r--policy/modules/contrib/plymouthd.fc7
-rw-r--r--policy/modules/contrib/plymouthd.if260
-rw-r--r--policy/modules/contrib/plymouthd.te99
-rw-r--r--policy/modules/contrib/podsleuth.fc3
-rw-r--r--policy/modules/contrib/podsleuth.if45
-rw-r--r--policy/modules/contrib/podsleuth.te87
-rw-r--r--policy/modules/contrib/policykit.fc16
-rw-r--r--policy/modules/contrib/policykit.if209
-rw-r--r--policy/modules/contrib/policykit.te210
-rw-r--r--policy/modules/contrib/portage.fc35
-rw-r--r--policy/modules/contrib/portage.if394
-rw-r--r--policy/modules/contrib/portage.te367
-rw-r--r--policy/modules/contrib/portmap.fc16
-rw-r--r--policy/modules/contrib/portmap.if89
-rw-r--r--policy/modules/contrib/portmap.te150
-rw-r--r--policy/modules/contrib/portreserve.fc7
-rw-r--r--policy/modules/contrib/portreserve.if120
-rw-r--r--policy/modules/contrib/portreserve.te54
-rw-r--r--policy/modules/contrib/portslave.fc4
-rw-r--r--policy/modules/contrib/portslave.if19
-rw-r--r--policy/modules/contrib/portslave.te125
-rw-r--r--policy/modules/contrib/postfix.fc53
-rw-r--r--policy/modules/contrib/postfix.if683
-rw-r--r--policy/modules/contrib/postfix.te635
-rw-r--r--policy/modules/contrib/postfixpolicyd.fc6
-rw-r--r--policy/modules/contrib/postfixpolicyd.if40
-rw-r--r--policy/modules/contrib/postfixpolicyd.te53
-rw-r--r--policy/modules/contrib/postgrey.fc12
-rw-r--r--policy/modules/contrib/postgrey.if81
-rw-r--r--policy/modules/contrib/postgrey.te107
-rw-r--r--policy/modules/contrib/ppp.fc38
-rw-r--r--policy/modules/contrib/ppp.if390
-rw-r--r--policy/modules/contrib/ppp.te325
-rw-r--r--policy/modules/contrib/prelink.fc11
-rw-r--r--policy/modules/contrib/prelink.if204
-rw-r--r--policy/modules/contrib/prelink.te164
-rw-r--r--policy/modules/contrib/prelude.fc18
-rw-r--r--policy/modules/contrib/prelude.if144
-rw-r--r--policy/modules/contrib/prelude.te308
-rw-r--r--policy/modules/contrib/privoxy.fc6
-rw-r--r--policy/modules/contrib/privoxy.if42
-rw-r--r--policy/modules/contrib/privoxy.te103
-rw-r--r--policy/modules/contrib/procmail.fc5
-rw-r--r--policy/modules/contrib/procmail.if79
-rw-r--r--policy/modules/contrib/procmail.te150
-rw-r--r--policy/modules/contrib/psad.fc8
-rw-r--r--policy/modules/contrib/psad.if262
-rw-r--r--policy/modules/contrib/psad.te106
-rw-r--r--policy/modules/contrib/ptchown.fc1
-rw-r--r--policy/modules/contrib/ptchown.if44
-rw-r--r--policy/modules/contrib/ptchown.te31
-rw-r--r--policy/modules/contrib/publicfile.fc7
-rw-r--r--policy/modules/contrib/publicfile.if1
-rw-r--r--policy/modules/contrib/publicfile.te34
-rw-r--r--policy/modules/contrib/pulseaudio.fc7
-rw-r--r--policy/modules/contrib/pulseaudio.if260
-rw-r--r--policy/modules/contrib/pulseaudio.te148
-rw-r--r--policy/modules/contrib/puppet.fc13
-rw-r--r--policy/modules/contrib/puppet.if31
-rw-r--r--policy/modules/contrib/puppet.te282
-rw-r--r--policy/modules/contrib/pxe.fc6
-rw-r--r--policy/modules/contrib/pxe.if1
-rw-r--r--policy/modules/contrib/pxe.te63
-rw-r--r--policy/modules/contrib/pyicqt.fc7
-rw-r--r--policy/modules/contrib/pyicqt.if1
-rw-r--r--policy/modules/contrib/pyicqt.te59
-rw-r--r--policy/modules/contrib/pyzor.fc9
-rw-r--r--policy/modules/contrib/pyzor.if90
-rw-r--r--policy/modules/contrib/pyzor.te146
-rw-r--r--policy/modules/contrib/qemu.fc4
-rw-r--r--policy/modules/contrib/qemu.if309
-rw-r--r--policy/modules/contrib/qemu.te135
-rw-r--r--policy/modules/contrib/qmail.fc47
-rw-r--r--policy/modules/contrib/qmail.if151
-rw-r--r--policy/modules/contrib/qmail.te321
-rw-r--r--policy/modules/contrib/qpid.fc8
-rw-r--r--policy/modules/contrib/qpid.if186
-rw-r--r--policy/modules/contrib/qpid.te63
-rw-r--r--policy/modules/contrib/quota.fc19
-rw-r--r--policy/modules/contrib/quota.if85
-rw-r--r--policy/modules/contrib/quota.te84
-rw-r--r--policy/modules/contrib/radius.fc23
-rw-r--r--policy/modules/contrib/radius.if62
-rw-r--r--policy/modules/contrib/radius.te143
-rw-r--r--policy/modules/contrib/radvd.fc7
-rw-r--r--policy/modules/contrib/radvd.if39
-rw-r--r--policy/modules/contrib/radvd.te82
-rw-r--r--policy/modules/contrib/raid.fc6
-rw-r--r--policy/modules/contrib/raid.if75
-rw-r--r--policy/modules/contrib/raid.te102
-rw-r--r--policy/modules/contrib/razor.fc8
-rw-r--r--policy/modules/contrib/razor.if159
-rw-r--r--policy/modules/contrib/razor.te121
-rw-r--r--policy/modules/contrib/rdisc.fc2
-rw-r--r--policy/modules/contrib/rdisc.if20
-rw-r--r--policy/modules/contrib/rdisc.te58
-rw-r--r--policy/modules/contrib/readahead.fc3
-rw-r--r--policy/modules/contrib/readahead.if1
-rw-r--r--policy/modules/contrib/readahead.te101
-rw-r--r--policy/modules/contrib/remotelogin.fc2
-rw-r--r--policy/modules/contrib/remotelogin.if37
-rw-r--r--policy/modules/contrib/remotelogin.te123
-rw-r--r--policy/modules/contrib/resmgr.fc7
-rw-r--r--policy/modules/contrib/resmgr.if22
-rw-r--r--policy/modules/contrib/resmgr.te66
-rw-r--r--policy/modules/contrib/rgmanager.fc7
-rw-r--r--policy/modules/contrib/rgmanager.if77
-rw-r--r--policy/modules/contrib/rgmanager.te202
-rw-r--r--policy/modules/contrib/rhcs.fc22
-rw-r--r--policy/modules/contrib/rhcs.if355
-rw-r--r--policy/modules/contrib/rhcs.te240
-rw-r--r--policy/modules/contrib/rhgb.fc4
-rw-r--r--policy/modules/contrib/rhgb.if198
-rw-r--r--policy/modules/contrib/rhgb.te142
-rw-r--r--policy/modules/contrib/rhsmcertd.fc11
-rw-r--r--policy/modules/contrib/rhsmcertd.if296
-rw-r--r--policy/modules/contrib/rhsmcertd.te59
-rw-r--r--policy/modules/contrib/ricci.fc16
-rw-r--r--policy/modules/contrib/ricci.if167
-rw-r--r--policy/modules/contrib/ricci.te488
-rw-r--r--policy/modules/contrib/rlogin.fc7
-rw-r--r--policy/modules/contrib/rlogin.if47
-rw-r--r--policy/modules/contrib/rlogin.te116
-rw-r--r--policy/modules/contrib/roundup.fc11
-rw-r--r--policy/modules/contrib/roundup.if39
-rw-r--r--policy/modules/contrib/roundup.te96
-rw-r--r--policy/modules/contrib/rpc.fc31
-rw-r--r--policy/modules/contrib/rpc.if436
-rw-r--r--policy/modules/contrib/rpc.te237
-rw-r--r--policy/modules/contrib/rpcbind.fc9
-rw-r--r--policy/modules/contrib/rpcbind.if148
-rw-r--r--policy/modules/contrib/rpcbind.te69
-rw-r--r--policy/modules/contrib/rpm.fc52
-rw-r--r--policy/modules/contrib/rpm.if575
-rw-r--r--policy/modules/contrib/rpm.te399
-rw-r--r--policy/modules/contrib/rshd.fc5
-rw-r--r--policy/modules/contrib/rshd.if21
-rw-r--r--policy/modules/contrib/rshd.te96
-rw-r--r--policy/modules/contrib/rssh.fc1
-rw-r--r--policy/modules/contrib/rssh.if103
-rw-r--r--policy/modules/contrib/rssh.te104
-rw-r--r--policy/modules/contrib/rsync.fc7
-rw-r--r--policy/modules/contrib/rsync.if143
-rw-r--r--policy/modules/contrib/rsync.te133
-rw-r--r--policy/modules/contrib/rtkit.fc1
-rw-r--r--policy/modules/contrib/rtkit.if60
-rw-r--r--policy/modules/contrib/rtkit.te35
-rw-r--r--policy/modules/contrib/rwho.fc7
-rw-r--r--policy/modules/contrib/rwho.if154
-rw-r--r--policy/modules/contrib/rwho.te60
-rw-r--r--policy/modules/contrib/samba.fc53
-rw-r--r--policy/modules/contrib/samba.if730
-rw-r--r--policy/modules/contrib/samba.te939
-rw-r--r--policy/modules/contrib/sambagui.fc1
-rw-r--r--policy/modules/contrib/sambagui.if2
-rw-r--r--policy/modules/contrib/sambagui.te61
-rw-r--r--policy/modules/contrib/samhain.fc13
-rw-r--r--policy/modules/contrib/samhain.if292
-rw-r--r--policy/modules/contrib/samhain.te76
-rw-r--r--policy/modules/contrib/sanlock.fc7
-rw-r--r--policy/modules/contrib/sanlock.if107
-rw-r--r--policy/modules/contrib/sanlock.te93
-rw-r--r--policy/modules/contrib/sasl.fc12
-rw-r--r--policy/modules/contrib/sasl.if58
-rw-r--r--policy/modules/contrib/sasl.te110
-rw-r--r--policy/modules/contrib/sblim.fc5
-rw-r--r--policy/modules/contrib/sblim.if73
-rw-r--r--policy/modules/contrib/sblim.te104
-rw-r--r--policy/modules/contrib/screen.fc15
-rw-r--r--policy/modules/contrib/screen.if162
-rw-r--r--policy/modules/contrib/screen.te25
-rw-r--r--policy/modules/contrib/sectoolm.fc4
-rw-r--r--policy/modules/contrib/sectoolm.if2
-rw-r--r--policy/modules/contrib/sectoolm.te106
-rw-r--r--policy/modules/contrib/sendmail.fc6
-rw-r--r--policy/modules/contrib/sendmail.if297
-rw-r--r--policy/modules/contrib/sendmail.te187
-rw-r--r--policy/modules/contrib/setroubleshoot.fc9
-rw-r--r--policy/modules/contrib/setroubleshoot.if135
-rw-r--r--policy/modules/contrib/setroubleshoot.te177
-rw-r--r--policy/modules/contrib/shorewall.fc16
-rw-r--r--policy/modules/contrib/shorewall.if202
-rw-r--r--policy/modules/contrib/shorewall.te108
-rw-r--r--policy/modules/contrib/shutdown.fc7
-rw-r--r--policy/modules/contrib/shutdown.if69
-rw-r--r--policy/modules/contrib/shutdown.te63
-rw-r--r--policy/modules/contrib/skype.fc11
-rw-r--r--policy/modules/contrib/skype.if39
-rw-r--r--policy/modules/contrib/skype.te111
-rw-r--r--policy/modules/contrib/slocate.fc2
-rw-r--r--policy/modules/contrib/slocate.if41
-rw-r--r--policy/modules/contrib/slocate.te70
-rw-r--r--policy/modules/contrib/slrnpull.fc10
-rw-r--r--policy/modules/contrib/slrnpull.if42
-rw-r--r--policy/modules/contrib/slrnpull.te70
-rw-r--r--policy/modules/contrib/smartmon.fc12
-rw-r--r--policy/modules/contrib/smartmon.if57
-rw-r--r--policy/modules/contrib/smartmon.te121
-rw-r--r--policy/modules/contrib/smokeping.fc9
-rw-r--r--policy/modules/contrib/smokeping.if167
-rw-r--r--policy/modules/contrib/smokeping.te77
-rw-r--r--policy/modules/contrib/smoltclient.fc2
-rw-r--r--policy/modules/contrib/smoltclient.if1
-rw-r--r--policy/modules/contrib/smoltclient.te68
-rw-r--r--policy/modules/contrib/snmp.fc24
-rw-r--r--policy/modules/contrib/snmp.if147
-rw-r--r--policy/modules/contrib/snmp.te172
-rw-r--r--policy/modules/contrib/snort.fc9
-rw-r--r--policy/modules/contrib/snort.if60
-rw-r--r--policy/modules/contrib/snort.te117
-rw-r--r--policy/modules/contrib/sosreport.fc1
-rw-r--r--policy/modules/contrib/sosreport.if129
-rw-r--r--policy/modules/contrib/sosreport.te148
-rw-r--r--policy/modules/contrib/soundserver.fc13
-rw-r--r--policy/modules/contrib/soundserver.if57
-rw-r--r--policy/modules/contrib/soundserver.te114
-rw-r--r--policy/modules/contrib/spamassassin.fc15
-rw-r--r--policy/modules/contrib/spamassassin.if227
-rw-r--r--policy/modules/contrib/spamassassin.te449
-rw-r--r--policy/modules/contrib/speedtouch.fc2
-rw-r--r--policy/modules/contrib/speedtouch.if1
-rw-r--r--policy/modules/contrib/speedtouch.te61
-rw-r--r--policy/modules/contrib/squid.fc14
-rw-r--r--policy/modules/contrib/squid.if233
-rw-r--r--policy/modules/contrib/squid.te208
-rw-r--r--policy/modules/contrib/sssd.fc11
-rw-r--r--policy/modules/contrib/sssd.if255
-rw-r--r--policy/modules/contrib/sssd.te90
-rw-r--r--policy/modules/contrib/stunnel.fc7
-rw-r--r--policy/modules/contrib/stunnel.if25
-rw-r--r--policy/modules/contrib/stunnel.te123
-rw-r--r--policy/modules/contrib/sxid.fc6
-rw-r--r--policy/modules/contrib/sxid.if22
-rw-r--r--policy/modules/contrib/sxid.te97
-rw-r--r--policy/modules/contrib/sysstat.fc8
-rw-r--r--policy/modules/contrib/sysstat.if21
-rw-r--r--policy/modules/contrib/sysstat.te70
-rw-r--r--policy/modules/contrib/tcpd.fc2
-rw-r--r--policy/modules/contrib/tcpd.if45
-rw-r--r--policy/modules/contrib/tcpd.te50
-rw-r--r--policy/modules/contrib/tcsd.fc3
-rw-r--r--policy/modules/contrib/tcsd.if150
-rw-r--r--policy/modules/contrib/tcsd.te50
-rw-r--r--policy/modules/contrib/telepathy.fc18
-rw-r--r--policy/modules/contrib/telepathy.if178
-rw-r--r--policy/modules/contrib/telepathy.te380
-rw-r--r--policy/modules/contrib/telnet.fc4
-rw-r--r--policy/modules/contrib/telnet.if1
-rw-r--r--policy/modules/contrib/telnet.te102
-rw-r--r--policy/modules/contrib/tftp.fc8
-rw-r--r--policy/modules/contrib/tftp.if67
-rw-r--r--policy/modules/contrib/tftp.te106
-rw-r--r--policy/modules/contrib/tgtd.fc3
-rw-r--r--policy/modules/contrib/tgtd.if46
-rw-r--r--policy/modules/contrib/tgtd.te66
-rw-r--r--policy/modules/contrib/thunderbird.fc6
-rw-r--r--policy/modules/contrib/thunderbird.if63
-rw-r--r--policy/modules/contrib/thunderbird.te208
-rw-r--r--policy/modules/contrib/timidity.fc2
-rw-r--r--policy/modules/contrib/timidity.if1
-rw-r--r--policy/modules/contrib/timidity.te85
-rw-r--r--policy/modules/contrib/tmpreaper.fc7
-rw-r--r--policy/modules/contrib/tmpreaper.if21
-rw-r--r--policy/modules/contrib/tmpreaper.te74
-rw-r--r--policy/modules/contrib/tor.fc12
-rw-r--r--policy/modules/contrib/tor.if64
-rw-r--r--policy/modules/contrib/tor.te120
-rw-r--r--policy/modules/contrib/transproxy.fc3
-rw-r--r--policy/modules/contrib/transproxy.if1
-rw-r--r--policy/modules/contrib/transproxy.te65
-rw-r--r--policy/modules/contrib/tripwire.fc10
-rw-r--r--policy/modules/contrib/tripwire.if190
-rw-r--r--policy/modules/contrib/tripwire.te146
-rw-r--r--policy/modules/contrib/tuned.fc8
-rw-r--r--policy/modules/contrib/tuned.if129
-rw-r--r--policy/modules/contrib/tuned.te64
-rw-r--r--policy/modules/contrib/tvtime.fc5
-rw-r--r--policy/modules/contrib/tvtime.if40
-rw-r--r--policy/modules/contrib/tvtime.te90
-rw-r--r--policy/modules/contrib/tzdata.fc1
-rw-r--r--policy/modules/contrib/tzdata.if45
-rw-r--r--policy/modules/contrib/tzdata.te36
-rw-r--r--policy/modules/contrib/ucspitcp.fc3
-rw-r--r--policy/modules/contrib/ucspitcp.if38
-rw-r--r--policy/modules/contrib/ucspitcp.te93
-rw-r--r--policy/modules/contrib/ulogd.fc7
-rw-r--r--policy/modules/contrib/ulogd.if142
-rw-r--r--policy/modules/contrib/ulogd.te67
-rw-r--r--policy/modules/contrib/uml.fc14
-rw-r--r--policy/modules/contrib/uml.if99
-rw-r--r--policy/modules/contrib/uml.te188
-rw-r--r--policy/modules/contrib/updfstab.fc3
-rw-r--r--policy/modules/contrib/updfstab.if21
-rw-r--r--policy/modules/contrib/updfstab.te116
-rw-r--r--policy/modules/contrib/uptime.fc6
-rw-r--r--policy/modules/contrib/uptime.if1
-rw-r--r--policy/modules/contrib/uptime.te73
-rw-r--r--policy/modules/contrib/usbmodules.fc9
-rw-r--r--policy/modules/contrib/usbmodules.if46
-rw-r--r--policy/modules/contrib/usbmodules.te47
-rw-r--r--policy/modules/contrib/usbmuxd.fc3
-rw-r--r--policy/modules/contrib/usbmuxd.if39
-rw-r--r--policy/modules/contrib/usbmuxd.te42
-rw-r--r--policy/modules/contrib/userhelper.fc9
-rw-r--r--policy/modules/contrib/userhelper.if257
-rw-r--r--policy/modules/contrib/userhelper.te14
-rw-r--r--policy/modules/contrib/usernetctl.fc2
-rw-r--r--policy/modules/contrib/usernetctl.if45
-rw-r--r--policy/modules/contrib/usernetctl.te90
-rw-r--r--policy/modules/contrib/uucp.fc11
-rw-r--r--policy/modules/contrib/uucp.if120
-rw-r--r--policy/modules/contrib/uucp.te149
-rw-r--r--policy/modules/contrib/uuidd.fc7
-rw-r--r--policy/modules/contrib/uuidd.if190
-rw-r--r--policy/modules/contrib/uuidd.te44
-rw-r--r--policy/modules/contrib/uwimap.fc2
-rw-r--r--policy/modules/contrib/uwimap.if20
-rw-r--r--policy/modules/contrib/uwimap.te98
-rw-r--r--policy/modules/contrib/varnishd.fc18
-rw-r--r--policy/modules/contrib/varnishd.if216
-rw-r--r--policy/modules/contrib/varnishd.te118
-rw-r--r--policy/modules/contrib/vbetool.fc1
-rw-r--r--policy/modules/contrib/vbetool.if45
-rw-r--r--policy/modules/contrib/vbetool.te51
-rw-r--r--policy/modules/contrib/vdagent.fc7
-rw-r--r--policy/modules/contrib/vdagent.if124
-rw-r--r--policy/modules/contrib/vdagent.te51
-rw-r--r--policy/modules/contrib/vde.fc5
-rw-r--r--policy/modules/contrib/vde.if65
-rw-r--r--policy/modules/contrib/vde.te49
-rw-r--r--policy/modules/contrib/vhostmd.fc5
-rw-r--r--policy/modules/contrib/vhostmd.if224
-rw-r--r--policy/modules/contrib/vhostmd.te76
-rw-r--r--policy/modules/contrib/virt.fc29
-rw-r--r--policy/modules/contrib/virt.if518
-rw-r--r--policy/modules/contrib/virt.te473
-rw-r--r--policy/modules/contrib/vlock.fc1
-rw-r--r--policy/modules/contrib/vlock.if46
-rw-r--r--policy/modules/contrib/vlock.te53
-rw-r--r--policy/modules/contrib/vmware.fc71
-rw-r--r--policy/modules/contrib/vmware.if104
-rw-r--r--policy/modules/contrib/vmware.te282
-rw-r--r--policy/modules/contrib/vnstatd.fc7
-rw-r--r--policy/modules/contrib/vnstatd.if143
-rw-r--r--policy/modules/contrib/vnstatd.te80
-rw-r--r--policy/modules/contrib/vpn.fc13
-rw-r--r--policy/modules/contrib/vpn.if138
-rw-r--r--policy/modules/contrib/vpn.te125
-rw-r--r--policy/modules/contrib/w3c.fc4
-rw-r--r--policy/modules/contrib/w3c.if1
-rw-r--r--policy/modules/contrib/w3c.te24
-rw-r--r--policy/modules/contrib/watchdog.fc5
-rw-r--r--policy/modules/contrib/watchdog.if1
-rw-r--r--policy/modules/contrib/watchdog.te105
-rw-r--r--policy/modules/contrib/webadm.fc1
-rw-r--r--policy/modules/contrib/webadm.if50
-rw-r--r--policy/modules/contrib/webadm.te55
-rw-r--r--policy/modules/contrib/webalizer.fc11
-rw-r--r--policy/modules/contrib/webalizer.if45
-rw-r--r--policy/modules/contrib/webalizer.te109
-rw-r--r--policy/modules/contrib/wine.fc21
-rw-r--r--policy/modules/contrib/wine.if178
-rw-r--r--policy/modules/contrib/wine.te62
-rw-r--r--policy/modules/contrib/wireshark.fc3
-rw-r--r--policy/modules/contrib/wireshark.if55
-rw-r--r--policy/modules/contrib/wireshark.te122
-rw-r--r--policy/modules/contrib/wm.fc4
-rw-r--r--policy/modules/contrib/wm.if111
-rw-r--r--policy/modules/contrib/wm.te9
-rw-r--r--policy/modules/contrib/xdg.fc8
-rw-r--r--policy/modules/contrib/xdg.if581
-rw-r--r--policy/modules/contrib/xdg.te26
-rw-r--r--policy/modules/contrib/xen.fc43
-rw-r--r--policy/modules/contrib/xen.if238
-rw-r--r--policy/modules/contrib/xen.te566
-rw-r--r--policy/modules/contrib/xfs.fc8
-rw-r--r--policy/modules/contrib/xfs.if59
-rw-r--r--policy/modules/contrib/xfs.te87
-rw-r--r--policy/modules/contrib/xguest.fc1
-rw-r--r--policy/modules/contrib/xguest.if50
-rw-r--r--policy/modules/contrib/xguest.te98
-rw-r--r--policy/modules/contrib/xprint.fc1
-rw-r--r--policy/modules/contrib/xprint.if1
-rw-r--r--policy/modules/contrib/xprint.te82
-rw-r--r--policy/modules/contrib/xscreensaver.fc1
-rw-r--r--policy/modules/contrib/xscreensaver.if30
-rw-r--r--policy/modules/contrib/xscreensaver.te42
-rw-r--r--policy/modules/contrib/yam.fc6
-rw-r--r--policy/modules/contrib/yam.if66
-rw-r--r--policy/modules/contrib/yam.te124
-rw-r--r--policy/modules/contrib/zabbix.fc9
-rw-r--r--policy/modules/contrib/zabbix.if158
-rw-r--r--policy/modules/contrib/zabbix.te137
-rw-r--r--policy/modules/contrib/zarafa.fc26
-rw-r--r--policy/modules/contrib/zarafa.if120
-rw-r--r--policy/modules/contrib/zarafa.te161
-rw-r--r--policy/modules/contrib/zebra.fc22
-rw-r--r--policy/modules/contrib/zebra.if88
-rw-r--r--policy/modules/contrib/zebra.te140
-rw-r--r--policy/modules/contrib/zosremote.fc1
-rw-r--r--policy/modules/contrib/zosremote.if45
-rw-r--r--policy/modules/contrib/zosremote.te28
-rw-r--r--policy/modules/kernel/corecommands.fc425
-rw-r--r--policy/modules/kernel/corecommands.if1093
-rw-r--r--policy/modules/kernel/corecommands.te27
-rw-r--r--policy/modules/kernel/corenetwork.fc10
-rw-r--r--policy/modules/kernel/corenetwork.if78582
-rw-r--r--policy/modules/kernel/corenetwork.if.in3136
-rw-r--r--policy/modules/kernel/corenetwork.if.m4853
-rw-r--r--policy/modules/kernel/corenetwork.te1537
-rw-r--r--policy/modules/kernel/corenetwork.te.in305
-rw-r--r--policy/modules/kernel/corenetwork.te.m4113
-rw-r--r--policy/modules/kernel/devices.fc206
-rw-r--r--policy/modules/kernel/devices.if4822
-rw-r--r--policy/modules/kernel/devices.te314
-rw-r--r--policy/modules/kernel/domain.fc1
-rw-r--r--policy/modules/kernel/domain.if1533
-rw-r--r--policy/modules/kernel/domain.te170
-rw-r--r--policy/modules/kernel/files.fc265
-rw-r--r--policy/modules/kernel/files.if6223
-rw-r--r--policy/modules/kernel/files.te228
-rw-r--r--policy/modules/kernel/filesystem.fc16
-rw-r--r--policy/modules/kernel/filesystem.if4868
-rw-r--r--policy/modules/kernel/filesystem.te302
-rw-r--r--policy/modules/kernel/kernel.fc1
-rw-r--r--policy/modules/kernel/kernel.if2960
-rw-r--r--policy/modules/kernel/kernel.te413
-rw-r--r--policy/modules/kernel/mcs.fc1
-rw-r--r--policy/modules/kernel/mcs.if104
-rw-r--r--policy/modules/kernel/mcs.te12
-rw-r--r--policy/modules/kernel/metadata.xml1
-rw-r--r--policy/modules/kernel/mls.fc1
-rw-r--r--policy/modules/kernel/mls.if984
-rw-r--r--policy/modules/kernel/mls.te69
-rw-r--r--policy/modules/kernel/selinux.fc1
-rw-r--r--policy/modules/kernel/selinux.if712
-rw-r--r--policy/modules/kernel/selinux.te70
-rw-r--r--policy/modules/kernel/storage.fc83
-rw-r--r--policy/modules/kernel/storage.if810
-rw-r--r--policy/modules/kernel/storage.te59
-rw-r--r--policy/modules/kernel/terminal.fc43
-rw-r--r--policy/modules/kernel/terminal.if1495
-rw-r--r--policy/modules/kernel/terminal.te58
-rw-r--r--policy/modules/kernel/ubac.fc1
-rw-r--r--policy/modules/kernel/ubac.if197
-rw-r--r--policy/modules/kernel/ubac.te19
-rw-r--r--policy/modules/roles/auditadm.fc1
-rw-r--r--policy/modules/roles/auditadm.if50
-rw-r--r--policy/modules/roles/auditadm.te65
-rw-r--r--policy/modules/roles/logadm.fc1
-rw-r--r--policy/modules/roles/logadm.if50
-rw-r--r--policy/modules/roles/logadm.te19
-rw-r--r--policy/modules/roles/metadata.xml1
-rw-r--r--policy/modules/roles/secadm.fc1
-rw-r--r--policy/modules/roles/secadm.if51
-rw-r--r--policy/modules/roles/secadm.te76
-rw-r--r--policy/modules/roles/staff.fc1
-rw-r--r--policy/modules/roles/staff.if50
-rw-r--r--policy/modules/roles/staff.te198
-rw-r--r--policy/modules/roles/sysadm.fc1
-rw-r--r--policy/modules/roles/sysadm.if238
-rw-r--r--policy/modules/roles/sysadm.te509
-rw-r--r--policy/modules/roles/unprivuser.fc1
-rw-r--r--policy/modules/roles/unprivuser.if50
-rw-r--r--policy/modules/roles/unprivuser.te183
-rw-r--r--policy/modules/services/metadata.xml4
-rw-r--r--policy/modules/services/postgresql.fc55
-rw-r--r--policy/modules/services/postgresql.if566
-rw-r--r--policy/modules/services/postgresql.te540
-rw-r--r--policy/modules/services/ssh.fc16
-rw-r--r--policy/modules/services/ssh.if756
-rw-r--r--policy/modules/services/ssh.te341
-rw-r--r--policy/modules/services/xserver.fc114
-rw-r--r--policy/modules/services/xserver.if1252
-rw-r--r--policy/modules/services/xserver.te1006
-rw-r--r--policy/modules/system/application.fc1
-rw-r--r--policy/modules/system/application.if207
-rw-r--r--policy/modules/system/application.te20
-rw-r--r--policy/modules/system/authlogin.fc51
-rw-r--r--policy/modules/system/authlogin.if1822
-rw-r--r--policy/modules/system/authlogin.te398
-rw-r--r--policy/modules/system/clock.fc5
-rw-r--r--policy/modules/system/clock.if100
-rw-r--r--policy/modules/system/clock.te81
-rw-r--r--policy/modules/system/fstools.fc47
-rw-r--r--policy/modules/system/fstools.if156
-rw-r--r--policy/modules/system/fstools.te197
-rw-r--r--policy/modules/system/getty.fc12
-rw-r--r--policy/modules/system/getty.if98
-rw-r--r--policy/modules/system/getty.te141
-rw-r--r--policy/modules/system/hostname.fc2
-rw-r--r--policy/modules/system/hostname.if65
-rw-r--r--policy/modules/system/hostname.te69
-rw-r--r--policy/modules/system/hotplug.fc11
-rw-r--r--policy/modules/system/hotplug.if175
-rw-r--r--policy/modules/system/hotplug.te203
-rw-r--r--policy/modules/system/init.fc79
-rw-r--r--policy/modules/system/init.if1793
-rw-r--r--policy/modules/system/init.te901
-rw-r--r--policy/modules/system/ipsec.fc46
-rw-r--r--policy/modules/system/ipsec.if371
-rw-r--r--policy/modules/system/ipsec.te445
-rw-r--r--policy/modules/system/iptables.fc20
-rw-r--r--policy/modules/system/iptables.if165
-rw-r--r--policy/modules/system/iptables.te145
-rw-r--r--policy/modules/system/libraries.fc328
-rw-r--r--policy/modules/system/libraries.if536
-rw-r--r--policy/modules/system/libraries.te150
-rw-r--r--policy/modules/system/locallogin.fc3
-rw-r--r--policy/modules/system/locallogin.if131
-rw-r--r--policy/modules/system/locallogin.te266
-rw-r--r--policy/modules/system/logging.fc77
-rw-r--r--policy/modules/system/logging.if1064
-rw-r--r--policy/modules/system/logging.te515
-rw-r--r--policy/modules/system/lvm.fc106
-rw-r--r--policy/modules/system/lvm.if125
-rw-r--r--policy/modules/system/lvm.te353
-rw-r--r--policy/modules/system/metadata.xml3
-rw-r--r--policy/modules/system/miscfiles.fc93
-rw-r--r--policy/modules/system/miscfiles.if771
-rw-r--r--policy/modules/system/miscfiles.te63
-rw-r--r--policy/modules/system/modutils.fc24
-rw-r--r--policy/modules/system/modutils.if355
-rw-r--r--policy/modules/system/modutils.te326
-rw-r--r--policy/modules/system/mount.fc4
-rw-r--r--policy/modules/system/mount.if175
-rw-r--r--policy/modules/system/mount.te219
-rw-r--r--policy/modules/system/netlabel.fc1
-rw-r--r--policy/modules/system/netlabel.if46
-rw-r--r--policy/modules/system/netlabel.te28
-rw-r--r--policy/modules/system/selinuxutil.fc53
-rw-r--r--policy/modules/system/selinuxutil.if1139
-rw-r--r--policy/modules/system/selinuxutil.te635
-rw-r--r--policy/modules/system/setrans.fc5
-rw-r--r--policy/modules/system/setrans.if42
-rw-r--r--policy/modules/system/setrans.te87
-rw-r--r--policy/modules/system/sysnetwork.fc74
-rw-r--r--policy/modules/system/sysnetwork.if741
-rw-r--r--policy/modules/system/sysnetwork.te365
-rw-r--r--policy/modules/system/udev.fc36
-rw-r--r--policy/modules/system/udev.if291
-rw-r--r--policy/modules/system/udev.te295
-rw-r--r--policy/modules/system/unconfined.fc21
-rw-r--r--policy/modules/system/unconfined.if589
-rw-r--r--policy/modules/system/unconfined.te240
-rw-r--r--policy/modules/system/userdomain.fc4
-rw-r--r--policy/modules/system/userdomain.if3278
-rw-r--r--policy/modules/system/userdomain.te96
-rw-r--r--policy/policy_capabilities33
-rw-r--r--policy/support/file_patterns.spt556
-rw-r--r--policy/support/ipc_patterns.spt14
-rw-r--r--policy/support/loadable_module.spt146
-rw-r--r--policy/support/misc_macros.spt78
-rw-r--r--policy/support/misc_patterns.spt58
-rw-r--r--policy/support/mls_mcs_macros.spt57
-rw-r--r--policy/support/obj_perm_sets.spt273
-rw-r--r--policy/users45
-rw-r--r--support/Makefile.devel223
-rw-r--r--support/comment_move_decl.sed14
-rw-r--r--support/divert.m41
-rw-r--r--support/fc_sort.c558
-rw-r--r--support/genclassperms.py308
-rw-r--r--support/genhomedircon481
-rw-r--r--support/gennetfilter.py163
-rw-r--r--support/get_type_attr_decl.sed13
-rw-r--r--support/iferror.m41
-rw-r--r--support/pyplate.py364
-rw-r--r--support/sedoctool.py847
-rw-r--r--support/segenxml.py391
-rw-r--r--support/selinux-policy-refpolicy.spec438
-rw-r--r--support/selinux-refpolicy-sources.spec.skel49
-rw-r--r--support/set_bools_tuns.awk11
-rw-r--r--support/undivert.m41
1256 files changed, 339388 insertions, 1 deletions
diff --git a/COPYING b/COPYING
new file mode 100644
index 00000000..5b6e7c66
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,340 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
diff --git a/Changelog b/Changelog
new file mode 100644
index 00000000..59a89e02
--- /dev/null
+++ b/Changelog
@@ -0,0 +1,925 @@
+* Wed Feb 15 2012 Chris PeBenito <selinux@tresys.com> - 2.20120215
+- Sshd usage of mkhomedir_helper via oddjob, from Sven Vermeulen.
+- Add slim and lxdm file contexts to xserver, from Sven Vermeulen.
+- Add userdom interfaces for user application domains, user tmp files,
+ and user tmpfs files.
+- Asterisk administration fixes from Sven Vermeulen.
+- Fix makefiles to install files with the correct DAC permissions if the
+ umask is not 022.
+- Remove deprecated support macros.
+- Remove rolemap and per-role template support.
+- Change corenetwork port declaration to apply the reserved port type
+ attribute only, when the type has ports above and below 1024.
+- Change secure_mode_policyload to disable only toggling of this Boolean
+ rather than disabling all Boolean toggling permissions.
+- Use role attributes to assist with domain transitions in interactive
+ programs.
+- Milter ports patch from Paul Howarth.
+- Separate portage fetch rules out of portage_run() and portage_domtrans()
+ from Sven Vermeulen.
+- Enhance corenetwork network_port() macro to support ports that do not have
+ a well defined port number, such as stunnel.
+- Opendkim support in dkim module from Paul Howarth.
+- Wireshark updates from Sven Vermeulen.
+- Change secure_mode_insmod to control sys_module capability rather than
+ controlling domain transitions to insmod.
+- Openrc and portage updates from Sven Vermeulen.
+- Allow user and role changes on dynamic transitions with the same
+ constraints as regular transitions.
+- New git service features from Dominick Grift.
+- Corenetwork policy size optimization from Dan Walsh.
+- Silence spurious udp_socket listen denials.
+- Fix unexpanded MLS/MCS fields in monolithic seusers file.
+- Type transition fix in Postgresql database objects from KaiGai Kohei.
+- Support for file context path substitutions (file_contexts.subs).
+- Added contrib modules:
+ glance (Dan Walsh)
+ rhsmcertd (Dan Walsh)
+ sanlock (Dan Walsh)
+ sblim (Dan Walsh)
+ uuidd (Dan Walsh)
+ vdagent (Dan Walsh)
+
+* Tue Jul 26 2011 Chris PeBenito <selinux@tresys.com> - 2.20110726
+- Fix role declarations to handle role attribute compilers.
+- Rename audioentropy module to entropyd due to haveged support.
+- Add haveged support from Sven Vermeulen.
+- Authentication file patch from Matthew Ife.
+- Add agent support to zabbix from Sven Vermeulen.
+- Cyrus file context update for Gentoo from Corentin Labbe.
+- Portage updates from Sven Vermeulen.
+- Fix init_system_domain() description, pointed out by Elia Pinto.
+- Postgresql selabel_lookup update from KaiGai Kohei.
+- Dovecot managesieve support from Mika Pfluger.
+- Semicolon after interface/template calls cleanup from Elia Pinto.
+- Gentoo courier updates from Sven Vermeulen.
+- Amavis patch for connecting to nslcd from Miroslav Grepl.
+- Shorewall patch from Miroslav Grepl.
+- Cpufreqselector dbus patch from Guido Trentalancia.
+- Cron pam_namespace and pam_loginuid support from Harry Ciao.
+- Xserver update for startx from Sven Vermeulen.
+- Fix MLS constraint for contains permission from Harry Ciao.
+- Apache user webpages fix from Dominick Grift.
+- Change default build.conf to modular policy from Stephen Smalley.
+- Xen refinement patch from Stephen Smalley.
+- Sudo timestamp file location update from Sven Vermeulen.
+- XServer keyboard event patch from Sven Vermeulen.
+- RAID uevent patch from Sven Vermeulen.
+- Gentoo ALSA init script usage patch from Sven Vermeulen.
+- LVM semaphore usage patch from Sven Vermeulen.
+- Module load request patch for insmod from Sven Vermeulen.
+- Cron default contexts fix from Harry Ciao.
+- Man page fixes from Justin Mattock.
+- Add syslog capability.
+- Support for logging in to /dev/console, from Harry Ciao.
+- Database object class updates and associated SEPostgreSQL changes from
+ KaiGai Kohei.
+- IPSEC SPD and Hadoop IPSEC updates from Paul Nuzzi.
+- Mount updates from Harry Ciao.
+- Semanage update for MLS systems from Harry Ciao.
+- Vlock terminal use update from Harry Ciao.
+- Hadoop CDH3 updates from Paul Nuzzi.
+- Add sepgsql_contexts appconfig files from KaiGai Kohei.
+- Added modules:
+ aiccu
+ bugzilla (Dan Walsh)
+ colord (Dan Walsh)
+ cmirrord (Miroslav Grepl)
+ mediawiki (Miroslav Grepl)
+ mpd (Miroslav Grepl)
+ ncftool
+ passenger (Miroslav Grepl)
+ qpid (Dan Walsh)
+ samhain (Harry Ciao)
+ telepathy (Dominick Grift)
+ tcsd (Stephen Smalley)
+ vnstatd (Dan Walsh)
+ zarafa (Miroslav Grepl)
+
+* Mon Dec 13 2010 Chris PeBenito <selinux@tresys.com> - 2.20101213
+- Git man page from Dominick Grift.
+- Alsa and oident home content cleanup from Dominick Grift.
+- Add support for custom build options.
+- Unconditional staff and user oidentd home config access from Dominick Grift.
+- Conditional mmap_zero support from Dominick Grift.
+- Added devtmpfs support.
+- Dbadm updates from KaiGai Kohei.
+- Virtio disk file context update from Mika Pfluger.
+- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
+- Add JIT usage for freshclam.
+- Remove ethereal module since the application was renamed to wireshark.
+- Remove duplicate/redundant rules, from Russell Coker.
+- Increased default number of categories to 1024, from Russell Coker.
+- Added modules:
+ accountsd (Dan Walsh)
+ cgroup (Dominick Grift)
+ hadoop (Paul Nuzzi)
+ kdumpgui (Dan Walsh)
+ livecd (Dan Walsh)
+ mojomojo (Iain Arnell)
+ sambagui (Dan Walsh)
+ shutdown (Dan Walsh)
+ sosreport (Dan Walsh)
+ vlock (Harry Ciao)
+
+* Mon May 24 2010 Chris PeBenito <selinux@tresys.com> - 2.20100524
+- Merged a significant portion of Fedora policy.
+- Move rules from mta mailserver delivery from interface to .te to use
+ attributes.
+- Remove concept of users from terminal module interfaces since the
+ attributes are not specific to users.
+- Add non-drawing X client support, for consolekit usage.
+- Misc Gentoo fixes from Chris Richards.
+- AFS and abrt fixes from Dominick Grift.
+- Improved the XML docs of 55 most-used interfaces.
+- Apcupsd and amavis fixes from Dominick Grift.
+- Fix network_port() in corenetwork to correctly handle port ranges.
+- SE-Postgresql updates from KaiGai Kohei.
+- X object manager revisions from Eamon Walsh.
+- Added modules:
+ aisexec (Dan Walsh)
+ chronyd (Miroslav Grepl)
+ cobbler (Dominick Grift)
+ corosync (Dan Walsh)
+ dbadm (KaiGai Kohei)
+ denyhosts (Dan Walsh)
+ nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
+ likewise (Scott Salley)
+ plymouthd (Dan Walsh)
+ pyicqt (Stefan Schulze Frielinghaus)
+ rhcs (Dan Walsh)
+ rgmanager (Dan Walsh)
+ sectoolm (Miroslav Grepl)
+ usbmuxd (Dan Walsh)
+ vhostmd (Dan Walsh)
+
+* Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117
+- Add separate x_pointer and x_keyboard classes inheriting from x_device.
+ From Eamon Walsh.
+- Deprecated the userdom_xwindows_client_template().
+- Misc Gentoo fixes from Corentin Labbe.
+- Debian policykit fixes from Martin Orr.
+- Fix unconfined_r use of unconfined_java_t.
+- Add missing x_device rules for XI2 functions, from Eamon Walsh.
+- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
+- Add btrfs and ext4 to labeling targets.
+- Fix infrastructure to expand macros in initrc_context when installing.
+- Handle unix_chkpwd usage by useradd and groupadd.
+- Add missing compatibility aliases for xdm_xserver*_t types.
+- Added modules:
+ abrt (Dan Walsh)
+ dkim (Stefan Schulze Frielinghaus)
+ gitosis (Miroslav Grepl)
+ gnomeclock (Dan Walsh)
+ hddtemp (Dan Walsh)
+ kdump (Dan Walsh)
+ modemmanager(Dan Walsh)
+ nslcd (Dan Walsh)
+ puppet (Craig Grube)
+ rtkit (Dan Walsh)
+ seunshare (Dan Walsh)
+ shorewall (Dan Walsh)
+ tgtd (Matthew Ife)
+ tuned (Miroslav Grepl)
+ xscreensaver (Corentin Labbe)
+
+* Thu Jul 30 2009 Chris PeBenito <selinux@tresys.com> - 2.20090730
+- Gentoo fixes for init scripts and system startup.
+- Remove read_default_t tunable.
+- Greylist milter from Paul Howarth.
+- Crack db access for su to handle password expiration, from Brandon Whalen.
+- Misc fixes for unix_update from Brandon Whalen.
+- Add x_device permissions for XI2 functions, from Eamon Walsh.
+- MLS constraints for the x_selection class, from Eamon Walsh.
+- Postgresql updates from KaiGai Kohei.
+- Milter state directory patch from Paul Howarth.
+- Add MLS constrains for ingress/egress and secmark from Paul Moore.
+- Drop write permission from fs_read_rpc_sockets().
+- Remove unused udev_runtime_t type.
+- Patch for RadSec port from Glen Turner.
+- Enable network_peer_controls policy capability from Paul Moore.
+- Btrfs xattr support from Paul Moore.
+- Add db_procedure install permission from KaiGai Kohei.
+- Add support for network interfaces with access controlled by a Boolean
+ from the CLIP project.
+- Several fixes from the CLIP project.
+- Add support for labeled Booleans.
+- Remove node definitions and change node usage to generic nodes.
+- Add kernel_service access vectors, from Stephen Smalley.
+- Added modules:
+ certmaster (Dan Walsh)
+ cpufreqselector (Dan Walsh)
+ devicekit (Dan Walsh)
+ fprintd (Dan Walsh)
+ git (Dan Walsh)
+ gpsd (Miroslav Grepl)
+ guest (Dan Walsh)
+ ifplugd (Dan Walsh)
+ lircd (Miroslav Grepl)
+ logadm (Dan Walsh)
+ pads (Dan Walsh)
+ pingd (Dan Walsh)
+ policykit (Dan Walsh)
+ pulseaudio (Dan Walsh)
+ psad (Dan Walsh)
+ portreserve (Dan Walsh)
+ sssd (Dan Walsh)
+ ulogd (Dan Walsh)
+ varnishd (Dan Walsh)
+ webadm (Dan Walsh)
+ wm (Dan Walsh)
+ xguest (Dan Walsh)
+ zosremote (Dan Walsh)
+
+* Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210
+- Fix consistency of audioentropy and iscsi module naming.
+- Debian file context fix for xen from Russell Coker.
+- Xserver MLS fix from Eamon Walsh.
+- Add omapi port for dhcpcd.
+- Deprecate per-role templates and rolemap support.
+- Implement user-based access control for use as role separations.
+- Move shared library calls from individual modules to the domain module.
+- Enable open permission checks policy capability.
+- Remove hierarchy from portage module as it is not a good example of
+ hieararchy.
+- Remove enableaudit target from modular build as semodule -DB supplants it.
+- Added modules:
+ milter (Paul Howarth)
+
+* Tue Oct 14 2008 Chris PeBenito <selinux@tresys.com> - 20081014
+- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
+- Logrotate and Bind updates from Vaclav Ovsik.
+- Init script file and domain support.
+- Glibc 2.7 fix from Vaclav Ovsik.
+- Samba/winbind update from Mike Edenfield.
+- Policy size optimization with a non-security file attribute from James
+ Carter.
+- Database labeled networking update from KaiGai Kohei.
+- Several misc changes from the Fedora policy, cherry picked by David
+ Hardeman.
+- Large whitespace fix from Dominick Grift.
+- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
+- Issuing commands to upstart is over a datagram socket, not the initctl
+ named pipe. Updated init_telinit() to match.
+- Added modules:
+ cyphesis (Dan Walsh)
+ memcached (Dan Walsh)
+ oident (Dominick Grift)
+ w3c (Dan Walsh)
+
+* Wed Jul 02 2008 Chris PeBenito <selinux@tresys.com> - 20080702
+- Fix httpd_enable_homedirs to actually provide the access it is supposed to
+ provide.
+- Add unused interface/template parameter metadata in XML.
+- Patch to handle postfix data_directory from Vaclav Ovsik.
+- SE-Postgresql policy from KaiGai Kohei.
+- Patch for X.org dbus support from Martin Orr.
+- Patch for labeled networking controls in 2.6.25 from Paul Moore.
+- Module loading now requires setsched on kernel threads.
+- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
+- X application data class from Eamon Walsh and Ted Toth.
+- Move user roles into individual modules.
+- Make hald_log_t a log file.
+- Cryptsetup runs shell scripts. Patch from Martin Orr.
+- Add file for enabling policy capabilities.
+- Patch to fix leaky interface/template call depth calculator from Vaclav
+ Ovsik.
+- Added modules:
+ kerneloops (Dan Walsh)
+ kismet (Dan Walsh)
+ podsleuth (Dan Walsh)
+ prelude (Dan Walsh)
+ qemu (Dan Walsh)
+ virt (Dan Walsh)
+
+* Wed Apr 02 2008 Chris PeBenito <selinux@tresys.com> - 20080402
+- Add core Security Enhanced X Windows support.
+- Fix winbind socket connection interface for default location of the
+ sock_file.
+- Add wireshark module based on ethereal module.
+- Revise upstart support in init module to use a tunable, as upstart is now
+ used in Fedora too.
+- Add iferror.m4 rather generate it out of the Makefiles.
+- Definitions for open permisson on file and similar objects from Eric
+ Paris.
+- Apt updates for ptys and logs, from Martin Orr.
+- RPC update from Vaclav Ovsik.
+- Exim updates on Debian from Devin Carrawy.
+- Pam and samba updates from Stefan Schulze Frielinghaus.
+- Backup update on Debian from Vaclav Ovsik.
+- Cracklib update on Debian from Vaclav Ovsik.
+- Label /proc/kallsyms with system_map_t.
+- 64-bit capabilities from Stephen Smalley.
+- Labeled networking peer object class updates.
+
+* Fri Dec 14 2007 Chris PeBenito <selinux@tresys.com> - 20071214
+- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
+- Improve several tunables descriptions from Dan Walsh.
+- Patch to clean up ns switch usage in the policy from Dan Walsh.
+- More complete labeled networking infrastructure from KaiGai Kohei.
+- Add interface for libselinux constructor, for libselinux-linked
+ SELinux-enabled programs.
+- Patch to restructure user role templates to create restricted user roles
+ from Dan Walsh.
+- Russian man page translations from Andrey Markelov.
+- Remove unused types from dbus.
+- Add infrastructure for managing all user web content.
+- Deprecate some old file and dir permission set macros in favor of the
+ newer, more consistently-named macros.
+- Patch to clean up unescaped periods in several file context entries from
+ Jan-Frode Myklebust.
+- Merge shlib_t into lib_t.
+- Merge strict and targeted policies. The policy will now behave like the
+ strict policy if the unconfined module is not present. If it is, it will
+ behave like the targeted policy. Added an unconfined role to have a mix
+ of confined and unconfined users.
+- Added modules:
+ exim (Dan Walsh)
+ postfixpolicyd (Jan-Frode Myklebust)
+
+* Fri Sep 28 2007 Chris PeBenito <selinux@tresys.com> - 20070928
+- Add support for setting the unknown permissions handling.
+- Fix XML building for external reference builds and headers builds.
+- Patch to add missing requirements in userdomain interfaces from Shintaro
+ Fujiwara.
+- Add tcpd_wrapped_domain() for services that use tcp wrappers.
+- Update MLS constraints from LSPP evaluated policy.
+- Allow initrc_t file descriptors to be inherited regardless of MLS level.
+ Accordingly drop MLS permissions from daemons that inherit from any level.
+- Files and radvd updates from Stefan Schulze Frielinghaus.
+- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
+ mls_write_all_levels() and mls_read_all_levels(), for consistency.
+- Add make kernel and init ranged interfaces pass the range transition MLS
+ constraints. Also remove calls to mls_rangetrans_target() in modules that use
+ the kernel and init interfaces, since its redundant.
+- Add interfaces for all MLS attributes except X object classes.
+- Require all sensitivities and categories for MLS and MCS policies, not just
+ the low and high sensitivity and category.
+- Database userspace object manager classes from KaiGai Kohei.
+- Add third-party interface for Apache CGI.
+- Add getserv and shmemserv nscd permissions.
+- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
+- Added modules:
+ application
+ awstats (Stefan Schulze Frielinghaus)
+ bitlbee (Devin Carraway)
+ brctl (Dan Walsh)
+
+* Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629
+- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
+ libraries module.
+- Unified labeled networking policy from Paul Moore.
+- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
+- Xen updates from Dan Walsh.
+- Filesystem updates from Dan Walsh.
+- Large samba update from Dan Walsh.
+- Drop snmpd_etc_t.
+- Confine sendmail and logrotate on targeted.
+- Tunable connection to postgresql for users from KaiGai Kohei.
+- Memprotect support patch from Stephen Smalley.
+- Add logging_send_audit_msgs() interface and deprecate
+ send_audit_msgs_pattern().
+- Openct updates patch from Dan Walsh.
+- Merge restorecon into setfiles.
+- Patch to begin separating out hald helper programs from Dan Walsh.
+- Fixes for squid, dovecot, and snmp from Dan Walsh.
+- Miscellaneous consolekit fixes from Dan Walsh.
+- Patch to have avahi use the nsswitch interface rather than individual
+ permissions from Dan Walsh.
+- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
+- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
+ to handle usage from userhelper from Dan Walsh.
+- Patch to allow amavis to read spamassassin libraries from Dan Walsh.
+- Patch to allow slocate to getattr other filesystems and directories on those
+ filesystems from Dan Walsh.
+- Fixes for RHEL4 from the CLIP project.
+- Replace the old lrrd fc entries with munin ones.
+- Move program admin template usage out of userdom_admin_user_template() to
+ sysadm policy in userdomain.te to fix usage of the template for third
+ parties.
+- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
+ template instead of an interface.
+- Added modules:
+ amtu (Dan Walsh)
+ apcupsd (Dan Walsh)
+ rpcbind (Dan Walsh)
+ rwho (Nalin Dahyabhai)
+
+* Tue Apr 17 2007 Chris PeBenito <selinux@tresys.com> - 20070417
+- Patch for sasl's use of kerberos from Dan Walsh.
+- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
+- Man page updates from Dan Walsh.
+- Two patches from Paul Moore to for ipsec to remove redundant rules and
+ have setkey read the config file.
+- Move booleans and tunables to modules when it is only used in a single
+ module.
+- Add support for tunables and booleans local to a module.
+- Merge sbin_t and ls_exec_t into bin_t.
+- Remove disable_trans booleans.
+- Output different header sets for kernel and userland from flask headers.
+- Marked the pax class as deprecated, changed it to userland so
+ it will be removed from the kernel.
+- Stop including netfilter contexts by default.
+- Add dontaudits for init fds and console to init_daemon_domain().
+- Patch to allow gpg to create user keys dir.
+- Patch to support kvmfs from Dan Walsh.
+- Patch for misc fixes in sudo from Dan Walsh.
+- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
+- Patch for handling restart of nscd when ran from useradd, groupadd, and
+ admin passwd, from Dan Walsh.
+- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
+- Patch for setroubleshoot for validating file contexts from Dan Walsh.
+- Patch for gssd fixes from Dan Walsh.
+- Patch for lvm fixes from Dan Walsh.
+- Patch for ricci fixes from Dan Walsh.
+- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
+- Patch for kerberized telnet fixes from Dan Walsh.
+- Patch for kerberized ftp and other ftp fixes from Dan Walsh.
+- Patch for an additional wine executable from Dan Walsh.
+- Eight patches for file contexts in games, wine, networkmanager, miscfiles,
+ corecommands, devices, and java from Dan Walsh.
+- Add support for libselinux 2.0.5 init_selinuxmnt() changes.
+- Patch for misc fixes to bluetooth from Dan Walsh.
+- Patch for misc fixes to kerberos from Dan Walsh.
+- Patch to start deprecating usercanread attribute from Ryan Bradetich.
+- Add dccp_socket object class which was added in kernel 2.6.20.
+- Patch for prelink relabefrom it's temp files from Dan Walsh.
+- Patch for capability fix for auditd and networking fix for syslogd from
+ Dan Walsh.
+- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
+- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
+- Patch to allow apmd to telinit from Dan Walsh.
+- Patch for additional labeling of samba files from Stefan Schulze
+ Frielinghaus.
+- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
+- Fix ptys and ttys to be device nodes.
+- Fix explicit use of httpd_t in openca_domtrans().
+- Clean up file context regexes in apache and java, from Eamon Walsh.
+- Patches from Dan Walsh:
+ Thu, 25 Jan 2007
+- Added modules:
+ consolekit (Dan Walsh)
+ fail2ban (Dan Walsh)
+ zabbix (Dan Walsh)
+
+* Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
+- Add policy patterns support macros. This changes the behavior of
+ the create_dir_perms and create_file_perms permission sets.
+- Association polmatch MLS constraint making unlabeled_t an exception
+ is no longer needed, patch from Venkat Yekkirala.
+- Context contains checking for PAM and cron from James Antill.
+- Add a reload target to Modules.devel and change the load
+ target to only insert modules that were changed.
+- Allow semanage to read from /root on strict non-MLS for
+ local policy modules.
+- Gentoo init script fixes for udev.
+- Allow udev to read kernel modules.inputmap.
+- Dnsmasq fixes from testing.
+- Allow kernel NFS server to getattr filesystems so df can work
+ on clients.
+- Patch from Matt Anderson for a MLS constraint exemption on a
+ file that can be written to from a subject whose range is
+ within the object's range.
+- Enhanced setransd support from Darrel Goeddel.
+- Patches from Dan Walsh:
+ Tue, 24 Oct 2006
+ Wed, 29 Nov 2006
+- Added modules:
+ aide (Matt Anderson)
+ ccs (Dan Walsh)
+ iscsi (Dan Walsh)
+ ricci (Dan Walsh)
+
+* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
+- Patch from Russell Coker Thu, 5 Oct 2006
+- Move range transitions to modules.
+- Make number of MLS sensitivities, and number of MLS and MCS
+ categories configurable as build options.
+- Add role infrastructure.
+- Debian updates from Erich Schubert.
+- Add nscd_socket_use() to auth_use_nsswitch().
+- Remove old selopt rules.
+- Full support for netfilter_contexts.
+- MRTG patch for daemon operation from Stefan.
+- Add authlogin interface to abstract common access for login programs.
+- Remove setbool auditallow, except for RHEL4.
+- Change eventpollfs to task SID labeling.
+- Add key support from Michael LeMay.
+- Add ftpdctl domain to ftp, from Paul Howarth.
+- Fix build system to not move type declarations out of optionals.
+- Add gcc-config domain to portage.
+- Add packet object class and support in corenetwork.
+- Add a copy of genhomedircon for monolithic policy building, so that a
+ policycoreutils package update is not required for RHEL4 systems.
+- Add appletalk sockets for use in cups.
+- Add Make target to validate module linking.
+- Make duplicate template and interface declarations a fatal error.
+- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
+- Move xconsole_device_t from devices to xserver since it is
+ not actually a device, it is a named pipe.
+- Handle nonexistant .fc and .if files in devel Makefile by
+ automatically creating empty files.
+- Remove unused devfs_control_t.
+- Add rhel4 distro, which also implies redhat distro.
+- Remove unneeded range_transition for su_exec_t and move the
+ type declaration back to the su module.
+- Constrain transitions in MCS so unconfined_t cannot have
+ arbitrary category sets.
+- Change reiserfs from xattr filesystem to genfscon as it's xattrs
+ are currently nonfunctional.
+- Change files and filesystem modules to use their own interfaces.
+- Add user fonts to xserver.
+- Additional interfaces in corecommands, miscfiles, and userdomain
+ from Joy Latten.
+- Miscellaneous fixes from Thomas Bleher.
+- Deprecate module name as first parameter of optional_policy()
+ now that optionals are allowed everywhere.
+- Enable optional blocks in base module and monolithic policy.
+ This requires checkpolicy 1.30.1.
+- Fix vpn module declaration.
+- Numerous fixes from Dan Walsh.
+- Change build order to preserve m4 line number information so policy
+ compile errors are useful again.
+- Additional MLS interfaces from Chad Hanson.
+- Move some rules out of domain_type() and domain_base_type()
+ to the TE file, to use the domain attribute to take advantage
+ of space savings from attribute use.
+- Add global stack smashing protector rule for urandom access from
+ Petre Rodan.
+- Fix temporary rules at the bottom of portmap.
+- Updated comments in mls file from Chad Hanson.
+- Patches from Dan Walsh:
+ Fri, 17 Mar 2006
+ Wed, 29 Mar 2006
+ Tue, 11 Apr 2006
+ Fri, 14 Apr 2006
+ Tue, 18 Apr 2006
+ Thu, 20 Apr 2006
+ Tue, 02 May 2006
+ Mon, 15 May 2006
+ Thu, 18 May 2006
+ Tue, 06 Jun 2006
+ Mon, 12 Jun 2006
+ Tue, 20 Jun 2006
+ Wed, 26 Jul 2006
+ Wed, 23 Aug 2006
+ Thu, 31 Aug 2006
+ Fri, 01 Sep 2006
+ Tue, 05 Sep 2006
+ Wed, 20 Sep 2006
+ Fri, 22 Sep 2006
+ Mon, 25 Sep 2006
+- Added modules:
+ afs
+ amavis (Erich Schubert)
+ apt (Erich Schubert)
+ asterisk
+ audioentropy
+ authbind
+ backup
+ calamaris
+ cipe
+ clamav (Erich Schubert)
+ clockspeed (Petre Rodan)
+ courier
+ dante
+ dcc
+ ddclient
+ dpkg (Erich Schubert)
+ dnsmasq
+ ethereal
+ evolution
+ games
+ gatekeeper
+ gift
+ gnome (James Carter)
+ imaze
+ ircd
+ jabber
+ monop
+ mozilla
+ mplayer
+ munin
+ nagios
+ nessus
+ netlabel (Paul Moore)
+ nsd
+ ntop
+ nx
+ oav
+ oddjob (Dan Walsh)
+ openca
+ openvpn (Petre Rodan)
+ perdition
+ portslave
+ postgrey
+ pxe
+ pyzor (Dan Walsh)
+ qmail (Petre Rodan)
+ razor
+ resmgr
+ rhgb
+ rssh
+ snort
+ soundserver
+ speedtouch
+ sxid
+ thunderbird
+ tor (Erich Schubert)
+ transproxy
+ tripwire
+ uptime
+ uwimap
+ vmware
+ watchdog
+ xen (Dan Walsh)
+ xprint
+ yam
+
+* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
+- Make all interface parameters required.
+- Move boot_t, system_map_t, and modules_object_t to files module,
+ and move bootloader to admin layer.
+- Add semanage policy for semodule from Dan Walsh.
+- Remove allow_execmem from targeted policy domain_base_type().
+- Add users_extra and seusers support.
+- Postfix fixes from Serge Hallyn.
+- Run python and shell directly to interpret scripts so policy
+ sources need not be executable.
+- Add desc tag XML to booleans and tunables, and add summary
+ to param XML tag, to make future translations possible.
+- Remove unused lvm_vg_t.
+- Many interface renames to improve naming consistency.
+- Merge xdm into xserver.
+- Remove kernel module reversed interfaces.
+- Add filename attribute to module XML tag and lineno attribute to
+ interface XML tag.
+- Changed QUIET build option to a yes or no option.
+- Add a Makefile used for compiling loadable modules in a
+ user's development environment, building against policy headers.
+- Add Make target for installing policy headers.
+- Separate per-userdomain template expansion from the userdomain
+ module and add infrastructure to expand templates in the modules
+ that own the template.
+- Enable secadm only for MLS policies.
+- Remove role change rules in su and sudo since this functionality has been
+ removed from these programs.
+- Add ctags Make target from Thomas Bleher.
+- Collapse commands with grep piped to sed into one sed command.
+- Fix type_change bug in term_user_pty().
+- Move ice_tmp_t from miscfiles to xserver.
+- Login fixes from Serge Hallyn.
+- Move xserver_log_t from xdm to xserver.
+- Add lpr per-userdomain policy to lpd.
+- Miscellaneous fixes from Dan Walsh.
+- Change initrc_var_run_t interface noun from script_pid to utmp,
+ for greater clarity.
+- Added modules:
+ certwatch
+ mono (Dan Walsh)
+ mrtg
+ portage
+ tvtime
+ userhelper
+ usernetctl
+ wine (Dan Walsh)
+ xserver
+
+* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
+- Adds support for generating corenetwork interfaces based on attributes
+ in addition to types.
+- Permits the listing of multiple nodes in a network_node() that will be
+ given the same type.
+- Add two new permission sets for stream sockets.
+- Rename file type transition interfaces verb from create to
+ filetrans to differentiate it from create interfaces without
+ type transitions.
+- Fix expansion of interfaces from disabled modules.
+- Rsync can be long running from init,
+ added rules to allow this.
+- Add polyinstantiation build option.
+- Add setcontext to the association object class.
+- Add apache relay and db connect tunables.
+- Rename texrel_shlib_t to textrel_shlib_t.
+- Add swat to samba module.
+- Numerous miscellaneous fixes from Dan Walsh.
+- Added modules:
+ alsa
+ automount
+ cdrecord
+ daemontools (Petre Rodan)
+ ddcprobe
+ djbdns (Petre Rodan)
+ fetchmail
+ irc
+ java
+ lockdev
+ logwatch (Dan Walsh)
+ openct
+ prelink (Dan Walsh)
+ publicfile (Petre Rodan)
+ readahead
+ roundup
+ screen
+ slocate (Dan Walsh)
+ slrnpull
+ smartmon
+ sysstat
+ ucspitcp (Petre Rodan)
+ usbmodules
+ vbetool (Dan Walsh)
+
+* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
+- Add unlabeled IPSEC association rule to domains with
+ networking permissions.
+- Merge systemuser back in to users, as these files
+ do not need to be split.
+- Add check for duplicate interface/template definitions.
+- Move domain, files, and corecommands modules to kernel
+ layer to resolve some layering inconsistencies.
+- Move policy build options out of Makefile into build.conf.
+- Add yppasswd to nis module.
+- Change optional_policy() to refer to the module name
+ rather than modulename.te.
+- Fix labeling targets to use installed file_contexts rather
+ than partial file_contexts in the policy source directory.
+- Fix build process to use make's internal vpath functions
+ to detect modules rather than using subshells and find.
+- Add install target for modular policy.
+- Add load target for modular policy.
+- Add appconfig dependency to the load target.
+- Miscellaneous fixes from Dan Walsh.
+- Fix corenetwork gen_context()'s to expand during the policy
+ build phase instead of during the generation phase.
+- Added policies:
+ amanda
+ avahi
+ canna
+ cyrus
+ dbskk
+ dovecot
+ distcc
+ i18n_input
+ irqbalance
+ lpd
+ networkmanager
+ pegasus
+ postfix
+ procmail
+ radius
+ rdisc
+ rpc
+ spamassassin
+ timidity
+ xdm
+ xfs
+
+* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
+- Many fixes to make loadable modules build.
+- Add targets for sechecker.
+- Updated to sedoctool to read bool files and tunable
+ files separately.
+- Changed the xml tag of <boolean> to <bool> to be consistent
+ with gen_bool().
+- Modified the implementation of segenxml to use regular
+ expressions.
+- Rename context_template() to gen_context() to clarify
+ that its not a Reference Policy template, but a support
+ macro.
+- Add disable_*_trans bool support for targeted policy.
+- Add MLS module to handle MLS constraint exceptions,
+ such as reading up and writing down.
+- Fix errors uncovered by sediff.
+- Added policies:
+ anaconda
+ apache
+ apm
+ arpwatch
+ bluetooth
+ dmidecode
+ finger
+ ftp
+ kudzu
+ mailman
+ ppp
+ radvd
+ sasl
+ webalizer
+
+* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
+- Make logrotate, sendmail, sshd, and rpm policies
+ unconfined in the targeted policy so no special
+ modules.conf is required.
+- Add experimental MCS support.
+- Add appconfig for MLS.
+- Add equivalents for old can_resolve(), can_ldap(), and
+ can_portmap() to sysnetwork.
+- Fix base module compile issues.
+- Added policies:
+ cpucontrol
+ cvs
+ ktalk
+ portmap
+ postgresql
+ rlogin
+ samba
+ snmp
+ stunnel
+ telnet
+ tftp
+ uucp
+ vpn
+ zebra
+
+* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
+- Fix errors uncovered by sediff.
+- Doc tool will explicitly say a module does not have interfaces
+ or templates on the module page.
+- Added policies:
+ comsat
+ dbus
+ dhcp
+ dictd
+ hal
+ inn
+ ntp
+ squid
+
+* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
+- Add Makefile support for building loadable modules.
+- Add genclassperms.py tool to add require blocks
+ for loadable modules.
+- Change sedoctool to make required modules part of base
+ by default, otherwise make as modules, in modules.conf.
+- Fix segenxml to handle modules with no interfaces.
+- Rename ipsec connect interface for consistency.
+- Add missing parts of unix stream socket connect interface
+ of ipsec.
+- Rename inetd connect interface for consistency.
+- Rename interface for purging contents of tmp, for clarity,
+ since it allows deletion of classes other than file.
+- Misc. cleanups.
+- Added policies:
+ acct
+ bind
+ firstboot
+ gpm
+ howl
+ ldap
+ loadkeys
+ mysql
+ privoxy
+ quota
+ rshd
+ rsync
+ su
+ sudo
+ tcpd
+ tmpreaper
+ updfstab
+
+* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
+- Fix comparison bug in fc_sort.
+- Fix handling of ordered and unordered HTML lists.
+- Corenetwork now supports multiple network interfaces having the
+ same type.
+- Doc tool now creates pages for global Booleans and global tunables.
+- Doc tool now links directly to the interface/template in the
+ module page when it is selected in the interface/template index.
+- Added support for layer summaries.
+- Added policies:
+ ipsec
+ nscd
+ pcmcia
+ raid
+
+* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
+- Changed xml to have modules encapsulated by layer tags, rather
+ than putting layer="foo" in the module tags. Also in the future
+ we can put a summary and description for each layer.
+- Added tool to infer interface, module, and layer tags. This will
+ now list all interfaces, even if they are missing xml docs.
+- Shortened xml tag names.
+- Added macros to declare interfaces and templates.
+- Added interface call trace.
+- Updated all xml documentation for shorter and inferred tags.
+- Doc tool now displays templates in the web pages.
+- Doc tool retains the user's settings in modules.conf and
+ tunables.conf if the files already exist.
+- Modules.conf behavior has been changed to be a list of all
+ available modules, and the user can specify if the module is
+ built as a loadable module, included in the monolithic policy,
+ or excluded.
+- Added policies:
+ fstools (fsck, mkfs, swapon, etc. tools)
+ logrotate
+ inetd
+ kerberos
+ nis (ypbind and ypserv)
+ ssh (server, client, and agent)
+ unconfined
+- Added infrastructure for targeted policy support, only missing
+ transition boolean support.
+
+* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615
+ - Initial release
diff --git a/INSTALL b/INSTALL
new file mode 100644
index 00000000..d2ab5cb5
--- /dev/null
+++ b/INSTALL
@@ -0,0 +1,42 @@
+Reference Policy has the following build requirements:
+ * libsepol 2.1.0
+ * libsemanage 2.1.0
+ * checkpolicy 2.1.0
+ * policycoreutils 2.1.0
+ * Python PyXML
+ * GCC
+
+To install Reference Policy sources into /etc/selinux/refpolicy/src/policy:
+
+ make install-src
+
+This will back up a pre-existing source policy to the
+/etc/selinux/refpolicy/src/policy.bak directory.
+
+If you do not have a modules.conf, one can be generated:
+
+ make conf
+
+This will create a default modules.conf. Options for the policy
+build process can be found in build.conf. After installing the policy sources,
+the old Make targets have been maintained for the monolithic policy:
+
+Local policy development:
+
+ make policy
+
+Compile and install the policy:
+
+ make install
+
+Compile, install, and load the policy:
+
+ make load
+
+Filesystem labeling:
+
+ make relabel
+ make checklabels
+ make restorelabels
+
+See the README for more information on available make targets.
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..39a3d408
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,637 @@
+#
+# Makefile for the security policy.
+#
+# Targets:
+#
+# install - compile and install the policy configuration, and context files.
+# load - compile, install, and load the policy configuration.
+# reload - compile, install, and load/reload the policy configuration.
+# relabel - relabel filesystems based on the file contexts configuration.
+# checklabels - check filesystems against the file context configuration
+# restorelabels - check filesystems against the file context configuration
+# and restore the label of files with incorrect labels
+# policy - compile the policy configuration locally for testing/development.
+#
+# The default target is 'policy'.
+#
+#
+# Please see build.conf for policy build options.
+#
+
+########################################
+#
+# NO OPTIONS BELOW HERE
+#
+
+# Include the local build.conf if it exists, otherwise
+# include the configuration of the root directory.
+include build.conf
+
+ifdef LOCAL_ROOT
+ -include $(LOCAL_ROOT)/build.conf
+endif
+
+# refpolicy version
+version = $(shell cat VERSION)
+
+ifdef LOCAL_ROOT
+builddir := $(LOCAL_ROOT)/
+tmpdir := $(LOCAL_ROOT)/tmp
+tags := $(LOCAL_ROOT)/tags
+else
+tmpdir := tmp
+tags := tags
+endif
+
+# executable paths
+BINDIR ?= /usr/bin
+SBINDIR ?= /usr/sbin
+ifdef TEST_TOOLCHAIN
+tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
+tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)/sbin
+else
+tc_usrbindir := $(BINDIR)
+tc_usrsbindir := $(SBINDIR)
+tc_sbindir := /sbin
+endif
+CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
+CHECKMODULE ?= $(tc_usrbindir)/checkmodule
+SEMODULE ?= $(tc_usrsbindir)/semodule
+SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
+SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
+SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
+LOADPOLICY ?= $(tc_usrsbindir)/load_policy
+SETFILES ?= $(tc_sbindir)/setfiles
+XMLLINT ?= $(BINDIR)/xmllint
+SECHECK ?= $(BINDIR)/sechecker
+
+# interpreters and aux tools
+AWK ?= gawk
+GREP ?= egrep
+INSTALL ?= install
+M4 ?= m4
+PYTHON ?= python
+SED ?= sed
+SORT ?= LC_ALL=C sort
+UMASK ?= umask
+
+CFLAGS += -Wall
+
+# policy source layout
+poldir := policy
+moddir := $(poldir)/modules
+flaskdir := $(poldir)/flask
+secclass := $(flaskdir)/security_classes
+isids := $(flaskdir)/initial_sids
+avs := $(flaskdir)/access_vectors
+
+# local source layout
+ifdef LOCAL_ROOT
+local_poldir := $(LOCAL_ROOT)/policy
+local_moddir := $(local_poldir)/modules
+endif
+
+# policy building support tools
+support := support
+genxml := $(PYTHON) -E $(support)/segenxml.py
+gendoc := $(PYTHON) -E $(support)/sedoctool.py
+genperm := $(PYTHON) -E $(support)/genclassperms.py
+fcsort := $(tmpdir)/fc_sort
+setbools := $(AWK) -f $(support)/set_bools_tuns.awk
+get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
+comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed
+gennetfilter := $(PYTHON) -E $(support)/gennetfilter.py
+m4iferror := $(support)/iferror.m4
+m4divert := $(support)/divert.m4
+m4undivert := $(support)/undivert.m4
+# use our own genhomedircon to make sure we have a known usable one,
+# so policycoreutils updates are not required (RHEL4)
+genhomedircon := $(PYTHON) -E $(support)/genhomedircon
+
+# documentation paths
+docs := doc
+xmldtd = $(docs)/policy.dtd
+metaxml = metadata.xml
+doctemplate = $(docs)/templates
+docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc)
+
+ifndef LOCAL_ROOT
+polxml = $(docs)/policy.xml
+tunxml = $(docs)/global_tunables.xml
+boolxml = $(docs)/global_booleans.xml
+htmldir = $(docs)/html
+else
+polxml = $(LOCAL_ROOT)/doc/policy.xml
+tunxml = $(LOCAL_ROOT)/doc/global_tunables.xml
+boolxml = $(LOCAL_ROOT)/doc/global_booleans.xml
+htmldir = $(LOCAL_ROOT)/doc/html
+endif
+
+# config file paths
+globaltun = $(poldir)/global_tunables
+globalbool = $(poldir)/global_booleans
+user_files := $(poldir)/users
+policycaps := $(poldir)/policy_capabilities
+
+# local config file paths
+ifndef LOCAL_ROOT
+mod_conf = $(poldir)/modules.conf
+booleans = $(poldir)/booleans.conf
+tunables = $(poldir)/tunables.conf
+else
+mod_conf = $(local_poldir)/modules.conf
+booleans = $(local_poldir)/booleans.conf
+tunables = $(local_poldir)/tunables.conf
+endif
+
+# install paths
+PKGNAME ?= refpolicy-$(version)
+prefix = $(DESTDIR)/usr
+topdir = $(DESTDIR)/etc/selinux
+installdir = $(topdir)/$(strip $(NAME))
+srcpath = $(installdir)/src
+userpath = $(installdir)/users
+policypath = $(installdir)/policy
+contextpath = $(installdir)/contexts
+homedirpath = $(contextpath)/files/homedir_template
+fcpath = $(contextpath)/files/file_contexts
+fcsubspath = $(contextpath)/files/file_contexts.subs_dist
+ncpath = $(contextpath)/netfilter_contexts
+sharedir = $(prefix)/share/selinux
+modpkgdir = $(sharedir)/$(strip $(NAME))
+headerdir = $(modpkgdir)/include
+docsdir = $(prefix)/share/doc/$(PKGNAME)
+
+# enable MLS if requested.
+ifeq "$(TYPE)" "mls"
+ M4PARAM += -D enable_mls
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+ gennetfilter += -m
+endif
+
+# enable MLS if MCS requested.
+ifeq "$(TYPE)" "mcs"
+ M4PARAM += -D enable_mcs
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+ gennetfilter += -c
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+ M4PARAM += -D distro_$(DISTRO)
+endif
+
+# rhel4 also implies redhat
+ifeq "$(DISTRO)" "rhel4"
+ M4PARAM += -D distro_redhat
+endif
+
+ifeq "$(DISTRO)" "ubuntu"
+ M4PARAM += -D distro_debian
+endif
+
+ifneq ($(OUTPUT_POLICY),)
+ CHECKPOLICY += -c $(OUTPUT_POLICY)
+endif
+
+ifneq "$(CUSTOM_BUILDOPT)" ""
+ M4PARAM += $(foreach opt,$(CUSTOM_BUILDOPT),-D $(opt))
+endif
+
+# if not set, use the type as the name.
+NAME ?= $(TYPE)
+
+# default unknown permissions setting
+#UNK_PERMS ?= deny
+
+ifeq ($(DIRECT_INITRC),y)
+ M4PARAM += -D direct_sysadm_daemon
+endif
+
+ifeq "$(UBAC)" "y"
+ M4PARAM += -D enable_ubac
+endif
+
+# default MLS/MCS sensitivity and category settings.
+MLS_SENS ?= 16
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
+
+ifeq ($(QUIET),y)
+ verbose = @
+endif
+
+M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms
+
+# we need exuberant ctags; unfortunately it is named
+# differently on different distros
+ifeq ($(DISTRO),debian)
+ CTAGS := ctags-exuberant
+endif
+
+ifeq ($(DISTRO),gentoo)
+ CTAGS := exuberant-ctags
+endif
+
+CTAGS ?= ctags
+
+m4support := $(m4divert) $(wildcard $(poldir)/support/*.spt)
+ifdef LOCAL_ROOT
+m4support += $(wildcard $(local_poldir)/support/*.spt)
+endif
+m4support += $(m4undivert)
+
+appconf := config/appconfig-$(TYPE)
+seusers := $(appconf)/seusers
+appdir := $(contextpath)
+user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
+user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
+net_contexts := $(builddir)net_contexts
+
+all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+ifdef LOCAL_ROOT
+all_layers += $(shell find $(wildcard $(local_moddir)/*) -maxdepth 0 -type d)
+endif
+
+generated_te := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te.in)))
+generated_if := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.if.in)))
+generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in)))
+
+# sort here since it removes duplicates, which can happen
+# when a generated file is already generated
+detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
+
+modxml := $(addprefix $(tmpdir)/, $(detected_mods:.te=.xml))
+layerxml := $(sort $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers)))))
+layer_names := $(sort $(notdir $(all_layers)))
+all_metaxml = $(call detect-metaxml, $(layer_names))
+
+# modules.conf setting for base module
+configbase := base
+
+# modules.conf setting for loadable module
+configmod := module
+
+# modules.conf setting for unused module
+configoff := off
+
+# test for module overrides from command line
+mod_test = $(filter $(APPS_OFF), $(APPS_BASE) $(APPS_MODS))
+mod_test += $(filter $(APPS_MODS), $(APPS_BASE))
+ifneq "$(strip $(mod_test))" ""
+ $(error Applications must be base, module, or off, and not in more than one list! $(strip $(mod_test)) found in multiple lists!)
+endif
+
+# add on suffix to modules specified on command line
+cmdline_base := $(addsuffix .te,$(APPS_BASE))
+cmdline_mods := $(addsuffix .te,$(APPS_MODS))
+cmdline_off := $(addsuffix .te,$(APPS_OFF))
+
+# extract settings from modules.conf
+mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
+mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
+mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
+
+base_mods := $(cmdline_base)
+mod_mods := $(cmdline_mods)
+off_mods := $(cmdline_off)
+
+base_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_base))
+mod_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_mods))
+off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_off))
+
+# add modules not in modules.conf to the off list
+off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+
+# filesystems to be used in labeling targets
+filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+
+########################################
+#
+# Functions
+#
+
+# detect-metaxml layer_names
+ifdef LOCAL_ROOT
+define detect-metaxml
+ $(shell for i in $1; do \
+ if [ -d $(moddir)/$$i -a -d $(local_moddir)/$$i ]; then \
+ if [ -f $(local_moddir)/$$i/$(metaxml) ]; then \
+ echo $(local_moddir)/$$i/$(metaxml) ;\
+ else \
+ echo $(moddir)/$$i/$(metaxml) ;\
+ fi \
+ elif [ -d $(local_moddir)/$$i ]; then
+ echo $(local_moddir)/$$i/$(metaxml) ;\
+ else \
+ echo $(moddir)/$$i/$(metaxml) ;\
+ fi \
+ done )
+endef
+else
+define detect-metaxml
+ $(shell for i in $1; do echo $(moddir)/$$i/$(metaxml); done)
+endef
+endif
+
+########################################
+#
+# Load appropriate rules
+#
+
+ifeq ($(MONOLITHIC),y)
+ include Rules.monolithic
+else
+ include Rules.modular
+endif
+
+########################################
+#
+# Generated files
+#
+# NOTE: There is no "local" version of these files.
+#
+generate: $(generated_te) $(generated_if) $(generated_fc)
+
+$(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/kernel/corenetwork.if.m4 $(moddir)/kernel/corenetwork.if.in
+ @echo "#" > $@
+ @echo "# This is a generated file! Instead of modifying this file, the" >> $@
+ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+ @echo "#" >> $@
+ $(verbose) cat $@.in >> $@
+ $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+ | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \
+ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+$(moddir)/kernel/corenetwork.te: $(m4divert) $(moddir)/kernel/corenetwork.te.m4 $(m4undivert) $(moddir)/kernel/corenetwork.te.in
+ @echo "#" > $@
+ @echo "# This is a generated file! Instead of modifying this file, the" >> $@
+ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+ @echo "#" >> $@
+ $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ \
+ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+########################################
+#
+# Network packet labeling
+#
+$(net_contexts): $(moddir)/kernel/corenetwork.te.in
+ @echo "Creating netfilter network labeling rules"
+ $(verbose) $(gennetfilter) $^ > $@
+
+########################################
+#
+# Create config files
+#
+conf: $(mod_conf) $(booleans) $(generated_te) $(generated_if) $(generated_fc)
+
+$(mod_conf) $(booleans): $(polxml)
+ @echo "Updating $(mod_conf) and $(booleans)"
+ $(verbose) $(gendoc) -b $(booleans) -m $(mod_conf) -x $(polxml)
+
+########################################
+#
+# Generate the fc_sort program
+#
+$(fcsort) : $(support)/fc_sort.c
+ $(verbose) $(CC) $(CFLAGS) $^ -o $@
+
+########################################
+#
+# Documentation generation
+#
+$(layerxml): %.xml: $(all_metaxml) $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)) $(subst .te,.if, $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)))
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) cat $(filter %$(notdir $*)/$(metaxml), $(all_metaxml)) > $@
+ $(verbose) for i in $(basename $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
+ifdef LOCAL_ROOT
+ $(verbose) for i in $(basename $(filter $(addprefix $(local_moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
+endif
+
+$(tunxml): $(globaltun)
+ $(verbose) $(genxml) -w -t $< > $@
+
+$(boolxml): $(globalbool)
+ $(verbose) $(genxml) -w -b $< > $@
+
+$(polxml): $(layerxml) $(tunxml) $(boolxml)
+ @echo "Creating $(@F)"
+ @test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
+ $(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
+ $(verbose) echo '<policy>' >> $@
+ $(verbose) for i in $(basename $(notdir $(layerxml))); do echo "<layer name=\"$$i\">" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "</layer>" >> $@; done
+ $(verbose) cat $(tunxml) $(boolxml) >> $@
+ $(verbose) echo '</policy>' >> $@
+ $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
+ $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
+ fi
+
+xml: $(polxml)
+
+html $(tmpdir)/html: $(polxml)
+ @echo "Building html interface reference documentation in $(htmldir)"
+ @test -d $(htmldir) || mkdir -p $(htmldir)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(gendoc) -d $(htmldir) -T $(doctemplate) -x $(polxml)
+ $(verbose) cp $(doctemplate)/*.css $(htmldir)
+ @touch $(tmpdir)/html
+
+########################################
+#
+# Runtime binary policy patching of users
+#
+$(userpath)/system.users: $(m4support) $(tmpdir)/generated_definitions.conf $(user_files)
+ @mkdir -p $(tmpdir)
+ @echo "Installing system.users"
+ @echo "# " > $(tmpdir)/system.users
+ @echo "# Do not edit this file. " >> $(tmpdir)/system.users
+ @echo "# This file is replaced on reinstalls of this policy." >> $(tmpdir)/system.users
+ @echo "# Please edit local.users to make local changes." >> $(tmpdir)/system.users
+ @echo "#" >> $(tmpdir)/system.users
+ $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ | $(SED) -r -e 's/^[[:blank:]]+//' \
+ -e '/^[[:blank:]]*($$|#)/d' >> $(tmpdir)/system.users
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/system.users $@
+
+$(userpath)/local.users: config/local.users
+ @echo "Installing local.users"
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -b -m 0644 $< $@
+
+########################################
+#
+# Build Appconfig files
+#
+$(tmpdir)/initrc_context: $(appconf)/initrc_context
+ @mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@
+
+########################################
+#
+# Install Appconfig files
+#
+install-appconfig: $(appfiles)
+
+$(installdir)/booleans: $(booleans)
+ @mkdir -p $(tmpdir)
+ $(verbose) $(SED) -r -e 's/false/0/g' -e 's/true/1/g' \
+ -e '/^[[:blank:]]*($$|#)/d' $(booleans) | $(SORT) > $(tmpdir)/booleans
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/booleans $@
+
+$(contextpath)/files/media: $(appconf)/media
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $< $@
+
+$(fcsubspath): config/file_contexts.subs_dist
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $< $@
+
+$(contextpath)/users/%: $(appconf)/%_default_contexts
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $^ $@
+
+$(appdir)/%: $(appconf)/%
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $< > $(tmpdir)/$(@F)
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/$(@F) $@
+
+########################################
+#
+# Install policy headers
+#
+install-headers: $(layerxml) $(tunxml) $(boolxml)
+ @mkdir -p $(headerdir)
+ @echo "Installing $(NAME) policy headers."
+ $(verbose) $(INSTALL) -m 644 $^ $(headerdir)
+ $(verbose) mkdir -p $(headerdir)/support
+ $(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support
+ $(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
+ $(verbose) for i in $(notdir $(all_layers)); do \
+ mkdir -p $(headerdir)/$$i ;\
+ $(INSTALL) -m 644 $(moddir)/$$i/*.if $(headerdir)/$$i ;\
+ done
+ $(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
+ $(verbose) echo "NAME ?= $(NAME)" >> $(headerdir)/build.conf
+ifneq "$(DISTRO)" ""
+ $(verbose) echo "DISTRO ?= $(DISTRO)" >> $(headerdir)/build.conf
+endif
+ $(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
+ $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
+ $(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf
+ $(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
+ $(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
+ $(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
+ $(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
+
+########################################
+#
+# Install policy documentation
+#
+install-docs: $(tmpdir)/html
+ @mkdir -p $(docsdir)/html
+ @echo "Installing policy documentation"
+ $(verbose) $(INSTALL) -m 644 $(docfiles) $(docsdir)
+ $(verbose) $(INSTALL) -m 644 $(wildcard $(htmldir)/*) $(docsdir)/html
+
+########################################
+#
+# Install policy sources
+#
+install-src:
+ rm -rf $(srcpath)/policy.old
+ -mv $(srcpath)/policy $(srcpath)/policy.old
+ mkdir -p $(srcpath)/policy
+ cp -R . $(srcpath)/policy
+
+########################################
+#
+# Generate tags file
+#
+tags: $(tags)
+$(tags):
+ @($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
+ @LC_ALL=C $(CTAGS) -f $(tags) --langdef=te --langmap=te:..te.if.spt \
+ --regex-te='/^type[ \t]+(\w+)(,|;)/\1/t,type/' \
+ --regex-te='/^typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
+ --regex-te='/^attribute[ \t]+(\w+);/\1/a,attribute/' \
+ --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
+ --regex-te='/^[ \t]*interface\(`(\w+)/\1/i,interface/' \
+ --regex-te='/^[ \t]*template\(`(\w+)/\1/i,template/' \
+ --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' policy/modules/*/*.{if,te} policy/support/*.spt
+
+########################################
+#
+# Filesystem labeling
+#
+checklabels:
+ @echo "Checking labels on filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) -v -n $(fcpath) $(filesystems)
+
+restorelabels:
+ @echo "Restoring labels on filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) -v $(fcpath) $(filesystems)
+
+relabel:
+ @echo "Relabeling filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) $(fcpath) $(filesystems)
+
+resetlabels:
+ @echo "Resetting labels on filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) -F $(fcpath) $(filesystems)
+
+########################################
+#
+# Clean everything
+#
+bare: clean
+ rm -f $(polxml)
+ rm -f $(layerxml)
+ rm -f $(modxml)
+ rm -f $(tunxml)
+ rm -f $(boolxml)
+ rm -f $(mod_conf)
+ rm -f $(booleans)
+ rm -fR $(htmldir)
+ rm -f $(tags)
+# don't remove these files if we're given a local root
+ifndef LOCAL_ROOT
+ rm -f $(fcsort)
+ rm -f $(support)/*.pyc
+ifneq ($(generated_te),)
+ rm -f $(generated_te)
+endif
+ifneq ($(generated_if),)
+ rm -f $(generated_if)
+endif
+ifneq ($(generated_fc),)
+ rm -f $(generated_fc)
+endif
+endif
+
+.PHONY: install-src install-appconfig install-headers generate xml conf html bare tags
+.SUFFIXES:
+.SUFFIXES: .c
diff --git a/Makefile.orig b/Makefile.orig
new file mode 100644
index 00000000..5a439192
--- /dev/null
+++ b/Makefile.orig
@@ -0,0 +1,637 @@
+#
+# Makefile for the security policy.
+#
+# Targets:
+#
+# install - compile and install the policy configuration, and context files.
+# load - compile, install, and load the policy configuration.
+# reload - compile, install, and load/reload the policy configuration.
+# relabel - relabel filesystems based on the file contexts configuration.
+# checklabels - check filesystems against the file context configuration
+# restorelabels - check filesystems against the file context configuration
+# and restore the label of files with incorrect labels
+# policy - compile the policy configuration locally for testing/development.
+#
+# The default target is 'policy'.
+#
+#
+# Please see build.conf for policy build options.
+#
+
+########################################
+#
+# NO OPTIONS BELOW HERE
+#
+
+# Include the local build.conf if it exists, otherwise
+# include the configuration of the root directory.
+include build.conf
+
+ifdef LOCAL_ROOT
+ -include $(LOCAL_ROOT)/build.conf
+endif
+
+# refpolicy version
+version = $(shell cat VERSION)
+
+ifdef LOCAL_ROOT
+builddir := $(LOCAL_ROOT)/
+tmpdir := $(LOCAL_ROOT)/tmp
+tags := $(LOCAL_ROOT)/tags
+else
+tmpdir := tmp
+tags := tags
+endif
+
+# executable paths
+BINDIR ?= /usr/bin
+SBINDIR ?= /usr/sbin
+ifdef TEST_TOOLCHAIN
+tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
+tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)/sbin
+else
+tc_usrbindir := $(BINDIR)
+tc_usrsbindir := $(SBINDIR)
+tc_sbindir := /sbin
+endif
+CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
+CHECKMODULE ?= $(tc_usrbindir)/checkmodule
+SEMODULE ?= $(tc_usrsbindir)/semodule
+SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
+SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
+SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
+LOADPOLICY ?= $(tc_usrsbindir)/load_policy
+SETFILES ?= $(tc_sbindir)/setfiles
+XMLLINT ?= $(BINDIR)/xmllint
+SECHECK ?= $(BINDIR)/sechecker
+
+# interpreters and aux tools
+AWK ?= gawk
+GREP ?= egrep
+INSTALL ?= install
+M4 ?= m4
+PYTHON ?= python
+SED ?= sed
+SORT ?= LC_ALL=C sort
+UMASK ?= umask
+
+CFLAGS += -Wall
+
+# policy source layout
+poldir := policy
+moddir := $(poldir)/modules
+flaskdir := $(poldir)/flask
+secclass := $(flaskdir)/security_classes
+isids := $(flaskdir)/initial_sids
+avs := $(flaskdir)/access_vectors
+
+# local source layout
+ifdef LOCAL_ROOT
+local_poldir := $(LOCAL_ROOT)/policy
+local_moddir := $(local_poldir)/modules
+endif
+
+# policy building support tools
+support := support
+genxml := $(PYTHON) -E $(support)/segenxml.py
+gendoc := $(PYTHON) -E $(support)/sedoctool.py
+genperm := $(PYTHON) -E $(support)/genclassperms.py
+fcsort := $(tmpdir)/fc_sort
+setbools := $(AWK) -f $(support)/set_bools_tuns.awk
+get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
+comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed
+gennetfilter := $(PYTHON) -E $(support)/gennetfilter.py
+m4iferror := $(support)/iferror.m4
+m4divert := $(support)/divert.m4
+m4undivert := $(support)/undivert.m4
+# use our own genhomedircon to make sure we have a known usable one,
+# so policycoreutils updates are not required (RHEL4)
+genhomedircon := $(PYTHON) -E $(support)/genhomedircon
+
+# documentation paths
+docs := doc
+xmldtd = $(docs)/policy.dtd
+metaxml = metadata.xml
+doctemplate = $(docs)/templates
+docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc)
+
+ifndef LOCAL_ROOT
+polxml = $(docs)/policy.xml
+tunxml = $(docs)/global_tunables.xml
+boolxml = $(docs)/global_booleans.xml
+htmldir = $(docs)/html
+else
+polxml = $(LOCAL_ROOT)/doc/policy.xml
+tunxml = $(LOCAL_ROOT)/doc/global_tunables.xml
+boolxml = $(LOCAL_ROOT)/doc/global_booleans.xml
+htmldir = $(LOCAL_ROOT)/doc/html
+endif
+
+# config file paths
+globaltun = $(poldir)/global_tunables
+globalbool = $(poldir)/global_booleans
+user_files := $(poldir)/users
+policycaps := $(poldir)/policy_capabilities
+
+# local config file paths
+ifndef LOCAL_ROOT
+mod_conf = $(poldir)/modules.conf
+booleans = $(poldir)/booleans.conf
+tunables = $(poldir)/tunables.conf
+else
+mod_conf = $(local_poldir)/modules.conf
+booleans = $(local_poldir)/booleans.conf
+tunables = $(local_poldir)/tunables.conf
+endif
+
+# install paths
+PKGNAME ?= refpolicy-$(version)
+prefix = $(DESTDIR)/usr
+topdir = $(DESTDIR)/etc/selinux
+installdir = $(topdir)/$(strip $(NAME))
+srcpath = $(installdir)/src
+userpath = $(installdir)/users
+policypath = $(installdir)/policy
+contextpath = $(installdir)/contexts
+homedirpath = $(contextpath)/files/homedir_template
+fcpath = $(contextpath)/files/file_contexts
+fcsubspath = $(contextpath)/files/file_contexts.subs_dist
+ncpath = $(contextpath)/netfilter_contexts
+sharedir = $(prefix)/share/selinux
+modpkgdir = $(sharedir)/$(strip $(NAME))
+headerdir = $(modpkgdir)/include
+docsdir = $(prefix)/share/doc/$(PKGNAME)
+
+# enable MLS if requested.
+ifeq "$(TYPE)" "mls"
+ M4PARAM += -D enable_mls
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+ gennetfilter += -m
+endif
+
+# enable MLS if MCS requested.
+ifeq "$(TYPE)" "mcs"
+ M4PARAM += -D enable_mcs
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+ gennetfilter += -c
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+ M4PARAM += -D distro_$(DISTRO)
+endif
+
+# rhel4 also implies redhat
+ifeq "$(DISTRO)" "rhel4"
+ M4PARAM += -D distro_redhat
+endif
+
+ifeq "$(DISTRO)" "ubuntu"
+ M4PARAM += -D distro_debian
+endif
+
+ifneq ($(OUTPUT_POLICY),)
+ CHECKPOLICY += -c $(OUTPUT_POLICY)
+endif
+
+ifneq "$(CUSTOM_BUILDOPT)" ""
+ M4PARAM += $(foreach opt,$(CUSTOM_BUILDOPT),-D $(opt))
+endif
+
+# if not set, use the type as the name.
+NAME ?= $(TYPE)
+
+# default unknown permissions setting
+#UNK_PERMS ?= deny
+
+ifeq ($(DIRECT_INITRC),y)
+ M4PARAM += -D direct_sysadm_daemon
+endif
+
+ifeq "$(UBAC)" "y"
+ M4PARAM += -D enable_ubac
+endif
+
+# default MLS/MCS sensitivity and category settings.
+MLS_SENS ?= 16
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
+
+ifeq ($(QUIET),y)
+ verbose = @
+endif
+
+M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms
+
+# we need exuberant ctags; unfortunately it is named
+# differently on different distros
+ifeq ($(DISTRO),debian)
+ CTAGS := ctags-exuberant
+endif
+
+ifeq ($(DISTRO),gentoo)
+ CTAGS := exuberant-ctags
+endif
+
+CTAGS ?= ctags
+
+m4support := $(m4divert) $(wildcard $(poldir)/support/*.spt)
+ifdef LOCAL_ROOT
+m4support += $(wildcard $(local_poldir)/support/*.spt)
+endif
+m4support += $(m4undivert)
+
+appconf := config/appconfig-$(TYPE)
+seusers := $(appconf)/seusers
+appdir := $(contextpath)
+user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
+user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
+net_contexts := $(builddir)net_contexts
+
+all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+ifdef LOCAL_ROOT
+all_layers += $(shell find $(wildcard $(local_moddir)/*) -maxdepth 0 -type d)
+endif
+
+generated_te := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te.in)))
+generated_if := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.if.in)))
+generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in)))
+
+# sort here since it removes duplicates, which can happen
+# when a generated file is already generated
+detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
+
+modxml := $(addprefix $(tmpdir)/, $(detected_mods:.te=.xml))
+layerxml := $(sort $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers)))))
+layer_names := $(sort $(notdir $(all_layers)))
+all_metaxml = $(call detect-metaxml, $(layer_names))
+
+# modules.conf setting for base module
+configbase := base
+
+# modules.conf setting for loadable module
+configmod := module
+
+# modules.conf setting for unused module
+configoff := off
+
+# test for module overrides from command line
+mod_test = $(filter $(APPS_OFF), $(APPS_BASE) $(APPS_MODS))
+mod_test += $(filter $(APPS_MODS), $(APPS_BASE))
+ifneq "$(strip $(mod_test))" ""
+ $(error Applications must be base, module, or off, and not in more than one list! $(strip $(mod_test)) found in multiple lists!)
+endif
+
+# add on suffix to modules specified on command line
+cmdline_base := $(addsuffix .te,$(APPS_BASE))
+cmdline_mods := $(addsuffix .te,$(APPS_MODS))
+cmdline_off := $(addsuffix .te,$(APPS_OFF))
+
+# extract settings from modules.conf
+mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
+mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
+mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
+
+base_mods := $(cmdline_base)
+mod_mods := $(cmdline_mods)
+off_mods := $(cmdline_off)
+
+base_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_base))
+mod_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_mods))
+off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_off))
+
+# add modules not in modules.conf to the off list
+off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+
+# filesystems to be used in labeling targets
+filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+
+########################################
+#
+# Functions
+#
+
+# detect-metaxml layer_names
+ifdef LOCAL_ROOT
+define detect-metaxml
+ $(shell for i in $1; do \
+ if [ -d $(moddir)/$$i -a -d $(local_moddir)/$$i ]; then \
+ if [ -f $(local_moddir)/$$i/$(metaxml) ]; then \
+ echo $(local_moddir)/$$i/$(metaxml) ;\
+ else \
+ echo $(moddir)/$$i/$(metaxml) ;\
+ fi \
+ elif [ -d $(local_moddir)/$$i ]; then
+ echo $(local_moddir)/$$i/$(metaxml) ;\
+ else \
+ echo $(moddir)/$$i/$(metaxml) ;\
+ fi \
+ done )
+endef
+else
+define detect-metaxml
+ $(shell for i in $1; do echo $(moddir)/$$i/$(metaxml); done)
+endef
+endif
+
+########################################
+#
+# Load appropriate rules
+#
+
+ifeq ($(MONOLITHIC),y)
+ include Rules.monolithic
+else
+ include Rules.modular
+endif
+
+########################################
+#
+# Generated files
+#
+# NOTE: There is no "local" version of these files.
+#
+generate: $(generated_te) $(generated_if) $(generated_fc)
+
+$(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/kernel/corenetwork.if.m4 $(moddir)/kernel/corenetwork.if.in
+ @echo "#" > $@
+ @echo "# This is a generated file! Instead of modifying this file, the" >> $@
+ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+ @echo "#" >> $@
+ $(verbose) cat $@.in >> $@
+ $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+ | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \
+ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+$(moddir)/kernel/corenetwork.te: $(m4divert) $(moddir)/kernel/corenetwork.te.m4 $(m4undivert) $(moddir)/kernel/corenetwork.te.in
+ @echo "#" > $@
+ @echo "# This is a generated file! Instead of modifying this file, the" >> $@
+ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+ @echo "#" >> $@
+ $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ \
+ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+########################################
+#
+# Network packet labeling
+#
+$(net_contexts): $(moddir)/kernel/corenetwork.te.in
+ @echo "Creating netfilter network labeling rules"
+ $(verbose) $(gennetfilter) $^ > $@
+
+########################################
+#
+# Create config files
+#
+conf: $(mod_conf) $(booleans) $(generated_te) $(generated_if) $(generated_fc)
+
+$(mod_conf) $(booleans): $(polxml)
+ @echo "Updating $(mod_conf) and $(booleans)"
+ $(verbose) $(gendoc) -b $(booleans) -m $(mod_conf) -x $(polxml)
+
+########################################
+#
+# Generate the fc_sort program
+#
+$(fcsort) : $(support)/fc_sort.c
+ $(verbose) $(CC) $(CFLAGS) $^ -o $@
+
+########################################
+#
+# Documentation generation
+#
+$(layerxml): %.xml: $(all_metaxml) $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)) $(subst .te,.if, $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)))
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) cat $(filter %$(notdir $*)/$(metaxml), $(all_metaxml)) > $@
+ $(verbose) for i in $(basename $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
+ifdef LOCAL_ROOT
+ $(verbose) for i in $(basename $(filter $(addprefix $(local_moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
+endif
+
+$(tunxml): $(globaltun)
+ $(verbose) $(genxml) -w -t $< > $@
+
+$(boolxml): $(globalbool)
+ $(verbose) $(genxml) -w -b $< > $@
+
+$(polxml): $(layerxml) $(tunxml) $(boolxml)
+ @echo "Creating $(@F)"
+ @test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
+ $(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
+ $(verbose) echo '<policy>' >> $@
+ $(verbose) for i in $(basename $(notdir $(layerxml))); do echo "<layer name=\"$$i\">" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "</layer>" >> $@; done
+ $(verbose) cat $(tunxml) $(boolxml) >> $@
+ $(verbose) echo '</policy>' >> $@
+ $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
+ $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
+ fi
+
+xml: $(polxml)
+
+html $(tmpdir)/html: $(polxml)
+ @echo "Building html interface reference documentation in $(htmldir)"
+ @test -d $(htmldir) || mkdir -p $(htmldir)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(gendoc) -d $(htmldir) -T $(doctemplate) -x $(polxml)
+ $(verbose) cp $(doctemplate)/*.css $(htmldir)
+ @touch $(tmpdir)/html
+
+########################################
+#
+# Runtime binary policy patching of users
+#
+$(userpath)/system.users: $(m4support) $(tmpdir)/generated_definitions.conf $(user_files)
+ @mkdir -p $(tmpdir)
+ @echo "Installing system.users"
+ @echo "# " > $(tmpdir)/system.users
+ @echo "# Do not edit this file. " >> $(tmpdir)/system.users
+ @echo "# This file is replaced on reinstalls of this policy." >> $(tmpdir)/system.users
+ @echo "# Please edit local.users to make local changes." >> $(tmpdir)/system.users
+ @echo "#" >> $(tmpdir)/system.users
+ $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ | $(SED) -r -e 's/^[[:blank:]]+//' \
+ -e '/^[[:blank:]]*($$|#)/d' >> $(tmpdir)/system.users
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/system.users $@
+
+$(userpath)/local.users: config/local.users
+ @echo "Installing local.users"
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -b -m 0644 $< $@
+
+########################################
+#
+# Build Appconfig files
+#
+$(tmpdir)/initrc_context: $(appconf)/initrc_context
+ @mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@
+
+########################################
+#
+# Install Appconfig files
+#
+install-appconfig: $(appfiles)
+
+$(installdir)/booleans: $(booleans)
+ @mkdir -p $(tmpdir)
+ $(verbose) $(SED) -r -e 's/false/0/g' -e 's/true/1/g' \
+ -e '/^[[:blank:]]*($$|#)/d' $(booleans) | $(SORT) > $(tmpdir)/booleans
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/booleans $@
+
+$(contextpath)/files/media: $(appconf)/media
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $< $@
+
+$(fcsubspath): config/file_contexts.subs_dist
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $< $@
+
+$(contextpath)/users/%: $(appconf)/%_default_contexts
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $^ $@
+
+$(appdir)/%: $(appconf)/%
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $< > $(tmpdir)/$(@F)
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/$(@F) $@
+
+########################################
+#
+# Install policy headers
+#
+install-headers: $(layerxml) $(tunxml) $(boolxml)
+ @mkdir -p $(headerdir)
+ @echo "Installing $(NAME) policy headers."
+ $(verbose) $(INSTALL) -m 644 $^ $(headerdir)
+ $(verbose) mkdir -p $(headerdir)/support
+ $(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support
+ $(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
+ $(verbose) for i in $(notdir $(all_layers)); do \
+ mkdir -p $(headerdir)/$$i ;\
+ $(INSTALL) -m 644 $(moddir)/$$i/*.if $(headerdir)/$$i ;\
+ done
+ $(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
+ $(verbose) echo "NAME ?= $(NAME)" >> $(headerdir)/build.conf
+ifneq "$(DISTRO)" ""
+ $(verbose) echo "DISTRO ?= $(DISTRO)" >> $(headerdir)/build.conf
+endif
+ $(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
+ $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
+ $(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf
+ $(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
+ $(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
+ $(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
+ $(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
+
+########################################
+#
+# Install policy documentation
+#
+install-docs: $(tmpdir)/html
+ @mkdir -p $(docsdir)/html
+ @echo "Installing policy documentation"
+ $(verbose) $(INSTALL) -m 644 $(docfiles) $(docsdir)
+ $(verbose) $(INSTALL) -m 644 $(wildcard $(htmldir)/*) $(docsdir)/html
+
+########################################
+#
+# Install policy sources
+#
+install-src:
+ rm -rf $(srcpath)/policy.old
+ -mv $(srcpath)/policy $(srcpath)/policy.old
+ mkdir -p $(srcpath)/policy
+ cp -R . $(srcpath)/policy
+
+########################################
+#
+# Generate tags file
+#
+tags: $(tags)
+$(tags):
+ @($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
+ @LC_ALL=C $(CTAGS) -f $(tags) --langdef=te --langmap=te:..te.if.spt \
+ --regex-te='/^type[ \t]+(\w+)(,|;)/\1/t,type/' \
+ --regex-te='/^typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
+ --regex-te='/^attribute[ \t]+(\w+);/\1/a,attribute/' \
+ --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
+ --regex-te='/^[ \t]*interface\(`(\w+)/\1/i,interface/' \
+ --regex-te='/^[ \t]*template\(`(\w+)/\1/i,template/' \
+ --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' policy/modules/*/*.{if,te} policy/support/*.spt
+
+########################################
+#
+# Filesystem labeling
+#
+checklabels:
+ @echo "Checking labels on filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) -v -n $(fcpath) $(filesystems)
+
+restorelabels:
+ @echo "Restoring labels on filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) -v $(fcpath) $(filesystems)
+
+relabel:
+ @echo "Relabeling filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) $(fcpath) $(filesystems)
+
+resetlabels:
+ @echo "Resetting labels on filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) -F $(fcpath) $(filesystems)
+
+########################################
+#
+# Clean everything
+#
+bare: clean
+ rm -f $(polxml)
+ rm -f $(layerxml)
+ rm -f $(modxml)
+ rm -f $(tunxml)
+ rm -f $(boolxml)
+ rm -f $(mod_conf)
+ rm -f $(booleans)
+ rm -fR $(htmldir)
+ rm -f $(tags)
+# don't remove these files if we're given a local root
+ifndef LOCAL_ROOT
+ rm -f $(fcsort)
+ rm -f $(support)/*.pyc
+ifneq ($(generated_te),)
+ rm -f $(generated_te)
+endif
+ifneq ($(generated_if),)
+ rm -f $(generated_if)
+endif
+ifneq ($(generated_fc),)
+ rm -f $(generated_fc)
+endif
+endif
+
+.PHONY: install-src install-appconfig install-headers generate xml conf html bare tags
+.SUFFIXES:
+.SUFFIXES: .c
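Review bot: Makefile.orig looks like a patch-tool backup committed by accident — its visible content is byte-for-byte the tail of the Makefile hunk above, and a second copy of the build logic will only drift, so I would drop it from the commit (`git rm Makefile.orig`) rather than maintain it. If it stays, the following applies to both it and Makefile: `$(mod_conf) $(booleans): $(polxml)` and `html $(tmpdir)/html: $(polxml)` each declare two independent rules sharing one recipe, so under `make -j` the recipe can run twice concurrently on the same output files; a grouped target (`$(mod_conf) $(booleans) &: $(polxml)`, GNU make 4.3+) or a stamp file avoids that. `filesystems = $(shell mount | ...)` is recursively expanded, so the mount pipeline is re-run at every reference (twice in each labeling target); `filesystems := ...` evaluates it once per make run. The tags recipe's `policy/modules/*/*.{if,te}` relies on brace expansion, which plain POSIX sh does not perform, and no `SHELL := bash` is visible in this file, so the pattern may be passed to ctags literally — presumably build.conf or the environment sets SHELL, worth confirming.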
diff --git a/README b/README
index 345e6aef..a3e8082a 100644
--- a/README
+++ b/README
@@ -1 +1,264 @@
-Test
+1) Reference Policy make targets:
+
+General Make targets:
+
+install-src Install the policy sources into
+ /etc/selinux/NAME/src/policy, where NAME is defined in
+ the Makefile. If not defined, the TYPE, as defined in
+ the Makefile, is used. The default NAME is refpolicy.
+ A pre-existing source policy will be moved to
+ /etc/selinux/NAME/src/policy.bak.
+
+conf Regenerate policy.xml, and update/create modules.conf
+ and booleans.conf. This should be done after adding
+ or removing modules, or after running the bare target.
+ If the configuration files exist, their settings will
+ be preserved. This must be ran on policy sources that
+ are checked out from the CVS repository before they can
+ be used.
+
+clean Delete all temporary files, compiled policies,
+ and file_contexts. Configuration files are left intact.
+
+bare Do the clean make target and also delete configuration
+ files, web page documentation, and policy.xml.
+
+html Regenerate policy.xml and create web page documentation
+ in the doc/html directory.
+
+Make targets specific to modular (loadable modules) policies:
+
+base Compile and package the base module. This is the
+ default target for modular policies.
+
+modules Compile and package all Reference Policy modules
+ configured to be built as loadable modules.
+
+MODULENAME.pp Compile and package the MODULENAME Reference Policy
+ module.
+
+all Compile and package the base module and all Reference
+ Policy modules configured to be built as loadable
+ modules.
+
+install Compile, package, and install the base module and
+ Reference Policy modules configured to be built as
+ loadable modules.
+
+load Compile, package, and install the base module and
+ Reference Policy modules configured to be built as
+ loadable modules, then insert them into the module
+ store.
+
+validate Validate if the configured modules can successfully
+ link and expand.
+
+install-headers Install the policy headers into /usr/share/selinux/NAME.
+ The headers are sufficient for building a policy
+ module locally, without requiring the complete
+ Reference Policy sources. The build.conf settings
+ for this policy configuration should be set before
+ using this target.
+
+Make targets specific to monolithic policies:
+
+policy Compile a policy locally for development and testing.
+ This is the default target for monolithic policies.
+
+install Compile and install the policy and file contexts.
+
+load Compile and install the policy and file contexts, then
+ load the policy.
+
+enableaudit Remove all dontaudit rules from policy.conf.
+
+relabel Relabel the filesystem.
+
+checklabels Check the labels on the filesystem, and report when
+ a file would be relabeled, but do not change its label.
+
+restorelabels Relabel the filesystem and report each file that is
+ relabeled.
+
+
+2) Reference Policy Build Options (build.conf)
+
+TYPE String. Available options are standard, mls, and mcs.
+ For a type enforcement only system, set standard.
+ This optionally enables multi-level security (MLS) or
+ multi-category security (MCS) features. This option
+ controls enable_mls, and enable_mcs policy blocks.
+
+NAME String (optional). Sets the name of the policy; the
+ NAME is used when installing files to e.g.,
+ /etc/selinux/NAME and /usr/share/selinux/NAME. If not
+ set, the policy type (TYPE) is used.
+
+DISTRO String (optional). Enable distribution-specific policy.
+ Available options are redhat, rhel4, gentoo, debian,
+ and suse. This option controls distro_redhat,
+ distro_rhel4, distro_gentoo, distro_debian, and
+ distro_suse policy blocks.
+
+MONOLITHIC Boolean. If set, a monolithic policy is built,
+ otherwise a modular policy is built.
+
+DIRECT_INITRC Boolean. If set, sysadm will be allowed to directly
+ run init scripts, instead of requiring the run_init
+ tool. This is a build option instead of a tunable since
+ role transitions do not work in conditional policy.
+ This option controls direct_sysadm_daemon policy
+ blocks.
+
+OUTPUT_POLICY Integer. Set the version of the policy created when
+ building a monolithic policy. This option has no effect
+ on modular policy.
+
+UNK_PERMS String. Set the kernel behavior for handling of
+ permissions defined in the kernel but missing from the
+ policy. The permissions can either be allowed, denied,
+ or the policy loading can be rejected.
+
+UBAC Boolean. If set, the SELinux user will be used
+ additionally for approximate role separation.
+
+MLS_SENS Integer. Set the number of sensitivities in the MLS
+ policy. Ignored on standard and MCS policies.
+
+MLS_CATS Integer. Set the number of categories in the MLS
+ policy. Ignored on standard and MCS policies.
+
+MCS_CATS Integer. Set the number of categories in the MCS
+ policy. Ignored on standard and MLS policies.
+
+QUIET Boolean. If set, the build system will only display
+ status messages and error messages. This option has no
+ effect on policy.
+
+
+3) Reference Policy Files and Directories
+All directories relative to the root of the Reference Policy sources directory.
+
+Makefile General rules for building the policy.
+
+Rules.modular Makefile rules specific to building loadable module
+ policies.
+
+Rules.monolithic Makefile rules specific to building monolithic policies.
+
+build.conf Options which influence the building of the policy,
+ such as the policy type and distribution.
+
+config/appconfig-* Application configuration files for all configurations
+ of the Reference Policy (targeted/strict with or without
+ MLS or MCS). These are used by SELinux-aware programs.
+
+config/local.users The file read by load policy for adding SELinux users
+ to the policy on the fly.
+
+doc/html/* This contains the contents of the in-policy XML
+ documentation, presented in web page form.
+
+doc/policy.dtd The doc/policy.xml file is validated against this DTD.
+
+doc/policy.xml This file is generated/updated by the conf and html make
+ targets. It contains the complete XML documentation
+ included in the policy.
+
+doc/templates/* Templates used for documentation web pages.
+
+policy/booleans.conf This file is generated/updated by the conf make target.
+ It contains the booleans in the policy, and their
+ default values. If tunables are implemented as
+ booleans, tunables will also be included. This file
+ will be installed as the /etc/selinux/NAME/booleans
+ file.
+
+policy/constraints This file defines additional constraints on permissions
+ in the form of boolean expressions that must be
+ satisfied in order for specified permissions to be
+ granted. These constraints are used to further refine
+ the type enforcement rules and the role allow rules.
+ Typically, these constraints are used to restrict
+ changes in user identity or role to certain domains.
+
+policy/global_booleans This file defines all booleans that have a global scope,
+ their default value, and documentation.
+
+policy/global_tunables This file defines all tunables that have a global scope,
+ their default value, and documentation.
+
+policy/flask/initial_sids This file has declarations for each initial SID.
+
+policy/flask/security_classes This file has declarations for each security class.
+
+policy/flask/access_vectors This file defines the access vectors. Common
+ prefixes for access vectors may be defined at the
+ beginning of the file. After the common prefixes are
+ defined, an access vector may be defined for each
+ security class.
+
+policy/mcs The multi-category security (MCS) configuration.
+
+policy/mls The multi-level security (MLS) configuration.
+
+policy/modules/* Each directory represents a layer in Reference Policy
+ all of the modules are contained in one of these layers.
+
+policy/modules.conf This file contains a listing of available modules, and
+ how they will be used when building Reference Policy. To
+ prevent a module from being used, set the module to
+ "off". For monolithic policies, modules set to "base"
+ and "module" will be included in the policy. For
+ modular policies, modules set to "base" will be included
+ in the base module; those set to "module" will be
+ compiled as individual loadable modules.
+
+policy/support/* Support macros.
+
+policy/users This file defines the users included in the policy.
+
+support/* Tools used in the build process.
+
+
+4) Building policy modules using Reference Policy headers:
+
+The system must first have the Reference Policy headers installed, typically
+by the distribution. Otherwise, the headers can be installed using the
+install-headers target from the full Reference Policy sources.
+
+To set up a directory to build a local module, one must simply place a .te
+file in a directory. A sample Makefile to use in the directory is the
+Makefile.example in the doc directory. This may be installed in
+/usr/share/doc, under the directory for the distribution's policy.
+Alternatively, the primary Makefile in the headers directory (typically
+/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
+option.
+
+Larger projects can set up a structure of layers, just as in Reference
+Policy, by creating policy/modules/LAYERNAME directories. Each layer also
+must have a metadata.xml file which is an XML file with a summary tag and
+optional desc (long description) tag. This should describe the purpose of
+the layer.
+
+Metadata.xml example:
+
+<summary>ABC modules for the XYZ components.</summary>
+
+Make targets for modules built from headers:
+
+MODULENAME.pp Compile and package the MODULENAME local module.
+
+all Compile and package the modules in the current
+ directory.
+
+load Compile and package the modules in the current
+ directory, then insert them into the module store.
+
+refresh Attempts to reinsert all modules that are currently
+ in the module store from the local and system module
+ packages.
+
+xml Build a policy.xml from the XML included with the
+ base policy headers and any XML in the modules in
+ the current directory.
diff --git a/Rules.modular b/Rules.modular
new file mode 100644
index 00000000..313d8375
--- /dev/null
+++ b/Rules.modular
@@ -0,0 +1,217 @@
+########################################
+#
+# Rules and Targets for building modular policies
+#
+
+all_modules := $(base_mods) $(mod_mods) $(off_mods)
+all_interfaces := $(all_modules:.te=.if)
+
+base_pkg := $(builddir)base.pp
+base_fc := $(builddir)base.fc
+base_conf := $(builddir)base.conf
+base_mod := $(tmpdir)/base.mod
+
+users_extra := $(tmpdir)/users_extra
+
+base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
+
+base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
+base_te_files := $(base_mods)
+base_post_te_files := $(user_files) $(poldir)/constraints
+base_fc_files := $(base_mods:.te=.fc)
+
+mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))
+
+# policy packages to install
+instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs))
+
+# search layer dirs for source files
+vpath %.te $(all_layers)
+vpath %.if $(all_layers)
+vpath %.fc $(all_layers)
+
+.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod.fc))
+
+########################################
+#
+# default action: create all module packages
+#
+default: policy
+
+all policy: base modules
+
+base: $(base_pkg)
+
+modules: $(mod_pkgs)
+
+install: $(instpkg) $(appfiles)
+
+########################################
+#
+# Load all configured modules
+#
+load: $(instpkg) $(appfiles)
+# make sure two directories exist since they are not
+# created by semanage
+ @echo "Loading configured modules."
+ @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
+ $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
+
+########################################
+#
+# Install policy packages
+#
+$(modpkgdir)/%.pp: $(builddir)%.pp
+ @echo "Installing $(NAME) $(@F) policy package."
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $^ $(modpkgdir)
+
+########################################
+#
+# Build module packages
+#
+$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+ @echo "Compliling $(NAME) $(@F) module"
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+$(tmpdir)/%.mod.fc: $(m4support) %.fc
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $^ > $@
+
+$(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
+ @echo "Creating $(NAME) $(@F) policy package"
+ @test -d $(builddir) || mkdir -p $(builddir)
+ $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+
+########################################
+#
+# Create a base module package
+#
+$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
+ @echo "Creating $(NAME) base module package"
+ @test -d $(builddir) || mkdir -p $(builddir)
+ $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
+
+ifneq "$(UNK_PERMS)" ""
+$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
+endif
+$(base_mod): $(base_conf)
+ @echo "Compiling $(NAME) base module"
+ $(verbose) $(CHECKMODULE) $^ -o $@
+
+$(tmpdir)/seusers: $(seusers)
+ @mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@
+
+$(users_extra): $(m4support) $(user_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
+ $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
+
+########################################
+#
+# Construct a base.conf
+#
+$(base_conf): $(base_sections)
+ @echo "Creating $(NAME) base module $(@F)"
+ @test -d $(@D) || mkdir -p $(@D)
+ $(verbose) cat $^ > $@
+
+$(tmpdir)/pre_te_files.conf: M4PARAM += -D self_contained_policy
+$(tmpdir)/pre_te_files.conf: $(base_pre_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(tmpdir)/generated_definitions.conf:
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+# define all available object classes
+ $(verbose) $(genperm) $(avs) $(secclass) > $@
+ $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+ $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+
+$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
+$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ @echo "divert(-1)" > $@
+ $(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
+ $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
+ @echo "divert" >> $@
+
+$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files)
+ifeq "$(strip $(base_te_files))" ""
+ $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
+endif
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) -s $^ > $@
+
+$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
+$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last.
+$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
+ $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
+ $(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
+# these have to run individually because order matters:
+ $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
+
+########################################
+#
+# Construct a base.fc
+#
+$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort)
+ $(verbose) $(fcsort) $< $@
+
+$(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files)
+ifeq ($(base_fc_files),)
+ $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
+endif
+ @echo "Creating $(NAME) base module file contexts."
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+########################################
+#
+# Appconfig files
+#
+$(appdir)/customizable_types: $(base_conf)
+ $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/customizable_types $@
+
+########################################
+#
+# Validate linking and expanding of modules
+#
+validate: $(base_pkg) $(mod_pkgs)
+ @echo "Validating policy linking."
+ $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
+ $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
+ @echo "Success."
+
+########################################
+#
+# Clean the sources
+#
+clean:
+ rm -f $(base_conf)
+ rm -f $(base_fc)
+ rm -f $(builddir)*.pp
+ rm -f $(net_contexts)
+ rm -fR $(tmpdir)
+
+.PHONY: default all policy base modules install load clean validate
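Review bot: The all_interfaces.conf rule appends the m4 expansion to `$(tmpdir)/all_interfaces.conf.tmp` with `>>` (the `$(M4) $^ >> $(tmpdir)/$(@F).tmp` line) but nothing ever truncates that .tmp file, so every rerun after an interface change re-appends the whole expansion on top of the previous one and the stale copies are then carried into `$@` by the sed line; `$(verbose) $(M4) $^ > $(tmpdir)/$(@F).tmp` fixes it, and the Rules.monolithic hunk has the identical line. In the generated_definitions.conf recipe, `test -f $(booleans) && $(setbools) $(booleans) >> $@ || true` also turns a failing `$(setbools)` into success, so a policy could be built with the upstream boolean defaults rather than the values in booleans.conf with no error reported; `if test -f $(booleans); then $(setbools) $(booleans) >> $@; fi` keeps the file optional while still failing on a real error, and Rules.monolithic repeats this recipe too. The header `$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf:` defines three independent rules sharing one recipe, so under `make -j` the recipe can run up to three times concurrently writing the same files; a single stamp target that the three files depend on would make it run once. Finally, the echo in the `$(tmpdir)/%.mod` rule misspells `Compliling`.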
diff --git a/Rules.monolithic b/Rules.monolithic
new file mode 100644
index 00000000..7c4d0355
--- /dev/null
+++ b/Rules.monolithic
@@ -0,0 +1,256 @@
+########################################
+#
+# Rules and Targets for building monolithic policies
+#
+
+# determine the policy version and current kernel version if possible
+pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
+kv := $(shell cat /selinux/policyvers)
+
+# dont print version warnings if we are unable to determine
+# the currently running kernel's policy version
+ifeq "$(kv)" ""
+ kv := $(pv)
+endif
+
+policy_conf = $(builddir)policy.conf
+fc = $(builddir)file_contexts
+polver = $(builddir)policy.$(pv)
+homedir_template = $(builddir)homedir_template
+
+M4PARAM += -D self_contained_policy
+
+# install paths
+loadpath = $(policypath)/$(notdir $(polver))
+
+appfiles += $(installdir)/booleans $(installdir)/seusers $(userpath)/local.users
+
+# for monolithic policy use all base and module to create policy
+all_modules := $(strip $(base_mods) $(mod_mods))
+# off module interfaces included to make sure all interfaces are expanded.
+all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
+all_te_files := $(all_modules)
+all_fc_files := $(all_modules:.te=.fc)
+
+pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
+post_te_files := $(user_files) $(poldir)/constraints
+
+policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
+
+# search layer dirs for source files
+vpath %.te $(all_layers)
+vpath %.if $(all_layers)
+vpath %.fc $(all_layers)
+
+########################################
+#
+# default action: build policy locally
+#
+default: policy
+
+policy: $(polver)
+
+install: $(loadpath) $(fcpath) $(appfiles)
+
+load: $(tmpdir)/load
+
+checklabels: $(fcpath)
+restorelabels: $(fcpath)
+relabel: $(fcpath)
+resetlabels: $(fcpath)
+
+########################################
+#
+# Build a binary policy locally
+#
+ifneq "$(UNK_PERMS)" ""
+$(polver): CHECKPOLICY += -U $(UNK_PERMS)
+endif
+$(polver): $(policy_conf)
+ @echo "Compiling $(NAME) $(polver)"
+ifneq ($(pv),$(kv))
+ @echo
+ @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
+ @echo
+endif
+ $(verbose) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Install a binary policy
+#
+ifneq "$(UNK_PERMS)" ""
+$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
+endif
+$(loadpath): $(policy_conf)
+ @echo "Compiling and installing $(NAME) $(loadpath)"
+ifneq ($(pv),$(kv))
+ @echo
+ @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
+ @echo
+endif
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Load the binary policy
+#
+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
+ @echo "Loading $(NAME) $(loadpath)"
+ $(verbose) $(LOADPOLICY) -q $(loadpath)
+ @touch $(tmpdir)/load
+
+########################################
+#
+# Construct a monolithic policy.conf
+#
+$(policy_conf): $(policy_sections)
+ @echo "Creating $(NAME) $(@F)"
+ @test -d $(@D) || mkdir -p $(@D)
+ $(verbose) cat $^ > $@
+
+$(tmpdir)/pre_te_files.conf: $(pre_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(tmpdir)/generated_definitions.conf: $(all_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+# define all available object classes
+ $(verbose) $(genperm) $(avs) $(secclass) > $@
+ $(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
+ $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+
+$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ @echo "divert(-1)" > $@
+ $(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
+ $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
+ @echo "divert" >> $@
+
+$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files)
+ifeq "$(strip $(all_te_files))" ""
+ $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
+endif
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) -s $^ > $@
+
+$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last.
+$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
+ $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
+ $(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
+# these have to run individually because order matters:
+ $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
+
+########################################
+#
+# Remove the dontaudit rules from the policy.conf
+#
+enableaudit: $(policy_conf)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ @echo "Removing dontaudit rules from $(notdir $(policy_conf))"
+ $(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit
+ $(verbose) mv $(tmpdir)/policy.audit $(policy_conf)
+
+########################################
+#
+# Construct file_contexts
+#
+$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)
+ $(verbose) $(fcsort) $< $@
+ $(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template)
+ $(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@
+
+$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files)
+ifeq ($(all_fc_files),)
+ $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
+endif
+ @echo "Creating $(NAME) file_contexts."
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(homedir_template): $(fc)
+
+########################################
+#
+# Install file_contexts
+#
+$(fcpath): $(fc) $(loadpath) $(userpath)/system.users
+ @echo "Validating $(NAME) file_contexts."
+ $(verbose) $(SETFILES) -q -c $(loadpath) $(fc)
+ @echo "Installing file_contexts."
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
+ $(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
+ $(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
+ifeq "$(DISTRO)" "rhel4"
+# Setfiles in RHEL4 does not look at file_contexts.homedirs.
+ $(verbose) cat $@.homedirs >> $@
+# Delete the file_contexts.homedirs in case the toolchain has
+# been updated, to prevent duplicate match errors.
+ $(verbose) rm -f $@.homedirs
+endif
+
+########################################
+#
+# Intall netfilter_contexts
+#
+$(ncpath): $(net_contexts)
+ @echo "Installing $(NAME) netfilter_contexts."
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $^ $@
+
+########################################
+#
+# Run policy source checks
+#
+check: $(builddir)check.res
+$(builddir)check.res: $(policy_conf) $(fc)
+ $(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@
+
+longcheck: $(builddir)longcheck.res
+$(builddir)longcheck.res: $(policy_conf) $(fc)
+ $(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@
+
+########################################
+#
+# Appconfig files
+#
+$(appdir)/customizable_types: $(policy_conf)
+ $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/customizable_types $@
+
+$(installdir)/seusers: $(seusers)
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $(tmpdir)/seusers
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/seusers $@
+
+########################################
+#
+# Clean the sources
+#
+clean:
+ rm -f $(policy_conf)
+ rm -f $(polver)
+ rm -f $(fc)
+ rm -f $(homedir_template)
+ rm -f $(net_contexts)
+ rm -f *.res
+ rm -fR $(tmpdir)
+
+.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
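Review bot: The `$(loadpath)` rule has checkpolicy write the compiled binary directly into the install path (`$(verbose) $(CHECKPOLICY) $^ -o $@`), and neither this file nor the Makefile hunk declares `.DELETE_ON_ERROR:`, so if the compile fails after the output has been created a partial policy can be left at the load path with a fresh mtime and be treated as up to date by the next run; unless checkpolicy is known to write its output atomically, compiling into `$(polver)` and installing it with `$(INSTALL) -m 0644 $(polver) $@` (as `$(fcpath)` already does for file_contexts) is safer, and `.DELETE_ON_ERROR:` would also cover the `> $@` redirections in the check and longcheck rules. `kv := $(shell cat /selinux/policyvers)` prints a cat error at parse time on hosts where /selinux is not mounted; `kv := $(shell cat /selinux/policyvers 2>/dev/null)` keeps the intended empty-string fallback quiet. `rm -f *.res` in clean removes files from the current directory, while check.res and longcheck.res are written under `$(builddir)`, so the two only agree when builddir is the current directory; `rm -f $(builddir)*.res` would match the other clean lines.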
diff --git a/VERSION b/VERSION
new file mode 100644
index 00000000..04d1dd01
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+2.20120215
diff --git a/build.conf b/build.conf
new file mode 100644
index 00000000..5a521c46
--- /dev/null
+++ b/build.conf
@@ -0,0 +1,77 @@
+########################################
+#
+# Policy build options
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports. Setting this will
+# override the version. This only has an
+# effect for monolithic policies.
+#OUTPUT_POLICY = 18
+
+# Policy Type
+# standard, mls, mcs
+TYPE = standard
+
+# Policy Name
+# If set, this will be used as the policy
+# name. Otherwise the policy type will be
+# used for the name.
+NAME = refpolicy
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution. Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, suse, and rhel4 are current options.
+# Fedora users should enable redhat.
+#DISTRO = redhat
+
+# Unknown Permissions Handling
+# The behavior for handling permissions defined in the
+# kernel but missing from the policy. The permissions
+# can either be allowed, denied, or the policy loading
+# can be rejected.
+# allow, deny, and reject are current options.
+#UNK_PERMS = deny
+
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC = n
+
+# Build monolithic policy. Putting y here
+# will build a monolithic policy.
+MONOLITHIC = n
+
+# User-based access control (UBAC)
+# Enable UBAC for role separations.
+UBAC = y
+
+# Custom build options. This field enables custom
+# build options. Putting foo here will enable
+# build option blocks named foo. Options should be
+# separated by spaces.
+CUSTOM_BUILDOPT =
+
+# Number of MLS Sensitivities
+# The sensitivities will be s0 to s(MLS_SENS-1).
+# Dominance will be in increasing numerical order
+# with s0 being lowest.
+MLS_SENS = 16
+
+# Number of MLS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MLS_CATS = 1024
+
+# Number of MCS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MCS_CATS = 1024
+
+# Set this to y to only display status messages
+# during build.
+QUIET = n
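Review bot: The comment above `MCS_CATS` says the categories run `c0 to c(MLS_CATS-1)`, which names the MLS variable instead of the MCS one; it should read `# The categories will be c0 to c(MCS_CATS-1).`. The `DIRECT_INITRC` comment has a typo, `requring` should be `requiring`. With `#UNK_PERMS = deny` left commented out, the effective handling of permissions unknown to the policy depends on whatever default the Makefile applies, which this file does not state; a one-line comment naming that default would let a reader judge the setting without opening the Makefile.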
diff --git a/config/appconfig-mcs/dbus_contexts b/config/appconfig-mcs/dbus_contexts
new file mode 100644
index 00000000..116e684f
--- /dev/null
+++ b/config/appconfig-mcs/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
new file mode 100644
index 00000000..801d97b6
--- /dev/null
+++ b/config/appconfig-mcs/default_contexts
@@ -0,0 +1,15 @@
+system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mcs/default_type b/config/appconfig-mcs/default_type
new file mode 100644
index 00000000..33528d61
--- /dev/null
+++ b/config/appconfig-mcs/default_type
@@ -0,0 +1,6 @@
+auditadm_r:auditadm_t
+secadm_r:secadm_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+unconfined_r:unconfined_t
+user_r:user_t
diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
new file mode 100644
index 00000000..999abd9a
--- /dev/null
+++ b/config/appconfig-mcs/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mcs/guest_u_default_contexts b/config/appconfig-mcs/guest_u_default_contexts
new file mode 100644
index 00000000..90e52627
--- /dev/null
+++ b/config/appconfig-mcs/guest_u_default_contexts
@@ -0,0 +1,6 @@
+guest_r:guest_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
+system_r:initrc_su_t:s0 guest_r:guest_t:s0
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
diff --git a/config/appconfig-mcs/initrc_context b/config/appconfig-mcs/initrc_context
new file mode 100644
index 00000000..30ab971d
--- /dev/null
+++ b/config/appconfig-mcs/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0
diff --git a/config/appconfig-mcs/media b/config/appconfig-mcs/media
new file mode 100644
index 00000000..81f3463e
--- /dev/null
+++ b/config/appconfig-mcs/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-mcs/removable_context b/config/appconfig-mcs/removable_context
new file mode 100644
index 00000000..7fcc56e4
--- /dev/null
+++ b/config/appconfig-mcs/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/config/appconfig-mcs/root_default_contexts b/config/appconfig-mcs/root_default_contexts
new file mode 100644
index 00000000..7805778a
--- /dev/null
+++ b/config/appconfig-mcs/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
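Review bot: The commented-out `system_r:sshd_t:s0` row does not do what its comment promises: its first context is `unconfined_r:unconfined_t:s0`, and the first listed context the user is authorized for becomes the default, so on a build where root holds unconfined_r uncommenting it gives root ssh sessions unconfined_t, not sysadm_r. Either reorder it — `#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0` — or reword the comment to `# Uncomment to let root log in directly over ssh (lands in unconfined_t when unconfined_r is available, else sysadm_t)`. The comment should also state that enabling it removes the staff_r → su/sudo step for remote root, which is the reason the row ships disabled.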
diff --git a/config/appconfig-mcs/securetty_types b/config/appconfig-mcs/securetty_types
new file mode 100644
index 00000000..527d8358
--- /dev/null
+++ b/config/appconfig-mcs/securetty_types
@@ -0,0 +1 @@
+user_tty_device_t
diff --git a/config/appconfig-mcs/sepgsql_contexts b/config/appconfig-mcs/sepgsql_contexts
new file mode 100644
index 00000000..f8e9b1cd
--- /dev/null
+++ b/config/appconfig-mcs/sepgsql_contexts
@@ -0,0 +1,40 @@
+#
+# Initial security label for SE-PostgreSQL (MCS)
+#
+
+# <databases>
+db_database * system_u:object_r:sepgsql_db_t:s0
+
+# <schemas>
+db_schema *.* system_u:object_r:sepgsql_schema_t:s0
+
+# <tables>
+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_table *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <column>
+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t:s0
+db_column *.*.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <sequences>
+db_sequence *.*.* system_u:object_r:sepgsql_seq_t:s0
+
+# <views>
+db_view *.*.* system_u:object_r:sepgsql_view_t:s0
+
+# <procedures>
+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t:s0
+
+# <tuples>
+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <blobs>
+db_blob *.* system_u:object_r:sepgsql_blob_t:s0
+
+# <language>
+db_language *.sql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.* system_u:object_r:sepgsql_lang_t:s0
diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
new file mode 100644
index 00000000..dc5f1e42
--- /dev/null
+++ b/config/appconfig-mcs/seusers
@@ -0,0 +1,3 @@
+system_u:system_u:s0-mcs_systemhigh
+root:root:s0-mcs_systemhigh
+__default__:user_u:s0
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
new file mode 100644
index 00000000..881a292e
--- /dev/null
+++ b/config/appconfig-mcs/staff_u_default_contexts
@@ -0,0 +1,10 @@
+system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0 staff_r:staff_t:s0
+system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0 staff_r:cronjob_t:s0
+system_r:xdm_t:s0 staff_r:staff_t:s0
+staff_r:staff_su_t:s0 staff_r:staff_t:s0
+staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
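Review bot: `staff_r:staff_sudo_t:s0 staff_r:staff_t:s0` keeps sudo in staff_r for staff_u, whereas the global default_contexts in this same change lists `sysadm_r:sysadm_t:s0` first for `staff_r:staff_sudo_t:s0`; as far as I recall the per-user file is consulted before the global one, so this row wins and a staff_u admin must pass `-r sysadm_r` to sudo explicitly. That is the more conservative default, but nothing records that it is deliberate and the divergence invites a later "fix" that silently widens sudo. Add `# sudo stays in staff_r on purpose; request sysadm_r explicitly (sudo -r sysadm_r)` above the row. The trailing empty line at the end of the file can also be dropped.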
diff --git a/config/appconfig-mcs/unconfined_u_default_contexts b/config/appconfig-mcs/unconfined_u_default_contexts
new file mode 100644
index 00000000..106e093d
--- /dev/null
+++ b/config/appconfig-mcs/unconfined_u_default_contexts
@@ -0,0 +1,9 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
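Review bot: `system_r:rshd_t:s0 unconfined_r:unconfined_t:s0` lets an rsh/rlogin session land in unconfined_t, the broadest domain on the system, for a protocol that authenticates by host trust and carries everything in cleartext. The row is inert while no rshd policy module is loaded but becomes live the moment one is, so it should at least carry `# rshd: legacy cleartext protocol; remove this row before enabling rsh on a hardened host`. Separately, `system_r:sysadm_su_t:s0` pairs sysadm_su_t with system_r while default_contexts pairs it with sysadm_r — if the intent is to catch su run from init scripts, the guest and xguest files use `initrc_su_t` for that case and the three should agree.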
diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
new file mode 100644
index 00000000..cacbc939
--- /dev/null
+++ b/config/appconfig-mcs/user_u_default_contexts
@@ -0,0 +1,8 @@
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
+system_r:crond_t:s0 user_r:cronjob_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 user_r:user_t:s0
+user_r:user_sudo_t:s0 user_r:user_t:s0
+
diff --git a/config/appconfig-mcs/userhelper_context b/config/appconfig-mcs/userhelper_context
new file mode 100644
index 00000000..dc37a69b
--- /dev/null
+++ b/config/appconfig-mcs/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
new file mode 100644
index 00000000..d387b428
--- /dev/null
+++ b/config/appconfig-mcs/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
diff --git a/config/appconfig-mcs/virtual_image_context b/config/appconfig-mcs/virtual_image_context
new file mode 100644
index 00000000..8ab1e27e
--- /dev/null
+++ b/config/appconfig-mcs/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff --git a/config/appconfig-mcs/x_contexts b/config/appconfig-mcs/x_contexts
new file mode 100644
index 00000000..0b320443
--- /dev/null
+++ b/config/appconfig-mcs/x_contexts
@@ -0,0 +1,105 @@
+#
+# Config file for XSELinux extension
+#
+
+
+#
+##
+### Rules for X Clients
+##
+#
+
+#
+# The default client rule defines a context to be used for all clients
+# connecting to the server from a remote host.
+#
+client * system_u:object_r:remote_t:s0
+
+
+#
+##
+### Rules for X Properties
+##
+#
+
+#
+# Property rules map a property name to a context. A default property
+# rule indicated by an asterisk should follow all other property rules.
+#
+# Properties that normal clients may only read
+property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0
+
+# Clipboard and selection properties
+property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0
+
+# Default fallback type
+property * system_u:object_r:xproperty_t:s0
+
+
+#
+##
+### Rules for X Extensions
+##
+#
+
+#
+# Extension rules map an extension name to a context. A default extension
+# rule indicated by an asterisk should follow all other extension rules.
+#
+# Restricted extensions
+extension SELinux system_u:object_r:security_xextension_t:s0
+
+# Standard extensions
+extension * system_u:object_r:xextension_t:s0
+
+
+#
+##
+### Rules for X Selections
+##
+#
+
+# Selection rules map a selection name to a context. A default selection
+# rule indicated by an asterisk should follow all other selection rules.
+#
+# Standard selections
+selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
+selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0
+
+# Default fallback type
+selection * system_u:object_r:xselection_t:s0
+
+
+#
+##
+### Rules for X Events
+##
+#
+
+#
+# Event rules map an event protocol name to a context. A default event
+# rule indicated by an asterisk should follow all other event rules.
+#
+# Input events
+event X11:KeyPress system_u:object_r:input_xevent_t:s0
+event X11:KeyRelease system_u:object_r:input_xevent_t:s0
+event X11:ButtonPress system_u:object_r:input_xevent_t:s0
+event X11:ButtonRelease system_u:object_r:input_xevent_t:s0
+event X11:MotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0
+
+# Client message events
+event X11:ClientMessage system_u:object_r:client_xevent_t:s0
+event X11:SelectionNotify system_u:object_r:client_xevent_t:s0
+event X11:UnmapNotify system_u:object_r:client_xevent_t:s0
+event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0
+
+# Default fallback type
+event * system_u:object_r:xevent_t:s0
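Review bot: The selection rules label PRIMARY and CLIPBOARD as `clipboard_xselection_t` but say nothing about SECONDARY, the third ICCCM standard selection, so it falls through to the generic `xselection_t` default and is treated by policy as an ordinary selection rather than clipboard content. If that is an oversight, add `selection SECONDARY system_u:object_r:clipboard_xselection_t:s0` beside the other two; if it is deliberate, a one-line comment saying why SECONDARY is excluded will stop the next reader from "fixing" it. The mls and standard copies of this file in the same change have the same gap.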
diff --git a/config/appconfig-mcs/xguest_u_default_contexts b/config/appconfig-mcs/xguest_u_default_contexts
new file mode 100644
index 00000000..574363b5
--- /dev/null
+++ b/config/appconfig-mcs/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t:s0 xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+system_r:local_login_t:s0 xguest_r:xguest_t:s0
+system_r:remote_login_t:s0 xguest_r:xguest_t:s0
+system_r:sshd_t:s0 xguest_r:xguest_t:s0
+system_r:xdm_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
diff --git a/config/appconfig-mls/dbus_contexts b/config/appconfig-mls/dbus_contexts
new file mode 100644
index 00000000..116e684f
--- /dev/null
+++ b/config/appconfig-mls/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
new file mode 100644
index 00000000..801d97b6
--- /dev/null
+++ b/config/appconfig-mls/default_contexts
@@ -0,0 +1,15 @@
+system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mls/default_type b/config/appconfig-mls/default_type
new file mode 100644
index 00000000..33528d61
--- /dev/null
+++ b/config/appconfig-mls/default_type
@@ -0,0 +1,6 @@
+auditadm_r:auditadm_t
+secadm_r:secadm_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+unconfined_r:unconfined_t
+user_r:user_t
diff --git a/config/appconfig-mls/failsafe_context b/config/appconfig-mls/failsafe_context
new file mode 100644
index 00000000..999abd9a
--- /dev/null
+++ b/config/appconfig-mls/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mls/guest_u_default_contexts b/config/appconfig-mls/guest_u_default_contexts
new file mode 100644
index 00000000..e2106efa
--- /dev/null
+++ b/config/appconfig-mls/guest_u_default_contexts
@@ -0,0 +1,5 @@
+guest_r:guest_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
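Review bot: This file drops the `system_r:initrc_su_t:s0 guest_r:guest_t:s0` row that the mcs guest_u file in this same change carries, while the mls xguest_u file still has it, so the omission looks accidental rather than an MLS-specific decision. Without it, su to a guest_u account from an init-script context has no default in either this file or the mls default_contexts, and the caller is left to failsafe or prompt behaviour. Either add the row back or comment why MLS guests must not be an su target from initrc.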
diff --git a/config/appconfig-mls/initrc_context b/config/appconfig-mls/initrc_context
new file mode 100644
index 00000000..4598f92e
--- /dev/null
+++ b/config/appconfig-mls/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0-mls_systemhigh
diff --git a/config/appconfig-mls/media b/config/appconfig-mls/media
new file mode 100644
index 00000000..81f3463e
--- /dev/null
+++ b/config/appconfig-mls/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-mls/removable_context b/config/appconfig-mls/removable_context
new file mode 100644
index 00000000..7fcc56e4
--- /dev/null
+++ b/config/appconfig-mls/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/config/appconfig-mls/root_default_contexts b/config/appconfig-mls/root_default_contexts
new file mode 100644
index 00000000..7805778a
--- /dev/null
+++ b/config/appconfig-mls/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
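Review bot: The commented-out `system_r:sshd_t:s0` row lists `unconfined_r:unconfined_t:s0` first, so on a build where root holds unconfined_r uncommenting it gives root ssh sessions unconfined_t rather than the sysadm_r the comment advertises. Reorder it to `#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0` or reword the comment to describe what actually happens, and note that enabling it removes the staff_r → su/sudo step for remote root. This mirrors the mcs copy of the file, so whichever fix is chosen should be applied to both.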
diff --git a/config/appconfig-mls/securetty_types b/config/appconfig-mls/securetty_types
new file mode 100644
index 00000000..527d8358
--- /dev/null
+++ b/config/appconfig-mls/securetty_types
@@ -0,0 +1 @@
+user_tty_device_t
diff --git a/config/appconfig-mls/sepgsql_contexts b/config/appconfig-mls/sepgsql_contexts
new file mode 100644
index 00000000..76ff21cd
--- /dev/null
+++ b/config/appconfig-mls/sepgsql_contexts
@@ -0,0 +1,40 @@
+#
+# Initial security label for SE-PostgreSQL (MLS)
+#
+
+# <databases>
+db_database * system_u:object_r:sepgsql_db_t:s0
+
+# <schemas>
+db_schema *.* system_u:object_r:sepgsql_schema_t:s0
+
+# <tables>
+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_table *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <column>
+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t:s0
+db_column *.*.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <sequences>
+db_sequence *.*.* system_u:object_r:sepgsql_seq_t:s0
+
+# <views>
+db_view *.*.* system_u:object_r:sepgsql_view_t:s0
+
+# <procedures>
+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t:s0
+
+# <tuples>
+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <blobs>
+db_blob *.* system_u:object_r:sepgsql_blob_t:s0
+
+# <language>
+db_language *.sql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.* system_u:object_r:sepgsql_lang_t:s0
diff --git a/config/appconfig-mls/seusers b/config/appconfig-mls/seusers
new file mode 100644
index 00000000..dc156bfa
--- /dev/null
+++ b/config/appconfig-mls/seusers
@@ -0,0 +1,3 @@
+system_u:system_u:s0-mls_systemhigh
+root:root:s0-mls_systemhigh
+__default__:user_u:s0
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
new file mode 100644
index 00000000..881a292e
--- /dev/null
+++ b/config/appconfig-mls/staff_u_default_contexts
@@ -0,0 +1,10 @@
+system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0 staff_r:staff_t:s0
+system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0 staff_r:cronjob_t:s0
+system_r:xdm_t:s0 staff_r:staff_t:s0
+staff_r:staff_su_t:s0 staff_r:staff_t:s0
+staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
diff --git a/config/appconfig-mls/unconfined_u_default_contexts b/config/appconfig-mls/unconfined_u_default_contexts
new file mode 100644
index 00000000..106e093d
--- /dev/null
+++ b/config/appconfig-mls/unconfined_u_default_contexts
@@ -0,0 +1,9 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
new file mode 100644
index 00000000..cacbc939
--- /dev/null
+++ b/config/appconfig-mls/user_u_default_contexts
@@ -0,0 +1,8 @@
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
+system_r:crond_t:s0 user_r:cronjob_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 user_r:user_t:s0
+user_r:user_sudo_t:s0 user_r:user_t:s0
+
diff --git a/config/appconfig-mls/userhelper_context b/config/appconfig-mls/userhelper_context
new file mode 100644
index 00000000..dc37a69b
--- /dev/null
+++ b/config/appconfig-mls/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mls/virtual_domain_context b/config/appconfig-mls/virtual_domain_context
new file mode 100644
index 00000000..d387b428
--- /dev/null
+++ b/config/appconfig-mls/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
diff --git a/config/appconfig-mls/virtual_image_context b/config/appconfig-mls/virtual_image_context
new file mode 100644
index 00000000..8ab1e27e
--- /dev/null
+++ b/config/appconfig-mls/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff --git a/config/appconfig-mls/x_contexts b/config/appconfig-mls/x_contexts
new file mode 100644
index 00000000..0b320443
--- /dev/null
+++ b/config/appconfig-mls/x_contexts
@@ -0,0 +1,105 @@
+#
+# Config file for XSELinux extension
+#
+
+
+#
+##
+### Rules for X Clients
+##
+#
+
+#
+# The default client rule defines a context to be used for all clients
+# connecting to the server from a remote host.
+#
+client * system_u:object_r:remote_t:s0
+
+
+#
+##
+### Rules for X Properties
+##
+#
+
+#
+# Property rules map a property name to a context. A default property
+# rule indicated by an asterisk should follow all other property rules.
+#
+# Properties that normal clients may only read
+property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0
+
+# Clipboard and selection properties
+property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0
+
+# Default fallback type
+property * system_u:object_r:xproperty_t:s0
+
+
+#
+##
+### Rules for X Extensions
+##
+#
+
+#
+# Extension rules map an extension name to a context. A default extension
+# rule indicated by an asterisk should follow all other extension rules.
+#
+# Restricted extensions
+extension SELinux system_u:object_r:security_xextension_t:s0
+
+# Standard extensions
+extension * system_u:object_r:xextension_t:s0
+
+
+#
+##
+### Rules for X Selections
+##
+#
+
+# Selection rules map a selection name to a context. A default selection
+# rule indicated by an asterisk should follow all other selection rules.
+#
+# Standard selections
+selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
+selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0
+
+# Default fallback type
+selection * system_u:object_r:xselection_t:s0
+
+
+#
+##
+### Rules for X Events
+##
+#
+
+#
+# Event rules map an event protocol name to a context. A default event
+# rule indicated by an asterisk should follow all other event rules.
+#
+# Input events
+event X11:KeyPress system_u:object_r:input_xevent_t:s0
+event X11:KeyRelease system_u:object_r:input_xevent_t:s0
+event X11:ButtonPress system_u:object_r:input_xevent_t:s0
+event X11:ButtonRelease system_u:object_r:input_xevent_t:s0
+event X11:MotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0
+
+# Client message events
+event X11:ClientMessage system_u:object_r:client_xevent_t:s0
+event X11:SelectionNotify system_u:object_r:client_xevent_t:s0
+event X11:UnmapNotify system_u:object_r:client_xevent_t:s0
+event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0
+
+# Default fallback type
+event * system_u:object_r:xevent_t:s0
diff --git a/config/appconfig-mls/xguest_u_default_contexts b/config/appconfig-mls/xguest_u_default_contexts
new file mode 100644
index 00000000..574363b5
--- /dev/null
+++ b/config/appconfig-mls/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t:s0 xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+system_r:local_login_t:s0 xguest_r:xguest_t:s0
+system_r:remote_login_t:s0 xguest_r:xguest_t:s0
+system_r:sshd_t:s0 xguest_r:xguest_t:s0
+system_r:xdm_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
diff --git a/config/appconfig-standard/dbus_contexts b/config/appconfig-standard/dbus_contexts
new file mode 100644
index 00000000..116e684f
--- /dev/null
+++ b/config/appconfig-standard/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
new file mode 100644
index 00000000..64a0a90c
--- /dev/null
+++ b/config/appconfig-standard/default_contexts
@@ -0,0 +1,15 @@
+system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
+system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
+system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+system_r:sulogin_t sysadm_r:sysadm_t
+system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+
+staff_r:staff_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t
+
+sysadm_r:sysadm_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
+
+user_r:user_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t
diff --git a/config/appconfig-standard/default_type b/config/appconfig-standard/default_type
new file mode 100644
index 00000000..33528d61
--- /dev/null
+++ b/config/appconfig-standard/default_type
@@ -0,0 +1,6 @@
+auditadm_r:auditadm_t
+secadm_r:secadm_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+unconfined_r:unconfined_t
+user_r:user_t
diff --git a/config/appconfig-standard/failsafe_context b/config/appconfig-standard/failsafe_context
new file mode 100644
index 00000000..2f96c9fd
--- /dev/null
+++ b/config/appconfig-standard/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t
diff --git a/config/appconfig-standard/guest_u_default_contexts b/config/appconfig-standard/guest_u_default_contexts
new file mode 100644
index 00000000..85a35fb1
--- /dev/null
+++ b/config/appconfig-standard/guest_u_default_contexts
@@ -0,0 +1,7 @@
+guest_r:guest_t guest_r:guest_t
+system_r:crond_t guest_r:guest_t
+system_r:initrc_su_t guest_r:guest_t
+system_r:local_login_t guest_r:guest_t
+system_r:remote_login_t guest_r:guest_t
+system_r:sshd_t guest_r:guest_t
+
diff --git a/config/appconfig-standard/initrc_context b/config/appconfig-standard/initrc_context
new file mode 100644
index 00000000..7fcf70bd
--- /dev/null
+++ b/config/appconfig-standard/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t
diff --git a/config/appconfig-standard/media b/config/appconfig-standard/media
new file mode 100644
index 00000000..de2a6527
--- /dev/null
+++ b/config/appconfig-standard/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t
+floppy system_u:object_r:removable_device_t
+disk system_u:object_r:fixed_disk_device_t
diff --git a/config/appconfig-standard/removable_context b/config/appconfig-standard/removable_context
new file mode 100644
index 00000000..d4921f03
--- /dev/null
+++ b/config/appconfig-standard/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t
diff --git a/config/appconfig-standard/root_default_contexts b/config/appconfig-standard/root_default_contexts
new file mode 100644
index 00000000..f5225686
--- /dev/null
+++ b/config/appconfig-standard/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t unconfined_r:unconfined_t sysadm_r:cronjob_t staff_r:cronjob_t user_r:cronjob_t
+system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+
+staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
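Review bot: The commented-out `system_r:sshd_t` row lists `unconfined_r:unconfined_t` first, so on a build where root holds unconfined_r uncommenting it gives root ssh sessions unconfined_t rather than the sysadm_r the comment advertises. Reorder it to `#system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t` or reword the comment to describe what actually happens, and note that enabling it removes the staff_r → su/sudo step for remote root. The mcs and mls copies of this file carry the same comment/ordering mismatch.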
diff --git a/config/appconfig-standard/securetty_types b/config/appconfig-standard/securetty_types
new file mode 100644
index 00000000..527d8358
--- /dev/null
+++ b/config/appconfig-standard/securetty_types
@@ -0,0 +1 @@
+user_tty_device_t
diff --git a/config/appconfig-standard/sepgsql_contexts b/config/appconfig-standard/sepgsql_contexts
new file mode 100644
index 00000000..c7281512
--- /dev/null
+++ b/config/appconfig-standard/sepgsql_contexts
@@ -0,0 +1,40 @@
+#
+# Initial security label for SE-PostgreSQL (none-MLS)
+#
+
+# <databases>
+db_database * system_u:object_r:sepgsql_db_t
+
+# <schemas>
+db_schema *.* system_u:object_r:sepgsql_schema_t
+
+# <tables>
+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t
+db_table *.*.* system_u:object_r:sepgsql_table_t
+
+# <column>
+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t
+db_column *.*.*.* system_u:object_r:sepgsql_table_t
+
+# <sequences>
+db_sequence *.*.* system_u:object_r:sepgsql_seq_t
+
+# <views>
+db_view *.*.* system_u:object_r:sepgsql_view_t
+
+# <procedures>
+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t
+
+# <tuples>
+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t
+db_tuple *.*.* system_u:object_r:sepgsql_table_t
+
+# <blobs>
+db_blob *.* system_u:object_r:sepgsql_blob_t
+
+# <language>
+db_language *.sql system_u:object_r:sepgsql_safe_lang_t
+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t
+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t
+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t
+db_language *.* system_u:object_r:sepgsql_lang_t
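Review bot: The header comment reads `(none-MLS)`; it should be `(non-MLS)` to match the `(MCS)` and `(MLS)` headers of the sibling files in this change. The rule bodies are otherwise identical to those copies apart from the missing level suffix, which is what the header is meant to signal.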
diff --git a/config/appconfig-standard/seusers b/config/appconfig-standard/seusers
new file mode 100644
index 00000000..36b193b1
--- /dev/null
+++ b/config/appconfig-standard/seusers
@@ -0,0 +1,3 @@
+system_u:system_u
+root:root
+__default__:user_u
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
new file mode 100644
index 00000000..c2a5ea87
--- /dev/null
+++ b/config/appconfig-standard/staff_u_default_contexts
@@ -0,0 +1,10 @@
+system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
+system_r:remote_login_t staff_r:staff_t
+system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
+system_r:crond_t staff_r:cronjob_t
+system_r:xdm_t staff_r:staff_t
+staff_r:staff_su_t staff_r:staff_t
+staff_r:staff_sudo_t staff_r:staff_t
+sysadm_r:sysadm_su_t sysadm_r:sysadm_t
+sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
+
diff --git a/config/appconfig-standard/unconfined_u_default_contexts b/config/appconfig-standard/unconfined_u_default_contexts
new file mode 100644
index 00000000..e340b219
--- /dev/null
+++ b/config/appconfig-standard/unconfined_u_default_contexts
@@ -0,0 +1,9 @@
+system_r:crond_t unconfined_r:unconfined_t unconfined_r:unconfined_cronjob_t
+system_r:initrc_t unconfined_r:unconfined_t
+system_r:local_login_t unconfined_r:unconfined_t
+system_r:remote_login_t unconfined_r:unconfined_t
+system_r:rshd_t unconfined_r:unconfined_t
+system_r:sshd_t unconfined_r:unconfined_t
+system_r:sysadm_su_t unconfined_r:unconfined_t
+system_r:unconfined_t unconfined_r:unconfined_t
+system_r:xdm_t unconfined_r:unconfined_t
diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
new file mode 100644
index 00000000..f5bfac34
--- /dev/null
+++ b/config/appconfig-standard/user_u_default_contexts
@@ -0,0 +1,8 @@
+system_r:local_login_t user_r:user_t
+system_r:remote_login_t user_r:user_t
+system_r:sshd_t user_r:user_t
+system_r:crond_t user_r:cronjob_t
+system_r:xdm_t user_r:user_t
+user_r:user_su_t user_r:user_t
+user_r:user_sudo_t user_r:user_t
+
diff --git a/config/appconfig-standard/userhelper_context b/config/appconfig-standard/userhelper_context
new file mode 100644
index 00000000..081e93b4
--- /dev/null
+++ b/config/appconfig-standard/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t
diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
new file mode 100644
index 00000000..c049e104
--- /dev/null
+++ b/config/appconfig-standard/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t
diff --git a/config/appconfig-standard/virtual_image_context b/config/appconfig-standard/virtual_image_context
new file mode 100644
index 00000000..fca6046d
--- /dev/null
+++ b/config/appconfig-standard/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t
+system_u:object_r:virt_content_t
diff --git a/config/appconfig-standard/x_contexts b/config/appconfig-standard/x_contexts
new file mode 100644
index 00000000..5b752f85
--- /dev/null
+++ b/config/appconfig-standard/x_contexts
@@ -0,0 +1,105 @@
+#
+# Config file for XSELinux extension
+#
+
+
+#
+##
+### Rules for X Clients
+##
+#
+
+#
+# The default client rule defines a context to be used for all clients
+# connecting to the server from a remote host.
+#
+client * system_u:object_r:remote_t
+
+
+#
+##
+### Rules for X Properties
+##
+#
+
+#
+# Property rules map a property name to a context. A default property
+# rule indicated by an asterisk should follow all other property rules.
+#
+# Properties that normal clients may only read
+property _SELINUX_* system_u:object_r:seclabel_xproperty_t
+
+# Clipboard and selection properties
+property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t
+
+# Default fallback type
+property * system_u:object_r:xproperty_t
+
+
+#
+##
+### Rules for X Extensions
+##
+#
+
+#
+# Extension rules map an extension name to a context. A default extension
+# rule indicated by an asterisk should follow all other extension rules.
+#
+# Restricted extensions
+extension SELinux system_u:object_r:security_xextension_t
+
+# Standard extensions
+extension * system_u:object_r:xextension_t
+
+
+#
+##
+### Rules for X Selections
+##
+#
+
+# Selection rules map a selection name to a context. A default selection
+# rule indicated by an asterisk should follow all other selection rules.
+#
+# Standard selections
+selection PRIMARY system_u:object_r:clipboard_xselection_t
+selection CLIPBOARD system_u:object_r:clipboard_xselection_t
+
+# Default fallback type
+selection * system_u:object_r:xselection_t
+
+
+#
+##
+### Rules for X Events
+##
+#
+
+#
+# Event rules map an event protocol name to a context. A default event
+# rule indicated by an asterisk should follow all other event rules.
+#
+# Input events
+event X11:KeyPress system_u:object_r:input_xevent_t
+event X11:KeyRelease system_u:object_r:input_xevent_t
+event X11:ButtonPress system_u:object_r:input_xevent_t
+event X11:ButtonRelease system_u:object_r:input_xevent_t
+event X11:MotionNotify system_u:object_r:input_xevent_t
+event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t
+event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t
+event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t
+event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t
+event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t
+event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t
+event XInputExtension:ProximityIn system_u:object_r:input_xevent_t
+event XInputExtension:ProximityOut system_u:object_r:input_xevent_t
+
+# Client message events
+event X11:ClientMessage system_u:object_r:client_xevent_t
+event X11:SelectionNotify system_u:object_r:client_xevent_t
+event X11:UnmapNotify system_u:object_r:client_xevent_t
+event X11:ConfigureNotify system_u:object_r:client_xevent_t
+
+# Default fallback type
+event * system_u:object_r:xevent_t
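Review bot: The Selections section at L5733 is missing the lone `#` line that opens the equivalent description blocks for properties, extensions and events (L5696, L5716, L5750), so the comment layout is inconsistent across the five sections of the new file. Inserting a bare `#` line immediately before `# Selection rules map a selection name to a context.` restores the pattern and keeps the file uniform for anyone scanning section headers.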
diff --git a/config/appconfig-standard/xguest_u_default_contexts b/config/appconfig-standard/xguest_u_default_contexts
new file mode 100644
index 00000000..55d44d1b
--- /dev/null
+++ b/config/appconfig-standard/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t xguest_r:xguest_t
+system_r:initrc_su_t xguest_r:xguest_t
+system_r:local_login_t xguest_r:xguest_t
+system_r:remote_login_t xguest_r:xguest_t
+system_r:sshd_t xguest_r:xguest_t
+system_r:xdm_t xguest_r:xguest_t
+xguest_r:xguest_t xguest_r:xguest_t
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
new file mode 100644
index 00000000..32b87a4f
--- /dev/null
+++ b/config/file_contexts.subs_dist
@@ -0,0 +1,7 @@
+/lib32 /lib
+/lib64 /lib
+/run /var/run
+/run/lock /var/lock
+/usr/lib32 /usr/lib
+/usr/lib64 /usr/lib
+/var/run/lock /var/lock
diff --git a/config/local.users b/config/local.users
new file mode 100644
index 00000000..7e2bf7aa
--- /dev/null
+++ b/config/local.users
@@ -0,0 +1,21 @@
+##################################
+#
+# User configuration.
+#
+# This file defines additional users recognized by the system security policy.
+# Only the user identities defined in this file and the system.users file
+# may be used as the user attribute in a security context.
+#
+# Each user has a set of roles that may be entered by processes
+# with the users identity. The syntax of a user declaration is:
+#
+# user username roles role_set [ level default_level range allowed_range ];
+#
+# The MLS default level and allowed range should only be specified if
+# MLS was enabled in the policy.
+
+# sample for administrative user
+# user jadmin roles { staff_r sysadm_r };
+
+# sample for regular user
+#user jdoe roles { user_r };
diff --git a/doc/Makefile.example b/doc/Makefile.example
new file mode 100644
index 00000000..9f2a8d52
--- /dev/null
+++ b/doc/Makefile.example
@@ -0,0 +1,8 @@
+
+AWK ?= gawk
+
+NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
+SHAREDIR ?= /usr/share/selinux
+HEADERDIR := $(SHAREDIR)/$(NAME)/include
+
+include $(HEADERDIR)/Makefile
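Review bot: NAME is read from /etc/selinux/config on L5839 but never validated, so when that file is absent or has no SELINUXTYPE line HEADERDIR on L5841 collapses to `/usr/share/selinux//include` and the `include` on L5843 fails with a bare no-such-file error instead of saying what is missing. A parse-time guard right after the NAME assignment makes the failure actionable: `ifeq ($(strip $(NAME)),)` / `$(error NAME is empty; set NAME=<policy type> on the command line or SELINUXTYPE in /etc/selinux/config)` / `endif`. A one-line comment on L5839 such as `# Policy type from /etc/selinux/config unless NAME is given on the command line` would also help readers of this example; since HEADERDIR is assigned with `:=`, the awk lookup is only executed once, which is worth stating there.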
diff --git a/doc/example.fc b/doc/example.fc
new file mode 100644
index 00000000..9cf7c4c1
--- /dev/null
+++ b/doc/example.fc
@@ -0,0 +1,6 @@
+# myapp executable will have:
+# label: system_u:object_r:myapp_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
diff --git a/doc/example.if b/doc/example.if
new file mode 100644
index 00000000..54d42ae6
--- /dev/null
+++ b/doc/example.if
@@ -0,0 +1,54 @@
+## <summary>Myapp example policy</summary>
+## <desc>
+## <p>
+## More descriptive text about myapp. The desc
+## tag can also use p, ul, and ol
+## html tags for formatting.
+## </p>
+## <p>
+## This policy supports the following myapp features:
+## <ul>
+## <li>Feature A</li>
+## <li>Feature B</li>
+## <li>Feature C</li>
+## </ul>
+## </p>
+## </desc>
+#
+
+########################################
+## <summary>
+## Execute a domain transition to run myapp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`myapp_domtrans',`
+ gen_require(`
+ type myapp_t, myapp_exec_t;
+ ')
+
+ domtrans_pattern($1,myapp_exec_t,myapp_t)
+')
+
+########################################
+## <summary>
+## Read myapp log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to read the log files.
+## </summary>
+## </param>
+#
+interface(`myapp_read_log',`
+ gen_require(`
+ type myapp_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 myapp_log_t:file read_file_perms;
+')
diff --git a/doc/example.te b/doc/example.te
new file mode 100644
index 00000000..82383553
--- /dev/null
+++ b/doc/example.te
@@ -0,0 +1,28 @@
+
+policy_module(myapp,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type myapp_t;
+type myapp_exec_t;
+domain_type(myapp_t)
+domain_entry_file(myapp_t, myapp_exec_t)
+
+type myapp_log_t;
+logging_log_file(myapp_log_t)
+
+type myapp_tmp_t;
+files_tmp_file(myapp_tmp_t)
+
+########################################
+#
+# Myapp local policy
+#
+
+allow myapp_t myapp_log_t:file { read_file_perms append_file_perms };
+
+allow myapp_t myapp_tmp_t:file manage_file_perms;
+files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
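Review bot: myapp_log_t is declared on L5935 and granted read/append on L5946, but nothing in this example ever applies that label — example.fc on L5855 labels only the executable, and unlike the tmp handling on L5948-L5949 there is no file transition or file context for the log — so the log rule is inert unless an administrator relabels the log by hand. The simplest completion is a file context in example.fc, e.g. a constructed line such as `/var/log/myapp\.log.* -- gen_context(system_u:object_r:myapp_log_t,s0)`, so the example is self-consistent between the .te and .fc halves. A short comment above L5946, `# log files are labeled myapp_log_t by example.fc`, would make that dependency explicit.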
diff --git a/doc/global_booleans.xml b/doc/global_booleans.xml
new file mode 100644
index 00000000..76c5a81a
--- /dev/null
+++ b/doc/global_booleans.xml
@@ -0,0 +1,9 @@
+<bool name="secure_mode" dftval="false">
+<desc>
+<p>
+Enabling secure mode disallows programs, such as
+newrole, from transitioning to administrative
+user domains.
+</p>
+</desc>
+</bool>
diff --git a/doc/global_tunables.xml b/doc/global_tunables.xml
new file mode 100644
index 00000000..c026deaf
--- /dev/null
+++ b/doc/global_tunables.xml
@@ -0,0 +1,108 @@
+<tunable name="allow_execheap" dftval="false">
+<desc>
+<p>
+Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execmem" dftval="false">
+<desc>
+<p>
+Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execmod" dftval="false">
+<desc>
+<p>
+Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execstack" dftval="false">
+<desc>
+<p>
+Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+</p>
+</desc>
+</tunable>
+<tunable name="allow_polyinstantiation" dftval="false">
+<desc>
+<p>
+Enable polyinstantiated directory support.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_ypbind" dftval="false">
+<desc>
+<p>
+Allow system to run with NIS
+</p>
+</desc>
+</tunable>
+<tunable name="console_login" dftval="true">
+<desc>
+<p>
+Allow logging in and using the system from /dev/console.
+</p>
+</desc>
+</tunable>
+<tunable name="global_ssp" dftval="false">
+<desc>
+<p>
+Enable reading of urandom for all domains.
+</p>
+<p>
+This should be enabled when all programs
+are compiled with ProPolice/SSP
+stack smashing protection. All domains will
+be allowed to read from /dev/urandom.
+</p>
+</desc>
+</tunable>
+<tunable name="mail_read_content" dftval="false">
+<desc>
+<p>
+Allow email client to various content.
+nfs, samba, removable devices, and user temp
+files
+</p>
+</desc>
+</tunable>
+<tunable name="nfs_export_all_rw" dftval="false">
+<desc>
+<p>
+Allow any files/directories to be exported read/write via NFS.
+</p>
+</desc>
+</tunable>
+<tunable name="nfs_export_all_ro" dftval="false">
+<desc>
+<p>
+Allow any files/directories to be exported read/only via NFS.
+</p>
+</desc>
+</tunable>
+<tunable name="use_nfs_home_dirs" dftval="false">
+<desc>
+<p>
+Support NFS home directories
+</p>
+</desc>
+</tunable>
+<tunable name="use_samba_home_dirs" dftval="false">
+<desc>
+<p>
+Support SAMBA home directories
+</p>
+</desc>
+</tunable>
+<tunable name="user_tcp_server" dftval="false">
+<desc>
+<p>
+Allow users to run TCP servers (bind to ports and accept connection from
+the same domain and outside users) disabling this forces FTP passive mode
+and may change other protocols.
+</p>
+</desc>
+</tunable>
diff --git a/doc/policy.dtd b/doc/policy.dtd
new file mode 100644
index 00000000..b797f712
--- /dev/null
+++ b/doc/policy.dtd
@@ -0,0 +1,44 @@
+<!ENTITY % inline.class "pre|p|ul|ol|li">
+
+<!ELEMENT policy (layer+,(tunable|bool)*)>
+<!ELEMENT layer (summary,module+)>
+<!ATTLIST layer
+ name CDATA #REQUIRED>
+<!ELEMENT module (summary,desc?,required?,(interface|template)*,(bool|tunable)*)>
+<!ATTLIST module
+ name CDATA #REQUIRED
+ filename CDATA #REQUIRED>
+<!ELEMENT required (#PCDATA)>
+<!ATTLIST required
+ val (true|false) "false">
+<!ELEMENT tunable (desc)>
+<!ATTLIST tunable
+ name CDATA #REQUIRED
+ dftval CDATA #REQUIRED>
+<!ELEMENT bool (desc)>
+<!ATTLIST bool
+ name CDATA #REQUIRED
+ dftval CDATA #REQUIRED>
+<!ELEMENT summary (#PCDATA)>
+<!ELEMENT interface (summary,desc?,param+,infoflow?,(rolebase|rolecap)?)>
+<!ATTLIST interface name CDATA #REQUIRED lineno CDATA #REQUIRED>
+<!ELEMENT template (summary,desc?,param+,(rolebase|rolecap)?)>
+<!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED>
+<!ELEMENT desc (#PCDATA|%inline.class;)*>
+<!ELEMENT param (summary)>
+<!ATTLIST param
+ name CDATA #REQUIRED
+ optional (true|false) "false"
+ unused (true|false) "false">
+<!ELEMENT infoflow EMPTY>
+<!ATTLIST infoflow
+ type CDATA #REQUIRED
+ weight CDATA #IMPLIED>
+<!ELEMENT rolebase EMPTY>
+<!ELEMENT rolecap EMPTY>
+
+<!ATTLIST pre caption CDATA #IMPLIED>
+<!ELEMENT p (#PCDATA|%inline.class;)*>
+<!ELEMENT ul (li+)>
+<!ELEMENT ol (li+)>
+<!ELEMENT li (#PCDATA|%inline.class;)*>
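Review bot: `pre` is listed in the inline.class entity on L6085 and given an attribute list on L6124, but no `<!ELEMENT pre ...>` declaration exists, so a document that actually uses a `<pre>` inside desc, p or li is invalid under this DTD and validating parsers will at least warn about an attribute list for an undeclared element. Adding `<!ELEMENT pre (#PCDATA)>` immediately before the ATTLIST on L6124 closes the gap and matches how the other inline elements are declared on L6125-L6128.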
diff --git a/doc/policy.xml b/doc/policy.xml
new file mode 100644
index 00000000..92615add
--- /dev/null
+++ b/doc/policy.xml
@@ -0,0 +1,91784 @@
+<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
+<!DOCTYPE policy SYSTEM "policy.dtd">
+<policy>
+<layer name="admin">
+<summary>
+ Policy modules for administrative functions, such as package management.
+</summary>
+<module name="bootloader" filename="policy/modules/admin/bootloader.if">
+<summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
+<interface name="bootloader_domtrans" lineno="13">
+<summary>
+Execute bootloader in the bootloader domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="bootloader_run" lineno="39">
+<summary>
+Execute bootloader interactively and do
+a domain transition to the bootloader domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="bootloader_read_config" lineno="58">
+<summary>
+Read the bootloader configuration file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bootloader_rw_config" lineno="78">
+<summary>
+Read and write the bootloader
+configuration file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="bootloader_rw_tmp_files" lineno="97">
+<summary>
+Read and write the bootloader
+temporary data in /tmp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bootloader_create_runtime_file" lineno="117">
+<summary>
+Read and write the bootloader
+temporary data in /tmp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="consoletype" filename="policy/modules/admin/consoletype.if">
+<summary>
+Determine of the console connected to the controlling terminal.
+</summary>
+<interface name="consoletype_domtrans" lineno="15">
+<summary>
+Execute consoletype in the consoletype domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="consoletype_run" lineno="44">
+<summary>
+Execute consoletype in the consoletype domain, and
+allow the specified role the consoletype domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="consoletype_exec" lineno="64">
+<summary>
+Execute consoletype in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="dmesg" filename="policy/modules/admin/dmesg.if">
+<summary>Policy for dmesg.</summary>
+<interface name="dmesg_domtrans" lineno="13">
+<summary>
+Execute dmesg in the dmesg domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="dmesg_exec" lineno="33">
+<summary>
+Execute dmesg in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="netutils" filename="policy/modules/admin/netutils.if">
+<summary>Network analysis utilities</summary>
+<interface name="netutils_domtrans" lineno="13">
+<summary>
+Execute network utilities in the netutils domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="netutils_run" lineno="39">
+<summary>
+Execute network utilities in the netutils domain, and
+allow the specified role the netutils domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="netutils_exec" lineno="58">
+<summary>
+Execute network utilities in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="netutils_signal" lineno="77">
+<summary>
+Send generic signals to network utilities.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="netutils_domtrans_ping" lineno="95">
+<summary>
+Execute ping in the ping domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="netutils_kill_ping" lineno="114">
+<summary>
+Send a kill (SIGKILL) signal to ping.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="netutils_signal_ping" lineno="132">
+<summary>
+Send generic signals to ping.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="netutils_run_ping" lineno="157">
+<summary>
+Execute ping in the ping domain, and
+allow the specified role the ping domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="netutils_run_ping_cond" lineno="183">
+<summary>
+Conditionally execute ping in the ping domain, and
+allow the specified role the ping domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="netutils_exec_ping" lineno="206">
+<summary>
+Execute ping in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="netutils_domtrans_traceroute" lineno="225">
+<summary>
+Execute traceroute in the traceroute domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="netutils_run_traceroute" lineno="251">
+<summary>
+Execute traceroute in the traceroute domain, and
+allow the specified role the traceroute domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="netutils_run_traceroute_cond" lineno="277">
+<summary>
+Conditionally execute traceroute in the traceroute domain, and
+allow the specified role the traceroute domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="netutils_exec_traceroute" lineno="300">
+<summary>
+Execute traceroute in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="user_ping" dftval="false">
+<desc>
+<p>
+Control users use of ping and traceroute
+</p>
+</desc>
+</tunable>
+</module>
+<module name="su" filename="policy/modules/admin/su.if">
+<summary>Run shells with substitute user and group</summary>
+<template name="su_restricted_domain_template" lineno="31">
+<summary>
+Restricted su domain template.
+</summary>
+<desc>
+<p>
+This template creates a derived domain which is allowed
+to change the linux user id, to run shells as a different
+user.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+</template>
+<template name="su_role_template" lineno="162">
+<summary>
+The role template for the su module.
+</summary>
+<param name="role_prefix">
+<summary>
+The prefix of the user role (e.g., user
+is the prefix for user_r).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</template>
+<interface name="su_exec" lineno="328">
+<summary>
+Execute su in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="sudo" filename="policy/modules/admin/sudo.if">
+<summary>Execute a command with a substitute user</summary>
+<template name="sudo_role_template" lineno="31">
+<summary>
+The role template for the sudo module.
+</summary>
+<desc>
+<p>
+This template creates a derived domain which is allowed
+to change the linux user id, to run commands as a different
+user.
+</p>
+</desc>
+<param name="role_prefix">
+<summary>
+The prefix of the user role (e.g., user
+is the prefix for user_r).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The user role.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The user domain associated with the role.
+</summary>
+</param>
+</template>
+<interface name="sudo_sigchld" lineno="172">
+<summary>
+Send a SIGCHLD signal to the sudo domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="usermanage" filename="policy/modules/admin/usermanage.if">
+<summary>Policy for managing user accounts.</summary>
+<interface name="usermanage_domtrans_chfn" lineno="13">
+<summary>
+Execute chfn in the chfn domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_run_chfn" lineno="42">
+<summary>
+Execute chfn in the chfn domain, and
+allow the specified role the chfn domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_domtrans_groupadd" lineno="61">
+<summary>
+Execute groupadd in the groupadd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_run_groupadd" lineno="91">
+<summary>
+Execute groupadd in the groupadd domain, and
+allow the specified role the groupadd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="usermanage_domtrans_passwd" lineno="110">
+<summary>
+Execute passwd in the passwd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_kill_passwd" lineno="133">
+<summary>
+Send sigkills to passwd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_run_passwd" lineno="157">
+<summary>
+Execute passwd in the passwd domain, and
+allow the specified role the passwd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_domtrans_admin_passwd" lineno="177">
+<summary>
+Execute password admin functions in
+the admin passwd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_run_admin_passwd" lineno="204">
+<summary>
+Execute passwd admin functions in the admin
+passwd domain, and allow the specified role
+the admin passwd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="usermanage_dontaudit_use_useradd_fds" lineno="223">
+<summary>
+Do not audit attempts to use useradd fds.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_domtrans_useradd" lineno="241">
+<summary>
+Execute useradd in the useradd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_run_useradd" lineno="271">
+<summary>
+Execute useradd in the useradd domain, and
+allow the specified role the useradd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="usermanage_read_crack_db" lineno="290">
+<summary>
+Read the crack database.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+</layer>
+<layer name="apps">
+<summary>Policy modules for applications</summary>
+<module name="seunshare" filename="policy/modules/apps/seunshare.if">
+<summary>Filesystem namespacing/polyinstantiation application.</summary>
+<interface name="seunshare_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run seunshare.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="seunshare_run" lineno="37">
+<summary>
+Execute seunshare in the seunshare domain, and
+allow the specified role the seunshare domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seunshare_role" lineno="69">
+<summary>
+Role access for seunshare
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role.
+</summary>
+</param>
+</interface>
+</module>
+</layer>
+<layer name="contrib">
+<summary>Contributed Reference Policy modules.</summary>
+<module name="abrt" filename="policy/modules/contrib/abrt.if">
+<summary>ABRT - automated bug-reporting tool</summary>
+<interface name="abrt_domtrans" lineno="13">
+<summary>
+Execute abrt in the abrt domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="abrt_exec" lineno="32">
+<summary>
+Execute abrt in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_signull" lineno="51">
+<summary>
+Send a null signal to abrt.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_read_state" lineno="69">
+<summary>
+Allow the domain to read abrt state files in /proc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_stream_connect" lineno="87">
+<summary>
+Connect to abrt over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_dbus_chat" lineno="107">
+<summary>
+Send and receive messages from
+abrt over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_domtrans_helper" lineno="127">
+<summary>
+Execute abrt-helper in the abrt-helper domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="abrt_run_helper" lineno="152">
+<summary>
+Execute abrt helper in the abrt_helper domain, and
+allow the specified role the abrt_helper domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="abrt_cache_manage" lineno="172">
+<summary>
+Send and receive messages from
+abrt over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_read_config" lineno="190">
+<summary>
+Read abrt configuration file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_read_log" lineno="209">
+<summary>
+Read abrt logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_read_pid_files" lineno="228">
+<summary>
+Read abrt PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_manage_pid_files" lineno="247">
+<summary>
+Create, read, write, and delete abrt PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_admin" lineno="273">
+<summary>
+All of the rules required to administrate
+an abrt environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the abrt domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="accountsd" filename="policy/modules/contrib/accountsd.if">
+<summary>AccountsService and daemon for manipulating user account information via D-Bus</summary>
+<interface name="accountsd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run accountsd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="accountsd_dontaudit_rw_fifo_file" lineno="32">
+<summary>
+Do not audit attempts to read and write Accounts Daemon
+fifo file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="accountsd_dbus_chat" lineno="51">
+<summary>
+Send and receive messages from
+accountsd over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="accountsd_search_lib" lineno="71">
+<summary>
+Search accountsd lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="accountsd_read_lib_files" lineno="90">
+<summary>
+Read accountsd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="accountsd_manage_lib_files" lineno="110">
+<summary>
+Create, read, write, and delete
+accountsd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="accountsd_admin" lineno="136">
+<summary>
+All of the rules required to administrate
+an accountsd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="acct" filename="policy/modules/contrib/acct.if">
+<summary>Berkeley process accounting</summary>
+<interface name="acct_domtrans" lineno="13">
+<summary>
+Transition to the accounting management domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="acct_exec" lineno="32">
+<summary>
+Execute accounting management tools in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="acct_exec_data" lineno="53">
+<summary>
+Execute accounting management data in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="acct_manage_data" lineno="72">
+<summary>
+Create, read, write, and delete process accounting data.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="ada" filename="policy/modules/contrib/ada.if">
+<summary>GNAT Ada95 compiler</summary>
+<interface name="ada_domtrans" lineno="13">
+<summary>
+Execute the ada program in the ada domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ada_run" lineno="38">
+<summary>
+Execute ada in the ada domain, and
+allow the specified role the ada domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="afs" filename="policy/modules/contrib/afs.if">
+<summary>Andrew Filesystem server</summary>
+<interface name="afs_domtrans" lineno="14">
+<summary>
+Execute a domain transition to run the
+afs client.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="afs_rw_udp_sockets" lineno="33">
+<summary>
+Read and write afs client UDP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="afs_rw_cache" lineno="51">
+<summary>
+read/write afs cache files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="afs_initrc_domtrans" lineno="70">
+<summary>
+Execute afs server in the afs domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="afs_admin" lineno="95">
+<summary>
+All of the rules required to administrate
+an afs environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the afs domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="aiccu" filename="policy/modules/contrib/aiccu.if">
+<summary>Automatic IPv6 Connectivity Client Utility.</summary>
+<interface name="aiccu_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run aiccu.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="aiccu_initrc_domtrans" lineno="32">
+<summary>
+Execute aiccu server in the aiccu domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="aiccu_read_pid_files" lineno="50">
+<summary>
+Read aiccu PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="aiccu_admin" lineno="76">
+<summary>
+All of the rules required to administrate
+an aiccu environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="aide" filename="policy/modules/contrib/aide.if">
+<summary>Aide filesystem integrity checker</summary>
+<interface name="aide_domtrans" lineno="13">
+<summary>
+Execute aide in the aide domain
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="aide_run" lineno="37">
+<summary>
+Execute aide programs in the AIDE domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the AIDE domain.
+</summary>
+</param>
+</interface>
+<interface name="aide_admin" lineno="58">
+<summary>
+All of the rules required to administrate
+an aide environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="aisexec" filename="policy/modules/contrib/aisexec.if">
+<summary>Aisexec Cluster Engine</summary>
+<interface name="aisexec_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run aisexec.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="aisexec_stream_connect" lineno="32">
+<summary>
+Connect to aisexec over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="aisexec_read_log" lineno="51">
+<summary>
+Allow the specified domain to read aisexec's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="aisexecd_admin" lineno="78">
+<summary>
+All of the rules required to administrate
+an aisexec environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the aisexecd domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="alsa" filename="policy/modules/contrib/alsa.if">
+<summary>Ainit ALSA configuration tool.</summary>
+<interface name="alsa_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run Alsa.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="alsa_run" lineno="39">
+<summary>
+Execute a domain transition to run
+Alsa, and allow the specified role
+the Alsa domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_rw_semaphores" lineno="58">
+<summary>
+Read and write Alsa semaphores.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_rw_shared_mem" lineno="76">
+<summary>
+Read and write Alsa shared memory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_read_rw_config" lineno="94">
+<summary>
+Read writable Alsa config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_manage_rw_config" lineno="119">
+<summary>
+Manage writable Alsa config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_manage_home_files" lineno="144">
+<summary>
+Manage alsa home files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_read_home_files" lineno="163">
+<summary>
+Read Alsa home files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_relabel_home_files" lineno="182">
+<summary>
+Relabel alsa home files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_read_lib" lineno="201">
+<summary>
+Read Alsa lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="amanda" filename="policy/modules/contrib/amanda.if">
+<summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
+<interface name="amanda_domtrans_recover" lineno="14">
+<summary>
+Execute a domain transition to run
+Amanda recover.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="amanda_run_recover" lineno="41">
+<summary>
+Execute a domain transition to run
+Amanda recover, and allow the specified
+role the Amanda recover domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="amanda_search_lib" lineno="60">
+<summary>
+Search Amanda library directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amanda_dontaudit_read_dumpdates" lineno="79">
+<summary>
+Do not audit attempts to read /etc/dumpdates.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="amanda_rw_dumpdates_files" lineno="97">
+<summary>
+Read and write /etc/dumpdates.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amanda_manage_lib" lineno="116">
+<summary>
+Search Amanda library directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amanda_append_log_files" lineno="135">
+<summary>
+Read and append amanda logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amanda_search_var_lib" lineno="154">
+<summary>
+Search Amanda var library directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="amavis" filename="policy/modules/contrib/amavis.if">
+<summary>
+Daemon that interfaces mail transfer agents and content
+checkers, such as virus scanners.
+</summary>
+<interface name="amavis_domtrans" lineno="16">
+<summary>
+Execute a domain transition to run amavis.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="amavis_initrc_domtrans" lineno="35">
+<summary>
+Execute amavis server in the amavis domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="amavis_read_spool_files" lineno="53">
+<summary>
+Read amavis spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amavis_manage_spool_files" lineno="72">
+<summary>
+Manage amavis spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amavis_spool_filetrans" lineno="103">
+<summary>
+Create objects in the amavis spool directories
+with a private type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private_type">
+<summary>
+Private file type.
+</summary>
+</param>
+<param name="object_class">
+<summary>
+Class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="amavis_search_lib" lineno="122">
+<summary>
+Search amavis lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amavis_read_lib_files" lineno="141">
+<summary>
+Read amavis lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amavis_manage_lib_files" lineno="162">
+<summary>
+Create, read, write, and delete
+amavis lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amavis_setattr_pid_files" lineno="181">
+<summary>
+Set the attributes of amavis pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amavis_create_pid_files" lineno="200">
+<summary>
+Create of amavis pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amavis_admin" lineno="226">
+<summary>
+All of the rules required to administrate
+an amavis environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="amtu" filename="policy/modules/contrib/amtu.if">
+<summary>Abstract Machine Test Utility.</summary>
+<interface name="amtu_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run Amtu.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="amtu_run" lineno="39">
+<summary>
+Execute a domain transition to run
+Amtu, and allow the specified role
+the Amtu domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="anaconda" filename="policy/modules/contrib/anaconda.if">
+<summary>Anaconda installer.</summary>
+</module>
+<module name="apache" filename="policy/modules/contrib/apache.if">
+<summary>Apache web server</summary>
+<template name="apache_content_template" lineno="14">
+<summary>
+Create a set of derived types for apache
+web content.
+</summary>
+<param name="prefix">
+<summary>
+The prefix to be used for deriving type names.
+</summary>
+</param>
+</template>
+<interface name="apache_role" lineno="211">
+<summary>
+Role access for apache
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="apache_read_user_scripts" lineno="271">
+<summary>
+Read httpd user scripts executables.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_read_user_content" lineno="291">
+<summary>
+Read user web content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_domtrans" lineno="311">
+<summary>
+Transition to apache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apache_signal" lineno="330">
+<summary>
+Send a generic signal to apache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_signull" lineno="348">
+<summary>
+Send a null signal to apache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_sigchld" lineno="366">
+<summary>
+Send a SIGCHLD signal to apache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_use_fds" lineno="384">
+<summary>
+Inherit and use file descriptors from Apache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_dontaudit_rw_fifo_file" lineno="403">
+<summary>
+Do not audit attempts to read and write Apache
+unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apache_dontaudit_rw_stream_sockets" lineno="422">
+<summary>
+Do not audit attempts to read and write Apache
+unix domain stream sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apache_dontaudit_rw_tcp_sockets" lineno="441">
+<summary>
+Do not audit attempts to read and write Apache
+TCP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apache_manage_all_content" lineno="460">
+<summary>
+Create, read, write, and delete all web content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apache_setattr_cache_dirs" lineno="485">
+<summary>
+Allow domain to set the attributes
+of the APACHE cache directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_list_cache" lineno="504">
+<summary>
+Allow the specified domain to list
+Apache cache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_rw_cache_files" lineno="523">
+<summary>
+Allow the specified domain to read
+and write Apache cache files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_delete_cache_files" lineno="542">
+<summary>
+Allow the specified domain to delete
+Apache cache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_read_config" lineno="562">
+<summary>
+Allow the specified domain to read
+apache configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apache_manage_config" lineno="584">
+<summary>
+Allow the specified domain to manage
+apache configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_domtrans_helper" lineno="606">
+<summary>
+Execute the Apache helper program with
+a domain transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_run_helper" lineno="633">
+<summary>
+Execute the Apache helper program with
+a domain transition, and allow the
+specified role the Apache helper domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apache_read_log" lineno="654">
+<summary>
+Allow the specified domain to read
+apache log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apache_append_log" lineno="676">
+<summary>
+Allow the specified domain to append
+to apache log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_dontaudit_append_log" lineno="697">
+<summary>
+Do not audit attempts to append to the
+Apache logs.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apache_manage_log" lineno="716">
+<summary>
+Allow the specified domain to manage
+to apache log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_dontaudit_search_modules" lineno="738">
+<summary>
+Do not audit attempts to search Apache
+module directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apache_list_modules" lineno="758">
+<summary>
+Allow the specified domain to list
+the contents of the apache modules
+directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_exec_modules" lineno="777">
+<summary>
+Allow the specified domain to execute
+apache modules.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_domtrans_rotatelogs" lineno="797">
+<summary>
+Execute a domain transition to run httpd_rotatelogs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apache_list_sys_content" lineno="816">
+<summary>
+Allow the specified domain to list
+apache system content files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_manage_sys_content" lineno="838">
+<summary>
+Allow the specified domain to manage
+apache system content files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apache_domtrans_sys_script" lineno="862">
+<summary>
+Execute all web scripts in the system
+script domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apache_dontaudit_rw_sys_script_stream_sockets" lineno="884">
+<summary>
+Do not audit attempts to read and write Apache
+system script unix domain stream sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apache_domtrans_all_scripts" lineno="903">
+<summary>
+Execute all user scripts in the user
+script domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apache_run_all_scripts" lineno="928">
+<summary>
+Execute all user scripts in the user
+script domain. Add user script domains
+to the specified role.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access..
+</summary>
+</param>
+</interface>
+<interface name="apache_read_squirrelmail_data" lineno="948">
+<summary>
+Allow the specified domain to read
+apache squirrelmail data.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_append_squirrelmail_data" lineno="967">
+<summary>
+Allow the specified domain to append
+apache squirrelmail data.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_search_sys_content" lineno="985">
+<summary>
+Search apache system content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_read_sys_content" lineno="1003">
+<summary>
+Read apache system content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_search_sys_scripts" lineno="1023">
+<summary>
+Search apache system CGI directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_manage_all_user_content" lineno="1042">
+<summary>
+Create, read, write, and delete all user web content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apache_search_sys_script_state" lineno="1066">
+<summary>
+Search system script state directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_read_tmp_files" lineno="1085">
+<summary>
+Allow the specified domain to read
+apache tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_dontaudit_write_tmp_files" lineno="1105">
+<summary>
+Dontaudit attempts to write
+apache tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apache_cgi_domain" lineno="1138">
+<summary>
+Execute CGI in the specified domain.
+</summary>
+<desc>
+<p>
+Execute CGI in the specified domain.
+</p>
+<p>
+This is an interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain run the cgi script in.
+</summary>
+</param>
+<param name="entrypoint">
+<summary>
+Type of the executable to enter the cgi domain.
+</summary>
+</param>
+</interface>
+<interface name="apache_admin" lineno="1171">
+<summary>
+All of the rules required to administrate an apache environment
+</summary>
+<param name="prefix">
+<summary>
+Prefix of the domain. Example, user would be
+the prefix for the uder_t domain.
+</summary>
+</param>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="allow_httpd_anon_write" dftval="false">
+<desc>
+<p>
+Allow Apache to modify public files
+used for public file transfer services. Directories/Files must
+be labeled public_content_rw_t.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_httpd_mod_auth_pam" dftval="false">
+<desc>
+<p>
+Allow Apache to use mod_auth_pam
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_builtin_scripting" dftval="false">
+<desc>
+<p>
+Allow httpd to use built in scripting (usually php)
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_can_network_connect" dftval="false">
+<desc>
+<p>
+Allow HTTPD scripts and modules to connect to the network using TCP.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_can_network_connect_db" dftval="false">
+<desc>
+<p>
+Allow HTTPD scripts and modules to connect to databases over the network.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_can_network_relay" dftval="false">
+<desc>
+<p>
+Allow httpd to act as a relay
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_can_sendmail" dftval="false">
+<desc>
+<p>
+Allow http daemon to send mail
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_dbus_avahi" dftval="false">
+<desc>
+<p>
+Allow Apache to communicate with avahi service via dbus
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_enable_cgi" dftval="false">
+<desc>
+<p>
+Allow httpd cgi support
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_enable_ftp_server" dftval="false">
+<desc>
+<p>
+Allow httpd to act as a FTP server by
+listening on the ftp port.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_enable_homedirs" dftval="false">
+<desc>
+<p>
+Allow httpd to read home directories
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_ssi_exec" dftval="false">
+<desc>
+<p>
+Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_tty_comm" dftval="false">
+<desc>
+<p>
+Unify HTTPD to communicate with the terminal.
+Needed for entering the passphrase for certificates at
+the terminal.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_unified" dftval="false">
+<desc>
+<p>
+Unify HTTPD handling of all content files.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_use_cifs" dftval="false">
+<desc>
+<p>
+Allow httpd to access cifs file systems
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_use_gpg" dftval="false">
+<desc>
+<p>
+Allow httpd to run gpg
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_use_nfs" dftval="false">
+<desc>
+<p>
+Allow httpd to access nfs file systems
+</p>
+</desc>
+</tunable>
+</module>
+<module name="apcupsd" filename="policy/modules/contrib/apcupsd.if">
+<summary>APC UPS monitoring daemon</summary>
+<interface name="apcupsd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run apcupsd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apcupsd_initrc_domtrans" lineno="32">
+<summary>
+Execute apcupsd server in the apcupsd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apcupsd_read_pid_files" lineno="50">
+<summary>
+Read apcupsd PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apcupsd_read_log" lineno="70">
+<summary>
+Allow the specified domain to read apcupsd's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apcupsd_append_log" lineno="91">
+<summary>
+Allow the specified domain to append
+apcupsd log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apcupsd_cgi_script_domtrans" lineno="111">
+<summary>
+Execute a domain transition to run httpd_apcupsd_cgi_script.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apcupsd_admin" lineno="141">
+<summary>
+All of the rules required to administrate
+an apcupsd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the apcupsd domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="apm" filename="policy/modules/contrib/apm.if">
+<summary>Advanced power management daemon</summary>
+<interface name="apm_domtrans_client" lineno="13">
+<summary>
+Execute APM in the apm domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apm_use_fds" lineno="32">
+<summary>
+Use file descriptors for apmd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apm_write_pipes" lineno="50">
+<summary>
+Write to apmd unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apm_rw_stream_sockets" lineno="68">
+<summary>
+Read and write to an apm unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apm_append_log" lineno="86">
+<summary>
+Append to apm's log file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apm_stream_connect" lineno="105">
+<summary>
+Connect to apmd over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="apt" filename="policy/modules/contrib/apt.if">
+<summary>APT advanced package tool.</summary>
+<interface name="apt_domtrans" lineno="13">
+<summary>
+Execute apt programs in the apt domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apt_run" lineno="39">
+<summary>
+Execute apt programs in the apt domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the apt domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apt_use_fds" lineno="59">
+<summary>
+Inherit and use file descriptors from apt.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_dontaudit_use_fds" lineno="78">
+<summary>
+Do not audit attempts to use file descriptors from apt.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apt_read_pipes" lineno="96">
+<summary>
+Read from an unnamed apt pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_rw_pipes" lineno="115">
+<summary>
+Read and write an unnamed apt pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_use_ptys" lineno="134">
+<summary>
+Read from and write to apt ptys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_read_cache" lineno="152">
+<summary>
+Read the apt package cache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_read_db" lineno="173">
+<summary>
+Read the apt package database.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_manage_db" lineno="194">
+<summary>
+Create, read, write, and delete the apt package database.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_dontaudit_manage_db" lineno="217">
+<summary>
+Do not audit attempts to create, read,
+write, and delete the apt package database.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+</module>
+<module name="arpwatch" filename="policy/modules/contrib/arpwatch.if">
+<summary>Ethernet activity monitor.</summary>
+<interface name="arpwatch_initrc_domtrans" lineno="13">
+<summary>
+Execute arpwatch server in the arpwatch domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="arpwatch_search_data" lineno="31">
+<summary>
+Search arpwatch's data file directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="arpwatch_manage_data_files" lineno="50">
+<summary>
+Create arpwatch data files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="arpwatch_rw_tmp_files" lineno="69">
+<summary>
+Read and write arpwatch temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="arpwatch_manage_tmp_files" lineno="88">
+<summary>
+Read and write arpwatch temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="arpwatch_dontaudit_rw_packet_sockets" lineno="108">
+<summary>
+Do not audit attempts to read and write
+arpwatch packet sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="arpwatch_admin" lineno="133">
+<summary>
+All of the rules required to administrate
+an arpwatch environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the arpwatch domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="asterisk" filename="policy/modules/contrib/asterisk.if">
+<summary>Asterisk IP telephony server</summary>
+<interface name="asterisk_domtrans" lineno="13">
+<summary>
+Execute asterisk in the asterisk domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="asterisk_stream_connect" lineno="33">
+<summary>
+Connect to asterisk over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="asterisk_admin" lineno="59">
+<summary>
+All of the rules required to administrate
+an asterisk environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the asterisk domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="authbind" filename="policy/modules/contrib/authbind.if">
+<summary>Tool for non-root processes to bind to reserved ports</summary>
+<interface name="authbind_domtrans" lineno="13">
+<summary>
+Use authbind to bind to a reserved port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="automount" filename="policy/modules/contrib/automount.if">
+<summary>Filesystem automounter service.</summary>
+<interface name="automount_domtrans" lineno="13">
+<summary>
+Execute automount in the automount domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="automount_signal" lineno="33">
+<summary>
+Send automount a signal
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="automount_exec_config" lineno="51">
+<summary>
+Execute automount in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="automount_read_state" lineno="66">
+<summary>
+Allow the domain to read state files in /proc.
+</summary>
+<param name="domain">
+<summary>
+Domain to allow access.
+</summary>
+</param>
+</interface>
+<interface name="automount_dontaudit_use_fds" lineno="84">
+<summary>
+Do not audit attempts to file descriptors for automount.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="automount_dontaudit_write_pipes" lineno="102">
+<summary>
+Do not audit attempts to write automount daemon unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="automount_dontaudit_getattr_tmp_dirs" lineno="121">
+<summary>
+Do not audit attempts to get the attributes
+of automount temporary directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="automount_admin" lineno="146">
+<summary>
+All of the rules required to administrate
+an automount environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the automount domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="avahi" filename="policy/modules/contrib/avahi.if">
+<summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
+<interface name="avahi_domtrans" lineno="13">
+<summary>
+Execute avahi server in the avahi domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="avahi_signal" lineno="32">
+<summary>
+Send avahi a signal
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="avahi_kill" lineno="50">
+<summary>
+Send avahi a kill signal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="avahi_signull" lineno="68">
+<summary>
+Send avahi a signull
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="avahi_dbus_chat" lineno="87">
+<summary>
+Send and receive messages from
+avahi over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="avahi_stream_connect" lineno="107">
+<summary>
+Connect to avahi using a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="avahi_dontaudit_search_pid" lineno="126">
+<summary>
+Do not audit attempts to search the avahi pid directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="avahi_admin" lineno="151">
+<summary>
+All of the rules required to administrate
+an avahi environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the avahi domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="awstats" filename="policy/modules/contrib/awstats.if">
+<summary>
+AWStats is a free powerful and featureful tool that generates advanced
+web, streaming, ftp or mail server statistics, graphically.
+</summary>
+<interface name="awstats_rw_pipes" lineno="16">
+<summary>
+Read and write awstats unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="awstats_cgi_exec" lineno="34">
+<summary>
+Execute awstats cgi scripts in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="backup" filename="policy/modules/contrib/backup.if">
+<summary>System backup scripts</summary>
+<interface name="backup_domtrans" lineno="13">
+<summary>
+Execute backup in the backup domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="backup_run" lineno="38">
+<summary>
+Execute backup in the backup domain, and
+allow the specified role the backup domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="bind" filename="policy/modules/contrib/bind.if">
+<summary>Berkeley internet name domain DNS server.</summary>
+<interface name="bind_initrc_domtrans" lineno="13">
+<summary>
+Execute bind server in the bind domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="bind_domtrans_ndc" lineno="31">
+<summary>
+Execute ndc in the ndc domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="bind_signal" lineno="49">
+<summary>
+Send generic signals to BIND.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_signull" lineno="67">
+<summary>
+Send null sigals to BIND.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_kill" lineno="85">
+<summary>
+Send BIND the kill signal
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_run_ndc" lineno="110">
+<summary>
+Execute ndc in the ndc domain, and
+allow the specified role the ndc domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="bind_domtrans" lineno="129">
+<summary>
+Execute bind in the named domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="bind_read_dnssec_keys" lineno="147">
+<summary>
+Read DNSSEC keys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_read_config" lineno="165">
+<summary>
+Read BIND named configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_write_config" lineno="183">
+<summary>
+Write BIND named configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_manage_config_dirs" lineno="203">
+<summary>
+Create, read, write, and delete
+BIND configuration directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_search_cache" lineno="221">
+<summary>
+Search the BIND cache directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_manage_cache" lineno="243">
+<summary>
+Create, read, write, and delete
+BIND cache files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_setattr_pid_dirs" lineno="264">
+<summary>
+Set the attributes of the BIND pid directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_setattr_zone_dirs" lineno="282">
+<summary>
+Set the attributes of the BIND zone directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_read_zone" lineno="300">
+<summary>
+Read BIND zone files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_manage_zone" lineno="319">
+<summary>
+Manage BIND zone files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_udp_chat_named" lineno="338">
+<summary>
+Send and receive datagrams to and from named. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_admin" lineno="359">
+<summary>
+All of the rules required to administrate
+an bind environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the bind domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="named_write_master_zones" dftval="false">
+<desc>
+<p>
+Allow BIND to write the master zone files.
+Generally this is used for dynamic DNS or zone transfers.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="bitlbee" filename="policy/modules/contrib/bitlbee.if">
+<summary>Bitlbee service</summary>
+<interface name="bitlbee_read_config" lineno="13">
+<summary>
+Read bitlbee configuration files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed accesss.
+</summary>
+</param>
+</interface>
+<interface name="bitlbee_admin" lineno="40">
+<summary>
+All of the rules required to administrate
+an bitlbee environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the bitlbee domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="bluetooth" filename="policy/modules/contrib/bluetooth.if">
+<summary>Bluetooth tools and system services.</summary>
+<interface name="bluetooth_role" lineno="18">
+<summary>
+Role access for bluetooth
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_stream_connect" lineno="51">
+<summary>
+Connect to bluetooth over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_domtrans" lineno="71">
+<summary>
+Execute bluetooth in the bluetooth domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_read_config" lineno="89">
+<summary>
+Read bluetooth daemon configuration.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_dbus_chat" lineno="108">
+<summary>
+Send and receive messages from
+bluetooth over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_domtrans_helper" lineno="128">
+<summary>
+Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_run_helper" lineno="154">
+<summary>
+Execute bluetooth_helper in the bluetooth_helper domain, and
+allow the specified role the bluetooth_helper domain. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="terminal">
+<summary>
+The type of the terminal allow the bluetooth_helper domain to use.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="bluetooth_dontaudit_read_helper_state" lineno="168">
+<summary>
+Read bluetooth helper state files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_admin" lineno="194">
+<summary>
+All of the rules required to administrate
+an bluetooth environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the bluetooth domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="brctl" filename="policy/modules/contrib/brctl.if">
+<summary>Utilities for configuring the linux ethernet bridge</summary>
+<interface name="brctl_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run brctl.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="bugzilla" filename="policy/modules/contrib/bugzilla.if">
+<summary>Bugzilla server</summary>
+<interface name="bugzilla_search_content" lineno="14">
+<summary>
+Allow the specified domain to search
+bugzilla directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bugzilla_dontaudit_rw_stream_sockets" lineno="33">
+<summary>
+Do not audit attempts to read and write
+bugzilla script unix domain stream sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="bugzilla_admin" lineno="58">
+<summary>
+All of the rules required to administrate
+an bugzilla environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the bugzilla domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="calamaris" filename="policy/modules/contrib/calamaris.if">
+<summary>Squid log analysis</summary>
+<interface name="calamaris_read_www_files" lineno="13">
+<summary>
+Allow domain to read calamaris www files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="canna" filename="policy/modules/contrib/canna.if">
+<summary>Canna - kana-kanji conversion server</summary>
+<interface name="canna_stream_connect" lineno="13">
+<summary>
+Connect to Canna using a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="canna_admin" lineno="39">
+<summary>
+All of the rules required to administrate
+an canna environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the canna domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="ccs" filename="policy/modules/contrib/ccs.if">
+<summary>Cluster Configuration System</summary>
+<interface name="ccs_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run ccs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ccs_stream_connect" lineno="31">
+<summary>
+Connect to ccs over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ccs_read_config" lineno="50">
+<summary>
+Read cluster configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ccs_manage_config" lineno="68">
+<summary>
+Manage cluster configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="cdrecord" filename="policy/modules/contrib/cdrecord.if">
+<summary>Policy for cdrecord</summary>
+<interface name="cdrecord_role" lineno="18">
+<summary>
+Role access for cdrecord
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<tunable name="cdrecord_read_content" dftval="false">
+<desc>
+<p>
+Allow cdrecord to read various content.
+nfs, samba, removable devices, user temp
+and untrusted content files
+</p>
+</desc>
+</tunable>
+</module>
+<module name="certmaster" filename="policy/modules/contrib/certmaster.if">
+<summary>Certmaster SSL certificate distribution service</summary>
+<interface name="certmaster_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run certmaster.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="certmaster_exec" lineno="31">
+<summary>
+Execute certmaster in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmaster_read_log" lineno="50">
+<summary>
+read certmaster logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmaster_append_log" lineno="69">
+<summary>
+Append to certmaster logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmaster_manage_log" lineno="89">
+<summary>
+Create, read, write, and delete
+certmaster logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmaster_admin" lineno="116">
+<summary>
+All of the rules required to administrate
+an snort environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the syslog domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="certmonger" filename="policy/modules/contrib/certmonger.if">
+<summary>Certificate status monitor and PKI enrollment client</summary>
+<interface name="certmonger_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run certmonger.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="certmonger_dbus_chat" lineno="32">
+<summary>
+Send and receive messages from
+certmonger over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmonger_initrc_domtrans" lineno="52">
+<summary>
+Execute certmonger server in the certmonger domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="certmonger_read_pid_files" lineno="70">
+<summary>
+Read certmonger PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmonger_search_lib" lineno="89">
+<summary>
+Search certmonger lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmonger_read_lib_files" lineno="108">
+<summary>
+Read certmonger lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmonger_manage_lib_files" lineno="128">
+<summary>
+Create, read, write, and delete
+certmonger lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmonger_admin" lineno="154">
+<summary>
+All of the rules required to administrate
+an certmonger environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="certwatch" filename="policy/modules/contrib/certwatch.if">
+<summary>Digital Certificate Tracking</summary>
+<interface name="certwatch_domtrans" lineno="13">
+<summary>
+Domain transition to certwatch.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="certwatch_run" lineno="42">
+<summary>
+Execute certwatch in the certwatch domain, and
+allow the specified role the certwatch domain,
+and use the caller's terminal. Has a sigchld
+backchannel.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="certwatach_run" lineno="75">
+<summary>
+Execute certwatch in the certwatch domain, and
+allow the specified role the certwatch domain,
+and use the caller's terminal. Has a sigchld
+backchannel. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="terminal">
+<summary>
+The type of the terminal allow the certwatch domain to use.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="cgroup" filename="policy/modules/contrib/cgroup.if">
+<summary>libcg is a library that abstracts the control group file system in Linux.</summary>
+<interface name="cgroup_domtrans_cgclear" lineno="14">
+<summary>
+Execute a domain transition to run
+CG Clear.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cgroup_domtrans_cgconfig" lineno="34">
+<summary>
+Execute a domain transition to run
+CG config parser.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cgroup_initrc_domtrans_cgconfig" lineno="54">
+<summary>
+Execute a domain transition to run
+CG config parser.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cgroup_domtrans_cgred" lineno="73">
+<summary>
+Execute a domain transition to run
+CG rules engine daemon.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cgroup_initrc_domtrans_cgred" lineno="94">
+<summary>
+Execute a domain transition to run
+CG rules engine daemon.
+domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cgroup_run_cgclear" lineno="121">
+<summary>
+Execute a domain transition to
+run CG Clear and allow the
+specified role the CG Clear
+domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="cgroup_stream_connect_cgred" lineno="141">
+<summary>
+Connect to CG rules engine daemon
+over unix stream sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cgroup_admin" lineno="167">
+<summary>
+All of the rules required to administrate
+an cgroup environment.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="chronyd" filename="policy/modules/contrib/chronyd.if">
+<summary>Chrony NTP background daemon</summary>
+<interface name="chronyd_domtrans" lineno="13">
+<summary>
+Execute chronyd in the chronyd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="chronyd_exec" lineno="32">
+<summary>
+Execute chronyd
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="chronyd_read_log" lineno="50">
+<summary>
+Read chronyd logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="chronyd_admin" lineno="76">
+<summary>
+All of the rules required to administrate
+an chronyd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the chronyd domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="cipe" filename="policy/modules/contrib/cipe.if">
+<summary>Encrypted tunnel daemon</summary>
+</module>
+<module name="clamav" filename="policy/modules/contrib/clamav.if">
+<summary>ClamAV Virus Scanner</summary>
+<interface name="clamav_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run clamd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="clamav_stream_connect" lineno="31">
+<summary>
+Connect to run clamd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="clamav_append_log" lineno="50">
+<summary>
+Allow the specified domain to append
+to clamav log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="clamav_read_config" lineno="70">
+<summary>
+Read clamav configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="clamav_search_lib" lineno="89">
+<summary>
+Search clamav libraries directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="clamav_domtrans_clamscan" lineno="108">
+<summary>
+Execute a domain transition to run clamscan.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="clamav_exec_clamscan" lineno="126">
+<summary>
+Execute clamscan without a transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="clamav_admin" lineno="151">
+<summary>
+All of the rules required to administrate
+an clamav environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the clamav domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="clamd_use_jit" dftval="false">
+<desc>
+<p>
+Allow clamd to use JIT compiler
+</p>
+</desc>
+</tunable>
+</module>
+<module name="clockspeed" filename="policy/modules/contrib/clockspeed.if">
+<summary>Clockspeed simple network time protocol client</summary>
+<interface name="clockspeed_domtrans_cli" lineno="13">
+<summary>
+Execute clockspeed utilities in the clockspeed_cli domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="clockspeed_run_cli" lineno="37">
+<summary>
+Allow the specified role the clockspeed_cli domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="clogd" filename="policy/modules/contrib/clogd.if">
+<summary>clogd - Clustered Mirror Log Server</summary>
+<interface name="clogd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run clogd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="clogd_stream_connect" lineno="33">
+<summary>
+Connect to clogd over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="clogd_rw_semaphores" lineno="52">
+<summary>
+Allow read and write access to clogd semaphores.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="clogd_rw_shm" lineno="70">
+<summary>
+Read and write to group shared memory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="cmirrord" filename="policy/modules/contrib/cmirrord.if">
+<summary>Cluster mirror log daemon</summary>
+<interface name="cmirrord_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run cmirrord.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cmirrord_initrc_domtrans" lineno="31">
+<summary>
+Execute cmirrord server in the cmirrord domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cmirrord_read_pid_files" lineno="49">
+<summary>
+Read cmirrord PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cmirrord_rw_shm" lineno="68">
+<summary>
+Read and write to cmirrord shared memory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cmirrord_admin" lineno="98">
+<summary>
+All of the rules required to administrate
+an cmirrord environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="cobbler" filename="policy/modules/contrib/cobbler.if">
+<summary>Cobbler installation server.</summary>
+<desc>
+<p>
+Cobbler is a Linux installation server that allows for
+rapid setup of network installation environments. It
+glues together and automates many associated Linux
+tasks so you do not have to hop between lots of various
+commands and applications when rolling out new systems,
+and, in some cases, changing existing ones.
+</p>
+</desc>
+<interface name="cobblerd_domtrans" lineno="23">
+<summary>
+Execute a domain transition to run cobblerd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cobblerd_initrc_domtrans" lineno="41">
+<summary>
+Execute cobblerd server in the cobblerd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cobbler_read_config" lineno="59">
+<summary>
+Read Cobbler content in /etc
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cobbler_dontaudit_rw_log" lineno="79">
+<summary>
+Do not audit attempts to read and write
+Cobbler log files (leaked fd).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="cobbler_search_lib" lineno="97">
+<summary>
+Search cobbler dirs in /var/lib
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cobbler_read_lib_files" lineno="116">
+<summary>
+Read cobbler files in /var/lib
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cobbler_manage_lib_files" lineno="135">
+<summary>
+Manage cobbler files in /var/lib
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cobblerd_admin" lineno="161">
+<summary>
+All of the rules required to administrate
+an cobblerd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="cobbler_anon_write" dftval="false">
+<desc>
+<p>
+Allow Cobbler to modify public files
+used for public file transfer services.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="colord" filename="policy/modules/contrib/colord.if">
+<summary>GNOME color manager</summary>
+<interface name="colord_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run colord.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="colord_dbus_chat" lineno="32">
+<summary>
+Send and receive messages from
+colord over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="colord_read_lib_files" lineno="52">
+<summary>
+Read colord lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="comsat" filename="policy/modules/contrib/comsat.if">
+<summary>Comsat, a biff server.</summary>
+</module>
+<module name="consolekit" filename="policy/modules/contrib/consolekit.if">
+<summary>Framework for facilitating multiple user sessions on desktops.</summary>
+<interface name="consolekit_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run consolekit.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="consolekit_dbus_chat" lineno="32">
+<summary>
+Send and receive messages from
+consolekit over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="consolekit_read_log" lineno="52">
+<summary>
+Read consolekit log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="consolekit_manage_log" lineno="71">
+<summary>
+Manage consolekit log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="consolekit_read_pid_files" lineno="90">
+<summary>
+Read consolekit PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="corosync" filename="policy/modules/contrib/corosync.if">
+<summary>Corosync Cluster Engine</summary>
+<interface name="corosync_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run corosync.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="corosync_read_log" lineno="31">
+<summary>
+Allow the specified domain to read corosync's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corosync_stream_connect" lineno="52">
+<summary>
+Connect to corosync over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corosyncd_admin" lineno="78">
+<summary>
+All of the rules required to administrate
+an corosync environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the corosyncd domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="courier" filename="policy/modules/contrib/courier.if">
+<summary>Courier IMAP and POP3 email servers</summary>
+<template name="courier_domain_template" lineno="13">
+<summary>
+Template for creating courier server processes.
+</summary>
+<param name="prefix">
+<summary>
+Prefix name of the server process.
+</summary>
+</param>
+</template>
+<interface name="courier_domtrans_authdaemon" lineno="99">
+<summary>
+Execute the courier authentication daemon with
+a domain transition.
+</summary>
+<param name="prefix">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="courier_domtrans_pop" lineno="118">
+<summary>
+Execute the courier POP3 and IMAP server with
+a domain transition.
+</summary>
+<param name="prefix">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="courier_read_config" lineno="136">
+<summary>
+Read courier config files
+</summary>
+<param name="prefix">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="courier_manage_spool_dirs" lineno="155">
+<summary>
+Create, read, write, and delete courier
+spool directories.
+</summary>
+<param name="prefix">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="courier_manage_spool_files" lineno="174">
+<summary>
+Create, read, write, and delete courier
+spool files.
+</summary>
+<param name="prefix">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="courier_read_spool" lineno="192">
+<summary>
+Read courier spool files.
+</summary>
+<param name="prefix">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="courier_rw_spool_pipes" lineno="210">
+<summary>
+Read and write to courier spool pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="cpucontrol" filename="policy/modules/contrib/cpucontrol.if">
+<summary>Services for loading CPU microcode and CPU frequency scaling.</summary>
+<interface name="cpucontrol_stub" lineno="13">
+<summary>
+CPUcontrol stub interface. No access allowed.
+</summary>
+<param name="domain" unused="true">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="cpufreqselector" filename="policy/modules/contrib/cpufreqselector.if">
+<summary>Command-line CPU frequency settings.</summary>
+<interface name="cpufreqselector_dbus_chat" lineno="14">
+<summary>
+Send and receive messages from
+cpufreq-selector over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="cron" filename="policy/modules/contrib/cron.if">
+<summary>Periodic execution of scheduled commands.</summary>
+<template name="cron_common_crontab_template" lineno="14">
+<summary>
+The common rules for a crontab domain.
+</summary>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+</template>
+<interface name="cron_role" lineno="105">
+<summary>
+Role access for cron
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="cron_unconfined_role" lineno="154">
+<summary>
+Role access for unconfined cronjobs
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="cron_admin_role" lineno="203">
+<summary>
+Role access for cron
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="cron_system_entry" lineno="257">
+<summary>
+Make the specified program domain accessable
+from the system cron jobs.
+</summary>
+<param name="domain">
+<summary>
+The type of the process to transition to.
+</summary>
+</param>
+<param name="entrypoint">
+<summary>
+The type of the file used as an entrypoint to this domain.
+</summary>
+</param>
+</interface>
+<interface name="cron_domtrans" lineno="278">
+<summary>
+Execute cron in the cron system domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cron_exec" lineno="296">
+<summary>
+Execute crond_exec_t
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cron_initrc_domtrans" lineno="314">
+<summary>
+Execute crond server in the nscd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cron_use_fds" lineno="333">
+<summary>
+Inherit and use a file descriptor
+from the cron daemon.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cron_sigchld" lineno="351">
+<summary>
+Send a SIGCHLD signal to the cron daemon.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cron_read_pipes" lineno="369">
+<summary>
+Read a cron daemon unnamed pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cron_dontaudit_write_pipes" lineno="387">
+<summary>
+Do not audit attempts to write cron daemon unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="cron_rw_pipes" lineno="405">
+<summary>
+Read and write a cron daemon unnamed pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cron_rw_tcp_sockets" lineno="423">
+<summary>
+Read, and write cron daemon TCP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cron_dontaudit_rw_tcp_sockets" lineno="441">
+<summary>
+Dontaudit Read, and write cron daemon TCP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="cron_search_spool" lineno="459">
+<summary>
+Search the directory containing user cron tables.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cron_manage_pid_files" lineno="478">
+<summary>
+Manage pid files used by cron
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cron_anacron_domtrans_system_job" lineno="496">
+<summary>
+Execute anacron in the cron system domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cron_use_system_job_fds" lineno="515">
+<summary>
+Inherit and use a file descriptor
+from system cron jobs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cron_write_system_job_pipes" lineno="533">
+<summary>
+Write a system cron job unnamed pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cron_rw_system_job_pipes" lineno="551">
+<summary>
+Read and write a system cron job unnamed pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cron_rw_system_job_stream_sockets" lineno="569">
+<summary>
+Allow read/write unix stream sockets from the system cron jobs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cron_read_system_job_tmp_files" lineno="587">
+<summary>
+Read temporary files from the system cron jobs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cron_dontaudit_append_system_job_tmp_files" lineno="607">
+<summary>
+Do not audit attempts to append temporary
+files from the system cron jobs.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="cron_dontaudit_write_system_job_tmp_files" lineno="626">
+<summary>
+Do not audit attempts to write temporary
+files from the system cron jobs.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<tunable name="cron_can_relabel" dftval="false">
+<desc>
+<p>
+Allow system cron jobs to relabel filesystem
+for restoring file contexts.
+</p>
+</desc>
+</tunable>
+<tunable name="fcron_crond" dftval="false">
+<desc>
+<p>
+Enable extra rules in the cron domain
+to support fcron.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="cups" filename="policy/modules/contrib/cups.if">
+<summary>Common UNIX printing system</summary>
+<interface name="cups_backend" lineno="13">
+<summary>
+Setup cups to transtion to the cups backend domain
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cups_domtrans" lineno="40">
+<summary>
+Execute cups in the cups domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cups_stream_connect" lineno="58">
+<summary>
+Connect to cupsd over an unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cups_tcp_connect" lineno="77">
+<summary>
+Connect to cups over TCP. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cups_dbus_chat" lineno="92">
+<summary>
+Send and receive messages from
+cups over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cups_read_pid_files" lineno="112">
+<summary>
+Read cups PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cups_domtrans_config" lineno="131">
+<summary>
+Execute cups_config in the cups_config domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cups_signal_config" lineno="150">
+<summary>
+Send generic signals to the cups
+configuration daemon.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cups_dbus_chat_config" lineno="169">
+<summary>
+Send and receive messages from
+cupsd_config over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cups_read_config" lineno="190">
+<summary>
+Read cups configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="cups_read_rw_config" lineno="211">
+<summary>
+Read cups-writable configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="cups_read_log" lineno="231">
+<summary>
+Read cups log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="cups_append_log" lineno="250">
+<summary>
+Append cups log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cups_write_log" lineno="269">
+<summary>
+Write cups log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cups_stream_connect_ptal" lineno="288">
+<summary>
+Connect to ptal over an unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cups_admin" lineno="314">
+<summary>
+All of the rules required to administrate
+an cups environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the cups domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="cvs" filename="policy/modules/contrib/cvs.if">
+<summary>Concurrent versions system</summary>
+<interface name="cvs_read_data" lineno="13">
+<summary>
+Read the CVS data and metadata.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cvs_exec" lineno="34">
+<summary>
+Allow the specified domain to execute cvs
+in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cvs_admin" lineno="59">
+<summary>
+All of the rules required to administrate
+an cvs environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the cvs domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="allow_cvs_read_shadow" dftval="false">
+<desc>
+<p>
+Allow cvs daemon to read shadow
+</p>
+</desc>
+</tunable>
+</module>
+<module name="cyphesis" filename="policy/modules/contrib/cyphesis.if">
+<summary>Cyphesis WorldForge game server</summary>
+<interface name="cyphesis_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run cyphesis.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="cyrus" filename="policy/modules/contrib/cyrus.if">
+<summary>Cyrus is an IMAP service intended to be run on sealed servers</summary>
+<interface name="cyrus_manage_data" lineno="14">
+<summary>
+Allow caller to create, read, write,
+and delete cyrus data files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cyrus_stream_connect" lineno="33">
+<summary>
+Connect to Cyrus using a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cyrus_admin" lineno="59">
+<summary>
+All of the rules required to administrate
+an cyrus environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the cyrus domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="daemontools" filename="policy/modules/contrib/daemontools.if">
+<summary>Collection of tools for managing UNIX services</summary>
+<desc>
+<p>
+Policy for DJB's daemontools
+</p>
+</desc>
+<interface name="daemontools_ipc_domain" lineno="18">
+<summary>
+An ipc channel between the supervised domain and svc_start_t
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="daemontools_service_domain" lineno="44">
+<summary>
+Define a specified domain as a supervised service.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="entrypoint">
+<summary>
+The type associated with the process program.
+</summary>
+</param>
+</interface>
+<interface name="daemontools_domtrans_start" lineno="66">
+<summary>
+Execute in the svc_start_t domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="daemonstools_run_start" lineno="91">
+<summary>
+Execute svc_start in the svc_start domain, and
+allow the specified role the svc_start domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed the svc_start domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="daemontools_domtrans_run" lineno="110">
+<summary>
+Execute in the svc_run_t domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="daemontools_sigchld_run" lineno="128">
+<summary>
+Send a SIGCHLD signal to svc_run domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="daemontools_domtrans_multilog" lineno="146">
+<summary>
+Execute in the svc_multilog_t domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="daemontools_search_svc_dir" lineno="164">
+<summary>
+Search svc_svc_t directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="daemontools_read_svc" lineno="183">
+<summary>
+Allow a domain to read svc_svc_t files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="daemontools_manage_svc" lineno="203">
+<summary>
+Allow a domain to create svc_svc_t files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="dante" filename="policy/modules/contrib/dante.if">
+<summary>Dante msproxy and socks4/5 proxy server</summary>
+</module>
+<module name="dbadm" filename="policy/modules/contrib/dbadm.if">
+<summary>Database administrator role</summary>
+<interface name="dbadm_role_change" lineno="14">
+<summary>
+Change to the database administrator role.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="dbadm_role_change_to" lineno="44">
+<summary>
+Change from the database administrator role.
+</summary>
+<desc>
+<p>
+Change from the database administrator role to
+the specified role.
+</p>
+<p>
+This is an interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="dbadm_manage_user_files" dftval="false">
+<desc>
+<p>
+Allow dbadm to manage files in users home directories
+</p>
+</desc>
+</tunable>
+<tunable name="dbadm_read_user_files" dftval="false">
+<desc>
+<p>
+Allow dbadm to read files in users home directories
+</p>
+</desc>
+</tunable>
+</module>
+<module name="dbskk" filename="policy/modules/contrib/dbskk.if">
+<summary>Dictionary server for the SKK Japanese input method system.</summary>
+</module>
+<module name="dbus" filename="policy/modules/contrib/dbus.if">
+<summary>Desktop messaging bus</summary>
+<interface name="dbus_stub" lineno="13">
+<summary>
+DBUS stub interface. No access allowed.
+</summary>
+<param name="domain" unused="true">
+<summary>
+Domain allowed access
+</summary>
+</param>
+</interface>
+<template name="dbus_role_template" lineno="41">
+<summary>
+Role access for dbus
+</summary>
+<param name="role_prefix">
+<summary>
+The prefix of the user role (e.g., user
+is the prefix for user_r).
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</template>
+<interface name="dbus_system_bus_client" lineno="179">
+<summary>
+Template for creating connections to
+the system DBUS.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dbus_session_bus_client" lineno="210">
+<summary>
+Template for creating connections to
+a user DBUS.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dbus_send_session_bus" lineno="233">
+<summary>
+Send a message the session DBUS.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dbus_read_config" lineno="252">
+<summary>
+Read dbus configuration.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dbus_read_lib_files" lineno="271">
+<summary>
+Read system dbus lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dbus_manage_lib_files" lineno="291">
+<summary>
+Create, read, write, and delete
+system dbus lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dbus_connect_session_bus" lineno="311">
+<summary>
+Connect to the system DBUS
+for service (acquire_svc).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dbus_session_domain" lineno="337">
+<summary>
+Allow a application domain to be started
+by the session dbus.
+</summary>
+<param name="domain">
+<summary>
+Type to be used as a domain.
+</summary>
+</param>
+<param name="entry_point">
+<summary>
+Type of the program to be used as an
+entry point to this domain.
+</summary>
+</param>
+</interface>
+<interface name="dbus_connect_system_bus" lineno="359">
+<summary>
+Connect to the system DBUS
+for service (acquire_svc).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dbus_send_system_bus" lineno="378">
+<summary>
+Send a message on the system DBUS.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dbus_system_bus_unconfined" lineno="397">
+<summary>
+Allow unconfined access to the system DBUS.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dbus_system_domain" lineno="422">
+<summary>
+Create a domain for processes
+which can be started by the system dbus
+</summary>
+<param name="domain">
+<summary>
+Type to be used as a domain.
+</summary>
+</param>
+<param name="entry_point">
+<summary>
+Type of the program to be used as an entry point to this domain.
+</summary>
+</param>
+</interface>
+<interface name="dbus_use_system_bus_fds" lineno="457">
+<summary>
+Use and inherit system DBUS file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="475">
+<summary>
+Dontaudit Read, and write system dbus TCP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dbus_unconfined" lineno="494">
+<summary>
+Allow unconfined access to the system DBUS.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="dcc" filename="policy/modules/contrib/dcc.if">
+<summary>Distributed checksum clearinghouse spam filtering</summary>
+<interface name="dcc_domtrans_cdcc" lineno="13">
+<summary>
+Execute cdcc in the cdcc domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="dcc_run_cdcc" lineno="39">
+<summary>
+Execute cdcc in the cdcc domain, and
+allow the specified role the cdcc domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="dcc_domtrans_client" lineno="58">
+<summary>
+Execute dcc_client in the dcc_client domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="dcc_signal_client" lineno="77">
+<summary>
+Send a signal to the dcc_client.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dcc_run_client" lineno="102">
+<summary>
+Execute dcc_client in the dcc_client domain, and
+allow the specified role the dcc_client domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="dcc_domtrans_dbclean" lineno="121">
+<summary>
+Execute dbclean in the dcc_dbclean domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="dcc_run_dbclean" lineno="147">
+<summary>
+Execute dbclean in the dcc_dbclean domain, and
+allow the specified role the dcc_dbclean domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="dcc_stream_connect_dccifd" lineno="166">
+<summary>
+Connect to dccifd over a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="ddclient" filename="policy/modules/contrib/ddclient.if">
+<summary>Update dynamic IP address at DynDNS.org</summary>
+<interface name="ddclient_domtrans" lineno="13">
+<summary>
+Execute ddclient in the ddclient domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ddclient_run" lineno="38">
+<summary>
+Execute ddclient daemon on behalf of a user or staff type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="ddclient_admin" lineno="64">
+<summary>
+All of the rules required to administrate
+an ddclient environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the ddclient domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="ddcprobe" filename="policy/modules/contrib/ddcprobe.if">
+<summary>ddcprobe retrieves monitor and graphics card information</summary>
+<interface name="ddcprobe_domtrans" lineno="13">
+<summary>
+Execute ddcprobe in the ddcprobe domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ddcprobe_run" lineno="38">
+<summary>
+Execute ddcprobe in the ddcprobe domain, and
+allow the specified role the ddcprobe domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role to be authenticated for ddcprobe domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="denyhosts" filename="policy/modules/contrib/denyhosts.if">
+<summary>DenyHosts SSH dictionary attack mitigation</summary>
+<desc>
+<p>
+DenyHosts is a script intended to be run by Linux
+system administrators to help thwart SSH server attacks
+(also known as dictionary based attacks and brute force
+attacks).
+</p>
+</desc>
+<interface name="denyhosts_domtrans" lineno="21">
+<summary>
+Execute a domain transition to run denyhosts.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="denyhosts_initrc_domtrans" lineno="39">
+<summary>
+Execute denyhost server in the denyhost domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="denyhosts_admin" lineno="63">
+<summary>
+All of the rules required to administrate
+an denyhosts environment.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="devicekit" filename="policy/modules/contrib/devicekit.if">
+<summary>Devicekit modular hardware abstraction layer</summary>
+<interface name="devicekit_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run devicekit.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="devicekit_dgram_send" lineno="32">
+<summary>
+Send to devicekit over a unix domain
+datagram socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="devicekit_dbus_chat" lineno="51">
+<summary>
+Send and receive messages from
+devicekit over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="devicekit_dbus_chat_disk" lineno="72">
+<summary>
+Send and receive messages from
+devicekit disk over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="devicekit_signal_power" lineno="92">
+<summary>
+Send signal devicekit power
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="devicekit_dbus_chat_power" lineno="111">
+<summary>
+Send and receive messages from
+devicekit power over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="devicekit_read_pid_files" lineno="131">
+<summary>
+Read devicekit PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="devicekit_admin" lineno="162">
+<summary>
+All of the rules required to administrate
+an devicekit environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the devicekit domain.
+</summary>
+</param>
+<param name="terminal">
+<summary>
+The type of the user terminal.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="dhcp" filename="policy/modules/contrib/dhcp.if">
+<summary>Dynamic host configuration protocol (DHCP) server</summary>
+<interface name="dhcpd_domtrans" lineno="13">
+<summary>
+Transition to dhcpd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="dhcpd_setattr_state_files" lineno="33">
+<summary>
+Set the attributes of the DCHP
+server state files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dhcpd_initrc_domtrans" lineno="53">
+<summary>
+Execute dhcp server in the dhcp domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="dhcpd_admin" lineno="78">
+<summary>
+All of the rules required to administrate
+an dhcp environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the dhcp domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="dictd" filename="policy/modules/contrib/dictd.if">
+<summary>Dictionary daemon</summary>
+<interface name="dictd_tcp_connect" lineno="14">
+<summary>
+Use dictionary services by connecting
+over TCP. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dictd_admin" lineno="35">
+<summary>
+All of the rules required to administrate
+an dictd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the dictd domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="distcc" filename="policy/modules/contrib/distcc.if">
+<summary>Distributed compiler daemon</summary>
+</module>
+<module name="djbdns" filename="policy/modules/contrib/djbdns.if">
+<summary>small and secure DNS daemon</summary>
+<template name="djbdns_daemontools_domain_template" lineno="14">
+<summary>
+Create a set of derived types for djbdns
+components that are directly supervised by daemontools.
+</summary>
+<param name="prefix">
+<summary>
+The prefix to be used for deriving type names.
+</summary>
+</param>
+</template>
+<interface name="djbdns_search_tinydns_keys" lineno="66">
+<summary>
+Allow search the djbdns-tinydns key ring.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="djbdns_link_tinydns_keys" lineno="84">
+<summary>
+Allow link to the djbdns-tinydns key ring.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="dkim" filename="policy/modules/contrib/dkim.if">
+<summary>DomainKeys Identified Mail milter.</summary>
+</module>
+<module name="dmidecode" filename="policy/modules/contrib/dmidecode.if">
+<summary>Decode DMI data for x86/ia64 bioses.</summary>
+<interface name="dmidecode_domtrans" lineno="13">
+<summary>
+Execute dmidecode in the dmidecode domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="dmidecode_run" lineno="43">
+<summary>
+Execute dmidecode in the dmidecode domain, and
+allow the specified role the dmidecode domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="dnsmasq" filename="policy/modules/contrib/dnsmasq.if">
+<summary>dnsmasq DNS forwarder and DHCP server</summary>
+<interface name="dnsmasq_domtrans" lineno="14">
+<summary>
+Execute dnsmasq server in the dnsmasq domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="dnsmasq_initrc_domtrans" lineno="34">
+<summary>
+Execute the dnsmasq init script in the init script domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="dnsmasq_signal" lineno="53">
+<summary>
+Send dnsmasq a signal
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dnsmasq_signull" lineno="72">
+<summary>
+Send dnsmasq a signull
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dnsmasq_kill" lineno="91">
+<summary>
+Send dnsmasq a kill signal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dnsmasq_read_config" lineno="109">
+<summary>
+Read dnsmasq config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dnsmasq_write_config" lineno="128">
+<summary>
+Write to dnsmasq config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dnsmasq_delete_pid_files" lineno="148">
+<summary>
+Delete dnsmasq pid files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dnsmasq_read_pid_files" lineno="167">
+<summary>
+Read dnsmasq pid files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dnsmasq_admin" lineno="192">
+<summary>
+All of the rules required to administrate
+an dnsmasq environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the dnsmasq domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="dovecot" filename="policy/modules/contrib/dovecot.if">
+<summary>Dovecot POP and IMAP mail server</summary>
+<interface name="dovecot_stream_connect_auth" lineno="14">
+<summary>
+Connect to dovecot auth unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="dovecot_domtrans_deliver" lineno="32">
+<summary>
+Execute dovecot_deliver in the dovecot_deliver domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="dovecot_manage_spool" lineno="50">
+<summary>
+Create, read, write, and delete the dovecot spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dovecot_dontaudit_unlink_lib_files" lineno="69">
+<summary>
+Do not audit attempts to delete dovecot lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dovecot_admin" lineno="94">
+<summary>
+All of the rules required to administrate
+an dovecot environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the dovecot domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="dpkg" filename="policy/modules/contrib/dpkg.if">
+<summary>Policy for the Debian package manager.</summary>
+<interface name="dpkg_domtrans" lineno="15">
+<summary>
+Execute dpkg programs in the dpkg domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="dpkg_domtrans_script" lineno="35">
+<summary>
+Execute dpkg_script programs in the dpkg_script domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="dpkg_run" lineno="63">
+<summary>
+Execute dpkg programs in the dpkg domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the dpkg domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="dpkg_use_fds" lineno="82">
+<summary>
+Inherit and use file descriptors from dpkg.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dpkg_read_pipes" lineno="100">
+<summary>
+Read from an unnamed dpkg pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dpkg_rw_pipes" lineno="118">
+<summary>
+Read and write an unnamed dpkg pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dpkg_use_script_fds" lineno="136">
+<summary>
+Inherit and use file descriptors from dpkg scripts.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dpkg_read_db" lineno="154">
+<summary>
+Read the dpkg package database.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dpkg_manage_db" lineno="175">
+<summary>
+Create, read, write, and delete the dpkg package database.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dpkg_dontaudit_manage_db" lineno="196">
+<summary>
+Do not audit attempts to create, read,
+write, and delete the dpkg package database.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dpkg_lock_db" lineno="216">
+<summary>
+Lock the dpkg package database.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="entropyd" filename="policy/modules/contrib/entropyd.if">
+<summary>Generate entropy from audio input</summary>
+<tunable name="entropyd_use_audio" dftval="false">
+<desc>
+<p>
+Allow the use of the audio devices as the source for the entropy feeds
+</p>
+</desc>
+</tunable>
+</module>
+<module name="evolution" filename="policy/modules/contrib/evolution.if">
+<summary>Evolution email client</summary>
+<interface name="evolution_role" lineno="18">
+<summary>
+Role access for evolution
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="evolution_home_filetrans" lineno="85">
+<summary>
+Create objects in users evolution home folders.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="file_type">
+<summary>
+Private file type.
+</summary>
+</param>
+<param name="class">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="evolution_stream_connect" lineno="104">
+<summary>
+Connect to evolution unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="evolution_dbus_chat" lineno="124">
+<summary>
+Send and receive messages from
+evolution over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="evolution_alarm_dbus_chat" lineno="145">
+<summary>
+Send and receive messages from
+evolution_alarm over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="exim" filename="policy/modules/contrib/exim.if">
+<summary>Exim mail transfer agent</summary>
+<interface name="exim_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run exim.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="exim_dontaudit_read_tmp_files" lineno="32">
+<summary>
+Do not audit attempts to read,
+exim tmp files
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="exim_read_tmp_files" lineno="50">
+<summary>
+Allow domain to read, exim tmp files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="exim_read_pid_files" lineno="69">
+<summary>
+Read exim PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="exim_read_log" lineno="89">
+<summary>
+Allow the specified domain to read exim's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="exim_append_log" lineno="109">
+<summary>
+Allow the specified domain to append
+exim log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="exim_manage_log" lineno="129">
+<summary>
+Allow the specified domain to manage exim's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="exim_manage_spool_dirs" lineno="149">
+<summary>
+Create, read, write, and delete
+exim spool dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="exim_read_spool_files" lineno="168">
+<summary>
+Read exim spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="exim_manage_spool_files" lineno="189">
+<summary>
+Create, read, write, and delete
+exim spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="exim_can_connect_db" dftval="false">
+<desc>
+<p>
+Allow exim to connect to databases (postgres, mysql)
+</p>
+</desc>
+</tunable>
+<tunable name="exim_read_user_files" dftval="false">
+<desc>
+<p>
+Allow exim to read unprivileged user files.
+</p>
+</desc>
+</tunable>
+<tunable name="exim_manage_user_files" dftval="false">
+<desc>
+<p>
+Allow exim to create, read, write, and delete
+unprivileged user files.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="fail2ban" filename="policy/modules/contrib/fail2ban.if">
+<summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
+<interface name="fail2ban_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run fail2ban.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="fail2ban_stream_connect" lineno="32">
+<summary>
+Connect to fail2ban over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fail2ban_rw_stream_sockets" lineno="51">
+<summary>
+Read and write to an fail2ban unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fail2ban_read_lib_files" lineno="69">
+<summary>
+Read fail2ban lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fail2ban_read_log" lineno="89">
+<summary>
+Allow the specified domain to read fail2ban's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fail2ban_append_log" lineno="110">
+<summary>
+Allow the specified domain to append
+fail2ban log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fail2ban_read_pid_files" lineno="130">
+<summary>
+Read fail2ban PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fail2ban_admin" lineno="156">
+<summary>
+All of the rules required to administrate
+an fail2ban environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the fail2ban domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="fetchmail" filename="policy/modules/contrib/fetchmail.if">
+<summary>Remote-mail retrieval and forwarding utility</summary>
+<interface name="fetchmail_admin" lineno="15">
+<summary>
+All of the rules required to administrate
+an fetchmail environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="finger" filename="policy/modules/contrib/finger.if">
+<summary>Finger user information service.</summary>
+<interface name="finger_domtrans" lineno="13">
+<summary>
+Execute fingerd in the fingerd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="finger_tcp_connect" lineno="31">
+<summary>
+Allow the specified domain to connect to fingerd with a tcp socket. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="firstboot" filename="policy/modules/contrib/firstboot.if">
+<summary>
+Final system configuration run during the first boot
+after installation of Red Hat/Fedora systems.
+</summary>
+<interface name="firstboot_domtrans" lineno="16">
+<summary>
+Execute firstboot in the firstboot domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="firstboot_run" lineno="40">
+<summary>
+Execute firstboot in the firstboot domain, and
+allow the specified role the firstboot domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="firstboot_use_fds" lineno="59">
+<summary>
+Inherit and use a file descriptor from firstboot.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="firstboot_dontaudit_use_fds" lineno="78">
+<summary>
+Do not audit attempts to inherit a
+file descriptor from firstboot.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="firstboot_write_pipes" lineno="96">
+<summary>
+Write to a firstboot unnamed pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="firstboot_rw_pipes" lineno="114">
+<summary>
+Read and Write to a firstboot unnamed pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="firstboot_dontaudit_rw_pipes" lineno="132">
+<summary>
+Do not audit attemps to read and write to a firstboot unnamed pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="firstboot_dontaudit_rw_stream_sockets" lineno="151">
+<summary>
+Do not audit attemps to read and write to a firstboot
+unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+</module>
+<module name="fprintd" filename="policy/modules/contrib/fprintd.if">
+<summary>DBus fingerprint reader service</summary>
+<interface name="fprintd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run fprintd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="fprintd_dbus_chat" lineno="32">
+<summary>
+Send and receive messages from
+fprintd over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="ftp" filename="policy/modules/contrib/ftp.if">
+<summary>File transfer protocol service</summary>
+<interface name="ftp_dyntrans_anon_sftpd" lineno="13">
+<summary>
+Allow domain dyntransition to sftpd_anon domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ftp_tcp_connect" lineno="31">
+<summary>
+Use ftp by connecting over TCP. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ftp_read_config" lineno="45">
+<summary>
+Read ftpd etc files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ftp_check_exec" lineno="64">
+<summary>
+Execute FTP daemon entry point programs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ftp_read_log" lineno="83">
+<summary>
+Read FTP transfer logs
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ftp_domtrans_ftpdctl" lineno="102">
+<summary>
+Execute the ftpdctl program in the ftpdctl domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ftp_run_ftpdctl" lineno="127">
+<summary>
+Execute the ftpdctl program in the ftpdctl domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the ftpdctl domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="ftp_dyntrans_sftpd" lineno="146">
+<summary>
+Allow domain dyntransition to sftpd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ftp_admin" lineno="171">
+<summary>
+All of the rules required to administrate
+an ftp environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the ftp domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="allow_ftpd_anon_write" dftval="false">
+<desc>
+<p>
+Allow ftp servers to upload files, used for public file
+transfer services. Directories must be labeled
+public_content_rw_t.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_ftpd_full_access" dftval="false">
+<desc>
+<p>
+Allow ftp servers to login to local users and
+read/write all files on the system, governed by DAC.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_ftpd_use_cifs" dftval="false">
+<desc>
+<p>
+Allow ftp servers to use cifs
+used for public file transfer services.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_ftpd_use_nfs" dftval="false">
+<desc>
+<p>
+Allow ftp servers to use nfs
+used for public file transfer services.
+</p>
+</desc>
+</tunable>
+<tunable name="ftp_home_dir" dftval="false">
+<desc>
+<p>
+Allow ftp to read and write files in the user home directories
+</p>
+</desc>
+</tunable>
+<tunable name="sftpd_anon_write" dftval="false">
+<desc>
+<p>
+Allow anon internal-sftp to upload files, used for
+public file transfer services. Directories must be labeled
+public_content_rw_t.
+</p>
+</desc>
+</tunable>
+<tunable name="sftpd_enable_homedirs" dftval="false">
+<desc>
+<p>
+Allow sftp-internal to read and write files
+in the user home directories
+</p>
+</desc>
+</tunable>
+<tunable name="sftpd_full_access" dftval="false">
+<desc>
+<p>
+Allow sftp-internal to login to local users and
+read/write all files on the system, governed by DAC.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="games" filename="policy/modules/contrib/games.if">
+<summary>Games</summary>
+<interface name="games_role" lineno="18">
+<summary>
+Role access for games
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="games_rw_data" lineno="45">
+<summary>
+Allow the specified domain to read/write
+games data.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="gatekeeper" filename="policy/modules/contrib/gatekeeper.if">
+<summary>OpenH.323 Voice-Over-IP Gatekeeper</summary>
+</module>
+<module name="gift" filename="policy/modules/contrib/gift.if">
+<summary>giFT peer to peer file sharing tool</summary>
+<interface name="gift_role" lineno="18">
+<summary>
+Role access for gift
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+</module>
+<module name="git" filename="policy/modules/contrib/git.if">
+<summary>GIT revision control system.</summary>
+<template name="git_role" lineno="18">
+<summary>
+Role access for Git session.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role.
+</summary>
+</param>
+</template>
+<tunable name="git_cgi_enable_homedirs" dftval="false">
+<desc>
+<p>
+Determine whether Git CGI
+can search home directories.
+</p>
+</desc>
+</tunable>
+<tunable name="git_cgi_use_cifs" dftval="false">
+<desc>
+<p>
+Determine whether Git CGI
+can access cifs file systems.
+</p>
+</desc>
+</tunable>
+<tunable name="git_cgi_use_nfs" dftval="false">
+<desc>
+<p>
+Determine whether Git CGI
+can access nfs file systems.
+</p>
+</desc>
+</tunable>
+<tunable name="git_session_users" dftval="false">
+<desc>
+<p>
+Determine whether calling user domains
+can execute Git daemon in the
+git_session_t domain.
+</p>
+</desc>
+</tunable>
+<tunable name="git_session_send_syslog_msg" dftval="false">
+<desc>
+<p>
+Determine whether Git session daemons
+can send syslog messages.
+</p>
+</desc>
+</tunable>
+<tunable name="git_system_enable_homedirs" dftval="false">
+<desc>
+<p>
+Determine whether Git system daemon
+can search home directories.
+</p>
+</desc>
+</tunable>
+<tunable name="git_system_use_cifs" dftval="false">
+<desc>
+<p>
+Determine whether Git system daemon
+can access cifs file systems.
+</p>
+</desc>
+</tunable>
+<tunable name="git_system_use_nfs" dftval="false">
+<desc>
+<p>
+Determine whether Git system daemon
+can access nfs file systems.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="gitosis" filename="policy/modules/contrib/gitosis.if">
+<summary>Tools for managing and hosting git repositories.</summary>
+<interface name="gitosis_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run gitosis.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="gitosis_run" lineno="37">
+<summary>
+Execute gitosis-serve in the gitosis domain, and
+allow the specified role the gitosis domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="gitosis_read_lib_files" lineno="57">
+<summary>
+Allow the specified domain to read
+gitosis lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="gitosis_manage_lib_files" lineno="79">
+<summary>
+Allow the specified domain to manage
+gitosis lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="glance" filename="policy/modules/contrib/glance.if">
+<summary>policy for glance</summary>
+<interface name="glance_domtrans_registry" lineno="13">
+<summary>
+Transition to glance registry.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="glance_domtrans_api" lineno="32">
+<summary>
+Transition to glance api.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="glance_read_log" lineno="52">
+<summary>
+Read glance's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="glance_append_log" lineno="71">
+<summary>
+Append to glance log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="glance_manage_log" lineno="90">
+<summary>
+Manage glance log files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="glance_search_lib" lineno="111">
+<summary>
+Search glance lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="glance_read_lib_files" lineno="130">
+<summary>
+Read glance lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="glance_manage_lib_files" lineno="149">
+<summary>
+Manage glance lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="glance_manage_lib_dirs" lineno="168">
+<summary>
+Manage glance lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="glance_read_pid_files" lineno="187">
+<summary>
+Read glance PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="glance_manage_pid_files" lineno="206">
+<summary>
+Manage glance PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="glance_admin" lineno="232">
+<summary>
+All of the rules required to administrate
+an glance environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="gnome" filename="policy/modules/contrib/gnome.if">
+<summary>GNU network object model environment (GNOME)</summary>
+<interface name="gnome_role" lineno="18">
+<summary>
+Role access for gnome
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="gnome_exec_gconf" lineno="49">
+<summary>
+Execute gconf programs in
+in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<template name="gnome_read_gconf_config" lineno="67">
+<summary>
+Read gconf config files.
+</summary>
+<param name="user_domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</template>
+<interface name="gnome_manage_gconf_config" lineno="87">
+<summary>
+Create, read, write, and delete gconf config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="gnome_stream_connect_gconf" lineno="106">
+<summary>
+gconf connection template.
+</summary>
+<param name="user_domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="gnome_domtrans_gconfd" lineno="125">
+<summary>
+Run gconfd in gconfd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="gnome_setattr_config_dirs" lineno="143">
+<summary>
+Set attributes of Gnome config dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<template name="gnome_read_config" lineno="162">
+<summary>
+Read gnome homedir content (.config)
+</summary>
+<param name="user_domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</template>
+<interface name="gnome_manage_config" lineno="182">
+<summary>
+manage gnome homedir content (.config)
+</summary>
+<param name="user_domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="gnomeclock" filename="policy/modules/contrib/gnomeclock.if">
+<summary>Gnome clock handler for setting the time.</summary>
+<interface name="gnomeclock_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run gnomeclock.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="gnomeclock_run" lineno="37">
+<summary>
+Execute gnomeclock in the gnomeclock domain, and
+allow the specified role the gnomeclock domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="gnomeclock_dbus_chat" lineno="57">
+<summary>
+Send and receive messages from
+gnomeclock over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="gpg" filename="policy/modules/contrib/gpg.if">
+<summary>Policy for GNU Privacy Guard and related programs.</summary>
+<interface name="gpg_role" lineno="18">
+<summary>
+Role access for gpg
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="gpg_domtrans" lineno="80">
+<summary>
+Transition to a user gpg domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="gpg_exec" lineno="98">
+<summary>
+Execute the gpg application without transitioning
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to execute gpg
+</summary>
+</param>
+</interface>
+<interface name="gpg_signal" lineno="116">
+<summary>
+Send generic signals to user gpg processes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="gpg_rw_agent_pipes" lineno="134">
+<summary>
+Read and write GPG agent pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="gpg_pinentry_dbus_chat" lineno="154">
+<summary>
+Send messages to and from GPG
+Pinentry over DBUS.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="gpg_list_user_secrets" lineno="174">
+<summary>
+List Gnu Privacy Guard user secrets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="gpg_agent_env_file" dftval="false">
+<desc>
+<p>
+Allow usage of the gpg-agent --write-env-file option.
+This also allows gpg-agent to manage user files.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="gpm" filename="policy/modules/contrib/gpm.if">
+<summary>General Purpose Mouse driver</summary>
+<interface name="gpm_stream_connect" lineno="14">
+<summary>
+Connect to GPM over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="gpm_getattr_gpmctl" lineno="34">
+<summary>
+Get the attributes of the GPM
+control channel named socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="gpm_dontaudit_getattr_gpmctl" lineno="55">
+<summary>
+Do not audit attempts to get the
+attributes of the GPM control channel
+named socket.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="gpm_setattr_gpmctl" lineno="74">
+<summary>
+Set the attributes of the GPM
+control channel named socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="gpsd" filename="policy/modules/contrib/gpsd.if">
+<summary>gpsd monitor daemon</summary>
+<interface name="gpsd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run gpsd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="gpsd_run" lineno="37">
+<summary>
+Execute gpsd in the gpsd domain, and
+allow the specified role the gpsd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="gpsd_rw_shm" lineno="56">
+<summary>
+Read and write gpsd shared memory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="guest" filename="policy/modules/contrib/guest.if">
+<summary>Least privledge terminal user role</summary>
+<interface name="guest_role_change" lineno="14">
+<summary>
+Change to the guest role.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="guest_role_change_to" lineno="44">
+<summary>
+Change from the guest role.
+</summary>
+<desc>
+<p>
+Change from the guest role to
+the specified role.
+</p>
+<p>
+This is an interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="hadoop" filename="policy/modules/contrib/hadoop.if">
+<summary>Software for reliable, scalable, distributed computing.</summary>
+<template name="hadoop_domain_template" lineno="13">
+<summary>
+The template to define a hadoop domain.
+</summary>
+<param name="domain_prefix">
+<summary>
+Domain prefix to be used.
+</summary>
+</param>
+</template>
+<interface name="hadoop_role" lineno="219">
+<summary>
+Role access for hadoop.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="hadoop_domtrans" lineno="248">
+<summary>
+Execute hadoop in the
+hadoop domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="hadoop_recvfrom" lineno="268">
+<summary>
+Give permission to a domain to
+recvfrom hadoop_t
+</summary>
+<param name="domain">
+<summary>
+Domain needing recvfrom
+permission
+</summary>
+</param>
+</interface>
+<interface name="hadoop_domtrans_zookeeper_client" lineno="287">
+<summary>
+Execute zookeeper client in the
+zookeeper client domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="hadoop_recvfrom_zookeeper_client" lineno="308">
+<summary>
+Give permission to a domain to
+recvfrom zookeeper_t
+</summary>
+<param name="domain">
+<summary>
+Domain needing recvfrom
+permission
+</summary>
+</param>
+</interface>
+<interface name="hadoop_domtrans_zookeeper_server" lineno="327">
+<summary>
+Execute zookeeper server in the
+zookeeper server domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="hadoop_recvfrom_zookeeper_server" lineno="348">
+<summary>
+Give permission to a domain to
+recvfrom zookeeper_server_t
+</summary>
+<param name="domain">
+<summary>
+Domain needing recvfrom
+permission
+</summary>
+</param>
+</interface>
+<interface name="hadoop_initrc_domtrans_zookeeper_server" lineno="367">
+<summary>
+Execute zookeeper server in the
+zookeeper domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="hadoop_recvfrom_datanode" lineno="387">
+<summary>
+Give permission to a domain to
+recvfrom hadoop_datanode_t
+</summary>
+<param name="domain">
+<summary>
+Domain needing recvfrom
+permission
+</summary>
+</param>
+</interface>
+<interface name="hadoop_read_config" lineno="406">
+<summary>
+Give permission to a domain to read
+hadoop_etc_t
+</summary>
+<param name="domain">
+<summary>
+Domain needing read permission
+</summary>
+</param>
+</interface>
+<interface name="hadoop_exec_config" lineno="427">
+<summary>
+Give permission to a domain to
+execute hadoop_etc_t
+</summary>
+<param name="domain">
+<summary>
+Domain needing read and execute
+permission
+</summary>
+</param>
+</interface>
+<interface name="hadoop_recvfrom_jobtracker" lineno="448">
+<summary>
+Give permission to a domain to
+recvfrom hadoop_jobtracker_t
+</summary>
+<param name="domain">
+<summary>
+Domain needing recvfrom
+permission
+</summary>
+</param>
+</interface>
+<interface name="hadoop_match_lan_spd" lineno="468">
+<summary>
+Give permission to a domain to
+polmatch on hadoop_lan_t
+</summary>
+<param name="domain">
+<summary>
+Domain needing polmatch
+permission
+</summary>
+</param>
+</interface>
+<interface name="hadoop_recvfrom_namenode" lineno="488">
+<summary>
+Give permission to a domain to
+recvfrom hadoop_namenode_t
+</summary>
+<param name="domain">
+<summary>
+Domain needing recvfrom
+permission
+</summary>
+</param>
+</interface>
+<interface name="hadoop_recvfrom_secondarynamenode" lineno="508">
+<summary>
+Give permission to a domain to
+recvfrom hadoop_secondarynamenode_t
+</summary>
+<param name="domain">
+<summary>
+Domain needing recvfrom
+permission
+</summary>
+</param>
+</interface>
+<interface name="hadoop_recvfrom_tasktracker" lineno="528">
+<summary>
+Give permission to a domain to
+recvfrom hadoop_tasktracker_t
+</summary>
+<param name="domain">
+<summary>
+Domain needing recvfrom
+permission
+</summary>
+</param>
+</interface>
+</module>
+<module name="hal" filename="policy/modules/contrib/hal.if">
+<summary>Hardware abstraction layer</summary>
+<interface name="hal_domtrans" lineno="13">
+<summary>
+Execute hal in the hal domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="hal_getattr" lineno="31">
+<summary>
+Get the attributes of a hal process.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_read_state" lineno="49">
+<summary>
+Read hal system state
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_ptrace" lineno="67">
+<summary>
+Allow ptrace of hal domain
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_use_fds" lineno="85">
+<summary>
+Allow domain to use file descriptors from hal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_dontaudit_use_fds" lineno="103">
+<summary>
+Do not audit attempts to use file descriptors from hal.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="hal_rw_pipes" lineno="122">
+<summary>
+Allow attempts to read and write to
+hald unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_dontaudit_rw_pipes" lineno="141">
+<summary>
+Do not audit attempts to read and write to
+hald unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="hal_dgram_send" lineno="160">
+<summary>
+Send to hal over a unix domain
+datagram socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_stream_connect" lineno="179">
+<summary>
+Send to hal over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_dontaudit_rw_dgram_sockets" lineno="197">
+<summary>
+Dontaudit read/write to a hal unix datagram socket.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="hal_dbus_send" lineno="215">
+<summary>
+Send a dbus message to hal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_dbus_chat" lineno="235">
+<summary>
+Send and receive messages from
+hal over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_domtrans_mac" lineno="255">
+<summary>
+Execute hal mac in the hal mac domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="hal_write_log" lineno="274">
+<summary>
+Allow attempts to write the hal
+log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_dontaudit_write_log" lineno="294">
+<summary>
+Do not audit attempts to write the hal
+log files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="hal_manage_log" lineno="312">
+<summary>
+Manage hald log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_read_tmp_files" lineno="332">
+<summary>
+Read hald tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_dontaudit_append_lib_files" lineno="351">
+<summary>
+Do not audit attempts to read or write
+HAL libraries files
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="hal_read_pid_files" lineno="369">
+<summary>
+Read hald PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_rw_pid_files" lineno="388">
+<summary>
+Read/Write hald PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_manage_pid_dirs" lineno="407">
+<summary>
+Manage hald PID dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hal_manage_pid_files" lineno="426">
+<summary>
+Manage hald PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="hddtemp" filename="policy/modules/contrib/hddtemp.if">
+<summary>hddtemp hard disk temperature tool running as a daemon.</summary>
+<interface name="hddtemp_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run hddtemp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="hddtemp_exec" lineno="32">
+<summary>
+Execute hddtemp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hddtemp_admin" lineno="58">
+<summary>
+All of the rules required to
+administrate an hddtemp environment.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="howl" filename="policy/modules/contrib/howl.if">
+<summary>Port of Apple Rendezvous multicast DNS</summary>
+<interface name="howl_signal" lineno="13">
+<summary>
+Send generic signals to howl.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="i18n_input" filename="policy/modules/contrib/i18n_input.if">
+<summary>IIIMF htt server</summary>
+<interface name="i18n_use" lineno="13">
+<summary>
+Use i18n_input over a TCP connection. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="icecast" filename="policy/modules/contrib/icecast.if">
+<summary> ShoutCast compatible streaming media server</summary>
+<interface name="icecast_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run icecast.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="icecast_signal" lineno="31">
+<summary>
+Allow domain signal icecast
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="icecast_initrc_domtrans" lineno="49">
+<summary>
+Execute icecast server in the icecast domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="icecast_read_pid_files" lineno="67">
+<summary>
+Read icecast PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="icecast_manage_pid_files" lineno="86">
+<summary>
+Manage icecast pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="icecast_read_log" lineno="106">
+<summary>
+Allow the specified domain to read icecast's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="icecast_append_log" lineno="126">
+<summary>
+Allow the specified domain to append
+icecast log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="icecast_manage_log" lineno="145">
+<summary>
+Allow domain to manage icecast log files
+</summary>
+<param name="domain">
+<summary>
+Domain allow access.
+</summary>
+</param>
+</interface>
+<interface name="icecast_admin" lineno="171">
+<summary>
+All of the rules required to administrate
+an icecast environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="ifplugd" filename="policy/modules/contrib/ifplugd.if">
+<summary>Bring up/down ethernet interfaces based on cable detection.</summary>
+<interface name="ifplugd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run ifplugd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ifplugd_signal" lineno="31">
+<summary>
+Send a generic signal to ifplugd
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ifplugd_read_config" lineno="49">
+<summary>
+Read ifplugd etc configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ifplugd_manage_config" lineno="68">
+<summary>
+Manage ifplugd etc configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ifplugd_read_pid_files" lineno="88">
+<summary>
+Read ifplugd PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ifplugd_admin" lineno="114">
+<summary>
+All of the rules required to administrate
+an ifplugd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the ifplugd domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="imaze" filename="policy/modules/contrib/imaze.if">
+<summary>iMaze game server</summary>
+</module>
+<module name="inetd" filename="policy/modules/contrib/inetd.if">
+<summary>Internet services daemon.</summary>
+<interface name="inetd_core_service_domain" lineno="27">
+<summary>
+Define the specified domain as a inetd service.
+</summary>
+<desc>
+<p>
+Define the specified domain as a inetd service. The
+inetd_service_domain(), inetd_tcp_service_domain(),
+or inetd_udp_service_domain() interfaces should be used
+instead of this interface, as this interface only provides
+the common rules to these three interfaces.
+</p>
+</desc>
+<param name="domain">
+<summary>
+The type associated with the inetd service process.
+</summary>
+</param>
+<param name="entrypoint">
+<summary>
+The type associated with the process program.
+</summary>
+</param>
+</interface>
+<interface name="inetd_tcp_service_domain" lineno="57">
+<summary>
+Define the specified domain as a TCP inetd service.
+</summary>
+<param name="domain">
+<summary>
+The type associated with the inetd service process.
+</summary>
+</param>
+<param name="entrypoint">
+<summary>
+The type associated with the process program.
+</summary>
+</param>
+</interface>
+<interface name="inetd_udp_service_domain" lineno="83">
+<summary>
+Define the specified domain as a UDP inetd service.
+</summary>
+<param name="domain">
+<summary>
+The type associated with the inetd service process.
+</summary>
+</param>
+<param name="entrypoint">
+<summary>
+The type associated with the process program.
+</summary>
+</param>
+</interface>
+<interface name="inetd_service_domain" lineno="108">
+<summary>
+Define the specified domain as a TCP and UDP inetd service.
+</summary>
+<param name="domain">
+<summary>
+The type associated with the inetd service process.
+</summary>
+</param>
+<param name="entrypoint">
+<summary>
+The type associated with the process program.
+</summary>
+</param>
+</interface>
+<interface name="inetd_use_fds" lineno="134">
+<summary>
+Inherit and use file descriptors from inetd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="inetd_tcp_connect" lineno="152">
+<summary>
+Connect to the inetd service using a TCP connection. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="inetd_domtrans_child" lineno="166">
+<summary>
+Run inetd child process in the inet child domain
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="inetd_udp_send" lineno="185">
+<summary>
+Send UDP network traffic to inetd. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="inetd_rw_tcp_sockets" lineno="199">
+<summary>
+Read and write inetd TCP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="inn" filename="policy/modules/contrib/inn.if">
+<summary>Internet News NNTP server</summary>
+<interface name="inn_exec" lineno="14">
+<summary>
+Allow the specified domain to execute innd
+in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="inn_exec_config" lineno="33">
+<summary>
+Allow the specified domain to execute
+inn configuration files in /etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="inn_manage_log" lineno="51">
+<summary>
+Create, read, write, and delete the innd log.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="inn_manage_pid" lineno="70">
+<summary>
+Create, read, write, and delete the innd pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="inn_read_config" lineno="91">
+<summary>
+Read innd configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="inn_read_news_lib" lineno="111">
+<summary>
+Read innd news library files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="inn_read_news_spool" lineno="131">
+<summary>
+Read innd news library files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="inn_dgram_send" lineno="151">
+<summary>
+Send to a innd unix dgram socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="inn_domtrans" lineno="169">
+<summary>
+Execute inn in the inn domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="inn_admin" lineno="195">
+<summary>
+All of the rules required to administrate
+an inn environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the inn domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="irc" filename="policy/modules/contrib/irc.if">
+<summary>IRC client policy</summary>
+<interface name="irc_role" lineno="18">
+<summary>
+Role access for IRC
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+</module>
+<module name="ircd" filename="policy/modules/contrib/ircd.if">
+<summary>IRC server</summary>
+</module>
+<module name="irqbalance" filename="policy/modules/contrib/irqbalance.if">
+<summary>IRQ balancing daemon</summary>
+</module>
+<module name="iscsi" filename="policy/modules/contrib/iscsi.if">
+<summary>Establish connections to iSCSI devices</summary>
+<interface name="iscsid_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run iscsid.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="iscsi_manage_semaphores" lineno="31">
+<summary>
+Manage iscsid sempaphores.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="iscsi_stream_connect" lineno="49">
+<summary>
+Connect to ISCSI using a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="iscsi_read_lib_files" lineno="68">
+<summary>
+Read iscsi lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="jabber" filename="policy/modules/contrib/jabber.if">
+<summary>Jabber instant messaging server</summary>
+<interface name="jabber_tcp_connect" lineno="13">
+<summary>
+Connect to jabber over a TCP socket (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="jabber_admin" lineno="34">
+<summary>
+All of the rules required to administrate
+an jabber environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the jabber domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="java" filename="policy/modules/contrib/java.if">
+<summary>Java virtual machine</summary>
+<interface name="java_role" lineno="18">
+<summary>
+Role access for java
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<template name="java_role_template" lineno="63">
+<summary>
+The role template for the java module.
+</summary>
+<desc>
+<p>
+This template creates a derived domains which are used
+for java applications.
+</p>
+</desc>
+<param name="role_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</template>
+<template name="java_domtrans" lineno="108">
+<summary>
+Run java in javaplugin domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</template>
+<interface name="java_run" lineno="132">
+<summary>
+Execute java in the java domain, and
+allow the specified role the java domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="java_domtrans_unconfined" lineno="151">
+<summary>
+Execute the java program in the unconfined java domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="java_run_unconfined" lineno="175">
+<summary>
+Execute the java program in the unconfined java domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="java_exec" lineno="194">
+<summary>
+Execute the java program in the java domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="allow_java_execstack" dftval="false">
+<desc>
+<p>
+Allow java executable stack
+</p>
+</desc>
+</tunable>
+</module>
+<module name="kdump" filename="policy/modules/contrib/kdump.if">
+<summary>Kernel crash dumping mechanism</summary>
+<interface name="kdump_domtrans" lineno="13">
+<summary>
+Execute kdump in the kdump domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="kdump_initrc_domtrans" lineno="32">
+<summary>
+Execute kdump in the kdump domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="kdump_read_config" lineno="50">
+<summary>
+Read kdump configuration file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kdump_manage_config" lineno="69">
+<summary>
+Manage kdump configuration file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kdump_admin" lineno="95">
+<summary>
+All of the rules required to administrate
+an kdump environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the kdump domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="kdumpgui" filename="policy/modules/contrib/kdumpgui.if">
+<summary>system-config-kdump GUI</summary>
+</module>
+<module name="kerberos" filename="policy/modules/contrib/kerberos.if">
+<summary>MIT Kerberos admin and KDC</summary>
+<desc>
+<p>
+This policy supports:
+</p>
+<p>
+Servers:
+<ul>
+<li>kadmind</li>
+<li>krb5kdc</li>
+</ul>
+</p>
+<p>
+Clients:
+<ul>
+<li>kinit</li>
+<li>kdestroy</li>
+<li>klist</li>
+<li>ksu (incomplete)</li>
+</ul>
+</p>
+</desc>
+<interface name="kerberos_exec_kadmind" lineno="34">
+<summary>
+Execute kadmind in the current domain
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kerberos_domtrans_kpropd" lineno="52">
+<summary>
+Execute a domain transition to run kpropd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="kerberos_use" lineno="70">
+<summary>
+Use kerberos services
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kerberos_read_config" lineno="131">
+<summary>
+Read the kerberos configuration file (/etc/krb5.conf).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kerberos_dontaudit_write_config" lineno="152">
+<summary>
+Do not audit attempts to write the kerberos
+configuration file (/etc/krb5.conf).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kerberos_rw_config" lineno="171">
+<summary>
+Read and write the kerberos configuration file (/etc/krb5.conf).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kerberos_read_keytab" lineno="191">
+<summary>
+Read the kerberos key table.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kerberos_rw_keytab" lineno="210">
+<summary>
+Read/Write the kerberos key table.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<template name="kerberos_keytab_template" lineno="234">
+<summary>
+Create a derived type for kerberos keytab
+</summary>
+<param name="prefix">
+<summary>
+The prefix to be used for deriving type names.
+</summary>
+</param>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</template>
+<interface name="kerberos_read_kdc_config" lineno="255">
+<summary>
+Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kerberos_manage_host_rcache" lineno="275">
+<summary>
+Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kerberos_connect_524" lineno="307">
+<summary>
+Connect to krb524 service
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kerberos_admin" lineno="336">
+<summary>
+All of the rules required to administrate
+an kerberos environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the kerberos domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="allow_kerberos" dftval="false">
+<desc>
+<p>
+Allow confined applications to run with kerberos.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="kerneloops" filename="policy/modules/contrib/kerneloops.if">
+<summary>Service for reporting kernel oopses to kerneloops.org</summary>
+<interface name="kerneloops_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run kerneloops.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="kerneloops_dbus_chat" lineno="33">
+<summary>
+Send and receive messages from
+kerneloops over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kerneloops_dontaudit_dbus_chat" lineno="54">
+<summary>
+dontaudit attempts to Send and receive messages from
+kerneloops over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kerneloops_manage_tmp_files" lineno="74">
+<summary>
+Allow domain to manage kerneloops tmp files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kerneloops_admin" lineno="100">
+<summary>
+All of the rules required to administrate
+an kerneloops environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the kerneloops domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="kismet" filename="policy/modules/contrib/kismet.if">
+<summary>Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.</summary>
+<interface name="kismet_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run kismet.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="kismet_run" lineno="38">
+<summary>
+Execute kismet in the kismet domain, and
+allow the specified role the kismet domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kismet_read_pid_files" lineno="57">
+<summary>
+Read kismet PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kismet_manage_pid_files" lineno="76">
+<summary>
+Manage kismet var_run files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kismet_search_lib" lineno="95">
+<summary>
+Search kismet lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kismet_read_lib_files" lineno="114">
+<summary>
+Read kismet lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kismet_manage_lib_files" lineno="135">
+<summary>
+Create, read, write, and delete
+kismet lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kismet_manage_lib" lineno="154">
+<summary>
+Manage kismet var_lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kismet_read_log" lineno="175">
+<summary>
+Allow the specified domain to read kismet's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kismet_append_log" lineno="195">
+<summary>
+Allow the specified domain to append
+kismet log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kismet_manage_log" lineno="214">
+<summary>
+Allow domain to manage kismet log files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kismet_admin" lineno="236">
+<summary>
+All of the rules required to administrate an kismet environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="ksmtuned" filename="policy/modules/contrib/ksmtuned.if">
+<summary>Kernel Samepage Merging (KSM) Tuning Daemon</summary>
+<interface name="ksmtuned_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run ksmtuned.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ksmtuned_initrc_domtrans" lineno="31">
+<summary>
+Execute ksmtuned server in the ksmtuned domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ksmtuned_admin" lineno="56">
+<summary>
+All of the rules required to administrate
+an ksmtuned environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="ktalk" filename="policy/modules/contrib/ktalk.if">
+<summary>KDE Talk daemon</summary>
+</module>
+<module name="kudzu" filename="policy/modules/contrib/kudzu.if">
+<summary>Hardware detection and configuration tools</summary>
+<interface name="kudzu_domtrans" lineno="13">
+<summary>
+Execute kudzu in the kudzu domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="kudzu_run" lineno="38">
+<summary>
+Execute kudzu in the kudzu domain, and
+allow the specified role the kudzu domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kudzu_getattr_exec_files" lineno="58">
+<summary>
+Get attributes of kudzu executable.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="ldap" filename="policy/modules/contrib/ldap.if">
+<summary>OpenLDAP directory server</summary>
+<interface name="ldap_list_db" lineno="14">
+<summary>
+Read the contents of the OpenLDAP
+database directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ldap_read_config" lineno="33">
+<summary>
+Read the OpenLDAP configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="ldap_use" lineno="52">
+<summary>
+Use LDAP over TCP connection. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ldap_stream_connect" lineno="66">
+<summary>
+Connect to slapd over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ldap_admin" lineno="93">
+<summary>
+All of the rules required to administrate
+an ldap environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the ldap domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="likewise" filename="policy/modules/contrib/likewise.if">
+<summary>Likewise Active Directory support for UNIX.</summary>
+<desc>
+<p>
+Likewise Open is a free, open source application that joins Linux, Unix,
+and Mac machines to Microsoft Active Directory to securely authenticate
+users with their domain credentials.
+</p>
+</desc>
+<template name="likewise_domain_template" lineno="26">
+<summary>
+The template to define a likewise domain.
+</summary>
+<desc>
+<p>
+This template creates a domain to be used for
+a new likewise daemon.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The type of daemon to be used.
+</summary>
+</param>
+</template>
+<interface name="likewise_stream_connect_lsassd" lineno="98">
+<summary>
+Connect to lsassd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="lircd" filename="policy/modules/contrib/lircd.if">
+<summary>Linux infared remote control daemon</summary>
+<interface name="lircd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run lircd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="lircd_stream_connect" lineno="33">
+<summary>
+Connect to lircd over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="lircd_read_config" lineno="52">
+<summary>
+Read lircd etc file
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="lircd_admin" lineno="77">
+<summary>
+All of the rules required to administrate
+a lircd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the syslog domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="livecd" filename="policy/modules/contrib/livecd.if">
+<summary>Livecd tool for building alternate livecd for different os and policy versions.</summary>
+<interface name="livecd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run livecd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="livecd_run" lineno="37">
+<summary>
+Execute livecd in the livecd domain, and
+allow the specified role the livecd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="livecd_read_tmp_files" lineno="56">
+<summary>
+Read livecd temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="livecd_rw_tmp_files" lineno="75">
+<summary>
+Read and write livecd temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="livecd_rw_semaphores" lineno="94">
+<summary>
+Allow read and write access to livecd semaphores.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="loadkeys" filename="policy/modules/contrib/loadkeys.if">
+<summary>Load keyboard mappings.</summary>
+<interface name="loadkeys_domtrans" lineno="13">
+<summary>
+Execute the loadkeys program in the loadkeys domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="loadkeys_run" lineno="42">
+<summary>
+Execute the loadkeys program in the loadkeys domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the loadkeys domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="loadkeys_exec" lineno="61">
+<summary>
+Execute the loadkeys program in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="lockdev" filename="policy/modules/contrib/lockdev.if">
+<summary>device locking policy for lockdev</summary>
+<interface name="lockdev_role" lineno="18">
+<summary>
+Role access for lockdev
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+</module>
+<module name="logrotate" filename="policy/modules/contrib/logrotate.if">
+<summary>Rotate and archive system logs</summary>
+<interface name="logrotate_domtrans" lineno="13">
+<summary>
+Execute logrotate in the logrotate domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="logrotate_run" lineno="39">
+<summary>
+Execute logrotate in the logrotate domain, and
+allow the specified role the logrotate domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logrotate_exec" lineno="58">
+<summary>
+Execute logrotate in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logrotate_use_fds" lineno="77">
+<summary>
+Inherit and use logrotate file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logrotate_dontaudit_use_fds" lineno="95">
+<summary>
+Do not audit attempts to inherit logrotate file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="logrotate_read_tmp_files" lineno="113">
+<summary>
+Read a logrotate temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="logwatch" filename="policy/modules/contrib/logwatch.if">
+<summary>System log analyzer and reporter</summary>
+<interface name="logwatch_read_tmp_files" lineno="13">
+<summary>
+Read logwatch temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logwatch_search_cache_dir" lineno="32">
+<summary>
+Search logwatch cache directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="lpd" filename="policy/modules/contrib/lpd.if">
+<summary>Line printer daemon</summary>
+<interface name="lpd_role" lineno="18">
+<summary>
+Role access for lpd
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="lpd_domtrans_checkpc" lineno="47">
+<summary>
+Execute lpd in the lpd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="lpd_run_checkpc" lineno="72">
+<summary>
+Execute amrecover in the lpd domain, and
+allow the specified role the lpd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="lpd_list_spool" lineno="91">
+<summary>
+List the contents of the printer spool directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="lpd_read_spool" lineno="110">
+<summary>
+Read the printer spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="lpd_manage_spool" lineno="129">
+<summary>
+Create, read, write, and delete printer spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="lpd_relabel_spool" lineno="150">
+<summary>
+Relabel from and to the spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="lpd_read_config" lineno="170">
+<summary>
+List the contents of the printer spool directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<template name="lpd_domtrans_lpr" lineno="189">
+<summary>
+Transition to a user lpr domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</template>
+<interface name="lpd_exec_lpr" lineno="208">
+<summary>
+Allow the specified domain to execute lpr
+in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="use_lpd_server" dftval="false">
+<desc>
+<p>
+Use lpd server instead of cups
+</p>
+</desc>
+</tunable>
+</module>
+<module name="mailman" filename="policy/modules/contrib/mailman.if">
+<summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
+<template name="mailman_domain_template" lineno="19">
+<summary>
+The template to define a mailmain domain.
+</summary>
+<desc>
+<p>
+This template creates a domain to be used for
+a new mailman daemon.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The type of daemon to be used eg, cgi would give mailman_cgi_
+</summary>
+</param>
+</template>
+<interface name="mailman_domtrans" lineno="103">
+<summary>
+Execute mailman in the mailman domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="mailman_domtrans_cgi" lineno="122">
+<summary>
+Execute mailman CGI scripts in the
+mailman CGI domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="mailman_exec" lineno="140">
+<summary>
+Execute mailman in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowd access.
+</summary>
+</param>
+</interface>
+<interface name="mailman_signal_cgi" lineno="158">
+<summary>
+Send generic signals to the mailman cgi domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mailman_search_data" lineno="176">
+<summary>
+Allow domain to search data directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mailman_read_data_files" lineno="194">
+<summary>
+Allow domain to to read mailman data files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mailman_manage_data_files" lineno="215">
+<summary>
+Allow domain to to create mailman data files
+and write the directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mailman_list_data" lineno="234">
+<summary>
+List the contents of mailman data directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mailman_read_data_symlinks" lineno="252">
+<summary>
+Allow read acces to mailman data symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mailman_read_log" lineno="270">
+<summary>
+Read mailman logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mailman_append_log" lineno="288">
+<summary>
+Append to mailman logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mailman_manage_log" lineno="307">
+<summary>
+Create, read, write, and delete
+mailman logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mailman_read_archive" lineno="326">
+<summary>
+Allow domain to read mailman archive files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mailman_domtrans_queue" lineno="346">
+<summary>
+Execute mailman_queue in the mailman_queue domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="mcelog" filename="policy/modules/contrib/mcelog.if">
+<summary>policy for mcelog</summary>
+<interface name="mcelog_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run mcelog.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="mediawiki" filename="policy/modules/contrib/mediawiki.if">
+<summary>Mediawiki policy</summary>
+</module>
+<module name="memcached" filename="policy/modules/contrib/memcached.if">
+<summary>high-performance memory object caching system</summary>
+<interface name="memcached_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run memcached.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="memcached_read_pid_files" lineno="32">
+<summary>
+Read memcached PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="memcached_admin" lineno="58">
+<summary>
+All of the rules required to administrate
+an memcached environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the memcached domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="milter" filename="policy/modules/contrib/milter.if">
+<summary>Milter mail filters</summary>
+<template name="milter_template" lineno="14">
+<summary>
+Create a set of derived types for various
+mail filter applications using the milter interface.
+</summary>
+<param name="milter_name">
+<summary>
+The name to be used for deriving type names.
+</summary>
+</param>
+</template>
+<interface name="milter_stream_connect_all" lineno="59">
+<summary>
+MTA communication with milter sockets
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="milter_getattr_all_sockets" lineno="78">
+<summary>
+Allow getattr of milter sockets
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="milter_manage_spamass_state" lineno="97">
+<summary>
+Manage spamassassin milter state
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="modemmanager" filename="policy/modules/contrib/modemmanager.if">
+<summary>Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.</summary>
+<interface name="modemmanager_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run modemmanager.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="modemmanager_dbus_chat" lineno="32">
+<summary>
+Send and receive messages from
+modemmanager over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="mojomojo" filename="policy/modules/contrib/mojomojo.if">
+<summary>MojoMojo Wiki</summary>
+<interface name="mojomojo_admin" lineno="20">
+<summary>
+All of the rules required to administrate
+an mojomojo environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="mono" filename="policy/modules/contrib/mono.if">
+<summary>Run .NET server and client applications on Linux.</summary>
+<template name="mono_role_template" lineno="30">
+<summary>
+The role template for the mono module.
+</summary>
+<desc>
+<p>
+This template creates a derived domains which are used
+for mono applications.
+</p>
+</desc>
+<param name="role_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</template>
+<interface name="mono_domtrans" lineno="69">
+<summary>
+Execute the mono program in the mono domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="mono_run" lineno="94">
+<summary>
+Execute mono in the mono domain, and
+allow the specified role the mono domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mono_exec" lineno="113">
+<summary>
+Execute the mono program in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mono_rw_shm" lineno="132">
+<summary>
+Read and write to mono shared memory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="monop" filename="policy/modules/contrib/monop.if">
+<summary>Monopoly daemon</summary>
+</module>
+<module name="mozilla" filename="policy/modules/contrib/mozilla.if">
+<summary>Policy for Mozilla and related web browsers</summary>
+<interface name="mozilla_role" lineno="18">
+<summary>
+Role access for mozilla
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="mozilla_read_user_home_files" lineno="62">
+<summary>
+Read mozilla home directory content
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mozilla_write_user_home_files" lineno="83">
+<summary>
+Write mozilla home directory content
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mozilla_dontaudit_rw_user_home_files" lineno="102">
+<summary>
+Dontaudit attempts to read/write mozilla home directory content
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="mozilla_dontaudit_manage_user_home_files" lineno="120">
+<summary>
+Dontaudit attempts to write mozilla home directory content
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="mozilla_exec_user_home_files" lineno="139">
+<summary>
+Execute mozilla home directory content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mozilla_execmod_user_home_files" lineno="157">
+<summary>
+Execmod mozilla home directory content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mozilla_domtrans" lineno="175">
+<summary>
+Run mozilla in the mozilla domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="mozilla_domtrans_plugin" lineno="193">
+<summary>
+Execute a domain transition to run mozilla_plugin.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mozilla_run_plugin" lineno="219">
+<summary>
+Execute mozilla_plugin in the mozilla_plugin domain, and
+allow the specified role the mozilla_plugin domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed the mozilla_plugin domain.
+</summary>
+</param>
+</interface>
+<interface name="mozilla_dbus_chat" lineno="239">
+<summary>
+Send and receive messages from
+mozilla over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mozilla_rw_tcp_sockets" lineno="259">
+<summary>
+read/write mozilla per user tcp_socket
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mozilla_plugin_read_tmpfs_files" lineno="277">
+<summary>
+Read mozilla_plugin tmpfs files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access
+</summary>
+</param>
+</interface>
+<interface name="mozilla_plugin_delete_tmpfs_files" lineno="295">
+<summary>
+Delete mozilla_plugin tmpfs files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access
+</summary>
+</param>
+</interface>
+<tunable name="mozilla_read_content" dftval="false">
+<desc>
+<p>
+Allow confined web browsers to read home directory content
+</p>
+</desc>
+</tunable>
+</module>
+<module name="mpd" filename="policy/modules/contrib/mpd.if">
+<summary>Music Player Daemon</summary>
+<interface name="mpd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run mpd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="mpd_initrc_domtrans" lineno="31">
+<summary>
+Execute mpd server in the mpd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="mpd_read_data_files" lineno="49">
+<summary>
+Read mpd data files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mpd_manage_data_files" lineno="68">
+<summary>
+Manage mpd data files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mpd_read_tmpfs_files" lineno="87">
+<summary>
+Read mpd tmpfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mpd_manage_tmpfs_files" lineno="106">
+<summary>
+Manage mpd tmpfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mpd_search_lib" lineno="126">
+<summary>
+Search mpd lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mpd_read_lib_files" lineno="145">
+<summary>
+Read mpd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mpd_manage_lib_files" lineno="165">
+<summary>
+Create, read, write, and delete
+mpd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mpd_var_lib_filetrans" lineno="195">
+<summary>
+Create an object in the root directory, with a private
+type using a type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private type">
+<summary>
+The type of the object to be created.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="mpd_manage_lib_dirs" lineno="214">
+<summary>
+Manage mpd lib dirs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mpd_admin" lineno="240">
+<summary>
+All of the rules required to administrate
+an mpd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="mplayer" filename="policy/modules/contrib/mplayer.if">
+<summary>Mplayer media player and encoder</summary>
+<interface name="mplayer_role" lineno="18">
+<summary>
+Role access for mplayer
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="mplayer_domtrans" lineno="60">
+<summary>
+Run mplayer in mplayer domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="mplayer_exec" lineno="79">
+<summary>
+Execute mplayer in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mplayer_read_user_home_files" lineno="97">
+<summary>
+Read mplayer per user homedir
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="allow_mplayer_execstack" dftval="false">
+<desc>
+<p>
+Allow mplayer executable stack
+</p>
+</desc>
+</tunable>
+</module>
+<module name="mrtg" filename="policy/modules/contrib/mrtg.if">
+<summary>Network traffic graphing</summary>
+<interface name="mrtg_append_create_logs" lineno="13">
+<summary>
+Create and append mrtg logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="mta" filename="policy/modules/contrib/mta.if">
+<summary>Policy common to all email tranfer agents.</summary>
+<interface name="mta_stub" lineno="13">
+<summary>
+MTA stub interface. No access allowed.
+</summary>
+<param name="domain" unused="true">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<template name="mta_base_mail_template" lineno="41">
+<summary>
+Basic mail transfer agent domain template.
+</summary>
+<desc>
+<p>
+This template creates a derived domain which is
+a email transfer agent, which sends mail on
+behalf of the user.
+</p>
+<p>
+This is the basic types and rules, common
+to the system agent and user agents.
+</p>
+</desc>
+<param name="domain_prefix">
+<summary>
+The prefix of the domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+</template>
+<interface name="mta_role" lineno="162">
+<summary>
+Role access for mta
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="mta_mailserver" lineno="194">
+<summary>
+Make the specified domain usable for a mail server.
+</summary>
+<param name="type">
+<summary>
+Type to be used as a mail server domain.
+</summary>
+</param>
+<param name="entry_point">
+<summary>
+Type of the program to be used as an entry point to this domain.
+</summary>
+</param>
+</interface>
+<interface name="mta_agent_executable" lineno="213">
+<summary>
+Make the specified type a MTA executable file.
+</summary>
+<param name="type">
+<summary>
+Type to be used as a mail client.
+</summary>
+</param>
+</interface>
+<interface name="mta_system_content" lineno="233">
+<summary>
+Make the specified type by a system MTA.
+</summary>
+<param name="type">
+<summary>
+Type to be used as a mail client.
+</summary>
+</param>
+</interface>
+<interface name="mta_sendmail_mailserver" lineno="266">
+<summary>
+Modified mailserver interface for
+sendmail daemon use.
+</summary>
+<desc>
+<p>
+A modified MTA mail server interface for
+the sendmail program. It's design does
+not fit well with policy, and using the
+regular interface causes a type_transition
+conflict if direct running of init scripts
+is enabled.
+</p>
+<p>
+This interface should most likely only be used
+by the sendmail policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+The type to be used for the mail server.
+</summary>
+</param>
+</interface>
+<interface name="mta_mailserver_sender" lineno="287">
+<summary>
+Make a type a mailserver type used
+for sending mail.
+</summary>
+<param name="domain">
+<summary>
+Mail server domain type used for sending mail.
+</summary>
+</param>
+</interface>
+<interface name="mta_mailserver_delivery" lineno="306">
+<summary>
+Make a type a mailserver type used
+for delivering mail to local users.
+</summary>
+<param name="domain">
+<summary>
+Mail server domain type used for delivering mail.
+</summary>
+</param>
+</interface>
+<interface name="mta_mailserver_user_agent" lineno="327">
+<summary>
+Make a type a mailserver type used
+for sending mail on behalf of local
+users to the local mail spool.
+</summary>
+<param name="domain">
+<summary>
+Mail server domain type used for sending local mail.
+</summary>
+</param>
+</interface>
+<interface name="mta_send_mail" lineno="351">
+<summary>
+Send mail from the system.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="mta_sendmail_domtrans" lineno="392">
+<summary>
+Execute send mail in a specified domain.
+</summary>
+<desc>
+<p>
+Execute send mail in a specified domain.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+</desc>
+<param name="source_domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+Domain to transition to.
+</summary>
+</param>
+</interface>
+<interface name="mta_signal_system_mail" lineno="413">
+<summary>
+Send system mail client a signal
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_sendmail_exec" lineno="431">
+<summary>
+Execute sendmail in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_read_config" lineno="450">
+<summary>
+Read mail server configuration.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mta_write_config" lineno="472">
+<summary>
+write mail server configuration.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mta_read_aliases" lineno="490">
+<summary>
+Read mail address aliases.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_manage_aliases" lineno="509">
+<summary>
+Create, read, write, and delete mail address aliases.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_etc_filetrans_aliases" lineno="530">
+<summary>
+Type transition files created in /etc
+to the mail address aliases type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_rw_aliases" lineno="549">
+<summary>
+Read and write mail aliases.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mta_dontaudit_rw_delivery_tcp_sockets" lineno="569">
+<summary>
+Do not audit attempts to read and write TCP
+sockets of mail delivery domains.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="mta_tcp_connect_all_mailservers" lineno="587">
+<summary>
+Connect to all mail servers over TCP. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_dontaudit_read_spool_symlinks" lineno="602">
+<summary>
+Do not audit attempts to read a symlink
+in the mail spool.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="mta_getattr_spool" lineno="620">
+<summary>
+Get the attributes of mail spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_dontaudit_getattr_spool_files" lineno="642">
+<summary>
+Do not audit attempts to get the attributes
+of mail spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="mta_spool_filetrans" lineno="674">
+<summary>
+Create private objects in the
+mail spool directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private type">
+<summary>
+The type of the object to be created.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="mta_rw_spool" lineno="693">
+<summary>
+Read and write the mail spool.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_append_spool" lineno="715">
+<summary>
+Create, read, and write the mail spool.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_delete_spool" lineno="737">
+<summary>
+Delete from the mail spool.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_manage_spool" lineno="756">
+<summary>
+Create, read, write, and delete mail spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_search_queue" lineno="777">
+<summary>
+Search mail queue dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_list_queue" lineno="796">
+<summary>
+List the mail queue.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_read_queue" lineno="815">
+<summary>
+Read the mail queue.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_dontaudit_rw_queue" lineno="835">
+<summary>
+Do not audit attempts to read and
+write the mail queue.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="mta_manage_queue" lineno="855">
+<summary>
+Create, read, write, and delete
+mail queue files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_read_sendmail_bin" lineno="876">
+<summary>
+Read sendmail binary.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_rw_user_mail_stream_sockets" lineno="895">
+<summary>
+Read and write unix domain stream sockets
+of user mail domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="munin" filename="policy/modules/contrib/munin.if">
+<summary>Munin network-wide load graphing (formerly LRRD)</summary>
+<template name="munin_plugin_template" lineno="14">
+<summary>
+Create a set of derived types for various
+munin plugins,
+</summary>
+<param name="prefix">
+<summary>
+The name to be used for deriving type names.
+</summary>
+</param>
+</template>
+<interface name="munin_stream_connect" lineno="63">
+<summary>
+Connect to munin over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="munin_read_config" lineno="84">
+<summary>
+Read munin configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="munin_append_log" lineno="106">
+<summary>
+Append to the munin log.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="munin_search_lib" lineno="126">
+<summary>
+Search munin library directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="munin_dontaudit_search_lib" lineno="146">
+<summary>
+Do not audit attempts to search
+munin library directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="munin_admin" lineno="171">
+<summary>
+All of the rules required to administrate
+an munin environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the munin domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="mysql" filename="policy/modules/contrib/mysql.if">
+<summary>Policy for MySQL</summary>
+<interface name="mysql_domtrans" lineno="13">
+<summary>
+Execute MySQL in the mysql domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="mysql_signal" lineno="31">
+<summary>
+Send a generic signal to MySQL.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mysql_tcp_connect" lineno="49">
+<summary>
+Allow the specified domain to connect to postgresql with a tcp socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mysql_stream_connect" lineno="71">
+<summary>
+Connect to MySQL using a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mysql_read_config" lineno="91">
+<summary>
+Read MySQL configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mysql_search_db" lineno="114">
+<summary>
+Search the directories that contain MySQL
+database storage.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mysql_rw_db_dirs" lineno="133">
+<summary>
+Read and write to the MySQL database directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mysql_manage_db_dirs" lineno="152">
+<summary>
+Create, read, write, and delete MySQL database directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mysql_append_db_files" lineno="171">
+<summary>
+Append to the MySQL database directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mysql_rw_db_files" lineno="190">
+<summary>
+Read and write to the MySQL database directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mysql_manage_db_files" lineno="209">
+<summary>
+Create, read, write, and delete MySQL database files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mysql_rw_db_sockets" lineno="229">
+<summary>
+Read and write to the MySQL database
+named socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mysql_write_log" lineno="249">
+<summary>
+Write to the MySQL log.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mysql_domtrans_mysql_safe" lineno="268">
+<summary>
+Execute MySQL server in the mysql domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="mysql_read_pid_files" lineno="286">
+<summary>
+Read MySQL PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mysql_search_pid_files" lineno="306">
+<summary>
+Search MySQL PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+
+</interface>
+<interface name="mysql_admin" lineno="330">
+<summary>
+All of the rules required to administrate an mysql environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the mysql domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="mysql_connect_any" dftval="false">
+<desc>
+<p>
+Allow mysqld to connect to all ports
+</p>
+</desc>
+</tunable>
+</module>
+<module name="nagios" filename="policy/modules/contrib/nagios.if">
+<summary>Net Saint / NAGIOS - network monitoring server</summary>
+<template name="nagios_plugin_template" lineno="14">
+<summary>
+Create a set of derived types for various
+nagios plugins,
+</summary>
+<param name="plugins_group_name">
+<summary>
+The name to be used for deriving type names.
+</summary>
+</param>
+</template>
+<interface name="nagios_dontaudit_rw_pipes" lineno="54">
+<summary>
+Do not audit attempts to read or write nagios
+unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="nagios_read_config" lineno="74">
+<summary>
+Allow the specified domain to read
+nagios configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="nagios_read_log" lineno="94">
+<summary>
+Read nagios logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nagios_dontaudit_rw_log" lineno="113">
+<summary>
+Do not audit attempts to read or write nagios logs.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="nagios_search_spool" lineno="131">
+<summary>
+Search nagios spool directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nagios_read_tmp_files" lineno="151">
+<summary>
+Allow the specified domain to read
+nagios temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nagios_domtrans_nrpe" lineno="171">
+<summary>
+Execute the nagios NRPE with
+a domain transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="nagios_admin" lineno="196">
+<summary>
+All of the rules required to administrate
+an nagios environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the nagios domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="ncftool" filename="policy/modules/contrib/ncftool.if">
+<summary>Netcf network configuration tool (ncftool).</summary>
+<interface name="ncftool_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run ncftool.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ncftool_run" lineno="37">
+<summary>
+Execute ncftool in the ncftool domain, and
+allow the specified role the ncftool domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed the ncftool domain.
+</summary>
+</param>
+</interface>
+</module>
+<module name="nessus" filename="policy/modules/contrib/nessus.if">
+<summary>Nessus network scanning daemon</summary>
+<interface name="nessus_tcp_connect" lineno="13">
+<summary>
+Connect to nessus over a TCP socket (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="networkmanager" filename="policy/modules/contrib/networkmanager.if">
+<summary>Manager for dynamically switching between networks.</summary>
+<interface name="networkmanager_rw_udp_sockets" lineno="14">
+<summary>
+Read and write NetworkManager UDP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="networkmanager_rw_packet_sockets" lineno="33">
+<summary>
+Read and write NetworkManager packet sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="networkmanager_attach_tun_iface" lineno="51">
+<summary>
+Allow caller to relabel tun_socket
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="networkmanager_rw_routing_sockets" lineno="72">
+<summary>
+Read and write NetworkManager netlink
+routing sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="networkmanager_domtrans" lineno="90">
+<summary>
+Execute NetworkManager with a domain transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="networkmanager_initrc_domtrans" lineno="109">
+<summary>
+Execute NetworkManager scripts with an automatic domain transition to initrc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="networkmanager_dbus_chat" lineno="128">
+<summary>
+Send and receive messages from
+NetworkManager over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="networkmanager_signal" lineno="148">
+<summary>
+Send a generic signal to NetworkManager
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="networkmanager_read_lib_files" lineno="166">
+<summary>
+Read NetworkManager lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="networkmanager_read_pid_files" lineno="186">
+<summary>
+Read NetworkManager PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="nis" filename="policy/modules/contrib/nis.if">
+<summary>Policy for NIS (YP) servers and clients</summary>
+<interface name="nis_use_ypbind_uncond" lineno="26">
+<summary>
+Use the ypbind service to access NIS services
+unconditionally.
+</summary>
+<desc>
+<p>
+Use the ypbind service to access NIS services
+unconditionally.
+</p>
+<p>
+This interface was added because of apache and
+spamassassin, to fix a nested conditionals problem.
+When that support is added, this should be removed,
+and the regular interface should be used.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nis_use_ypbind" lineno="90">
+<summary>
+Use the ypbind service to access NIS services.
+</summary>
+<desc>
+<p>
+Allow the specified domain to use the ypbind service
+to access Network Information Service (NIS) services.
+Information that can be retreived from NIS includes
+usernames, passwords, home directories, and groups.
+If the network is configured to have a single sign-on
+using NIS, it is likely that any program that does
+authentication will need this access.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+<rolecap/>
+</interface>
+<interface name="nis_authenticate" lineno="107">
+<summary>
+Use the nis to authenticate passwords
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="nis_domtrans_ypbind" lineno="125">
+<summary>
+Execute ypbind in the ypbind domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="nis_run_ypbind" lineno="151">
+<summary>
+Execute ypbind in the ypbind domain, and
+allow the specified role the ypbind domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="nis_signal_ypbind" lineno="170">
+<summary>
+Send generic signals to ypbind.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nis_list_var_yp" lineno="188">
+<summary>
+List the contents of the NIS data directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nis_udp_send_ypbind" lineno="207">
+<summary>
+Send UDP network traffic to NIS clients. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nis_tcp_connect_ypbind" lineno="221">
+<summary>
+Connect to ypbind over TCP. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nis_read_ypbind_pid" lineno="235">
+<summary>
+Read ypbind pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nis_delete_ypbind_pid" lineno="254">
+<summary>
+Delete ypbind pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nis_read_ypserv_config" lineno="273">
+<summary>
+Read ypserv configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nis_domtrans_ypxfr" lineno="292">
+<summary>
+Execute ypxfr in the ypxfr domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="nis_initrc_domtrans" lineno="312">
+<summary>
+Execute nis server in the nis domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="nis_initrc_domtrans_ypbind" lineno="330">
+<summary>
+Execute nis server in the nis domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="nis_admin" lineno="355">
+<summary>
+All of the rules required to administrate
+an nis environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="nscd" filename="policy/modules/contrib/nscd.if">
+<summary>Name service cache daemon</summary>
+<interface name="nscd_signal" lineno="13">
+<summary>
+Send generic signals to NSCD.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nscd_kill" lineno="31">
+<summary>
+Send NSCD the kill signal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nscd_signull" lineno="49">
+<summary>
+Send signulls to NSCD.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nscd_domtrans" lineno="67">
+<summary>
+Execute NSCD in the nscd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="nscd_exec" lineno="87">
+<summary>
+Allow the specified domain to execute nscd
+in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nscd_socket_use" lineno="106">
+<summary>
+Use NSCD services by connecting using
+a unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nscd_shm_use" lineno="133">
+<summary>
+Use NSCD services by mapping the database from
+an inherited NSCD file descriptor.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nscd_dontaudit_search_pid" lineno="166">
+<summary>
+Do not audit attempts to search the NSCD pid directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="nscd_read_pid" lineno="184">
+<summary>
+Read NSCD pid file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nscd_unconfined" lineno="203">
+<summary>
+Unconfined access to NSCD services.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nscd_run" lineno="228">
+<summary>
+Execute nscd in the nscd domain, and
+allow the specified role the nscd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nscd_initrc_domtrans" lineno="247">
+<summary>
+Execute the nscd server init script.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="nscd_admin" lineno="272">
+<summary>
+All of the rules required to administrate
+an nscd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the nscd domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="nsd" filename="policy/modules/contrib/nsd.if">
+<summary>Authoritative only name server</summary>
+<interface name="nsd_udp_chat" lineno="13">
+<summary>
+Send and receive datagrams from NSD. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nsd_tcp_connect" lineno="27">
+<summary>
+Connect to NSD over a TCP socket (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="nslcd" filename="policy/modules/contrib/nslcd.if">
+<summary>nslcd - local LDAP name service daemon.</summary>
+<interface name="nslcd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run nslcd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="nslcd_initrc_domtrans" lineno="31">
+<summary>
+Execute nslcd server in the nslcd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="nslcd_read_pid_files" lineno="49">
+<summary>
+Read nslcd PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nslcd_stream_connect" lineno="68">
+<summary>
+Connect to nslcd over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nslcd_admin" lineno="94">
+<summary>
+All of the rules required to administrate
+an nslcd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="ntop" filename="policy/modules/contrib/ntop.if">
+<summary>Network Top</summary>
+</module>
+<module name="ntp" filename="policy/modules/contrib/ntp.if">
+<summary>Network time protocol daemon</summary>
+<interface name="ntp_stub" lineno="13">
+<summary>
+NTP stub interface. No access allowed.
+</summary>
+<param name="domain" unused="true">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ntp_domtrans" lineno="29">
+<summary>
+Execute ntp server in the ntpd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ntp_run" lineno="55">
+<summary>
+Execute ntp in the ntp domain, and
+allow the specified role the ntp domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="ntp_domtrans_ntpdate" lineno="74">
+<summary>
+Execute ntp server in the ntpd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ntp_initrc_domtrans" lineno="93">
+<summary>
+Execute ntp server in the ntpd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ntp_rw_shm" lineno="111">
+<summary>
+Read and write ntpd shared memory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ntp_admin" lineno="140">
+<summary>
+All of the rules required to administrate
+an ntp environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the ntp domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="nut" filename="policy/modules/contrib/nut.if">
+<summary>nut - Network UPS Tools </summary>
+</module>
+<module name="nx" filename="policy/modules/contrib/nx.if">
+<summary>NX remote desktop</summary>
+<interface name="nx_spec_domtrans_server" lineno="13">
+<summary>
+Transition to NX server.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="nx_read_home_files" lineno="31">
+<summary>
+Read nx home directory content
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nx_search_var_lib" lineno="50">
+<summary>
+Read nx /var/lib content
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="nx_var_lib_filetrans" lineno="79">
+<summary>
+Create an object in the root directory, with a private
+type using a type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private type">
+<summary>
+The type of the object to be created.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+</interface>
+</module>
+<module name="oav" filename="policy/modules/contrib/oav.if">
+<summary>Open AntiVirus scannerdaemon and signature update</summary>
+<interface name="oav_domtrans_update" lineno="13">
+<summary>
+Execute oav_update in the oav_update domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="oav_run_update" lineno="39">
+<summary>
+Execute oav_update in the oav_update domain, and
+allow the specified role the oav_update domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="oddjob" filename="policy/modules/contrib/oddjob.if">
+<summary>
+Oddjob provides a mechanism by which unprivileged applications can
+request that specified privileged operations be performed on their
+behalf.
+</summary>
+<interface name="oddjob_domtrans" lineno="17">
+<summary>
+Execute a domain transition to run oddjob.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="oddjob_system_entry" lineno="41">
+<summary>
+Make the specified program domain accessable
+from the oddjob.
+</summary>
+<param name="domain">
+<summary>
+The type of the process to transition to.
+</summary>
+</param>
+<param name="entrypoint">
+<summary>
+The type of the file used as an entrypoint to this domain.
+</summary>
+</param>
+</interface>
+<interface name="oddjob_dbus_chat" lineno="60">
+<summary>
+Send and receive messages from
+oddjob over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="oddjob_domtrans_mkhomedir" lineno="80">
+<summary>
+Execute a domain transition to run oddjob_mkhomedir.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="oddjob_run_mkhomedir" lineno="104">
+<summary>
+Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="oident" filename="policy/modules/contrib/oident.if">
+<summary>SELinux policy for Oident daemon.</summary>
+<desc>
+<p>
+Oident daemon is a server that implements the TCP/IP
+standard IDENT user identification protocol as
+specified in the RFC 1413 document.
+</p>
+</desc>
+<interface name="oident_read_user_content" lineno="21">
+<summary>
+Allow the specified domain to read
+Oidentd personal configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="oident_manage_user_content" lineno="41">
+<summary>
+Allow the specified domain to create, read, write, and delete
+Oidentd personal configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="oident_relabel_user_content" lineno="61">
+<summary>
+Allow the specified domain to relabel
+Oidentd personal configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="openca" filename="policy/modules/contrib/openca.if">
+<summary>OpenCA - Open Certificate Authority</summary>
+<interface name="openca_domtrans" lineno="14">
+<summary>
+Execute the OpenCA program with
+a domain transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="openca_signal" lineno="34">
+<summary>
+Send OpenCA generic signals.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="openca_sigstop" lineno="52">
+<summary>
+Send OpenCA stop signals.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="openca_kill" lineno="70">
+<summary>
+Kill OpenCA.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="openct" filename="policy/modules/contrib/openct.if">
+<summary>Service for handling smart card readers.</summary>
+<interface name="openct_signull" lineno="13">
+<summary>
+Send openct a null signal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="openct_exec" lineno="31">
+<summary>
+Execute openct in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="openct_domtrans" lineno="50">
+<summary>
+Execute a domain transition to run openct.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="openct_read_pid_files" lineno="69">
+<summary>
+Read openct PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="openct_stream_connect" lineno="88">
+<summary>
+Connect to openct over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="openvpn" filename="policy/modules/contrib/openvpn.if">
+<summary>full-featured SSL VPN solution</summary>
+<interface name="openvpn_domtrans" lineno="13">
+<summary>
+Execute OPENVPN clients in the openvpn domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="openvpn_run" lineno="38">
+<summary>
+Execute OPENVPN clients in the openvpn domain, and
+allow the specified role the openvpn domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="openvpn_kill" lineno="57">
+<summary>
+Send OPENVPN clients the kill signal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="openvpn_signal" lineno="75">
+<summary>
+Send generic signals to OPENVPN clients.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="openvpn_signull" lineno="93">
+<summary>
+Send signulls to OPENVPN clients.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="openvpn_read_config" lineno="113">
+<summary>
+Allow the specified domain to read
+OpenVPN configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="openvpn_admin" lineno="141">
+<summary>
+All of the rules required to administrate
+an openvpn environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the openvpn domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="openvpn_enable_homedirs" dftval="false">
+<desc>
+<p>
+Allow openvpn to read home directories
+</p>
+</desc>
+</tunable>
+</module>
+<module name="pads" filename="policy/modules/contrib/pads.if">
+<summary>Passive Asset Detection System</summary>
+<desc>
+<p>
+PADS is a libpcap based detection engine used to
+passively detect network assets. It is designed to
+complement IDS technology by providing context to IDS
+alerts.
+</p>
+</desc>
+<interface name="pads_admin" lineno="28">
+<summary>
+All of the rules required to administrate
+an pads environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="passenger" filename="policy/modules/contrib/passenger.if">
+<summary>Ruby on rails deployment for Apache and Nginx servers.</summary>
+<interface name="passenger_domtrans" lineno="13">
+<summary>
+Execute passenger in the passenger domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="passenger_read_lib_files" lineno="31">
+<summary>
+Read passenger lib files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="pcmcia" filename="policy/modules/contrib/pcmcia.if">
+<summary>PCMCIA card management services</summary>
+<interface name="pcmcia_stub" lineno="13">
+<summary>
+PCMCIA stub interface. No access allowed.
+</summary>
+<param name="domain" unused="true">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pcmcia_domtrans_cardmgr" lineno="29">
+<summary>
+Execute cardmgr in the cardmgr domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="pcmcia_use_cardmgr_fds" lineno="47">
+<summary>
+Inherit and use file descriptors from cardmgr.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pcmcia_domtrans_cardctl" lineno="65">
+<summary>
+Execute cardctl in the cardmgr domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="pcmcia_run_cardctl" lineno="90">
+<summary>
+Execute cardmgr in the cardctl domain, and
+allow the specified role the cardmgr domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="pcmcia_read_pid" lineno="109">
+<summary>
+Read cardmgr pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pcmcia_manage_pid" lineno="129">
+<summary>
+Create, read, write, and delete
+cardmgr pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pcmcia_manage_pid_chr_files" lineno="149">
+<summary>
+Create, read, write, and delete
+cardmgr runtime character nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="pcscd" filename="policy/modules/contrib/pcscd.if">
+<summary>PCSC smart card service</summary>
+<interface name="pcscd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run pcscd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="pcscd_read_pub_files" lineno="31">
+<summary>
+Read pcscd pub files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pcscd_manage_pub_files" lineno="50">
+<summary>
+Manage pcscd pub files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pcscd_manage_pub_pipes" lineno="69">
+<summary>
+Manage pcscd pub fifo files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pcscd_stream_connect" lineno="88">
+<summary>
+Connect to pcscd over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="pegasus" filename="policy/modules/contrib/pegasus.if">
+<summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+</module>
+<module name="perdition" filename="policy/modules/contrib/perdition.if">
+<summary>Perdition POP and IMAP proxy</summary>
+<interface name="perdition_tcp_connect" lineno="13">
+<summary>
+Connect to perdition over a TCP socket (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="pingd" filename="policy/modules/contrib/pingd.if">
+<summary>Pingd of the Whatsup cluster node up/down detection utility</summary>
+<interface name="pingd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run pingd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="pingd_read_config" lineno="31">
+<summary>
+Read pingd etc configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pingd_manage_config" lineno="50">
+<summary>
+Manage pingd etc configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pingd_admin" lineno="78">
+<summary>
+All of the rules required to administrate
+an pingd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the pingd domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="plymouthd" filename="policy/modules/contrib/plymouthd.if">
+<summary>Plymouth graphical boot</summary>
+<interface name="plymouthd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run plymouthd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="plymouthd_exec" lineno="31">
+<summary>
+Execute the plymoth daemon in the current domain
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="plymouthd_stream_connect" lineno="50">
+<summary>
+Allow domain to Stream socket connect
+to Plymouth daemon.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="plymouthd_exec_plymouth" lineno="68">
+<summary>
+Execute the plymoth command in the current domain
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="plymouthd_domtrans_plymouth" lineno="86">
+<summary>
+Execute a domain transition to run plymouthd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="plymouthd_search_spool" lineno="104">
+<summary>
+Search plymouthd spool directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="plymouthd_read_spool_files" lineno="123">
+<summary>
+Read plymouthd spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="plymouthd_manage_spool_files" lineno="143">
+<summary>
+Create, read, write, and delete
+plymouthd spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="plymouthd_search_lib" lineno="162">
+<summary>
+Search plymouthd lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="plymouthd_read_lib_files" lineno="181">
+<summary>
+Read plymouthd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="plymouthd_manage_lib_files" lineno="201">
+<summary>
+Create, read, write, and delete
+plymouthd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="plymouthd_read_pid_files" lineno="220">
+<summary>
+Read plymouthd PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="plymouthd_admin" lineno="246">
+<summary>
+All of the rules required to administrate
+an plymouthd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="podsleuth" filename="policy/modules/contrib/podsleuth.if">
+<summary>Podsleuth is a tool to get information about an Apple (TM) iPod (TM)</summary>
+<interface name="podsleuth_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run podsleuth.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="podsleuth_run" lineno="38">
+<summary>
+Execute podsleuth in the podsleuth domain, and
+allow the specified role the podsleuth domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="policykit" filename="policy/modules/contrib/policykit.if">
+<summary>Policy framework for controlling privileges for system-wide services.</summary>
+<interface name="policykit_dbus_chat" lineno="14">
+<summary>
+Send and receive messages from
+policykit over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="policykit_domtrans_auth" lineno="34">
+<summary>
+Execute a domain transition to run polkit_auth.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="policykit_run_auth" lineno="58">
+<summary>
+Execute a policy_auth in the policy_auth domain, and
+allow the specified role the policy_auth domain,
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="policykit_domtrans_grant" lineno="77">
+<summary>
+Execute a domain transition to run polkit_grant.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="policykit_run_grant" lineno="102">
+<summary>
+Execute a policy_grant in the policy_grant domain, and
+allow the specified role the policy_grant domain,
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="policykit_read_reload" lineno="125">
+<summary>
+read policykit reload files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="policykit_rw_reload" lineno="144">
+<summary>
+rw policykit reload files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="policykit_domtrans_resolve" lineno="163">
+<summary>
+Execute a domain transition to run polkit_resolve.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="policykit_search_lib" lineno="183">
+<summary>
+Search policykit lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="policykit_read_lib" lineno="202">
+<summary>
+read policykit lib files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="portage" filename="policy/modules/contrib/portage.if">
+<summary>
+Portage Package Management System. The primary package management and
+distribution system for Gentoo.
+</summary>
+<interface name="portage_domtrans" lineno="16">
+<summary>
+Execute emerge in the portage domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="portage_run" lineno="44">
+<summary>
+Execute emerge in the portage domain, and
+allow the specified role the portage domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the portage domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="portage_compile_domain" lineno="69">
+<summary>
+Template for portage sandbox.
+</summary>
+<desc>
+<p>
+Template for portage sandbox. Portage
+does all compiling in the sandbox.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain Allowed Access
+</summary>
+</param>
+</interface>
+<interface name="portage_domtrans_fetch" lineno="222">
+<summary>
+Execute tree management functions (fetching, layman, ...)
+in the portage_fetch_t domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="portage_run_fetch" lineno="251">
+<summary>
+Execute tree management functions (fetching, layman, ...)
+in the portage_fetch_t domain, and allow the specified role
+the portage_fetch_t domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the portage_fetch domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="portage_domtrans_gcc_config" lineno="271">
+<summary>
+Execute gcc-config in the gcc_config domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="portage_run_gcc_config" lineno="299">
+<summary>
+Execute gcc-config in the gcc_config domain, and
+allow the specified role the gcc_config domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the gcc_config domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="portage_dontaudit_use_fds" lineno="319">
+<summary>
+Do not audit attempts to use
+portage file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="portage_dontaudit_search_tmp" lineno="338">
+<summary>
+Do not audit attempts to search the
+portage temporary directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="portage_dontaudit_rw_tmp_files" lineno="357">
+<summary>
+Do not audit attempts to read and write
+the portage temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<tunable name="portage_use_nfs" dftval="false">
+<desc>
+<p>
+Allow the portage domains to use NFS mounts (regular nfs_t)
+</p>
+</desc>
+</tunable>
+</module>
+<module name="portmap" filename="policy/modules/contrib/portmap.if">
+<summary>RPC port mapping service.</summary>
+<interface name="portmap_domtrans_helper" lineno="13">
+<summary>
+Execute portmap_helper in the helper domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="portmap_run_helper" lineno="40">
+<summary>
+Execute portmap helper in the helper domain, and
+allow the specified role the helper domain.
+Communicate with portmap.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="portmap_udp_send" lineno="59">
+<summary>
+Send UDP network traffic to portmap. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="portmap_udp_chat" lineno="73">
+<summary>
+Send and receive UDP network traffic from portmap. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="portmap_tcp_connect" lineno="87">
+<summary>
+Connect to portmap over a TCP socket (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="portreserve" filename="policy/modules/contrib/portreserve.if">
+<summary>Reserve well-known ports in the RPC port range.</summary>
+<interface name="portreserve_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run portreserve.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="portreserve_read_config" lineno="33">
+<summary>
+Allow the specified domain to read
+portreserve etcuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="portreserve_manage_config" lineno="55">
+<summary>
+Allow the specified domain to manage
+portreserve etcuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="portreserve_initrc_domtrans" lineno="76">
+<summary>
+Execute portreserve in the portreserve domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="portreserve_admin" lineno="101">
+<summary>
+All of the rules required to administrate
+an portreserve environment.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="portslave" filename="policy/modules/contrib/portslave.if">
+<summary>Portslave terminal server software</summary>
+<interface name="portslave_domtrans" lineno="13">
+<summary>
+Execute portslave with a domain transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="postfix" filename="policy/modules/contrib/postfix.if">
+<summary>Postfix email server</summary>
+<interface name="postfix_stub" lineno="13">
+<summary>
+Postfix stub interface. No access allowed.
+</summary>
+<param name="domain" unused="true">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<template name="postfix_domain_template" lineno="30">
+<summary>
+Creates types and rules for a basic
+postfix process domain.
+</summary>
+<param name="prefix">
+<summary>
+Prefix for the domain.
+</summary>
+</param>
+</template>
+<template name="postfix_server_domain_template" lineno="112">
+<summary>
+Creates a postfix server process domain.
+</summary>
+<param name="prefix">
+<summary>
+Prefix of the domain.
+</summary>
+</param>
+</template>
+<template name="postfix_user_domain_template" lineno="154">
+<summary>
+Creates a process domain for programs
+that are ran by users.
+</summary>
+<param name="prefix">
+<summary>
+Prefix of the domain.
+</summary>
+</param>
+</template>
+<interface name="postfix_read_config" lineno="181">
+<summary>
+Read postfix configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="postfix_config_filetrans" lineno="212">
+<summary>
+Create files with the specified type in
+the postfix configuration directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private type">
+<summary>
+The type of the object to be created.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="postfix_dontaudit_rw_local_tcp_sockets" lineno="233">
+<summary>
+Do not audit attempts to read and
+write postfix local delivery
+TCP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="postfix_rw_local_pipes" lineno="252">
+<summary>
+Allow read/write postfix local pipes
+TCP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postfix_read_local_state" lineno="270">
+<summary>
+Allow domain to read postfix local process state
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postfix_read_master_state" lineno="288">
+<summary>
+Allow domain to read postfix master process state
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postfix_dontaudit_use_fds" lineno="308">
+<summary>
+Do not audit attempts to use
+postfix master process file
+file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="postfix_domtrans_map" lineno="326">
+<summary>
+Execute postfix_map in the postfix_map domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="postfix_run_map" lineno="351">
+<summary>
+Execute postfix_map in the postfix_map domain, and
+allow the specified role the postfix_map domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="postfix_domtrans_master" lineno="371">
+<summary>
+Execute the master postfix program in the
+postfix_master domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="postfix_exec_master" lineno="390">
+<summary>
+Execute the master postfix program in the
+caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postfix_stream_connect_master" lineno="409">
+<summary>
+Connect to postfix master process using a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="postfix_domtrans_postdrop" lineno="428">
+<summary>
+Execute the master postdrop in the
+postfix_postdrop domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="postfix_domtrans_postqueue" lineno="447">
+<summary>
+Execute the master postqueue in the
+postfix_postqueue domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="posftix_exec_postqueue" lineno="465">
+<summary>
+Execute the master postqueue in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postfix_create_private_sockets" lineno="483">
+<summary>
+Create a named socket in a postfix private directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postfix_manage_private_sockets" lineno="502">
+<summary>
+manage named socket in a postfix private directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postfix_domtrans_smtp" lineno="522">
+<summary>
+Execute the master postfix program in the
+postfix_master domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="postfix_search_spool" lineno="540">
+<summary>
+Search postfix mail spool directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postfix_list_spool" lineno="559">
+<summary>
+List postfix mail spool directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postfix_read_spool_files" lineno="578">
+<summary>
+Read postfix mail spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postfix_manage_spool_files" lineno="597">
+<summary>
+Create, read, write, and delete postfix mail spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postfix_domtrans_user_mail_handler" lineno="617">
+<summary>
+Execute postfix user mail programs
+in their respective domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="postfixpolicyd" filename="policy/modules/contrib/postfixpolicyd.if">
+<summary>Postfix policy server</summary>
+<interface name="postfixpolicyd_admin" lineno="20">
+<summary>
+All of the rules required to administrate
+an postfixpolicyd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the postfixpolicyd domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="postgrey" filename="policy/modules/contrib/postgrey.if">
+<summary>Postfix grey-listing server</summary>
+<interface name="postgrey_stream_connect" lineno="13">
+<summary>
+Write to postgrey socket
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postgrey_search_spool" lineno="33">
+<summary>
+Search the spool directory
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postgrey_admin" lineno="58">
+<summary>
+All of the rules required to administrate
+an postgrey environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the postgrey domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="ppp" filename="policy/modules/contrib/ppp.if">
+<summary>Point to Point Protocol daemon creates links in ppp networks</summary>
+<interface name="ppp_use_fds" lineno="13">
+<summary>
+Use PPP file discriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ppp_dontaudit_use_fds" lineno="32">
+<summary>
+Do not audit attempts to inherit
+and use PPP file discriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="ppp_sigchld" lineno="50">
+<summary>
+Send a SIGCHLD signal to PPP.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ppp_kill" lineno="70">
+<summary>
+Send ppp a kill signal
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ppp_signal" lineno="88">
+<summary>
+Send a generic signal to PPP.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ppp_signull" lineno="106">
+<summary>
+Send a generic signull to PPP.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ppp_domtrans" lineno="124">
+<summary>
+Execute domain in the ppp domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ppp_run_cond" lineno="149">
+<summary>
+Conditionally execute ppp daemon on behalf of a user or staff type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the ppp domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="ppp_run" lineno="177">
+<summary>
+Unconditionally execute ppp daemon on behalf of a user or staff type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the ppp domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="ppp_exec" lineno="196">
+<summary>
+Execute domain in the ppp caller.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ppp_read_config" lineno="215">
+<summary>
+Read ppp configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ppp_read_rw_config" lineno="234">
+<summary>
+Read PPP-writable configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ppp_read_secrets" lineno="254">
+<summary>
+Read PPP secrets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ppp_read_pid_files" lineno="274">
+<summary>
+Read PPP pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ppp_manage_pid_files" lineno="292">
+<summary>
+Create, read, write, and delete PPP pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ppp_pid_filetrans" lineno="310">
+<summary>
+Create, read, write, and delete PPP pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ppp_initrc_domtrans" lineno="328">
+<summary>
+Execute ppp server in the ntpd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ppp_admin" lineno="348">
+<summary>
+All of the rules required to administrate
+an ppp environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="pppd_can_insmod" dftval="false">
+<desc>
+<p>
+Allow pppd to load kernel modules for certain modems
+</p>
+</desc>
+</tunable>
+<tunable name="pppd_for_user" dftval="false">
+<desc>
+<p>
+Allow pppd to be run for a regular user
+</p>
+</desc>
+</tunable>
+</module>
+<module name="prelink" filename="policy/modules/contrib/prelink.if">
+<summary>Prelink ELF shared library mappings.</summary>
+<interface name="prelink_domtrans" lineno="13">
+<summary>
+Execute the prelink program in the prelink domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="prelink_exec" lineno="37">
+<summary>
+Execute the prelink program in the current domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="prelink_run" lineno="62">
+<summary>
+Execute the prelink program in the prelink domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the prelink domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="prelink_object_file" lineno="82">
+<summary>
+Make the specified file type prelinkable.
+</summary>
+<param name="file_type">
+<summary>
+File type to be prelinked.
+</summary>
+</param>
+</interface>
+<interface name="prelink_read_cache" lineno="100">
+<summary>
+Read the prelink cache.
+</summary>
+<param name="file_type">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="prelink_delete_cache" lineno="119">
+<summary>
+Delete the prelink cache.
+</summary>
+<param name="file_type">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="prelink_manage_log" lineno="139">
+<summary>
+Create, read, write, and delete
+prelink log files.
+</summary>
+<param name="file_type">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="prelink_manage_lib" lineno="159">
+<summary>
+Create, read, write, and delete
+prelink var_lib files.
+</summary>
+<param name="file_type">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="prelink_relabelfrom_lib" lineno="178">
+<summary>
+Relabel from files in the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="prelink_relabel_lib" lineno="197">
+<summary>
+Relabel from files in the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="prelude" filename="policy/modules/contrib/prelude.if">
+<summary>Prelude hybrid intrusion detection system</summary>
+<interface name="prelude_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run prelude.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="prelude_domtrans_audisp" lineno="31">
+<summary>
+Execute a domain transition to run prelude_audisp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="prelude_signal_audisp" lineno="49">
+<summary>
+Signal the prelude_audisp domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed acccess.
+</summary>
+</param>
+</interface>
+<interface name="prelude_read_spool" lineno="67">
+<summary>
+Read the prelude spool files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="prelude_manage_spool" lineno="86">
+<summary>
+Manage to prelude-manager spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="prelude_admin" lineno="113">
+<summary>
+All of the rules required to administrate
+an prelude environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="privoxy" filename="policy/modules/contrib/privoxy.if">
+<summary>Privacy enhancing web proxy.</summary>
+<interface name="privoxy_admin" lineno="20">
+<summary>
+All of the rules required to administrate
+an privoxy environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="privoxy_connect_any" dftval="false">
+<desc>
+<p>
+Allow privoxy to connect to all ports, not just
+HTTP, FTP, and Gopher ports.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="procmail" filename="policy/modules/contrib/procmail.if">
+<summary>Procmail mail delivery agent</summary>
+<interface name="procmail_domtrans" lineno="13">
+<summary>
+Execute procmail with a domain transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="procmail_exec" lineno="33">
+<summary>
+Execute procmail in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="procmail_read_tmp_files" lineno="53">
+<summary>
+Read procmail tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="procmail_rw_tmp_files" lineno="72">
+<summary>
+Read/write procmail tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="psad" filename="policy/modules/contrib/psad.if">
+<summary>Intrusion Detection and Log Analysis with iptables</summary>
+<interface name="psad_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run psad.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="psad_signal" lineno="31">
+<summary>
+Send a generic signal to psad
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="psad_signull" lineno="49">
+<summary>
+Send a null signal to psad.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="psad_read_config" lineno="67">
+<summary>
+Read psad etc configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="psad_manage_config" lineno="86">
+<summary>
+Manage psad etc configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="psad_read_pid_files" lineno="107">
+<summary>
+Read psad PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="psad_rw_pid_files" lineno="126">
+<summary>
+Read psad PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="psad_read_log" lineno="146">
+<summary>
+Allow the specified domain to read psad's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="psad_append_log" lineno="167">
+<summary>
+Allow the specified domain to append to psad's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="psad_rw_fifo_file" lineno="187">
+<summary>
+Read and write psad fifo files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="psad_rw_tmp_files" lineno="207">
+<summary>
+Read and write psad tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="psad_admin" lineno="233">
+<summary>
+All of the rules required to administrate
+an psad environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the syslog domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="ptchown" filename="policy/modules/contrib/ptchown.if">
+<summary>helper function for grantpt(3), changes ownship and permissions of pseudotty</summary>
+<interface name="ptchown_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run ptchown.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ptchown_run" lineno="37">
+<summary>
+Execute ptchown in the ptchown domain, and
+allow the specified role the ptchown domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="publicfile" filename="policy/modules/contrib/publicfile.if">
+<summary>publicfile supplies files to the public through HTTP and FTP</summary>
+</module>
+<module name="pulseaudio" filename="policy/modules/contrib/pulseaudio.if">
+<summary>Pulseaudio network sound server.</summary>
+<interface name="pulseaudio_role" lineno="18">
+<summary>
+Role access for pulseaudio
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="pulseaudio_domtrans" lineno="52">
+<summary>
+Execute a domain transition to run pulseaudio.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="pulseaudio_run" lineno="76">
+<summary>
+Execute pulseaudio in the pulseaudio domain, and
+allow the specified role the pulseaudio domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pulseaudio_exec" lineno="95">
+<summary>
+Execute a pulseaudio in the current domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pulseaudio_dontaudit_exec" lineno="113">
+<summary>
+Do not audit to execute a pulseaudio.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="pulseaudio_signull" lineno="132">
+<summary>
+Send signull signal to pulseaudio
+processes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pulseaudio_stream_connect" lineno="151">
+<summary>
+Connect to pulseaudio over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pulseaudio_dbus_chat" lineno="173">
+<summary>
+Send and receive messages from
+pulseaudio over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pulseaudio_setattr_home_dir" lineno="193">
+<summary>
+Set the attributes of the pulseaudio homedir.
+</summary>
+<param name="user_domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pulseaudio_read_home_files" lineno="211">
+<summary>
+Read pulseaudio homedir files.
+</summary>
+<param name="user_domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pulseaudio_rw_home_files" lineno="231">
+<summary>
+Read and write Pulse Audio files.
+</summary>
+<param name="user_domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pulseaudio_manage_home_files" lineno="252">
+<summary>
+Create, read, write, and delete pulseaudio
+home directory files.
+</summary>
+<param name="user_domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="puppet" filename="policy/modules/contrib/puppet.if">
+<summary>Puppet client daemon</summary>
+<desc>
+<p>
+Puppet is a configuration management system written in Ruby.
+The client daemon is responsible for periodically requesting the
+desired system state from the server and ensuring the state of
+the client system matches.
+</p>
+</desc>
+<interface name="puppet_rw_tmp" lineno="24">
+<summary>
+Read / Write to Puppet temp files. Puppet uses
+some system binaries (groupadd, etc) that run in
+a non-puppet domain and redirects output into temp
+files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="puppet_manage_all_files" dftval="false">
+<desc>
+<p>
+Allow Puppet client to manage all file
+types.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="pxe" filename="policy/modules/contrib/pxe.if">
+<summary>Server for the PXE network boot protocol</summary>
+</module>
+<module name="pyicqt" filename="policy/modules/contrib/pyicqt.if">
+<summary>PyICQt is an ICQ transport for XMPP server.</summary>
+</module>
+<module name="pyzor" filename="policy/modules/contrib/pyzor.if">
+<summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
+<interface name="pyzor_role" lineno="18">
+<summary>
+Role access for pyzor
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="pyzor_signal" lineno="44">
+<summary>
+Send generic signals to pyzor
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="pyzor_domtrans" lineno="62">
+<summary>
+Execute pyzor with a domain transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="pyzor_exec" lineno="82">
+<summary>
+Execute pyzor in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="qemu" filename="policy/modules/contrib/qemu.if">
+<summary>QEMU machine emulator and virtualizer</summary>
+<template name="qemu_domain_template" lineno="14">
+<summary>
+Creates types and rules for a basic
+qemu process domain.
+</summary>
+<param name="prefix">
+<summary>
+Prefix for the domain.
+</summary>
+</param>
+</template>
+<template name="qemu_role" lineno="127">
+<summary>
+The per role template for the qemu module.
+</summary>
+<desc>
+<p>
+This template creates a derived domains which are used
+for qemu web browser.
+</p>
+<p>
+This template is invoked automatically for each user, and
+generally does not need to be invoked directly
+by policy writers.
+</p>
+</desc>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</template>
+<interface name="qemu_domtrans" lineno="150">
+<summary>
+Execute a domain transition to run qemu.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="qemu_run" lineno="174">
+<summary>
+Execute qemu in the qemu domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the qemu domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="qemu_read_state" lineno="195">
+<summary>
+Allow the domain to read state files in /proc.
+</summary>
+<param name="domain">
+<summary>
+Domain to allow access.
+</summary>
+</param>
+</interface>
+<interface name="qemu_setsched" lineno="213">
+<summary>
+Set the schedule on qemu.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="qemu_signal" lineno="231">
+<summary>
+Send a signal to qemu.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="qemu_kill" lineno="249">
+<summary>
+Send a sigill to qemu
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="qemu_domtrans_unconfined" lineno="267">
+<summary>
+Execute a domain transition to run qemu unconfined.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="qemu_manage_tmp_dirs" lineno="285">
+<summary>
+Manage qemu temporary dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="qemu_manage_tmp_files" lineno="303">
+<summary>
+Manage qemu temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="qemu_full_network" dftval="false">
+<desc>
+<p>
+Allow qemu to connect fully to the network
+</p>
+</desc>
+</tunable>
+<tunable name="qemu_use_cifs" dftval="true">
+<desc>
+<p>
+Allow qemu to use cifs/Samba file systems
+</p>
+</desc>
+</tunable>
+<tunable name="qemu_use_comm" dftval="false">
+<desc>
+<p>
+Allow qemu to use serial/parallel communication ports
+</p>
+</desc>
+</tunable>
+<tunable name="qemu_use_nfs" dftval="true">
+<desc>
+<p>
+Allow qemu to use nfs file systems
+</p>
+</desc>
+</tunable>
+<tunable name="qemu_use_usb" dftval="true">
+<desc>
+<p>
+Allow qemu to use usb devices
+</p>
+</desc>
+</tunable>
+</module>
+<module name="qmail" filename="policy/modules/contrib/qmail.if">
+<summary>Qmail Mail Server</summary>
+<template name="qmail_child_domain_template" lineno="18">
+<summary>
+Template for qmail parent/sub-domain pairs
+</summary>
+<param name="child_prefix">
+<summary>
+The prefix of the child domain
+</summary>
+</param>
+<param name="parent_domain">
+<summary>
+The name of the parent domain.
+</summary>
+</param>
+</template>
+<interface name="qmail_domtrans_inject" lineno="60">
+<summary>
+Transition to qmail_inject_t
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="qmail_domtrans_queue" lineno="86">
+<summary>
+Transition to qmail_queue_t
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="qmail_read_config" lineno="113">
+<summary>
+Read qmail configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="qmail_smtpd_service_domain" lineno="145">
+<summary>
+Define the specified domain as a qmail-smtp service.
+Needed by antivirus/antispam filters.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access
+</summary>
+</param>
+<param name="entrypoint">
+<summary>
+The type associated with the process program.
+</summary>
+</param>
+</interface>
+</module>
+<module name="qpid" filename="policy/modules/contrib/qpid.if">
+<summary>Apache QPID AMQP messaging server.</summary>
+<interface name="qpidd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run qpidd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="qpidd_rw_semaphores" lineno="31">
+<summary>
+Allow read and write access to qpidd semaphores.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="qpidd_rw_shm" lineno="49">
+<summary>
+Read and write to qpidd shared memory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="qpidd_initrc_domtrans" lineno="67">
+<summary>
+Execute qpidd server in the qpidd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="qpidd_read_pid_files" lineno="85">
+<summary>
+Read qpidd PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="qpidd_search_lib" lineno="104">
+<summary>
+Search qpidd lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="qpidd_read_lib_files" lineno="123">
+<summary>
+Read qpidd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="qpidd_manage_lib_files" lineno="143">
+<summary>
+Create, read, write, and delete
+qpidd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="qpidd_admin" lineno="169">
+<summary>
+All of the rules required to administrate
+an qpidd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="quota" filename="policy/modules/contrib/quota.if">
+<summary>File system quota management</summary>
+<interface name="quota_domtrans" lineno="13">
+<summary>
+Execute quota management tools in the quota domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="quota_run" lineno="39">
+<summary>
+Execute quota management tools in the quota domain, and
+allow the specified role the quota domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="quota_dontaudit_getattr_db" lineno="59">
+<summary>
+Do not audit attempts to get the attributes
+of filesystem quota data files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="quota_manage_flags" lineno="78">
+<summary>
+Create, read, write, and delete quota
+flag files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="radius" filename="policy/modules/contrib/radius.if">
+<summary>RADIUS authentication and accounting server.</summary>
+<interface name="radius_use" lineno="13">
+<summary>
+Use radius over a UDP connection. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="radius_admin" lineno="34">
+<summary>
+All of the rules required to administrate
+an radius environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="radvd" filename="policy/modules/contrib/radvd.if">
+<summary>IPv6 router advertisement daemon</summary>
+<interface name="radvd_admin" lineno="20">
+<summary>
+All of the rules required to administrate
+an radvd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="raid" filename="policy/modules/contrib/raid.if">
+<summary>RAID array management tools</summary>
+<interface name="raid_domtrans_mdadm" lineno="13">
+<summary>
+Execute software raid tools in the mdadm domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="raid_run_mdadm" lineno="39">
+<summary>
+Execute a domain transition to mdadm_t for the
+specified role, allowing it to use the mdadm_t
+domain
+</summary>
+<param name="role">
+<summary>
+Role allowed to access mdadm_t domain
+</summary>
+</param>
+<param name="domain">
+<summary>
+Domain allowed to transition to mdadm_t
+</summary>
+</param>
+</interface>
+<interface name="raid_manage_mdadm_pid" lineno="66">
+<summary>
+Create, read, write, and delete the mdadm pid files.
+</summary>
+<desc>
+<p>
+Create, read, write, and delete the mdadm pid files.
+</p>
+<p>
+Added for use in the init module.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="razor" filename="policy/modules/contrib/razor.if">
+<summary>A distributed, collaborative, spam detection and filtering network.</summary>
+<desc>
+<p>
+A distributed, collaborative, spam detection and filtering network.
+</p>
+<p>
+This policy will work with either the ATrpms provided config
+file in /etc/razor, or with the default of dumping everything into
+$HOME/.razor.
+</p>
+</desc>
+<template name="razor_common_domain_template" lineno="25">
+<summary>
+Template to create types and rules common to
+all razor domains.
+</summary>
+<param name="prefix">
+<summary>
+The prefix of the domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+</template>
+<interface name="razor_role" lineno="121">
+<summary>
+Role access for razor
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="razor_domtrans" lineno="153">
+<summary>
+Execute razor in the system razor domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="rdisc" filename="policy/modules/contrib/rdisc.if">
+<summary>Network router discovery daemon</summary>
+<interface name="rdisc_exec" lineno="13">
+<summary>
+Execute rdisc in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="readahead" filename="policy/modules/contrib/readahead.if">
+<summary>Readahead, read files into page cache for improved performance</summary>
+</module>
+<module name="remotelogin" filename="policy/modules/contrib/remotelogin.if">
+<summary>Policy for rshd, rlogind, and telnetd.</summary>
+<interface name="remotelogin_domtrans" lineno="13">
+<summary>
+Domain transition to the remote login domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="remotelogin_signal" lineno="31">
+<summary>
+allow Domain to signal remote login domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="resmgr" filename="policy/modules/contrib/resmgr.if">
+<summary>Resource management daemon</summary>
+<interface name="resmgr_stream_connect" lineno="14">
+<summary>
+Connect to resmgrd over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="rgmanager" filename="policy/modules/contrib/rgmanager.if">
+<summary>rgmanager - Resource Group Manager</summary>
+<interface name="rgmanager_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run rgmanager.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rgmanager_stream_connect" lineno="32">
+<summary>
+Connect to rgmanager over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rgmanager_manage_tmp_files" lineno="51">
+<summary>
+Allow manage rgmanager tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rgmanager_manage_tmpfs_files" lineno="70">
+<summary>
+Allow manage rgmanager tmpfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="rgmanager_can_network_connect" dftval="false">
+<desc>
+<p>
+Allow rgmanager domain to connect to the network using TCP.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="rhcs" filename="policy/modules/contrib/rhcs.if">
+<summary>RHCS - Red Hat Cluster Suite</summary>
+<template name="rhcs_domain_template" lineno="14">
+<summary>
+Creates types and rules for a basic
+rhcs init daemon domain.
+</summary>
+<param name="prefix">
+<summary>
+Prefix for the domain.
+</summary>
+</param>
+</template>
+<interface name="rhcs_domtrans_dlm_controld" lineno="67">
+<summary>
+Execute a domain transition to run dlm_controld.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rhcs_stream_connect_dlm_controld" lineno="87">
+<summary>
+Connect to dlm_controld over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhcs_rw_dlm_controld_semaphores" lineno="106">
+<summary>
+Allow read and write access to dlm_controld semaphores.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhcs_domtrans_fenced" lineno="127">
+<summary>
+Execute a domain transition to run fenced.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rhcs_rw_fenced_semaphores" lineno="146">
+<summary>
+Allow read and write access to fenced semaphores.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhcs_stream_connect_fenced" lineno="167">
+<summary>
+Connect to fenced over an unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhcs_domtrans_gfs_controld" lineno="187">
+<summary>
+Execute a domain transition to run gfs_controld.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rhcs_rw_gfs_controld_semaphores" lineno="206">
+<summary>
+Allow read and write access to gfs_controld semaphores.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhcs_rw_gfs_controld_shm" lineno="227">
+<summary>
+Read and write to gfs_controld_t shared memory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhcs_stream_connect_gfs_controld" lineno="248">
+<summary>
+Connect to gfs_controld_t over an unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhcs_domtrans_groupd" lineno="267">
+<summary>
+Execute a domain transition to run groupd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rhcs_stream_connect_groupd" lineno="287">
+<summary>
+Connect to groupd over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhcs_rw_groupd_semaphores" lineno="306">
+<summary>
+Allow read and write access to groupd semaphores.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhcs_rw_groupd_shm" lineno="327">
+<summary>
+Read and write to group shared memory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhcs_domtrans_qdiskd" lineno="348">
+<summary>
+Execute a domain transition to run qdiskd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<tunable name="fenced_can_network_connect" dftval="false">
+<desc>
+<p>
+Allow fenced domain to connect to the network using TCP.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="rhgb" filename="policy/modules/contrib/rhgb.if">
+<summary> Red Hat Graphical Boot </summary>
+<interface name="rhgb_stub" lineno="13">
+<summary>
+RHGB stub interface. No access allowed.
+</summary>
+<param name="domain" unused="true">
+<summary>
+N/A
+</summary>
+</param>
+</interface>
+<interface name="rhgb_use_fds" lineno="29">
+<summary>
+Use a rhgb file descriptor.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhgb_getpgid" lineno="47">
+<summary>
+Get the process group of rhgb.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhgb_signal" lineno="65">
+<summary>
+Send a signal to rhgb.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhgb_rw_stream_sockets" lineno="83">
+<summary>
+Read and write to unix stream sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhgb_dontaudit_rw_stream_sockets" lineno="102">
+<summary>
+Do not audit attempts to read and write
+rhgb unix domain stream sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="rhgb_stream_connect" lineno="120">
+<summary>
+Connected to rhgb unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhgb_rw_shm" lineno="138">
+<summary>
+Read and write to rhgb shared memory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhgb_use_ptys" lineno="156">
+<summary>
+Read from and write to the rhgb devpts.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhgb_dontaudit_use_ptys" lineno="174">
+<summary>
+dontaudit Read from and write to the rhgb devpts.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="rhgb_rw_tmpfs_files" lineno="192">
+<summary>
+Read and write to rhgb temporary file system.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="rhsmcertd" filename="policy/modules/contrib/rhsmcertd.if">
+<summary>Subscription Management Certificate Daemon policy</summary>
+<interface name="rhsmcertd_domtrans" lineno="13">
+<summary>
+Transition to rhsmcertd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rhsmcertd_initrc_domtrans" lineno="32">
+<summary>
+Execute rhsmcertd server in the rhsmcertd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhsmcertd_read_log" lineno="51">
+<summary>
+Read rhsmcertd's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="rhsmcertd_append_log" lineno="70">
+<summary>
+Append to rhsmcertd log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhsmcertd_manage_log" lineno="89">
+<summary>
+Manage rhsmcertd log files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhsmcertd_search_lib" lineno="110">
+<summary>
+Search rhsmcertd lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhsmcertd_read_lib_files" lineno="129">
+<summary>
+Read rhsmcertd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhsmcertd_manage_lib_files" lineno="148">
+<summary>
+Manage rhsmcertd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhsmcertd_manage_lib_dirs" lineno="167">
+<summary>
+Manage rhsmcertd lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhsmcertd_read_pid_files" lineno="186">
+<summary>
+Read rhsmcertd PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhsmcertd_stream_connect" lineno="206">
+<summary>
+Connect to rhsmcertd over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhsmcertd_dbus_chat" lineno="226">
+<summary>
+Send and receive messages from
+rhsmcertd over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhsmcertd_dontaudit_dbus_chat" lineno="247">
+<summary>
+Dontaudit Send and receive messages from
+rhsmcertd over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rhsmcertd_admin" lineno="274">
+<summary>
+All of the rules required to administrate
+an rhsmcertd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="ricci" filename="policy/modules/contrib/ricci.if">
+<summary>Ricci cluster management agent</summary>
+<interface name="ricci_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run ricci.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ricci_domtrans_modcluster" lineno="31">
+<summary>
+Execute a domain transition to run ricci_modcluster.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ricci_dontaudit_use_modcluster_fds" lineno="50">
+<summary>
+Do not audit attempts to use
+ricci_modcluster file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="ricci_dontaudit_rw_modcluster_pipes" lineno="69">
+<summary>
+Do not audit attempts to read write
+ricci_modcluster unamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="ricci_stream_connect_modclusterd" lineno="87">
+<summary>
+Connect to ricci_modclusterd over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ricci_domtrans_modlog" lineno="107">
+<summary>
+Execute a domain transition to run ricci_modlog.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ricci_domtrans_modrpm" lineno="125">
+<summary>
+Execute a domain transition to run ricci_modrpm.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ricci_domtrans_modservice" lineno="143">
+<summary>
+Execute a domain transition to run ricci_modservice.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ricci_domtrans_modstorage" lineno="161">
+<summary>
+Execute a domain transition to run ricci_modstorage.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="rlogin" filename="policy/modules/contrib/rlogin.if">
+<summary>Remote login daemon</summary>
+<interface name="rlogin_domtrans" lineno="13">
+<summary>
+Execute rlogind in the rlogin domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<template name="rlogin_read_home_content" lineno="38">
+<summary>
+read rlogin homedir content (.config)
+</summary>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</template>
+</module>
+<module name="roundup" filename="policy/modules/contrib/roundup.if">
+<summary>Roundup Issue Tracking System policy</summary>
+<interface name="roundup_admin" lineno="20">
+<summary>
+All of the rules required to administrate
+an roundup environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the roundup domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="rpc" filename="policy/modules/contrib/rpc.if">
+<summary>Remote Procedure Call Daemon for managment of network based process communication</summary>
+<interface name="rpc_stub" lineno="13">
+<summary>
+RPC stub interface. No access allowed.
+</summary>
+<param name="domain" unused="true">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<template name="rpc_domain_template" lineno="35">
+<summary>
+The template to define a rpc domain.
+</summary>
+<desc>
+<p>
+This template creates a domain to be used for
+a new rpc daemon.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The type of daemon to be used.
+</summary>
+</param>
+</template>
+<interface name="rpc_udp_send" lineno="135">
+<summary>
+Send UDP network traffic to rpc and recieve UDP traffic from rpc. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpc_dontaudit_getattr_exports" lineno="150">
+<summary>
+Do not audit attempts to get the attributes
+of the NFS export file.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="rpc_read_exports" lineno="168">
+<summary>
+Allow read access to exports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpc_write_exports" lineno="186">
+<summary>
+Allow write access to exports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpc_domtrans_nfsd" lineno="204">
+<summary>
+Execute domain in nfsd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rpc_initrc_domtrans_nfsd" lineno="222">
+<summary>
+Execute domain in nfsd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rpc_domtrans_rpcd" lineno="240">
+<summary>
+Execute domain in rpcd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rpc_initrc_domtrans_rpcd" lineno="259">
+<summary>
+Execute domain in rpcd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rpc_read_nfs_content" lineno="278">
+<summary>
+Read NFS exported content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="rpc_manage_nfs_rw_content" lineno="299">
+<summary>
+Allow domain to create read and write NFS directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="rpc_manage_nfs_ro_content" lineno="320">
+<summary>
+Allow domain to create read and write NFS directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="rpc_tcp_rw_nfs_sockets" lineno="340">
+<summary>
+Allow domain to read and write to an NFS TCP socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpc_udp_rw_nfs_sockets" lineno="358">
+<summary>
+Allow domain to read and write to an NFS UDP socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpc_udp_send_nfs" lineno="376">
+<summary>
+Send UDP traffic to NFSd. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpc_search_nfs_state_data" lineno="390">
+<summary>
+Search NFS state data in /var/lib/nfs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpc_read_nfs_state_data" lineno="409">
+<summary>
+Read NFS state data in /var/lib/nfs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpc_manage_nfs_state_data" lineno="428">
+<summary>
+Manage NFS state data in /var/lib/nfs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="allow_gssd_read_tmp" dftval="true">
+<desc>
+<p>
+Allow gssd to read temp directory. For access to kerberos tgt.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_nfsd_anon_write" dftval="false">
+<desc>
+<p>
+Allow nfs servers to modify public files
+used for public file transfer services. Files/Directories must be
+labeled public_content_rw_t.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="rpcbind" filename="policy/modules/contrib/rpcbind.if">
+<summary>Universal Addresses to RPC Program Number Mapper</summary>
+<interface name="rpcbind_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run rpcbind.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rpcbind_stream_connect" lineno="31">
+<summary>
+Connect to rpcbindd over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpcbind_read_pid_files" lineno="51">
+<summary>
+Read rpcbind PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpcbind_search_lib" lineno="70">
+<summary>
+Search rpcbind lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpcbind_read_lib_files" lineno="89">
+<summary>
+Read rpcbind lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpcbind_manage_lib_files" lineno="109">
+<summary>
+Create, read, write, and delete
+rpcbind lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpcbind_admin" lineno="135">
+<summary>
+All of the rules required to administrate
+an rpcbind environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the rpcbind domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="rpm" filename="policy/modules/contrib/rpm.if">
+<summary>Policy for the RPM package manager.</summary>
+<interface name="rpm_domtrans" lineno="13">
+<summary>
+Execute rpm programs in the rpm domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rpm_debuginfo_domtrans" lineno="32">
+<summary>
+Execute debuginfo_install programs in the rpm domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rpm_domtrans_script" lineno="51">
+<summary>
+Execute rpm_script programs in the rpm_script domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rpm_run" lineno="79">
+<summary>
+Execute RPM programs in the RPM domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the RPM domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="rpm_exec" lineno="98">
+<summary>
+Execute the rpm client in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_signull" lineno="117">
+<summary>
+Send a null signal to rpm.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_use_fds" lineno="135">
+<summary>
+Inherit and use file descriptors from RPM.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_read_pipes" lineno="153">
+<summary>
+Read from an unnamed RPM pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_rw_pipes" lineno="171">
+<summary>
+Read and write an unnamed RPM pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_dbus_chat" lineno="190">
+<summary>
+Send and receive messages from
+rpm over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_dontaudit_dbus_chat" lineno="211">
+<summary>
+Do not audit attempts to send and
+receive messages from rpm over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="rpm_script_dbus_chat" lineno="232">
+<summary>
+Send and receive messages from
+rpm_script over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_search_log" lineno="252">
+<summary>
+Search RPM log directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_append_log" lineno="272">
+<summary>
+Allow the specified domain to append
+to rpm log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_manage_log" lineno="291">
+<summary>
+Create, read, write, and delete the RPM log.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_use_script_fds" lineno="310">
+<summary>
+Inherit and use file descriptors from RPM scripts.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_manage_script_tmp_files" lineno="329">
+<summary>
+Create, read, write, and delete RPM
+script temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_append_tmp_files" lineno="349">
+<summary>
+Allow the specified domain to append
+to rpm tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_manage_tmp_files" lineno="369">
+<summary>
+Create, read, write, and delete RPM
+temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_read_script_tmp_files" lineno="388">
+<summary>
+Read RPM script temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_read_cache" lineno="408">
+<summary>
+Read the RPM cache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_manage_cache" lineno="429">
+<summary>
+Create, read, write, and delete the RPM package database.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_read_db" lineno="450">
+<summary>
+Read the RPM package database.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_delete_db" lineno="471">
+<summary>
+Delete the RPM package database.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_manage_db" lineno="490">
+<summary>
+Create, read, write, and delete the RPM package database.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_dontaudit_manage_db" lineno="511">
+<summary>
+Do not audit attempts to create, read,
+write, and delete the RPM package database.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="rpm_read_pid_files" lineno="531">
+<summary>
+Read rpm pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_manage_pid_files" lineno="550">
+<summary>
+Create, read, write, and delete rpm pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rpm_pid_filetrans" lineno="569">
+<summary>
+Create files in /var/run with the rpm pid file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="rshd" filename="policy/modules/contrib/rshd.if">
+<summary>Remote shell service.</summary>
+<interface name="rshd_domtrans" lineno="13">
+<summary>
+Domain transition to rshd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="rssh" filename="policy/modules/contrib/rssh.if">
+<summary>Restricted (scp/sftp) only shell</summary>
+<interface name="rssh_role" lineno="18">
+<summary>
+Role access for rssh
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="rssh_spec_domtrans" lineno="40">
+<summary>
+Transition to all user rssh domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rssh_exec" lineno="59">
+<summary>
+Execute the rssh program
+in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rssh_domtrans_chroot_helper" lineno="77">
+<summary>
+Execute a domain transition to run rssh_chroot_helper.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rssh_read_ro_content" lineno="95">
+<summary>
+Read all users rssh read-only content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="rsync" filename="policy/modules/contrib/rsync.if">
+<summary>Fast incremental file transfer for synchronization</summary>
+<interface name="rsync_entry_type" lineno="14">
+<summary>
+Make rsync an entry point for
+the specified domain.
+</summary>
+<param name="domain">
+<summary>
+The domain for which init scripts are an entrypoint.
+</summary>
+</param>
+</interface>
+<interface name="rsync_entry_spec_domtrans" lineno="47">
+<summary>
+Execute a rsync in a specified domain.
+</summary>
+<desc>
+<p>
+Execute a rsync in a specified domain.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+</desc>
+<param name="source_domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+Domain to transition to.
+</summary>
+</param>
+</interface>
+<interface name="rsync_entry_domtrans" lineno="80">
+<summary>
+Execute a rsync in a specified domain.
+</summary>
+<desc>
+<p>
+Execute a rsync in a specified domain.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+</desc>
+<param name="source_domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+Domain to transition to.
+</summary>
+</param>
+</interface>
+<interface name="rsync_exec" lineno="99">
+<summary>
+Execute rsync in the caller domain domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="rsync_read_config" lineno="117">
+<summary>
+Read rsync config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rsync_write_config" lineno="136">
+<summary>
+Write to rsync config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="rsync_export_all_ro" dftval="false">
+<desc>
+<p>
+Allow rsync to export any files/directories read only.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_rsync_anon_write" dftval="false">
+<desc>
+<p>
+Allow rsync to modify public files
+used for public file transfer services. Files/Directories must be
+labeled public_content_rw_t.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="rtkit" filename="policy/modules/contrib/rtkit.if">
+<summary>Realtime scheduling for user processes.</summary>
+<interface name="rtkit_daemon_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run rtkit_daemon.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rtkit_daemon_dbus_chat" lineno="32">
+<summary>
+Send and receive messages from
+rtkit_daemon over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rtkit_scheduled" lineno="52">
+<summary>
+Allow rtkit to control scheduling for your process
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="rwho" filename="policy/modules/contrib/rwho.if">
+<summary>Who is logged in on other machines?</summary>
+<interface name="rwho_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run rwho.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="rwho_search_log" lineno="31">
+<summary>
+Search rwho log directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rwho_read_log_files" lineno="50">
+<summary>
+Read rwho log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rwho_search_spool" lineno="70">
+<summary>
+Search rwho spool directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rwho_read_spool_files" lineno="89">
+<summary>
+Read rwho spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rwho_manage_spool_files" lineno="109">
+<summary>
+Create, read, write, and delete
+rwho spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="rwho_admin" lineno="135">
+<summary>
+All of the rules required to administrate
+an rwho environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="samba" filename="policy/modules/contrib/samba.if">
+<summary>
+SMB and CIFS client/server programs for UNIX and
+name Service Switch daemon for resolving names
+from Windows NT servers.
+</summary>
+<interface name="samba_domtrans_nmbd" lineno="17">
+<summary>
+Execute nmbd net in the nmbd_t domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="samba_signal_nmbd" lineno="36">
+<summary>
+Allow domain to signal samba
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samba_initrc_domtrans" lineno="53">
+<summary>
+Execute samba server in the samba domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="samba_domtrans_net" lineno="71">
+<summary>
+Execute samba net in the samba_net domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="samba_run_net" lineno="97">
+<summary>
+Execute samba net in the samba_net domain, and
+allow the specified role the samba_net domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="samba_domtrans_smbmount" lineno="116">
+<summary>
+Execute smbmount in the smbmount domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="samba_run_smbmount" lineno="142">
+<summary>
+Execute smbmount interactively and do
+a domain transition to the smbmount domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="samba_read_config" lineno="163">
+<summary>
+Allow the specified domain to read
+samba configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="samba_rw_config" lineno="184">
+<summary>
+Allow the specified domain to read
+and write samba configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="samba_manage_config" lineno="205">
+<summary>
+Allow the specified domain to read
+and write samba configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="samba_read_log" lineno="226">
+<summary>
+Allow the specified domain to read samba's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="samba_append_log" lineno="247">
+<summary>
+Allow the specified domain to append to samba's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="samba_exec_log" lineno="267">
+<summary>
+Execute samba log in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samba_read_secrets" lineno="286">
+<summary>
+Allow the specified domain to read samba's secrets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samba_read_share_files" lineno="305">
+<summary>
+Allow the specified domain to read samba's shares
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samba_search_var" lineno="325">
+<summary>
+Allow the specified domain to search
+samba /var directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samba_read_var_files" lineno="346">
+<summary>
+Allow the specified domain to
+read samba /var files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samba_dontaudit_write_var_files" lineno="367">
+<summary>
+Do not audit attempts to write samba
+/var files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="samba_rw_var_files" lineno="386">
+<summary>
+Allow the specified domain to
+read and write samba /var files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samba_manage_var_files" lineno="407">
+<summary>
+Allow the specified domain to
+read and write samba /var files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samba_domtrans_smbcontrol" lineno="427">
+<summary>
+Execute a domain transition to run smbcontrol.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="samba_run_smbcontrol" lineno="452">
+<summary>
+Execute smbcontrol in the smbcontrol domain, and
+allow the specified role the smbcontrol domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samba_domtrans_smbd" lineno="471">
+<summary>
+Execute smbd in the smbd_t domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="samba_signal_smbd" lineno="490">
+<summary>
+Allow domain to signal samba
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samba_dontaudit_use_fds" lineno="507">
+<summary>
+Do not audit attempts to use file descriptors from samba.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="samba_write_smbmount_tcp_sockets" lineno="525">
+<summary>
+Allow the specified domain to write to smbmount tcp sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samba_rw_smbmount_tcp_sockets" lineno="543">
+<summary>
+Allow the specified domain to read and write to smbmount tcp sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samba_domtrans_winbind_helper" lineno="561">
+<summary>
+Execute winbind_helper in the winbind_helper domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="samba_run_winbind_helper" lineno="586">
+<summary>
+Execute winbind_helper in the winbind_helper domain, and
+allow the specified role the winbind_helper domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="samba_read_winbind_pid" lineno="605">
+<summary>
+Allow the specified domain to read the winbind pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samba_stream_connect_winbind" lineno="624">
+<summary>
+Connect to winbind.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samba_admin" lineno="662">
+<summary>
+All of the rules required to administrate
+an samba environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the samba domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="allow_smbd_anon_write" dftval="false">
+<desc>
+<p>
+Allow samba to modify public files used for public file
+transfer services. Files/Directories must be labeled
+public_content_rw_t.
+</p>
+</desc>
+</tunable>
+<tunable name="samba_create_home_dirs" dftval="false">
+<desc>
+<p>
+Allow samba to create new home directories (e.g. via PAM)
+</p>
+</desc>
+</tunable>
+<tunable name="samba_domain_controller" dftval="false">
+<desc>
+<p>
+Allow samba to act as the domain controller, add users,
+groups and change passwords.
+
+</p>
+</desc>
+</tunable>
+<tunable name="samba_enable_home_dirs" dftval="false">
+<desc>
+<p>
+Allow samba to share users home directories.
+</p>
+</desc>
+</tunable>
+<tunable name="samba_export_all_ro" dftval="false">
+<desc>
+<p>
+Allow samba to share any file/directory read only.
+</p>
+</desc>
+</tunable>
+<tunable name="samba_export_all_rw" dftval="false">
+<desc>
+<p>
+Allow samba to share any file/directory read/write.
+</p>
+</desc>
+</tunable>
+<tunable name="samba_run_unconfined" dftval="false">
+<desc>
+<p>
+Allow samba to run unconfined scripts
+</p>
+</desc>
+</tunable>
+<tunable name="samba_share_nfs" dftval="false">
+<desc>
+<p>
+Allow samba to export NFS volumes.
+</p>
+</desc>
+</tunable>
+<tunable name="samba_share_fusefs" dftval="false">
+<desc>
+<p>
+Allow samba to export ntfs/fusefs volumes.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="sambagui" filename="policy/modules/contrib/sambagui.if">
+<summary>system-config-samba dbus service policy</summary>
+</module>
+<module name="samhain" filename="policy/modules/contrib/samhain.if">
+<summary>Samhain - check file integrity</summary>
+<template name="samhain_service_template" lineno="17">
+<summary>
+The template containing the most basic rules
+common to the samhain domains.
+</summary>
+<param name="samhaindomain_prefix">
+<summary>
+The prefix of the samhain domains(e.g., samhain
+for the domain of command line access, samhaind
+for the domain started by init script).
+</summary>
+</param>
+<rolebase/>
+</template>
+<interface name="samhain_domtrans" lineno="104">
+<summary>
+Execute samhain in the samhain domain
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="samhain_run" lineno="141">
+<summary>
+Execute samhain in the samhain domain with the clearance security
+level and allow the specifiled role the samhain domain.
+</summary>
+<desc>
+<p>
+Execute samhain in the samhain domain with the clearance security
+level and allow the specifiled role the samhain domain.
+</p>
+<p>
+The range_transition rule used in this interface requires that
+the calling domain should have the clearance security level
+otherwise the MLS constraint for process transition would fail.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed to access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="samhain_manage_config_files" lineno="164">
+<summary>
+Manage samhain configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samhain_manage_db_files" lineno="183">
+<summary>
+Manage samhain database files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samhain_manage_init_script_files" lineno="202">
+<summary>
+Manage samhain init script files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samhain_manage_log_files" lineno="221">
+<summary>
+Manage samhain log and log.lock files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samhain_manage_pid_files" lineno="240">
+<summary>
+Manage samhain pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="samhain_admin" lineno="268">
+<summary>
+All of the rules required to administrate
+the samhain environment.
+</summary>
+<desc>
+<p>
+This interface assumes that the calling domain has been able to
+remove an entry from /var/lib/ or /var/log/ and belongs to the
+mlsfilewrite attribute, since samhain files may be of clearance
+security level while their parent directories are of s0.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="sanlock" filename="policy/modules/contrib/sanlock.if">
+<summary>policy for sanlock</summary>
+<interface name="sanlock_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run sanlock.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sanlock_initrc_domtrans" lineno="31">
+<summary>
+Execute sanlock server in the sanlock domain.
+</summary>
+<param name="domain">
+<summary>
+The type of the process performing this action.
+</summary>
+</param>
+</interface>
+<interface name="sanlock_manage_pid_files" lineno="49">
+<summary>
+Create, read, write, and delete sanlock PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sanlock_stream_connect" lineno="68">
+<summary>
+Connect to sanlock over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sanlock_admin" lineno="94">
+<summary>
+All of the rules required to administrate
+an sanlock environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="sanlock_use_nfs" dftval="false">
+<desc>
+<p>
+Allow confined virtual guests to manage nfs files
+</p>
+</desc>
+</tunable>
+<tunable name="sanlock_use_samba" dftval="false">
+<desc>
+<p>
+Allow confined virtual guests to manage cifs files
+</p>
+</desc>
+</tunable>
+</module>
+<module name="sasl" filename="policy/modules/contrib/sasl.if">
+<summary>SASL authentication server</summary>
+<interface name="sasl_connect" lineno="13">
+<summary>
+Connect to SASL.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sasl_admin" lineno="39">
+<summary>
+All of the rules required to administrate
+an sasl environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="allow_saslauthd_read_shadow" dftval="false">
+<desc>
+<p>
+Allow sasl to read shadow
+</p>
+</desc>
+</tunable>
+</module>
+<module name="sblim" filename="policy/modules/contrib/sblim.if">
+<summary> policy for SBLIM Gatherer </summary>
+<interface name="sblim_domtrans_gatherd" lineno="13">
+<summary>
+Transition to gatherd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="sblim_read_pid_files" lineno="32">
+<summary>
+Read gatherd PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sblim_admin" lineno="58">
+<summary>
+All of the rules required to administrate
+an gatherd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="screen" filename="policy/modules/contrib/screen.if">
+<summary>GNU terminal multiplexer</summary>
+<template name="screen_role_template" lineno="24">
+<summary>
+The role template for the screen module.
+</summary>
+<param name="role_prefix">
+<summary>
+The prefix of the user role (e.g., user
+is the prefix for user_r).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</template>
+</module>
+<module name="sectoolm" filename="policy/modules/contrib/sectoolm.if">
+<summary>Sectool security audit tool</summary>
+</module>
+<module name="sendmail" filename="policy/modules/contrib/sendmail.if">
+<summary>Policy for sendmail.</summary>
+<interface name="sendmail_stub" lineno="13">
+<summary>
+Sendmail stub interface. No access allowed.
+</summary>
+<param name="domain" unused="true">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sendmail_rw_pipes" lineno="30">
+<summary>
+Allow attempts to read and write to
+sendmail unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sendmail_domtrans" lineno="48">
+<summary>
+Domain transition to sendmail.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="sendmail_run" lineno="76">
+<summary>
+Execute the sendmail program in the sendmail domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the sendmail domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="sendmail_signal" lineno="95">
+<summary>
+Send generic signals to sendmail.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sendmail_rw_tcp_sockets" lineno="113">
+<summary>
+Read and write sendmail TCP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sendmail_dontaudit_rw_tcp_sockets" lineno="132">
+<summary>
+Do not audit attempts to read and write
+sendmail TCP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="sendmail_rw_unix_stream_sockets" lineno="150">
+<summary>
+Read and write sendmail unix_stream_sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sendmail_dontaudit_rw_unix_stream_sockets" lineno="169">
+<summary>
+Do not audit attempts to read and write
+sendmail unix_stream_sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="sendmail_read_log" lineno="188">
+<summary>
+Read sendmail logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="sendmail_manage_log" lineno="208">
+<summary>
+Create, read, write, and delete sendmail logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="sendmail_create_log" lineno="227">
+<summary>
+Create sendmail logs with the correct type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sendmail_manage_tmp_files" lineno="245">
+<summary>
+Manage sendmail tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sendmail_domtrans_unconfined" lineno="264">
+<summary>
+Execute sendmail in the unconfined sendmail domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="sendmail_run_unconfined" lineno="290">
+<summary>
+Execute sendmail in the unconfined sendmail domain, and
+allow the specified role the unconfined sendmail domain,
+and use the caller's terminal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="setroubleshoot" filename="policy/modules/contrib/setroubleshoot.if">
+<summary>SELinux troubleshooting service</summary>
+<interface name="setroubleshoot_stream_connect" lineno="13">
+<summary>
+Connect to setroubleshootd over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="setroubleshoot_dontaudit_stream_connect" lineno="34">
+<summary>
+Dontaudit attempts to connect to setroubleshootd
+over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="setroubleshoot_dbus_chat" lineno="54">
+<summary>
+Send and receive messages from
+setroubleshoot over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="setroubleshoot_dontaudit_dbus_chat" lineno="75">
+<summary>
+Do not audit send and receive messages from
+setroubleshoot over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="setroubleshoot_dbus_chat_fixit" lineno="96">
+<summary>
+Send and receive messages from
+setroubleshoot fixit over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="setroubleshoot_admin" lineno="118">
+<summary>
+All of the rules required to administrate
+an setroubleshoot environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="shorewall" filename="policy/modules/contrib/shorewall.if">
+<summary>Shoreline Firewall high-level tool for configuring netfilter</summary>
+<interface name="shorewall_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run shorewall.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="shorewall_lib_domtrans" lineno="31">
+<summary>
+Execute a domain transition to run shorewall.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="shorewall_read_config" lineno="49">
+<summary>
+Read shorewall etc configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="shorewall_read_pid_files" lineno="68">
+<summary>
+Read shorewall PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="shorewall_rw_pid_files" lineno="87">
+<summary>
+Read and write shorewall PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="shorewall_read_lib_files" lineno="106">
+<summary>
+Read shorewall /var/lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="shorewall_rw_lib_files" lineno="126">
+<summary>
+Read and write shorewall /var/lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="shorewall_read_tmp_files" lineno="146">
+<summary>
+Read shorewall tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="shorewall_admin" lineno="172">
+<summary>
+All of the rules required to administrate
+an shorewall environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the syslog domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="shutdown" filename="policy/modules/contrib/shutdown.if">
+<summary>System shutdown command</summary>
+<interface name="shutdown_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run shutdown.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="shutdown_run" lineno="43">
+<summary>
+Execute shutdown in the shutdown domain, and
+allow the specified role the shutdown domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="shutdown_getattr_exec_files" lineno="62">
+<summary>
+Get attributes of shutdown executable.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="slocate" filename="policy/modules/contrib/slocate.if">
+<summary>Update database for mlocate</summary>
+<interface name="slocate_create_append_log" lineno="13">
+<summary>
+Create the locate log with append mode.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="locate_read_lib_files" lineno="33">
+<summary>
+Read locate lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="slrnpull" filename="policy/modules/contrib/slrnpull.if">
+<summary>Service for downloading news feeds the slrn newsreader.</summary>
+<interface name="slrnpull_search_spool" lineno="13">
+<summary>
+Allow the domain to search slrnpull spools.
+</summary>
+<param name="pty_type">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="slrnpull_manage_spool" lineno="33">
+<summary>
+Allow the domain to create, read,
+write, and delete slrnpull spools.
+</summary>
+<param name="pty_type">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="smartmon" filename="policy/modules/contrib/smartmon.if">
+<summary>Smart disk monitoring daemon policy</summary>
+<interface name="smartmon_read_tmp_files" lineno="13">
+<summary>
+Allow caller to read smartmon temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="smartmon_admin" lineno="38">
+<summary>
+All of the rules required to administrate
+an smartmon environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="smartmon_3ware" dftval="false">
+<desc>
+<p>
+Enable additional permissions needed to support
+devices on 3ware controllers.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="smokeping" filename="policy/modules/contrib/smokeping.if">
+<summary>Smokeping network latency measurement.</summary>
+<interface name="smokeping_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run smokeping.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="smokeping_initrc_domtrans" lineno="31">
+<summary>
+Execute smokeping server in the smokeping domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="smokeping_read_pid_files" lineno="49">
+<summary>
+Read smokeping PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="smokeping_manage_pid_files" lineno="68">
+<summary>
+Manage smokeping PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="smokeping_getattr_lib_files" lineno="87">
+<summary>
+Get attributes of smokeping lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="smokeping_read_lib_files" lineno="106">
+<summary>
+Read smokeping lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="smokeping_manage_lib_files" lineno="125">
+<summary>
+Manage smokeping lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="smokeping_admin" lineno="151">
+<summary>
+All of the rules required to administrate
+a smokeping environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="smoltclient" filename="policy/modules/contrib/smoltclient.if">
+<summary>The Fedora hardware profiler client</summary>
+</module>
+<module name="snmp" filename="policy/modules/contrib/snmp.if">
+<summary>Simple network management protocol services</summary>
+<interface name="snmp_stream_connect" lineno="13">
+<summary>
+Connect to snmpd using a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="snmp_tcp_connect" lineno="32">
+<summary>
+Use snmp over a TCP connection. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="snmp_udp_chat" lineno="46">
+<summary>
+Send and receive UDP traffic to SNMP (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="snmp_read_snmp_var_lib_files" lineno="60">
+<summary>
+Read snmpd libraries.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="snmp_dontaudit_read_snmp_var_lib_files" lineno="80">
+<summary>
+dontaudit Read snmpd libraries.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="snmp_dontaudit_write_snmp_var_lib_files" lineno="99">
+<summary>
+dontaudit write snmpd libraries files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="snmp_admin" lineno="124">
+<summary>
+All of the rules required to administrate
+an snmp environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the snmp domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="snort" filename="policy/modules/contrib/snort.if">
+<summary>Snort network intrusion detection system</summary>
+<interface name="snort_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run snort.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="snort_admin" lineno="38">
+<summary>
+All of the rules required to administrate
+an snort environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the snort domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="sosreport" filename="policy/modules/contrib/sosreport.if">
+<summary>sosreport - Generate debugging information for system</summary>
+<interface name="sosreport_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run sosreport.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="sosreport_run" lineno="37">
+<summary>
+Execute sosreport in the sosreport domain, and
+allow the specified role the sosreport domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sosreport_role" lineno="61">
+<summary>
+Role access for sosreport
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="sosreport_read_tmp_files" lineno="85">
+<summary>
+Allow the specified domain to read
+sosreport tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sosreport_append_tmp_files" lineno="104">
+<summary>
+Append sosreport tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sosreport_delete_tmp_files" lineno="122">
+<summary>
+Delete sosreport tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="soundserver" filename="policy/modules/contrib/soundserver.if">
+<summary>sound server for network audio server programs, nasd, yiff, etc</summary>
+<interface name="soundserver_tcp_connect" lineno="13">
+<summary>
+Connect to the sound server over a TCP socket (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="soundserver_admin" lineno="34">
+<summary>
+All of the rules required to administrate
+an soundd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the soundd domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="spamassassin" filename="policy/modules/contrib/spamassassin.if">
+<summary>Filter used for removing unsolicited email.</summary>
+<interface name="spamassassin_role" lineno="18">
+<summary>
+Role access for spamassassin
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="spamassassin_exec" lineno="52">
+<summary>
+Execute the standalone spamassassin
+program in the caller directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="spamassassin_signal_spamd" lineno="71">
+<summary>
+Singnal the spam assassin daemon
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="spamassassin_exec_spamd" lineno="90">
+<summary>
+Execute the spamassassin daemon
+program in the caller directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="spamassassin_domtrans_client" lineno="108">
+<summary>
+Execute spamassassin client in the spamassassin client domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="spamassassin_exec_client" lineno="127">
+<summary>
+Execute the spamassassin client
+program in the caller directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="spamassassin_domtrans_local_client" lineno="145">
+<summary>
+Execute spamassassin standalone client in the user spamassassin domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="spamassassin_read_lib_files" lineno="163">
+<summary>
+read spamd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="spamassassin_manage_lib_files" lineno="183">
+<summary>
+Create, read, write, and delete
+spamd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="spamassassin_read_spamd_tmp_files" lineno="202">
+<summary>
+Read temporary spamd file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="spamassassin_dontaudit_getattr_spamd_tmp_sockets" lineno="221">
+<summary>
+Do not audit attempts to get attributes of temporary
+spamd sockets/
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<tunable name="spamassassin_can_network" dftval="false">
+<desc>
+<p>
+Allow user spamassassin clients to use the network.
+</p>
+</desc>
+</tunable>
+<tunable name="spamd_enable_home_dirs" dftval="true">
+<desc>
+<p>
+Allow spamd to read/write user home directories.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="speedtouch" filename="policy/modules/contrib/speedtouch.if">
+<summary>Alcatel speedtouch USB ADSL modem</summary>
+</module>
+<module name="squid" filename="policy/modules/contrib/squid.if">
+<summary>Squid caching http proxy server</summary>
+<interface name="squid_domtrans" lineno="13">
+<summary>
+Execute squid in the squid domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="squid_exec" lineno="32">
+<summary>
+Execute squid
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="squid_signal" lineno="50">
+<summary>
+Send generic signals to squid.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="squid_rw_stream_sockets" lineno="69">
+<summary>
+Allow read and write squid
+unix domain stream sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="squid_dontaudit_search_cache" lineno="88">
+<summary>
+Do not audit attempts to search squid cache dirs
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="squid_read_config" lineno="107">
+<summary>
+Read squid configuration file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="squid_read_log" lineno="127">
+<summary>
+Append squid logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="squid_append_log" lineno="146">
+<summary>
+Append squid logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="squid_manage_logs" lineno="167">
+<summary>
+Create, read, write, and delete
+squid logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="squid_use" lineno="186">
+<summary>
+Use squid services by connecting over TCP. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="squid_admin" lineno="207">
+<summary>
+All of the rules required to administrate
+an squid environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the squid domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="squid_connect_any" dftval="false">
+<desc>
+<p>
+Allow squid to connect to all ports, not just
+HTTP, FTP, and Gopher ports.
+</p>
+</desc>
+</tunable>
+<tunable name="squid_use_tproxy" dftval="false">
+<desc>
+<p>
+Allow squid to run as a transparent proxy (TPROXY)
+</p>
+</desc>
+</tunable>
+</module>
+<module name="sssd" filename="policy/modules/contrib/sssd.if">
+<summary>System Security Services Daemon</summary>
+<interface name="sssd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run sssd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="sssd_initrc_domtrans" lineno="31">
+<summary>
+Execute sssd server in the sssd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="sssd_read_public_files" lineno="49">
+<summary>
+Read sssd public files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sssd_read_pid_files" lineno="68">
+<summary>
+Read sssd PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sssd_manage_pids" lineno="87">
+<summary>
+Manage sssd var_run files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sssd_search_lib" lineno="106">
+<summary>
+Search sssd lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sssd_dontaudit_search_lib" lineno="125">
+<summary>
+Do not audit attempts to search sssd lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="sssd_read_lib_files" lineno="144">
+<summary>
+Read sssd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sssd_manage_lib_files" lineno="164">
+<summary>
+Create, read, write, and delete
+sssd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sssd_dbus_chat" lineno="184">
+<summary>
+Send and receive messages from
+sssd over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sssd_stream_connect" lineno="204">
+<summary>
+Connect to sssd over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sssd_admin" lineno="235">
+<summary>
+All of the rules required to administrate
+an sssd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the sssd domain.
+</summary>
+</param>
+<param name="terminal">
+<summary>
+The type of the user terminal.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="stunnel" filename="policy/modules/contrib/stunnel.if">
+<summary>SSL Tunneling Proxy</summary>
+<interface name="stunnel_service_domain" lineno="18">
+<summary>
+Define the specified domain as a stunnel inetd service.
+</summary>
+<param name="domain">
+<summary>
+The type associated with the stunnel inetd service process.
+</summary>
+</param>
+<param name="entrypoint">
+<summary>
+The type associated with the process program.
+</summary>
+</param>
+</interface>
+</module>
+<module name="sxid" filename="policy/modules/contrib/sxid.if">
+<summary>SUID/SGID program monitoring</summary>
+<interface name="sxid_read_log" lineno="15">
+<summary>
+Allow the specified domain to read
+sxid log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="sysstat" filename="policy/modules/contrib/sysstat.if">
+<summary>Policy for sysstat. Reports on various system states</summary>
+<interface name="sysstat_manage_log" lineno="14">
+<summary>
+Manage sysstat logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="tcpd" filename="policy/modules/contrib/tcpd.if">
+<summary>Policy for TCP daemon.</summary>
+<interface name="tcpd_domtrans" lineno="13">
+<summary>
+Execute tcpd in the tcpd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="tcpd_wrapped_domain" lineno="37">
+<summary>
+Create a domain for services that
+utilize tcp wrappers.
+</summary>
+<param name="domain">
+<summary>
+Type to be used as a domain.
+</summary>
+</param>
+<param name="entry_point">
+<summary>
+Type of the program to be used as an entry point to this domain.
+</summary>
+</param>
+</interface>
+</module>
+<module name="tcsd" filename="policy/modules/contrib/tcsd.if">
+<summary>TSS Core Services (TCS) daemon (tcsd) policy</summary>
+<interface name="tcsd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run tcsd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="tcsd_initrc_domtrans" lineno="31">
+<summary>
+Execute tcsd server in the tcsd domain.
+</summary>
+<param name="domain">
+<summary>
+The type of the process performing this action.
+</summary>
+</param>
+</interface>
+<interface name="tcsd_search_lib" lineno="49">
+<summary>
+Search tcsd lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="tcsd_manage_lib_dirs" lineno="68">
+<summary>
+Manage tcsd lib dirs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="tcsd_read_lib_files" lineno="87">
+<summary>
+Read tcsd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="tcsd_manage_lib_files" lineno="107">
+<summary>
+Create, read, write, and delete
+tcsd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="tcsd_admin" lineno="133">
+<summary>
+All of the rules required to administrate
+an tcsd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="telepathy" filename="policy/modules/contrib/telepathy.if">
+<summary>Telepathy communications framework.</summary>
+<template name="telepathy_domain_template" lineno="15">
+<summary>
+Creates basic types for telepathy
+domain
+</summary>
+<param name="prefix">
+<summary>
+Prefix for the domain.
+</summary>
+</param>
+</template>
+<template name="telepathy_role" lineno="45">
+<summary>
+Role access for telepathy domains
+</summary>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</template>
+<interface name="telepathy_gabble_stream_connect" lineno="88">
+<summary>
+Stream connect to Telepathy Gabble
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="telepathy_gabble_dbus_chat" lineno="108">
+<summary>
+Send DBus messages to and from
+Telepathy Gabble.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="telepathy_mission_control_read_state" lineno="133">
+<summary>
+Read telepathy mission control state.
+</summary>
+<param name="role_prefix">
+<summary>
+Prefix to be used.
+</summary>
+</param>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="telepathy_msn_stream_connect" lineno="152">
+<summary>
+Stream connect to telepathy MSN managers
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="telepathy_salut_stream_connect" lineno="171">
+<summary>
+Stream connect to Telepathy Salut
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="telepathy_tcp_connect_generic_network_ports" dftval="false">
+<desc>
+<p>
+Allow the Telepathy connection managers
+to connect to any generic TCP port.
+</p>
+</desc>
+</tunable>
+<tunable name="telepathy_connect_all_ports" dftval="false">
+<desc>
+<p>
+Allow the Telepathy connection managers
+to connect to any network port.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="telnet" filename="policy/modules/contrib/telnet.if">
+<summary>Telnet daemon</summary>
+</module>
+<module name="tftp" filename="policy/modules/contrib/tftp.if">
+<summary>Trivial file transfer protocol daemon</summary>
+<interface name="tftp_read_content" lineno="13">
+<summary>
+Read tftp content
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="tftp_manage_rw_content" lineno="31">
+<summary>
+Manage tftp /var/lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="tftp_admin" lineno="53">
+<summary>
+All of the rules required to administrate
+an tftp environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="tftp_anon_write" dftval="false">
+<desc>
+<p>
+Allow tftp to modify public files
+used for public file transfer services.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="tgtd" filename="policy/modules/contrib/tgtd.if">
+<summary>Linux Target Framework Daemon.</summary>
+<desc>
+<p>
+Linux target framework (tgt) aims to simplify various
+SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
+and maintenance. Our key goals are the clean integration into
+the scsi-mid layer and implementing a great portion of tgt
+in user space.
+</p>
+</desc>
+<interface name="tgtd_rw_semaphores" lineno="22">
+<summary>
+Allow read and write access to tgtd semaphores.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="tgtd_manage_semaphores" lineno="40">
+<summary>
+Manage tgtd sempaphores.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="thunderbird" filename="policy/modules/contrib/thunderbird.if">
+<summary>Thunderbird email client</summary>
+<interface name="thunderbird_role" lineno="18">
+<summary>
+Role access for thunderbird
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="thunderbird_domtrans" lineno="57">
+<summary>
+Run thunderbird in the user thunderbird domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="timidity" filename="policy/modules/contrib/timidity.if">
+<summary>MIDI to WAV converter and player configured as a service</summary>
+</module>
+<module name="tmpreaper" filename="policy/modules/contrib/tmpreaper.if">
+<summary>Manage temporary directory sizes and file ages</summary>
+<interface name="tmpreaper_exec" lineno="13">
+<summary>
+Execute tmpreaper in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="tor" filename="policy/modules/contrib/tor.if">
+<summary>TOR, the onion router</summary>
+<interface name="tor_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run TOR.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="tor_admin" lineno="38">
+<summary>
+All of the rules required to administrate
+an tor environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the tor domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="tor_bind_all_unreserved_ports" dftval="false">
+<desc>
+<p>
+Allow tor daemon to bind
+tcp sockets to all unreserved ports.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="transproxy" filename="policy/modules/contrib/transproxy.if">
+<summary>HTTP transperant proxy</summary>
+</module>
+<module name="tripwire" filename="policy/modules/contrib/tripwire.if">
+<summary>Tripwire file integrity checker.</summary>
+<desc>
+<p>
+Tripwire file integrity checker.
+</p>
+<p>
+NOTE: Tripwire creates temp file in its current working directory.
+This policy does not allow write access to home directories, so
+users will need to either cd to a directory where they have write
+permission, or set the TEMPDIRECTORY variable in the tripwire config
+file. The latter is preferable, as then the file_type_auto_trans
+rules will kick in and label the files as private to tripwire.
+</p>
+</desc>
+<interface name="tripwire_domtrans_tripwire" lineno="26">
+<summary>
+Execute tripwire in the tripwire domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="tripwire_run_tripwire" lineno="51">
+<summary>
+Execute tripwire in the tripwire domain, and
+allow the specified role the tripwire domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="tripwire_domtrans_twadmin" lineno="70">
+<summary>
+Execute twadmin in the twadmin domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="tripwire_run_twadmin" lineno="95">
+<summary>
+Execute twadmin in the twadmin domain, and
+allow the specified role the twadmin domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="tripwire_domtrans_twprint" lineno="114">
+<summary>
+Execute twprint in the twprint domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="tripwire_run_twprint" lineno="139">
+<summary>
+Execute twprint in the twprint domain, and
+allow the specified role the twprint domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="tripwire_domtrans_siggen" lineno="158">
+<summary>
+Execute siggen in the siggen domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="tripwire_run_siggen" lineno="183">
+<summary>
+Execute siggen in the siggen domain, and
+allow the specified role the siggen domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="tuned" filename="policy/modules/contrib/tuned.if">
+<summary>Dynamic adaptive system tuning daemon</summary>
+<interface name="tuned_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run tuned.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="tuned_exec" lineno="31">
+<summary>
+Execute tuned in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="tuned_read_pid_files" lineno="50">
+<summary>
+Read tuned PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="tuned_manage_pid_files" lineno="69">
+<summary>
+Manage tuned PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="tuned_initrc_domtrans" lineno="88">
+<summary>
+Execute tuned server in the tuned domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="tuned_admin" lineno="113">
+<summary>
+All of the rules required to administrate
+an tuned environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="tvtime" filename="policy/modules/contrib/tvtime.if">
+<summary> tvtime - a high quality television application </summary>
+<interface name="tvtime_role" lineno="18">
+<summary>
+Role access for tvtime
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+</module>
+<module name="tzdata" filename="policy/modules/contrib/tzdata.if">
+<summary>Time zone updater</summary>
+<interface name="tzdata_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run tzdata.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="tzdata_run" lineno="38">
+<summary>
+Execute the tzdata program in the tzdata domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the tzdata domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="ucspitcp" filename="policy/modules/contrib/ucspitcp.if">
+<summary>ucspitcp policy</summary>
+<desc>
+<p>
+Policy for DJB's ucspi-tcpd
+</p>
+</desc>
+<interface name="ucspitcp_service_domain" lineno="23">
+<summary>
+Define a specified domain as a ucspitcp service.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="entrypoint">
+<summary>
+The type associated with the process program.
+</summary>
+</param>
+</interface>
+</module>
+<module name="ulogd" filename="policy/modules/contrib/ulogd.if">
+<summary>Iptables/netfilter userspace logging daemon.</summary>
+<interface name="ulogd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run ulogd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ulogd_read_config" lineno="33">
+<summary>
+Allow the specified domain to read
+ulogd configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="ulogd_read_log" lineno="53">
+<summary>
+Allow the specified domain to read ulogd's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="ulogd_search_log" lineno="73">
+<summary>
+Allow the specified domain to search ulogd's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ulogd_append_log" lineno="93">
+<summary>
+Allow the specified domain to append to ulogd's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="ulogd_admin" lineno="120">
+<summary>
+All of the rules required to administrate
+an ulogd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the syslog domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="uml" filename="policy/modules/contrib/uml.if">
+<summary>Policy for UML</summary>
+<interface name="uml_role" lineno="18">
+<summary>
+Role access for uml
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="uml_setattr_util_sockets" lineno="74">
+<summary>
+Set attributes on uml utility socket files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="uml_manage_util_files" lineno="92">
+<summary>
+Manage uml utility files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="updfstab" filename="policy/modules/contrib/updfstab.if">
+<summary>Red Hat utility to change /etc/fstab.</summary>
+<interface name="updfstab_domtrans" lineno="13">
+<summary>
+Execute updfstab in the updfstab domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="uptime" filename="policy/modules/contrib/uptime.if">
+<summary>Uptime daemon</summary>
+</module>
+<module name="usbmodules" filename="policy/modules/contrib/usbmodules.if">
+<summary>List kernel modules of USB devices</summary>
+<interface name="usbmodules_domtrans" lineno="13">
+<summary>
+Execute usbmodules in the usbmodules domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="usbmodules_run" lineno="39">
+<summary>
+Execute usbmodules in the usbmodules domain, and
+allow the specified role the usbmodules domain,
+and use the caller's terminal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="usbmuxd" filename="policy/modules/contrib/usbmuxd.if">
+<summary>USB multiplexing daemon for communicating with Apple iPod Touch and iPhone</summary>
+<interface name="usbmuxd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run usbmuxd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="usbmuxd_stream_connect" lineno="32">
+<summary>
+Connect to usbmuxd over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="userhelper" filename="policy/modules/contrib/userhelper.if">
+<summary>SELinux utility to run a shell with a new role</summary>
+<template name="userhelper_role_template" lineno="24">
+<summary>
+The role template for the userhelper module.
+</summary>
+<param name="userrole_prefix">
+<summary>
+The prefix of the user role (e.g., user
+is the prefix for user_r).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The user role.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The user domain associated with the role.
+</summary>
+</param>
+</template>
+<interface name="userhelper_search_config" lineno="178">
+<summary>
+Search the userhelper configuration directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userhelper_dontaudit_search_config" lineno="197">
+<summary>
+Do not audit attempts to search
+the userhelper configuration directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userhelper_use_fd" lineno="215">
+<summary>
+Allow domain to use userhelper file descriptor.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userhelper_sigchld" lineno="233">
+<summary>
+Allow domain to send sigchld to userhelper.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userhelper_exec" lineno="251">
+<summary>
+Execute the userhelper program in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="usernetctl" filename="policy/modules/contrib/usernetctl.if">
+<summary>User network interface configuration helper</summary>
+<interface name="usernetctl_domtrans" lineno="13">
+<summary>
+Execute usernetctl in the usernetctl domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="usernetctl_run" lineno="38">
+<summary>
+Execute usernetctl in the usernetctl domain, and
+allow the specified role the usernetctl domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="uucp" filename="policy/modules/contrib/uucp.if">
+<summary>Unix to Unix Copy</summary>
+<interface name="uucp_domtrans" lineno="14">
+<summary>
+Execute the uucico program in the
+uucpd_t domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="uucp_append_log" lineno="33">
+<summary>
+Allow the specified domain to append
+to uucp log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="uucp_manage_spool" lineno="53">
+<summary>
+Create, read, write, and delete uucp spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="uucp_domtrans_uux" lineno="75">
+<summary>
+Execute the master uux program in the
+uux_t domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="uucp_admin" lineno="95">
+<summary>
+All of the rules required to administrate
+an uucp environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="uuidd" filename="policy/modules/contrib/uuidd.if">
+<summary>policy for uuidd</summary>
+<interface name="uuidd_domtrans" lineno="13">
+<summary>
+Transition to uuidd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="uuidd_initrc_domtrans" lineno="32">
+<summary>
+Execute uuidd server in the uuidd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="uuidd_search_lib" lineno="50">
+<summary>
+Search uuidd lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="uuidd_read_lib_files" lineno="69">
+<summary>
+Read uuidd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="uuidd_manage_lib_files" lineno="88">
+<summary>
+Manage uuidd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="uuidd_manage_lib_dirs" lineno="107">
+<summary>
+Manage uuidd lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="uuidd_read_pid_files" lineno="126">
+<summary>
+Read uuidd PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="uuidd_stream_connect_manager" lineno="145">
+<summary>
+Connect to uuidd over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="uuidd_admin" lineno="171">
+<summary>
+All of the rules required to administrate
+an uuidd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="uwimap" filename="policy/modules/contrib/uwimap.if">
+<summary>University of Washington IMAP toolkit POP3 and IMAP mail server</summary>
+<interface name="uwimap_domtrans" lineno="13">
+<summary>
+Execute the UW IMAP/POP3 servers with a domain transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="varnishd" filename="policy/modules/contrib/varnishd.if">
+<summary>Varnishd http accelerator daemon</summary>
+<interface name="varnishd_domtrans" lineno="13">
+<summary>
+Execute varnishd in the varnishd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="varnishd_exec" lineno="32">
+<summary>
+Execute varnishd
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="varnishd_read_config" lineno="50">
+<summary>
+Read varnishd configuration file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="varnishd_read_lib_files" lineno="69">
+<summary>
+Read varnish lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="varnishd_read_log" lineno="88">
+<summary>
+Read varnish logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="varnishd_append_log" lineno="107">
+<summary>
+Append varnish logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="varnishd_manage_log" lineno="126">
+<summary>
+Manage varnish logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="varnishd_admin_varnishlog" lineno="152">
+<summary>
+All of the rules required to administrate
+an varnishlog environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the varnishlog domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="varnishd_admin" lineno="190">
+<summary>
+All of the rules required to administrate
+an varnishd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the varnishd domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="varnishd_connect_any" dftval="false">
+<desc>
+<p>
+Allow varnishd to connect to all ports,
+not just HTTP.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="vbetool" filename="policy/modules/contrib/vbetool.if">
+<summary>run real-mode video BIOS code to alter hardware state</summary>
+<interface name="vbetool_domtrans" lineno="13">
+<summary>
+Execute vbetool application in the vbetool domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="vbetool_run" lineno="38">
+<summary>
+Execute vbetool in the vbetool domain, and
+allow the specified role the vbetool domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="vbetool_mmap_zero_ignore" dftval="false">
+<desc>
+<p>
+Ignore vbetool mmap_zero errors.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="vdagent" filename="policy/modules/contrib/vdagent.if">
+<summary>policy for vdagent</summary>
+<interface name="vdagent_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run vdagent.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vdagent_getattr_exec_files" lineno="31">
+<summary>
+Getattr on vdagent executable.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vdagent_getattr_log" lineno="49">
+<summary>
+Get the attributes of vdagent logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vdagent_read_pid_files" lineno="68">
+<summary>
+Read vdagent PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vdagent_stream_connect" lineno="88">
+<summary>
+Connect to vdagent over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vdagent_admin" lineno="114">
+<summary>
+All of the rules required to administrate
+an vdagent environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="vhostmd" filename="policy/modules/contrib/vhostmd.if">
+<summary>Virtual host metrics daemon</summary>
+<interface name="vhostmd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run vhostmd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="vhostmd_initrc_domtrans" lineno="31">
+<summary>
+Execute vhostmd server in the vhostmd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="vhostmd_read_tmpfs_files" lineno="49">
+<summary>
+Allow domain to read, vhostmd tmpfs files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vhostmd_dontaudit_read_tmpfs_files" lineno="69">
+<summary>
+Do not audit attempts to read,
+vhostmd tmpfs files
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="vhostmd_rw_tmpfs_files" lineno="87">
+<summary>
+Allow domain to read and write vhostmd tmpfs files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vhostmd_manage_tmpfs_files" lineno="106">
+<summary>
+Create, read, write, and delete vhostmd tmpfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vhostmd_read_pid_files" lineno="125">
+<summary>
+Read vhostmd PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vhostmd_manage_pid_files" lineno="144">
+<summary>
+Manage vhostmd var_run files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vhostmd_stream_connect" lineno="162">
+<summary>
+Connect to vhostmd over an unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vhostmd_dontaudit_rw_stream_connect" lineno="182">
+<summary>
+Dontaudit read and write to vhostmd
+over an unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="vhostmd_admin" lineno="207">
+<summary>
+All of the rules required to administrate
+an vhostmd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="virt" filename="policy/modules/contrib/virt.if">
+<summary>Libvirt virtualization API</summary>
+<template name="virt_domain_template" lineno="14">
+<summary>
+Creates types and rules for a basic
+qemu process domain.
+</summary>
+<param name="prefix">
+<summary>
+Prefix for the domain.
+</summary>
+</param>
+</template>
+<interface name="virt_image" lineno="87">
+<summary>
+Make the specified type usable as a virt image
+</summary>
+<param name="type">
+<summary>
+Type to be used as a virtual image
+</summary>
+</param>
+</interface>
+<interface name="virt_domtrans" lineno="109">
+<summary>
+Execute a domain transition to run virt.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="virt_stream_connect" lineno="127">
+<summary>
+Connect to virt over an unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_attach_tun_iface" lineno="146">
+<summary>
+Allow domain to attach to virt TUN devices
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_read_config" lineno="165">
+<summary>
+Read virt config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_manage_config" lineno="186">
+<summary>
+manage virt config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_read_content" lineno="207">
+<summary>
+Allow domain to manage virt image files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_read_pid_files" lineno="242">
+<summary>
+Read virt PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_manage_pid_files" lineno="261">
+<summary>
+Manage virt pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_search_lib" lineno="280">
+<summary>
+Search virt lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_read_lib_files" lineno="299">
+<summary>
+Read virt lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_manage_lib_files" lineno="320">
+<summary>
+Create, read, write, and delete
+virt lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_read_log" lineno="340">
+<summary>
+Allow the specified domain to read virt's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="virt_append_log" lineno="360">
+<summary>
+Allow the specified domain to append
+virt log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_manage_log" lineno="379">
+<summary>
+Allow domain to manage virt log files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_read_images" lineno="399">
+<summary>
+Allow domain to read virt image files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_manage_svirt_cache" lineno="436">
+<summary>
+Create, read, write, and delete
+svirt cache files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_manage_images" lineno="457">
+<summary>
+Allow domain to manage virt image files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="virt_admin" lineno="500">
+<summary>
+All of the rules required to administrate
+an virt environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="virt_use_comm" dftval="false">
+<desc>
+<p>
+Allow virt to use serial/parallell communication ports
+</p>
+</desc>
+</tunable>
+<tunable name="virt_use_fusefs" dftval="false">
+<desc>
+<p>
+Allow virt to read fuse files
+</p>
+</desc>
+</tunable>
+<tunable name="virt_use_nfs" dftval="false">
+<desc>
+<p>
+Allow virt to manage nfs files
+</p>
+</desc>
+</tunable>
+<tunable name="virt_use_samba" dftval="false">
+<desc>
+<p>
+Allow virt to manage cifs files
+</p>
+</desc>
+</tunable>
+<tunable name="virt_use_sysfs" dftval="false">
+<desc>
+<p>
+Allow virt to manage device configuration, (pci)
+</p>
+</desc>
+</tunable>
+<tunable name="virt_use_usb" dftval="true">
+<desc>
+<p>
+Allow virt to use usb devices
+</p>
+</desc>
+</tunable>
+</module>
+<module name="vlock" filename="policy/modules/contrib/vlock.if">
+<summary>Lock one or more sessions on the Linux console.</summary>
+<interface name="vlock_domtrans" lineno="13">
+<summary>
+Execute vlock in the vlock domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="vlock_run" lineno="39">
+<summary>
+Execute vlock in the vlock domain, and
+allow the specified role the vlock domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed to access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="vmware" filename="policy/modules/contrib/vmware.if">
+<summary>VMWare Workstation virtual machines</summary>
+<interface name="vmware_role" lineno="18">
+<summary>
+Role access for vmware
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="vmware_exec_host" lineno="43">
+<summary>
+Execute vmware host executables
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vmware_read_system_config" lineno="61">
+<summary>
+Read VMWare system configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vmware_append_system_config" lineno="79">
+<summary>
+Append to VMWare system configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vmware_append_log" lineno="97">
+<summary>
+Append to VMWare log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="vnstatd" filename="policy/modules/contrib/vnstatd.if">
+<summary>Console network traffic monitor.</summary>
+<interface name="vnstatd_domtrans_vnstat" lineno="13">
+<summary>
+Execute a domain transition to run vnstat.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="vnstatd_domtrans" lineno="31">
+<summary>
+Execute a domain transition to run vnstatd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="vnstatd_search_lib" lineno="49">
+<summary>
+Search vnstatd lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vnstatd_manage_lib_dirs" lineno="68">
+<summary>
+Manage vnstatd lib dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vnstatd_read_lib_files" lineno="87">
+<summary>
+Read vnstatd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vnstatd_manage_lib_files" lineno="107">
+<summary>
+Create, read, write, and delete
+vnstatd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vnstatd_admin" lineno="133">
+<summary>
+All of the rules required to administrate
+an vnstatd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="vpn" filename="policy/modules/contrib/vpn.if">
+<summary>Virtual Private Networking client</summary>
+<interface name="vpn_domtrans" lineno="13">
+<summary>
+Execute VPN clients in the vpnc domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="vpn_run" lineno="38">
+<summary>
+Execute VPN clients in the vpnc domain, and
+allow the specified role the vpnc domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="vpn_kill" lineno="57">
+<summary>
+Send VPN clients the kill signal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vpn_signal" lineno="75">
+<summary>
+Send generic signals to VPN clients.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vpn_signull" lineno="93">
+<summary>
+Send signull to VPN clients.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vpn_dbus_chat" lineno="112">
+<summary>
+Send and receive messages from
+Vpnc over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vpn_relabelfrom_tun_socket" lineno="132">
+<summary>
+Relabelfrom from vpnc socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="w3c" filename="policy/modules/contrib/w3c.if">
+<summary>W3C Markup Validator</summary>
+</module>
+<module name="watchdog" filename="policy/modules/contrib/watchdog.if">
+<summary>Software watchdog</summary>
+</module>
+<module name="webadm" filename="policy/modules/contrib/webadm.if">
+<summary>Web administrator role</summary>
+<interface name="webadm_role_change" lineno="14">
+<summary>
+Change to the web administrator role.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="webadm_role_change_to" lineno="44">
+<summary>
+Change from the web administrator role.
+</summary>
+<desc>
+<p>
+Change from the web administrator role to
+the specified role.
+</p>
+<p>
+This is an interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="webadm_manage_user_files" dftval="false">
+<desc>
+<p>
+Allow webadm to manage files in users home directories
+</p>
+</desc>
+</tunable>
+<tunable name="webadm_read_user_files" dftval="false">
+<desc>
+<p>
+Allow webadm to read files in users home directories
+</p>
+</desc>
+</tunable>
+</module>
+<module name="webalizer" filename="policy/modules/contrib/webalizer.if">
+<summary>Web server log analysis</summary>
+<interface name="webalizer_domtrans" lineno="13">
+<summary>
+Execute webalizer in the webalizer domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="webalizer_run" lineno="38">
+<summary>
+Execute webalizer in the webalizer domain, and
+allow the specified role the webalizer domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="wine" filename="policy/modules/contrib/wine.if">
+<summary>Wine Is Not an Emulator. Run Windows programs in Linux.</summary>
+<template name="wine_role" lineno="30">
+<summary>
+The per role template for the wine module.
+</summary>
+<desc>
+<p>
+This template creates a derived domains which are used
+for wine applications.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+</template>
+<template name="wine_role_template" lineno="87">
+<summary>
+The role template for the wine module.
+</summary>
+<desc>
+<p>
+This template creates a derived domains which are used
+for wine applications.
+</p>
+</desc>
+<param name="role_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</template>
+<interface name="wine_domtrans" lineno="127">
+<summary>
+Execute the wine program in the wine domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="wine_run" lineno="152">
+<summary>
+Execute wine in the wine domain, and
+allow the specified role the wine domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="wine_rw_shm" lineno="172">
+<summary>
+Read and write wine Shared
+memory segments.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="wine_mmap_zero_ignore" dftval="false">
+<desc>
+<p>
+Ignore wine mmap_zero errors.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="wireshark" filename="policy/modules/contrib/wireshark.if">
+<summary>Wireshark packet capture tool.</summary>
+<interface name="wireshark_role" lineno="18">
+<summary>
+Role access for wireshark
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="wireshark_domtrans" lineno="49">
+<summary>
+Run wireshark in wireshark domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="wm" filename="policy/modules/contrib/wm.if">
+<summary>X Window Managers</summary>
+<template name="wm_role_template" lineno="30">
+<summary>
+The role template for the wm module.
+</summary>
+<desc>
+<p>
+This template creates a derived domains which are used
+for window manager applications.
+</p>
+</desc>
+<param name="role_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</template>
+<interface name="wm_exec" lineno="105">
+<summary>
+Execute the wm program in the wm domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="xen" filename="policy/modules/contrib/xen.if">
+<summary>Xen hypervisor</summary>
+<interface name="xen_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run xend.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="xen_use_fds" lineno="31">
+<summary>
+Inherit and use xen file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xen_dontaudit_use_fds" lineno="50">
+<summary>
+Do not audit attempts to inherit
+xen file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="xen_read_image_files" lineno="68">
+<summary>
+Read xend image files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xen_rw_image_files" lineno="90">
+<summary>
+Allow the specified domain to read/write
+xend image files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xen_append_log" lineno="111">
+<summary>
+Allow the specified domain to append
+xend log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xen_manage_log" lineno="132">
+<summary>
+Create, read, write, and delete the
+xend log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xen_dontaudit_rw_unix_stream_sockets" lineno="154">
+<summary>
+Do not audit attempts to read and write
+Xen unix domain stream sockets. These
+are leaked file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="xen_stream_connect_xenstore" lineno="172">
+<summary>
+Connect to xenstored over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xen_stream_connect" lineno="191">
+<summary>
+Connect to xend over an unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xen_domtrans_xm" lineno="213">
+<summary>
+Execute a domain transition to run xm.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="xen_stream_connect_xm" lineno="231">
+<summary>
+Connect to xm over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="xend_run_blktap" dftval="true">
+<desc>
+<p>
+Allow xend to run blktapctrl/tapdisk.
+Not required if using dedicated logical volumes for disk images.
+</p>
+</desc>
+</tunable>
+<tunable name="xend_run_qemu" dftval="true">
+<desc>
+<p>
+Allow xend to run qemu-dm.
+Not required if using paravirt and no vfb.
+</p>
+</desc>
+</tunable>
+<tunable name="xen_use_nfs" dftval="false">
+<desc>
+<p>
+Allow xen to manage nfs files
+</p>
+</desc>
+</tunable>
+</module>
+<module name="xfs" filename="policy/modules/contrib/xfs.if">
+<summary>X Windows Font Server </summary>
+<interface name="xfs_read_sockets" lineno="13">
+<summary>
+Read a X font server named socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xfs_stream_connect" lineno="33">
+<summary>
+Connect to a X font server over
+a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xfs_exec" lineno="53">
+<summary>
+Allow the specified domain to execute xfs
+in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="xguest" filename="policy/modules/contrib/xguest.if">
+<summary>Least privledge xwindows user role</summary>
+<interface name="xguest_role_change" lineno="14">
+<summary>
+Change to the xguest role.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="xguest_role_change_to" lineno="44">
+<summary>
+Change from the xguest role.
+</summary>
+<desc>
+<p>
+Change from the xguest role to
+the specified role.
+</p>
+<p>
+This is an interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="xguest_mount_media" dftval="true">
+<desc>
+<p>
+Allow xguest users to mount removable media
+</p>
+</desc>
+</tunable>
+<tunable name="xguest_connect_network" dftval="true">
+<desc>
+<p>
+Allow xguest to configure Network Manager
+</p>
+</desc>
+</tunable>
+<tunable name="xguest_use_bluetooth" dftval="true">
+<desc>
+<p>
+Allow xguest to use blue tooth devices
+</p>
+</desc>
+</tunable>
+</module>
+<module name="xprint" filename="policy/modules/contrib/xprint.if">
+<summary>X print server</summary>
+</module>
+<module name="xscreensaver" filename="policy/modules/contrib/xscreensaver.if">
+<summary>X Screensaver</summary>
+<interface name="xscreensaver_role" lineno="18">
+<summary>
+Role access for xscreensaver
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+</module>
+<module name="yam" filename="policy/modules/contrib/yam.if">
+<summary>Yum/Apt Mirroring</summary>
+<interface name="yam_domtrans" lineno="13">
+<summary>
+Execute yam in the yam domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="yam_run" lineno="39">
+<summary>
+Execute yam in the yam domain, and
+allow the specified role the yam domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="yam_read_content" lineno="58">
+<summary>
+Read yam content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="zabbix" filename="policy/modules/contrib/zabbix.if">
+<summary>Distributed infrastructure monitoring</summary>
+<interface name="zabbix_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run zabbix.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="zabbix_tcp_connect" lineno="31">
+<summary>
+Allow connectivity to the zabbix server
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="zabbix_read_log" lineno="53">
+<summary>
+Allow the specified domain to read zabbix's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="zabbix_append_log" lineno="73">
+<summary>
+Allow the specified domain to append
+zabbix log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="zabbix_read_pid_files" lineno="92">
+<summary>
+Read zabbix PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="zabbix_agent_tcp_connect" lineno="111">
+<summary>
+Allow connectivity to a zabbix agent
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="zabbix_admin" lineno="139">
+<summary>
+All of the rules required to administrate
+an zabbix environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the zabbix domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="zarafa" filename="policy/modules/contrib/zarafa.if">
+<summary>Zarafa collaboration platform.</summary>
+<template name="zarafa_domain_template" lineno="14">
+<summary>
+Creates types and rules for a basic
+zararfa init daemon domain.
+</summary>
+<param name="prefix">
+<summary>
+Prefix for the domain.
+</summary>
+</param>
+</template>
+<interface name="zarafa_search_config" lineno="58">
+<summary>
+Allow the specified domain to search
+zarafa configuration dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="zarafa_domtrans_deliver" lineno="77">
+<summary>
+Execute a domain transition to run zarafa_deliver.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="zarafa_domtrans_server" lineno="95">
+<summary>
+Execute a domain transition to run zarafa_server.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="zarafa_stream_connect_server" lineno="113">
+<summary>
+Connect to zarafa-server unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="zebra" filename="policy/modules/contrib/zebra.if">
+<summary>Zebra border gateway protocol network routing service</summary>
+<interface name="zebra_read_config" lineno="14">
+<summary>
+Read the configuration files for zebra.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="zebra_stream_connect" lineno="35">
+<summary>
+Connect to zebra over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="zebra_admin" lineno="62">
+<summary>
+All of the rules required to administrate
+an zebra environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the zebra domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="allow_zebra_write_config" dftval="false">
+<desc>
+<p>
+Allow zebra daemon to write it configuration files
+</p>
+</desc>
+</tunable>
+</module>
+<module name="zosremote" filename="policy/modules/contrib/zosremote.if">
+<summary>policy for z/OS Remote-services Audit dispatcher plugin</summary>
+<interface name="zosremote_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run audispd-zos-remote.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="zosremote_run" lineno="38">
+<summary>
+Allow specified type and role to transition and
+run in the zos_remote_t domain. Allow specified type
+to use zos_remote_t terminal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+</module>
+</layer>
+<layer name="kernel">
+<summary>Policy modules for kernel resources.</summary>
+<module name="corecommands" filename="policy/modules/kernel/corecommands.if">
+<summary>
+Core policy for shells, and generic programs
+in /bin, /sbin, /usr/bin, and /usr/sbin.
+</summary>
+<required val="true">
+Contains the base bin and sbin directory types
+which need to be searched for the kernel to
+run init.
+</required>
+<interface name="corecmd_executable_file" lineno="23">
+<summary>
+Make the specified type usable for files
+that are exectuables, such as binary programs.
+This does not include shared libraries.
+</summary>
+<param name="type">
+<summary>
+Type to be used for files.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_bin_alias" lineno="53">
+<summary>
+Create a aliased type to generic bin files. (Deprecated)
+</summary>
+<desc>
+<p>
+Create a aliased type to generic bin files. (Deprecated)
+</p>
+<p>
+This is added to support targeted policy. Its
+use should be limited. It has no effect
+on the strict policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Alias type for bin_t.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_bin_entry_type" lineno="68">
+<summary>
+Make general progams in bin an entrypoint for
+the specified domain.
+</summary>
+<param name="domain">
+<summary>
+The domain for which bin_t is an entrypoint.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_sbin_entry_type" lineno="87">
+<summary>
+Make general progams in sbin an entrypoint for
+the specified domain. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+The domain for which sbin programs are an entrypoint.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_shell_entry_type" lineno="102">
+<summary>
+Make the shell an entrypoint for the specified domain.
+</summary>
+<param name="domain">
+<summary>
+The domain for which the shell is an entrypoint.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_search_bin" lineno="120">
+<summary>
+Search the contents of bin directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_dontaudit_search_bin" lineno="138">
+<summary>
+Do not audit attempts to search the contents of bin directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_list_bin" lineno="156">
+<summary>
+List the contents of bin directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_dontaudit_write_bin_dirs" lineno="174">
+<summary>
+Do not audit attempts to write bin directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_getattr_bin_files" lineno="192">
+<summary>
+Get the attributes of files in bin directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_dontaudit_getattr_bin_files" lineno="210">
+<summary>
+Get the attributes of files in bin directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_read_bin_files" lineno="229">
+<summary>
+Read files in bin directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_dontaudit_write_bin_files" lineno="247">
+<summary>
+Do not audit attempts to write bin files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_read_bin_symlinks" lineno="265">
+<summary>
+Read symbolic links in bin directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_read_bin_pipes" lineno="283">
+<summary>
+Read pipes in bin directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_read_bin_sockets" lineno="301">
+<summary>
+Read named sockets in bin directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_exec_bin" lineno="340">
+<summary>
+Execute generic programs in bin directories,
+in the caller domain.
+</summary>
+<desc>
+<p>
+Allow the specified domain to execute generic programs
+in system bin directories (/bin, /sbin, /usr/bin,
+/usr/sbin) a without domain transition.
+</p>
+<p>
+Typically, this interface should be used when the domain
+executes general system progams within the privileges
+of the source domain. Some examples of these programs
+are ls, cp, sed, python, and tar. This does not include
+shells, such as bash.
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corecmd_exec_shell()</li>
+</ul>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_manage_bin_files" lineno="360">
+<summary>
+Create, read, write, and delete bin files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_relabel_bin_files" lineno="378">
+<summary>
+Relabel to and from the bin type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_mmap_bin_files" lineno="396">
+<summary>
+Mmap a bin file as executable.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_bin_spec_domtrans" lineno="440">
+<summary>
+Execute a file in a bin directory
+in the specified domain but do not
+do it automatically. This is an explicit
+transition, requiring the caller to use setexeccon().
+</summary>
+<desc>
+<p>
+Execute a file in a bin directory
+in the specified domain. This allows
+the specified domain to execute any file
+on these filesystems in the specified
+domain. This is not suggested.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+<p>
+This interface was added to handle
+the userhelper policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the new process.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_bin_domtrans" lineno="483">
+<summary>
+Execute a file in a bin directory
+in the specified domain.
+</summary>
+<desc>
+<p>
+Execute a file in a bin directory
+in the specified domain. This allows
+the specified domain to execute any file
+on these filesystems in the specified
+domain. This is not suggested.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+<p>
+This interface was added to handle
+the ssh-agent policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the new process.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_search_sbin" lineno="502">
+<summary>
+Search the contents of sbin directories. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_dontaudit_search_sbin" lineno="518">
+<summary>
+Do not audit attempts to search
+sbin directories. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_list_sbin" lineno="533">
+<summary>
+List the contents of sbin directories. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_dontaudit_write_sbin_dirs" lineno="549">
+<summary>
+Do not audit attempts to write
+sbin directories. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_getattr_sbin_files" lineno="564">
+<summary>
+Get the attributes of sbin files. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_dontaudit_getattr_sbin_files" lineno="580">
+<summary>
+Do not audit attempts to get the attibutes
+of sbin files. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_read_sbin_files" lineno="595">
+<summary>
+Read files in sbin directories. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_read_sbin_symlinks" lineno="610">
+<summary>
+Read symbolic links in sbin directories. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_read_sbin_pipes" lineno="625">
+<summary>
+Read named pipes in sbin directories. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_read_sbin_sockets" lineno="640">
+<summary>
+Read named sockets in sbin directories. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_exec_sbin" lineno="656">
+<summary>
+Execute generic programs in sbin directories,
+in the caller domain. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_manage_sbin_files" lineno="672">
+<summary>
+Create, read, write, and delete sbin files. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_relabel_sbin_files" lineno="688">
+<summary>
+Relabel to and from the sbin type. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_mmap_sbin_files" lineno="704">
+<summary>
+Mmap a sbin file as executable. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_sbin_domtrans" lineno="743">
+<summary>
+Execute a file in a sbin directory
+in the specified domain. (Deprecated)
+</summary>
+<desc>
+<p>
+Execute a file in a sbin directory
+in the specified domain. This allows
+the specified domain to execute any file
+on these filesystems in the specified
+domain. This is not suggested. (Deprecated)
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+<p>
+This interface was added to handle
+the ssh-agent policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the new process.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_sbin_spec_domtrans" lineno="784">
+<summary>
+Execute a file in a sbin directory
+in the specified domain but do not
+do it automatically. This is an explicit
+transition, requiring the caller to use setexeccon(). (Deprecated)
+</summary>
+<desc>
+<p>
+Execute a file in a sbin directory
+in the specified domain. This allows
+the specified domain to execute any file
+on these filesystems in the specified
+domain. This is not suggested. (Deprecated)
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+<p>
+This interface was added to handle
+the userhelper policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the new process.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_check_exec_shell" lineno="799">
+<summary>
+Check if a shell is executable (DAC-wise).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_exec_shell" lineno="837">
+<summary>
+Execute shells in the caller domain.
+</summary>
+<desc>
+<p>
+Allow the specified domain to execute shells without
+a domain transition.
+</p>
+<p>
+Typically, this interface should be used when the domain
+executes shells within the privileges
+of the source domain. Some examples of these programs
+are bash, tcsh, and zsh.
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corecmd_exec_bin()</li>
+</ul>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_exec_ls" lineno="857">
+<summary>
+Execute ls in the caller domain. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_shell_spec_domtrans" lineno="891">
+<summary>
+Execute a shell in the target domain. This
+is an explicit transition, requiring the
+caller to use setexeccon().
+</summary>
+<desc>
+<p>
+Execute a shell in the target domain. This
+is an explicit transition, requiring the
+caller to use setexeccon().
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the shell process.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_shell_domtrans" lineno="926">
+<summary>
+Execute a shell in the specified domain.
+</summary>
+<desc>
+<p>
+Execute a shell in the specified domain.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the shell process.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_exec_chroot" lineno="945">
+<summary>
+Execute chroot in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_getattr_all_executables" lineno="966">
+<summary>
+Get the attributes of all executable files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="corecmd_read_all_executables" lineno="987">
+<summary>
+Read all executable files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="corecmd_exec_all_executables" lineno="1006">
+<summary>
+Execute all executable files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="corecmd_dontaudit_exec_all_executables" lineno="1027">
+<summary>
+Do not audit attempts to execute all executables.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_manage_all_executables" lineno="1046">
+<summary>
+Create, read, write, and all executable files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="corecmd_relabel_all_executables" lineno="1067">
+<summary>
+Relabel to and from the bin type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="corecmd_mmap_all_executables" lineno="1086">
+<summary>
+Mmap all executables as executable.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="corenetwork" filename="policy/modules/kernel/corenetwork.if">
+<summary>Policy controlling access to network objects</summary>
+<required val="true">
+Contains the initial SIDs for network objects.
+</required>
+<interface name="corenet_port" lineno="29">
+<summary>
+Define type to be a network port type
+</summary>
+<desc>
+<p>
+Define type to be a network port type
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used for network ports.
+</summary>
+</param>
+</interface>
+<interface name="corenet_reserved_port" lineno="56">
+<summary>
+Define network type to be a reserved port (lt 1024)
+</summary>
+<desc>
+<p>
+Define network type to be a reserved port (lt 1024)
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used for network ports.
+</summary>
+</param>
+</interface>
+<interface name="corenet_rpc_port" lineno="83">
+<summary>
+Define network type to be a rpc port ( 512 lt PORT lt 1024)
+</summary>
+<desc>
+<p>
+Define network type to be a rpc port ( 512 lt PORT lt 1024)
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used for network ports.
+</summary>
+</param>
+</interface>
+<interface name="corenet_node" lineno="110">
+<summary>
+Define type to be a network node type
+</summary>
+<desc>
+<p>
+Define type to be a network node type
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used for network nodes.
+</summary>
+</param>
+</interface>
+<interface name="corenet_packet" lineno="137">
+<summary>
+Define type to be a network packet type
+</summary>
+<desc>
+<p>
+Define type to be a network packet type
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used for a network packet.
+</summary>
+</param>
+</interface>
+<interface name="corenet_client_packet" lineno="164">
+<summary>
+Define type to be a network client packet type
+</summary>
+<desc>
+<p>
+Define type to be a network client packet type
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used for a network client packet.
+</summary>
+</param>
+</interface>
+<interface name="corenet_server_packet" lineno="191">
+<summary>
+Define type to be a network server packet type
+</summary>
+<desc>
+<p>
+Define type to be a network server packet type
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used for a network server packet.
+</summary>
+</param>
+</interface>
+<interface name="corenet_spd_type" lineno="210">
+<summary>
+Make the specified type usable
+for labeled ipsec.
+</summary>
+<param name="domain">
+<summary>
+Type to be used for labeled ipsec.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_generic_if" lineno="256">
+<summary>
+Send and receive TCP network traffic on generic interfaces.
+</summary>
+<desc>
+<p>
+Allow the specified domain to send and receive TCP network
+traffic on generic network interfaces.
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corenet_all_recvfrom_unlabeled()</li>
+<li>corenet_tcp_sendrecv_generic_node()</li>
+<li>corenet_tcp_sendrecv_all_ports()</li>
+<li>corenet_tcp_connect_all_ports()</li>
+</ul>
+<p>
+Example client being able to connect to all ports over
+generic nodes, without labeled networking:
+</p>
+<p>
+allow myclient_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_generic_if(myclient_t)
+corenet_tcp_sendrecv_generic_node(myclient_t)
+corenet_tcp_sendrecv_all_ports(myclient_t)
+corenet_tcp_connect_all_ports(myclient_t)
+corenet_all_recvfrom_unlabeled(myclient_t)
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_generic_if" lineno="274">
+<summary>
+Send UDP network traffic on generic interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_udp_send_generic_if" lineno="293">
+<summary>
+Dontaudit attempts to send UDP network traffic
+on generic interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_receive_generic_if" lineno="311">
+<summary>
+Receive UDP network traffic on generic interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_generic_if" lineno="330">
+<summary>
+Do not audit attempts to receive UDP network
+traffic on generic interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_sendrecv_generic_if" lineno="374">
+<summary>
+Send and receive UDP network traffic on generic interfaces.
+</summary>
+<desc>
+<p>
+Allow the specified domain to send and receive UDP network
+traffic on generic network interfaces.
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corenet_all_recvfrom_unlabeled()</li>
+<li>corenet_udp_sendrecv_generic_node()</li>
+<li>corenet_udp_sendrecv_all_ports()</li>
+</ul>
+<p>
+Example client being able to send to all ports over
+generic nodes, without labeled networking:
+</p>
+<p>
+allow myclient_t self:udp_socket create_socket_perms;
+corenet_udp_sendrecv_generic_if(myclient_t)
+corenet_udp_sendrecv_generic_node(myclient_t)
+corenet_udp_sendrecv_all_ports(myclient_t)
+corenet_all_recvfrom_unlabeled(myclient_t)
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_generic_if" lineno="390">
+<summary>
+Do not audit attempts to send and receive UDP network
+traffic on generic interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_send_generic_if" lineno="405">
+<summary>
+Send raw IP packets on generic interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_receive_generic_if" lineno="423">
+<summary>
+Receive raw IP packets on generic interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_sendrecv_generic_if" lineno="441">
+<summary>
+Send and receive raw IP packets on generic interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_out_generic_if" lineno="457">
+<summary>
+Allow outgoing network traffic on the generic interfaces.
+</summary>
+<param name="domain">
+<summary>
+The peer label of the outgoing network traffic.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_in_generic_if" lineno="476">
+<summary>
+Allow incoming traffic on the generic interfaces.
+</summary>
+<param name="domain">
+<summary>
+The peer label of the incoming network traffic.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_inout_generic_if" lineno="495">
+<summary>
+Allow incoming and outgoing network traffic on the generic interfaces.
+</summary>
+<param name="domain">
+<summary>
+The peer label of the network traffic.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_tcp_sendrecv_all_if" lineno="510">
+<summary>
+Send and receive TCP network traffic on all interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_send_all_if" lineno="528">
+<summary>
+Send UDP network traffic on all interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_receive_all_if" lineno="546">
+<summary>
+Receive UDP network traffic on all interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_sendrecv_all_if" lineno="564">
+<summary>
+Send and receive UDP network traffic on all interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_send_all_if" lineno="579">
+<summary>
+Send raw IP packets on all interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_receive_all_if" lineno="597">
+<summary>
+Receive raw IP packets on all interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_sendrecv_all_if" lineno="615">
+<summary>
+Send and receive raw IP packets on all interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_generic_node" lineno="658">
+<summary>
+Send and receive TCP network traffic on generic nodes.
+</summary>
+<desc>
+<p>
+Allow the specified domain to send and receive TCP network
+traffic to/from generic network nodes (hostnames/networks).
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corenet_all_recvfrom_unlabeled()</li>
+<li>corenet_tcp_sendrecv_generic_if()</li>
+<li>corenet_tcp_sendrecv_all_ports()</li>
+<li>corenet_tcp_connect_all_ports()</li>
+</ul>
+<p>
+Example client being able to connect to all ports over
+generic nodes, without labeled networking:
+</p>
+<p>
+allow myclient_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_generic_if(myclient_t)
+corenet_tcp_sendrecv_generic_node(myclient_t)
+corenet_tcp_sendrecv_all_ports(myclient_t)
+corenet_tcp_connect_all_ports(myclient_t)
+corenet_all_recvfrom_unlabeled(myclient_t)
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_generic_node" lineno="676">
+<summary>
+Send UDP network traffic on generic nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_receive_generic_node" lineno="694">
+<summary>
+Receive UDP network traffic on generic nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_sendrecv_generic_node" lineno="738">
+<summary>
+Send and receive UDP network traffic on generic nodes.
+</summary>
+<desc>
+<p>
+Allow the specified domain to send and receive UDP network
+traffic to/from generic network nodes (hostnames/networks).
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corenet_all_recvfrom_unlabeled()</li>
+<li>corenet_udp_sendrecv_generic_if()</li>
+<li>corenet_udp_sendrecv_all_ports()</li>
+</ul>
+<p>
+Example client being able to send to all ports over
+generic nodes, without labeled networking:
+</p>
+<p>
+allow myclient_t self:udp_socket create_socket_perms;
+corenet_udp_sendrecv_generic_if(myclient_t)
+corenet_udp_sendrecv_generic_node(myclient_t)
+corenet_udp_sendrecv_all_ports(myclient_t)
+corenet_all_recvfrom_unlabeled(myclient_t)
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_raw_send_generic_node" lineno="753">
+<summary>
+Send raw IP packets on generic nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_receive_generic_node" lineno="771">
+<summary>
+Receive raw IP packets on generic nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_sendrecv_generic_node" lineno="789">
+<summary>
+Send and receive raw IP packets on generic nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_bind_generic_node" lineno="819">
+<summary>
+Bind TCP sockets to generic nodes.
+</summary>
+<desc>
+<p>
+Bind TCP sockets to generic nodes. This is
+necessary for binding a socket so it
+can be used for servers to listen
+for incoming connections.
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corenet_udp_bind_generic_node()</li>
+</ul>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="1"/>
+</interface>
+<interface name="corenet_udp_bind_generic_node" lineno="852">
+<summary>
+Bind UDP sockets to generic nodes.
+</summary>
+<desc>
+<p>
+Bind UDP sockets to generic nodes. This is
+necessary for binding a socket so it
+can be used for servers to listen
+for incoming connections.
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corenet_tcp_bind_generic_node()</li>
+</ul>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="1"/>
+</interface>
+<interface name="corenet_raw_bind_generic_node" lineno="871">
+<summary>
+Bind raw sockets to genric nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_out_generic_node" lineno="890">
+<summary>
+Allow outgoing network traffic to generic nodes.
+</summary>
+<param name="domain">
+<summary>
+The peer label of the outgoing network traffic.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_in_generic_node" lineno="909">
+<summary>
+Allow incoming network traffic from generic nodes.
+</summary>
+<param name="domain">
+<summary>
+The peer label of the incoming network traffic.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_inout_generic_node" lineno="928">
+<summary>
+Allow incoming and outgoing network traffic with generic nodes.
+</summary>
+<param name="domain">
+<summary>
+The peer label of the network traffic.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_tcp_sendrecv_all_nodes" lineno="943">
+<summary>
+Send and receive TCP network traffic on all nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_send_all_nodes" lineno="961">
+<summary>
+Send UDP network traffic on all nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_udp_send_all_nodes" lineno="980">
+<summary>
+Do not audit attempts to send UDP network
+traffic on any nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_receive_all_nodes" lineno="998">
+<summary>
+Receive UDP network traffic on all nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_all_nodes" lineno="1017">
+<summary>
+Do not audit attempts to receive UDP
+network traffic on all nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_sendrecv_all_nodes" lineno="1035">
+<summary>
+Send and receive UDP network traffic on all nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_all_nodes" lineno="1051">
+<summary>
+Do not audit attempts to send and receive UDP
+network traffic on any nodes nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_send_all_nodes" lineno="1066">
+<summary>
+Send raw IP packets on all nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_receive_all_nodes" lineno="1084">
+<summary>
+Receive raw IP packets on all nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_sendrecv_all_nodes" lineno="1102">
+<summary>
+Send and receive raw IP packets on all nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_bind_all_nodes" lineno="1117">
+<summary>
+Bind TCP sockets to all nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_bind_all_nodes" lineno="1135">
+<summary>
+Bind UDP sockets to all nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_bind_all_nodes" lineno="1154">
+<summary>
+Bind raw sockets to all nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_generic_port" lineno="1172">
+<summary>
+Send and receive TCP network traffic on generic ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_tcp_sendrecv_generic_port" lineno="1190">
+<summary>
+Do not audit send and receive TCP network traffic on generic ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_send_generic_port" lineno="1208">
+<summary>
+Send UDP network traffic on generic ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_receive_generic_port" lineno="1226">
+<summary>
+Receive UDP network traffic on generic ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_sendrecv_generic_port" lineno="1244">
+<summary>
+Send and receive UDP network traffic on generic ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_bind_generic_port" lineno="1259">
+<summary>
+Bind TCP sockets to generic ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_tcp_bind_generic_port" lineno="1279">
+<summary>
+Do not audit bind TCP sockets to generic ports.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_bind_generic_port" lineno="1297">
+<summary>
+Bind UDP sockets to generic ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_connect_generic_port" lineno="1317">
+<summary>
+Connect TCP sockets to generic ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_all_ports" lineno="1361">
+<summary>
+Send and receive TCP network traffic on all ports.
+</summary>
+<desc>
+<p>
+Send and receive TCP network traffic on all ports.
+Related interfaces:
+</p>
+<ul>
+<li>corenet_all_recvfrom_unlabeled()</li>
+<li>corenet_tcp_sendrecv_generic_if()</li>
+<li>corenet_tcp_sendrecv_generic_node()</li>
+<li>corenet_tcp_connect_all_ports()</li>
+<li>corenet_tcp_bind_all_ports()</li>
+</ul>
+<p>
+Example client being able to connect to all ports over
+generic nodes, without labeled networking:
+</p>
+<p>
+allow myclient_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_generic_if(myclient_t)
+corenet_tcp_sendrecv_generic_node(myclient_t)
+corenet_tcp_sendrecv_all_ports(myclient_t)
+corenet_tcp_connect_all_ports(myclient_t)
+corenet_all_recvfrom_unlabeled(myclient_t)
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_all_ports" lineno="1379">
+<summary>
+Send UDP network traffic on all ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_receive_all_ports" lineno="1397">
+<summary>
+Receive UDP network traffic on all ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_sendrecv_all_ports" lineno="1439">
+<summary>
+Send and receive UDP network traffic on all ports.
+</summary>
+<desc>
+<p>
+Send and receive UDP network traffic on all ports.
+Related interfaces:
+</p>
+<ul>
+<li>corenet_all_recvfrom_unlabeled()</li>
+<li>corenet_udp_sendrecv_generic_if()</li>
+<li>corenet_udp_sendrecv_generic_node()</li>
+<li>corenet_udp_bind_all_ports()</li>
+</ul>
+<p>
+Example client being able to send to all ports over
+generic nodes, without labeled networking:
+</p>
+<p>
+allow myclient_t self:udp_socket create_socket_perms;
+corenet_udp_sendrecv_generic_if(myclient_t)
+corenet_udp_sendrecv_generic_node(myclient_t)
+corenet_udp_sendrecv_all_ports(myclient_t)
+corenet_all_recvfrom_unlabeled(myclient_t)
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_tcp_bind_all_ports" lineno="1454">
+<summary>
+Bind TCP sockets to all ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_tcp_bind_all_ports" lineno="1473">
+<summary>
+Do not audit attepts to bind TCP sockets to any ports.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_bind_all_ports" lineno="1491">
+<summary>
+Bind UDP sockets to all ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_udp_bind_all_ports" lineno="1510">
+<summary>
+Do not audit attepts to bind UDP sockets to any ports.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_connect_all_ports" lineno="1556">
+<summary>
+Connect TCP sockets to all ports.
+</summary>
+<desc>
+<p>
+Connect TCP sockets to all ports
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>corenet_all_recvfrom_unlabeled()</li>
+<li>corenet_tcp_sendrecv_generic_if()</li>
+<li>corenet_tcp_sendrecv_generic_node()</li>
+<li>corenet_tcp_sendrecv_all_ports()</li>
+<li>corenet_tcp_bind_all_ports()</li>
+</ul>
+<p>
+Example client being able to connect to all ports over
+generic nodes, without labeled networking:
+</p>
+<p>
+allow myclient_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_generic_if(myclient_t)
+corenet_tcp_sendrecv_generic_node(myclient_t)
+corenet_tcp_sendrecv_all_ports(myclient_t)
+corenet_tcp_connect_all_ports(myclient_t)
+corenet_all_recvfrom_unlabeled(myclient_t)
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="1"/>
+</interface>
+<interface name="corenet_dontaudit_tcp_connect_all_ports" lineno="1575">
+<summary>
+Do not audit attempts to connect TCP sockets
+to all ports.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_reserved_port" lineno="1593">
+<summary>
+Send and receive TCP network traffic on generic reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_send_reserved_port" lineno="1611">
+<summary>
+Send UDP network traffic on generic reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_receive_reserved_port" lineno="1629">
+<summary>
+Receive UDP network traffic on generic reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_sendrecv_reserved_port" lineno="1647">
+<summary>
+Send and receive UDP network traffic on generic reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_bind_reserved_port" lineno="1662">
+<summary>
+Bind TCP sockets to generic reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_bind_reserved_port" lineno="1681">
+<summary>
+Bind UDP sockets to generic reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_connect_reserved_port" lineno="1700">
+<summary>
+Connect TCP sockets to generic reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_all_reserved_ports" lineno="1718">
+<summary>
+Send and receive TCP network traffic on all reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_send_all_reserved_ports" lineno="1736">
+<summary>
+Send UDP network traffic on all reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_receive_all_reserved_ports" lineno="1754">
+<summary>
+Receive UDP network traffic on all reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_sendrecv_all_reserved_ports" lineno="1772">
+<summary>
+Send and receive UDP network traffic on all reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_bind_all_reserved_ports" lineno="1787">
+<summary>
+Bind TCP sockets to all reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_tcp_bind_all_reserved_ports" lineno="1806">
+<summary>
+Do not audit attempts to bind TCP sockets to all reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_bind_all_reserved_ports" lineno="1824">
+<summary>
+Bind UDP sockets to all reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_udp_bind_all_reserved_ports" lineno="1843">
+<summary>
+Do not audit attempts to bind UDP sockets to all reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_bind_all_unreserved_ports" lineno="1861">
+<summary>
+Bind TCP sockets to all ports > 1024.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_bind_all_unreserved_ports" lineno="1879">
+<summary>
+Bind UDP sockets to all ports > 1024.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_connect_all_reserved_ports" lineno="1897">
+<summary>
+Connect TCP sockets to reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_connect_all_unreserved_ports" lineno="1915">
+<summary>
+Connect TCP sockets to all ports > 1024.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_tcp_connect_all_reserved_ports" lineno="1934">
+<summary>
+Do not audit attempts to connect TCP sockets
+all reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_connect_all_rpc_ports" lineno="1952">
+<summary>
+Connect TCP sockets to rpc ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_tcp_connect_all_rpc_ports" lineno="1971">
+<summary>
+Do not audit attempts to connect TCP sockets
+all rpc ports.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_rw_tun_tap_dev" lineno="1989">
+<summary>
+Read and write the TUN/TAP virtual network device.
+</summary>
+<param name="domain">
+<summary>
+The domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_rw_tun_tap_dev" lineno="2009">
+<summary>
+Do not audit attempts to read or write the TUN/TAP
+virtual network device.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_getattr_ppp_dev" lineno="2027">
+<summary>
+Getattr the point-to-point device.
+</summary>
+<param name="domain">
+<summary>
+The domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_rw_ppp_dev" lineno="2045">
+<summary>
+Read and write the point-to-point device.
+</summary>
+<param name="domain">
+<summary>
+The domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_bind_all_rpc_ports" lineno="2064">
+<summary>
+Bind TCP sockets to all RPC ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_tcp_bind_all_rpc_ports" lineno="2083">
+<summary>
+Do not audit attempts to bind TCP sockets to all RPC ports.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_bind_all_rpc_ports" lineno="2101">
+<summary>
+Bind UDP sockets to all RPC ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_udp_bind_all_rpc_ports" lineno="2120">
+<summary>
+Do not audit attempts to bind UDP sockets to all RPC ports.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_non_ipsec_sendrecv" lineno="2151">
+<summary>
+Send and receive messages on a
+non-encrypted (no IPSEC) network
+session.
+</summary>
+<desc>
+<p>
+Send and receive messages on a
+non-encrypted (no IPSEC) network
+session. (Deprecated)
+</p>
+<p>
+The corenet_all_recvfrom_unlabeled() interface should be used instead
+of this one.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_non_ipsec_sendrecv" lineno="2179">
+<summary>
+Do not audit attempts to send and receive
+messages on a non-encrypted (no IPSEC) network
+session.
+</summary>
+<desc>
+<p>
+Do not audit attempts to send and receive
+messages on a non-encrypted (no IPSEC) network
+session.
+</p>
+<p>
+The corenet_dontaudit_all_recvfrom_unlabeled() interface should be
+used instead of this one.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_recv_netlabel" lineno="2194">
+<summary>
+Receive TCP packets from a NetLabel connection.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_recvfrom_netlabel" lineno="2209">
+<summary>
+Receive TCP packets from a NetLabel connection.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_recvfrom_unlabeled" lineno="2228">
+<summary>
+Receive TCP packets from an unlabled connection.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_tcp_recv_netlabel" lineno="2249">
+<summary>
+Do not audit attempts to receive TCP packets from a NetLabel
+connection.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_tcp_recvfrom_netlabel" lineno="2265">
+<summary>
+Do not audit attempts to receive TCP packets from a NetLabel
+connection.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_tcp_recvfrom_unlabeled" lineno="2285">
+<summary>
+Do not audit attempts to receive TCP packets from an unlabeled
+connection.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_recv_netlabel" lineno="2305">
+<summary>
+Receive UDP packets from a NetLabel connection.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_recvfrom_netlabel" lineno="2320">
+<summary>
+Receive UDP packets from a NetLabel connection.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_recvfrom_unlabeled" lineno="2339">
+<summary>
+Receive UDP packets from an unlabeled connection.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_udp_recv_netlabel" lineno="2360">
+<summary>
+Do not audit attempts to receive UDP packets from a NetLabel
+connection.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_udp_recvfrom_netlabel" lineno="2376">
+<summary>
+Do not audit attempts to receive UDP packets from a NetLabel
+connection.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_udp_recvfrom_unlabeled" lineno="2396">
+<summary>
+Do not audit attempts to receive UDP packets from an unlabeled
+connection.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_recv_netlabel" lineno="2416">
+<summary>
+Receive Raw IP packets from a NetLabel connection.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_recvfrom_netlabel" lineno="2431">
+<summary>
+Receive Raw IP packets from a NetLabel connection.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_recvfrom_unlabeled" lineno="2450">
+<summary>
+Receive Raw IP packets from an unlabeled connection.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_raw_recv_netlabel" lineno="2471">
+<summary>
+Do not audit attempts to receive Raw IP packets from a NetLabel
+connection.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_raw_recvfrom_netlabel" lineno="2487">
+<summary>
+Do not audit attempts to receive Raw IP packets from a NetLabel
+connection.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_raw_recvfrom_unlabeled" lineno="2507">
+<summary>
+Do not audit attempts to receive Raw IP packets from an unlabeled
+connection.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_all_recvfrom_unlabeled" lineno="2539">
+<summary>
+Receive packets from an unlabeled connection.
+</summary>
+<desc>
+<p>
+Allow the specified domain to receive packets from an
+unlabeled connection. On machines that do not utilize
+labeled networking, this will be required on all
+networking domains. On machines tha do utilize
+labeled networking, this will be required for any
+networking domain that is allowed to receive
+network traffic that does not have a label.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_all_recvfrom_netlabel" lineno="2572">
+<summary>
+Receive packets from a NetLabel connection.
+</summary>
+<desc>
+<p>
+Allow the specified domain to receive NetLabel
+network traffic, which utilizes the Commercial IP
+Security Option (CIPSO) to set the MLS level
+of the network packets. This is required for
+all networking domains that receive NetLabel
+network traffic.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_all_recvfrom_unlabeled" lineno="2591">
+<summary>
+Do not audit attempts to receive packets from an unlabeled connection.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_all_recvfrom_netlabel" lineno="2614">
+<summary>
+Do not audit attempts to receive packets from a NetLabel
+connection.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_recvfrom_labeled" lineno="2646">
+<summary>
+Rules for receiving labeled TCP packets.
+</summary>
+<desc>
+<p>
+Rules for receiving labeled TCP packets.
+</p>
+<p>
+Due to the nature of TCP, this is bidirectional.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="peer_domain">
+<summary>
+Peer domain.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_recvfrom_labeled" lineno="2674">
+<summary>
+Rules for receiving labeled UDP packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="peer_domain">
+<summary>
+Peer domain.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_recvfrom_labeled" lineno="2699">
+<summary>
+Rules for receiving labeled raw IP packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="peer_domain">
+<summary>
+Peer domain.
+</summary>
+</param>
+</interface>
+<interface name="corenet_all_recvfrom_labeled" lineno="2733">
+<summary>
+Rules for receiving labeled packets via TCP, UDP and raw IP.
+</summary>
+<desc>
+<p>
+Rules for receiving labeled packets via TCP, UDP and raw IP.
+</p>
+<p>
+Due to the nature of TCP, the rules (for TCP
+networking only) are bidirectional.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="peer_domain">
+<summary>
+Peer domain.
+</summary>
+</param>
+</interface>
+<interface name="corenet_setcontext_all_spds" lineno="2750">
+<summary>
+Make the specified type usable
+for labeled ipsec.
+</summary>
+<param name="domain">
+<summary>
+Type to be used for labeled ipsec.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_generic_client_packets" lineno="2768">
+<summary>
+Send generic client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_receive_generic_client_packets" lineno="2786">
+<summary>
+Receive generic client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_sendrecv_generic_client_packets" lineno="2804">
+<summary>
+Send and receive generic client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_relabelto_generic_client_packets" lineno="2819">
+<summary>
+Relabel packets to the generic client packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_generic_server_packets" lineno="2837">
+<summary>
+Send generic server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_receive_generic_server_packets" lineno="2855">
+<summary>
+Receive generic server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_sendrecv_generic_server_packets" lineno="2873">
+<summary>
+Send and receive generic server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_relabelto_generic_server_packets" lineno="2888">
+<summary>
+Relabel packets to the generic server packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_sendrecv_unlabeled_packets" lineno="2913">
+<summary>
+Send and receive unlabeled packets.
+</summary>
+<desc>
+<p>
+Send and receive unlabeled packets.
+These packets do not match any netfilter
+SECMARK rules.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_all_client_packets" lineno="2927">
+<summary>
+Send all client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_receive_all_client_packets" lineno="2945">
+<summary>
+Receive all client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_sendrecv_all_client_packets" lineno="2963">
+<summary>
+Send and receive all client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_relabelto_all_client_packets" lineno="2978">
+<summary>
+Relabel packets to any client packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_all_server_packets" lineno="2996">
+<summary>
+Send all server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_receive_all_server_packets" lineno="3014">
+<summary>
+Receive all server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_sendrecv_all_server_packets" lineno="3032">
+<summary>
+Send and receive all server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_relabelto_all_server_packets" lineno="3047">
+<summary>
+Relabel packets to any server packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_all_packets" lineno="3065">
+<summary>
+Send all packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_receive_all_packets" lineno="3083">
+<summary>
+Receive all packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_sendrecv_all_packets" lineno="3101">
+<summary>
+Send and receive all packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_relabelto_all_packets" lineno="3116">
+<summary>
+Relabel packets to any packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_unconfined" lineno="3134">
+<summary>
+Unconfined access to network objects.
+</summary>
+<param name="domain">
+<summary>
+The domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_afs_bos_port" lineno="3154">
+<summary>
+Send and receive TCP traffic on the afs_bos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_afs_bos_port" lineno="3173">
+<summary>
+Send UDP traffic on the afs_bos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_afs_bos_port" lineno="3192">
+<summary>
+Do not audit attempts to send UDP traffic on the afs_bos port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_afs_bos_port" lineno="3211">
+<summary>
+Receive UDP traffic on the afs_bos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_afs_bos_port" lineno="3230">
+<summary>
+Do not audit attempts to receive UDP traffic on the afs_bos port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_afs_bos_port" lineno="3249">
+<summary>
+Send and receive UDP traffic on the afs_bos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_afs_bos_port" lineno="3266">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the afs_bos port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_afs_bos_port" lineno="3282">
+<summary>
+Bind TCP sockets to the afs_bos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_afs_bos_port" lineno="3302">
+<summary>
+Bind UDP sockets to the afs_bos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_afs_bos_port" lineno="3321">
+<summary>
+Make a TCP connection to the afs_bos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_afs_bos_client_packets" lineno="3341">
+<summary>
+Send afs_bos_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_bos_client_packets" lineno="3360">
+<summary>
+Do not audit attempts to send afs_bos_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs_bos_client_packets" lineno="3379">
+<summary>
+Receive afs_bos_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_afs_bos_client_packets" lineno="3398">
+<summary>
+Do not audit attempts to receive afs_bos_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_afs_bos_client_packets" lineno="3417">
+<summary>
+Send and receive afs_bos_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_afs_bos_client_packets" lineno="3433">
+<summary>
+Do not audit attempts to send and receive afs_bos_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_afs_bos_client_packets" lineno="3448">
+<summary>
+Relabel packets to afs_bos_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_afs_bos_server_packets" lineno="3468">
+<summary>
+Send afs_bos_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_bos_server_packets" lineno="3487">
+<summary>
+Do not audit attempts to send afs_bos_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs_bos_server_packets" lineno="3506">
+<summary>
+Receive afs_bos_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_afs_bos_server_packets" lineno="3525">
+<summary>
+Do not audit attempts to receive afs_bos_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_afs_bos_server_packets" lineno="3544">
+<summary>
+Send and receive afs_bos_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_afs_bos_server_packets" lineno="3560">
+<summary>
+Do not audit attempts to send and receive afs_bos_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_afs_bos_server_packets" lineno="3575">
+<summary>
+Relabel packets to afs_bos_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_afs_fs_port" lineno="3597">
+<summary>
+Send and receive TCP traffic on the afs_fs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_afs_fs_port" lineno="3616">
+<summary>
+Send UDP traffic on the afs_fs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_afs_fs_port" lineno="3635">
+<summary>
+Do not audit attempts to send UDP traffic on the afs_fs port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_afs_fs_port" lineno="3654">
+<summary>
+Receive UDP traffic on the afs_fs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_afs_fs_port" lineno="3673">
+<summary>
+Do not audit attempts to receive UDP traffic on the afs_fs port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_afs_fs_port" lineno="3692">
+<summary>
+Send and receive UDP traffic on the afs_fs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_afs_fs_port" lineno="3709">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the afs_fs port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_afs_fs_port" lineno="3725">
+<summary>
+Bind TCP sockets to the afs_fs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_afs_fs_port" lineno="3745">
+<summary>
+Bind UDP sockets to the afs_fs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_afs_fs_port" lineno="3764">
+<summary>
+Make a TCP connection to the afs_fs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_afs_fs_client_packets" lineno="3784">
+<summary>
+Send afs_fs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_fs_client_packets" lineno="3803">
+<summary>
+Do not audit attempts to send afs_fs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs_fs_client_packets" lineno="3822">
+<summary>
+Receive afs_fs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_afs_fs_client_packets" lineno="3841">
+<summary>
+Do not audit attempts to receive afs_fs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_afs_fs_client_packets" lineno="3860">
+<summary>
+Send and receive afs_fs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_afs_fs_client_packets" lineno="3876">
+<summary>
+Do not audit attempts to send and receive afs_fs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_afs_fs_client_packets" lineno="3891">
+<summary>
+Relabel packets to afs_fs_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_afs_fs_server_packets" lineno="3911">
+<summary>
+Send afs_fs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_fs_server_packets" lineno="3930">
+<summary>
+Do not audit attempts to send afs_fs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs_fs_server_packets" lineno="3949">
+<summary>
+Receive afs_fs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_afs_fs_server_packets" lineno="3968">
+<summary>
+Do not audit attempts to receive afs_fs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_afs_fs_server_packets" lineno="3987">
+<summary>
+Send and receive afs_fs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_afs_fs_server_packets" lineno="4003">
+<summary>
+Do not audit attempts to send and receive afs_fs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_afs_fs_server_packets" lineno="4018">
+<summary>
+Relabel packets to afs_fs_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_afs_ka_port" lineno="4040">
+<summary>
+Send and receive TCP traffic on the afs_ka port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_afs_ka_port" lineno="4059">
+<summary>
+Send UDP traffic on the afs_ka port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_afs_ka_port" lineno="4078">
+<summary>
+Do not audit attempts to send UDP traffic on the afs_ka port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_afs_ka_port" lineno="4097">
+<summary>
+Receive UDP traffic on the afs_ka port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_afs_ka_port" lineno="4116">
+<summary>
+Do not audit attempts to receive UDP traffic on the afs_ka port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_afs_ka_port" lineno="4135">
+<summary>
+Send and receive UDP traffic on the afs_ka port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_afs_ka_port" lineno="4152">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the afs_ka port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_afs_ka_port" lineno="4168">
+<summary>
+Bind TCP sockets to the afs_ka port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_afs_ka_port" lineno="4188">
+<summary>
+Bind UDP sockets to the afs_ka port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_afs_ka_port" lineno="4207">
+<summary>
+Make a TCP connection to the afs_ka port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_afs_ka_client_packets" lineno="4227">
+<summary>
+Send afs_ka_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_ka_client_packets" lineno="4246">
+<summary>
+Do not audit attempts to send afs_ka_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs_ka_client_packets" lineno="4265">
+<summary>
+Receive afs_ka_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_afs_ka_client_packets" lineno="4284">
+<summary>
+Do not audit attempts to receive afs_ka_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_afs_ka_client_packets" lineno="4303">
+<summary>
+Send and receive afs_ka_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_afs_ka_client_packets" lineno="4319">
+<summary>
+Do not audit attempts to send and receive afs_ka_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_afs_ka_client_packets" lineno="4334">
+<summary>
+Relabel packets to afs_ka_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_afs_ka_server_packets" lineno="4354">
+<summary>
+Send afs_ka_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_ka_server_packets" lineno="4373">
+<summary>
+Do not audit attempts to send afs_ka_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs_ka_server_packets" lineno="4392">
+<summary>
+Receive afs_ka_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_afs_ka_server_packets" lineno="4411">
+<summary>
+Do not audit attempts to receive afs_ka_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_afs_ka_server_packets" lineno="4430">
+<summary>
+Send and receive afs_ka_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_afs_ka_server_packets" lineno="4446">
+<summary>
+Do not audit attempts to send and receive afs_ka_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_afs_ka_server_packets" lineno="4461">
+<summary>
+Relabel packets to afs_ka_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_afs_pt_port" lineno="4483">
+<summary>
+Send and receive TCP traffic on the afs_pt port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_afs_pt_port" lineno="4502">
+<summary>
+Send UDP traffic on the afs_pt port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_afs_pt_port" lineno="4521">
+<summary>
+Do not audit attempts to send UDP traffic on the afs_pt port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_afs_pt_port" lineno="4540">
+<summary>
+Receive UDP traffic on the afs_pt port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_afs_pt_port" lineno="4559">
+<summary>
+Do not audit attempts to receive UDP traffic on the afs_pt port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_afs_pt_port" lineno="4578">
+<summary>
+Send and receive UDP traffic on the afs_pt port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_afs_pt_port" lineno="4595">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the afs_pt port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_afs_pt_port" lineno="4611">
+<summary>
+Bind TCP sockets to the afs_pt port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_afs_pt_port" lineno="4631">
+<summary>
+Bind UDP sockets to the afs_pt port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_afs_pt_port" lineno="4650">
+<summary>
+Make a TCP connection to the afs_pt port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_afs_pt_client_packets" lineno="4670">
+<summary>
+Send afs_pt_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_pt_client_packets" lineno="4689">
+<summary>
+Do not audit attempts to send afs_pt_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs_pt_client_packets" lineno="4708">
+<summary>
+Receive afs_pt_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_afs_pt_client_packets" lineno="4727">
+<summary>
+Do not audit attempts to receive afs_pt_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_afs_pt_client_packets" lineno="4746">
+<summary>
+Send and receive afs_pt_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_afs_pt_client_packets" lineno="4762">
+<summary>
+Do not audit attempts to send and receive afs_pt_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_afs_pt_client_packets" lineno="4777">
+<summary>
+Relabel packets to afs_pt_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_afs_pt_server_packets" lineno="4797">
+<summary>
+Send afs_pt_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_pt_server_packets" lineno="4816">
+<summary>
+Do not audit attempts to send afs_pt_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs_pt_server_packets" lineno="4835">
+<summary>
+Receive afs_pt_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_afs_pt_server_packets" lineno="4854">
+<summary>
+Do not audit attempts to receive afs_pt_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_afs_pt_server_packets" lineno="4873">
+<summary>
+Send and receive afs_pt_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_afs_pt_server_packets" lineno="4889">
+<summary>
+Do not audit attempts to send and receive afs_pt_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_afs_pt_server_packets" lineno="4904">
+<summary>
+Relabel packets to afs_pt_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_afs_vl_port" lineno="4926">
+<summary>
+Send and receive TCP traffic on the afs_vl port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_afs_vl_port" lineno="4945">
+<summary>
+Send UDP traffic on the afs_vl port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_afs_vl_port" lineno="4964">
+<summary>
+Do not audit attempts to send UDP traffic on the afs_vl port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_afs_vl_port" lineno="4983">
+<summary>
+Receive UDP traffic on the afs_vl port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_afs_vl_port" lineno="5002">
+<summary>
+Do not audit attempts to receive UDP traffic on the afs_vl port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_afs_vl_port" lineno="5021">
+<summary>
+Send and receive UDP traffic on the afs_vl port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_afs_vl_port" lineno="5038">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the afs_vl port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_afs_vl_port" lineno="5054">
+<summary>
+Bind TCP sockets to the afs_vl port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_afs_vl_port" lineno="5074">
+<summary>
+Bind UDP sockets to the afs_vl port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_afs_vl_port" lineno="5093">
+<summary>
+Make a TCP connection to the afs_vl port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_afs_vl_client_packets" lineno="5113">
+<summary>
+Send afs_vl_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_vl_client_packets" lineno="5132">
+<summary>
+Do not audit attempts to send afs_vl_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs_vl_client_packets" lineno="5151">
+<summary>
+Receive afs_vl_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_afs_vl_client_packets" lineno="5170">
+<summary>
+Do not audit attempts to receive afs_vl_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_afs_vl_client_packets" lineno="5189">
+<summary>
+Send and receive afs_vl_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_afs_vl_client_packets" lineno="5205">
+<summary>
+Do not audit attempts to send and receive afs_vl_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_afs_vl_client_packets" lineno="5220">
+<summary>
+Relabel packets to afs_vl_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_afs_vl_server_packets" lineno="5240">
+<summary>
+Send afs_vl_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_vl_server_packets" lineno="5259">
+<summary>
+Do not audit attempts to send afs_vl_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs_vl_server_packets" lineno="5278">
+<summary>
+Receive afs_vl_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_afs_vl_server_packets" lineno="5297">
+<summary>
+Do not audit attempts to receive afs_vl_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_afs_vl_server_packets" lineno="5316">
+<summary>
+Send and receive afs_vl_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_afs_vl_server_packets" lineno="5332">
+<summary>
+Do not audit attempts to send and receive afs_vl_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_afs_vl_server_packets" lineno="5347">
+<summary>
+Relabel packets to afs_vl_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_agentx_port" lineno="5369">
+<summary>
+Send and receive TCP traffic on the agentx port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_agentx_port" lineno="5388">
+<summary>
+Send UDP traffic on the agentx port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_agentx_port" lineno="5407">
+<summary>
+Do not audit attempts to send UDP traffic on the agentx port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_agentx_port" lineno="5426">
+<summary>
+Receive UDP traffic on the agentx port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_agentx_port" lineno="5445">
+<summary>
+Do not audit attempts to receive UDP traffic on the agentx port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_agentx_port" lineno="5464">
+<summary>
+Send and receive UDP traffic on the agentx port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_agentx_port" lineno="5481">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the agentx port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_agentx_port" lineno="5497">
+<summary>
+Bind TCP sockets to the agentx port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_agentx_port" lineno="5517">
+<summary>
+Bind UDP sockets to the agentx port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_agentx_port" lineno="5536">
+<summary>
+Make a TCP connection to the agentx port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_agentx_client_packets" lineno="5556">
+<summary>
+Send agentx_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_agentx_client_packets" lineno="5575">
+<summary>
+Do not audit attempts to send agentx_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_agentx_client_packets" lineno="5594">
+<summary>
+Receive agentx_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_agentx_client_packets" lineno="5613">
+<summary>
+Do not audit attempts to receive agentx_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_agentx_client_packets" lineno="5632">
+<summary>
+Send and receive agentx_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_agentx_client_packets" lineno="5648">
+<summary>
+Do not audit attempts to send and receive agentx_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_agentx_client_packets" lineno="5663">
+<summary>
+Relabel packets to agentx_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_agentx_server_packets" lineno="5683">
+<summary>
+Send agentx_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_agentx_server_packets" lineno="5702">
+<summary>
+Do not audit attempts to send agentx_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_agentx_server_packets" lineno="5721">
+<summary>
+Receive agentx_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_agentx_server_packets" lineno="5740">
+<summary>
+Do not audit attempts to receive agentx_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_agentx_server_packets" lineno="5759">
+<summary>
+Send and receive agentx_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_agentx_server_packets" lineno="5775">
+<summary>
+Do not audit attempts to send and receive agentx_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_agentx_server_packets" lineno="5790">
+<summary>
+Relabel packets to agentx_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_amanda_port" lineno="5812">
+<summary>
+Send and receive TCP traffic on the amanda port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_amanda_port" lineno="5831">
+<summary>
+Send UDP traffic on the amanda port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_amanda_port" lineno="5850">
+<summary>
+Do not audit attempts to send UDP traffic on the amanda port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_amanda_port" lineno="5869">
+<summary>
+Receive UDP traffic on the amanda port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_amanda_port" lineno="5888">
+<summary>
+Do not audit attempts to receive UDP traffic on the amanda port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_amanda_port" lineno="5907">
+<summary>
+Send and receive UDP traffic on the amanda port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_amanda_port" lineno="5924">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the amanda port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_amanda_port" lineno="5940">
+<summary>
+Bind TCP sockets to the amanda port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_amanda_port" lineno="5960">
+<summary>
+Bind UDP sockets to the amanda port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_amanda_port" lineno="5979">
+<summary>
+Make a TCP connection to the amanda port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_amanda_client_packets" lineno="5999">
+<summary>
+Send amanda_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_amanda_client_packets" lineno="6018">
+<summary>
+Do not audit attempts to send amanda_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_amanda_client_packets" lineno="6037">
+<summary>
+Receive amanda_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_amanda_client_packets" lineno="6056">
+<summary>
+Do not audit attempts to receive amanda_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_amanda_client_packets" lineno="6075">
+<summary>
+Send and receive amanda_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_amanda_client_packets" lineno="6091">
+<summary>
+Do not audit attempts to send and receive amanda_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_amanda_client_packets" lineno="6106">
+<summary>
+Relabel packets to amanda_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_amanda_server_packets" lineno="6126">
+<summary>
+Send amanda_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_amanda_server_packets" lineno="6145">
+<summary>
+Do not audit attempts to send amanda_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_amanda_server_packets" lineno="6164">
+<summary>
+Receive amanda_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_amanda_server_packets" lineno="6183">
+<summary>
+Do not audit attempts to receive amanda_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_amanda_server_packets" lineno="6202">
+<summary>
+Send and receive amanda_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_amanda_server_packets" lineno="6218">
+<summary>
+Do not audit attempts to send and receive amanda_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_amanda_server_packets" lineno="6233">
+<summary>
+Relabel packets to amanda_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_amavisd_recv_port" lineno="6255">
+<summary>
+Send and receive TCP traffic on the amavisd_recv port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_amavisd_recv_port" lineno="6274">
+<summary>
+Send UDP traffic on the amavisd_recv port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_amavisd_recv_port" lineno="6293">
+<summary>
+Do not audit attempts to send UDP traffic on the amavisd_recv port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_amavisd_recv_port" lineno="6312">
+<summary>
+Receive UDP traffic on the amavisd_recv port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_amavisd_recv_port" lineno="6331">
+<summary>
+Do not audit attempts to receive UDP traffic on the amavisd_recv port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_amavisd_recv_port" lineno="6350">
+<summary>
+Send and receive UDP traffic on the amavisd_recv port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_amavisd_recv_port" lineno="6367">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the amavisd_recv port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_amavisd_recv_port" lineno="6383">
+<summary>
+Bind TCP sockets to the amavisd_recv port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_amavisd_recv_port" lineno="6403">
+<summary>
+Bind UDP sockets to the amavisd_recv port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_amavisd_recv_port" lineno="6422">
+<summary>
+Make a TCP connection to the amavisd_recv port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_amavisd_recv_client_packets" lineno="6442">
+<summary>
+Send amavisd_recv_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_amavisd_recv_client_packets" lineno="6461">
+<summary>
+Do not audit attempts to send amavisd_recv_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_amavisd_recv_client_packets" lineno="6480">
+<summary>
+Receive amavisd_recv_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_amavisd_recv_client_packets" lineno="6499">
+<summary>
+Do not audit attempts to receive amavisd_recv_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_amavisd_recv_client_packets" lineno="6518">
+<summary>
+Send and receive amavisd_recv_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_amavisd_recv_client_packets" lineno="6534">
+<summary>
+Do not audit attempts to send and receive amavisd_recv_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_amavisd_recv_client_packets" lineno="6549">
+<summary>
+Relabel packets to amavisd_recv_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_amavisd_recv_server_packets" lineno="6569">
+<summary>
+Send amavisd_recv_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_amavisd_recv_server_packets" lineno="6588">
+<summary>
+Do not audit attempts to send amavisd_recv_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_amavisd_recv_server_packets" lineno="6607">
+<summary>
+Receive amavisd_recv_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_amavisd_recv_server_packets" lineno="6626">
+<summary>
+Do not audit attempts to receive amavisd_recv_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_amavisd_recv_server_packets" lineno="6645">
+<summary>
+Send and receive amavisd_recv_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_amavisd_recv_server_packets" lineno="6661">
+<summary>
+Do not audit attempts to send and receive amavisd_recv_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_amavisd_recv_server_packets" lineno="6676">
+<summary>
+Relabel packets to amavisd_recv_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_amavisd_send_port" lineno="6698">
+<summary>
+Send and receive TCP traffic on the amavisd_send port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_amavisd_send_port" lineno="6717">
+<summary>
+Send UDP traffic on the amavisd_send port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_amavisd_send_port" lineno="6736">
+<summary>
+Do not audit attempts to send UDP traffic on the amavisd_send port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_amavisd_send_port" lineno="6755">
+<summary>
+Receive UDP traffic on the amavisd_send port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_amavisd_send_port" lineno="6774">
+<summary>
+Do not audit attempts to receive UDP traffic on the amavisd_send port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_amavisd_send_port" lineno="6793">
+<summary>
+Send and receive UDP traffic on the amavisd_send port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_amavisd_send_port" lineno="6810">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the amavisd_send port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_amavisd_send_port" lineno="6826">
+<summary>
+Bind TCP sockets to the amavisd_send port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_amavisd_send_port" lineno="6846">
+<summary>
+Bind UDP sockets to the amavisd_send port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_amavisd_send_port" lineno="6865">
+<summary>
+Make a TCP connection to the amavisd_send port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_amavisd_send_client_packets" lineno="6885">
+<summary>
+Send amavisd_send_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_amavisd_send_client_packets" lineno="6904">
+<summary>
+Do not audit attempts to send amavisd_send_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_amavisd_send_client_packets" lineno="6923">
+<summary>
+Receive amavisd_send_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_amavisd_send_client_packets" lineno="6942">
+<summary>
+Do not audit attempts to receive amavisd_send_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_amavisd_send_client_packets" lineno="6961">
+<summary>
+Send and receive amavisd_send_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_amavisd_send_client_packets" lineno="6977">
+<summary>
+Do not audit attempts to send and receive amavisd_send_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_amavisd_send_client_packets" lineno="6992">
+<summary>
+Relabel packets to amavisd_send_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_amavisd_send_server_packets" lineno="7012">
+<summary>
+Send amavisd_send_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_amavisd_send_server_packets" lineno="7031">
+<summary>
+Do not audit attempts to send amavisd_send_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_amavisd_send_server_packets" lineno="7050">
+<summary>
+Receive amavisd_send_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_amavisd_send_server_packets" lineno="7069">
+<summary>
+Do not audit attempts to receive amavisd_send_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_amavisd_send_server_packets" lineno="7088">
+<summary>
+Send and receive amavisd_send_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_amavisd_send_server_packets" lineno="7104">
+<summary>
+Do not audit attempts to send and receive amavisd_send_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_amavisd_send_server_packets" lineno="7119">
+<summary>
+Relabel packets to amavisd_send_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_amqp_port" lineno="7141">
+<summary>
+Send and receive TCP traffic on the amqp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_amqp_port" lineno="7160">
+<summary>
+Send UDP traffic on the amqp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_amqp_port" lineno="7179">
+<summary>
+Do not audit attempts to send UDP traffic on the amqp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_amqp_port" lineno="7198">
+<summary>
+Receive UDP traffic on the amqp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_amqp_port" lineno="7217">
+<summary>
+Do not audit attempts to receive UDP traffic on the amqp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_amqp_port" lineno="7236">
+<summary>
+Send and receive UDP traffic on the amqp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_amqp_port" lineno="7253">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the amqp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_amqp_port" lineno="7269">
+<summary>
+Bind TCP sockets to the amqp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_amqp_port" lineno="7289">
+<summary>
+Bind UDP sockets to the amqp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_amqp_port" lineno="7308">
+<summary>
+Make a TCP connection to the amqp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_amqp_client_packets" lineno="7328">
+<summary>
+Send amqp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_amqp_client_packets" lineno="7347">
+<summary>
+Do not audit attempts to send amqp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_amqp_client_packets" lineno="7366">
+<summary>
+Receive amqp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_amqp_client_packets" lineno="7385">
+<summary>
+Do not audit attempts to receive amqp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_amqp_client_packets" lineno="7404">
+<summary>
+Send and receive amqp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_amqp_client_packets" lineno="7420">
+<summary>
+Do not audit attempts to send and receive amqp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_amqp_client_packets" lineno="7435">
+<summary>
+Relabel packets to amqp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_amqp_server_packets" lineno="7455">
+<summary>
+Send amqp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_amqp_server_packets" lineno="7474">
+<summary>
+Do not audit attempts to send amqp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_amqp_server_packets" lineno="7493">
+<summary>
+Receive amqp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_amqp_server_packets" lineno="7512">
+<summary>
+Do not audit attempts to receive amqp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_amqp_server_packets" lineno="7531">
+<summary>
+Send and receive amqp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_amqp_server_packets" lineno="7547">
+<summary>
+Do not audit attempts to send and receive amqp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_amqp_server_packets" lineno="7562">
+<summary>
+Relabel packets to amqp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_aol_port" lineno="7584">
+<summary>
+Send and receive TCP traffic on the aol port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_aol_port" lineno="7603">
+<summary>
+Send UDP traffic on the aol port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_aol_port" lineno="7622">
+<summary>
+Do not audit attempts to send UDP traffic on the aol port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_aol_port" lineno="7641">
+<summary>
+Receive UDP traffic on the aol port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_aol_port" lineno="7660">
+<summary>
+Do not audit attempts to receive UDP traffic on the aol port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_aol_port" lineno="7679">
+<summary>
+Send and receive UDP traffic on the aol port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_aol_port" lineno="7696">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the aol port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_aol_port" lineno="7712">
+<summary>
+Bind TCP sockets to the aol port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_aol_port" lineno="7732">
+<summary>
+Bind UDP sockets to the aol port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_aol_port" lineno="7751">
+<summary>
+Make a TCP connection to the aol port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_aol_client_packets" lineno="7771">
+<summary>
+Send aol_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_aol_client_packets" lineno="7790">
+<summary>
+Do not audit attempts to send aol_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_aol_client_packets" lineno="7809">
+<summary>
+Receive aol_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_aol_client_packets" lineno="7828">
+<summary>
+Do not audit attempts to receive aol_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_aol_client_packets" lineno="7847">
+<summary>
+Send and receive aol_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_aol_client_packets" lineno="7863">
+<summary>
+Do not audit attempts to send and receive aol_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_aol_client_packets" lineno="7878">
+<summary>
+Relabel packets to aol_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_aol_server_packets" lineno="7898">
+<summary>
+Send aol_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_aol_server_packets" lineno="7917">
+<summary>
+Do not audit attempts to send aol_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_aol_server_packets" lineno="7936">
+<summary>
+Receive aol_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_aol_server_packets" lineno="7955">
+<summary>
+Do not audit attempts to receive aol_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_aol_server_packets" lineno="7974">
+<summary>
+Send and receive aol_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_aol_server_packets" lineno="7990">
+<summary>
+Do not audit attempts to send and receive aol_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_aol_server_packets" lineno="8005">
+<summary>
+Relabel packets to aol_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_apcupsd_port" lineno="8027">
+<summary>
+Send and receive TCP traffic on the apcupsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_apcupsd_port" lineno="8046">
+<summary>
+Send UDP traffic on the apcupsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_apcupsd_port" lineno="8065">
+<summary>
+Do not audit attempts to send UDP traffic on the apcupsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_apcupsd_port" lineno="8084">
+<summary>
+Receive UDP traffic on the apcupsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_apcupsd_port" lineno="8103">
+<summary>
+Do not audit attempts to receive UDP traffic on the apcupsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_apcupsd_port" lineno="8122">
+<summary>
+Send and receive UDP traffic on the apcupsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_apcupsd_port" lineno="8139">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the apcupsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_apcupsd_port" lineno="8155">
+<summary>
+Bind TCP sockets to the apcupsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_apcupsd_port" lineno="8175">
+<summary>
+Bind UDP sockets to the apcupsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_apcupsd_port" lineno="8194">
+<summary>
+Make a TCP connection to the apcupsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_apcupsd_client_packets" lineno="8214">
+<summary>
+Send apcupsd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_apcupsd_client_packets" lineno="8233">
+<summary>
+Do not audit attempts to send apcupsd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_apcupsd_client_packets" lineno="8252">
+<summary>
+Receive apcupsd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_apcupsd_client_packets" lineno="8271">
+<summary>
+Do not audit attempts to receive apcupsd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_apcupsd_client_packets" lineno="8290">
+<summary>
+Send and receive apcupsd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_apcupsd_client_packets" lineno="8306">
+<summary>
+Do not audit attempts to send and receive apcupsd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_apcupsd_client_packets" lineno="8321">
+<summary>
+Relabel packets to apcupsd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_apcupsd_server_packets" lineno="8341">
+<summary>
+Send apcupsd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_apcupsd_server_packets" lineno="8360">
+<summary>
+Do not audit attempts to send apcupsd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_apcupsd_server_packets" lineno="8379">
+<summary>
+Receive apcupsd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_apcupsd_server_packets" lineno="8398">
+<summary>
+Do not audit attempts to receive apcupsd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_apcupsd_server_packets" lineno="8417">
+<summary>
+Send and receive apcupsd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_apcupsd_server_packets" lineno="8433">
+<summary>
+Do not audit attempts to send and receive apcupsd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_apcupsd_server_packets" lineno="8448">
+<summary>
+Relabel packets to apcupsd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_asterisk_port" lineno="8470">
+<summary>
+Send and receive TCP traffic on the asterisk port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_asterisk_port" lineno="8489">
+<summary>
+Send UDP traffic on the asterisk port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_asterisk_port" lineno="8508">
+<summary>
+Do not audit attempts to send UDP traffic on the asterisk port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_asterisk_port" lineno="8527">
+<summary>
+Receive UDP traffic on the asterisk port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_asterisk_port" lineno="8546">
+<summary>
+Do not audit attempts to receive UDP traffic on the asterisk port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_asterisk_port" lineno="8565">
+<summary>
+Send and receive UDP traffic on the asterisk port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_asterisk_port" lineno="8582">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the asterisk port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_asterisk_port" lineno="8598">
+<summary>
+Bind TCP sockets to the asterisk port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_asterisk_port" lineno="8618">
+<summary>
+Bind UDP sockets to the asterisk port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_asterisk_port" lineno="8637">
+<summary>
+Make a TCP connection to the asterisk port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_asterisk_client_packets" lineno="8657">
+<summary>
+Send asterisk_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_asterisk_client_packets" lineno="8676">
+<summary>
+Do not audit attempts to send asterisk_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_asterisk_client_packets" lineno="8695">
+<summary>
+Receive asterisk_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_asterisk_client_packets" lineno="8714">
+<summary>
+Do not audit attempts to receive asterisk_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_asterisk_client_packets" lineno="8733">
+<summary>
+Send and receive asterisk_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_asterisk_client_packets" lineno="8749">
+<summary>
+Do not audit attempts to send and receive asterisk_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_asterisk_client_packets" lineno="8764">
+<summary>
+Relabel packets to asterisk_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_asterisk_server_packets" lineno="8784">
+<summary>
+Send asterisk_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_asterisk_server_packets" lineno="8803">
+<summary>
+Do not audit attempts to send asterisk_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_asterisk_server_packets" lineno="8822">
+<summary>
+Receive asterisk_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_asterisk_server_packets" lineno="8841">
+<summary>
+Do not audit attempts to receive asterisk_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_asterisk_server_packets" lineno="8860">
+<summary>
+Send and receive asterisk_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_asterisk_server_packets" lineno="8876">
+<summary>
+Do not audit attempts to send and receive asterisk_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_asterisk_server_packets" lineno="8891">
+<summary>
+Relabel packets to asterisk_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_audit_port" lineno="8913">
+<summary>
+Send and receive TCP traffic on the audit port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_audit_port" lineno="8932">
+<summary>
+Send UDP traffic on the audit port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_audit_port" lineno="8951">
+<summary>
+Do not audit attempts to send UDP traffic on the audit port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_audit_port" lineno="8970">
+<summary>
+Receive UDP traffic on the audit port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_audit_port" lineno="8989">
+<summary>
+Do not audit attempts to receive UDP traffic on the audit port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_audit_port" lineno="9008">
+<summary>
+Send and receive UDP traffic on the audit port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_audit_port" lineno="9025">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the audit port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_audit_port" lineno="9041">
+<summary>
+Bind TCP sockets to the audit port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_audit_port" lineno="9061">
+<summary>
+Bind UDP sockets to the audit port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_audit_port" lineno="9080">
+<summary>
+Make a TCP connection to the audit port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_audit_client_packets" lineno="9100">
+<summary>
+Send audit_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_audit_client_packets" lineno="9119">
+<summary>
+Do not audit attempts to send audit_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_audit_client_packets" lineno="9138">
+<summary>
+Receive audit_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_audit_client_packets" lineno="9157">
+<summary>
+Do not audit attempts to receive audit_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_audit_client_packets" lineno="9176">
+<summary>
+Send and receive audit_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_audit_client_packets" lineno="9192">
+<summary>
+Do not audit attempts to send and receive audit_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_audit_client_packets" lineno="9207">
+<summary>
+Relabel packets to audit_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_audit_server_packets" lineno="9227">
+<summary>
+Send audit_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_audit_server_packets" lineno="9246">
+<summary>
+Do not audit attempts to send audit_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_audit_server_packets" lineno="9265">
+<summary>
+Receive audit_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_audit_server_packets" lineno="9284">
+<summary>
+Do not audit attempts to receive audit_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_audit_server_packets" lineno="9303">
+<summary>
+Send and receive audit_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_audit_server_packets" lineno="9319">
+<summary>
+Do not audit attempts to send and receive audit_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_audit_server_packets" lineno="9334">
+<summary>
+Relabel packets to audit_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_auth_port" lineno="9356">
+<summary>
+Send and receive TCP traffic on the auth port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_auth_port" lineno="9375">
+<summary>
+Send UDP traffic on the auth port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_auth_port" lineno="9394">
+<summary>
+Do not audit attempts to send UDP traffic on the auth port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_auth_port" lineno="9413">
+<summary>
+Receive UDP traffic on the auth port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_auth_port" lineno="9432">
+<summary>
+Do not audit attempts to receive UDP traffic on the auth port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_auth_port" lineno="9451">
+<summary>
+Send and receive UDP traffic on the auth port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_auth_port" lineno="9468">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the auth port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_auth_port" lineno="9484">
+<summary>
+Bind TCP sockets to the auth port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_auth_port" lineno="9504">
+<summary>
+Bind UDP sockets to the auth port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_auth_port" lineno="9523">
+<summary>
+Make a TCP connection to the auth port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_auth_client_packets" lineno="9543">
+<summary>
+Send auth_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_auth_client_packets" lineno="9562">
+<summary>
+Do not audit attempts to send auth_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_auth_client_packets" lineno="9581">
+<summary>
+Receive auth_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_auth_client_packets" lineno="9600">
+<summary>
+Do not audit attempts to receive auth_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_auth_client_packets" lineno="9619">
+<summary>
+Send and receive auth_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_auth_client_packets" lineno="9635">
+<summary>
+Do not audit attempts to send and receive auth_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_auth_client_packets" lineno="9650">
+<summary>
+Relabel packets to auth_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_auth_server_packets" lineno="9670">
+<summary>
+Send auth_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_auth_server_packets" lineno="9689">
+<summary>
+Do not audit attempts to send auth_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_auth_server_packets" lineno="9708">
+<summary>
+Receive auth_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_auth_server_packets" lineno="9727">
+<summary>
+Do not audit attempts to receive auth_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_auth_server_packets" lineno="9746">
+<summary>
+Send and receive auth_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_auth_server_packets" lineno="9762">
+<summary>
+Do not audit attempts to send and receive auth_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_auth_server_packets" lineno="9777">
+<summary>
+Relabel packets to auth_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_bgp_port" lineno="9799">
+<summary>
+Send and receive TCP traffic on the bgp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_bgp_port" lineno="9818">
+<summary>
+Send UDP traffic on the bgp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_bgp_port" lineno="9837">
+<summary>
+Do not audit attempts to send UDP traffic on the bgp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_bgp_port" lineno="9856">
+<summary>
+Receive UDP traffic on the bgp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_bgp_port" lineno="9875">
+<summary>
+Do not audit attempts to receive UDP traffic on the bgp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_bgp_port" lineno="9894">
+<summary>
+Send and receive UDP traffic on the bgp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_bgp_port" lineno="9911">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the bgp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_bgp_port" lineno="9927">
+<summary>
+Bind TCP sockets to the bgp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_bgp_port" lineno="9947">
+<summary>
+Bind UDP sockets to the bgp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_bgp_port" lineno="9966">
+<summary>
+Make a TCP connection to the bgp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_bgp_client_packets" lineno="9986">
+<summary>
+Send bgp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_bgp_client_packets" lineno="10005">
+<summary>
+Do not audit attempts to send bgp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_bgp_client_packets" lineno="10024">
+<summary>
+Receive bgp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_bgp_client_packets" lineno="10043">
+<summary>
+Do not audit attempts to receive bgp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_bgp_client_packets" lineno="10062">
+<summary>
+Send and receive bgp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_bgp_client_packets" lineno="10078">
+<summary>
+Do not audit attempts to send and receive bgp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_bgp_client_packets" lineno="10093">
+<summary>
+Relabel packets to bgp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_bgp_server_packets" lineno="10113">
+<summary>
+Send bgp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_bgp_server_packets" lineno="10132">
+<summary>
+Do not audit attempts to send bgp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_bgp_server_packets" lineno="10151">
+<summary>
+Receive bgp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_bgp_server_packets" lineno="10170">
+<summary>
+Do not audit attempts to receive bgp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_bgp_server_packets" lineno="10189">
+<summary>
+Send and receive bgp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_bgp_server_packets" lineno="10205">
+<summary>
+Do not audit attempts to send and receive bgp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_bgp_server_packets" lineno="10220">
+<summary>
+Relabel packets to bgp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_boinc_port" lineno="10242">
+<summary>
+Send and receive TCP traffic on the boinc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_boinc_port" lineno="10261">
+<summary>
+Send UDP traffic on the boinc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_boinc_port" lineno="10280">
+<summary>
+Do not audit attempts to send UDP traffic on the boinc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_boinc_port" lineno="10299">
+<summary>
+Receive UDP traffic on the boinc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_boinc_port" lineno="10318">
+<summary>
+Do not audit attempts to receive UDP traffic on the boinc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_boinc_port" lineno="10337">
+<summary>
+Send and receive UDP traffic on the boinc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_boinc_port" lineno="10354">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the boinc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_boinc_port" lineno="10370">
+<summary>
+Bind TCP sockets to the boinc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_boinc_port" lineno="10390">
+<summary>
+Bind UDP sockets to the boinc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_boinc_port" lineno="10409">
+<summary>
+Make a TCP connection to the boinc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_boinc_client_packets" lineno="10429">
+<summary>
+Send boinc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_boinc_client_packets" lineno="10448">
+<summary>
+Do not audit attempts to send boinc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_boinc_client_packets" lineno="10467">
+<summary>
+Receive boinc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_boinc_client_packets" lineno="10486">
+<summary>
+Do not audit attempts to receive boinc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_boinc_client_packets" lineno="10505">
+<summary>
+Send and receive boinc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_boinc_client_packets" lineno="10521">
+<summary>
+Do not audit attempts to send and receive boinc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_boinc_client_packets" lineno="10536">
+<summary>
+Relabel packets to boinc_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_boinc_server_packets" lineno="10556">
+<summary>
+Send boinc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_boinc_server_packets" lineno="10575">
+<summary>
+Do not audit attempts to send boinc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_boinc_server_packets" lineno="10594">
+<summary>
+Receive boinc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_boinc_server_packets" lineno="10613">
+<summary>
+Do not audit attempts to receive boinc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_boinc_server_packets" lineno="10632">
+<summary>
+Send and receive boinc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_boinc_server_packets" lineno="10648">
+<summary>
+Do not audit attempts to send and receive boinc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_boinc_server_packets" lineno="10663">
+<summary>
+Relabel packets to boinc_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_biff_port" lineno="10685">
+<summary>
+Send and receive TCP traffic on the biff port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_biff_port" lineno="10704">
+<summary>
+Send UDP traffic on the biff port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_biff_port" lineno="10723">
+<summary>
+Do not audit attempts to send UDP traffic on the biff port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_biff_port" lineno="10742">
+<summary>
+Receive UDP traffic on the biff port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_biff_port" lineno="10761">
+<summary>
+Do not audit attempts to receive UDP traffic on the biff port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_biff_port" lineno="10780">
+<summary>
+Send and receive UDP traffic on the biff port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_biff_port" lineno="10797">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the biff port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_biff_port" lineno="10813">
+<summary>
+Bind TCP sockets to the biff port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_biff_port" lineno="10833">
+<summary>
+Bind UDP sockets to the biff port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_biff_port" lineno="10852">
+<summary>
+Make a TCP connection to the biff port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_biff_client_packets" lineno="10872">
+<summary>
+Send biff_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_biff_client_packets" lineno="10891">
+<summary>
+Do not audit attempts to send biff_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_biff_client_packets" lineno="10910">
+<summary>
+Receive biff_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_biff_client_packets" lineno="10929">
+<summary>
+Do not audit attempts to receive biff_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_biff_client_packets" lineno="10948">
+<summary>
+Send and receive biff_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_biff_client_packets" lineno="10964">
+<summary>
+Do not audit attempts to send and receive biff_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_biff_client_packets" lineno="10979">
+<summary>
+Relabel packets to biff_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_biff_server_packets" lineno="10999">
+<summary>
+Send biff_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_biff_server_packets" lineno="11018">
+<summary>
+Do not audit attempts to send biff_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_biff_server_packets" lineno="11037">
+<summary>
+Receive biff_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_biff_server_packets" lineno="11056">
+<summary>
+Do not audit attempts to receive biff_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_biff_server_packets" lineno="11075">
+<summary>
+Send and receive biff_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_biff_server_packets" lineno="11091">
+<summary>
+Do not audit attempts to send and receive biff_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_biff_server_packets" lineno="11106">
+<summary>
+Relabel packets to biff_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_certmaster_port" lineno="11128">
+<summary>
+Send and receive TCP traffic on the certmaster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_certmaster_port" lineno="11147">
+<summary>
+Send UDP traffic on the certmaster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_certmaster_port" lineno="11166">
+<summary>
+Do not audit attempts to send UDP traffic on the certmaster port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_certmaster_port" lineno="11185">
+<summary>
+Receive UDP traffic on the certmaster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_certmaster_port" lineno="11204">
+<summary>
+Do not audit attempts to receive UDP traffic on the certmaster port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_certmaster_port" lineno="11223">
+<summary>
+Send and receive UDP traffic on the certmaster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_certmaster_port" lineno="11240">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the certmaster port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_certmaster_port" lineno="11256">
+<summary>
+Bind TCP sockets to the certmaster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_certmaster_port" lineno="11276">
+<summary>
+Bind UDP sockets to the certmaster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_certmaster_port" lineno="11295">
+<summary>
+Make a TCP connection to the certmaster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_certmaster_client_packets" lineno="11315">
+<summary>
+Send certmaster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_certmaster_client_packets" lineno="11334">
+<summary>
+Do not audit attempts to send certmaster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_certmaster_client_packets" lineno="11353">
+<summary>
+Receive certmaster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_certmaster_client_packets" lineno="11372">
+<summary>
+Do not audit attempts to receive certmaster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_certmaster_client_packets" lineno="11391">
+<summary>
+Send and receive certmaster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_certmaster_client_packets" lineno="11407">
+<summary>
+Do not audit attempts to send and receive certmaster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_certmaster_client_packets" lineno="11422">
+<summary>
+Relabel packets to certmaster_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_certmaster_server_packets" lineno="11442">
+<summary>
+Send certmaster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_certmaster_server_packets" lineno="11461">
+<summary>
+Do not audit attempts to send certmaster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_certmaster_server_packets" lineno="11480">
+<summary>
+Receive certmaster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_certmaster_server_packets" lineno="11499">
+<summary>
+Do not audit attempts to receive certmaster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_certmaster_server_packets" lineno="11518">
+<summary>
+Send and receive certmaster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_certmaster_server_packets" lineno="11534">
+<summary>
+Do not audit attempts to send and receive certmaster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_certmaster_server_packets" lineno="11549">
+<summary>
+Relabel packets to certmaster_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_chronyd_port" lineno="11571">
+<summary>
+Send and receive TCP traffic on the chronyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_chronyd_port" lineno="11590">
+<summary>
+Send UDP traffic on the chronyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_chronyd_port" lineno="11609">
+<summary>
+Do not audit attempts to send UDP traffic on the chronyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_chronyd_port" lineno="11628">
+<summary>
+Receive UDP traffic on the chronyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_chronyd_port" lineno="11647">
+<summary>
+Do not audit attempts to receive UDP traffic on the chronyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_chronyd_port" lineno="11666">
+<summary>
+Send and receive UDP traffic on the chronyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_chronyd_port" lineno="11683">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the chronyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_chronyd_port" lineno="11699">
+<summary>
+Bind TCP sockets to the chronyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_chronyd_port" lineno="11719">
+<summary>
+Bind UDP sockets to the chronyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_chronyd_port" lineno="11738">
+<summary>
+Make a TCP connection to the chronyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_chronyd_client_packets" lineno="11758">
+<summary>
+Send chronyd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_chronyd_client_packets" lineno="11777">
+<summary>
+Do not audit attempts to send chronyd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_chronyd_client_packets" lineno="11796">
+<summary>
+Receive chronyd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_chronyd_client_packets" lineno="11815">
+<summary>
+Do not audit attempts to receive chronyd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_chronyd_client_packets" lineno="11834">
+<summary>
+Send and receive chronyd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_chronyd_client_packets" lineno="11850">
+<summary>
+Do not audit attempts to send and receive chronyd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_chronyd_client_packets" lineno="11865">
+<summary>
+Relabel packets to chronyd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_chronyd_server_packets" lineno="11885">
+<summary>
+Send chronyd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_chronyd_server_packets" lineno="11904">
+<summary>
+Do not audit attempts to send chronyd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_chronyd_server_packets" lineno="11923">
+<summary>
+Receive chronyd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_chronyd_server_packets" lineno="11942">
+<summary>
+Do not audit attempts to receive chronyd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_chronyd_server_packets" lineno="11961">
+<summary>
+Send and receive chronyd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_chronyd_server_packets" lineno="11977">
+<summary>
+Do not audit attempts to send and receive chronyd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_chronyd_server_packets" lineno="11992">
+<summary>
+Relabel packets to chronyd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_clamd_port" lineno="12014">
+<summary>
+Send and receive TCP traffic on the clamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_clamd_port" lineno="12033">
+<summary>
+Send UDP traffic on the clamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_clamd_port" lineno="12052">
+<summary>
+Do not audit attempts to send UDP traffic on the clamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_clamd_port" lineno="12071">
+<summary>
+Receive UDP traffic on the clamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_clamd_port" lineno="12090">
+<summary>
+Do not audit attempts to receive UDP traffic on the clamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_clamd_port" lineno="12109">
+<summary>
+Send and receive UDP traffic on the clamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_clamd_port" lineno="12126">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the clamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_clamd_port" lineno="12142">
+<summary>
+Bind TCP sockets to the clamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_clamd_port" lineno="12162">
+<summary>
+Bind UDP sockets to the clamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_clamd_port" lineno="12181">
+<summary>
+Make a TCP connection to the clamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_clamd_client_packets" lineno="12201">
+<summary>
+Send clamd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_clamd_client_packets" lineno="12220">
+<summary>
+Do not audit attempts to send clamd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_clamd_client_packets" lineno="12239">
+<summary>
+Receive clamd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_clamd_client_packets" lineno="12258">
+<summary>
+Do not audit attempts to receive clamd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_clamd_client_packets" lineno="12277">
+<summary>
+Send and receive clamd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_clamd_client_packets" lineno="12293">
+<summary>
+Do not audit attempts to send and receive clamd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_clamd_client_packets" lineno="12308">
+<summary>
+Relabel packets to clamd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_clamd_server_packets" lineno="12328">
+<summary>
+Send clamd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_clamd_server_packets" lineno="12347">
+<summary>
+Do not audit attempts to send clamd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_clamd_server_packets" lineno="12366">
+<summary>
+Receive clamd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_clamd_server_packets" lineno="12385">
+<summary>
+Do not audit attempts to receive clamd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_clamd_server_packets" lineno="12404">
+<summary>
+Send and receive clamd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_clamd_server_packets" lineno="12420">
+<summary>
+Do not audit attempts to send and receive clamd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_clamd_server_packets" lineno="12435">
+<summary>
+Relabel packets to clamd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_clockspeed_port" lineno="12457">
+<summary>
+Send and receive TCP traffic on the clockspeed port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_clockspeed_port" lineno="12476">
+<summary>
+Send UDP traffic on the clockspeed port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_clockspeed_port" lineno="12495">
+<summary>
+Do not audit attempts to send UDP traffic on the clockspeed port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_clockspeed_port" lineno="12514">
+<summary>
+Receive UDP traffic on the clockspeed port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_clockspeed_port" lineno="12533">
+<summary>
+Do not audit attempts to receive UDP traffic on the clockspeed port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_clockspeed_port" lineno="12552">
+<summary>
+Send and receive UDP traffic on the clockspeed port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_clockspeed_port" lineno="12569">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the clockspeed port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_clockspeed_port" lineno="12585">
+<summary>
+Bind TCP sockets to the clockspeed port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_clockspeed_port" lineno="12605">
+<summary>
+Bind UDP sockets to the clockspeed port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_clockspeed_port" lineno="12624">
+<summary>
+Make a TCP connection to the clockspeed port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_clockspeed_client_packets" lineno="12644">
+<summary>
+Send clockspeed_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_clockspeed_client_packets" lineno="12663">
+<summary>
+Do not audit attempts to send clockspeed_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_clockspeed_client_packets" lineno="12682">
+<summary>
+Receive clockspeed_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_clockspeed_client_packets" lineno="12701">
+<summary>
+Do not audit attempts to receive clockspeed_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_clockspeed_client_packets" lineno="12720">
+<summary>
+Send and receive clockspeed_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_clockspeed_client_packets" lineno="12736">
+<summary>
+Do not audit attempts to send and receive clockspeed_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_clockspeed_client_packets" lineno="12751">
+<summary>
+Relabel packets to clockspeed_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_clockspeed_server_packets" lineno="12771">
+<summary>
+Send clockspeed_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_clockspeed_server_packets" lineno="12790">
+<summary>
+Do not audit attempts to send clockspeed_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_clockspeed_server_packets" lineno="12809">
+<summary>
+Receive clockspeed_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_clockspeed_server_packets" lineno="12828">
+<summary>
+Do not audit attempts to receive clockspeed_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_clockspeed_server_packets" lineno="12847">
+<summary>
+Send and receive clockspeed_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_clockspeed_server_packets" lineno="12863">
+<summary>
+Do not audit attempts to send and receive clockspeed_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_clockspeed_server_packets" lineno="12878">
+<summary>
+Relabel packets to clockspeed_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_cluster_port" lineno="12900">
+<summary>
+Send and receive TCP traffic on the cluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_cluster_port" lineno="12919">
+<summary>
+Send UDP traffic on the cluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_cluster_port" lineno="12938">
+<summary>
+Do not audit attempts to send UDP traffic on the cluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_cluster_port" lineno="12957">
+<summary>
+Receive UDP traffic on the cluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_cluster_port" lineno="12976">
+<summary>
+Do not audit attempts to receive UDP traffic on the cluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_cluster_port" lineno="12995">
+<summary>
+Send and receive UDP traffic on the cluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_cluster_port" lineno="13012">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the cluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_cluster_port" lineno="13028">
+<summary>
+Bind TCP sockets to the cluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_cluster_port" lineno="13048">
+<summary>
+Bind UDP sockets to the cluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_cluster_port" lineno="13067">
+<summary>
+Make a TCP connection to the cluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_cluster_client_packets" lineno="13087">
+<summary>
+Send cluster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_cluster_client_packets" lineno="13106">
+<summary>
+Do not audit attempts to send cluster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_cluster_client_packets" lineno="13125">
+<summary>
+Receive cluster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_cluster_client_packets" lineno="13144">
+<summary>
+Do not audit attempts to receive cluster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_cluster_client_packets" lineno="13163">
+<summary>
+Send and receive cluster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_cluster_client_packets" lineno="13179">
+<summary>
+Do not audit attempts to send and receive cluster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_cluster_client_packets" lineno="13194">
+<summary>
+Relabel packets to cluster_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_cluster_server_packets" lineno="13214">
+<summary>
+Send cluster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_cluster_server_packets" lineno="13233">
+<summary>
+Do not audit attempts to send cluster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_cluster_server_packets" lineno="13252">
+<summary>
+Receive cluster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_cluster_server_packets" lineno="13271">
+<summary>
+Do not audit attempts to receive cluster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_cluster_server_packets" lineno="13290">
+<summary>
+Send and receive cluster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_cluster_server_packets" lineno="13306">
+<summary>
+Do not audit attempts to send and receive cluster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_cluster_server_packets" lineno="13321">
+<summary>
+Relabel packets to cluster_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_cobbler_port" lineno="13343">
+<summary>
+Send and receive TCP traffic on the cobbler port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_cobbler_port" lineno="13362">
+<summary>
+Send UDP traffic on the cobbler port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_cobbler_port" lineno="13381">
+<summary>
+Do not audit attempts to send UDP traffic on the cobbler port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_cobbler_port" lineno="13400">
+<summary>
+Receive UDP traffic on the cobbler port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_cobbler_port" lineno="13419">
+<summary>
+Do not audit attempts to receive UDP traffic on the cobbler port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_cobbler_port" lineno="13438">
+<summary>
+Send and receive UDP traffic on the cobbler port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_cobbler_port" lineno="13455">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the cobbler port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_cobbler_port" lineno="13471">
+<summary>
+Bind TCP sockets to the cobbler port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_cobbler_port" lineno="13491">
+<summary>
+Bind UDP sockets to the cobbler port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_cobbler_port" lineno="13510">
+<summary>
+Make a TCP connection to the cobbler port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_cobbler_client_packets" lineno="13530">
+<summary>
+Send cobbler_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_cobbler_client_packets" lineno="13549">
+<summary>
+Do not audit attempts to send cobbler_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_cobbler_client_packets" lineno="13568">
+<summary>
+Receive cobbler_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_cobbler_client_packets" lineno="13587">
+<summary>
+Do not audit attempts to receive cobbler_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_cobbler_client_packets" lineno="13606">
+<summary>
+Send and receive cobbler_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_cobbler_client_packets" lineno="13622">
+<summary>
+Do not audit attempts to send and receive cobbler_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_cobbler_client_packets" lineno="13637">
+<summary>
+Relabel packets to cobbler_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_cobbler_server_packets" lineno="13657">
+<summary>
+Send cobbler_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_cobbler_server_packets" lineno="13676">
+<summary>
+Do not audit attempts to send cobbler_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_cobbler_server_packets" lineno="13695">
+<summary>
+Receive cobbler_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_cobbler_server_packets" lineno="13714">
+<summary>
+Do not audit attempts to receive cobbler_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_cobbler_server_packets" lineno="13733">
+<summary>
+Send and receive cobbler_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_cobbler_server_packets" lineno="13749">
+<summary>
+Do not audit attempts to send and receive cobbler_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_cobbler_server_packets" lineno="13764">
+<summary>
+Relabel packets to cobbler_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_comsat_port" lineno="13786">
+<summary>
+Send and receive TCP traffic on the comsat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_comsat_port" lineno="13805">
+<summary>
+Send UDP traffic on the comsat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_comsat_port" lineno="13824">
+<summary>
+Do not audit attempts to send UDP traffic on the comsat port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_comsat_port" lineno="13843">
+<summary>
+Receive UDP traffic on the comsat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_comsat_port" lineno="13862">
+<summary>
+Do not audit attempts to receive UDP traffic on the comsat port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_comsat_port" lineno="13881">
+<summary>
+Send and receive UDP traffic on the comsat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_comsat_port" lineno="13898">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the comsat port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_comsat_port" lineno="13914">
+<summary>
+Bind TCP sockets to the comsat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_comsat_port" lineno="13934">
+<summary>
+Bind UDP sockets to the comsat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_comsat_port" lineno="13953">
+<summary>
+Make a TCP connection to the comsat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_comsat_client_packets" lineno="13973">
+<summary>
+Send comsat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_comsat_client_packets" lineno="13992">
+<summary>
+Do not audit attempts to send comsat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_comsat_client_packets" lineno="14011">
+<summary>
+Receive comsat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_comsat_client_packets" lineno="14030">
+<summary>
+Do not audit attempts to receive comsat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_comsat_client_packets" lineno="14049">
+<summary>
+Send and receive comsat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_comsat_client_packets" lineno="14065">
+<summary>
+Do not audit attempts to send and receive comsat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_comsat_client_packets" lineno="14080">
+<summary>
+Relabel packets to comsat_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_comsat_server_packets" lineno="14100">
+<summary>
+Send comsat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_comsat_server_packets" lineno="14119">
+<summary>
+Do not audit attempts to send comsat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_comsat_server_packets" lineno="14138">
+<summary>
+Receive comsat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_comsat_server_packets" lineno="14157">
+<summary>
+Do not audit attempts to receive comsat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_comsat_server_packets" lineno="14176">
+<summary>
+Send and receive comsat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_comsat_server_packets" lineno="14192">
+<summary>
+Do not audit attempts to send and receive comsat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_comsat_server_packets" lineno="14207">
+<summary>
+Relabel packets to comsat_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_cvs_port" lineno="14229">
+<summary>
+Send and receive TCP traffic on the cvs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_cvs_port" lineno="14248">
+<summary>
+Send UDP traffic on the cvs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_cvs_port" lineno="14267">
+<summary>
+Do not audit attempts to send UDP traffic on the cvs port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_cvs_port" lineno="14286">
+<summary>
+Receive UDP traffic on the cvs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_cvs_port" lineno="14305">
+<summary>
+Do not audit attempts to receive UDP traffic on the cvs port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_cvs_port" lineno="14324">
+<summary>
+Send and receive UDP traffic on the cvs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_cvs_port" lineno="14341">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the cvs port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_cvs_port" lineno="14357">
+<summary>
+Bind TCP sockets to the cvs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_cvs_port" lineno="14377">
+<summary>
+Bind UDP sockets to the cvs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_cvs_port" lineno="14396">
+<summary>
+Make a TCP connection to the cvs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_cvs_client_packets" lineno="14416">
+<summary>
+Send cvs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_cvs_client_packets" lineno="14435">
+<summary>
+Do not audit attempts to send cvs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_cvs_client_packets" lineno="14454">
+<summary>
+Receive cvs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_cvs_client_packets" lineno="14473">
+<summary>
+Do not audit attempts to receive cvs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_cvs_client_packets" lineno="14492">
+<summary>
+Send and receive cvs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_cvs_client_packets" lineno="14508">
+<summary>
+Do not audit attempts to send and receive cvs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_cvs_client_packets" lineno="14523">
+<summary>
+Relabel packets to cvs_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_cvs_server_packets" lineno="14543">
+<summary>
+Send cvs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_cvs_server_packets" lineno="14562">
+<summary>
+Do not audit attempts to send cvs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_cvs_server_packets" lineno="14581">
+<summary>
+Receive cvs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_cvs_server_packets" lineno="14600">
+<summary>
+Do not audit attempts to receive cvs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_cvs_server_packets" lineno="14619">
+<summary>
+Send and receive cvs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_cvs_server_packets" lineno="14635">
+<summary>
+Do not audit attempts to send and receive cvs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_cvs_server_packets" lineno="14650">
+<summary>
+Relabel packets to cvs_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_cyphesis_port" lineno="14672">
+<summary>
+Send and receive TCP traffic on the cyphesis port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_cyphesis_port" lineno="14691">
+<summary>
+Send UDP traffic on the cyphesis port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_cyphesis_port" lineno="14710">
+<summary>
+Do not audit attempts to send UDP traffic on the cyphesis port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_cyphesis_port" lineno="14729">
+<summary>
+Receive UDP traffic on the cyphesis port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_cyphesis_port" lineno="14748">
+<summary>
+Do not audit attempts to receive UDP traffic on the cyphesis port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_cyphesis_port" lineno="14767">
+<summary>
+Send and receive UDP traffic on the cyphesis port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_cyphesis_port" lineno="14784">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the cyphesis port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_cyphesis_port" lineno="14800">
+<summary>
+Bind TCP sockets to the cyphesis port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_cyphesis_port" lineno="14820">
+<summary>
+Bind UDP sockets to the cyphesis port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_cyphesis_port" lineno="14839">
+<summary>
+Make a TCP connection to the cyphesis port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_cyphesis_client_packets" lineno="14859">
+<summary>
+Send cyphesis_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_cyphesis_client_packets" lineno="14878">
+<summary>
+Do not audit attempts to send cyphesis_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_cyphesis_client_packets" lineno="14897">
+<summary>
+Receive cyphesis_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_cyphesis_client_packets" lineno="14916">
+<summary>
+Do not audit attempts to receive cyphesis_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_cyphesis_client_packets" lineno="14935">
+<summary>
+Send and receive cyphesis_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_cyphesis_client_packets" lineno="14951">
+<summary>
+Do not audit attempts to send and receive cyphesis_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_cyphesis_client_packets" lineno="14966">
+<summary>
+Relabel packets to cyphesis_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_cyphesis_server_packets" lineno="14986">
+<summary>
+Send cyphesis_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_cyphesis_server_packets" lineno="15005">
+<summary>
+Do not audit attempts to send cyphesis_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_cyphesis_server_packets" lineno="15024">
+<summary>
+Receive cyphesis_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_cyphesis_server_packets" lineno="15043">
+<summary>
+Do not audit attempts to receive cyphesis_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_cyphesis_server_packets" lineno="15062">
+<summary>
+Send and receive cyphesis_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_cyphesis_server_packets" lineno="15078">
+<summary>
+Do not audit attempts to send and receive cyphesis_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_cyphesis_server_packets" lineno="15093">
+<summary>
+Relabel packets to cyphesis_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_daap_port" lineno="15115">
+<summary>
+Send and receive TCP traffic on the daap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_daap_port" lineno="15134">
+<summary>
+Send UDP traffic on the daap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_daap_port" lineno="15153">
+<summary>
+Do not audit attempts to send UDP traffic on the daap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_daap_port" lineno="15172">
+<summary>
+Receive UDP traffic on the daap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_daap_port" lineno="15191">
+<summary>
+Do not audit attempts to receive UDP traffic on the daap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_daap_port" lineno="15210">
+<summary>
+Send and receive UDP traffic on the daap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_daap_port" lineno="15227">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the daap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_daap_port" lineno="15243">
+<summary>
+Bind TCP sockets to the daap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_daap_port" lineno="15263">
+<summary>
+Bind UDP sockets to the daap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_daap_port" lineno="15282">
+<summary>
+Make a TCP connection to the daap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_daap_client_packets" lineno="15302">
+<summary>
+Send daap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_daap_client_packets" lineno="15321">
+<summary>
+Do not audit attempts to send daap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_daap_client_packets" lineno="15340">
+<summary>
+Receive daap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_daap_client_packets" lineno="15359">
+<summary>
+Do not audit attempts to receive daap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_daap_client_packets" lineno="15378">
+<summary>
+Send and receive daap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_daap_client_packets" lineno="15394">
+<summary>
+Do not audit attempts to send and receive daap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_daap_client_packets" lineno="15409">
+<summary>
+Relabel packets to daap_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_daap_server_packets" lineno="15429">
+<summary>
+Send daap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_daap_server_packets" lineno="15448">
+<summary>
+Do not audit attempts to send daap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_daap_server_packets" lineno="15467">
+<summary>
+Receive daap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_daap_server_packets" lineno="15486">
+<summary>
+Do not audit attempts to receive daap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_daap_server_packets" lineno="15505">
+<summary>
+Send and receive daap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_daap_server_packets" lineno="15521">
+<summary>
+Do not audit attempts to send and receive daap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_daap_server_packets" lineno="15536">
+<summary>
+Relabel packets to daap_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_dbskkd_port" lineno="15558">
+<summary>
+Send and receive TCP traffic on the dbskkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_dbskkd_port" lineno="15577">
+<summary>
+Send UDP traffic on the dbskkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_dbskkd_port" lineno="15596">
+<summary>
+Do not audit attempts to send UDP traffic on the dbskkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_dbskkd_port" lineno="15615">
+<summary>
+Receive UDP traffic on the dbskkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_dbskkd_port" lineno="15634">
+<summary>
+Do not audit attempts to receive UDP traffic on the dbskkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_dbskkd_port" lineno="15653">
+<summary>
+Send and receive UDP traffic on the dbskkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_dbskkd_port" lineno="15670">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the dbskkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_dbskkd_port" lineno="15686">
+<summary>
+Bind TCP sockets to the dbskkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_dbskkd_port" lineno="15706">
+<summary>
+Bind UDP sockets to the dbskkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_dbskkd_port" lineno="15725">
+<summary>
+Make a TCP connection to the dbskkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_dbskkd_client_packets" lineno="15745">
+<summary>
+Send dbskkd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_dbskkd_client_packets" lineno="15764">
+<summary>
+Do not audit attempts to send dbskkd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_dbskkd_client_packets" lineno="15783">
+<summary>
+Receive dbskkd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_dbskkd_client_packets" lineno="15802">
+<summary>
+Do not audit attempts to receive dbskkd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_dbskkd_client_packets" lineno="15821">
+<summary>
+Send and receive dbskkd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_dbskkd_client_packets" lineno="15837">
+<summary>
+Do not audit attempts to send and receive dbskkd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_dbskkd_client_packets" lineno="15852">
+<summary>
+Relabel packets to dbskkd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_dbskkd_server_packets" lineno="15872">
+<summary>
+Send dbskkd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_dbskkd_server_packets" lineno="15891">
+<summary>
+Do not audit attempts to send dbskkd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_dbskkd_server_packets" lineno="15910">
+<summary>
+Receive dbskkd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_dbskkd_server_packets" lineno="15929">
+<summary>
+Do not audit attempts to receive dbskkd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_dbskkd_server_packets" lineno="15948">
+<summary>
+Send and receive dbskkd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_dbskkd_server_packets" lineno="15964">
+<summary>
+Do not audit attempts to send and receive dbskkd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_dbskkd_server_packets" lineno="15979">
+<summary>
+Relabel packets to dbskkd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_dcc_port" lineno="16001">
+<summary>
+Send and receive TCP traffic on the dcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_dcc_port" lineno="16020">
+<summary>
+Send UDP traffic on the dcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_dcc_port" lineno="16039">
+<summary>
+Do not audit attempts to send UDP traffic on the dcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_dcc_port" lineno="16058">
+<summary>
+Receive UDP traffic on the dcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_dcc_port" lineno="16077">
+<summary>
+Do not audit attempts to receive UDP traffic on the dcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_dcc_port" lineno="16096">
+<summary>
+Send and receive UDP traffic on the dcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_dcc_port" lineno="16113">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the dcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_dcc_port" lineno="16129">
+<summary>
+Bind TCP sockets to the dcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_dcc_port" lineno="16149">
+<summary>
+Bind UDP sockets to the dcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_dcc_port" lineno="16168">
+<summary>
+Make a TCP connection to the dcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_dcc_client_packets" lineno="16188">
+<summary>
+Send dcc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_dcc_client_packets" lineno="16207">
+<summary>
+Do not audit attempts to send dcc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_dcc_client_packets" lineno="16226">
+<summary>
+Receive dcc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_dcc_client_packets" lineno="16245">
+<summary>
+Do not audit attempts to receive dcc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_dcc_client_packets" lineno="16264">
+<summary>
+Send and receive dcc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_dcc_client_packets" lineno="16280">
+<summary>
+Do not audit attempts to send and receive dcc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_dcc_client_packets" lineno="16295">
+<summary>
+Relabel packets to dcc_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_dcc_server_packets" lineno="16315">
+<summary>
+Send dcc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_dcc_server_packets" lineno="16334">
+<summary>
+Do not audit attempts to send dcc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_dcc_server_packets" lineno="16353">
+<summary>
+Receive dcc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_dcc_server_packets" lineno="16372">
+<summary>
+Do not audit attempts to receive dcc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_dcc_server_packets" lineno="16391">
+<summary>
+Send and receive dcc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_dcc_server_packets" lineno="16407">
+<summary>
+Do not audit attempts to send and receive dcc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_dcc_server_packets" lineno="16422">
+<summary>
+Relabel packets to dcc_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_dccm_port" lineno="16444">
+<summary>
+Send and receive TCP traffic on the dccm port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_dccm_port" lineno="16463">
+<summary>
+Send UDP traffic on the dccm port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_dccm_port" lineno="16482">
+<summary>
+Do not audit attempts to send UDP traffic on the dccm port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_dccm_port" lineno="16501">
+<summary>
+Receive UDP traffic on the dccm port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_dccm_port" lineno="16520">
+<summary>
+Do not audit attempts to receive UDP traffic on the dccm port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_dccm_port" lineno="16539">
+<summary>
+Send and receive UDP traffic on the dccm port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_dccm_port" lineno="16556">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the dccm port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_dccm_port" lineno="16572">
+<summary>
+Bind TCP sockets to the dccm port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_dccm_port" lineno="16592">
+<summary>
+Bind UDP sockets to the dccm port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_dccm_port" lineno="16611">
+<summary>
+Make a TCP connection to the dccm port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_dccm_client_packets" lineno="16631">
+<summary>
+Send dccm_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_dccm_client_packets" lineno="16650">
+<summary>
+Do not audit attempts to send dccm_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_dccm_client_packets" lineno="16669">
+<summary>
+Receive dccm_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_dccm_client_packets" lineno="16688">
+<summary>
+Do not audit attempts to receive dccm_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_dccm_client_packets" lineno="16707">
+<summary>
+Send and receive dccm_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_dccm_client_packets" lineno="16723">
+<summary>
+Do not audit attempts to send and receive dccm_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_dccm_client_packets" lineno="16738">
+<summary>
+Relabel packets to dccm_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_dccm_server_packets" lineno="16758">
+<summary>
+Send dccm_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_dccm_server_packets" lineno="16777">
+<summary>
+Do not audit attempts to send dccm_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_dccm_server_packets" lineno="16796">
+<summary>
+Receive dccm_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_dccm_server_packets" lineno="16815">
+<summary>
+Do not audit attempts to receive dccm_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_dccm_server_packets" lineno="16834">
+<summary>
+Send and receive dccm_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_dccm_server_packets" lineno="16850">
+<summary>
+Do not audit attempts to send and receive dccm_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_dccm_server_packets" lineno="16865">
+<summary>
+Relabel packets to dccm_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_dhcpc_port" lineno="16887">
+<summary>
+Send and receive TCP traffic on the dhcpc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_dhcpc_port" lineno="16906">
+<summary>
+Send UDP traffic on the dhcpc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_dhcpc_port" lineno="16925">
+<summary>
+Do not audit attempts to send UDP traffic on the dhcpc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_dhcpc_port" lineno="16944">
+<summary>
+Receive UDP traffic on the dhcpc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_dhcpc_port" lineno="16963">
+<summary>
+Do not audit attempts to receive UDP traffic on the dhcpc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_dhcpc_port" lineno="16982">
+<summary>
+Send and receive UDP traffic on the dhcpc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_dhcpc_port" lineno="16999">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the dhcpc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_dhcpc_port" lineno="17015">
+<summary>
+Bind TCP sockets to the dhcpc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_dhcpc_port" lineno="17035">
+<summary>
+Bind UDP sockets to the dhcpc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_dhcpc_port" lineno="17054">
+<summary>
+Make a TCP connection to the dhcpc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_dhcpc_client_packets" lineno="17074">
+<summary>
+Send dhcpc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_dhcpc_client_packets" lineno="17093">
+<summary>
+Do not audit attempts to send dhcpc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_dhcpc_client_packets" lineno="17112">
+<summary>
+Receive dhcpc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_dhcpc_client_packets" lineno="17131">
+<summary>
+Do not audit attempts to receive dhcpc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_dhcpc_client_packets" lineno="17150">
+<summary>
+Send and receive dhcpc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_dhcpc_client_packets" lineno="17166">
+<summary>
+Do not audit attempts to send and receive dhcpc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_dhcpc_client_packets" lineno="17181">
+<summary>
+Relabel packets to dhcpc_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_dhcpc_server_packets" lineno="17201">
+<summary>
+Send dhcpc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_dhcpc_server_packets" lineno="17220">
+<summary>
+Do not audit attempts to send dhcpc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_dhcpc_server_packets" lineno="17239">
+<summary>
+Receive dhcpc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_dhcpc_server_packets" lineno="17258">
+<summary>
+Do not audit attempts to receive dhcpc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_dhcpc_server_packets" lineno="17277">
+<summary>
+Send and receive dhcpc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_dhcpc_server_packets" lineno="17293">
+<summary>
+Do not audit attempts to send and receive dhcpc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_dhcpc_server_packets" lineno="17308">
+<summary>
+Relabel packets to dhcpc_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_dhcpd_port" lineno="17330">
+<summary>
+Send and receive TCP traffic on the dhcpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_dhcpd_port" lineno="17349">
+<summary>
+Send UDP traffic on the dhcpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_dhcpd_port" lineno="17368">
+<summary>
+Do not audit attempts to send UDP traffic on the dhcpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_dhcpd_port" lineno="17387">
+<summary>
+Receive UDP traffic on the dhcpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_dhcpd_port" lineno="17406">
+<summary>
+Do not audit attempts to receive UDP traffic on the dhcpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_dhcpd_port" lineno="17425">
+<summary>
+Send and receive UDP traffic on the dhcpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_dhcpd_port" lineno="17442">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the dhcpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_dhcpd_port" lineno="17458">
+<summary>
+Bind TCP sockets to the dhcpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_dhcpd_port" lineno="17478">
+<summary>
+Bind UDP sockets to the dhcpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_dhcpd_port" lineno="17497">
+<summary>
+Make a TCP connection to the dhcpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_dhcpd_client_packets" lineno="17517">
+<summary>
+Send dhcpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_dhcpd_client_packets" lineno="17536">
+<summary>
+Do not audit attempts to send dhcpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_dhcpd_client_packets" lineno="17555">
+<summary>
+Receive dhcpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_dhcpd_client_packets" lineno="17574">
+<summary>
+Do not audit attempts to receive dhcpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_dhcpd_client_packets" lineno="17593">
+<summary>
+Send and receive dhcpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_dhcpd_client_packets" lineno="17609">
+<summary>
+Do not audit attempts to send and receive dhcpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_dhcpd_client_packets" lineno="17624">
+<summary>
+Relabel packets to dhcpd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_dhcpd_server_packets" lineno="17644">
+<summary>
+Send dhcpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_dhcpd_server_packets" lineno="17663">
+<summary>
+Do not audit attempts to send dhcpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_dhcpd_server_packets" lineno="17682">
+<summary>
+Receive dhcpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_dhcpd_server_packets" lineno="17701">
+<summary>
+Do not audit attempts to receive dhcpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_dhcpd_server_packets" lineno="17720">
+<summary>
+Send and receive dhcpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_dhcpd_server_packets" lineno="17736">
+<summary>
+Do not audit attempts to send and receive dhcpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_dhcpd_server_packets" lineno="17751">
+<summary>
+Relabel packets to dhcpd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_dict_port" lineno="17773">
+<summary>
+Send and receive TCP traffic on the dict port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_dict_port" lineno="17792">
+<summary>
+Send UDP traffic on the dict port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_dict_port" lineno="17811">
+<summary>
+Do not audit attempts to send UDP traffic on the dict port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_dict_port" lineno="17830">
+<summary>
+Receive UDP traffic on the dict port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_dict_port" lineno="17849">
+<summary>
+Do not audit attempts to receive UDP traffic on the dict port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_dict_port" lineno="17868">
+<summary>
+Send and receive UDP traffic on the dict port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_dict_port" lineno="17885">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the dict port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_dict_port" lineno="17901">
+<summary>
+Bind TCP sockets to the dict port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_dict_port" lineno="17921">
+<summary>
+Bind UDP sockets to the dict port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_dict_port" lineno="17940">
+<summary>
+Make a TCP connection to the dict port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_dict_client_packets" lineno="17960">
+<summary>
+Send dict_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_dict_client_packets" lineno="17979">
+<summary>
+Do not audit attempts to send dict_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_dict_client_packets" lineno="17998">
+<summary>
+Receive dict_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_dict_client_packets" lineno="18017">
+<summary>
+Do not audit attempts to receive dict_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_dict_client_packets" lineno="18036">
+<summary>
+Send and receive dict_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_dict_client_packets" lineno="18052">
+<summary>
+Do not audit attempts to send and receive dict_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_dict_client_packets" lineno="18067">
+<summary>
+Relabel packets to dict_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_dict_server_packets" lineno="18087">
+<summary>
+Send dict_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_dict_server_packets" lineno="18106">
+<summary>
+Do not audit attempts to send dict_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_dict_server_packets" lineno="18125">
+<summary>
+Receive dict_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_dict_server_packets" lineno="18144">
+<summary>
+Do not audit attempts to receive dict_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_dict_server_packets" lineno="18163">
+<summary>
+Send and receive dict_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_dict_server_packets" lineno="18179">
+<summary>
+Do not audit attempts to send and receive dict_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_dict_server_packets" lineno="18194">
+<summary>
+Relabel packets to dict_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_distccd_port" lineno="18216">
+<summary>
+Send and receive TCP traffic on the distccd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_distccd_port" lineno="18235">
+<summary>
+Send UDP traffic on the distccd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_distccd_port" lineno="18254">
+<summary>
+Do not audit attempts to send UDP traffic on the distccd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_distccd_port" lineno="18273">
+<summary>
+Receive UDP traffic on the distccd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_distccd_port" lineno="18292">
+<summary>
+Do not audit attempts to receive UDP traffic on the distccd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_distccd_port" lineno="18311">
+<summary>
+Send and receive UDP traffic on the distccd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_distccd_port" lineno="18328">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the distccd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_distccd_port" lineno="18344">
+<summary>
+Bind TCP sockets to the distccd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_distccd_port" lineno="18364">
+<summary>
+Bind UDP sockets to the distccd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_distccd_port" lineno="18383">
+<summary>
+Make a TCP connection to the distccd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_distccd_client_packets" lineno="18403">
+<summary>
+Send distccd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_distccd_client_packets" lineno="18422">
+<summary>
+Do not audit attempts to send distccd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_distccd_client_packets" lineno="18441">
+<summary>
+Receive distccd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_distccd_client_packets" lineno="18460">
+<summary>
+Do not audit attempts to receive distccd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_distccd_client_packets" lineno="18479">
+<summary>
+Send and receive distccd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_distccd_client_packets" lineno="18495">
+<summary>
+Do not audit attempts to send and receive distccd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_distccd_client_packets" lineno="18510">
+<summary>
+Relabel packets to distccd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_distccd_server_packets" lineno="18530">
+<summary>
+Send distccd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_distccd_server_packets" lineno="18549">
+<summary>
+Do not audit attempts to send distccd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_distccd_server_packets" lineno="18568">
+<summary>
+Receive distccd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_distccd_server_packets" lineno="18587">
+<summary>
+Do not audit attempts to receive distccd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_distccd_server_packets" lineno="18606">
+<summary>
+Send and receive distccd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_distccd_server_packets" lineno="18622">
+<summary>
+Do not audit attempts to send and receive distccd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_distccd_server_packets" lineno="18637">
+<summary>
+Relabel packets to distccd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_dns_port" lineno="18659">
+<summary>
+Send and receive TCP traffic on the dns port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_dns_port" lineno="18678">
+<summary>
+Send UDP traffic on the dns port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_dns_port" lineno="18697">
+<summary>
+Do not audit attempts to send UDP traffic on the dns port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_dns_port" lineno="18716">
+<summary>
+Receive UDP traffic on the dns port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_dns_port" lineno="18735">
+<summary>
+Do not audit attempts to receive UDP traffic on the dns port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_dns_port" lineno="18754">
+<summary>
+Send and receive UDP traffic on the dns port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_dns_port" lineno="18771">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the dns port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_dns_port" lineno="18787">
+<summary>
+Bind TCP sockets to the dns port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_dns_port" lineno="18807">
+<summary>
+Bind UDP sockets to the dns port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_dns_port" lineno="18826">
+<summary>
+Make a TCP connection to the dns port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_dns_client_packets" lineno="18846">
+<summary>
+Send dns_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_dns_client_packets" lineno="18865">
+<summary>
+Do not audit attempts to send dns_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_dns_client_packets" lineno="18884">
+<summary>
+Receive dns_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_dns_client_packets" lineno="18903">
+<summary>
+Do not audit attempts to receive dns_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_dns_client_packets" lineno="18922">
+<summary>
+Send and receive dns_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_dns_client_packets" lineno="18938">
+<summary>
+Do not audit attempts to send and receive dns_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_dns_client_packets" lineno="18953">
+<summary>
+Relabel packets to dns_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_dns_server_packets" lineno="18973">
+<summary>
+Send dns_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_dns_server_packets" lineno="18992">
+<summary>
+Do not audit attempts to send dns_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_dns_server_packets" lineno="19011">
+<summary>
+Receive dns_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_dns_server_packets" lineno="19030">
+<summary>
+Do not audit attempts to receive dns_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_dns_server_packets" lineno="19049">
+<summary>
+Send and receive dns_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_dns_server_packets" lineno="19065">
+<summary>
+Do not audit attempts to send and receive dns_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_dns_server_packets" lineno="19080">
+<summary>
+Relabel packets to dns_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_epmap_port" lineno="19102">
+<summary>
+Send and receive TCP traffic on the epmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_epmap_port" lineno="19121">
+<summary>
+Send UDP traffic on the epmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_epmap_port" lineno="19140">
+<summary>
+Do not audit attempts to send UDP traffic on the epmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_epmap_port" lineno="19159">
+<summary>
+Receive UDP traffic on the epmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_epmap_port" lineno="19178">
+<summary>
+Do not audit attempts to receive UDP traffic on the epmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_epmap_port" lineno="19197">
+<summary>
+Send and receive UDP traffic on the epmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_epmap_port" lineno="19214">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the epmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_epmap_port" lineno="19230">
+<summary>
+Bind TCP sockets to the epmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_epmap_port" lineno="19250">
+<summary>
+Bind UDP sockets to the epmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_epmap_port" lineno="19269">
+<summary>
+Make a TCP connection to the epmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_epmap_client_packets" lineno="19289">
+<summary>
+Send epmap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_epmap_client_packets" lineno="19308">
+<summary>
+Do not audit attempts to send epmap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_epmap_client_packets" lineno="19327">
+<summary>
+Receive epmap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_epmap_client_packets" lineno="19346">
+<summary>
+Do not audit attempts to receive epmap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_epmap_client_packets" lineno="19365">
+<summary>
+Send and receive epmap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_epmap_client_packets" lineno="19381">
+<summary>
+Do not audit attempts to send and receive epmap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_epmap_client_packets" lineno="19396">
+<summary>
+Relabel packets to epmap_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_epmap_server_packets" lineno="19416">
+<summary>
+Send epmap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_epmap_server_packets" lineno="19435">
+<summary>
+Do not audit attempts to send epmap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_epmap_server_packets" lineno="19454">
+<summary>
+Receive epmap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_epmap_server_packets" lineno="19473">
+<summary>
+Do not audit attempts to receive epmap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_epmap_server_packets" lineno="19492">
+<summary>
+Send and receive epmap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_epmap_server_packets" lineno="19508">
+<summary>
+Do not audit attempts to send and receive epmap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_epmap_server_packets" lineno="19523">
+<summary>
+Relabel packets to epmap_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_fingerd_port" lineno="19545">
+<summary>
+Send and receive TCP traffic on the fingerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_fingerd_port" lineno="19564">
+<summary>
+Send UDP traffic on the fingerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_fingerd_port" lineno="19583">
+<summary>
+Do not audit attempts to send UDP traffic on the fingerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_fingerd_port" lineno="19602">
+<summary>
+Receive UDP traffic on the fingerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_fingerd_port" lineno="19621">
+<summary>
+Do not audit attempts to receive UDP traffic on the fingerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_fingerd_port" lineno="19640">
+<summary>
+Send and receive UDP traffic on the fingerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_fingerd_port" lineno="19657">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the fingerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_fingerd_port" lineno="19673">
+<summary>
+Bind TCP sockets to the fingerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_fingerd_port" lineno="19693">
+<summary>
+Bind UDP sockets to the fingerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_fingerd_port" lineno="19712">
+<summary>
+Make a TCP connection to the fingerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_fingerd_client_packets" lineno="19732">
+<summary>
+Send fingerd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_fingerd_client_packets" lineno="19751">
+<summary>
+Do not audit attempts to send fingerd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_fingerd_client_packets" lineno="19770">
+<summary>
+Receive fingerd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_fingerd_client_packets" lineno="19789">
+<summary>
+Do not audit attempts to receive fingerd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_fingerd_client_packets" lineno="19808">
+<summary>
+Send and receive fingerd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_fingerd_client_packets" lineno="19824">
+<summary>
+Do not audit attempts to send and receive fingerd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_fingerd_client_packets" lineno="19839">
+<summary>
+Relabel packets to fingerd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_fingerd_server_packets" lineno="19859">
+<summary>
+Send fingerd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_fingerd_server_packets" lineno="19878">
+<summary>
+Do not audit attempts to send fingerd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_fingerd_server_packets" lineno="19897">
+<summary>
+Receive fingerd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_fingerd_server_packets" lineno="19916">
+<summary>
+Do not audit attempts to receive fingerd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_fingerd_server_packets" lineno="19935">
+<summary>
+Send and receive fingerd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_fingerd_server_packets" lineno="19951">
+<summary>
+Do not audit attempts to send and receive fingerd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_fingerd_server_packets" lineno="19966">
+<summary>
+Relabel packets to fingerd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ftp_port" lineno="19988">
+<summary>
+Send and receive TCP traffic on the ftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ftp_port" lineno="20007">
+<summary>
+Send UDP traffic on the ftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ftp_port" lineno="20026">
+<summary>
+Do not audit attempts to send UDP traffic on the ftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ftp_port" lineno="20045">
+<summary>
+Receive UDP traffic on the ftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ftp_port" lineno="20064">
+<summary>
+Do not audit attempts to receive UDP traffic on the ftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ftp_port" lineno="20083">
+<summary>
+Send and receive UDP traffic on the ftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ftp_port" lineno="20100">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ftp_port" lineno="20116">
+<summary>
+Bind TCP sockets to the ftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ftp_port" lineno="20136">
+<summary>
+Bind UDP sockets to the ftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ftp_port" lineno="20155">
+<summary>
+Make a TCP connection to the ftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ftp_client_packets" lineno="20175">
+<summary>
+Send ftp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ftp_client_packets" lineno="20194">
+<summary>
+Do not audit attempts to send ftp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ftp_client_packets" lineno="20213">
+<summary>
+Receive ftp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ftp_client_packets" lineno="20232">
+<summary>
+Do not audit attempts to receive ftp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ftp_client_packets" lineno="20251">
+<summary>
+Send and receive ftp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ftp_client_packets" lineno="20267">
+<summary>
+Do not audit attempts to send and receive ftp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ftp_client_packets" lineno="20282">
+<summary>
+Relabel packets to ftp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ftp_server_packets" lineno="20302">
+<summary>
+Send ftp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ftp_server_packets" lineno="20321">
+<summary>
+Do not audit attempts to send ftp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ftp_server_packets" lineno="20340">
+<summary>
+Receive ftp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ftp_server_packets" lineno="20359">
+<summary>
+Do not audit attempts to receive ftp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ftp_server_packets" lineno="20378">
+<summary>
+Send and receive ftp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ftp_server_packets" lineno="20394">
+<summary>
+Do not audit attempts to send and receive ftp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ftp_server_packets" lineno="20409">
+<summary>
+Relabel packets to ftp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ftp_data_port" lineno="20431">
+<summary>
+Send and receive TCP traffic on the ftp_data port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ftp_data_port" lineno="20450">
+<summary>
+Send UDP traffic on the ftp_data port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ftp_data_port" lineno="20469">
+<summary>
+Do not audit attempts to send UDP traffic on the ftp_data port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ftp_data_port" lineno="20488">
+<summary>
+Receive UDP traffic on the ftp_data port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ftp_data_port" lineno="20507">
+<summary>
+Do not audit attempts to receive UDP traffic on the ftp_data port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ftp_data_port" lineno="20526">
+<summary>
+Send and receive UDP traffic on the ftp_data port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ftp_data_port" lineno="20543">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ftp_data port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ftp_data_port" lineno="20559">
+<summary>
+Bind TCP sockets to the ftp_data port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ftp_data_port" lineno="20579">
+<summary>
+Bind UDP sockets to the ftp_data port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ftp_data_port" lineno="20598">
+<summary>
+Make a TCP connection to the ftp_data port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ftp_data_client_packets" lineno="20618">
+<summary>
+Send ftp_data_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ftp_data_client_packets" lineno="20637">
+<summary>
+Do not audit attempts to send ftp_data_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ftp_data_client_packets" lineno="20656">
+<summary>
+Receive ftp_data_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ftp_data_client_packets" lineno="20675">
+<summary>
+Do not audit attempts to receive ftp_data_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ftp_data_client_packets" lineno="20694">
+<summary>
+Send and receive ftp_data_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ftp_data_client_packets" lineno="20710">
+<summary>
+Do not audit attempts to send and receive ftp_data_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ftp_data_client_packets" lineno="20725">
+<summary>
+Relabel packets to ftp_data_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ftp_data_server_packets" lineno="20745">
+<summary>
+Send ftp_data_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ftp_data_server_packets" lineno="20764">
+<summary>
+Do not audit attempts to send ftp_data_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ftp_data_server_packets" lineno="20783">
+<summary>
+Receive ftp_data_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ftp_data_server_packets" lineno="20802">
+<summary>
+Do not audit attempts to receive ftp_data_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ftp_data_server_packets" lineno="20821">
+<summary>
+Send and receive ftp_data_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ftp_data_server_packets" lineno="20837">
+<summary>
+Do not audit attempts to send and receive ftp_data_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ftp_data_server_packets" lineno="20852">
+<summary>
+Relabel packets to ftp_data_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_gatekeeper_port" lineno="20874">
+<summary>
+Send and receive TCP traffic on the gatekeeper port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_gatekeeper_port" lineno="20893">
+<summary>
+Send UDP traffic on the gatekeeper port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_gatekeeper_port" lineno="20912">
+<summary>
+Do not audit attempts to send UDP traffic on the gatekeeper port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_gatekeeper_port" lineno="20931">
+<summary>
+Receive UDP traffic on the gatekeeper port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_gatekeeper_port" lineno="20950">
+<summary>
+Do not audit attempts to receive UDP traffic on the gatekeeper port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_gatekeeper_port" lineno="20969">
+<summary>
+Send and receive UDP traffic on the gatekeeper port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_gatekeeper_port" lineno="20986">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the gatekeeper port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_gatekeeper_port" lineno="21002">
+<summary>
+Bind TCP sockets to the gatekeeper port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_gatekeeper_port" lineno="21022">
+<summary>
+Bind UDP sockets to the gatekeeper port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_gatekeeper_port" lineno="21041">
+<summary>
+Make a TCP connection to the gatekeeper port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_gatekeeper_client_packets" lineno="21061">
+<summary>
+Send gatekeeper_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_gatekeeper_client_packets" lineno="21080">
+<summary>
+Do not audit attempts to send gatekeeper_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_gatekeeper_client_packets" lineno="21099">
+<summary>
+Receive gatekeeper_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_gatekeeper_client_packets" lineno="21118">
+<summary>
+Do not audit attempts to receive gatekeeper_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_gatekeeper_client_packets" lineno="21137">
+<summary>
+Send and receive gatekeeper_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_gatekeeper_client_packets" lineno="21153">
+<summary>
+Do not audit attempts to send and receive gatekeeper_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_gatekeeper_client_packets" lineno="21168">
+<summary>
+Relabel packets to gatekeeper_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_gatekeeper_server_packets" lineno="21188">
+<summary>
+Send gatekeeper_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_gatekeeper_server_packets" lineno="21207">
+<summary>
+Do not audit attempts to send gatekeeper_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_gatekeeper_server_packets" lineno="21226">
+<summary>
+Receive gatekeeper_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_gatekeeper_server_packets" lineno="21245">
+<summary>
+Do not audit attempts to receive gatekeeper_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_gatekeeper_server_packets" lineno="21264">
+<summary>
+Send and receive gatekeeper_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_gatekeeper_server_packets" lineno="21280">
+<summary>
+Do not audit attempts to send and receive gatekeeper_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_gatekeeper_server_packets" lineno="21295">
+<summary>
+Relabel packets to gatekeeper_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_giftd_port" lineno="21317">
+<summary>
+Send and receive TCP traffic on the giftd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_giftd_port" lineno="21336">
+<summary>
+Send UDP traffic on the giftd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_giftd_port" lineno="21355">
+<summary>
+Do not audit attempts to send UDP traffic on the giftd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_giftd_port" lineno="21374">
+<summary>
+Receive UDP traffic on the giftd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_giftd_port" lineno="21393">
+<summary>
+Do not audit attempts to receive UDP traffic on the giftd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_giftd_port" lineno="21412">
+<summary>
+Send and receive UDP traffic on the giftd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_giftd_port" lineno="21429">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the giftd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_giftd_port" lineno="21445">
+<summary>
+Bind TCP sockets to the giftd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_giftd_port" lineno="21465">
+<summary>
+Bind UDP sockets to the giftd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_giftd_port" lineno="21484">
+<summary>
+Make a TCP connection to the giftd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_giftd_client_packets" lineno="21504">
+<summary>
+Send giftd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_giftd_client_packets" lineno="21523">
+<summary>
+Do not audit attempts to send giftd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_giftd_client_packets" lineno="21542">
+<summary>
+Receive giftd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_giftd_client_packets" lineno="21561">
+<summary>
+Do not audit attempts to receive giftd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_giftd_client_packets" lineno="21580">
+<summary>
+Send and receive giftd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_giftd_client_packets" lineno="21596">
+<summary>
+Do not audit attempts to send and receive giftd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_giftd_client_packets" lineno="21611">
+<summary>
+Relabel packets to giftd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_giftd_server_packets" lineno="21631">
+<summary>
+Send giftd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_giftd_server_packets" lineno="21650">
+<summary>
+Do not audit attempts to send giftd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_giftd_server_packets" lineno="21669">
+<summary>
+Receive giftd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_giftd_server_packets" lineno="21688">
+<summary>
+Do not audit attempts to receive giftd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_giftd_server_packets" lineno="21707">
+<summary>
+Send and receive giftd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_giftd_server_packets" lineno="21723">
+<summary>
+Do not audit attempts to send and receive giftd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_giftd_server_packets" lineno="21738">
+<summary>
+Relabel packets to giftd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_git_port" lineno="21760">
+<summary>
+Send and receive TCP traffic on the git port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_git_port" lineno="21779">
+<summary>
+Send UDP traffic on the git port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_git_port" lineno="21798">
+<summary>
+Do not audit attempts to send UDP traffic on the git port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_git_port" lineno="21817">
+<summary>
+Receive UDP traffic on the git port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_git_port" lineno="21836">
+<summary>
+Do not audit attempts to receive UDP traffic on the git port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_git_port" lineno="21855">
+<summary>
+Send and receive UDP traffic on the git port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_git_port" lineno="21872">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the git port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_git_port" lineno="21888">
+<summary>
+Bind TCP sockets to the git port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_git_port" lineno="21908">
+<summary>
+Bind UDP sockets to the git port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_git_port" lineno="21927">
+<summary>
+Make a TCP connection to the git port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_git_client_packets" lineno="21947">
+<summary>
+Send git_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_git_client_packets" lineno="21966">
+<summary>
+Do not audit attempts to send git_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_git_client_packets" lineno="21985">
+<summary>
+Receive git_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_git_client_packets" lineno="22004">
+<summary>
+Do not audit attempts to receive git_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_git_client_packets" lineno="22023">
+<summary>
+Send and receive git_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_git_client_packets" lineno="22039">
+<summary>
+Do not audit attempts to send and receive git_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_git_client_packets" lineno="22054">
+<summary>
+Relabel packets to git_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_git_server_packets" lineno="22074">
+<summary>
+Send git_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_git_server_packets" lineno="22093">
+<summary>
+Do not audit attempts to send git_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_git_server_packets" lineno="22112">
+<summary>
+Receive git_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_git_server_packets" lineno="22131">
+<summary>
+Do not audit attempts to receive git_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_git_server_packets" lineno="22150">
+<summary>
+Send and receive git_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_git_server_packets" lineno="22166">
+<summary>
+Do not audit attempts to send and receive git_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_git_server_packets" lineno="22181">
+<summary>
+Relabel packets to git_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_glance_registry_port" lineno="22203">
+<summary>
+Send and receive TCP traffic on the glance_registry port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_glance_registry_port" lineno="22222">
+<summary>
+Send UDP traffic on the glance_registry port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_glance_registry_port" lineno="22241">
+<summary>
+Do not audit attempts to send UDP traffic on the glance_registry port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_glance_registry_port" lineno="22260">
+<summary>
+Receive UDP traffic on the glance_registry port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_glance_registry_port" lineno="22279">
+<summary>
+Do not audit attempts to receive UDP traffic on the glance_registry port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_glance_registry_port" lineno="22298">
+<summary>
+Send and receive UDP traffic on the glance_registry port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_glance_registry_port" lineno="22315">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the glance_registry port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_glance_registry_port" lineno="22331">
+<summary>
+Bind TCP sockets to the glance_registry port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_glance_registry_port" lineno="22351">
+<summary>
+Bind UDP sockets to the glance_registry port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_glance_registry_port" lineno="22370">
+<summary>
+Make a TCP connection to the glance_registry port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_glance_registry_client_packets" lineno="22390">
+<summary>
+Send glance_registry_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_glance_registry_client_packets" lineno="22409">
+<summary>
+Do not audit attempts to send glance_registry_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_glance_registry_client_packets" lineno="22428">
+<summary>
+Receive glance_registry_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_glance_registry_client_packets" lineno="22447">
+<summary>
+Do not audit attempts to receive glance_registry_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_glance_registry_client_packets" lineno="22466">
+<summary>
+Send and receive glance_registry_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_glance_registry_client_packets" lineno="22482">
+<summary>
+Do not audit attempts to send and receive glance_registry_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_glance_registry_client_packets" lineno="22497">
+<summary>
+Relabel packets to glance_registry_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_glance_registry_server_packets" lineno="22517">
+<summary>
+Send glance_registry_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_glance_registry_server_packets" lineno="22536">
+<summary>
+Do not audit attempts to send glance_registry_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_glance_registry_server_packets" lineno="22555">
+<summary>
+Receive glance_registry_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_glance_registry_server_packets" lineno="22574">
+<summary>
+Do not audit attempts to receive glance_registry_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_glance_registry_server_packets" lineno="22593">
+<summary>
+Send and receive glance_registry_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_glance_registry_server_packets" lineno="22609">
+<summary>
+Do not audit attempts to send and receive glance_registry_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_glance_registry_server_packets" lineno="22624">
+<summary>
+Relabel packets to glance_registry_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_gopher_port" lineno="22646">
+<summary>
+Send and receive TCP traffic on the gopher port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_gopher_port" lineno="22665">
+<summary>
+Send UDP traffic on the gopher port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_gopher_port" lineno="22684">
+<summary>
+Do not audit attempts to send UDP traffic on the gopher port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_gopher_port" lineno="22703">
+<summary>
+Receive UDP traffic on the gopher port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_gopher_port" lineno="22722">
+<summary>
+Do not audit attempts to receive UDP traffic on the gopher port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_gopher_port" lineno="22741">
+<summary>
+Send and receive UDP traffic on the gopher port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_gopher_port" lineno="22758">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the gopher port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_gopher_port" lineno="22774">
+<summary>
+Bind TCP sockets to the gopher port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_gopher_port" lineno="22794">
+<summary>
+Bind UDP sockets to the gopher port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_gopher_port" lineno="22813">
+<summary>
+Make a TCP connection to the gopher port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_gopher_client_packets" lineno="22833">
+<summary>
+Send gopher_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_gopher_client_packets" lineno="22852">
+<summary>
+Do not audit attempts to send gopher_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_gopher_client_packets" lineno="22871">
+<summary>
+Receive gopher_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_gopher_client_packets" lineno="22890">
+<summary>
+Do not audit attempts to receive gopher_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_gopher_client_packets" lineno="22909">
+<summary>
+Send and receive gopher_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_gopher_client_packets" lineno="22925">
+<summary>
+Do not audit attempts to send and receive gopher_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_gopher_client_packets" lineno="22940">
+<summary>
+Relabel packets to gopher_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_gopher_server_packets" lineno="22960">
+<summary>
+Send gopher_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_gopher_server_packets" lineno="22979">
+<summary>
+Do not audit attempts to send gopher_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_gopher_server_packets" lineno="22998">
+<summary>
+Receive gopher_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_gopher_server_packets" lineno="23017">
+<summary>
+Do not audit attempts to receive gopher_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_gopher_server_packets" lineno="23036">
+<summary>
+Send and receive gopher_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_gopher_server_packets" lineno="23052">
+<summary>
+Do not audit attempts to send and receive gopher_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_gopher_server_packets" lineno="23067">
+<summary>
+Relabel packets to gopher_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_gpsd_port" lineno="23089">
+<summary>
+Send and receive TCP traffic on the gpsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_gpsd_port" lineno="23108">
+<summary>
+Send UDP traffic on the gpsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_gpsd_port" lineno="23127">
+<summary>
+Do not audit attempts to send UDP traffic on the gpsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_gpsd_port" lineno="23146">
+<summary>
+Receive UDP traffic on the gpsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_gpsd_port" lineno="23165">
+<summary>
+Do not audit attempts to receive UDP traffic on the gpsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_gpsd_port" lineno="23184">
+<summary>
+Send and receive UDP traffic on the gpsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_gpsd_port" lineno="23201">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the gpsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_gpsd_port" lineno="23217">
+<summary>
+Bind TCP sockets to the gpsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_gpsd_port" lineno="23237">
+<summary>
+Bind UDP sockets to the gpsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_gpsd_port" lineno="23256">
+<summary>
+Make a TCP connection to the gpsd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_gpsd_client_packets" lineno="23276">
+<summary>
+Send gpsd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_gpsd_client_packets" lineno="23295">
+<summary>
+Do not audit attempts to send gpsd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_gpsd_client_packets" lineno="23314">
+<summary>
+Receive gpsd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_gpsd_client_packets" lineno="23333">
+<summary>
+Do not audit attempts to receive gpsd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_gpsd_client_packets" lineno="23352">
+<summary>
+Send and receive gpsd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_gpsd_client_packets" lineno="23368">
+<summary>
+Do not audit attempts to send and receive gpsd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_gpsd_client_packets" lineno="23383">
+<summary>
+Relabel packets to gpsd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_gpsd_server_packets" lineno="23403">
+<summary>
+Send gpsd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_gpsd_server_packets" lineno="23422">
+<summary>
+Do not audit attempts to send gpsd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_gpsd_server_packets" lineno="23441">
+<summary>
+Receive gpsd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_gpsd_server_packets" lineno="23460">
+<summary>
+Do not audit attempts to receive gpsd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_gpsd_server_packets" lineno="23479">
+<summary>
+Send and receive gpsd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_gpsd_server_packets" lineno="23495">
+<summary>
+Do not audit attempts to send and receive gpsd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_gpsd_server_packets" lineno="23510">
+<summary>
+Relabel packets to gpsd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_hadoop_datanode_port" lineno="23532">
+<summary>
+Send and receive TCP traffic on the hadoop_datanode port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_hadoop_datanode_port" lineno="23551">
+<summary>
+Send UDP traffic on the hadoop_datanode port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_hadoop_datanode_port" lineno="23570">
+<summary>
+Do not audit attempts to send UDP traffic on the hadoop_datanode port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_hadoop_datanode_port" lineno="23589">
+<summary>
+Receive UDP traffic on the hadoop_datanode port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_hadoop_datanode_port" lineno="23608">
+<summary>
+Do not audit attempts to receive UDP traffic on the hadoop_datanode port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_hadoop_datanode_port" lineno="23627">
+<summary>
+Send and receive UDP traffic on the hadoop_datanode port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_hadoop_datanode_port" lineno="23644">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the hadoop_datanode port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_hadoop_datanode_port" lineno="23660">
+<summary>
+Bind TCP sockets to the hadoop_datanode port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_hadoop_datanode_port" lineno="23680">
+<summary>
+Bind UDP sockets to the hadoop_datanode port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_hadoop_datanode_port" lineno="23699">
+<summary>
+Make a TCP connection to the hadoop_datanode port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_hadoop_datanode_client_packets" lineno="23719">
+<summary>
+Send hadoop_datanode_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_hadoop_datanode_client_packets" lineno="23738">
+<summary>
+Do not audit attempts to send hadoop_datanode_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_hadoop_datanode_client_packets" lineno="23757">
+<summary>
+Receive hadoop_datanode_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_hadoop_datanode_client_packets" lineno="23776">
+<summary>
+Do not audit attempts to receive hadoop_datanode_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_hadoop_datanode_client_packets" lineno="23795">
+<summary>
+Send and receive hadoop_datanode_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_hadoop_datanode_client_packets" lineno="23811">
+<summary>
+Do not audit attempts to send and receive hadoop_datanode_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_hadoop_datanode_client_packets" lineno="23826">
+<summary>
+Relabel packets to hadoop_datanode_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_hadoop_datanode_server_packets" lineno="23846">
+<summary>
+Send hadoop_datanode_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_hadoop_datanode_server_packets" lineno="23865">
+<summary>
+Do not audit attempts to send hadoop_datanode_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_hadoop_datanode_server_packets" lineno="23884">
+<summary>
+Receive hadoop_datanode_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_hadoop_datanode_server_packets" lineno="23903">
+<summary>
+Do not audit attempts to receive hadoop_datanode_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_hadoop_datanode_server_packets" lineno="23922">
+<summary>
+Send and receive hadoop_datanode_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_hadoop_datanode_server_packets" lineno="23938">
+<summary>
+Do not audit attempts to send and receive hadoop_datanode_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_hadoop_datanode_server_packets" lineno="23953">
+<summary>
+Relabel packets to hadoop_datanode_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_hadoop_namenode_port" lineno="23975">
+<summary>
+Send and receive TCP traffic on the hadoop_namenode port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_hadoop_namenode_port" lineno="23994">
+<summary>
+Send UDP traffic on the hadoop_namenode port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_hadoop_namenode_port" lineno="24013">
+<summary>
+Do not audit attempts to send UDP traffic on the hadoop_namenode port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_hadoop_namenode_port" lineno="24032">
+<summary>
+Receive UDP traffic on the hadoop_namenode port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_hadoop_namenode_port" lineno="24051">
+<summary>
+Do not audit attempts to receive UDP traffic on the hadoop_namenode port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_hadoop_namenode_port" lineno="24070">
+<summary>
+Send and receive UDP traffic on the hadoop_namenode port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_hadoop_namenode_port" lineno="24087">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the hadoop_namenode port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_hadoop_namenode_port" lineno="24103">
+<summary>
+Bind TCP sockets to the hadoop_namenode port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_hadoop_namenode_port" lineno="24123">
+<summary>
+Bind UDP sockets to the hadoop_namenode port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_hadoop_namenode_port" lineno="24142">
+<summary>
+Make a TCP connection to the hadoop_namenode port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_hadoop_namenode_client_packets" lineno="24162">
+<summary>
+Send hadoop_namenode_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_hadoop_namenode_client_packets" lineno="24181">
+<summary>
+Do not audit attempts to send hadoop_namenode_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_hadoop_namenode_client_packets" lineno="24200">
+<summary>
+Receive hadoop_namenode_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_hadoop_namenode_client_packets" lineno="24219">
+<summary>
+Do not audit attempts to receive hadoop_namenode_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_hadoop_namenode_client_packets" lineno="24238">
+<summary>
+Send and receive hadoop_namenode_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_hadoop_namenode_client_packets" lineno="24254">
+<summary>
+Do not audit attempts to send and receive hadoop_namenode_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_hadoop_namenode_client_packets" lineno="24269">
+<summary>
+Relabel packets to hadoop_namenode_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_hadoop_namenode_server_packets" lineno="24289">
+<summary>
+Send hadoop_namenode_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_hadoop_namenode_server_packets" lineno="24308">
+<summary>
+Do not audit attempts to send hadoop_namenode_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_hadoop_namenode_server_packets" lineno="24327">
+<summary>
+Receive hadoop_namenode_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_hadoop_namenode_server_packets" lineno="24346">
+<summary>
+Do not audit attempts to receive hadoop_namenode_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_hadoop_namenode_server_packets" lineno="24365">
+<summary>
+Send and receive hadoop_namenode_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_hadoop_namenode_server_packets" lineno="24381">
+<summary>
+Do not audit attempts to send and receive hadoop_namenode_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_hadoop_namenode_server_packets" lineno="24396">
+<summary>
+Relabel packets to hadoop_namenode_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_hddtemp_port" lineno="24418">
+<summary>
+Send and receive TCP traffic on the hddtemp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_hddtemp_port" lineno="24437">
+<summary>
+Send UDP traffic on the hddtemp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_hddtemp_port" lineno="24456">
+<summary>
+Do not audit attempts to send UDP traffic on the hddtemp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_hddtemp_port" lineno="24475">
+<summary>
+Receive UDP traffic on the hddtemp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_hddtemp_port" lineno="24494">
+<summary>
+Do not audit attempts to receive UDP traffic on the hddtemp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_hddtemp_port" lineno="24513">
+<summary>
+Send and receive UDP traffic on the hddtemp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_hddtemp_port" lineno="24530">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the hddtemp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_hddtemp_port" lineno="24546">
+<summary>
+Bind TCP sockets to the hddtemp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_hddtemp_port" lineno="24566">
+<summary>
+Bind UDP sockets to the hddtemp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_hddtemp_port" lineno="24585">
+<summary>
+Make a TCP connection to the hddtemp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_hddtemp_client_packets" lineno="24605">
+<summary>
+Send hddtemp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_hddtemp_client_packets" lineno="24624">
+<summary>
+Do not audit attempts to send hddtemp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_hddtemp_client_packets" lineno="24643">
+<summary>
+Receive hddtemp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_hddtemp_client_packets" lineno="24662">
+<summary>
+Do not audit attempts to receive hddtemp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_hddtemp_client_packets" lineno="24681">
+<summary>
+Send and receive hddtemp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_hddtemp_client_packets" lineno="24697">
+<summary>
+Do not audit attempts to send and receive hddtemp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_hddtemp_client_packets" lineno="24712">
+<summary>
+Relabel packets to hddtemp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_hddtemp_server_packets" lineno="24732">
+<summary>
+Send hddtemp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_hddtemp_server_packets" lineno="24751">
+<summary>
+Do not audit attempts to send hddtemp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_hddtemp_server_packets" lineno="24770">
+<summary>
+Receive hddtemp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_hddtemp_server_packets" lineno="24789">
+<summary>
+Do not audit attempts to receive hddtemp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_hddtemp_server_packets" lineno="24808">
+<summary>
+Send and receive hddtemp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_hddtemp_server_packets" lineno="24824">
+<summary>
+Do not audit attempts to send and receive hddtemp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_hddtemp_server_packets" lineno="24839">
+<summary>
+Relabel packets to hddtemp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_howl_port" lineno="24861">
+<summary>
+Send and receive TCP traffic on the howl port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_howl_port" lineno="24880">
+<summary>
+Send UDP traffic on the howl port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_howl_port" lineno="24899">
+<summary>
+Do not audit attempts to send UDP traffic on the howl port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_howl_port" lineno="24918">
+<summary>
+Receive UDP traffic on the howl port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_howl_port" lineno="24937">
+<summary>
+Do not audit attempts to receive UDP traffic on the howl port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_howl_port" lineno="24956">
+<summary>
+Send and receive UDP traffic on the howl port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_howl_port" lineno="24973">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the howl port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_howl_port" lineno="24989">
+<summary>
+Bind TCP sockets to the howl port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_howl_port" lineno="25009">
+<summary>
+Bind UDP sockets to the howl port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_howl_port" lineno="25028">
+<summary>
+Make a TCP connection to the howl port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_howl_client_packets" lineno="25048">
+<summary>
+Send howl_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_howl_client_packets" lineno="25067">
+<summary>
+Do not audit attempts to send howl_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_howl_client_packets" lineno="25086">
+<summary>
+Receive howl_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_howl_client_packets" lineno="25105">
+<summary>
+Do not audit attempts to receive howl_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_howl_client_packets" lineno="25124">
+<summary>
+Send and receive howl_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_howl_client_packets" lineno="25140">
+<summary>
+Do not audit attempts to send and receive howl_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_howl_client_packets" lineno="25155">
+<summary>
+Relabel packets to howl_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_howl_server_packets" lineno="25175">
+<summary>
+Send howl_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_howl_server_packets" lineno="25194">
+<summary>
+Do not audit attempts to send howl_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_howl_server_packets" lineno="25213">
+<summary>
+Receive howl_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_howl_server_packets" lineno="25232">
+<summary>
+Do not audit attempts to receive howl_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_howl_server_packets" lineno="25251">
+<summary>
+Send and receive howl_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_howl_server_packets" lineno="25267">
+<summary>
+Do not audit attempts to send and receive howl_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_howl_server_packets" lineno="25282">
+<summary>
+Relabel packets to howl_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_hplip_port" lineno="25304">
+<summary>
+Send and receive TCP traffic on the hplip port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_hplip_port" lineno="25323">
+<summary>
+Send UDP traffic on the hplip port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_hplip_port" lineno="25342">
+<summary>
+Do not audit attempts to send UDP traffic on the hplip port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_hplip_port" lineno="25361">
+<summary>
+Receive UDP traffic on the hplip port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_hplip_port" lineno="25380">
+<summary>
+Do not audit attempts to receive UDP traffic on the hplip port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_hplip_port" lineno="25399">
+<summary>
+Send and receive UDP traffic on the hplip port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_hplip_port" lineno="25416">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the hplip port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_hplip_port" lineno="25432">
+<summary>
+Bind TCP sockets to the hplip port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_hplip_port" lineno="25452">
+<summary>
+Bind UDP sockets to the hplip port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_hplip_port" lineno="25471">
+<summary>
+Make a TCP connection to the hplip port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_hplip_client_packets" lineno="25491">
+<summary>
+Send hplip_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_hplip_client_packets" lineno="25510">
+<summary>
+Do not audit attempts to send hplip_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_hplip_client_packets" lineno="25529">
+<summary>
+Receive hplip_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_hplip_client_packets" lineno="25548">
+<summary>
+Do not audit attempts to receive hplip_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_hplip_client_packets" lineno="25567">
+<summary>
+Send and receive hplip_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_hplip_client_packets" lineno="25583">
+<summary>
+Do not audit attempts to send and receive hplip_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_hplip_client_packets" lineno="25598">
+<summary>
+Relabel packets to hplip_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_hplip_server_packets" lineno="25618">
+<summary>
+Send hplip_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_hplip_server_packets" lineno="25637">
+<summary>
+Do not audit attempts to send hplip_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_hplip_server_packets" lineno="25656">
+<summary>
+Receive hplip_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_hplip_server_packets" lineno="25675">
+<summary>
+Do not audit attempts to receive hplip_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_hplip_server_packets" lineno="25694">
+<summary>
+Send and receive hplip_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_hplip_server_packets" lineno="25710">
+<summary>
+Do not audit attempts to send and receive hplip_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_hplip_server_packets" lineno="25725">
+<summary>
+Relabel packets to hplip_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_http_port" lineno="25747">
+<summary>
+Send and receive TCP traffic on the http port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_http_port" lineno="25766">
+<summary>
+Send UDP traffic on the http port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_http_port" lineno="25785">
+<summary>
+Do not audit attempts to send UDP traffic on the http port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_http_port" lineno="25804">
+<summary>
+Receive UDP traffic on the http port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_http_port" lineno="25823">
+<summary>
+Do not audit attempts to receive UDP traffic on the http port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_http_port" lineno="25842">
+<summary>
+Send and receive UDP traffic on the http port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_http_port" lineno="25859">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the http port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_http_port" lineno="25875">
+<summary>
+Bind TCP sockets to the http port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_http_port" lineno="25895">
+<summary>
+Bind UDP sockets to the http port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_http_port" lineno="25914">
+<summary>
+Make a TCP connection to the http port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_http_client_packets" lineno="25934">
+<summary>
+Send http_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_http_client_packets" lineno="25953">
+<summary>
+Do not audit attempts to send http_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_http_client_packets" lineno="25972">
+<summary>
+Receive http_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_http_client_packets" lineno="25991">
+<summary>
+Do not audit attempts to receive http_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_http_client_packets" lineno="26010">
+<summary>
+Send and receive http_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_http_client_packets" lineno="26026">
+<summary>
+Do not audit attempts to send and receive http_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_http_client_packets" lineno="26041">
+<summary>
+Relabel packets to http_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_http_server_packets" lineno="26061">
+<summary>
+Send http_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_http_server_packets" lineno="26080">
+<summary>
+Do not audit attempts to send http_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_http_server_packets" lineno="26099">
+<summary>
+Receive http_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_http_server_packets" lineno="26118">
+<summary>
+Do not audit attempts to receive http_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_http_server_packets" lineno="26137">
+<summary>
+Send and receive http_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_http_server_packets" lineno="26153">
+<summary>
+Do not audit attempts to send and receive http_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_http_server_packets" lineno="26168">
+<summary>
+Relabel packets to http_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_http_cache_port" lineno="26190">
+<summary>
+Send and receive TCP traffic on the http_cache port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_http_cache_port" lineno="26209">
+<summary>
+Send UDP traffic on the http_cache port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_http_cache_port" lineno="26228">
+<summary>
+Do not audit attempts to send UDP traffic on the http_cache port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_http_cache_port" lineno="26247">
+<summary>
+Receive UDP traffic on the http_cache port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_http_cache_port" lineno="26266">
+<summary>
+Do not audit attempts to receive UDP traffic on the http_cache port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_http_cache_port" lineno="26285">
+<summary>
+Send and receive UDP traffic on the http_cache port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_http_cache_port" lineno="26302">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the http_cache port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_http_cache_port" lineno="26318">
+<summary>
+Bind TCP sockets to the http_cache port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_http_cache_port" lineno="26338">
+<summary>
+Bind UDP sockets to the http_cache port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_http_cache_port" lineno="26357">
+<summary>
+Make a TCP connection to the http_cache port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_http_cache_client_packets" lineno="26377">
+<summary>
+Send http_cache_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_http_cache_client_packets" lineno="26396">
+<summary>
+Do not audit attempts to send http_cache_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_http_cache_client_packets" lineno="26415">
+<summary>
+Receive http_cache_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_http_cache_client_packets" lineno="26434">
+<summary>
+Do not audit attempts to receive http_cache_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_http_cache_client_packets" lineno="26453">
+<summary>
+Send and receive http_cache_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_http_cache_client_packets" lineno="26469">
+<summary>
+Do not audit attempts to send and receive http_cache_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_http_cache_client_packets" lineno="26484">
+<summary>
+Relabel packets to http_cache_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_http_cache_server_packets" lineno="26504">
+<summary>
+Send http_cache_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_http_cache_server_packets" lineno="26523">
+<summary>
+Do not audit attempts to send http_cache_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_http_cache_server_packets" lineno="26542">
+<summary>
+Receive http_cache_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_http_cache_server_packets" lineno="26561">
+<summary>
+Do not audit attempts to receive http_cache_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_http_cache_server_packets" lineno="26580">
+<summary>
+Send and receive http_cache_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_http_cache_server_packets" lineno="26596">
+<summary>
+Do not audit attempts to send and receive http_cache_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_http_cache_server_packets" lineno="26611">
+<summary>
+Relabel packets to http_cache_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_i18n_input_port" lineno="26633">
+<summary>
+Send and receive TCP traffic on the i18n_input port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_i18n_input_port" lineno="26652">
+<summary>
+Send UDP traffic on the i18n_input port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_i18n_input_port" lineno="26671">
+<summary>
+Do not audit attempts to send UDP traffic on the i18n_input port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_i18n_input_port" lineno="26690">
+<summary>
+Receive UDP traffic on the i18n_input port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_i18n_input_port" lineno="26709">
+<summary>
+Do not audit attempts to receive UDP traffic on the i18n_input port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_i18n_input_port" lineno="26728">
+<summary>
+Send and receive UDP traffic on the i18n_input port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_i18n_input_port" lineno="26745">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the i18n_input port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_i18n_input_port" lineno="26761">
+<summary>
+Bind TCP sockets to the i18n_input port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_i18n_input_port" lineno="26781">
+<summary>
+Bind UDP sockets to the i18n_input port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_i18n_input_port" lineno="26800">
+<summary>
+Make a TCP connection to the i18n_input port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_i18n_input_client_packets" lineno="26820">
+<summary>
+Send i18n_input_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_i18n_input_client_packets" lineno="26839">
+<summary>
+Do not audit attempts to send i18n_input_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_i18n_input_client_packets" lineno="26858">
+<summary>
+Receive i18n_input_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_i18n_input_client_packets" lineno="26877">
+<summary>
+Do not audit attempts to receive i18n_input_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_i18n_input_client_packets" lineno="26896">
+<summary>
+Send and receive i18n_input_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_i18n_input_client_packets" lineno="26912">
+<summary>
+Do not audit attempts to send and receive i18n_input_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_i18n_input_client_packets" lineno="26927">
+<summary>
+Relabel packets to i18n_input_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_i18n_input_server_packets" lineno="26947">
+<summary>
+Send i18n_input_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_i18n_input_server_packets" lineno="26966">
+<summary>
+Do not audit attempts to send i18n_input_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_i18n_input_server_packets" lineno="26985">
+<summary>
+Receive i18n_input_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_i18n_input_server_packets" lineno="27004">
+<summary>
+Do not audit attempts to receive i18n_input_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_i18n_input_server_packets" lineno="27023">
+<summary>
+Send and receive i18n_input_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_i18n_input_server_packets" lineno="27039">
+<summary>
+Do not audit attempts to send and receive i18n_input_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_i18n_input_server_packets" lineno="27054">
+<summary>
+Relabel packets to i18n_input_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_imaze_port" lineno="27076">
+<summary>
+Send and receive TCP traffic on the imaze port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_imaze_port" lineno="27095">
+<summary>
+Send UDP traffic on the imaze port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_imaze_port" lineno="27114">
+<summary>
+Do not audit attempts to send UDP traffic on the imaze port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_imaze_port" lineno="27133">
+<summary>
+Receive UDP traffic on the imaze port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_imaze_port" lineno="27152">
+<summary>
+Do not audit attempts to receive UDP traffic on the imaze port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_imaze_port" lineno="27171">
+<summary>
+Send and receive UDP traffic on the imaze port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_imaze_port" lineno="27188">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the imaze port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_imaze_port" lineno="27204">
+<summary>
+Bind TCP sockets to the imaze port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_imaze_port" lineno="27224">
+<summary>
+Bind UDP sockets to the imaze port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_imaze_port" lineno="27243">
+<summary>
+Make a TCP connection to the imaze port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_imaze_client_packets" lineno="27263">
+<summary>
+Send imaze_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_imaze_client_packets" lineno="27282">
+<summary>
+Do not audit attempts to send imaze_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_imaze_client_packets" lineno="27301">
+<summary>
+Receive imaze_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_imaze_client_packets" lineno="27320">
+<summary>
+Do not audit attempts to receive imaze_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_imaze_client_packets" lineno="27339">
+<summary>
+Send and receive imaze_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_imaze_client_packets" lineno="27355">
+<summary>
+Do not audit attempts to send and receive imaze_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_imaze_client_packets" lineno="27370">
+<summary>
+Relabel packets to imaze_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_imaze_server_packets" lineno="27390">
+<summary>
+Send imaze_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_imaze_server_packets" lineno="27409">
+<summary>
+Do not audit attempts to send imaze_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_imaze_server_packets" lineno="27428">
+<summary>
+Receive imaze_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_imaze_server_packets" lineno="27447">
+<summary>
+Do not audit attempts to receive imaze_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_imaze_server_packets" lineno="27466">
+<summary>
+Send and receive imaze_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_imaze_server_packets" lineno="27482">
+<summary>
+Do not audit attempts to send and receive imaze_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_imaze_server_packets" lineno="27497">
+<summary>
+Relabel packets to imaze_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_inetd_child_port" lineno="27519">
+<summary>
+Send and receive TCP traffic on the inetd_child port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_inetd_child_port" lineno="27538">
+<summary>
+Send UDP traffic on the inetd_child port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_inetd_child_port" lineno="27557">
+<summary>
+Do not audit attempts to send UDP traffic on the inetd_child port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_inetd_child_port" lineno="27576">
+<summary>
+Receive UDP traffic on the inetd_child port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_inetd_child_port" lineno="27595">
+<summary>
+Do not audit attempts to receive UDP traffic on the inetd_child port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_inetd_child_port" lineno="27614">
+<summary>
+Send and receive UDP traffic on the inetd_child port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_inetd_child_port" lineno="27631">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the inetd_child port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_inetd_child_port" lineno="27647">
+<summary>
+Bind TCP sockets to the inetd_child port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_inetd_child_port" lineno="27667">
+<summary>
+Bind UDP sockets to the inetd_child port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_inetd_child_port" lineno="27686">
+<summary>
+Make a TCP connection to the inetd_child port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_inetd_child_client_packets" lineno="27706">
+<summary>
+Send inetd_child_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_inetd_child_client_packets" lineno="27725">
+<summary>
+Do not audit attempts to send inetd_child_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_inetd_child_client_packets" lineno="27744">
+<summary>
+Receive inetd_child_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_inetd_child_client_packets" lineno="27763">
+<summary>
+Do not audit attempts to receive inetd_child_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_inetd_child_client_packets" lineno="27782">
+<summary>
+Send and receive inetd_child_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_inetd_child_client_packets" lineno="27798">
+<summary>
+Do not audit attempts to send and receive inetd_child_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_inetd_child_client_packets" lineno="27813">
+<summary>
+Relabel packets to inetd_child_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_inetd_child_server_packets" lineno="27833">
+<summary>
+Send inetd_child_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_inetd_child_server_packets" lineno="27852">
+<summary>
+Do not audit attempts to send inetd_child_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_inetd_child_server_packets" lineno="27871">
+<summary>
+Receive inetd_child_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_inetd_child_server_packets" lineno="27890">
+<summary>
+Do not audit attempts to receive inetd_child_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_inetd_child_server_packets" lineno="27909">
+<summary>
+Send and receive inetd_child_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_inetd_child_server_packets" lineno="27925">
+<summary>
+Do not audit attempts to send and receive inetd_child_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_inetd_child_server_packets" lineno="27940">
+<summary>
+Relabel packets to inetd_child_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_innd_port" lineno="27962">
+<summary>
+Send and receive TCP traffic on the innd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_innd_port" lineno="27981">
+<summary>
+Send UDP traffic on the innd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_innd_port" lineno="28000">
+<summary>
+Do not audit attempts to send UDP traffic on the innd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_innd_port" lineno="28019">
+<summary>
+Receive UDP traffic on the innd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_innd_port" lineno="28038">
+<summary>
+Do not audit attempts to receive UDP traffic on the innd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_innd_port" lineno="28057">
+<summary>
+Send and receive UDP traffic on the innd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_innd_port" lineno="28074">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the innd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_innd_port" lineno="28090">
+<summary>
+Bind TCP sockets to the innd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_innd_port" lineno="28110">
+<summary>
+Bind UDP sockets to the innd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_innd_port" lineno="28129">
+<summary>
+Make a TCP connection to the innd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_innd_client_packets" lineno="28149">
+<summary>
+Send innd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_innd_client_packets" lineno="28168">
+<summary>
+Do not audit attempts to send innd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_innd_client_packets" lineno="28187">
+<summary>
+Receive innd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_innd_client_packets" lineno="28206">
+<summary>
+Do not audit attempts to receive innd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_innd_client_packets" lineno="28225">
+<summary>
+Send and receive innd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_innd_client_packets" lineno="28241">
+<summary>
+Do not audit attempts to send and receive innd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_innd_client_packets" lineno="28256">
+<summary>
+Relabel packets to innd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_innd_server_packets" lineno="28276">
+<summary>
+Send innd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_innd_server_packets" lineno="28295">
+<summary>
+Do not audit attempts to send innd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_innd_server_packets" lineno="28314">
+<summary>
+Receive innd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_innd_server_packets" lineno="28333">
+<summary>
+Do not audit attempts to receive innd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_innd_server_packets" lineno="28352">
+<summary>
+Send and receive innd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_innd_server_packets" lineno="28368">
+<summary>
+Do not audit attempts to send and receive innd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_innd_server_packets" lineno="28383">
+<summary>
+Relabel packets to innd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ipmi_port" lineno="28405">
+<summary>
+Send and receive TCP traffic on the ipmi port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ipmi_port" lineno="28424">
+<summary>
+Send UDP traffic on the ipmi port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ipmi_port" lineno="28443">
+<summary>
+Do not audit attempts to send UDP traffic on the ipmi port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ipmi_port" lineno="28462">
+<summary>
+Receive UDP traffic on the ipmi port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ipmi_port" lineno="28481">
+<summary>
+Do not audit attempts to receive UDP traffic on the ipmi port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ipmi_port" lineno="28500">
+<summary>
+Send and receive UDP traffic on the ipmi port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ipmi_port" lineno="28517">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ipmi port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ipmi_port" lineno="28533">
+<summary>
+Bind TCP sockets to the ipmi port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ipmi_port" lineno="28553">
+<summary>
+Bind UDP sockets to the ipmi port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ipmi_port" lineno="28572">
+<summary>
+Make a TCP connection to the ipmi port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ipmi_client_packets" lineno="28592">
+<summary>
+Send ipmi_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ipmi_client_packets" lineno="28611">
+<summary>
+Do not audit attempts to send ipmi_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ipmi_client_packets" lineno="28630">
+<summary>
+Receive ipmi_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ipmi_client_packets" lineno="28649">
+<summary>
+Do not audit attempts to receive ipmi_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ipmi_client_packets" lineno="28668">
+<summary>
+Send and receive ipmi_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ipmi_client_packets" lineno="28684">
+<summary>
+Do not audit attempts to send and receive ipmi_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ipmi_client_packets" lineno="28699">
+<summary>
+Relabel packets to ipmi_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ipmi_server_packets" lineno="28719">
+<summary>
+Send ipmi_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ipmi_server_packets" lineno="28738">
+<summary>
+Do not audit attempts to send ipmi_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ipmi_server_packets" lineno="28757">
+<summary>
+Receive ipmi_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ipmi_server_packets" lineno="28776">
+<summary>
+Do not audit attempts to receive ipmi_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ipmi_server_packets" lineno="28795">
+<summary>
+Send and receive ipmi_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ipmi_server_packets" lineno="28811">
+<summary>
+Do not audit attempts to send and receive ipmi_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ipmi_server_packets" lineno="28826">
+<summary>
+Relabel packets to ipmi_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ipp_port" lineno="28848">
+<summary>
+Send and receive TCP traffic on the ipp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ipp_port" lineno="28867">
+<summary>
+Send UDP traffic on the ipp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ipp_port" lineno="28886">
+<summary>
+Do not audit attempts to send UDP traffic on the ipp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ipp_port" lineno="28905">
+<summary>
+Receive UDP traffic on the ipp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ipp_port" lineno="28924">
+<summary>
+Do not audit attempts to receive UDP traffic on the ipp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ipp_port" lineno="28943">
+<summary>
+Send and receive UDP traffic on the ipp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ipp_port" lineno="28960">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ipp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ipp_port" lineno="28976">
+<summary>
+Bind TCP sockets to the ipp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ipp_port" lineno="28996">
+<summary>
+Bind UDP sockets to the ipp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ipp_port" lineno="29015">
+<summary>
+Make a TCP connection to the ipp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ipp_client_packets" lineno="29035">
+<summary>
+Send ipp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ipp_client_packets" lineno="29054">
+<summary>
+Do not audit attempts to send ipp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ipp_client_packets" lineno="29073">
+<summary>
+Receive ipp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ipp_client_packets" lineno="29092">
+<summary>
+Do not audit attempts to receive ipp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ipp_client_packets" lineno="29111">
+<summary>
+Send and receive ipp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ipp_client_packets" lineno="29127">
+<summary>
+Do not audit attempts to send and receive ipp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ipp_client_packets" lineno="29142">
+<summary>
+Relabel packets to ipp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ipp_server_packets" lineno="29162">
+<summary>
+Send ipp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ipp_server_packets" lineno="29181">
+<summary>
+Do not audit attempts to send ipp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ipp_server_packets" lineno="29200">
+<summary>
+Receive ipp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ipp_server_packets" lineno="29219">
+<summary>
+Do not audit attempts to receive ipp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ipp_server_packets" lineno="29238">
+<summary>
+Send and receive ipp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ipp_server_packets" lineno="29254">
+<summary>
+Do not audit attempts to send and receive ipp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ipp_server_packets" lineno="29269">
+<summary>
+Relabel packets to ipp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ipsecnat_port" lineno="29291">
+<summary>
+Send and receive TCP traffic on the ipsecnat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ipsecnat_port" lineno="29310">
+<summary>
+Send UDP traffic on the ipsecnat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ipsecnat_port" lineno="29329">
+<summary>
+Do not audit attempts to send UDP traffic on the ipsecnat port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ipsecnat_port" lineno="29348">
+<summary>
+Receive UDP traffic on the ipsecnat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ipsecnat_port" lineno="29367">
+<summary>
+Do not audit attempts to receive UDP traffic on the ipsecnat port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ipsecnat_port" lineno="29386">
+<summary>
+Send and receive UDP traffic on the ipsecnat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ipsecnat_port" lineno="29403">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ipsecnat port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ipsecnat_port" lineno="29419">
+<summary>
+Bind TCP sockets to the ipsecnat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ipsecnat_port" lineno="29439">
+<summary>
+Bind UDP sockets to the ipsecnat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ipsecnat_port" lineno="29458">
+<summary>
+Make a TCP connection to the ipsecnat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ipsecnat_client_packets" lineno="29478">
+<summary>
+Send ipsecnat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ipsecnat_client_packets" lineno="29497">
+<summary>
+Do not audit attempts to send ipsecnat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ipsecnat_client_packets" lineno="29516">
+<summary>
+Receive ipsecnat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ipsecnat_client_packets" lineno="29535">
+<summary>
+Do not audit attempts to receive ipsecnat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ipsecnat_client_packets" lineno="29554">
+<summary>
+Send and receive ipsecnat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ipsecnat_client_packets" lineno="29570">
+<summary>
+Do not audit attempts to send and receive ipsecnat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ipsecnat_client_packets" lineno="29585">
+<summary>
+Relabel packets to ipsecnat_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ipsecnat_server_packets" lineno="29605">
+<summary>
+Send ipsecnat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ipsecnat_server_packets" lineno="29624">
+<summary>
+Do not audit attempts to send ipsecnat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ipsecnat_server_packets" lineno="29643">
+<summary>
+Receive ipsecnat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ipsecnat_server_packets" lineno="29662">
+<summary>
+Do not audit attempts to receive ipsecnat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ipsecnat_server_packets" lineno="29681">
+<summary>
+Send and receive ipsecnat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ipsecnat_server_packets" lineno="29697">
+<summary>
+Do not audit attempts to send and receive ipsecnat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ipsecnat_server_packets" lineno="29712">
+<summary>
+Relabel packets to ipsecnat_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ircd_port" lineno="29734">
+<summary>
+Send and receive TCP traffic on the ircd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ircd_port" lineno="29753">
+<summary>
+Send UDP traffic on the ircd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ircd_port" lineno="29772">
+<summary>
+Do not audit attempts to send UDP traffic on the ircd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ircd_port" lineno="29791">
+<summary>
+Receive UDP traffic on the ircd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ircd_port" lineno="29810">
+<summary>
+Do not audit attempts to receive UDP traffic on the ircd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ircd_port" lineno="29829">
+<summary>
+Send and receive UDP traffic on the ircd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ircd_port" lineno="29846">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ircd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ircd_port" lineno="29862">
+<summary>
+Bind TCP sockets to the ircd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ircd_port" lineno="29882">
+<summary>
+Bind UDP sockets to the ircd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ircd_port" lineno="29901">
+<summary>
+Make a TCP connection to the ircd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ircd_client_packets" lineno="29921">
+<summary>
+Send ircd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ircd_client_packets" lineno="29940">
+<summary>
+Do not audit attempts to send ircd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ircd_client_packets" lineno="29959">
+<summary>
+Receive ircd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ircd_client_packets" lineno="29978">
+<summary>
+Do not audit attempts to receive ircd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ircd_client_packets" lineno="29997">
+<summary>
+Send and receive ircd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ircd_client_packets" lineno="30013">
+<summary>
+Do not audit attempts to send and receive ircd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ircd_client_packets" lineno="30028">
+<summary>
+Relabel packets to ircd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ircd_server_packets" lineno="30048">
+<summary>
+Send ircd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ircd_server_packets" lineno="30067">
+<summary>
+Do not audit attempts to send ircd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ircd_server_packets" lineno="30086">
+<summary>
+Receive ircd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ircd_server_packets" lineno="30105">
+<summary>
+Do not audit attempts to receive ircd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ircd_server_packets" lineno="30124">
+<summary>
+Send and receive ircd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ircd_server_packets" lineno="30140">
+<summary>
+Do not audit attempts to send and receive ircd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ircd_server_packets" lineno="30155">
+<summary>
+Relabel packets to ircd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_isakmp_port" lineno="30177">
+<summary>
+Send and receive TCP traffic on the isakmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_isakmp_port" lineno="30196">
+<summary>
+Send UDP traffic on the isakmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_isakmp_port" lineno="30215">
+<summary>
+Do not audit attempts to send UDP traffic on the isakmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_isakmp_port" lineno="30234">
+<summary>
+Receive UDP traffic on the isakmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_isakmp_port" lineno="30253">
+<summary>
+Do not audit attempts to receive UDP traffic on the isakmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_isakmp_port" lineno="30272">
+<summary>
+Send and receive UDP traffic on the isakmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_isakmp_port" lineno="30289">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the isakmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_isakmp_port" lineno="30305">
+<summary>
+Bind TCP sockets to the isakmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_isakmp_port" lineno="30325">
+<summary>
+Bind UDP sockets to the isakmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_isakmp_port" lineno="30344">
+<summary>
+Make a TCP connection to the isakmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_isakmp_client_packets" lineno="30364">
+<summary>
+Send isakmp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_isakmp_client_packets" lineno="30383">
+<summary>
+Do not audit attempts to send isakmp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_isakmp_client_packets" lineno="30402">
+<summary>
+Receive isakmp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_isakmp_client_packets" lineno="30421">
+<summary>
+Do not audit attempts to receive isakmp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_isakmp_client_packets" lineno="30440">
+<summary>
+Send and receive isakmp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_isakmp_client_packets" lineno="30456">
+<summary>
+Do not audit attempts to send and receive isakmp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_isakmp_client_packets" lineno="30471">
+<summary>
+Relabel packets to isakmp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_isakmp_server_packets" lineno="30491">
+<summary>
+Send isakmp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_isakmp_server_packets" lineno="30510">
+<summary>
+Do not audit attempts to send isakmp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_isakmp_server_packets" lineno="30529">
+<summary>
+Receive isakmp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_isakmp_server_packets" lineno="30548">
+<summary>
+Do not audit attempts to receive isakmp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_isakmp_server_packets" lineno="30567">
+<summary>
+Send and receive isakmp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_isakmp_server_packets" lineno="30583">
+<summary>
+Do not audit attempts to send and receive isakmp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_isakmp_server_packets" lineno="30598">
+<summary>
+Relabel packets to isakmp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_iscsi_port" lineno="30620">
+<summary>
+Send and receive TCP traffic on the iscsi port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_iscsi_port" lineno="30639">
+<summary>
+Send UDP traffic on the iscsi port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_iscsi_port" lineno="30658">
+<summary>
+Do not audit attempts to send UDP traffic on the iscsi port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_iscsi_port" lineno="30677">
+<summary>
+Receive UDP traffic on the iscsi port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_iscsi_port" lineno="30696">
+<summary>
+Do not audit attempts to receive UDP traffic on the iscsi port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_iscsi_port" lineno="30715">
+<summary>
+Send and receive UDP traffic on the iscsi port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_iscsi_port" lineno="30732">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the iscsi port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_iscsi_port" lineno="30748">
+<summary>
+Bind TCP sockets to the iscsi port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_iscsi_port" lineno="30768">
+<summary>
+Bind UDP sockets to the iscsi port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_iscsi_port" lineno="30787">
+<summary>
+Make a TCP connection to the iscsi port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_iscsi_client_packets" lineno="30807">
+<summary>
+Send iscsi_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_iscsi_client_packets" lineno="30826">
+<summary>
+Do not audit attempts to send iscsi_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_iscsi_client_packets" lineno="30845">
+<summary>
+Receive iscsi_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_iscsi_client_packets" lineno="30864">
+<summary>
+Do not audit attempts to receive iscsi_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_iscsi_client_packets" lineno="30883">
+<summary>
+Send and receive iscsi_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_iscsi_client_packets" lineno="30899">
+<summary>
+Do not audit attempts to send and receive iscsi_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_iscsi_client_packets" lineno="30914">
+<summary>
+Relabel packets to iscsi_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_iscsi_server_packets" lineno="30934">
+<summary>
+Send iscsi_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_iscsi_server_packets" lineno="30953">
+<summary>
+Do not audit attempts to send iscsi_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_iscsi_server_packets" lineno="30972">
+<summary>
+Receive iscsi_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_iscsi_server_packets" lineno="30991">
+<summary>
+Do not audit attempts to receive iscsi_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_iscsi_server_packets" lineno="31010">
+<summary>
+Send and receive iscsi_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_iscsi_server_packets" lineno="31026">
+<summary>
+Do not audit attempts to send and receive iscsi_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_iscsi_server_packets" lineno="31041">
+<summary>
+Relabel packets to iscsi_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_isns_port" lineno="31063">
+<summary>
+Send and receive TCP traffic on the isns port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_isns_port" lineno="31082">
+<summary>
+Send UDP traffic on the isns port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_isns_port" lineno="31101">
+<summary>
+Do not audit attempts to send UDP traffic on the isns port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_isns_port" lineno="31120">
+<summary>
+Receive UDP traffic on the isns port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_isns_port" lineno="31139">
+<summary>
+Do not audit attempts to receive UDP traffic on the isns port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_isns_port" lineno="31158">
+<summary>
+Send and receive UDP traffic on the isns port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_isns_port" lineno="31175">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the isns port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_isns_port" lineno="31191">
+<summary>
+Bind TCP sockets to the isns port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_isns_port" lineno="31211">
+<summary>
+Bind UDP sockets to the isns port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_isns_port" lineno="31230">
+<summary>
+Make a TCP connection to the isns port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_isns_client_packets" lineno="31250">
+<summary>
+Send isns_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_isns_client_packets" lineno="31269">
+<summary>
+Do not audit attempts to send isns_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_isns_client_packets" lineno="31288">
+<summary>
+Receive isns_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_isns_client_packets" lineno="31307">
+<summary>
+Do not audit attempts to receive isns_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_isns_client_packets" lineno="31326">
+<summary>
+Send and receive isns_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_isns_client_packets" lineno="31342">
+<summary>
+Do not audit attempts to send and receive isns_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_isns_client_packets" lineno="31357">
+<summary>
+Relabel packets to isns_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_isns_server_packets" lineno="31377">
+<summary>
+Send isns_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_isns_server_packets" lineno="31396">
+<summary>
+Do not audit attempts to send isns_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_isns_server_packets" lineno="31415">
+<summary>
+Receive isns_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_isns_server_packets" lineno="31434">
+<summary>
+Do not audit attempts to receive isns_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_isns_server_packets" lineno="31453">
+<summary>
+Send and receive isns_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_isns_server_packets" lineno="31469">
+<summary>
+Do not audit attempts to send and receive isns_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_isns_server_packets" lineno="31484">
+<summary>
+Relabel packets to isns_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_jabber_client_port" lineno="31506">
+<summary>
+Send and receive TCP traffic on the jabber_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_jabber_client_port" lineno="31525">
+<summary>
+Send UDP traffic on the jabber_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_jabber_client_port" lineno="31544">
+<summary>
+Do not audit attempts to send UDP traffic on the jabber_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_jabber_client_port" lineno="31563">
+<summary>
+Receive UDP traffic on the jabber_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_jabber_client_port" lineno="31582">
+<summary>
+Do not audit attempts to receive UDP traffic on the jabber_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_jabber_client_port" lineno="31601">
+<summary>
+Send and receive UDP traffic on the jabber_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_jabber_client_port" lineno="31618">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the jabber_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_jabber_client_port" lineno="31634">
+<summary>
+Bind TCP sockets to the jabber_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_jabber_client_port" lineno="31654">
+<summary>
+Bind UDP sockets to the jabber_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_jabber_client_port" lineno="31673">
+<summary>
+Make a TCP connection to the jabber_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_jabber_client_client_packets" lineno="31693">
+<summary>
+Send jabber_client_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_jabber_client_client_packets" lineno="31712">
+<summary>
+Do not audit attempts to send jabber_client_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_jabber_client_client_packets" lineno="31731">
+<summary>
+Receive jabber_client_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_jabber_client_client_packets" lineno="31750">
+<summary>
+Do not audit attempts to receive jabber_client_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_jabber_client_client_packets" lineno="31769">
+<summary>
+Send and receive jabber_client_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_jabber_client_client_packets" lineno="31785">
+<summary>
+Do not audit attempts to send and receive jabber_client_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_jabber_client_client_packets" lineno="31800">
+<summary>
+Relabel packets to jabber_client_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_jabber_client_server_packets" lineno="31820">
+<summary>
+Send jabber_client_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_jabber_client_server_packets" lineno="31839">
+<summary>
+Do not audit attempts to send jabber_client_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_jabber_client_server_packets" lineno="31858">
+<summary>
+Receive jabber_client_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_jabber_client_server_packets" lineno="31877">
+<summary>
+Do not audit attempts to receive jabber_client_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_jabber_client_server_packets" lineno="31896">
+<summary>
+Send and receive jabber_client_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_jabber_client_server_packets" lineno="31912">
+<summary>
+Do not audit attempts to send and receive jabber_client_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_jabber_client_server_packets" lineno="31927">
+<summary>
+Relabel packets to jabber_client_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_jabber_interserver_port" lineno="31949">
+<summary>
+Send and receive TCP traffic on the jabber_interserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_jabber_interserver_port" lineno="31968">
+<summary>
+Send UDP traffic on the jabber_interserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_jabber_interserver_port" lineno="31987">
+<summary>
+Do not audit attempts to send UDP traffic on the jabber_interserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_jabber_interserver_port" lineno="32006">
+<summary>
+Receive UDP traffic on the jabber_interserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_jabber_interserver_port" lineno="32025">
+<summary>
+Do not audit attempts to receive UDP traffic on the jabber_interserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_jabber_interserver_port" lineno="32044">
+<summary>
+Send and receive UDP traffic on the jabber_interserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_jabber_interserver_port" lineno="32061">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the jabber_interserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_jabber_interserver_port" lineno="32077">
+<summary>
+Bind TCP sockets to the jabber_interserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_jabber_interserver_port" lineno="32097">
+<summary>
+Bind UDP sockets to the jabber_interserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_jabber_interserver_port" lineno="32116">
+<summary>
+Make a TCP connection to the jabber_interserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_jabber_interserver_client_packets" lineno="32136">
+<summary>
+Send jabber_interserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_jabber_interserver_client_packets" lineno="32155">
+<summary>
+Do not audit attempts to send jabber_interserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_jabber_interserver_client_packets" lineno="32174">
+<summary>
+Receive jabber_interserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_jabber_interserver_client_packets" lineno="32193">
+<summary>
+Do not audit attempts to receive jabber_interserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_jabber_interserver_client_packets" lineno="32212">
+<summary>
+Send and receive jabber_interserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_jabber_interserver_client_packets" lineno="32228">
+<summary>
+Do not audit attempts to send and receive jabber_interserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_jabber_interserver_client_packets" lineno="32243">
+<summary>
+Relabel packets to jabber_interserver_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_jabber_interserver_server_packets" lineno="32263">
+<summary>
+Send jabber_interserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_jabber_interserver_server_packets" lineno="32282">
+<summary>
+Do not audit attempts to send jabber_interserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_jabber_interserver_server_packets" lineno="32301">
+<summary>
+Receive jabber_interserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_jabber_interserver_server_packets" lineno="32320">
+<summary>
+Do not audit attempts to receive jabber_interserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_jabber_interserver_server_packets" lineno="32339">
+<summary>
+Send and receive jabber_interserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_jabber_interserver_server_packets" lineno="32355">
+<summary>
+Do not audit attempts to send and receive jabber_interserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_jabber_interserver_server_packets" lineno="32370">
+<summary>
+Relabel packets to jabber_interserver_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_kerberos_port" lineno="32392">
+<summary>
+Send and receive TCP traffic on the kerberos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_kerberos_port" lineno="32411">
+<summary>
+Send UDP traffic on the kerberos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_kerberos_port" lineno="32430">
+<summary>
+Do not audit attempts to send UDP traffic on the kerberos port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_kerberos_port" lineno="32449">
+<summary>
+Receive UDP traffic on the kerberos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_kerberos_port" lineno="32468">
+<summary>
+Do not audit attempts to receive UDP traffic on the kerberos port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_kerberos_port" lineno="32487">
+<summary>
+Send and receive UDP traffic on the kerberos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_kerberos_port" lineno="32504">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the kerberos port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_kerberos_port" lineno="32520">
+<summary>
+Bind TCP sockets to the kerberos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_kerberos_port" lineno="32540">
+<summary>
+Bind UDP sockets to the kerberos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_kerberos_port" lineno="32559">
+<summary>
+Make a TCP connection to the kerberos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_kerberos_client_packets" lineno="32579">
+<summary>
+Send kerberos_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_kerberos_client_packets" lineno="32598">
+<summary>
+Do not audit attempts to send kerberos_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_kerberos_client_packets" lineno="32617">
+<summary>
+Receive kerberos_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_kerberos_client_packets" lineno="32636">
+<summary>
+Do not audit attempts to receive kerberos_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_kerberos_client_packets" lineno="32655">
+<summary>
+Send and receive kerberos_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_kerberos_client_packets" lineno="32671">
+<summary>
+Do not audit attempts to send and receive kerberos_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_kerberos_client_packets" lineno="32686">
+<summary>
+Relabel packets to kerberos_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_kerberos_server_packets" lineno="32706">
+<summary>
+Send kerberos_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_kerberos_server_packets" lineno="32725">
+<summary>
+Do not audit attempts to send kerberos_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_kerberos_server_packets" lineno="32744">
+<summary>
+Receive kerberos_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_kerberos_server_packets" lineno="32763">
+<summary>
+Do not audit attempts to receive kerberos_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_kerberos_server_packets" lineno="32782">
+<summary>
+Send and receive kerberos_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_kerberos_server_packets" lineno="32798">
+<summary>
+Do not audit attempts to send and receive kerberos_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_kerberos_server_packets" lineno="32813">
+<summary>
+Relabel packets to kerberos_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_kerberos_admin_port" lineno="32835">
+<summary>
+Send and receive TCP traffic on the kerberos_admin port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_kerberos_admin_port" lineno="32854">
+<summary>
+Send UDP traffic on the kerberos_admin port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_kerberos_admin_port" lineno="32873">
+<summary>
+Do not audit attempts to send UDP traffic on the kerberos_admin port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_kerberos_admin_port" lineno="32892">
+<summary>
+Receive UDP traffic on the kerberos_admin port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_kerberos_admin_port" lineno="32911">
+<summary>
+Do not audit attempts to receive UDP traffic on the kerberos_admin port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_kerberos_admin_port" lineno="32930">
+<summary>
+Send and receive UDP traffic on the kerberos_admin port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_kerberos_admin_port" lineno="32947">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the kerberos_admin port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_kerberos_admin_port" lineno="32963">
+<summary>
+Bind TCP sockets to the kerberos_admin port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_kerberos_admin_port" lineno="32983">
+<summary>
+Bind UDP sockets to the kerberos_admin port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_kerberos_admin_port" lineno="33002">
+<summary>
+Make a TCP connection to the kerberos_admin port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_kerberos_admin_client_packets" lineno="33022">
+<summary>
+Send kerberos_admin_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_kerberos_admin_client_packets" lineno="33041">
+<summary>
+Do not audit attempts to send kerberos_admin_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_kerberos_admin_client_packets" lineno="33060">
+<summary>
+Receive kerberos_admin_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_kerberos_admin_client_packets" lineno="33079">
+<summary>
+Do not audit attempts to receive kerberos_admin_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_kerberos_admin_client_packets" lineno="33098">
+<summary>
+Send and receive kerberos_admin_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_kerberos_admin_client_packets" lineno="33114">
+<summary>
+Do not audit attempts to send and receive kerberos_admin_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_kerberos_admin_client_packets" lineno="33129">
+<summary>
+Relabel packets to kerberos_admin_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_kerberos_admin_server_packets" lineno="33149">
+<summary>
+Send kerberos_admin_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_kerberos_admin_server_packets" lineno="33168">
+<summary>
+Do not audit attempts to send kerberos_admin_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_kerberos_admin_server_packets" lineno="33187">
+<summary>
+Receive kerberos_admin_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_kerberos_admin_server_packets" lineno="33206">
+<summary>
+Do not audit attempts to receive kerberos_admin_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_kerberos_admin_server_packets" lineno="33225">
+<summary>
+Send and receive kerberos_admin_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_kerberos_admin_server_packets" lineno="33241">
+<summary>
+Do not audit attempts to send and receive kerberos_admin_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_kerberos_admin_server_packets" lineno="33256">
+<summary>
+Relabel packets to kerberos_admin_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_kerberos_master_port" lineno="33278">
+<summary>
+Send and receive TCP traffic on the kerberos_master port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_kerberos_master_port" lineno="33297">
+<summary>
+Send UDP traffic on the kerberos_master port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_kerberos_master_port" lineno="33316">
+<summary>
+Do not audit attempts to send UDP traffic on the kerberos_master port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_kerberos_master_port" lineno="33335">
+<summary>
+Receive UDP traffic on the kerberos_master port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_kerberos_master_port" lineno="33354">
+<summary>
+Do not audit attempts to receive UDP traffic on the kerberos_master port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_kerberos_master_port" lineno="33373">
+<summary>
+Send and receive UDP traffic on the kerberos_master port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_kerberos_master_port" lineno="33390">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the kerberos_master port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_kerberos_master_port" lineno="33406">
+<summary>
+Bind TCP sockets to the kerberos_master port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_kerberos_master_port" lineno="33426">
+<summary>
+Bind UDP sockets to the kerberos_master port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_kerberos_master_port" lineno="33445">
+<summary>
+Make a TCP connection to the kerberos_master port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_kerberos_master_client_packets" lineno="33465">
+<summary>
+Send kerberos_master_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_kerberos_master_client_packets" lineno="33484">
+<summary>
+Do not audit attempts to send kerberos_master_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_kerberos_master_client_packets" lineno="33503">
+<summary>
+Receive kerberos_master_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_kerberos_master_client_packets" lineno="33522">
+<summary>
+Do not audit attempts to receive kerberos_master_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_kerberos_master_client_packets" lineno="33541">
+<summary>
+Send and receive kerberos_master_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_kerberos_master_client_packets" lineno="33557">
+<summary>
+Do not audit attempts to send and receive kerberos_master_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_kerberos_master_client_packets" lineno="33572">
+<summary>
+Relabel packets to kerberos_master_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_kerberos_master_server_packets" lineno="33592">
+<summary>
+Send kerberos_master_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_kerberos_master_server_packets" lineno="33611">
+<summary>
+Do not audit attempts to send kerberos_master_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_kerberos_master_server_packets" lineno="33630">
+<summary>
+Receive kerberos_master_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_kerberos_master_server_packets" lineno="33649">
+<summary>
+Do not audit attempts to receive kerberos_master_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_kerberos_master_server_packets" lineno="33668">
+<summary>
+Send and receive kerberos_master_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_kerberos_master_server_packets" lineno="33684">
+<summary>
+Do not audit attempts to send and receive kerberos_master_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_kerberos_master_server_packets" lineno="33699">
+<summary>
+Relabel packets to kerberos_master_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_kismet_port" lineno="33721">
+<summary>
+Send and receive TCP traffic on the kismet port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_kismet_port" lineno="33740">
+<summary>
+Send UDP traffic on the kismet port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_kismet_port" lineno="33759">
+<summary>
+Do not audit attempts to send UDP traffic on the kismet port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_kismet_port" lineno="33778">
+<summary>
+Receive UDP traffic on the kismet port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_kismet_port" lineno="33797">
+<summary>
+Do not audit attempts to receive UDP traffic on the kismet port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_kismet_port" lineno="33816">
+<summary>
+Send and receive UDP traffic on the kismet port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_kismet_port" lineno="33833">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the kismet port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_kismet_port" lineno="33849">
+<summary>
+Bind TCP sockets to the kismet port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_kismet_port" lineno="33869">
+<summary>
+Bind UDP sockets to the kismet port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_kismet_port" lineno="33888">
+<summary>
+Make a TCP connection to the kismet port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_kismet_client_packets" lineno="33908">
+<summary>
+Send kismet_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_kismet_client_packets" lineno="33927">
+<summary>
+Do not audit attempts to send kismet_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_kismet_client_packets" lineno="33946">
+<summary>
+Receive kismet_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_kismet_client_packets" lineno="33965">
+<summary>
+Do not audit attempts to receive kismet_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_kismet_client_packets" lineno="33984">
+<summary>
+Send and receive kismet_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_kismet_client_packets" lineno="34000">
+<summary>
+Do not audit attempts to send and receive kismet_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_kismet_client_packets" lineno="34015">
+<summary>
+Relabel packets to kismet_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_kismet_server_packets" lineno="34035">
+<summary>
+Send kismet_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_kismet_server_packets" lineno="34054">
+<summary>
+Do not audit attempts to send kismet_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_kismet_server_packets" lineno="34073">
+<summary>
+Receive kismet_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_kismet_server_packets" lineno="34092">
+<summary>
+Do not audit attempts to receive kismet_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_kismet_server_packets" lineno="34111">
+<summary>
+Send and receive kismet_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_kismet_server_packets" lineno="34127">
+<summary>
+Do not audit attempts to send and receive kismet_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_kismet_server_packets" lineno="34142">
+<summary>
+Relabel packets to kismet_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_kprop_port" lineno="34164">
+<summary>
+Send and receive TCP traffic on the kprop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_kprop_port" lineno="34183">
+<summary>
+Send UDP traffic on the kprop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_kprop_port" lineno="34202">
+<summary>
+Do not audit attempts to send UDP traffic on the kprop port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_kprop_port" lineno="34221">
+<summary>
+Receive UDP traffic on the kprop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_kprop_port" lineno="34240">
+<summary>
+Do not audit attempts to receive UDP traffic on the kprop port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_kprop_port" lineno="34259">
+<summary>
+Send and receive UDP traffic on the kprop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_kprop_port" lineno="34276">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the kprop port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_kprop_port" lineno="34292">
+<summary>
+Bind TCP sockets to the kprop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_kprop_port" lineno="34312">
+<summary>
+Bind UDP sockets to the kprop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_kprop_port" lineno="34331">
+<summary>
+Make a TCP connection to the kprop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_kprop_client_packets" lineno="34351">
+<summary>
+Send kprop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_kprop_client_packets" lineno="34370">
+<summary>
+Do not audit attempts to send kprop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_kprop_client_packets" lineno="34389">
+<summary>
+Receive kprop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_kprop_client_packets" lineno="34408">
+<summary>
+Do not audit attempts to receive kprop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_kprop_client_packets" lineno="34427">
+<summary>
+Send and receive kprop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_kprop_client_packets" lineno="34443">
+<summary>
+Do not audit attempts to send and receive kprop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_kprop_client_packets" lineno="34458">
+<summary>
+Relabel packets to kprop_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_kprop_server_packets" lineno="34478">
+<summary>
+Send kprop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_kprop_server_packets" lineno="34497">
+<summary>
+Do not audit attempts to send kprop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_kprop_server_packets" lineno="34516">
+<summary>
+Receive kprop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_kprop_server_packets" lineno="34535">
+<summary>
+Do not audit attempts to receive kprop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_kprop_server_packets" lineno="34554">
+<summary>
+Send and receive kprop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_kprop_server_packets" lineno="34570">
+<summary>
+Do not audit attempts to send and receive kprop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_kprop_server_packets" lineno="34585">
+<summary>
+Relabel packets to kprop_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ktalkd_port" lineno="34607">
+<summary>
+Send and receive TCP traffic on the ktalkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ktalkd_port" lineno="34626">
+<summary>
+Send UDP traffic on the ktalkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ktalkd_port" lineno="34645">
+<summary>
+Do not audit attempts to send UDP traffic on the ktalkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ktalkd_port" lineno="34664">
+<summary>
+Receive UDP traffic on the ktalkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ktalkd_port" lineno="34683">
+<summary>
+Do not audit attempts to receive UDP traffic on the ktalkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ktalkd_port" lineno="34702">
+<summary>
+Send and receive UDP traffic on the ktalkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ktalkd_port" lineno="34719">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ktalkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ktalkd_port" lineno="34735">
+<summary>
+Bind TCP sockets to the ktalkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ktalkd_port" lineno="34755">
+<summary>
+Bind UDP sockets to the ktalkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ktalkd_port" lineno="34774">
+<summary>
+Make a TCP connection to the ktalkd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ktalkd_client_packets" lineno="34794">
+<summary>
+Send ktalkd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ktalkd_client_packets" lineno="34813">
+<summary>
+Do not audit attempts to send ktalkd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ktalkd_client_packets" lineno="34832">
+<summary>
+Receive ktalkd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ktalkd_client_packets" lineno="34851">
+<summary>
+Do not audit attempts to receive ktalkd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ktalkd_client_packets" lineno="34870">
+<summary>
+Send and receive ktalkd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ktalkd_client_packets" lineno="34886">
+<summary>
+Do not audit attempts to send and receive ktalkd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ktalkd_client_packets" lineno="34901">
+<summary>
+Relabel packets to ktalkd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ktalkd_server_packets" lineno="34921">
+<summary>
+Send ktalkd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ktalkd_server_packets" lineno="34940">
+<summary>
+Do not audit attempts to send ktalkd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ktalkd_server_packets" lineno="34959">
+<summary>
+Receive ktalkd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ktalkd_server_packets" lineno="34978">
+<summary>
+Do not audit attempts to receive ktalkd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ktalkd_server_packets" lineno="34997">
+<summary>
+Send and receive ktalkd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ktalkd_server_packets" lineno="35013">
+<summary>
+Do not audit attempts to send and receive ktalkd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ktalkd_server_packets" lineno="35028">
+<summary>
+Relabel packets to ktalkd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ldap_port" lineno="35050">
+<summary>
+Send and receive TCP traffic on the ldap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ldap_port" lineno="35069">
+<summary>
+Send UDP traffic on the ldap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ldap_port" lineno="35088">
+<summary>
+Do not audit attempts to send UDP traffic on the ldap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ldap_port" lineno="35107">
+<summary>
+Receive UDP traffic on the ldap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ldap_port" lineno="35126">
+<summary>
+Do not audit attempts to receive UDP traffic on the ldap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ldap_port" lineno="35145">
+<summary>
+Send and receive UDP traffic on the ldap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ldap_port" lineno="35162">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ldap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ldap_port" lineno="35178">
+<summary>
+Bind TCP sockets to the ldap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ldap_port" lineno="35198">
+<summary>
+Bind UDP sockets to the ldap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ldap_port" lineno="35217">
+<summary>
+Make a TCP connection to the ldap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ldap_client_packets" lineno="35237">
+<summary>
+Send ldap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ldap_client_packets" lineno="35256">
+<summary>
+Do not audit attempts to send ldap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ldap_client_packets" lineno="35275">
+<summary>
+Receive ldap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ldap_client_packets" lineno="35294">
+<summary>
+Do not audit attempts to receive ldap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ldap_client_packets" lineno="35313">
+<summary>
+Send and receive ldap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ldap_client_packets" lineno="35329">
+<summary>
+Do not audit attempts to send and receive ldap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ldap_client_packets" lineno="35344">
+<summary>
+Relabel packets to ldap_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ldap_server_packets" lineno="35364">
+<summary>
+Send ldap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ldap_server_packets" lineno="35383">
+<summary>
+Do not audit attempts to send ldap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ldap_server_packets" lineno="35402">
+<summary>
+Receive ldap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ldap_server_packets" lineno="35421">
+<summary>
+Do not audit attempts to receive ldap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ldap_server_packets" lineno="35440">
+<summary>
+Send and receive ldap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ldap_server_packets" lineno="35456">
+<summary>
+Do not audit attempts to send and receive ldap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ldap_server_packets" lineno="35471">
+<summary>
+Relabel packets to ldap_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_lirc_port" lineno="35493">
+<summary>
+Send and receive TCP traffic on the lirc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_lirc_port" lineno="35512">
+<summary>
+Send UDP traffic on the lirc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_lirc_port" lineno="35531">
+<summary>
+Do not audit attempts to send UDP traffic on the lirc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_lirc_port" lineno="35550">
+<summary>
+Receive UDP traffic on the lirc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_lirc_port" lineno="35569">
+<summary>
+Do not audit attempts to receive UDP traffic on the lirc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_lirc_port" lineno="35588">
+<summary>
+Send and receive UDP traffic on the lirc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_lirc_port" lineno="35605">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the lirc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_lirc_port" lineno="35621">
+<summary>
+Bind TCP sockets to the lirc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_lirc_port" lineno="35641">
+<summary>
+Bind UDP sockets to the lirc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_lirc_port" lineno="35660">
+<summary>
+Make a TCP connection to the lirc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_lirc_client_packets" lineno="35680">
+<summary>
+Send lirc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_lirc_client_packets" lineno="35699">
+<summary>
+Do not audit attempts to send lirc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_lirc_client_packets" lineno="35718">
+<summary>
+Receive lirc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_lirc_client_packets" lineno="35737">
+<summary>
+Do not audit attempts to receive lirc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_lirc_client_packets" lineno="35756">
+<summary>
+Send and receive lirc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_lirc_client_packets" lineno="35772">
+<summary>
+Do not audit attempts to send and receive lirc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_lirc_client_packets" lineno="35787">
+<summary>
+Relabel packets to lirc_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_lirc_server_packets" lineno="35807">
+<summary>
+Send lirc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_lirc_server_packets" lineno="35826">
+<summary>
+Do not audit attempts to send lirc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_lirc_server_packets" lineno="35845">
+<summary>
+Receive lirc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_lirc_server_packets" lineno="35864">
+<summary>
+Do not audit attempts to receive lirc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_lirc_server_packets" lineno="35883">
+<summary>
+Send and receive lirc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_lirc_server_packets" lineno="35899">
+<summary>
+Do not audit attempts to send and receive lirc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_lirc_server_packets" lineno="35914">
+<summary>
+Relabel packets to lirc_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_lmtp_port" lineno="35936">
+<summary>
+Send and receive TCP traffic on the lmtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_lmtp_port" lineno="35955">
+<summary>
+Send UDP traffic on the lmtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_lmtp_port" lineno="35974">
+<summary>
+Do not audit attempts to send UDP traffic on the lmtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_lmtp_port" lineno="35993">
+<summary>
+Receive UDP traffic on the lmtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_lmtp_port" lineno="36012">
+<summary>
+Do not audit attempts to receive UDP traffic on the lmtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_lmtp_port" lineno="36031">
+<summary>
+Send and receive UDP traffic on the lmtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_lmtp_port" lineno="36048">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the lmtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_lmtp_port" lineno="36064">
+<summary>
+Bind TCP sockets to the lmtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_lmtp_port" lineno="36084">
+<summary>
+Bind UDP sockets to the lmtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_lmtp_port" lineno="36103">
+<summary>
+Make a TCP connection to the lmtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_lmtp_client_packets" lineno="36123">
+<summary>
+Send lmtp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_lmtp_client_packets" lineno="36142">
+<summary>
+Do not audit attempts to send lmtp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_lmtp_client_packets" lineno="36161">
+<summary>
+Receive lmtp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_lmtp_client_packets" lineno="36180">
+<summary>
+Do not audit attempts to receive lmtp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_lmtp_client_packets" lineno="36199">
+<summary>
+Send and receive lmtp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_lmtp_client_packets" lineno="36215">
+<summary>
+Do not audit attempts to send and receive lmtp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_lmtp_client_packets" lineno="36230">
+<summary>
+Relabel packets to lmtp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_lmtp_server_packets" lineno="36250">
+<summary>
+Send lmtp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_lmtp_server_packets" lineno="36269">
+<summary>
+Do not audit attempts to send lmtp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_lmtp_server_packets" lineno="36288">
+<summary>
+Receive lmtp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_lmtp_server_packets" lineno="36307">
+<summary>
+Do not audit attempts to receive lmtp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_lmtp_server_packets" lineno="36326">
+<summary>
+Send and receive lmtp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_lmtp_server_packets" lineno="36342">
+<summary>
+Do not audit attempts to send and receive lmtp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_lmtp_server_packets" lineno="36357">
+<summary>
+Relabel packets to lmtp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_lrrd_port" lineno="36379">
+<summary>
+Send and receive TCP traffic on the lrrd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_lrrd_port" lineno="36398">
+<summary>
+Send UDP traffic on the lrrd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_lrrd_port" lineno="36417">
+<summary>
+Do not audit attempts to send UDP traffic on the lrrd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_lrrd_port" lineno="36436">
+<summary>
+Receive UDP traffic on the lrrd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_lrrd_port" lineno="36455">
+<summary>
+Do not audit attempts to receive UDP traffic on the lrrd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_lrrd_port" lineno="36474">
+<summary>
+Send and receive UDP traffic on the lrrd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_lrrd_port" lineno="36491">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the lrrd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_lrrd_port" lineno="36507">
+<summary>
+Bind TCP sockets to the lrrd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_lrrd_port" lineno="36527">
+<summary>
+Bind UDP sockets to the lrrd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_lrrd_port" lineno="36546">
+<summary>
+Make a TCP connection to the lrrd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_lrrd_client_packets" lineno="36566">
+<summary>
+Send lrrd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_lrrd_client_packets" lineno="36585">
+<summary>
+Do not audit attempts to send lrrd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_lrrd_client_packets" lineno="36604">
+<summary>
+Receive lrrd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_lrrd_client_packets" lineno="36623">
+<summary>
+Do not audit attempts to receive lrrd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_lrrd_client_packets" lineno="36642">
+<summary>
+Send and receive lrrd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_lrrd_client_packets" lineno="36658">
+<summary>
+Do not audit attempts to send and receive lrrd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_lrrd_client_packets" lineno="36673">
+<summary>
+Relabel packets to lrrd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_lrrd_server_packets" lineno="36693">
+<summary>
+Send lrrd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_lrrd_server_packets" lineno="36712">
+<summary>
+Do not audit attempts to send lrrd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_lrrd_server_packets" lineno="36731">
+<summary>
+Receive lrrd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_lrrd_server_packets" lineno="36750">
+<summary>
+Do not audit attempts to receive lrrd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_lrrd_server_packets" lineno="36769">
+<summary>
+Send and receive lrrd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_lrrd_server_packets" lineno="36785">
+<summary>
+Do not audit attempts to send and receive lrrd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_lrrd_server_packets" lineno="36800">
+<summary>
+Relabel packets to lrrd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_mail_port" lineno="36822">
+<summary>
+Send and receive TCP traffic on the mail port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_mail_port" lineno="36841">
+<summary>
+Send UDP traffic on the mail port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_mail_port" lineno="36860">
+<summary>
+Do not audit attempts to send UDP traffic on the mail port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_mail_port" lineno="36879">
+<summary>
+Receive UDP traffic on the mail port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_mail_port" lineno="36898">
+<summary>
+Do not audit attempts to receive UDP traffic on the mail port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_mail_port" lineno="36917">
+<summary>
+Send and receive UDP traffic on the mail port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_mail_port" lineno="36934">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the mail port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_mail_port" lineno="36950">
+<summary>
+Bind TCP sockets to the mail port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_mail_port" lineno="36970">
+<summary>
+Bind UDP sockets to the mail port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_mail_port" lineno="36989">
+<summary>
+Make a TCP connection to the mail port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_mail_client_packets" lineno="37009">
+<summary>
+Send mail_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_mail_client_packets" lineno="37028">
+<summary>
+Do not audit attempts to send mail_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_mail_client_packets" lineno="37047">
+<summary>
+Receive mail_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_mail_client_packets" lineno="37066">
+<summary>
+Do not audit attempts to receive mail_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_mail_client_packets" lineno="37085">
+<summary>
+Send and receive mail_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_mail_client_packets" lineno="37101">
+<summary>
+Do not audit attempts to send and receive mail_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_mail_client_packets" lineno="37116">
+<summary>
+Relabel packets to mail_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_mail_server_packets" lineno="37136">
+<summary>
+Send mail_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_mail_server_packets" lineno="37155">
+<summary>
+Do not audit attempts to send mail_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_mail_server_packets" lineno="37174">
+<summary>
+Receive mail_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_mail_server_packets" lineno="37193">
+<summary>
+Do not audit attempts to receive mail_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_mail_server_packets" lineno="37212">
+<summary>
+Send and receive mail_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_mail_server_packets" lineno="37228">
+<summary>
+Do not audit attempts to send and receive mail_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_mail_server_packets" lineno="37243">
+<summary>
+Relabel packets to mail_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_matahari_port" lineno="37265">
+<summary>
+Send and receive TCP traffic on the matahari port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_matahari_port" lineno="37284">
+<summary>
+Send UDP traffic on the matahari port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_matahari_port" lineno="37303">
+<summary>
+Do not audit attempts to send UDP traffic on the matahari port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_matahari_port" lineno="37322">
+<summary>
+Receive UDP traffic on the matahari port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_matahari_port" lineno="37341">
+<summary>
+Do not audit attempts to receive UDP traffic on the matahari port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_matahari_port" lineno="37360">
+<summary>
+Send and receive UDP traffic on the matahari port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_matahari_port" lineno="37377">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the matahari port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_matahari_port" lineno="37393">
+<summary>
+Bind TCP sockets to the matahari port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_matahari_port" lineno="37413">
+<summary>
+Bind UDP sockets to the matahari port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_matahari_port" lineno="37432">
+<summary>
+Make a TCP connection to the matahari port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_matahari_client_packets" lineno="37452">
+<summary>
+Send matahari_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_matahari_client_packets" lineno="37471">
+<summary>
+Do not audit attempts to send matahari_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_matahari_client_packets" lineno="37490">
+<summary>
+Receive matahari_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_matahari_client_packets" lineno="37509">
+<summary>
+Do not audit attempts to receive matahari_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_matahari_client_packets" lineno="37528">
+<summary>
+Send and receive matahari_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_matahari_client_packets" lineno="37544">
+<summary>
+Do not audit attempts to send and receive matahari_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_matahari_client_packets" lineno="37559">
+<summary>
+Relabel packets to matahari_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_matahari_server_packets" lineno="37579">
+<summary>
+Send matahari_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_matahari_server_packets" lineno="37598">
+<summary>
+Do not audit attempts to send matahari_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_matahari_server_packets" lineno="37617">
+<summary>
+Receive matahari_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_matahari_server_packets" lineno="37636">
+<summary>
+Do not audit attempts to receive matahari_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_matahari_server_packets" lineno="37655">
+<summary>
+Send and receive matahari_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_matahari_server_packets" lineno="37671">
+<summary>
+Do not audit attempts to send and receive matahari_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_matahari_server_packets" lineno="37686">
+<summary>
+Relabel packets to matahari_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_memcache_port" lineno="37708">
+<summary>
+Send and receive TCP traffic on the memcache port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_memcache_port" lineno="37727">
+<summary>
+Send UDP traffic on the memcache port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_memcache_port" lineno="37746">
+<summary>
+Do not audit attempts to send UDP traffic on the memcache port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_memcache_port" lineno="37765">
+<summary>
+Receive UDP traffic on the memcache port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_memcache_port" lineno="37784">
+<summary>
+Do not audit attempts to receive UDP traffic on the memcache port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_memcache_port" lineno="37803">
+<summary>
+Send and receive UDP traffic on the memcache port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_memcache_port" lineno="37820">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the memcache port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_memcache_port" lineno="37836">
+<summary>
+Bind TCP sockets to the memcache port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_memcache_port" lineno="37856">
+<summary>
+Bind UDP sockets to the memcache port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_memcache_port" lineno="37875">
+<summary>
+Make a TCP connection to the memcache port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_memcache_client_packets" lineno="37895">
+<summary>
+Send memcache_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_memcache_client_packets" lineno="37914">
+<summary>
+Do not audit attempts to send memcache_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_memcache_client_packets" lineno="37933">
+<summary>
+Receive memcache_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_memcache_client_packets" lineno="37952">
+<summary>
+Do not audit attempts to receive memcache_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_memcache_client_packets" lineno="37971">
+<summary>
+Send and receive memcache_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_memcache_client_packets" lineno="37987">
+<summary>
+Do not audit attempts to send and receive memcache_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_memcache_client_packets" lineno="38002">
+<summary>
+Relabel packets to memcache_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_memcache_server_packets" lineno="38022">
+<summary>
+Send memcache_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_memcache_server_packets" lineno="38041">
+<summary>
+Do not audit attempts to send memcache_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_memcache_server_packets" lineno="38060">
+<summary>
+Receive memcache_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_memcache_server_packets" lineno="38079">
+<summary>
+Do not audit attempts to receive memcache_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_memcache_server_packets" lineno="38098">
+<summary>
+Send and receive memcache_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_memcache_server_packets" lineno="38114">
+<summary>
+Do not audit attempts to send and receive memcache_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_memcache_server_packets" lineno="38129">
+<summary>
+Relabel packets to memcache_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_milter_port" lineno="38151">
+<summary>
+Send and receive TCP traffic on the milter port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_milter_port" lineno="38170">
+<summary>
+Send UDP traffic on the milter port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_milter_port" lineno="38189">
+<summary>
+Do not audit attempts to send UDP traffic on the milter port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_milter_port" lineno="38208">
+<summary>
+Receive UDP traffic on the milter port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_milter_port" lineno="38227">
+<summary>
+Do not audit attempts to receive UDP traffic on the milter port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_milter_port" lineno="38246">
+<summary>
+Send and receive UDP traffic on the milter port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_milter_port" lineno="38263">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the milter port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_milter_port" lineno="38279">
+<summary>
+Bind TCP sockets to the milter port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_milter_port" lineno="38299">
+<summary>
+Bind UDP sockets to the milter port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_milter_port" lineno="38318">
+<summary>
+Make a TCP connection to the milter port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_milter_client_packets" lineno="38338">
+<summary>
+Send milter_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_milter_client_packets" lineno="38357">
+<summary>
+Do not audit attempts to send milter_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_milter_client_packets" lineno="38376">
+<summary>
+Receive milter_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_milter_client_packets" lineno="38395">
+<summary>
+Do not audit attempts to receive milter_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_milter_client_packets" lineno="38414">
+<summary>
+Send and receive milter_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_milter_client_packets" lineno="38430">
+<summary>
+Do not audit attempts to send and receive milter_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_milter_client_packets" lineno="38445">
+<summary>
+Relabel packets to milter_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_milter_server_packets" lineno="38465">
+<summary>
+Send milter_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_milter_server_packets" lineno="38484">
+<summary>
+Do not audit attempts to send milter_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_milter_server_packets" lineno="38503">
+<summary>
+Receive milter_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_milter_server_packets" lineno="38522">
+<summary>
+Do not audit attempts to receive milter_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_milter_server_packets" lineno="38541">
+<summary>
+Send and receive milter_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_milter_server_packets" lineno="38557">
+<summary>
+Do not audit attempts to send and receive milter_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_milter_server_packets" lineno="38572">
+<summary>
+Relabel packets to milter_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_mmcc_port" lineno="38594">
+<summary>
+Send and receive TCP traffic on the mmcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_mmcc_port" lineno="38613">
+<summary>
+Send UDP traffic on the mmcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_mmcc_port" lineno="38632">
+<summary>
+Do not audit attempts to send UDP traffic on the mmcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_mmcc_port" lineno="38651">
+<summary>
+Receive UDP traffic on the mmcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_mmcc_port" lineno="38670">
+<summary>
+Do not audit attempts to receive UDP traffic on the mmcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_mmcc_port" lineno="38689">
+<summary>
+Send and receive UDP traffic on the mmcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_mmcc_port" lineno="38706">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the mmcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_mmcc_port" lineno="38722">
+<summary>
+Bind TCP sockets to the mmcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_mmcc_port" lineno="38742">
+<summary>
+Bind UDP sockets to the mmcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_mmcc_port" lineno="38761">
+<summary>
+Make a TCP connection to the mmcc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_mmcc_client_packets" lineno="38781">
+<summary>
+Send mmcc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_mmcc_client_packets" lineno="38800">
+<summary>
+Do not audit attempts to send mmcc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_mmcc_client_packets" lineno="38819">
+<summary>
+Receive mmcc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_mmcc_client_packets" lineno="38838">
+<summary>
+Do not audit attempts to receive mmcc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_mmcc_client_packets" lineno="38857">
+<summary>
+Send and receive mmcc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_mmcc_client_packets" lineno="38873">
+<summary>
+Do not audit attempts to send and receive mmcc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_mmcc_client_packets" lineno="38888">
+<summary>
+Relabel packets to mmcc_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_mmcc_server_packets" lineno="38908">
+<summary>
+Send mmcc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_mmcc_server_packets" lineno="38927">
+<summary>
+Do not audit attempts to send mmcc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_mmcc_server_packets" lineno="38946">
+<summary>
+Receive mmcc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_mmcc_server_packets" lineno="38965">
+<summary>
+Do not audit attempts to receive mmcc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_mmcc_server_packets" lineno="38984">
+<summary>
+Send and receive mmcc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_mmcc_server_packets" lineno="39000">
+<summary>
+Do not audit attempts to send and receive mmcc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_mmcc_server_packets" lineno="39015">
+<summary>
+Relabel packets to mmcc_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_monopd_port" lineno="39037">
+<summary>
+Send and receive TCP traffic on the monopd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_monopd_port" lineno="39056">
+<summary>
+Send UDP traffic on the monopd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_monopd_port" lineno="39075">
+<summary>
+Do not audit attempts to send UDP traffic on the monopd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_monopd_port" lineno="39094">
+<summary>
+Receive UDP traffic on the monopd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_monopd_port" lineno="39113">
+<summary>
+Do not audit attempts to receive UDP traffic on the monopd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_monopd_port" lineno="39132">
+<summary>
+Send and receive UDP traffic on the monopd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_monopd_port" lineno="39149">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the monopd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_monopd_port" lineno="39165">
+<summary>
+Bind TCP sockets to the monopd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_monopd_port" lineno="39185">
+<summary>
+Bind UDP sockets to the monopd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_monopd_port" lineno="39204">
+<summary>
+Make a TCP connection to the monopd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_monopd_client_packets" lineno="39224">
+<summary>
+Send monopd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_monopd_client_packets" lineno="39243">
+<summary>
+Do not audit attempts to send monopd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_monopd_client_packets" lineno="39262">
+<summary>
+Receive monopd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_monopd_client_packets" lineno="39281">
+<summary>
+Do not audit attempts to receive monopd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_monopd_client_packets" lineno="39300">
+<summary>
+Send and receive monopd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_monopd_client_packets" lineno="39316">
+<summary>
+Do not audit attempts to send and receive monopd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_monopd_client_packets" lineno="39331">
+<summary>
+Relabel packets to monopd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_monopd_server_packets" lineno="39351">
+<summary>
+Send monopd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_monopd_server_packets" lineno="39370">
+<summary>
+Do not audit attempts to send monopd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_monopd_server_packets" lineno="39389">
+<summary>
+Receive monopd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_monopd_server_packets" lineno="39408">
+<summary>
+Do not audit attempts to receive monopd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_monopd_server_packets" lineno="39427">
+<summary>
+Send and receive monopd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_monopd_server_packets" lineno="39443">
+<summary>
+Do not audit attempts to send and receive monopd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_monopd_server_packets" lineno="39458">
+<summary>
+Relabel packets to monopd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_mpd_port" lineno="39480">
+<summary>
+Send and receive TCP traffic on the mpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_mpd_port" lineno="39499">
+<summary>
+Send UDP traffic on the mpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_mpd_port" lineno="39518">
+<summary>
+Do not audit attempts to send UDP traffic on the mpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_mpd_port" lineno="39537">
+<summary>
+Receive UDP traffic on the mpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_mpd_port" lineno="39556">
+<summary>
+Do not audit attempts to receive UDP traffic on the mpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_mpd_port" lineno="39575">
+<summary>
+Send and receive UDP traffic on the mpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_mpd_port" lineno="39592">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the mpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_mpd_port" lineno="39608">
+<summary>
+Bind TCP sockets to the mpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_mpd_port" lineno="39628">
+<summary>
+Bind UDP sockets to the mpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_mpd_port" lineno="39647">
+<summary>
+Make a TCP connection to the mpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_mpd_client_packets" lineno="39667">
+<summary>
+Send mpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_mpd_client_packets" lineno="39686">
+<summary>
+Do not audit attempts to send mpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_mpd_client_packets" lineno="39705">
+<summary>
+Receive mpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_mpd_client_packets" lineno="39724">
+<summary>
+Do not audit attempts to receive mpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_mpd_client_packets" lineno="39743">
+<summary>
+Send and receive mpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_mpd_client_packets" lineno="39759">
+<summary>
+Do not audit attempts to send and receive mpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_mpd_client_packets" lineno="39774">
+<summary>
+Relabel packets to mpd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_mpd_server_packets" lineno="39794">
+<summary>
+Send mpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_mpd_server_packets" lineno="39813">
+<summary>
+Do not audit attempts to send mpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_mpd_server_packets" lineno="39832">
+<summary>
+Receive mpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_mpd_server_packets" lineno="39851">
+<summary>
+Do not audit attempts to receive mpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_mpd_server_packets" lineno="39870">
+<summary>
+Send and receive mpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_mpd_server_packets" lineno="39886">
+<summary>
+Do not audit attempts to send and receive mpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_mpd_server_packets" lineno="39901">
+<summary>
+Relabel packets to mpd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_msnp_port" lineno="39923">
+<summary>
+Send and receive TCP traffic on the msnp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_msnp_port" lineno="39942">
+<summary>
+Send UDP traffic on the msnp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_msnp_port" lineno="39961">
+<summary>
+Do not audit attempts to send UDP traffic on the msnp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_msnp_port" lineno="39980">
+<summary>
+Receive UDP traffic on the msnp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_msnp_port" lineno="39999">
+<summary>
+Do not audit attempts to receive UDP traffic on the msnp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_msnp_port" lineno="40018">
+<summary>
+Send and receive UDP traffic on the msnp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_msnp_port" lineno="40035">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the msnp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_msnp_port" lineno="40051">
+<summary>
+Bind TCP sockets to the msnp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_msnp_port" lineno="40071">
+<summary>
+Bind UDP sockets to the msnp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_msnp_port" lineno="40090">
+<summary>
+Make a TCP connection to the msnp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_msnp_client_packets" lineno="40110">
+<summary>
+Send msnp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_msnp_client_packets" lineno="40129">
+<summary>
+Do not audit attempts to send msnp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_msnp_client_packets" lineno="40148">
+<summary>
+Receive msnp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_msnp_client_packets" lineno="40167">
+<summary>
+Do not audit attempts to receive msnp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_msnp_client_packets" lineno="40186">
+<summary>
+Send and receive msnp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_msnp_client_packets" lineno="40202">
+<summary>
+Do not audit attempts to send and receive msnp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_msnp_client_packets" lineno="40217">
+<summary>
+Relabel packets to msnp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_msnp_server_packets" lineno="40237">
+<summary>
+Send msnp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_msnp_server_packets" lineno="40256">
+<summary>
+Do not audit attempts to send msnp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_msnp_server_packets" lineno="40275">
+<summary>
+Receive msnp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_msnp_server_packets" lineno="40294">
+<summary>
+Do not audit attempts to receive msnp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_msnp_server_packets" lineno="40313">
+<summary>
+Send and receive msnp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_msnp_server_packets" lineno="40329">
+<summary>
+Do not audit attempts to send and receive msnp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_msnp_server_packets" lineno="40344">
+<summary>
+Relabel packets to msnp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_mssql_port" lineno="40366">
+<summary>
+Send and receive TCP traffic on the mssql port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_mssql_port" lineno="40385">
+<summary>
+Send UDP traffic on the mssql port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_mssql_port" lineno="40404">
+<summary>
+Do not audit attempts to send UDP traffic on the mssql port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_mssql_port" lineno="40423">
+<summary>
+Receive UDP traffic on the mssql port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_mssql_port" lineno="40442">
+<summary>
+Do not audit attempts to receive UDP traffic on the mssql port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_mssql_port" lineno="40461">
+<summary>
+Send and receive UDP traffic on the mssql port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_mssql_port" lineno="40478">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the mssql port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_mssql_port" lineno="40494">
+<summary>
+Bind TCP sockets to the mssql port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_mssql_port" lineno="40514">
+<summary>
+Bind UDP sockets to the mssql port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_mssql_port" lineno="40533">
+<summary>
+Make a TCP connection to the mssql port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_mssql_client_packets" lineno="40553">
+<summary>
+Send mssql_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_mssql_client_packets" lineno="40572">
+<summary>
+Do not audit attempts to send mssql_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_mssql_client_packets" lineno="40591">
+<summary>
+Receive mssql_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_mssql_client_packets" lineno="40610">
+<summary>
+Do not audit attempts to receive mssql_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_mssql_client_packets" lineno="40629">
+<summary>
+Send and receive mssql_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_mssql_client_packets" lineno="40645">
+<summary>
+Do not audit attempts to send and receive mssql_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_mssql_client_packets" lineno="40660">
+<summary>
+Relabel packets to mssql_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_mssql_server_packets" lineno="40680">
+<summary>
+Send mssql_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_mssql_server_packets" lineno="40699">
+<summary>
+Do not audit attempts to send mssql_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_mssql_server_packets" lineno="40718">
+<summary>
+Receive mssql_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_mssql_server_packets" lineno="40737">
+<summary>
+Do not audit attempts to receive mssql_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_mssql_server_packets" lineno="40756">
+<summary>
+Send and receive mssql_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_mssql_server_packets" lineno="40772">
+<summary>
+Do not audit attempts to send and receive mssql_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_mssql_server_packets" lineno="40787">
+<summary>
+Relabel packets to mssql_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_munin_port" lineno="40809">
+<summary>
+Send and receive TCP traffic on the munin port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_munin_port" lineno="40828">
+<summary>
+Send UDP traffic on the munin port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_munin_port" lineno="40847">
+<summary>
+Do not audit attempts to send UDP traffic on the munin port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_munin_port" lineno="40866">
+<summary>
+Receive UDP traffic on the munin port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_munin_port" lineno="40885">
+<summary>
+Do not audit attempts to receive UDP traffic on the munin port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_munin_port" lineno="40904">
+<summary>
+Send and receive UDP traffic on the munin port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_munin_port" lineno="40921">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the munin port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_munin_port" lineno="40937">
+<summary>
+Bind TCP sockets to the munin port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_munin_port" lineno="40957">
+<summary>
+Bind UDP sockets to the munin port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_munin_port" lineno="40976">
+<summary>
+Make a TCP connection to the munin port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_munin_client_packets" lineno="40996">
+<summary>
+Send munin_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_munin_client_packets" lineno="41015">
+<summary>
+Do not audit attempts to send munin_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_munin_client_packets" lineno="41034">
+<summary>
+Receive munin_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_munin_client_packets" lineno="41053">
+<summary>
+Do not audit attempts to receive munin_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_munin_client_packets" lineno="41072">
+<summary>
+Send and receive munin_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_munin_client_packets" lineno="41088">
+<summary>
+Do not audit attempts to send and receive munin_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_munin_client_packets" lineno="41103">
+<summary>
+Relabel packets to munin_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_munin_server_packets" lineno="41123">
+<summary>
+Send munin_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_munin_server_packets" lineno="41142">
+<summary>
+Do not audit attempts to send munin_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_munin_server_packets" lineno="41161">
+<summary>
+Receive munin_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_munin_server_packets" lineno="41180">
+<summary>
+Do not audit attempts to receive munin_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_munin_server_packets" lineno="41199">
+<summary>
+Send and receive munin_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_munin_server_packets" lineno="41215">
+<summary>
+Do not audit attempts to send and receive munin_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_munin_server_packets" lineno="41230">
+<summary>
+Relabel packets to munin_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_mysqld_port" lineno="41252">
+<summary>
+Send and receive TCP traffic on the mysqld port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_mysqld_port" lineno="41271">
+<summary>
+Send UDP traffic on the mysqld port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_mysqld_port" lineno="41290">
+<summary>
+Do not audit attempts to send UDP traffic on the mysqld port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_mysqld_port" lineno="41309">
+<summary>
+Receive UDP traffic on the mysqld port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_mysqld_port" lineno="41328">
+<summary>
+Do not audit attempts to receive UDP traffic on the mysqld port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_mysqld_port" lineno="41347">
+<summary>
+Send and receive UDP traffic on the mysqld port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_mysqld_port" lineno="41364">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the mysqld port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_mysqld_port" lineno="41380">
+<summary>
+Bind TCP sockets to the mysqld port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_mysqld_port" lineno="41400">
+<summary>
+Bind UDP sockets to the mysqld port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_mysqld_port" lineno="41419">
+<summary>
+Make a TCP connection to the mysqld port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_mysqld_client_packets" lineno="41439">
+<summary>
+Send mysqld_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_mysqld_client_packets" lineno="41458">
+<summary>
+Do not audit attempts to send mysqld_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_mysqld_client_packets" lineno="41477">
+<summary>
+Receive mysqld_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_mysqld_client_packets" lineno="41496">
+<summary>
+Do not audit attempts to receive mysqld_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_mysqld_client_packets" lineno="41515">
+<summary>
+Send and receive mysqld_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_mysqld_client_packets" lineno="41531">
+<summary>
+Do not audit attempts to send and receive mysqld_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_mysqld_client_packets" lineno="41546">
+<summary>
+Relabel packets to mysqld_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_mysqld_server_packets" lineno="41566">
+<summary>
+Send mysqld_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_mysqld_server_packets" lineno="41585">
+<summary>
+Do not audit attempts to send mysqld_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_mysqld_server_packets" lineno="41604">
+<summary>
+Receive mysqld_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_mysqld_server_packets" lineno="41623">
+<summary>
+Do not audit attempts to receive mysqld_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_mysqld_server_packets" lineno="41642">
+<summary>
+Send and receive mysqld_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_mysqld_server_packets" lineno="41658">
+<summary>
+Do not audit attempts to send and receive mysqld_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_mysqld_server_packets" lineno="41673">
+<summary>
+Relabel packets to mysqld_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_mysqlmanagerd_port" lineno="41695">
+<summary>
+Send and receive TCP traffic on the mysqlmanagerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_mysqlmanagerd_port" lineno="41714">
+<summary>
+Send UDP traffic on the mysqlmanagerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_mysqlmanagerd_port" lineno="41733">
+<summary>
+Do not audit attempts to send UDP traffic on the mysqlmanagerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_mysqlmanagerd_port" lineno="41752">
+<summary>
+Receive UDP traffic on the mysqlmanagerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_mysqlmanagerd_port" lineno="41771">
+<summary>
+Do not audit attempts to receive UDP traffic on the mysqlmanagerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_mysqlmanagerd_port" lineno="41790">
+<summary>
+Send and receive UDP traffic on the mysqlmanagerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_mysqlmanagerd_port" lineno="41807">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the mysqlmanagerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_mysqlmanagerd_port" lineno="41823">
+<summary>
+Bind TCP sockets to the mysqlmanagerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_mysqlmanagerd_port" lineno="41843">
+<summary>
+Bind UDP sockets to the mysqlmanagerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_mysqlmanagerd_port" lineno="41862">
+<summary>
+Make a TCP connection to the mysqlmanagerd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_mysqlmanagerd_client_packets" lineno="41882">
+<summary>
+Send mysqlmanagerd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_mysqlmanagerd_client_packets" lineno="41901">
+<summary>
+Do not audit attempts to send mysqlmanagerd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_mysqlmanagerd_client_packets" lineno="41920">
+<summary>
+Receive mysqlmanagerd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_mysqlmanagerd_client_packets" lineno="41939">
+<summary>
+Do not audit attempts to receive mysqlmanagerd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_mysqlmanagerd_client_packets" lineno="41958">
+<summary>
+Send and receive mysqlmanagerd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_mysqlmanagerd_client_packets" lineno="41974">
+<summary>
+Do not audit attempts to send and receive mysqlmanagerd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_mysqlmanagerd_client_packets" lineno="41989">
+<summary>
+Relabel packets to mysqlmanagerd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_mysqlmanagerd_server_packets" lineno="42009">
+<summary>
+Send mysqlmanagerd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_mysqlmanagerd_server_packets" lineno="42028">
+<summary>
+Do not audit attempts to send mysqlmanagerd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_mysqlmanagerd_server_packets" lineno="42047">
+<summary>
+Receive mysqlmanagerd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_mysqlmanagerd_server_packets" lineno="42066">
+<summary>
+Do not audit attempts to receive mysqlmanagerd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_mysqlmanagerd_server_packets" lineno="42085">
+<summary>
+Send and receive mysqlmanagerd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_mysqlmanagerd_server_packets" lineno="42101">
+<summary>
+Do not audit attempts to send and receive mysqlmanagerd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_mysqlmanagerd_server_packets" lineno="42116">
+<summary>
+Relabel packets to mysqlmanagerd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_nessus_port" lineno="42138">
+<summary>
+Send and receive TCP traffic on the nessus port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_nessus_port" lineno="42157">
+<summary>
+Send UDP traffic on the nessus port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_nessus_port" lineno="42176">
+<summary>
+Do not audit attempts to send UDP traffic on the nessus port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_nessus_port" lineno="42195">
+<summary>
+Receive UDP traffic on the nessus port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_nessus_port" lineno="42214">
+<summary>
+Do not audit attempts to receive UDP traffic on the nessus port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_nessus_port" lineno="42233">
+<summary>
+Send and receive UDP traffic on the nessus port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_nessus_port" lineno="42250">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the nessus port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_nessus_port" lineno="42266">
+<summary>
+Bind TCP sockets to the nessus port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_nessus_port" lineno="42286">
+<summary>
+Bind UDP sockets to the nessus port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_nessus_port" lineno="42305">
+<summary>
+Make a TCP connection to the nessus port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_nessus_client_packets" lineno="42325">
+<summary>
+Send nessus_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_nessus_client_packets" lineno="42344">
+<summary>
+Do not audit attempts to send nessus_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_nessus_client_packets" lineno="42363">
+<summary>
+Receive nessus_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_nessus_client_packets" lineno="42382">
+<summary>
+Do not audit attempts to receive nessus_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_nessus_client_packets" lineno="42401">
+<summary>
+Send and receive nessus_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_nessus_client_packets" lineno="42417">
+<summary>
+Do not audit attempts to send and receive nessus_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_nessus_client_packets" lineno="42432">
+<summary>
+Relabel packets to nessus_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_nessus_server_packets" lineno="42452">
+<summary>
+Send nessus_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_nessus_server_packets" lineno="42471">
+<summary>
+Do not audit attempts to send nessus_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_nessus_server_packets" lineno="42490">
+<summary>
+Receive nessus_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_nessus_server_packets" lineno="42509">
+<summary>
+Do not audit attempts to receive nessus_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_nessus_server_packets" lineno="42528">
+<summary>
+Send and receive nessus_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_nessus_server_packets" lineno="42544">
+<summary>
+Do not audit attempts to send and receive nessus_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_nessus_server_packets" lineno="42559">
+<summary>
+Relabel packets to nessus_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_netport_port" lineno="42581">
+<summary>
+Send and receive TCP traffic on the netport port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_netport_port" lineno="42600">
+<summary>
+Send UDP traffic on the netport port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_netport_port" lineno="42619">
+<summary>
+Do not audit attempts to send UDP traffic on the netport port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_netport_port" lineno="42638">
+<summary>
+Receive UDP traffic on the netport port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_netport_port" lineno="42657">
+<summary>
+Do not audit attempts to receive UDP traffic on the netport port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_netport_port" lineno="42676">
+<summary>
+Send and receive UDP traffic on the netport port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_netport_port" lineno="42693">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the netport port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_netport_port" lineno="42709">
+<summary>
+Bind TCP sockets to the netport port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_netport_port" lineno="42729">
+<summary>
+Bind UDP sockets to the netport port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_netport_port" lineno="42748">
+<summary>
+Make a TCP connection to the netport port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_netport_client_packets" lineno="42768">
+<summary>
+Send netport_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_netport_client_packets" lineno="42787">
+<summary>
+Do not audit attempts to send netport_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_netport_client_packets" lineno="42806">
+<summary>
+Receive netport_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_netport_client_packets" lineno="42825">
+<summary>
+Do not audit attempts to receive netport_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_netport_client_packets" lineno="42844">
+<summary>
+Send and receive netport_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_netport_client_packets" lineno="42860">
+<summary>
+Do not audit attempts to send and receive netport_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_netport_client_packets" lineno="42875">
+<summary>
+Relabel packets to netport_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_netport_server_packets" lineno="42895">
+<summary>
+Send netport_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_netport_server_packets" lineno="42914">
+<summary>
+Do not audit attempts to send netport_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_netport_server_packets" lineno="42933">
+<summary>
+Receive netport_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_netport_server_packets" lineno="42952">
+<summary>
+Do not audit attempts to receive netport_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_netport_server_packets" lineno="42971">
+<summary>
+Send and receive netport_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_netport_server_packets" lineno="42987">
+<summary>
+Do not audit attempts to send and receive netport_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_netport_server_packets" lineno="43002">
+<summary>
+Relabel packets to netport_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_netsupport_port" lineno="43024">
+<summary>
+Send and receive TCP traffic on the netsupport port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_netsupport_port" lineno="43043">
+<summary>
+Send UDP traffic on the netsupport port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_netsupport_port" lineno="43062">
+<summary>
+Do not audit attempts to send UDP traffic on the netsupport port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_netsupport_port" lineno="43081">
+<summary>
+Receive UDP traffic on the netsupport port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_netsupport_port" lineno="43100">
+<summary>
+Do not audit attempts to receive UDP traffic on the netsupport port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_netsupport_port" lineno="43119">
+<summary>
+Send and receive UDP traffic on the netsupport port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_netsupport_port" lineno="43136">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the netsupport port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_netsupport_port" lineno="43152">
+<summary>
+Bind TCP sockets to the netsupport port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_netsupport_port" lineno="43172">
+<summary>
+Bind UDP sockets to the netsupport port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_netsupport_port" lineno="43191">
+<summary>
+Make a TCP connection to the netsupport port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_netsupport_client_packets" lineno="43211">
+<summary>
+Send netsupport_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_netsupport_client_packets" lineno="43230">
+<summary>
+Do not audit attempts to send netsupport_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_netsupport_client_packets" lineno="43249">
+<summary>
+Receive netsupport_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_netsupport_client_packets" lineno="43268">
+<summary>
+Do not audit attempts to receive netsupport_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_netsupport_client_packets" lineno="43287">
+<summary>
+Send and receive netsupport_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_netsupport_client_packets" lineno="43303">
+<summary>
+Do not audit attempts to send and receive netsupport_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_netsupport_client_packets" lineno="43318">
+<summary>
+Relabel packets to netsupport_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_netsupport_server_packets" lineno="43338">
+<summary>
+Send netsupport_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_netsupport_server_packets" lineno="43357">
+<summary>
+Do not audit attempts to send netsupport_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_netsupport_server_packets" lineno="43376">
+<summary>
+Receive netsupport_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_netsupport_server_packets" lineno="43395">
+<summary>
+Do not audit attempts to receive netsupport_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_netsupport_server_packets" lineno="43414">
+<summary>
+Send and receive netsupport_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_netsupport_server_packets" lineno="43430">
+<summary>
+Do not audit attempts to send and receive netsupport_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_netsupport_server_packets" lineno="43445">
+<summary>
+Relabel packets to netsupport_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_nmbd_port" lineno="43467">
+<summary>
+Send and receive TCP traffic on the nmbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_nmbd_port" lineno="43486">
+<summary>
+Send UDP traffic on the nmbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_nmbd_port" lineno="43505">
+<summary>
+Do not audit attempts to send UDP traffic on the nmbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_nmbd_port" lineno="43524">
+<summary>
+Receive UDP traffic on the nmbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_nmbd_port" lineno="43543">
+<summary>
+Do not audit attempts to receive UDP traffic on the nmbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_nmbd_port" lineno="43562">
+<summary>
+Send and receive UDP traffic on the nmbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_nmbd_port" lineno="43579">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the nmbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_nmbd_port" lineno="43595">
+<summary>
+Bind TCP sockets to the nmbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_nmbd_port" lineno="43615">
+<summary>
+Bind UDP sockets to the nmbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_nmbd_port" lineno="43634">
+<summary>
+Make a TCP connection to the nmbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_nmbd_client_packets" lineno="43654">
+<summary>
+Send nmbd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_nmbd_client_packets" lineno="43673">
+<summary>
+Do not audit attempts to send nmbd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_nmbd_client_packets" lineno="43692">
+<summary>
+Receive nmbd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_nmbd_client_packets" lineno="43711">
+<summary>
+Do not audit attempts to receive nmbd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_nmbd_client_packets" lineno="43730">
+<summary>
+Send and receive nmbd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_nmbd_client_packets" lineno="43746">
+<summary>
+Do not audit attempts to send and receive nmbd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_nmbd_client_packets" lineno="43761">
+<summary>
+Relabel packets to nmbd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_nmbd_server_packets" lineno="43781">
+<summary>
+Send nmbd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_nmbd_server_packets" lineno="43800">
+<summary>
+Do not audit attempts to send nmbd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_nmbd_server_packets" lineno="43819">
+<summary>
+Receive nmbd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_nmbd_server_packets" lineno="43838">
+<summary>
+Do not audit attempts to receive nmbd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_nmbd_server_packets" lineno="43857">
+<summary>
+Send and receive nmbd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_nmbd_server_packets" lineno="43873">
+<summary>
+Do not audit attempts to send and receive nmbd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_nmbd_server_packets" lineno="43888">
+<summary>
+Relabel packets to nmbd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ntop_port" lineno="43910">
+<summary>
+Send and receive TCP traffic on the ntop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ntop_port" lineno="43929">
+<summary>
+Send UDP traffic on the ntop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ntop_port" lineno="43948">
+<summary>
+Do not audit attempts to send UDP traffic on the ntop port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ntop_port" lineno="43967">
+<summary>
+Receive UDP traffic on the ntop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ntop_port" lineno="43986">
+<summary>
+Do not audit attempts to receive UDP traffic on the ntop port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ntop_port" lineno="44005">
+<summary>
+Send and receive UDP traffic on the ntop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ntop_port" lineno="44022">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ntop port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ntop_port" lineno="44038">
+<summary>
+Bind TCP sockets to the ntop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ntop_port" lineno="44058">
+<summary>
+Bind UDP sockets to the ntop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ntop_port" lineno="44077">
+<summary>
+Make a TCP connection to the ntop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ntop_client_packets" lineno="44097">
+<summary>
+Send ntop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ntop_client_packets" lineno="44116">
+<summary>
+Do not audit attempts to send ntop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ntop_client_packets" lineno="44135">
+<summary>
+Receive ntop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ntop_client_packets" lineno="44154">
+<summary>
+Do not audit attempts to receive ntop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ntop_client_packets" lineno="44173">
+<summary>
+Send and receive ntop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ntop_client_packets" lineno="44189">
+<summary>
+Do not audit attempts to send and receive ntop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ntop_client_packets" lineno="44204">
+<summary>
+Relabel packets to ntop_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ntop_server_packets" lineno="44224">
+<summary>
+Send ntop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ntop_server_packets" lineno="44243">
+<summary>
+Do not audit attempts to send ntop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ntop_server_packets" lineno="44262">
+<summary>
+Receive ntop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ntop_server_packets" lineno="44281">
+<summary>
+Do not audit attempts to receive ntop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ntop_server_packets" lineno="44300">
+<summary>
+Send and receive ntop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ntop_server_packets" lineno="44316">
+<summary>
+Do not audit attempts to send and receive ntop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ntop_server_packets" lineno="44331">
+<summary>
+Relabel packets to ntop_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ntp_port" lineno="44353">
+<summary>
+Send and receive TCP traffic on the ntp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ntp_port" lineno="44372">
+<summary>
+Send UDP traffic on the ntp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ntp_port" lineno="44391">
+<summary>
+Do not audit attempts to send UDP traffic on the ntp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ntp_port" lineno="44410">
+<summary>
+Receive UDP traffic on the ntp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ntp_port" lineno="44429">
+<summary>
+Do not audit attempts to receive UDP traffic on the ntp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ntp_port" lineno="44448">
+<summary>
+Send and receive UDP traffic on the ntp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ntp_port" lineno="44465">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ntp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ntp_port" lineno="44481">
+<summary>
+Bind TCP sockets to the ntp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ntp_port" lineno="44501">
+<summary>
+Bind UDP sockets to the ntp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ntp_port" lineno="44520">
+<summary>
+Make a TCP connection to the ntp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ntp_client_packets" lineno="44540">
+<summary>
+Send ntp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ntp_client_packets" lineno="44559">
+<summary>
+Do not audit attempts to send ntp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ntp_client_packets" lineno="44578">
+<summary>
+Receive ntp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ntp_client_packets" lineno="44597">
+<summary>
+Do not audit attempts to receive ntp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ntp_client_packets" lineno="44616">
+<summary>
+Send and receive ntp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ntp_client_packets" lineno="44632">
+<summary>
+Do not audit attempts to send and receive ntp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ntp_client_packets" lineno="44647">
+<summary>
+Relabel packets to ntp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ntp_server_packets" lineno="44667">
+<summary>
+Send ntp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ntp_server_packets" lineno="44686">
+<summary>
+Do not audit attempts to send ntp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ntp_server_packets" lineno="44705">
+<summary>
+Receive ntp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ntp_server_packets" lineno="44724">
+<summary>
+Do not audit attempts to receive ntp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ntp_server_packets" lineno="44743">
+<summary>
+Send and receive ntp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ntp_server_packets" lineno="44759">
+<summary>
+Do not audit attempts to send and receive ntp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ntp_server_packets" lineno="44774">
+<summary>
+Relabel packets to ntp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_oracledb_port" lineno="44796">
+<summary>
+Send and receive TCP traffic on the oracledb port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_oracledb_port" lineno="44815">
+<summary>
+Send UDP traffic on the oracledb port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_oracledb_port" lineno="44834">
+<summary>
+Do not audit attempts to send UDP traffic on the oracledb port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_oracledb_port" lineno="44853">
+<summary>
+Receive UDP traffic on the oracledb port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_oracledb_port" lineno="44872">
+<summary>
+Do not audit attempts to receive UDP traffic on the oracledb port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_oracledb_port" lineno="44891">
+<summary>
+Send and receive UDP traffic on the oracledb port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_oracledb_port" lineno="44908">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the oracledb port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_oracledb_port" lineno="44924">
+<summary>
+Bind TCP sockets to the oracledb port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_oracledb_port" lineno="44944">
+<summary>
+Bind UDP sockets to the oracledb port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_oracledb_port" lineno="44963">
+<summary>
+Make a TCP connection to the oracledb port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_oracledb_client_packets" lineno="44983">
+<summary>
+Send oracledb_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_oracledb_client_packets" lineno="45002">
+<summary>
+Do not audit attempts to send oracledb_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_oracledb_client_packets" lineno="45021">
+<summary>
+Receive oracledb_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_oracledb_client_packets" lineno="45040">
+<summary>
+Do not audit attempts to receive oracledb_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_oracledb_client_packets" lineno="45059">
+<summary>
+Send and receive oracledb_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_oracledb_client_packets" lineno="45075">
+<summary>
+Do not audit attempts to send and receive oracledb_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_oracledb_client_packets" lineno="45090">
+<summary>
+Relabel packets to oracledb_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_oracledb_server_packets" lineno="45110">
+<summary>
+Send oracledb_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_oracledb_server_packets" lineno="45129">
+<summary>
+Do not audit attempts to send oracledb_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_oracledb_server_packets" lineno="45148">
+<summary>
+Receive oracledb_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_oracledb_server_packets" lineno="45167">
+<summary>
+Do not audit attempts to receive oracledb_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_oracledb_server_packets" lineno="45186">
+<summary>
+Send and receive oracledb_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_oracledb_server_packets" lineno="45202">
+<summary>
+Do not audit attempts to send and receive oracledb_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_oracledb_server_packets" lineno="45217">
+<summary>
+Relabel packets to oracledb_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ocsp_port" lineno="45239">
+<summary>
+Send and receive TCP traffic on the ocsp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ocsp_port" lineno="45258">
+<summary>
+Send UDP traffic on the ocsp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ocsp_port" lineno="45277">
+<summary>
+Do not audit attempts to send UDP traffic on the ocsp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ocsp_port" lineno="45296">
+<summary>
+Receive UDP traffic on the ocsp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ocsp_port" lineno="45315">
+<summary>
+Do not audit attempts to receive UDP traffic on the ocsp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ocsp_port" lineno="45334">
+<summary>
+Send and receive UDP traffic on the ocsp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ocsp_port" lineno="45351">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ocsp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ocsp_port" lineno="45367">
+<summary>
+Bind TCP sockets to the ocsp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ocsp_port" lineno="45387">
+<summary>
+Bind UDP sockets to the ocsp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ocsp_port" lineno="45406">
+<summary>
+Make a TCP connection to the ocsp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ocsp_client_packets" lineno="45426">
+<summary>
+Send ocsp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ocsp_client_packets" lineno="45445">
+<summary>
+Do not audit attempts to send ocsp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ocsp_client_packets" lineno="45464">
+<summary>
+Receive ocsp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ocsp_client_packets" lineno="45483">
+<summary>
+Do not audit attempts to receive ocsp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ocsp_client_packets" lineno="45502">
+<summary>
+Send and receive ocsp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ocsp_client_packets" lineno="45518">
+<summary>
+Do not audit attempts to send and receive ocsp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ocsp_client_packets" lineno="45533">
+<summary>
+Relabel packets to ocsp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ocsp_server_packets" lineno="45553">
+<summary>
+Send ocsp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ocsp_server_packets" lineno="45572">
+<summary>
+Do not audit attempts to send ocsp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ocsp_server_packets" lineno="45591">
+<summary>
+Receive ocsp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ocsp_server_packets" lineno="45610">
+<summary>
+Do not audit attempts to receive ocsp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ocsp_server_packets" lineno="45629">
+<summary>
+Send and receive ocsp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ocsp_server_packets" lineno="45645">
+<summary>
+Do not audit attempts to send and receive ocsp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ocsp_server_packets" lineno="45660">
+<summary>
+Relabel packets to ocsp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_openvpn_port" lineno="45682">
+<summary>
+Send and receive TCP traffic on the openvpn port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_openvpn_port" lineno="45701">
+<summary>
+Send UDP traffic on the openvpn port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_openvpn_port" lineno="45720">
+<summary>
+Do not audit attempts to send UDP traffic on the openvpn port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_openvpn_port" lineno="45739">
+<summary>
+Receive UDP traffic on the openvpn port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_openvpn_port" lineno="45758">
+<summary>
+Do not audit attempts to receive UDP traffic on the openvpn port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_openvpn_port" lineno="45777">
+<summary>
+Send and receive UDP traffic on the openvpn port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_openvpn_port" lineno="45794">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the openvpn port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_openvpn_port" lineno="45810">
+<summary>
+Bind TCP sockets to the openvpn port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_openvpn_port" lineno="45830">
+<summary>
+Bind UDP sockets to the openvpn port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_openvpn_port" lineno="45849">
+<summary>
+Make a TCP connection to the openvpn port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_openvpn_client_packets" lineno="45869">
+<summary>
+Send openvpn_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_openvpn_client_packets" lineno="45888">
+<summary>
+Do not audit attempts to send openvpn_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_openvpn_client_packets" lineno="45907">
+<summary>
+Receive openvpn_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_openvpn_client_packets" lineno="45926">
+<summary>
+Do not audit attempts to receive openvpn_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_openvpn_client_packets" lineno="45945">
+<summary>
+Send and receive openvpn_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_openvpn_client_packets" lineno="45961">
+<summary>
+Do not audit attempts to send and receive openvpn_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_openvpn_client_packets" lineno="45976">
+<summary>
+Relabel packets to openvpn_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_openvpn_server_packets" lineno="45996">
+<summary>
+Send openvpn_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_openvpn_server_packets" lineno="46015">
+<summary>
+Do not audit attempts to send openvpn_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_openvpn_server_packets" lineno="46034">
+<summary>
+Receive openvpn_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_openvpn_server_packets" lineno="46053">
+<summary>
+Do not audit attempts to receive openvpn_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_openvpn_server_packets" lineno="46072">
+<summary>
+Send and receive openvpn_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_openvpn_server_packets" lineno="46088">
+<summary>
+Do not audit attempts to send and receive openvpn_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_openvpn_server_packets" lineno="46103">
+<summary>
+Relabel packets to openvpn_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_pegasus_http_port" lineno="46125">
+<summary>
+Send and receive TCP traffic on the pegasus_http port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_pegasus_http_port" lineno="46144">
+<summary>
+Send UDP traffic on the pegasus_http port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_pegasus_http_port" lineno="46163">
+<summary>
+Do not audit attempts to send UDP traffic on the pegasus_http port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_pegasus_http_port" lineno="46182">
+<summary>
+Receive UDP traffic on the pegasus_http port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_pegasus_http_port" lineno="46201">
+<summary>
+Do not audit attempts to receive UDP traffic on the pegasus_http port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_pegasus_http_port" lineno="46220">
+<summary>
+Send and receive UDP traffic on the pegasus_http port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_pegasus_http_port" lineno="46237">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the pegasus_http port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_pegasus_http_port" lineno="46253">
+<summary>
+Bind TCP sockets to the pegasus_http port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_pegasus_http_port" lineno="46273">
+<summary>
+Bind UDP sockets to the pegasus_http port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_pegasus_http_port" lineno="46292">
+<summary>
+Make a TCP connection to the pegasus_http port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pegasus_http_client_packets" lineno="46312">
+<summary>
+Send pegasus_http_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pegasus_http_client_packets" lineno="46331">
+<summary>
+Do not audit attempts to send pegasus_http_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pegasus_http_client_packets" lineno="46350">
+<summary>
+Receive pegasus_http_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pegasus_http_client_packets" lineno="46369">
+<summary>
+Do not audit attempts to receive pegasus_http_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pegasus_http_client_packets" lineno="46388">
+<summary>
+Send and receive pegasus_http_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pegasus_http_client_packets" lineno="46404">
+<summary>
+Do not audit attempts to send and receive pegasus_http_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pegasus_http_client_packets" lineno="46419">
+<summary>
+Relabel packets to pegasus_http_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pegasus_http_server_packets" lineno="46439">
+<summary>
+Send pegasus_http_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pegasus_http_server_packets" lineno="46458">
+<summary>
+Do not audit attempts to send pegasus_http_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pegasus_http_server_packets" lineno="46477">
+<summary>
+Receive pegasus_http_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pegasus_http_server_packets" lineno="46496">
+<summary>
+Do not audit attempts to receive pegasus_http_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pegasus_http_server_packets" lineno="46515">
+<summary>
+Send and receive pegasus_http_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pegasus_http_server_packets" lineno="46531">
+<summary>
+Do not audit attempts to send and receive pegasus_http_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pegasus_http_server_packets" lineno="46546">
+<summary>
+Relabel packets to pegasus_http_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_pegasus_https_port" lineno="46568">
+<summary>
+Send and receive TCP traffic on the pegasus_https port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_pegasus_https_port" lineno="46587">
+<summary>
+Send UDP traffic on the pegasus_https port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_pegasus_https_port" lineno="46606">
+<summary>
+Do not audit attempts to send UDP traffic on the pegasus_https port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_pegasus_https_port" lineno="46625">
+<summary>
+Receive UDP traffic on the pegasus_https port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_pegasus_https_port" lineno="46644">
+<summary>
+Do not audit attempts to receive UDP traffic on the pegasus_https port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_pegasus_https_port" lineno="46663">
+<summary>
+Send and receive UDP traffic on the pegasus_https port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_pegasus_https_port" lineno="46680">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the pegasus_https port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_pegasus_https_port" lineno="46696">
+<summary>
+Bind TCP sockets to the pegasus_https port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_pegasus_https_port" lineno="46716">
+<summary>
+Bind UDP sockets to the pegasus_https port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_pegasus_https_port" lineno="46735">
+<summary>
+Make a TCP connection to the pegasus_https port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pegasus_https_client_packets" lineno="46755">
+<summary>
+Send pegasus_https_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pegasus_https_client_packets" lineno="46774">
+<summary>
+Do not audit attempts to send pegasus_https_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pegasus_https_client_packets" lineno="46793">
+<summary>
+Receive pegasus_https_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pegasus_https_client_packets" lineno="46812">
+<summary>
+Do not audit attempts to receive pegasus_https_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pegasus_https_client_packets" lineno="46831">
+<summary>
+Send and receive pegasus_https_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pegasus_https_client_packets" lineno="46847">
+<summary>
+Do not audit attempts to send and receive pegasus_https_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pegasus_https_client_packets" lineno="46862">
+<summary>
+Relabel packets to pegasus_https_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pegasus_https_server_packets" lineno="46882">
+<summary>
+Send pegasus_https_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pegasus_https_server_packets" lineno="46901">
+<summary>
+Do not audit attempts to send pegasus_https_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pegasus_https_server_packets" lineno="46920">
+<summary>
+Receive pegasus_https_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pegasus_https_server_packets" lineno="46939">
+<summary>
+Do not audit attempts to receive pegasus_https_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pegasus_https_server_packets" lineno="46958">
+<summary>
+Send and receive pegasus_https_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pegasus_https_server_packets" lineno="46974">
+<summary>
+Do not audit attempts to send and receive pegasus_https_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pegasus_https_server_packets" lineno="46989">
+<summary>
+Relabel packets to pegasus_https_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_pgpkeyserver_port" lineno="47011">
+<summary>
+Send and receive TCP traffic on the pgpkeyserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_pgpkeyserver_port" lineno="47030">
+<summary>
+Send UDP traffic on the pgpkeyserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_pgpkeyserver_port" lineno="47049">
+<summary>
+Do not audit attempts to send UDP traffic on the pgpkeyserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_pgpkeyserver_port" lineno="47068">
+<summary>
+Receive UDP traffic on the pgpkeyserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_pgpkeyserver_port" lineno="47087">
+<summary>
+Do not audit attempts to receive UDP traffic on the pgpkeyserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_pgpkeyserver_port" lineno="47106">
+<summary>
+Send and receive UDP traffic on the pgpkeyserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_pgpkeyserver_port" lineno="47123">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the pgpkeyserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_pgpkeyserver_port" lineno="47139">
+<summary>
+Bind TCP sockets to the pgpkeyserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_pgpkeyserver_port" lineno="47159">
+<summary>
+Bind UDP sockets to the pgpkeyserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_pgpkeyserver_port" lineno="47178">
+<summary>
+Make a TCP connection to the pgpkeyserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pgpkeyserver_client_packets" lineno="47198">
+<summary>
+Send pgpkeyserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pgpkeyserver_client_packets" lineno="47217">
+<summary>
+Do not audit attempts to send pgpkeyserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pgpkeyserver_client_packets" lineno="47236">
+<summary>
+Receive pgpkeyserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pgpkeyserver_client_packets" lineno="47255">
+<summary>
+Do not audit attempts to receive pgpkeyserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pgpkeyserver_client_packets" lineno="47274">
+<summary>
+Send and receive pgpkeyserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pgpkeyserver_client_packets" lineno="47290">
+<summary>
+Do not audit attempts to send and receive pgpkeyserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pgpkeyserver_client_packets" lineno="47305">
+<summary>
+Relabel packets to pgpkeyserver_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pgpkeyserver_server_packets" lineno="47325">
+<summary>
+Send pgpkeyserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pgpkeyserver_server_packets" lineno="47344">
+<summary>
+Do not audit attempts to send pgpkeyserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pgpkeyserver_server_packets" lineno="47363">
+<summary>
+Receive pgpkeyserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pgpkeyserver_server_packets" lineno="47382">
+<summary>
+Do not audit attempts to receive pgpkeyserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pgpkeyserver_server_packets" lineno="47401">
+<summary>
+Send and receive pgpkeyserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pgpkeyserver_server_packets" lineno="47417">
+<summary>
+Do not audit attempts to send and receive pgpkeyserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pgpkeyserver_server_packets" lineno="47432">
+<summary>
+Relabel packets to pgpkeyserver_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_pingd_port" lineno="47454">
+<summary>
+Send and receive TCP traffic on the pingd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_pingd_port" lineno="47473">
+<summary>
+Send UDP traffic on the pingd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_pingd_port" lineno="47492">
+<summary>
+Do not audit attempts to send UDP traffic on the pingd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_pingd_port" lineno="47511">
+<summary>
+Receive UDP traffic on the pingd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_pingd_port" lineno="47530">
+<summary>
+Do not audit attempts to receive UDP traffic on the pingd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_pingd_port" lineno="47549">
+<summary>
+Send and receive UDP traffic on the pingd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_pingd_port" lineno="47566">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the pingd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_pingd_port" lineno="47582">
+<summary>
+Bind TCP sockets to the pingd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_pingd_port" lineno="47602">
+<summary>
+Bind UDP sockets to the pingd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_pingd_port" lineno="47621">
+<summary>
+Make a TCP connection to the pingd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pingd_client_packets" lineno="47641">
+<summary>
+Send pingd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pingd_client_packets" lineno="47660">
+<summary>
+Do not audit attempts to send pingd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pingd_client_packets" lineno="47679">
+<summary>
+Receive pingd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pingd_client_packets" lineno="47698">
+<summary>
+Do not audit attempts to receive pingd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pingd_client_packets" lineno="47717">
+<summary>
+Send and receive pingd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pingd_client_packets" lineno="47733">
+<summary>
+Do not audit attempts to send and receive pingd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pingd_client_packets" lineno="47748">
+<summary>
+Relabel packets to pingd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pingd_server_packets" lineno="47768">
+<summary>
+Send pingd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pingd_server_packets" lineno="47787">
+<summary>
+Do not audit attempts to send pingd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pingd_server_packets" lineno="47806">
+<summary>
+Receive pingd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pingd_server_packets" lineno="47825">
+<summary>
+Do not audit attempts to receive pingd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pingd_server_packets" lineno="47844">
+<summary>
+Send and receive pingd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pingd_server_packets" lineno="47860">
+<summary>
+Do not audit attempts to send and receive pingd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pingd_server_packets" lineno="47875">
+<summary>
+Relabel packets to pingd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_pop_port" lineno="47897">
+<summary>
+Send and receive TCP traffic on the pop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_pop_port" lineno="47916">
+<summary>
+Send UDP traffic on the pop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_pop_port" lineno="47935">
+<summary>
+Do not audit attempts to send UDP traffic on the pop port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_pop_port" lineno="47954">
+<summary>
+Receive UDP traffic on the pop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_pop_port" lineno="47973">
+<summary>
+Do not audit attempts to receive UDP traffic on the pop port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_pop_port" lineno="47992">
+<summary>
+Send and receive UDP traffic on the pop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_pop_port" lineno="48009">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the pop port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_pop_port" lineno="48025">
+<summary>
+Bind TCP sockets to the pop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_pop_port" lineno="48045">
+<summary>
+Bind UDP sockets to the pop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_pop_port" lineno="48064">
+<summary>
+Make a TCP connection to the pop port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pop_client_packets" lineno="48084">
+<summary>
+Send pop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pop_client_packets" lineno="48103">
+<summary>
+Do not audit attempts to send pop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pop_client_packets" lineno="48122">
+<summary>
+Receive pop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pop_client_packets" lineno="48141">
+<summary>
+Do not audit attempts to receive pop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pop_client_packets" lineno="48160">
+<summary>
+Send and receive pop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pop_client_packets" lineno="48176">
+<summary>
+Do not audit attempts to send and receive pop_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pop_client_packets" lineno="48191">
+<summary>
+Relabel packets to pop_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pop_server_packets" lineno="48211">
+<summary>
+Send pop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pop_server_packets" lineno="48230">
+<summary>
+Do not audit attempts to send pop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pop_server_packets" lineno="48249">
+<summary>
+Receive pop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pop_server_packets" lineno="48268">
+<summary>
+Do not audit attempts to receive pop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pop_server_packets" lineno="48287">
+<summary>
+Send and receive pop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pop_server_packets" lineno="48303">
+<summary>
+Do not audit attempts to send and receive pop_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pop_server_packets" lineno="48318">
+<summary>
+Relabel packets to pop_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_portmap_port" lineno="48340">
+<summary>
+Send and receive TCP traffic on the portmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_portmap_port" lineno="48359">
+<summary>
+Send UDP traffic on the portmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_portmap_port" lineno="48378">
+<summary>
+Do not audit attempts to send UDP traffic on the portmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_portmap_port" lineno="48397">
+<summary>
+Receive UDP traffic on the portmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_portmap_port" lineno="48416">
+<summary>
+Do not audit attempts to receive UDP traffic on the portmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_portmap_port" lineno="48435">
+<summary>
+Send and receive UDP traffic on the portmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_portmap_port" lineno="48452">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the portmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_portmap_port" lineno="48468">
+<summary>
+Bind TCP sockets to the portmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_portmap_port" lineno="48488">
+<summary>
+Bind UDP sockets to the portmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_portmap_port" lineno="48507">
+<summary>
+Make a TCP connection to the portmap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_portmap_client_packets" lineno="48527">
+<summary>
+Send portmap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_portmap_client_packets" lineno="48546">
+<summary>
+Do not audit attempts to send portmap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_portmap_client_packets" lineno="48565">
+<summary>
+Receive portmap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_portmap_client_packets" lineno="48584">
+<summary>
+Do not audit attempts to receive portmap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_portmap_client_packets" lineno="48603">
+<summary>
+Send and receive portmap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_portmap_client_packets" lineno="48619">
+<summary>
+Do not audit attempts to send and receive portmap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_portmap_client_packets" lineno="48634">
+<summary>
+Relabel packets to portmap_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_portmap_server_packets" lineno="48654">
+<summary>
+Send portmap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_portmap_server_packets" lineno="48673">
+<summary>
+Do not audit attempts to send portmap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_portmap_server_packets" lineno="48692">
+<summary>
+Receive portmap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_portmap_server_packets" lineno="48711">
+<summary>
+Do not audit attempts to receive portmap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_portmap_server_packets" lineno="48730">
+<summary>
+Send and receive portmap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_portmap_server_packets" lineno="48746">
+<summary>
+Do not audit attempts to send and receive portmap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_portmap_server_packets" lineno="48761">
+<summary>
+Relabel packets to portmap_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_postfix_policyd_port" lineno="48783">
+<summary>
+Send and receive TCP traffic on the postfix_policyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_postfix_policyd_port" lineno="48802">
+<summary>
+Send UDP traffic on the postfix_policyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_postfix_policyd_port" lineno="48821">
+<summary>
+Do not audit attempts to send UDP traffic on the postfix_policyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_postfix_policyd_port" lineno="48840">
+<summary>
+Receive UDP traffic on the postfix_policyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_postfix_policyd_port" lineno="48859">
+<summary>
+Do not audit attempts to receive UDP traffic on the postfix_policyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_postfix_policyd_port" lineno="48878">
+<summary>
+Send and receive UDP traffic on the postfix_policyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_postfix_policyd_port" lineno="48895">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the postfix_policyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_postfix_policyd_port" lineno="48911">
+<summary>
+Bind TCP sockets to the postfix_policyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_postfix_policyd_port" lineno="48931">
+<summary>
+Bind UDP sockets to the postfix_policyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_postfix_policyd_port" lineno="48950">
+<summary>
+Make a TCP connection to the postfix_policyd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_postfix_policyd_client_packets" lineno="48970">
+<summary>
+Send postfix_policyd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_postfix_policyd_client_packets" lineno="48989">
+<summary>
+Do not audit attempts to send postfix_policyd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_postfix_policyd_client_packets" lineno="49008">
+<summary>
+Receive postfix_policyd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_postfix_policyd_client_packets" lineno="49027">
+<summary>
+Do not audit attempts to receive postfix_policyd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_postfix_policyd_client_packets" lineno="49046">
+<summary>
+Send and receive postfix_policyd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_postfix_policyd_client_packets" lineno="49062">
+<summary>
+Do not audit attempts to send and receive postfix_policyd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_postfix_policyd_client_packets" lineno="49077">
+<summary>
+Relabel packets to postfix_policyd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_postfix_policyd_server_packets" lineno="49097">
+<summary>
+Send postfix_policyd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_postfix_policyd_server_packets" lineno="49116">
+<summary>
+Do not audit attempts to send postfix_policyd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_postfix_policyd_server_packets" lineno="49135">
+<summary>
+Receive postfix_policyd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_postfix_policyd_server_packets" lineno="49154">
+<summary>
+Do not audit attempts to receive postfix_policyd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_postfix_policyd_server_packets" lineno="49173">
+<summary>
+Send and receive postfix_policyd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_postfix_policyd_server_packets" lineno="49189">
+<summary>
+Do not audit attempts to send and receive postfix_policyd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_postfix_policyd_server_packets" lineno="49204">
+<summary>
+Relabel packets to postfix_policyd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_postgresql_port" lineno="49226">
+<summary>
+Send and receive TCP traffic on the postgresql port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_postgresql_port" lineno="49245">
+<summary>
+Send UDP traffic on the postgresql port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_postgresql_port" lineno="49264">
+<summary>
+Do not audit attempts to send UDP traffic on the postgresql port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_postgresql_port" lineno="49283">
+<summary>
+Receive UDP traffic on the postgresql port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_postgresql_port" lineno="49302">
+<summary>
+Do not audit attempts to receive UDP traffic on the postgresql port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_postgresql_port" lineno="49321">
+<summary>
+Send and receive UDP traffic on the postgresql port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_postgresql_port" lineno="49338">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the postgresql port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_postgresql_port" lineno="49354">
+<summary>
+Bind TCP sockets to the postgresql port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_postgresql_port" lineno="49374">
+<summary>
+Bind UDP sockets to the postgresql port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_postgresql_port" lineno="49393">
+<summary>
+Make a TCP connection to the postgresql port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_postgresql_client_packets" lineno="49413">
+<summary>
+Send postgresql_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_postgresql_client_packets" lineno="49432">
+<summary>
+Do not audit attempts to send postgresql_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_postgresql_client_packets" lineno="49451">
+<summary>
+Receive postgresql_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_postgresql_client_packets" lineno="49470">
+<summary>
+Do not audit attempts to receive postgresql_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_postgresql_client_packets" lineno="49489">
+<summary>
+Send and receive postgresql_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_postgresql_client_packets" lineno="49505">
+<summary>
+Do not audit attempts to send and receive postgresql_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_postgresql_client_packets" lineno="49520">
+<summary>
+Relabel packets to postgresql_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_postgresql_server_packets" lineno="49540">
+<summary>
+Send postgresql_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_postgresql_server_packets" lineno="49559">
+<summary>
+Do not audit attempts to send postgresql_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_postgresql_server_packets" lineno="49578">
+<summary>
+Receive postgresql_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_postgresql_server_packets" lineno="49597">
+<summary>
+Do not audit attempts to receive postgresql_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_postgresql_server_packets" lineno="49616">
+<summary>
+Send and receive postgresql_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_postgresql_server_packets" lineno="49632">
+<summary>
+Do not audit attempts to send and receive postgresql_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_postgresql_server_packets" lineno="49647">
+<summary>
+Relabel packets to postgresql_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_postgrey_port" lineno="49669">
+<summary>
+Send and receive TCP traffic on the postgrey port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_postgrey_port" lineno="49688">
+<summary>
+Send UDP traffic on the postgrey port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_postgrey_port" lineno="49707">
+<summary>
+Do not audit attempts to send UDP traffic on the postgrey port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_postgrey_port" lineno="49726">
+<summary>
+Receive UDP traffic on the postgrey port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_postgrey_port" lineno="49745">
+<summary>
+Do not audit attempts to receive UDP traffic on the postgrey port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_postgrey_port" lineno="49764">
+<summary>
+Send and receive UDP traffic on the postgrey port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_postgrey_port" lineno="49781">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the postgrey port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_postgrey_port" lineno="49797">
+<summary>
+Bind TCP sockets to the postgrey port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_postgrey_port" lineno="49817">
+<summary>
+Bind UDP sockets to the postgrey port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_postgrey_port" lineno="49836">
+<summary>
+Make a TCP connection to the postgrey port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_postgrey_client_packets" lineno="49856">
+<summary>
+Send postgrey_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_postgrey_client_packets" lineno="49875">
+<summary>
+Do not audit attempts to send postgrey_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_postgrey_client_packets" lineno="49894">
+<summary>
+Receive postgrey_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_postgrey_client_packets" lineno="49913">
+<summary>
+Do not audit attempts to receive postgrey_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_postgrey_client_packets" lineno="49932">
+<summary>
+Send and receive postgrey_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_postgrey_client_packets" lineno="49948">
+<summary>
+Do not audit attempts to send and receive postgrey_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_postgrey_client_packets" lineno="49963">
+<summary>
+Relabel packets to postgrey_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_postgrey_server_packets" lineno="49983">
+<summary>
+Send postgrey_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_postgrey_server_packets" lineno="50002">
+<summary>
+Do not audit attempts to send postgrey_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_postgrey_server_packets" lineno="50021">
+<summary>
+Receive postgrey_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_postgrey_server_packets" lineno="50040">
+<summary>
+Do not audit attempts to receive postgrey_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_postgrey_server_packets" lineno="50059">
+<summary>
+Send and receive postgrey_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_postgrey_server_packets" lineno="50075">
+<summary>
+Do not audit attempts to send and receive postgrey_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_postgrey_server_packets" lineno="50090">
+<summary>
+Relabel packets to postgrey_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_prelude_port" lineno="50112">
+<summary>
+Send and receive TCP traffic on the prelude port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_prelude_port" lineno="50131">
+<summary>
+Send UDP traffic on the prelude port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_prelude_port" lineno="50150">
+<summary>
+Do not audit attempts to send UDP traffic on the prelude port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_prelude_port" lineno="50169">
+<summary>
+Receive UDP traffic on the prelude port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_prelude_port" lineno="50188">
+<summary>
+Do not audit attempts to receive UDP traffic on the prelude port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_prelude_port" lineno="50207">
+<summary>
+Send and receive UDP traffic on the prelude port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_prelude_port" lineno="50224">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the prelude port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_prelude_port" lineno="50240">
+<summary>
+Bind TCP sockets to the prelude port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_prelude_port" lineno="50260">
+<summary>
+Bind UDP sockets to the prelude port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_prelude_port" lineno="50279">
+<summary>
+Make a TCP connection to the prelude port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_prelude_client_packets" lineno="50299">
+<summary>
+Send prelude_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_prelude_client_packets" lineno="50318">
+<summary>
+Do not audit attempts to send prelude_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_prelude_client_packets" lineno="50337">
+<summary>
+Receive prelude_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_prelude_client_packets" lineno="50356">
+<summary>
+Do not audit attempts to receive prelude_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_prelude_client_packets" lineno="50375">
+<summary>
+Send and receive prelude_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_prelude_client_packets" lineno="50391">
+<summary>
+Do not audit attempts to send and receive prelude_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_prelude_client_packets" lineno="50406">
+<summary>
+Relabel packets to prelude_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_prelude_server_packets" lineno="50426">
+<summary>
+Send prelude_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_prelude_server_packets" lineno="50445">
+<summary>
+Do not audit attempts to send prelude_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_prelude_server_packets" lineno="50464">
+<summary>
+Receive prelude_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_prelude_server_packets" lineno="50483">
+<summary>
+Do not audit attempts to receive prelude_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_prelude_server_packets" lineno="50502">
+<summary>
+Send and receive prelude_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_prelude_server_packets" lineno="50518">
+<summary>
+Do not audit attempts to send and receive prelude_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_prelude_server_packets" lineno="50533">
+<summary>
+Relabel packets to prelude_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_presence_port" lineno="50555">
+<summary>
+Send and receive TCP traffic on the presence port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_presence_port" lineno="50574">
+<summary>
+Send UDP traffic on the presence port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_presence_port" lineno="50593">
+<summary>
+Do not audit attempts to send UDP traffic on the presence port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_presence_port" lineno="50612">
+<summary>
+Receive UDP traffic on the presence port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_presence_port" lineno="50631">
+<summary>
+Do not audit attempts to receive UDP traffic on the presence port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_presence_port" lineno="50650">
+<summary>
+Send and receive UDP traffic on the presence port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_presence_port" lineno="50667">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the presence port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_presence_port" lineno="50683">
+<summary>
+Bind TCP sockets to the presence port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_presence_port" lineno="50703">
+<summary>
+Bind UDP sockets to the presence port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_presence_port" lineno="50722">
+<summary>
+Make a TCP connection to the presence port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_presence_client_packets" lineno="50742">
+<summary>
+Send presence_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_presence_client_packets" lineno="50761">
+<summary>
+Do not audit attempts to send presence_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_presence_client_packets" lineno="50780">
+<summary>
+Receive presence_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_presence_client_packets" lineno="50799">
+<summary>
+Do not audit attempts to receive presence_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_presence_client_packets" lineno="50818">
+<summary>
+Send and receive presence_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_presence_client_packets" lineno="50834">
+<summary>
+Do not audit attempts to send and receive presence_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_presence_client_packets" lineno="50849">
+<summary>
+Relabel packets to presence_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_presence_server_packets" lineno="50869">
+<summary>
+Send presence_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_presence_server_packets" lineno="50888">
+<summary>
+Do not audit attempts to send presence_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_presence_server_packets" lineno="50907">
+<summary>
+Receive presence_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_presence_server_packets" lineno="50926">
+<summary>
+Do not audit attempts to receive presence_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_presence_server_packets" lineno="50945">
+<summary>
+Send and receive presence_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_presence_server_packets" lineno="50961">
+<summary>
+Do not audit attempts to send and receive presence_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_presence_server_packets" lineno="50976">
+<summary>
+Relabel packets to presence_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_printer_port" lineno="50998">
+<summary>
+Send and receive TCP traffic on the printer port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_printer_port" lineno="51017">
+<summary>
+Send UDP traffic on the printer port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_printer_port" lineno="51036">
+<summary>
+Do not audit attempts to send UDP traffic on the printer port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_printer_port" lineno="51055">
+<summary>
+Receive UDP traffic on the printer port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_printer_port" lineno="51074">
+<summary>
+Do not audit attempts to receive UDP traffic on the printer port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_printer_port" lineno="51093">
+<summary>
+Send and receive UDP traffic on the printer port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_printer_port" lineno="51110">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the printer port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_printer_port" lineno="51126">
+<summary>
+Bind TCP sockets to the printer port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_printer_port" lineno="51146">
+<summary>
+Bind UDP sockets to the printer port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_printer_port" lineno="51165">
+<summary>
+Make a TCP connection to the printer port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_printer_client_packets" lineno="51185">
+<summary>
+Send printer_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_printer_client_packets" lineno="51204">
+<summary>
+Do not audit attempts to send printer_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_printer_client_packets" lineno="51223">
+<summary>
+Receive printer_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_printer_client_packets" lineno="51242">
+<summary>
+Do not audit attempts to receive printer_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_printer_client_packets" lineno="51261">
+<summary>
+Send and receive printer_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_printer_client_packets" lineno="51277">
+<summary>
+Do not audit attempts to send and receive printer_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_printer_client_packets" lineno="51292">
+<summary>
+Relabel packets to printer_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_printer_server_packets" lineno="51312">
+<summary>
+Send printer_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_printer_server_packets" lineno="51331">
+<summary>
+Do not audit attempts to send printer_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_printer_server_packets" lineno="51350">
+<summary>
+Receive printer_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_printer_server_packets" lineno="51369">
+<summary>
+Do not audit attempts to receive printer_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_printer_server_packets" lineno="51388">
+<summary>
+Send and receive printer_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_printer_server_packets" lineno="51404">
+<summary>
+Do not audit attempts to send and receive printer_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_printer_server_packets" lineno="51419">
+<summary>
+Relabel packets to printer_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ptal_port" lineno="51441">
+<summary>
+Send and receive TCP traffic on the ptal port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ptal_port" lineno="51460">
+<summary>
+Send UDP traffic on the ptal port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ptal_port" lineno="51479">
+<summary>
+Do not audit attempts to send UDP traffic on the ptal port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ptal_port" lineno="51498">
+<summary>
+Receive UDP traffic on the ptal port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ptal_port" lineno="51517">
+<summary>
+Do not audit attempts to receive UDP traffic on the ptal port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ptal_port" lineno="51536">
+<summary>
+Send and receive UDP traffic on the ptal port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ptal_port" lineno="51553">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ptal port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ptal_port" lineno="51569">
+<summary>
+Bind TCP sockets to the ptal port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ptal_port" lineno="51589">
+<summary>
+Bind UDP sockets to the ptal port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ptal_port" lineno="51608">
+<summary>
+Make a TCP connection to the ptal port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ptal_client_packets" lineno="51628">
+<summary>
+Send ptal_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ptal_client_packets" lineno="51647">
+<summary>
+Do not audit attempts to send ptal_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ptal_client_packets" lineno="51666">
+<summary>
+Receive ptal_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ptal_client_packets" lineno="51685">
+<summary>
+Do not audit attempts to receive ptal_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ptal_client_packets" lineno="51704">
+<summary>
+Send and receive ptal_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ptal_client_packets" lineno="51720">
+<summary>
+Do not audit attempts to send and receive ptal_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ptal_client_packets" lineno="51735">
+<summary>
+Relabel packets to ptal_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ptal_server_packets" lineno="51755">
+<summary>
+Send ptal_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ptal_server_packets" lineno="51774">
+<summary>
+Do not audit attempts to send ptal_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ptal_server_packets" lineno="51793">
+<summary>
+Receive ptal_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ptal_server_packets" lineno="51812">
+<summary>
+Do not audit attempts to receive ptal_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ptal_server_packets" lineno="51831">
+<summary>
+Send and receive ptal_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ptal_server_packets" lineno="51847">
+<summary>
+Do not audit attempts to send and receive ptal_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ptal_server_packets" lineno="51862">
+<summary>
+Relabel packets to ptal_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_pulseaudio_port" lineno="51884">
+<summary>
+Send and receive TCP traffic on the pulseaudio port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_pulseaudio_port" lineno="51903">
+<summary>
+Send UDP traffic on the pulseaudio port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_pulseaudio_port" lineno="51922">
+<summary>
+Do not audit attempts to send UDP traffic on the pulseaudio port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_pulseaudio_port" lineno="51941">
+<summary>
+Receive UDP traffic on the pulseaudio port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_pulseaudio_port" lineno="51960">
+<summary>
+Do not audit attempts to receive UDP traffic on the pulseaudio port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_pulseaudio_port" lineno="51979">
+<summary>
+Send and receive UDP traffic on the pulseaudio port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_pulseaudio_port" lineno="51996">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the pulseaudio port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_pulseaudio_port" lineno="52012">
+<summary>
+Bind TCP sockets to the pulseaudio port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_pulseaudio_port" lineno="52032">
+<summary>
+Bind UDP sockets to the pulseaudio port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_pulseaudio_port" lineno="52051">
+<summary>
+Make a TCP connection to the pulseaudio port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pulseaudio_client_packets" lineno="52071">
+<summary>
+Send pulseaudio_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pulseaudio_client_packets" lineno="52090">
+<summary>
+Do not audit attempts to send pulseaudio_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pulseaudio_client_packets" lineno="52109">
+<summary>
+Receive pulseaudio_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pulseaudio_client_packets" lineno="52128">
+<summary>
+Do not audit attempts to receive pulseaudio_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pulseaudio_client_packets" lineno="52147">
+<summary>
+Send and receive pulseaudio_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pulseaudio_client_packets" lineno="52163">
+<summary>
+Do not audit attempts to send and receive pulseaudio_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pulseaudio_client_packets" lineno="52178">
+<summary>
+Relabel packets to pulseaudio_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pulseaudio_server_packets" lineno="52198">
+<summary>
+Send pulseaudio_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pulseaudio_server_packets" lineno="52217">
+<summary>
+Do not audit attempts to send pulseaudio_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pulseaudio_server_packets" lineno="52236">
+<summary>
+Receive pulseaudio_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pulseaudio_server_packets" lineno="52255">
+<summary>
+Do not audit attempts to receive pulseaudio_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pulseaudio_server_packets" lineno="52274">
+<summary>
+Send and receive pulseaudio_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pulseaudio_server_packets" lineno="52290">
+<summary>
+Do not audit attempts to send and receive pulseaudio_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pulseaudio_server_packets" lineno="52305">
+<summary>
+Relabel packets to pulseaudio_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_puppet_port" lineno="52327">
+<summary>
+Send and receive TCP traffic on the puppet port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_puppet_port" lineno="52346">
+<summary>
+Send UDP traffic on the puppet port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_puppet_port" lineno="52365">
+<summary>
+Do not audit attempts to send UDP traffic on the puppet port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_puppet_port" lineno="52384">
+<summary>
+Receive UDP traffic on the puppet port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_puppet_port" lineno="52403">
+<summary>
+Do not audit attempts to receive UDP traffic on the puppet port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_puppet_port" lineno="52422">
+<summary>
+Send and receive UDP traffic on the puppet port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_puppet_port" lineno="52439">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the puppet port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_puppet_port" lineno="52455">
+<summary>
+Bind TCP sockets to the puppet port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_puppet_port" lineno="52475">
+<summary>
+Bind UDP sockets to the puppet port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_puppet_port" lineno="52494">
+<summary>
+Make a TCP connection to the puppet port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_puppet_client_packets" lineno="52514">
+<summary>
+Send puppet_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_puppet_client_packets" lineno="52533">
+<summary>
+Do not audit attempts to send puppet_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_puppet_client_packets" lineno="52552">
+<summary>
+Receive puppet_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_puppet_client_packets" lineno="52571">
+<summary>
+Do not audit attempts to receive puppet_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_puppet_client_packets" lineno="52590">
+<summary>
+Send and receive puppet_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_puppet_client_packets" lineno="52606">
+<summary>
+Do not audit attempts to send and receive puppet_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_puppet_client_packets" lineno="52621">
+<summary>
+Relabel packets to puppet_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_puppet_server_packets" lineno="52641">
+<summary>
+Send puppet_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_puppet_server_packets" lineno="52660">
+<summary>
+Do not audit attempts to send puppet_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_puppet_server_packets" lineno="52679">
+<summary>
+Receive puppet_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_puppet_server_packets" lineno="52698">
+<summary>
+Do not audit attempts to receive puppet_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_puppet_server_packets" lineno="52717">
+<summary>
+Send and receive puppet_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_puppet_server_packets" lineno="52733">
+<summary>
+Do not audit attempts to send and receive puppet_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_puppet_server_packets" lineno="52748">
+<summary>
+Relabel packets to puppet_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_pxe_port" lineno="52770">
+<summary>
+Send and receive TCP traffic on the pxe port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_pxe_port" lineno="52789">
+<summary>
+Send UDP traffic on the pxe port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_pxe_port" lineno="52808">
+<summary>
+Do not audit attempts to send UDP traffic on the pxe port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_pxe_port" lineno="52827">
+<summary>
+Receive UDP traffic on the pxe port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_pxe_port" lineno="52846">
+<summary>
+Do not audit attempts to receive UDP traffic on the pxe port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_pxe_port" lineno="52865">
+<summary>
+Send and receive UDP traffic on the pxe port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_pxe_port" lineno="52882">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the pxe port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_pxe_port" lineno="52898">
+<summary>
+Bind TCP sockets to the pxe port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_pxe_port" lineno="52918">
+<summary>
+Bind UDP sockets to the pxe port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_pxe_port" lineno="52937">
+<summary>
+Make a TCP connection to the pxe port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pxe_client_packets" lineno="52957">
+<summary>
+Send pxe_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pxe_client_packets" lineno="52976">
+<summary>
+Do not audit attempts to send pxe_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pxe_client_packets" lineno="52995">
+<summary>
+Receive pxe_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pxe_client_packets" lineno="53014">
+<summary>
+Do not audit attempts to receive pxe_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pxe_client_packets" lineno="53033">
+<summary>
+Send and receive pxe_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pxe_client_packets" lineno="53049">
+<summary>
+Do not audit attempts to send and receive pxe_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pxe_client_packets" lineno="53064">
+<summary>
+Relabel packets to pxe_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pxe_server_packets" lineno="53084">
+<summary>
+Send pxe_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pxe_server_packets" lineno="53103">
+<summary>
+Do not audit attempts to send pxe_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pxe_server_packets" lineno="53122">
+<summary>
+Receive pxe_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pxe_server_packets" lineno="53141">
+<summary>
+Do not audit attempts to receive pxe_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pxe_server_packets" lineno="53160">
+<summary>
+Send and receive pxe_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pxe_server_packets" lineno="53176">
+<summary>
+Do not audit attempts to send and receive pxe_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pxe_server_packets" lineno="53191">
+<summary>
+Relabel packets to pxe_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_pyzor_port" lineno="53213">
+<summary>
+Send and receive TCP traffic on the pyzor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_pyzor_port" lineno="53232">
+<summary>
+Send UDP traffic on the pyzor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_pyzor_port" lineno="53251">
+<summary>
+Do not audit attempts to send UDP traffic on the pyzor port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_pyzor_port" lineno="53270">
+<summary>
+Receive UDP traffic on the pyzor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_pyzor_port" lineno="53289">
+<summary>
+Do not audit attempts to receive UDP traffic on the pyzor port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_pyzor_port" lineno="53308">
+<summary>
+Send and receive UDP traffic on the pyzor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_pyzor_port" lineno="53325">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the pyzor port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_pyzor_port" lineno="53341">
+<summary>
+Bind TCP sockets to the pyzor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_pyzor_port" lineno="53361">
+<summary>
+Bind UDP sockets to the pyzor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_pyzor_port" lineno="53380">
+<summary>
+Make a TCP connection to the pyzor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pyzor_client_packets" lineno="53400">
+<summary>
+Send pyzor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pyzor_client_packets" lineno="53419">
+<summary>
+Do not audit attempts to send pyzor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pyzor_client_packets" lineno="53438">
+<summary>
+Receive pyzor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pyzor_client_packets" lineno="53457">
+<summary>
+Do not audit attempts to receive pyzor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pyzor_client_packets" lineno="53476">
+<summary>
+Send and receive pyzor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pyzor_client_packets" lineno="53492">
+<summary>
+Do not audit attempts to send and receive pyzor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pyzor_client_packets" lineno="53507">
+<summary>
+Relabel packets to pyzor_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_pyzor_server_packets" lineno="53527">
+<summary>
+Send pyzor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_pyzor_server_packets" lineno="53546">
+<summary>
+Do not audit attempts to send pyzor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_pyzor_server_packets" lineno="53565">
+<summary>
+Receive pyzor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_pyzor_server_packets" lineno="53584">
+<summary>
+Do not audit attempts to receive pyzor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_pyzor_server_packets" lineno="53603">
+<summary>
+Send and receive pyzor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_pyzor_server_packets" lineno="53619">
+<summary>
+Do not audit attempts to send and receive pyzor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_pyzor_server_packets" lineno="53634">
+<summary>
+Relabel packets to pyzor_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_radacct_port" lineno="53656">
+<summary>
+Send and receive TCP traffic on the radacct port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_radacct_port" lineno="53675">
+<summary>
+Send UDP traffic on the radacct port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_radacct_port" lineno="53694">
+<summary>
+Do not audit attempts to send UDP traffic on the radacct port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_radacct_port" lineno="53713">
+<summary>
+Receive UDP traffic on the radacct port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_radacct_port" lineno="53732">
+<summary>
+Do not audit attempts to receive UDP traffic on the radacct port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_radacct_port" lineno="53751">
+<summary>
+Send and receive UDP traffic on the radacct port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_radacct_port" lineno="53768">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the radacct port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_radacct_port" lineno="53784">
+<summary>
+Bind TCP sockets to the radacct port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_radacct_port" lineno="53804">
+<summary>
+Bind UDP sockets to the radacct port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_radacct_port" lineno="53823">
+<summary>
+Make a TCP connection to the radacct port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_radacct_client_packets" lineno="53843">
+<summary>
+Send radacct_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_radacct_client_packets" lineno="53862">
+<summary>
+Do not audit attempts to send radacct_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_radacct_client_packets" lineno="53881">
+<summary>
+Receive radacct_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_radacct_client_packets" lineno="53900">
+<summary>
+Do not audit attempts to receive radacct_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_radacct_client_packets" lineno="53919">
+<summary>
+Send and receive radacct_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_radacct_client_packets" lineno="53935">
+<summary>
+Do not audit attempts to send and receive radacct_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_radacct_client_packets" lineno="53950">
+<summary>
+Relabel packets to radacct_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_radacct_server_packets" lineno="53970">
+<summary>
+Send radacct_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_radacct_server_packets" lineno="53989">
+<summary>
+Do not audit attempts to send radacct_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_radacct_server_packets" lineno="54008">
+<summary>
+Receive radacct_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_radacct_server_packets" lineno="54027">
+<summary>
+Do not audit attempts to receive radacct_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_radacct_server_packets" lineno="54046">
+<summary>
+Send and receive radacct_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_radacct_server_packets" lineno="54062">
+<summary>
+Do not audit attempts to send and receive radacct_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_radacct_server_packets" lineno="54077">
+<summary>
+Relabel packets to radacct_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_radius_port" lineno="54099">
+<summary>
+Send and receive TCP traffic on the radius port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_radius_port" lineno="54118">
+<summary>
+Send UDP traffic on the radius port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_radius_port" lineno="54137">
+<summary>
+Do not audit attempts to send UDP traffic on the radius port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_radius_port" lineno="54156">
+<summary>
+Receive UDP traffic on the radius port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_radius_port" lineno="54175">
+<summary>
+Do not audit attempts to receive UDP traffic on the radius port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_radius_port" lineno="54194">
+<summary>
+Send and receive UDP traffic on the radius port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_radius_port" lineno="54211">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the radius port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_radius_port" lineno="54227">
+<summary>
+Bind TCP sockets to the radius port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_radius_port" lineno="54247">
+<summary>
+Bind UDP sockets to the radius port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_radius_port" lineno="54266">
+<summary>
+Make a TCP connection to the radius port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_radius_client_packets" lineno="54286">
+<summary>
+Send radius_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_radius_client_packets" lineno="54305">
+<summary>
+Do not audit attempts to send radius_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_radius_client_packets" lineno="54324">
+<summary>
+Receive radius_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_radius_client_packets" lineno="54343">
+<summary>
+Do not audit attempts to receive radius_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_radius_client_packets" lineno="54362">
+<summary>
+Send and receive radius_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_radius_client_packets" lineno="54378">
+<summary>
+Do not audit attempts to send and receive radius_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_radius_client_packets" lineno="54393">
+<summary>
+Relabel packets to radius_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_radius_server_packets" lineno="54413">
+<summary>
+Send radius_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_radius_server_packets" lineno="54432">
+<summary>
+Do not audit attempts to send radius_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_radius_server_packets" lineno="54451">
+<summary>
+Receive radius_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_radius_server_packets" lineno="54470">
+<summary>
+Do not audit attempts to receive radius_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_radius_server_packets" lineno="54489">
+<summary>
+Send and receive radius_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_radius_server_packets" lineno="54505">
+<summary>
+Do not audit attempts to send and receive radius_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_radius_server_packets" lineno="54520">
+<summary>
+Relabel packets to radius_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_radsec_port" lineno="54542">
+<summary>
+Send and receive TCP traffic on the radsec port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_radsec_port" lineno="54561">
+<summary>
+Send UDP traffic on the radsec port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_radsec_port" lineno="54580">
+<summary>
+Do not audit attempts to send UDP traffic on the radsec port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_radsec_port" lineno="54599">
+<summary>
+Receive UDP traffic on the radsec port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_radsec_port" lineno="54618">
+<summary>
+Do not audit attempts to receive UDP traffic on the radsec port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_radsec_port" lineno="54637">
+<summary>
+Send and receive UDP traffic on the radsec port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_radsec_port" lineno="54654">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the radsec port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_radsec_port" lineno="54670">
+<summary>
+Bind TCP sockets to the radsec port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_radsec_port" lineno="54690">
+<summary>
+Bind UDP sockets to the radsec port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_radsec_port" lineno="54709">
+<summary>
+Make a TCP connection to the radsec port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_radsec_client_packets" lineno="54729">
+<summary>
+Send radsec_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_radsec_client_packets" lineno="54748">
+<summary>
+Do not audit attempts to send radsec_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_radsec_client_packets" lineno="54767">
+<summary>
+Receive radsec_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_radsec_client_packets" lineno="54786">
+<summary>
+Do not audit attempts to receive radsec_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_radsec_client_packets" lineno="54805">
+<summary>
+Send and receive radsec_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_radsec_client_packets" lineno="54821">
+<summary>
+Do not audit attempts to send and receive radsec_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_radsec_client_packets" lineno="54836">
+<summary>
+Relabel packets to radsec_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_radsec_server_packets" lineno="54856">
+<summary>
+Send radsec_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_radsec_server_packets" lineno="54875">
+<summary>
+Do not audit attempts to send radsec_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_radsec_server_packets" lineno="54894">
+<summary>
+Receive radsec_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_radsec_server_packets" lineno="54913">
+<summary>
+Do not audit attempts to receive radsec_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_radsec_server_packets" lineno="54932">
+<summary>
+Send and receive radsec_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_radsec_server_packets" lineno="54948">
+<summary>
+Do not audit attempts to send and receive radsec_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_radsec_server_packets" lineno="54963">
+<summary>
+Relabel packets to radsec_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_razor_port" lineno="54985">
+<summary>
+Send and receive TCP traffic on the razor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_razor_port" lineno="55004">
+<summary>
+Send UDP traffic on the razor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_razor_port" lineno="55023">
+<summary>
+Do not audit attempts to send UDP traffic on the razor port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_razor_port" lineno="55042">
+<summary>
+Receive UDP traffic on the razor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_razor_port" lineno="55061">
+<summary>
+Do not audit attempts to receive UDP traffic on the razor port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_razor_port" lineno="55080">
+<summary>
+Send and receive UDP traffic on the razor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_razor_port" lineno="55097">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the razor port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_razor_port" lineno="55113">
+<summary>
+Bind TCP sockets to the razor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_razor_port" lineno="55133">
+<summary>
+Bind UDP sockets to the razor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_razor_port" lineno="55152">
+<summary>
+Make a TCP connection to the razor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_razor_client_packets" lineno="55172">
+<summary>
+Send razor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_razor_client_packets" lineno="55191">
+<summary>
+Do not audit attempts to send razor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_razor_client_packets" lineno="55210">
+<summary>
+Receive razor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_razor_client_packets" lineno="55229">
+<summary>
+Do not audit attempts to receive razor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_razor_client_packets" lineno="55248">
+<summary>
+Send and receive razor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_razor_client_packets" lineno="55264">
+<summary>
+Do not audit attempts to send and receive razor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_razor_client_packets" lineno="55279">
+<summary>
+Relabel packets to razor_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_razor_server_packets" lineno="55299">
+<summary>
+Send razor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_razor_server_packets" lineno="55318">
+<summary>
+Do not audit attempts to send razor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_razor_server_packets" lineno="55337">
+<summary>
+Receive razor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_razor_server_packets" lineno="55356">
+<summary>
+Do not audit attempts to receive razor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_razor_server_packets" lineno="55375">
+<summary>
+Send and receive razor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_razor_server_packets" lineno="55391">
+<summary>
+Do not audit attempts to send and receive razor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_razor_server_packets" lineno="55406">
+<summary>
+Relabel packets to razor_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_repository_port" lineno="55428">
+<summary>
+Send and receive TCP traffic on the repository port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_repository_port" lineno="55447">
+<summary>
+Send UDP traffic on the repository port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_repository_port" lineno="55466">
+<summary>
+Do not audit attempts to send UDP traffic on the repository port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_repository_port" lineno="55485">
+<summary>
+Receive UDP traffic on the repository port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_repository_port" lineno="55504">
+<summary>
+Do not audit attempts to receive UDP traffic on the repository port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_repository_port" lineno="55523">
+<summary>
+Send and receive UDP traffic on the repository port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_repository_port" lineno="55540">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the repository port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_repository_port" lineno="55556">
+<summary>
+Bind TCP sockets to the repository port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_repository_port" lineno="55576">
+<summary>
+Bind UDP sockets to the repository port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_repository_port" lineno="55595">
+<summary>
+Make a TCP connection to the repository port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_repository_client_packets" lineno="55615">
+<summary>
+Send repository_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_repository_client_packets" lineno="55634">
+<summary>
+Do not audit attempts to send repository_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_repository_client_packets" lineno="55653">
+<summary>
+Receive repository_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_repository_client_packets" lineno="55672">
+<summary>
+Do not audit attempts to receive repository_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_repository_client_packets" lineno="55691">
+<summary>
+Send and receive repository_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_repository_client_packets" lineno="55707">
+<summary>
+Do not audit attempts to send and receive repository_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_repository_client_packets" lineno="55722">
+<summary>
+Relabel packets to repository_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_repository_server_packets" lineno="55742">
+<summary>
+Send repository_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_repository_server_packets" lineno="55761">
+<summary>
+Do not audit attempts to send repository_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_repository_server_packets" lineno="55780">
+<summary>
+Receive repository_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_repository_server_packets" lineno="55799">
+<summary>
+Do not audit attempts to receive repository_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_repository_server_packets" lineno="55818">
+<summary>
+Send and receive repository_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_repository_server_packets" lineno="55834">
+<summary>
+Do not audit attempts to send and receive repository_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_repository_server_packets" lineno="55849">
+<summary>
+Relabel packets to repository_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ricci_port" lineno="55871">
+<summary>
+Send and receive TCP traffic on the ricci port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ricci_port" lineno="55890">
+<summary>
+Send UDP traffic on the ricci port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ricci_port" lineno="55909">
+<summary>
+Do not audit attempts to send UDP traffic on the ricci port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ricci_port" lineno="55928">
+<summary>
+Receive UDP traffic on the ricci port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ricci_port" lineno="55947">
+<summary>
+Do not audit attempts to receive UDP traffic on the ricci port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ricci_port" lineno="55966">
+<summary>
+Send and receive UDP traffic on the ricci port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ricci_port" lineno="55983">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ricci port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ricci_port" lineno="55999">
+<summary>
+Bind TCP sockets to the ricci port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ricci_port" lineno="56019">
+<summary>
+Bind UDP sockets to the ricci port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ricci_port" lineno="56038">
+<summary>
+Make a TCP connection to the ricci port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ricci_client_packets" lineno="56058">
+<summary>
+Send ricci_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ricci_client_packets" lineno="56077">
+<summary>
+Do not audit attempts to send ricci_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ricci_client_packets" lineno="56096">
+<summary>
+Receive ricci_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ricci_client_packets" lineno="56115">
+<summary>
+Do not audit attempts to receive ricci_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ricci_client_packets" lineno="56134">
+<summary>
+Send and receive ricci_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ricci_client_packets" lineno="56150">
+<summary>
+Do not audit attempts to send and receive ricci_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ricci_client_packets" lineno="56165">
+<summary>
+Relabel packets to ricci_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ricci_server_packets" lineno="56185">
+<summary>
+Send ricci_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ricci_server_packets" lineno="56204">
+<summary>
+Do not audit attempts to send ricci_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ricci_server_packets" lineno="56223">
+<summary>
+Receive ricci_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ricci_server_packets" lineno="56242">
+<summary>
+Do not audit attempts to receive ricci_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ricci_server_packets" lineno="56261">
+<summary>
+Send and receive ricci_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ricci_server_packets" lineno="56277">
+<summary>
+Do not audit attempts to send and receive ricci_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ricci_server_packets" lineno="56292">
+<summary>
+Relabel packets to ricci_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ricci_modcluster_port" lineno="56314">
+<summary>
+Send and receive TCP traffic on the ricci_modcluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ricci_modcluster_port" lineno="56333">
+<summary>
+Send UDP traffic on the ricci_modcluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ricci_modcluster_port" lineno="56352">
+<summary>
+Do not audit attempts to send UDP traffic on the ricci_modcluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ricci_modcluster_port" lineno="56371">
+<summary>
+Receive UDP traffic on the ricci_modcluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ricci_modcluster_port" lineno="56390">
+<summary>
+Do not audit attempts to receive UDP traffic on the ricci_modcluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ricci_modcluster_port" lineno="56409">
+<summary>
+Send and receive UDP traffic on the ricci_modcluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ricci_modcluster_port" lineno="56426">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ricci_modcluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ricci_modcluster_port" lineno="56442">
+<summary>
+Bind TCP sockets to the ricci_modcluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ricci_modcluster_port" lineno="56462">
+<summary>
+Bind UDP sockets to the ricci_modcluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ricci_modcluster_port" lineno="56481">
+<summary>
+Make a TCP connection to the ricci_modcluster port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ricci_modcluster_client_packets" lineno="56501">
+<summary>
+Send ricci_modcluster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ricci_modcluster_client_packets" lineno="56520">
+<summary>
+Do not audit attempts to send ricci_modcluster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ricci_modcluster_client_packets" lineno="56539">
+<summary>
+Receive ricci_modcluster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ricci_modcluster_client_packets" lineno="56558">
+<summary>
+Do not audit attempts to receive ricci_modcluster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ricci_modcluster_client_packets" lineno="56577">
+<summary>
+Send and receive ricci_modcluster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ricci_modcluster_client_packets" lineno="56593">
+<summary>
+Do not audit attempts to send and receive ricci_modcluster_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ricci_modcluster_client_packets" lineno="56608">
+<summary>
+Relabel packets to ricci_modcluster_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ricci_modcluster_server_packets" lineno="56628">
+<summary>
+Send ricci_modcluster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ricci_modcluster_server_packets" lineno="56647">
+<summary>
+Do not audit attempts to send ricci_modcluster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ricci_modcluster_server_packets" lineno="56666">
+<summary>
+Receive ricci_modcluster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ricci_modcluster_server_packets" lineno="56685">
+<summary>
+Do not audit attempts to receive ricci_modcluster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ricci_modcluster_server_packets" lineno="56704">
+<summary>
+Send and receive ricci_modcluster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ricci_modcluster_server_packets" lineno="56720">
+<summary>
+Do not audit attempts to send and receive ricci_modcluster_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ricci_modcluster_server_packets" lineno="56735">
+<summary>
+Relabel packets to ricci_modcluster_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_rlogind_port" lineno="56757">
+<summary>
+Send and receive TCP traffic on the rlogind port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_rlogind_port" lineno="56776">
+<summary>
+Send UDP traffic on the rlogind port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_rlogind_port" lineno="56795">
+<summary>
+Do not audit attempts to send UDP traffic on the rlogind port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_rlogind_port" lineno="56814">
+<summary>
+Receive UDP traffic on the rlogind port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_rlogind_port" lineno="56833">
+<summary>
+Do not audit attempts to receive UDP traffic on the rlogind port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_rlogind_port" lineno="56852">
+<summary>
+Send and receive UDP traffic on the rlogind port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_rlogind_port" lineno="56869">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the rlogind port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_rlogind_port" lineno="56885">
+<summary>
+Bind TCP sockets to the rlogind port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_rlogind_port" lineno="56905">
+<summary>
+Bind UDP sockets to the rlogind port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_rlogind_port" lineno="56924">
+<summary>
+Make a TCP connection to the rlogind port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_rlogind_client_packets" lineno="56944">
+<summary>
+Send rlogind_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_rlogind_client_packets" lineno="56963">
+<summary>
+Do not audit attempts to send rlogind_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_rlogind_client_packets" lineno="56982">
+<summary>
+Receive rlogind_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_rlogind_client_packets" lineno="57001">
+<summary>
+Do not audit attempts to receive rlogind_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_rlogind_client_packets" lineno="57020">
+<summary>
+Send and receive rlogind_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_rlogind_client_packets" lineno="57036">
+<summary>
+Do not audit attempts to send and receive rlogind_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_rlogind_client_packets" lineno="57051">
+<summary>
+Relabel packets to rlogind_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_rlogind_server_packets" lineno="57071">
+<summary>
+Send rlogind_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_rlogind_server_packets" lineno="57090">
+<summary>
+Do not audit attempts to send rlogind_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_rlogind_server_packets" lineno="57109">
+<summary>
+Receive rlogind_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_rlogind_server_packets" lineno="57128">
+<summary>
+Do not audit attempts to receive rlogind_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_rlogind_server_packets" lineno="57147">
+<summary>
+Send and receive rlogind_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_rlogind_server_packets" lineno="57163">
+<summary>
+Do not audit attempts to send and receive rlogind_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_rlogind_server_packets" lineno="57178">
+<summary>
+Relabel packets to rlogind_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_rndc_port" lineno="57200">
+<summary>
+Send and receive TCP traffic on the rndc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_rndc_port" lineno="57219">
+<summary>
+Send UDP traffic on the rndc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_rndc_port" lineno="57238">
+<summary>
+Do not audit attempts to send UDP traffic on the rndc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_rndc_port" lineno="57257">
+<summary>
+Receive UDP traffic on the rndc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_rndc_port" lineno="57276">
+<summary>
+Do not audit attempts to receive UDP traffic on the rndc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_rndc_port" lineno="57295">
+<summary>
+Send and receive UDP traffic on the rndc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_rndc_port" lineno="57312">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the rndc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_rndc_port" lineno="57328">
+<summary>
+Bind TCP sockets to the rndc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_rndc_port" lineno="57348">
+<summary>
+Bind UDP sockets to the rndc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_rndc_port" lineno="57367">
+<summary>
+Make a TCP connection to the rndc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_rndc_client_packets" lineno="57387">
+<summary>
+Send rndc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_rndc_client_packets" lineno="57406">
+<summary>
+Do not audit attempts to send rndc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_rndc_client_packets" lineno="57425">
+<summary>
+Receive rndc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_rndc_client_packets" lineno="57444">
+<summary>
+Do not audit attempts to receive rndc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_rndc_client_packets" lineno="57463">
+<summary>
+Send and receive rndc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_rndc_client_packets" lineno="57479">
+<summary>
+Do not audit attempts to send and receive rndc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_rndc_client_packets" lineno="57494">
+<summary>
+Relabel packets to rndc_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_rndc_server_packets" lineno="57514">
+<summary>
+Send rndc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_rndc_server_packets" lineno="57533">
+<summary>
+Do not audit attempts to send rndc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_rndc_server_packets" lineno="57552">
+<summary>
+Receive rndc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_rndc_server_packets" lineno="57571">
+<summary>
+Do not audit attempts to receive rndc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_rndc_server_packets" lineno="57590">
+<summary>
+Send and receive rndc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_rndc_server_packets" lineno="57606">
+<summary>
+Do not audit attempts to send and receive rndc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_rndc_server_packets" lineno="57621">
+<summary>
+Relabel packets to rndc_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_router_port" lineno="57643">
+<summary>
+Send and receive TCP traffic on the router port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_router_port" lineno="57662">
+<summary>
+Send UDP traffic on the router port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_router_port" lineno="57681">
+<summary>
+Do not audit attempts to send UDP traffic on the router port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_router_port" lineno="57700">
+<summary>
+Receive UDP traffic on the router port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_router_port" lineno="57719">
+<summary>
+Do not audit attempts to receive UDP traffic on the router port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_router_port" lineno="57738">
+<summary>
+Send and receive UDP traffic on the router port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_router_port" lineno="57755">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the router port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_router_port" lineno="57771">
+<summary>
+Bind TCP sockets to the router port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_router_port" lineno="57791">
+<summary>
+Bind UDP sockets to the router port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_router_port" lineno="57810">
+<summary>
+Make a TCP connection to the router port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_router_client_packets" lineno="57830">
+<summary>
+Send router_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_router_client_packets" lineno="57849">
+<summary>
+Do not audit attempts to send router_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_router_client_packets" lineno="57868">
+<summary>
+Receive router_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_router_client_packets" lineno="57887">
+<summary>
+Do not audit attempts to receive router_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_router_client_packets" lineno="57906">
+<summary>
+Send and receive router_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_router_client_packets" lineno="57922">
+<summary>
+Do not audit attempts to send and receive router_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_router_client_packets" lineno="57937">
+<summary>
+Relabel packets to router_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_router_server_packets" lineno="57957">
+<summary>
+Send router_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_router_server_packets" lineno="57976">
+<summary>
+Do not audit attempts to send router_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_router_server_packets" lineno="57995">
+<summary>
+Receive router_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_router_server_packets" lineno="58014">
+<summary>
+Do not audit attempts to receive router_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_router_server_packets" lineno="58033">
+<summary>
+Send and receive router_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_router_server_packets" lineno="58049">
+<summary>
+Do not audit attempts to send and receive router_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_router_server_packets" lineno="58064">
+<summary>
+Relabel packets to router_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_rsh_port" lineno="58086">
+<summary>
+Send and receive TCP traffic on the rsh port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_rsh_port" lineno="58105">
+<summary>
+Send UDP traffic on the rsh port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_rsh_port" lineno="58124">
+<summary>
+Do not audit attempts to send UDP traffic on the rsh port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_rsh_port" lineno="58143">
+<summary>
+Receive UDP traffic on the rsh port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_rsh_port" lineno="58162">
+<summary>
+Do not audit attempts to receive UDP traffic on the rsh port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_rsh_port" lineno="58181">
+<summary>
+Send and receive UDP traffic on the rsh port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_rsh_port" lineno="58198">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the rsh port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_rsh_port" lineno="58214">
+<summary>
+Bind TCP sockets to the rsh port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_rsh_port" lineno="58234">
+<summary>
+Bind UDP sockets to the rsh port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_rsh_port" lineno="58253">
+<summary>
+Make a TCP connection to the rsh port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_rsh_client_packets" lineno="58273">
+<summary>
+Send rsh_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_rsh_client_packets" lineno="58292">
+<summary>
+Do not audit attempts to send rsh_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_rsh_client_packets" lineno="58311">
+<summary>
+Receive rsh_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_rsh_client_packets" lineno="58330">
+<summary>
+Do not audit attempts to receive rsh_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_rsh_client_packets" lineno="58349">
+<summary>
+Send and receive rsh_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_rsh_client_packets" lineno="58365">
+<summary>
+Do not audit attempts to send and receive rsh_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_rsh_client_packets" lineno="58380">
+<summary>
+Relabel packets to rsh_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_rsh_server_packets" lineno="58400">
+<summary>
+Send rsh_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_rsh_server_packets" lineno="58419">
+<summary>
+Do not audit attempts to send rsh_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_rsh_server_packets" lineno="58438">
+<summary>
+Receive rsh_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_rsh_server_packets" lineno="58457">
+<summary>
+Do not audit attempts to receive rsh_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_rsh_server_packets" lineno="58476">
+<summary>
+Send and receive rsh_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_rsh_server_packets" lineno="58492">
+<summary>
+Do not audit attempts to send and receive rsh_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_rsh_server_packets" lineno="58507">
+<summary>
+Relabel packets to rsh_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_rsync_port" lineno="58529">
+<summary>
+Send and receive TCP traffic on the rsync port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_rsync_port" lineno="58548">
+<summary>
+Send UDP traffic on the rsync port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_rsync_port" lineno="58567">
+<summary>
+Do not audit attempts to send UDP traffic on the rsync port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_rsync_port" lineno="58586">
+<summary>
+Receive UDP traffic on the rsync port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_rsync_port" lineno="58605">
+<summary>
+Do not audit attempts to receive UDP traffic on the rsync port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_rsync_port" lineno="58624">
+<summary>
+Send and receive UDP traffic on the rsync port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_rsync_port" lineno="58641">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the rsync port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_rsync_port" lineno="58657">
+<summary>
+Bind TCP sockets to the rsync port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_rsync_port" lineno="58677">
+<summary>
+Bind UDP sockets to the rsync port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_rsync_port" lineno="58696">
+<summary>
+Make a TCP connection to the rsync port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_rsync_client_packets" lineno="58716">
+<summary>
+Send rsync_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_rsync_client_packets" lineno="58735">
+<summary>
+Do not audit attempts to send rsync_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_rsync_client_packets" lineno="58754">
+<summary>
+Receive rsync_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_rsync_client_packets" lineno="58773">
+<summary>
+Do not audit attempts to receive rsync_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_rsync_client_packets" lineno="58792">
+<summary>
+Send and receive rsync_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_rsync_client_packets" lineno="58808">
+<summary>
+Do not audit attempts to send and receive rsync_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_rsync_client_packets" lineno="58823">
+<summary>
+Relabel packets to rsync_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_rsync_server_packets" lineno="58843">
+<summary>
+Send rsync_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_rsync_server_packets" lineno="58862">
+<summary>
+Do not audit attempts to send rsync_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_rsync_server_packets" lineno="58881">
+<summary>
+Receive rsync_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_rsync_server_packets" lineno="58900">
+<summary>
+Do not audit attempts to receive rsync_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_rsync_server_packets" lineno="58919">
+<summary>
+Send and receive rsync_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_rsync_server_packets" lineno="58935">
+<summary>
+Do not audit attempts to send and receive rsync_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_rsync_server_packets" lineno="58950">
+<summary>
+Relabel packets to rsync_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_rwho_port" lineno="58972">
+<summary>
+Send and receive TCP traffic on the rwho port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_rwho_port" lineno="58991">
+<summary>
+Send UDP traffic on the rwho port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_rwho_port" lineno="59010">
+<summary>
+Do not audit attempts to send UDP traffic on the rwho port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_rwho_port" lineno="59029">
+<summary>
+Receive UDP traffic on the rwho port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_rwho_port" lineno="59048">
+<summary>
+Do not audit attempts to receive UDP traffic on the rwho port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_rwho_port" lineno="59067">
+<summary>
+Send and receive UDP traffic on the rwho port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_rwho_port" lineno="59084">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the rwho port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_rwho_port" lineno="59100">
+<summary>
+Bind TCP sockets to the rwho port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_rwho_port" lineno="59120">
+<summary>
+Bind UDP sockets to the rwho port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_rwho_port" lineno="59139">
+<summary>
+Make a TCP connection to the rwho port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_rwho_client_packets" lineno="59159">
+<summary>
+Send rwho_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_rwho_client_packets" lineno="59178">
+<summary>
+Do not audit attempts to send rwho_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_rwho_client_packets" lineno="59197">
+<summary>
+Receive rwho_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_rwho_client_packets" lineno="59216">
+<summary>
+Do not audit attempts to receive rwho_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_rwho_client_packets" lineno="59235">
+<summary>
+Send and receive rwho_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_rwho_client_packets" lineno="59251">
+<summary>
+Do not audit attempts to send and receive rwho_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_rwho_client_packets" lineno="59266">
+<summary>
+Relabel packets to rwho_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_rwho_server_packets" lineno="59286">
+<summary>
+Send rwho_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_rwho_server_packets" lineno="59305">
+<summary>
+Do not audit attempts to send rwho_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_rwho_server_packets" lineno="59324">
+<summary>
+Receive rwho_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_rwho_server_packets" lineno="59343">
+<summary>
+Do not audit attempts to receive rwho_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_rwho_server_packets" lineno="59362">
+<summary>
+Send and receive rwho_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_rwho_server_packets" lineno="59378">
+<summary>
+Do not audit attempts to send and receive rwho_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_rwho_server_packets" lineno="59393">
+<summary>
+Relabel packets to rwho_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_sap_port" lineno="59415">
+<summary>
+Send and receive TCP traffic on the sap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_sap_port" lineno="59434">
+<summary>
+Send UDP traffic on the sap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_sap_port" lineno="59453">
+<summary>
+Do not audit attempts to send UDP traffic on the sap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_sap_port" lineno="59472">
+<summary>
+Receive UDP traffic on the sap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_sap_port" lineno="59491">
+<summary>
+Do not audit attempts to receive UDP traffic on the sap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_sap_port" lineno="59510">
+<summary>
+Send and receive UDP traffic on the sap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_sap_port" lineno="59527">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the sap port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_sap_port" lineno="59543">
+<summary>
+Bind TCP sockets to the sap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_sap_port" lineno="59563">
+<summary>
+Bind UDP sockets to the sap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_sap_port" lineno="59582">
+<summary>
+Make a TCP connection to the sap port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_sap_client_packets" lineno="59602">
+<summary>
+Send sap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_sap_client_packets" lineno="59621">
+<summary>
+Do not audit attempts to send sap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_sap_client_packets" lineno="59640">
+<summary>
+Receive sap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_sap_client_packets" lineno="59659">
+<summary>
+Do not audit attempts to receive sap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_sap_client_packets" lineno="59678">
+<summary>
+Send and receive sap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_sap_client_packets" lineno="59694">
+<summary>
+Do not audit attempts to send and receive sap_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_sap_client_packets" lineno="59709">
+<summary>
+Relabel packets to sap_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_sap_server_packets" lineno="59729">
+<summary>
+Send sap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_sap_server_packets" lineno="59748">
+<summary>
+Do not audit attempts to send sap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_sap_server_packets" lineno="59767">
+<summary>
+Receive sap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_sap_server_packets" lineno="59786">
+<summary>
+Do not audit attempts to receive sap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_sap_server_packets" lineno="59805">
+<summary>
+Send and receive sap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_sap_server_packets" lineno="59821">
+<summary>
+Do not audit attempts to send and receive sap_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_sap_server_packets" lineno="59836">
+<summary>
+Relabel packets to sap_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_sieve_port" lineno="59858">
+<summary>
+Send and receive TCP traffic on the sieve port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_sieve_port" lineno="59877">
+<summary>
+Send UDP traffic on the sieve port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_sieve_port" lineno="59896">
+<summary>
+Do not audit attempts to send UDP traffic on the sieve port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_sieve_port" lineno="59915">
+<summary>
+Receive UDP traffic on the sieve port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_sieve_port" lineno="59934">
+<summary>
+Do not audit attempts to receive UDP traffic on the sieve port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_sieve_port" lineno="59953">
+<summary>
+Send and receive UDP traffic on the sieve port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_sieve_port" lineno="59970">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the sieve port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_sieve_port" lineno="59986">
+<summary>
+Bind TCP sockets to the sieve port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_sieve_port" lineno="60006">
+<summary>
+Bind UDP sockets to the sieve port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_sieve_port" lineno="60025">
+<summary>
+Make a TCP connection to the sieve port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_sieve_client_packets" lineno="60045">
+<summary>
+Send sieve_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_sieve_client_packets" lineno="60064">
+<summary>
+Do not audit attempts to send sieve_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_sieve_client_packets" lineno="60083">
+<summary>
+Receive sieve_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_sieve_client_packets" lineno="60102">
+<summary>
+Do not audit attempts to receive sieve_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_sieve_client_packets" lineno="60121">
+<summary>
+Send and receive sieve_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_sieve_client_packets" lineno="60137">
+<summary>
+Do not audit attempts to send and receive sieve_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_sieve_client_packets" lineno="60152">
+<summary>
+Relabel packets to sieve_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_sieve_server_packets" lineno="60172">
+<summary>
+Send sieve_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_sieve_server_packets" lineno="60191">
+<summary>
+Do not audit attempts to send sieve_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_sieve_server_packets" lineno="60210">
+<summary>
+Receive sieve_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_sieve_server_packets" lineno="60229">
+<summary>
+Do not audit attempts to receive sieve_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_sieve_server_packets" lineno="60248">
+<summary>
+Send and receive sieve_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_sieve_server_packets" lineno="60264">
+<summary>
+Do not audit attempts to send and receive sieve_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_sieve_server_packets" lineno="60279">
+<summary>
+Relabel packets to sieve_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_sip_port" lineno="60301">
+<summary>
+Send and receive TCP traffic on the sip port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_sip_port" lineno="60320">
+<summary>
+Send UDP traffic on the sip port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_sip_port" lineno="60339">
+<summary>
+Do not audit attempts to send UDP traffic on the sip port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_sip_port" lineno="60358">
+<summary>
+Receive UDP traffic on the sip port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_sip_port" lineno="60377">
+<summary>
+Do not audit attempts to receive UDP traffic on the sip port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_sip_port" lineno="60396">
+<summary>
+Send and receive UDP traffic on the sip port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_sip_port" lineno="60413">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the sip port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_sip_port" lineno="60429">
+<summary>
+Bind TCP sockets to the sip port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_sip_port" lineno="60449">
+<summary>
+Bind UDP sockets to the sip port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_sip_port" lineno="60468">
+<summary>
+Make a TCP connection to the sip port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_sip_client_packets" lineno="60488">
+<summary>
+Send sip_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_sip_client_packets" lineno="60507">
+<summary>
+Do not audit attempts to send sip_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_sip_client_packets" lineno="60526">
+<summary>
+Receive sip_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_sip_client_packets" lineno="60545">
+<summary>
+Do not audit attempts to receive sip_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_sip_client_packets" lineno="60564">
+<summary>
+Send and receive sip_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_sip_client_packets" lineno="60580">
+<summary>
+Do not audit attempts to send and receive sip_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_sip_client_packets" lineno="60595">
+<summary>
+Relabel packets to sip_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_sip_server_packets" lineno="60615">
+<summary>
+Send sip_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_sip_server_packets" lineno="60634">
+<summary>
+Do not audit attempts to send sip_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_sip_server_packets" lineno="60653">
+<summary>
+Receive sip_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_sip_server_packets" lineno="60672">
+<summary>
+Do not audit attempts to receive sip_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_sip_server_packets" lineno="60691">
+<summary>
+Send and receive sip_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_sip_server_packets" lineno="60707">
+<summary>
+Do not audit attempts to send and receive sip_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_sip_server_packets" lineno="60722">
+<summary>
+Relabel packets to sip_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_sixxsconfig_port" lineno="60744">
+<summary>
+Send and receive TCP traffic on the sixxsconfig port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_sixxsconfig_port" lineno="60763">
+<summary>
+Send UDP traffic on the sixxsconfig port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_sixxsconfig_port" lineno="60782">
+<summary>
+Do not audit attempts to send UDP traffic on the sixxsconfig port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_sixxsconfig_port" lineno="60801">
+<summary>
+Receive UDP traffic on the sixxsconfig port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_sixxsconfig_port" lineno="60820">
+<summary>
+Do not audit attempts to receive UDP traffic on the sixxsconfig port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_sixxsconfig_port" lineno="60839">
+<summary>
+Send and receive UDP traffic on the sixxsconfig port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_sixxsconfig_port" lineno="60856">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the sixxsconfig port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_sixxsconfig_port" lineno="60872">
+<summary>
+Bind TCP sockets to the sixxsconfig port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_sixxsconfig_port" lineno="60892">
+<summary>
+Bind UDP sockets to the sixxsconfig port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_sixxsconfig_port" lineno="60911">
+<summary>
+Make a TCP connection to the sixxsconfig port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_sixxsconfig_client_packets" lineno="60931">
+<summary>
+Send sixxsconfig_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_sixxsconfig_client_packets" lineno="60950">
+<summary>
+Do not audit attempts to send sixxsconfig_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_sixxsconfig_client_packets" lineno="60969">
+<summary>
+Receive sixxsconfig_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_sixxsconfig_client_packets" lineno="60988">
+<summary>
+Do not audit attempts to receive sixxsconfig_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_sixxsconfig_client_packets" lineno="61007">
+<summary>
+Send and receive sixxsconfig_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_sixxsconfig_client_packets" lineno="61023">
+<summary>
+Do not audit attempts to send and receive sixxsconfig_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_sixxsconfig_client_packets" lineno="61038">
+<summary>
+Relabel packets to sixxsconfig_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_sixxsconfig_server_packets" lineno="61058">
+<summary>
+Send sixxsconfig_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_sixxsconfig_server_packets" lineno="61077">
+<summary>
+Do not audit attempts to send sixxsconfig_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_sixxsconfig_server_packets" lineno="61096">
+<summary>
+Receive sixxsconfig_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_sixxsconfig_server_packets" lineno="61115">
+<summary>
+Do not audit attempts to receive sixxsconfig_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_sixxsconfig_server_packets" lineno="61134">
+<summary>
+Send and receive sixxsconfig_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_sixxsconfig_server_packets" lineno="61150">
+<summary>
+Do not audit attempts to send and receive sixxsconfig_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_sixxsconfig_server_packets" lineno="61165">
+<summary>
+Relabel packets to sixxsconfig_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_smbd_port" lineno="61187">
+<summary>
+Send and receive TCP traffic on the smbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_smbd_port" lineno="61206">
+<summary>
+Send UDP traffic on the smbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_smbd_port" lineno="61225">
+<summary>
+Do not audit attempts to send UDP traffic on the smbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_smbd_port" lineno="61244">
+<summary>
+Receive UDP traffic on the smbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_smbd_port" lineno="61263">
+<summary>
+Do not audit attempts to receive UDP traffic on the smbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_smbd_port" lineno="61282">
+<summary>
+Send and receive UDP traffic on the smbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_smbd_port" lineno="61299">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the smbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_smbd_port" lineno="61315">
+<summary>
+Bind TCP sockets to the smbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_smbd_port" lineno="61335">
+<summary>
+Bind UDP sockets to the smbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_smbd_port" lineno="61354">
+<summary>
+Make a TCP connection to the smbd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_smbd_client_packets" lineno="61374">
+<summary>
+Send smbd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_smbd_client_packets" lineno="61393">
+<summary>
+Do not audit attempts to send smbd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_smbd_client_packets" lineno="61412">
+<summary>
+Receive smbd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_smbd_client_packets" lineno="61431">
+<summary>
+Do not audit attempts to receive smbd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_smbd_client_packets" lineno="61450">
+<summary>
+Send and receive smbd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_smbd_client_packets" lineno="61466">
+<summary>
+Do not audit attempts to send and receive smbd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_smbd_client_packets" lineno="61481">
+<summary>
+Relabel packets to smbd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_smbd_server_packets" lineno="61501">
+<summary>
+Send smbd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_smbd_server_packets" lineno="61520">
+<summary>
+Do not audit attempts to send smbd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_smbd_server_packets" lineno="61539">
+<summary>
+Receive smbd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_smbd_server_packets" lineno="61558">
+<summary>
+Do not audit attempts to receive smbd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_smbd_server_packets" lineno="61577">
+<summary>
+Send and receive smbd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_smbd_server_packets" lineno="61593">
+<summary>
+Do not audit attempts to send and receive smbd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_smbd_server_packets" lineno="61608">
+<summary>
+Relabel packets to smbd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_smtp_port" lineno="61630">
+<summary>
+Send and receive TCP traffic on the smtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_smtp_port" lineno="61649">
+<summary>
+Send UDP traffic on the smtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_smtp_port" lineno="61668">
+<summary>
+Do not audit attempts to send UDP traffic on the smtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_smtp_port" lineno="61687">
+<summary>
+Receive UDP traffic on the smtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_smtp_port" lineno="61706">
+<summary>
+Do not audit attempts to receive UDP traffic on the smtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_smtp_port" lineno="61725">
+<summary>
+Send and receive UDP traffic on the smtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_smtp_port" lineno="61742">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the smtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_smtp_port" lineno="61758">
+<summary>
+Bind TCP sockets to the smtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_smtp_port" lineno="61778">
+<summary>
+Bind UDP sockets to the smtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_smtp_port" lineno="61797">
+<summary>
+Make a TCP connection to the smtp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_smtp_client_packets" lineno="61817">
+<summary>
+Send smtp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_smtp_client_packets" lineno="61836">
+<summary>
+Do not audit attempts to send smtp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_smtp_client_packets" lineno="61855">
+<summary>
+Receive smtp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_smtp_client_packets" lineno="61874">
+<summary>
+Do not audit attempts to receive smtp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_smtp_client_packets" lineno="61893">
+<summary>
+Send and receive smtp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_smtp_client_packets" lineno="61909">
+<summary>
+Do not audit attempts to send and receive smtp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_smtp_client_packets" lineno="61924">
+<summary>
+Relabel packets to smtp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_smtp_server_packets" lineno="61944">
+<summary>
+Send smtp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_smtp_server_packets" lineno="61963">
+<summary>
+Do not audit attempts to send smtp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_smtp_server_packets" lineno="61982">
+<summary>
+Receive smtp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_smtp_server_packets" lineno="62001">
+<summary>
+Do not audit attempts to receive smtp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_smtp_server_packets" lineno="62020">
+<summary>
+Send and receive smtp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_smtp_server_packets" lineno="62036">
+<summary>
+Do not audit attempts to send and receive smtp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_smtp_server_packets" lineno="62051">
+<summary>
+Relabel packets to smtp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_snmp_port" lineno="62073">
+<summary>
+Send and receive TCP traffic on the snmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_snmp_port" lineno="62092">
+<summary>
+Send UDP traffic on the snmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_snmp_port" lineno="62111">
+<summary>
+Do not audit attempts to send UDP traffic on the snmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_snmp_port" lineno="62130">
+<summary>
+Receive UDP traffic on the snmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_snmp_port" lineno="62149">
+<summary>
+Do not audit attempts to receive UDP traffic on the snmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_snmp_port" lineno="62168">
+<summary>
+Send and receive UDP traffic on the snmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_snmp_port" lineno="62185">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the snmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_snmp_port" lineno="62201">
+<summary>
+Bind TCP sockets to the snmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_snmp_port" lineno="62221">
+<summary>
+Bind UDP sockets to the snmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_snmp_port" lineno="62240">
+<summary>
+Make a TCP connection to the snmp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_snmp_client_packets" lineno="62260">
+<summary>
+Send snmp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_snmp_client_packets" lineno="62279">
+<summary>
+Do not audit attempts to send snmp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_snmp_client_packets" lineno="62298">
+<summary>
+Receive snmp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_snmp_client_packets" lineno="62317">
+<summary>
+Do not audit attempts to receive snmp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_snmp_client_packets" lineno="62336">
+<summary>
+Send and receive snmp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_snmp_client_packets" lineno="62352">
+<summary>
+Do not audit attempts to send and receive snmp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_snmp_client_packets" lineno="62367">
+<summary>
+Relabel packets to snmp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_snmp_server_packets" lineno="62387">
+<summary>
+Send snmp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_snmp_server_packets" lineno="62406">
+<summary>
+Do not audit attempts to send snmp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_snmp_server_packets" lineno="62425">
+<summary>
+Receive snmp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_snmp_server_packets" lineno="62444">
+<summary>
+Do not audit attempts to receive snmp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_snmp_server_packets" lineno="62463">
+<summary>
+Send and receive snmp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_snmp_server_packets" lineno="62479">
+<summary>
+Do not audit attempts to send and receive snmp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_snmp_server_packets" lineno="62494">
+<summary>
+Relabel packets to snmp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_socks_port" lineno="62516">
+<summary>
+Send and receive TCP traffic on the socks port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_socks_port" lineno="62535">
+<summary>
+Send UDP traffic on the socks port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_socks_port" lineno="62554">
+<summary>
+Do not audit attempts to send UDP traffic on the socks port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_socks_port" lineno="62573">
+<summary>
+Receive UDP traffic on the socks port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_socks_port" lineno="62592">
+<summary>
+Do not audit attempts to receive UDP traffic on the socks port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_socks_port" lineno="62611">
+<summary>
+Send and receive UDP traffic on the socks port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_socks_port" lineno="62628">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the socks port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_socks_port" lineno="62644">
+<summary>
+Bind TCP sockets to the socks port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_socks_port" lineno="62664">
+<summary>
+Bind UDP sockets to the socks port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_socks_port" lineno="62683">
+<summary>
+Make a TCP connection to the socks port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_socks_client_packets" lineno="62703">
+<summary>
+Send socks_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_socks_client_packets" lineno="62722">
+<summary>
+Do not audit attempts to send socks_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_socks_client_packets" lineno="62741">
+<summary>
+Receive socks_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_socks_client_packets" lineno="62760">
+<summary>
+Do not audit attempts to receive socks_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_socks_client_packets" lineno="62779">
+<summary>
+Send and receive socks_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_socks_client_packets" lineno="62795">
+<summary>
+Do not audit attempts to send and receive socks_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_socks_client_packets" lineno="62810">
+<summary>
+Relabel packets to socks_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_socks_server_packets" lineno="62830">
+<summary>
+Send socks_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_socks_server_packets" lineno="62849">
+<summary>
+Do not audit attempts to send socks_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_socks_server_packets" lineno="62868">
+<summary>
+Receive socks_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_socks_server_packets" lineno="62887">
+<summary>
+Do not audit attempts to receive socks_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_socks_server_packets" lineno="62906">
+<summary>
+Send and receive socks_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_socks_server_packets" lineno="62922">
+<summary>
+Do not audit attempts to send and receive socks_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_socks_server_packets" lineno="62937">
+<summary>
+Relabel packets to socks_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_soundd_port" lineno="62959">
+<summary>
+Send and receive TCP traffic on the soundd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_soundd_port" lineno="62978">
+<summary>
+Send UDP traffic on the soundd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_soundd_port" lineno="62997">
+<summary>
+Do not audit attempts to send UDP traffic on the soundd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_soundd_port" lineno="63016">
+<summary>
+Receive UDP traffic on the soundd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_soundd_port" lineno="63035">
+<summary>
+Do not audit attempts to receive UDP traffic on the soundd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_soundd_port" lineno="63054">
+<summary>
+Send and receive UDP traffic on the soundd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_soundd_port" lineno="63071">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the soundd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_soundd_port" lineno="63087">
+<summary>
+Bind TCP sockets to the soundd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_soundd_port" lineno="63107">
+<summary>
+Bind UDP sockets to the soundd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_soundd_port" lineno="63126">
+<summary>
+Make a TCP connection to the soundd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_soundd_client_packets" lineno="63146">
+<summary>
+Send soundd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_soundd_client_packets" lineno="63165">
+<summary>
+Do not audit attempts to send soundd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_soundd_client_packets" lineno="63184">
+<summary>
+Receive soundd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_soundd_client_packets" lineno="63203">
+<summary>
+Do not audit attempts to receive soundd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_soundd_client_packets" lineno="63222">
+<summary>
+Send and receive soundd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_soundd_client_packets" lineno="63238">
+<summary>
+Do not audit attempts to send and receive soundd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_soundd_client_packets" lineno="63253">
+<summary>
+Relabel packets to soundd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_soundd_server_packets" lineno="63273">
+<summary>
+Send soundd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_soundd_server_packets" lineno="63292">
+<summary>
+Do not audit attempts to send soundd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_soundd_server_packets" lineno="63311">
+<summary>
+Receive soundd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_soundd_server_packets" lineno="63330">
+<summary>
+Do not audit attempts to receive soundd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_soundd_server_packets" lineno="63349">
+<summary>
+Send and receive soundd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_soundd_server_packets" lineno="63365">
+<summary>
+Do not audit attempts to send and receive soundd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_soundd_server_packets" lineno="63380">
+<summary>
+Relabel packets to soundd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_spamd_port" lineno="63402">
+<summary>
+Send and receive TCP traffic on the spamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_spamd_port" lineno="63421">
+<summary>
+Send UDP traffic on the spamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_spamd_port" lineno="63440">
+<summary>
+Do not audit attempts to send UDP traffic on the spamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_spamd_port" lineno="63459">
+<summary>
+Receive UDP traffic on the spamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_spamd_port" lineno="63478">
+<summary>
+Do not audit attempts to receive UDP traffic on the spamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_spamd_port" lineno="63497">
+<summary>
+Send and receive UDP traffic on the spamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_spamd_port" lineno="63514">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the spamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_spamd_port" lineno="63530">
+<summary>
+Bind TCP sockets to the spamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_spamd_port" lineno="63550">
+<summary>
+Bind UDP sockets to the spamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_spamd_port" lineno="63569">
+<summary>
+Make a TCP connection to the spamd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_spamd_client_packets" lineno="63589">
+<summary>
+Send spamd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_spamd_client_packets" lineno="63608">
+<summary>
+Do not audit attempts to send spamd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_spamd_client_packets" lineno="63627">
+<summary>
+Receive spamd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_spamd_client_packets" lineno="63646">
+<summary>
+Do not audit attempts to receive spamd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_spamd_client_packets" lineno="63665">
+<summary>
+Send and receive spamd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_spamd_client_packets" lineno="63681">
+<summary>
+Do not audit attempts to send and receive spamd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_spamd_client_packets" lineno="63696">
+<summary>
+Relabel packets to spamd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_spamd_server_packets" lineno="63716">
+<summary>
+Send spamd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_spamd_server_packets" lineno="63735">
+<summary>
+Do not audit attempts to send spamd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_spamd_server_packets" lineno="63754">
+<summary>
+Receive spamd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_spamd_server_packets" lineno="63773">
+<summary>
+Do not audit attempts to receive spamd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_spamd_server_packets" lineno="63792">
+<summary>
+Send and receive spamd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_spamd_server_packets" lineno="63808">
+<summary>
+Do not audit attempts to send and receive spamd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_spamd_server_packets" lineno="63823">
+<summary>
+Relabel packets to spamd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_speech_port" lineno="63845">
+<summary>
+Send and receive TCP traffic on the speech port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_speech_port" lineno="63864">
+<summary>
+Send UDP traffic on the speech port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_speech_port" lineno="63883">
+<summary>
+Do not audit attempts to send UDP traffic on the speech port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_speech_port" lineno="63902">
+<summary>
+Receive UDP traffic on the speech port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_speech_port" lineno="63921">
+<summary>
+Do not audit attempts to receive UDP traffic on the speech port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_speech_port" lineno="63940">
+<summary>
+Send and receive UDP traffic on the speech port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_speech_port" lineno="63957">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the speech port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_speech_port" lineno="63973">
+<summary>
+Bind TCP sockets to the speech port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_speech_port" lineno="63993">
+<summary>
+Bind UDP sockets to the speech port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_speech_port" lineno="64012">
+<summary>
+Make a TCP connection to the speech port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_speech_client_packets" lineno="64032">
+<summary>
+Send speech_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_speech_client_packets" lineno="64051">
+<summary>
+Do not audit attempts to send speech_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_speech_client_packets" lineno="64070">
+<summary>
+Receive speech_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_speech_client_packets" lineno="64089">
+<summary>
+Do not audit attempts to receive speech_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_speech_client_packets" lineno="64108">
+<summary>
+Send and receive speech_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_speech_client_packets" lineno="64124">
+<summary>
+Do not audit attempts to send and receive speech_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_speech_client_packets" lineno="64139">
+<summary>
+Relabel packets to speech_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_speech_server_packets" lineno="64159">
+<summary>
+Send speech_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_speech_server_packets" lineno="64178">
+<summary>
+Do not audit attempts to send speech_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_speech_server_packets" lineno="64197">
+<summary>
+Receive speech_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_speech_server_packets" lineno="64216">
+<summary>
+Do not audit attempts to receive speech_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_speech_server_packets" lineno="64235">
+<summary>
+Send and receive speech_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_speech_server_packets" lineno="64251">
+<summary>
+Do not audit attempts to send and receive speech_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_speech_server_packets" lineno="64266">
+<summary>
+Relabel packets to speech_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_squid_port" lineno="64288">
+<summary>
+Send and receive TCP traffic on the squid port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_squid_port" lineno="64307">
+<summary>
+Send UDP traffic on the squid port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_squid_port" lineno="64326">
+<summary>
+Do not audit attempts to send UDP traffic on the squid port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_squid_port" lineno="64345">
+<summary>
+Receive UDP traffic on the squid port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_squid_port" lineno="64364">
+<summary>
+Do not audit attempts to receive UDP traffic on the squid port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_squid_port" lineno="64383">
+<summary>
+Send and receive UDP traffic on the squid port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_squid_port" lineno="64400">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the squid port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_squid_port" lineno="64416">
+<summary>
+Bind TCP sockets to the squid port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_squid_port" lineno="64436">
+<summary>
+Bind UDP sockets to the squid port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_squid_port" lineno="64455">
+<summary>
+Make a TCP connection to the squid port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_squid_client_packets" lineno="64475">
+<summary>
+Send squid_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_squid_client_packets" lineno="64494">
+<summary>
+Do not audit attempts to send squid_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_squid_client_packets" lineno="64513">
+<summary>
+Receive squid_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_squid_client_packets" lineno="64532">
+<summary>
+Do not audit attempts to receive squid_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_squid_client_packets" lineno="64551">
+<summary>
+Send and receive squid_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_squid_client_packets" lineno="64567">
+<summary>
+Do not audit attempts to send and receive squid_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_squid_client_packets" lineno="64582">
+<summary>
+Relabel packets to squid_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_squid_server_packets" lineno="64602">
+<summary>
+Send squid_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_squid_server_packets" lineno="64621">
+<summary>
+Do not audit attempts to send squid_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_squid_server_packets" lineno="64640">
+<summary>
+Receive squid_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_squid_server_packets" lineno="64659">
+<summary>
+Do not audit attempts to receive squid_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_squid_server_packets" lineno="64678">
+<summary>
+Send and receive squid_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_squid_server_packets" lineno="64694">
+<summary>
+Do not audit attempts to send and receive squid_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_squid_server_packets" lineno="64709">
+<summary>
+Relabel packets to squid_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ssh_port" lineno="64731">
+<summary>
+Send and receive TCP traffic on the ssh port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ssh_port" lineno="64750">
+<summary>
+Send UDP traffic on the ssh port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ssh_port" lineno="64769">
+<summary>
+Do not audit attempts to send UDP traffic on the ssh port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ssh_port" lineno="64788">
+<summary>
+Receive UDP traffic on the ssh port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ssh_port" lineno="64807">
+<summary>
+Do not audit attempts to receive UDP traffic on the ssh port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ssh_port" lineno="64826">
+<summary>
+Send and receive UDP traffic on the ssh port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ssh_port" lineno="64843">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ssh port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ssh_port" lineno="64859">
+<summary>
+Bind TCP sockets to the ssh port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ssh_port" lineno="64879">
+<summary>
+Bind UDP sockets to the ssh port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ssh_port" lineno="64898">
+<summary>
+Make a TCP connection to the ssh port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ssh_client_packets" lineno="64918">
+<summary>
+Send ssh_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ssh_client_packets" lineno="64937">
+<summary>
+Do not audit attempts to send ssh_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ssh_client_packets" lineno="64956">
+<summary>
+Receive ssh_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ssh_client_packets" lineno="64975">
+<summary>
+Do not audit attempts to receive ssh_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ssh_client_packets" lineno="64994">
+<summary>
+Send and receive ssh_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ssh_client_packets" lineno="65010">
+<summary>
+Do not audit attempts to send and receive ssh_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ssh_client_packets" lineno="65025">
+<summary>
+Relabel packets to ssh_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ssh_server_packets" lineno="65045">
+<summary>
+Send ssh_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ssh_server_packets" lineno="65064">
+<summary>
+Do not audit attempts to send ssh_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ssh_server_packets" lineno="65083">
+<summary>
+Receive ssh_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ssh_server_packets" lineno="65102">
+<summary>
+Do not audit attempts to receive ssh_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ssh_server_packets" lineno="65121">
+<summary>
+Send and receive ssh_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ssh_server_packets" lineno="65137">
+<summary>
+Do not audit attempts to send and receive ssh_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ssh_server_packets" lineno="65152">
+<summary>
+Relabel packets to ssh_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_stunnel_port" lineno="65174">
+<summary>
+Send and receive TCP traffic on the stunnel port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_stunnel_port" lineno="65193">
+<summary>
+Send UDP traffic on the stunnel port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_stunnel_port" lineno="65212">
+<summary>
+Do not audit attempts to send UDP traffic on the stunnel port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_stunnel_port" lineno="65231">
+<summary>
+Receive UDP traffic on the stunnel port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_stunnel_port" lineno="65250">
+<summary>
+Do not audit attempts to receive UDP traffic on the stunnel port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_stunnel_port" lineno="65269">
+<summary>
+Send and receive UDP traffic on the stunnel port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_stunnel_port" lineno="65286">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the stunnel port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_stunnel_port" lineno="65302">
+<summary>
+Bind TCP sockets to the stunnel port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_stunnel_port" lineno="65322">
+<summary>
+Bind UDP sockets to the stunnel port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_stunnel_port" lineno="65341">
+<summary>
+Make a TCP connection to the stunnel port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_stunnel_client_packets" lineno="65361">
+<summary>
+Send stunnel_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_stunnel_client_packets" lineno="65380">
+<summary>
+Do not audit attempts to send stunnel_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_stunnel_client_packets" lineno="65399">
+<summary>
+Receive stunnel_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_stunnel_client_packets" lineno="65418">
+<summary>
+Do not audit attempts to receive stunnel_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_stunnel_client_packets" lineno="65437">
+<summary>
+Send and receive stunnel_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_stunnel_client_packets" lineno="65453">
+<summary>
+Do not audit attempts to send and receive stunnel_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_stunnel_client_packets" lineno="65468">
+<summary>
+Relabel packets to stunnel_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_stunnel_server_packets" lineno="65488">
+<summary>
+Send stunnel_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_stunnel_server_packets" lineno="65507">
+<summary>
+Do not audit attempts to send stunnel_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_stunnel_server_packets" lineno="65526">
+<summary>
+Receive stunnel_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_stunnel_server_packets" lineno="65545">
+<summary>
+Do not audit attempts to receive stunnel_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_stunnel_server_packets" lineno="65564">
+<summary>
+Send and receive stunnel_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_stunnel_server_packets" lineno="65580">
+<summary>
+Do not audit attempts to send and receive stunnel_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_stunnel_server_packets" lineno="65595">
+<summary>
+Relabel packets to stunnel_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_swat_port" lineno="65617">
+<summary>
+Send and receive TCP traffic on the swat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_swat_port" lineno="65636">
+<summary>
+Send UDP traffic on the swat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_swat_port" lineno="65655">
+<summary>
+Do not audit attempts to send UDP traffic on the swat port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_swat_port" lineno="65674">
+<summary>
+Receive UDP traffic on the swat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_swat_port" lineno="65693">
+<summary>
+Do not audit attempts to receive UDP traffic on the swat port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_swat_port" lineno="65712">
+<summary>
+Send and receive UDP traffic on the swat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_swat_port" lineno="65729">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the swat port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_swat_port" lineno="65745">
+<summary>
+Bind TCP sockets to the swat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_swat_port" lineno="65765">
+<summary>
+Bind UDP sockets to the swat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_swat_port" lineno="65784">
+<summary>
+Make a TCP connection to the swat port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_swat_client_packets" lineno="65804">
+<summary>
+Send swat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_swat_client_packets" lineno="65823">
+<summary>
+Do not audit attempts to send swat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_swat_client_packets" lineno="65842">
+<summary>
+Receive swat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_swat_client_packets" lineno="65861">
+<summary>
+Do not audit attempts to receive swat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_swat_client_packets" lineno="65880">
+<summary>
+Send and receive swat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_swat_client_packets" lineno="65896">
+<summary>
+Do not audit attempts to send and receive swat_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_swat_client_packets" lineno="65911">
+<summary>
+Relabel packets to swat_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_swat_server_packets" lineno="65931">
+<summary>
+Send swat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_swat_server_packets" lineno="65950">
+<summary>
+Do not audit attempts to send swat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_swat_server_packets" lineno="65969">
+<summary>
+Receive swat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_swat_server_packets" lineno="65988">
+<summary>
+Do not audit attempts to receive swat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_swat_server_packets" lineno="66007">
+<summary>
+Send and receive swat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_swat_server_packets" lineno="66023">
+<summary>
+Do not audit attempts to send and receive swat_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_swat_server_packets" lineno="66038">
+<summary>
+Relabel packets to swat_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_syslogd_port" lineno="66060">
+<summary>
+Send and receive TCP traffic on the syslogd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_syslogd_port" lineno="66079">
+<summary>
+Send UDP traffic on the syslogd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_syslogd_port" lineno="66098">
+<summary>
+Do not audit attempts to send UDP traffic on the syslogd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_syslogd_port" lineno="66117">
+<summary>
+Receive UDP traffic on the syslogd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_syslogd_port" lineno="66136">
+<summary>
+Do not audit attempts to receive UDP traffic on the syslogd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_syslogd_port" lineno="66155">
+<summary>
+Send and receive UDP traffic on the syslogd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_syslogd_port" lineno="66172">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the syslogd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_syslogd_port" lineno="66188">
+<summary>
+Bind TCP sockets to the syslogd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_syslogd_port" lineno="66208">
+<summary>
+Bind UDP sockets to the syslogd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_syslogd_port" lineno="66227">
+<summary>
+Make a TCP connection to the syslogd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_syslogd_client_packets" lineno="66247">
+<summary>
+Send syslogd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_syslogd_client_packets" lineno="66266">
+<summary>
+Do not audit attempts to send syslogd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_syslogd_client_packets" lineno="66285">
+<summary>
+Receive syslogd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_syslogd_client_packets" lineno="66304">
+<summary>
+Do not audit attempts to receive syslogd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_syslogd_client_packets" lineno="66323">
+<summary>
+Send and receive syslogd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_syslogd_client_packets" lineno="66339">
+<summary>
+Do not audit attempts to send and receive syslogd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_syslogd_client_packets" lineno="66354">
+<summary>
+Relabel packets to syslogd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_syslogd_server_packets" lineno="66374">
+<summary>
+Send syslogd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_syslogd_server_packets" lineno="66393">
+<summary>
+Do not audit attempts to send syslogd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_syslogd_server_packets" lineno="66412">
+<summary>
+Receive syslogd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_syslogd_server_packets" lineno="66431">
+<summary>
+Do not audit attempts to receive syslogd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_syslogd_server_packets" lineno="66450">
+<summary>
+Send and receive syslogd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_syslogd_server_packets" lineno="66466">
+<summary>
+Do not audit attempts to send and receive syslogd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_syslogd_server_packets" lineno="66481">
+<summary>
+Relabel packets to syslogd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_tcs_port" lineno="66503">
+<summary>
+Send and receive TCP traffic on the tcs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_tcs_port" lineno="66522">
+<summary>
+Send UDP traffic on the tcs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_tcs_port" lineno="66541">
+<summary>
+Do not audit attempts to send UDP traffic on the tcs port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_tcs_port" lineno="66560">
+<summary>
+Receive UDP traffic on the tcs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_tcs_port" lineno="66579">
+<summary>
+Do not audit attempts to receive UDP traffic on the tcs port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_tcs_port" lineno="66598">
+<summary>
+Send and receive UDP traffic on the tcs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_tcs_port" lineno="66615">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the tcs port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_tcs_port" lineno="66631">
+<summary>
+Bind TCP sockets to the tcs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_tcs_port" lineno="66651">
+<summary>
+Bind UDP sockets to the tcs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_tcs_port" lineno="66670">
+<summary>
+Make a TCP connection to the tcs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_tcs_client_packets" lineno="66690">
+<summary>
+Send tcs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_tcs_client_packets" lineno="66709">
+<summary>
+Do not audit attempts to send tcs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_tcs_client_packets" lineno="66728">
+<summary>
+Receive tcs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_tcs_client_packets" lineno="66747">
+<summary>
+Do not audit attempts to receive tcs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_tcs_client_packets" lineno="66766">
+<summary>
+Send and receive tcs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_tcs_client_packets" lineno="66782">
+<summary>
+Do not audit attempts to send and receive tcs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_tcs_client_packets" lineno="66797">
+<summary>
+Relabel packets to tcs_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_tcs_server_packets" lineno="66817">
+<summary>
+Send tcs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_tcs_server_packets" lineno="66836">
+<summary>
+Do not audit attempts to send tcs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_tcs_server_packets" lineno="66855">
+<summary>
+Receive tcs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_tcs_server_packets" lineno="66874">
+<summary>
+Do not audit attempts to receive tcs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_tcs_server_packets" lineno="66893">
+<summary>
+Send and receive tcs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_tcs_server_packets" lineno="66909">
+<summary>
+Do not audit attempts to send and receive tcs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_tcs_server_packets" lineno="66924">
+<summary>
+Relabel packets to tcs_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_telnetd_port" lineno="66946">
+<summary>
+Send and receive TCP traffic on the telnetd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_telnetd_port" lineno="66965">
+<summary>
+Send UDP traffic on the telnetd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_telnetd_port" lineno="66984">
+<summary>
+Do not audit attempts to send UDP traffic on the telnetd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_telnetd_port" lineno="67003">
+<summary>
+Receive UDP traffic on the telnetd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_telnetd_port" lineno="67022">
+<summary>
+Do not audit attempts to receive UDP traffic on the telnetd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_telnetd_port" lineno="67041">
+<summary>
+Send and receive UDP traffic on the telnetd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_telnetd_port" lineno="67058">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the telnetd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_telnetd_port" lineno="67074">
+<summary>
+Bind TCP sockets to the telnetd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_telnetd_port" lineno="67094">
+<summary>
+Bind UDP sockets to the telnetd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_telnetd_port" lineno="67113">
+<summary>
+Make a TCP connection to the telnetd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_telnetd_client_packets" lineno="67133">
+<summary>
+Send telnetd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_telnetd_client_packets" lineno="67152">
+<summary>
+Do not audit attempts to send telnetd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_telnetd_client_packets" lineno="67171">
+<summary>
+Receive telnetd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_telnetd_client_packets" lineno="67190">
+<summary>
+Do not audit attempts to receive telnetd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_telnetd_client_packets" lineno="67209">
+<summary>
+Send and receive telnetd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_telnetd_client_packets" lineno="67225">
+<summary>
+Do not audit attempts to send and receive telnetd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_telnetd_client_packets" lineno="67240">
+<summary>
+Relabel packets to telnetd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_telnetd_server_packets" lineno="67260">
+<summary>
+Send telnetd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_telnetd_server_packets" lineno="67279">
+<summary>
+Do not audit attempts to send telnetd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_telnetd_server_packets" lineno="67298">
+<summary>
+Receive telnetd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_telnetd_server_packets" lineno="67317">
+<summary>
+Do not audit attempts to receive telnetd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_telnetd_server_packets" lineno="67336">
+<summary>
+Send and receive telnetd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_telnetd_server_packets" lineno="67352">
+<summary>
+Do not audit attempts to send and receive telnetd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_telnetd_server_packets" lineno="67367">
+<summary>
+Relabel packets to telnetd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_tftp_port" lineno="67389">
+<summary>
+Send and receive TCP traffic on the tftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_tftp_port" lineno="67408">
+<summary>
+Send UDP traffic on the tftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_tftp_port" lineno="67427">
+<summary>
+Do not audit attempts to send UDP traffic on the tftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_tftp_port" lineno="67446">
+<summary>
+Receive UDP traffic on the tftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_tftp_port" lineno="67465">
+<summary>
+Do not audit attempts to receive UDP traffic on the tftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_tftp_port" lineno="67484">
+<summary>
+Send and receive UDP traffic on the tftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_tftp_port" lineno="67501">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the tftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_tftp_port" lineno="67517">
+<summary>
+Bind TCP sockets to the tftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_tftp_port" lineno="67537">
+<summary>
+Bind UDP sockets to the tftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_tftp_port" lineno="67556">
+<summary>
+Make a TCP connection to the tftp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_tftp_client_packets" lineno="67576">
+<summary>
+Send tftp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_tftp_client_packets" lineno="67595">
+<summary>
+Do not audit attempts to send tftp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_tftp_client_packets" lineno="67614">
+<summary>
+Receive tftp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_tftp_client_packets" lineno="67633">
+<summary>
+Do not audit attempts to receive tftp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_tftp_client_packets" lineno="67652">
+<summary>
+Send and receive tftp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_tftp_client_packets" lineno="67668">
+<summary>
+Do not audit attempts to send and receive tftp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_tftp_client_packets" lineno="67683">
+<summary>
+Relabel packets to tftp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_tftp_server_packets" lineno="67703">
+<summary>
+Send tftp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_tftp_server_packets" lineno="67722">
+<summary>
+Do not audit attempts to send tftp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_tftp_server_packets" lineno="67741">
+<summary>
+Receive tftp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_tftp_server_packets" lineno="67760">
+<summary>
+Do not audit attempts to receive tftp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_tftp_server_packets" lineno="67779">
+<summary>
+Send and receive tftp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_tftp_server_packets" lineno="67795">
+<summary>
+Do not audit attempts to send and receive tftp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_tftp_server_packets" lineno="67810">
+<summary>
+Relabel packets to tftp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_tor_port" lineno="67832">
+<summary>
+Send and receive TCP traffic on the tor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_tor_port" lineno="67851">
+<summary>
+Send UDP traffic on the tor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_tor_port" lineno="67870">
+<summary>
+Do not audit attempts to send UDP traffic on the tor port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_tor_port" lineno="67889">
+<summary>
+Receive UDP traffic on the tor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_tor_port" lineno="67908">
+<summary>
+Do not audit attempts to receive UDP traffic on the tor port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_tor_port" lineno="67927">
+<summary>
+Send and receive UDP traffic on the tor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_tor_port" lineno="67944">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the tor port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_tor_port" lineno="67960">
+<summary>
+Bind TCP sockets to the tor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_tor_port" lineno="67980">
+<summary>
+Bind UDP sockets to the tor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_tor_port" lineno="67999">
+<summary>
+Make a TCP connection to the tor port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_tor_client_packets" lineno="68019">
+<summary>
+Send tor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_tor_client_packets" lineno="68038">
+<summary>
+Do not audit attempts to send tor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_tor_client_packets" lineno="68057">
+<summary>
+Receive tor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_tor_client_packets" lineno="68076">
+<summary>
+Do not audit attempts to receive tor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_tor_client_packets" lineno="68095">
+<summary>
+Send and receive tor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_tor_client_packets" lineno="68111">
+<summary>
+Do not audit attempts to send and receive tor_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_tor_client_packets" lineno="68126">
+<summary>
+Relabel packets to tor_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_tor_server_packets" lineno="68146">
+<summary>
+Send tor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_tor_server_packets" lineno="68165">
+<summary>
+Do not audit attempts to send tor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_tor_server_packets" lineno="68184">
+<summary>
+Receive tor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_tor_server_packets" lineno="68203">
+<summary>
+Do not audit attempts to receive tor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_tor_server_packets" lineno="68222">
+<summary>
+Send and receive tor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_tor_server_packets" lineno="68238">
+<summary>
+Do not audit attempts to send and receive tor_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_tor_server_packets" lineno="68253">
+<summary>
+Relabel packets to tor_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_traceroute_port" lineno="68275">
+<summary>
+Send and receive TCP traffic on the traceroute port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_traceroute_port" lineno="68294">
+<summary>
+Send UDP traffic on the traceroute port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_traceroute_port" lineno="68313">
+<summary>
+Do not audit attempts to send UDP traffic on the traceroute port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_traceroute_port" lineno="68332">
+<summary>
+Receive UDP traffic on the traceroute port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_traceroute_port" lineno="68351">
+<summary>
+Do not audit attempts to receive UDP traffic on the traceroute port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_traceroute_port" lineno="68370">
+<summary>
+Send and receive UDP traffic on the traceroute port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_traceroute_port" lineno="68387">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the traceroute port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_traceroute_port" lineno="68403">
+<summary>
+Bind TCP sockets to the traceroute port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_traceroute_port" lineno="68423">
+<summary>
+Bind UDP sockets to the traceroute port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_traceroute_port" lineno="68442">
+<summary>
+Make a TCP connection to the traceroute port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_traceroute_client_packets" lineno="68462">
+<summary>
+Send traceroute_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_traceroute_client_packets" lineno="68481">
+<summary>
+Do not audit attempts to send traceroute_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_traceroute_client_packets" lineno="68500">
+<summary>
+Receive traceroute_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_traceroute_client_packets" lineno="68519">
+<summary>
+Do not audit attempts to receive traceroute_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_traceroute_client_packets" lineno="68538">
+<summary>
+Send and receive traceroute_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_traceroute_client_packets" lineno="68554">
+<summary>
+Do not audit attempts to send and receive traceroute_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_traceroute_client_packets" lineno="68569">
+<summary>
+Relabel packets to traceroute_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_traceroute_server_packets" lineno="68589">
+<summary>
+Send traceroute_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_traceroute_server_packets" lineno="68608">
+<summary>
+Do not audit attempts to send traceroute_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_traceroute_server_packets" lineno="68627">
+<summary>
+Receive traceroute_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_traceroute_server_packets" lineno="68646">
+<summary>
+Do not audit attempts to receive traceroute_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_traceroute_server_packets" lineno="68665">
+<summary>
+Send and receive traceroute_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_traceroute_server_packets" lineno="68681">
+<summary>
+Do not audit attempts to send and receive traceroute_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_traceroute_server_packets" lineno="68696">
+<summary>
+Relabel packets to traceroute_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_transproxy_port" lineno="68718">
+<summary>
+Send and receive TCP traffic on the transproxy port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_transproxy_port" lineno="68737">
+<summary>
+Send UDP traffic on the transproxy port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_transproxy_port" lineno="68756">
+<summary>
+Do not audit attempts to send UDP traffic on the transproxy port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_transproxy_port" lineno="68775">
+<summary>
+Receive UDP traffic on the transproxy port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_transproxy_port" lineno="68794">
+<summary>
+Do not audit attempts to receive UDP traffic on the transproxy port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_transproxy_port" lineno="68813">
+<summary>
+Send and receive UDP traffic on the transproxy port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_transproxy_port" lineno="68830">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the transproxy port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_transproxy_port" lineno="68846">
+<summary>
+Bind TCP sockets to the transproxy port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_transproxy_port" lineno="68866">
+<summary>
+Bind UDP sockets to the transproxy port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_transproxy_port" lineno="68885">
+<summary>
+Make a TCP connection to the transproxy port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_transproxy_client_packets" lineno="68905">
+<summary>
+Send transproxy_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_transproxy_client_packets" lineno="68924">
+<summary>
+Do not audit attempts to send transproxy_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_transproxy_client_packets" lineno="68943">
+<summary>
+Receive transproxy_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_transproxy_client_packets" lineno="68962">
+<summary>
+Do not audit attempts to receive transproxy_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_transproxy_client_packets" lineno="68981">
+<summary>
+Send and receive transproxy_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_transproxy_client_packets" lineno="68997">
+<summary>
+Do not audit attempts to send and receive transproxy_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_transproxy_client_packets" lineno="69012">
+<summary>
+Relabel packets to transproxy_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_transproxy_server_packets" lineno="69032">
+<summary>
+Send transproxy_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_transproxy_server_packets" lineno="69051">
+<summary>
+Do not audit attempts to send transproxy_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_transproxy_server_packets" lineno="69070">
+<summary>
+Receive transproxy_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_transproxy_server_packets" lineno="69089">
+<summary>
+Do not audit attempts to receive transproxy_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_transproxy_server_packets" lineno="69108">
+<summary>
+Send and receive transproxy_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_transproxy_server_packets" lineno="69124">
+<summary>
+Do not audit attempts to send and receive transproxy_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_transproxy_server_packets" lineno="69139">
+<summary>
+Relabel packets to transproxy_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_ups_port" lineno="69161">
+<summary>
+Send and receive TCP traffic on the ups port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_ups_port" lineno="69180">
+<summary>
+Send UDP traffic on the ups port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_ups_port" lineno="69199">
+<summary>
+Do not audit attempts to send UDP traffic on the ups port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_ups_port" lineno="69218">
+<summary>
+Receive UDP traffic on the ups port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_ups_port" lineno="69237">
+<summary>
+Do not audit attempts to receive UDP traffic on the ups port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_ups_port" lineno="69256">
+<summary>
+Send and receive UDP traffic on the ups port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_ups_port" lineno="69273">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the ups port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_ups_port" lineno="69289">
+<summary>
+Bind TCP sockets to the ups port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_ups_port" lineno="69309">
+<summary>
+Bind UDP sockets to the ups port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_ups_port" lineno="69328">
+<summary>
+Make a TCP connection to the ups port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ups_client_packets" lineno="69348">
+<summary>
+Send ups_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ups_client_packets" lineno="69367">
+<summary>
+Do not audit attempts to send ups_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ups_client_packets" lineno="69386">
+<summary>
+Receive ups_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ups_client_packets" lineno="69405">
+<summary>
+Do not audit attempts to receive ups_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ups_client_packets" lineno="69424">
+<summary>
+Send and receive ups_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ups_client_packets" lineno="69440">
+<summary>
+Do not audit attempts to send and receive ups_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ups_client_packets" lineno="69455">
+<summary>
+Relabel packets to ups_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_ups_server_packets" lineno="69475">
+<summary>
+Send ups_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_ups_server_packets" lineno="69494">
+<summary>
+Do not audit attempts to send ups_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_ups_server_packets" lineno="69513">
+<summary>
+Receive ups_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_ups_server_packets" lineno="69532">
+<summary>
+Do not audit attempts to receive ups_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_ups_server_packets" lineno="69551">
+<summary>
+Send and receive ups_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_ups_server_packets" lineno="69567">
+<summary>
+Do not audit attempts to send and receive ups_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_ups_server_packets" lineno="69582">
+<summary>
+Relabel packets to ups_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_utcpserver_port" lineno="69604">
+<summary>
+Send and receive TCP traffic on the utcpserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_utcpserver_port" lineno="69623">
+<summary>
+Send UDP traffic on the utcpserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_utcpserver_port" lineno="69642">
+<summary>
+Do not audit attempts to send UDP traffic on the utcpserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_utcpserver_port" lineno="69661">
+<summary>
+Receive UDP traffic on the utcpserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_utcpserver_port" lineno="69680">
+<summary>
+Do not audit attempts to receive UDP traffic on the utcpserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_utcpserver_port" lineno="69699">
+<summary>
+Send and receive UDP traffic on the utcpserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_utcpserver_port" lineno="69716">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the utcpserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_utcpserver_port" lineno="69732">
+<summary>
+Bind TCP sockets to the utcpserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_utcpserver_port" lineno="69752">
+<summary>
+Bind UDP sockets to the utcpserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_utcpserver_port" lineno="69771">
+<summary>
+Make a TCP connection to the utcpserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_utcpserver_client_packets" lineno="69791">
+<summary>
+Send utcpserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_utcpserver_client_packets" lineno="69810">
+<summary>
+Do not audit attempts to send utcpserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_utcpserver_client_packets" lineno="69829">
+<summary>
+Receive utcpserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_utcpserver_client_packets" lineno="69848">
+<summary>
+Do not audit attempts to receive utcpserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_utcpserver_client_packets" lineno="69867">
+<summary>
+Send and receive utcpserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_utcpserver_client_packets" lineno="69883">
+<summary>
+Do not audit attempts to send and receive utcpserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_utcpserver_client_packets" lineno="69898">
+<summary>
+Relabel packets to utcpserver_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_utcpserver_server_packets" lineno="69918">
+<summary>
+Send utcpserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_utcpserver_server_packets" lineno="69937">
+<summary>
+Do not audit attempts to send utcpserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_utcpserver_server_packets" lineno="69956">
+<summary>
+Receive utcpserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_utcpserver_server_packets" lineno="69975">
+<summary>
+Do not audit attempts to receive utcpserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_utcpserver_server_packets" lineno="69994">
+<summary>
+Send and receive utcpserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_utcpserver_server_packets" lineno="70010">
+<summary>
+Do not audit attempts to send and receive utcpserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_utcpserver_server_packets" lineno="70025">
+<summary>
+Relabel packets to utcpserver_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_uucpd_port" lineno="70047">
+<summary>
+Send and receive TCP traffic on the uucpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_uucpd_port" lineno="70066">
+<summary>
+Send UDP traffic on the uucpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_uucpd_port" lineno="70085">
+<summary>
+Do not audit attempts to send UDP traffic on the uucpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_uucpd_port" lineno="70104">
+<summary>
+Receive UDP traffic on the uucpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_uucpd_port" lineno="70123">
+<summary>
+Do not audit attempts to receive UDP traffic on the uucpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_uucpd_port" lineno="70142">
+<summary>
+Send and receive UDP traffic on the uucpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_uucpd_port" lineno="70159">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the uucpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_uucpd_port" lineno="70175">
+<summary>
+Bind TCP sockets to the uucpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_uucpd_port" lineno="70195">
+<summary>
+Bind UDP sockets to the uucpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_uucpd_port" lineno="70214">
+<summary>
+Make a TCP connection to the uucpd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_uucpd_client_packets" lineno="70234">
+<summary>
+Send uucpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_uucpd_client_packets" lineno="70253">
+<summary>
+Do not audit attempts to send uucpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_uucpd_client_packets" lineno="70272">
+<summary>
+Receive uucpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_uucpd_client_packets" lineno="70291">
+<summary>
+Do not audit attempts to receive uucpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_uucpd_client_packets" lineno="70310">
+<summary>
+Send and receive uucpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_uucpd_client_packets" lineno="70326">
+<summary>
+Do not audit attempts to send and receive uucpd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_uucpd_client_packets" lineno="70341">
+<summary>
+Relabel packets to uucpd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_uucpd_server_packets" lineno="70361">
+<summary>
+Send uucpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_uucpd_server_packets" lineno="70380">
+<summary>
+Do not audit attempts to send uucpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_uucpd_server_packets" lineno="70399">
+<summary>
+Receive uucpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_uucpd_server_packets" lineno="70418">
+<summary>
+Do not audit attempts to receive uucpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_uucpd_server_packets" lineno="70437">
+<summary>
+Send and receive uucpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_uucpd_server_packets" lineno="70453">
+<summary>
+Do not audit attempts to send and receive uucpd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_uucpd_server_packets" lineno="70468">
+<summary>
+Relabel packets to uucpd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_varnishd_port" lineno="70490">
+<summary>
+Send and receive TCP traffic on the varnishd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_varnishd_port" lineno="70509">
+<summary>
+Send UDP traffic on the varnishd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_varnishd_port" lineno="70528">
+<summary>
+Do not audit attempts to send UDP traffic on the varnishd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_varnishd_port" lineno="70547">
+<summary>
+Receive UDP traffic on the varnishd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_varnishd_port" lineno="70566">
+<summary>
+Do not audit attempts to receive UDP traffic on the varnishd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_varnishd_port" lineno="70585">
+<summary>
+Send and receive UDP traffic on the varnishd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_varnishd_port" lineno="70602">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the varnishd port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_varnishd_port" lineno="70618">
+<summary>
+Bind TCP sockets to the varnishd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_varnishd_port" lineno="70638">
+<summary>
+Bind UDP sockets to the varnishd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_varnishd_port" lineno="70657">
+<summary>
+Make a TCP connection to the varnishd port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_varnishd_client_packets" lineno="70677">
+<summary>
+Send varnishd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_varnishd_client_packets" lineno="70696">
+<summary>
+Do not audit attempts to send varnishd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_varnishd_client_packets" lineno="70715">
+<summary>
+Receive varnishd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_varnishd_client_packets" lineno="70734">
+<summary>
+Do not audit attempts to receive varnishd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_varnishd_client_packets" lineno="70753">
+<summary>
+Send and receive varnishd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_varnishd_client_packets" lineno="70769">
+<summary>
+Do not audit attempts to send and receive varnishd_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_varnishd_client_packets" lineno="70784">
+<summary>
+Relabel packets to varnishd_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_varnishd_server_packets" lineno="70804">
+<summary>
+Send varnishd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_varnishd_server_packets" lineno="70823">
+<summary>
+Do not audit attempts to send varnishd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_varnishd_server_packets" lineno="70842">
+<summary>
+Receive varnishd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_varnishd_server_packets" lineno="70861">
+<summary>
+Do not audit attempts to receive varnishd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_varnishd_server_packets" lineno="70880">
+<summary>
+Send and receive varnishd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_varnishd_server_packets" lineno="70896">
+<summary>
+Do not audit attempts to send and receive varnishd_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_varnishd_server_packets" lineno="70911">
+<summary>
+Relabel packets to varnishd_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_virt_port" lineno="70933">
+<summary>
+Send and receive TCP traffic on the virt port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_virt_port" lineno="70952">
+<summary>
+Send UDP traffic on the virt port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_virt_port" lineno="70971">
+<summary>
+Do not audit attempts to send UDP traffic on the virt port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_virt_port" lineno="70990">
+<summary>
+Receive UDP traffic on the virt port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_virt_port" lineno="71009">
+<summary>
+Do not audit attempts to receive UDP traffic on the virt port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_virt_port" lineno="71028">
+<summary>
+Send and receive UDP traffic on the virt port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_virt_port" lineno="71045">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the virt port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_virt_port" lineno="71061">
+<summary>
+Bind TCP sockets to the virt port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_virt_port" lineno="71081">
+<summary>
+Bind UDP sockets to the virt port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_virt_port" lineno="71100">
+<summary>
+Make a TCP connection to the virt port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_virt_client_packets" lineno="71120">
+<summary>
+Send virt_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_virt_client_packets" lineno="71139">
+<summary>
+Do not audit attempts to send virt_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_virt_client_packets" lineno="71158">
+<summary>
+Receive virt_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_virt_client_packets" lineno="71177">
+<summary>
+Do not audit attempts to receive virt_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_virt_client_packets" lineno="71196">
+<summary>
+Send and receive virt_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_virt_client_packets" lineno="71212">
+<summary>
+Do not audit attempts to send and receive virt_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_virt_client_packets" lineno="71227">
+<summary>
+Relabel packets to virt_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_virt_server_packets" lineno="71247">
+<summary>
+Send virt_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_virt_server_packets" lineno="71266">
+<summary>
+Do not audit attempts to send virt_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_virt_server_packets" lineno="71285">
+<summary>
+Receive virt_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_virt_server_packets" lineno="71304">
+<summary>
+Do not audit attempts to receive virt_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_virt_server_packets" lineno="71323">
+<summary>
+Send and receive virt_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_virt_server_packets" lineno="71339">
+<summary>
+Do not audit attempts to send and receive virt_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_virt_server_packets" lineno="71354">
+<summary>
+Relabel packets to virt_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_virt_migration_port" lineno="71376">
+<summary>
+Send and receive TCP traffic on the virt_migration port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_virt_migration_port" lineno="71395">
+<summary>
+Send UDP traffic on the virt_migration port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_virt_migration_port" lineno="71414">
+<summary>
+Do not audit attempts to send UDP traffic on the virt_migration port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_virt_migration_port" lineno="71433">
+<summary>
+Receive UDP traffic on the virt_migration port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_virt_migration_port" lineno="71452">
+<summary>
+Do not audit attempts to receive UDP traffic on the virt_migration port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_virt_migration_port" lineno="71471">
+<summary>
+Send and receive UDP traffic on the virt_migration port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_virt_migration_port" lineno="71488">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the virt_migration port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_virt_migration_port" lineno="71504">
+<summary>
+Bind TCP sockets to the virt_migration port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_virt_migration_port" lineno="71524">
+<summary>
+Bind UDP sockets to the virt_migration port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_virt_migration_port" lineno="71543">
+<summary>
+Make a TCP connection to the virt_migration port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_virt_migration_client_packets" lineno="71563">
+<summary>
+Send virt_migration_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_virt_migration_client_packets" lineno="71582">
+<summary>
+Do not audit attempts to send virt_migration_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_virt_migration_client_packets" lineno="71601">
+<summary>
+Receive virt_migration_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_virt_migration_client_packets" lineno="71620">
+<summary>
+Do not audit attempts to receive virt_migration_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_virt_migration_client_packets" lineno="71639">
+<summary>
+Send and receive virt_migration_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_virt_migration_client_packets" lineno="71655">
+<summary>
+Do not audit attempts to send and receive virt_migration_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_virt_migration_client_packets" lineno="71670">
+<summary>
+Relabel packets to virt_migration_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_virt_migration_server_packets" lineno="71690">
+<summary>
+Send virt_migration_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_virt_migration_server_packets" lineno="71709">
+<summary>
+Do not audit attempts to send virt_migration_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_virt_migration_server_packets" lineno="71728">
+<summary>
+Receive virt_migration_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_virt_migration_server_packets" lineno="71747">
+<summary>
+Do not audit attempts to receive virt_migration_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_virt_migration_server_packets" lineno="71766">
+<summary>
+Send and receive virt_migration_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_virt_migration_server_packets" lineno="71782">
+<summary>
+Do not audit attempts to send and receive virt_migration_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_virt_migration_server_packets" lineno="71797">
+<summary>
+Relabel packets to virt_migration_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_vnc_port" lineno="71819">
+<summary>
+Send and receive TCP traffic on the vnc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_vnc_port" lineno="71838">
+<summary>
+Send UDP traffic on the vnc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_vnc_port" lineno="71857">
+<summary>
+Do not audit attempts to send UDP traffic on the vnc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_vnc_port" lineno="71876">
+<summary>
+Receive UDP traffic on the vnc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_vnc_port" lineno="71895">
+<summary>
+Do not audit attempts to receive UDP traffic on the vnc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_vnc_port" lineno="71914">
+<summary>
+Send and receive UDP traffic on the vnc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_vnc_port" lineno="71931">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the vnc port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_vnc_port" lineno="71947">
+<summary>
+Bind TCP sockets to the vnc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_vnc_port" lineno="71967">
+<summary>
+Bind UDP sockets to the vnc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_vnc_port" lineno="71986">
+<summary>
+Make a TCP connection to the vnc port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_vnc_client_packets" lineno="72006">
+<summary>
+Send vnc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_vnc_client_packets" lineno="72025">
+<summary>
+Do not audit attempts to send vnc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_vnc_client_packets" lineno="72044">
+<summary>
+Receive vnc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_vnc_client_packets" lineno="72063">
+<summary>
+Do not audit attempts to receive vnc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_vnc_client_packets" lineno="72082">
+<summary>
+Send and receive vnc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_vnc_client_packets" lineno="72098">
+<summary>
+Do not audit attempts to send and receive vnc_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_vnc_client_packets" lineno="72113">
+<summary>
+Relabel packets to vnc_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_vnc_server_packets" lineno="72133">
+<summary>
+Send vnc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_vnc_server_packets" lineno="72152">
+<summary>
+Do not audit attempts to send vnc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_vnc_server_packets" lineno="72171">
+<summary>
+Receive vnc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_vnc_server_packets" lineno="72190">
+<summary>
+Do not audit attempts to receive vnc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_vnc_server_packets" lineno="72209">
+<summary>
+Send and receive vnc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_vnc_server_packets" lineno="72225">
+<summary>
+Do not audit attempts to send and receive vnc_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_vnc_server_packets" lineno="72240">
+<summary>
+Relabel packets to vnc_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_wccp_port" lineno="72262">
+<summary>
+Send and receive TCP traffic on the wccp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_wccp_port" lineno="72281">
+<summary>
+Send UDP traffic on the wccp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_wccp_port" lineno="72300">
+<summary>
+Do not audit attempts to send UDP traffic on the wccp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_wccp_port" lineno="72319">
+<summary>
+Receive UDP traffic on the wccp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_wccp_port" lineno="72338">
+<summary>
+Do not audit attempts to receive UDP traffic on the wccp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_wccp_port" lineno="72357">
+<summary>
+Send and receive UDP traffic on the wccp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_wccp_port" lineno="72374">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the wccp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_wccp_port" lineno="72390">
+<summary>
+Bind TCP sockets to the wccp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_wccp_port" lineno="72410">
+<summary>
+Bind UDP sockets to the wccp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_wccp_port" lineno="72429">
+<summary>
+Make a TCP connection to the wccp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_wccp_client_packets" lineno="72449">
+<summary>
+Send wccp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_wccp_client_packets" lineno="72468">
+<summary>
+Do not audit attempts to send wccp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_wccp_client_packets" lineno="72487">
+<summary>
+Receive wccp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_wccp_client_packets" lineno="72506">
+<summary>
+Do not audit attempts to receive wccp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_wccp_client_packets" lineno="72525">
+<summary>
+Send and receive wccp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_wccp_client_packets" lineno="72541">
+<summary>
+Do not audit attempts to send and receive wccp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_wccp_client_packets" lineno="72556">
+<summary>
+Relabel packets to wccp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_wccp_server_packets" lineno="72576">
+<summary>
+Send wccp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_wccp_server_packets" lineno="72595">
+<summary>
+Do not audit attempts to send wccp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_wccp_server_packets" lineno="72614">
+<summary>
+Receive wccp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_wccp_server_packets" lineno="72633">
+<summary>
+Do not audit attempts to receive wccp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_wccp_server_packets" lineno="72652">
+<summary>
+Send and receive wccp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_wccp_server_packets" lineno="72668">
+<summary>
+Do not audit attempts to send and receive wccp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_wccp_server_packets" lineno="72683">
+<summary>
+Relabel packets to wccp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_whois_port" lineno="72705">
+<summary>
+Send and receive TCP traffic on the whois port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_whois_port" lineno="72724">
+<summary>
+Send UDP traffic on the whois port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_whois_port" lineno="72743">
+<summary>
+Do not audit attempts to send UDP traffic on the whois port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_whois_port" lineno="72762">
+<summary>
+Receive UDP traffic on the whois port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_whois_port" lineno="72781">
+<summary>
+Do not audit attempts to receive UDP traffic on the whois port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_whois_port" lineno="72800">
+<summary>
+Send and receive UDP traffic on the whois port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_whois_port" lineno="72817">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the whois port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_whois_port" lineno="72833">
+<summary>
+Bind TCP sockets to the whois port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_whois_port" lineno="72853">
+<summary>
+Bind UDP sockets to the whois port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_whois_port" lineno="72872">
+<summary>
+Make a TCP connection to the whois port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_whois_client_packets" lineno="72892">
+<summary>
+Send whois_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_whois_client_packets" lineno="72911">
+<summary>
+Do not audit attempts to send whois_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_whois_client_packets" lineno="72930">
+<summary>
+Receive whois_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_whois_client_packets" lineno="72949">
+<summary>
+Do not audit attempts to receive whois_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_whois_client_packets" lineno="72968">
+<summary>
+Send and receive whois_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_whois_client_packets" lineno="72984">
+<summary>
+Do not audit attempts to send and receive whois_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_whois_client_packets" lineno="72999">
+<summary>
+Relabel packets to whois_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_whois_server_packets" lineno="73019">
+<summary>
+Send whois_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_whois_server_packets" lineno="73038">
+<summary>
+Do not audit attempts to send whois_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_whois_server_packets" lineno="73057">
+<summary>
+Receive whois_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_whois_server_packets" lineno="73076">
+<summary>
+Do not audit attempts to receive whois_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_whois_server_packets" lineno="73095">
+<summary>
+Send and receive whois_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_whois_server_packets" lineno="73111">
+<summary>
+Do not audit attempts to send and receive whois_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_whois_server_packets" lineno="73126">
+<summary>
+Relabel packets to whois_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_xdmcp_port" lineno="73148">
+<summary>
+Send and receive TCP traffic on the xdmcp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_xdmcp_port" lineno="73167">
+<summary>
+Send UDP traffic on the xdmcp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_xdmcp_port" lineno="73186">
+<summary>
+Do not audit attempts to send UDP traffic on the xdmcp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_xdmcp_port" lineno="73205">
+<summary>
+Receive UDP traffic on the xdmcp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_xdmcp_port" lineno="73224">
+<summary>
+Do not audit attempts to receive UDP traffic on the xdmcp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_xdmcp_port" lineno="73243">
+<summary>
+Send and receive UDP traffic on the xdmcp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_xdmcp_port" lineno="73260">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the xdmcp port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_xdmcp_port" lineno="73276">
+<summary>
+Bind TCP sockets to the xdmcp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_xdmcp_port" lineno="73296">
+<summary>
+Bind UDP sockets to the xdmcp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_xdmcp_port" lineno="73315">
+<summary>
+Make a TCP connection to the xdmcp port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_xdmcp_client_packets" lineno="73335">
+<summary>
+Send xdmcp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_xdmcp_client_packets" lineno="73354">
+<summary>
+Do not audit attempts to send xdmcp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_xdmcp_client_packets" lineno="73373">
+<summary>
+Receive xdmcp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_xdmcp_client_packets" lineno="73392">
+<summary>
+Do not audit attempts to receive xdmcp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_xdmcp_client_packets" lineno="73411">
+<summary>
+Send and receive xdmcp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_xdmcp_client_packets" lineno="73427">
+<summary>
+Do not audit attempts to send and receive xdmcp_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_xdmcp_client_packets" lineno="73442">
+<summary>
+Relabel packets to xdmcp_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_xdmcp_server_packets" lineno="73462">
+<summary>
+Send xdmcp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_xdmcp_server_packets" lineno="73481">
+<summary>
+Do not audit attempts to send xdmcp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_xdmcp_server_packets" lineno="73500">
+<summary>
+Receive xdmcp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_xdmcp_server_packets" lineno="73519">
+<summary>
+Do not audit attempts to receive xdmcp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_xdmcp_server_packets" lineno="73538">
+<summary>
+Send and receive xdmcp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_xdmcp_server_packets" lineno="73554">
+<summary>
+Do not audit attempts to send and receive xdmcp_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_xdmcp_server_packets" lineno="73569">
+<summary>
+Relabel packets to xdmcp_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_xen_port" lineno="73591">
+<summary>
+Send and receive TCP traffic on the xen port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_xen_port" lineno="73610">
+<summary>
+Send UDP traffic on the xen port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_xen_port" lineno="73629">
+<summary>
+Do not audit attempts to send UDP traffic on the xen port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_xen_port" lineno="73648">
+<summary>
+Receive UDP traffic on the xen port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_xen_port" lineno="73667">
+<summary>
+Do not audit attempts to receive UDP traffic on the xen port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_xen_port" lineno="73686">
+<summary>
+Send and receive UDP traffic on the xen port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_xen_port" lineno="73703">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the xen port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_xen_port" lineno="73719">
+<summary>
+Bind TCP sockets to the xen port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_xen_port" lineno="73739">
+<summary>
+Bind UDP sockets to the xen port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_xen_port" lineno="73758">
+<summary>
+Make a TCP connection to the xen port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_xen_client_packets" lineno="73778">
+<summary>
+Send xen_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_xen_client_packets" lineno="73797">
+<summary>
+Do not audit attempts to send xen_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_xen_client_packets" lineno="73816">
+<summary>
+Receive xen_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_xen_client_packets" lineno="73835">
+<summary>
+Do not audit attempts to receive xen_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_xen_client_packets" lineno="73854">
+<summary>
+Send and receive xen_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_xen_client_packets" lineno="73870">
+<summary>
+Do not audit attempts to send and receive xen_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_xen_client_packets" lineno="73885">
+<summary>
+Relabel packets to xen_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_xen_server_packets" lineno="73905">
+<summary>
+Send xen_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_xen_server_packets" lineno="73924">
+<summary>
+Do not audit attempts to send xen_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_xen_server_packets" lineno="73943">
+<summary>
+Receive xen_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_xen_server_packets" lineno="73962">
+<summary>
+Do not audit attempts to receive xen_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_xen_server_packets" lineno="73981">
+<summary>
+Send and receive xen_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_xen_server_packets" lineno="73997">
+<summary>
+Do not audit attempts to send and receive xen_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_xen_server_packets" lineno="74012">
+<summary>
+Relabel packets to xen_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_xfs_port" lineno="74034">
+<summary>
+Send and receive TCP traffic on the xfs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_xfs_port" lineno="74053">
+<summary>
+Send UDP traffic on the xfs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_xfs_port" lineno="74072">
+<summary>
+Do not audit attempts to send UDP traffic on the xfs port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_xfs_port" lineno="74091">
+<summary>
+Receive UDP traffic on the xfs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_xfs_port" lineno="74110">
+<summary>
+Do not audit attempts to receive UDP traffic on the xfs port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_xfs_port" lineno="74129">
+<summary>
+Send and receive UDP traffic on the xfs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_xfs_port" lineno="74146">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the xfs port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_xfs_port" lineno="74162">
+<summary>
+Bind TCP sockets to the xfs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_xfs_port" lineno="74182">
+<summary>
+Bind UDP sockets to the xfs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_xfs_port" lineno="74201">
+<summary>
+Make a TCP connection to the xfs port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_xfs_client_packets" lineno="74221">
+<summary>
+Send xfs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_xfs_client_packets" lineno="74240">
+<summary>
+Do not audit attempts to send xfs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_xfs_client_packets" lineno="74259">
+<summary>
+Receive xfs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_xfs_client_packets" lineno="74278">
+<summary>
+Do not audit attempts to receive xfs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_xfs_client_packets" lineno="74297">
+<summary>
+Send and receive xfs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_xfs_client_packets" lineno="74313">
+<summary>
+Do not audit attempts to send and receive xfs_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_xfs_client_packets" lineno="74328">
+<summary>
+Relabel packets to xfs_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_xfs_server_packets" lineno="74348">
+<summary>
+Send xfs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_xfs_server_packets" lineno="74367">
+<summary>
+Do not audit attempts to send xfs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_xfs_server_packets" lineno="74386">
+<summary>
+Receive xfs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_xfs_server_packets" lineno="74405">
+<summary>
+Do not audit attempts to receive xfs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_xfs_server_packets" lineno="74424">
+<summary>
+Send and receive xfs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_xfs_server_packets" lineno="74440">
+<summary>
+Do not audit attempts to send and receive xfs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_xfs_server_packets" lineno="74455">
+<summary>
+Relabel packets to xfs_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_xserver_port" lineno="74477">
+<summary>
+Send and receive TCP traffic on the xserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_xserver_port" lineno="74496">
+<summary>
+Send UDP traffic on the xserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_xserver_port" lineno="74515">
+<summary>
+Do not audit attempts to send UDP traffic on the xserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_xserver_port" lineno="74534">
+<summary>
+Receive UDP traffic on the xserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_xserver_port" lineno="74553">
+<summary>
+Do not audit attempts to receive UDP traffic on the xserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_xserver_port" lineno="74572">
+<summary>
+Send and receive UDP traffic on the xserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_xserver_port" lineno="74589">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the xserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_xserver_port" lineno="74605">
+<summary>
+Bind TCP sockets to the xserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_xserver_port" lineno="74625">
+<summary>
+Bind UDP sockets to the xserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_xserver_port" lineno="74644">
+<summary>
+Make a TCP connection to the xserver port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_xserver_client_packets" lineno="74664">
+<summary>
+Send xserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_xserver_client_packets" lineno="74683">
+<summary>
+Do not audit attempts to send xserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_xserver_client_packets" lineno="74702">
+<summary>
+Receive xserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_xserver_client_packets" lineno="74721">
+<summary>
+Do not audit attempts to receive xserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_xserver_client_packets" lineno="74740">
+<summary>
+Send and receive xserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_xserver_client_packets" lineno="74756">
+<summary>
+Do not audit attempts to send and receive xserver_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_xserver_client_packets" lineno="74771">
+<summary>
+Relabel packets to xserver_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_xserver_server_packets" lineno="74791">
+<summary>
+Send xserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_xserver_server_packets" lineno="74810">
+<summary>
+Do not audit attempts to send xserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_xserver_server_packets" lineno="74829">
+<summary>
+Receive xserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_xserver_server_packets" lineno="74848">
+<summary>
+Do not audit attempts to receive xserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_xserver_server_packets" lineno="74867">
+<summary>
+Send and receive xserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_xserver_server_packets" lineno="74883">
+<summary>
+Do not audit attempts to send and receive xserver_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_xserver_server_packets" lineno="74898">
+<summary>
+Relabel packets to xserver_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_zarafa_port" lineno="74920">
+<summary>
+Send and receive TCP traffic on the zarafa port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_zarafa_port" lineno="74939">
+<summary>
+Send UDP traffic on the zarafa port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_zarafa_port" lineno="74958">
+<summary>
+Do not audit attempts to send UDP traffic on the zarafa port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_zarafa_port" lineno="74977">
+<summary>
+Receive UDP traffic on the zarafa port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_zarafa_port" lineno="74996">
+<summary>
+Do not audit attempts to receive UDP traffic on the zarafa port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_zarafa_port" lineno="75015">
+<summary>
+Send and receive UDP traffic on the zarafa port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_zarafa_port" lineno="75032">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the zarafa port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_zarafa_port" lineno="75048">
+<summary>
+Bind TCP sockets to the zarafa port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_zarafa_port" lineno="75068">
+<summary>
+Bind UDP sockets to the zarafa port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_zarafa_port" lineno="75087">
+<summary>
+Make a TCP connection to the zarafa port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zarafa_client_packets" lineno="75107">
+<summary>
+Send zarafa_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zarafa_client_packets" lineno="75126">
+<summary>
+Do not audit attempts to send zarafa_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zarafa_client_packets" lineno="75145">
+<summary>
+Receive zarafa_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zarafa_client_packets" lineno="75164">
+<summary>
+Do not audit attempts to receive zarafa_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zarafa_client_packets" lineno="75183">
+<summary>
+Send and receive zarafa_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zarafa_client_packets" lineno="75199">
+<summary>
+Do not audit attempts to send and receive zarafa_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zarafa_client_packets" lineno="75214">
+<summary>
+Relabel packets to zarafa_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zarafa_server_packets" lineno="75234">
+<summary>
+Send zarafa_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zarafa_server_packets" lineno="75253">
+<summary>
+Do not audit attempts to send zarafa_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zarafa_server_packets" lineno="75272">
+<summary>
+Receive zarafa_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zarafa_server_packets" lineno="75291">
+<summary>
+Do not audit attempts to receive zarafa_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zarafa_server_packets" lineno="75310">
+<summary>
+Send and receive zarafa_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zarafa_server_packets" lineno="75326">
+<summary>
+Do not audit attempts to send and receive zarafa_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zarafa_server_packets" lineno="75341">
+<summary>
+Relabel packets to zarafa_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_zabbix_port" lineno="75363">
+<summary>
+Send and receive TCP traffic on the zabbix port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_zabbix_port" lineno="75382">
+<summary>
+Send UDP traffic on the zabbix port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_zabbix_port" lineno="75401">
+<summary>
+Do not audit attempts to send UDP traffic on the zabbix port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_zabbix_port" lineno="75420">
+<summary>
+Receive UDP traffic on the zabbix port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_zabbix_port" lineno="75439">
+<summary>
+Do not audit attempts to receive UDP traffic on the zabbix port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_zabbix_port" lineno="75458">
+<summary>
+Send and receive UDP traffic on the zabbix port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_zabbix_port" lineno="75475">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the zabbix port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_zabbix_port" lineno="75491">
+<summary>
+Bind TCP sockets to the zabbix port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_zabbix_port" lineno="75511">
+<summary>
+Bind UDP sockets to the zabbix port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_zabbix_port" lineno="75530">
+<summary>
+Make a TCP connection to the zabbix port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zabbix_client_packets" lineno="75550">
+<summary>
+Send zabbix_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zabbix_client_packets" lineno="75569">
+<summary>
+Do not audit attempts to send zabbix_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zabbix_client_packets" lineno="75588">
+<summary>
+Receive zabbix_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zabbix_client_packets" lineno="75607">
+<summary>
+Do not audit attempts to receive zabbix_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zabbix_client_packets" lineno="75626">
+<summary>
+Send and receive zabbix_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zabbix_client_packets" lineno="75642">
+<summary>
+Do not audit attempts to send and receive zabbix_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zabbix_client_packets" lineno="75657">
+<summary>
+Relabel packets to zabbix_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zabbix_server_packets" lineno="75677">
+<summary>
+Send zabbix_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zabbix_server_packets" lineno="75696">
+<summary>
+Do not audit attempts to send zabbix_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zabbix_server_packets" lineno="75715">
+<summary>
+Receive zabbix_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zabbix_server_packets" lineno="75734">
+<summary>
+Do not audit attempts to receive zabbix_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zabbix_server_packets" lineno="75753">
+<summary>
+Send and receive zabbix_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zabbix_server_packets" lineno="75769">
+<summary>
+Do not audit attempts to send and receive zabbix_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zabbix_server_packets" lineno="75784">
+<summary>
+Relabel packets to zabbix_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_zabbix_agent_port" lineno="75806">
+<summary>
+Send and receive TCP traffic on the zabbix_agent port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_zabbix_agent_port" lineno="75825">
+<summary>
+Send UDP traffic on the zabbix_agent port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_zabbix_agent_port" lineno="75844">
+<summary>
+Do not audit attempts to send UDP traffic on the zabbix_agent port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_zabbix_agent_port" lineno="75863">
+<summary>
+Receive UDP traffic on the zabbix_agent port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_zabbix_agent_port" lineno="75882">
+<summary>
+Do not audit attempts to receive UDP traffic on the zabbix_agent port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_zabbix_agent_port" lineno="75901">
+<summary>
+Send and receive UDP traffic on the zabbix_agent port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_zabbix_agent_port" lineno="75918">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the zabbix_agent port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_zabbix_agent_port" lineno="75934">
+<summary>
+Bind TCP sockets to the zabbix_agent port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_zabbix_agent_port" lineno="75954">
+<summary>
+Bind UDP sockets to the zabbix_agent port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_zabbix_agent_port" lineno="75973">
+<summary>
+Make a TCP connection to the zabbix_agent port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zabbix_agent_client_packets" lineno="75993">
+<summary>
+Send zabbix_agent_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zabbix_agent_client_packets" lineno="76012">
+<summary>
+Do not audit attempts to send zabbix_agent_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zabbix_agent_client_packets" lineno="76031">
+<summary>
+Receive zabbix_agent_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zabbix_agent_client_packets" lineno="76050">
+<summary>
+Do not audit attempts to receive zabbix_agent_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zabbix_agent_client_packets" lineno="76069">
+<summary>
+Send and receive zabbix_agent_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zabbix_agent_client_packets" lineno="76085">
+<summary>
+Do not audit attempts to send and receive zabbix_agent_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zabbix_agent_client_packets" lineno="76100">
+<summary>
+Relabel packets to zabbix_agent_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zabbix_agent_server_packets" lineno="76120">
+<summary>
+Send zabbix_agent_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zabbix_agent_server_packets" lineno="76139">
+<summary>
+Do not audit attempts to send zabbix_agent_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zabbix_agent_server_packets" lineno="76158">
+<summary>
+Receive zabbix_agent_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zabbix_agent_server_packets" lineno="76177">
+<summary>
+Do not audit attempts to receive zabbix_agent_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zabbix_agent_server_packets" lineno="76196">
+<summary>
+Send and receive zabbix_agent_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zabbix_agent_server_packets" lineno="76212">
+<summary>
+Do not audit attempts to send and receive zabbix_agent_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zabbix_agent_server_packets" lineno="76227">
+<summary>
+Relabel packets to zabbix_agent_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_zookeeper_client_port" lineno="76249">
+<summary>
+Send and receive TCP traffic on the zookeeper_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_zookeeper_client_port" lineno="76268">
+<summary>
+Send UDP traffic on the zookeeper_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_zookeeper_client_port" lineno="76287">
+<summary>
+Do not audit attempts to send UDP traffic on the zookeeper_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_zookeeper_client_port" lineno="76306">
+<summary>
+Receive UDP traffic on the zookeeper_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_zookeeper_client_port" lineno="76325">
+<summary>
+Do not audit attempts to receive UDP traffic on the zookeeper_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_zookeeper_client_port" lineno="76344">
+<summary>
+Send and receive UDP traffic on the zookeeper_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_zookeeper_client_port" lineno="76361">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the zookeeper_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_zookeeper_client_port" lineno="76377">
+<summary>
+Bind TCP sockets to the zookeeper_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_zookeeper_client_port" lineno="76397">
+<summary>
+Bind UDP sockets to the zookeeper_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_zookeeper_client_port" lineno="76416">
+<summary>
+Make a TCP connection to the zookeeper_client port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zookeeper_client_client_packets" lineno="76436">
+<summary>
+Send zookeeper_client_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zookeeper_client_client_packets" lineno="76455">
+<summary>
+Do not audit attempts to send zookeeper_client_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zookeeper_client_client_packets" lineno="76474">
+<summary>
+Receive zookeeper_client_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zookeeper_client_client_packets" lineno="76493">
+<summary>
+Do not audit attempts to receive zookeeper_client_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zookeeper_client_client_packets" lineno="76512">
+<summary>
+Send and receive zookeeper_client_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zookeeper_client_client_packets" lineno="76528">
+<summary>
+Do not audit attempts to send and receive zookeeper_client_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zookeeper_client_client_packets" lineno="76543">
+<summary>
+Relabel packets to zookeeper_client_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zookeeper_client_server_packets" lineno="76563">
+<summary>
+Send zookeeper_client_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zookeeper_client_server_packets" lineno="76582">
+<summary>
+Do not audit attempts to send zookeeper_client_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zookeeper_client_server_packets" lineno="76601">
+<summary>
+Receive zookeeper_client_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zookeeper_client_server_packets" lineno="76620">
+<summary>
+Do not audit attempts to receive zookeeper_client_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zookeeper_client_server_packets" lineno="76639">
+<summary>
+Send and receive zookeeper_client_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zookeeper_client_server_packets" lineno="76655">
+<summary>
+Do not audit attempts to send and receive zookeeper_client_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zookeeper_client_server_packets" lineno="76670">
+<summary>
+Relabel packets to zookeeper_client_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_zookeeper_election_port" lineno="76692">
+<summary>
+Send and receive TCP traffic on the zookeeper_election port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_zookeeper_election_port" lineno="76711">
+<summary>
+Send UDP traffic on the zookeeper_election port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_zookeeper_election_port" lineno="76730">
+<summary>
+Do not audit attempts to send UDP traffic on the zookeeper_election port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_zookeeper_election_port" lineno="76749">
+<summary>
+Receive UDP traffic on the zookeeper_election port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_zookeeper_election_port" lineno="76768">
+<summary>
+Do not audit attempts to receive UDP traffic on the zookeeper_election port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_zookeeper_election_port" lineno="76787">
+<summary>
+Send and receive UDP traffic on the zookeeper_election port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_zookeeper_election_port" lineno="76804">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the zookeeper_election port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_zookeeper_election_port" lineno="76820">
+<summary>
+Bind TCP sockets to the zookeeper_election port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_zookeeper_election_port" lineno="76840">
+<summary>
+Bind UDP sockets to the zookeeper_election port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_zookeeper_election_port" lineno="76859">
+<summary>
+Make a TCP connection to the zookeeper_election port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zookeeper_election_client_packets" lineno="76879">
+<summary>
+Send zookeeper_election_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zookeeper_election_client_packets" lineno="76898">
+<summary>
+Do not audit attempts to send zookeeper_election_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zookeeper_election_client_packets" lineno="76917">
+<summary>
+Receive zookeeper_election_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zookeeper_election_client_packets" lineno="76936">
+<summary>
+Do not audit attempts to receive zookeeper_election_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zookeeper_election_client_packets" lineno="76955">
+<summary>
+Send and receive zookeeper_election_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zookeeper_election_client_packets" lineno="76971">
+<summary>
+Do not audit attempts to send and receive zookeeper_election_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zookeeper_election_client_packets" lineno="76986">
+<summary>
+Relabel packets to zookeeper_election_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zookeeper_election_server_packets" lineno="77006">
+<summary>
+Send zookeeper_election_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zookeeper_election_server_packets" lineno="77025">
+<summary>
+Do not audit attempts to send zookeeper_election_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zookeeper_election_server_packets" lineno="77044">
+<summary>
+Receive zookeeper_election_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zookeeper_election_server_packets" lineno="77063">
+<summary>
+Do not audit attempts to receive zookeeper_election_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zookeeper_election_server_packets" lineno="77082">
+<summary>
+Send and receive zookeeper_election_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zookeeper_election_server_packets" lineno="77098">
+<summary>
+Do not audit attempts to send and receive zookeeper_election_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zookeeper_election_server_packets" lineno="77113">
+<summary>
+Relabel packets to zookeeper_election_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_zookeeper_leader_port" lineno="77135">
+<summary>
+Send and receive TCP traffic on the zookeeper_leader port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_zookeeper_leader_port" lineno="77154">
+<summary>
+Send UDP traffic on the zookeeper_leader port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_zookeeper_leader_port" lineno="77173">
+<summary>
+Do not audit attempts to send UDP traffic on the zookeeper_leader port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_zookeeper_leader_port" lineno="77192">
+<summary>
+Receive UDP traffic on the zookeeper_leader port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_zookeeper_leader_port" lineno="77211">
+<summary>
+Do not audit attempts to receive UDP traffic on the zookeeper_leader port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_zookeeper_leader_port" lineno="77230">
+<summary>
+Send and receive UDP traffic on the zookeeper_leader port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_zookeeper_leader_port" lineno="77247">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the zookeeper_leader port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_zookeeper_leader_port" lineno="77263">
+<summary>
+Bind TCP sockets to the zookeeper_leader port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_zookeeper_leader_port" lineno="77283">
+<summary>
+Bind UDP sockets to the zookeeper_leader port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_zookeeper_leader_port" lineno="77302">
+<summary>
+Make a TCP connection to the zookeeper_leader port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zookeeper_leader_client_packets" lineno="77322">
+<summary>
+Send zookeeper_leader_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zookeeper_leader_client_packets" lineno="77341">
+<summary>
+Do not audit attempts to send zookeeper_leader_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zookeeper_leader_client_packets" lineno="77360">
+<summary>
+Receive zookeeper_leader_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zookeeper_leader_client_packets" lineno="77379">
+<summary>
+Do not audit attempts to receive zookeeper_leader_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zookeeper_leader_client_packets" lineno="77398">
+<summary>
+Send and receive zookeeper_leader_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zookeeper_leader_client_packets" lineno="77414">
+<summary>
+Do not audit attempts to send and receive zookeeper_leader_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zookeeper_leader_client_packets" lineno="77429">
+<summary>
+Relabel packets to zookeeper_leader_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zookeeper_leader_server_packets" lineno="77449">
+<summary>
+Send zookeeper_leader_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zookeeper_leader_server_packets" lineno="77468">
+<summary>
+Do not audit attempts to send zookeeper_leader_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zookeeper_leader_server_packets" lineno="77487">
+<summary>
+Receive zookeeper_leader_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zookeeper_leader_server_packets" lineno="77506">
+<summary>
+Do not audit attempts to receive zookeeper_leader_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zookeeper_leader_server_packets" lineno="77525">
+<summary>
+Send and receive zookeeper_leader_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zookeeper_leader_server_packets" lineno="77541">
+<summary>
+Do not audit attempts to send and receive zookeeper_leader_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zookeeper_leader_server_packets" lineno="77556">
+<summary>
+Relabel packets to zookeeper_leader_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_zebra_port" lineno="77578">
+<summary>
+Send and receive TCP traffic on the zebra port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_zebra_port" lineno="77597">
+<summary>
+Send UDP traffic on the zebra port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_zebra_port" lineno="77616">
+<summary>
+Do not audit attempts to send UDP traffic on the zebra port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_zebra_port" lineno="77635">
+<summary>
+Receive UDP traffic on the zebra port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_zebra_port" lineno="77654">
+<summary>
+Do not audit attempts to receive UDP traffic on the zebra port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_zebra_port" lineno="77673">
+<summary>
+Send and receive UDP traffic on the zebra port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_zebra_port" lineno="77690">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the zebra port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_zebra_port" lineno="77706">
+<summary>
+Bind TCP sockets to the zebra port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_zebra_port" lineno="77726">
+<summary>
+Bind UDP sockets to the zebra port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_zebra_port" lineno="77745">
+<summary>
+Make a TCP connection to the zebra port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zebra_client_packets" lineno="77765">
+<summary>
+Send zebra_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zebra_client_packets" lineno="77784">
+<summary>
+Do not audit attempts to send zebra_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zebra_client_packets" lineno="77803">
+<summary>
+Receive zebra_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zebra_client_packets" lineno="77822">
+<summary>
+Do not audit attempts to receive zebra_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zebra_client_packets" lineno="77841">
+<summary>
+Send and receive zebra_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zebra_client_packets" lineno="77857">
+<summary>
+Do not audit attempts to send and receive zebra_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zebra_client_packets" lineno="77872">
+<summary>
+Relabel packets to zebra_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zebra_server_packets" lineno="77892">
+<summary>
+Send zebra_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zebra_server_packets" lineno="77911">
+<summary>
+Do not audit attempts to send zebra_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zebra_server_packets" lineno="77930">
+<summary>
+Receive zebra_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zebra_server_packets" lineno="77949">
+<summary>
+Do not audit attempts to receive zebra_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zebra_server_packets" lineno="77968">
+<summary>
+Send and receive zebra_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zebra_server_packets" lineno="77984">
+<summary>
+Do not audit attempts to send and receive zebra_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zebra_server_packets" lineno="77999">
+<summary>
+Relabel packets to zebra_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_zope_port" lineno="78021">
+<summary>
+Send and receive TCP traffic on the zope port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_zope_port" lineno="78040">
+<summary>
+Send UDP traffic on the zope port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_send_zope_port" lineno="78059">
+<summary>
+Do not audit attempts to send UDP traffic on the zope port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_zope_port" lineno="78078">
+<summary>
+Receive UDP traffic on the zope port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_zope_port" lineno="78097">
+<summary>
+Do not audit attempts to receive UDP traffic on the zope port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_zope_port" lineno="78116">
+<summary>
+Send and receive UDP traffic on the zope port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_zope_port" lineno="78133">
+<summary>
+Do not audit attempts to send and receive
+UDP traffic on the zope port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_zope_port" lineno="78149">
+<summary>
+Bind TCP sockets to the zope port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_bind_zope_port" lineno="78169">
+<summary>
+Bind UDP sockets to the zope port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_zope_port" lineno="78188">
+<summary>
+Make a TCP connection to the zope port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zope_client_packets" lineno="78208">
+<summary>
+Send zope_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zope_client_packets" lineno="78227">
+<summary>
+Do not audit attempts to send zope_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zope_client_packets" lineno="78246">
+<summary>
+Receive zope_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zope_client_packets" lineno="78265">
+<summary>
+Do not audit attempts to receive zope_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zope_client_packets" lineno="78284">
+<summary>
+Send and receive zope_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zope_client_packets" lineno="78300">
+<summary>
+Do not audit attempts to send and receive zope_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zope_client_packets" lineno="78315">
+<summary>
+Relabel packets to zope_client the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_send_zope_server_packets" lineno="78335">
+<summary>
+Send zope_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_zope_server_packets" lineno="78354">
+<summary>
+Do not audit attempts to send zope_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_zope_server_packets" lineno="78373">
+<summary>
+Receive zope_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_zope_server_packets" lineno="78392">
+<summary>
+Do not audit attempts to receive zope_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_zope_server_packets" lineno="78411">
+<summary>
+Send and receive zope_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_zope_server_packets" lineno="78427">
+<summary>
+Do not audit attempts to send and receive zope_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_zope_server_packets" lineno="78442">
+<summary>
+Relabel packets to zope_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_tcp_sendrecv_lo_if" lineno="78465">
+<summary>
+Send and receive TCP network traffic on the lo interface.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_lo_if" lineno="78484">
+<summary>
+Send UDP network traffic on the lo interface.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_udp_receive_lo_if" lineno="78503">
+<summary>
+Receive UDP network traffic on the lo interface.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_udp_sendrecv_lo_if" lineno="78522">
+<summary>
+Send and receive UDP network traffic on the lo interface.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_raw_send_lo_if" lineno="78538">
+<summary>
+Send raw IP packets on the lo interface.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_raw_receive_lo_if" lineno="78557">
+<summary>
+Receive raw IP packets on the lo interface.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_raw_sendrecv_lo_if" lineno="78576">
+<summary>
+Send and receive raw IP packets on the lo interface.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+</module>
+<module name="devices" filename="policy/modules/kernel/devices.if">
+<summary>
+Device nodes and interfaces for many basic system devices.
+</summary>
+<desc>
+<p>
+This module creates the device node concept and provides
+the policy for many of the device files. Notable exceptions are
+the mass storage and terminal devices that are covered by other
+modules.
+</p>
+<p>
+This module creates the concept of a device node. That is a
+char or block device file, usually in /dev. All types that
+are used to label device nodes should use the dev_node macro.
+</p>
+<p>
+Additionally, this module controls access to three things:
+<ul>
+<li>the device directories containing device nodes</li>
+<li>device nodes as a group</li>
+<li>individual access to specific device nodes covered by
+this module.</li>
+</ul>
+</p>
+</desc>
+<required val="true">
+Depended on by other required modules.
+</required>
+<interface name="dev_node" lineno="66">
+<summary>
+Make the specified type usable for device
+nodes in a filesystem.
+</summary>
+<desc>
+<p>
+Make the specified type usable for device nodes
+in a filesystem. Types used for device nodes that
+do not use this interface, or an interface that
+calls this one, will have unexpected behaviors
+while the system is running.
+</p>
+<p>
+Example:
+</p>
+<p>
+type mydev_t;
+dev_node(mydev_t)
+allow mydomain_t mydev_t:chr_file read_chr_file_perms;
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>term_tty()</li>
+<li>term_pty()</li>
+</ul>
+</desc>
+<param name="type">
+<summary>
+Type to be used for device nodes.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="dev_associate" lineno="84">
+<summary>
+Associate the specified file type with device filesystem.
+</summary>
+<param name="file_type">
+<summary>
+The type of the file to be associated.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_fs" lineno="103">
+<summary>
+Get attributes of device filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_mounton" lineno="121">
+<summary>
+Mount a filesystem on /dev
+</summary>
+<param name="domain">
+<summary>
+Domain allow access.
+</summary>
+</param>
+</interface>
+<interface name="dev_relabel_all_dev_nodes" lineno="140">
+<summary>
+Allow full relabeling (to and from) of all device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="dev_list_all_dev_nodes" lineno="165">
+<summary>
+List all of the device nodes in a device directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_generic_dirs" lineno="184">
+<summary>
+Set the attributes of /dev directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_list_all_dev_nodes" lineno="202">
+<summary>
+Dontaudit attempts to list all device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_add_entry_generic_dirs" lineno="220">
+<summary>
+Add entries to directories in /dev.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_remove_entry_generic_dirs" lineno="238">
+<summary>
+Add entries to directories in /dev.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_create_generic_dirs" lineno="256">
+<summary>
+Create a directory in the device directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_delete_generic_dirs" lineno="275">
+<summary>
+Delete a directory in the device directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_manage_generic_dirs" lineno="293">
+<summary>
+Manage of directories in /dev.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_relabel_generic_dev_dirs" lineno="311">
+<summary>
+Allow full relabeling (to and from) of directories in /dev.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_getattr_generic_files" lineno="329">
+<summary>
+dontaudit getattr generic files in /dev.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_generic_files" lineno="347">
+<summary>
+Read generic files in /dev.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_generic_files" lineno="365">
+<summary>
+Read and write generic files in /dev.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_delete_generic_files" lineno="383">
+<summary>
+Delete generic files in /dev.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_manage_generic_files" lineno="401">
+<summary>
+Create a file in the device directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_getattr_generic_pipes" lineno="419">
+<summary>
+Dontaudit getattr on generic pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_generic_sockets" lineno="437">
+<summary>
+Write generic socket files in /dev.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_generic_blk_files" lineno="455">
+<summary>
+Allow getattr on generic block devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_getattr_generic_blk_files" lineno="473">
+<summary>
+Dontaudit getattr on generic block devices.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_setattr_generic_blk_files" lineno="491">
+<summary>
+Dontaudit setattr on generic block devices.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_create_generic_blk_files" lineno="509">
+<summary>
+Create generic block device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_delete_generic_blk_files" lineno="527">
+<summary>
+Delete generic block device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_generic_chr_files" lineno="545">
+<summary>
+Allow getattr for generic character device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_getattr_generic_chr_files" lineno="563">
+<summary>
+Dontaudit getattr for generic character device files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_setattr_generic_chr_files" lineno="581">
+<summary>
+Dontaudit setattr for generic character device files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_generic_chr_files" lineno="599">
+<summary>
+Read generic character device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_generic_chr_files" lineno="617">
+<summary>
+Read and write generic character device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_generic_blk_files" lineno="635">
+<summary>
+Read and write generic block device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_rw_generic_chr_files" lineno="653">
+<summary>
+Dontaudit attempts to read/write generic character device files.
+</summary>
+<param name="domain">
+<summary>
+Domain to dontaudit access.
+</summary>
+</param>
+</interface>
+<interface name="dev_create_generic_chr_files" lineno="671">
+<summary>
+Create generic character device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_delete_generic_chr_files" lineno="689">
+<summary>
+Delete generic character device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_relabelfrom_generic_chr_files" lineno="707">
+<summary>
+Relabel from generic character device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_setattr_generic_symlinks" lineno="726">
+<summary>
+Do not audit attempts to set the attributes
+of symbolic links in device directories (/dev).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_generic_symlinks" lineno="744">
+<summary>
+Read symbolic links in device directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_create_generic_symlinks" lineno="762">
+<summary>
+Create symbolic links in device directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_delete_generic_symlinks" lineno="780">
+<summary>
+Delete symbolic links in device directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_manage_generic_symlinks" lineno="798">
+<summary>
+Create, delete, read, and write symbolic links in device directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_relabel_generic_symlinks" lineno="816">
+<summary>
+Relabel symbolic links in device directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_manage_all_dev_nodes" lineno="834">
+<summary>
+Create, delete, read, and write device nodes in device directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_rw_generic_dev_nodes" lineno="870">
+<summary>
+Dontaudit getattr for generic device files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_manage_generic_blk_files" lineno="888">
+<summary>
+Create, delete, read, and write block device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_manage_generic_chr_files" lineno="906">
+<summary>
+Create, delete, read, and write character device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_filetrans" lineno="936">
+<summary>
+Create, read, and write device nodes. The node
+will be transitioned to the type provided.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="file">
+<summary>
+Type to which the created node will be transitioned.
+</summary>
+</param>
+<param name="objectclass(es)">
+<summary>
+Object class(es) (single or set including {}) for which this
+the transition will occur.
+</summary>
+</param>
+</interface>
+<interface name="dev_tmpfs_filetrans_dev" lineno="966">
+<summary>
+Create, read, and write device nodes. The node
+will be transitioned to the type provided. This is
+a temporary interface until devtmpfs functionality
+fixed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="objectclass(es)">
+<summary>
+Object class(es) (single or set including {}) for which this
+the transition will occur.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_all_blk_files" lineno="985">
+<summary>
+Getattr on all block file device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="dev_dontaudit_getattr_all_blk_files" lineno="1004">
+<summary>
+Dontaudit getattr on all block file device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_all_chr_files" lineno="1024">
+<summary>
+Getattr on all character file device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="dev_dontaudit_getattr_all_chr_files" lineno="1042">
+<summary>
+Dontaudit getattr on all character file device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_all_blk_files" lineno="1062">
+<summary>
+Setattr on all block file device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="dev_setattr_all_chr_files" lineno="1081">
+<summary>
+Setattr on all character file device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="dev_dontaudit_read_all_blk_files" lineno="1099">
+<summary>
+Dontaudit read on all block file device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_write_all_blk_files" lineno="1117">
+<summary>
+Dontaudit write on all block file device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_read_all_chr_files" lineno="1135">
+<summary>
+Dontaudit read on all character file device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_write_all_chr_files" lineno="1153">
+<summary>
+Dontaudit write on all character file device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_create_all_blk_files" lineno="1171">
+<summary>
+Create all block device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_create_all_chr_files" lineno="1189">
+<summary>
+Create all character device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_delete_all_blk_files" lineno="1207">
+<summary>
+Delete all block device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_delete_all_chr_files" lineno="1225">
+<summary>
+Delete all character device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rename_all_blk_files" lineno="1243">
+<summary>
+Rename all block device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rename_all_chr_files" lineno="1261">
+<summary>
+Rename all character device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_manage_all_blk_files" lineno="1279">
+<summary>
+Read, write, create, and delete all block device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_manage_all_chr_files" lineno="1303">
+<summary>
+Read, write, create, and delete all character device files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_agp_dev" lineno="1323">
+<summary>
+Getattr the agp devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_agp" lineno="1341">
+<summary>
+Read and write the agp devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_apm_bios_dev" lineno="1359">
+<summary>
+Get the attributes of the apm bios device node.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_getattr_apm_bios_dev" lineno="1378">
+<summary>
+Do not audit attempts to get the attributes of
+the apm bios device node.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_apm_bios_dev" lineno="1396">
+<summary>
+Set the attributes of the apm bios device node.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_setattr_apm_bios_dev" lineno="1415">
+<summary>
+Do not audit attempts to set the attributes of
+the apm bios device node.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_apm_bios" lineno="1433">
+<summary>
+Read and write the apm bios.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_autofs_dev" lineno="1451">
+<summary>
+Get the attributes of the autofs device node.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_getattr_autofs_dev" lineno="1470">
+<summary>
+Do not audit attempts to get the attributes of
+the autofs device node.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_autofs_dev" lineno="1488">
+<summary>
+Set the attributes of the autofs device node.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_setattr_autofs_dev" lineno="1507">
+<summary>
+Do not audit attempts to set the attributes of
+the autofs device node.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_autofs" lineno="1525">
+<summary>
+Read and write the autofs device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_relabel_autofs_dev" lineno="1543">
+<summary>
+Relabel the autofs device node.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_cardmgr" lineno="1561">
+<summary>
+Read and write the PCMCIA card manager device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_rw_cardmgr" lineno="1580">
+<summary>
+Do not audit attempts to read and
+write the PCMCIA card manager device.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_create_cardmgr_dev" lineno="1600">
+<summary>
+Create, read, write, and delete
+the PCMCIA card manager device
+with the correct type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_manage_cardmgr_dev" lineno="1620">
+<summary>
+Create, read, write, and delete
+the PCMCIA card manager device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_filetrans_cardmgr" lineno="1641">
+<summary>
+Automatic type transition to the type
+for PCMCIA card manager device nodes when
+created in /dev.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_cpu_dev" lineno="1660">
+<summary>
+Get the attributes of the CPU
+microcode and id interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_cpu_dev" lineno="1679">
+<summary>
+Set the attributes of the CPU
+microcode and id interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_cpuid" lineno="1697">
+<summary>
+Read the CPU identity.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_cpu_microcode" lineno="1716">
+<summary>
+Read and write the the CPU microcode device. This
+is required to load CPU microcode.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_crash" lineno="1734">
+<summary>
+Read the kernel crash device
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_crypto" lineno="1752">
+<summary>
+Read and write the the hardware SSL accelerator.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_dlm_control" lineno="1770">
+<summary>
+Set the attributes of the dlm control devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_dlm_control" lineno="1788">
+<summary>
+Read and write the the dlm control device
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_dri_dev" lineno="1806">
+<summary>
+getattr the dri devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_dri_dev" lineno="1824">
+<summary>
+Setattr the dri devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_dri" lineno="1842">
+<summary>
+Read and write the dri devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_rw_dri" lineno="1860">
+<summary>
+Dontaudit read and write on the dri devices.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_manage_dri_dev" lineno="1878">
+<summary>
+Create, read, write, and delete the dri devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_filetrans_dri" lineno="1897">
+<summary>
+Automatic type transition to the type
+for DRI device nodes when created in /dev.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_input_dev" lineno="1915">
+<summary>
+Get the attributes of the event devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_input_dev" lineno="1934">
+<summary>
+Set the attributes of the event devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_input" lineno="1953">
+<summary>
+Read input event devices (/dev/input).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_input_dev" lineno="1971">
+<summary>
+Read input event devices (/dev/input).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_framebuffer_dev" lineno="1989">
+<summary>
+Get the attributes of the framebuffer device node.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_framebuffer_dev" lineno="2007">
+<summary>
+Set the attributes of the framebuffer device node.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_setattr_framebuffer_dev" lineno="2026">
+<summary>
+Dot not audit attempts to set the attributes
+of the framebuffer device node.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_framebuffer" lineno="2044">
+<summary>
+Read the framebuffer.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_read_framebuffer" lineno="2062">
+<summary>
+Do not audit attempts to read the framebuffer.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_framebuffer" lineno="2080">
+<summary>
+Write the framebuffer.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_framebuffer" lineno="2098">
+<summary>
+Read and write the framebuffer.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_kmsg" lineno="2116">
+<summary>
+Read the kernel messages
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_read_kmsg" lineno="2134">
+<summary>
+Do not audit attempts to read the kernel messages
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_kmsg" lineno="2152">
+<summary>
+Write to the kernel messages device
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_ksm_dev" lineno="2170">
+<summary>
+Get the attributes of the ksm devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_ksm_dev" lineno="2188">
+<summary>
+Set the attributes of the ksm devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_ksm" lineno="2206">
+<summary>
+Read the ksm devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_ksm" lineno="2224">
+<summary>
+Read and write to ksm devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_kvm_dev" lineno="2242">
+<summary>
+Get the attributes of the kvm devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_kvm_dev" lineno="2260">
+<summary>
+Set the attributes of the kvm devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_kvm" lineno="2278">
+<summary>
+Read the kvm devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_kvm" lineno="2296">
+<summary>
+Read and write to kvm devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_lirc" lineno="2314">
+<summary>
+Read the lirc device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_lirc" lineno="2332">
+<summary>
+Read and write the lirc device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_filetrans_lirc" lineno="2351">
+<summary>
+Automatic type transition to the type
+for lirc device nodes when created in /dev.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_lvm_control" lineno="2369">
+<summary>
+Get the attributes of the lvm comtrol device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_lvm_control" lineno="2387">
+<summary>
+Read the lvm comtrol device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_lvm_control" lineno="2405">
+<summary>
+Read and write the lvm control device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_rw_lvm_control" lineno="2423">
+<summary>
+Do not audit attempts to read and write lvm control device.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_delete_lvm_control_dev" lineno="2441">
+<summary>
+Delete the lvm control device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_getattr_memory_dev" lineno="2459">
+<summary>
+dontaudit getattr raw memory devices (e.g. /dev/mem).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_raw_memory" lineno="2477">
+<summary>
+Read raw memory devices (e.g. /dev/mem).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_read_raw_memory" lineno="2500">
+<summary>
+Do not audit attempts to read raw memory devices
+(e.g. /dev/mem).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_raw_memory" lineno="2518">
+<summary>
+Write raw memory devices (e.g. /dev/mem).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rx_raw_memory" lineno="2540">
+<summary>
+Read and execute raw memory devices (e.g. /dev/mem).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_wx_raw_memory" lineno="2559">
+<summary>
+Write and execute raw memory devices (e.g. /dev/mem).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_misc_dev" lineno="2578">
+<summary>
+Get the attributes of miscellaneous devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_getattr_misc_dev" lineno="2597">
+<summary>
+Do not audit attempts to get the attributes
+of miscellaneous devices.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_misc_dev" lineno="2615">
+<summary>
+Set the attributes of miscellaneous devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_setattr_misc_dev" lineno="2634">
+<summary>
+Do not audit attempts to set the attributes
+of miscellaneous devices.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_misc" lineno="2652">
+<summary>
+Read miscellaneous devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_misc" lineno="2670">
+<summary>
+Write miscellaneous devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_rw_misc" lineno="2688">
+<summary>
+Do not audit attempts to read and write miscellaneous devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_modem_dev" lineno="2706">
+<summary>
+Get the attributes of the modem devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_modem_dev" lineno="2724">
+<summary>
+Set the attributes of the modem devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_modem" lineno="2742">
+<summary>
+Read the modem devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_modem" lineno="2760">
+<summary>
+Read and write to modem devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_mouse_dev" lineno="2778">
+<summary>
+Get the attributes of the mouse devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_mouse_dev" lineno="2796">
+<summary>
+Set the attributes of the mouse devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_mouse" lineno="2814">
+<summary>
+Read the mouse devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_mouse" lineno="2832">
+<summary>
+Read and write to mouse devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_mtrr_dev" lineno="2851">
+<summary>
+Get the attributes of the memory type range
+registers (MTRR) device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_mtrr" lineno="2884">
+<summary>
+Read the memory type range
+registers (MTRR). (Deprecated)
+</summary>
+<desc>
+<p>
+Read the memory type range
+registers (MTRR). This interface has
+been deprecated, dev_rw_mtrr() should be
+used instead.
+</p>
+<p>
+The MTRR device ioctls can be used for
+reading and writing; thus, read access to the
+device cannot be separated from write access.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_mtrr" lineno="2913">
+<summary>
+Write the memory type range
+registers (MTRR). (Deprecated)
+</summary>
+<desc>
+<p>
+Write the memory type range
+registers (MTRR). This interface has
+been deprecated, dev_rw_mtrr() should be
+used instead.
+</p>
+<p>
+The MTRR device ioctls can be used for
+reading and writing; thus, write access to the
+device cannot be separated from read access.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_write_mtrr" lineno="2929">
+<summary>
+Do not audit attempts to write the memory type
+range registers (MTRR).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_mtrr" lineno="2948">
+<summary>
+Read and write the memory type range registers (MTRR).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_netcontrol_dev" lineno="2967">
+<summary>
+Get the attributes of the network control device
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_netcontrol" lineno="2985">
+<summary>
+Read the network control identity.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_netcontrol" lineno="3003">
+<summary>
+Read and write the the network control device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_null_dev" lineno="3021">
+<summary>
+Get the attributes of the null device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_null_dev" lineno="3039">
+<summary>
+Set the attributes of the null device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_delete_null" lineno="3057">
+<summary>
+Delete the null device (/dev/null).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_null" lineno="3075">
+<summary>
+Read and write to the null device (/dev/null).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_create_null_dev" lineno="3093">
+<summary>
+Create the null device (/dev/null).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_getattr_nvram_dev" lineno="3112">
+<summary>
+Do not audit attempts to get the attributes
+of the BIOS non-volatile RAM device.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_nvram" lineno="3130">
+<summary>
+Read and write BIOS non-volatile RAM.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_printer_dev" lineno="3148">
+<summary>
+Get the attributes of the printer device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_printer_dev" lineno="3166">
+<summary>
+Set the attributes of the printer device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_append_printer" lineno="3185">
+<summary>
+Append the printer device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_printer" lineno="3203">
+<summary>
+Read and write the printer device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_printk" lineno="3221">
+<summary>
+Read printk devices (e.g., /dev/kmsg /dev/mcelog)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_qemu_dev" lineno="3240">
+<summary>
+Get the attributes of the QEMU
+microcode and id interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_qemu_dev" lineno="3259">
+<summary>
+Set the attributes of the QEMU
+microcode and id interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_qemu" lineno="3277">
+<summary>
+Read the QEMU device
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_qemu" lineno="3295">
+<summary>
+Read and write the the QEMU device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_rand" lineno="3329">
+<summary>
+Read from random number generator
+devices (e.g., /dev/random).
+</summary>
+<desc>
+<p>
+Allow the specified domain to read from random number
+generator devices (e.g., /dev/random). Typically this is
+used in situations when a cryptographically secure random
+number is needed.
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>dev_read_urand()</li>
+</ul>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="dev_dontaudit_read_rand" lineno="3348">
+<summary>
+Do not audit attempts to read from random
+number generator devices (e.g., /dev/random)
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_append_rand" lineno="3367">
+<summary>
+Do not audit attempts to append to random
+number generator devices (e.g., /dev/random)
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_rand" lineno="3387">
+<summary>
+Write to the random device (e.g., /dev/random). This adds
+entropy used to generate the random data read from the
+random device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_realtime_clock" lineno="3405">
+<summary>
+Read the realtime clock (/dev/rtc).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_realtime_clock" lineno="3423">
+<summary>
+Set the realtime clock (/dev/rtc).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_realtime_clock" lineno="3443">
+<summary>
+Read and set the realtime clock (/dev/rtc).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_scanner_dev" lineno="3458">
+<summary>
+Get the attributes of the scanner device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_getattr_scanner_dev" lineno="3477">
+<summary>
+Do not audit attempts to get the attributes of
+the scanner device.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_scanner_dev" lineno="3495">
+<summary>
+Set the attributes of the scanner device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_setattr_scanner_dev" lineno="3514">
+<summary>
+Do not audit attempts to set the attributes of
+the scanner device.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_scanner" lineno="3532">
+<summary>
+Read and write the scanner device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_sound_dev" lineno="3550">
+<summary>
+Get the attributes of the sound devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_sound_dev" lineno="3568">
+<summary>
+Set the attributes of the sound devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_sound" lineno="3586">
+<summary>
+Read the sound devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_sound" lineno="3604">
+<summary>
+Write the sound devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_sound_mixer" lineno="3622">
+<summary>
+Read the sound mixer devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_sound_mixer" lineno="3640">
+<summary>
+Write the sound mixer devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_power_mgmt_dev" lineno="3658">
+<summary>
+Get the attributes of the the power management device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_power_mgmt_dev" lineno="3676">
+<summary>
+Set the attributes of the the power management device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_power_management" lineno="3694">
+<summary>
+Read and write the the power management device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_smartcard_dev" lineno="3712">
+<summary>
+Getattr on smartcard devices
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_getattr_smartcard_dev" lineno="3731">
+<summary>
+dontaudit getattr on smartcard devices
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_smartcard" lineno="3750">
+<summary>
+Read and write smartcard devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_manage_smartcard" lineno="3768">
+<summary>
+Create, read, write, and delete smartcard devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_associate_sysfs" lineno="3786">
+<summary>
+Associate a file to a sysfs filesystem.
+</summary>
+<param name="file_type">
+<summary>
+The type of the file to be associated to sysfs.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_sysfs_dirs" lineno="3804">
+<summary>
+Get the attributes of sysfs directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_search_sysfs" lineno="3822">
+<summary>
+Search the sysfs directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_search_sysfs" lineno="3840">
+<summary>
+Do not audit attempts to search sysfs.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_list_sysfs" lineno="3858">
+<summary>
+List the contents of the sysfs directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_sysfs_dirs" lineno="3877">
+<summary>
+Write in a sysfs directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_write_sysfs_dirs" lineno="3895">
+<summary>
+Do not audit attempts to write in a sysfs directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_manage_sysfs_dirs" lineno="3914">
+<summary>
+Create, read, write, and delete sysfs
+directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_sysfs" lineno="3941">
+<summary>
+Read hardware state information.
+</summary>
+<desc>
+<p>
+Allow the specified domain to read the contents of
+the sysfs filesystem. This filesystem contains
+information, parameters, and other settings on the
+hardware installed on the system.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="dev_rw_sysfs" lineno="3962">
+<summary>
+Allow caller to modify hardware state information.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_tpm" lineno="3983">
+<summary>
+Read and write the TPM device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_urand" lineno="4024">
+<summary>
+Read from pseudo random number generator devices (e.g., /dev/urandom).
+</summary>
+<desc>
+<p>
+Allow the specified domain to read from pseudo random number
+generator devices (e.g., /dev/urandom). Typically this is
+used in situations when a cryptographically secure random
+number is not necessarily needed. One example is the Stack
+Smashing Protector (SSP, formerly known as ProPolice) support
+that may be compiled into programs.
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>dev_read_rand()</li>
+</ul>
+<p>
+Related tunable:
+</p>
+<ul>
+<li>global_ssp</li>
+</ul>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="dev_dontaudit_read_urand" lineno="4043">
+<summary>
+Do not audit attempts to read from pseudo
+random devices (e.g., /dev/urandom)
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_urand" lineno="4062">
+<summary>
+Write to the pseudo random device (e.g., /dev/urandom). This
+sets the random number generator seed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_generic_usb_dev" lineno="4080">
+<summary>
+Getattr generic the USB devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_generic_usb_dev" lineno="4098">
+<summary>
+Setattr generic the USB devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_generic_usb_dev" lineno="4116">
+<summary>
+Read generic the USB devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_generic_usb_dev" lineno="4134">
+<summary>
+Read and write generic the USB devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_usbmon_dev" lineno="4152">
+<summary>
+Read USB monitor devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_usbmon_dev" lineno="4170">
+<summary>
+Write USB monitor devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_mount_usbfs" lineno="4188">
+<summary>
+Mount a usbfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_associate_usbfs" lineno="4206">
+<summary>
+Associate a file to a usbfs filesystem.
+</summary>
+<param name="file_type">
+<summary>
+The type of the file to be associated to usbfs.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_usbfs_dirs" lineno="4224">
+<summary>
+Get the attributes of a directory in the usb filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_getattr_usbfs_dirs" lineno="4243">
+<summary>
+Do not audit attempts to get the attributes
+of a directory in the usb filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_search_usbfs" lineno="4261">
+<summary>
+Search the directory containing USB hardware information.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_list_usbfs" lineno="4279">
+<summary>
+Allow caller to get a list of usb hardware.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_usbfs_files" lineno="4300">
+<summary>
+Set the attributes of usbfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_usbfs" lineno="4320">
+<summary>
+Read USB hardware information using
+the usbfs filesystem interface.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_usbfs" lineno="4340">
+<summary>
+Allow caller to modify usb hardware configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_video_dev" lineno="4360">
+<summary>
+Get the attributes of video4linux devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_userio_dev" lineno="4378">
+<summary>
+Read and write userio device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_getattr_video_dev" lineno="4397">
+<summary>
+Do not audit attempts to get the attributes
+of video4linux device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_video_dev" lineno="4415">
+<summary>
+Set the attributes of video4linux device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_setattr_video_dev" lineno="4434">
+<summary>
+Do not audit attempts to set the attributes
+of video4linux device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_video_dev" lineno="4452">
+<summary>
+Read the video4linux devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_video_dev" lineno="4470">
+<summary>
+Write the video4linux devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_vhost" lineno="4488">
+<summary>
+Allow read/write the vhost net device
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_vmware" lineno="4506">
+<summary>
+Read and write VMWare devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rwx_vmware" lineno="4524">
+<summary>
+Read, write, and mmap VMWare devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_watchdog" lineno="4543">
+<summary>
+Read from watchdog devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_watchdog" lineno="4561">
+<summary>
+Write to watchdog devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_wireless" lineno="4579">
+<summary>
+Read and write the the wireless device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_xen" lineno="4597">
+<summary>
+Read and write Xen devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_manage_xen" lineno="4615">
+<summary>
+Create, read, write, and delete Xen devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_filetrans_xen" lineno="4634">
+<summary>
+Automatic type transition to the type
+for xen device nodes when created in /dev.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_xserver_misc_dev" lineno="4652">
+<summary>
+Get the attributes of X server miscellaneous devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_setattr_xserver_misc_dev" lineno="4670">
+<summary>
+Set the attributes of X server miscellaneous devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_xserver_misc" lineno="4688">
+<summary>
+Read and write X server miscellaneous devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_zero" lineno="4706">
+<summary>
+Read and write to the zero device (/dev/zero).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rwx_zero" lineno="4724">
+<summary>
+Read, write, and execute the zero device (/dev/zero).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_execmod_zero" lineno="4743">
+<summary>
+Execmod the zero device (/dev/zero).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_create_zero_dev" lineno="4762">
+<summary>
+Create the zero device (/dev/zero).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_unconfined" lineno="4780">
+<summary>
+Unconfined access to devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="domain" filename="policy/modules/kernel/domain.if">
+<summary>Core policy for domains.</summary>
+<required val="true">
+Contains the concept of a domain.
+</required>
+<interface name="domain_base_type" lineno="26">
+<summary>
+Make the specified type usable as a basic domain.
+</summary>
+<desc>
+<p>
+Make the specified type usable as a basic domain.
+</p>
+<p>
+This is primarily used for kernel threads;
+generally the domain_type() interface is
+more appropriate for userland processes.
+</p>
+</desc>
+<param name="type">
+<summary>
+Type to be used as a basic domain type.
+</summary>
+</param>
+</interface>
+<interface name="domain_type" lineno="75">
+<summary>
+Make the specified type usable as a domain.
+</summary>
+<desc>
+<p>
+Make the specified type usable as a domain. This,
+or an interface that calls this interface, must be
+used on all types that are used as domains.
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>application_domain()</li>
+<li>init_daemon_domain()</li>
+<li>init_domaion()</li>
+<li>init_ranged_daemon_domain()</li>
+<li>init_ranged_domain()</li>
+<li>init_ranged_system_domain()</li>
+<li>init_script_domain()</li>
+<li>init_system_domain()</li>
+</ul>
+<p>
+Example:
+</p>
+<p>
+type mydomain_t;
+domain_type(mydomain_t)
+type myfile_t;
+files_type(myfile_t)
+allow mydomain_t myfile_t:file read_file_perms;
+</p>
+</desc>
+<param name="type">
+<summary>
+Type to be used as a domain type.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="domain_entry_file" lineno="125">
+<summary>
+Make the specified type usable as
+an entry point for the domain.
+</summary>
+<param name="domain">
+<summary>
+Domain to be entered.
+</summary>
+</param>
+<param name="type">
+<summary>
+Type of program used for entering
+the domain.
+</summary>
+</param>
+</interface>
+<interface name="domain_interactive_fd" lineno="149">
+<summary>
+Make the file descriptors of the specified
+domain for interactive use (widely inheritable)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_dyntrans_type" lineno="178">
+<summary>
+Allow the specified domain to perform
+dynamic transitions.
+</summary>
+<desc>
+<p>
+Allow the specified domain to perform
+dynamic transitions.
+</p>
+<p>
+This violates process tranquility, and it
+is strongly suggested that this not be used.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_system_change_exemption" lineno="198">
+<summary>
+Makes caller and execption to the constraint
+preventing changing to the system user
+identity and system role.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_subj_id_change_exemption" lineno="217">
+<summary>
+Makes caller an exception to the constraint preventing
+changing of user identity.
+</summary>
+<param name="domain">
+<summary>
+The process type to make an exception to the constraint.
+</summary>
+</param>
+</interface>
+<interface name="domain_role_change_exemption" lineno="236">
+<summary>
+Makes caller an exception to the constraint preventing
+changing of role.
+</summary>
+<param name="domain">
+<summary>
+The process type to make an exception to the constraint.
+</summary>
+</param>
+</interface>
+<interface name="domain_obj_id_change_exemption" lineno="256">
+<summary>
+Makes caller an exception to the constraint preventing
+changing the user identity in object contexts.
+</summary>
+<param name="domain">
+<summary>
+The process type to make an exception to the constraint.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="domain_user_exemption_target" lineno="291">
+<summary>
+Make the specified domain the target of
+the user domain exception of the
+SELinux role and identity change
+constraints.
+</summary>
+<desc>
+<p>
+Make the specified domain the target of
+the user domain exception of the
+SELinux role and identity change
+constraints.
+</p>
+<p>
+This interface is needed to decouple
+the user domains from the base module.
+It should not be used other than on
+user domains.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain target for user exemption.
+</summary>
+</param>
+</interface>
+<interface name="domain_cron_exemption_source" lineno="326">
+<summary>
+Make the specified domain the source of
+the cron domain exception of the
+SELinux role and identity change
+constraints.
+</summary>
+<desc>
+<p>
+Make the specified domain the source of
+the cron domain exception of the
+SELinux role and identity change
+constraints.
+</p>
+<p>
+This interface is needed to decouple
+the cron domains from the base module.
+It should not be used other than on
+cron domains.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain target for user exemption.
+</summary>
+</param>
+</interface>
+<interface name="domain_cron_exemption_target" lineno="361">
+<summary>
+Make the specified domain the target of
+the cron domain exception of the
+SELinux role and identity change
+constraints.
+</summary>
+<desc>
+<p>
+Make the specified domain the target of
+the cron domain exception of the
+SELinux role and identity change
+constraints.
+</p>
+<p>
+This interface is needed to decouple
+the cron domains from the base module.
+It should not be used other than on
+user cron jobs.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain target for user exemption.
+</summary>
+</param>
+</interface>
+<interface name="domain_use_interactive_fds" lineno="389">
+<summary>
+Inherit and use file descriptors from
+domains with interactive programs.
+</summary>
+<desc>
+<p>
+Allow the specified domain to inherit and use file
+descriptors from domains with interactive programs.
+This does not allow access to the objects being referenced
+by the file descriptors.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="1"/>
+</interface>
+<interface name="domain_dontaudit_use_interactive_fds" lineno="409">
+<summary>
+Do not audit attempts to inherit file
+descriptors from domains with interactive
+programs.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_sigchld_interactive_fds" lineno="429">
+<summary>
+Send a SIGCHLD signal to domains whose file
+discriptors are widely inheritable.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_setpriority_all_domains" lineno="448">
+<summary>
+Set the nice level of all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="domain_signal_all_domains" lineno="467">
+<summary>
+Send general signals to all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="domain_dontaudit_signal_all_domains" lineno="487">
+<summary>
+Do not audit attempts to send general
+signals to all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="domain_signull_all_domains" lineno="506">
+<summary>
+Send a null signal to all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="domain_sigstop_all_domains" lineno="525">
+<summary>
+Send a stop signal to all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="domain_sigchld_all_domains" lineno="544">
+<summary>
+Send a child terminated signal to all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="domain_kill_all_domains" lineno="563">
+<summary>
+Send a kill signal to all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="domain_search_all_domains_state" lineno="582">
+<summary>
+Search the process state directory (/proc/pid) of all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_search_all_domains_state" lineno="602">
+<summary>
+Do not audit attempts to search the process
+state directory (/proc/pid) of all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_read_all_domains_state" lineno="621">
+<summary>
+Read the process state (/proc/pid) of all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="domain_getattr_all_domains" lineno="643">
+<summary>
+Get the attributes of all domains of all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="domain_dontaudit_getattr_all_domains" lineno="662">
+<summary>
+Do not audit attempts to get the attributes
+of all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_read_confined_domains_state" lineno="681">
+<summary>
+Read the process state (/proc/pid) of all confined domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="domain_getattr_confined_domains" lineno="707">
+<summary>
+Get the attributes of all confined domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="domain_ptrace_all_domains" lineno="726">
+<summary>
+Ptrace all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="domain_dontaudit_ptrace_all_domains" lineno="755">
+<summary>
+Do not audit attempts to ptrace all domains.
+</summary>
+<desc>
+<p>
+Do not audit attempts to ptrace all domains.
+</p>
+<p>
+Generally this needs to be suppressed because procps tries to access
+/proc/pid/environ and this now triggers a ptrace check in recent kernels
+(2.4 and 2.6).
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_ptrace_confined_domains" lineno="783">
+<summary>
+Do not audit attempts to ptrace confined domains.
+</summary>
+<desc>
+<p>
+Do not audit attempts to ptrace confined domains.
+</p>
+<p>
+Generally this needs to be suppressed because procps tries to access
+/proc/pid/environ and this now triggers a ptrace check in recent kernels
+(2.4 and 2.6).
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_read_all_domains_state" lineno="802">
+<summary>
+Do not audit attempts to read the process
+state (/proc/pid) of all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_list_all_domains_state" lineno="827">
+<summary>
+Do not audit attempts to read the process state
+directories of all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_getsession_all_domains" lineno="845">
+<summary>
+Get the session ID of all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_getsession_all_domains" lineno="864">
+<summary>
+Do not audit attempts to get the
+session ID of all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_getpgid_all_domains" lineno="882">
+<summary>
+Get the process group ID of all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_getsched_all_domains" lineno="900">
+<summary>
+Get the scheduler information of all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_getcap_all_domains" lineno="918">
+<summary>
+Get the capability information of all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_getattr_all_sockets" lineno="947">
+<summary>
+Get the attributes of all domains
+sockets, for all socket types.
+</summary>
+<desc>
+<p>
+Get the attributes of all domains
+sockets, for all socket types.
+</p>
+<p>
+This is commonly used for domains
+that can use lsof on all domains.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_getattr_all_sockets" lineno="976">
+<summary>
+Do not audit attempts to get the attributes
+of all domains sockets, for all socket types.
+</summary>
+<desc>
+<p>
+Do not audit attempts to get the attributes
+of all domains sockets, for all socket types.
+</p>
+<p>
+This interface was added for PCMCIA cardmgr
+and is probably excessive.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_getattr_all_tcp_sockets" lineno="995">
+<summary>
+Do not audit attempts to get the attributes
+of all domains TCP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_getattr_all_udp_sockets" lineno="1014">
+<summary>
+Do not audit attempts to get the attributes
+of all domains UDP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_rw_all_udp_sockets" lineno="1033">
+<summary>
+Do not audit attempts to read or write
+all domains UDP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_getattr_all_key_sockets" lineno="1052">
+<summary>
+Do not audit attempts to get attribues of
+all domains IPSEC key management sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_getattr_all_packet_sockets" lineno="1071">
+<summary>
+Do not audit attempts to get attribues of
+all domains packet sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_getattr_all_raw_sockets" lineno="1090">
+<summary>
+Do not audit attempts to get attribues of
+all domains raw sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_rw_all_key_sockets" lineno="1109">
+<summary>
+Do not audit attempts to read or write
+all domains key sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_getattr_all_dgram_sockets" lineno="1128">
+<summary>
+Do not audit attempts to get the attributes
+of all domains unix datagram sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_getattr_all_stream_sockets" lineno="1147">
+<summary>
+Get the attributes
+of all domains unix datagram sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_getattr_all_stream_sockets" lineno="1166">
+<summary>
+Do not audit attempts to get the attributes
+of all domains unix datagram sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_getattr_all_pipes" lineno="1195">
+<summary>
+Get the attributes of all domains
+unnamed pipes.
+</summary>
+<desc>
+<p>
+Get the attributes of all domains
+unnamed pipes.
+</p>
+<p>
+This is commonly used for domains
+that can use lsof on all domains.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_getattr_all_pipes" lineno="1214">
+<summary>
+Do not audit attempts to get the attributes
+of all domains unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_ipsec_setcontext_all_domains" lineno="1233">
+<summary>
+Allow specified type to set context of all
+domains IPSEC associations.
+</summary>
+<param name="type">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_getattr_all_entry_files" lineno="1252">
+<summary>
+Get the attributes of entry point
+files for all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_dontaudit_getattr_all_entry_files" lineno="1272">
+<summary>
+Do not audit attempts to get the attributes
+of all entry point files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_read_all_entry_files" lineno="1290">
+<summary>
+Read the entry point files for all domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_exec_all_entry_files" lineno="1311">
+<summary>
+Execute the entry point files for all
+domains in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="domain_dontaudit_exec_all_entry_files" lineno="1329">
+<summary>
+dontaudit checking for execute on all entry point files
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="domain_manage_all_entry_files" lineno="1349">
+<summary>
+Create, read, write, and delete all
+entrypoint files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_relabel_all_entry_files" lineno="1369">
+<summary>
+Relabel to and from all entry point
+file types.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_mmap_all_entry_files" lineno="1388">
+<summary>
+Mmap all entry point files as executable.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_entry_file_spec_domtrans" lineno="1412">
+<summary>
+Execute an entry_type in the specified domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the new process.
+</summary>
+</param>
+</interface>
+<interface name="domain_mmap_low" lineno="1434">
+<summary>
+Ability to mmap a low area of the address
+space conditionally, as configured by
+/proc/sys/kernel/mmap_min_addr.
+Preventing such mappings helps protect against
+exploiting null deref bugs in the kernel.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_mmap_low_uncond" lineno="1461">
+<summary>
+Ability to mmap a low area of the address
+space unconditionally, as configured
+by /proc/sys/kernel/mmap_min_addr.
+Preventing such mappings helps protect against
+exploiting null deref bugs in the kernel.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_all_recvfrom_all_domains" lineno="1483">
+<summary>
+Allow specified type to receive labeled
+networking packets from all domains, over
+all protocols (TCP, UDP, etc)
+</summary>
+<param name="type">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_unconfined_signal" lineno="1501">
+<summary>
+Send generic signals to the unconfined domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="domain_unconfined" lineno="1519">
+<summary>
+Unconfined access to domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="mmap_low_allowed" dftval="false">
+<desc>
+<p>
+Control the ability to mmap a low area of the address space,
+as configured by /proc/sys/kernel/mmap_min_addr.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="files" filename="policy/modules/kernel/files.if">
+<summary>
+Basic filesystem types and interfaces.
+</summary>
+<desc>
+<p>
+This module contains basic filesystem types and interfaces. This
+includes:
+<ul>
+<li>The concept of different file types including basic
+files, mount points, tmp files, etc.</li>
+<li>Access to groups of files and all files.</li>
+<li>Types and interfaces for the basic filesystem layout
+(/, /etc, /tmp, /usr, etc.).</li>
+</ul>
+</p>
+</desc>
+<required val="true">
+Contains the concept of a file.
+Comains the file initial SID.
+</required>
+<interface name="files_type" lineno="79">
+<summary>
+Make the specified type usable for files
+in a filesystem.
+</summary>
+<desc>
+<p>
+Make the specified type usable for files
+in a filesystem. Types used for files that
+do not use this interface, or an interface that
+calls this one, will have unexpected behaviors
+while the system is running. If the type is used
+for device nodes (character or block files), then
+the dev_node() interface is more appropriate.
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>application_domain()</li>
+<li>application_executable_file()</li>
+<li>corecmd_executable_file()</li>
+<li>init_daemon_domain()</li>
+<li>init_domaion()</li>
+<li>init_ranged_daemon_domain()</li>
+<li>init_ranged_domain()</li>
+<li>init_ranged_system_domain()</li>
+<li>init_script_file()</li>
+<li>init_script_domain()</li>
+<li>init_system_domain()</li>
+<li>files_config_files()</li>
+<li>files_lock_file()</li>
+<li>files_mountpoint()</li>
+<li>files_pid_file()</li>
+<li>files_security_file()</li>
+<li>files_security_mountpoint()</li>
+<li>files_tmp_file()</li>
+<li>files_tmpfs_file()</li>
+<li>logging_log_file()</li>
+<li>userdom_user_home_content()</li>
+</ul>
+<p>
+Example:
+</p>
+<p>
+type myfile_t;
+files_type(myfile_t)
+allow mydomain_t myfile_t:file read_file_perms;
+</p>
+</desc>
+<param name="type">
+<summary>
+Type to be used for files.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="files_security_file" lineno="100">
+<summary>
+Make the specified type a file that
+should not be dontaudited from
+browsing from user domains.
+</summary>
+<param name="file_type">
+<summary>
+Type of the file to be used as a
+member directory.
+</summary>
+</param>
+</interface>
+<interface name="files_lock_file" lineno="119">
+<summary>
+Make the specified type usable for
+lock files.
+</summary>
+<param name="type">
+<summary>
+Type to be used for lock files.
+</summary>
+</param>
+</interface>
+<interface name="files_mountpoint" lineno="139">
+<summary>
+Make the specified type usable for
+filesystem mount points.
+</summary>
+<param name="type">
+<summary>
+Type to be used for mount points.
+</summary>
+</param>
+</interface>
+<interface name="files_security_mountpoint" lineno="159">
+<summary>
+Make the specified type usable for
+security file filesystem mount points.
+</summary>
+<param name="type">
+<summary>
+Type to be used for mount points.
+</summary>
+</param>
+</interface>
+<interface name="files_pid_file" lineno="207">
+<summary>
+Make the specified type usable for
+runtime process ID files.
+</summary>
+<desc>
+<p>
+Make the specified type usable for runtime process ID files,
+typically found in /var/run.
+This will also make the type usable for files, making
+calls to files_type() redundant. Failure to use this interface
+for a PID file type may result in problems with starting
+or stopping services.
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>files_pid_filetrans()</li>
+</ul>
+<p>
+Example usage with a domain that can create and
+write its PID file with a private PID file type in the
+/var/run directory:
+</p>
+<p>
+type mypidfile_t;
+files_pid_file(mypidfile_t)
+allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+files_pid_filetrans(mydomain_t, mypidfile_t, file)
+</p>
+</desc>
+<param name="type">
+<summary>
+Type to be used for PID files.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="files_config_file" lineno="247">
+<summary>
+Make the specified type a
+configuration file.
+</summary>
+<desc>
+<p>
+Make the specified type usable for configuration files.
+This will also make the type usable for files, making
+calls to files_type() redundant. Failure to use this interface
+for a temporary file may result in problems with
+configuration management tools.
+</p>
+<p>
+Example usage with a domain that can read
+its configuration file /etc:
+</p>
+<p>
+type myconffile_t;
+files_config_file(myconffile_t)
+allow mydomain_t myconffile_t:file read_file_perms;
+files_search_etc(mydomain_t)
+</p>
+</desc>
+<param name="file_type">
+<summary>
+Type to be used as a configuration file.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="files_poly" lineno="267">
+<summary>
+Make the specified type a
+polyinstantiated directory.
+</summary>
+<param name="file_type">
+<summary>
+Type of the file to be used as a
+polyinstantiated directory.
+</summary>
+</param>
+</interface>
+<interface name="files_poly_parent" lineno="288">
+<summary>
+Make the specified type a parent
+of a polyinstantiated directory.
+</summary>
+<param name="file_type">
+<summary>
+Type of the file to be used as a
+parent directory.
+</summary>
+</param>
+</interface>
+<interface name="files_poly_member" lineno="309">
+<summary>
+Make the specified type a
+polyinstantiation member directory.
+</summary>
+<param name="file_type">
+<summary>
+Type of the file to be used as a
+member directory.
+</summary>
+</param>
+</interface>
+<interface name="files_poly_member_tmp" lineno="336">
+<summary>
+Make the domain use the specified
+type of polyinstantiated directory.
+</summary>
+<param name="domain">
+<summary>
+Domain using the polyinstantiated
+directory.
+</summary>
+</param>
+<param name="file_type">
+<summary>
+Type of the file to be used as a
+member directory.
+</summary>
+</param>
+</interface>
+<interface name="files_tmp_file" lineno="383">
+<summary>
+Make the specified type a file
+used for temporary files.
+</summary>
+<desc>
+<p>
+Make the specified type usable for temporary files.
+This will also make the type usable for files, making
+calls to files_type() redundant. Failure to use this interface
+for a temporary file may result in problems with
+purging temporary files.
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>files_tmp_filetrans()</li>
+</ul>
+<p>
+Example usage with a domain that can create and
+write its temporary file in the system temporary file
+directories (/tmp or /var/tmp):
+</p>
+<p>
+type mytmpfile_t;
+files_tmp_file(mytmpfile_t)
+allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(mydomain_t, mytmpfile_t, file)
+</p>
+</desc>
+<param name="file_type">
+<summary>
+Type of the file to be used as a
+temporary file.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="files_tmpfs_file" lineno="405">
+<summary>
+Transform the type into a file, for use on a
+virtual memory filesystem (tmpfs).
+</summary>
+<param name="type">
+<summary>
+The type to be transformed.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_all_dirs" lineno="424">
+<summary>
+Get the attributes of all directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_all_dirs" lineno="443">
+<summary>
+Do not audit attempts to get the attributes
+of all directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_list_non_security" lineno="461">
+<summary>
+List all non-security directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_list_non_security" lineno="480">
+<summary>
+Do not audit attempts to list all
+non-security directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_mounton_non_security" lineno="499">
+<summary>
+Mount a filesystem on all non-security
+directories and files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_write_non_security_dirs" lineno="518">
+<summary>
+Allow attempts to modify any directory
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_non_security_dirs" lineno="536">
+<summary>
+Allow attempts to manage non-security directories
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_all_files" lineno="554">
+<summary>
+Get the attributes of all files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_all_files" lineno="574">
+<summary>
+Do not audit attempts to get the attributes
+of all files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_non_security_files" lineno="593">
+<summary>
+Do not audit attempts to get the attributes
+of non security files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_read_all_files" lineno="611">
+<summary>
+Read all files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_execmod_all_files" lineno="642">
+<summary>
+Allow shared library text relocations in all files.
+</summary>
+<desc>
+<p>
+Allow shared library text relocations in all files.
+</p>
+<p>
+This is added to support WINE policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_non_security_files" lineno="661">
+<summary>
+Read all non-security files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_read_all_dirs_except" lineno="687">
+<summary>
+Read all directories on the filesystem, except
+the listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+</interface>
+<interface name="files_read_all_files_except" lineno="712">
+<summary>
+Read all files on the filesystem, except
+the listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+</interface>
+<interface name="files_read_all_symlinks_except" lineno="737">
+<summary>
+Read all symbolic links on the filesystem, except
+the listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_all_symlinks" lineno="755">
+<summary>
+Get the attributes of all symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_all_symlinks" lineno="774">
+<summary>
+Do not audit attempts to get the attributes
+of all symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_read_all_symlinks" lineno="792">
+<summary>
+Do not audit attempts to read all symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_non_security_symlinks" lineno="811">
+<summary>
+Do not audit attempts to get the attributes
+of non security symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_non_security_blk_files" lineno="830">
+<summary>
+Do not audit attempts to get the attributes
+of non security block devices.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_non_security_chr_files" lineno="849">
+<summary>
+Do not audit attempts to get the attributes
+of non security character devices.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_read_all_symlinks" lineno="868">
+<summary>
+Read all symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_getattr_all_pipes" lineno="887">
+<summary>
+Get the attributes of all named pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_all_pipes" lineno="907">
+<summary>
+Do not audit attempts to get the attributes
+of all named pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_non_security_pipes" lineno="926">
+<summary>
+Do not audit attempts to get the attributes
+of non security named pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_all_sockets" lineno="944">
+<summary>
+Get the attributes of all named sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_all_sockets" lineno="964">
+<summary>
+Do not audit attempts to get the attributes
+of all named sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_non_security_sockets" lineno="983">
+<summary>
+Do not audit attempts to get the attributes
+of non security named sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_read_all_blk_files" lineno="1001">
+<summary>
+Read all block nodes with file types.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_all_chr_files" lineno="1019">
+<summary>
+Read all character nodes with file types.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_relabel_all_files" lineno="1045">
+<summary>
+Relabel all files on the filesystem, except
+the listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_rw_all_files" lineno="1083">
+<summary>
+rw all files on the filesystem, except
+the listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_manage_all_files" lineno="1109">
+<summary>
+Manage all files on the filesystem, except
+the listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_search_all" lineno="1136">
+<summary>
+Search the contents of all directories on
+extended attribute filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_list_all" lineno="1155">
+<summary>
+List the contents of all directories on
+extended attribute filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_search_all_dirs" lineno="1175">
+<summary>
+Do not audit attempts to search the
+contents of any directories on extended
+attribute filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_all_file_type_fs" lineno="1198">
+<summary>
+Get the attributes of all filesystems
+with the type of a file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_relabelto_all_file_type_fs" lineno="1216">
+<summary>
+Relabel a filesystem to the type of a file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_relabel_all_file_type_fs" lineno="1234">
+<summary>
+Relabel a filesystem to the type of a file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_mount_all_file_type_fs" lineno="1252">
+<summary>
+Mount all filesystems with the type of a file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_unmount_all_file_type_fs" lineno="1270">
+<summary>
+Unmount all filesystems with the type of a file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_config_dirs" lineno="1289">
+<summary>
+Manage all configuration directories on filesystem
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+
+</interface>
+<interface name="files_relabel_config_dirs" lineno="1308">
+<summary>
+Relabel configuration directories
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+
+</interface>
+<interface name="files_read_config_files" lineno="1326">
+<summary>
+Read config files in /etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_config_files" lineno="1347">
+<summary>
+Manage all configuration files on filesystem
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+
+</interface>
+<interface name="files_relabel_config_files" lineno="1366">
+<summary>
+Relabel configuration files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+
+</interface>
+<interface name="files_mounton_all_mountpoints" lineno="1384">
+<summary>
+Mount a filesystem on all mount points.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_all_mountpoints" lineno="1403">
+<summary>
+Get the attributes of all mount points.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_setattr_all_mountpoints" lineno="1421">
+<summary>
+Set the attributes of all mount points.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_search_all_mountpoints" lineno="1439">
+<summary>
+Search all mount points.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_search_all_mountpoints" lineno="1457">
+<summary>
+Do not audit searching of all mount points.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_list_all_mountpoints" lineno="1475">
+<summary>
+Do not audit listing of all mount points.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_list_root" lineno="1493">
+<summary>
+List the contents of the root directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_write_root_dirs" lineno="1512">
+<summary>
+Do not audit attempts to write to / dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_rw_root_dir" lineno="1531">
+<summary>
+Do not audit attempts to write
+files in the root directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_root_filetrans" lineno="1560">
+<summary>
+Create an object in the root directory, with a private
+type using a type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private type">
+<summary>
+The type of the object to be created.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_read_root_files" lineno="1579">
+<summary>
+Do not audit attempts to read files in
+the root directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_rw_root_files" lineno="1598">
+<summary>
+Do not audit attempts to read or write
+files in the root directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_rw_root_chr_files" lineno="1617">
+<summary>
+Do not audit attempts to read or write
+character device nodes in the root directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_root_files" lineno="1635">
+<summary>
+Delete files in the root directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_root_dir_entry" lineno="1653">
+<summary>
+Remove entries from the root directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_unmount_rootfs" lineno="1671">
+<summary>
+Unmount a rootfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_boot_dirs" lineno="1689">
+<summary>
+Get attributes of the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_boot_dirs" lineno="1708">
+<summary>
+Do not audit attempts to get attributes
+of the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_search_boot" lineno="1726">
+<summary>
+Search the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_search_boot" lineno="1744">
+<summary>
+Do not audit attempts to search the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_list_boot" lineno="1762">
+<summary>
+List the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_list_boot" lineno="1780">
+<summary>
+Do not audit attempts to list the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_create_boot_dirs" lineno="1798">
+<summary>
+Create directories in /boot
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_boot_dirs" lineno="1817">
+<summary>
+Create, read, write, and delete
+directories in /boot.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_boot_filetrans" lineno="1846">
+<summary>
+Create a private type object in boot
+with an automatic type transition
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private_type">
+<summary>
+The type of the object to be created.
+</summary>
+</param>
+<param name="object_class">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="files_read_boot_files" lineno="1865">
+<summary>
+read files in the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_manage_boot_files" lineno="1885">
+<summary>
+Create, read, write, and delete files
+in the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_relabelfrom_boot_files" lineno="1903">
+<summary>
+Relabel from files in the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_boot_symlinks" lineno="1921">
+<summary>
+Read symbolic links in the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_rw_boot_symlinks" lineno="1940">
+<summary>
+Read and write symbolic links
+in the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_boot_symlinks" lineno="1960">
+<summary>
+Create, read, write, and delete symbolic links
+in the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_kernel_img" lineno="1978">
+<summary>
+Read kernel files in the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_create_kernel_img" lineno="1999">
+<summary>
+Install a kernel into the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_delete_kernel" lineno="2019">
+<summary>
+Delete a kernel from /boot.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_getattr_default_dirs" lineno="2037">
+<summary>
+Getattr of directories with the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_default_dirs" lineno="2056">
+<summary>
+Do not audit attempts to get the attributes of
+directories with the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_search_default" lineno="2074">
+<summary>
+Search the contents of directories with the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_list_default" lineno="2092">
+<summary>
+List contents of directories with the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_list_default" lineno="2111">
+<summary>
+Do not audit attempts to list contents of
+directories with the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_default_dirs" lineno="2130">
+<summary>
+Create, read, write, and delete directories with
+the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_mounton_default" lineno="2148">
+<summary>
+Mount a filesystem on a directory with the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_default_files" lineno="2167">
+<summary>
+Do not audit attempts to get the attributes of
+files with the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_read_default_files" lineno="2185">
+<summary>
+Read files with the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_read_default_files" lineno="2204">
+<summary>
+Do not audit attempts to read files
+with the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_default_files" lineno="2223">
+<summary>
+Create, read, write, and delete files with
+the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_default_symlinks" lineno="2241">
+<summary>
+Read symbolic links with the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_default_sockets" lineno="2259">
+<summary>
+Read sockets with the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_default_pipes" lineno="2277">
+<summary>
+Read named pipes with the default file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_search_etc" lineno="2295">
+<summary>
+Search the contents of /etc directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_setattr_etc_dirs" lineno="2313">
+<summary>
+Set the attributes of the /etc directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_list_etc" lineno="2331">
+<summary>
+List the contents of /etc directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_write_etc_dirs" lineno="2349">
+<summary>
+Do not audit attempts to write to /etc dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_rw_etc_dirs" lineno="2367">
+<summary>
+Add and remove entries from /etc directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_etc_dirs" lineno="2386">
+<summary>
+Manage generic directories in /etc
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access
+</summary>
+</param>
+
+</interface>
+<interface name="files_read_etc_files" lineno="2438">
+<summary>
+Read generic files in /etc.
+</summary>
+<desc>
+<p>
+Allow the specified domain to read generic
+files in /etc. These files are typically
+general system configuration files that do
+not have more specific SELinux types. Some
+examples of these files are:
+</p>
+<ul>
+<li>/etc/fstab</li>
+<li>/etc/passwd</li>
+<li>/etc/services</li>
+<li>/etc/shells</li>
+</ul>
+<p>
+This interface does not include access to /etc/shadow.
+</p>
+<p>
+Generally, it is safe for many domains to have
+this access. However, since this interface provides
+access to the /etc/passwd file, caution must be
+exercised, as user account names can be leaked
+through this access.
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>auth_read_shadow()</li>
+<li>files_read_etc_runtime_files()</li>
+<li>seutil_read_config()</li>
+</ul>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="files_dontaudit_write_etc_files" lineno="2458">
+<summary>
+Do not audit attempts to write generic files in /etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_rw_etc_files" lineno="2477">
+<summary>
+Read and write generic files in /etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_manage_etc_files" lineno="2499">
+<summary>
+Create, read, write, and delete generic
+files in /etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_delete_etc_files" lineno="2518">
+<summary>
+Delete system configuration files in /etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_exec_etc_files" lineno="2536">
+<summary>
+Execute generic files in /etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_relabel_etc_files" lineno="2556">
+<summary>
+Relabel from and to generic files in /etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_etc_symlinks" lineno="2575">
+<summary>
+Read symbolic links in /etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_etc_symlinks" lineno="2593">
+<summary>
+Create, read, write, and delete symbolic links in /etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_etc_filetrans" lineno="2622">
+<summary>
+Create objects in /etc with a private
+type using a type_transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="file_type">
+<summary>
+Private file type.
+</summary>
+</param>
+<param name="class">
+<summary>
+Object classes to be created.
+</summary>
+</param>
+</interface>
+<interface name="files_create_boot_flag" lineno="2647">
+<summary>
+Create a boot flag.
+</summary>
+<desc>
+<p>
+Create a boot flag, such as
+/.autorelabel and /.autofsck.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_delete_boot_flag" lineno="2673">
+<summary>
+Delete a boot flag.
+</summary>
+<desc>
+<p>
+Delete a boot flag, such as
+/.autorelabel and /.autofsck.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_dontaudit_setattr_etc_runtime_files" lineno="2691">
+<summary>
+Do not audit attempts to set the attributes of the etc_runtime files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_etc_runtime_files" lineno="2729">
+<summary>
+Read files in /etc that are dynamically
+created on boot, such as mtab.
+</summary>
+<desc>
+<p>
+Allow the specified domain to read dynamically created
+configuration files in /etc. These files are typically
+general system configuration files that do
+not have more specific SELinux types. Some
+examples of these files are:
+</p>
+<ul>
+<li>/etc/motd</li>
+<li>/etc/mtab</li>
+<li>/etc/nologin</li>
+</ul>
+<p>
+This interface does not include access to /etc/shadow.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10" />
+<rolecap/>
+</interface>
+<interface name="files_dontaudit_read_etc_runtime_files" lineno="2751">
+<summary>
+Do not audit attempts to read files
+in /etc that are dynamically
+created on boot, such as mtab.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_rw_etc_runtime_files" lineno="2771">
+<summary>
+Read and write files in /etc that are dynamically
+created on boot, such as mtab.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_manage_etc_runtime_files" lineno="2793">
+<summary>
+Create, read, write, and delete files in
+/etc that are dynamically created on boot,
+such as mtab.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_etc_filetrans_etc_runtime" lineno="2817">
+<summary>
+Create, etc runtime objects with an automatic
+type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="object">
+<summary>
+The class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_isid_type_dirs" lineno="2836">
+<summary>
+Getattr of directories on new filesystems
+that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_search_isid_type_dirs" lineno="2855">
+<summary>
+Do not audit attempts to search directories on new filesystems
+that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_list_isid_type_dirs" lineno="2874">
+<summary>
+List the contents of directories on new filesystems
+that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_rw_isid_type_dirs" lineno="2893">
+<summary>
+Read and write directories on new filesystems
+that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_isid_type_dirs" lineno="2912">
+<summary>
+Delete directories on new filesystems
+that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_isid_type_dirs" lineno="2931">
+<summary>
+Create, read, write, and delete directories
+on new filesystems that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_mounton_isid_type_dirs" lineno="2950">
+<summary>
+Mount a filesystem on a directory on new filesystems
+that has not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_isid_type_files" lineno="2969">
+<summary>
+Read files on new filesystems
+that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_isid_type_files" lineno="2988">
+<summary>
+Delete files on new filesystems
+that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_isid_type_symlinks" lineno="3007">
+<summary>
+Delete symbolic links on new filesystems
+that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_isid_type_fifo_files" lineno="3026">
+<summary>
+Delete named pipes on new filesystems
+that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_isid_type_sock_files" lineno="3045">
+<summary>
+Delete named sockets on new filesystems
+that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_isid_type_blk_files" lineno="3064">
+<summary>
+Delete block files on new filesystems
+that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_write_isid_chr_files" lineno="3083">
+<summary>
+Do not audit attempts to write to character
+files that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_isid_type_chr_files" lineno="3102">
+<summary>
+Delete chr files on new filesystems
+that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_isid_type_files" lineno="3121">
+<summary>
+Create, read, write, and delete files
+on new filesystems that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_isid_type_symlinks" lineno="3140">
+<summary>
+Create, read, write, and delete symbolic links
+on new filesystems that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_rw_isid_type_blk_files" lineno="3159">
+<summary>
+Read and write block device nodes on new filesystems
+that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_isid_type_blk_files" lineno="3178">
+<summary>
+Create, read, write, and delete block device nodes
+on new filesystems that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_isid_type_chr_files" lineno="3197">
+<summary>
+Create, read, write, and delete character device nodes
+on new filesystems that have not yet been labeled.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_home_dir" lineno="3216">
+<summary>
+Get the attributes of the home directories root
+(/home).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_home_dir" lineno="3237">
+<summary>
+Do not audit attempts to get the
+attributes of the home directories root
+(/home).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_search_home" lineno="3256">
+<summary>
+Search home directories root (/home).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_search_home" lineno="3276">
+<summary>
+Do not audit attempts to search
+home directories root (/home).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_list_home" lineno="3296">
+<summary>
+Do not audit attempts to list
+home directories root (/home).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_list_home" lineno="3315">
+<summary>
+Get listing of home directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_relabelto_home" lineno="3334">
+<summary>
+Relabel to user home root (/home).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_home_filetrans" lineno="3362">
+<summary>
+Create objects in /home.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="home_type">
+<summary>
+The private type.
+</summary>
+</param>
+<param name="object">
+<summary>
+The class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_lost_found_dirs" lineno="3380">
+<summary>
+Get the attributes of lost+found directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_lost_found_dirs" lineno="3399">
+<summary>
+Do not audit attempts to get the attributes of
+lost+found directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_list_lost_found" lineno="3417">
+<summary>
+List the contents of lost+found directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_lost_found" lineno="3437">
+<summary>
+Create, read, write, and delete objects in
+lost+found directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_search_mnt" lineno="3459">
+<summary>
+Search the contents of /mnt.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_search_mnt" lineno="3477">
+<summary>
+Do not audit attempts to search /mnt.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_list_mnt" lineno="3495">
+<summary>
+List the contents of /mnt.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_list_mnt" lineno="3513">
+<summary>
+Do not audit attempts to list the contents of /mnt.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_mounton_mnt" lineno="3531">
+<summary>
+Mount a filesystem on /mnt.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_mnt_dirs" lineno="3550">
+<summary>
+Create, read, write, and delete directories in /mnt.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_manage_mnt_files" lineno="3568">
+<summary>
+Create, read, write, and delete files in /mnt.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_mnt_files" lineno="3586">
+<summary>
+read files in /mnt.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_mnt_symlinks" lineno="3604">
+<summary>
+Read symbolic links in /mnt.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_mnt_symlinks" lineno="3622">
+<summary>
+Create, read, write, and delete symbolic links in /mnt.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_search_kernel_modules" lineno="3640">
+<summary>
+Search the contents of the kernel module directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_list_kernel_modules" lineno="3659">
+<summary>
+List the contents of the kernel module directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_kernel_modules" lineno="3677">
+<summary>
+Get the attributes of kernel module files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_kernel_modules" lineno="3695">
+<summary>
+Read kernel module files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_write_kernel_modules" lineno="3715">
+<summary>
+Write kernel module files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_kernel_modules" lineno="3734">
+<summary>
+Delete kernel module files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_kernel_modules" lineno="3754">
+<summary>
+Create, read, write, and delete
+kernel module files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_relabel_kernel_modules" lineno="3772">
+<summary>
+Relabel from and to kernel module files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_kernel_modules_filetrans" lineno="3802">
+<summary>
+Create objects in the kernel module directories
+with a private type via an automatic type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private_type">
+<summary>
+The type of the object to be created.
+</summary>
+</param>
+<param name="object_class">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="files_list_world_readable" lineno="3821">
+<summary>
+List world-readable directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_read_world_readable_files" lineno="3840">
+<summary>
+Read world-readable files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_read_world_readable_symlinks" lineno="3859">
+<summary>
+Read world-readable symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_read_world_readable_pipes" lineno="3877">
+<summary>
+Read world-readable named pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_world_readable_sockets" lineno="3895">
+<summary>
+Read world-readable sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_associate_tmp" lineno="3915">
+<summary>
+Allow the specified type to associate
+to a filesystem with the type of the
+temporary directory (/tmp).
+</summary>
+<param name="file_type">
+<summary>
+Type of the file to associate.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_tmp_dirs" lineno="3933">
+<summary>
+Get the attributes of the tmp directory (/tmp).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_tmp_dirs" lineno="3952">
+<summary>
+Do not audit attempts to get the
+attributes of the tmp directory (/tmp).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_search_tmp" lineno="3970">
+<summary>
+Search the tmp directory (/tmp).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_search_tmp" lineno="3988">
+<summary>
+Do not audit attempts to search the tmp directory (/tmp).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_list_tmp" lineno="4006">
+<summary>
+Read the tmp directory (/tmp).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_list_tmp" lineno="4024">
+<summary>
+Do not audit listing of the tmp directory (/tmp).
+</summary>
+<param name="domain">
+<summary>
+Domain not to audit.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_tmp_dir_entry" lineno="4042">
+<summary>
+Remove entries from the tmp directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_generic_tmp_files" lineno="4060">
+<summary>
+Read files in the tmp directory (/tmp).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_generic_tmp_dirs" lineno="4078">
+<summary>
+Manage temporary directories in /tmp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_generic_tmp_files" lineno="4096">
+<summary>
+Manage temporary files and directories in /tmp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_generic_tmp_symlinks" lineno="4114">
+<summary>
+Read symbolic links in the tmp directory (/tmp).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_rw_generic_tmp_sockets" lineno="4132">
+<summary>
+Read and write generic named sockets in the tmp directory (/tmp).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_setattr_all_tmp_dirs" lineno="4150">
+<summary>
+Set the attributes of all tmp directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_list_all_tmp" lineno="4168">
+<summary>
+List all tmp directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_relabel_all_tmp_dirs" lineno="4188">
+<summary>
+Relabel to and from all temporary
+directory types.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_dontaudit_getattr_all_tmp_files" lineno="4209">
+<summary>
+Do not audit attempts to get the attributes
+of all tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain not to audit.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_all_tmp_files" lineno="4228">
+<summary>
+Allow attempts to get the attributes
+of all tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_relabel_all_tmp_files" lineno="4248">
+<summary>
+Relabel to and from all temporary
+file types.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_dontaudit_getattr_all_tmp_sockets" lineno="4269">
+<summary>
+Do not audit attempts to get the attributes
+of all tmp sock_file.
+</summary>
+<param name="domain">
+<summary>
+Domain not to audit.
+</summary>
+</param>
+</interface>
+<interface name="files_read_all_tmp_files" lineno="4287">
+<summary>
+Read all tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_tmp_filetrans" lineno="4316">
+<summary>
+Create an object in the tmp directories, with a private
+type using a type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private type">
+<summary>
+The type of the object to be created.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="files_purge_tmp" lineno="4334">
+<summary>
+Delete the contents of /tmp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_setattr_usr_dirs" lineno="4357">
+<summary>
+Set the attributes of the /usr directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_search_usr" lineno="4375">
+<summary>
+Search the content of /usr.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_list_usr" lineno="4394">
+<summary>
+List the contents of generic
+directories in /usr.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_write_usr_dirs" lineno="4412">
+<summary>
+Do not audit write of /usr dirs
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_rw_usr_dirs" lineno="4430">
+<summary>
+Add and remove entries from /usr directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_rw_usr_dirs" lineno="4449">
+<summary>
+Do not audit attempts to add and remove
+entries from /usr directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_usr_dirs" lineno="4467">
+<summary>
+Delete generic directories in /usr in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_usr_files" lineno="4485">
+<summary>
+Delete generic files in /usr in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_usr_files" lineno="4503">
+<summary>
+Get the attributes of files in /usr.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_usr_files" lineno="4539">
+<summary>
+Read generic files in /usr.
+</summary>
+<desc>
+<p>
+Allow the specified domain to read generic
+files in /usr. These files are various program
+files that do not have more specific SELinux types.
+Some examples of these files are:
+</p>
+<ul>
+<li>/usr/include/*</li>
+<li>/usr/share/doc/*</li>
+<li>/usr/share/info/*</li>
+</ul>
+<p>
+Generally, it is safe for many domains to have
+this access.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="files_exec_usr_files" lineno="4559">
+<summary>
+Execute generic programs in /usr in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_write_usr_files" lineno="4579">
+<summary>
+dontaudit write of /usr files
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_usr_files" lineno="4597">
+<summary>
+Create, read, write, and delete files in the /usr directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_relabelto_usr_files" lineno="4615">
+<summary>
+Relabel a file to the type used in /usr.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_relabelfrom_usr_files" lineno="4633">
+<summary>
+Relabel a file from the type used in /usr.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_usr_symlinks" lineno="4651">
+<summary>
+Read symbolic links in /usr.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_usr_filetrans" lineno="4679">
+<summary>
+Create objects in the /usr directory
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="file_type">
+<summary>
+The type of the object to be created
+</summary>
+</param>
+<param name="object_class">
+<summary>
+The object class.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_search_src" lineno="4697">
+<summary>
+Do not audit attempts to search /usr/src.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_usr_src_files" lineno="4715">
+<summary>
+Get the attributes of files in /usr/src.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_usr_src_files" lineno="4736">
+<summary>
+Read files in /usr/src.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_exec_usr_src_files" lineno="4757">
+<summary>
+Execute programs in /usr/src in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_create_kernel_symbol_table" lineno="4777">
+<summary>
+Install a system.map into the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_kernel_symbol_table" lineno="4796">
+<summary>
+Read system.map in the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_kernel_symbol_table" lineno="4815">
+<summary>
+Delete a system.map in the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_search_var" lineno="4834">
+<summary>
+Search the contents of /var.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_write_var_dirs" lineno="4852">
+<summary>
+Do not audit attempts to write to /var.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_write_var_dirs" lineno="4870">
+<summary>
+Allow attempts to write to /var.dirs
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_search_var" lineno="4889">
+<summary>
+Do not audit attempts to search
+the contents of /var.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_list_var" lineno="4907">
+<summary>
+List the contents of /var.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_var_dirs" lineno="4926">
+<summary>
+Create, read, write, and delete directories
+in the /var directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_var_files" lineno="4944">
+<summary>
+Read files in the /var directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_append_var_files" lineno="4962">
+<summary>
+Append files in the /var directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_rw_var_files" lineno="4980">
+<summary>
+Read and write files in the /var directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_rw_var_files" lineno="4999">
+<summary>
+Do not audit attempts to read and write
+files in the /var directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_var_files" lineno="5017">
+<summary>
+Create, read, write, and delete files in the /var directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_var_symlinks" lineno="5035">
+<summary>
+Read symbolic links in the /var directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_var_symlinks" lineno="5054">
+<summary>
+Create, read, write, and delete symbolic
+links in the /var directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_var_filetrans" lineno="5082">
+<summary>
+Create objects in the /var directory
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="file_type">
+<summary>
+The type of the object to be created
+</summary>
+</param>
+<param name="object_class">
+<summary>
+The object class.
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_var_lib_dirs" lineno="5100">
+<summary>
+Get the attributes of the /var/lib directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_search_var_lib" lineno="5132">
+<summary>
+Search the /var/lib directory.
+</summary>
+<desc>
+<p>
+Search the /var/lib directory. This is
+necessary to access files or directories under
+/var/lib that have a private type. For example, a
+domain accessing a private library file in the
+/var/lib directory:
+</p>
+<p>
+allow mydomain_t mylibfile_t:file read_file_perms;
+files_search_var_lib(mydomain_t)
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="5"/>
+</interface>
+<interface name="files_dontaudit_search_var_lib" lineno="5152">
+<summary>
+Do not audit attempts to search the
+contents of /var/lib.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="read" weight="5"/>
+</interface>
+<interface name="files_list_var_lib" lineno="5170">
+<summary>
+List the contents of the /var/lib directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_rw_var_lib_dirs" lineno="5188">
+<summary>
+Read-write /var/lib directories
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_var_lib_filetrans" lineno="5216">
+<summary>
+Create objects in the /var/lib directory
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="file_type">
+<summary>
+The type of the object to be created
+</summary>
+</param>
+<param name="object_class">
+<summary>
+The object class.
+</summary>
+</param>
+</interface>
+<interface name="files_read_var_lib_files" lineno="5235">
+<summary>
+Read generic files in /var/lib.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_var_lib_symlinks" lineno="5254">
+<summary>
+Read generic symbolic links in /var/lib
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_urandom_seed" lineno="5276">
+<summary>
+Create, read, write, and delete the
+pseudorandom number generator seed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_mounttab" lineno="5296">
+<summary>
+Allow domain to manage mount tables
+necessary for rpcd, nfsd, etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_search_locks" lineno="5315">
+<summary>
+Search the locks directory (/var/lock).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_search_locks" lineno="5335">
+<summary>
+Do not audit attempts to search the
+locks directory (/var/lock).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_list_locks" lineno="5354">
+<summary>
+List generic lock directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_rw_lock_dirs" lineno="5374">
+<summary>
+Add and remove entries in the /var/lock
+directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_relabel_all_lock_dirs" lineno="5394">
+<summary>
+Relabel to and from all lock directory types.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_getattr_generic_locks" lineno="5415">
+<summary>
+Get the attributes of generic lock files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_generic_locks" lineno="5436">
+<summary>
+Delete generic lock files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_generic_locks" lineno="5457">
+<summary>
+Create, read, write, and delete generic
+lock files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_all_locks" lineno="5478">
+<summary>
+Delete all lock files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_read_all_locks" lineno="5499">
+<summary>
+Read all lock files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_all_locks" lineno="5522">
+<summary>
+manage all lock files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_lock_filetrans" lineno="5556">
+<summary>
+Create an object in the locks directory, with a private
+type using a type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private type">
+<summary>
+The type of the object to be created.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_pid_dirs" lineno="5577">
+<summary>
+Do not audit attempts to get the attributes
+of the /var/run directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_setattr_pid_dirs" lineno="5596">
+<summary>
+Set the attributes of the /var/run directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_search_pids" lineno="5616">
+<summary>
+Search the contents of runtime process
+ID directories (/var/run).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_search_pids" lineno="5636">
+<summary>
+Do not audit attempts to search
+the /var/run directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_list_pids" lineno="5656">
+<summary>
+List the contents of the runtime process
+ID directories (/var/run).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_generic_pids" lineno="5675">
+<summary>
+Read generic process ID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_write_generic_pid_pipes" lineno="5695">
+<summary>
+Write named generic process ID pipes
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_pid_filetrans" lineno="5751">
+<summary>
+Create an object in the process ID directory, with a private type.
+</summary>
+<desc>
+<p>
+Create an object in the process ID directory (e.g., /var/run)
+with a private type. Typically this is used for creating
+private PID files in /var/run with the private type instead
+of the general PID file type. To accomplish this goal,
+either the program must be SELinux-aware, or use this interface.
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>files_pid_file()</li>
+</ul>
+<p>
+Example usage with a domain that can create and
+write its PID file with a private PID file type in the
+/var/run directory:
+</p>
+<p>
+type mypidfile_t;
+files_pid_file(mypidfile_t)
+allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+files_pid_filetrans(mydomain_t, mypidfile_t, file)
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private type">
+<summary>
+The type of the object to be created.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="files_rw_generic_pids" lineno="5771">
+<summary>
+Read and write generic process ID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_getattr_all_pids" lineno="5792">
+<summary>
+Do not audit attempts to get the attributes of
+daemon runtime data files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_write_all_pids" lineno="5812">
+<summary>
+Do not audit attempts to write to daemon runtime data files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_ioctl_all_pids" lineno="5831">
+<summary>
+Do not audit attempts to ioctl daemon runtime data files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_read_all_pids" lineno="5852">
+<summary>
+Read all process ID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_mounton_all_poly_members" lineno="5874">
+<summary>
+Mount filesystems on all polyinstantiation
+member directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_delete_all_pids" lineno="5893">
+<summary>
+Delete all process IDs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_delete_all_pid_dirs" lineno="5918">
+<summary>
+Delete all process ID directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_search_spool" lineno="5940">
+<summary>
+Search the contents of generic spool
+directories (/var/spool).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_search_spool" lineno="5959">
+<summary>
+Do not audit attempts to search generic
+spool directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_list_spool" lineno="5978">
+<summary>
+List the contents of generic spool
+(/var/spool) directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_generic_spool_dirs" lineno="5997">
+<summary>
+Create, read, write, and delete generic
+spool directories (/var/spool).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_read_generic_spool" lineno="6016">
+<summary>
+Read generic spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_generic_spool" lineno="6036">
+<summary>
+Create, read, write, and delete generic
+spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_spool_filetrans" lineno="6067">
+<summary>
+Create objects in the spool directory
+with a private type with a type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="file">
+<summary>
+Type to which the created node will be transitioned.
+</summary>
+</param>
+<param name="class">
+<summary>
+Object class(es) (single or set including {}) for which this
+the transition will occur.
+</summary>
+</param>
+</interface>
+<interface name="files_polyinstantiate_all" lineno="6087">
+<summary>
+Allow access to manage all polyinstantiated
+directories on the system.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_unconfined" lineno="6141">
+<summary>
+Unconfined access to files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="filesystem" filename="policy/modules/kernel/filesystem.if">
+<summary>Policy for filesystems.</summary>
+<required val="true">
+Contains the initial SID for the filesystems.
+</required>
+<interface name="fs_type" lineno="16">
+<summary>
+Transform specified type into a filesystem type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_noxattr_type" lineno="36">
+<summary>
+Transform specified type into a filesystem
+type which does not have extended attribute
+support.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_associate" lineno="59">
+<summary>
+Associate the specified file type to persistent
+filesystems with extended attributes. This
+allows a file of this type to be created on
+a filesystem such as ext3, JFS, and XFS.
+</summary>
+<param name="file_type">
+<summary>
+The type of the to be associated.
+</summary>
+</param>
+</interface>
+<interface name="fs_associate_noxattr" lineno="81">
+<summary>
+Associate the specified file type to
+filesystems which lack extended attributes
+support. This allows a file of this type
+to be created on a filesystem such as
+FAT32, and NFS.
+</summary>
+<param name="file_type">
+<summary>
+The type of the to be associated.
+</summary>
+</param>
+</interface>
+<interface name="fs_exec_noxattr" lineno="101">
+<summary>
+Execute files on a filesystem that does
+not support extended attributes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_mount_xattr_fs" lineno="121">
+<summary>
+Mount a persistent filesystem which
+has extended attributes, such as
+ext3, JFS, or XFS.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_remount_xattr_fs" lineno="142">
+<summary>
+Remount a persistent filesystem which
+has extended attributes, such as
+ext3, JFS, or XFS. This allows
+some mount options to be changed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unmount_xattr_fs" lineno="162">
+<summary>
+Unmount a persistent filesystem which
+has extended attributes, such as
+ext3, JFS, or XFS.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_xattr_fs" lineno="198">
+<summary>
+Get the attributes of persistent
+filesystems which have extended
+attributes, such as ext3, JFS, or XFS.
+</summary>
+<desc>
+<p>
+Allow the specified domain to
+get the attributes of a persistent
+filesystems which have extended
+attributes, such as ext3, JFS, or XFS.
+Example attributes:
+</p>
+<ul>
+<li>Type of the file system (e.g., ext3)</li>
+<li>Size of the file system</li>
+<li>Available space on the file system</li>
+</ul>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="5"/>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_getattr_xattr_fs" lineno="219">
+<summary>
+Do not audit attempts to
+get the attributes of a persistent
+filesystem which has extended
+attributes, such as ext3, JFS, or XFS.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_relabelfrom_xattr_fs" lineno="239">
+<summary>
+Allow changing of the label of a
+filesystem with extended attributes
+using the context= mount option.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_get_xattr_fs_quotas" lineno="259">
+<summary>
+Get the filesystem quotas of a filesystem
+with extended attributes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_set_xattr_fs_quotas" lineno="279">
+<summary>
+Set the filesystem quotas of a filesystem
+with extended attributes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_read_anon_inodefs_files" lineno="297">
+<summary>
+Read files on anon_inodefs file systems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_rw_anon_inodefs_files" lineno="317">
+<summary>
+Read and write files on anon_inodefs
+file systems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_rw_anon_inodefs_files" lineno="337">
+<summary>
+Do not audit attempts to read or write files on
+anon_inodefs file systems.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_autofs" lineno="356">
+<summary>
+Mount an automount pseudo filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_remount_autofs" lineno="375">
+<summary>
+Remount an automount pseudo filesystem
+This allows some mount options to be changed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unmount_autofs" lineno="393">
+<summary>
+Unmount an automount pseudo filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_autofs" lineno="412">
+<summary>
+Get the attributes of an automount
+pseudo filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_search_auto_mountpoints" lineno="439">
+<summary>
+Search automount filesystem to use automatically
+mounted filesystems.
+</summary>
+<desc>
+Allow the specified domain to search mount points
+that have filesystems that are mounted by
+the automount service. Generally this will
+be required for any domain that accesses objects
+on these filesystems.
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="5"/>
+</interface>
+<interface name="fs_list_auto_mountpoints" lineno="459">
+<summary>
+Read directories of automatically
+mounted filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_list_auto_mountpoints" lineno="478">
+<summary>
+Do not audit attempts to list directories of automatically
+mounted filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_autofs_symlinks" lineno="497">
+<summary>
+Create, read, write, and delete symbolic links
+on an autofs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_binfmt_misc_dirs" lineno="516">
+<summary>
+Get the attributes of directories on
+binfmt_misc filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_register_binary_executable_type" lineno="552">
+<summary>
+Register an interpreter for new binary
+file types, using the kernel binfmt_misc
+support.
+</summary>
+<desc>
+<p>
+Register an interpreter for new binary
+file types, using the kernel binfmt_misc
+support.
+</p>
+<p>
+A common use for this is to
+register a JVM as an interpreter for
+Java byte code. Registered binaries
+can be directly executed on a command line
+without specifying the interpreter.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_mount_cgroup" lineno="570">
+<summary>
+Mount cgroup filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_remount_cgroup" lineno="588">
+<summary>
+Remount cgroup filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unmount_cgroup" lineno="606">
+<summary>
+Unmount cgroup filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_cgroup" lineno="624">
+<summary>
+Get attributes of cgroup filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_search_cgroup_dirs" lineno="642">
+<summary>
+Search cgroup directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_list_cgroup_dirs" lineno="662">
+<summary>
+list cgroup directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_delete_cgroup_dirs" lineno="681">
+<summary>
+Delete cgroup directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_cgroup_dirs" lineno="700">
+<summary>
+Manage cgroup directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_cgroup_files" lineno="720">
+<summary>
+Read cgroup files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_write_cgroup_files" lineno="740">
+<summary>
+Write cgroup files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_rw_cgroup_files" lineno="759">
+<summary>
+Read and write cgroup files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_rw_cgroup_files" lineno="781">
+<summary>
+Do not audit attempts to open,
+get attributes, read and write
+cgroup files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_cgroup_files" lineno="799">
+<summary>
+Manage cgroup files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_mounton_cgroup" lineno="819">
+<summary>
+Mount on cgroup directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_list_cifs_dirs" lineno="838">
+<summary>
+Do not audit attempts to read
+dirs on a CIFS or SMB filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_cifs" lineno="856">
+<summary>
+Mount a CIFS or SMB network filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_remount_cifs" lineno="875">
+<summary>
+Remount a CIFS or SMB network filesystem.
+This allows some mount options to be changed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unmount_cifs" lineno="893">
+<summary>
+Unmount a CIFS or SMB network filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_cifs" lineno="913">
+<summary>
+Get the attributes of a CIFS or
+SMB network filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_search_cifs" lineno="931">
+<summary>
+Search directories on a CIFS or SMB filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_list_cifs" lineno="950">
+<summary>
+List the contents of directories on a
+CIFS or SMB filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_list_cifs" lineno="969">
+<summary>
+Do not audit attempts to list the contents
+of directories on a CIFS or SMB filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_mounton_cifs" lineno="987">
+<summary>
+Mounton a CIFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_cifs_files" lineno="1006">
+<summary>
+Read files on a CIFS or SMB filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_getattr_noxattr_fs" lineno="1027">
+<summary>
+Get the attributes of filesystems that
+do not have extended attribute support.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_list_noxattr_fs" lineno="1045">
+<summary>
+Read all noxattrfs directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_list_noxattr_fs" lineno="1064">
+<summary>
+Do not audit attempts to list all
+noxattrfs directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_noxattr_fs_dirs" lineno="1082">
+<summary>
+Create, read, write, and delete all noxattrfs directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_noxattr_fs_files" lineno="1100">
+<summary>
+Read all noxattrfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_read_noxattr_fs_files" lineno="1119">
+<summary>
+Do not audit attempts to read all
+noxattrfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_write_noxattr_fs_files" lineno="1137">
+<summary>
+Dont audit attempts to write to noxattrfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_noxattr_fs_files" lineno="1155">
+<summary>
+Create, read, write, and delete all noxattrfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_noxattr_fs_symlinks" lineno="1173">
+<summary>
+Read all noxattrfs symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_relabelfrom_noxattr_fs" lineno="1192">
+<summary>
+Relabel all objets from filesystems that
+do not support extended attributes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_read_cifs_files" lineno="1218">
+<summary>
+Do not audit attempts to read
+files on a CIFS or SMB filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_append_cifs_files" lineno="1238">
+<summary>
+Append files
+on a CIFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_append_cifs_files" lineno="1258">
+<summary>
+dontaudit Append files
+on a CIFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_rw_cifs_files" lineno="1277">
+<summary>
+Do not audit attempts to read or
+write files on a CIFS or SMB filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_cifs_symlinks" lineno="1295">
+<summary>
+Read symbolic links on a CIFS or SMB filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_cifs_named_pipes" lineno="1315">
+<summary>
+Read named pipes
+on a CIFS or SMB network filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_cifs_named_sockets" lineno="1334">
+<summary>
+Read named pipes
+on a CIFS or SMB network filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_exec_cifs_files" lineno="1355">
+<summary>
+Execute files on a CIFS or SMB
+network filesystem, in the caller
+domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_manage_cifs_dirs" lineno="1376">
+<summary>
+Create, read, write, and delete directories
+on a CIFS or SMB network filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_manage_cifs_dirs" lineno="1396">
+<summary>
+Do not audit attempts to create, read,
+write, and delete directories
+on a CIFS or SMB network filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_cifs_files" lineno="1416">
+<summary>
+Create, read, write, and delete files
+on a CIFS or SMB network filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_manage_cifs_files" lineno="1436">
+<summary>
+Do not audit attempts to create, read,
+write, and delete files
+on a CIFS or SMB network filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_cifs_symlinks" lineno="1455">
+<summary>
+Create, read, write, and delete symbolic links
+on a CIFS or SMB network filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_cifs_named_pipes" lineno="1474">
+<summary>
+Create, read, write, and delete named pipes
+on a CIFS or SMB network filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_cifs_named_sockets" lineno="1493">
+<summary>
+Create, read, write, and delete named sockets
+on a CIFS or SMB network filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_cifs_domtrans" lineno="1536">
+<summary>
+Execute a file on a CIFS or SMB filesystem
+in the specified domain.
+</summary>
+<desc>
+<p>
+Execute a file on a CIFS or SMB filesystem
+in the specified domain. This allows
+the specified domain to execute any file
+on these filesystems in the specified
+domain. This is not suggested.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+<p>
+This interface was added to handle
+home directories on CIFS/SMB filesystems,
+in particular used by the ssh-agent policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the new process.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_configfs_dirs" lineno="1556">
+<summary>
+Create, read, write, and delete dirs
+on a configfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_configfs_files" lineno="1575">
+<summary>
+Create, read, write, and delete files
+on a configfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_dos_fs" lineno="1594">
+<summary>
+Mount a DOS filesystem, such as
+FAT32 or NTFS.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_remount_dos_fs" lineno="1614">
+<summary>
+Remount a DOS filesystem, such as
+FAT32 or NTFS. This allows
+some mount options to be changed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unmount_dos_fs" lineno="1633">
+<summary>
+Unmount a DOS filesystem, such as
+FAT32 or NTFS.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_dos_fs" lineno="1653">
+<summary>
+Get the attributes of a DOS
+filesystem, such as FAT32 or NTFS.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_relabelfrom_dos_fs" lineno="1672">
+<summary>
+Allow changing of the label of a
+DOS filesystem using the context= mount option.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_search_dos" lineno="1690">
+<summary>
+Search dosfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_list_dos" lineno="1708">
+<summary>
+List dirs DOS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_dos_dirs" lineno="1727">
+<summary>
+Create, read, write, and delete dirs
+on a DOS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_dos_files" lineno="1745">
+<summary>
+Read files on a DOS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_dos_files" lineno="1764">
+<summary>
+Create, read, write, and delete files
+on a DOS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_eventpollfs" lineno="1792">
+<summary>
+Read eventpollfs files.
+</summary>
+<desc>
+<p>
+Read eventpollfs files
+</p>
+<p>
+This interface has been deprecated, and will
+be removed in the future.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_fusefs" lineno="1806">
+<summary>
+Mount a FUSE filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unmount_fusefs" lineno="1824">
+<summary>
+Unmount a FUSE filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_mounton_fusefs" lineno="1842">
+<summary>
+Mounton a FUSEFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_search_fusefs" lineno="1862">
+<summary>
+Search directories
+on a FUSEFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_list_fusefs" lineno="1881">
+<summary>
+Do not audit attempts to list the contents
+of directories on a FUSEFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_fusefs_dirs" lineno="1901">
+<summary>
+Create, read, write, and delete directories
+on a FUSEFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_manage_fusefs_dirs" lineno="1921">
+<summary>
+Do not audit attempts to create, read,
+write, and delete directories
+on a FUSEFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_fusefs_files" lineno="1940">
+<summary>
+Read, a FUSEFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_exec_fusefs_files" lineno="1959">
+<summary>
+Execute files on a FUSEFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_manage_fusefs_files" lineno="1979">
+<summary>
+Create, read, write, and delete files
+on a FUSEFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_manage_fusefs_files" lineno="1999">
+<summary>
+Do not audit attempts to create,
+read, write, and delete files
+on a FUSEFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_fusefs_symlinks" lineno="2017">
+<summary>
+Read symbolic links on a FUSEFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_hugetlbfs" lineno="2037">
+<summary>
+Get the attributes of an hugetlbfs
+filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_list_hugetlbfs" lineno="2055">
+<summary>
+List hugetlbfs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_hugetlbfs_dirs" lineno="2073">
+<summary>
+Manage hugetlbfs dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_rw_hugetlbfs_files" lineno="2091">
+<summary>
+Read and write hugetlbfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_associate_hugetlbfs" lineno="2109">
+<summary>
+Allow the type to associate to hugetlbfs filesystems.
+</summary>
+<param name="type">
+<summary>
+The type of the object to be associated.
+</summary>
+</param>
+</interface>
+<interface name="fs_search_inotifyfs" lineno="2127">
+<summary>
+Search inotifyfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_list_inotifyfs" lineno="2145">
+<summary>
+List inotifyfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_list_inotifyfs" lineno="2163">
+<summary>
+Dontaudit List inotifyfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_hugetlbfs_filetrans" lineno="2192">
+<summary>
+Create an object in a hugetlbfs filesystem, with a private
+type using a type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private type">
+<summary>
+The type of the object to be created.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_iso9660_fs" lineno="2212">
+<summary>
+Mount an iso9660 filesystem, which
+is usually used on CDs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_remount_iso9660_fs" lineno="2232">
+<summary>
+Remount an iso9660 filesystem, which
+is usually used on CDs. This allows
+some mount options to be changed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unmount_iso9660_fs" lineno="2251">
+<summary>
+Unmount an iso9660 filesystem, which
+is usually used on CDs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_iso9660_fs" lineno="2271">
+<summary>
+Get the attributes of an iso9660
+filesystem, which is usually used on CDs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_getattr_iso9660_files" lineno="2290">
+<summary>
+Read files on an iso9660 filesystem, which
+is usually used on CDs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_iso9660_files" lineno="2310">
+<summary>
+Read files on an iso9660 filesystem, which
+is usually used on CDs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_nfs" lineno="2330">
+<summary>
+Mount a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_remount_nfs" lineno="2349">
+<summary>
+Remount a NFS filesystem. This allows
+some mount options to be changed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unmount_nfs" lineno="2367">
+<summary>
+Unmount a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_nfs" lineno="2386">
+<summary>
+Get the attributes of a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_search_nfs" lineno="2404">
+<summary>
+Search directories on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_list_nfs" lineno="2422">
+<summary>
+List NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_list_nfs" lineno="2441">
+<summary>
+Do not audit attempts to list the contents
+of directories on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_mounton_nfs" lineno="2459">
+<summary>
+Mounton a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_nfs_files" lineno="2478">
+<summary>
+Read files on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_read_nfs_files" lineno="2498">
+<summary>
+Do not audit attempts to read
+files on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_write_nfs_files" lineno="2516">
+<summary>
+Read files on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_exec_nfs_files" lineno="2536">
+<summary>
+Execute files on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_append_nfs_files" lineno="2557">
+<summary>
+Append files
+on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_append_nfs_files" lineno="2577">
+<summary>
+dontaudit Append files
+on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_rw_nfs_files" lineno="2596">
+<summary>
+Do not audit attempts to read or
+write files on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_nfs_symlinks" lineno="2614">
+<summary>
+Read symbolic links on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_read_nfs_symlinks" lineno="2633">
+<summary>
+Dontaudit read symbolic links on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_nfs_named_sockets" lineno="2651">
+<summary>
+Read named sockets on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_nfs_named_pipes" lineno="2670">
+<summary>
+Read named pipes on a NFS network filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_getattr_rpc_dirs" lineno="2688">
+<summary>
+Read directories of RPC file system pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_search_rpc" lineno="2707">
+<summary>
+Search directories of RPC file system pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_search_removable" lineno="2725">
+<summary>
+Search removable storage directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_list_removable" lineno="2743">
+<summary>
+Do not audit attempts to list removable storage directories.
+</summary>
+<param name="domain">
+<summary>
+Domain not to audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_removable_files" lineno="2761">
+<summary>
+Read removable storage files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_read_removable_files" lineno="2779">
+<summary>
+Do not audit attempts to read removable storage files.
+</summary>
+<param name="domain">
+<summary>
+Domain not to audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_write_removable_files" lineno="2797">
+<summary>
+Do not audit attempts to write removable storage files.
+</summary>
+<param name="domain">
+<summary>
+Domain not to audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_removable_symlinks" lineno="2815">
+<summary>
+Read removable storage symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_removable_blk_files" lineno="2833">
+<summary>
+Read block nodes on removable filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_rw_removable_blk_files" lineno="2852">
+<summary>
+Read and write block nodes on removable filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_list_rpc" lineno="2871">
+<summary>
+Read directories of RPC file system pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_rpc_files" lineno="2889">
+<summary>
+Read files of RPC file system pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_rpc_symlinks" lineno="2907">
+<summary>
+Read symbolic links of RPC file system pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_rpc_sockets" lineno="2925">
+<summary>
+Read sockets of RPC file system pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_rw_rpc_sockets" lineno="2943">
+<summary>
+Read and write sockets of RPC file system pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_nfs_dirs" lineno="2963">
+<summary>
+Create, read, write, and delete directories
+on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_manage_nfs_dirs" lineno="2983">
+<summary>
+Do not audit attempts to create, read,
+write, and delete directories
+on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_nfs_files" lineno="3003">
+<summary>
+Create, read, write, and delete files
+on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_manage_nfs_files" lineno="3023">
+<summary>
+Do not audit attempts to create,
+read, write, and delete files
+on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_nfs_symlinks" lineno="3043">
+<summary>
+Create, read, write, and delete symbolic links
+on a NFS network filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_manage_nfs_named_pipes" lineno="3062">
+<summary>
+Create, read, write, and delete named pipes
+on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_nfs_named_sockets" lineno="3081">
+<summary>
+Create, read, write, and delete named sockets
+on a NFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_nfs_domtrans" lineno="3124">
+<summary>
+Execute a file on a NFS filesystem
+in the specified domain.
+</summary>
+<desc>
+<p>
+Execute a file on a NFS filesystem
+in the specified domain. This allows
+the specified domain to execute any file
+on a NFS filesystem in the specified
+domain. This is not suggested.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+<p>
+This interface was added to handle
+home directories on NFS filesystems,
+in particular used by the ssh-agent policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the new process.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_nfsd_fs" lineno="3143">
+<summary>
+Mount a NFS server pseudo filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_remount_nfsd_fs" lineno="3162">
+<summary>
+Mount a NFS server pseudo filesystem.
+This allows some mount options to be changed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unmount_nfsd_fs" lineno="3180">
+<summary>
+Unmount a NFS server pseudo filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_nfsd_fs" lineno="3199">
+<summary>
+Get the attributes of a NFS server
+pseudo filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_search_nfsd_fs" lineno="3217">
+<summary>
+Search NFS server directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_list_nfsd_fs" lineno="3235">
+<summary>
+List NFS server directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_nfsd_files" lineno="3253">
+<summary>
+Getattr files on an nfsd filesystem
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_rw_nfsd_fs" lineno="3271">
+<summary>
+Read and write NFS server files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_associate_ramfs" lineno="3289">
+<summary>
+Allow the type to associate to ramfs filesystems.
+</summary>
+<param name="type">
+<summary>
+The type of the object to be associated.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_ramfs" lineno="3307">
+<summary>
+Mount a RAM filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_remount_ramfs" lineno="3326">
+<summary>
+Remount a RAM filesystem. This allows
+some mount options to be changed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unmount_ramfs" lineno="3344">
+<summary>
+Unmount a RAM filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_ramfs" lineno="3362">
+<summary>
+Get the attributes of a RAM filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_search_ramfs" lineno="3380">
+<summary>
+Search directories on a ramfs
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_search_ramfs" lineno="3398">
+<summary>
+Dontaudit Search directories on a ramfs
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_ramfs_dirs" lineno="3417">
+<summary>
+Create, read, write, and delete
+directories on a ramfs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_read_ramfs_files" lineno="3435">
+<summary>
+Dontaudit read on a ramfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_read_ramfs_pipes" lineno="3453">
+<summary>
+Dontaudit read on a ramfs fifo_files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_ramfs_files" lineno="3472">
+<summary>
+Create, read, write, and delete
+files on a ramfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_write_ramfs_pipes" lineno="3490">
+<summary>
+Write to named pipe on a ramfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_write_ramfs_pipes" lineno="3509">
+<summary>
+Do not audit attempts to write to named
+pipes on a ramfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_rw_ramfs_pipes" lineno="3527">
+<summary>
+Read and write a named pipe on a ramfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_ramfs_pipes" lineno="3546">
+<summary>
+Create, read, write, and delete
+named pipes on a ramfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_write_ramfs_sockets" lineno="3564">
+<summary>
+Write to named socket on a ramfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_ramfs_sockets" lineno="3583">
+<summary>
+Create, read, write, and delete
+named sockets on a ramfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_romfs" lineno="3601">
+<summary>
+Mount a ROM filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_remount_romfs" lineno="3620">
+<summary>
+Remount a ROM filesystem. This allows
+some mount options to be changed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unmount_romfs" lineno="3638">
+<summary>
+Unmount a ROM filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_romfs" lineno="3657">
+<summary>
+Get the attributes of a ROM
+filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_rpc_pipefs" lineno="3675">
+<summary>
+Mount a RPC pipe filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_remount_rpc_pipefs" lineno="3694">
+<summary>
+Remount a RPC pipe filesystem. This
+allows some mount option to be changed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unmount_rpc_pipefs" lineno="3712">
+<summary>
+Unmount a RPC pipe filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_rpc_pipefs" lineno="3731">
+<summary>
+Get the attributes of a RPC pipe
+filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_rw_rpc_named_pipes" lineno="3749">
+<summary>
+Read and write RPC pipe filesystem named pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_tmpfs" lineno="3767">
+<summary>
+Mount a tmpfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_remount_tmpfs" lineno="3785">
+<summary>
+Remount a tmpfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unmount_tmpfs" lineno="3803">
+<summary>
+Unmount a tmpfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_tmpfs" lineno="3823">
+<summary>
+Get the attributes of a tmpfs
+filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_associate_tmpfs" lineno="3841">
+<summary>
+Allow the type to associate to tmpfs filesystems.
+</summary>
+<param name="type">
+<summary>
+The type of the object to be associated.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_tmpfs_dirs" lineno="3859">
+<summary>
+Get the attributes of tmpfs directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_getattr_tmpfs_dirs" lineno="3878">
+<summary>
+Do not audit attempts to get the attributes
+of tmpfs directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_setattr_tmpfs_dirs" lineno="3896">
+<summary>
+Set the attributes of tmpfs directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_search_tmpfs" lineno="3914">
+<summary>
+Search tmpfs directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_list_tmpfs" lineno="3932">
+<summary>
+List the contents of generic tmpfs directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_list_tmpfs" lineno="3951">
+<summary>
+Do not audit attempts to list the
+contents of generic tmpfs directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_tmpfs_dirs" lineno="3970">
+<summary>
+Create, read, write, and delete
+tmpfs directories
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_write_tmpfs_dirs" lineno="3989">
+<summary>
+Do not audit attempts to write
+tmpfs directories
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_tmpfs_filetrans" lineno="4018">
+<summary>
+Create an object in a tmpfs filesystem, with a private
+type using a type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private type">
+<summary>
+The type of the object to be created.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_getattr_tmpfs_files" lineno="4038">
+<summary>
+Do not audit attempts to getattr
+generic tmpfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_rw_tmpfs_files" lineno="4057">
+<summary>
+Do not audit attempts to read or write
+generic tmpfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_auto_mountpoints" lineno="4076">
+<summary>
+Create, read, write, and delete
+auto moutpoints.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_tmpfs_files" lineno="4094">
+<summary>
+Read generic tmpfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_rw_tmpfs_files" lineno="4112">
+<summary>
+Read and write generic tmpfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_read_tmpfs_symlinks" lineno="4130">
+<summary>
+Read tmpfs link files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_rw_tmpfs_chr_files" lineno="4148">
+<summary>
+Read and write character nodes on tmpfs filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_use_tmpfs_chr_dev" lineno="4167">
+<summary>
+dontaudit Read and write character nodes on tmpfs filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_relabel_tmpfs_chr_file" lineno="4186">
+<summary>
+Relabel character nodes on tmpfs filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_rw_tmpfs_blk_files" lineno="4205">
+<summary>
+Read and write block nodes on tmpfs filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_relabel_tmpfs_blk_file" lineno="4224">
+<summary>
+Relabel block nodes on tmpfs filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_tmpfs_files" lineno="4244">
+<summary>
+Read and write, create and delete generic
+files on tmpfs filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_tmpfs_symlinks" lineno="4263">
+<summary>
+Read and write, create and delete symbolic
+links on tmpfs filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_tmpfs_sockets" lineno="4282">
+<summary>
+Read and write, create and delete socket
+files on tmpfs filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_tmpfs_chr_files" lineno="4301">
+<summary>
+Read and write, create and delete character
+nodes on tmpfs filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_tmpfs_blk_files" lineno="4320">
+<summary>
+Read and write, create and delete block nodes
+on tmpfs filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_xenfs" lineno="4338">
+<summary>
+Mount a XENFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_search_xenfs" lineno="4356">
+<summary>
+Search the XENFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_xenfs_dirs" lineno="4376">
+<summary>
+Create, read, write, and delete directories
+on a XENFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_manage_xenfs_dirs" lineno="4396">
+<summary>
+Do not audit attempts to create, read,
+write, and delete directories
+on a XENFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_xenfs_files" lineno="4416">
+<summary>
+Create, read, write, and delete files
+on a XENFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_manage_xenfs_files" lineno="4436">
+<summary>
+Do not audit attempts to create,
+read, write, and delete files
+on a XENFS filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_all_fs" lineno="4454">
+<summary>
+Mount all filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_remount_all_fs" lineno="4473">
+<summary>
+Remount all filesystems. This
+allows some mount options to be changed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unmount_all_fs" lineno="4491">
+<summary>
+Unmount all filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_all_fs" lineno="4523">
+<summary>
+Get the attributes of all filesystems.
+</summary>
+<desc>
+<p>
+Allow the specified domain to
+et the attributes of all filesystems.
+Example attributes:
+</p>
+<ul>
+<li>Type of the file system (e.g., ext3)</li>
+<li>Size of the file system</li>
+<li>Available space on the file system</li>
+</ul>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="5"/>
+<rolecap/>
+</interface>
+<interface name="fs_dontaudit_getattr_all_fs" lineno="4543">
+<summary>
+Do not audit attempts to get the attributes
+all filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_get_all_fs_quotas" lineno="4562">
+<summary>
+Get the quotas of all filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_set_all_quotas" lineno="4581">
+<summary>
+Set the quotas of all filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_relabelfrom_all_fs" lineno="4599">
+<summary>
+Relabelfrom all filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_all_dirs" lineno="4618">
+<summary>
+Get the attributes of all directories
+with a filesystem type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_search_all" lineno="4636">
+<summary>
+Search all directories with a filesystem type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_list_all" lineno="4654">
+<summary>
+List all directories with a filesystem type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_all_files" lineno="4673">
+<summary>
+Get the attributes of all files with
+a filesystem type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_getattr_all_files" lineno="4692">
+<summary>
+Do not audit attempts to get the attributes
+of all files with a filesystem type.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_all_symlinks" lineno="4711">
+<summary>
+Get the attributes of all symbolic links with
+a filesystem type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_getattr_all_symlinks" lineno="4730">
+<summary>
+Do not audit attempts to get the attributes
+of all symbolic links with a filesystem type.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_all_pipes" lineno="4749">
+<summary>
+Get the attributes of all named pipes with
+a filesystem type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_getattr_all_pipes" lineno="4768">
+<summary>
+Do not audit attempts to get the attributes
+of all named pipes with a filesystem type.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_all_sockets" lineno="4787">
+<summary>
+Get the attributes of all named sockets with
+a filesystem type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_getattr_all_sockets" lineno="4806">
+<summary>
+Do not audit attempts to get the attributes
+of all named sockets with a filesystem type.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_all_blk_files" lineno="4825">
+<summary>
+Get the attributes of all block device nodes with
+a filesystem type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_all_chr_files" lineno="4844">
+<summary>
+Get the attributes of all character device nodes with
+a filesystem type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_unconfined" lineno="4862">
+<summary>
+Unconfined access to filesystems
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="kernel" filename="policy/modules/kernel/kernel.if">
+<summary>
+Policy for kernel threads, proc filesystem,
+and unlabeled processes and objects.
+</summary>
+<required val="true">
+This module has initial SIDs.
+</required>
+<interface name="kernel_domtrans_to" lineno="25">
+<summary>
+Allows to start userland processes
+by transitioning to the specified domain.
+</summary>
+<param name="domain">
+<summary>
+The process type entered by kernel.
+</summary>
+</param>
+<param name="entrypoint">
+<summary>
+The executable type for the entrypoint.
+</summary>
+</param>
+</interface>
+<interface name="kernel_ranged_domtrans_to" lineno="55">
+<summary>
+Allows to start userland processes
+by transitioning to the specified domain,
+with a range transition.
+</summary>
+<param name="domain">
+<summary>
+The process type entered by kernel.
+</summary>
+</param>
+<param name="entrypoint">
+<summary>
+The executable type for the entrypoint.
+</summary>
+</param>
+<param name="range">
+<summary>
+Range for the domain.
+</summary>
+</param>
+</interface>
+<interface name="kernel_rootfs_mountpoint" lineno="83">
+<summary>
+Allows the kernel to mount filesystems on
+the specified directory type.
+</summary>
+<param name="directory_type">
+<summary>
+The type of the directory to use as a mountpoint.
+</summary>
+</param>
+</interface>
+<interface name="kernel_setpgid" lineno="101">
+<summary>
+Set the process group of kernel threads.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_setsched" lineno="119">
+<summary>
+Set the priority of kernel threads.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_sigchld" lineno="137">
+<summary>
+Send a SIGCHLD signal to kernel threads.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_kill" lineno="155">
+<summary>
+Send a kill signal to kernel threads.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_signal" lineno="173">
+<summary>
+Send a generic signal to kernel threads.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_share_state" lineno="192">
+<summary>
+Allows the kernel to share state information with
+the caller.
+</summary>
+<param name="domain">
+<summary>
+The type of the process with which to share state information.
+</summary>
+</param>
+</interface>
+<interface name="kernel_use_fds" lineno="210">
+<summary>
+Permits caller to use kernel file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_use_fds" lineno="229">
+<summary>
+Do not audit attempts to use
+kernel file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_rw_pipes" lineno="247">
+<summary>
+Read and write kernel unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_rw_unix_dgram_sockets" lineno="265">
+<summary>
+Read and write kernel unix datagram sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dgram_send" lineno="283">
+<summary>
+Send messages to kernel unix datagram sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_tcp_recvfrom" lineno="301">
+<summary>
+Receive messages from kernel TCP sockets. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_udp_send" lineno="315">
+<summary>
+Send UDP network traffic to the kernel. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_udp_recvfrom" lineno="329">
+<summary>
+Receive messages from kernel UDP sockets. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_load_module" lineno="343">
+<summary>
+Allows caller to load kernel modules
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_search_key" lineno="361">
+<summary>
+Allow search the kernel key ring.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_search_key" lineno="379">
+<summary>
+dontaudit search the kernel key ring.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_link_key" lineno="397">
+<summary>
+Allow link to the kernel key ring.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_link_key" lineno="415">
+<summary>
+dontaudit link to the kernel key ring.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_read_ring_buffer" lineno="434">
+<summary>
+Allows caller to read the ring buffer.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_dontaudit_read_ring_buffer" lineno="453">
+<summary>
+Do not audit attempts to read the ring buffer.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_change_ring_buffer_level" lineno="472">
+<summary>
+Change the level of kernel messages logged to the console.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_clear_ring_buffer" lineno="500">
+<summary>
+Allows the caller to clear the ring buffer.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_request_load_module" lineno="540">
+<summary>
+Allows caller to request the kernel to load a module
+</summary>
+<desc>
+<p>
+Allow the specified domain to request that the kernel
+load a kernel module. An example of this is the
+auto-loading of network drivers when doing an
+ioctl() on a network interface.
+</p>
+<p>
+In the specific case of a module loading request
+on a network interface, the domain will also
+need the net_admin capability.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_request_load_module" lineno="558">
+<summary>
+Do not audit requests to the kernel to load a module.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_get_sysvipc_info" lineno="576">
+<summary>
+Get information on all System V IPC objects.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_getattr_debugfs" lineno="594">
+<summary>
+Get the attributes of a kernel debugging filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_mount_debugfs" lineno="612">
+<summary>
+Mount a kernel debugging filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_unmount_debugfs" lineno="630">
+<summary>
+Unmount a kernel debugging filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_remount_debugfs" lineno="648">
+<summary>
+Remount a kernel debugging filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_search_debugfs" lineno="666">
+<summary>
+Search the contents of a kernel debugging filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_search_debugfs" lineno="684">
+<summary>
+Do not audit attempts to search the kernel debugging filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_read_debugfs" lineno="702">
+<summary>
+Read information from the debugging filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_write_debugfs_dirs" lineno="722">
+<summary>
+Do not audit attempts to write kernel debugging filesystem dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_manage_debugfs" lineno="740">
+<summary>
+Manage information from the debugging filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_mount_kvmfs" lineno="760">
+<summary>
+Mount a kernel VM filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_unmount_proc" lineno="778">
+<summary>
+Unmount the proc filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_getattr_proc" lineno="796">
+<summary>
+Get the attributes of the proc filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_setattr_proc_dirs" lineno="815">
+<summary>
+Do not audit attempts to set the
+attributes of directories in /proc.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_search_proc" lineno="833">
+<summary>
+Search directories in /proc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_list_proc" lineno="851">
+<summary>
+List the contents of directories in /proc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_list_proc" lineno="870">
+<summary>
+Do not audit attempts to list the
+contents of directories in /proc.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_write_proc_dirs" lineno="889">
+<summary>
+Do not audit attempts to write the
+directories in /proc.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_getattr_proc_files" lineno="907">
+<summary>
+Get the attributes of files in /proc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_read_proc_symlinks" lineno="934">
+<summary>
+Read generic symbolic links in /proc.
+</summary>
+<desc>
+<p>
+Allow the specified domain to read (follow) generic
+symbolic links (symlinks) in the proc filesystem (/proc).
+This interface does not include access to the targets of
+these links. An example symlink is /proc/self.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="kernel_read_system_state" lineno="973">
+<summary>
+Allows caller to read system state information in /proc.
+</summary>
+<desc>
+<p>
+Allow the specified domain to read general system
+state information from the proc filesystem (/proc).
+</p>
+<p>
+Generally it should be safe to allow this access. Some
+example files that can be read based on this interface:
+</p>
+<ul>
+<li>/proc/cpuinfo</li>
+<li>/proc/meminfo</li>
+<li>/proc/uptime</li>
+</ul>
+<p>
+This does not allow access to sysctl entries (/proc/sys/*)
+nor process state information (/proc/pid).
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+<rolecap/>
+</interface>
+<interface name="kernel_write_proc_files" lineno="999">
+<summary>
+Write to generic proc entries.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_dontaudit_read_system_state" lineno="1018">
+<summary>
+Do not audit attempts by caller to
+read system state information in proc.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_read_proc_symlinks" lineno="1037">
+<summary>
+Do not audit attempts by caller to
+read system state information in proc.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_rw_afs_state" lineno="1056">
+<summary>
+Allow caller to read and write state information for AFS.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_read_software_raid_state" lineno="1076">
+<summary>
+Allow caller to read the state information for software raid.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_rw_software_raid_state" lineno="1096">
+<summary>
+Allow caller to read and set the state information for software raid.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_getattr_core_if" lineno="1116">
+<summary>
+Allows caller to get attribues of core kernel interface.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_getattr_core_if" lineno="1137">
+<summary>
+Do not audit attempts to get the attributes of
+core kernel interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_read_core_if" lineno="1155">
+<summary>
+Allows caller to read the core kernel interface.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_read_messages" lineno="1179">
+<summary>
+Allow caller to read kernel messages
+using the /proc/kmsg interface.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_getattr_message_if" lineno="1201">
+<summary>
+Allow caller to get the attributes of kernel message
+interface (/proc/kmsg).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_getattr_message_if" lineno="1220">
+<summary>
+Do not audit attempts by caller to get the attributes of kernel
+message interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_search_network_state" lineno="1240">
+<summary>
+Do not audit attempts to search the network
+state directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+
+</interface>
+<interface name="kernel_search_network_state" lineno="1259">
+<summary>
+Allow searching of network state directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+
+</interface>
+<interface name="kernel_read_network_state" lineno="1289">
+<summary>
+Read the network state information.
+</summary>
+<desc>
+<p>
+Allow the specified domain to read the networking
+state information. This includes several pieces
+of networking information, such as network interface
+names, netfilter (iptables) statistics, protocol
+information, routes, and remote procedure call (RPC)
+information.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+<rolecap/>
+</interface>
+<interface name="kernel_read_network_state_symlinks" lineno="1310">
+<summary>
+Allow caller to read the network state symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_search_xen_state" lineno="1331">
+<summary>
+Allow searching of xen state directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+
+</interface>
+<interface name="kernel_dontaudit_search_xen_state" lineno="1351">
+<summary>
+Do not audit attempts to search the xen
+state directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+
+</interface>
+<interface name="kernel_read_xen_state" lineno="1370">
+<summary>
+Allow caller to read the xen state information.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+
+</interface>
+<interface name="kernel_read_xen_state_symlinks" lineno="1392">
+<summary>
+Allow caller to read the xen state symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+
+</interface>
+<interface name="kernel_write_xen_state" lineno="1413">
+<summary>
+Allow caller to write xen state information.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+
+</interface>
+<interface name="kernel_list_all_proc" lineno="1431">
+<summary>
+Allow attempts to list all proc directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_list_all_proc" lineno="1450">
+<summary>
+Do not audit attempts to list all proc directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_search_sysctl" lineno="1471">
+<summary>
+Do not audit attempts by caller to search
+the base directory of sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+
+</interface>
+<interface name="kernel_read_sysctl" lineno="1490">
+<summary>
+Allow access to read sysctl directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+
+</interface>
+<interface name="kernel_read_device_sysctls" lineno="1510">
+<summary>
+Allow caller to read the device sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_rw_device_sysctls" lineno="1531">
+<summary>
+Read and write device sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_search_vm_sysctl" lineno="1551">
+<summary>
+Allow caller to search virtual memory sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_read_vm_sysctls" lineno="1570">
+<summary>
+Allow caller to read virtual memory sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_rw_vm_sysctls" lineno="1591">
+<summary>
+Read and write virtual memory sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_search_network_sysctl" lineno="1613">
+<summary>
+Search network sysctl directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_search_network_sysctl" lineno="1631">
+<summary>
+Do not audit attempts by caller to search network sysctl directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_read_net_sysctls" lineno="1650">
+<summary>
+Allow caller to read network sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_rw_net_sysctls" lineno="1671">
+<summary>
+Allow caller to modiry contents of sysctl network files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_read_unix_sysctls" lineno="1693">
+<summary>
+Allow caller to read unix domain
+socket sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_rw_unix_sysctls" lineno="1715">
+<summary>
+Read and write unix domain
+socket sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_read_hotplug_sysctls" lineno="1736">
+<summary>
+Read the hotplug sysctl.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_rw_hotplug_sysctls" lineno="1757">
+<summary>
+Read and write the hotplug sysctl.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_read_modprobe_sysctls" lineno="1778">
+<summary>
+Read the modprobe sysctl.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_rw_modprobe_sysctls" lineno="1799">
+<summary>
+Read and write the modprobe sysctl.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="1819">
+<summary>
+Do not audit attempts to search generic kernel sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_read_crypto_sysctls" lineno="1837">
+<summary>
+Read generic crypto sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_read_kernel_sysctls" lineno="1878">
+<summary>
+Read general kernel sysctls.
+</summary>
+<desc>
+<p>
+Allow the specified domain to read general
+kernel sysctl settings. These settings are typically
+read using the sysctl program. The settings
+that are included by this interface are prefixed
+with "kernel.", for example, kernel.sysrq.
+</p>
+<p>
+This does not include access to the hotplug
+handler setting (kernel.hotplug)
+nor the module installer handler setting
+(kernel.modprobe).
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>kernel_rw_kernel_sysctl()</li>
+</ul>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="1898">
+<summary>
+Do not audit attempts to write generic kernel sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_rw_kernel_sysctl" lineno="1917">
+<summary>
+Read and write generic kernel sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_read_fs_sysctls" lineno="1938">
+<summary>
+Read filesystem sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_rw_fs_sysctls" lineno="1959">
+<summary>
+Read and write fileystem sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_read_irq_sysctls" lineno="1980">
+<summary>
+Read IRQ sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_rw_irq_sysctls" lineno="2001">
+<summary>
+Read and write IRQ sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_read_rpc_sysctls" lineno="2022">
+<summary>
+Read RPC sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_rw_rpc_sysctls" lineno="2043">
+<summary>
+Read and write RPC sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_dontaudit_list_all_sysctls" lineno="2063">
+<summary>
+Do not audit attempts to list all sysctl directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_read_all_sysctls" lineno="2083">
+<summary>
+Allow caller to read all sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_rw_all_sysctls" lineno="2106">
+<summary>
+Read and write all sysctls.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_kill_unlabeled" lineno="2130">
+<summary>
+Send a kill signal to unlabeled processes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_mount_unlabeled" lineno="2148">
+<summary>
+Mount a kernel unlabeled filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_unmount_unlabeled" lineno="2166">
+<summary>
+Unmount a kernel unlabeled filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_signal_unlabeled" lineno="2184">
+<summary>
+Send general signals to unlabeled processes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_signull_unlabeled" lineno="2202">
+<summary>
+Send a null signal to unlabeled processes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_sigstop_unlabeled" lineno="2220">
+<summary>
+Send a stop signal to unlabeled processes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_sigchld_unlabeled" lineno="2238">
+<summary>
+Send a child terminated signal to unlabeled processes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_list_unlabeled" lineno="2256">
+<summary>
+List unlabeled directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_read_unlabeled_state" lineno="2274">
+<summary>
+Read the process state (/proc/pid) of all unlabeled_t.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_list_unlabeled" lineno="2294">
+<summary>
+Do not audit attempts to list unlabeled directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_rw_unlabeled_dirs" lineno="2312">
+<summary>
+Read and write unlabeled directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_rw_unlabeled_files" lineno="2330">
+<summary>
+Read and write unlabeled files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="2349">
+<summary>
+Do not audit attempts by caller to get the
+attributes of an unlabeled file.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_read_unlabeled_files" lineno="2368">
+<summary>
+Do not audit attempts by caller to
+read an unlabeled file.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="2387">
+<summary>
+Do not audit attempts by caller to get the
+attributes of unlabeled symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="2406">
+<summary>
+Do not audit attempts by caller to get the
+attributes of unlabeled named pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="2425">
+<summary>
+Do not audit attempts by caller to get the
+attributes of unlabeled named sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="2444">
+<summary>
+Do not audit attempts by caller to get attributes for
+unlabeled block devices.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_rw_unlabeled_blk_files" lineno="2462">
+<summary>
+Read and write unlabeled block device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="2481">
+<summary>
+Do not audit attempts by caller to get attributes for
+unlabeled character devices.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="2499">
+<summary>
+Allow caller to relabel unlabeled directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_relabelfrom_unlabeled_files" lineno="2517">
+<summary>
+Allow caller to relabel unlabeled files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="2536">
+<summary>
+Allow caller to relabel unlabeled symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="2555">
+<summary>
+Allow caller to relabel unlabeled named pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="2574">
+<summary>
+Allow caller to relabel unlabeled named sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_sendrecv_unlabeled_association" lineno="2608">
+<summary>
+Send and receive messages from an
+unlabeled IPSEC association.
+</summary>
+<desc>
+<p>
+Send and receive messages from an
+unlabeled IPSEC association. Network
+connections that are not protected
+by IPSEC have use an unlabeled
+assocation.
+</p>
+<p>
+The corenetwork interface
+corenet_non_ipsec_sendrecv() should
+be used instead of this one.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="2644">
+<summary>
+Do not audit attempts to send and receive messages
+from an unlabeled IPSEC association.
+</summary>
+<desc>
+<p>
+Do not audit attempts to send and receive messages
+from an unlabeled IPSEC association. Network
+connections that are not protected
+by IPSEC have use an unlabeled
+assocation.
+</p>
+<p>
+The corenetwork interface
+corenet_dontaudit_non_ipsec_sendrecv() should
+be used instead of this one.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_tcp_recvfrom_unlabeled" lineno="2671">
+<summary>
+Receive TCP packets from an unlabeled connection.
+</summary>
+<desc>
+<p>
+Receive TCP packets from an unlabeled connection.
+</p>
+<p>
+The corenetwork interface corenet_tcp_recv_unlabeled() should
+be used instead of this one.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="2700">
+<summary>
+Do not audit attempts to receive TCP packets from an unlabeled
+connection.
+</summary>
+<desc>
+<p>
+Do not audit attempts to receive TCP packets from an unlabeled
+connection.
+</p>
+<p>
+The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
+should be used instead of this one.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_udp_recvfrom_unlabeled" lineno="2727">
+<summary>
+Receive UDP packets from an unlabeled connection.
+</summary>
+<desc>
+<p>
+Receive UDP packets from an unlabeled connection.
+</p>
+<p>
+The corenetwork interface corenet_udp_recv_unlabeled() should
+be used instead of this one.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="2756">
+<summary>
+Do not audit attempts to receive UDP packets from an unlabeled
+connection.
+</summary>
+<desc>
+<p>
+Do not audit attempts to receive UDP packets from an unlabeled
+connection.
+</p>
+<p>
+The corenetwork interface corenet_dontaudit_udp_recv_unlabeled()
+should be used instead of this one.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_raw_recvfrom_unlabeled" lineno="2783">
+<summary>
+Receive Raw IP packets from an unlabeled connection.
+</summary>
+<desc>
+<p>
+Receive Raw IP packets from an unlabeled connection.
+</p>
+<p>
+The corenetwork interface corenet_raw_recv_unlabeled() should
+be used instead of this one.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="2812">
+<summary>
+Do not audit attempts to receive Raw IP packets from an unlabeled
+connection.
+</summary>
+<desc>
+<p>
+Do not audit attempts to receive Raw IP packets from an unlabeled
+connection.
+</p>
+<p>
+The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
+should be used instead of this one.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_sendrecv_unlabeled_packets" lineno="2842">
+<summary>
+Send and receive unlabeled packets.
+</summary>
+<desc>
+<p>
+Send and receive unlabeled packets.
+These packets do not match any netfilter
+SECMARK rules.
+</p>
+<p>
+The corenetwork interface
+corenet_sendrecv_unlabeled_packets() should
+be used instead of this one.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_recvfrom_unlabeled_peer" lineno="2870">
+<summary>
+Receive packets from an unlabeled peer.
+</summary>
+<desc>
+<p>
+Receive packets from an unlabeled peer, these packets do not have any
+peer labeling information present.
+</p>
+<p>
+The corenetwork interface corenet_recvfrom_unlabeled_peer() should
+be used instead of this one.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="2898">
+<summary>
+Do not audit attempts to receive packets from an unlabeled peer.
+</summary>
+<desc>
+<p>
+Do not audit attempts to receive packets from an unlabeled peer,
+these packets do not have any peer labeling information present.
+</p>
+<p>
+The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled()
+should be used instead of this one.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="kernel_relabelfrom_unlabeled_database" lineno="2916">
+<summary>
+Relabel from unlabeled database objects.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_unconfined" lineno="2953">
+<summary>
+Unconfined access to kernel module resources.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<bool name="secure_mode_insmod" dftval="false">
+<desc>
+<p>
+Disable kernel module loading.
+</p>
+</desc>
+</bool>
+</module>
+<module name="mcs" filename="policy/modules/kernel/mcs.if">
+<summary>Multicategory security policy</summary>
+<required val="true">
+Contains attributes used in MCS policy.
+</required>
+<interface name="mcs_file_read_all" lineno="18">
+<summary>
+This domain is allowed to read files and directories
+regardless of their MCS category set.
+</summary>
+<param name="domain">
+<summary>
+Domain target for user exemption.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mcs_file_write_all" lineno="38">
+<summary>
+This domain is allowed to write files and directories
+regardless of their MCS category set.
+</summary>
+<param name="domain">
+<summary>
+Domain target for user exemption.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mcs_killall" lineno="58">
+<summary>
+This domain is allowed to sigkill and sigstop
+all domains regardless of their MCS category set.
+</summary>
+<param name="domain">
+<summary>
+Domain target for user exemption.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mcs_ptrace_all" lineno="78">
+<summary>
+This domain is allowed to ptrace
+all domains regardless of their MCS
+category set.
+</summary>
+<param name="domain">
+<summary>
+Domain target for user exemption.
+</summary>
+</param>
+</interface>
+<interface name="mcs_process_set_categories" lineno="98">
+<summary>
+Make specified domain MCS trusted
+for setting any category set for
+the processes it executes.
+</summary>
+<param name="domain">
+<summary>
+Domain target for user exemption.
+</summary>
+</param>
+</interface>
+</module>
+<module name="mls" filename="policy/modules/kernel/mls.if">
+<summary>Multilevel security policy</summary>
+<desc>
+<p>
+This module contains interfaces for handling multilevel
+security. The interfaces allow the specified subjects
+and objects to be allowed certain privileges in the
+MLS rules.
+</p>
+</desc>
+<required val="true">
+Contains attributes used in MLS policy.
+</required>
+<interface name="mls_file_read_to_clearance" lineno="26">
+<summary>
+Make specified domain MLS trusted
+for reading from files up to its clearance.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_file_read_up" lineno="55">
+<summary>
+Make specified domain MLS trusted
+for reading from files at all levels. (Deprecated)
+</summary>
+<desc>
+<p>
+Make specified domain MLS trusted
+for reading from files at all levels.
+</p>
+<p>
+This interface has been deprecated, please use
+mls_file_read_all_levels() instead.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mls_file_read_all_levels" lineno="72">
+<summary>
+Make specified domain MLS trusted
+for reading from files at all levels.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_file_write_to_clearance" lineno="92">
+<summary>
+Make specified domain MLS trusted
+for write to files up to its clearance.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_file_write_down" lineno="121">
+<summary>
+Make specified domain MLS trusted
+for writing to files at all levels. (Deprecated)
+</summary>
+<desc>
+<p>
+Make specified domain MLS trusted
+for writing to files at all levels.
+</p>
+<p>
+This interface has been deprecated, please use
+mls_file_write_all_levels() instead.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mls_file_write_all_levels" lineno="138">
+<summary>
+Make specified domain MLS trusted
+for writing to files at all levels.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_file_upgrade" lineno="158">
+<summary>
+Make specified domain MLS trusted
+for raising the level of files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_file_downgrade" lineno="178">
+<summary>
+Make specified domain MLS trusted
+for lowering the level of files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_file_write_within_range" lineno="200">
+<summary>
+Make specified domain trusted to
+be written to within its MLS range.
+The subject's MLS range must be a
+proper subset of the object's MLS range.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_socket_read_all_levels" lineno="220">
+<summary>
+Make specified domain MLS trusted
+for reading from sockets at any level.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_socket_read_to_clearance" lineno="241">
+<summary>
+Make specified domain MLS trusted
+for reading from sockets at any level
+that is dominated by the process clearance.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_socket_write_to_clearance" lineno="262">
+<summary>
+Make specified domain MLS trusted
+for writing to sockets up to
+its clearance.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_socket_write_all_levels" lineno="282">
+<summary>
+Make specified domain MLS trusted
+for writing to sockets at any level.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_net_receive_all_levels" lineno="303">
+<summary>
+Make specified domain MLS trusted
+for receiving network data from
+network interfaces or hosts at any level.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_net_write_within_range" lineno="325">
+<summary>
+Make specified domain trusted to
+write to network objects within its MLS range.
+The subject's MLS range must be a
+proper subset of the object's MLS range.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_net_inbound_all_levels" lineno="346">
+<summary>
+Make specified domain trusted to
+write inbound packets regardless of the
+network's or node's MLS range.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_net_outbound_all_levels" lineno="367">
+<summary>
+Make specified domain trusted to
+write outbound packets regardless of the
+network's or node's MLS range.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_sysvipc_read_to_clearance" lineno="388">
+<summary>
+Make specified domain MLS trusted
+for reading from System V IPC objects
+up to its clearance.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_sysvipc_read_all_levels" lineno="409">
+<summary>
+Make specified domain MLS trusted
+for reading from System V IPC objects
+at any level.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_sysvipc_write_to_clearance" lineno="430">
+<summary>
+Make specified domain MLS trusted
+for writing to System V IPC objects
+up to its clearance.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_sysvipc_write_all_levels" lineno="451">
+<summary>
+Make specified domain MLS trusted
+for writing to System V IPC objects
+at any level.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_rangetrans_source" lineno="471">
+<summary>
+Allow the specified domain to do a MLS
+range transition that changes
+the current level.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mls_rangetrans_target" lineno="491">
+<summary>
+Make specified domain a target domain
+for MLS range transitions that change
+the current level.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mls_process_read_to_clearance" lineno="512">
+<summary>
+Make specified domain MLS trusted
+for reading from processes up to
+its clearance.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_process_read_up" lineno="541">
+<summary>
+Make specified domain MLS trusted
+for reading from processes at all levels. (Deprecated)
+</summary>
+<desc>
+<p>
+Make specified domain MLS trusted
+for reading from processes at all levels.
+</p>
+<p>
+This interface has been deprecated, please use
+mls_process_read_all_levels() instead.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mls_process_read_all_levels" lineno="558">
+<summary>
+Make specified domain MLS trusted
+for reading from processes at all levels.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_process_write_to_clearance" lineno="579">
+<summary>
+Make specified domain MLS trusted
+for writing to processes up to
+its clearance.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_process_write_down" lineno="608">
+<summary>
+Make specified domain MLS trusted
+for writing to processes at all levels. (Deprecated)
+</summary>
+<desc>
+<p>
+Make specified domain MLS trusted
+for writing to processes at all levels.
+</p>
+<p>
+This interface has been deprecated, please use
+mls_process_write_all_levels() instead.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mls_process_write_all_levels" lineno="625">
+<summary>
+Make specified domain MLS trusted
+for writing to processes at all levels.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_process_set_level" lineno="646">
+<summary>
+Make specified domain MLS trusted
+for setting the level of processes
+it executes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_xwin_read_to_clearance" lineno="666">
+<summary>
+Make specified domain MLS trusted
+for reading from X objects up to its clearance.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_xwin_read_all_levels" lineno="686">
+<summary>
+Make specified domain MLS trusted
+for reading from X objects at any level.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_xwin_write_to_clearance" lineno="706">
+<summary>
+Make specified domain MLS trusted
+for write to X objects up to its clearance.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_xwin_write_all_levels" lineno="726">
+<summary>
+Make specified domain MLS trusted
+for writing to X objects at any level.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_colormap_read_all_levels" lineno="746">
+<summary>
+Make specified domain MLS trusted
+for reading from X colormaps at any level.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_colormap_write_all_levels" lineno="766">
+<summary>
+Make specified domain MLS trusted
+for writing to X colormaps at any level.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_trusted_object" lineno="795">
+<summary>
+Make specified object MLS trusted.
+</summary>
+<desc>
+<p>
+Make specified object MLS trusted. This
+allows all levels to read and write the
+object.
+</p>
+<p>
+This currently only applies to filesystem
+objects, for example, files and directories.
+</p>
+</desc>
+<param name="domain">
+<summary>
+The type of the object.
+</summary>
+</param>
+</interface>
+<interface name="mls_fd_use_all_levels" lineno="816">
+<summary>
+Make the specified domain trusted
+to inherit and use file descriptors
+from all levels.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_fd_share_all_levels" lineno="837">
+<summary>
+Make the file descriptors from the
+specifed domain inheritable by
+all levels.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_context_translate_all_levels" lineno="857">
+<summary>
+Make specified domain MLS trusted
+for translating contexts at all levels.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_db_read_all_levels" lineno="877">
+<summary>
+Make specified domain MLS trusted
+for reading from databases at any level.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_db_write_all_levels" lineno="897">
+<summary>
+Make specified domain MLS trusted
+for writing to databases at any level.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_db_upgrade" lineno="917">
+<summary>
+Make specified domain MLS trusted
+for raising the level of databases.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_db_downgrade" lineno="937">
+<summary>
+Make specified domain MLS trusted
+for lowering the level of databases.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_dbus_send_all_levels" lineno="957">
+<summary>
+Make specified domain MLS trusted
+for sending dbus messages to
+all levels.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mls_dbus_recv_all_levels" lineno="978">
+<summary>
+Make specified domain MLS trusted
+for receiving dbus messages from
+all levels.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="selinux" filename="policy/modules/kernel/selinux.if">
+<summary>
+Policy for kernel security interface, in particular, selinuxfs.
+</summary>
+<required val="true">
+Contains the policy for the kernel SELinux security interface.
+</required>
+<interface name="selinux_labeled_boolean" lineno="34">
+<summary>
+Make the specified type used for labeling SELinux Booleans.
+This interface is only usable in the base module.
+</summary>
+<desc>
+<p>
+Make the specified type used for labeling SELinux Booleans.
+</p>
+<p>
+This makes use of genfscon statements, which are only
+available in the base module. Thus any module which calls this
+interface must be included in the base module.
+</p>
+</desc>
+<param name="type">
+<summary>
+Type used for labeling a Boolean.
+</summary>
+</param>
+<param name="boolean">
+<summary>
+Name of the Boolean.
+</summary>
+</param>
+</interface>
+<interface name="selinux_get_fs_mount" lineno="56">
+<summary>
+Get the mountpoint of the selinuxfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="selinux_dontaudit_get_fs_mount" lineno="82">
+<summary>
+Do not audit attempts to get the mountpoint
+of the selinuxfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="selinux_mount_fs" lineno="107">
+<summary>
+Mount the selinuxfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="selinux_remount_fs" lineno="126">
+<summary>
+Remount the selinuxfs filesystem.
+This allows some mount options to be changed.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="selinux_unmount_fs" lineno="144">
+<summary>
+Unmount the selinuxfs filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="selinux_getattr_fs" lineno="162">
+<summary>
+Get the attributes of the selinuxfs filesystem
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="selinux_dontaudit_getattr_fs" lineno="181">
+<summary>
+Do not audit attempts to get the
+attributes of the selinuxfs filesystem
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="selinux_dontaudit_getattr_dir" lineno="200">
+<summary>
+Do not audit attempts to get the
+attributes of the selinuxfs directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="selinux_search_fs" lineno="218">
+<summary>
+Search selinuxfs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="selinux_dontaudit_search_fs" lineno="236">
+<summary>
+Do not audit attempts to search selinuxfs.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="selinux_dontaudit_read_fs" lineno="255">
+<summary>
+Do not audit attempts to read
+generic selinuxfs entries
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="selinux_get_enforce_mode" lineno="276">
+<summary>
+Allows the caller to get the mode of policy enforcement
+(enforcing or permissive mode).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="selinux_set_enforce_mode" lineno="307">
+<summary>
+Allow caller to set the mode of policy enforcement
+(enforcing or permissive mode).
+</summary>
+<desc>
+<p>
+Allow caller to set the mode of policy enforcement
+(enforcing or permissive mode).
+</p>
+<p>
+Since this is a security event, this action is
+always audited.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="selinux_load_policy" lineno="338">
+<summary>
+Allow caller to load the policy into the kernel.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="selinux_read_policy" lineno="369">
+<summary>
+Allow caller to read the policy from the kernel.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="selinux_set_boolean" lineno="406">
+<summary>
+Allow caller to set the state of Booleans to
+enable or disable conditional portions of the policy. (Deprecated)
+</summary>
+<desc>
+<p>
+Allow caller to set the state of Booleans to
+enable or disable conditional portions of the policy.
+</p>
+<p>
+Since this is a security event, this action is
+always audited.
+</p>
+<p>
+This interface has been deprecated. Please use
+selinux_set_generic_booleans() or selinux_set_all_booleans()
+instead.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="selinux_set_generic_booleans" lineno="433">
+<summary>
+Allow caller to set the state of generic Booleans to
+enable or disable conditional portions of the policy.
+</summary>
+<desc>
+<p>
+Allow caller to set the state of generic Booleans to
+enable or disable conditional portions of the policy.
+</p>
+<p>
+Since this is a security event, this action is
+always audited.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="selinux_set_all_booleans" lineno="471">
+<summary>
+Allow caller to set the state of all Booleans to
+enable or disable conditional portions of the policy.
+</summary>
+<desc>
+<p>
+Allow caller to set the state of all Booleans to
+enable or disable conditional portions of the policy.
+</p>
+<p>
+Since this is a security event, this action is
+always audited.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="selinux_set_parameters" lineno="516">
+<summary>
+Allow caller to set SELinux access vector cache parameters.
+</summary>
+<desc>
+<p>
+Allow caller to set SELinux access vector cache parameters.
+The allows the domain to set performance related parameters
+of the AVC, such as cache threshold.
+</p>
+<p>
+Since this is a security event, this action is
+always audited.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="selinux_validate_context" lineno="540">
+<summary>
+Allows caller to validate security contexts.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="selinux_dontaudit_validate_context" lineno="561">
+<summary>
+Do not audit attempts to validate security contexts.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="selinux_compute_access_vector" lineno="582">
+<summary>
+Allows caller to compute an access vector.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="selinux_compute_create_context" lineno="603">
+<summary>
+Calculate the default type for object creation.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="selinux_compute_member" lineno="624">
+<summary>
+Allows caller to compute polyinstatntiated
+directory members.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="selinux_compute_relabel_context" lineno="653">
+<summary>
+Calculate the context for relabeling objects.
+</summary>
+<desc>
+<p>
+Calculate the context for relabeling objects.
+This is determined by using the type_change
+rules in the policy, and is generally used
+for determining the context for relabeling
+a terminal when a user logs in.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="selinux_compute_user_contexts" lineno="673">
+<summary>
+Allows caller to compute possible contexts for a user.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="selinux_unconfined" lineno="693">
+<summary>
+Unconfined access to the SELinux kernel security server.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<bool name="secure_mode_policyload" dftval="false">
+<desc>
+<p>
+Boolean to determine whether the system permits loading policy, setting
+enforcing mode, and changing boolean values. Set this to true and you
+have to reboot to set it back.
+</p>
+</desc>
+</bool>
+</module>
+<module name="storage" filename="policy/modules/kernel/storage.if">
+<summary>Policy controlling access to storage devices</summary>
+<interface name="storage_getattr_fixed_disk_dev" lineno="14">
+<summary>
+Allow the caller to get the attributes of fixed disk
+device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_dontaudit_getattr_fixed_disk_dev" lineno="34">
+<summary>
+Do not audit attempts made by the caller to get
+the attributes of fixed disk device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="storage_setattr_fixed_disk_dev" lineno="54">
+<summary>
+Allow the caller to set the attributes of fixed disk
+device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_dontaudit_setattr_fixed_disk_dev" lineno="74">
+<summary>
+Do not audit attempts made by the caller to set
+the attributes of fixed disk device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="storage_raw_read_fixed_disk" lineno="95">
+<summary>
+Allow the caller to directly read from a fixed disk.
+This is extremly dangerous as it can bypass the
+SELinux protections for filesystem objects, and
+should only be used by trusted domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_dontaudit_read_fixed_disk" lineno="118">
+<summary>
+Do not audit attempts made by the caller to read
+fixed disk device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="storage_raw_write_fixed_disk" lineno="141">
+<summary>
+Allow the caller to directly write to a fixed disk.
+This is extremly dangerous as it can bypass the
+SELinux protections for filesystem objects, and
+should only be used by trusted domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_dontaudit_write_fixed_disk" lineno="164">
+<summary>
+Do not audit attempts made by the caller to write
+fixed disk device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="storage_raw_rw_fixed_disk" lineno="186">
+<summary>
+Allow the caller to directly read and write to a fixed disk.
+This is extremly dangerous as it can bypass the
+SELinux protections for filesystem objects, and
+should only be used by trusted domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_create_fixed_disk_dev" lineno="201">
+<summary>
+Allow the caller to create fixed disk device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_delete_fixed_disk_dev" lineno="221">
+<summary>
+Allow the caller to create fixed disk device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_manage_fixed_disk" lineno="240">
+<summary>
+Create, read, write, and delete fixed disk device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_dev_filetrans_fixed_disk" lineno="264">
+<summary>
+Create block devices in /dev with the fixed disk type
+via an automatic type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_tmpfs_filetrans_fixed_disk" lineno="283">
+<summary>
+Create block devices in on a tmpfs filesystem with the
+fixed disk type via an automatic type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_relabel_fixed_disk" lineno="301">
+<summary>
+Relabel fixed disk device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_swapon_fixed_disk" lineno="320">
+<summary>
+Enable a fixed disk device as swap space
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_getattr_fuse_dev" lineno="340">
+<summary>
+Allow the caller to get the attributes
+of device nodes of fuse devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_rw_fuse" lineno="359">
+<summary>
+read or write fuse device interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_dontaudit_rw_fuse" lineno="378">
+<summary>
+Do not audit attempts to read or write
+fuse device interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="storage_getattr_scsi_generic_dev" lineno="397">
+<summary>
+Allow the caller to get the attributes of
+the generic SCSI interface device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_setattr_scsi_generic_dev" lineno="417">
+<summary>
+Allow the caller to set the attributes of
+the generic SCSI interface device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_read_scsi_generic" lineno="440">
+<summary>
+Allow the caller to directly read, in a
+generic fashion, from any SCSI device.
+This is extremly dangerous as it can bypass the
+SELinux protections for filesystem objects, and
+should only be used by trusted domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_write_scsi_generic" lineno="465">
+<summary>
+Allow the caller to directly write, in a
+generic fashion, from any SCSI device.
+This is extremly dangerous as it can bypass the
+SELinux protections for filesystem objects, and
+should only be used by trusted domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_setattr_scsi_generic_dev_dev" lineno="487">
+<summary>
+Set attributes of the device nodes
+for the SCSI generic inerface.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_dontaudit_rw_scsi_generic" lineno="507">
+<summary>
+Do not audit attempts to read or write
+SCSI generic device interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="storage_getattr_removable_dev" lineno="526">
+<summary>
+Allow the caller to get the attributes of removable
+devices device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_dontaudit_getattr_removable_dev" lineno="546">
+<summary>
+Do not audit attempts made by the caller to get
+the attributes of removable devices device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="storage_dontaudit_read_removable_device" lineno="565">
+<summary>
+Do not audit attempts made by the caller to read
+removable devices device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="storage_dontaudit_write_removable_device" lineno="585">
+<summary>
+Do not audit attempts made by the caller to write
+removable devices device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="storage_setattr_removable_dev" lineno="604">
+<summary>
+Allow the caller to set the attributes of removable
+devices device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_dontaudit_setattr_removable_dev" lineno="624">
+<summary>
+Do not audit attempts made by the caller to set
+the attributes of removable devices device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="storage_raw_read_removable_device" lineno="646">
+<summary>
+Allow the caller to directly read from
+a removable device.
+This is extremly dangerous as it can bypass the
+SELinux protections for filesystem objects, and
+should only be used by trusted domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_dontaudit_raw_read_removable_device" lineno="665">
+<summary>
+Do not audit attempts to directly read removable devices.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="storage_raw_write_removable_device" lineno="687">
+<summary>
+Allow the caller to directly write to
+a removable device.
+This is extremly dangerous as it can bypass the
+SELinux protections for filesystem objects, and
+should only be used by trusted domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_dontaudit_raw_write_removable_device" lineno="706">
+<summary>
+Do not audit attempts to directly write removable devices.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="storage_read_tape" lineno="725">
+<summary>
+Allow the caller to directly read
+a tape device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_write_tape" lineno="745">
+<summary>
+Allow the caller to directly read
+a tape device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_getattr_tape_dev" lineno="765">
+<summary>
+Allow the caller to get the attributes
+of device nodes of tape devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_setattr_tape_dev" lineno="785">
+<summary>
+Allow the caller to set the attributes
+of device nodes of tape devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="storage_unconfined" lineno="804">
+<summary>
+Unconfined access to storage devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="terminal" filename="policy/modules/kernel/terminal.if">
+<summary>Policy for terminals.</summary>
+<required val="true">
+Depended on by other required modules.
+</required>
+<interface name="term_pty" lineno="16">
+<summary>
+Transform specified type into a pty type.
+</summary>
+<param name="pty_type">
+<summary>
+An object type that will applied to a pty.
+</summary>
+</param>
+</interface>
+<interface name="term_user_pty" lineno="45">
+<summary>
+Transform specified type into an user
+pty type. This allows it to be relabeled via
+type change by login programs such as ssh.
+</summary>
+<param name="userdomain">
+<summary>
+The type of the user domain associated with
+this pty.
+</summary>
+</param>
+<param name="object_type">
+<summary>
+An object type that will applied to a pty.
+</summary>
+</param>
+</interface>
+<interface name="term_login_pty" lineno="65">
+<summary>
+Transform specified type into a pty type
+used by login programs, such as sshd.
+</summary>
+<param name="pty_type">
+<summary>
+An object type that will applied to a pty.
+</summary>
+</param>
+</interface>
+<interface name="term_tty" lineno="84">
+<summary>
+Transform specified type into a tty type.
+</summary>
+<param name="tty_type">
+<summary>
+An object type that will applied to a tty.
+</summary>
+</param>
+</interface>
+<interface name="term_user_tty" lineno="110">
+<summary>
+Transform specified type into a user tty type.
+</summary>
+<param name="domain">
+<summary>
+User domain that is related to this tty.
+</summary>
+</param>
+<param name="tty_type">
+<summary>
+An object type that will applied to a tty.
+</summary>
+</param>
+</interface>
+<interface name="term_create_pty" lineno="149">
+<summary>
+Create a pty in the /dev/pts directory.
+</summary>
+<param name="domain">
+<summary>
+The type of the process creating the pty.
+</summary>
+</param>
+<param name="pty_type">
+<summary>
+The type of the pty.
+</summary>
+</param>
+</interface>
+<interface name="term_write_all_terms" lineno="175">
+<summary>
+Write the console, all
+ttys and all ptys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_use_all_terms" lineno="198">
+<summary>
+Read and write the console, all
+ttys and all ptys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_write_console" lineno="220">
+<summary>
+Write to the console.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_read_console" lineno="240">
+<summary>
+Read from the console.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_dontaudit_read_console" lineno="260">
+<summary>
+Do not audit attempts to read from the console.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_use_console" lineno="279">
+<summary>
+Read from and write to the console.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_dontaudit_use_console" lineno="299">
+<summary>
+Do not audit attemtps to read from
+or write to the console.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_setattr_console" lineno="319">
+<summary>
+Set the attributes of the console
+device node.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_relabel_console" lineno="338">
+<summary>
+Relabel from and to the console type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_create_console_dev" lineno="357">
+<summary>
+Create the console device (/dev/console).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_getattr_pty_fs" lineno="377">
+<summary>
+Get the attributes of a pty filesystem
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_dontaudit_getattr_pty_dirs" lineno="396">
+<summary>
+Do not audit attempts to get the
+attributes of the /dev/pts directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_search_ptys" lineno="414">
+<summary>
+Search the contents of the /dev/pts directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_dontaudit_search_ptys" lineno="434">
+<summary>
+Do not audit attempts to search the
+contents of the /dev/pts directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_list_ptys" lineno="454">
+<summary>
+Read the /dev/pts directory to
+list all ptys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_dontaudit_list_ptys" lineno="474">
+<summary>
+Do not audit attempts to read the
+/dev/pts directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_dontaudit_manage_pty_dirs" lineno="493">
+<summary>
+Do not audit attempts to create, read,
+write, or delete the /dev/pts directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_dontaudit_getattr_generic_ptys" lineno="512">
+<summary>
+Do not audit attempts to get the attributes
+of generic pty devices.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_ioctl_generic_ptys" lineno="530">
+<summary>
+ioctl of generic pty devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_setattr_generic_ptys" lineno="552">
+<summary>
+Allow setting the attributes of
+generic pty devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_dontaudit_setattr_generic_ptys" lineno="572">
+<summary>
+Dontaudit setting the attributes of
+generic pty devices.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_use_generic_ptys" lineno="592">
+<summary>
+Read and write the generic pty
+type. This is generally only used in
+the targeted policy.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_dontaudit_use_generic_ptys" lineno="614">
+<summary>
+Dot not audit attempts to read and
+write the generic pty type. This is
+generally only used in the targeted policy.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_setattr_controlling_term" lineno="632">
+<summary>
+Set the attributes of the tty device
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_use_controlling_term" lineno="652">
+<summary>
+Read and write the controlling
+terminal (/dev/tty).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_getattr_ptmx" lineno="671">
+<summary>
+Get the attributes of the pty multiplexor (/dev/ptmx).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_dontaudit_getattr_ptmx" lineno="690">
+<summary>
+Do not audit attempts to get attributes
+on the pty multiplexor (/dev/ptmx).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_use_ptmx" lineno="708">
+<summary>
+Read and write the pty multiplexor (/dev/ptmx).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_dontaudit_use_ptmx" lineno="728">
+<summary>
+Do not audit attempts to read and
+write the pty multiplexor (/dev/ptmx).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_getattr_all_ptys" lineno="748">
+<summary>
+Get the attributes of all
+pty device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_dontaudit_getattr_all_ptys" lineno="771">
+<summary>
+Do not audit attempts to get the
+attributes of any pty
+device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_setattr_all_ptys" lineno="791">
+<summary>
+Set the attributes of all
+pty device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_relabelto_all_ptys" lineno="812">
+<summary>
+Relabel to all ptys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_write_all_ptys" lineno="830">
+<summary>
+Write to all ptys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_use_all_ptys" lineno="850">
+<summary>
+Read and write all ptys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_dontaudit_use_all_ptys" lineno="871">
+<summary>
+Do not audit attempts to read or write any ptys.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_relabel_all_ptys" lineno="889">
+<summary>
+Relabel from and to all pty device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_getattr_all_user_ptys" lineno="911">
+<summary>
+Get the attributes of all user
+pty device nodes. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_dontaudit_getattr_all_user_ptys" lineno="928">
+<summary>
+Do not audit attempts to get the
+attributes of any user pty
+device nodes. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_setattr_all_user_ptys" lineno="945">
+<summary>
+Set the attributes of all user
+pty device nodes. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_relabelto_all_user_ptys" lineno="960">
+<summary>
+Relabel to all user ptys. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_write_all_user_ptys" lineno="975">
+<summary>
+Write to all user ptys. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_use_all_user_ptys" lineno="991">
+<summary>
+Read and write all user ptys. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_dontaudit_use_all_user_ptys" lineno="1007">
+<summary>
+Do not audit attempts to read any
+user ptys. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_relabel_all_user_ptys" lineno="1023">
+<summary>
+Relabel from and to all user
+user pty device nodes. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_getattr_unallocated_ttys" lineno="1040">
+<summary>
+Get the attributes of all unallocated
+tty device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_dontaudit_getattr_unallocated_ttys" lineno="1060">
+<summary>
+Do not audit attempts to get the attributes
+of all unallocated tty device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_setattr_unallocated_ttys" lineno="1080">
+<summary>
+Set the attributes of all unallocated
+tty device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_dontaudit_setattr_unallocated_ttys" lineno="1100">
+<summary>
+Do not audit attempts to set the attributes
+of unallocated tty device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_dontaudit_ioctl_unallocated_ttys" lineno="1119">
+<summary>
+Do not audit attempts to ioctl
+unallocated tty device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_relabel_unallocated_ttys" lineno="1138">
+<summary>
+Relabel from and to the unallocated
+tty type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_reset_tty_labels" lineno="1158">
+<summary>
+Relabel from all user tty types to
+the unallocated tty type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_append_unallocated_ttys" lineno="1179">
+<summary>
+Append to unallocated ttys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_write_unallocated_ttys" lineno="1198">
+<summary>
+Write to unallocated ttys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_use_unallocated_ttys" lineno="1218">
+<summary>
+Read and write unallocated ttys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_dontaudit_use_unallocated_ttys" lineno="1238">
+<summary>
+Do not audit attempts to read or
+write unallocated ttys.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_getattr_all_ttys" lineno="1257">
+<summary>
+Get the attributes of all tty device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_dontaudit_getattr_all_ttys" lineno="1277">
+<summary>
+Do not audit attempts to get the
+attributes of any tty device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_setattr_all_ttys" lineno="1297">
+<summary>
+Set the attributes of all tty device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_relabel_all_ttys" lineno="1316">
+<summary>
+Relabel from and to all tty device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_write_all_ttys" lineno="1335">
+<summary>
+Write to all ttys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_use_all_ttys" lineno="1355">
+<summary>
+Read and write all ttys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_dontaudit_use_all_ttys" lineno="1375">
+<summary>
+Do not audit attempts to read or write
+any ttys.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_getattr_all_user_ttys" lineno="1395">
+<summary>
+Get the attributes of all user tty
+device nodes. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_dontaudit_getattr_all_user_ttys" lineno="1412">
+<summary>
+Do not audit attempts to get the
+attributes of any user tty
+device nodes. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="term_setattr_all_user_ttys" lineno="1429">
+<summary>
+Set the attributes of all user tty
+device nodes. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_relabel_all_user_ttys" lineno="1445">
+<summary>
+Relabel from and to all user
+user tty device nodes. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_write_all_user_ttys" lineno="1460">
+<summary>
+Write to all user ttys. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="term_use_all_user_ttys" lineno="1476">
+<summary>
+Read and write all user to all user ttys. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="term_dontaudit_use_all_user_ttys" lineno="1492">
+<summary>
+Do not audit attempts to read or write
+any user ttys. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="ubac" filename="policy/modules/kernel/ubac.if">
+<summary>User-based access control policy</summary>
+<required val="true">
+Contains attributes used in UBAC policy.
+</required>
+<interface name="ubac_constrained" lineno="29">
+<summary>
+Constrain by user-based access control (UBAC).
+</summary>
+<desc>
+<p>
+Constrain the specified type by user-based
+access control (UBAC). Typically, these are
+user processes or user files that need to be
+differentiated by SELinux user. Normally this
+does not include administrative or privileged
+programs. For the UBAC rules to be enforced,
+both the subject (source) type and the object
+(target) types must be UBAC constrained.
+</p>
+</desc>
+<param name="type">
+<summary>
+Type to be constrained by UBAC.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="ubac_file_exempt" lineno="47">
+<summary>
+Exempt user-based access control for files.
+</summary>
+<param name="domain">
+<summary>
+Domain to be exempted.
+</summary>
+</param>
+</interface>
+<interface name="ubac_process_exempt" lineno="65">
+<summary>
+Exempt user-based access control for processes.
+</summary>
+<param name="domain">
+<summary>
+Domain to be exempted.
+</summary>
+</param>
+</interface>
+<interface name="ubac_fd_exempt" lineno="83">
+<summary>
+Exempt user-based access control for file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to be exempted.
+</summary>
+</param>
+</interface>
+<interface name="ubac_socket_exempt" lineno="101">
+<summary>
+Exempt user-based access control for sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to be exempted.
+</summary>
+</param>
+</interface>
+<interface name="ubac_sysvipc_exempt" lineno="119">
+<summary>
+Exempt user-based access control for SysV IPC.
+</summary>
+<param name="domain">
+<summary>
+Domain to be exempted.
+</summary>
+</param>
+</interface>
+<interface name="ubac_xwin_exempt" lineno="137">
+<summary>
+Exempt user-based access control for X Windows.
+</summary>
+<param name="domain">
+<summary>
+Domain to be exempted.
+</summary>
+</param>
+</interface>
+<interface name="ubac_dbus_exempt" lineno="155">
+<summary>
+Exempt user-based access control for dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain to be exempted.
+</summary>
+</param>
+</interface>
+<interface name="ubac_key_exempt" lineno="173">
+<summary>
+Exempt user-based access control for keys.
+</summary>
+<param name="domain">
+<summary>
+Domain to be exempted.
+</summary>
+</param>
+</interface>
+<interface name="ubac_db_exempt" lineno="191">
+<summary>
+Exempt user-based access control for databases.
+</summary>
+<param name="domain">
+<summary>
+Domain to be exempted.
+</summary>
+</param>
+</interface>
+</module>
+</layer>
+<layer name="roles">
+<summary>Policy modules for user roles.</summary>
+<module name="auditadm" filename="policy/modules/roles/auditadm.if">
+<summary>Audit administrator role</summary>
+<interface name="auditadm_role_change" lineno="14">
+<summary>
+Change to the audit administrator role.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="auditadm_role_change_to" lineno="44">
+<summary>
+Change from the audit administrator role.
+</summary>
+<desc>
+<p>
+Change from the audit administrator role to
+the specified role.
+</p>
+<p>
+This is an interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="logadm" filename="policy/modules/roles/logadm.if">
+<summary>Log administrator role</summary>
+<interface name="logadm_role_change" lineno="14">
+<summary>
+Change to the log administrator role.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logadm_role_change_to" lineno="44">
+<summary>
+Change from the log administrator role.
+</summary>
+<desc>
+<p>
+Change from the log administrator role to
+the specified role.
+</p>
+<p>
+This is an interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="secadm" filename="policy/modules/roles/secadm.if">
+<summary>Security administrator role</summary>
+<interface name="secadm_role_change" lineno="14">
+<summary>
+Change to the security administrator role.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="secadm_role_change_to_template" lineno="44">
+<summary>
+Change from the security administrator role.
+</summary>
+<desc>
+<p>
+Change from the security administrator role to
+the specified role.
+</p>
+<p>
+This is an interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="staff" filename="policy/modules/roles/staff.if">
+<summary>Administrator's unprivileged user role</summary>
+<interface name="staff_role_change" lineno="14">
+<summary>
+Change to the staff role.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="staff_role_change_to" lineno="44">
+<summary>
+Change from the staff role.
+</summary>
+<desc>
+<p>
+Change from the staff role to
+the specified role.
+</p>
+<p>
+This is an interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="sysadm" filename="policy/modules/roles/sysadm.if">
+<summary>General system administration role</summary>
+<interface name="sysadm_role_change" lineno="14">
+<summary>
+Change to the system administrator role.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="sysadm_role_change_to" lineno="44">
+<summary>
+Change from the system administrator role.
+</summary>
+<desc>
+<p>
+Change from the system administrator role to
+the specified role.
+</p>
+<p>
+This is an interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="sysadm_shell_domtrans" lineno="62">
+<summary>
+Execute a shell in the sysadm domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysadm_bin_spec_domtrans" lineno="83">
+<summary>
+Execute a generic bin program in the sysadm domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysadm_entry_spec_domtrans" lineno="106">
+<summary>
+Execute all entrypoint files in the sysadm domain. This
+is an explicit transition, requiring the
+caller to use setexeccon().
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysadm_entry_spec_domtrans_to" lineno="141">
+<summary>
+Allow sysadm to execute all entrypoint files in
+a specified domain. This is an explicit transition,
+requiring the caller to use setexeccon().
+</summary>
+<desc>
+<p>
+Allow sysadm to execute all entrypoint files in
+a specified domain. This is an explicit transition,
+requiring the caller to use setexeccon().
+</p>
+<p>
+This is a interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysadm_bin_spec_domtrans_to" lineno="175">
+<summary>
+Allow sysadm to execute a generic bin program in
+a specified domain. This is an explicit transition,
+requiring the caller to use setexeccon().
+</summary>
+<desc>
+<p>
+Allow sysadm to execute a generic bin program in
+a specified domain.
+</p>
+<p>
+This is a interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to execute in.
+</summary>
+</param>
+</interface>
+<interface name="sysadm_sigchld" lineno="196">
+<summary>
+Send a SIGCHLD signal to sysadm users.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysadm_use_fds" lineno="214">
+<summary>
+Inherit and use sysadm file descriptors
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysadm_rw_pipes" lineno="232">
+<summary>
+Read and write sysadm user unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="allow_ptrace" dftval="false">
+<desc>
+<p>
+Allow sysadm to debug or ptrace all processes.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="unprivuser" filename="policy/modules/roles/unprivuser.if">
+<summary>Generic unprivileged user role</summary>
+<interface name="unprivuser_role_change" lineno="14">
+<summary>
+Change to the generic user role.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="unprivuser_role_change_to" lineno="44">
+<summary>
+Change from the generic user role.
+</summary>
+<desc>
+<p>
+Change from the generic user role to
+the specified role.
+</p>
+<p>
+This is an interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+</layer>
+<layer name="services">
+<summary>
+ Policy modules for system services, like cron, and network services,
+ like sshd.
+</summary>
+<module name="postgresql" filename="policy/modules/services/postgresql.if">
+<summary>PostgreSQL relational database</summary>
+<interface name="postgresql_role" lineno="18">
+<summary>
+Role access for SE-PostgreSQL.
+</summary>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_loadable_module" lineno="103">
+<summary>
+Marks as a SE-PostgreSQL loadable shared library module
+</summary>
+<param name="type">
+<summary>
+Type marked as a database object type.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_database_object" lineno="121">
+<summary>
+Marks as a SE-PostgreSQL database object type
+</summary>
+<param name="type">
+<summary>
+Type marked as a database object type.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_schema_object" lineno="139">
+<summary>
+Marks as a SE-PostgreSQL schema object type
+</summary>
+<param name="type">
+<summary>
+Type marked as a schema object type.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_table_object" lineno="157">
+<summary>
+Marks as a SE-PostgreSQL table/column/tuple object type
+</summary>
+<param name="type">
+<summary>
+Type marked as a table/column/tuple object type.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_system_table_object" lineno="175">
+<summary>
+Marks as a SE-PostgreSQL system table/column/tuple object type
+</summary>
+<param name="type">
+<summary>
+Type marked as a table/column/tuple object type.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_sequence_object" lineno="194">
+<summary>
+Marks as a SE-PostgreSQL sequence type
+</summary>
+<param name="type">
+<summary>
+Type marked as a sequence type.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_view_object" lineno="212">
+<summary>
+Marks as a SE-PostgreSQL view object type
+</summary>
+<param name="type">
+<summary>
+Type marked as a view object type.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_procedure_object" lineno="230">
+<summary>
+Marks as a SE-PostgreSQL procedure object type
+</summary>
+<param name="type">
+<summary>
+Type marked as a database object type.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_language_object" lineno="248">
+<summary>
+Marks as a SE-PostgreSQL procedural language object type
+</summary>
+<param name="type">
+<summary>
+Type marked as a procedural language object type.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_blob_object" lineno="266">
+<summary>
+Marks as a SE-PostgreSQL binary large object type
+</summary>
+<param name="type">
+<summary>
+Type marked as a database binary large object type.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_search_db" lineno="284">
+<summary>
+Allow the specified domain to search postgresql's database directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_manage_db" lineno="301">
+<summary>
+Allow the specified domain to manage postgresql's database.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_domtrans" lineno="321">
+<summary>
+Execute postgresql in the postgresql domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_signal" lineno="339">
+<summary>
+Allow domain to signal postgresql
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_read_config" lineno="357">
+<summary>
+Allow the specified domain to read postgresql's etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="postgresql_tcp_connect" lineno="378">
+<summary>
+Allow the specified domain to connect to postgresql with a tcp socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_stream_connect" lineno="400">
+<summary>
+Allow the specified domain to connect to postgresql with a unix socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="postgresql_unpriv_client" lineno="423">
+<summary>
+Allow the specified domain unprivileged accesses to unifined database objects
+managed by SE-PostgreSQL,
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_unconfined" lineno="508">
+<summary>
+Allow the specified domain unconfined accesses to any database objects
+managed by SE-PostgreSQL,
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="postgresql_admin" lineno="532">
+<summary>
+All of the rules required to administrate an postgresql environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the postgresql domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="sepgsql_enable_users_ddl" dftval="true">
+<desc>
+<p>
+Allow unprived users to execute DDL statement
+</p>
+</desc>
+</tunable>
+<tunable name="sepgsql_unconfined_dbadm" dftval="true">
+<desc>
+<p>
+Allow database admins to execute DML statement
+</p>
+</desc>
+</tunable>
+</module>
+<module name="ssh" filename="policy/modules/services/ssh.if">
+<summary>Secure shell client and server policy.</summary>
+<template name="ssh_basic_client_template" lineno="34">
+<summary>
+Basic SSH client template.
+</summary>
+<desc>
+<p>
+This template creates a derived domains which are used
+for ssh client sessions. A derived
+type is also created to protect the user ssh keys.
+</p>
+<p>
+This template was added for NX.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the domain.
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+</template>
+<template name="ssh_server_template" lineno="171">
+<summary>
+The template to define a ssh server.
+</summary>
+<desc>
+<p>
+This template creates a domains to be used for
+creating a ssh server. This is typically done
+to have multiple ssh servers of different sensitivities,
+such as for an internal network-facing ssh server, and
+a external network-facing ssh server.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the server domain (e.g., sshd
+is the prefix for sshd_t).
+</summary>
+</param>
+</template>
+<template name="ssh_role_template" lineno="296">
+<summary>
+Role access for ssh
+</summary>
+<param name="role_prefix">
+<summary>
+The prefix of the role (e.g., user
+is the prefix for user_r).
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</template>
+<interface name="ssh_sigchld" lineno="440">
+<summary>
+Send a SIGCHLD signal to the ssh server.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_signal" lineno="458">
+<summary>
+Send a generic signal to the ssh server.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_signull" lineno="476">
+<summary>
+Send a null signal to sshd processes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_read_pipes" lineno="494">
+<summary>
+Read a ssh server unnamed pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_rw_pipes" lineno="511">
+<summary>
+Read and write a ssh server unnamed pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_rw_stream_sockets" lineno="529">
+<summary>
+Read and write ssh server unix domain stream sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_rw_tcp_sockets" lineno="547">
+<summary>
+Read and write ssh server TCP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="566">
+<summary>
+Do not audit attempts to read and write
+ssh server TCP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="ssh_tcp_connect" lineno="584">
+<summary>
+Connect to SSH daemons over TCP sockets. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_domtrans" lineno="598">
+<summary>
+Execute the ssh daemon sshd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ssh_exec" lineno="616">
+<summary>
+Execute the ssh client in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_setattr_key_files" lineno="635">
+<summary>
+Set the attributes of sshd key files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_agent_exec" lineno="654">
+<summary>
+Execute the ssh agent client in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_read_user_home_files" lineno="673">
+<summary>
+Read ssh home directory content
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_domtrans_keygen" lineno="694">
+<summary>
+Execute the ssh key generator in the ssh keygen domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ssh_dontaudit_read_server_keys" lineno="712">
+<summary>
+Read ssh server keys
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="ssh_manage_home_files" lineno="730">
+<summary>
+Manage ssh home directory content
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_delete_tmp" lineno="749">
+<summary>
+Delete from the ssh temp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="allow_ssh_keysign" dftval="false">
+<desc>
+<p>
+allow host key based authentication
+</p>
+</desc>
+</tunable>
+<tunable name="ssh_sysadm_login" dftval="false">
+<desc>
+<p>
+Allow ssh logins as sysadm_r:sysadm_t
+</p>
+</desc>
+</tunable>
+</module>
+<module name="xserver" filename="policy/modules/services/xserver.if">
+<summary>X Windows Server</summary>
+<interface name="xserver_restricted_role" lineno="19">
+<summary>
+Rules required for using the X Windows server
+and environment, for restricted users.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_role" lineno="133">
+<summary>
+Rules required for using the X Windows server
+and environment.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_ro_session" lineno="185">
+<summary>
+Create sessions on the X server, with read-only
+access to the X server shared
+memory segments.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="tmpfs_type">
+<summary>
+The type of the domain SYSV tmpfs files.
+</summary>
+</param>
+</interface>
+<interface name="xserver_rw_session" lineno="225">
+<summary>
+Create sessions on the X server, with read and write
+access to the X server shared
+memory segments.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="tmpfs_type">
+<summary>
+The type of the domain SYSV tmpfs files.
+</summary>
+</param>
+</interface>
+<interface name="xserver_non_drawing_client" lineno="245">
+<summary>
+Create non-drawing client sessions on an X server.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_user_client" lineno="282">
+<summary>
+Create full client sessions
+on a user X server.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="tmpfs_type">
+<summary>
+The type of the domain SYSV tmpfs files.
+</summary>
+</param>
+</interface>
+<template name="xserver_common_x_domain_template" lineno="343">
+<summary>
+Interface to provide X object permissions on a given X server to
+an X client domain. Provides the minimal set required by a basic
+X client application.
+</summary>
+<param name="prefix">
+<summary>
+The prefix of the X client domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<param name="domain">
+<summary>
+Client domain allowed access.
+</summary>
+</param>
+</template>
+<template name="xserver_object_types_template" lineno="403">
+<summary>
+Template for creating the set of types used
+in an X windows domain.
+</summary>
+<param name="prefix">
+<summary>
+The prefix of the X client domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+</template>
+<template name="xserver_user_x_domain_template" lineno="445">
+<summary>
+Interface to provide X object permissions on a given X server to
+an X client domain. Provides the minimal set required by a basic
+X client application.
+</summary>
+<param name="prefix">
+<summary>
+The prefix of the X client domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<param name="domain">
+<summary>
+Client domain allowed access.
+</summary>
+</param>
+<param name="tmpfs_type">
+<summary>
+The type of the domain SYSV tmpfs files.
+</summary>
+</param>
+</template>
+<interface name="xserver_use_user_fonts" lineno="512">
+<summary>
+Read user fonts, user font configuration,
+and manage the user font cache.
+</summary>
+<desc>
+<p>
+Read user fonts, user font configuration,
+and manage the user font cache.
+</p>
+<p>
+This is a templated interface, and should only
+be called from a per-userdomain template.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_domtrans_xauth" lineno="542">
+<summary>
+Transition to the Xauthority domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="xserver_user_home_dir_filetrans_user_xauth" lineno="560">
+<summary>
+Create a Xauthority file in the user home directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_use_all_users_fonts" lineno="579">
+<summary>
+Read all users fonts, user font configurations,
+and manage all users font caches.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_read_user_xauth" lineno="594">
+<summary>
+Read all users .Xauthority.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_setattr_console_pipes" lineno="613">
+<summary>
+Set the attributes of the X windows console named pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_rw_console" lineno="631">
+<summary>
+Read and write the X windows console named pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_use_xdm_fds" lineno="649">
+<summary>
+Use file descriptors for xdm.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_dontaudit_use_xdm_fds" lineno="668">
+<summary>
+Do not audit attempts to inherit
+XDM file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="xserver_rw_xdm_pipes" lineno="686">
+<summary>
+Read and write XDM unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_dontaudit_rw_xdm_pipes" lineno="705">
+<summary>
+Do not audit attempts to read and write
+XDM unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="xserver_stream_connect_xdm" lineno="725">
+<summary>
+Connect to XDM over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_read_xdm_rw_config" lineno="744">
+<summary>
+Read xdm-writable configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_setattr_xdm_tmp_dirs" lineno="763">
+<summary>
+Set the attributes of XDM temporary directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_create_xdm_tmp_sockets" lineno="782">
+<summary>
+Create a named socket in a XDM
+temporary directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_read_xdm_pid" lineno="802">
+<summary>
+Read XDM pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_read_xdm_lib_files" lineno="821">
+<summary>
+Read XDM var lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_xsession_entry_type" lineno="839">
+<summary>
+Make an X session script an entrypoint for the specified domain.
+</summary>
+<param name="domain">
+<summary>
+The domain for which the shell is an entrypoint.
+</summary>
+</param>
+</interface>
+<interface name="xserver_xsession_spec_domtrans" lineno="876">
+<summary>
+Execute an X session in the target domain. This
+is an explicit transition, requiring the
+caller to use setexeccon().
+</summary>
+<desc>
+<p>
+Execute an Xsession in the target domain. This
+is an explicit transition, requiring the
+caller to use setexeccon().
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the shell process.
+</summary>
+</param>
+</interface>
+<interface name="xserver_getattr_log" lineno="894">
+<summary>
+Get the attributes of X server logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_dontaudit_write_log" lineno="914">
+<summary>
+Do not audit attempts to write the X server
+log files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="xserver_delete_log" lineno="932">
+<summary>
+Delete X server log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_read_xkb_libs" lineno="953">
+<summary>
+Read X keyboard extension libraries.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_read_xdm_tmp_files" lineno="974">
+<summary>
+Read xdm temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_dontaudit_read_xdm_tmp_files" lineno="993">
+<summary>
+Do not audit attempts to read xdm temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="xserver_rw_xdm_tmp_files" lineno="1012">
+<summary>
+Read write xdm temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_manage_xdm_tmp_files" lineno="1031">
+<summary>
+Create, read, write, and delete xdm temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_dontaudit_getattr_xdm_tmp_sockets" lineno="1050">
+<summary>
+Do not audit attempts to get the attributes of
+xdm temporary named sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="xserver_domtrans" lineno="1068">
+<summary>
+Execute the X server in the X server domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="xserver_signal" lineno="1087">
+<summary>
+Signal X servers
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_kill" lineno="1105">
+<summary>
+Kill X servers
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_rw_shm" lineno="1124">
+<summary>
+Read and write X server Sys V Shared
+memory segments.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_dontaudit_rw_tcp_sockets" lineno="1143">
+<summary>
+Do not audit attempts to read and write to
+X server sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="xserver_dontaudit_rw_stream_sockets" lineno="1162">
+<summary>
+Do not audit attempts to read and write X server
+unix domain stream sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="xserver_stream_connect" lineno="1181">
+<summary>
+Connect to the X server over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_read_tmp_files" lineno="1200">
+<summary>
+Read X server temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_manage_core_devices" lineno="1221">
+<summary>
+Interface to provide X object permissions on a given X server to
+an X client domain. Gives the domain permission to read the
+virtual core keyboard and virtual core pointer devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xserver_unconfined" lineno="1244">
+<summary>
+Interface to provide X object permissions on a given X server to
+an X client domain. Gives the domain complete control over the
+display.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="allow_write_xshm" dftval="false">
+<desc>
+<p>
+Allows clients to write to the X server shared
+memory segments.
+</p>
+</desc>
+</tunable>
+<tunable name="xdm_sysadm_login" dftval="false">
+<desc>
+<p>
+Allow xdm logins as sysadm
+</p>
+</desc>
+</tunable>
+<tunable name="xserver_object_manager" dftval="false">
+<desc>
+<p>
+Support X userspace object manager
+</p>
+</desc>
+</tunable>
+</module>
+</layer>
+<layer name="system">
+<summary>
+ Policy modules for system functions from init to multi-user login.
+</summary>
+<module name="application" filename="policy/modules/system/application.if">
+<summary>Policy for user executable applications.</summary>
+<interface name="application_type" lineno="13">
+<summary>
+Make the specified type usable as an application domain.
+</summary>
+<param name="type">
+<summary>
+Type to be used as a domain type.
+</summary>
+</param>
+</interface>
+<interface name="application_executable_file" lineno="36">
+<summary>
+Make the specified type usable for files
+that are exectuables, such as binary programs.
+This does not include shared libraries.
+</summary>
+<param name="type">
+<summary>
+Type to be used for files.
+</summary>
+</param>
+</interface>
+<interface name="application_exec" lineno="56">
+<summary>
+Execute application executables in the caller domain.
+</summary>
+<param name="type">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="application_exec_all" lineno="75">
+<summary>
+Execute all executable files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="application_domain" lineno="110">
+<summary>
+Create a domain for applications.
+</summary>
+<desc>
+<p>
+Create a domain for applications. Typically these are
+programs that are run interactively.
+</p>
+<p>
+The types will be made usable as a domain and file, making
+calls to domain_type() and files_type() redundant.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used as an application domain.
+</summary>
+</param>
+<param name="entry_point">
+<summary>
+Type of the program to be used as an entry point to this domain.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="application_signull" lineno="126">
+<summary>
+Send null signals to all application domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="application_dontaudit_signull" lineno="145">
+<summary>
+Do not audit attempts to send null signals
+to all application domains.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="application_signal" lineno="163">
+<summary>
+Send general signals to all application domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="application_dontaudit_signal" lineno="182">
+<summary>
+Do not audit attempts to send general signals
+to all application domains.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="application_dontaudit_sigkill" lineno="201">
+<summary>
+Do not audit attempts to send kill signals
+to all application domains.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+</module>
+<module name="authlogin" filename="policy/modules/system/authlogin.if">
+<summary>Common policy for authentication and user login.</summary>
+<interface name="auth_role" lineno="18">
+<summary>
+Role access for password authentication.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_use_pam" lineno="43">
+<summary>
+Use PAM for authentication.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_login_pgm_domain" lineno="95">
+<summary>
+Make the specified domain used for a login program.
+</summary>
+<param name="domain">
+<summary>
+Domain type used for a login program domain.
+</summary>
+</param>
+</interface>
+<interface name="auth_login_entry_type" lineno="173">
+<summary>
+Use the login program as an entry point program.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_file" lineno="203">
+<summary>
+Make the specified type usable as a
+login file.
+</summary>
+<desc>
+<p>
+Make the specified type usable as a login file,
+This type has restricted modification capabilities when used with
+other interfaces that permit files_type access.
+The default type has properties similar to that of the shadow file.
+This will also make the type usable as a security file, making
+calls to files_security_file() redundant.
+</p>
+</desc>
+<param name="type">
+<summary>
+Type to be used as a login file.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="auth_domtrans_login_program" lineno="227">
+<summary>
+Execute a login_program in the target domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the login_program process.
+</summary>
+</param>
+</interface>
+<interface name="auth_ranged_domtrans_login_program" lineno="257">
+<summary>
+Execute a login_program in the target domain,
+with a range transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the login_program process.
+</summary>
+</param>
+<param name="range">
+<summary>
+Range of the login program.
+</summary>
+</param>
+</interface>
+<interface name="auth_search_cache" lineno="283">
+<summary>
+Search authentication cache
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_read_cache" lineno="301">
+<summary>
+Read authentication cache
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_rw_cache" lineno="319">
+<summary>
+Read/Write authentication cache
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_manage_cache" lineno="337">
+<summary>
+Manage authentication cache
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_var_filetrans_cache" lineno="356">
+<summary>
+Automatic transition from cache_t to cache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_domtrans_chk_passwd" lineno="374">
+<summary>
+Run unix_chkpwd to check a password.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="auth_domtrans_chkpwd" lineno="422">
+<summary>
+Run unix_chkpwd to check a password.
+Stripped down version to be called within boolean
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="auth_run_chk_passwd" lineno="448">
+<summary>
+Execute chkpwd programs in the chkpwd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the chkpwd domain.
+</summary>
+</param>
+</interface>
+<interface name="auth_domtrans_upd_passwd" lineno="467">
+<summary>
+Execute a domain transition to run unix_update.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="auth_run_upd_passwd" lineno="492">
+<summary>
+Execute updpwd programs in the updpwd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the updpwd domain.
+</summary>
+</param>
+</interface>
+<interface name="auth_getattr_shadow" lineno="511">
+<summary>
+Get the attributes of the shadow passwords file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_dontaudit_getattr_shadow" lineno="531">
+<summary>
+Do not audit attempts to get the attributes
+of the shadow passwords file.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="auth_read_shadow" lineno="553">
+<summary>
+Read the shadow passwords file (/etc/shadow)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_can_read_shadow_passwords" lineno="577">
+<summary>
+Pass shadow assertion for reading.
+</summary>
+<desc>
+<p>
+Pass shadow assertion for reading.
+This should only be used with
+auth_tunable_read_shadow(), and
+only exists because typeattribute
+does not work in conditionals.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_tunable_read_shadow" lineno="603">
+<summary>
+Read the shadow password file.
+</summary>
+<desc>
+<p>
+Read the shadow password file. This
+should only be used in a conditional;
+it does not pass the reading shadow
+assertion.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_dontaudit_read_shadow" lineno="623">
+<summary>
+Do not audit attempts to read the shadow
+password file (/etc/shadow).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="auth_rw_shadow" lineno="641">
+<summary>
+Read and write the shadow password file (/etc/shadow).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_manage_shadow" lineno="663">
+<summary>
+Create, read, write, and delete the shadow
+password file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_etc_filetrans_shadow" lineno="683">
+<summary>
+Automatic transition from etc to shadow.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_relabelto_shadow" lineno="702">
+<summary>
+Relabel to the shadow
+password file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_relabel_shadow" lineno="724">
+<summary>
+Relabel from and to the shadow
+password file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_append_faillog" lineno="745">
+<summary>
+Append to the login failure log.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_rw_faillog" lineno="764">
+<summary>
+Read and write the login failure log.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_read_lastlog" lineno="784">
+<summary>
+Read the last logins log.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="auth_append_lastlog" lineno="803">
+<summary>
+Append only to the last logins log.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_rw_lastlog" lineno="822">
+<summary>
+Read and write to the last logins log.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_domtrans_pam" lineno="841">
+<summary>
+Execute pam programs in the pam domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="auth_signal_pam" lineno="859">
+<summary>
+Send generic signals to pam processes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_run_pam" lineno="882">
+<summary>
+Execute pam programs in the PAM domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the PAM domain.
+</summary>
+</param>
+</interface>
+<interface name="auth_exec_pam" lineno="901">
+<summary>
+Execute the pam program.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_read_var_auth" lineno="920">
+<summary>
+Read var auth files. Used by various other applications
+and pam applets etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_rw_var_auth" lineno="940">
+<summary>
+Read and write var auth files. Used by various other applications
+and pam applets etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_manage_var_auth" lineno="960">
+<summary>
+Manage var auth files. Used by various other applications
+and pam applets etc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_read_pam_pid" lineno="981">
+<summary>
+Read PAM PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_dontaudit_read_pam_pid" lineno="1001">
+<summary>
+Do not audit attemps to read PAM PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="auth_delete_pam_pid" lineno="1019">
+<summary>
+Delete pam PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_manage_pam_pid" lineno="1039">
+<summary>
+Manage pam PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_domtrans_pam_console" lineno="1059">
+<summary>
+Execute pam_console with a domain transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="auth_search_pam_console_data" lineno="1078">
+<summary>
+Search the contents of the
+pam_console data directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_list_pam_console_data" lineno="1098">
+<summary>
+List the contents of the pam_console
+data directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_relabel_pam_console_data_dirs" lineno="1117">
+<summary>
+Relabel pam_console data directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_read_pam_console_data" lineno="1135">
+<summary>
+Read pam_console data files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_manage_pam_console_data" lineno="1156">
+<summary>
+Create, read, write, and delete
+pam_console data files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_delete_pam_console_data" lineno="1176">
+<summary>
+Delete pam_console data.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_read_all_dirs_except_auth_files" lineno="1203">
+<summary>
+Read all directories on the filesystem, except
+login files and listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+</interface>
+<interface name="auth_read_all_dirs_except_shadow" lineno="1228">
+<summary>
+Read all directories on the filesystem, except
+the shadow passwords and listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+</interface>
+<interface name="auth_read_all_files_except_auth_files" lineno="1251">
+<summary>
+Read all files on the filesystem, except
+login files and listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="auth_read_all_files_except_shadow" lineno="1277">
+<summary>
+Read all files on the filesystem, except
+the shadow passwords and listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="auth_read_all_symlinks_except_auth_files" lineno="1299">
+<summary>
+Read all symbolic links on the filesystem, except
+login files and listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+</interface>
+<interface name="auth_read_all_symlinks_except_shadow" lineno="1324">
+<summary>
+Read all symbolic links on the filesystem, except
+the shadow passwords and listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+</interface>
+<interface name="auth_relabel_all_files_except_auth_files" lineno="1346">
+<summary>
+Relabel all files on the filesystem, except
+login files and listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+</interface>
+<interface name="auth_relabel_all_files_except_shadow" lineno="1371">
+<summary>
+Relabel all files on the filesystem, except
+the shadow passwords and listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+</interface>
+<interface name="auth_rw_all_files_except_auth_files" lineno="1393">
+<summary>
+Read and write all files on the filesystem, except
+login files and listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+</interface>
+<interface name="auth_rw_all_files_except_shadow" lineno="1418">
+<summary>
+Read and write all files on the filesystem, except
+the shadow passwords and listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+</interface>
+<interface name="auth_manage_all_files_except_auth_files" lineno="1440">
+<summary>
+Manage all files on the filesystem, except
+login files passwords and listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+</interface>
+<interface name="auth_manage_all_files_except_shadow" lineno="1465">
+<summary>
+Manage all files on the filesystem, except
+the shadow passwords and listed exceptions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="exception_types" optional="true">
+<summary>
+The types to be excluded. Each type or attribute
+must be negated by the caller.
+</summary>
+</param>
+</interface>
+<interface name="auth_domtrans_utempter" lineno="1480">
+<summary>
+Execute utempter programs in the utempter domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="auth_run_utempter" lineno="1503">
+<summary>
+Execute utempter programs in the utempter domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the utempter domain.
+</summary>
+</param>
+</interface>
+<interface name="auth_dontaudit_exec_utempter" lineno="1522">
+<summary>
+Do not audit attemps to execute utempter executable.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="auth_setattr_login_records" lineno="1540">
+<summary>
+Set the attributes of login record files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_read_login_records" lineno="1560">
+<summary>
+Read login records files (/var/log/wtmp).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="auth_dontaudit_read_login_records" lineno="1581">
+<summary>
+Do not audit attempts to read login records
+files (/var/log/wtmp).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="auth_dontaudit_write_login_records" lineno="1600">
+<summary>
+Do not audit attempts to write to
+login records files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="auth_append_login_records" lineno="1618">
+<summary>
+Append to login records (wtmp).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_write_login_records" lineno="1637">
+<summary>
+Write to login records (wtmp).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_rw_login_records" lineno="1655">
+<summary>
+Read and write login records.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_log_filetrans_login_records" lineno="1675">
+<summary>
+Create a login records in the log directory
+using a type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_manage_login_records" lineno="1694">
+<summary>
+Create, read, write, and delete login
+records files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_relabel_login_records" lineno="1713">
+<summary>
+Relabel login record files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_use_nsswitch" lineno="1741">
+<summary>
+Use nsswitch to look up user, password, group, or
+host information.
+</summary>
+<desc>
+<p>
+Allow the specified domain to look up user, password,
+group, or host information using the name service.
+The most common use of this interface is for services
+that do host name resolution (usually DNS resolution).
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="auth_unconfined" lineno="1812">
+<summary>
+Unconfined access to the authlogin module.
+</summary>
+<desc>
+<p>
+Unconfined access to the authlogin module.
+</p>
+<p>
+Currently, this only allows assertions for
+the shadow passwords file (/etc/shadow) to
+be passed. No access is granted yet.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="clock" filename="policy/modules/system/clock.if">
+<summary>Policy for reading and setting the hardware clock.</summary>
+<interface name="clock_domtrans" lineno="13">
+<summary>
+Execute hwclock in the clock domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="clock_run" lineno="38">
+<summary>
+Execute hwclock in the clock domain, and
+allow the specified role the hwclock domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="clock_exec" lineno="57">
+<summary>
+Execute hwclock in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="clock_dontaudit_write_adjtime" lineno="75">
+<summary>
+Do not audit attempts to write clock drift adjustments.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="clock_rw_adjtime" lineno="93">
+<summary>
+Read and write clock drift adjustments.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="fstools" filename="policy/modules/system/fstools.if">
+<summary>Tools for filesystem management, such as mkfs and fsck.</summary>
+<interface name="fstools_domtrans" lineno="13">
+<summary>
+Execute fs tools in the fstools domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="fstools_run" lineno="39">
+<summary>
+Execute fs tools in the fstools domain, and
+allow the specified role the fs tools domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fstools_exec" lineno="58">
+<summary>
+Execute fsadm in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fstools_signal" lineno="76">
+<summary>
+Send signal to fsadm process
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fstools_read_pipes" lineno="94">
+<summary>
+Read fstools unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fstools_relabelto_entry_files" lineno="113">
+<summary>
+Relabel a file to the type used by the
+filesystem tools programs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fstools_manage_entry_files" lineno="132">
+<summary>
+Create, read, write, and delete a file used by the
+filesystem tools programs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fstools_getattr_swap_files" lineno="150">
+<summary>
+Getattr swapfile
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="getty" filename="policy/modules/system/getty.if">
+<summary>Policy for getty.</summary>
+<interface name="getty_domtrans" lineno="13">
+<summary>
+Execute gettys in the getty domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="getty_use_fds" lineno="32">
+<summary>
+Inherit and use getty file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="getty_read_log" lineno="51">
+<summary>
+Allow process to read getty log file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="getty_read_config" lineno="71">
+<summary>
+Allow process to read getty config file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="getty_rw_config" lineno="91">
+<summary>
+Allow process to edit getty config file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="hostname" filename="policy/modules/system/hostname.if">
+<summary>Policy for changing the system host name.</summary>
+<interface name="hostname_domtrans" lineno="13">
+<summary>
+Execute hostname in the hostname domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="hostname_run" lineno="38">
+<summary>
+Execute hostname in the hostname domain, and
+allow the specified role the hostname domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hostname_exec" lineno="58">
+<summary>
+Execute hostname in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="hotplug" filename="policy/modules/system/hotplug.if">
+<summary>
+Policy for hotplug system, for supporting the
+connection and disconnection of devices at runtime.
+</summary>
+<interface name="hotplug_domtrans" lineno="16">
+<summary>
+Execute hotplug with a domain transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="hotplug_exec" lineno="35">
+<summary>
+Execute hotplug in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hotplug_use_fds" lineno="54">
+<summary>
+Inherit and use hotplug file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hotplug_dontaudit_use_fds" lineno="73">
+<summary>
+Do not audit attempts to inherit
+hotplug file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="hotplug_dontaudit_search_config" lineno="92">
+<summary>
+Do not audit attempts to search the
+hotplug configuration directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="hotplug_getattr_config_dirs" lineno="110">
+<summary>
+Get the attributes of the hotplug configuration directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hotplug_search_config" lineno="128">
+<summary>
+Search the hotplug configuration directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="hotplug_read_config" lineno="147">
+<summary>
+Read the configuration files for hotplug.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="hotplug_search_pids" lineno="168">
+<summary>
+Search the hotplug PIDs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="init" filename="policy/modules/system/init.if">
+<summary>System initialization programs (init and init scripts).</summary>
+<interface name="init_script_file" lineno="32">
+<summary>
+Create a file type used for init scripts.
+</summary>
+<desc>
+<p>
+Create a file type used for init scripts. It can not be
+used in conjunction with init_script_domain(). These
+script files are typically stored in the /etc/init.d directory.
+</p>
+<p>
+Typically this is used to constrain what services an
+admin can start/stop. For example, a policy writer may want
+to constrain a web administrator to only being able to
+restart the web server, not other services. This special type
+will help address that goal.
+</p>
+<p>
+This also makes the type usable for files; thus an
+explicit call to files_type() is redundant.
+</p>
+</desc>
+<param name="script_file">
+<summary>
+Type to be used for a script file.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="init_script_domain" lineno="67">
+<summary>
+Create a domain used for init scripts.
+</summary>
+<desc>
+<p>
+Create a domain used for init scripts.
+Can not be used in conjunction with
+init_script_file().
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used as an init script domain.
+</summary>
+</param>
+<param name="script_file">
+<summary>
+Type of the script file used as an entry point to this domain.
+</summary>
+</param>
+</interface>
+<interface name="init_domain" lineno="97">
+<summary>
+Create a domain which can be started by init.
+</summary>
+<param name="domain">
+<summary>
+Type to be used as a domain.
+</summary>
+</param>
+<param name="entry_point">
+<summary>
+Type of the program to be used as an entry point to this domain.
+</summary>
+</param>
+</interface>
+<interface name="init_ranged_domain" lineno="140">
+<summary>
+Create a domain which can be started by init,
+with a range transition.
+</summary>
+<param name="domain">
+<summary>
+Type to be used as a domain.
+</summary>
+</param>
+<param name="entry_point">
+<summary>
+Type of the program to be used as an entry point to this domain.
+</summary>
+</param>
+<param name="range">
+<summary>
+Range for the domain.
+</summary>
+</param>
+</interface>
+<interface name="init_daemon_domain" lineno="192">
+<summary>
+Create a domain for long running processes
+(daemons/services) which are started by init scripts.
+</summary>
+<desc>
+<p>
+Create a domain for long running processes (daemons/services)
+which are started by init scripts. Short running processes
+should use the init_system_domain() interface instead.
+Typically all long running processes started by an init
+script (usually in /etc/init.d) will need to use this
+interface.
+</p>
+<p>
+The types will be made usable as a domain and file, making
+calls to domain_type() and files_type() redundant.
+</p>
+<p>
+If the process must also run in a specific MLS/MCS level,
+the init_ranged_daemon_domain() should be used instead.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used as a daemon domain.
+</summary>
+</param>
+<param name="entry_point">
+<summary>
+Type of the program to be used as an entry point to this domain.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="init_ranged_daemon_domain" lineno="283">
+<summary>
+Create a domain for long running processes
+(daemons/services) which are started by init scripts,
+running at a specified MLS/MCS range.
+</summary>
+<desc>
+<p>
+Create a domain for long running processes (daemons/services)
+which are started by init scripts, running at a specified
+MLS/MCS range. Short running processes
+should use the init_ranged_system_domain() interface instead.
+Typically all long running processes started by an init
+script (usually in /etc/init.d) will need to use this
+interface if they need to run in a specific MLS/MCS range.
+</p>
+<p>
+The types will be made usable as a domain and file, making
+calls to domain_type() and files_type() redundant.
+</p>
+<p>
+If the policy build option TYPE is standard (MLS and MCS disabled),
+this interface has the same behavior as init_daemon_domain().
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used as a daemon domain.
+</summary>
+</param>
+<param name="entry_point">
+<summary>
+Type of the program to be used as an entry point to this domain.
+</summary>
+</param>
+<param name="range">
+<summary>
+MLS/MCS range for the domain.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="init_system_domain" lineno="337">
+<summary>
+Create a domain for short running processes
+which are started by init scripts.
+</summary>
+<desc>
+<p>
+Create a domain for short running processes
+which are started by init scripts. These are generally applications that
+are used to initialize the system during boot.
+Long running processes, such as daemons/services
+should use the init_daemon_domain() interface instead.
+Typically all short running processes started by an init
+script (usually in /etc/init.d) will need to use this
+interface.
+</p>
+<p>
+The types will be made usable as a domain and file, making
+calls to domain_type() and files_type() redundant.
+</p>
+<p>
+If the process must also run in a specific MLS/MCS level,
+the init_ranged_system_domain() should be used instead.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used as a system domain.
+</summary>
+</param>
+<param name="entry_point">
+<summary>
+Type of the program to be used as an entry point to this domain.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="init_ranged_system_domain" lineno="401">
+<summary>
+Create a domain for short running processes
+which are started by init scripts.
+</summary>
+<desc>
+<p>
+Create a domain for long running processes (daemons/services)
+which are started by init scripts.
+These are generally applications that
+are used to initialize the system during boot.
+Long running processes
+should use the init_ranged_system_domain() interface instead.
+Typically all short running processes started by an init
+script (usually in /etc/init.d) will need to use this
+interface if they need to run in a specific MLS/MCS range.
+</p>
+<p>
+The types will be made usable as a domain and file, making
+calls to domain_type() and files_type() redundant.
+</p>
+<p>
+If the policy build option TYPE is standard (MLS and MCS disabled),
+this interface has the same behavior as init_system_domain().
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used as a system domain.
+</summary>
+</param>
+<param name="entry_point">
+<summary>
+Type of the program to be used as an entry point to this domain.
+</summary>
+</param>
+<param name="range">
+<summary>
+Range for the domain.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="init_domtrans" lineno="428">
+<summary>
+Execute init (/sbin/init) with a domain transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="init_exec" lineno="447">
+<summary>
+Execute the init program in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="init_exec_rc" lineno="477">
+<summary>
+Execute the rc application in the caller domain.
+</summary>
+<desc>
+<p>
+This is only applicable to Gentoo or distributions that use the OpenRC
+init system.
+</p>
+<p>
+The OpenRC /sbin/rc binary is used for both init scripts as well as
+management applications and tools. When used for management purposes,
+calling /sbin/rc should never cause a transition to initrc_t.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_getpgid" lineno="496">
+<summary>
+Get the process group of init.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_signull" lineno="514">
+<summary>
+Send init a null signal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_sigchld" lineno="532">
+<summary>
+Send init a SIGCHLD signal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_stream_connect" lineno="550">
+<summary>
+Connect to init with a unix socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_use_fds" lineno="608">
+<summary>
+Inherit and use file descriptors from init.
+</summary>
+<desc>
+<p>
+Allow the specified domain to inherit file
+descriptors from the init program (process ID 1).
+Typically the only file descriptors to be
+inherited from init are for the console.
+This does not allow the domain any access to
+the object to which the file descriptors references.
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>init_dontaudit_use_fds()</li>
+<li>term_dontaudit_use_console()</li>
+<li>term_use_console()</li>
+</ul>
+<p>
+Example usage:
+</p>
+<p>
+init_use_fds(mydomain_t)
+term_use_console(mydomain_t)
+</p>
+<p>
+Normally, processes that can inherit these file
+descriptors (usually services) write messages to the
+system log instead of writing to the console.
+Therefore, in many cases, this access should
+dontaudited instead.
+</p>
+<p>
+Example dontaudit usage:
+</p>
+<p>
+init_dontaudit_use_fds(mydomain_t)
+term_dontaudit_use_console(mydomain_t)
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="1"/>
+</interface>
+<interface name="init_dontaudit_use_fds" lineno="627">
+<summary>
+Do not audit attempts to inherit file
+descriptors from init.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="init_udp_send" lineno="645">
+<summary>
+Send UDP network traffic to init. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_getattr_initctl" lineno="659">
+<summary>
+Get the attributes of initctl.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_dontaudit_getattr_initctl" lineno="678">
+<summary>
+Do not audit attempts to get the
+attributes of initctl.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="init_write_initctl" lineno="696">
+<summary>
+Write to initctl.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_telinit" lineno="716">
+<summary>
+Use telinit (Read and write initctl).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="init_rw_initctl" lineno="747">
+<summary>
+Read and write initctl.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_dontaudit_rw_initctl" lineno="767">
+<summary>
+Do not audit attempts to read and
+write initctl.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_script_file_entry_type" lineno="786">
+<summary>
+Make init scripts an entry point for
+the specified domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_spec_domtrans_script" lineno="804">
+<summary>
+Execute init scripts with a specified domain transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="init_domtrans_script" lineno="839">
+<summary>
+Execute init scripts with an automatic domain transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="init_script_file_domtrans" lineno="881">
+<summary>
+Execute a init script in a specified domain.
+</summary>
+<desc>
+<p>
+Execute a init script in a specified domain.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+</desc>
+<param name="source_domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+Domain to transition to.
+</summary>
+</param>
+</interface>
+<interface name="init_labeled_script_domtrans" lineno="906">
+<summary>
+Transition to the init script domain
+on a specified labeled init script.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="init_script_file">
+<summary>
+Labeled init script file.
+</summary>
+</param>
+</interface>
+<interface name="init_all_labeled_script_domtrans" lineno="926">
+<summary>
+Transition to the init script domain
+for all labeled init script types
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="init_run_daemon" lineno="956">
+<summary>
+Start and stop daemon programs directly.
+</summary>
+<desc>
+<p>
+Start and stop daemon programs directly
+in the traditional "/etc/init.d/daemon start"
+style, and do not require run_init.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be performing this action.
+</summary>
+</param>
+</interface>
+<interface name="init_read_state" lineno="976">
+<summary>
+Read the process state (/proc/pid) of init.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_ptrace" lineno="997">
+<summary>
+Ptrace init
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="init_write_script_pipes" lineno="1015">
+<summary>
+Write an init script unnamed pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_getattr_script_files" lineno="1033">
+<summary>
+Get the attribute of init script entrypoint files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_read_script_files" lineno="1052">
+<summary>
+Read init scripts.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_exec_script_files" lineno="1071">
+<summary>
+Execute init scripts in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_getattr_all_script_files" lineno="1090">
+<summary>
+Get the attribute of all init script entrypoint files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_read_all_script_files" lineno="1109">
+<summary>
+Read all init script files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_dontaudit_read_all_script_files" lineno="1128">
+<summary>
+Dontaudit read all init script files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="init_exec_all_script_files" lineno="1146">
+<summary>
+Execute all init scripts in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_read_script_state" lineno="1165">
+<summary>
+Read the process state (/proc/pid) of the init scripts.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_use_script_fds" lineno="1189">
+<summary>
+Inherit and use init script file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_dontaudit_use_script_fds" lineno="1208">
+<summary>
+Do not audit attempts to inherit
+init script file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="init_search_script_keys" lineno="1226">
+<summary>
+Search init script keys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_getpgid_script" lineno="1244">
+<summary>
+Get the process group ID of init scripts.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_sigchld_script" lineno="1262">
+<summary>
+Send SIGCHLD signals to init scripts.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_signal_script" lineno="1280">
+<summary>
+Send generic signals to init scripts.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_signull_script" lineno="1298">
+<summary>
+Send null signals to init scripts.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_rw_script_pipes" lineno="1316">
+<summary>
+Read and write init script unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_udp_send_script" lineno="1334">
+<summary>
+Send UDP network traffic to init scripts. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_stream_connect_script" lineno="1349">
+<summary>
+Allow the specified domain to connect to
+init scripts with a unix socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_rw_script_stream_sockets" lineno="1368">
+<summary>
+Allow the specified domain to read/write to
+init scripts with a unix domain stream sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_dontaudit_stream_connect_script" lineno="1387">
+<summary>
+Dont audit the specified domain connecting to
+init scripts with a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="init_dbus_send_script" lineno="1404">
+<summary>
+Send messages to init scripts over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_dbus_chat_script" lineno="1424">
+<summary>
+Send and receive messages from
+init scripts over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_use_script_ptys" lineno="1453">
+<summary>
+Read and write the init script pty.
+</summary>
+<desc>
+<p>
+Read and write the init script pty. This
+pty is generally opened by the open_init_pty
+portion of the run_init program so that the
+daemon does not require direct access to
+the administrator terminal.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_dontaudit_use_script_ptys" lineno="1473">
+<summary>
+Do not audit attempts to read and
+write the init script pty.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="init_getattr_script_status_files" lineno="1492">
+<summary>
+Get the attributes of init script
+status files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_dontaudit_read_script_status_files" lineno="1511">
+<summary>
+Do not audit attempts to read init script
+status files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="init_read_script_tmp_files" lineno="1530">
+<summary>
+Read init script temporary data.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_rw_script_tmp_files" lineno="1549">
+<summary>
+Read and write init script temporary data.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_script_tmp_filetrans" lineno="1579">
+<summary>
+Create files in a init script
+temporary data directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="file_type">
+<summary>
+The type of the object to be created
+</summary>
+</param>
+<param name="object_class">
+<summary>
+The object class.
+</summary>
+</param>
+</interface>
+<interface name="init_getattr_utmp" lineno="1598">
+<summary>
+Get the attributes of init script process id files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_read_utmp" lineno="1616">
+<summary>
+Read utmp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_dontaudit_write_utmp" lineno="1635">
+<summary>
+Do not audit attempts to write utmp.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="init_write_utmp" lineno="1653">
+<summary>
+Write to utmp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_dontaudit_lock_utmp" lineno="1673">
+<summary>
+Do not audit attempts to lock
+init script pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="init_rw_utmp" lineno="1691">
+<summary>
+Read and write utmp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_dontaudit_rw_utmp" lineno="1710">
+<summary>
+Do not audit attempts to read and write utmp.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="init_manage_utmp" lineno="1728">
+<summary>
+Create, read, write, and delete utmp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_pid_filetrans_utmp" lineno="1748">
+<summary>
+Create files in /var/run with the
+utmp file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_tcp_recvfrom_all_daemons" lineno="1766">
+<summary>
+Allow the specified domain to connect to daemon with a tcp socket
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_udp_recvfrom_all_daemons" lineno="1784">
+<summary>
+Allow the specified domain to connect to daemon with a udp socket
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="init_upstart" dftval="false">
+<desc>
+<p>
+Enable support for upstart as the init program.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="ipsec" filename="policy/modules/system/ipsec.if">
+<summary>TCP/IP encryption</summary>
+<interface name="ipsec_domtrans" lineno="13">
+<summary>
+Execute ipsec in the ipsec domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_stream_connect" lineno="31">
+<summary>
+Connect to IPSEC using a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_domtrans_mgmt" lineno="50">
+<summary>
+Execute ipsec in the ipsec mgmt domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_stream_connect_racoon" lineno="68">
+<summary>
+Connect to racoon using a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_getattr_key_sockets" lineno="87">
+<summary>
+Get the attributes of an IPSEC key socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_exec_mgmt" lineno="105">
+<summary>
+Execute the IPSEC management program in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_signal_mgmt" lineno="124">
+<summary>
+Send ipsec mgmt a general signal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_signull_mgmt" lineno="143">
+<summary>
+Send ipsec mgmt a null signal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_kill_mgmt" lineno="162">
+<summary>
+Send ipsec mgmt a kill signal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_mgmt_dbus_chat" lineno="181">
+<summary>
+Send and receive messages from
+ipsec-mgmt over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_read_config" lineno="202">
+<summary>
+Read the IPSEC configuration
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="ipsec_match_default_spd" lineno="221">
+<summary>
+Match the default SPD entry.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_setcontext_default_spd" lineno="241">
+<summary>
+Set the context of a SPD entry to
+the default context.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_write_pid" lineno="259">
+<summary>
+write the ipsec_var_run_t files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_manage_pid" lineno="278">
+<summary>
+Create, read, write, and delete the IPSEC pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_domtrans_racoon" lineno="297">
+<summary>
+Execute racoon in the racoon domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_run_racoon" lineno="321">
+<summary>
+Execute racoon and allow the specified role the domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="ipsec_domtrans_setkey" lineno="340">
+<summary>
+Execute setkey in the setkey domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ipsec_run_setkey" lineno="364">
+<summary>
+Execute setkey and allow the specified role the domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access..
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="racoon_read_shadow" dftval="false">
+<desc>
+<p>
+Allow racoon to read shadow
+</p>
+</desc>
+</tunable>
+</module>
+<module name="iptables" filename="policy/modules/system/iptables.if">
+<summary>Policy for iptables.</summary>
+<interface name="iptables_domtrans" lineno="13">
+<summary>
+Execute iptables in the iptables domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="iptables_run" lineno="43">
+<summary>
+Execute iptables in the iptables domain, and
+allow the specified role the iptables domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="iptables_exec" lineno="62">
+<summary>
+Execute iptables in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="iptables_initrc_domtrans" lineno="81">
+<summary>
+Execute iptables in the iptables domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="iptables_setattr_config" lineno="99">
+<summary>
+Set the attributes of iptables config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="iptables_read_config" lineno="118">
+<summary>
+Read iptables config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="iptables_etc_filetrans_config" lineno="139">
+<summary>
+Create files in /etc with the type used for
+the iptables config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="iptables_manage_config" lineno="157">
+<summary>
+Manage iptables config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="libraries" filename="policy/modules/system/libraries.if">
+<summary>Policy for system libraries.</summary>
+<interface name="libs_domtrans_ldconfig" lineno="13">
+<summary>
+Execute ldconfig in the ldconfig domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="libs_run_ldconfig" lineno="38">
+<summary>
+Execute ldconfig in the ldconfig domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the ldconfig domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="libs_exec_ldconfig" lineno="58">
+<summary>
+Execute ldconfig in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="libs_use_ld_so" lineno="78">
+<summary>
+Use the dynamic link/loader for automatic loading
+of shared libraries.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_legacy_use_ld_so" lineno="103">
+<summary>
+Use the dynamic link/loader for automatic loading
+of shared libraries with legacy support.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_exec_ld_so" lineno="123">
+<summary>
+Execute the dynamic link/loader in the caller's domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_manage_ld_so" lineno="145">
+<summary>
+Create, read, write, and delete the
+dynamic link/loader.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_relabel_ld_so" lineno="165">
+<summary>
+Relabel to and from the type used for
+the dynamic link/loader.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_rw_ld_so_cache" lineno="184">
+<summary>
+Modify the dynamic link/loader's cached listing
+of shared libraries.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_search_lib" lineno="203">
+<summary>
+Search library directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_dontaudit_write_lib_dirs" lineno="228">
+<summary>
+Do not audit attempts to write to library directories.
+</summary>
+<desc>
+<p>
+Do not audit attempts to write to library directories.
+Typically this is used to quiet attempts to recompile
+python byte code.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="libs_manage_lib_dirs" lineno="246">
+<summary>
+Create, read, write, and delete library directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_dontaudit_setattr_lib_files" lineno="264">
+<summary>
+dontaudit attempts to setattr on library files
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="libs_read_lib_files" lineno="283">
+<summary>
+Read files in the library directories, such
+as static libraries.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_exec_lib_files" lineno="304">
+<summary>
+Execute library scripts in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_use_lib_files" lineno="326">
+<summary>
+Load and execute functions from generic
+lib files as shared libraries.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_manage_lib_files" lineno="343">
+<summary>
+Create, read, write, and delete generic
+files in library directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_relabelto_lib_files" lineno="361">
+<summary>
+Relabel files to the type used in library directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_relabel_lib_files" lineno="381">
+<summary>
+Relabel to and from the type used
+for generic lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_delete_lib_symlinks" lineno="400">
+<summary>
+Delete generic symlinks in library directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_manage_shared_libs" lineno="419">
+<summary>
+Create, read, write, and delete shared libraries.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_use_shared_libs" lineno="437">
+<summary>
+Load and execute functions from shared libraries.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_legacy_use_shared_libs" lineno="460">
+<summary>
+Load and execute functions from shared libraries,
+with legacy support.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_relabel_shared_libs" lineno="481">
+<summary>
+Relabel to and from the type used for
+shared libraries.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="lib_filetrans_shared_lib" lineno="505">
+<summary>
+Create an object in lib directories, with
+the shared libraries type using a type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="files_lib_filetrans_shared_lib" lineno="534">
+<summary>
+Create an object in lib directories, with
+the shared libraries type using a type transition. (Deprecated)
+</summary>
+<desc>
+<p>
+Create an object in lib directories, with
+the shared libraries type using a type transition. (Deprecated)
+</p>
+<p>
+lib_filetrans_shared_lib() should be used instead.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+</interface>
+</module>
+<module name="locallogin" filename="policy/modules/system/locallogin.if">
+<summary>Policy for local logins.</summary>
+<interface name="locallogin_domtrans" lineno="13">
+<summary>
+Execute local logins in the local login domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="locallogin_use_fds" lineno="35">
+<summary>
+Allow processes to inherit local login file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="locallogin_dontaudit_use_fds" lineno="53">
+<summary>
+Do not audit attempts to inherit local login file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="locallogin_signull" lineno="71">
+<summary>
+Send a null signal to local login processes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="locallogin_search_keys" lineno="89">
+<summary>
+Search for key.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="locallogin_link_keys" lineno="107">
+<summary>
+Allow link to the local_login key ring.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="locallogin_domtrans_sulogin" lineno="125">
+<summary>
+Execute local logins in the local login domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="logging" filename="policy/modules/system/logging.if">
+<summary>Policy for the kernel message logger and system logging daemon.</summary>
+<interface name="logging_log_file" lineno="41">
+<summary>
+Make the specified type usable for log files
+in a filesystem.
+</summary>
+<desc>
+<p>
+Make the specified type usable for log files in a filesystem.
+This will also make the type usable for files, making
+calls to files_type() redundant. Failure to use this interface
+for a log file type may result in problems with log
+rotation, log analysis, and log monitoring programs.
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>logging_log_filetrans()</li>
+</ul>
+<p>
+Example usage with a domain that can create
+and append to a private log file stored in the
+general directories (e.g., /var/log):
+</p>
+<p>
+type mylogfile_t;
+logging_log_file(mylogfile_t)
+allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
+logging_log_filetrans(mydomain_t, mylogfile_t, file)
+</p>
+</desc>
+<param name="type">
+<summary>
+Type to be used for files.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="logging_send_audit_msgs" lineno="62">
+<summary>
+Send audit messages.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_dontaudit_send_audit_msgs" lineno="77">
+<summary>
+dontaudit attempts to send audit messages.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="logging_set_loginuid" lineno="92">
+<summary>
+Set login uid
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_set_tty_audit" lineno="107">
+<summary>
+Set tty auditing
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_set_audit_parameters" lineno="121">
+<summary>
+Set up audit
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_read_audit_log" lineno="137">
+<summary>
+Read the audit log.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_domtrans_auditctl" lineno="157">
+<summary>
+Execute auditctl in the auditctl domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="logging_run_auditctl" lineno="182">
+<summary>
+Execute auditctl in the auditctl domain, and
+allow the specified role the auditctl domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_domtrans_auditd" lineno="201">
+<summary>
+Execute auditd in the auditd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="logging_run_auditd" lineno="225">
+<summary>
+Execute auditd in the auditd domain, and
+allow the specified role the auditd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_stream_connect_auditd" lineno="244">
+<summary>
+Connect to auditdstored over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_domtrans_dispatcher" lineno="259">
+<summary>
+Execute a domain transition to run the audit dispatcher.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="logging_signal_dispatcher" lineno="277">
+<summary>
+Signal the audit dispatcher.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_dispatcher_domain" lineno="301">
+<summary>
+Create a domain for processes
+which can be started by the system audit dispatcher
+</summary>
+<param name="domain">
+<summary>
+Type to be used as a domain.
+</summary>
+</param>
+<param name="entry_point">
+<summary>
+Type of the program to be used as an entry point to this domain.
+</summary>
+</param>
+</interface>
+<interface name="logging_stream_connect_dispatcher" lineno="329">
+<summary>
+Connect to the audit dispatcher over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_manage_audit_config" lineno="349">
+<summary>
+Manage the auditd configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_manage_audit_log" lineno="369">
+<summary>
+Manage the audit log.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_domtrans_klog" lineno="389">
+<summary>
+Execute klogd in the klog domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="logging_check_exec_syslog" lineno="408">
+<summary>
+Check if syslogd is executable.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_domtrans_syslog" lineno="428">
+<summary>
+Execute syslogd in the syslog domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="logging_log_filetrans" lineno="485">
+<summary>
+Create an object in the log directory, with a private type.
+</summary>
+<desc>
+<p>
+Allow the specified domain to create an object
+in the general system log directories (e.g., /var/log)
+with a private type. Typically this is used for creating
+private log files in /var/log with the private type instead
+of the general system log type. To accomplish this goal,
+either the program must be SELinux-aware, or use this interface.
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>logging_log_file()</li>
+</ul>
+<p>
+Example usage with a domain that can create
+and append to a private log file stored in the
+general directories (e.g., /var/log):
+</p>
+<p>
+type mylogfile_t;
+logging_log_file(mylogfile_t)
+allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
+logging_log_filetrans(mydomain_t, mylogfile_t, file)
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private type">
+<summary>
+The type of the object to be created.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="logging_send_syslog_msg" lineno="526">
+<summary>
+Send system log messages.
+</summary>
+<desc>
+<p>
+Allow the specified domain to connect to the
+system log service (syslog), to send messages be added to
+the system logs. Typically this is used by services
+that do not have their own log file in /var/log.
+</p>
+<p>
+This does not allow messages to be sent to
+the auditing system.
+</p>
+<p>
+Programs which use the libc function syslog() will
+require this access.
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>logging_send_audit_msgs()</li>
+</ul>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_read_audit_config" lineno="557">
+<summary>
+Read the auditd configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_dontaudit_search_audit_config" lineno="578">
+<summary>
+dontaudit search of auditd configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_read_syslog_config" lineno="597">
+<summary>
+Read syslog configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_search_logs" lineno="617">
+<summary>
+Allows the domain to open a file in the
+log directory, but does not allow the listing
+of the contents of the log directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_dontaudit_search_logs" lineno="636">
+<summary>
+Do not audit attempts to search the var log directory.
+</summary>
+<param name="domain">
+<summary>
+Domain not to audit.
+</summary>
+</param>
+</interface>
+<interface name="logging_list_logs" lineno="654">
+<summary>
+List the contents of the generic log directory (/var/log).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_rw_generic_log_dirs" lineno="673">
+<summary>
+Read and write the generic log directory (/var/log).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_setattr_all_log_dirs" lineno="693">
+<summary>
+Set attributes on all log dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_dontaudit_getattr_all_logs" lineno="712">
+<summary>
+Do not audit attempts to get the atttributes
+of any log files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="logging_append_all_logs" lineno="730">
+<summary>
+Append to all log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_read_all_logs" lineno="751">
+<summary>
+Read all log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_exec_all_logs" lineno="773">
+<summary>
+Execute all log files in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_rw_all_logs" lineno="793">
+<summary>
+read/write to all log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_manage_all_logs" lineno="813">
+<summary>
+Create, read, write, and delete all log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_read_generic_logs" lineno="834">
+<summary>
+Read generic log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_write_generic_logs" lineno="854">
+<summary>
+Write generic log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_dontaudit_write_generic_logs" lineno="874">
+<summary>
+Dontaudit Write generic log files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="logging_rw_generic_logs" lineno="892">
+<summary>
+Read and write generic log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_manage_generic_logs" lineno="914">
+<summary>
+Create, read, write, and delete
+generic log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_admin_audit" lineno="940">
+<summary>
+All of the rules required to administrate
+the audit environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+User role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_admin_syslog" lineno="984">
+<summary>
+All of the rules required to administrate
+the syslog environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+User role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_admin" lineno="1042">
+<summary>
+All of the rules required to administrate
+the logging environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+User role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="lvm" filename="policy/modules/system/lvm.if">
+<summary>Policy for logical volume management programs.</summary>
+<interface name="lvm_domtrans" lineno="13">
+<summary>
+Execute lvm programs in the lvm domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="lvm_exec" lineno="32">
+<summary>
+Execute lvm programs in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="lvm_run" lineno="57">
+<summary>
+Execute lvm programs in the lvm domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the LVM domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="lvm_read_config" lineno="77">
+<summary>
+Read LVM configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="lvm_manage_config" lineno="98">
+<summary>
+Manage LVM configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="lvm_domtrans_clvmd" lineno="118">
+<summary>
+Execute a domain transition to run clvmd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="miscfiles" filename="policy/modules/system/miscfiles.if">
+<summary>Miscelaneous files.</summary>
+<interface name="miscfiles_cert_type" lineno="38">
+<summary>
+Make the specified type usable as a cert file.
+</summary>
+<desc>
+<p>
+Make the specified type usable for cert files.
+This will also make the type usable for files, making
+calls to files_type() redundant. Failure to use this interface
+for a temporary file may result in problems with
+cert management tools.
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>files_type()</li>
+</ul>
+<p>
+Example:
+</p>
+<p>
+type mycertfile_t;
+cert_type(mycertfile_t)
+allow mydomain_t mycertfile_t:file read_file_perms;
+files_search_etc(mydomain_t)
+</p>
+</desc>
+<param name="type">
+<summary>
+Type to be used for files.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="miscfiles_read_all_certs" lineno="58">
+<summary>
+Read all SSL certificates.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="miscfiles_read_generic_certs" lineno="79">
+<summary>
+Read generic SSL certificates.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="miscfiles_manage_generic_cert_dirs" lineno="99">
+<summary>
+Manage generic SSL certificates.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_manage_generic_cert_files" lineno="118">
+<summary>
+Manage generic SSL certificates.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="miscfiles_read_certs" lineno="137">
+<summary>
+Read SSL certificates.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_manage_cert_dirs" lineno="152">
+<summary>
+Manage SSL certificates.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_manage_cert_files" lineno="167">
+<summary>
+Manage SSL certificates.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_read_fonts" lineno="183">
+<summary>
+Read fonts.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="miscfiles_setattr_fonts_dirs" lineno="212">
+<summary>
+Set the attributes on a fonts directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="miscfiles_dontaudit_setattr_fonts_dirs" lineno="232">
+<summary>
+Do not audit attempts to set the attributes
+on a fonts directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="miscfiles_dontaudit_write_fonts" lineno="251">
+<summary>
+Do not audit attempts to write fonts.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="miscfiles_manage_fonts" lineno="271">
+<summary>
+Create, read, write, and delete fonts.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="miscfiles_setattr_fonts_cache_dirs" lineno="295">
+<summary>
+Set the attributes on a fonts cache directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_dontaudit_setattr_fonts_cache_dirs" lineno="314">
+<summary>
+Do not audit attempts to set the attributes
+on a fonts cache directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_manage_fonts_cache" lineno="333">
+<summary>
+Create, read, write, and delete fonts cache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="miscfiles_read_hwdata" lineno="355">
+<summary>
+Read hardware identification data.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_setattr_localization" lineno="375">
+<summary>
+Allow process to setattr localization info
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_read_localization" lineno="407">
+<summary>
+Allow process to read localization information.
+</summary>
+<desc>
+<p>
+Allow the specified domain to read the localization files.
+This is typically for time zone configuration files, such as
+/etc/localtime and files in /usr/share/zoneinfo.
+Typically, any domain which needs to know the GMT/UTC
+offset of the current timezone will need access
+to these files. Generally, it should be safe for any
+domain to read these files.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="miscfiles_rw_localization" lineno="429">
+<summary>
+Allow process to write localization info
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_relabel_localization" lineno="449">
+<summary>
+Allow process to relabel localization info
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_legacy_read_localization" lineno="468">
+<summary>
+Allow process to read legacy time localization info
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_search_man_pages" lineno="487">
+<summary>
+Search man pages.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_dontaudit_search_man_pages" lineno="506">
+<summary>
+Do not audit attempts to search man pages.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_read_man_pages" lineno="525">
+<summary>
+Read man pages
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="miscfiles_delete_man_pages" lineno="547">
+<summary>
+Delete man pages
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_manage_man_pages" lineno="572">
+<summary>
+Create, read, write, and delete man pages
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_read_public_files" lineno="595">
+<summary>
+Read public files used for file
+transfer services.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="miscfiles_manage_public_files" lineno="617">
+<summary>
+Create, read, write, and delete public files
+and directories used for file transfer services.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="miscfiles_read_tetex_data" lineno="637">
+<summary>
+Read TeX data
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_exec_tetex_data" lineno="661">
+<summary>
+Execute TeX data programs in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_domain_entry_test_files" lineno="686">
+<summary>
+Let test files be an entry point for
+a specified domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_read_test_files" lineno="704">
+<summary>
+Read test files and directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_exec_test_files" lineno="723">
+<summary>
+Execute test files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_etc_filetrans_localization" lineno="742">
+<summary>
+Execute test files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="miscfiles_manage_localization" lineno="762">
+<summary>
+Create, read, write, and delete localization
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="modutils" filename="policy/modules/system/modutils.if">
+<summary>Policy for kernel module utilities</summary>
+<interface name="modutils_getattr_module_deps" lineno="13">
+<summary>
+Getattr the dependencies of kernel modules.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="modutils_read_module_deps" lineno="31">
+<summary>
+Read the dependencies of kernel modules.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="modutils_read_module_config" lineno="52">
+<summary>
+Read the configuration options used when
+loading modules.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="modutils_rename_module_config" lineno="77">
+<summary>
+Rename a file with the configuration options used when
+loading modules.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="modutils_delete_module_config" lineno="96">
+<summary>
+Unlink a file with the configuration options used when
+loading modules.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="modutils_manage_module_config" lineno="115">
+<summary>
+Manage files with the configuration options used when
+loading modules.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="modutils_domtrans_insmod_uncond" lineno="135">
+<summary>
+Unconditionally execute insmod in the insmod domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="modutils_domtrans_insmod" lineno="154">
+<summary>
+Execute insmod in the insmod domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="modutils_run_insmod" lineno="182">
+<summary>
+Execute insmod in the insmod domain, and
+allow the specified role the insmod domain,
+and use the caller's terminal. Has a sigchld
+backchannel.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="modutils_exec_insmod" lineno="201">
+<summary>
+Execute insmod in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="modutils_domtrans_depmod" lineno="220">
+<summary>
+Execute depmod in the depmod domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="modutils_run_depmod" lineno="245">
+<summary>
+Execute depmod in the depmod domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="modutils_exec_depmod" lineno="264">
+<summary>
+Execute depmod in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="modutils_domtrans_update_mods" lineno="283">
+<summary>
+Execute depmod in the depmod domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="modutils_run_update_mods" lineno="308">
+<summary>
+Execute update_modules in the update_modules domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="modutils_exec_update_mods" lineno="327">
+<summary>
+Execute update_modules in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="mount" filename="policy/modules/system/mount.if">
+<summary>Policy for mount.</summary>
+<interface name="mount_domtrans" lineno="13">
+<summary>
+Execute mount in the mount domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="mount_run" lineno="39">
+<summary>
+Execute mount in the mount domain, and
+allow the specified role the mount domain,
+and use the caller's terminal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="mount_exec" lineno="58">
+<summary>
+Execute mount in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mount_signal" lineno="80">
+<summary>
+Send a generic signal to mount.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mount_use_fds" lineno="98">
+<summary>
+Use file descriptors for mount.
+</summary>
+<param name="domain">
+<summary>
+The type of the process performing this action.
+</summary>
+</param>
+</interface>
+<interface name="mount_send_nfs_client_request" lineno="128">
+<summary>
+Allow the mount domain to send nfs requests for mounting
+network drives
+</summary>
+<desc>
+<p>
+Allow the mount domain to send nfs requests for mounting
+network drives
+</p>
+<p>
+This interface has been deprecated as these rules were
+a side effect of leaked mount file descriptors. This
+interface has no effect.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mount_domtrans_unconfined" lineno="142">
+<summary>
+Execute mount in the unconfined mount domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="mount_run_unconfined" lineno="168">
+<summary>
+Execute mount in the unconfined mount domain, and
+allow the specified role the unconfined mount domain,
+and use the caller's terminal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="allow_mount_anyfile" dftval="false">
+<desc>
+<p>
+Allow the mount command to mount any directory or file.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="netlabel" filename="policy/modules/system/netlabel.if">
+<summary>NetLabel/CIPSO labeled networking management</summary>
+<interface name="netlabel_domtrans_mgmt" lineno="13">
+<summary>
+Execute netlabel_mgmt in the netlabel_mgmt domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="netlabel_run_mgmt" lineno="39">
+<summary>
+Execute netlabel_mgmt in the netlabel_mgmt domain, and
+allow the specified role the netlabel_mgmt domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="selinuxutil" filename="policy/modules/system/selinuxutil.if">
+<summary>Policy for SELinux policy and userland applications.</summary>
+<interface name="seutil_domtrans_checkpolicy" lineno="13">
+<summary>
+Execute checkpolicy in the checkpolicy domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="seutil_run_checkpolicy" lineno="41">
+<summary>
+Execute checkpolicy in the checkpolicy domain, and
+allow the specified role the checkpolicy domain,
+and use the caller's terminal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_exec_checkpolicy" lineno="61">
+<summary>
+Execute checkpolicy in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_domtrans_loadpolicy" lineno="81">
+<summary>
+Execute load_policy in the load_policy domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="seutil_run_loadpolicy" lineno="108">
+<summary>
+Execute load_policy in the load_policy domain, and
+allow the specified role the load_policy domain,
+and use the caller's terminal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_exec_loadpolicy" lineno="127">
+<summary>
+Execute load_policy in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_read_loadpolicy" lineno="146">
+<summary>
+Read the load_policy program file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_domtrans_newrole" lineno="165">
+<summary>
+Execute newrole in the newole domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="seutil_run_newrole" lineno="193">
+<summary>
+Execute newrole in the newrole domain, and
+allow the specified role the newrole domain,
+and use the caller's terminal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_exec_newrole" lineno="212">
+<summary>
+Execute newrole in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_dontaudit_signal_newrole" lineno="233">
+<summary>
+Do not audit the caller attempts to send
+a signal to newrole.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="seutil_sigchld_newrole" lineno="261">
+<summary>
+Send a SIGCHLD signal to newrole.
+</summary>
+<desc>
+<p>
+Allow the specified domain to send a SIGCHLD
+signal to newrole. This signal is automatically
+sent from a process that is terminating to
+its parent. This may be needed by domains
+that are executed from newrole.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="1"/>
+</interface>
+<interface name="seutil_use_newrole_fds" lineno="279">
+<summary>
+Inherit and use newrole file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_dontaudit_use_newrole_fds" lineno="298">
+<summary>
+Do not audit attempts to inherit and use
+newrole file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="seutil_domtrans_restorecon" lineno="316">
+<summary>
+Execute restorecon in the restorecon domain. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="seutil_run_restorecon" lineno="339">
+<summary>
+Execute restorecon in the restorecon domain, and
+allow the specified role the restorecon domain,
+and use the caller's terminal. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_exec_restorecon" lineno="355">
+<summary>
+Execute restorecon in the caller domain. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_domtrans_runinit" lineno="370">
+<summary>
+Execute run_init in the run_init domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="seutil_init_script_domtrans_runinit" lineno="396">
+<summary>
+Execute init scripts in the run_init domain.
+</summary>
+<desc>
+<p>
+Execute init scripts in the run_init domain.
+This is used for the Gentoo integrated run_init.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="seutil_run_runinit" lineno="426">
+<summary>
+Execute run_init in the run_init domain, and
+allow the specified role the run_init domain,
+and use the caller's terminal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_init_script_run_runinit" lineno="462">
+<summary>
+Execute init scripts in the run_init domain, and
+allow the specified role the run_init domain,
+and use the caller's terminal.
+</summary>
+<desc>
+<p>
+Execute init scripts in the run_init domain, and
+allow the specified role the run_init domain,
+and use the caller's terminal.
+</p>
+<p>
+This is used for the Gentoo integrated run_init.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_use_runinit_fds" lineno="481">
+<summary>
+Inherit and use run_init file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_domtrans_setfiles" lineno="499">
+<summary>
+Execute setfiles in the setfiles domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="seutil_run_setfiles" lineno="527">
+<summary>
+Execute setfiles in the setfiles domain, and
+allow the specified role the setfiles domain,
+and use the caller's terminal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_exec_setfiles" lineno="546">
+<summary>
+Execute setfiles in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_dontaudit_search_config" lineno="567">
+<summary>
+Do not audit attempts to search the SELinux
+configuration directory (/etc/selinux).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="seutil_dontaudit_read_config" lineno="586">
+<summary>
+Do not audit attempts to read the SELinux
+userland configuration (/etc/selinux).
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="seutil_read_config" lineno="606">
+<summary>
+Read the general SELinux configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_rw_config" lineno="628">
+<summary>
+Read and write the general SELinux configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_manage_selinux_config" lineno="660">
+<summary>
+Create, read, write, and delete
+the general selinux configuration files. (Deprecated)
+</summary>
+<desc>
+<p>
+Create, read, write, and delete
+the general selinux configuration files.
+</p>
+<p>
+This interface has been deprecated, please
+use the seutil_manage_config() interface instead.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_manage_config" lineno="677">
+<summary>
+Create, read, write, and delete
+the general selinux configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_manage_config_dirs" lineno="699">
+<summary>
+Create, read, write, and delete
+the general selinux configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_search_default_contexts" lineno="718">
+<summary>
+Search the policy directory with default_context files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_read_default_contexts" lineno="738">
+<summary>
+Read the default_contexts files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_manage_default_contexts" lineno="759">
+<summary>
+Create, read, write, and delete the default_contexts files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_read_file_contexts" lineno="780">
+<summary>
+Read the file_contexts files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_dontaudit_read_file_contexts" lineno="801">
+<summary>
+Do not audit attempts to read the file_contexts files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_rw_file_contexts" lineno="820">
+<summary>
+Read and write the file_contexts files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_manage_file_contexts" lineno="841">
+<summary>
+Create, read, write, and delete the file_contexts files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_read_bin_policy" lineno="861">
+<summary>
+Read the SELinux binary policy.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_create_bin_policy" lineno="881">
+<summary>
+Create the SELinux binary policy.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_relabelto_bin_policy" lineno="904">
+<summary>
+Allow the caller to relabel a file to the binary policy type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_manage_bin_policy" lineno="925">
+<summary>
+Create, read, write, and delete the SELinux
+binary policy.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_read_src_policy" lineno="947">
+<summary>
+Read SELinux policy source files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_manage_src_policy" lineno="969">
+<summary>
+Create, read, write, and delete SELinux
+policy source files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_domtrans_semanage" lineno="990">
+<summary>
+Execute a domain transition to run semanage.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="seutil_run_semanage" lineno="1018">
+<summary>
+Execute semanage in the semanage domain, and
+allow the specified role the semanage domain,
+and use the caller's terminal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="seutil_manage_module_store" lineno="1038">
+<summary>
+Full management of the semanage
+module store.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_get_semanage_read_lock" lineno="1059">
+<summary>
+Get read lock on module store
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_get_semanage_trans_lock" lineno="1078">
+<summary>
+Get trans lock on module store
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_libselinux_linked" lineno="1106">
+<summary>
+SELinux-enabled program access for
+libselinux-linked programs.
+</summary>
+<desc>
+<p>
+SELinux-enabled programs are typically
+linked to the libselinux library. This
+interface will allow access required for
+the libselinux constructor to function.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_dontaudit_libselinux_linked" lineno="1136">
+<summary>
+Do not audit SELinux-enabled program access for
+libselinux-linked programs.
+</summary>
+<desc>
+<p>
+SELinux-enabled programs are typically
+linked to the libselinux library. This
+interface will dontaudit access required for
+the libselinux constructor to function.
+</p>
+<p>
+Generally this should not be used on anything
+but simple SELinux-enabled programs that do not
+rely on data initialized by the libselinux
+constructor.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+</module>
+<module name="setrans" filename="policy/modules/system/setrans.if">
+<summary>SELinux MLS/MCS label translation service.</summary>
+<interface name="setrans_initrc_domtrans" lineno="14">
+<summary>
+Execute setrans server in the setrans domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="setrans_translate_context" lineno="32">
+<summary>
+Allow a domain to translate contexts.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="sysnetwork" filename="policy/modules/system/sysnetwork.if">
+<summary>Policy for network configuration: ifconfig and dhcp client.</summary>
+<interface name="sysnet_domtrans_dhcpc" lineno="13">
+<summary>
+Execute dhcp client in dhcpc domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_run_dhcpc" lineno="39">
+<summary>
+Execute DHCP clients in the dhcpc domain, and
+allow the specified role the dhcpc domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="sysnet_dontaudit_use_dhcpc_fds" lineno="59">
+<summary>
+Do not audit attempts to use
+the dhcp file descriptors.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_sigchld_dhcpc" lineno="77">
+<summary>
+Send a SIGCHLD signal to the dhcp client.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_kill_dhcpc" lineno="96">
+<summary>
+Send a kill signal to the dhcp client.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="sysnet_sigstop_dhcpc" lineno="114">
+<summary>
+Send a SIGSTOP signal to the dhcp client.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_signull_dhcpc" lineno="132">
+<summary>
+Send a null signal to the dhcp client.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_signal_dhcpc" lineno="151">
+<summary>
+Send a generic signal to the dhcp client.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="sysnet_dbus_chat_dhcpc" lineno="170">
+<summary>
+Send and receive messages from
+dhcpc over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_rw_dhcp_config" lineno="190">
+<summary>
+Read and write dhcp configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_search_dhcpc_state" lineno="210">
+<summary>
+Search the DHCP client state
+directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_read_dhcpc_state" lineno="229">
+<summary>
+Read dhcp client state files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_delete_dhcpc_state" lineno="247">
+<summary>
+Delete the dhcp client state files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_setattr_config" lineno="265">
+<summary>
+Set the attributes of network config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_read_config" lineno="305">
+<summary>
+Read network config files.
+</summary>
+<desc>
+<p>
+Allow the specified domain to read the
+general network configuration files. A
+common example of this is the
+/etc/resolv.conf file, which has domain
+name system (DNS) server IP addresses.
+Typically, most networking processes will
+require the access provided by this interface.
+</p>
+<p>
+Higher-level interfaces which involve
+networking will generally call this interface,
+for example:
+</p>
+<ul>
+<li>sysnet_dns_name_resolve()</li>
+<li>sysnet_use_ldap()</li>
+<li>sysnet_use_portmap()</li>
+</ul>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_dontaudit_read_config" lineno="329">
+<summary>
+Do not audit attempts to read network config files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_write_config" lineno="347">
+<summary>
+Write network config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_create_config" lineno="366">
+<summary>
+Create network config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_etc_filetrans_config" lineno="386">
+<summary>
+Create files in /etc with the type used for
+the network config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_manage_config" lineno="404">
+<summary>
+Create, read, write, and delete network config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_read_dhcpc_pid" lineno="426">
+<summary>
+Read the dhcp client pid file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_delete_dhcpc_pid" lineno="445">
+<summary>
+Delete the dhcp client pid file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_domtrans_ifconfig" lineno="463">
+<summary>
+Execute ifconfig in the ifconfig domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_run_ifconfig" lineno="490">
+<summary>
+Execute ifconfig in the ifconfig domain, and
+allow the specified role the ifconfig domain,
+and use the caller's terminal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="sysnet_exec_ifconfig" lineno="510">
+<summary>
+Execute ifconfig in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_signal_ifconfig" lineno="530">
+<summary>
+Send a generic signal to ifconfig.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="sysnet_read_dhcp_config" lineno="548">
+<summary>
+Read the DHCP configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_search_dhcp_state" lineno="568">
+<summary>
+Search the DHCP state data directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_dhcp_state_filetrans" lineno="607">
+<summary>
+Create DHCP state data.
+</summary>
+<desc>
+<p>
+Create DHCP state data.
+</p>
+<p>
+This is added for DHCP server, as
+the server and client put their state
+files in the same directory.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="file_type">
+<summary>
+The type of the object to be created
+</summary>
+</param>
+<param name="object_class">
+<summary>
+The object class.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_dns_name_resolve" lineno="627">
+<summary>
+Perform a DNS name resolution.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="sysnet_use_ldap" lineno="668">
+<summary>
+Connect and use a LDAP server.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_use_portmap" lineno="700">
+<summary>
+Connect and use remote port mappers.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="udev" filename="policy/modules/system/udev.if">
+<summary>Policy for udev.</summary>
+<interface name="udev_signal" lineno="13">
+<summary>
+Send generic signals to udev.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="udev_domtrans" lineno="31">
+<summary>
+Execute udev in the udev domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="udev_exec" lineno="49">
+<summary>
+Execute udev in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="udev_helper_domtrans" lineno="67">
+<summary>
+Execute a udev helper in the udev domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="udev_read_state" lineno="85">
+<summary>
+Allow process to read udev process state.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="udev_dontaudit_use_fds" lineno="106">
+<summary>
+Do not audit attempts to inherit a
+udev file descriptor.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="udev_dontaudit_rw_dgram_sockets" lineno="125">
+<summary>
+Do not audit attempts to read or write
+to a udev unix datagram socket.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="udev_manage_rules_files" lineno="143">
+<summary>
+Manage udev rules files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="udev_dontaudit_search_db" lineno="161">
+<summary>
+Do not audit search of udev database directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="udev_read_db" lineno="185">
+<summary>
+Read the udev device table.
+</summary>
+<desc>
+<p>
+Allow the specified domain to read the udev device table.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="udev_rw_db" lineno="206">
+<summary>
+Allow process to modify list of devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="udev_manage_pid_files" lineno="226">
+<summary>
+Create, read, write, and delete
+udev pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="unconfined" filename="policy/modules/system/unconfined.if">
+<summary>The unconfined domain.</summary>
+<interface name="unconfined_domain_noaudit" lineno="13">
+<summary>
+Make the specified domain unconfined.
+</summary>
+<param name="domain">
+<summary>
+Domain to make unconfined.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_domain" lineno="124">
+<summary>
+Make the specified domain unconfined and
+audit executable heap usage.
+</summary>
+<desc>
+<p>
+Make the specified domain unconfined and
+audit executable heap usage. With exception
+of memory protections, usage of this interface
+will result in the level of access the domain has
+is like SELinux was not being used.
+</p>
+<p>
+Only completely trusted domains should use this interface.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to make unconfined.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_alias_domain" lineno="152">
+<summary>
+Add an alias type to the unconfined domain. (Deprecated)
+</summary>
+<desc>
+<p>
+Add an alias type to the unconfined domain. (Deprecated)
+</p>
+<p>
+This is added to support targeted policy. Its
+use should be limited. It has no effect
+on the strict policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+New alias of the unconfined domain.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_execmem_alias_program" lineno="178">
+<summary>
+Add an alias type to the unconfined execmem
+program file type. (Deprecated)
+</summary>
+<desc>
+<p>
+Add an alias type to the unconfined execmem
+program file type. (Deprecated)
+</p>
+<p>
+This is added to support targeted policy. Its
+use should be limited. It has no effect
+on the strict policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+New alias of the unconfined execmem program type.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_domtrans" lineno="192">
+<summary>
+Transition to the unconfined domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_run" lineno="215">
+<summary>
+Execute specified programs in the unconfined domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the unconfined domain.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_shell_domtrans" lineno="234">
+<summary>
+Transition to the unconfined domain by executing a shell.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_domtrans_to" lineno="272">
+<summary>
+Allow unconfined to execute the specified program in
+the specified domain.
+</summary>
+<desc>
+<p>
+Allow unconfined to execute the specified program in
+the specified domain.
+</p>
+<p>
+This is a interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to execute in.
+</summary>
+</param>
+<param name="entry_file">
+<summary>
+Domain entry point file.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_run_to" lineno="309">
+<summary>
+Allow unconfined to execute the specified program in
+the specified domain. Allow the specified domain the
+unconfined role and use of unconfined user terminals.
+</summary>
+<desc>
+<p>
+Allow unconfined to execute the specified program in
+the specified domain. Allow the specified domain the
+unconfined role and use of unconfined user terminals.
+</p>
+<p>
+This is a interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to execute in.
+</summary>
+</param>
+<param name="entry_file">
+<summary>
+Domain entry point file.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_use_fds" lineno="330">
+<summary>
+Inherit file descriptors from the unconfined domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_sigchld" lineno="348">
+<summary>
+Send a SIGCHLD signal to the unconfined domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_signull" lineno="366">
+<summary>
+Send a SIGNULL signal to the unconfined domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_signal" lineno="384">
+<summary>
+Send generic signals to the unconfined domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_read_pipes" lineno="402">
+<summary>
+Read unconfined domain unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_dontaudit_read_pipes" lineno="420">
+<summary>
+Do not audit attempts to read unconfined domain unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_rw_pipes" lineno="438">
+<summary>
+Read and write unconfined domain unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_dontaudit_rw_pipes" lineno="457">
+<summary>
+Do not audit attempts to read and write
+unconfined domain unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_stream_connect" lineno="476">
+<summary>
+Connect to the unconfined domain using
+a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_dontaudit_rw_tcp_sockets" lineno="505">
+<summary>
+Do not audit attempts to read or write
+unconfined domain tcp sockets.
+</summary>
+<desc>
+<p>
+Do not audit attempts to read or write
+unconfined domain tcp sockets.
+</p>
+<p>
+This interface was added due to a broken
+symptom in ldconfig.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_create_keys" lineno="523">
+<summary>
+Create keys for the unconfined domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_dbus_send" lineno="541">
+<summary>
+Send messages to the unconfined domain over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_dbus_chat" lineno="561">
+<summary>
+Send and receive messages from
+unconfined_t over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="unconfined_dbus_connect" lineno="582">
+<summary>
+Connect to the the unconfined DBUS
+for service (acquire_svc).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="userdomain" filename="policy/modules/system/userdomain.if">
+<summary>Policy for user domains</summary>
+<template name="userdom_base_user_template" lineno="24">
+<summary>
+The template containing the most basic rules common to all users.
+</summary>
+<desc>
+<p>
+The template containing the most basic rules common to all users.
+</p>
+<p>
+This template creates a user domain, types, and
+rules for the user's tty and pty.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<rolebase/>
+</template>
+<interface name="userdom_ro_home_role" lineno="148">
+<summary>
+Allow a home directory for which the
+role has read-only access.
+</summary>
+<desc>
+<p>
+Allow a home directory for which the
+role has read-only access.
+</p>
+<p>
+This does not allow execute access.
+</p>
+</desc>
+<param name="role">
+<summary>
+The user role
+</summary>
+</param>
+<param name="userdomain">
+<summary>
+The user domain
+</summary>
+</param>
+<rolebase/>
+</interface>
+<interface name="userdom_manage_home_role" lineno="219">
+<summary>
+Allow a home directory for which the
+role has full access.
+</summary>
+<desc>
+<p>
+Allow a home directory for which the
+role has full access.
+</p>
+<p>
+This does not allow execute access.
+</p>
+</desc>
+<param name="role">
+<summary>
+The user role
+</summary>
+</param>
+<param name="userdomain">
+<summary>
+The user domain
+</summary>
+</param>
+<rolebase/>
+</interface>
+<interface name="userdom_manage_tmp_role" lineno="288">
+<summary>
+Manage user temporary files
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolebase/>
+</interface>
+<interface name="userdom_exec_user_tmp_files" lineno="314">
+<summary>
+The execute access user temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolebase/>
+</interface>
+<interface name="userdom_manage_tmpfs_role" lineno="349">
+<summary>
+Role access for the user tmpfs type
+that the user has full access.
+</summary>
+<desc>
+<p>
+Role access for the user tmpfs type
+that the user has full access.
+</p>
+<p>
+This does not allow execute access.
+</p>
+</desc>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<template name="userdom_basic_networking_template" lineno="375">
+<summary>
+The template allowing the user basic
+network permissions
+</summary>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<rolebase/>
+</template>
+<template name="userdom_xwindows_client_template" lineno="418">
+<summary>
+The template for creating a user xwindows client. (Deprecated)
+</summary>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<rolebase/>
+</template>
+<template name="userdom_change_password_template" lineno="459">
+<summary>
+The template for allowing the user to change passwords.
+</summary>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<rolebase/>
+</template>
+<template name="userdom_common_user_template" lineno="489">
+<summary>
+The template containing rules common to unprivileged
+users and administrative users.
+</summary>
+<desc>
+<p>
+This template creates a user domain, types, and
+rules for the user's tty, pty, tmp, and tmpfs files.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+</template>
+<template name="userdom_login_user_template" lineno="709">
+<summary>
+The template for creating a login user.
+</summary>
+<desc>
+<p>
+This template creates a user domain, types, and
+rules for the user's tty, pty, home directories,
+tmp, and tmpfs files.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+</template>
+<template name="userdom_restricted_user_template" lineno="827">
+<summary>
+The template for creating a unprivileged login user.
+</summary>
+<desc>
+<p>
+This template creates a user domain, types, and
+rules for the user's tty, pty, home directories,
+tmp, and tmpfs files.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+</template>
+<template name="userdom_restricted_xwindows_user_template" lineno="868">
+<summary>
+The template for creating a unprivileged xwindows login user.
+</summary>
+<desc>
+<p>
+The template for creating a unprivileged xwindows login user.
+</p>
+<p>
+This template creates a user domain, types, and
+rules for the user's tty, pty, home directories,
+tmp, and tmpfs files.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+</template>
+<template name="userdom_unpriv_user_template" lineno="943">
+<summary>
+The template for creating a unprivileged user roughly
+equivalent to a regular linux user.
+</summary>
+<desc>
+<p>
+The template for creating a unprivileged user roughly
+equivalent to a regular linux user.
+</p>
+<p>
+This template creates a user domain, types, and
+rules for the user's tty, pty, home directories,
+tmp, and tmpfs files.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+</template>
+<template name="userdom_admin_user_template" lineno="1040">
+<summary>
+The template for creating an administrative user.
+</summary>
+<desc>
+<p>
+This template creates a user domain, types, and
+rules for the user's tty, pty, home directories,
+tmp, and tmpfs files.
+</p>
+<p>
+The privileges given to administrative users are:
+<ul>
+<li>Raw disk access</li>
+<li>Set all sysctls</li>
+<li>All kernel ring buffer controls</li>
+<li>Create, read, write, and delete all files but shadow</li>
+<li>Manage source and binary format SELinux policy</li>
+<li>Run insmod</li>
+</ul>
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., sysadm
+is the prefix for sysadm_t).
+</summary>
+</param>
+</template>
+<template name="userdom_security_admin_template" lineno="1204">
+<summary>
+Allow user to run as a secadm
+</summary>
+<desc>
+<p>
+Create objects in a user home directory
+with an automatic type transition to
+a specified private type.
+</p>
+<p>
+This is a templated interface, and should only
+be called from a per-userdomain template.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role of the object to create.
+</summary>
+</param>
+</template>
+<interface name="userdom_user_application_type" lineno="1279">
+<summary>
+Make the specified type usable as
+a user application domain type.
+</summary>
+<param name="type">
+<summary>
+Type to be used as a user application domain.
+</summary>
+</param>
+</interface>
+<interface name="userdom_user_application_domain" lineno="1300">
+<summary>
+Make the specified type usable as
+a user application domain.
+</summary>
+<param name="type">
+<summary>
+Type to be used as a user application domain.
+</summary>
+</param>
+<param name="type">
+<summary>
+Type to be used as the domain entry point.
+</summary>
+</param>
+</interface>
+<interface name="userdom_user_home_content" lineno="1317">
+<summary>
+Make the specified type usable in a
+user home directory.
+</summary>
+<param name="type">
+<summary>
+Type to be used as a file in the
+user home directory.
+</summary>
+</param>
+</interface>
+<interface name="userdom_user_tmp_file" lineno="1340">
+<summary>
+Make the specified type usable as a
+user temporary file.
+</summary>
+<param name="type">
+<summary>
+Type to be used as a file in the
+temporary directories.
+</summary>
+</param>
+</interface>
+<interface name="userdom_user_tmpfs_file" lineno="1357">
+<summary>
+Make the specified type usable as a
+user tmpfs file.
+</summary>
+<param name="type">
+<summary>
+Type to be used as a file in
+tmpfs directories.
+</summary>
+</param>
+</interface>
+<interface name="userdom_attach_admin_tun_iface" lineno="1372">
+<summary>
+Allow domain to attach to TUN devices created by administrative users.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_setattr_user_ptys" lineno="1391">
+<summary>
+Set the attributes of a user pty.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_create_user_pty" lineno="1409">
+<summary>
+Create a user pty.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_getattr_user_home_dirs" lineno="1427">
+<summary>
+Get the attributes of user home directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_getattr_user_home_dirs" lineno="1446">
+<summary>
+Do not audit attempts to get the attributes of user home directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_search_user_home_dirs" lineno="1464">
+<summary>
+Search user home directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_search_user_home_dirs" lineno="1491">
+<summary>
+Do not audit attempts to search user home directories.
+</summary>
+<desc>
+<p>
+Do not audit attempts to search user home directories.
+This will supress SELinux denial messages when the specified
+domain is denied the permission to search these directories.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="userdom_list_user_home_dirs" lineno="1509">
+<summary>
+List user home directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_list_user_home_dirs" lineno="1528">
+<summary>
+Do not audit attempts to list user home subdirectories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_create_user_home_dirs" lineno="1546">
+<summary>
+Create user home directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_user_home_dirs" lineno="1564">
+<summary>
+Create user home directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_relabelto_user_home_dirs" lineno="1582">
+<summary>
+Relabel to user home directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_home_filetrans_user_home_dir" lineno="1601">
+<summary>
+Create directories in the home dir root with
+the user home directory type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_user_home_domtrans" lineno="1638">
+<summary>
+Do a domain transition to the specified
+domain when executing a program in the
+user home directory.
+</summary>
+<desc>
+<p>
+Do a domain transition to the specified
+domain when executing a program in the
+user home directory.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+</desc>
+<param name="source_domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+Domain to transition to.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_search_user_home_content" lineno="1658">
+<summary>
+Do not audit attempts to search user home content directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_list_user_home_content" lineno="1676">
+<summary>
+List contents of users home directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_user_home_content_dirs" lineno="1695">
+<summary>
+Create, read, write, and delete directories
+in a user home subdirectory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_delete_user_home_content_dirs" lineno="1714">
+<summary>
+Delete directories in a user home subdirectory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_setattr_user_home_content_files" lineno="1733">
+<summary>
+Do not audit attempts to set the
+attributes of user home files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_mmap_user_home_content_files" lineno="1751">
+<summary>
+Mmap user home files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_read_user_home_content_files" lineno="1770">
+<summary>
+Read user home files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_read_user_home_content_files" lineno="1789">
+<summary>
+Do not audit attempts to read user home files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_append_user_home_content_files" lineno="1808">
+<summary>
+Do not audit attempts to append user home files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_write_user_home_content_files" lineno="1826">
+<summary>
+Do not audit attempts to write user home files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_delete_user_home_content_files" lineno="1844">
+<summary>
+Delete files in a user home subdirectory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_relabel_user_home_content_files" lineno="1862">
+<summary>
+Do not audit attempts to write user home files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_read_user_home_content_symlinks" lineno="1880">
+<summary>
+Read user home subdirectory symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_exec_user_home_content_files" lineno="1900">
+<summary>
+Execute user home files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="userdom_dontaudit_exec_user_home_content_files" lineno="1927">
+<summary>
+Do not audit attempts to execute user home files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_user_home_content_files" lineno="1946">
+<summary>
+Create, read, write, and delete files
+in a user home subdirectory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_manage_user_home_content_dirs" lineno="1967">
+<summary>
+Do not audit attempts to create, read, write, and delete directories
+in a user home subdirectory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_user_home_content_symlinks" lineno="1986">
+<summary>
+Create, read, write, and delete symbolic links
+in a user home subdirectory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_delete_user_home_content_symlinks" lineno="2006">
+<summary>
+Delete symbolic links in a user home directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_user_home_content_pipes" lineno="2025">
+<summary>
+Create, read, write, and delete named pipes
+in a user home subdirectory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_user_home_content_sockets" lineno="2046">
+<summary>
+Create, read, write, and delete named sockets
+in a user home subdirectory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_user_home_dir_filetrans" lineno="2078">
+<summary>
+Create objects in a user home directory
+with an automatic type transition to
+a specified private type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private_type">
+<summary>
+The type of the object to create.
+</summary>
+</param>
+<param name="object_class">
+<summary>
+The class of the object to be created.
+</summary>
+</param>
+</interface>
+<interface name="userdom_user_home_content_filetrans" lineno="2109">
+<summary>
+Create objects in a user home directory
+with an automatic type transition to
+a specified private type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private_type">
+<summary>
+The type of the object to create.
+</summary>
+</param>
+<param name="object_class">
+<summary>
+The class of the object to be created.
+</summary>
+</param>
+</interface>
+<interface name="userdom_user_home_dir_filetrans_user_home_content" lineno="2136">
+<summary>
+Create objects in a user home directory
+with an automatic type transition to
+the user home file type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="object_class">
+<summary>
+The class of the object to be created.
+</summary>
+</param>
+</interface>
+<interface name="userdom_write_user_tmp_sockets" lineno="2155">
+<summary>
+Write to user temporary named sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_list_user_tmp" lineno="2174">
+<summary>
+List user temporary directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_list_user_tmp" lineno="2194">
+<summary>
+Do not audit attempts to list user
+temporary directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_manage_user_tmp_dirs" lineno="2213">
+<summary>
+Do not audit attempts to manage users
+temporary directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_read_user_tmp_files" lineno="2231">
+<summary>
+Read user temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_read_user_tmp_files" lineno="2252">
+<summary>
+Do not audit attempts to read users
+temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_append_user_tmp_files" lineno="2271">
+<summary>
+Do not audit attempts to append users
+temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_rw_user_tmp_files" lineno="2289">
+<summary>
+Read and write user temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_manage_user_tmp_files" lineno="2310">
+<summary>
+Do not audit attempts to manage users
+temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_read_user_tmp_symlinks" lineno="2328">
+<summary>
+Read user temporary symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_user_tmp_dirs" lineno="2349">
+<summary>
+Create, read, write, and delete user
+temporary directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_user_tmp_files" lineno="2369">
+<summary>
+Create, read, write, and delete user
+temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_user_tmp_symlinks" lineno="2389">
+<summary>
+Create, read, write, and delete user
+temporary symbolic links.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_user_tmp_pipes" lineno="2409">
+<summary>
+Create, read, write, and delete user
+temporary named pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_user_tmp_sockets" lineno="2429">
+<summary>
+Create, read, write, and delete user
+temporary named sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_user_tmp_filetrans" lineno="2460">
+<summary>
+Create objects in a user temporary directory
+with an automatic type transition to
+a specified private type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private_type">
+<summary>
+The type of the object to create.
+</summary>
+</param>
+<param name="object_class">
+<summary>
+The class of the object to be created.
+</summary>
+</param>
+</interface>
+<interface name="userdom_tmp_filetrans_user_tmp" lineno="2486">
+<summary>
+Create objects in the temporary directory
+with an automatic type transition to
+the user temporary type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="object_class">
+<summary>
+The class of the object to be created.
+</summary>
+</param>
+</interface>
+<interface name="userdom_read_user_tmpfs_files" lineno="2504">
+<summary>
+Read user tmpfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_rw_user_tmpfs_files" lineno="2524">
+<summary>
+Read user tmpfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_user_tmpfs_files" lineno="2545">
+<summary>
+Create, read, write, and delete user tmpfs files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_getattr_user_ttys" lineno="2565">
+<summary>
+Get the attributes of a user domain tty.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_getattr_user_ttys" lineno="2583">
+<summary>
+Do not audit attempts to get the attributes of a user domain tty.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_setattr_user_ttys" lineno="2601">
+<summary>
+Set the attributes of a user domain tty.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_setattr_user_ttys" lineno="2619">
+<summary>
+Do not audit attempts to set the attributes of a user domain tty.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_use_user_ttys" lineno="2637">
+<summary>
+Read and write a user domain tty.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_use_user_ptys" lineno="2655">
+<summary>
+Read and write a user domain pty.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_use_user_terminals" lineno="2689">
+<summary>
+Read and write a user TTYs and PTYs.
+</summary>
+<desc>
+<p>
+Allow the specified domain to read and write user
+TTYs and PTYs. This will allow the domain to
+interact with the user via the terminal. Typically
+all interactive applications will require this
+access.
+</p>
+<p>
+However, this also allows the applications to spy
+on user sessions or inject information into the
+user session. Thus, this access should likely
+not be allowed for non-interactive domains.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="userdom_dontaudit_use_user_terminals" lineno="2710">
+<summary>
+Do not audit attempts to read and write
+a user domain tty and pty.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_spec_domtrans_all_users" lineno="2731">
+<summary>
+Execute a shell in all user domains. This
+is an explicit transition, requiring the
+caller to use setexeccon().
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="userdom_xsession_spec_domtrans_all_users" lineno="2754">
+<summary>
+Execute an Xserver session in all unprivileged user domains. This
+is an explicit transition, requiring the
+caller to use setexeccon().
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="userdom_spec_domtrans_unpriv_users" lineno="2777">
+<summary>
+Execute a shell in all unprivileged user domains. This
+is an explicit transition, requiring the
+caller to use setexeccon().
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="userdom_xsession_spec_domtrans_unpriv_users" lineno="2800">
+<summary>
+Execute an Xserver session in all unprivileged user domains. This
+is an explicit transition, requiring the
+caller to use setexeccon().
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="userdom_rw_unpriv_user_semaphores" lineno="2821">
+<summary>
+Read and write unpriviledged user SysV sempaphores.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_unpriv_user_semaphores" lineno="2839">
+<summary>
+Manage unpriviledged user SysV sempaphores.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_rw_unpriv_user_shared_mem" lineno="2858">
+<summary>
+Read and write unpriviledged user SysV shared
+memory segments.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_unpriv_user_shared_mem" lineno="2877">
+<summary>
+Manage unpriviledged user SysV shared
+memory segments.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_bin_spec_domtrans_unpriv_users" lineno="2897">
+<summary>
+Execute bin_t in the unprivileged user domains. This
+is an explicit transition, requiring the
+caller to use setexeccon().
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="userdom_entry_spec_domtrans_unpriv_users" lineno="2920">
+<summary>
+Execute all entrypoint files in unprivileged user
+domains. This is an explicit transition, requiring the
+caller to use setexeccon().
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_search_user_home_content" lineno="2941">
+<summary>
+Search users home directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_signull_unpriv_users" lineno="2960">
+<summary>
+Send signull to unprivileged user domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_signal_unpriv_users" lineno="2978">
+<summary>
+Send general signals to unprivileged user domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_use_unpriv_users_fds" lineno="2996">
+<summary>
+Inherit the file descriptors from unprivileged user domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_use_unpriv_user_fds" lineno="3024">
+<summary>
+Do not audit attempts to inherit the file descriptors
+from unprivileged user domains.
+</summary>
+<desc>
+<p>
+Do not audit attempts to inherit the file descriptors
+from unprivileged user domains. This will supress
+SELinux denial messages when the specified domain is denied
+the permission to inherit these file descriptors.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="userdom_dontaudit_use_user_ptys" lineno="3042">
+<summary>
+Do not audit attempts to use user ptys.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_relabelto_user_ptys" lineno="3060">
+<summary>
+Relabel files to unprivileged user pty types.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_relabelfrom_user_ptys" lineno="3079">
+<summary>
+Do not audit attempts to relabel files from
+user pty types.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_write_user_tmp_files" lineno="3097">
+<summary>
+Write all users files in /tmp
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_use_user_ttys" lineno="3115">
+<summary>
+Do not audit attempts to use user ttys.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_read_all_users_state" lineno="3133">
+<summary>
+Read the process state of all user domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_getattr_all_users" lineno="3152">
+<summary>
+Get the attributes of all user domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_use_all_users_fds" lineno="3170">
+<summary>
+Inherit the file descriptors from all user domains
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_use_all_users_fds" lineno="3189">
+<summary>
+Do not audit attempts to inherit the file
+descriptors from any user domains.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="userdom_signal_all_users" lineno="3207">
+<summary>
+Send general signals to all user domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_sigchld_all_users" lineno="3225">
+<summary>
+Send a SIGCHLD signal to all user domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_create_all_users_keys" lineno="3243">
+<summary>
+Create keys for all user domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_dbus_send_all_users" lineno="3261">
+<summary>
+Send a dbus message to all user domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="allow_user_mysql_connect" dftval="false">
+<desc>
+<p>
+Allow users to connect to mysql
+</p>
+</desc>
+</tunable>
+<tunable name="allow_user_postgresql_connect" dftval="false">
+<desc>
+<p>
+Allow users to connect to PostgreSQL
+</p>
+</desc>
+</tunable>
+<tunable name="user_direct_mouse" dftval="false">
+<desc>
+<p>
+Allow regular users direct mouse access
+</p>
+</desc>
+</tunable>
+<tunable name="user_dmesg" dftval="false">
+<desc>
+<p>
+Allow users to read system messages.
+</p>
+</desc>
+</tunable>
+<tunable name="user_rw_noexattrfile" dftval="false">
+<desc>
+<p>
+Allow user to r/w files on filesystems
+that do not have extended attributes (FAT, CDROM, FLOPPY)
+</p>
+</desc>
+</tunable>
+<tunable name="user_ttyfile_stat" dftval="false">
+<desc>
+<p>
+Allow w to display everyone
+</p>
+</desc>
+</tunable>
+</module>
+</layer>
+<tunable name="allow_execheap" dftval="false">
+<desc>
+<p>
+Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execmem" dftval="false">
+<desc>
+<p>
+Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execmod" dftval="false">
+<desc>
+<p>
+Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execstack" dftval="false">
+<desc>
+<p>
+Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+</p>
+</desc>
+</tunable>
+<tunable name="allow_polyinstantiation" dftval="false">
+<desc>
+<p>
+Enable polyinstantiated directory support.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_ypbind" dftval="false">
+<desc>
+<p>
+Allow system to run with NIS
+</p>
+</desc>
+</tunable>
+<tunable name="console_login" dftval="true">
+<desc>
+<p>
+Allow logging in and using the system from /dev/console.
+</p>
+</desc>
+</tunable>
+<tunable name="global_ssp" dftval="false">
+<desc>
+<p>
+Enable reading of urandom for all domains.
+</p>
+<p>
+This should be enabled when all programs
+are compiled with ProPolice/SSP
+stack smashing protection. All domains will
+be allowed to read from /dev/urandom.
+</p>
+</desc>
+</tunable>
+<tunable name="mail_read_content" dftval="false">
+<desc>
+<p>
+Allow email client to various content.
+nfs, samba, removable devices, and user temp
+files
+</p>
+</desc>
+</tunable>
+<tunable name="nfs_export_all_rw" dftval="false">
+<desc>
+<p>
+Allow any files/directories to be exported read/write via NFS.
+</p>
+</desc>
+</tunable>
+<tunable name="nfs_export_all_ro" dftval="false">
+<desc>
+<p>
+Allow any files/directories to be exported read/only via NFS.
+</p>
+</desc>
+</tunable>
+<tunable name="use_nfs_home_dirs" dftval="false">
+<desc>
+<p>
+Support NFS home directories
+</p>
+</desc>
+</tunable>
+<tunable name="use_samba_home_dirs" dftval="false">
+<desc>
+<p>
+Support SAMBA home directories
+</p>
+</desc>
+</tunable>
+<tunable name="user_tcp_server" dftval="false">
+<desc>
+<p>
+Allow users to run TCP servers (bind to ports and accept connection from
+the same domain and outside users) disabling this forces FTP passive mode
+and may change other protocols.
+</p>
+</desc>
+</tunable>
+<bool name="secure_mode" dftval="false">
+<desc>
+<p>
+Enabling secure mode disallows programs, such as
+newrole, from transitioning to administrative
+user domains.
+</p>
+</desc>
+</bool>
+</policy>
diff --git a/doc/templates/bool_list.html b/doc/templates/bool_list.html
new file mode 100644
index 00000000..2d852da4
--- /dev/null
+++ b/doc/templates/bool_list.html
@@ -0,0 +1,23 @@
+<h3>Master boolean index:</h3>
+
+[[for bool in booleans]]
+<div id="interfacesmall">
+[[if bool.has_key('mod_layer')]]
+Module: <a href='[[bool['mod_layer']+ "_" + bool['mod_name'] + ".html#link_" + bool['bool_name']]]'>
+[[bool['mod_name']]]</a><p/>
+Layer: <a href='[[bool['mod_layer']]].html'>
+[[bool['mod_layer']]]</a><p/>
+[[else]]
+Global
+[[end]]
+<div id="codeblock">
+[[bool['bool_name']]]
+<small>(Default: [[bool['def_val']]])</small>
+</div>
+[[if bool['desc']]]
+<div id="description">
+[[bool['desc']]]
+</div>
+[[end]]
+</div>
+[[end]]
diff --git a/doc/templates/boolean.html b/doc/templates/boolean.html
new file mode 100644
index 00000000..ea5a2604
--- /dev/null
+++ b/doc/templates/boolean.html
@@ -0,0 +1,13 @@
+[[for bool in booleans]]
+<a name="link_[[bool['bool_name']]]"></a>
+<div id="interface">
+<div id="codeblock">[[bool['bool_name']]]</div>
+<div id="description">
+<h5>Default value</h5>
+<p>[[bool['def_val']]]</p>
+[[if bool['desc']]]
+<h5>Description</h5>
+[[bool['desc']]]
+[[end]]
+</div></div>
+[[end]]
diff --git a/doc/templates/global_bool_list.html b/doc/templates/global_bool_list.html
new file mode 100644
index 00000000..a8065af8
--- /dev/null
+++ b/doc/templates/global_bool_list.html
@@ -0,0 +1,14 @@
+<h3>Global booleans:</h3>
+
+[[for bool in booleans]]
+<div id="interface">
+<div id="codeblock">[[bool['bool_name']]]</div>
+<div id="description">
+<h5>Default value</h5>
+<p>[[bool['def_val']]]</p>
+[[if bool['desc']]]
+<h5>Description</h5>
+[[bool['desc']]]
+[[end]]
+</div></div>
+[[end]]
diff --git a/doc/templates/global_tun_list.html b/doc/templates/global_tun_list.html
new file mode 100644
index 00000000..6ed80133
--- /dev/null
+++ b/doc/templates/global_tun_list.html
@@ -0,0 +1,14 @@
+<h3>Global tunables:</h3>
+
+[[for tun in tunables]]
+<div id="interface">
+<div id="codeblock">[[tun['tun_name']]]</div>
+<div id="description">
+<h5>Default value</h5>
+<p>[[tun['def_val']]]</p>
+[[if tun['desc']]]
+<h5>Description</h5>
+[[tun['desc']]]
+[[end]]
+</div></div>
+[[end]]
diff --git a/doc/templates/header.html b/doc/templates/header.html
new file mode 100644
index 00000000..9ef487cf
--- /dev/null
+++ b/doc/templates/header.html
@@ -0,0 +1,15 @@
+<html>
+<head>
+<title>
+ Security Enhanced Linux Reference Policy
+ </title>
+<style type="text/css" media="all">@import "style.css";</style>
+</head>
+<body>
+<div id="Header">Security Enhanced Linux Reference Policy</div>
+[[menu]]
+<div id="Content">
+[[content]]
+</div>
+</body>
+</html>
diff --git a/doc/templates/int_list.html b/doc/templates/int_list.html
new file mode 100644
index 00000000..b95c3435
--- /dev/null
+++ b/doc/templates/int_list.html
@@ -0,0 +1,33 @@
+<h3>Master interface index:</h3>
+
+[[for int in interfaces]]
+<div id="interfacesmall">
+Module: <a href='[[int['mod_layer']+ "_" + int['mod_name'] + ".html#link_" + int['interface_name']]]'>
+[[int['mod_name']]]</a><p/>
+Layer: <a href='[[int['mod_layer']]].html'>
+[[int['mod_layer']]]</a><p/>
+<div id="codeblock">
+[[exec i = 0]]
+<b>[[int['interface_name']]]</b>(
+ [[for arg in int['interface_parameters']]]
+ [[if i != 0]]
+ ,
+ [[end]]
+ [[exec i = 1]]
+ [[if arg['optional'] == 'yes']]
+ [
+ [[end]]
+ [[arg['name']]]
+ [[if arg['optional'] == 'yes']]
+ ]
+ [[end]]
+ [[end]]
+ )<br>
+</div>
+[[if int['interface_summary']]]
+<div id="description">
+[[int['interface_summary']]]
+</div>
+[[end]]
+</div>
+[[end]]
diff --git a/doc/templates/interface.html b/doc/templates/interface.html
new file mode 100644
index 00000000..90eb4369
--- /dev/null
+++ b/doc/templates/interface.html
@@ -0,0 +1,50 @@
+[[for int in interfaces]]
+<a name="link_[[int['interface_name']]]"></a>
+<div id="interface">
+[[if int.has_key("mod_layer")]]
+ Layer: [[mod_layer]]<br>
+[[end]]
+[[if int.has_key("mod_name")]]
+ Module: [[mod_name]]<br>
+[[end]]
+<div id="codeblock">
+[[exec i = 0]]
+<b>[[int['interface_name']]]</b>(
+ [[for arg in int['interface_parameters']]]
+ [[if i != 0]]
+ ,
+ [[end]]
+ [[exec i = 1]]
+ [[if arg['optional'] == 'yes']]
+ [
+ [[end]]
+ [[arg['name']]]
+ [[if arg['optional'] == 'yes']]
+ ]
+ [[end]]
+ [[end]]
+ )<br>
+</div>
+<div id="description">
+[[if int['interface_summary']]]
+<h5>Summary</h5>
+[[int['interface_summary']]]
+[[end]]
+[[if int['interface_desc']]]
+<h5>Description</h5>
+[[int['interface_desc']]]
+[[end]]
+<h5>Parameters</h5>
+<table border="1" cellspacing="0" cellpadding="3" width="65%">
+<tr><th >Parameter:</th><th >Description:</th></tr>
+[[for arg in int['interface_parameters']]]
+<tr><td>
+[[arg['name']]]
+</td><td>
+[[arg['desc']]]
+</td></tr>
+[[end]]
+</table>
+</div>
+</div>
+[[end]]
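Review bot: The guards `[[if int.has_key("mod_layer")]]` and `[[if int.has_key("mod_name")]]` on the fourth and seventh lines of the hunk check keys of the per-interface dict but then print the page-level names `[[mod_layer]]` and `[[mod_name]]`, not the values that were just tested; on a page where `int` carries these keys but the page-level names are unset, the rendered layer/module is wrong or the engine may raise on an undefined name. The read should match the guard: `Layer: [[int['mod_layer']]]<br>` and `Module: [[int['mod_name']]]<br>`, which is also how bool_list.html and int_list.html read these fields. The same mismatch appears at the corresponding two lines of template.html.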
diff --git a/doc/templates/menu.html b/doc/templates/menu.html
new file mode 100644
index 00000000..9472b2c3
--- /dev/null
+++ b/doc/templates/menu.html
@@ -0,0 +1,26 @@
+<div id='Menu'>
+ [[for layer_name, layer_mods in menulist]]
+ <a href="[[layer_name]].html">+&nbsp;
+ [[layer_name]]</a></br/>
+ <div id='subitem'>
+ [[for module, s in layer_mods]]
+ &nbsp;&nbsp;&nbsp;-&nbsp;<a href='[[layer_name + "_" + module]].html'>
+ [[module]]</a><br/>
+ [[end]]
+ </div>
+ [[end]]
+ <br/><p/>
+ <a href="global_booleans.html">*&nbsp;Global&nbsp;Booleans&nbsp;</a>
+ <br/><p/>
+ <a href="global_tunables.html">*&nbsp;Global&nbsp;Tunables&nbsp;</a>
+ <p/><br/><p/>
+ <a href="index.html">*&nbsp;Layer Index</a>
+ <br/><p/>
+ <a href="booleans.html">*&nbsp;Boolean&nbsp;Index</a>
+ <br/><p/>
+ <a href="tunables.html">*&nbsp;Tunable&nbsp;Index</a>
+ <br/><p/>
+ <a href="interfaces.html">*&nbsp;Interface&nbsp;Index</a>
+ <br/><p/>
+ <a href="templates.html">*&nbsp;Template&nbsp;Index</a>
+</div>
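Review bot: `</br/>` on the fourth line of the hunk is not a valid tag; browsers will most likely recover it as a line break, but it should be `<br/>` as on the other lines of this file. The self-closing `<p/>` used here and throughout the other templates is not a void element in HTML and may be parsed as an opened, unclosed paragraph; `<p></p>` or a plain `<br/>` would be unambiguous.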
diff --git a/doc/templates/module.html b/doc/templates/module.html
new file mode 100644
index 00000000..a8d008a8
--- /dev/null
+++ b/doc/templates/module.html
@@ -0,0 +1,52 @@
+<a name="top":></a>
+<h1>Layer: [[mod_layer]]</h1><p/>
+<h2>Module: [[mod_name]]</h2><p/>
+[[if booleans]]
+<a href=#booleans>Booleans</a>
+[[end]]
+[[if tunables]]
+<a href=#tunables>Tunables</a>
+[[end]]
+[[if interfaces]]
+<a href=#interfaces>Interfaces</a>
+[[end]]
+[[if templates]]
+<a href=#templates>Templates</a>
+[[end]]
+<h3>Description:</h3>
+[[if mod_desc]]
+<p>[[mod_desc]]</p>
+[[else]]
+<p>[[mod_summary]]</p>
+[[end]]
+[[if mod_req]]
+<p>This module is required to be included in all policies.</p>
+[[end]]
+<hr>
+[[if booleans]]
+<a name="booleans"></a>
+<h3>Booleans: </h3>
+[[booleans]]
+<a href=#top>Return</a>
+[[end]]
+[[if tunables]]
+<a name="tunables"></a>
+<h3>Tunables: </h3>
+[[tunables]]
+<a href=#top>Return</a>
+[[end]]
+[[if interfaces]]
+<a name="interfaces"></a>
+<h3>Interfaces: </h3>
+[[interfaces]]
+<a href=#top>Return</a>
+[[end]]
+[[if templates]]
+<a name="templates"></a>
+<h3>Templates: </h3>
+[[templates]]
+<a href=#top>Return</a>
+[[end]]
+[[if not templates and not interfaces and not tunables]]
+<h3>No booleans, tunables, interfaces, or templates.</h3>
+[[end]]
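Review bot: `<a name="top":></a>` on the first line of the hunk has a stray colon after the attribute, which is malformed and may leave the four `href=#top>Return` links below without a target in a strict parser; it should read `<a name="top"></a>`. The closing guard `[[if not templates and not interfaces and not tunables]]` omits booleans, so a module that has only booleans prints "No booleans, tunables, interfaces, or templates." right after listing them; it should be `[[if not booleans and not templates and not interfaces and not tunables]]`. The unquoted `href=#booleans` style anchors would also be more consistent with the rest of the templates as `href="#booleans"`.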
diff --git a/doc/templates/module_list.html b/doc/templates/module_list.html
new file mode 100644
index 00000000..7317a6be
--- /dev/null
+++ b/doc/templates/module_list.html
@@ -0,0 +1,19 @@
+[[if mod_layer]]
+<h1>Layer: [[mod_layer]]</h1><p/>
+[[if layer_summary]]
+<p>[[layer_summary]]</p><br/>
+[[end]]
+[[end]]
+<table border="1" cellspacing="0" cellpadding="3" width="75%">
+<tr><td class="title">Module:</td><td class="title">Description:</td></tr>
+ [[for layer_name, layer_mods in menulist]]
+ [[for module, s in layer_mods]]
+ <tr><td>
+ <a href='[[layer_name + "_" + module]].html'>
+ [[module]]</a></td>
+ <td>[[s]]</td>
+ [[end]]
+ </td></tr>
+ [[end]]
+</table>
+<p/><br/><br/>
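Review bot: The table-row markup in the inner `[[for module, s in layer_mods]]` loop is mismatched: each iteration emits `<tr><td>…</td>` and `<td>[[s]]</td>`, but `</td></tr>` is written once after the loop's `[[end]]`, so every row but the last is never closed and a stray `</td>` trails the last one. Close the row inside the loop by changing the `[[s]]` line to `<td>[[s]]</td></tr>` and dropping the `</td></tr>` line that follows the inner `[[end]]`.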
diff --git a/doc/templates/style.css b/doc/templates/style.css
new file mode 100644
index 00000000..9bac0d96
--- /dev/null
+++ b/doc/templates/style.css
@@ -0,0 +1,216 @@
+body {
+ margin:0px;
+ padding:0px;
+ font-family:verdana, arial, helvetica, sans-serif;
+ color:#333;
+ background-color:white;
+ }
+h1 {
+ margin:0px 0px 5px 0px;
+ padding:0px;
+ font-size:150%
+ line-height:28px;
+ font-weight:900;
+ color:#ccc;
+ }
+h2 {
+ font-size:125%;
+ margin:0px;
+ padding:5px 0px 10px 0px;
+ }
+h3 {
+ font-size:110%;
+ margin:0px;
+ padding:5px 0px 10px 5px;
+ }
+h4 {
+ font-size:100%;
+ margin:0px;
+ padding:5px 0px 10px 5px;
+ }
+h5 {
+ font-size:100%;
+ margin:0px;
+ font-weight:600;
+ padding:0px 0px 5px 0px;
+ margin:0px 0px 0px 5px;
+}
+li {
+ font:11px/20px verdana, arial, helvetica, sans-serif;
+ margin:0px 0px 0px 10px;
+ padding:0px;
+ }
+p {
+ /* normal */
+ font:11px/20px verdana, arial, helvetica, sans-serif;
+ margin:0px 0px 0px 10px;
+ padding:0px;
+ }
+
+tt {
+ /* inline code */
+ font-family: monospace;
+ }
+
+table {
+ background-color:#efefef;
+ /*background-color: white;*/
+ border-style:solid;
+ border-color:black;
+ border-width:0px 1px 1px 0px;
+ color: black;
+ text-align: left;
+ font:11px/20px verdana, arial, helvetica, sans-serif;
+ margin-left: 5%;
+ margin-right: 5%;
+}
+
+th {
+ font-weight:500;
+ background-color: #eaeaef;
+ text-align: center;
+}
+
+td.header {
+ font-weight: bold;
+}
+
+#Content>p {margin:0px;}
+#Content>p+p {text-indent:30px;}
+a {
+ color:#09c;
+ font-size:11px;
+ text-decoration:none;
+ font-weight:600;
+ font-family:verdana, arial, helvetica, sans-serif;
+ }
+a:link {color:#09c;}
+a:visited {color:#07a;}
+a:hover {background-color:#eee;}
+
+#Codeblock {
+ margin:5px 50px 5px 10px;
+ padding:5px 0px 5px 15px;
+ border-style:solid;
+ border-color:lightgrey;
+ border-width:1px 1px 1px 1px;
+ background-color:#f5f5ff;
+ font-size:100%;
+ font-weight:600;
+ text-decoration:none;
+ font-family:monospace;
+}
+#Interface {
+ margin:5px 0px 25px 5px;
+ padding:5px 0px 5px 5px;
+ border-style:solid;
+ border-color:black;
+ border-width:1px 1px 1px 1px;
+ background-color:#fafafa;
+ font-size:14px;
+ font-weight:400;
+ text-decoration:none;
+ font-family:verdana, arial, helvetica, sans-serif;
+}
+#Interfacesmall {
+ margin:0px 0px 5px 0px;
+ padding:5px 0px 0px 5px;
+ border-style:solid;
+ border-color:black;
+ border-width:1px 1px 1px 1px;
+ background-color:#fafafa;
+ font-size:14px;
+ font-weight:400;
+ text-decoration:none;
+ font-family:verdana, arial, helvetica, sans-serif;
+}
+#Template {
+ margin:5px 0px 25px 5px;
+ padding:5px 0px 5px 5px;
+ border-style:solid;
+ border-color:black;
+ border-width:1px 1px 1px 1px;
+ background-color:#fafafa;
+ font-size:14px;
+ font-weight:400;
+ text-decoration:none;
+ font-family:verdana, arial, helvetica, sans-serif;
+}
+#Templatesmall {
+ margin:0px 0px 5px 0px;
+ padding:5px 0px 0px 5px;
+ border-style:solid;
+ border-color:black;
+ border-width:1px 1px 1px 1px;
+ background-color:#fafafa;
+ font-size:14px;
+ font-weight:400;
+ text-decoration:none;
+ font-family:verdana, arial, helvetica, sans-serif;
+}
+#Description {
+ margin:0px 0px 0px 5px;
+ padding:0px 0px 0px 5px;
+ text-decoration:none;
+ font-family:verdana, arial, helvetica, sans-serif;
+ font-size:12px;
+ font-weight:400;
+}
+pre {
+ margin:0px;
+ padding:0px;
+ font-size:14px;
+ text-decoration:none;
+ font-family:verdana, arial, helvetica, sans-serif;
+}
+dl {
+ /* definition text block */
+ font:11px/20px verdana, arial, helvetica, sans-serif;
+ margin:0px 0px 16px 0px;
+ padding:0px;
+ }
+dt {
+ /* definition term */
+ font-weight: bold;
+ }
+
+#Header {
+ margin:50px 0px 10px 0px;
+ padding:17px 0px 0px 20px;
+ /* For IE5/Win's benefit height = [correct height] + [top padding] + [top and bottom border widths] */
+ height:33px; /* 14px + 17px + 2px = 33px */
+ border-style:solid;
+ border-color:black;
+ border-width:1px 0px; /* top and bottom borders: 1px; left and right borders: 0px */
+ line-height:11px;
+ font-size:110%;
+ background-color:#eee;
+ voice-family: "\"}\"";
+ voice-family:inherit;
+ height:14px; /* the correct height */
+ }
+body>#Header {height:14px;}
+#Content {
+ margin:0px 50px 0px 200px;
+ padding:10px;
+ }
+
+#Menu {
+ position:absolute;
+ top:100px;
+ left:20px;
+ width:162px;
+ padding:10px;
+ background-color:#eee;
+ border:1px solid #aaa;
+ line-height:17px;
+ text-align:left;
+ voice-family: "\"}\"";
+ voice-family:inherit;
+ width:160px;
+ }
+#Menu subitem {
+ font-size: 5px;
+}
+
+body>#Menu {width:160px;}
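Review bot: The ID selectors `#Codeblock`, `#Interface`, `#Interfacesmall`, `#Template`, `#Templatesmall` and `#Description` are capitalised, while the templates added in this commit use `id="codeblock"`, `id="interface"`, `id="interfacesmall"`, `id="template"`, `id="templatesmall"` and `id="description"`; CSS ID selectors are case-sensitive, so none of these rules ever applies. Either lower-case the selectors here or the ids in the templates. In the `h1` rule `font-size:150%` is missing its semicolon, which also swallows the following `line-height:28px` declaration; it should be `font-size:150%;`. `#Menu subitem` selects a descendant element named `subitem`, but menu.html uses `<div id='subitem'>`, so the intended selector is `#Menu #subitem`.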
diff --git a/doc/templates/temp_list.html b/doc/templates/temp_list.html
new file mode 100644
index 00000000..9d635d87
--- /dev/null
+++ b/doc/templates/temp_list.html
@@ -0,0 +1,33 @@
+<h3>Master template index:</h3>
+
+[[for temp in templates]]
+<div id="templatesmall">
+Module: <a href='[[temp['mod_layer']+ "_" + temp['mod_name'] + ".html#link_" + temp['template_name']]]'>
+[[temp['mod_name']]]</a><p/>
+Layer: <a href='[[temp['mod_layer']]].html'>
+[[temp['mod_layer']]]</a><p/>
+<div id="codeblock">
+[[exec i = 0]]
+<b>[[temp['template_name']]]</b>(
+ [[for arg in temp['template_parameters']]]
+ [[if i != 0]]
+ ,
+ [[end]]
+ [[exec i = 1]]
+ [[if arg['optional'] == 'yes']]
+ [
+ [[end]]
+ [[arg['name']]]
+ [[if arg['optional'] == 'yes']]
+ ]
+ [[end]]
+ [[end]]
+ )<br>
+</div>
+[[if temp['template_summary']]]
+<div id="description">
+[[temp['template_summary']]]
+</div>
+[[end]]
+</div>
+[[end]]
diff --git a/doc/templates/template.html b/doc/templates/template.html
new file mode 100644
index 00000000..251d2277
--- /dev/null
+++ b/doc/templates/template.html
@@ -0,0 +1,50 @@
+[[for temp in templates]]
+<a name="link_[[temp['template_name']]]"></a>
+<div id="template">
+[[if temp.has_key("mod_layer")]]
+ Layer: [[mod_layer]]<br>
+[[end]]
+[[if temp.has_key("mod_name")]]
+ Module: [[mod_name]]<br>
+[[end]]
+<div id="codeblock">
+[[exec i = 0]]
+<b>[[temp['template_name']]]</b>(
+ [[for arg in temp['template_parameters']]]
+ [[if i != 0]]
+ ,
+ [[end]]
+ [[exec i = 1]]
+ [[if arg['optional'] == 'yes']]
+ [
+ [[end]]
+ [[arg['name']]]
+ [[if arg['optional'] == 'yes']]
+ ]
+ [[end]]
+ [[end]]
+ )<br>
+</div>
+<div id="description">
+[[if temp['template_summary']]]
+<h5>Summary</h5>
+[[temp['template_summary']]]
+[[end]]
+[[if temp['template_desc']]]
+<h5>Description</h5>
+[[temp['template_desc']]]
+[[end]]
+<h5>Parameters</h5>
+<table border="1" cellspacing="0" cellpadding="3" width="65%">
+<tr><th >Parameter:</th><th >Description:</th></tr>
+[[for arg in temp['template_parameters']]]
+<tr><td>
+[[arg['name']]]
+</td><td>
+[[arg['desc']]]
+</td></tr>
+[[end]]
+</table>
+</div>
+</div>
+[[end]]
diff --git a/doc/templates/tun_list.html b/doc/templates/tun_list.html
new file mode 100644
index 00000000..278f284c
--- /dev/null
+++ b/doc/templates/tun_list.html
@@ -0,0 +1,23 @@
+<h3>Master tunable index:</h3>
+
+[[for tun in tunables]]
+<div id="interfacesmall">
+[[if tun.has_key('mod_layer')]]
+Module: <a href='[[tun['mod_layer']+ "_" + tun['mod_name'] + ".html#link_" + tun['tun_name']]]'>
+[[tun['mod_name']]]</a><p/>
+Layer: <a href='[[tun['mod_layer']]].html'>
+[[tun['mod_layer']]]</a><p/>
+[[else]]
+Global
+[[end]]
+<div id="codeblock">
+[[tun['tun_name']]]
+<small>(Default: [[tun['def_val']]])</small>
+</div>
+[[if tun['desc']]]
+<div id="description">
+[[tun['desc']]]
+</div>
+[[end]]
+</div>
+[[end]]
diff --git a/doc/templates/tunable.html b/doc/templates/tunable.html
new file mode 100644
index 00000000..9316779e
--- /dev/null
+++ b/doc/templates/tunable.html
@@ -0,0 +1,13 @@
+[[for tun in tunables]]
+<a name="link_[[tun['tun_name']]]"></a>
+<div id="interface">
+<div id="codeblock">[[tun['tun_name']]]</div>
+<div id="description">
+<h5>Default value</h5>
+<p>[[tun['def_val']]]</p>
+[[if tun['desc']]]
+<h5>Description</h5>
+[[tun['desc']]]
+[[end]]
+</div></div>
+[[end]]
diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
new file mode 100644
index 00000000..5bebd82d
--- /dev/null
+++ b/man/man8/ftpd_selinux.8
@@ -0,0 +1,65 @@
+.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation"
+.SH "NAME"
+.PP
+ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons.
+.SH "DESCRIPTION"
+.PP
+Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control.
+.SH FILE_CONTEXTS
+.PP
+SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files.
+.TP
+Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type.
+.PP
+.B
+semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
+.TP
+.B
+restorecon -F -R -v /var/ftp
+.TP
+Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set.
+.PP
+.B
+semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
+.TP
+.B
+restorecon -F -R -v /var/ftp/incoming
+
+.SH BOOLEANS
+.PP
+SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool.
+.TP
+Allow ftp servers to read and write files with the public_content_rw_t file type.
+.PP
+.B
+setsebool -P allow_ftpd_anon_write on
+.TP
+Allow ftp servers to read or write files in the user home directories.
+.PP
+.B
+setsebool -P ftp_home_dir on
+.TP
+Allow ftp servers to read or write all files on the system.
+.PP
+.B
+setsebool -P allow_ftpd_full_access on
+.TP
+Allow ftp servers to use cifs for public file transfer services.
+.PP
+.B
+setsebool -P allow_ftpd_use_cifs on
+.TP
+Allow ftp servers to use nfs for public file transfer services.
+.PP
+.B
+setsebool -P allow_ftpd_use_nfs on
+.TP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR
+.PP
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+.PP
+
+selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8)
diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8
new file mode 100644
index 00000000..e9c43b19
--- /dev/null
+++ b/man/man8/git_selinux.8
@@ -0,0 +1,109 @@
+.TH "git_selinux" "8" "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "NAME"
+git_selinux \- Security Enhanced Linux Policy for the Git daemon.
+.SH "DESCRIPTION"
+Security-Enhanced Linux secures the Git server via flexible mandatory access
+control.
+.SH FILE_CONTEXTS
+SELinux requires files to have an extended attribute to define the file type.
+Policy governs the access daemons have to these files.
+SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible.
+.PP
+The following file contexts types are by default defined for Git:
+.EX
+git_system_content_t
+.EE
+- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
+.EX
+git_session_content_t
+.EE
+- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
+.SH BOOLEANS
+SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
+.PP
+Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories.
+.EX
+sudo setsebool -P git_system_enable_homedirs 1
+.EE
+.PP
+Allow the Git system daemon to read system shared repositories on NFS shares.
+.EX
+sudo setsebool -P git_system_use_nfs 1
+.EE
+.PP
+Allow the Git system daemon to read system shared repositories on Samba shares.
+.EX
+sudo setsebool -P git_system_use_cifs 1
+.EE
+.PP
+Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
+.EX
+sudo setsebool -P use_nfs_home_dirs 1
+.EE
+.PP
+Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
+.EX
+sudo setsebool -P use_samba_home_dirs 1
+.EE
+.PP
+To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories.
+.EX
+sudo setsebool -P git_system_enable_homedirs 1
+.EE
+.PP
+To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
+.EX
+sudo setsebool -P git_session_bind_all_unreserved_ports 1
+.EE
+.SH GIT_SHELL
+The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
+.PP
+To add a new Linux user and map him to this Git shell user domain automatically:
+.EX
+sudo useradd -Z git_shell_u joe
+.EE
+.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
+Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content.
+.PP
+To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
+.EX
+policy_module(project1, 1.0.0)
+git_content_template(project1)
+.EE
+Next create a file named project1.fc and add a file context specification for the new repository type to it:
+.EX
+/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
+.EE
+Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
+.EX
+make -f /usr/share/selinux/devel/Makefile project.pp
+sudo semodule -i project1.pp
+sudo restorecon -R -v /srv/git/project1
+.EE
+To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
+.EX
+policy_module(project1user, 1.0.0)
+git_role_template(project1user)
+git_content_delegation(project1user_t, git_project1_content_t)
+gen_user(project1user_u, user, project1user_r, s0, s0)
+.EE
+Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user:
+.EX
+make -f /usr/share/selinux/devel/Makefile project1user.pp
+sudo semodule -i project1user.pp
+sudo useradd -Z project1user_u jane
+.EE
+.PP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR
+This manual page was written by Dominick Grift <domg472@gmail.com>.
+.SH "SEE ALSO"
+selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
new file mode 100644
index 00000000..16e8b132
--- /dev/null
+++ b/man/man8/httpd_selinux.8
@@ -0,0 +1,120 @@
+.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "NAME"
+httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the httpd server via flexible mandatory access
+control.
+.SH FILE_CONTEXTS
+SELinux requires files to have an extended attribute to define the file type.
+Policy governs the access daemons have to these files.
+SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
+.PP
+The following file contexts types are defined for httpd:
+.EX
+httpd_sys_content_t
+.EE
+- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
+.EX
+httpd_sys_script_exec_t
+.EE
+- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
+.EX
+httpd_sys_content_rw_t
+.EE
+- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
+.EX
+httpd_sys_content_ra_t
+.EE
+- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access.
+.EX
+httpd_unconfined_script_exec_t
+.EE
+- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd.
+
+.SH NOTE
+With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
+
+.SH SHARING FILES
+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute:
+
+.EX
+setsebool -P allow_httpd_anon_write=1
+.EE
+
+or
+
+.EX
+setsebool -P allow_httpd_sys_script_anon_write=1
+.EE
+
+.SH BOOLEANS
+SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
+.PP
+httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
+
+.EX
+setsebool -P httpd_enable_cgi 1
+.EE
+
+.PP
+SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
+
+.EX
+setsebool -P httpd_enable_homedirs 1
+chcon -R -t httpd_sys_content_t ~user/public_html
+.EE
+
+.PP
+SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
+
+.EX
+setsebool -P httpd_tty_comm 1
+.EE
+
+.PP
+httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another.
+
+.EX
+setsebool -P httpd_unified 0
+.EE
+
+.PP
+SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
+
+.EX
+setsebool -P httpd_can_sendmail 1
+.PP
+httpd can be configured to turn off internal scripting (PHP). PHP and other
+loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
+
+.EX
+setsebool -P httpd_builtin_scripting 0
+.EE
+
+.PP
+SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.
+This would prevent a hacker from breaking into you httpd server and attacking
+other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
+
+.EX
+setsebool -P httpd_can_network_connect 1
+.EE
+
+.PP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), httpd(8), chcon(1), setsebool(8)
+
+
diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8
new file mode 100644
index 00000000..a8f81c8e
--- /dev/null
+++ b/man/man8/kerberos_selinux.8
@@ -0,0 +1,28 @@
+.TH "kerberos_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "NAME"
+kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the system via flexible mandatory access
+control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
+.SH BOOLEANS
+.PP
+You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
+.EX
+setsebool -P allow_kerberos 1
+.EE
+.PP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), kerberos(1), chcon(1), setsebool(8)
diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8
new file mode 100644
index 00000000..fce0b481
--- /dev/null
+++ b/man/man8/named_selinux.8
@@ -0,0 +1,30 @@
+.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "NAME"
+named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the named server via flexible mandatory access
+control.
+.SH BOOLEANS
+SELinux policy is customizable based on least access required. So by
+default SELinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean.
+.EX
+setsebool -P named_write_master_zones 1
+.EE
+.PP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), named(8), chcon(1), setsebool(8)
+
+
diff --git a/man/man8/nfs_selinux.8 b/man/man8/nfs_selinux.8
new file mode 100644
index 00000000..8e30c4c6
--- /dev/null
+++ b/man/man8/nfs_selinux.8
@@ -0,0 +1,31 @@
+.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
+.SH "NAME"
+nfs_selinux \- Security Enhanced Linux Policy for NFS
+.SH "DESCRIPTION"
+
+Security Enhanced Linux secures the NFS server via flexible mandatory access
+control.
+.SH BOOLEANS
+SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
+
+.TP
+setsebool -P nfs_export_all_ro 1
+.TP
+If you want to share files read/write you must set the nfs_export_all_rw boolean.
+.TP
+setsebool -P nfs_export_all_rw 1
+
+.TP
+These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
+
+.TP
+If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
+.TP
+setsebool -P use_nfs_home_dirs 1
+.TP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), chcon(1), setsebool(8)
diff --git a/man/man8/nis_selinux.8 b/man/man8/nis_selinux.8
new file mode 100644
index 00000000..6271c951
--- /dev/null
+++ b/man/man8/nis_selinux.8
@@ -0,0 +1 @@
+.so man8/ypbind_selinux.8
diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8
new file mode 100644
index 00000000..ad9ccf5c
--- /dev/null
+++ b/man/man8/rsync_selinux.8
@@ -0,0 +1,52 @@
+.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "NAME"
+rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the rsync server via flexible mandatory access
+control.
+.SH FILE_CONTEXTS
+SELinux requires files to have an extended attribute to define the file type.
+Policy governs the access daemons have to these files.
+If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you
+would need to label the directory with the chcon tool.
+.TP
+chcon -t public_content_t /var/rsync
+.TP
+.TP
+To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
+.TP
+semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"
+.TP
+This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
+.TP
+/var/rsync(/.*)? system_u:object_r:publix_content_t:s0
+.TP
+Run the restorecon command to apply the changes:
+.TP
+restorecon -R -v /var/rsync/
+.EE
+
+.SH SHARING FILES
+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for rsync you would execute:
+
+.EX
+setsebool -P allow_rsync_anon_write=1
+.EE
+
+.SH BOOLEANS
+.TP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), rsync(1), chcon(1), setsebool(8), semanage(8)
diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8
new file mode 100644
index 00000000..ca702c79
--- /dev/null
+++ b/man/man8/samba_selinux.8
@@ -0,0 +1,56 @@
+.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
+.SH "NAME"
+samba_selinux \- Security Enhanced Linux Policy for Samba
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the Samba server via flexible mandatory access
+control.
+.SH FILE_CONTEXTS
+SELinux requires files to have an extended attribute to define the file type.
+Policy governs the access daemons have to these files.
+If you want to share files other than home directories, those files must be
+labeled samba_share_t. So if you created a special directory /var/eng, you
+would need to label the directory with the chcon tool.
+.TP
+chcon -t samba_share_t /var/eng
+.TP
+To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
+.TP
+semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"
+.TP
+This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
+.TP
+/var/eng(/.*)? system_u:object_r:samba_share_t:s0
+.TP
+Run the restorecon command to apply the changes:
+.TP
+restorecon -R -v /var/eng/
+
+.SH SHARING FILES
+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute:
+
+setsebool -P allow_smbd_anon_write=1
+
+.SH BOOLEANS
+.br
+SELinux policy is customizable based on least access required. So by
+default SELinux policy turns off SELinux sharing of home directories and
+the use of Samba shares from a remote machine as a home directory.
+.TP
+If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean.
+.br
+
+setsebool -P samba_enable_home_dirs 1
+.TP
+If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
+.br
+
+setsebool -P use_samba_home_dirs 1
+.TP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+
+.SH AUTHOR
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8
new file mode 100644
index 00000000..5061a5f0
--- /dev/null
+++ b/man/man8/ypbind_selinux.8
@@ -0,0 +1,19 @@
+.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation"
+.SH "NAME"
+ypbind_selinux \- Security Enhanced Linux Policy for NIS.
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the system via flexible mandatory access
+control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.
+.SH BOOLEANS
+.TP
+You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
+.TP
+setsebool -P allow_ypbind 1
+.TP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), ypbind(8), chcon(1), setsebool(8)
diff --git a/man/ru/man8/ftpd_selinux.8 b/man/ru/man8/ftpd_selinux.8
new file mode 100644
index 00000000..efa915e1
--- /dev/null
+++ b/man/ru/man8/ftpd_selinux.8
@@ -0,0 +1,57 @@
+.TH "ftpd_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation"
+.SH "НАЗВАНИЕ"
+ftpd_selinux \- Политика Security Enhanced Linux для демона ftp
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux обеспечивает защиту сервера ftpd при помощи гибко настраиваемого мандатного контроля доступа.
+.SH КОНТЕКСТ ФАЙЛОВ
+SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла.
+Политика управляет видом доступа демона к этим файлам. Если вы хотите организовать анонимный
+доступ к файлам, вы должны присвоить этим файлам и директориям контекст public_content_t.
+Таким образом, если вы создаете специальную директорию /var/ftp, то вам необходимо установить контекст для этой директории при помощи утилиты chcon.
+.TP
+chcon -R -t public_content_t /var/ftp
+.TP
+Если вы хотите задать директорию, в которую вы собираетесь загружать файлы, то вы должны
+установить контекст ftpd_anon_rw_t. Таким образом, если вы создаете специальную директорию /var/ftp/incoming, то вам необходимо установить контекст для этой директории при помощи утилиты chcon.
+.TP
+chcon -t public_content_rw_t /var/ftp/incoming
+.TP
+Вы также должны включить переключатель allow_ftpd_anon_write.
+.TP
+setsebool -P allow_ftpd_anon_write=1
+.TP
+Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся
+при обновлении контекстов, вы должны добавить записи в файл file_contexts.local.
+.TP
+/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
+.br
+/var/ftp(/.*)? system_u:object_r:public_content_t
+/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t
+
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+Политика SELinux для демона ftp настроена исходя из принципа наименьших привелегий. Таким
+образом, по умолчанию политика SELinux не позволяет пользователям заходить на сервер и
+читать содержимое их домашних директорий.
+.br
+Если вы настраиваете данную машину как ftpd-сервер и хотите, чтобы пользователи могли получать
+доступ к своим домашним директориям, то вам необходимо установить переключатель ftp_home_dir.
+.TP
+setsebool -P ftp_home_dir 1
+.TP
+ftpd может функционировать как самостоятельный демон, а также как часть домена xinetd. Если вы
+хотите, чтобы ftpd работал как демон, вы должны установить переключатель ftpd_is_daemon.
+.TP
+setsebool -P ftpd_is_daemon 1
+.br
+service vsftpd restart
+.TP
+Для управления настройками SELinux существует графическая утилита system-config-selinux.
+.SH АВТОРЫ
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), ftpd(8), chcon(1), setsebool(8)
+
+
diff --git a/man/ru/man8/httpd_selinux.8 b/man/ru/man8/httpd_selinux.8
new file mode 100644
index 00000000..a653b7d9
--- /dev/null
+++ b/man/ru/man8/httpd_selinux.8
@@ -0,0 +1,137 @@
+.TH "httpd_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "НАЗВАНИЕ"
+httpd_selinux \- Политика Security Enhanced Linux для демона httpd
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux обеспечивает защиту сервера httpd при помощи гибко настраиваемого мандатного контроля доступа.
+.SH КОНТЕКСТ ФАЙЛОВ
+SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла.
+Политика управляет видом доступа демона к этим файлам.
+Политика SELinux для демона httpd позволяет пользователям настроить web-службы максимально безопасным методом с высокой степенью гибкости.
+.PP
+Для httpd определены следующие контексты файлов:
+.EX
+httpd_sys_content_t
+.EE
+- Установите контекст httpd_sys_content_t для содержимого, которое должно быть доступно для всех скриптов httpd и для самого демона.
+.EX
+httpd_sys_script_exec_t
+.EE
+- Установите контекст httpd_sys_script_exec_t для cgi-скриптов, чтобы разрешить им доступ ко всем sys-типам.
+.EX
+httpd_sys_script_ro_t
+.EE
+- Установите на файлы контекст httpd_sys_script_ro_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать данные, и при этом нужно запретить доступ другим не-sys скриптам.
+.EX
+httpd_sys_script_rw_t
+.EE
+- Установите на файлы контекст httpd_sys_script_rw_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать и писать данные, и при этом нужно запретить доступ другим не-sys скриптам.
+.EX
+httpd_sys_script_ra_t
+.EE
+- Установите на файлы контекст httpd_sys_script_ra_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать и добавлять данные, и при этом нужно запретить доступ другим не-sys скриптам.
+.EX
+httpd_unconfined_script_exec_t
+.EE
+- Установите на cgi-скрипты контекст httpd_unconfined_script_exec_t если вы хотите разрешить
+им исполняться без какой-либо защиты SELinux. Такой способ должен использоваться только для
+скриптов с очень комплексными требованиями, и только в случае, если все остальные варианты настройки не дали результата. Лучше использовать скрипты с контекстом httpd_unconfined_script_exec_t, чем выключать защиту SELinux для httpd.
+
+.SH ЗАМЕЧАНИЕ
+Вместе с некоторыми политиками, вы можете определить дополнительные контексты файлов, основанные
+на ролях, таких как user или staff. Может быть определен контекст httpd_user_script_exec_t, который будет иметь доступ только к "пользовательским" контекстам.
+
+.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ
+Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный
+доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t.
+Данный контекст позволяет любому из выше перечисленных демонов читать содержимое.
+Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны
+установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для httpd вы должны выполнить команду:
+
+.EX
+setsebool -P allow_httpd_anon_write=1
+.EE
+
+или
+
+.EX
+setsebool -P allow_httpd_sys_script_anon_write=1
+.EE
+
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+Политика SELinux настроена исходя из принципа наименьших привилегий. Таким образом,
+по умолчанию SELinux препятствует работе некоторых http-скриптов. Политика httpd весьма
+гибка, и существующие переключатели управляют политикой, позволяя httpd выполняться
+с наименее возможными правами доступа.
+.PP
+Если вы хотите, чтобы httpd мог исполнять cgi-скрипты, установите переключатель httpd_enable_cgi
+.EX
+setsebool -P httpd_enable_cgi 1
+.EE
+
+.PP
+По умолчанию демону httpd не разрешен доступ в домашние дерикториии пользователей. Если вы хотите разрешить доступ, вам необходимо установить переключатель httpd_enable_homedirs и изменить контекст
+тех файлов в домашних директориях пользователей, к которым должен быть разрешен доступ.
+
+.EX
+setsebool -P httpd_enable_homedirs 1
+chcon -R -t httpd_sys_content_t ~user/public_html
+.EE
+
+.PP
+По умолчанию демон httpd не имеет доступ к управляющему терминалу. В большинстве случаев такое
+поведение является предпочтительным. Это связанно с тем, что злоумышленник может попытаться
+использовать доступ к терминалу для получения привилегий. Однако, в некоторых ситуациях демон
+httpd должен выводить запрос пароля для открытия файла сертификата и в таких случаях нужен доступ
+к терминалу. Для того, чтобы разрешить доступ к терминалу, установите переключатель httpd_tty_comm.
+.EX
+setsebool -P httpd_tty_comm 1
+.EE
+
+.PP
+httpd может быть настроен так, чтобы не разграничивать тип доступа к файлу на основании контекста.
+Иными словами, ко всем файлам, имеющим контекст httpd разрешен доступ на чтение/запись/исполнение.
+Установка этого переключателя в false, позволяет настроить политику безопасности таким образом,
+что одина служба httpd не конфликтует с другой.
+.EX
+setsebool -P httpd_unified 0
+.EE
+
+.PP
+Имеется возможность настроить httpd таким образом, чтобы отключить встроенную поддержку
+скриптов (PHP). PHP и другие загружаемые модули работают в том же контексте, что и httpd.
+Таким образом, если используются только внешние cgi-скрипты, некоторые из правил политики
+разрешают httpd больший доступ к системе, чем необходимо.
+
+.EX
+setsebool -P httpd_builtin_scripting 0
+.EE
+
+.PP
+По умолчанию httpd-скриптам запрещено устанавливать внешние сетевые подключения.
+Это не позволит хакеру, взломавшему ваш httpd-сервер, атаковать другие машины.
+Если вашим скриптам необходимо иметь возможность подключения, установите переключатель
+httpd_can_network_connect
+
+.EX
+setsebool -P httpd_can_network_connect 1
+.EE
+
+.PP
+Для управления настройками SELinux существует графическая утилита system-config-selinux.
+.SH АВТОРЫ
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), httpd(8), chcon(1), setsebool(8)
+
+
diff --git a/man/ru/man8/kerberos_selinux.8 b/man/ru/man8/kerberos_selinux.8
new file mode 100644
index 00000000..9f546dc9
--- /dev/null
+++ b/man/ru/man8/kerberos_selinux.8
@@ -0,0 +1,30 @@
+.TH "kerberos_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "НАЗВАНИЕ"
+kerberos_selinux \- Политика Security Enhanced Linux для Kerberos.
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux защищает систему при помощи гибко настраиваемого мандатного контроля доступа. По умолчанию Kerberos запрещен, поскольку требуется функционирование демонов,
+которым предоставляется слишком обширный доступ к сети и некоторым чувствительным в плане безопасности файлам.
+
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+.PP
+Для того, чтобы система могла корректно работать в окружении Kerberos, вы должны установить переключатель allow_kerberos.
+.EX
+setsebool -P allow_kerberos 1
+.EE
+.PP
+Для управления настройками SELinux существует графическая утилита system-config-selinux.
+.SH АВТОРЫ
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), kerberos(1), chcon(1), setsebool(8)
diff --git a/man/ru/man8/named_selinux.8 b/man/ru/man8/named_selinux.8
new file mode 100644
index 00000000..9818f79e
--- /dev/null
+++ b/man/ru/man8/named_selinux.8
@@ -0,0 +1,31 @@
+.TH "named_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "НАЗВАНИЕ"
+named_selinux \- Политика Security Enhanced Linux для демона Internet Name server (named)
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux обеспечивает защиту сервера named при помощи гибко настраиваемого мандатного контроля доступа.
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+Политика SELinux настраивается исходя из принципа наименьших привилегий. Таким образом,
+по умолчанию политика SELinux не позволяет демону named осуществлять изменения файлов мастер-зоны.
+Если вам необходимо, чтобы named мог обновлять файлы мастер-зоны, вы должны установить переключатель named_write_master_zones boolean.
+.EX
+setsebool -P named_write_master_zones 1
+.EE
+.PP
+Для управления настройками SELinux существует графическая утилита system-config-selinux.
+.SH АВТОРЫ
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), named(8), chcon(1), setsebool(8)
+
+
diff --git a/man/ru/man8/nfs_selinux.8 b/man/ru/man8/nfs_selinux.8
new file mode 100644
index 00000000..525513f8
--- /dev/null
+++ b/man/ru/man8/nfs_selinux.8
@@ -0,0 +1,33 @@
+.TH "nfs_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation"
+.SH "НАЗВАНИЕ"
+nfs_selinux \- Политика Security Enhanced Linux для NFS
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux защищает сервер nfs при помощи гибко настраиваемого мандатного контроля доступа.
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+Политика SELinux настраивается исходя из принципа наименьших привилегий. Таким образом,
+по умолчанию политика SELinux не позволяет предоставлять доступ к файлам по nfs. Если вы хотите
+разрешить доступ только на чтение к файлам этой машины по nfs, вы должны установить переключатель
+nfs_export_all_ro.
+
+.TP
+setsebool -P nfs_export_all_ro 1
+.TP
+Если вы хотите разрешить доступ на чтение/запись, вы должны установить переключатель nfs_export_all_rw.
+.TP
+setsebool -P nfs_export_all_rw 1
+
+.TP
+Если вы хотите использовать удаленный NFS сервер для хранения домашних директорий этой машины,
+то вы должны установить переключатель use_nfs_home_dir boolean.
+.TP
+setsebool -P use_nfs_home_dirs 1
+.TP
+Для управления настройками SELinux существует графическая утилита
+system-config-selinux.
+.SH АВТОРЫ
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), chcon(1), setsebool(8)
diff --git a/man/ru/man8/rsync_selinux.8 b/man/ru/man8/rsync_selinux.8
new file mode 100644
index 00000000..7b60605b
--- /dev/null
+++ b/man/ru/man8/rsync_selinux.8
@@ -0,0 +1,50 @@
+.TH "rsync_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "НАЗВАНИЕ"
+rsync_selinux \- Политика Security Enhanced Linux для демона rsync
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux обеспечивает защиту сервера rsync при помощи гибко настраиваемого мандатного контроля доступа.
+.SH КОНТЕКСТ ФАЙЛОВ
+SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла.
+Политика управляет видом доступа демона к этим файлам. Если вы хотите предоставить доступ к файлам
+при помощи демона rsync, вы должны присвоить этим файлам и директориям контекст
+public_content_t. Таким образом, если вы создаете специальную директорию /var/rsync, то вам
+необходимо установить контекст для этой директории при помощи утилиты chcon.
+.TP
+chcon -t public_content_t /var/rsync
+.TP
+Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся
+при обновлении контекстов, вы должны добавить записи в файл file_contexts.local.
+.EX
+/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
+/var/rsync(/.*)? system_u:object_r:public_content_t
+.EE
+
+.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ
+Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный
+доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t.
+Данный контекст позволяет любому из выше перечисленных демонов читать содержимое.
+Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны
+установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для rsync вы должны выполнить команду:
+
+.EX
+setsebool -P allow_rsync_anon_write=1
+.EE
+
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+.TP
+Для управления настройками SELinux существует графическая утилита system-config-selinux.
+.SH АВТОРЫ
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), rsync(1), chcon(1), setsebool(8)
diff --git a/man/ru/man8/samba_selinux.8 b/man/ru/man8/samba_selinux.8
new file mode 100644
index 00000000..9a16863f
--- /dev/null
+++ b/man/ru/man8/samba_selinux.8
@@ -0,0 +1,60 @@
+.TH "samba_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
+.SH "НАЗВАНИЕ"
+samba_selinux \- Политика Security Enhanced Linux для Samba
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux обеспечивает защиту сервера Samba при помощи гибко настраиваемого мандатного контроля доступа.
+.SH КОНТЕКСТ ФАЙЛОВ
+SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла.
+Политика управляет видом доступа демона к этим файлам.
+Если вы хотите предоставить доступ к файлам вовне домашних директорий, этим файлам необходимо
+присвоить контекст samba_share_t.
+Таким образом, если вы создаете специальную директорию /var/eng, то вам необходимо
+установить контекст для этой директории при помощи утилиты chcon.
+.TP
+chcon -t samba_share_t /var/eng
+.TP
+
+Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся
+при обновлении контекстов, вы должны добавить записи в файл file_contexts.local.
+.TP
+/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
+.br
+/var/eng(/.*)? system_u:object_r:samba_share_t
+
+.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ
+Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный
+доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t.
+Данный контекст позволяет любому из выше перечисленных демонов читать содержимое.
+Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны
+установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для samba вы должны выполнить команду:
+
+setsebool -P allow_smbd_anon_write=1
+
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+.br
+Политика SELinux настраивается исходя из принципа наименьших привилегий.
+Таким образом, по умолчанию политика SELinux не позволяет предоставлять удаленный доступ
+к домашним директориям и не позволяет использовать удаленный сервер Samba для хранения
+домашних директорий.
+.TP
+Если вы настроили эту машину как сервер Samba и желаете предоставить доступ к домашним
+директориям, вы должны установить переключатель samba_enable_home_dirs.
+.br
+
+setsebool -P samba_enable_home_dirs 1
+.TP
+Если вы хотите для хранения домашних директорий пользователей этой машины использовать удаленный
+сервер Samba, вы должны установить переключатель use_samba_home_dirs.
+.br
+
+setsebool -P use_samba_home_dirs 1
+.TP
+Для управления настройками SELinux существует графическая утилита system-config-selinux.
+
+.SH АВТОРЫ
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), samba(7), chcon(1), setsebool(8)
diff --git a/man/ru/man8/ypbind_selinux.8 b/man/ru/man8/ypbind_selinux.8
new file mode 100644
index 00000000..a6c084ac
--- /dev/null
+++ b/man/ru/man8/ypbind_selinux.8
@@ -0,0 +1,19 @@
+.TH "ypbind_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation"
+.SH "НАЗВАНИЕ"
+ypbind_selinux \- Политика Security Enhanced Linux для NIS.
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux защищает систему при помощи гибко настраиваемого мандатного контроля доступа. По умолчанию работа NIS запрещена. Это является следствием того, что демоны NIS требуют слишком обширного доступа к сети.
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+.TP
+Для того, чтобы система могла работать в окружении NIS, вы должны установить переключатель allow_ypbind.
+.TP
+setsebool -P allow_ypbind 1
+.TP
+Для управления настройками SELinux существует графическая утилита system-config-selinux.
+.SH АВТОРЫ
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), ypbind(8), chcon(1), setsebool(8)
diff --git a/policy/booleans.conf b/policy/booleans.conf
new file mode 100644
index 00000000..5dd0bf5a
--- /dev/null
+++ b/policy/booleans.conf
@@ -0,0 +1,793 @@
+#
+# Disable kernel module loading.
+#
+secure_mode_insmod = false
+
+#
+# Boolean to determine whether the system permits loading policy, setting
+# enforcing mode, and changing boolean values. Set this to true and you
+# have to reboot to set it back.
+#
+secure_mode_policyload = false
+
+#
+# Enabling secure mode disallows programs, such as
+# newrole, from transitioning to administrative
+# user domains.
+#
+secure_mode = false
+
+#
+# Control users use of ping and traceroute
+#
+user_ping = false
+
+#
+# Allow Apache to modify public files
+# used for public file transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+#
+allow_httpd_anon_write = false
+
+#
+# Allow Apache to use mod_auth_pam
+#
+allow_httpd_mod_auth_pam = false
+
+#
+# Allow httpd to use built in scripting (usually php)
+#
+httpd_builtin_scripting = false
+
+#
+# Allow HTTPD scripts and modules to connect to the network using TCP.
+#
+httpd_can_network_connect = false
+
+#
+# Allow HTTPD scripts and modules to connect to databases over the network.
+#
+httpd_can_network_connect_db = false
+
+#
+# Allow httpd to act as a relay
+#
+httpd_can_network_relay = false
+
+#
+# Allow http daemon to send mail
+#
+httpd_can_sendmail = false
+
+#
+# Allow Apache to communicate with avahi service via dbus
+#
+httpd_dbus_avahi = false
+
+#
+# Allow httpd cgi support
+#
+httpd_enable_cgi = false
+
+#
+# Allow httpd to act as a FTP server by
+# listening on the ftp port.
+#
+httpd_enable_ftp_server = false
+
+#
+# Allow httpd to read home directories
+#
+httpd_enable_homedirs = false
+
+#
+# Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+#
+httpd_ssi_exec = false
+
+#
+# Unify HTTPD to communicate with the terminal.
+# Needed for entering the passphrase for certificates at
+# the terminal.
+#
+httpd_tty_comm = false
+
+#
+# Unify HTTPD handling of all content files.
+#
+httpd_unified = false
+
+#
+# Allow httpd to access cifs file systems
+#
+httpd_use_cifs = false
+
+#
+# Allow httpd to run gpg
+#
+httpd_use_gpg = false
+
+#
+# Allow httpd to access nfs file systems
+#
+httpd_use_nfs = false
+
+#
+# Allow BIND to write the master zone files.
+# Generally this is used for dynamic DNS or zone transfers.
+#
+named_write_master_zones = false
+
+#
+# Allow cdrecord to read various content.
+# nfs, samba, removable devices, user temp
+# and untrusted content files
+#
+cdrecord_read_content = false
+
+#
+# Allow clamd to use JIT compiler
+#
+clamd_use_jit = false
+
+#
+# Allow Cobbler to modify public files
+# used for public file transfer services.
+#
+cobbler_anon_write = false
+
+#
+# Allow system cron jobs to relabel filesystem
+# for restoring file contexts.
+#
+cron_can_relabel = false
+
+#
+# Enable extra rules in the cron domain
+# to support fcron.
+#
+fcron_crond = false
+
+#
+# Allow cvs daemon to read shadow
+#
+allow_cvs_read_shadow = false
+
+#
+# Allow dbadm to manage files in users home directories
+#
+dbadm_manage_user_files = false
+
+#
+# Allow dbadm to read files in users home directories
+#
+dbadm_read_user_files = false
+
+#
+# Allow the use of the audio devices as the source for the entropy feeds
+#
+entropyd_use_audio = false
+
+#
+# Allow exim to connect to databases (postgres, mysql)
+#
+exim_can_connect_db = false
+
+#
+# Allow exim to read unprivileged user files.
+#
+exim_read_user_files = false
+
+#
+# Allow exim to create, read, write, and delete
+# unprivileged user files.
+#
+exim_manage_user_files = false
+
+#
+# Allow ftp servers to upload files, used for public file
+# transfer services. Directories must be labeled
+# public_content_rw_t.
+#
+allow_ftpd_anon_write = false
+
+#
+# Allow ftp servers to login to local users and
+# read/write all files on the system, governed by DAC.
+#
+allow_ftpd_full_access = false
+
+#
+# Allow ftp servers to use cifs
+# used for public file transfer services.
+#
+allow_ftpd_use_cifs = false
+
+#
+# Allow ftp servers to use nfs
+# used for public file transfer services.
+#
+allow_ftpd_use_nfs = false
+
+#
+# Allow ftp to read and write files in the user home directories
+#
+ftp_home_dir = false
+
+#
+# Allow anon internal-sftp to upload files, used for
+# public file transfer services. Directories must be labeled
+# public_content_rw_t.
+#
+sftpd_anon_write = false
+
+#
+# Allow sftp-internal to read and write files
+# in the user home directories
+#
+sftpd_enable_homedirs = false
+
+#
+# Allow sftp-internal to login to local users and
+# read/write all files on the system, governed by DAC.
+#
+sftpd_full_access = false
+
+#
+# Determine whether Git CGI
+# can search home directories.
+#
+git_cgi_enable_homedirs = false
+
+#
+# Determine whether Git CGI
+# can access cifs file systems.
+#
+git_cgi_use_cifs = false
+
+#
+# Determine whether Git CGI
+# can access nfs file systems.
+#
+git_cgi_use_nfs = false
+
+#
+# Determine whether calling user domains
+# can execute Git daemon in the
+# git_session_t domain.
+#
+git_session_users = false
+
+#
+# Determine whether Git session daemons
+# can send syslog messages.
+#
+git_session_send_syslog_msg = false
+
+#
+# Determine whether Git system daemon
+# can search home directories.
+#
+git_system_enable_homedirs = false
+
+#
+# Determine whether Git system daemon
+# can access cifs file systems.
+#
+git_system_use_cifs = false
+
+#
+# Determine whether Git system daemon
+# can access nfs file systems.
+#
+git_system_use_nfs = false
+
+#
+# Allow usage of the gpg-agent --write-env-file option.
+# This also allows gpg-agent to manage user files.
+#
+gpg_agent_env_file = false
+
+#
+# Allow java executable stack
+#
+allow_java_execstack = false
+
+#
+# Allow confined applications to run with kerberos.
+#
+allow_kerberos = false
+
+#
+# Use lpd server instead of cups
+#
+use_lpd_server = false
+
+#
+# Allow confined web browsers to read home directory content
+#
+mozilla_read_content = false
+
+#
+# Allow mplayer executable stack
+#
+allow_mplayer_execstack = false
+
+#
+# Allow mysqld to connect to all ports
+#
+mysql_connect_any = false
+
+#
+# Allow openvpn to read home directories
+#
+openvpn_enable_homedirs = false
+
+#
+# Allow the portage domains to use NFS mounts (regular nfs_t)
+#
+portage_use_nfs = false
+
+#
+# Allow pppd to load kernel modules for certain modems
+#
+pppd_can_insmod = false
+
+#
+# Allow pppd to be run for a regular user
+#
+pppd_for_user = false
+
+#
+# Allow privoxy to connect to all ports, not just
+# HTTP, FTP, and Gopher ports.
+#
+privoxy_connect_any = false
+
+#
+# Allow Puppet client to manage all file
+# types.
+#
+puppet_manage_all_files = false
+
+#
+# Allow qemu to connect fully to the network
+#
+qemu_full_network = false
+
+#
+# Allow qemu to use cifs/Samba file systems
+#
+qemu_use_cifs = true
+
+#
+# Allow qemu to use serial/parallel communication ports
+#
+qemu_use_comm = false
+
+#
+# Allow qemu to use nfs file systems
+#
+qemu_use_nfs = true
+
+#
+# Allow qemu to use usb devices
+#
+qemu_use_usb = true
+
+#
+# Allow rgmanager domain to connect to the network using TCP.
+#
+rgmanager_can_network_connect = false
+
+#
+# Allow fenced domain to connect to the network using TCP.
+#
+fenced_can_network_connect = false
+
+#
+# Allow gssd to read temp directory. For access to kerberos tgt.
+#
+allow_gssd_read_tmp = true
+
+#
+# Allow nfs servers to modify public files
+# used for public file transfer services. Files/Directories must be
+# labeled public_content_rw_t.
+#
+allow_nfsd_anon_write = false
+
+#
+# Allow rsync to export any files/directories read only.
+#
+rsync_export_all_ro = false
+
+#
+# Allow rsync to modify public files
+# used for public file transfer services. Files/Directories must be
+# labeled public_content_rw_t.
+#
+allow_rsync_anon_write = false
+
+#
+# Allow samba to modify public files used for public file
+# transfer services. Files/Directories must be labeled
+# public_content_rw_t.
+#
+allow_smbd_anon_write = false
+
+#
+# Allow samba to create new home directories (e.g. via PAM)
+#
+samba_create_home_dirs = false
+
+#
+# Allow samba to act as the domain controller, add users,
+# groups and change passwords.
+#
+samba_domain_controller = false
+
+#
+# Allow samba to share users home directories.
+#
+samba_enable_home_dirs = false
+
+#
+# Allow samba to share any file/directory read only.
+#
+samba_export_all_ro = false
+
+#
+# Allow samba to share any file/directory read/write.
+#
+samba_export_all_rw = false
+
+#
+# Allow samba to run unconfined scripts
+#
+samba_run_unconfined = false
+
+#
+# Allow samba to export NFS volumes.
+#
+samba_share_nfs = false
+
+#
+# Allow samba to export ntfs/fusefs volumes.
+#
+samba_share_fusefs = false
+
+#
+# Allow confined virtual guests to manage nfs files
+#
+sanlock_use_nfs = false
+
+#
+# Allow confined virtual guests to manage cifs files
+#
+sanlock_use_samba = false
+
+#
+# Allow sasl to read shadow
+#
+allow_saslauthd_read_shadow = false
+
+#
+# Enable additional permissions needed to support
+# devices on 3ware controllers.
+#
+smartmon_3ware = false
+
+#
+# Allow user spamassassin clients to use the network.
+#
+spamassassin_can_network = false
+
+#
+# Allow spamd to read/write user home directories.
+#
+spamd_enable_home_dirs = true
+
+#
+# Allow squid to connect to all ports, not just
+# HTTP, FTP, and Gopher ports.
+#
+squid_connect_any = false
+
+#
+# Allow squid to run as a transparent proxy (TPROXY)
+#
+squid_use_tproxy = false
+
+#
+# Allow the Telepathy connection managers
+# to connect to any generic TCP port.
+#
+telepathy_tcp_connect_generic_network_ports = false
+
+#
+# Allow the Telepathy connection managers
+# to connect to any network port.
+#
+telepathy_connect_all_ports = false
+
+#
+# Allow tftp to modify public files
+# used for public file transfer services.
+#
+tftp_anon_write = false
+
+#
+# Allow tor daemon to bind
+# tcp sockets to all unreserved ports.
+#
+tor_bind_all_unreserved_ports = false
+
+#
+# Allow varnishd to connect to all ports,
+# not just HTTP.
+#
+varnishd_connect_any = false
+
+#
+# Ignore vbetool mmap_zero errors.
+#
+vbetool_mmap_zero_ignore = false
+
+#
+# Allow virt to use serial/parallell communication ports
+#
+virt_use_comm = false
+
+#
+# Allow virt to read fuse files
+#
+virt_use_fusefs = false
+
+#
+# Allow virt to manage nfs files
+#
+virt_use_nfs = false
+
+#
+# Allow virt to manage cifs files
+#
+virt_use_samba = false
+
+#
+# Allow virt to manage device configuration, (pci)
+#
+virt_use_sysfs = false
+
+#
+# Allow virt to use usb devices
+#
+virt_use_usb = true
+
+#
+# Allow webadm to manage files in users home directories
+#
+webadm_manage_user_files = false
+
+#
+# Allow webadm to read files in users home directories
+#
+webadm_read_user_files = false
+
+#
+# Ignore wine mmap_zero errors.
+#
+wine_mmap_zero_ignore = false
+
+#
+# Allow xend to run blktapctrl/tapdisk.
+# Not required if using dedicated logical volumes for disk images.
+#
+xend_run_blktap = true
+
+#
+# Allow xend to run qemu-dm.
+# Not required if using paravirt and no vfb.
+#
+xend_run_qemu = true
+
+#
+# Allow xen to manage nfs files
+#
+xen_use_nfs = false
+
+#
+# Allow xguest users to mount removable media
+#
+xguest_mount_media = true
+
+#
+# Allow xguest to configure Network Manager
+#
+xguest_connect_network = true
+
+#
+# Allow xguest to use blue tooth devices
+#
+xguest_use_bluetooth = true
+
+#
+# Allow zebra daemon to write it configuration files
+#
+allow_zebra_write_config = false
+
+#
+# Control the ability to mmap a low area of the address space,
+# as configured by /proc/sys/kernel/mmap_min_addr.
+#
+mmap_low_allowed = false
+
+#
+# Allow sysadm to debug or ptrace all processes.
+#
+allow_ptrace = false
+
+#
+# Allow unprived users to execute DDL statement
+#
+sepgsql_enable_users_ddl = true
+
+#
+# Allow database admins to execute DML statement
+#
+sepgsql_unconfined_dbadm = true
+
+#
+# allow host key based authentication
+#
+allow_ssh_keysign = false
+
+#
+# Allow ssh logins as sysadm_r:sysadm_t
+#
+ssh_sysadm_login = false
+
+#
+# Allows clients to write to the X server shared
+# memory segments.
+#
+allow_write_xshm = false
+
+#
+# Allow xdm logins as sysadm
+#
+xdm_sysadm_login = false
+
+#
+# Support X userspace object manager
+#
+xserver_object_manager = false
+
+#
+# Enable support for upstart as the init program.
+#
+init_upstart = false
+
+#
+# Allow racoon to read shadow
+#
+racoon_read_shadow = false
+
+#
+# Allow the mount command to mount any directory or file.
+#
+allow_mount_anyfile = false
+
+#
+# Allow users to connect to mysql
+#
+allow_user_mysql_connect = false
+
+#
+# Allow users to connect to PostgreSQL
+#
+allow_user_postgresql_connect = false
+
+#
+# Allow regular users direct mouse access
+#
+user_direct_mouse = false
+
+#
+# Allow users to read system messages.
+#
+user_dmesg = false
+
+#
+# Allow user to r/w files on filesystems
+# that do not have extended attributes (FAT, CDROM, FLOPPY)
+#
+user_rw_noexattrfile = false
+
+#
+# Allow w to display everyone
+#
+user_ttyfile_stat = false
+
+#
+# Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+#
+allow_execheap = false
+
+#
+# Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+#
+allow_execmem = false
+
+#
+# Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+#
+allow_execmod = false
+
+#
+# Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+#
+allow_execstack = false
+
+#
+# Enable polyinstantiated directory support.
+#
+allow_polyinstantiation = false
+
+#
+# Allow system to run with NIS
+#
+allow_ypbind = false
+
+#
+# Allow logging in and using the system from /dev/console.
+#
+console_login = true
+
+#
+# Enable reading of urandom for all domains.
+#
+#
+#
+#
+# This should be enabled when all programs
+# are compiled with ProPolice/SSP
+# stack smashing protection. All domains will
+# be allowed to read from /dev/urandom.
+#
+global_ssp = false
+
+#
+# Allow email client to various content.
+# nfs, samba, removable devices, and user temp
+# files
+#
+mail_read_content = false
+
+#
+# Allow any files/directories to be exported read/write via NFS.
+#
+nfs_export_all_rw = false
+
+#
+# Allow any files/directories to be exported read/only via NFS.
+#
+nfs_export_all_ro = false
+
+#
+# Support NFS home directories
+#
+use_nfs_home_dirs = false
+
+#
+# Support SAMBA home directories
+#
+use_samba_home_dirs = false
+
+#
+# Allow users to run TCP servers (bind to ports and accept connection from
+# the same domain and outside users) disabling this forces FTP passive mode
+# and may change other protocols.
+#
+user_tcp_server = false
+
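Review bot: Fourteen of the booleans this file introduces default to `true` while everything else is `false`, and each of them widens a confined domain's reach — `qemu_use_cifs`, `qemu_use_nfs`, `qemu_use_usb`, `allow_gssd_read_tmp`, `spamd_enable_home_dirs`, `virt_use_usb`, `xend_run_blktap`, `xend_run_qemu`, `xguest_mount_media`, `xguest_connect_network`, `xguest_use_bluetooth`, `sepgsql_enable_users_ddl`, `sepgsql_unconfined_dbadm` and `console_login`; nothing in the file says why, so a one-line justification above each (e.g. `# Enabled by default: libvirt-managed guests are commonly stored on NFS/CIFS`) would let a hardening review distinguish deliberate choices from leftovers. Three descriptions end in a stray `")` (`allow_execmem`, `allow_execmod`, `allow_execstack`) and the `global_ssp` description contains a run of empty `#` lines, which looks like text lifted from `gen_tunable(...)` calls with a quoting slip; if this file is regenerated from the policy sources by `make conf`, the fix belongs in those source descriptions rather than here. There is also `parallell` in the `virt_use_comm` description and a missing verb in `# Allow email client to various content.`, which should read `# Allow email client to read various content.`.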
diff --git a/policy/constraints b/policy/constraints
new file mode 100644
index 00000000..3a45f236
--- /dev/null
+++ b/policy/constraints
@@ -0,0 +1,241 @@
+
+#
+# Define the constraints
+#
+# constrain class_set perm_set expression ;
+#
+# expression : ( expression )
+# | not expression
+# | expression and expression
+# | expression or expression
+# | u1 op u2
+# | r1 role_op r2
+# | t1 op t2
+# | u1 op names
+# | u2 op names
+# | r1 op names
+# | r2 op names
+# | t1 op names
+# | t2 op names
+#
+# op : == | !=
+# role_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+define(`basic_ubac_conditions',`
+ ifdef(`enable_ubac',`
+ u1 == u2
+ or u1 == system_u
+ or u2 == system_u
+ or t1 != ubac_constrained_type
+ or t2 != ubac_constrained_type
+ ')
+')
+
+define(`basic_ubac_constraint',`
+ ifdef(`enable_ubac',`
+ constrain $1 all_$1_perms
+ (
+ basic_ubac_conditions
+ );
+ ')
+')
+
+define(`exempted_ubac_constraint',`
+ ifdef(`enable_ubac',`
+ constrain $1 all_$1_perms
+ (
+ basic_ubac_conditions
+ or t1 == $2
+ );
+ ')
+')
+
+########################################
+#
+# File rules
+#
+
+exempted_ubac_constraint(dir, ubacfile)
+exempted_ubac_constraint(file, ubacfile)
+exempted_ubac_constraint(lnk_file, ubacfile)
+exempted_ubac_constraint(fifo_file, ubacfile)
+exempted_ubac_constraint(sock_file, ubacfile)
+exempted_ubac_constraint(chr_file, ubacfile)
+exempted_ubac_constraint(blk_file, ubacfile)
+
+# SELinux object identity change constraint:
+constrain dir_file_class_set { create relabelto relabelfrom }
+(
+ u1 == u2
+ or t1 == can_change_object_identity
+);
+
+########################################
+#
+# Process rules
+#
+
+ifdef(`enable_ubac',`
+ constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
+ (
+ basic_ubac_conditions
+ or t1 == ubacproc
+ );
+')
+
+constrain process { transition dyntransition noatsecure siginh rlimitinh }
+(
+ u1 == u2
+ or ( t1 == can_change_process_identity and t2 == process_user_target )
+ or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
+ or ( t1 == can_system_change and u2 == system_u )
+ or ( t1 == process_uncond_exempt )
+);
+
+constrain process { transition dyntransition noatsecure siginh rlimitinh }
+(
+ r1 == r2
+ or ( t1 == can_change_process_role and t2 == process_user_target )
+ or ( t1 == cron_source_domain and t2 == cron_job_domain )
+ or ( t1 == can_system_change and r2 == system_r )
+ or ( t1 == process_uncond_exempt )
+);
+
+# These permissions do not have ubac constraints:
+# fork
+# setexec
+# setfscreate
+# setcurrent
+# execmem
+# execstack
+# execheap
+# setkeycreate
+# setsockcreate
+
+########################################
+#
+# File descriptor rules
+#
+
+exempted_ubac_constraint(fd, ubacfd)
+
+########################################
+#
+# Socket rules
+#
+
+exempted_ubac_constraint(socket, ubacsock)
+exempted_ubac_constraint(tcp_socket, ubacsock)
+exempted_ubac_constraint(udp_socket, ubacsock)
+exempted_ubac_constraint(rawip_socket, ubacsock)
+exempted_ubac_constraint(netlink_socket, ubacsock)
+exempted_ubac_constraint(packet_socket, ubacsock)
+exempted_ubac_constraint(key_socket, ubacsock)
+exempted_ubac_constraint(unix_stream_socket, ubacsock)
+exempted_ubac_constraint(unix_dgram_socket, ubacsock)
+exempted_ubac_constraint(netlink_route_socket, ubacsock)
+exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
+exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
+exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
+exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
+exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
+exempted_ubac_constraint(netlink_audit_socket, ubacsock)
+exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
+exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
+exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
+exempted_ubac_constraint(appletalk_socket, ubacsock)
+exempted_ubac_constraint(dccp_socket, ubacsock)
+exempted_ubac_constraint(tun_socket, ubacsock)
+
+constrain socket_class_set { create relabelto relabelfrom }
+(
+ u1 == u2
+ or t1 == can_change_object_identity
+);
+
+########################################
+#
+# SysV IPC rules
+
+exempted_ubac_constraint(sem, ubacipc)
+exempted_ubac_constraint(msg, ubacipc)
+exempted_ubac_constraint(msgq, ubacipc)
+exempted_ubac_constraint(shm, ubacipc)
+exempted_ubac_constraint(ipc, ubacipc)
+
+########################################
+#
+# SE-X Windows rules
+#
+
+exempted_ubac_constraint(x_drawable, ubacxwin)
+exempted_ubac_constraint(x_screen, ubacxwin)
+exempted_ubac_constraint(x_gc, ubacxwin)
+exempted_ubac_constraint(x_font, ubacxwin)
+exempted_ubac_constraint(x_colormap, ubacxwin)
+exempted_ubac_constraint(x_property, ubacxwin)
+exempted_ubac_constraint(x_selection, ubacxwin)
+exempted_ubac_constraint(x_cursor, ubacxwin)
+exempted_ubac_constraint(x_client, ubacxwin)
+exempted_ubac_constraint(x_device, ubacxwin)
+exempted_ubac_constraint(x_server, ubacxwin)
+exempted_ubac_constraint(x_extension, ubacxwin)
+exempted_ubac_constraint(x_resource, ubacxwin)
+exempted_ubac_constraint(x_event, ubacxwin)
+exempted_ubac_constraint(x_synthetic_event, ubacxwin)
+exempted_ubac_constraint(x_application_data, ubacxwin)
+
+########################################
+#
+# D-BUS rules
+#
+
+exempted_ubac_constraint(dbus, ubacdbus)
+
+########################################
+#
+# Key rules
+#
+
+exempted_ubac_constraint(key, ubackey)
+
+########################################
+#
+# Database rules
+#
+
+exempted_ubac_constraint(db_database, ubacdb)
+exempted_ubac_constraint(db_table, ubacdb)
+exempted_ubac_constraint(db_procedure, ubacdb)
+exempted_ubac_constraint(db_column, ubacdb)
+exempted_ubac_constraint(db_tuple, ubacdb)
+exempted_ubac_constraint(db_blob, ubacdb)
+
+
+
+basic_ubac_constraint(association)
+basic_ubac_constraint(peer)
+
+
+# these classes have no UBAC restrictions
+#class security
+#class system
+#class capability
+#class memprotect
+#class passwd # userspace
+#class node
+#class netif
+#class packet
+#class capability2
+#class nscd # userspace
+#class context # userspace
+
+
+
+undefine(`basic_ubac_constraint')
+undefine(`basic_ubac_conditions')
+undefine(`exempted_ubac_constraint')
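Review bot: The classes appended to `access_vectors` in this same commit — `x_pointer`, `x_keyboard`, `db_schema`, `db_view`, `db_sequence` and `db_language` — receive no UBAC constraint here although their siblings (`x_device`, `db_table`, `db_column`, `db_blob`, …) do, and they are not in the `# these classes have no UBAC restrictions` list either, so with `enable_ubac` defined a user's pointer/keyboard objects and schema/view/sequence/language objects would not be separated by SELinux user identity. Unless that is intentional, the six `exempted_ubac_constraint` lines below should be added next to their sibling classes (this assumes `all_<class>_perms` sets exist for them in the perm-set support file, which is outside this diff), and `kernel_service` should be added to the no-restriction comment list so the class-coverage audit stays complete. Separately, the `# SysV IPC rules` header is missing its closing `#` line, unlike the other section headers.
```m4
# SE-X Windows rules: x_pointer/x_keyboard inherit x_device and share its exemption
exempted_ubac_constraint(x_pointer, ubacxwin)
exempted_ubac_constraint(x_keyboard, ubacxwin)

# Database rules
exempted_ubac_constraint(db_schema, ubacdb)
exempted_ubac_constraint(db_view, ubacdb)
exempted_ubac_constraint(db_sequence, ubacdb)
exempted_ubac_constraint(db_language, ubacdb)
```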
diff --git a/policy/flask/Makefile b/policy/flask/Makefile
new file mode 100644
index 00000000..17dc1747
--- /dev/null
+++ b/policy/flask/Makefile
@@ -0,0 +1,51 @@
+PYTHON ?= python
+
+# flask needs to know where to export the libselinux headers.
+LIBSELINUX_D ?= ../../libselinux
+
+# flask needs to know where to export the kernel headers.
+LINUX_D ?= ../../../linux-2.6
+
+ACCESS_VECTORS_F = access_vectors
+INITIAL_SIDS_F = initial_sids
+SECURITY_CLASSES_F = security_classes
+
+USER_D = userspace
+KERN_D = kernel
+
+LIBSELINUX_INCLUDE_H = flask.h av_permissions.h
+LIBSELINUX_SOURCE_H = class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h
+
+FLASK_H = class_to_string.h flask.h initial_sid_to_string.h
+ACCESS_VECTORS_H = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+ALL_H = $(FLASK_H) $(ACCESS_VECTORS_H)
+
+USER_H = $(addprefix $(USER_D)/, $(ALL_H))
+KERN_H = $(addprefix $(KERN_D)/, $(ALL_H))
+
+FLASK_NOWARNINGS = --nowarnings
+
+all: $(USER_H) $(KERN_H)
+
+$(USER_H): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F)
+ mkdir -p $(USER_D)
+ $(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(USER_D) -u $(FLASK_NOWARNINGS)
+
+$(KERN_H): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F)
+ mkdir -p $(KERN_D)
+ $(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(KERN_D) -k $(FLASK_NOWARNINGS)
+
+tolib: all
+ install -m 644 $(addprefix $(USER_D)/, $(LIBSELINUX_INCLUDE_H)) $(LIBSELINUX_D)/include/selinux
+ install -m 644 $(addprefix $(USER_D)/, $(LIBSELINUX_SOURCE_H)) $(LIBSELINUX_D)/src
+
+tokern: all
+ install -m 644 $(KERN_H) $(LINUX_D)/security/selinux/include
+
+install: all
+
+relabel:
+
+clean:
+ rm -fr userspace
+ rm -fr kernel
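Review bot: `$(USER_H): flask.py ...` and `$(KERN_H): flask.py ...` each name seven header files against one recipe, which GNU make treats as seven independent rules sharing a recipe; on a fresh tree `make -j` can therefore run `flask.py` up to seven times concurrently into the same output directory, each run rewriting the headers the others are producing. A stamp file per output directory (below) makes the generator run exactly once and lets the header names depend on it; the `$(KERN_H)` rule gets the same treatment with `$(KERN_D)` and `-k`. `all`, `tolib`, `tokern`, `install`, `relabel` and `clean` are commands rather than files and need `.PHONY: all tolib tokern install relabel clean`, and `clean` should remove `$(USER_D)` and `$(KERN_D)` instead of the literal names so the two cannot drift apart.
```make
.PHONY: all tolib tokern install relabel clean

USER_STAMP = $(USER_D)/.generated
KERN_STAMP = $(KERN_D)/.generated

all: $(USER_H) $(KERN_H)

# One generator run per output directory; the headers are up to date whenever
# the stamp is, so the recipe cannot be started twice under -j.
$(USER_STAMP): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F)
	mkdir -p $(USER_D)
	$(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(USER_D) -u $(FLASK_NOWARNINGS)
	touch $@

$(USER_H): $(USER_STAMP) ;

# … unchanged: $(KERN_STAMP) rule mirrors the above with $(KERN_D) and -k; tolib/tokern/install/relabel …

clean:
	rm -fr $(USER_D) $(KERN_D)
```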
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
new file mode 100644
index 00000000..bf241600
--- /dev/null
+++ b/policy/flask/access_vectors
@@ -0,0 +1,864 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+ create
+ drop
+ getattr
+ setattr
+ relabelfrom
+ relabelto
+}
+
+#
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+ getattr
+ setattr
+ use
+ read
+ write
+ getfocus
+ setfocus
+ bell
+ force_cursor
+ freeze
+ grab
+ manage
+ list_property
+ get_property
+ set_property
+ add
+ remove
+ create
+ destroy
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+ open
+ audit_access
+ execmod
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class lnk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class blk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class sock_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fifo_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+ dccp_recv
+ dccp_send
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ dccp_recv
+ dccp_send
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the capability2 class.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+class capability2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+}
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+ passwd # change another user passwd
+ chfn # change another user finger info
+ chsh # change another user shell
+ rootok # pam_rootok check (skip auth)
+ crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class x_drawable
+{
+ create
+ destroy
+ read
+ write
+ blend
+ getattr
+ setattr
+ list_child
+ add_child
+ remove_child
+ list_property
+ get_property
+ set_property
+ manage
+ override
+ show
+ hide
+ send
+ receive
+}
+
+class x_screen
+{
+ getattr
+ setattr
+ hide_cursor
+ show_cursor
+ saver_getattr
+ saver_setattr
+ saver_hide
+ saver_show
+}
+
+class x_gc
+{
+ create
+ destroy
+ getattr
+ setattr
+ use
+}
+
+class x_font
+{
+ create
+ destroy
+ getattr
+ add_glyph
+ remove_glyph
+ use
+}
+
+class x_colormap
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ add_color
+ remove_color
+ install
+ uninstall
+ use
+}
+
+class x_property
+{
+ create
+ destroy
+ read
+ write
+ append
+ getattr
+ setattr
+}
+
+class x_selection
+{
+ read
+ write
+ getattr
+ setattr
+}
+
+class x_cursor
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ setattr
+ use
+}
+
+class x_client
+{
+ destroy
+ getattr
+ setattr
+ manage
+}
+
+class x_device
+inherits x_device
+
+class x_server
+{
+ getattr
+ setattr
+ record
+ debug
+ grab
+ manage
+}
+
+class x_extension
+{
+ query
+ use
+}
+
+class x_resource
+{
+ read
+ write
+}
+
+class x_event
+{
+ send
+ receive
+}
+
+class x_synthetic_event
+{
+ send
+ receive
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+ acquire_svc
+ send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+ getpwd
+ getgrp
+ gethost
+ getstat
+ admin
+ shmempwd
+ shmemgrp
+ shmemhost
+ getserv
+ shmemserv
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ flow_in # deprecated
+ flow_out # deprecated
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class context
+{
+ translate
+ contains
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+class db_database
+inherits database
+{
+ access
+ install_module
+ load_module
+ get_param # deprecated
+ set_param # deprecated
+}
+
+class db_table
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+ delete
+ lock
+}
+
+class db_procedure
+inherits database
+{
+ execute
+ entrypoint
+ install
+}
+
+class db_column
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+}
+
+class db_tuple
+{
+ relabelfrom
+ relabelto
+ use # deprecated
+ select
+ update
+ insert
+ delete
+}
+
+class db_blob
+inherits database
+{
+ read
+ write
+ import
+ export
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class x_application_data
+{
+ paste
+ paste_after_confirm
+ copy
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
+
+class db_schema
+inherits database
+{
+ search
+ add_name
+ remove_name
+}
+
+class db_view
+inherits database
+{
+ expand
+}
+
+class db_sequence
+inherits database
+{
+ get_value
+ next_value
+ set_value
+}
+
+class db_language
+inherits database
+{
+ implement
+ execute
+}
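Review bot: Nothing at the top of this file warns a maintainer that the position of each class and permission is what the generated `flask.h`/`av_permissions.h` (the headers `tokern` installs into the kernel tree) turn into numeric identifiers, so a class or permission inserted in the middle would renumber everything after it; the file already follows that convention silently — `x_pointer`, `x_keyboard` and the `db_*` classes are appended at the very end, and `use # deprecated` / `flow_in # deprecated` are kept in place rather than deleted — but only the `capability` class says so locally with `(Order matters)`. A header comment such as `# Order matters: class and permission values are assigned by position in the generated headers. Append new classes and permissions at the end; never remove or reorder existing ones (mark them "# deprecated" instead).` would make the rule explicit for the whole file. That the headers are assigned purely by position is inferred from the `# deprecated` markers and the `capability` comment; confirm against `flask.py` before wording it as a guarantee.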
diff --git a/policy/flask/flask.py b/policy/flask/flask.py
new file mode 100644
index 00000000..8b4be503
--- /dev/null
+++ b/policy/flask/flask.py
@@ -0,0 +1,536 @@
+#!/usr/bin/python -E
+#
+# Author(s): Caleb Case <ccase@tresys.com>
+#
+# Adapted from the bash/awk scripts mkflask.sh and mkaccess_vector.sh
+#
+
+import getopt
+import os
+import sys
+import re
+
+class ParseError(Exception):
+ def __init__(self, type, file, line):
+ self.type = type
+ self.file = file
+ self.line = line
+ def __str__(self):
+ typeS = self.type
+ if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type]
+ return "Parse Error: Unexpected %s on line %d of %s." % (typeS, self.line, self.file)
+
+class DuplicateError(Exception):
+ def __init__(self, type, file, line, symbol):
+ self.type = type
+ self.file = file
+ self.line = line
+ self.symbol = symbol
+ def __str__(self):
+ typeS = self.type
+ if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type]
+ return "Duplicate Error: Duplicate %s '%s' on line %d of %s." % (typeS, self.symbol, self.line, self.file)
+
+class UndefinedError(Exception):
+ def __init__(self, type, file, line, symbol):
+ self.type = type
+ self.file = file
+ self.line = line
+ self.symbol = symbol
+ def __str__(self):
+ typeS = self.type
+ if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type]
+ return "Undefined Error: %s '%s' is not defined but used on line %d of %s." % (typeS, self.symbol, self.line, self.file)
+
+class UnusedError(Exception):
+ def __init__(self, info):
+ self.info = info
+ def __str__(self):
+ return "Unused Error: %s" % self.info
+
+class Flask:
+ '''
+ FLASK container class with utilities for parsing definition
+ files and creating c header files.
+ '''
+
+ #Constants used in definitions parsing.
+ WHITE = re.compile(r'^\s*$')
+ COMMENT = re.compile(r'^\s*#')
+ USERFLAG = re.compile(r'# userspace')
+ CLASS = re.compile(r'^class (?P<name>\w+)')
+ COMMON = re.compile(r'^common (?P<name>\w+)')
+ INHERITS = re.compile(r'^inherits (?P<name>\w+)')
+ OPENB = re.compile(r'^{')
+ VECTOR = re.compile(r'^\s*(?P<name>\w+)')
+ CLOSEB = re.compile(r'^}')
+ SID = re.compile(r'^sid (?P<name>\w+)')
+ EOF = "end of file"
+
+ #Constants used in header generation.
+ USERSPACE = 0
+ KERNEL = 1
+
+ CONSTANT_S = { \
+ #parsing constants
+ WHITE : "whitespace", \
+ COMMENT : "comment", \
+ USERFLAG : "userspace flag", \
+ CLASS : "class definition", \
+ COMMON : "common definition", \
+ INHERITS : "inherits definition", \
+ OPENB : "'{'", \
+ VECTOR : "access vector definition", \
+ CLOSEB : "'}'", \
+ SID : "security identifier", \
+ EOF : "end of file", \
+ #generation constants
+ USERSPACE : "userspace mode", \
+ KERNEL : "kernel mode", \
+ }
+
+ def __init__(self, warn = True):
+ self.WARN = warn
+ self.autogen = "/* This file is automatically generated. Do not edit. */\n"
+ self.commons = []
+ self.user_commons = []
+ self.common = {}
+ self.classes = []
+ self.vectors = []
+ self.vector = {}
+ self.userspace = {}
+ self.sids = []
+ self.inherits = {}
+
+ def warning(self, msg):
+ '''
+ Prints a warning message out to stderr if warnings are enabled.
+ '''
+ if self.WARN: sys.stderr.write("Warning: %s\n" % msg)
+
+ def parseClasses(self, path):
+ '''
+ Parses security class definitions from the given path.
+ '''
+ classes = []
+ input = open(path, 'r')
+
+ number = 0
+ for line in input:
+ number += 1
+ m = self.COMMENT.search(line)
+ if m: continue
+
+ m = self.WHITE.search(line)
+ if m: continue
+
+ m = self.CLASS.search(line)
+ if m:
+ g = m.groupdict()
+ c = g['name']
+ if c in classes: raise DuplicateError, (self.CLASS, path, number, c)
+ classes.append(c)
+ if self.USERFLAG.search(line):
+ self.userspace[c] = True
+ else:
+ self.userspace[c] = False
+ continue
+
+ raise ParseError, ("data. Was expecting either a comment, whitespace, or class definition. ", path, number)
+
+ self.classes = classes
+ return classes
+
+ def parseSids(self, path):
+ '''
+ Parses initial SID definitions from the given path.
+ '''
+
+ sids = []
+ input = open(path, 'r')
+ for line in input:
+ m = self.COMMENT.search(line)
+ if m: continue
+
+ m = self.WHITE.search(line)
+ if m: continue
+
+ m = self.SID.search(line)
+ if m:
+ g = m.groupdict()
+ s = g['name']
+ if s in sids: raise DuplicateError, (self.SID, path, number, s)
+ sids.append(s)
+ continue
+
+ raise ParseError, ("data. Was expecting either a comment, whitespace, or security identifier. ", path, number)
+
+ self.sids = sids
+ return sids
+
+ def parseVectors(self, path):
+ '''
+ Parses access vector definitions from the given path.
+ '''
+ vectors = []
+ vector = {}
+ commons = []
+ common = {}
+ inherits = {}
+ user_commons = {}
+ input = open(path, 'r')
+
+ # states
+ NONE = 0
+ COMMON = 1
+ CLASS = 2
+ INHERIT = 3
+ OPEN = 4
+
+ state = NONE
+ state2 = NONE
+ number = 0
+ for line in input:
+ number += 1
+ m = self.COMMENT.search(line)
+ if m: continue
+
+ m = self.WHITE.search(line)
+ if m:
+ if state == INHERIT:
+ state = NONE
+ continue
+
+ m = self.COMMON.search(line)
+ if m:
+ if state != NONE: raise ParseError, (self.COMMON, path, number)
+ g = m.groupdict()
+ c = g['name']
+ if c in commons: raise DuplicateError, (self.COMMON, path, number, c)
+ commons.append(c)
+ common[c] = []
+ user_commons[c] = True
+ state = COMMON
+ continue
+
+ m = self.CLASS.search(line)
+ if m:
+ if state != NONE: raise ParseError, (self.CLASS, number)
+ g = m.groupdict()
+ c = g['name']
+ if c in vectors: raise DuplicateError, (self.CLASS, path, number, c)
+ if c not in self.classes: raise UndefinedError, (self.CLASS, path, number, c)
+ vectors.append(c)
+ vector[c] = []
+ state = CLASS
+ continue
+
+ m = self.INHERITS.search(line)
+ if m:
+ if state != CLASS: raise ParseError, (self.INHERITS, number)
+ g = m.groupdict()
+ i = g['name']
+ if c in inherits: raise DuplicateError, (self.INHERITS, path, number, c)
+ if i not in common: raise UndefinedError, (self.COMMON, path, number, i)
+ inherits[c] = i
+ state = INHERIT
+ if not self.userspace[c]: user_commons[i] = False
+ continue
+
+ m = self.OPENB.search(line)
+ if m:
+ if (state != CLASS \
+ and state != INHERIT \
+ and state != COMMON) \
+ or state2 != NONE:
+ raise ParseError, (self.OPENB, path, number)
+ state2 = OPEN
+ continue
+
+ m = self.VECTOR.search(line)
+ if m:
+ if state2 != OPEN: raise ParseError, (self.VECTOR, path, number)
+ g = m.groupdict()
+ v = g['name']
+ if state == CLASS or state == INHERIT:
+ if v in vector[c]: raise DuplicateError, (self.VECTOR, path, number, v)
+ vector[c].append(v)
+ elif state == COMMON:
+ if v in common[c]: raise DuplicateError, (self.VECTOR, path, number, v)
+ common[c].append(v)
+ continue
+
+ m = self.CLOSEB.search(line)
+ if m:
+ if state2 != OPEN: raise ParseError, (self.CLOSEB, path, number)
+ state = NONE
+ state2 = NONE
+ c = None
+ continue
+
+ raise ParseError, ("data", path, number)
+
+ if state != NONE and state2 != NONE: raise ParseError, (self.EOF, path, number)
+
+ cvdiff = set(self.classes) - set(vectors)
+ if cvdiff: raise UnusedError, "Not all security classes were used in access vectors: %s" % cvdiff # the inverse of this will be caught as an undefined class error
+
+ self.commons = commons
+ self.user_commons = user_commons
+ self.common = common
+ self.vectors = vectors
+ self.vector = vector
+ self.inherits = inherits
+ return vector
+
+ def createHeaders(self, path, mode = USERSPACE):
+ '''
+ Creates the C header files in the specified MODE and outputs
+ them to give PATH.
+ '''
+ headers = { \
+ 'av_inherit.h' : self.createAvInheritH(mode), \
+ 'av_perm_to_string.h' : self.createAvPermToStringH(mode), \
+ 'av_permissions.h' : self.createAvPermissionsH(mode), \
+ 'class_to_string.h' : self.createClassToStringH(mode), \
+ 'common_perm_to_string.h' : self.createCommonPermToStringH(mode), \
+ 'flask.h' : self.createFlaskH(mode), \
+ 'initial_sid_to_string.h' : self.createInitialSidToStringH(mode) \
+ }
+
+ for key, value in headers.items():
+ of = open(os.path.join(path, key), 'w')
+ of.writelines(value)
+ of.close()
+
+ def createUL(self, count):
+ fields = [1, 2, 4, 8]
+ return "0x%08xUL" % (fields[count % 4] << 4 * (count / 4))
+
+ def createAvInheritH(self, mode = USERSPACE):
+ '''
+ '''
+ results = []
+ results.append(self.autogen)
+ for c in self.vectors:
+ if self.inherits.has_key(c):
+ i = self.inherits[c]
+ count = len(self.common[i])
+ if not (mode == self.KERNEL and self.userspace[c]):
+ results.append(" S_(SECCLASS_%s, %s, %s)\n" % (c.upper(), i, self.createUL(count)))
+ return results
+
+ def createAvPermToStringH(self, mode = USERSPACE):
+ '''
+ '''
+ results = []
+ results.append(self.autogen)
+ for c in self.vectors:
+ for p in self.vector[c]:
+ if not (mode == self.KERNEL and self.userspace[c]):
+ results.append(" S_(SECCLASS_%s, %s__%s, \"%s\")\n" % (c.upper(), c.upper(), p.upper(), p))
+
+ return results
+
+ def createAvPermissionsH(self, mode = USERSPACE):
+ '''
+ '''
+ results = []
+ results.append(self.autogen)
+
+ width = 57
+ count = 0
+ for common in self.commons:
+ count = 0
+ shift = 0
+ for p in self.common[common]:
+ if not (mode == self.KERNEL and self.user_commons[common]):
+ columnA = "#define COMMON_%s__%s " % (common.upper(), p.upper())
+ columnA += "".join([" " for i in range(width - len(columnA))])
+ results.append("%s%s\n" % (columnA, self.createUL(count)))
+ count += 1
+
+ width = 50 # broken for old tools whitespace
+ for c in self.vectors:
+ count = 0
+
+ ps = []
+ if self.inherits.has_key(c):
+ ps += self.common[self.inherits[c]]
+ ps += self.vector[c]
+ for p in ps:
+ columnA = "#define %s__%s " % (c.upper(), p.upper())
+ columnA += "".join([" " for i in range(width - len(columnA))])
+ if not (mode == self.KERNEL and self.userspace[c]):
+ results.append("%s%s\n" % (columnA, self.createUL(count)))
+ count += 1
+
+ return results
+
+ def createClassToStringH(self, mode = USERSPACE):
+ '''
+ '''
+ results = []
+ results.append(self.autogen)
+ results.append("/*\n * Security object class definitions\n */\n")
+
+ if mode == self.KERNEL:
+ results.append(" S_(NULL)\n")
+ else:
+ results.append(" S_(\"null\")\n")
+
+ for c in self.classes:
+ if mode == self.KERNEL and self.userspace[c]:
+ results.append(" S_(NULL)\n")
+ else:
+ results.append(" S_(\"%s\")\n" % c)
+ return results
+
+ def createCommonPermToStringH(self, mode = USERSPACE):
+ '''
+ '''
+ results = []
+ results.append(self.autogen)
+ for common in self.commons:
+ if not (mode == self.KERNEL and self.user_commons[common]):
+ results.append("TB_(common_%s_perm_to_string)\n" % common)
+ for p in self.common[common]:
+ results.append(" S_(\"%s\")\n" % p)
+ results.append("TE_(common_%s_perm_to_string)\n\n" % common)
+ return results
+
+ def createFlaskH(self, mode = USERSPACE):
+ '''
+ '''
+ results = []
+ results.append(self.autogen)
+ results.append("#ifndef _SELINUX_FLASK_H_\n")
+ results.append("#define _SELINUX_FLASK_H_\n")
+ results.append("\n")
+ results.append("/*\n")
+ results.append(" * Security object class definitions\n")
+ results.append(" */\n")
+
+ count = 0
+ width = 57
+ for c in self.classes:
+ count += 1
+ columnA = "#define SECCLASS_%s " % c.upper()
+ columnA += "".join([" " for i in range(width - len(columnA))])
+ if not (mode == self.KERNEL and self.userspace[c]):
+ results.append("%s%d\n" % (columnA, count))
+
+ results.append("\n")
+ results.append("/*\n")
+ results.append(" * Security identifier indices for initial entities\n")
+ results.append(" */\n")
+
+ count = 0
+ width = 56 # broken for old tools whitespace
+ for s in self.sids:
+ count += 1
+ columnA = "#define SECINITSID_%s " % s.upper()
+ columnA += "".join([" " for i in range(width - len(columnA))])
+ results.append("%s%d\n" % (columnA, count))
+
+ results.append("\n")
+ columnA = "#define SECINITSID_NUM "
+ columnA += "".join([" " for i in range(width - len(columnA))])
+ results.append("%s%d\n" % (columnA, count))
+
+ results.append("\n")
+ results.append("#endif\n")
+ return results
+
+
+
+ def createInitialSidToStringH(self, mode = USERSPACE):
+ '''
+ '''
+ results = []
+ results.append(self.autogen)
+ results.append("static char *initial_sid_to_string[] =\n")
+ results.append("{\n")
+ results.append(" \"null\",\n")
+ for s in self.sids:
+ results.append(" \"%s\",\n" % s)
+ results.append("};\n")
+ results.append("\n")
+
+ return results
+
+def usage():
+ '''
+ Returns the usage string.
+ '''
+ usage = 'Usage: %s -a ACCESS_VECTORS -i INITIAL_SIDS -s SECURITY_CLASSES -o OUTPUT_DIRECTORY -k|-u [-w]\n' % os.path.basename(sys.argv[0])
+ usage += '\n'
+ usage += ' -a --access_vectors\taccess vector definitions\n'
+ usage += ' -i --initial_sids\tinitial sid definitions\n'
+ usage += ' -s --security_classes\tsecurity class definitions\n'
+ usage += ' -o --output\toutput directory for generated files\n'
+ usage += ' -k --kernel\toutput mode set to kernel (kernel headers contain empty blocks for all classes specified with # userspace in the security_classes file)\n'
+ usage += ' -u --user\toutput mode set to userspace\n'
+ usage += ' -w --nowarnings\tsupresses output of warning messages\n'
+ return usage
+
+########## MAIN ##########
+if __name__ == '__main__':
+
+ # Parse command line args
+ try:
+ opts, args = getopt.getopt(sys.argv[1:], 'a:i:s:o:kuwh', ['access_vectors=', 'initial_sids=', 'security_classes=', 'output=', 'kernel', 'user', 'nowarnings', 'help'])
+ except getopt.GetoptError:
+ print(usage())
+ sys.exit(2)
+
+ avec = None
+ isid = None
+ secc = None
+ outd = None
+ mode = None
+ warn = True
+ for o, a in opts:
+ if o in ('-h', '--help'):
+ print(usage())
+ sys.exit(0)
+ elif o in ('-a', '--access_vectors'):
+ avec = a
+ elif o in ('-i', '--initial_sids'):
+ isid = a
+ elif o in ('-s', '--security_classes'):
+ secc = a
+ elif o in ('-o', '--output'):
+ outd = a
+ elif o in ('-k', '--kernel'):
+ if mode != None:
+ print(usage())
+ sys.exit(2)
+ mode = Flask.KERNEL
+ elif o in ('-u', '--user'):
+ if mode != None:
+ print(usage())
+ sys.exit(2)
+ mode = Flask.USERSPACE
+ elif o in ('-w', '--nowarnings'):
+ warn = False
+ else:
+ print(usage())
+ sys.exit(2)
+
+ if avec == None or \
+ isid == None or \
+ secc == None or \
+ outd == None:
+ print(usage())
+ sys.exit(2)
+
+ try:
+ f = Flask(warn)
+ f.parseSids(isid)
+ f.parseClasses(secc)
+ f.parseVectors(avec)
+ f.createHeaders(outd, mode)
+ except Exception, e:
+ print(e)
+ sys.exit(2)
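Review bot: Two `raise ParseError` calls in parseVectors pass only two arguments, `raise ParseError, (self.CLASS, number)` in the CLASS branch and `raise ParseError, (self.INHERITS, number)` in the INHERITS branch, while ParseError.__init__ takes (type, file, line); a misplaced class or inherits line therefore surfaces as a TypeError instead of the intended message, and they should read `raise ParseError, (self.CLASS, path, number)` and `raise ParseError, (self.INHERITS, path, number)`. parseSids has a related slip: it never initialises or increments `number`, so its DuplicateError and ParseError raises end in a NameError — add `number = 0` before the loop and `number += 1` as its first statement, mirroring parseClasses. The top-level handler catches Exception and exits 2, so the build still fails on a malformed definition file, only with a misleading diagnostic. Separately, createUL formats `fields[count % 4] << 4 * (count / 4)` as a `0x%08xUL` literal with no bound on count, so a class whose own plus inherited permissions exceed 32 would emit a value wider than the 32-bit width that format implies without any error; a guard such as `if count >= 32: raise UnusedError("too many permissions for a 32-bit access vector")` in createUL (or at least a self.warning) seems worth adding.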
diff --git a/policy/flask/initial_sids b/policy/flask/initial_sids
new file mode 100644
index 00000000..95894eb4
--- /dev/null
+++ b/policy/flask/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
new file mode 100644
index 00000000..14a47991
--- /dev/null
+++ b/policy/flask/security_classes
@@ -0,0 +1,134 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+#
+# userspace object manager classes
+#
+
+# passwd/chfn/chsh
+class passwd # userspace
+
+# SE-X Windows stuff (more classes below)
+class x_drawable # userspace
+class x_screen # userspace
+class x_gc # userspace
+class x_font # userspace
+class x_colormap # userspace
+class x_property # userspace
+class x_selection # userspace
+class x_cursor # userspace
+class x_client # userspace
+class x_device # userspace
+class x_server # userspace
+class x_extension # userspace
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_firewall_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_ip6fw_socket
+class netlink_dnrt_socket
+
+class dbus # userspace
+class nscd # userspace
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class context # userspace
+
+class dccp_socket
+
+class memprotect
+
+class db_database # userspace
+class db_table # userspace
+class db_procedure # userspace
+class db_column # userspace
+class db_tuple # userspace
+class db_blob # userspace
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# More SE-X Windows stuff
+class x_resource # userspace
+class x_event # userspace
+class x_synthetic_event # userspace
+class x_application_data # userspace
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+# Still More SE-X Windows stuff
+class x_pointer # userspace
+class x_keyboard # userspace
+
+# More Database stuff
+class db_schema # userspace
+class db_view # userspace
+class db_sequence # userspace
+class db_language # userspace
+
+# FLASK
diff --git a/policy/global_booleans b/policy/global_booleans
new file mode 100644
index 00000000..66e85ea5
--- /dev/null
+++ b/policy/global_booleans
@@ -0,0 +1,14 @@
+#
+# This file is for the declaration of global booleans.
+# To change the default value at build time, the booleans.conf
+# file should be used.
+#
+
+## <desc>
+## <p>
+## Enabling secure mode disallows programs, such as
+## newrole, from transitioning to administrative
+## user domains.
+## </p>
+## </desc>
+gen_bool(secure_mode,false)
diff --git a/policy/global_tunables b/policy/global_tunables
new file mode 100644
index 00000000..4705ab61
--- /dev/null
+++ b/policy/global_tunables
@@ -0,0 +1,113 @@
+#
+# This file is for the declaration of global tunables.
+# To change the default value at build time, the booleans.conf
+# file should be used.
+#
+
+## <desc>
+## <p>
+## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+## </p>
+## </desc>
+gen_tunable(allow_execheap,false)
+
+## <desc>
+## <p>
+## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+## </p>
+## </desc>
+gen_tunable(allow_execmem,false)
+
+## <desc>
+## <p>
+## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+## </p>
+## </desc>
+gen_tunable(allow_execmod,false)
+
+## <desc>
+## <p>
+## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+## </p>
+## </desc>
+gen_tunable(allow_execstack,false)
+
+## <desc>
+## <p>
+## Enable polyinstantiated directory support.
+## </p>
+## </desc>
+gen_tunable(allow_polyinstantiation,false)
+
+## <desc>
+## <p>
+## Allow system to run with NIS
+## </p>
+## </desc>
+gen_tunable(allow_ypbind,false)
+
+## <desc>
+## <p>
+## Allow logging in and using the system from /dev/console.
+## </p>
+## </desc>
+gen_tunable(console_login,true)
+
+## <desc>
+## <p>
+## Enable reading of urandom for all domains.
+## </p>
+## <p>
+## This should be enabled when all programs
+## are compiled with ProPolice/SSP
+## stack smashing protection. All domains will
+## be allowed to read from /dev/urandom.
+## </p>
+## </desc>
+gen_tunable(global_ssp,false)
+
+## <desc>
+## <p>
+## Allow email client to various content.
+## nfs, samba, removable devices, and user temp
+## files
+## </p>
+## </desc>
+gen_tunable(mail_read_content,false)
+
+## <desc>
+## <p>
+## Allow any files/directories to be exported read/write via NFS.
+## </p>
+## </desc>
+gen_tunable(nfs_export_all_rw,false)
+
+## <desc>
+## <p>
+## Allow any files/directories to be exported read/only via NFS.
+## </p>
+## </desc>
+gen_tunable(nfs_export_all_ro,false)
+
+## <desc>
+## <p>
+## Support NFS home directories
+## </p>
+## </desc>
+gen_tunable(use_nfs_home_dirs,false)
+
+## <desc>
+## <p>
+## Support SAMBA home directories
+## </p>
+## </desc>
+gen_tunable(use_samba_home_dirs,false)
+
+## <desc>
+## <p>
+## Allow users to run TCP servers (bind to ports and accept connection from
+## the same domain and outside users) disabling this forces FTP passive mode
+## and may change other protocols.
+## </p>
+## </desc>
+gen_tunable(user_tcp_server,false)
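Review bot: Three `<desc>` paragraphs end with a stray `")` that is not part of the sentence — the allow_execmem, allow_execmod and allow_execstack descriptions; these `##` blocks are presumably what the tunable documentation is extracted from, so the trailing characters would appear verbatim there and should be removed. The mail_read_content description also reads `Allow email client to various content.` and is missing its verb, e.g. `Allow email client to read various content.`.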
diff --git a/policy/mcs b/policy/mcs
new file mode 100644
index 00000000..df8e0fa6
--- /dev/null
+++ b/policy/mcs
@@ -0,0 +1,147 @@
+ifdef(`enable_mcs',`
+#
+# Define sensitivities
+#
+# MCS is single-sensitivity.
+
+gen_sens(1)
+
+#
+# Define the categories
+#
+# Generate declarations
+
+gen_cats(mcs_num_cats)
+
+#
+# Each MCS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+
+gen_levels(1,mcs_num_cats)
+
+#
+# Define the MCS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+# | not expression
+# | expression and expression
+# | expression or expression
+# | u1 op u2
+# | r1 role_mls_op r2
+# | t1 op t2
+# | l1 role_mls_op l2
+# | l1 role_mls_op h2
+# | h1 role_mls_op l2
+# | h1 role_mls_op h2
+# | l1 role_mls_op h1
+# | l2 role_mls_op h2
+# | u1 op names
+# | u2 op names
+# | r1 op names
+# | r2 op names
+# | t1 op names
+# | t2 op names
+# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MCS policy for the file classes
+#
+# Constrain file access so that the high range of the process dominates
+# the high range of the file. We use the high range of the process so
+# that processes can always simply run at s0.
+#
+# Note:
+# - getattr on dirs/files is not constrained.
+# - /proc/pid operations are not constrained.
+
+mlsconstrain file { read ioctl lock execute execute_no_trans }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+
+mlsconstrain file { write setattr append unlink link rename }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+
+mlsconstrain dir { search read ioctl lock }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+
+mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+
+# New filesystem object labels must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
+mlsconstrain file { create relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+
+# new file labels must be dominated by the relabeling subject clearance
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+ ( h1 dom h2 );
+
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+
+mlsconstrain process { transition dyntransition }
+ (( h1 dom h2 ) or ( t1 == mcssetcats ));
+
+mlsconstrain process { ptrace }
+ (( h1 dom h2) or ( t1 == mcsptraceall ));
+
+mlsconstrain process { sigkill sigstop }
+ (( h1 dom h2 ) or ( t1 == mcskillall ));
+
+#
+# MCS policy for SELinux-enabled databases
+#
+
+# Any database object must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+
+mlsconstrain { db_tuple } { insert relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+
+# Access control for any database objects based on MCS rules.
+mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
+ ( h1 dom h2 );
+
+mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+ ( h1 dom h2 );
+
+mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
+ ( h1 dom h2 );
+
+mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
+ ( h1 dom h2 );
+
+mlsconstrain db_tuple { relabelfrom select update delete use }
+ ( h1 dom h2 );
+
+mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }
+ ( h1 dom h2 );
+
+mlsconstrain db_view { drop getattr setattr relabelfrom expand }
+ ( h1 dom h2 );
+
+mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
+ ( h1 dom h2 );
+
+mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+ ( h1 dom h2 );
+
+mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
+ ( h1 dom h2 );
+
+') dnl end enable_mcs
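Review bot: The rule `mlsconstrain db_language { drop getattr setattr relabelfrom execute } ( h1 dom h2 );` appears twice in this hunk, once before the db_table rule and again after the db_procedure rule; the second copy adds nothing and should be dropped. Likewise the file-only `mlsconstrain file { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 ));` under the "New filesystem object labels" comment is fully covered by the class-set rule for `{ dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }` that follows, so one of the two can go. As far as I can tell neither duplicate changes the enforced policy, since every constraint on a class/permission pair must hold, but the redundancy invites later edits that update one copy and not the other.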
diff --git a/policy/mls b/policy/mls
new file mode 100644
index 00000000..0e8474b9
--- /dev/null
+++ b/policy/mls
@@ -0,0 +1,882 @@
+ifdef(`enable_mls',`
+#
+# Define sensitivities
+#
+# Domination of sensitivities is in increasin
+# numerical order, with s0 being the lowest
+
+gen_sens(mls_num_sens)
+
+#
+# Define the categories
+#
+# Generate declarations
+
+gen_cats(mls_num_cats)
+
+#
+# Each MLS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+# Generate levels from all sensitivities
+# with all categories
+
+gen_levels(mls_num_sens,mls_num_cats)
+
+#
+# Define the MLS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+# | not expression
+# | expression and expression
+# | expression or expression
+# | u1 op u2
+# | r1 role_mls_op r2
+# | t1 op t2
+# | l1 role_mls_op l2
+# | l1 role_mls_op h2
+# | h1 role_mls_op l2
+# | h1 role_mls_op h2
+# | l1 role_mls_op h1
+# | l2 role_mls_op h2
+# | u1 op names
+# | u2 op names
+# | r1 op names
+# | r2 op names
+# | t1 op names
+# | t2 op names
+# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MLS policy for the file classes
+#
+
+# make sure these file classes are "single level"
+mlsconstrain { file lnk_file fifo_file } { create relabelto }
+ ( l2 eq h2 );
+
+# new file labels must be dominated by the relabeling subjects clearance
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
+ ( h1 dom h2 );
+
+# the file "read" ops (note the check is dominance of the low level)
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
+ (( l1 dom l2 ) or
+ (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsfileread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain dir search
+ (( l1 dom l2 ) or
+ (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsfileread ) or
+ ( t2 == mlstrustedobject ));
+
+# the "single level" file "write" ops
+mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
+ (( l1 eq l2 ) or
+ (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsfilewrite ) or
+ ( t2 == mlstrustedobject ));
+
+# Directory "write" ops
+mlsconstrain dir { add_name remove_name reparent rmdir }
+ (( l1 eq l2 ) or
+ (( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsfilewrite ) or
+ ( t2 == mlstrustedobject ));
+
+# these access vectors have no MLS restrictions
+# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
+#
+# { file chr_file } { execute_no_trans entrypoint execmod }
+
+# the file upgrade/downgrade rule
+mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
+ ((( l1 eq l2 ) or
+ (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
+ (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
+ (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
+ (( h1 eq h2 ) or
+ (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
+ (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
+ (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
+
+# create can also require the upgrade/downgrade checks if the creating process
+# has used setfscreate (note that both the high and low level of the object
+# default to the process sensitivity level)
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
+ ((( l1 eq l2 ) or
+ (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
+ (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
+ (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
+ (( l1 eq h2 ) or
+ (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
+ (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
+ (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
+
+
+
+
+#
+# MLS policy for the filesystem class
+#
+
+# new filesystem labels must be dominated by the relabeling subjects clearance
+mlsconstrain filesystem relabelto
+ ( h1 dom h2 );
+
+# the filesystem "read" ops (implicit single level)
+mlsconstrain filesystem { getattr quotaget }
+ (( l1 dom l2 ) or
+ (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsfileread ));
+
+# all the filesystem "write" ops (implicit single level)
+mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
+ (( l1 eq l2 ) or
+ (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsfilewrite ));
+
+# these access vectors have no MLS restrictions
+# filesystem { transition associate }
+
+
+
+
+#
+# MLS policy for the socket classes
+#
+
+# new socket labels must be dominated by the relabeling subjects clearance
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
+ ( h1 dom h2 );
+
+# the socket "read+write" ops
+# (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
+# require equal levels for unprivileged subjects, or read *and* write overrides)
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
+ (( l1 eq l2 ) or
+ (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread )) and
+ ((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsnetwrite ))));
+
+
+# the socket "read" ops (note the check is dominance of the low level)
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
+ (( l1 dom l2 ) or
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ));
+
+mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
+ (( l1 dom l2 ) or
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ));
+
+# the socket "write" ops
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsnetwrite ));
+
+# used by netlabel to restrict normal domains to same level connections
+mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ));
+
+# UNIX domain socket ops
+mlsconstrain unix_stream_socket connectto
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsnetwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain unix_dgram_socket sendto
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsnetwrite ) or
+ ( t2 == mlstrustedobject ));
+
+# these access vectors have no MLS restrictions
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
+#
+# { tcp_socket udp_socket rawip_socket } node_bind
+#
+# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
+#
+# tcp_socket name_connect
+#
+# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
+#
+# netlink_audit_socket { nlmsg_relay nlmsg_readpriv }
+#
+# netlink_kobject_uevent_socket *
+#
+
+
+
+
+#
+# MLS policy for the ipc classes
+#
+
+# the ipc "read" ops (implicit single level)
+mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
+ (( l1 dom l2 ) or
+ (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsipcread ));
+
+mlsconstrain msg receive
+ (( l1 dom l2 ) or
+ (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsipcread ));
+
+# the ipc "write" ops (implicit single level)
+mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
+ (( l1 eq l2 ) or
+ (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsipcwrite ));
+
+mlsconstrain msgq enqueue
+ (( l1 eq l2 ) or
+ (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsipcwrite ));
+
+mlsconstrain shm lock
+ (( l1 eq l2 ) or
+ (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsipcwrite ));
+
+mlsconstrain msg send
+ (( l1 eq l2 ) or
+ (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsipcwrite ));
+
+# these access vectors have no MLS restrictions
+# { ipc sem msgq shm } associate
+
+
+
+
+#
+# MLS policy for the fd class
+#
+
+# No sharing of open file descriptors between levels unless
+# the process type is authorized to use fds created by
+# other levels (mlsfduse) or the fd type is authorized to
+# shared among levels (mlsfdshare).
+mlsconstrain fd use (
+ l1 eq l2
+ or t1 == mlsfduse
+ or t2 == mlsfdshare
+);
+
+#
+# MLS policy for the network object classes
+#
+
+# the netif/node "read" ops (implicit single level socket doing the read)
+# (note the check is dominance of the low level)
+mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
+ (( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
+
+# the netif/node "write" ops (implicit single level socket doing the write)
+mlsconstrain { netif node } { tcp_send udp_send rawip_send }
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )));
+
+# these access vectors have no MLS restrictions
+# node enforce_dest
+
+
+
+
+#
+# MLS policy for the network ingress/egress controls
+#
+
+# the netif ingress/egress ops, the ingress permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network interface which is acting as the object
+mlsconstrain { netif } { ingress }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mlsnetinbound ) or
+ ( t1 == unlabeled_t ));
+mlsconstrain { netif } { egress }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mlsnetoutbound ));
+
+# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
+mlsconstrain { node } { recvfrom }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mlsnetinbound ) or
+ ( t1 == unlabeled_t ));
+mlsconstrain { node } { sendto }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mlsnetoutbound ));
+
+# the forward ops, the forward_in permission is a "write" operation because the
+# subject in this particular case is the remote domain which is writing data
+# to the network with a secmark label, the object in this case
+mlsconstrain { packet } { forward_in }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mlsnetinbound ) or
+ ( t1 == unlabeled_t ));
+mlsconstrain { packet } { forward_out }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mlsnetoutbound ) or
+ ( t1 == unlabeled_t ));
+
+#
+# MLS policy for the secmark and peer controls
+#
+
+# the peer/packet recv op
+mlsconstrain { peer packet } { recv }
+ (( l1 dom l2 ) or
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ));
+
+
+
+
+#
+# MLS policy for the process class
+#
+
+# new process labels must be dominated by the relabeling subjects clearance
+# and sensitivity level changes require privilege
+mlsconstrain process transition
+ (( h1 dom h2 ) and
+ (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
+ (( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
+mlsconstrain process dyntransition
+ (( h1 dom h2 ) and
+ (( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
+
+# all the process "read" ops
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+ (( l1 dom l2 ) or
+ (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsprocread ));
+
+# all the process "write" ops (note the check is equality on the low level)
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
+ (( l1 eq l2 ) or
+ (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsprocwrite ));
+
+# these access vectors have no MLS restrictions
+# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem execstack execheap }
+
+
+
+
+#
+# MLS policy for the security class
+#
+
+# these access vectors have no MLS restrictions
+# security *
+
+
+
+
+#
+# MLS policy for the system class
+#
+
+# these access vectors have no MLS restrictions
+# system *
+
+
+
+
+#
+# MLS policy for the capability class
+#
+
+# these access vectors have no MLS restrictions
+# capability *
+
+
+
+
+#
+# MLS policy for the passwd class
+#
+
+# these access vectors have no MLS restrictions
+# passwd *
+
+
+
+
+#
+# MLS policy for the x_drawable class
+#
+
+# the x_drawable "read" ops (implicit single level)
+mlsconstrain x_drawable { read blend getattr list_child list_property get_property receive }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinread ));
+
+# the x_drawable "write" ops (implicit single level)
+mlsconstrain x_drawable { create destroy write setattr add_child remove_child send manage }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwrite ));
+
+# No MLS restrictions: x_drawable { show hide override }
+
+
+#
+# MLS policy for the x_gc class
+#
+
+# the x_gc "read" ops (implicit single level)
+mlsconstrain x_gc { getattr use }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinread ));
+
+# the x_gc "write" ops (implicit single level)
+mlsconstrain x_gc { create destroy setattr }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the x_font class
+#
+
+# the x_font "read" ops (implicit single level)
+mlsconstrain x_font { use }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinread ));
+
+# the x_font "write" ops (implicit single level)
+mlsconstrain x_font { create destroy add_glyph remove_glyph }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwrite ));
+
+# these access vectors have no MLS restrictions
+# font use
+
+
+#
+# MLS policy for the x_colormap class
+#
+
+# the x_colormap "read" ops (implicit single level)
+mlsconstrain x_colormap { read getattr use }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinreadcolormap ) or
+ ( t1 == mlsxwinread ));
+
+# the x_colormap "write" ops (implicit single level)
+mlsconstrain x_colormap { create destroy write add_color remove_color install uninstall }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwritecolormap ) or
+ ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the x_property class
+#
+
+# the x_property "read" ops (implicit single level)
+mlsconstrain x_property { read getattr }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinreadproperty ) or
+ ( t1 == mlsxwinread ));
+
+# the x_property "write" ops (implicit single level)
+mlsconstrain x_property { create destroy write append setattr }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwriteproperty ) or
+ ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the x_selection class
+#
+
+# the x_selection "read" ops (implicit single level)
+mlsconstrain x_selection { read getattr }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinreadselection ) or
+ ( t1 == mlsxwinread ));
+
+# the x_selection "write" ops (implicit single level)
+mlsconstrain x_selection { write setattr }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwriteselection ) or
+ ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the x_cursor class
+#
+
+# the x_cursor "read" ops (implicit single level)
+mlsconstrain x_cursor { read getattr use }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinread ));
+
+# the x_cursor "write" ops (implicit single level)
+mlsconstrain x_cursor { create destroy write setattr }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the x_client class
+#
+
+# the x_client "read" ops (implicit single level)
+mlsconstrain x_client { getattr }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinread ));
+
+# the x_client "write" ops (implicit single level)
+mlsconstrain x_client { destroy setattr manage }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the x_device class
+#
+
+# the x_device "read" ops (implicit single level)
+mlsconstrain x_device { getattr use read getfocus grab }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinread ));
+
+# the x_device "write" ops (implicit single level)
+mlsconstrain x_device { setattr write setfocus bell force_cursor freeze manage }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwritexinput ) or
+ ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the x_server class
+#
+
+# these access vectors have no MLS restrictions
+# x_server *
+
+
+#
+# MLS policy for the x_extension class
+#
+
+# these access vectors have no MLS restrictions
+# x_extension { query use }
+
+
+#
+# MLS policy for the x_resource class
+#
+
+# the x_resource "read" ops (implicit single level)
+mlsconstrain x_resource { read }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinread ));
+
+# the x_resource "write" ops (implicit single level)
+mlsconstrain x_resource { write }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwritexinput ) or
+ ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the x_event class
+#
+
+# the x_event "read" ops (implicit single level)
+mlsconstrain x_event { receive }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinread ));
+
+# the x_event "write" ops (implicit single level)
+mlsconstrain x_event { send }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwritexinput ) or
+ ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the x_application_data class
+#
+
+# the x_application_data "paste" ops
+mlsconstrain x_application_data { paste }
+ ( l1 domby l2 );
+
+# the x_application_data "paste_after_confirm" ops
+mlsconstrain x_application_data { paste_after_confirm }
+ ( l1 dom l2 );
+
+
+
+#
+# MLS policy for the dbus class
+#
+
+mlsconstrain dbus { send_msg }
+ (( l1 eq l2 ) or
+ ( t1 == mlsdbussend ) or
+ ( t2 == mlsdbusrecv ));
+
+# these access vectors have no MLS restrictions
+# dbus { acquire_svc }
+
+
+
+
+#
+# MLS policy for the nscd class
+#
+
+# these access vectors have no MLS restrictions
+# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
+
+
+
+
+#
+# MLS policy for the association class
+#
+
+mlsconstrain association { recvfrom }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ) or
+ ( t2 == unlabeled_t ));
+
+mlsconstrain association { sendto }
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t2 == unlabeled_t ));
+
+mlsconstrain association { polmatch }
+ (( l1 dom l2 ) and ( h1 domby h2 ));
+
+
+
+#
+# MLS policy for the context class
+#
+
+mlsconstrain context translate
+ (( h1 dom h2 ) or ( t1 == mlstranslate ));
+
+mlsconstrain context contains
+ (( h1 dom h2 ) and ( l1 domby l2));
+
+#
+# MLS policy for database classes
+#
+
+# make sure these database classes are "single level"
+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
+ ( l2 eq h2 );
+mlsconstrain { db_tuple } { insert relabelto }
+ ( l2 eq h2 );
+
+# new database labels must be dominated by the relabeling subjects clearance
+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto }
+ ( h1 dom h2 );
+
+# the database "read" ops (note the check is dominance of the low level)
+mlsconstrain { db_database } { getattr access get_param }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_schema } { getattr search }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_table } { getattr use select lock }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_column } { getattr use select }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_sequence } { getattr get_value next_value }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_view } { getattr expand }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_procedure } { getattr execute install }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_language } { getattr execute }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_blob } { getattr read export }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_tuple } { use select }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+# the "single level" file "write" ops
+mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_schema } { create drop setattr relabelfrom add_name remove_name }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_column } { create drop setattr relabelfrom update insert }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_sequence } { create drop setattr relabelfrom set_value }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_view } { create drop setattr relabelfrom }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_procedure } { create drop setattr relabelfrom }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_language } { create drop setattr relabelfrom }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_blob } { create drop setattr relabelfrom write import }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_tuple } { relabelfrom update insert delete }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+# the database upgrade/downgrade rule
+mlsvalidatetrans { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob }
+ ((( l1 eq l2 ) or
+ (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or
+ (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or
+ (( t3 == mlsdbdowngrade ) and ( l1 incomp l2 ))) and
+ (( l1 eq h2 ) or
+ (( t3 == mlsdbupgrade ) and ( h1 domby h2 )) or
+ (( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or
+ (( t3 == mlsdbdowngrade ) and ( h1 incomp h2 ))));
+
+') dnl end enable_mls
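Review bot: The high-level clause of the database mlsvalidatetrans compares the old context's low level with the new context's high level (`(( l1 eq h2 ) or`), whereas the file upgrade/downgrade rule earlier in this file uses `(( h1 eq h2 ) or` in the same position; in a validatetrans the 1-side is the old label, so this looks like a copy of the `create` variant rather than of the file validatetrans. Because create/relabelto on the db classes enforce `( l2 eq h2 )`, existing objects are single-level and the difference is probably benign in practice, but if it is not deliberate the line should read `(( h1 eq h2 ) or` for consistency. Separately, the comment `# the "single level" file "write" ops` above the db_database write constraint is copied from the file section and should say `# the database "write" ops (implicit single level)`, and the sensitivity header has the typo `increasin` for `increasing`.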
diff --git a/policy/modules.conf b/policy/modules.conf
new file mode 100644
index 00000000..e65acc92
--- /dev/null
+++ b/policy/modules.conf
@@ -0,0 +1,2521 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module. "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+#
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+# Required in base
+#
+# User-based access control policy
+#
+ubac = base
+
+# Layer: admin
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+#
+consoletype = module
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = module
+
+# Layer: apps
+# Module: seunshare
+#
+# Filesystem namespacing/polyinstantiation application.
+#
+seunshare = module
+
+# Layer: contrib
+# Module: abrt
+#
+# ABRT - automated bug-reporting tool
+#
+abrt = module
+
+# Layer: contrib
+# Module: accountsd
+#
+# AccountsService and daemon for manipulating user account information via D-Bus
+#
+accountsd = module
+
+# Layer: contrib
+# Module: acct
+#
+# Berkeley process accounting
+#
+acct = module
+
+# Layer: contrib
+# Module: ada
+#
+# GNAT Ada95 compiler
+#
+ada = module
+
+# Layer: contrib
+# Module: afs
+#
+# Andrew Filesystem server
+#
+afs = module
+
+# Layer: contrib
+# Module: aiccu
+#
+# Automatic IPv6 Connectivity Client Utility.
+#
+aiccu = module
+
+# Layer: contrib
+# Module: aide
+#
+# Aide filesystem integrity checker
+#
+aide = module
+
+# Layer: contrib
+# Module: aisexec
+#
+# Aisexec Cluster Engine
+#
+aisexec = module
+
+# Layer: contrib
+# Module: alsa
+#
+# Ainit ALSA configuration tool.
+#
+alsa = module
+
+# Layer: contrib
+# Module: amanda
+#
+# Advanced Maryland Automatic Network Disk Archiver.
+#
+amanda = module
+
+# Layer: contrib
+# Module: amavis
+#
+# Daemon that interfaces mail transfer agents and content
+# checkers, such as virus scanners.
+#
+amavis = module
+
+# Layer: contrib
+# Module: amtu
+#
+# Abstract Machine Test Utility.
+#
+amtu = module
+
+# Layer: contrib
+# Module: anaconda
+#
+# Anaconda installer.
+#
+anaconda = module
+
+# Layer: contrib
+# Module: apache
+#
+# Apache web server
+#
+apache = module
+
+# Layer: contrib
+# Module: apcupsd
+#
+# APC UPS monitoring daemon
+#
+apcupsd = module
+
+# Layer: contrib
+# Module: apm
+#
+# Advanced power management daemon
+#
+apm = module
+
+# Layer: contrib
+# Module: apt
+#
+# APT advanced package tool.
+#
+apt = module
+
+# Layer: contrib
+# Module: arpwatch
+#
+# Ethernet activity monitor.
+#
+arpwatch = module
+
+# Layer: contrib
+# Module: asterisk
+#
+# Asterisk IP telephony server
+#
+asterisk = module
+
+# Layer: contrib
+# Module: authbind
+#
+# Tool for non-root processes to bind to reserved ports
+#
+authbind = module
+
+# Layer: contrib
+# Module: automount
+#
+# Filesystem automounter service.
+#
+automount = module
+
+# Layer: contrib
+# Module: avahi
+#
+# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
+#
+avahi = module
+
+# Layer: contrib
+# Module: awstats
+#
+# AWStats is a free powerful and featureful tool that generates advanced
+# web, streaming, ftp or mail server statistics, graphically.
+#
+awstats = module
+
+# Layer: contrib
+# Module: backup
+#
+# System backup scripts
+#
+backup = module
+
+# Layer: contrib
+# Module: bind
+#
+# Berkeley internet name domain DNS server.
+#
+bind = module
+
+# Layer: contrib
+# Module: bitlbee
+#
+# Bitlbee service
+#
+bitlbee = module
+
+# Layer: contrib
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+#
+bluetooth = module
+
+# Layer: contrib
+# Module: brctl
+#
+# Utilities for configuring the linux ethernet bridge
+#
+brctl = module
+
+# Layer: contrib
+# Module: bugzilla
+#
+# Bugzilla server
+#
+bugzilla = module
+
+# Layer: contrib
+# Module: calamaris
+#
+# Squid log analysis
+#
+calamaris = module
+
+# Layer: contrib
+# Module: canna
+#
+# Canna - kana-kanji conversion server
+#
+canna = module
+
+# Layer: contrib
+# Module: ccs
+#
+# Cluster Configuration System
+#
+ccs = module
+
+# Layer: contrib
+# Module: cdrecord
+#
+# Policy for cdrecord
+#
+cdrecord = module
+
+# Layer: contrib
+# Module: certmaster
+#
+# Certmaster SSL certificate distribution service
+#
+certmaster = module
+
+# Layer: contrib
+# Module: certmonger
+#
+# Certificate status monitor and PKI enrollment client
+#
+certmonger = module
+
+# Layer: contrib
+# Module: certwatch
+#
+# Digital Certificate Tracking
+#
+certwatch = module
+
+# Layer: contrib
+# Module: cgroup
+#
+# libcg is a library that abstracts the control group file system in Linux.
+#
+cgroup = module
+
+# Layer: contrib
+# Module: chronyd
+#
+# Chrony NTP background daemon
+#
+chronyd = module
+
+# Layer: contrib
+# Module: cipe
+#
+# Encrypted tunnel daemon
+#
+cipe = module
+
+# Layer: contrib
+# Module: clamav
+#
+# ClamAV Virus Scanner
+#
+clamav = module
+
+# Layer: contrib
+# Module: clockspeed
+#
+# Clockspeed simple network time protocol client
+#
+clockspeed = module
+
+# Layer: contrib
+# Module: clogd
+#
+# clogd - Clustered Mirror Log Server
+#
+clogd = module
+
+# Layer: contrib
+# Module: cmirrord
+#
+# Cluster mirror log daemon
+#
+cmirrord = module
+
+# Layer: contrib
+# Module: cobbler
+#
+# Cobbler installation server.
+#
+cobbler = module
+
+# Layer: contrib
+# Module: colord
+#
+# GNOME color manager
+#
+colord = module
+
+# Layer: contrib
+# Module: comsat
+#
+# Comsat, a biff server.
+#
+comsat = module
+
+# Layer: contrib
+# Module: consolekit
+#
+# Framework for facilitating multiple user sessions on desktops.
+#
+consolekit = module
+
+# Layer: contrib
+# Module: corosync
+#
+# Corosync Cluster Engine
+#
+corosync = module
+
+# Layer: contrib
+# Module: courier
+#
+# Courier IMAP and POP3 email servers
+#
+courier = module
+
+# Layer: contrib
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+#
+cpucontrol = module
+
+# Layer: contrib
+# Module: cpufreqselector
+#
+# Command-line CPU frequency settings.
+#
+cpufreqselector = module
+
+# Layer: contrib
+# Module: cron
+#
+# Periodic execution of scheduled commands.
+#
+cron = module
+
+# Layer: contrib
+# Module: cups
+#
+# Common UNIX printing system
+#
+cups = module
+
+# Layer: contrib
+# Module: cvs
+#
+# Concurrent versions system
+#
+cvs = module
+
+# Layer: contrib
+# Module: cyphesis
+#
+# Cyphesis WorldForge game server
+#
+cyphesis = module
+
+# Layer: contrib
+# Module: cyrus
+#
+# Cyrus is an IMAP service intended to be run on sealed servers
+#
+cyrus = module
+
+# Layer: contrib
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services
+#
+daemontools = module
+
+# Layer: contrib
+# Module: dante
+#
+# Dante msproxy and socks4/5 proxy server
+#
+dante = module
+
+# Layer: contrib
+# Module: dbadm
+#
+# Database administrator role
+#
+dbadm = module
+
+# Layer: contrib
+# Module: dbskk
+#
+# Dictionary server for the SKK Japanese input method system.
+#
+dbskk = module
+
+# Layer: contrib
+# Module: dbus
+#
+# Desktop messaging bus
+#
+dbus = module
+
+# Layer: contrib
+# Module: dcc
+#
+# Distributed checksum clearinghouse spam filtering
+#
+dcc = module
+
+# Layer: contrib
+# Module: ddclient
+#
+# Update dynamic IP address at DynDNS.org
+#
+ddclient = module
+
+# Layer: contrib
+# Module: ddcprobe
+#
+# ddcprobe retrieves monitor and graphics card information
+#
+ddcprobe = module
+
+# Layer: contrib
+# Module: denyhosts
+#
+# DenyHosts SSH dictionary attack mitigation
+#
+denyhosts = module
+
+# Layer: contrib
+# Module: devicekit
+#
+# Devicekit modular hardware abstraction layer
+#
+devicekit = module
+
+# Layer: contrib
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+#
+dhcp = module
+
+# Layer: contrib
+# Module: dictd
+#
+# Dictionary daemon
+#
+dictd = module
+
+# Layer: contrib
+# Module: distcc
+#
+# Distributed compiler daemon
+#
+distcc = module
+
+# Layer: contrib
+# Module: djbdns
+#
+# small and secure DNS daemon
+#
+djbdns = module
+
+# Layer: contrib
+# Module: dkim
+#
+# DomainKeys Identified Mail milter.
+#
+dkim = module
+
+# Layer: contrib
+# Module: dmidecode
+#
+# Decode DMI data for x86/ia64 bioses.
+#
+dmidecode = module
+
+# Layer: contrib
+# Module: dnsmasq
+#
+# dnsmasq DNS forwarder and DHCP server
+#
+dnsmasq = module
+
+# Layer: contrib
+# Module: dovecot
+#
+# Dovecot POP and IMAP mail server
+#
+dovecot = module
+
+# Layer: contrib
+# Module: dpkg
+#
+# Policy for the Debian package manager.
+#
+dpkg = module
+
+# Layer: contrib
+# Module: entropyd
+#
+# Generate entropy from audio input
+#
+entropyd = module
+
+# Layer: contrib
+# Module: evolution
+#
+# Evolution email client
+#
+evolution = module
+
+# Layer: contrib
+# Module: exim
+#
+# Exim mail transfer agent
+#
+exim = module
+
+# Layer: contrib
+# Module: fail2ban
+#
+# Update firewall filtering to ban IP addresses with too many password failures.
+#
+fail2ban = module
+
+# Layer: contrib
+# Module: fetchmail
+#
+# Remote-mail retrieval and forwarding utility
+#
+fetchmail = module
+
+# Layer: contrib
+# Module: finger
+#
+# Finger user information service.
+#
+finger = module
+
+# Layer: contrib
+# Module: firstboot
+#
+# Final system configuration run during the first boot
+# after installation of Red Hat/Fedora systems.
+#
+firstboot = module
+
+# Layer: contrib
+# Module: fprintd
+#
+# DBus fingerprint reader service
+#
+fprintd = module
+
+# Layer: contrib
+# Module: ftp
+#
+# File transfer protocol service
+#
+ftp = module
+
+# Layer: contrib
+# Module: games
+#
+# Games
+#
+games = module
+
+# Layer: contrib
+# Module: gatekeeper
+#
+# OpenH.323 Voice-Over-IP Gatekeeper
+#
+gatekeeper = module
+
+# Layer: contrib
+# Module: gift
+#
+# giFT peer to peer file sharing tool
+#
+gift = module
+
+# Layer: contrib
+# Module: git
+#
+# GIT revision control system.
+#
+git = module
+
+# Layer: contrib
+# Module: gitosis
+#
+# Tools for managing and hosting git repositories.
+#
+gitosis = module
+
+# Layer: contrib
+# Module: glance
+#
+# policy for glance
+#
+glance = module
+
+# Layer: contrib
+# Module: gnome
+#
+# GNU network object model environment (GNOME)
+#
+gnome = module
+
+# Layer: contrib
+# Module: gnomeclock
+#
+# Gnome clock handler for setting the time.
+#
+gnomeclock = module
+
+# Layer: contrib
+# Module: gpg
+#
+# Policy for GNU Privacy Guard and related programs.
+#
+gpg = module
+
+# Layer: contrib
+# Module: gpm
+#
+# General Purpose Mouse driver
+#
+gpm = module
+
+# Layer: contrib
+# Module: gpsd
+#
+# gpsd monitor daemon
+#
+gpsd = module
+
+# Layer: contrib
+# Module: guest
+#
+# Least privledge terminal user role
+#
+guest = module
+
+# Layer: contrib
+# Module: hadoop
+#
+# Software for reliable, scalable, distributed computing.
+#
+hadoop = module
+
+# Layer: contrib
+# Module: hal
+#
+# Hardware abstraction layer
+#
+hal = module
+
+# Layer: contrib
+# Module: hddtemp
+#
+# hddtemp hard disk temperature tool running as a daemon.
+#
+hddtemp = module
+
+# Layer: contrib
+# Module: howl
+#
+# Port of Apple Rendezvous multicast DNS
+#
+howl = module
+
+# Layer: contrib
+# Module: i18n_input
+#
+# IIIMF htt server
+#
+i18n_input = module
+
+# Layer: contrib
+# Module: icecast
+#
+# ShoutCast compatible streaming media server
+#
+icecast = module
+
+# Layer: contrib
+# Module: ifplugd
+#
+# Bring up/down ethernet interfaces based on cable detection.
+#
+ifplugd = module
+
+# Layer: contrib
+# Module: imaze
+#
+# iMaze game server
+#
+imaze = module
+
+# Layer: contrib
+# Module: inetd
+#
+# Internet services daemon.
+#
+inetd = module
+
+# Layer: contrib
+# Module: inn
+#
+# Internet News NNTP server
+#
+inn = module
+
+# Layer: contrib
+# Module: irc
+#
+# IRC client policy
+#
+irc = module
+
+# Layer: contrib
+# Module: ircd
+#
+# IRC server
+#
+ircd = module
+
+# Layer: contrib
+# Module: irqbalance
+#
+# IRQ balancing daemon
+#
+irqbalance = module
+
+# Layer: contrib
+# Module: iscsi
+#
+# Establish connections to iSCSI devices
+#
+iscsi = module
+
+# Layer: contrib
+# Module: jabber
+#
+# Jabber instant messaging server
+#
+jabber = module
+
+# Layer: contrib
+# Module: java
+#
+# Java virtual machine
+#
+java = module
+
+# Layer: contrib
+# Module: kdump
+#
+# Kernel crash dumping mechanism
+#
+kdump = module
+
+# Layer: contrib
+# Module: kdumpgui
+#
+# system-config-kdump GUI
+#
+kdumpgui = module
+
+# Layer: contrib
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC
+#
+kerberos = module
+
+# Layer: contrib
+# Module: kerneloops
+#
+# Service for reporting kernel oopses to kerneloops.org
+#
+kerneloops = module
+
+# Layer: contrib
+# Module: kismet
+#
+# Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
+#
+kismet = module
+
+# Layer: contrib
+# Module: ksmtuned
+#
+# Kernel Samepage Merging (KSM) Tuning Daemon
+#
+ksmtuned = module
+
+# Layer: contrib
+# Module: ktalk
+#
+# KDE Talk daemon
+#
+ktalk = module
+
+# Layer: contrib
+# Module: kudzu
+#
+# Hardware detection and configuration tools
+#
+kudzu = module
+
+# Layer: contrib
+# Module: ldap
+#
+# OpenLDAP directory server
+#
+ldap = module
+
+# Layer: contrib
+# Module: likewise
+#
+# Likewise Active Directory support for UNIX.
+#
+likewise = module
+
+# Layer: contrib
+# Module: lircd
+#
+# Linux infared remote control daemon
+#
+lircd = module
+
+# Layer: contrib
+# Module: livecd
+#
+# Livecd tool for building alternate livecd for different os and policy versions.
+#
+livecd = module
+
+# Layer: contrib
+# Module: loadkeys
+#
+# Load keyboard mappings.
+#
+loadkeys = module
+
+# Layer: contrib
+# Module: lockdev
+#
+# device locking policy for lockdev
+#
+lockdev = module
+
+# Layer: contrib
+# Module: logrotate
+#
+# Rotate and archive system logs
+#
+logrotate = module
+
+# Layer: contrib
+# Module: logwatch
+#
+# System log analyzer and reporter
+#
+logwatch = module
+
+# Layer: contrib
+# Module: lpd
+#
+# Line printer daemon
+#
+lpd = module
+
+# Layer: contrib
+# Module: mailman
+#
+# Mailman is for managing electronic mail discussion and e-newsletter lists
+#
+mailman = module
+
+# Layer: contrib
+# Module: mcelog
+#
+# policy for mcelog
+#
+mcelog = module
+
+# Layer: contrib
+# Module: mediawiki
+#
+# Mediawiki policy
+#
+mediawiki = module
+
+# Layer: contrib
+# Module: memcached
+#
+# high-performance memory object caching system
+#
+memcached = module
+
+# Layer: contrib
+# Module: milter
+#
+# Milter mail filters
+#
+milter = module
+
+# Layer: contrib
+# Module: modemmanager
+#
+# Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.
+#
+modemmanager = module
+
+# Layer: contrib
+# Module: mojomojo
+#
+# MojoMojo Wiki
+#
+mojomojo = module
+
+# Layer: contrib
+# Module: mono
+#
+# Run .NET server and client applications on Linux.
+#
+mono = module
+
+# Layer: contrib
+# Module: monop
+#
+# Monopoly daemon
+#
+monop = module
+
+# Layer: contrib
+# Module: mozilla
+#
+# Policy for Mozilla and related web browsers
+#
+mozilla = module
+
+# Layer: contrib
+# Module: mpd
+#
+# Music Player Daemon
+#
+mpd = module
+
+# Layer: contrib
+# Module: mplayer
+#
+# Mplayer media player and encoder
+#
+mplayer = module
+
+# Layer: contrib
+# Module: mrtg
+#
+# Network traffic graphing
+#
+mrtg = module
+
+# Layer: contrib
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+#
+mta = module
+
+# Layer: contrib
+# Module: munin
+#
+# Munin network-wide load graphing (formerly LRRD)
+#
+munin = module
+
+# Layer: contrib
+# Module: mysql
+#
+# Policy for MySQL
+#
+mysql = module
+
+# Layer: contrib
+# Module: nagios
+#
+# Net Saint / NAGIOS - network monitoring server
+#
+nagios = module
+
+# Layer: contrib
+# Module: ncftool
+#
+# Netcf network configuration tool (ncftool).
+#
+ncftool = module
+
+# Layer: contrib
+# Module: nessus
+#
+# Nessus network scanning daemon
+#
+nessus = module
+
+# Layer: contrib
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+#
+networkmanager = module
+
+# Layer: contrib
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+#
+nis = module
+
+# Layer: contrib
+# Module: nscd
+#
+# Name service cache daemon
+#
+nscd = module
+
+# Layer: contrib
+# Module: nsd
+#
+# Authoritative only name server
+#
+nsd = module
+
+# Layer: contrib
+# Module: nslcd
+#
+# nslcd - local LDAP name service daemon.
+#
+nslcd = module
+
+# Layer: contrib
+# Module: ntop
+#
+# Network Top
+#
+ntop = module
+
+# Layer: contrib
+# Module: ntp
+#
+# Network time protocol daemon
+#
+ntp = module
+
+# Layer: contrib
+# Module: nut
+#
+# nut - Network UPS Tools
+#
+nut = module
+
+# Layer: contrib
+# Module: nx
+#
+# NX remote desktop
+#
+nx = module
+
+# Layer: contrib
+# Module: oav
+#
+# Open AntiVirus scannerdaemon and signature update
+#
+oav = module
+
+# Layer: contrib
+# Module: oddjob
+#
+# Oddjob provides a mechanism by which unprivileged applications can
+# request that specified privileged operations be performed on their
+# behalf.
+#
+oddjob = module
+
+# Layer: contrib
+# Module: oident
+#
+# SELinux policy for Oident daemon.
+#
+oident = module
+
+# Layer: contrib
+# Module: openca
+#
+# OpenCA - Open Certificate Authority
+#
+openca = module
+
+# Layer: contrib
+# Module: openct
+#
+# Service for handling smart card readers.
+#
+openct = module
+
+# Layer: contrib
+# Module: openvpn
+#
+# full-featured SSL VPN solution
+#
+openvpn = module
+
+# Layer: contrib
+# Module: pads
+#
+# Passive Asset Detection System
+#
+pads = module
+
+# Layer: contrib
+# Module: passenger
+#
+# Ruby on rails deployment for Apache and Nginx servers.
+#
+passenger = module
+
+# Layer: contrib
+# Module: pcmcia
+#
+# PCMCIA card management services
+#
+pcmcia = module
+
+# Layer: contrib
+# Module: pcscd
+#
+# PCSC smart card service
+#
+pcscd = module
+
+# Layer: contrib
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+pegasus = module
+
+# Layer: contrib
+# Module: perdition
+#
+# Perdition POP and IMAP proxy
+#
+perdition = module
+
+# Layer: contrib
+# Module: pingd
+#
+# Pingd of the Whatsup cluster node up/down detection utility
+#
+pingd = module
+
+# Layer: contrib
+# Module: plymouthd
+#
+# Plymouth graphical boot
+#
+plymouthd = module
+
+# Layer: contrib
+# Module: podsleuth
+#
+# Podsleuth is a tool to get information about an Apple (TM) iPod (TM)
+#
+podsleuth = module
+
+# Layer: contrib
+# Module: policykit
+#
+# Policy framework for controlling privileges for system-wide services.
+#
+policykit = module
+
+# Layer: contrib
+# Module: portage
+#
+# Portage Package Management System. The primary package management and
+# distribution system for Gentoo.
+#
+portage = module
+
+# Layer: contrib
+# Module: portmap
+#
+# RPC port mapping service.
+#
+portmap = module
+
+# Layer: contrib
+# Module: portreserve
+#
+# Reserve well-known ports in the RPC port range.
+#
+portreserve = module
+
+# Layer: contrib
+# Module: portslave
+#
+# Portslave terminal server software
+#
+portslave = module
+
+# Layer: contrib
+# Module: postfix
+#
+# Postfix email server
+#
+postfix = module
+
+# Layer: contrib
+# Module: postfixpolicyd
+#
+# Postfix policy server
+#
+postfixpolicyd = module
+
+# Layer: contrib
+# Module: postgrey
+#
+# Postfix grey-listing server
+#
+postgrey = module
+
+# Layer: contrib
+# Module: ppp
+#
+# Point to Point Protocol daemon creates links in ppp networks
+#
+ppp = module
+
+# Layer: contrib
+# Module: prelink
+#
+# Prelink ELF shared library mappings.
+#
+prelink = module
+
+# Layer: contrib
+# Module: prelude
+#
+# Prelude hybrid intrusion detection system
+#
+prelude = module
+
+# Layer: contrib
+# Module: privoxy
+#
+# Privacy enhancing web proxy.
+#
+privoxy = module
+
+# Layer: contrib
+# Module: procmail
+#
+# Procmail mail delivery agent
+#
+procmail = module
+
+# Layer: contrib
+# Module: psad
+#
+# Intrusion Detection and Log Analysis with iptables
+#
+psad = module
+
+# Layer: contrib
+# Module: ptchown
+#
+# helper function for grantpt(3), changes ownship and permissions of pseudotty
+#
+ptchown = module
+
+# Layer: contrib
+# Module: publicfile
+#
+# publicfile supplies files to the public through HTTP and FTP
+#
+publicfile = module
+
+# Layer: contrib
+# Module: pulseaudio
+#
+# Pulseaudio network sound server.
+#
+pulseaudio = module
+
+# Layer: contrib
+# Module: puppet
+#
+# Puppet client daemon
+#
+puppet = module
+
+# Layer: contrib
+# Module: pxe
+#
+# Server for the PXE network boot protocol
+#
+pxe = module
+
+# Layer: contrib
+# Module: pyicqt
+#
+# PyICQt is an ICQ transport for XMPP server.
+#
+pyicqt = module
+
+# Layer: contrib
+# Module: pyzor
+#
+# Pyzor is a distributed, collaborative spam detection and filtering network.
+#
+pyzor = module
+
+# Layer: contrib
+# Module: qemu
+#
+# QEMU machine emulator and virtualizer
+#
+qemu = module
+
+# Layer: contrib
+# Module: qmail
+#
+# Qmail Mail Server
+#
+qmail = module
+
+# Layer: contrib
+# Module: qpid
+#
+# Apache QPID AMQP messaging server.
+#
+qpid = module
+
+# Layer: contrib
+# Module: quota
+#
+# File system quota management
+#
+quota = module
+
+# Layer: contrib
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+#
+radius = module
+
+# Layer: contrib
+# Module: radvd
+#
+# IPv6 router advertisement daemon
+#
+radvd = module
+
+# Layer: contrib
+# Module: raid
+#
+# RAID array management tools
+#
+raid = module
+
+# Layer: contrib
+# Module: razor
+#
+# A distributed, collaborative, spam detection and filtering network.
+#
+razor = module
+
+# Layer: contrib
+# Module: rdisc
+#
+# Network router discovery daemon
+#
+rdisc = module
+
+# Layer: contrib
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+#
+readahead = module
+
+# Layer: contrib
+# Module: remotelogin
+#
+# Policy for rshd, rlogind, and telnetd.
+#
+remotelogin = module
+
+# Layer: contrib
+# Module: resmgr
+#
+# Resource management daemon
+#
+resmgr = module
+
+# Layer: contrib
+# Module: rgmanager
+#
+# rgmanager - Resource Group Manager
+#
+rgmanager = module
+
+# Layer: contrib
+# Module: rhcs
+#
+# RHCS - Red Hat Cluster Suite
+#
+rhcs = module
+
+# Layer: contrib
+# Module: rhgb
+#
+# Red Hat Graphical Boot
+#
+rhgb = module
+
+# Layer: contrib
+# Module: rhsmcertd
+#
+# Subscription Management Certificate Daemon policy
+#
+rhsmcertd = module
+
+# Layer: contrib
+# Module: ricci
+#
+# Ricci cluster management agent
+#
+ricci = module
+
+# Layer: contrib
+# Module: rlogin
+#
+# Remote login daemon
+#
+rlogin = module
+
+# Layer: contrib
+# Module: roundup
+#
+# Roundup Issue Tracking System policy
+#
+roundup = module
+
+# Layer: contrib
+# Module: rpc
+#
+# Remote Procedure Call Daemon for managment of network based process communication
+#
+rpc = module
+
+# Layer: contrib
+# Module: rpcbind
+#
+# Universal Addresses to RPC Program Number Mapper
+#
+rpcbind = module
+
+# Layer: contrib
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = module
+
+# Layer: contrib
+# Module: rshd
+#
+# Remote shell service.
+#
+rshd = module
+
+# Layer: contrib
+# Module: rssh
+#
+# Restricted (scp/sftp) only shell
+#
+rssh = module
+
+# Layer: contrib
+# Module: rsync
+#
+# Fast incremental file transfer for synchronization
+#
+rsync = module
+
+# Layer: contrib
+# Module: rtkit
+#
+# Realtime scheduling for user processes.
+#
+rtkit = module
+
+# Layer: contrib
+# Module: rwho
+#
+# Who is logged in on other machines?
+#
+rwho = module
+
+# Layer: contrib
+# Module: samba
+#
+# SMB and CIFS client/server programs for UNIX and
+# name Service Switch daemon for resolving names
+# from Windows NT servers.
+#
+samba = module
+
+# Layer: contrib
+# Module: sambagui
+#
+# system-config-samba dbus service policy
+#
+sambagui = module
+
+# Layer: contrib
+# Module: samhain
+#
+# Samhain - check file integrity
+#
+samhain = module
+
+# Layer: contrib
+# Module: sanlock
+#
+# policy for sanlock
+#
+sanlock = module
+
+# Layer: contrib
+# Module: sasl
+#
+# SASL authentication server
+#
+sasl = module
+
+# Layer: contrib
+# Module: sblim
+#
+# policy for SBLIM Gatherer
+#
+sblim = module
+
+# Layer: contrib
+# Module: screen
+#
+# GNU terminal multiplexer
+#
+screen = module
+
+# Layer: contrib
+# Module: sectoolm
+#
+# Sectool security audit tool
+#
+sectoolm = module
+
+# Layer: contrib
+# Module: sendmail
+#
+# Policy for sendmail.
+#
+sendmail = module
+
+# Layer: contrib
+# Module: setroubleshoot
+#
+# SELinux troubleshooting service
+#
+setroubleshoot = module
+
+# Layer: contrib
+# Module: shorewall
+#
+# Shoreline Firewall high-level tool for configuring netfilter
+#
+shorewall = module
+
+# Layer: contrib
+# Module: shutdown
+#
+# System shutdown command
+#
+shutdown = module
+
+# Layer: contrib
+# Module: slocate
+#
+# Update database for mlocate
+#
+slocate = module
+
+# Layer: contrib
+# Module: slrnpull
+#
+# Service for downloading news feeds the slrn newsreader.
+#
+slrnpull = module
+
+# Layer: contrib
+# Module: smartmon
+#
+# Smart disk monitoring daemon policy
+#
+smartmon = module
+
+# Layer: contrib
+# Module: smokeping
+#
+# Smokeping network latency measurement.
+#
+smokeping = module
+
+# Layer: contrib
+# Module: smoltclient
+#
+# The Fedora hardware profiler client
+#
+smoltclient = module
+
+# Layer: contrib
+# Module: snmp
+#
+# Simple network management protocol services
+#
+snmp = module
+
+# Layer: contrib
+# Module: snort
+#
+# Snort network intrusion detection system
+#
+snort = module
+
+# Layer: contrib
+# Module: sosreport
+#
+# sosreport - Generate debugging information for system
+#
+sosreport = module
+
+# Layer: contrib
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+#
+soundserver = module
+
+# Layer: contrib
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+#
+spamassassin = module
+
+# Layer: contrib
+# Module: speedtouch
+#
+# Alcatel speedtouch USB ADSL modem
+#
+speedtouch = module
+
+# Layer: contrib
+# Module: squid
+#
+# Squid caching http proxy server
+#
+squid = module
+
+# Layer: contrib
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
+# Layer: contrib
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+#
+stunnel = module
+
+# Layer: contrib
+# Module: sxid
+#
+# SUID/SGID program monitoring
+#
+sxid = module
+
+# Layer: contrib
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+#
+sysstat = module
+
+# Layer: contrib
+# Module: tcpd
+#
+# Policy for TCP daemon.
+#
+tcpd = module
+
+# Layer: contrib
+# Module: tcsd
+#
+# TSS Core Services (TCS) daemon (tcsd) policy
+#
+tcsd = module
+
+# Layer: contrib
+# Module: telepathy
+#
+# Telepathy communications framework.
+#
+telepathy = module
+
+# Layer: contrib
+# Module: telnet
+#
+# Telnet daemon
+#
+telnet = module
+
+# Layer: contrib
+# Module: tftp
+#
+# Trivial file transfer protocol daemon
+#
+tftp = module
+
+# Layer: contrib
+# Module: tgtd
+#
+# Linux Target Framework Daemon.
+#
+tgtd = module
+
+# Layer: contrib
+# Module: thunderbird
+#
+# Thunderbird email client
+#
+thunderbird = module
+
+# Layer: contrib
+# Module: timidity
+#
+# MIDI to WAV converter and player configured as a service
+#
+timidity = module
+
+# Layer: contrib
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+#
+tmpreaper = module
+
+# Layer: contrib
+# Module: tor
+#
+# TOR, the onion router
+#
+tor = module
+
+# Layer: contrib
+# Module: transproxy
+#
+# HTTP transperant proxy
+#
+transproxy = module
+
+# Layer: contrib
+# Module: tripwire
+#
+# Tripwire file integrity checker.
+#
+tripwire = module
+
+# Layer: contrib
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: contrib
+# Module: tvtime
+#
+# tvtime - a high quality television application
+#
+tvtime = module
+
+# Layer: contrib
+# Module: tzdata
+#
+# Time zone updater
+#
+tzdata = module
+
+# Layer: contrib
+# Module: ucspitcp
+#
+# ucspitcp policy
+#
+ucspitcp = module
+
+# Layer: contrib
+# Module: ulogd
+#
+# Iptables/netfilter userspace logging daemon.
+#
+ulogd = module
+
+# Layer: contrib
+# Module: uml
+#
+# Policy for UML
+#
+uml = module
+
+# Layer: contrib
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+#
+updfstab = module
+
+# Layer: contrib
+# Module: uptime
+#
+# Uptime daemon
+#
+uptime = module
+
+# Layer: contrib
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+#
+usbmodules = module
+
+# Layer: contrib
+# Module: usbmuxd
+#
+# USB multiplexing daemon for communicating with Apple iPod Touch and iPhone
+#
+usbmuxd = module
+
+# Layer: contrib
+# Module: userhelper
+#
+# SELinux utility to run a shell with a new role
+#
+userhelper = module
+
+# Layer: contrib
+# Module: usernetctl
+#
+# User network interface configuration helper
+#
+usernetctl = module
+
+# Layer: contrib
+# Module: uucp
+#
+# Unix to Unix Copy
+#
+uucp = module
+
+# Layer: contrib
+# Module: uuidd
+#
+# policy for uuidd
+#
+uuidd = module
+
+# Layer: contrib
+# Module: uwimap
+#
+# University of Washington IMAP toolkit POP3 and IMAP mail server
+#
+uwimap = module
+
+# Layer: contrib
+# Module: varnishd
+#
+# Varnishd http accelerator daemon
+#
+varnishd = module
+
+# Layer: contrib
+# Module: vbetool
+#
+# run real-mode video BIOS code to alter hardware state
+#
+vbetool = module
+
+# Layer: contrib
+# Module: vdagent
+#
+# policy for vdagent
+#
+vdagent = module
+
+# Layer: contrib
+# Module: vhostmd
+#
+# Virtual host metrics daemon
+#
+vhostmd = module
+
+# Layer: contrib
+# Module: virt
+#
+# Libvirt virtualization API
+#
+virt = module
+
+# Layer: contrib
+# Module: vlock
+#
+# Lock one or more sessions on the Linux console.
+#
+vlock = module
+
+# Layer: contrib
+# Module: vmware
+#
+# VMWare Workstation virtual machines
+#
+vmware = module
+
+# Layer: contrib
+# Module: vnstatd
+#
+# Console network traffic monitor.
+#
+vnstatd = module
+
+# Layer: contrib
+# Module: vpn
+#
+# Virtual Private Networking client
+#
+vpn = module
+
+# Layer: contrib
+# Module: w3c
+#
+# W3C Markup Validator
+#
+w3c = module
+
+# Layer: contrib
+# Module: watchdog
+#
+# Software watchdog
+#
+watchdog = module
+
+# Layer: contrib
+# Module: webadm
+#
+# Web administrator role
+#
+webadm = module
+
+# Layer: contrib
+# Module: webalizer
+#
+# Web server log analysis
+#
+webalizer = module
+
+# Layer: contrib
+# Module: wine
+#
+# Wine Is Not an Emulator. Run Windows programs in Linux.
+#
+wine = module
+
+# Layer: contrib
+# Module: wireshark
+#
+# Wireshark packet capture tool.
+#
+wireshark = module
+
+# Layer: contrib
+# Module: wm
+#
+# X Window Managers
+#
+wm = module
+
+# Layer: contrib
+# Module: xen
+#
+# Xen hypervisor
+#
+xen = module
+
+# Layer: contrib
+# Module: xfs
+#
+# X Windows Font Server
+#
+xfs = module
+
+# Layer: contrib
+# Module: xguest
+#
+# Least privledge xwindows user role
+#
+xguest = module
+
+# Layer: contrib
+# Module: xprint
+#
+# X print server
+#
+xprint = module
+
+# Layer: contrib
+# Module: xscreensaver
+#
+# X Screensaver
+#
+xscreensaver = module
+
+# Layer: contrib
+# Module: yam
+#
+# Yum/Apt Mirroring
+#
+yam = module
+
+# Layer: contrib
+# Module: zabbix
+#
+# Distributed infrastructure monitoring
+#
+zabbix = module
+
+# Layer: contrib
+# Module: zarafa
+#
+# Zarafa collaboration platform.
+#
+zarafa = module
+
+# Layer: contrib
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+#
+zebra = module
+
+# Layer: contrib
+# Module: zosremote
+#
+# policy for z/OS Remote-services Audit dispatcher plugin
+#
+zosremote = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = module
+
+# Layer: roles
+# Module: auditadm
+#
+# Audit administrator role
+#
+auditadm = module
+
+# Layer: roles
+# Module: logadm
+#
+# Log administrator role
+#
+logadm = module
+
+# Layer: roles
+# Module: secadm
+#
+# Security administrator role
+#
+secadm = module
+
+# Layer: roles
+# Module: staff
+#
+# Administrator's unprivileged user role
+#
+staff = module
+
+# Layer: roles
+# Module: sysadm
+#
+# General system administration role
+#
+sysadm = module
+
+# Layer: roles
+# Module: unprivuser
+#
+# Generic unprivileged user role
+#
+unprivuser = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: xserver
+#
+# X Windows Server
+#
+xserver = module
+
+# Layer: system
+# Module: application
+#
+# Policy for user executable applications.
+#
+application = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = module
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+#
+hotplug = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# NetLabel/CIPSO labeled networking management
+#
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+#
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
new file mode 100644
index 00000000..7a6f06f5
--- /dev/null
+++ b/policy/modules/admin/bootloader.fc
@@ -0,0 +1,9 @@
+
+/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+
+/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
new file mode 100644
index 00000000..a778bb15
--- /dev/null
+++ b/policy/modules/admin/bootloader.if
@@ -0,0 +1,124 @@
+## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
+
+########################################
+## <summary>
+## Execute bootloader in the bootloader domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bootloader_domtrans',`
+ gen_require(`
+ type bootloader_t, bootloader_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bootloader_exec_t, bootloader_t)
+')
+
+########################################
+## <summary>
+## Execute bootloader interactively and do
+## a domain transition to the bootloader domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bootloader_run',`
+ gen_require(`
+ attribute_role bootloader_roles;
+ ')
+
+ bootloader_domtrans($1)
+ roleattribute $2 bootloader_roles;
+')
+
+########################################
+## <summary>
+## Read the bootloader configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bootloader_read_config',`
+ gen_require(`
+ type bootloader_etc_t;
+ ')
+
+ allow $1 bootloader_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write the bootloader
+## configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bootloader_rw_config',`
+ gen_require(`
+ type bootloader_etc_t;
+ ')
+
+ allow $1 bootloader_etc_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write the bootloader
+## temporary data in /tmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bootloader_rw_tmp_files',`
+ gen_require(`
+ type bootloader_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 bootloader_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write the bootloader
+## temporary data in /tmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bootloader_create_runtime_file',`
+ gen_require(`
+ type boot_runtime_t;
+ ')
+
+ allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
+ files_boot_filetrans($1, boot_runtime_t, file)
+')
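Review bot: The summary on `bootloader_create_runtime_file`, the last interface in the hunk, is a copy of the `bootloader_rw_tmp_files` summary and describes the wrong thing: the body grants `create_file_perms rw_file_perms` on `boot_runtime_t` and a `files_boot_filetrans` into /boot, not access to temporary data in /tmp. Replace the summary text with `## Create and read/write the bootloader runtime file (boot_runtime_t) in /boot.` so callers can see which type and directory the interface actually touches. The bootloader.te declarations in this diff describe `boot_runtime_t` as the type of /boot/kernel.h on Red Hat; mentioning that in the summary would also help, though the interface itself is not distro-conditional.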
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
new file mode 100644
index 00000000..ab0439a2
--- /dev/null
+++ b/policy/modules/admin/bootloader.te
@@ -0,0 +1,211 @@
+policy_module(bootloader, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role bootloader_roles;
+roleattribute system_r bootloader_roles;
+
+#
+# boot_runtime_t is the type for /boot/kernel.h,
+# which is automatically generated at boot time.
+# only for Red Hat
+#
+type boot_runtime_t;
+files_type(boot_runtime_t)
+
+type bootloader_t;
+type bootloader_exec_t;
+application_domain(bootloader_t, bootloader_exec_t)
+role bootloader_roles types bootloader_t;
+
+#
+# bootloader_etc_t is the configuration file,
+# grub.conf, lilo.conf, etc.
+#
+type bootloader_etc_t alias etc_bootloader_t;
+files_type(bootloader_etc_t)
+
+#
+# The temp file is used for initrd creation;
+# it consists of files and device nodes
+#
+type bootloader_tmp_t;
+files_tmp_file(bootloader_tmp_t)
+dev_node(bootloader_tmp_t)
+
+########################################
+#
+# bootloader local policy
+#
+
+allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:process { signal_perms execmem };
+allow bootloader_t self:fifo_file rw_fifo_file_perms;
+
+allow bootloader_t bootloader_etc_t:file read_file_perms;
+# uncomment the following lines if you use "lilo -p"
+#allow bootloader_t bootloader_etc_t:file manage_file_perms;
+#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
+
+manage_dirs_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
+manage_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
+manage_lnk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
+manage_blk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
+manage_chr_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
+files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file blk_file })
+# for tune2fs (cjp: ?)
+files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
+
+kernel_getattr_core_if(bootloader_t)
+kernel_read_network_state(bootloader_t)
+kernel_read_system_state(bootloader_t)
+kernel_read_software_raid_state(bootloader_t)
+kernel_read_kernel_sysctls(bootloader_t)
+
+storage_raw_read_fixed_disk(bootloader_t)
+storage_raw_write_fixed_disk(bootloader_t)
+storage_raw_read_removable_device(bootloader_t)
+storage_raw_write_removable_device(bootloader_t)
+
+dev_getattr_all_chr_files(bootloader_t)
+dev_getattr_all_blk_files(bootloader_t)
+dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
+dev_read_rand(bootloader_t)
+dev_read_urand(bootloader_t)
+dev_read_sysfs(bootloader_t)
+# needed on some hardware
+dev_rw_nvram(bootloader_t)
+
+fs_getattr_xattr_fs(bootloader_t)
+fs_getattr_tmpfs(bootloader_t)
+fs_read_tmpfs_symlinks(bootloader_t)
+#Needed for ia64
+fs_manage_dos_files(bootloader_t)
+
+mls_file_read_all_levels(bootloader_t)
+mls_file_write_all_levels(bootloader_t)
+
+term_getattr_all_ttys(bootloader_t)
+term_dontaudit_manage_pty_dirs(bootloader_t)
+
+corecmd_exec_all_executables(bootloader_t)
+
+domain_use_interactive_fds(bootloader_t)
+
+files_create_boot_dirs(bootloader_t)
+files_manage_boot_files(bootloader_t)
+files_manage_boot_symlinks(bootloader_t)
+files_read_etc_files(bootloader_t)
+files_exec_etc_files(bootloader_t)
+files_read_usr_src_files(bootloader_t)
+files_read_usr_files(bootloader_t)
+files_read_var_files(bootloader_t)
+files_read_kernel_modules(bootloader_t)
+# for nscd
+files_dontaudit_search_pids(bootloader_t)
+# for blkid.tab
+files_manage_etc_runtime_files(bootloader_t)
+files_etc_filetrans_etc_runtime(bootloader_t, file)
+files_dontaudit_search_home(bootloader_t)
+
+init_getattr_initctl(bootloader_t)
+init_use_script_ptys(bootloader_t)
+init_use_script_fds(bootloader_t)
+init_rw_script_pipes(bootloader_t)
+
+libs_read_lib_files(bootloader_t)
+libs_exec_lib_files(bootloader_t)
+
+logging_send_syslog_msg(bootloader_t)
+logging_rw_generic_logs(bootloader_t)
+
+miscfiles_read_localization(bootloader_t)
+
+modutils_domtrans_insmod(bootloader_t)
+
+seutil_read_bin_policy(bootloader_t)
+seutil_read_loadpolicy(bootloader_t)
+seutil_dontaudit_search_config(bootloader_t)
+
+userdom_use_user_terminals(bootloader_t)
+userdom_dontaudit_search_user_home_dirs(bootloader_t)
+
+ifdef(`distro_debian',`
+ allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+ fs_list_tmpfs(bootloader_t)
+
+ files_relabel_kernel_modules(bootloader_t)
+ files_relabelfrom_boot_files(bootloader_t)
+ files_delete_kernel_modules(bootloader_t)
+ files_relabelto_usr_files(bootloader_t)
+ files_search_var_lib(bootloader_t)
+ # for /usr/share/initrd-tools/scripts
+ files_exec_usr_files(bootloader_t)
+
+ fstools_manage_entry_files(bootloader_t)
+ fstools_relabelto_entry_files(bootloader_t)
+
+ libs_relabelto_lib_files(bootloader_t)
+')
+
+ifdef(`distro_redhat',`
+ # for memlock
+ allow bootloader_t self:capability ipc_lock;
+
+ # new file system defaults to file_t, granting file_t access is still bad.
+ allow bootloader_t boot_runtime_t:file { read_file_perms delete_file_perms };
+
+ # new file system defaults to file_t, granting file_t access is still bad.
+ files_manage_isid_type_dirs(bootloader_t)
+ files_manage_isid_type_files(bootloader_t)
+ files_manage_isid_type_symlinks(bootloader_t)
+ files_manage_isid_type_blk_files(bootloader_t)
+ files_manage_isid_type_chr_files(bootloader_t)
+
+ # for mke2fs
+ mount_run(bootloader_t, bootloader_roles)
+
+ optional_policy(`
+ unconfined_domain(bootloader_t)
+ ')
+')
+
+optional_policy(`
+ fstools_exec(bootloader_t)
+')
+
+optional_policy(`
+ hal_dontaudit_append_lib_files(bootloader_t)
+ hal_write_log(bootloader_t)
+')
+
+optional_policy(`
+ kudzu_domtrans(bootloader_t)
+')
+
+optional_policy(`
+ dev_rw_lvm_control(bootloader_t)
+
+ lvm_domtrans(bootloader_t)
+ lvm_read_config(bootloader_t)
+')
+
+optional_policy(`
+ modutils_exec_insmod(bootloader_t)
+ modutils_read_module_deps(bootloader_t)
+ modutils_read_module_config(bootloader_t)
+ modutils_exec_insmod(bootloader_t)
+ modutils_exec_depmod(bootloader_t)
+ modutils_exec_update_mods(bootloader_t)
+')
+
+optional_policy(`
+ nscd_socket_use(bootloader_t)
+')
+
+optional_policy(`
+ rpm_rw_pipes(bootloader_t)
+')
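Review bot: `modutils_exec_insmod(bootloader_t)` appears twice in the same `optional_policy` block near the end of the hunk (its first and fourth lines); drop one. Related, `modutils_domtrans_insmod(bootloader_t)` is called unconditionally earlier in the file while every other modutils interface sits inside that optional block, and the module list at the top of this diff declares `modutils = module`; if that is the intended build, the unconditional call makes a hard dependency on the modutils module, so it should either move into the optional block or get a comment explaining why it must not. The `distro_redhat` branch ends with `unconfined_domain(bootloader_t)` inside an `optional_policy`, which renders the detailed allow rules above it moot on that distro whenever the unconfined module is present; a comment such as `# with the unconfined module loaded, bootloader_t is effectively unconfined on Red Hat` would save a reader from auditing rules that do not constrain it there.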
diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc
new file mode 100644
index 00000000..b7f053bf
--- /dev/null
+++ b/policy/modules/admin/consoletype.fc
@@ -0,0 +1,2 @@
+
+/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0)
diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
new file mode 100644
index 00000000..0f57d3bc
--- /dev/null
+++ b/policy/modules/admin/consoletype.if
@@ -0,0 +1,71 @@
+## <summary>
+## Determine of the console connected to the controlling terminal.
+## </summary>
+
+########################################
+## <summary>
+## Execute consoletype in the consoletype domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`consoletype_domtrans',`
+ gen_require(`
+ type consoletype_t, consoletype_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, consoletype_exec_t, consoletype_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit consoletype_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute consoletype in the consoletype domain, and
+## allow the specified role the consoletype domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`consoletype_run',`
+ gen_require(`
+ type consoletype_t;
+ ')
+
+ consoletype_domtrans($1)
+ role $2 types consoletype_t;
+')
+
+########################################
+## <summary>
+## Execute consoletype in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`consoletype_exec',`
+ gen_require(`
+ type consoletype_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, consoletype_exec_t)
+')
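Review bot: The file-level summary at the top of the hunk, `Determine of the console connected to the controlling terminal.`, is missing its object and should read `## Determine the type of the console connected to the controlling terminal.` Separately, `consoletype_run` takes a role parameter but, unlike `bootloader_run` and `netutils_run` elsewhere in this diff, carries no `<rolecap/>` tag; I cannot tell from the hunk whether that omission is deliberate, so either add the tag or note why it is absent.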
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
new file mode 100644
index 00000000..cd5e005c
--- /dev/null
+++ b/policy/modules/admin/consoletype.te
@@ -0,0 +1,125 @@
+policy_module(consoletype, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type consoletype_t;
+type consoletype_exec_t;
+init_domain(consoletype_t, consoletype_exec_t)
+init_system_domain(consoletype_t, consoletype_exec_t)
+
+########################################
+#
+# Local declarations
+#
+
+allow consoletype_t self:capability { sys_admin sys_tty_config };
+allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow consoletype_t self:fd use;
+allow consoletype_t self:fifo_file rw_fifo_file_perms;
+allow consoletype_t self:sock_file read_sock_file_perms;
+allow consoletype_t self:unix_dgram_socket create_socket_perms;
+allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
+allow consoletype_t self:unix_dgram_socket sendto;
+allow consoletype_t self:unix_stream_socket connectto;
+allow consoletype_t self:shm create_shm_perms;
+allow consoletype_t self:sem create_sem_perms;
+allow consoletype_t self:msgq create_msgq_perms;
+allow consoletype_t self:msg { send receive };
+
+kernel_use_fds(consoletype_t)
+kernel_dontaudit_read_system_state(consoletype_t)
+
+dev_dontaudit_rw_generic_chr_files(consoletype_t)
+
+domain_use_interactive_fds(consoletype_t)
+
+files_dontaudit_read_root_files(consoletype_t)
+files_list_usr(consoletype_t)
+
+fs_getattr_all_fs(consoletype_t)
+fs_search_auto_mountpoints(consoletype_t)
+fs_write_nfs_files(consoletype_t)
+fs_list_inotifyfs(consoletype_t)
+
+mls_file_read_all_levels(consoletype_t)
+mls_file_write_all_levels(consoletype_t)
+
+term_use_all_terms(consoletype_t)
+
+init_use_fds(consoletype_t)
+init_use_script_ptys(consoletype_t)
+init_use_script_fds(consoletype_t)
+init_rw_script_pipes(consoletype_t)
+
+userdom_use_user_terminals(consoletype_t)
+
+ifdef(`distro_redhat',`
+ fs_rw_tmpfs_chr_files(consoletype_t)
+')
+
+optional_policy(`
+ apm_use_fds(consoletype_t)
+ apm_write_pipes(consoletype_t)
+')
+
+optional_policy(`
+ auth_read_pam_pid(consoletype_t)
+')
+
+optional_policy(`
+ cron_read_pipes(consoletype_t)
+ cron_use_system_job_fds(consoletype_t)
+')
+
+optional_policy(`
+ dbus_use_system_bus_fds(consoletype_t)
+')
+
+optional_policy(`
+ files_read_etc_files(consoletype_t)
+ firstboot_use_fds(consoletype_t)
+ firstboot_rw_pipes(consoletype_t)
+')
+
+optional_policy(`
+ hal_dontaudit_use_fds(consoletype_t)
+ hal_dontaudit_rw_pipes(consoletype_t)
+ hal_dontaudit_rw_dgram_sockets(consoletype_t)
+ hal_dontaudit_write_log(consoletype_t)
+')
+
+optional_policy(`
+ hotplug_dontaudit_use_fds(consoletype_t)
+')
+
+optional_policy(`
+ logrotate_dontaudit_use_fds(consoletype_t)
+')
+
+optional_policy(`
+ lpd_read_config(consoletype_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(consoletype_t)
+')
+
+optional_policy(`
+ # Commonly used from postinst scripts
+ rpm_read_pipes(consoletype_t)
+')
+
+optional_policy(`
+ userdom_use_unpriv_users_fds(consoletype_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(consoletype_t)
+ kernel_write_xen_state(consoletype_t)
+ xen_append_log(consoletype_t)
+ xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
+ xen_dontaudit_use_fds(consoletype_t)
+')
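Review bot: `files_read_etc_files(consoletype_t)` sits inside the `optional_policy` block that otherwise holds only firstboot interfaces, so read access to /etc is granted only when the firstboot module is present; if consoletype needs it in general, move it out next to the other `files_*` calls, and if it really is firstboot-specific, say so with a comment above it. The section header `# Local declarations` introduces what the other .te files in this diff label `# Local policy`; rename it for consistency. The split `unix_dgram_socket` and `unix_stream_socket` rules could each be folded into one line, e.g. `allow consoletype_t self:unix_dgram_socket { create_socket_perms sendto };`, which is purely a readability point.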
diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
new file mode 100644
index 00000000..d6cc2d97
--- /dev/null
+++ b/policy/modules/admin/dmesg.fc
@@ -0,0 +1,2 @@
+
+/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
new file mode 100644
index 00000000..e1973c78
--- /dev/null
+++ b/policy/modules/admin/dmesg.if
@@ -0,0 +1,40 @@
+## <summary>Policy for dmesg.</summary>
+
+########################################
+## <summary>
+## Execute dmesg in the dmesg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dmesg_domtrans',`
+ gen_require(`
+ type dmesg_t, dmesg_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dmesg_exec_t, dmesg_t)
+')
+
+########################################
+## <summary>
+## Execute dmesg in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dmesg_exec',`
+ gen_require(`
+ type dmesg_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dmesg_exec_t)
+')
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
new file mode 100644
index 00000000..72bc6d81
--- /dev/null
+++ b/policy/modules/admin/dmesg.te
@@ -0,0 +1,58 @@
+policy_module(dmesg, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type dmesg_t;
+type dmesg_exec_t;
+init_system_domain(dmesg_t, dmesg_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dmesg_t self:capability sys_admin;
+dontaudit dmesg_t self:capability sys_tty_config;
+
+allow dmesg_t self:process signal_perms;
+
+kernel_read_kernel_sysctls(dmesg_t)
+kernel_read_ring_buffer(dmesg_t)
+kernel_clear_ring_buffer(dmesg_t)
+kernel_change_ring_buffer_level(dmesg_t)
+kernel_list_proc(dmesg_t)
+kernel_read_proc_symlinks(dmesg_t)
+
+dev_read_sysfs(dmesg_t)
+
+fs_search_auto_mountpoints(dmesg_t)
+
+term_dontaudit_use_console(dmesg_t)
+
+domain_use_interactive_fds(dmesg_t)
+
+files_list_etc(dmesg_t)
+# for when /usr is not mounted:
+files_dontaudit_search_isid_type_dirs(dmesg_t)
+
+init_use_fds(dmesg_t)
+init_use_script_ptys(dmesg_t)
+
+logging_send_syslog_msg(dmesg_t)
+logging_write_generic_logs(dmesg_t)
+
+miscfiles_read_localization(dmesg_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
+userdom_use_user_terminals(dmesg_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dmesg_t)
+')
+
+optional_policy(`
+ udev_read_db(dmesg_t)
+')
diff --git a/policy/modules/admin/metadata.xml b/policy/modules/admin/metadata.xml
new file mode 100644
index 00000000..bd8d1747
--- /dev/null
+++ b/policy/modules/admin/metadata.xml
@@ -0,0 +1,3 @@
+<summary>
+ Policy modules for administrative functions, such as package management.
+</summary>
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
new file mode 100644
index 00000000..407078f4
--- /dev/null
+++ b/policy/modules/admin/netutils.fc
@@ -0,0 +1,15 @@
+/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
+/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+
+/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
+
+/usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+
+/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
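Review bot: `/usr/bin/nmap` is labeled `traceroute_exec_t`, and `/usr/sbin/hping2` and `/usr/sbin/send_arp` are labeled `ping_exec_t`, so tools with considerably broader reach than ping or traceroute run in those domains and, where callers use the `netutils_run_*_cond` interfaces from netutils.if, fall under the same `user_ping` tunable. That may well be the intended trade-off, but it is invisible to someone reading the .fc file alone; a comment such as `# nmap, hping2 and send_arp share the ping/traceroute domains and are gated by user_ping where the _cond interfaces are used` would make the boundary explicit. The last group of entries is also not in alphabetical order (`traceroute.*` between `fping` and `hping2`), unlike the rest of the file.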
diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
new file mode 100644
index 00000000..c6ca761c
--- /dev/null
+++ b/policy/modules/admin/netutils.if
@@ -0,0 +1,307 @@
+## <summary>Network analysis utilities</summary>
+
+########################################
+## <summary>
+## Execute network utilities in the netutils domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`netutils_domtrans',`
+ gen_require(`
+ type netutils_t, netutils_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, netutils_exec_t, netutils_t)
+')
+
+########################################
+## <summary>
+## Execute network utilities in the netutils domain, and
+## allow the specified role the netutils domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`netutils_run',`
+ gen_require(`
+ type netutils_t;
+ ')
+
+ netutils_domtrans($1)
+ role $2 types netutils_t;
+')
+
+########################################
+## <summary>
+## Execute network utilities in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`netutils_exec',`
+ gen_require(`
+ type netutils_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, netutils_exec_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to network utilities.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`netutils_signal',`
+ gen_require(`
+ type netutils_t;
+ ')
+
+ allow $1 netutils_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute ping in the ping domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`netutils_domtrans_ping',`
+ gen_require(`
+ type ping_t, ping_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ping_exec_t, ping_t)
+')
+
+########################################
+## <summary>
+## Send a kill (SIGKILL) signal to ping.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`netutils_kill_ping',`
+ gen_require(`
+ type ping_t;
+ ')
+
+ allow $1 ping_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send generic signals to ping.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`netutils_signal_ping',`
+ gen_require(`
+ type ping_t;
+ ')
+
+ allow $1 ping_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute ping in the ping domain, and
+## allow the specified role the ping domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`netutils_run_ping',`
+ gen_require(`
+ type ping_t;
+ ')
+
+ netutils_domtrans_ping($1)
+ role $2 types ping_t;
+')
+
+########################################
+## <summary>
+## Conditionally execute ping in the ping domain, and
+## allow the specified role the ping domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`netutils_run_ping_cond',`
+ gen_require(`
+ type ping_t;
+ bool user_ping;
+ ')
+
+ role $2 types ping_t;
+
+ if ( user_ping ) {
+ netutils_domtrans_ping($1)
+ }
+')
+
+########################################
+## <summary>
+## Execute ping in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`netutils_exec_ping',`
+ gen_require(`
+ type ping_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ping_exec_t)
+')
+
+########################################
+## <summary>
+## Execute traceroute in the traceroute domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`netutils_domtrans_traceroute',`
+ gen_require(`
+ type traceroute_t, traceroute_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, traceroute_exec_t, traceroute_t)
+')
+
+########################################
+## <summary>
+## Execute traceroute in the traceroute domain, and
+## allow the specified role the traceroute domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`netutils_run_traceroute',`
+ gen_require(`
+ type traceroute_t;
+ ')
+
+ netutils_domtrans_traceroute($1)
+ role $2 types traceroute_t;
+')
+
+########################################
+## <summary>
+## Conditionally execute traceroute in the traceroute domain, and
+## allow the specified role the traceroute domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`netutils_run_traceroute_cond',`
+ gen_require(`
+ type traceroute_t;
+ bool user_ping;
+ ')
+
+ role $2 types traceroute_t;
+
+ if( user_ping ) {
+ netutils_domtrans_traceroute($1)
+ }
+')
+
+########################################
+## <summary>
+## Execute traceroute in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`netutils_exec_traceroute',`
+ gen_require(`
+ type traceroute_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, traceroute_exec_t)
+')
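Review bot: In `netutils_run_ping_cond` and `netutils_run_traceroute_cond` the `role $2 types ...` statement is unconditional and only the domain transition is wrapped in the `user_ping` conditional, which is the correct construction since role statements cannot appear inside conditional blocks, but the summaries only say `Conditionally execute ...`; add `## The role is always allowed the domain; only the transition depends on the user_ping boolean.` to each so callers are not surprised by the unconditional role grant. The two conditionals are also spelled differently, `if ( user_ping ) {` versus `if( user_ping ) {`; pick one form. `netutils_exec`, `netutils_exec_ping` and `netutils_exec_traceroute` carry no `<rolecap/>` tag while `consoletype_exec` and `dmesg_exec` in this diff do; I cannot tell from the hunk which is intended, so I only flag the inconsistency.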
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
new file mode 100644
index 00000000..e0791b96
--- /dev/null
+++ b/policy/modules/admin/netutils.te
@@ -0,0 +1,212 @@
+policy_module(netutils, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Control users use of ping and traceroute
+## </p>
+## </desc>
+gen_tunable(user_ping, false)
+
+type netutils_t;
+type netutils_exec_t;
+init_system_domain(netutils_t, netutils_exec_t)
+
+type netutils_tmp_t;
+files_tmp_file(netutils_tmp_t)
+
+type ping_t;
+type ping_exec_t;
+init_system_domain(ping_t, ping_exec_t)
+
+type traceroute_t;
+type traceroute_exec_t;
+init_system_domain(traceroute_t, traceroute_exec_t)
+
+########################################
+#
+# Netutils local policy
+#
+
+# Perform network administration operations and have raw access to the network.
+allow netutils_t self:capability { net_admin net_raw setuid setgid };
+dontaudit netutils_t self:capability sys_tty_config;
+allow netutils_t self:process signal_perms;
+allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
+allow netutils_t self:packet_socket create_socket_perms;
+allow netutils_t self:udp_socket create_socket_perms;
+allow netutils_t self:tcp_socket create_stream_socket_perms;
+allow netutils_t self:socket create_socket_perms;
+
+manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+
+kernel_search_proc(netutils_t)
+kernel_read_all_sysctls(netutils_t)
+
+corenet_all_recvfrom_unlabeled(netutils_t)
+corenet_all_recvfrom_netlabel(netutils_t)
+corenet_tcp_sendrecv_generic_if(netutils_t)
+corenet_raw_sendrecv_generic_if(netutils_t)
+corenet_udp_sendrecv_generic_if(netutils_t)
+corenet_tcp_sendrecv_generic_node(netutils_t)
+corenet_raw_sendrecv_generic_node(netutils_t)
+corenet_udp_sendrecv_generic_node(netutils_t)
+corenet_tcp_sendrecv_all_ports(netutils_t)
+corenet_udp_sendrecv_all_ports(netutils_t)
+corenet_tcp_connect_all_ports(netutils_t)
+corenet_sendrecv_all_client_packets(netutils_t)
+corenet_udp_bind_generic_node(netutils_t)
+
+dev_read_sysfs(netutils_t)
+
+fs_getattr_xattr_fs(netutils_t)
+
+domain_use_interactive_fds(netutils_t)
+
+files_read_etc_files(netutils_t)
+# for nscd
+files_dontaudit_search_var(netutils_t)
+
+init_use_fds(netutils_t)
+init_use_script_ptys(netutils_t)
+
+auth_use_nsswitch(netutils_t)
+
+logging_send_syslog_msg(netutils_t)
+
+miscfiles_read_localization(netutils_t)
+
+term_dontaudit_use_console(netutils_t)
+userdom_use_user_terminals(netutils_t)
+userdom_use_all_users_fds(netutils_t)
+
+optional_policy(`
+ nis_use_ypbind(netutils_t)
+')
+
+optional_policy(`
+ vmware_append_log(netutils_t)
+')
+
+optional_policy(`
+ xen_append_log(netutils_t)
+')
+
+########################################
+#
+# Ping local policy
+#
+
+allow ping_t self:capability { setuid net_raw };
+dontaudit ping_t self:capability sys_tty_config;
+allow ping_t self:tcp_socket create_socket_perms;
+allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:netlink_route_socket create_netlink_socket_perms;
+
+corenet_all_recvfrom_unlabeled(ping_t)
+corenet_all_recvfrom_netlabel(ping_t)
+corenet_tcp_sendrecv_generic_if(ping_t)
+corenet_raw_sendrecv_generic_if(ping_t)
+corenet_raw_sendrecv_generic_node(ping_t)
+corenet_tcp_sendrecv_generic_node(ping_t)
+corenet_raw_bind_generic_node(ping_t)
+corenet_tcp_sendrecv_all_ports(ping_t)
+
+fs_dontaudit_getattr_xattr_fs(ping_t)
+
+domain_use_interactive_fds(ping_t)
+
+files_read_etc_files(ping_t)
+files_dontaudit_search_var(ping_t)
+
+kernel_read_system_state(ping_t)
+
+auth_use_nsswitch(ping_t)
+
+logging_send_syslog_msg(ping_t)
+
+miscfiles_read_localization(ping_t)
+
+userdom_use_user_terminals(ping_t)
+
+ifdef(`hide_broken_symptoms',`
+ init_dontaudit_use_fds(ping_t)
+
+ optional_policy(`
+ nagios_dontaudit_rw_log(ping_t)
+ nagios_dontaudit_rw_pipes(ping_t)
+ ')
+')
+
+optional_policy(`
+ munin_append_log(ping_t)
+')
+
+optional_policy(`
+ pcmcia_use_cardmgr_fds(ping_t)
+')
+
+optional_policy(`
+ hotplug_use_fds(ping_t)
+')
+
+########################################
+#
+# Traceroute local policy
+#
+
+allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+allow traceroute_t self:rawip_socket create_socket_perms;
+allow traceroute_t self:packet_socket create_socket_perms;
+allow traceroute_t self:udp_socket create_socket_perms;
+
+kernel_read_system_state(traceroute_t)
+kernel_read_network_state(traceroute_t)
+
+corenet_all_recvfrom_unlabeled(traceroute_t)
+corenet_all_recvfrom_netlabel(traceroute_t)
+corenet_tcp_sendrecv_generic_if(traceroute_t)
+corenet_udp_sendrecv_generic_if(traceroute_t)
+corenet_raw_sendrecv_generic_if(traceroute_t)
+corenet_tcp_sendrecv_generic_node(traceroute_t)
+corenet_udp_sendrecv_generic_node(traceroute_t)
+corenet_raw_sendrecv_generic_node(traceroute_t)
+corenet_tcp_sendrecv_all_ports(traceroute_t)
+corenet_udp_sendrecv_all_ports(traceroute_t)
+corenet_udp_bind_generic_node(traceroute_t)
+corenet_tcp_bind_generic_node(traceroute_t)
+# traceroute needs this but not tracepath
+corenet_raw_bind_generic_node(traceroute_t)
+corenet_udp_bind_traceroute_port(traceroute_t)
+corenet_tcp_connect_all_ports(traceroute_t)
+corenet_sendrecv_all_client_packets(traceroute_t)
+corenet_sendrecv_traceroute_server_packets(traceroute_t)
+
+fs_dontaudit_getattr_xattr_fs(traceroute_t)
+
+domain_use_interactive_fds(traceroute_t)
+
+files_read_etc_files(traceroute_t)
+files_dontaudit_search_var(traceroute_t)
+
+init_use_fds(traceroute_t)
+
+auth_use_nsswitch(traceroute_t)
+
+logging_send_syslog_msg(traceroute_t)
+
+miscfiles_read_localization(traceroute_t)
+
+userdom_use_user_terminals(traceroute_t)
+
+#rules needed for nmap
+dev_read_rand(traceroute_t)
+dev_read_urand(traceroute_t)
+files_read_usr_files(traceroute_t)
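Review bot: The comment `#rules needed for nmap` at the end of the traceroute section is the only hint that traceroute_t is shared with another program, yet nothing in this file says why nmap runs in that domain or which of the preceding rules (net_admin, the TCP bind and connect-to-all-ports grants) exist for nmap rather than for traceroute itself. The labeling that would put nmap into traceroute_exec_t is in netutils.fc, which is not in this hunk, so the comment should state the dependency explicitly, e.g. `# nmap is labeled traceroute_exec_t and runs in traceroute_t; it needs random bytes and /usr data files`, and follow the `# ` comment style used elsewhere in the file. The `# traceroute needs this but not tracepath` comment likewise implies tracepath shares the domain; naming the binaries each domain covers in its section banner would make the capability sets (net_admin setuid setgid on both netutils_t and traceroute_t) reviewable.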
diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
new file mode 100644
index 00000000..688abc2a
--- /dev/null
+++ b/policy/modules/admin/su.fc
@@ -0,0 +1,5 @@
+
+/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
+
+/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
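Review bot: Only `/bin/su` is labeled su_exec_t, while ksu gets the broader `/usr/(local/)?bin/` pattern; on a layout where su is installed under /usr/bin it would keep the generic bin label and the domtrans_pattern in su.if would never fire. If that layout is in scope, add `/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)` next to the existing entry; if it is deliberately unsupported, a one-line comment saying which layouts this file covers would save the next reader the question.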
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
new file mode 100644
index 00000000..c9196e3d
--- /dev/null
+++ b/policy/modules/admin/su.if
@@ -0,0 +1,337 @@
+## <summary>Run shells with substitute user and group</summary>
+
+#######################################
+## <summary>
+## Restricted su domain template.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domain which is allowed
+## to change the linux user id, to run shells as a different
+## user.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`su_restricted_domain_template', `
+ gen_require(`
+ type su_exec_t;
+ ')
+
+ type $1_su_t;
+ domain_entry_file($1_su_t, su_exec_t)
+ domain_type($1_su_t)
+ domain_interactive_fd($1_su_t)
+ role $3 types $1_su_t;
+
+ allow $2 $1_su_t:process signal;
+
+ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ dontaudit $1_su_t self:capability sys_tty_config;
+ allow $1_su_t self:key { search write };
+ allow $1_su_t self:process { setexec setsched setrlimit };
+ allow $1_su_t self:fifo_file rw_fifo_file_perms;
+ allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+ allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
+
+ # Transition from the user domain to this domain.
+ domtrans_pattern($2, su_exec_t, $1_su_t)
+
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_su_t,$2)
+ allow $2 $1_su_t:fd use;
+ allow $2 $1_su_t:fifo_file rw_file_perms;
+ allow $2 $1_su_t:process sigchld;
+
+ kernel_read_system_state($1_su_t)
+ kernel_read_kernel_sysctls($1_su_t)
+ kernel_search_key($1_su_t)
+ kernel_link_key($1_su_t)
+
+ # for SSP
+ dev_read_urand($1_su_t)
+
+ files_read_etc_files($1_su_t)
+ files_read_etc_runtime_files($1_su_t)
+ files_search_var_lib($1_su_t)
+ files_dontaudit_getattr_tmp_dirs($1_su_t)
+
+ # for the rootok check
+ selinux_compute_access_vector($1_su_t)
+ selinux_get_fs_mount($1_su_t)
+
+ auth_domtrans_chk_passwd($1_su_t)
+ auth_dontaudit_read_shadow($1_su_t)
+ auth_use_nsswitch($1_su_t)
+ auth_rw_faillog($1_su_t)
+
+ domain_use_interactive_fds($1_su_t)
+
+ init_dontaudit_use_fds($1_su_t)
+ init_dontaudit_use_script_ptys($1_su_t)
+ # Write to utmp.
+ init_rw_utmp($1_su_t)
+ init_search_script_keys($1_su_t)
+
+ logging_send_syslog_msg($1_su_t)
+
+ miscfiles_read_localization($1_su_t)
+
+ ifdef(`distro_redhat',`
+ # RHEL5 and possibly newer releases incl. Fedora
+ auth_domtrans_upd_passwd($1_su_t)
+
+ optional_policy(`
+ locallogin_search_keys($1_su_t)
+ ')
+ ')
+
+ ifdef(`distro_rhel4',`
+ domain_role_change_exemption($1_su_t)
+ domain_subj_id_change_exemption($1_su_t)
+ domain_obj_id_change_exemption($1_su_t)
+
+ selinux_get_fs_mount($1_su_t)
+ selinux_validate_context($1_su_t)
+ selinux_compute_access_vector($1_su_t)
+ selinux_compute_create_context($1_su_t)
+ selinux_compute_relabel_context($1_su_t)
+ selinux_compute_user_contexts($1_su_t)
+
+ seutil_read_config($1_su_t)
+ seutil_read_default_contexts($1_su_t)
+
+ # Only allow transitions to unprivileged user domains.
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ ')
+
+ ifdef(`hide_broken_symptoms',`
+ # dontaudit leaked sockets from parent
+ dontaudit $1_su_t $2:socket_class_set { read write };
+ ')
+
+ optional_policy(`
+ cron_read_pipes($1_su_t)
+ ')
+
+ optional_policy(`
+ kerberos_use($1_su_t)
+ ')
+
+ optional_policy(`
+ # used when the password has expired
+ usermanage_read_crack_db($1_su_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The role template for the su module.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`su_role_template',`
+ gen_require(`
+ attribute su_domain_type;
+ type su_exec_t;
+ bool secure_mode;
+ ')
+
+ type $1_su_t, su_domain_type;
+ userdom_user_application_domain($1_su_t, su_exec_t)
+ domain_interactive_fd($1_su_t)
+ role $2 types $1_su_t;
+
+ allow $3 $1_su_t:process signal;
+
+ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ dontaudit $1_su_t self:capability sys_tty_config;
+ allow $1_su_t self:process { setexec setsched setrlimit };
+ allow $1_su_t self:fifo_file rw_fifo_file_perms;
+ allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+ allow $1_su_t self:key { search write };
+
+ allow $1_su_t $3:key search;
+
+ # Transition from the user domain to this domain.
+ domtrans_pattern($3, su_exec_t, $1_su_t)
+
+ ps_process_pattern($3, $1_su_t)
+
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_su_t, $3)
+ allow $3 $1_su_t:fd use;
+ allow $3 $1_su_t:fifo_file rw_file_perms;
+ allow $3 $1_su_t:process sigchld;
+
+ kernel_read_system_state($1_su_t)
+ kernel_read_kernel_sysctls($1_su_t)
+ kernel_search_key($1_su_t)
+ kernel_link_key($1_su_t)
+
+ # for SSP
+ dev_read_urand($1_su_t)
+
+ fs_search_auto_mountpoints($1_su_t)
+
+ # needed for pam_rootok
+ selinux_compute_access_vector($1_su_t)
+ selinux_get_fs_mount($1_su_t)
+
+ auth_domtrans_chk_passwd($1_su_t)
+ auth_dontaudit_read_shadow($1_su_t)
+ auth_use_nsswitch($1_su_t)
+ auth_rw_faillog($1_su_t)
+
+ corecmd_search_bin($1_su_t)
+
+ domain_use_interactive_fds($1_su_t)
+
+ files_read_etc_files($1_su_t)
+ files_read_etc_runtime_files($1_su_t)
+ files_search_var_lib($1_su_t)
+ files_dontaudit_getattr_tmp_dirs($1_su_t)
+
+ init_dontaudit_use_fds($1_su_t)
+ # Write to utmp.
+ init_rw_utmp($1_su_t)
+
+ mls_file_write_all_levels($1_su_t)
+
+ logging_send_syslog_msg($1_su_t)
+
+ miscfiles_read_localization($1_su_t)
+
+ userdom_use_user_terminals($1_su_t)
+ userdom_search_user_home_dirs($1_su_t)
+
+ ifdef(`distro_redhat',`
+ # RHEL5 and possibly newer releases incl. Fedora
+ auth_domtrans_upd_passwd($1_su_t)
+
+ optional_policy(`
+ locallogin_search_keys($1_su_t)
+ ')
+ ')
+
+ ifdef(`distro_rhel4',`
+ domain_role_change_exemption($1_su_t)
+ domain_subj_id_change_exemption($1_su_t)
+ domain_obj_id_change_exemption($1_su_t)
+
+ selinux_get_fs_mount($1_su_t)
+ selinux_validate_context($1_su_t)
+ selinux_compute_create_context($1_su_t)
+ selinux_compute_relabel_context($1_su_t)
+ selinux_compute_user_contexts($1_su_t)
+
+ # Relabel ttys and ptys.
+ term_relabel_all_ttys($1_su_t)
+ term_relabel_all_ptys($1_su_t)
+ # Close and re-open ttys and ptys to get the fd into the correct domain.
+ term_use_all_ttys($1_su_t)
+ term_use_all_ptys($1_su_t)
+
+ seutil_read_config($1_su_t)
+ seutil_read_default_contexts($1_su_t)
+
+ if(secure_mode) {
+ # Only allow transitions to unprivileged user domains.
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ } else {
+ # Allow transitions to all user domains
+ userdom_spec_domtrans_all_users($1_su_t)
+ }
+
+ optional_policy(`
+ unconfined_domtrans($1_su_t)
+ unconfined_signal($1_su_t)
+ ')
+ ')
+
+ ifdef(`hide_broken_symptoms',`
+ # dontaudit leaked sockets from parent
+ dontaudit $1_su_t $3:socket_class_set { read write };
+ ')
+
+ tunable_policy(`allow_polyinstantiation',`
+ fs_mount_xattr_fs($1_su_t)
+ fs_unmount_xattr_fs($1_su_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs($1_su_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs($1_su_t)
+ ')
+
+ optional_policy(`
+ cron_read_pipes($1_su_t)
+ ')
+
+ optional_policy(`
+ kerberos_use($1_su_t)
+ ')
+
+ optional_policy(`
+ # used when the password has expired
+ usermanage_read_crack_db($1_su_t)
+ ')
+
+ # Modify .Xauthority file (via xauth program).
+ optional_policy(`
+ xserver_user_home_dir_filetrans_user_xauth($1_su_t)
+ xserver_domtrans_xauth($1_su_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Execute su in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`su_exec',`
+ gen_require(`
+ type su_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, su_exec_t)
+')
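Review bot: In su_restricted_domain_template, `selinux_get_fs_mount($1_su_t)` and `selinux_compute_access_vector($1_su_t)` are granted unconditionally under the `# for the rootok check` comment and then repeated inside the `ifdef(distro_rhel4)` block, so the two lines in the block are redundant and can be dropped; `selinux_get_fs_mount` is repeated the same way in su_role_template. In su_role_template, `bool secure_mode` is pulled in by gen_require but only consulted inside the `distro_rhel4` block, so on every other distro the template requires a boolean it never reads and the derived domain gets no userdom_spec_domtrans_* rule at all; if that is intentional, a comment on the ifdef stating that non-RHEL4 builds only return to the calling domain would make it clear, otherwise the `if(secure_mode)` block belongs outside the ifdef. The `allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };` line is identical in both templates and carries no comment on what each capability is for; a short per-capability note would make this privilege set reviewable.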
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
new file mode 100644
index 00000000..85bb77e0
--- /dev/null
+++ b/policy/modules/admin/su.te
@@ -0,0 +1,11 @@
+policy_module(su, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute su_domain_type;
+
+type su_exec_t;
+corecmd_executable_file(su_exec_t)
diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
new file mode 100644
index 00000000..7bddc02a
--- /dev/null
+++ b/policy/modules/admin/sudo.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
new file mode 100644
index 00000000..09601993
--- /dev/null
+++ b/policy/modules/admin/sudo.if
@@ -0,0 +1,180 @@
+## <summary>Execute a command with a substitute user</summary>
+
+#######################################
+## <summary>
+## The role template for the sudo module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domain which is allowed
+## to change the linux user id, to run commands as a different
+## user.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The user role.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The user domain associated with the role.
+## </summary>
+## </param>
+#
+template(`sudo_role_template',`
+
+ gen_require(`
+ type sudo_exec_t;
+ attribute sudodomain;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_sudo_t, sudodomain;
+ userdom_user_application_domain($1_sudo_t, sudo_exec_t)
+ domain_interactive_fd($1_sudo_t)
+ domain_role_change_exemption($1_sudo_t)
+ role $2 types $1_sudo_t;
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ # Use capabilities.
+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_sudo_t self:process { setexec setrlimit };
+ allow $1_sudo_t self:fd use;
+ allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
+ allow $1_sudo_t self:shm create_shm_perms;
+ allow $1_sudo_t self:sem create_sem_perms;
+ allow $1_sudo_t self:msgq create_msgq_perms;
+ allow $1_sudo_t self:msg { send receive };
+ allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
+ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_sudo_t self:unix_dgram_socket sendto;
+ allow $1_sudo_t self:unix_stream_socket connectto;
+ allow $1_sudo_t self:key manage_key_perms;
+
+ allow $1_sudo_t $3:key search;
+
+ # Enter this derived domain from the user domain
+ domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
+
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_sudo_t, $3)
+ corecmd_bin_domtrans($1_sudo_t, $3)
+ allow $3 $1_sudo_t:fd use;
+ allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
+ allow $3 $1_sudo_t:process signal_perms;
+
+ kernel_read_kernel_sysctls($1_sudo_t)
+ kernel_read_system_state($1_sudo_t)
+ kernel_link_key($1_sudo_t)
+
+ corecmd_read_bin_symlinks($1_sudo_t)
+ corecmd_exec_all_executables($1_sudo_t)
+
+ dev_getattr_fs($1_sudo_t)
+ dev_read_urand($1_sudo_t)
+ dev_rw_generic_usb_dev($1_sudo_t)
+ dev_read_sysfs($1_sudo_t)
+
+ domain_use_interactive_fds($1_sudo_t)
+ domain_sigchld_interactive_fds($1_sudo_t)
+ domain_getattr_all_entry_files($1_sudo_t)
+
+ files_read_etc_files($1_sudo_t)
+ files_read_var_files($1_sudo_t)
+ files_read_usr_symlinks($1_sudo_t)
+ files_getattr_usr_files($1_sudo_t)
+ # for some PAM modules and for cwd
+ files_dontaudit_search_home($1_sudo_t)
+ files_list_tmp($1_sudo_t)
+
+ fs_search_auto_mountpoints($1_sudo_t)
+ fs_getattr_xattr_fs($1_sudo_t)
+
+ selinux_validate_context($1_sudo_t)
+ selinux_compute_relabel_context($1_sudo_t)
+
+ term_getattr_pty_fs($1_sudo_t)
+ term_relabel_all_ttys($1_sudo_t)
+ term_relabel_all_ptys($1_sudo_t)
+
+ auth_run_chk_passwd($1_sudo_t, $2)
+ # sudo stores a token in the pam_pid directory
+ auth_manage_pam_pid($1_sudo_t)
+ auth_use_nsswitch($1_sudo_t)
+
+ init_rw_utmp($1_sudo_t)
+
+ logging_send_audit_msgs($1_sudo_t)
+ logging_send_syslog_msg($1_sudo_t)
+
+ miscfiles_read_localization($1_sudo_t)
+
+ seutil_search_default_contexts($1_sudo_t)
+ seutil_libselinux_linked($1_sudo_t)
+
+ userdom_spec_domtrans_all_users($1_sudo_t)
+ userdom_create_all_users_keys($1_sudo_t)
+ userdom_manage_user_home_content_files($1_sudo_t)
+ userdom_manage_user_home_content_symlinks($1_sudo_t)
+ userdom_manage_user_tmp_files($1_sudo_t)
+ userdom_manage_user_tmp_symlinks($1_sudo_t)
+ userdom_use_user_terminals($1_sudo_t)
+ # for some PAM modules and for cwd
+ userdom_dontaudit_search_user_home_content($1_sudo_t)
+ userdom_dontaudit_search_user_home_dirs($1_sudo_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $1_sudo_t $3:socket_class_set { read write };
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files($1_sudo_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files($1_sudo_t)
+ ')
+
+ optional_policy(`
+ dbus_system_bus_client($1_sudo_t)
+ ')
+
+ optional_policy(`
+ fprintd_dbus_chat($1_sudo_t)
+ ')
+
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to the sudo domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sudo_sigchld',`
+ gen_require(`
+ attribute sudodomain;
+ ')
+
+ allow $1 sudodomain:process sigchld;
+')
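Review bot: The two self:process rules in sudo_role_template partly cancel each other out: `allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` excludes setexec and setrlimit only for the next line `allow $1_sudo_t self:process { setexec setrlimit };` to add them back, so the effective set is everything except ptrace, setcurrent, setfscreate and the exec* permissions. Either write it as one rule, `allow $1_sudo_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };`, or keep the split and add a comment stating that setexec and setrlimit are intentionally granted. `dev_rw_generic_usb_dev($1_sudo_t)` has no comment saying which sudo feature or PAM module needs read/write on USB devices; that is an unusual grant for a setuid helper and deserves a `# for <module>` note. The `# By default, revert to the calling domain when a shell is executed.` comment covers only the shell transition, while `corecmd_bin_domtrans($1_sudo_t, $3)` on the following line also sends every bin executable back to the caller domain; the comment should say so.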
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
new file mode 100644
index 00000000..56ead1de
--- /dev/null
+++ b/policy/modules/admin/sudo.te
@@ -0,0 +1,9 @@
+policy_module(sudo, 1.9.0)
+
+########################################
+#
+# Declarations
+attribute sudodomain;
+
+type sudo_exec_t;
+application_executable_file(sudo_exec_t)
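Review bot: The declarations banner is left open: `# Declarations` is followed directly by `attribute sudodomain;` with no closing `#` line and blank line, unlike the same banner in su.te and usermanage.te in this commit. Adding the closing `#` and a blank line after `# Declarations` keeps the three files consistent.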
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
new file mode 100644
index 00000000..c4671440
--- /dev/null
+++ b/policy/modules/admin/usermanage.fc
@@ -0,0 +1,33 @@
+ifdef(`distro_gentoo',`
+/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
+')
+
+/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
+/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
+/usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+
+/usr/lib(64)?/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
+
+/usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+/usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+/usr/sbin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/sbin/groupadd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/sbin/groupdel -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
+/usr/sbin/userdel -- gen_context(system_u:object_r:useradd_exec_t,s0)
+/usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0)
+/usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+
+/usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)
+
+/var/cache/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
new file mode 100644
index 00000000..98b8b2d4
--- /dev/null
+++ b/policy/modules/admin/usermanage.if
@@ -0,0 +1,297 @@
+## <summary>Policy for managing user accounts.</summary>
+
+########################################
+## <summary>
+## Execute chfn in the chfn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_chfn',`
+ gen_require(`
+ type chfn_t, chfn_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chfn_exec_t, chfn_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit chfn_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute chfn in the chfn domain, and
+## allow the specified role the chfn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_run_chfn',`
+ gen_require(`
+ attribute_role chfn_roles;
+ ')
+
+ usermanage_domtrans_chfn($1)
+ roleattribute $2 chfn_roles;
+')
+
+########################################
+## <summary>
+## Execute groupadd in the groupadd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_groupadd',`
+ gen_require(`
+ type groupadd_t, groupadd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, groupadd_exec_t, groupadd_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit groupadd_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute groupadd in the groupadd domain, and
+## allow the specified role the groupadd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usermanage_run_groupadd',`
+ gen_require(`
+ attribute_role groupadd_roles;
+ ')
+
+ usermanage_domtrans_groupadd($1)
+ roleattribute $2 groupadd_roles;
+')
+
+########################################
+## <summary>
+## Execute passwd in the passwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_passwd',`
+ gen_require(`
+ type passwd_t, passwd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, passwd_exec_t, passwd_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit passwd_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Send sigkills to passwd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_kill_passwd',`
+ gen_require(`
+ type passwd_t;
+ ')
+
+ allow $1 passwd_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Execute passwd in the passwd domain, and
+## allow the specified role the passwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_run_passwd',`
+ gen_require(`
+ attribute_role passwd_roles;
+ ')
+
+ usermanage_domtrans_passwd($1)
+ roleattribute $2 passwd_roles;
+')
+
+########################################
+## <summary>
+## Execute password admin functions in
+## the admin passwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_admin_passwd',`
+ gen_require(`
+ type sysadm_passwd_t, admin_passwd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, admin_passwd_exec_t, sysadm_passwd_t)
+')
+
+########################################
+## <summary>
+## Execute passwd admin functions in the admin
+## passwd domain, and allow the specified role
+## the admin passwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usermanage_run_admin_passwd',`
+ gen_require(`
+ attribute_role sysadm_passwd_roles;
+ ')
+
+ usermanage_domtrans_admin_passwd($1)
+ roleattribute $2 sysadm_passwd_roles;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use useradd fds.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`usermanage_dontaudit_use_useradd_fds',`
+ gen_require(`
+ type useradd_t;
+ ')
+
+ dontaudit $1 useradd_t:fd use;
+')
+
+########################################
+## <summary>
+## Execute useradd in the useradd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_useradd',`
+ gen_require(`
+ type useradd_t, useradd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, useradd_exec_t, useradd_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit useradd_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute useradd in the useradd domain, and
+## allow the specified role the useradd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usermanage_run_useradd',`
+ gen_require(`
+ attribute_role useradd_roles;
+ ')
+
+ usermanage_domtrans_useradd($1)
+ roleattribute $2 useradd_roles;
+')
+
+########################################
+## <summary>
+## Read the crack database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_read_crack_db',`
+ gen_require(`
+ type crack_db_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, crack_db_t, crack_db_t)
+')
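Review bot: The `<rolecap/>` tag is missing from usermanage_run_chfn and usermanage_run_passwd, while usermanage_run_groupadd, usermanage_run_admin_passwd and usermanage_run_useradd carry it; all five grant a role to a domain via roleattribute, so the first two should get `## <rolecap/>` before the `#` that closes their doc block, otherwise the generated documentation will not list them as role capabilities. Separately, usermanage_read_crack_db grants only `files_search_var($1)`, but usermanage.fc in this commit labels crack_db_t under /usr/lib and /usr/share/cracklib as well as /var/cache/cracklib; a caller reaching the /usr copies also needs search on /usr, so either add the corresponding search-usr call from the files module (presumably `files_search_usr($1)`, to be confirmed against files.if) or document that only the /var/cache location is covered.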
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
new file mode 100644
index 00000000..7cac66fb
--- /dev/null
+++ b/policy/modules/admin/usermanage.te
@@ -0,0 +1,559 @@
+policy_module(usermanage, 1.17.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role chfn_roles;
+role chfn_roles types chfn_t;
+role system_r types chfn_t;
+
+attribute_role groupadd_roles;
+role groupadd_roles types groupadd_t;
+
+attribute_role passwd_roles;
+roleattribute system_r passwd_roles;
+
+attribute_role sysadm_passwd_roles;
+roleattribute system_r sysadm_passwd_roles;
+
+attribute_role useradd_roles;
+role useradd_roles types useradd_t;
+
+type admin_passwd_exec_t;
+files_type(admin_passwd_exec_t)
+
+type chfn_t;
+type chfn_exec_t;
+domain_obj_id_change_exemption(chfn_t)
+application_domain(chfn_t, chfn_exec_t)
+
+type crack_t;
+type crack_exec_t;
+application_domain(crack_t, crack_exec_t)
+role system_r types crack_t;
+
+type crack_db_t;
+files_type(crack_db_t)
+
+type crack_tmp_t;
+files_tmp_file(crack_tmp_t)
+
+type groupadd_t;
+type groupadd_exec_t;
+domain_obj_id_change_exemption(groupadd_t)
+init_system_domain(groupadd_t, groupadd_exec_t)
+
+type passwd_t;
+type passwd_exec_t;
+domain_obj_id_change_exemption(passwd_t)
+application_domain(passwd_t, passwd_exec_t)
+role passwd_roles types passwd_t;
+
+type sysadm_passwd_t;
+domain_obj_id_change_exemption(sysadm_passwd_t)
+application_domain(sysadm_passwd_t, admin_passwd_exec_t)
+role sysadm_passwd_roles types sysadm_passwd_t;
+
+type sysadm_passwd_tmp_t;
+files_tmp_file(sysadm_passwd_tmp_t)
+
+type useradd_t;
+type useradd_exec_t;
+domain_obj_id_change_exemption(useradd_t)
+init_system_domain(useradd_t, useradd_exec_t)
+
+########################################
+#
+# Chfn local policy
+#
+
+allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+allow chfn_t self:process { setrlimit setfscreate };
+allow chfn_t self:fd use;
+allow chfn_t self:fifo_file rw_fifo_file_perms;
+allow chfn_t self:sock_file read_sock_file_perms;
+allow chfn_t self:shm create_shm_perms;
+allow chfn_t self:sem create_sem_perms;
+allow chfn_t self:msgq create_msgq_perms;
+allow chfn_t self:msg { send receive };
+allow chfn_t self:unix_dgram_socket create_socket_perms;
+allow chfn_t self:unix_stream_socket create_stream_socket_perms;
+allow chfn_t self:unix_dgram_socket sendto;
+allow chfn_t self:unix_stream_socket connectto;
+
+kernel_read_system_state(chfn_t)
+kernel_read_kernel_sysctls(chfn_t)
+
+selinux_get_fs_mount(chfn_t)
+selinux_validate_context(chfn_t)
+selinux_compute_access_vector(chfn_t)
+selinux_compute_create_context(chfn_t)
+selinux_compute_relabel_context(chfn_t)
+selinux_compute_user_contexts(chfn_t)
+
+term_use_all_ttys(chfn_t)
+term_use_all_ptys(chfn_t)
+
+fs_getattr_xattr_fs(chfn_t)
+fs_search_auto_mountpoints(chfn_t)
+
+# for SSP
+dev_read_urand(chfn_t)
+
+auth_run_chk_passwd(chfn_t, chfn_roles)
+auth_dontaudit_read_shadow(chfn_t)
+auth_use_nsswitch(chfn_t)
+
+# allow checking if a shell is executable
+corecmd_check_exec_shell(chfn_t)
+
+domain_use_interactive_fds(chfn_t)
+
+files_manage_etc_files(chfn_t)
+files_read_etc_runtime_files(chfn_t)
+files_dontaudit_search_var(chfn_t)
+files_dontaudit_search_home(chfn_t)
+
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it. Do not audit write denials to utmp.
+init_dontaudit_rw_utmp(chfn_t)
+
+miscfiles_read_localization(chfn_t)
+
+logging_send_syslog_msg(chfn_t)
+
+# uses unix_chkpwd for checking passwords
+seutil_dontaudit_search_config(chfn_t)
+
+userdom_use_unpriv_users_fds(chfn_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_user_home_content(chfn_t)
+
+########################################
+#
+# Crack local policy
+#
+
+allow crack_t self:process signal_perms;
+allow crack_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(crack_t, crack_db_t, crack_db_t)
+manage_lnk_files_pattern(crack_t, crack_db_t, crack_db_t)
+files_search_var(crack_t)
+
+manage_dirs_pattern(crack_t, crack_tmp_t, crack_tmp_t)
+manage_files_pattern(crack_t, crack_tmp_t, crack_tmp_t)
+files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
+
+kernel_read_system_state(crack_t)
+
+# for SSP
+dev_read_urand(crack_t)
+
+fs_getattr_xattr_fs(crack_t)
+
+files_read_etc_files(crack_t)
+files_read_etc_runtime_files(crack_t)
+# for dictionaries
+files_read_usr_files(crack_t)
+
+corecmd_exec_bin(crack_t)
+
+logging_send_syslog_msg(crack_t)
+
+userdom_dontaudit_search_user_home_dirs(crack_t)
+
+ifdef(`distro_debian',`
+ # the package cracklib-runtime on Debian contains a daily maintenance
+ # script /etc/cron.daily/cracklib-runtime, that calls
+ # update-cracklib and that calls crack_mkdict, which is a shell script.
+ corecmd_exec_shell(crack_t)
+')
+
+optional_policy(`
+ cron_system_entry(crack_t, crack_exec_t)
+')
+
+########################################
+#
+# Groupadd local policy
+#
+
+allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
+dontaudit groupadd_t self:capability { fsetid sys_tty_config };
+allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+allow groupadd_t self:process { setrlimit setfscreate };
+allow groupadd_t self:fd use;
+allow groupadd_t self:fifo_file rw_fifo_file_perms;
+allow groupadd_t self:shm create_shm_perms;
+allow groupadd_t self:sem create_sem_perms;
+allow groupadd_t self:msgq create_msgq_perms;
+allow groupadd_t self:msg { send receive };
+allow groupadd_t self:unix_dgram_socket create_socket_perms;
+allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
+allow groupadd_t self:unix_dgram_socket sendto;
+allow groupadd_t self:unix_stream_socket connectto;
+
+fs_getattr_xattr_fs(groupadd_t)
+fs_search_auto_mountpoints(groupadd_t)
+
+# Allow access to context for shadow file
+selinux_get_fs_mount(groupadd_t)
+selinux_validate_context(groupadd_t)
+selinux_compute_access_vector(groupadd_t)
+selinux_compute_create_context(groupadd_t)
+selinux_compute_relabel_context(groupadd_t)
+selinux_compute_user_contexts(groupadd_t)
+
+term_use_all_ttys(groupadd_t)
+term_use_all_ptys(groupadd_t)
+
+init_use_fds(groupadd_t)
+init_read_utmp(groupadd_t)
+init_dontaudit_write_utmp(groupadd_t)
+
+domain_use_interactive_fds(groupadd_t)
+
+files_manage_etc_files(groupadd_t)
+files_relabel_etc_files(groupadd_t)
+files_read_etc_runtime_files(groupadd_t)
+files_read_usr_symlinks(groupadd_t)
+
+# Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
+corecmd_exec_bin(groupadd_t)
+
+logging_send_audit_msgs(groupadd_t)
+logging_send_syslog_msg(groupadd_t)
+
+miscfiles_read_localization(groupadd_t)
+
+auth_run_chk_passwd(groupadd_t, groupadd_roles)
+auth_rw_lastlog(groupadd_t)
+auth_use_nsswitch(groupadd_t)
+# these may be unnecessary due to the above
+# domtrans_chk_passwd() call.
+auth_manage_shadow(groupadd_t)
+auth_relabel_shadow(groupadd_t)
+auth_etc_filetrans_shadow(groupadd_t)
+
+seutil_read_config(groupadd_t)
+
+userdom_use_unpriv_users_fds(groupadd_t)
+# for when /root is the cwd
+userdom_dontaudit_search_user_home_dirs(groupadd_t)
+
+optional_policy(`
+ dpkg_use_fds(groupadd_t)
+ dpkg_rw_pipes(groupadd_t)
+')
+
+optional_policy(`
+ nscd_run(groupadd_t, groupadd_roles)
+')
+
+optional_policy(`
+ puppet_rw_tmp(groupadd_t)
+')
+
+optional_policy(`
+ rpm_use_fds(groupadd_t)
+ rpm_rw_pipes(groupadd_t)
+')
+
+########################################
+#
+# Passwd local policy
+#
+
+allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
+dontaudit passwd_t self:capability sys_tty_config;
+allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow passwd_t self:process { setrlimit setfscreate };
+allow passwd_t self:fd use;
+allow passwd_t self:fifo_file rw_fifo_file_perms;
+allow passwd_t self:sock_file read_sock_file_perms;
+allow passwd_t self:unix_dgram_socket create_socket_perms;
+allow passwd_t self:unix_stream_socket create_stream_socket_perms;
+allow passwd_t self:unix_dgram_socket sendto;
+allow passwd_t self:unix_stream_socket connectto;
+allow passwd_t self:shm create_shm_perms;
+allow passwd_t self:sem create_sem_perms;
+allow passwd_t self:msgq create_msgq_perms;
+allow passwd_t self:msg { send receive };
+
+allow passwd_t crack_db_t:dir list_dir_perms;
+read_files_pattern(passwd_t, crack_db_t, crack_db_t)
+
+kernel_read_kernel_sysctls(passwd_t)
+
+# for SSP
+dev_read_urand(passwd_t)
+
+fs_getattr_xattr_fs(passwd_t)
+fs_search_auto_mountpoints(passwd_t)
+
+mls_file_write_all_levels(passwd_t)
+mls_file_downgrade(passwd_t)
+
+selinux_get_fs_mount(passwd_t)
+selinux_validate_context(passwd_t)
+selinux_compute_access_vector(passwd_t)
+selinux_compute_create_context(passwd_t)
+selinux_compute_relabel_context(passwd_t)
+selinux_compute_user_contexts(passwd_t)
+
+term_use_all_ttys(passwd_t)
+term_use_all_ptys(passwd_t)
+
+auth_run_chk_passwd(passwd_t, passwd_roles)
+auth_manage_shadow(passwd_t)
+auth_relabel_shadow(passwd_t)
+auth_etc_filetrans_shadow(passwd_t)
+auth_use_nsswitch(passwd_t)
+
+# allow checking if a shell is executable
+corecmd_check_exec_shell(passwd_t)
+
+domain_use_interactive_fds(passwd_t)
+
+files_read_etc_runtime_files(passwd_t)
+files_manage_etc_files(passwd_t)
+files_search_var(passwd_t)
+files_dontaudit_search_pids(passwd_t)
+files_relabel_etc_files(passwd_t)
+
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it. Do not audit write denials to utmp.
+init_dontaudit_rw_utmp(passwd_t)
+init_use_fds(passwd_t)
+
+logging_send_audit_msgs(passwd_t)
+logging_send_syslog_msg(passwd_t)
+
+miscfiles_read_localization(passwd_t)
+
+seutil_dontaudit_search_config(passwd_t)
+
+userdom_use_user_terminals(passwd_t)
+userdom_use_unpriv_users_fds(passwd_t)
+# make sure that getcon succeeds
+userdom_getattr_all_users(passwd_t)
+userdom_read_all_users_state(passwd_t)
+userdom_read_user_tmp_files(passwd_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_user_home_content(passwd_t)
+
+optional_policy(`
+ nscd_run(passwd_t, passwd_roles)
+')
+
+########################################
+#
+# Password admin local policy
+#
+
+allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow sysadm_passwd_t self:process { setrlimit setfscreate };
+allow sysadm_passwd_t self:fd use;
+allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
+allow sysadm_passwd_t self:sock_file read_sock_file_perms;
+allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
+allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
+allow sysadm_passwd_t self:unix_dgram_socket sendto;
+allow sysadm_passwd_t self:unix_stream_socket connectto;
+allow sysadm_passwd_t self:shm create_shm_perms;
+allow sysadm_passwd_t self:sem create_sem_perms;
+allow sysadm_passwd_t self:msgq create_msgq_perms;
+allow sysadm_passwd_t self:msg { send receive };
+
+# allow vipw to create temporary files under /var/tmp/vi.recover
+manage_dirs_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
+manage_files_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
+files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
+files_search_var(sysadm_passwd_t)
+files_dontaudit_search_home(sysadm_passwd_t)
+
+kernel_read_kernel_sysctls(sysadm_passwd_t)
+# for /proc/meminfo
+kernel_read_system_state(sysadm_passwd_t)
+
+selinux_get_fs_mount(sysadm_passwd_t)
+selinux_validate_context(sysadm_passwd_t)
+selinux_compute_access_vector(sysadm_passwd_t)
+selinux_compute_create_context(sysadm_passwd_t)
+selinux_compute_relabel_context(sysadm_passwd_t)
+selinux_compute_user_contexts(sysadm_passwd_t)
+
+# for SSP
+dev_read_urand(sysadm_passwd_t)
+
+fs_getattr_xattr_fs(sysadm_passwd_t)
+fs_search_auto_mountpoints(sysadm_passwd_t)
+
+term_use_all_ttys(sysadm_passwd_t)
+term_use_all_ptys(sysadm_passwd_t)
+
+auth_manage_shadow(sysadm_passwd_t)
+auth_relabel_shadow(sysadm_passwd_t)
+auth_etc_filetrans_shadow(sysadm_passwd_t)
+auth_use_nsswitch(sysadm_passwd_t)
+
+# allow vipw to exec the editor
+corecmd_exec_bin(sysadm_passwd_t)
+corecmd_exec_shell(sysadm_passwd_t)
+files_read_usr_files(sysadm_passwd_t)
+
+domain_use_interactive_fds(sysadm_passwd_t)
+
+files_manage_etc_files(sysadm_passwd_t)
+files_relabel_etc_files(sysadm_passwd_t)
+files_read_etc_runtime_files(sysadm_passwd_t)
+# for nscd lookups
+files_dontaudit_search_pids(sysadm_passwd_t)
+
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it. Do not audit write denials to utmp.
+init_dontaudit_rw_utmp(sysadm_passwd_t)
+
+miscfiles_read_localization(sysadm_passwd_t)
+
+logging_send_syslog_msg(sysadm_passwd_t)
+
+seutil_dontaudit_search_config(sysadm_passwd_t)
+
+userdom_use_unpriv_users_fds(sysadm_passwd_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
+
+optional_policy(`
+ nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
+')
+
+########################################
+#
+# Useradd local policy
+#
+
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+dontaudit useradd_t self:capability sys_tty_config;
+allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow useradd_t self:process setfscreate;
+allow useradd_t self:fd use;
+allow useradd_t self:fifo_file rw_fifo_file_perms;
+allow useradd_t self:shm create_shm_perms;
+allow useradd_t self:sem create_sem_perms;
+allow useradd_t self:msgq create_msgq_perms;
+allow useradd_t self:msg { send receive };
+allow useradd_t self:unix_dgram_socket create_socket_perms;
+allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+allow useradd_t self:unix_dgram_socket sendto;
+allow useradd_t self:unix_stream_socket connectto;
+
+# for getting the number of groups
+kernel_read_kernel_sysctls(useradd_t)
+
+corecmd_exec_shell(useradd_t)
+# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
+corecmd_exec_bin(useradd_t)
+
+domain_use_interactive_fds(useradd_t)
+domain_read_all_domains_state(useradd_t)
+
+files_manage_etc_files(useradd_t)
+files_search_var_lib(useradd_t)
+files_relabel_etc_files(useradd_t)
+files_read_etc_runtime_files(useradd_t)
+
+fs_search_auto_mountpoints(useradd_t)
+fs_getattr_xattr_fs(useradd_t)
+
+mls_file_upgrade(useradd_t)
+
+# Allow access to context for shadow file
+selinux_get_fs_mount(useradd_t)
+selinux_validate_context(useradd_t)
+selinux_compute_access_vector(useradd_t)
+selinux_compute_create_context(useradd_t)
+selinux_compute_relabel_context(useradd_t)
+selinux_compute_user_contexts(useradd_t)
+
+term_use_all_ttys(useradd_t)
+term_use_all_ptys(useradd_t)
+
+auth_run_chk_passwd(useradd_t, useradd_roles)
+auth_rw_lastlog(useradd_t)
+auth_rw_faillog(useradd_t)
+auth_use_nsswitch(useradd_t)
+# these may be unnecessary due to the above
+# domtrans_chk_passwd() call.
+auth_manage_shadow(useradd_t)
+auth_relabel_shadow(useradd_t)
+auth_etc_filetrans_shadow(useradd_t)
+
+init_use_fds(useradd_t)
+init_rw_utmp(useradd_t)
+
+logging_send_audit_msgs(useradd_t)
+logging_send_syslog_msg(useradd_t)
+
+miscfiles_read_localization(useradd_t)
+
+seutil_read_config(useradd_t)
+seutil_read_file_contexts(useradd_t)
+seutil_read_default_contexts(useradd_t)
+seutil_run_semanage(useradd_t, useradd_roles)
+seutil_run_setfiles(useradd_t, useradd_roles)
+
+userdom_use_unpriv_users_fds(useradd_t)
+# Add/remove user home directories
+userdom_manage_user_home_dirs(useradd_t)
+userdom_home_filetrans_user_home_dir(useradd_t)
+userdom_manage_user_home_content_dirs(useradd_t)
+userdom_manage_user_home_content_files(useradd_t)
+userdom_home_filetrans_user_home_dir(useradd_t)
+userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+
+optional_policy(`
+ mta_manage_spool(useradd_t)
+')
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ unconfined_domain(useradd_t)
+ ')
+')
+
+optional_policy(`
+ apache_manage_all_user_content(useradd_t)
+')
+
+optional_policy(`
+ dpkg_use_fds(useradd_t)
+ dpkg_rw_pipes(useradd_t)
+')
+
+optional_policy(`
+ nscd_run(useradd_t, useradd_roles)
+')
+
+optional_policy(`
+ puppet_rw_tmp(useradd_t)
+')
+
+optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(useradd_t)
+ ')
+')
+
+optional_policy(`
+ rpm_use_fds(useradd_t)
+ rpm_rw_pipes(useradd_t)
+')
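Review bot: `userdom_home_filetrans_user_home_dir(useradd_t)` is called twice in the Useradd section, once right after `userdom_manage_user_home_dirs(useradd_t)` and again after `userdom_manage_user_home_content_files(useradd_t)`; the second call is redundant and should be dropped. The comment `# these may be unnecessary due to the above domtrans_chk_passwd() call.` in both the groupadd and useradd sections names an interface that is not what precedes it — the call on the line above is `auth_run_chk_passwd(...)` — so the comment should read `auth_run_chk_passwd()`. The `ifdef(`distro_redhat',` block wrapping `unconfined_domain(useradd_t)` removes confinement from a domain that otherwise gets a narrow capability set and is the only such exception in the file; a one-line comment stating why Red Hat needs useradd unconfined would let a reviewer judge whether the exception is still required.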
diff --git a/policy/modules/apps/metadata.xml b/policy/modules/apps/metadata.xml
new file mode 100644
index 00000000..a5ad4c0e
--- /dev/null
+++ b/policy/modules/apps/metadata.xml
@@ -0,0 +1 @@
+<summary>Policy modules for applications</summary>
diff --git a/policy/modules/apps/seunshare.fc b/policy/modules/apps/seunshare.fc
new file mode 100644
index 00000000..30a4b9fd
--- /dev/null
+++ b/policy/modules/apps/seunshare.fc
@@ -0,0 +1 @@
+/usr/sbin/seunshare -- gen_context(system_u:object_r:seunshare_exec_t,s0)
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
new file mode 100644
index 00000000..1dc7a85d
--- /dev/null
+++ b/policy/modules/apps/seunshare.if
@@ -0,0 +1,80 @@
+## <summary>Filesystem namespacing/polyinstantiation application.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run seunshare.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seunshare_domtrans',`
+ gen_require(`
+ type seunshare_t, seunshare_exec_t;
+ ')
+
+ domtrans_pattern($1, seunshare_exec_t, seunshare_t)
+')
+
+########################################
+## <summary>
+## Execute seunshare in the seunshare domain, and
+## allow the specified role the seunshare domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`seunshare_run',`
+ gen_require(`
+ type seunshare_t;
+ ')
+
+ seunshare_domtrans($1)
+ role $2 types seunshare_t;
+
+ allow $1 seunshare_t:process signal_perms;
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
+ dontaudit seunshare_t $1:udp_socket rw_socket_perms;
+ dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
+ ')
+')
+
+########################################
+## <summary>
+## Role access for seunshare
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`seunshare_role',`
+ gen_require(`
+ type seunshare_t;
+ ')
+
+ role $2 types seunshare_t;
+
+ seunshare_domtrans($1)
+
+ ps_process_pattern($2, seunshare_t)
+ allow $2 seunshare_t:process signal;
+')
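Review bot: In `seunshare_role` the first two statements use the parameters in the opposite order from the documented one: `role` is documented as the first parameter (`$1`) and `domain` as the second (`$2`), yet the body runs `role $2 types seunshare_t;` and `seunshare_domtrans($1)`, while the following `ps_process_pattern($2, seunshare_t)` and `allow $2 seunshare_t:process signal;` treat `$2` as the domain. Either the doc block or those two lines is wrong; matching the documentation and the last two statements means `role $1 types seunshare_t;` and `seunshare_domtrans($2)`. As written, a caller following the docs would likely hand a role to `seunshare_domtrans` and a domain to the `role` statement, which should fail at policy build rather than grant anything, but the interface is unusable either way. `seunshare_run` also lacks the `<rolecap/>` tag that the sibling run interface `usermanage_run_useradd` carries.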
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
new file mode 100644
index 00000000..75901658
--- /dev/null
+++ b/policy/modules/apps/seunshare.te
@@ -0,0 +1,44 @@
+policy_module(seunshare, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type seunshare_t;
+type seunshare_exec_t;
+application_domain(seunshare_t, seunshare_exec_t)
+role system_r types seunshare_t;
+
+########################################
+#
+# seunshare local policy
+#
+
+allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
+allow seunshare_t self:process { setexec signal getcap setcap };
+
+allow seunshare_t self:fifo_file rw_file_perms;
+allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_shell(seunshare_t)
+corecmd_exec_bin(seunshare_t)
+
+files_read_etc_files(seunshare_t)
+files_mounton_all_poly_members(seunshare_t)
+
+auth_use_nsswitch(seunshare_t)
+
+logging_send_syslog_msg(seunshare_t)
+
+miscfiles_read_localization(seunshare_t)
+
+userdom_use_user_terminals(seunshare_t)
+
+ifdef(`hide_broken_symptoms', `
+ fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
+
+ optional_policy(`
+ mozilla_dontaudit_manage_user_home_files(seunshare_t)
+ ')
+')
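Review bot: `allow seunshare_t self:fifo_file rw_file_perms;` uses the generic file permission set where every other domain in this change uses `rw_fifo_file_perms` for `fifo_file` (`chfn_t`, `crack_t`, `abrt_t`, among others); switch to `rw_fifo_file_perms` for consistency. The capability line grants `sys_admin` and `setpcap` and the process line grants `setexec`, a combination that is far broader than anything the usermanage domains receive, and nothing in the file says which operation needs each; a short why-comment above those two lines, on the order of `# sys_admin: presumably for the mount namespace setup; setexec: presumably to set the context of the launched child — confirm against the seunshare source`, would document the intent. The `ifdef(`hide_broken_symptoms', `` invocation has a space after the comma that the same ifdef in usermanage.if does not.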
diff --git a/policy/modules/contrib/abrt.fc b/policy/modules/contrib/abrt.fc
new file mode 100644
index 00000000..1bd5812e
--- /dev/null
+++ b/policy/modules/contrib/abrt.fc
@@ -0,0 +1,20 @@
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
+/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+
+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+
+/var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
+
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
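Review bot: `/var/spool/abrt(/.*)?` is labelled `abrt_var_cache_t` rather than a dedicated spool type, so content under /var/spool shares a label with /var/cache/abrt and /var/cache/abrt-di. That is consistent with `files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)` in abrt.te, but a comment on the line, e.g. `# spool contents are treated as cache storage; see files_spool_filetrans in abrt.te`, would stop a later reader from "fixing" it. `/usr/bin/abrt-pyhook-helper` and `/usr/libexec/abrt-pyhook-helper` both get `abrt_helper_exec_t`; if only one location ships, the other entry can go, otherwise a comment noting the dual install path helps.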
diff --git a/policy/modules/contrib/abrt.if b/policy/modules/contrib/abrt.if
new file mode 100644
index 00000000..0b827c52
--- /dev/null
+++ b/policy/modules/contrib/abrt.if
@@ -0,0 +1,303 @@
+## <summary>ABRT - automated bug-reporting tool</summary>
+
+######################################
+## <summary>
+## Execute abrt in the abrt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`abrt_domtrans',`
+ gen_require(`
+ type abrt_t, abrt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, abrt_exec_t, abrt_t)
+')
+
+######################################
+## <summary>
+## Execute abrt in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_exec',`
+ gen_require(`
+ type abrt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, abrt_exec_t)
+')
+
+########################################
+## <summary>
+## Send a null signal to abrt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_signull',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ allow $1 abrt_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow the domain to read abrt state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_state',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ ps_process_pattern($1, abrt_t)
+')
+
+########################################
+## <summary>
+## Connect to abrt over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_stream_connect',`
+ gen_require(`
+ type abrt_t, abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## abrt over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_dbus_chat',`
+ gen_require(`
+ type abrt_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 abrt_t:dbus send_msg;
+ allow abrt_t $1:dbus send_msg;
+')
+
+#####################################
+## <summary>
+## Execute abrt-helper in the abrt-helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`abrt_domtrans_helper',`
+ gen_require(`
+ type abrt_helper_t, abrt_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
+')
+
+########################################
+## <summary>
+## Execute abrt helper in the abrt_helper domain, and
+## allow the specified role the abrt_helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`abrt_run_helper',`
+ gen_require(`
+ type abrt_helper_t;
+ ')
+
+ abrt_domtrans_helper($1)
+ role $2 types abrt_helper_t;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## abrt over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_cache_manage',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+ manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+####################################
+## <summary>
+## Read abrt configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_config',`
+ gen_require(`
+ type abrt_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, abrt_etc_t, abrt_etc_t)
+')
+
+######################################
+## <summary>
+## Read abrt logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_log',`
+ gen_require(`
+ type abrt_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
+')
+
+######################################
+## <summary>
+## Read abrt PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_pid_files',`
+ gen_require(`
+ type abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete abrt PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_manage_pid_files',`
+ gen_require(`
+ type abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+')
+
+#####################################
+## <summary>
+## All of the rules required to administrate
+## an abrt environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the abrt domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`abrt_admin',`
+ gen_require(`
+ type abrt_t, abrt_etc_t;
+ type abrt_var_cache_t, abrt_var_log_t;
+ type abrt_var_run_t, abrt_tmp_t;
+ type abrt_initrc_exec_t;
+ ')
+
+ allow $1 abrt_t:process { ptrace signal_perms };
+ ps_process_pattern($1, abrt_t)
+
+ init_labeled_script_domtrans($1, abrt_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 abrt_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, abrt_etc_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, abrt_var_log_t)
+
+ files_search_var($1)
+ admin_pattern($1, abrt_var_cache_t)
+
+ files_search_pids($1)
+ admin_pattern($1, abrt_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, abrt_tmp_t)
+')
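Review bot: The doc block for `abrt_cache_manage` repeats the `abrt_dbus_chat` summary ("Send and receive messages from abrt over dbus.") and does not describe the body, which is `manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)`; it should read `Create, read, write, and delete abrt cache files.` The body also omits the `files_search_var($1)` that `abrt_admin` pairs with `abrt_var_cache_t`, so a caller without its own search access to /var would presumably be denied before reaching the files. The name `abrt_cache_manage` inverts the verb-object order used by the other interfaces in this file (`abrt_manage_pid_files`, `abrt_read_config`). Separately, `abrt_domtrans_helper` lacks the `corecmd_search_bin($1)` that `abrt_domtrans` has, even though abrt.fc places a helper under /usr/bin.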
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
new file mode 100644
index 00000000..30861ec4
--- /dev/null
+++ b/policy/modules/contrib/abrt.te
@@ -0,0 +1,227 @@
+policy_module(abrt, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type abrt_t;
+type abrt_exec_t;
+init_daemon_domain(abrt_t, abrt_exec_t)
+
+type abrt_initrc_exec_t;
+init_script_file(abrt_initrc_exec_t)
+
+# etc files
+type abrt_etc_t;
+files_config_file(abrt_etc_t)
+
+# log files
+type abrt_var_log_t;
+logging_log_file(abrt_var_log_t)
+
+# tmp files
+type abrt_tmp_t;
+files_tmp_file(abrt_tmp_t)
+
+# var/cache files
+type abrt_var_cache_t;
+files_type(abrt_var_cache_t)
+
+# pid files
+type abrt_var_run_t;
+files_pid_file(abrt_var_run_t)
+
+# type needed to allow all domains
+# to handle /var/cache/abrt
+type abrt_helper_t;
+type abrt_helper_exec_t;
+application_domain(abrt_helper_t, abrt_helper_exec_t)
+role system_r types abrt_helper_t;
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# abrt local policy
+#
+
+allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
+dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:process { signal signull setsched getsched };
+
+allow abrt_t self:fifo_file rw_fifo_file_perms;
+allow abrt_t self:tcp_socket create_stream_socket_perms;
+allow abrt_t self:udp_socket create_socket_perms;
+allow abrt_t self:unix_dgram_socket create_socket_perms;
+allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
+
+# abrt etc files
+rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+
+# log file
+manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
+logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+
+# abrt tmp files
+manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+
+# abrt var/cache files
+manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
+files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
+
+# abrt pid files
+manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
+
+kernel_read_ring_buffer(abrt_t)
+kernel_read_system_state(abrt_t)
+kernel_rw_kernel_sysctl(abrt_t)
+
+corecmd_exec_bin(abrt_t)
+corecmd_exec_shell(abrt_t)
+corecmd_read_all_executables(abrt_t)
+
+corenet_all_recvfrom_netlabel(abrt_t)
+corenet_all_recvfrom_unlabeled(abrt_t)
+corenet_tcp_sendrecv_generic_if(abrt_t)
+corenet_tcp_sendrecv_generic_node(abrt_t)
+corenet_tcp_sendrecv_generic_port(abrt_t)
+corenet_tcp_bind_generic_node(abrt_t)
+corenet_tcp_connect_http_port(abrt_t)
+corenet_tcp_connect_ftp_port(abrt_t)
+corenet_tcp_connect_all_ports(abrt_t)
+corenet_sendrecv_http_client_packets(abrt_t)
+
+dev_getattr_all_chr_files(abrt_t)
+dev_read_urand(abrt_t)
+dev_rw_sysfs(abrt_t)
+dev_dontaudit_read_raw_memory(abrt_t)
+
+domain_getattr_all_domains(abrt_t)
+domain_read_all_domains_state(abrt_t)
+domain_signull_all_domains(abrt_t)
+
+files_getattr_all_files(abrt_t)
+files_read_etc_files(abrt_t)
+files_read_var_symlinks(abrt_t)
+files_read_var_lib_files(abrt_t)
+files_read_usr_files(abrt_t)
+files_read_generic_tmp_files(abrt_t)
+files_read_kernel_modules(abrt_t)
+files_dontaudit_list_default(abrt_t)
+files_dontaudit_read_default_files(abrt_t)
+
+fs_list_inotifyfs(abrt_t)
+fs_getattr_all_fs(abrt_t)
+fs_getattr_all_dirs(abrt_t)
+fs_read_fusefs_files(abrt_t)
+fs_read_noxattr_fs_files(abrt_t)
+fs_read_nfs_files(abrt_t)
+fs_read_nfs_symlinks(abrt_t)
+fs_search_all(abrt_t)
+
+sysnet_read_config(abrt_t)
+
+logging_read_generic_logs(abrt_t)
+logging_send_syslog_msg(abrt_t)
+
+miscfiles_read_generic_certs(abrt_t)
+miscfiles_read_localization(abrt_t)
+
+userdom_dontaudit_read_user_home_content_files(abrt_t)
+
+optional_policy(`
+ dbus_system_domain(abrt_t, abrt_exec_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(abrt_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(abrt_t)
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
+ policykit_read_reload(abrt_t)
+')
+
+optional_policy(`
+ prelink_exec(abrt_t)
+ libs_exec_ld_so(abrt_t)
+ corecmd_exec_all_executables(abrt_t)
+')
+
+# to install debuginfo packages
+optional_policy(`
+ rpm_exec(abrt_t)
+ rpm_dontaudit_manage_db(abrt_t)
+ rpm_manage_cache(abrt_t)
+ rpm_manage_pid_files(abrt_t)
+ rpm_read_db(abrt_t)
+ rpm_signull(abrt_t)
+')
+
+# to run mailx plugin
+optional_policy(`
+ sendmail_domtrans(abrt_t)
+')
+
+optional_policy(`
+ sssd_stream_connect(abrt_t)
+')
+
+########################################
+#
+# abrt--helper local policy
+#
+
+allow abrt_helper_t self:capability { chown setgid sys_nice };
+allow abrt_helper_t self:process signal;
+
+read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
+
+files_search_spool(abrt_helper_t)
+manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+
+read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+
+domain_read_all_domains_state(abrt_helper_t)
+
+files_read_etc_files(abrt_helper_t)
+
+fs_list_inotifyfs(abrt_helper_t)
+fs_getattr_all_fs(abrt_helper_t)
+
+auth_use_nsswitch(abrt_helper_t)
+
+logging_send_syslog_msg(abrt_helper_t)
+
+miscfiles_read_localization(abrt_helper_t)
+
+term_dontaudit_use_all_ttys(abrt_helper_t)
+term_dontaudit_use_all_ptys(abrt_helper_t)
+
+ifdef(`hide_broken_symptoms', `
+ userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
+ userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
+ dev_dontaudit_read_all_blk_files(abrt_helper_t)
+ dev_dontaudit_read_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_blk_files(abrt_helper_t)
+ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+')
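Review bot: `corenet_tcp_connect_all_ports(abrt_t)` directly follows `corenet_tcp_connect_http_port(abrt_t)` and `corenet_tcp_connect_ftp_port(abrt_t)` and subsumes both, so the two port-specific lines add nothing while the all-ports grant gives the daemon unrestricted outbound TCP. Either drop the all-ports line if the reporter only needs HTTP and FTP, or keep it, remove the two specific ones, and add a comment naming the plugin that needs arbitrary destination ports so the breadth is a documented decision rather than an accident. `corecmd_exec_all_executables(abrt_t)` inside the prelink optional block is a similarly broad grant that deserves a why-comment. The section header `# abrt--helper local policy` has a doubled hyphen.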
diff --git a/policy/modules/contrib/accountsd.fc b/policy/modules/contrib/accountsd.fc
new file mode 100644
index 00000000..1adca53f
--- /dev/null
+++ b/policy/modules/contrib/accountsd.fc
@@ -0,0 +1,3 @@
+/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+
+/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/accountsd.if b/policy/modules/contrib/accountsd.if
new file mode 100644
index 00000000..c0f858de
--- /dev/null
+++ b/policy/modules/contrib/accountsd.if
@@ -0,0 +1,145 @@
+## <summary>AccountsService and daemon for manipulating user account information via D-Bus</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run accountsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_domtrans',`
+ gen_require(`
+ type accountsd_t, accountsd_exec_t;
+ ')
+
+ domtrans_pattern($1, accountsd_exec_t, accountsd_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write Accounts Daemon
+## fifo file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_dontaudit_rw_fifo_file',`
+ gen_require(`
+ type accountsd_t;
+ ')
+
+ dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## accountsd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_dbus_chat',`
+ gen_require(`
+ type accountsd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 accountsd_t:dbus send_msg;
+ allow accountsd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Search accountsd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_search_lib',`
+ gen_require(`
+ type accountsd_var_lib_t;
+ ')
+
+ allow $1 accountsd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read accountsd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_read_lib_files',`
+ gen_require(`
+ type accountsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## accountsd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_manage_lib_files',`
+ gen_require(`
+ type accountsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an accountsd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`accountsd_admin',`
+ gen_require(`
+ type accountsd_t;
+ ')
+
+ allow $1 accountsd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, accountsd_t)
+
+ accountsd_manage_lib_files($1)
+')
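Review bot: `accountsd_admin` documents a `role` parameter and carries `<rolecap/>`, but its body never references `$2`, so a caller that passes a role gets no role-related rules and the header overstates what the interface does. Either drop the `<param name="role">` block and `<rolecap/>` from the header comment, or add the role handling that the other `*_admin` interfaces in this commit provide. Separately, `accountsd_manage_lib_files($1)` only covers files under `accountsd_var_lib_t`; `admin_pattern($1, accountsd_var_lib_t)` together with `files_list_var_lib($1)` would let the admin domain also manage the directories, matching the style of `aiccu_admin` and `aide_admin`.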
diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te
new file mode 100644
index 00000000..1632f105
--- /dev/null
+++ b/policy/modules/contrib/accountsd.te
@@ -0,0 +1,57 @@
+policy_module(accountsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type accountsd_t;
+type accountsd_exec_t;
+dbus_system_domain(accountsd_t, accountsd_exec_t)
+
+type accountsd_var_lib_t;
+files_type(accountsd_var_lib_t)
+
+########################################
+#
+# accountsd local policy
+#
+
+allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
+allow accountsd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir })
+
+kernel_read_kernel_sysctls(accountsd_t)
+
+corecmd_exec_bin(accountsd_t)
+
+files_read_usr_files(accountsd_t)
+files_read_mnt_files(accountsd_t)
+
+fs_list_inotifyfs(accountsd_t)
+fs_read_noxattr_fs_files(accountsd_t)
+
+auth_use_nsswitch(accountsd_t)
+auth_read_shadow(accountsd_t)
+
+miscfiles_read_localization(accountsd_t)
+
+logging_send_syslog_msg(accountsd_t)
+logging_set_loginuid(accountsd_t)
+
+userdom_read_user_tmp_files(accountsd_t)
+userdom_read_user_home_content_files(accountsd_t)
+
+usermanage_domtrans_useradd(accountsd_t)
+usermanage_domtrans_passwd(accountsd_t)
+
+optional_policy(`
+ consolekit_read_log(accountsd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(accountsd_t)
+')
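Review bot: The `self:capability` rule at the top of the local policy grants `dac_override`, `setuid`, `setgid` and `sys_ptrace` with no comment saying which operation needs each, whereas acct.te in the same commit annotates its capability rule. `sys_ptrace` is a broad grant for a D-Bus account daemon; a why-comment such as `# sys_ptrace: TODO confirm which accountsd code path triggers this` above the rule, or dropping it if no denial is observed, would make the grant reviewable. The same applies to `auth_read_shadow(accountsd_t)` and `logging_set_loginuid(accountsd_t)`, which are the privileged accesses in this domain and deserve a one-line rationale each.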
diff --git a/policy/modules/contrib/acct.fc b/policy/modules/contrib/acct.fc
new file mode 100644
index 00000000..e81367cc
--- /dev/null
+++ b/policy/modules/contrib/acct.fc
@@ -0,0 +1,9 @@
+
+/etc/cron\.(daily|monthly)/acct -- gen_context(system_u:object_r:acct_exec_t,s0)
+
+/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
+
+/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
+
+/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
+/var/log/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if
new file mode 100644
index 00000000..e66c296e
--- /dev/null
+++ b/policy/modules/contrib/acct.if
@@ -0,0 +1,80 @@
+## <summary>Berkeley process accounting</summary>
+
+########################################
+## <summary>
+## Transition to the accounting management domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`acct_domtrans',`
+ gen_require(`
+ type acct_t, acct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, acct_exec_t, acct_t)
+')
+
+########################################
+## <summary>
+## Execute accounting management tools in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acct_exec',`
+ gen_require(`
+ type acct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, acct_exec_t)
+')
+
+########################################
+## <summary>
+## Execute accounting management data in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: this is added for logrotate, and does
+# not make sense to me.
+interface(`acct_exec_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ files_search_var($1)
+ can_exec($1, acct_data_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete process accounting data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acct_manage_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, acct_data_t, acct_data_t)
+ manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
+')
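Review bot: `acct_exec_data` lets the caller execute files labelled `acct_data_t`, which acct.te in this commit declares as a log type via `logging_log_file`, and the only rationale on record is the `# cjp:` comment saying it does not make sense. Executing log-labelled data from another domain is the kind of grant that should either be justified in the header (which logrotate action needs it) or be marked deprecated in the header comment so new callers do not adopt it. If it is kept, the summary should at least read `## Execute process accounting data files in the caller domain (needed by logrotate).` so the purpose is visible in the generated documentation.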
diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te
new file mode 100644
index 00000000..63ef90ec
--- /dev/null
+++ b/policy/modules/contrib/acct.te
@@ -0,0 +1,89 @@
+policy_module(acct, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type acct_t;
+type acct_exec_t;
+init_system_domain(acct_t, acct_exec_t)
+
+type acct_data_t;
+logging_log_file(acct_data_t)
+
+########################################
+#
+# Local Policy
+#
+
+# gzip needs chown capability for some reason
+allow acct_t self:capability { sys_pacct chown fsetid };
+# not sure why we need kill, the command "last" is reported as using it
+dontaudit acct_t self:capability { kill sys_tty_config };
+
+allow acct_t self:fifo_file rw_fifo_file_perms;
+allow acct_t self:process signal_perms;
+
+manage_files_pattern(acct_t, acct_data_t, acct_data_t)
+manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t)
+
+can_exec(acct_t, acct_exec_t)
+
+kernel_list_proc(acct_t)
+kernel_read_system_state(acct_t)
+kernel_read_kernel_sysctls(acct_t)
+
+dev_read_sysfs(acct_t)
+# for SSP
+dev_read_urand(acct_t)
+
+fs_search_auto_mountpoints(acct_t)
+fs_getattr_xattr_fs(acct_t)
+
+term_dontaudit_use_console(acct_t)
+term_dontaudit_use_generic_ptys(acct_t)
+
+corecmd_exec_bin(acct_t)
+corecmd_exec_shell(acct_t)
+
+domain_use_interactive_fds(acct_t)
+
+files_read_etc_files(acct_t)
+files_read_etc_runtime_files(acct_t)
+files_list_usr(acct_t)
+# for nscd
+files_dontaudit_search_pids(acct_t)
+
+init_use_fds(acct_t)
+init_use_script_ptys(acct_t)
+init_exec_script_files(acct_t)
+
+logging_send_syslog_msg(acct_t)
+
+miscfiles_read_localization(acct_t)
+
+userdom_dontaudit_use_unpriv_user_fds(acct_t)
+userdom_dontaudit_search_user_home_dirs(acct_t)
+
+optional_policy(`
+ optional_policy(`
+ # for monthly cron job
+ auth_log_filetrans_login_records(acct_t)
+ auth_manage_login_records(acct_t)
+ ')
+
+ cron_system_entry(acct_t, acct_exec_t)
+')
+
+optional_policy(`
+ nscd_socket_use(acct_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(acct_t)
+')
+
+optional_policy(`
+ udev_read_db(acct_t)
+')
diff --git a/policy/modules/contrib/ada.fc b/policy/modules/contrib/ada.fc
new file mode 100644
index 00000000..e802ed56
--- /dev/null
+++ b/policy/modules/contrib/ada.fc
@@ -0,0 +1,7 @@
+#
+# /usr
+#
+/usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0)
diff --git a/policy/modules/contrib/ada.if b/policy/modules/contrib/ada.if
new file mode 100644
index 00000000..43ba21dc
--- /dev/null
+++ b/policy/modules/contrib/ada.if
@@ -0,0 +1,45 @@
+## <summary>GNAT Ada95 compiler</summary>
+
+########################################
+## <summary>
+## Execute the ada program in the ada domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ada_domtrans',`
+ gen_require(`
+ type ada_t, ada_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ada_exec_t, ada_t)
+')
+
+########################################
+## <summary>
+## Execute ada in the ada domain, and
+## allow the specified role the ada domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`ada_run',`
+ gen_require(`
+ type ada_t;
+ ')
+
+ ada_domtrans($1)
+ role $2 types ada_t;
+')
diff --git a/policy/modules/contrib/ada.te b/policy/modules/contrib/ada.te
new file mode 100644
index 00000000..39c75fb4
--- /dev/null
+++ b/policy/modules/contrib/ada.te
@@ -0,0 +1,24 @@
+policy_module(ada, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type ada_t;
+type ada_exec_t;
+application_domain(ada_t, ada_exec_t)
+role system_r types ada_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ada_t self:process { execstack execmem };
+
+userdom_use_user_terminals(ada_t)
+
+optional_policy(`
+ unconfined_domain(ada_t)
+')
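Review bot: The closing `optional_policy(` block hands `ada_t` to `unconfined_domain()` without a comment explaining why a compiler domain should be unconfined, and `ada_run` in ada.if then assigns that domain to whatever role is passed. When the unconfined module is loaded this makes the `execstack execmem` rule above redundant and effectively turns `ada_run` into an unconfined-domain grant for the caller's role. A why-comment inside the block, e.g. `# gnat runs unconfined where the unconfined module is loaded -- TODO confirm this is still required`, or a boolean guarding it, would make the intent explicit to the next reviewer.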
diff --git a/policy/modules/contrib/afs.fc b/policy/modules/contrib/afs.fc
new file mode 100644
index 00000000..eaea1388
--- /dev/null
+++ b/policy/modules/contrib/afs.fc
@@ -0,0 +1,32 @@
+/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+
+/usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+/usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
+/usr/afs/bin/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
+/usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
+
+/usr/afs/db -d gen_context(system_u:object_r:afs_dbdir_t,s0)
+/usr/afs/db/pr.* -- gen_context(system_u:object_r:afs_pt_db_t,s0)
+/usr/afs/db/ka.* -- gen_context(system_u:object_r:afs_ka_db_t,s0)
+/usr/afs/db/vl.* -- gen_context(system_u:object_r:afs_vl_db_t,s0)
+
+/usr/afs/etc(/.*)? gen_context(system_u:object_r:afs_config_t,s0)
+
+/usr/afs/local(/.*)? gen_context(system_u:object_r:afs_config_t,s0)
+
+/usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0)
+
+/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
+
+/usr/vice/cache(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
+/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
+
+/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
+
+/vicepa gen_context(system_u:object_r:afs_files_t,s0)
+/vicepb gen_context(system_u:object_r:afs_files_t,s0)
+/vicepc gen_context(system_u:object_r:afs_files_t,s0)
diff --git a/policy/modules/contrib/afs.if b/policy/modules/contrib/afs.if
new file mode 100644
index 00000000..8559cdc6
--- /dev/null
+++ b/policy/modules/contrib/afs.if
@@ -0,0 +1,109 @@
+## <summary>Andrew Filesystem server</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run the
+## afs client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`afs_domtrans',`
+ gen_require(`
+ type afs_t, afs_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, afs_exec_t, afs_t)
+')
+
+########################################
+## <summary>
+## Read and write afs client UDP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`afs_rw_udp_sockets',`
+ gen_require(`
+ type afs_t;
+ ')
+
+ allow $1 afs_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+## read/write afs cache files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`afs_rw_cache',`
+ gen_require(`
+ type afs_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 afs_cache_t:file { read write };
+')
+
+########################################
+## <summary>
+## Execute afs server in the afs domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`afs_initrc_domtrans',`
+ gen_require(`
+ type afs_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, afs_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an afs environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the afs domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`afs_admin',`
+ gen_require(`
+ type afs_t, afs_initrc_exec_t;
+ ')
+
+ allow $1 afs_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, afs_t, afs_t)
+
+ # Allow afs_admin to restart the afs service
+ afs_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 afs_initrc_exec_t system_r;
+ allow $2 system_r;
+
+')
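Review bot: `afs_admin` only grants process access and `/proc` reads on `afs_t` plus the init-script transition; unlike `aiccu_admin` in the same commit it never uses `admin_pattern` for the module's file types (`afs_cache_t`, `afs_config_t`, `afs_logfile_t`, `afs_dbdir_t` and the db types declared in afs.te), so an admin role cannot manage the cache, configuration, logs or databases. Add the missing types to `gen_require` and e.g. `admin_pattern($1, afs_config_t)` / `admin_pattern($1, afs_logfile_t)` with search rules for their parent directories. The blank line before the closing `')` is a style nit.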
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
new file mode 100644
index 00000000..a496fdea
--- /dev/null
+++ b/policy/modules/contrib/afs.te
@@ -0,0 +1,355 @@
+policy_module(afs, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type afs_t;
+type afs_exec_t;
+init_daemon_domain(afs_t, afs_exec_t)
+
+type afs_bosserver_t;
+type afs_bosserver_exec_t;
+init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t)
+
+type afs_cache_t;
+files_type(afs_cache_t)
+
+type afs_config_t;
+files_type(afs_config_t)
+
+type afs_dbdir_t;
+files_type(afs_dbdir_t)
+
+# exported files
+type afs_files_t;
+files_type(afs_files_t)
+
+type afs_fsserver_t;
+type afs_fsserver_exec_t;
+domain_type(afs_fsserver_t)
+domain_entry_file(afs_fsserver_t, afs_fsserver_exec_t)
+role system_r types afs_fsserver_t;
+
+type afs_initrc_exec_t;
+init_script_file(afs_initrc_exec_t)
+
+type afs_ka_db_t;
+files_type(afs_ka_db_t)
+
+type afs_kaserver_t;
+type afs_kaserver_exec_t;
+domain_type(afs_kaserver_t)
+domain_entry_file(afs_kaserver_t, afs_kaserver_exec_t)
+role system_r types afs_kaserver_t;
+
+type afs_logfile_t;
+logging_log_file(afs_logfile_t)
+
+type afs_pt_db_t;
+files_type(afs_pt_db_t)
+
+type afs_ptserver_t;
+type afs_ptserver_exec_t;
+domain_type(afs_ptserver_t)
+domain_entry_file(afs_ptserver_t, afs_ptserver_exec_t)
+role system_r types afs_ptserver_t;
+
+type afs_vl_db_t;
+files_type(afs_vl_db_t)
+
+type afs_vlserver_t;
+type afs_vlserver_exec_t;
+domain_type(afs_vlserver_t)
+domain_entry_file(afs_vlserver_t, afs_vlserver_exec_t)
+role system_r types afs_vlserver_t;
+
+########################################
+#
+# afs client local policy
+#
+
+allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
+allow afs_t self:process { setsched signal };
+allow afs_t self:udp_socket create_socket_perms;
+allow afs_t self:fifo_file rw_file_perms;
+allow afs_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(afs_t, afs_cache_t, afs_cache_t)
+manage_dirs_pattern(afs_t, afs_cache_t, afs_cache_t)
+files_var_filetrans(afs_t, afs_cache_t, { file dir })
+
+kernel_rw_afs_state(afs_t)
+
+corenet_all_recvfrom_unlabeled(afs_t)
+corenet_all_recvfrom_netlabel(afs_t)
+corenet_tcp_sendrecv_generic_if(afs_t)
+corenet_udp_sendrecv_generic_if(afs_t)
+corenet_tcp_sendrecv_generic_node(afs_t)
+corenet_udp_sendrecv_generic_node(afs_t)
+corenet_tcp_sendrecv_all_ports(afs_t)
+corenet_udp_sendrecv_all_ports(afs_t)
+corenet_udp_bind_generic_node(afs_t)
+
+files_mounton_mnt(afs_t)
+files_read_etc_files(afs_t)
+files_read_usr_files(afs_t)
+files_rw_etc_runtime_files(afs_t)
+
+fs_getattr_xattr_fs(afs_t)
+fs_mount_nfs(afs_t)
+fs_read_nfs_symlinks(afs_t)
+
+logging_send_syslog_msg(afs_t)
+
+miscfiles_read_localization(afs_t)
+
+sysnet_dns_name_resolve(afs_t)
+
+########################################
+#
+# AFS bossserver local policy
+#
+
+allow afs_bosserver_t self:process { setsched signal_perms };
+allow afs_bosserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_bosserver_t self:udp_socket create_socket_perms;
+
+can_exec(afs_bosserver_t, afs_bosserver_exec_t)
+
+manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
+manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
+
+allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;
+
+allow afs_bosserver_t afs_fsserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
+
+allow afs_bosserver_t afs_kaserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t)
+
+allow afs_bosserver_t afs_logfile_t:file manage_file_perms;
+allow afs_bosserver_t afs_logfile_t:dir manage_dir_perms;
+
+allow afs_bosserver_t afs_ptserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t)
+
+allow afs_bosserver_t afs_vlserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
+
+kernel_read_kernel_sysctls(afs_bosserver_t)
+
+corenet_all_recvfrom_unlabeled(afs_bosserver_t)
+corenet_all_recvfrom_netlabel(afs_bosserver_t)
+corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
+corenet_udp_sendrecv_generic_if(afs_bosserver_t)
+corenet_tcp_sendrecv_generic_node(afs_bosserver_t)
+corenet_udp_sendrecv_generic_node(afs_bosserver_t)
+corenet_tcp_sendrecv_all_ports(afs_bosserver_t)
+corenet_udp_sendrecv_all_ports(afs_bosserver_t)
+corenet_udp_bind_generic_node(afs_bosserver_t)
+corenet_udp_bind_afs_bos_port(afs_bosserver_t)
+corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
+
+files_read_etc_files(afs_bosserver_t)
+files_list_home(afs_bosserver_t)
+files_read_usr_files(afs_bosserver_t)
+
+miscfiles_read_localization(afs_bosserver_t)
+
+seutil_read_config(afs_bosserver_t)
+
+sysnet_read_config(afs_bosserver_t)
+
+########################################
+#
+# fileserver local policy
+#
+
+allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
+dontaudit afs_fsserver_t self:capability fsetid;
+allow afs_fsserver_t self:process { setsched signal_perms };
+allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
+allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_fsserver_t self:udp_socket create_socket_perms;
+
+read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+allow afs_fsserver_t afs_config_t:dir list_dir_perms;
+
+manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+
+allow afs_fsserver_t afs_files_t:filesystem getattr;
+manage_dirs_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_lnk_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_fifo_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_sock_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+filetrans_pattern(afs_fsserver_t, afs_config_t, afs_files_t, { file lnk_file sock_file fifo_file })
+
+can_exec(afs_fsserver_t, afs_fsserver_exec_t)
+
+manage_dirs_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)
+
+kernel_read_system_state(afs_fsserver_t)
+kernel_read_kernel_sysctls(afs_fsserver_t)
+
+corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
+corenet_udp_sendrecv_generic_if(afs_fsserver_t)
+corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
+corenet_udp_sendrecv_generic_node(afs_fsserver_t)
+corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
+corenet_udp_sendrecv_all_ports(afs_fsserver_t)
+corenet_all_recvfrom_unlabeled(afs_fsserver_t)
+corenet_all_recvfrom_netlabel(afs_fsserver_t)
+corenet_tcp_bind_generic_node(afs_fsserver_t)
+corenet_udp_bind_generic_node(afs_fsserver_t)
+corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
+corenet_udp_bind_afs_fs_port(afs_fsserver_t)
+corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
+
+files_read_etc_files(afs_fsserver_t)
+files_read_etc_runtime_files(afs_fsserver_t)
+files_list_home(afs_fsserver_t)
+files_read_usr_files(afs_fsserver_t)
+files_list_pids(afs_fsserver_t)
+files_dontaudit_search_mnt(afs_fsserver_t)
+
+fs_getattr_xattr_fs(afs_fsserver_t)
+
+term_dontaudit_use_console(afs_fsserver_t)
+
+init_dontaudit_use_script_fds(afs_fsserver_t)
+
+logging_send_syslog_msg(afs_fsserver_t)
+
+miscfiles_read_localization(afs_fsserver_t)
+
+seutil_read_config(afs_fsserver_t)
+
+sysnet_read_config(afs_fsserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_fsserver_t)
+
+########################################
+#
+# kaserver local policy
+#
+
+allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_kaserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_kaserver_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(afs_kaserver_t, afs_config_t, afs_config_t)
+
+manage_files_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t)
+filetrans_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t, file)
+
+manage_dirs_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
+
+kernel_read_kernel_sysctls(afs_kaserver_t)
+
+corenet_all_recvfrom_unlabeled(afs_kaserver_t)
+corenet_all_recvfrom_netlabel(afs_kaserver_t)
+corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
+corenet_udp_sendrecv_generic_if(afs_kaserver_t)
+corenet_tcp_sendrecv_generic_node(afs_kaserver_t)
+corenet_udp_sendrecv_generic_node(afs_kaserver_t)
+corenet_tcp_sendrecv_all_ports(afs_kaserver_t)
+corenet_udp_sendrecv_all_ports(afs_kaserver_t)
+corenet_udp_bind_generic_node(afs_kaserver_t)
+corenet_udp_bind_afs_ka_port(afs_kaserver_t)
+corenet_udp_bind_kerberos_port(afs_kaserver_t)
+corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t)
+corenet_sendrecv_kerberos_server_packets(afs_kaserver_t)
+
+files_read_etc_files(afs_kaserver_t)
+files_list_home(afs_kaserver_t)
+files_read_usr_files(afs_kaserver_t)
+
+miscfiles_read_localization(afs_kaserver_t)
+
+seutil_read_config(afs_kaserver_t)
+
+sysnet_read_config(afs_kaserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_kaserver_t)
+
+########################################
+#
+# ptserver local policy
+#
+
+allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_ptserver_t self:udp_socket create_socket_perms;
+
+read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
+allow afs_ptserver_t afs_config_t:dir list_dir_perms;
+
+manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+
+manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
+filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
+
+corenet_all_recvfrom_unlabeled(afs_ptserver_t)
+corenet_all_recvfrom_netlabel(afs_ptserver_t)
+corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
+corenet_udp_sendrecv_generic_if(afs_ptserver_t)
+corenet_tcp_sendrecv_generic_node(afs_ptserver_t)
+corenet_udp_sendrecv_generic_node(afs_ptserver_t)
+corenet_tcp_sendrecv_all_ports(afs_ptserver_t)
+corenet_udp_sendrecv_all_ports(afs_ptserver_t)
+corenet_udp_bind_generic_node(afs_ptserver_t)
+corenet_udp_bind_afs_pt_port(afs_ptserver_t)
+corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
+
+files_read_etc_files(afs_ptserver_t)
+
+miscfiles_read_localization(afs_ptserver_t)
+
+sysnet_read_config(afs_ptserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_ptserver_t)
+
+########################################
+#
+# vlserver local policy
+#
+
+allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_vlserver_t self:udp_socket create_socket_perms;
+
+read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
+allow afs_vlserver_t afs_config_t:dir list_dir_perms;
+
+manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+
+manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
+filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
+
+corenet_all_recvfrom_unlabeled(afs_vlserver_t)
+corenet_all_recvfrom_netlabel(afs_vlserver_t)
+corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
+corenet_udp_sendrecv_generic_if(afs_vlserver_t)
+corenet_tcp_sendrecv_generic_node(afs_vlserver_t)
+corenet_udp_sendrecv_generic_node(afs_vlserver_t)
+corenet_tcp_sendrecv_all_ports(afs_vlserver_t)
+corenet_udp_sendrecv_all_ports(afs_vlserver_t)
+corenet_udp_bind_generic_node(afs_vlserver_t)
+corenet_udp_bind_afs_vl_port(afs_vlserver_t)
+corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
+
+files_read_etc_files(afs_vlserver_t)
+
+miscfiles_read_localization(afs_vlserver_t)
+
+sysnet_read_config(afs_vlserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_vlserver_t)
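Review bot: `allow afs_t self:fifo_file rw_file_perms;` in the afs client section applies the file permission set to a fifo_file; the fileserver section of this file and the sibling modules use `rw_fifo_file_perms`, the set defined for that class, so change it to `allow afs_t self:fifo_file rw_fifo_file_perms;`. In the fileserver section `read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)` is subsumed by the `manage_files_pattern` on the same type two lines below and can be dropped. The section header reads `AFS bossserver` where the domain is `afs_bosserver_t`.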
diff --git a/policy/modules/contrib/aiccu.fc b/policy/modules/contrib/aiccu.fc
new file mode 100644
index 00000000..069518f9
--- /dev/null
+++ b/policy/modules/contrib/aiccu.fc
@@ -0,0 +1,6 @@
+/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)
+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+
+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
diff --git a/policy/modules/contrib/aiccu.if b/policy/modules/contrib/aiccu.if
new file mode 100644
index 00000000..184c9a80
--- /dev/null
+++ b/policy/modules/contrib/aiccu.if
@@ -0,0 +1,95 @@
+## <summary>Automatic IPv6 Connectivity Client Utility.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run aiccu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aiccu_domtrans',`
+ gen_require(`
+ type aiccu_t, aiccu_exec_t;
+ ')
+
+ domtrans_pattern($1, aiccu_exec_t, aiccu_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute aiccu server in the aiccu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aiccu_initrc_domtrans',`
+ gen_require(`
+ type aiccu_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, aiccu_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read aiccu PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aiccu_read_pid_files',`
+ gen_require(`
+ type aiccu_var_run_t;
+ ')
+
+ allow $1 aiccu_var_run_t:file read_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an aiccu environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`aiccu_admin',`
+ gen_require(`
+ type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
+ type aiccu_var_run_t;
+ ')
+
+ allow $1 aiccu_t:process { ptrace signal_perms };
+ ps_process_pattern($1, aiccu_t)
+
+ aiccu_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 aiccu_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, aiccu_etc_t)
+ files_list_etc($1)
+
+ admin_pattern($1, aiccu_var_run_t)
+ files_list_pids($1)
+')
diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te
new file mode 100644
index 00000000..6d685baf
--- /dev/null
+++ b/policy/modules/contrib/aiccu.te
@@ -0,0 +1,76 @@
+policy_module(aiccu, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type aiccu_t;
+type aiccu_exec_t;
+init_daemon_domain(aiccu_t, aiccu_exec_t)
+
+type aiccu_initrc_exec_t;
+init_script_file(aiccu_initrc_exec_t)
+
+type aiccu_etc_t;
+files_config_file(aiccu_etc_t)
+
+type aiccu_var_run_t;
+files_pid_file(aiccu_var_run_t)
+
+########################################
+#
+# aiccu local policy
+#
+
+allow aiccu_t self:capability { kill net_admin net_raw };
+dontaudit aiccu_t self:capability sys_tty_config;
+allow aiccu_t self:process signal;
+allow aiccu_t self:fifo_file rw_fifo_file_perms;
+allow aiccu_t self:netlink_route_socket create_netlink_socket_perms;
+allow aiccu_t self:tcp_socket create_stream_socket_perms;
+allow aiccu_t self:tun_socket create_socket_perms;
+allow aiccu_t self:udp_socket create_stream_socket_perms;
+allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
+
+allow aiccu_t aiccu_etc_t:file read_file_perms;
+
+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
+
+kernel_read_system_state(aiccu_t)
+
+corecmd_exec_shell(aiccu_t)
+
+corenet_all_recvfrom_netlabel(aiccu_t)
+corenet_all_recvfrom_unlabeled(aiccu_t)
+corenet_tcp_sendrecv_generic_if(aiccu_t)
+corenet_tcp_sendrecv_generic_node(aiccu_t)
+corenet_tcp_sendrecv_generic_port(aiccu_t)
+corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
+corenet_tcp_bind_generic_node(aiccu_t)
+corenet_tcp_connect_sixxsconfig_port(aiccu_t)
+corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
+
+corenet_rw_tun_tap_dev(aiccu_t)
+
+domain_use_interactive_fds(aiccu_t)
+
+dev_read_rand(aiccu_t)
+dev_read_urand(aiccu_t)
+
+files_read_etc_files(aiccu_t)
+
+logging_send_syslog_msg(aiccu_t)
+
+miscfiles_read_localization(aiccu_t)
+
+optional_policy(`
+ modutils_domtrans_insmod(aiccu_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(aiccu_t)
+ sysnet_dns_name_resolve(aiccu_t)
+')
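Review bot: `allow aiccu_t self:udp_socket create_stream_socket_perms;` applies the stream (listen/accept) permission set to a datagram socket class; this file already uses `create_socket_perms` for `tun_socket`, and afs.te in the same commit uses it for `udp_socket`, so this should be `allow aiccu_t self:udp_socket create_socket_perms;`. The capability rule above it grants `kill net_admin net_raw` without a why-comment; `net_admin` is presumably for the tunnel interface setup implied by `corenet_rw_tun_tap_dev` and the `sysnet_domtrans_ifconfig` block, and a one-line comment naming that would help the next reviewer.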
diff --git a/policy/modules/contrib/aide.fc b/policy/modules/contrib/aide.fc
new file mode 100644
index 00000000..7798464d
--- /dev/null
+++ b/policy/modules/contrib/aide.fc
@@ -0,0 +1,6 @@
+/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
+
+/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
+
+/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
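Review bot: The `/var/lib/aide(/.*)` entry on the third line of this hunk lacks the trailing `?` that the `/var/log/aide(/.*)?` entry below it has, so the `/var/lib/aide` directory itself never matches and only its contents get aide_db_t. Both `manage_files_pattern(aide_t, aide_db_t, aide_db_t)` in aide.te and `admin_pattern($1, aide_db_t)` in aide.if assume the directory carries that type. Proposed line: `/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh)`.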
diff --git a/policy/modules/contrib/aide.if b/policy/modules/contrib/aide.if
new file mode 100644
index 00000000..838d25b3
--- /dev/null
+++ b/policy/modules/contrib/aide.if
@@ -0,0 +1,71 @@
+## <summary>Aide filesystem integrity checker</summary>
+
+########################################
+## <summary>
+## Execute aide in the aide domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aide_domtrans',`
+ gen_require(`
+ type aide_t, aide_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, aide_exec_t, aide_t)
+')
+
+########################################
+## <summary>
+## Execute aide programs in the AIDE domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the AIDE domain.
+## </summary>
+## </param>
+#
+interface(`aide_run',`
+ gen_require(`
+ type aide_t;
+ ')
+
+ aide_domtrans($1)
+ role $2 types aide_t;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an aide environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`aide_admin',`
+ gen_require(`
+ type aide_t, aide_db_t, aide_log_t;
+ ')
+
+ allow $1 aide_t:process { ptrace signal_perms };
+ ps_process_pattern($1, aide_t)
+
+ files_list_etc($1)
+ admin_pattern($1, aide_db_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, aide_log_t)
+')
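Review bot: In `aide_admin`, `files_list_etc($1)` precedes `admin_pattern($1, aide_db_t)`, but aide.fc in this commit places aide_db_t under `/var/lib/aide`, so the search-path interface that matches is `files_list_var_lib($1)`; the /etc listing looks like a leftover unless some config file under /etc is also aide_db_t, which the .fc does not show. The `aisexecd_admin` interface in the same commit pairs `files_list_var_lib($1)` with its var_lib `admin_pattern`, which is the shape to follow here.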
diff --git a/policy/modules/contrib/aide.te b/policy/modules/contrib/aide.te
new file mode 100644
index 00000000..2509dd2c
--- /dev/null
+++ b/policy/modules/contrib/aide.te
@@ -0,0 +1,42 @@
+policy_module(aide, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type aide_t;
+type aide_exec_t;
+application_domain(aide_t, aide_exec_t)
+
+# log files
+type aide_log_t;
+logging_log_file(aide_log_t)
+
+# aide database
+type aide_db_t;
+files_type(aide_db_t)
+
+########################################
+#
+# aide local policy
+#
+
+allow aide_t self:capability { dac_override fowner };
+
+# database actions
+manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+
+# logs
+manage_files_pattern(aide_t, aide_log_t, aide_log_t)
+logging_log_filetrans(aide_t, aide_log_t, file)
+
+files_read_all_files(aide_t)
+
+logging_send_audit_msgs(aide_t)
+# AIDE can be configured to log to syslog
+logging_send_syslog_msg(aide_t)
+
+seutil_use_newrole_fds(aide_t)
+
+userdom_use_user_terminals(aide_t)
diff --git a/policy/modules/contrib/aisexec.fc b/policy/modules/contrib/aisexec.fc
new file mode 100644
index 00000000..7b4f4b9e
--- /dev/null
+++ b/policy/modules/contrib/aisexec.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
+
+/usr/sbin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0)
+
+/var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0)
+
+/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
+
+/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
diff --git a/policy/modules/contrib/aisexec.if b/policy/modules/contrib/aisexec.if
new file mode 100644
index 00000000..0370dba1
--- /dev/null
+++ b/policy/modules/contrib/aisexec.if
@@ -0,0 +1,106 @@
+## <summary>Aisexec Cluster Engine</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run aisexec.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aisexec_domtrans',`
+ gen_require(`
+ type aisexec_t, aisexec_exec_t;
+ ')
+
+ domtrans_pattern($1, aisexec_exec_t, aisexec_t)
+')
+
+#####################################
+## <summary>
+## Connect to aisexec over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aisexec_stream_connect',`
+ gen_require(`
+ type aisexec_t, aisexec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to read aisexec's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aisexec_read_log',`
+ gen_require(`
+ type aisexec_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
+ read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to administrate
+## an aisexec environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the aisexecd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`aisexecd_admin',`
+ gen_require(`
+ type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t;
+ type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t;
+ type aisexec_initrc_exec_t;
+ ')
+
+ allow $1 aisexec_t:process { ptrace signal_perms };
+ ps_process_pattern($1, aisexec_t)
+
+ init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 aisexec_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, aisexec_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, aisexec_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, aisexec_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, aisexec_tmp_t)
+
+ admin_pattern($1, aisexec_tmpfs_t)
+')
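Review bot: The admin interface is named `aisexecd_admin` while the module and every other interface in this file use the `aisexec_` prefix; refpolicy derives interface prefixes from the module name, so callers that look for `aisexec_admin` will not find it. Proposed: `interface(\`aisexec_admin',\`` with the role summary reading "The role to be allowed to manage the aisexec domain." to match. If the `aisexecd` spelling is deliberate for compatibility with an existing caller, a one-line comment above the interface saying so would stop the next reader from "fixing" it.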
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
new file mode 100644
index 00000000..50b9b48b
--- /dev/null
+++ b/policy/modules/contrib/aisexec.te
@@ -0,0 +1,102 @@
+policy_module(aisexec, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type aisexec_t;
+type aisexec_exec_t;
+init_daemon_domain(aisexec_t, aisexec_exec_t)
+
+type aisexec_initrc_exec_t;
+init_script_file(aisexec_initrc_exec_t)
+
+type aisexec_tmp_t;
+files_tmp_file(aisexec_tmp_t)
+
+type aisexec_tmpfs_t;
+files_tmpfs_file(aisexec_tmpfs_t)
+
+type aisexec_var_lib_t;
+files_type(aisexec_var_lib_t)
+
+type aisexec_var_log_t;
+logging_log_file(aisexec_var_log_t)
+
+type aisexec_var_run_t;
+files_pid_file(aisexec_var_run_t)
+
+########################################
+#
+# aisexec local policy
+#
+
+allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner };
+allow aisexec_t self:process { setrlimit setsched signal };
+allow aisexec_t self:fifo_file rw_fifo_file_perms;
+allow aisexec_t self:sem create_sem_perms;
+allow aisexec_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow aisexec_t self:unix_dgram_socket create_socket_perms;
+allow aisexec_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
+manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
+files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir })
+
+manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
+manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
+fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file })
+
+manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, { file dir sock_file })
+
+manage_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
+logging_log_filetrans(aisexec_t, aisexec_var_log_t, { sock_file file })
+
+manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
+files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
+
+kernel_read_system_state(aisexec_t)
+
+corecmd_exec_bin(aisexec_t)
+
+corenet_udp_bind_netsupport_port(aisexec_t)
+corenet_tcp_bind_reserved_port(aisexec_t)
+corenet_udp_bind_cluster_port(aisexec_t)
+
+dev_read_urand(aisexec_t)
+
+files_manage_mounttab(aisexec_t)
+
+auth_use_nsswitch(aisexec_t)
+
+init_rw_script_tmp_files(aisexec_t)
+
+logging_send_syslog_msg(aisexec_t)
+
+miscfiles_read_localization(aisexec_t)
+
+userdom_rw_unpriv_user_semaphores(aisexec_t)
+userdom_rw_unpriv_user_shared_mem(aisexec_t)
+
+optional_policy(`
+ ccs_stream_connect(aisexec_t)
+')
+
+optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_dlm_controld_semaphores(aisexec_t)
+
+ rhcs_rw_fenced_semaphores(aisexec_t)
+
+ rhcs_rw_gfs_controld_semaphores(aisexec_t)
+ rhcs_rw_gfs_controld_shm(aisexec_t)
+
+ rhcs_rw_groupd_semaphores(aisexec_t)
+ rhcs_rw_groupd_shm(aisexec_t)
+')
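Review bot: `corenet_tcp_bind_reserved_port(aisexec_t)` is granted, but the self-permission rules at the top of the local policy section allow only `udp_socket` creation, so a TCP bind can only succeed if another interface in the hunk (possibly `auth_use_nsswitch`) happens to supply `self:tcp_socket`. Either add `allow aisexec_t self:tcp_socket create_socket_perms;` next to the udp rule if a TCP listener is intended, or drop the reserved-port bind as dead. Binding any reserved port is also much broader than the `corenet_udp_bind_cluster_port`/`corenet_udp_bind_netsupport_port` rules beside it; a comment naming the service that needs it would let a later reviewer narrow it to a specific port interface.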
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
new file mode 100644
index 00000000..d362d9ce
--- /dev/null
+++ b/policy/modules/contrib/alsa.fc
@@ -0,0 +1,20 @@
+HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
+
+/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
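Review bot: `/usr/share/alsa/alsa\.conf` is the only single-file entry in this hunk without the `--` file-type field; the sibling `/etc/asound\.state -- …` lines restrict their label to regular files, whereas this pattern would also label a directory or symlink of that name. Proposed line: `/usr/share/alsa/alsa\.conf -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)`. Since alsa.te lets alsa_t manage alsa_etc_rw_t and the rest of that type lives under /etc, a short comment on why a /usr/share file shares the writable type would help if this is intentional.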
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
new file mode 100644
index 00000000..13926793
--- /dev/null
+++ b/policy/modules/contrib/alsa.if
@@ -0,0 +1,208 @@
+## <summary>Ainit ALSA configuration tool.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run Alsa.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`alsa_domtrans',`
+ gen_require(`
+ type alsa_t, alsa_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, alsa_exec_t, alsa_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## Alsa, and allow the specified role
+## the Alsa domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_run',`
+ gen_require(`
+ type alsa_t;
+ ')
+
+ alsa_domtrans($1)
+ role $2 types alsa_t;
+')
+
+########################################
+## <summary>
+## Read and write Alsa semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_rw_semaphores',`
+ gen_require(`
+ type alsa_t;
+ ')
+
+ allow $1 alsa_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Read and write Alsa shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_rw_shared_mem',`
+ gen_require(`
+ type alsa_t;
+ ')
+
+ allow $1 alsa_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Read writable Alsa config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_rw_config',`
+ gen_require(`
+ type alsa_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 alsa_etc_rw_t:dir list_dir_perms;
+ read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ ')
+')
+
+########################################
+## <summary>
+## Manage writable Alsa config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_manage_rw_config',`
+ gen_require(`
+ type alsa_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 alsa_etc_rw_t:dir list_dir_perms;
+ manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ ')
+')
+
+########################################
+## <summary>
+## Manage alsa home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_manage_home_files',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read Alsa home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_home_files',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel alsa home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_relabel_home_files',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Read Alsa lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_lib',`
+ gen_require(`
+ type alsa_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
new file mode 100644
index 00000000..dc1b0880
--- /dev/null
+++ b/policy/modules/contrib/alsa.te
@@ -0,0 +1,84 @@
+policy_module(alsa, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type alsa_t;
+type alsa_exec_t;
+init_system_domain(alsa_t, alsa_exec_t)
+role system_r types alsa_t;
+
+type alsa_etc_rw_t;
+files_config_file(alsa_etc_rw_t)
+
+type alsa_tmp_t;
+files_tmp_file(alsa_tmp_t)
+
+type alsa_var_lib_t;
+files_type(alsa_var_lib_t)
+
+type alsa_home_t;
+userdom_user_home_content(alsa_home_t)
+
+########################################
+#
+# Local policy
+#
+
+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
+dontaudit alsa_t self:capability sys_admin;
+allow alsa_t self:sem create_sem_perms;
+allow alsa_t self:shm create_shm_perms;
+allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+allow alsa_t self:unix_dgram_socket create_socket_perms;
+
+allow alsa_t alsa_home_t:file read_file_perms;
+
+manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
+manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
+files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+
+can_exec(alsa_t, alsa_exec_t)
+
+manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+
+manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+files_search_var_lib(alsa_t)
+
+kernel_read_system_state(alsa_t)
+
+dev_read_sound(alsa_t)
+dev_write_sound(alsa_t)
+dev_read_sysfs(alsa_t)
+
+corecmd_exec_bin(alsa_t)
+
+files_read_etc_files(alsa_t)
+files_read_usr_files(alsa_t)
+
+term_dontaudit_use_console(alsa_t)
+term_dontaudit_use_generic_ptys(alsa_t)
+term_dontaudit_use_all_ptys(alsa_t)
+
+auth_use_nsswitch(alsa_t)
+
+init_use_fds(alsa_t)
+
+logging_send_syslog_msg(alsa_t)
+
+miscfiles_read_localization(alsa_t)
+
+userdom_manage_unpriv_user_semaphores(alsa_t)
+userdom_manage_unpriv_user_shared_mem(alsa_t)
+userdom_search_user_home_dirs(alsa_t)
+
+optional_policy(`
+ hal_use_fds(alsa_t)
+ hal_write_log(alsa_t)
+')
diff --git a/policy/modules/contrib/amanda.fc b/policy/modules/contrib/amanda.fc
new file mode 100644
index 00000000..e3e07011
--- /dev/null
+++ b/policy/modules/contrib/amanda.fc
@@ -0,0 +1,26 @@
+/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
+/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
+/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+# empty m4 string so the index macro is not invoked
+/etc/amanda/.*/index`'(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+
+/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+
+/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
+/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+
+/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+
+/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
+/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
+/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0)
+/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
+# the null string in here because index is a m4 builtin function
+/var/lib/amanda/[^/]+/index`'(/.*)? gen_context(system_u:object_r:amanda_var_lib_t,s0)
+
+/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
diff --git a/policy/modules/contrib/amanda.if b/policy/modules/contrib/amanda.if
new file mode 100644
index 00000000..8498e971
--- /dev/null
+++ b/policy/modules/contrib/amanda.if
@@ -0,0 +1,161 @@
+## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## Amanda recover.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`amanda_domtrans_recover',`
+ gen_require(`
+ type amanda_recover_t, amanda_recover_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## Amanda recover, and allow the specified
+## role the Amanda recover domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`amanda_run_recover',`
+ gen_require(`
+ type amanda_recover_t;
+ ')
+
+ amanda_domtrans_recover($1)
+ role $2 types amanda_recover_t;
+')
+
+########################################
+## <summary>
+## Search Amanda library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_search_lib',`
+ gen_require(`
+ type amanda_usr_lib_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 amanda_usr_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read /etc/dumpdates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`amanda_dontaudit_read_dumpdates',`
+ gen_require(`
+ type amanda_dumpdates_t;
+ ')
+
+ dontaudit $1 amanda_dumpdates_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Read and write /etc/dumpdates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_rw_dumpdates_files',`
+ gen_require(`
+ type amanda_dumpdates_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 amanda_dumpdates_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Search Amanda library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_manage_lib',`
+ gen_require(`
+ type amanda_usr_lib_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 amanda_usr_lib_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and append amanda logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_append_log_files',`
+ gen_require(`
+ type amanda_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 amanda_log_t:file { read_file_perms append_file_perms };
+')
+
+#######################################
+## <summary>
+## Search Amanda var library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_search_var_lib',`
+ gen_require(`
+ type amanda_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 amanda_var_lib_t:dir search_dir_perms;
+')
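Review bot: The summary of `amanda_manage_lib` reads "Search Amanda library directories.", a copy of the `amanda_search_lib` summary above it, while its body grants `manage_dir_perms`. Policy authors pick interfaces by these summaries, so a "search" description on a manage interface invites over-granting. Proposed: `## Manage Amanda library directories.`.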
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
new file mode 100644
index 00000000..46d467c1
--- /dev/null
+++ b/policy/modules/contrib/amanda.te
@@ -0,0 +1,211 @@
+policy_module(amanda, 1.13.0)
+
+#######################################
+#
+# Declarations
+#
+
+type amanda_t;
+type amanda_inetd_exec_t;
+inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+role system_r types amanda_t;
+
+type amanda_exec_t;
+domain_entry_file(amanda_t, amanda_exec_t)
+
+type amanda_log_t;
+logging_log_file(amanda_log_t)
+
+type amanda_config_t;
+files_type(amanda_config_t)
+
+type amanda_usr_lib_t;
+files_type(amanda_usr_lib_t)
+
+type amanda_var_lib_t;
+files_type(amanda_var_lib_t)
+
+type amanda_gnutarlists_t;
+files_type(amanda_gnutarlists_t)
+
+type amanda_tmp_t;
+files_tmp_file(amanda_tmp_t)
+
+type amanda_amandates_t;
+files_type(amanda_amandates_t)
+
+type amanda_dumpdates_t;
+files_type(amanda_dumpdates_t)
+
+type amanda_data_t;
+files_type(amanda_data_t)
+
+type amanda_recover_t;
+type amanda_recover_exec_t;
+application_domain(amanda_recover_t, amanda_recover_exec_t)
+role system_r types amanda_recover_t;
+
+type amanda_recover_dir_t;
+files_type(amanda_recover_dir_t)
+
+optional_policy(`
+ prelink_object_file(amanda_usr_lib_t)
+')
+
+########################################
+#
+# Amanda local policy
+#
+
+allow amanda_t self:capability { chown dac_override setuid kill };
+allow amanda_t self:process { setpgid signal };
+allow amanda_t self:fifo_file rw_fifo_file_perms;
+allow amanda_t self:unix_stream_socket create_stream_socket_perms;
+allow amanda_t self:unix_dgram_socket create_socket_perms;
+allow amanda_t self:tcp_socket create_stream_socket_perms;
+allow amanda_t self:udp_socket create_socket_perms;
+
+allow amanda_t amanda_amandates_t:file rw_file_perms;
+
+allow amanda_t amanda_config_t:file read_file_perms;
+
+manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
+
+allow amanda_t amanda_dumpdates_t:file rw_file_perms;
+
+can_exec(amanda_t, amanda_exec_t)
+can_exec(amanda_t, amanda_inetd_exec_t)
+
+allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
+allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
+allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
+
+manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+
+manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
+manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
+logging_log_filetrans(amanda_t, amanda_log_t, { file dir })
+
+manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
+manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
+files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
+
+kernel_read_system_state(amanda_t)
+kernel_read_kernel_sysctls(amanda_t)
+kernel_dontaudit_getattr_unlabeled_files(amanda_t)
+kernel_dontaudit_read_proc_symlinks(amanda_t)
+
+corecmd_exec_shell(amanda_t)
+corecmd_exec_bin(amanda_t)
+
+corenet_all_recvfrom_unlabeled(amanda_t)
+corenet_all_recvfrom_netlabel(amanda_t)
+corenet_tcp_sendrecv_generic_if(amanda_t)
+corenet_udp_sendrecv_generic_if(amanda_t)
+corenet_raw_sendrecv_generic_if(amanda_t)
+corenet_tcp_sendrecv_generic_node(amanda_t)
+corenet_udp_sendrecv_generic_node(amanda_t)
+corenet_raw_sendrecv_generic_node(amanda_t)
+corenet_tcp_sendrecv_all_ports(amanda_t)
+corenet_udp_sendrecv_all_ports(amanda_t)
+corenet_tcp_bind_generic_node(amanda_t)
+corenet_udp_bind_generic_node(amanda_t)
+corenet_tcp_bind_all_rpc_ports(amanda_t)
+corenet_tcp_bind_generic_port(amanda_t)
+corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+
+dev_getattr_all_blk_files(amanda_t)
+dev_getattr_all_chr_files(amanda_t)
+
+files_read_etc_files(amanda_t)
+files_read_etc_runtime_files(amanda_t)
+files_list_all(amanda_t)
+files_read_all_files(amanda_t)
+files_read_all_symlinks(amanda_t)
+files_read_all_blk_files(amanda_t)
+files_read_all_chr_files(amanda_t)
+files_getattr_all_pipes(amanda_t)
+files_getattr_all_sockets(amanda_t)
+
+fs_getattr_xattr_fs(amanda_t)
+fs_list_all(amanda_t)
+
+storage_raw_read_fixed_disk(amanda_t)
+storage_read_tape(amanda_t)
+storage_write_tape(amanda_t)
+
+auth_use_nsswitch(amanda_t)
+auth_read_shadow(amanda_t)
+
+logging_send_syslog_msg(amanda_t)
+
+########################################
+#
+# Amanda recover local policy
+#
+
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
+allow amanda_recover_t self:process { sigkill sigstop signal };
+allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
+allow amanda_recover_t self:unix_stream_socket { connect create read write };
+allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
+allow amanda_recover_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
+
+manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_fifo_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_sock_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+files_tmp_filetrans(amanda_recover_t, amanda_tmp_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_system_state(amanda_recover_t)
+kernel_read_kernel_sysctls(amanda_recover_t)
+
+corecmd_exec_shell(amanda_recover_t)
+corecmd_exec_bin(amanda_recover_t)
+
+corenet_all_recvfrom_unlabeled(amanda_recover_t)
+corenet_all_recvfrom_netlabel(amanda_recover_t)
+corenet_tcp_sendrecv_generic_if(amanda_recover_t)
+corenet_udp_sendrecv_generic_if(amanda_recover_t)
+corenet_tcp_sendrecv_generic_node(amanda_recover_t)
+corenet_udp_sendrecv_generic_node(amanda_recover_t)
+corenet_tcp_sendrecv_all_ports(amanda_recover_t)
+corenet_udp_sendrecv_all_ports(amanda_recover_t)
+corenet_tcp_bind_generic_node(amanda_recover_t)
+corenet_udp_bind_generic_node(amanda_recover_t)
+corenet_tcp_bind_reserved_port(amanda_recover_t)
+corenet_tcp_connect_amanda_port(amanda_recover_t)
+corenet_sendrecv_amanda_client_packets(amanda_recover_t)
+
+domain_use_interactive_fds(amanda_recover_t)
+
+files_read_etc_files(amanda_recover_t)
+files_read_etc_runtime_files(amanda_recover_t)
+files_search_tmp(amanda_recover_t)
+files_search_pids(amanda_recover_t)
+
+auth_use_nsswitch(amanda_recover_t)
+
+fstools_domtrans(amanda_t)
+fstools_signal(amanda_t)
+
+logging_search_logs(amanda_recover_t)
+
+miscfiles_read_localization(amanda_recover_t)
+
+userdom_use_user_terminals(amanda_recover_t)
+userdom_search_user_home_content(amanda_recover_t)
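Review bot: `fstools_domtrans(amanda_t)` and `fstools_signal(amanda_t)` sit inside the "Amanda recover local policy" section, between `amanda_recover_t` rules, although they apply to `amanda_t`; moving them up to the amanda_t section (after `storage_write_tape(amanda_t)` keeps the module ordering used there) keeps the section header truthful. A one-line comment on why the inetd-spawned amanda_t needs to transition to the fstools domain, presumably for dump/restore, would also help since this is a transition into a privileged domain. The same applies to `auth_read_shadow(amanda_t)` earlier in the hunk, which is expected for a backup agent but unexplained.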
diff --git a/policy/modules/contrib/amavis.fc b/policy/modules/contrib/amavis.fc
new file mode 100644
index 00000000..3b669107
--- /dev/null
+++ b/policy/modules/contrib/amavis.fc
@@ -0,0 +1,18 @@
+
+/etc/amavis(d)?\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0)
+/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0)
+/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+
+/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
+/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
+')
+
+/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
+/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
+/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
+/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
diff --git a/policy/modules/contrib/amavis.if b/policy/modules/contrib/amavis.if
new file mode 100644
index 00000000..e31d92a4
--- /dev/null
+++ b/policy/modules/contrib/amavis.if
@@ -0,0 +1,261 @@
+## <summary>
+## Daemon that interfaces mail transfer agents and content
+## checkers, such as virus scanners.
+## </summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run amavis.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`amavis_domtrans',`
+ gen_require(`
+ type amavis_t, amavis_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, amavis_exec_t, amavis_t)
+')
+
+########################################
+## <summary>
+## Execute amavis server in the amavis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`amavis_initrc_domtrans',`
+ gen_require(`
+ type amavis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, amavis_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read amavis spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_read_spool_files',`
+ gen_require(`
+ type amavis_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+')
+
+########################################
+## <summary>
+## Manage amavis spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_manage_spool_files',`
+ gen_require(`
+ type amavis_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, amavis_spool_t, amavis_spool_t)
+ manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
+')
+
+########################################
+## <summary>
+## Create objects in the amavis spool directories
+## with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+#
+interface(`amavis_spool_filetrans',`
+ gen_require(`
+ type amavis_spool_t;
+ ')
+
+ files_search_spool($1)
+ filetrans_pattern($1, amavis_spool_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Search amavis lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_search_lib',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ allow $1 amavis_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read amavis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_read_lib_files',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ read_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+ allow $1 amavis_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## amavis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_manage_lib_files',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Set the attributes of amavis pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_setattr_pid_files',`
+ gen_require(`
+ type amavis_var_run_t;
+ ')
+
+ allow $1 amavis_var_run_t:file setattr_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Create of amavis pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_create_pid_files',`
+ gen_require(`
+ type amavis_var_run_t;
+ ')
+
+ allow $1 amavis_var_run_t:file create_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an amavis environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`amavis_admin',`
+ gen_require(`
+ type amavis_t, amavis_tmp_t, amavis_var_log_t;
+ type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
+ type amavis_etc_t, amavis_quarantine_t;
+ type amavis_initrc_exec_t;
+ ')
+
+ allow $1 amavis_t:process { ptrace signal_perms };
+ ps_process_pattern($1, amavis_t)
+
+ amavis_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 amavis_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, amavis_etc_t)
+
+ admin_pattern($1, amavis_quarantine_t)
+
+ files_list_spool($1)
+ admin_pattern($1, amavis_spool_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, amavis_tmp_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, amavis_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, amavis_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, amavis_var_run_t)
+')
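Review bot: `amavis_create_pid_files` grants only `amavis_var_run_t:file create_file_perms` plus `files_search_pids($1)`, so a caller that creates a file inside a directory labelled amavis_var_run_t (amavis.fc labels `/var/run/amavis(d)?(/.*)?` that way) still lacks `add_name`/`write` on the directory; if that is the intended use, `create_files_pattern($1, amavis_var_run_t, amavis_var_run_t)` covers both sides. If the caller instead creates the file directly under `/var/run`, it also needs a file transition to obtain the label at all, and neither case is stated in the interface docs. The summary of the same interface reads `## Create of amavis pid files.`; make it `## Create amavis pid files.`.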
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
new file mode 100644
index 00000000..c4f59249
--- /dev/null
+++ b/policy/modules/contrib/amavis.te
@@ -0,0 +1,194 @@
+policy_module(amavis, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type amavis_t;
+type amavis_exec_t;
+domain_type(amavis_t)
+init_daemon_domain(amavis_t, amavis_exec_t)
+
+# configuration files
+type amavis_etc_t;
+files_config_file(amavis_etc_t)
+
+type amavis_initrc_exec_t;
+init_script_file(amavis_initrc_exec_t)
+
+# pid files
+type amavis_var_run_t;
+files_pid_file(amavis_var_run_t)
+
+# var/lib files
+type amavis_var_lib_t;
+files_type(amavis_var_lib_t)
+
+# log files
+type amavis_var_log_t;
+logging_log_file(amavis_var_log_t)
+
+# tmp files
+type amavis_tmp_t;
+files_tmp_file(amavis_tmp_t)
+
+# virus quarantine
+type amavis_quarantine_t;
+files_type(amavis_quarantine_t)
+
+type amavis_spool_t;
+files_type(amavis_spool_t)
+
+########################################
+#
+# amavis local policy
+#
+
+allow amavis_t self:capability { kill chown dac_override setgid setuid };
+dontaudit amavis_t self:capability sys_tty_config;
+allow amavis_t self:process { signal sigchld sigkill signull };
+allow amavis_t self:fifo_file rw_fifo_file_perms;
+allow amavis_t self:unix_stream_socket create_stream_socket_perms;
+allow amavis_t self:unix_dgram_socket create_socket_perms;
+allow amavis_t self:tcp_socket { listen accept };
+allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
+
+# configuration files
+allow amavis_t amavis_etc_t:dir list_dir_perms;
+read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
+read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
+
+can_exec(amavis_t, amavis_exec_t)
+
+# mail quarantine
+manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+
+# Spool Files
+manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+files_search_spool(amavis_t)
+
+# tmp files
+manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
+files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+
+# var/lib files for amavis
+manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+files_search_var_lib(amavis_t)
+
+# log files
+allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
+manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
+
+# pid file
+manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(amavis_t)
+# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
+kernel_dontaudit_list_proc(amavis_t)
+kernel_dontaudit_read_proc_symlinks(amavis_t)
+kernel_dontaudit_read_system_state(amavis_t)
+
+# find perl
+corecmd_exec_bin(amavis_t)
+corecmd_exec_shell(amavis_t)
+
+corenet_all_recvfrom_unlabeled(amavis_t)
+corenet_all_recvfrom_netlabel(amavis_t)
+corenet_tcp_sendrecv_generic_if(amavis_t)
+corenet_tcp_sendrecv_generic_node(amavis_t)
+corenet_tcp_bind_generic_node(amavis_t)
+corenet_udp_bind_generic_node(amavis_t)
+# amavis uses well-defined ports
+corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
+corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
+# just the other side not. ;-)
+corenet_tcp_sendrecv_all_ports(amavis_t)
+# connect to backchannel port
+corenet_tcp_connect_amavisd_send_port(amavis_t)
+# bind to incoming port
+corenet_tcp_bind_amavisd_recv_port(amavis_t)
+corenet_udp_bind_generic_port(amavis_t)
+corenet_dontaudit_udp_bind_all_ports(amavis_t)
+corenet_tcp_connect_razor_port(amavis_t)
+
+dev_read_rand(amavis_t)
+dev_read_urand(amavis_t)
+
+domain_use_interactive_fds(amavis_t)
+
+files_read_etc_files(amavis_t)
+files_read_etc_runtime_files(amavis_t)
+files_read_usr_files(amavis_t)
+
+fs_getattr_xattr_fs(amavis_t)
+
+auth_dontaudit_read_shadow(amavis_t)
+
+# uses uptime which reads utmp - redhat bug 561383
+init_read_utmp(amavis_t)
+init_stream_connect_script(amavis_t)
+
+logging_send_syslog_msg(amavis_t)
+
+miscfiles_read_generic_certs(amavis_t)
+miscfiles_read_localization(amavis_t)
+
+sysnet_dns_name_resolve(amavis_t)
+sysnet_use_ldap(amavis_t)
+
+userdom_dontaudit_search_user_home_dirs(amavis_t)
+
+# Cron handling
+cron_use_fds(amavis_t)
+cron_use_system_job_fds(amavis_t)
+cron_rw_pipes(amavis_t)
+
+mta_read_config(amavis_t)
+
+optional_policy(`
+ clamav_stream_connect(amavis_t)
+ clamav_domtrans_clamscan(amavis_t)
+')
+
+optional_policy(`
+ dcc_domtrans_client(amavis_t)
+ dcc_stream_connect_dccifd(amavis_t)
+')
+
+optional_policy(`
+ nslcd_stream_connect(amavis_t)
+')
+
+optional_policy(`
+ postfix_read_config(amavis_t)
+')
+
+optional_policy(`
+ pyzor_domtrans(amavis_t)
+ pyzor_signal(amavis_t)
+')
+
+optional_policy(`
+ razor_domtrans(amavis_t)
+')
+
+optional_policy(`
+ spamassassin_exec(amavis_t)
+ spamassassin_exec_client(amavis_t)
+ spamassassin_read_lib_files(amavis_t)
+')
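Review bot: The comment `# just the other side not. ;-)` above `corenet_tcp_sendrecv_all_ports(amavis_t)` does not explain why the domain needs send/receive on every TCP port when the two amavisd ports are granted on the lines just before it; replace it with the actual reason (presumably reply traffic on whatever ephemeral port the MTA or content checker uses, if that is the case) or narrow the rule if a port list suffices. The `dac_override` capability in the first `allow amavis_t self:capability` line of the local policy section is likewise unexplained; a one-line why-comment there, e.g. `# dac_override: <reason> - TODO confirm whether dac_read_search is enough`, would let a later reviewer judge whether the weaker capability would do.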
diff --git a/policy/modules/contrib/amtu.fc b/policy/modules/contrib/amtu.fc
new file mode 100644
index 00000000..d97160eb
--- /dev/null
+++ b/policy/modules/contrib/amtu.fc
@@ -0,0 +1 @@
+/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
diff --git a/policy/modules/contrib/amtu.if b/policy/modules/contrib/amtu.if
new file mode 100644
index 00000000..be82315d
--- /dev/null
+++ b/policy/modules/contrib/amtu.if
@@ -0,0 +1,46 @@
+## <summary>Abstract Machine Test Utility.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run Amtu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`amtu_domtrans',`
+ gen_require(`
+ type amtu_t, amtu_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, amtu_exec_t, amtu_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## Amtu, and allow the specified role
+## the Amtu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`amtu_run',`
+ gen_require(`
+ type amtu_t;
+ ')
+
+ amtu_domtrans($1)
+ role $2 types amtu_t;
+')
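Review bot: `amtu_run` is missing the `## <rolecap/>` tag in its documentation block; the `amavis_admin` interface added earlier in this commit carries it, and without it the interface is not flagged as a role capability in the generated interface documentation. Add `## <rolecap/>` after the `## </param>` line that closes the `role` parameter.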
diff --git a/policy/modules/contrib/amtu.te b/policy/modules/contrib/amtu.te
new file mode 100644
index 00000000..057abb0c
--- /dev/null
+++ b/policy/modules/contrib/amtu.te
@@ -0,0 +1,34 @@
+policy_module(amtu, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type amtu_t;
+type amtu_exec_t;
+domain_type(amtu_t)
+domain_entry_file(amtu_t, amtu_exec_t)
+
+########################################
+#
+# amtu local policy
+#
+
+kernel_read_system_state(amtu_t)
+
+files_manage_boot_files(amtu_t)
+files_read_etc_runtime_files(amtu_t)
+files_read_etc_files(amtu_t)
+
+logging_send_audit_msgs(amtu_t)
+
+userdom_use_user_terminals(amtu_t)
+
+optional_policy(`
+ nscd_dontaudit_search_pid(amtu_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(amtu_t)
+')
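Review bot: `files_manage_boot_files(amtu_t)` gives the test utility create, write and delete access to `/boot` content with no comment saying why a test tool needs more than read access there; as the domain is entered from user roles through `amtu_run`, this is the broadest rule in the module. Add a why-comment such as `# amtu writes below /boot for <reason> - TODO confirm`, or reduce it to a read interface if writing is not actually required.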
diff --git a/policy/modules/contrib/anaconda.fc b/policy/modules/contrib/anaconda.fc
new file mode 100644
index 00000000..b098089d
--- /dev/null
+++ b/policy/modules/contrib/anaconda.fc
@@ -0,0 +1 @@
+# No file context specifications.
diff --git a/policy/modules/contrib/anaconda.if b/policy/modules/contrib/anaconda.if
new file mode 100644
index 00000000..14a61b7e
--- /dev/null
+++ b/policy/modules/contrib/anaconda.if
@@ -0,0 +1 @@
+## <summary>Anaconda installer.</summary>
diff --git a/policy/modules/contrib/anaconda.te b/policy/modules/contrib/anaconda.te
new file mode 100644
index 00000000..e81bdbd7
--- /dev/null
+++ b/policy/modules/contrib/anaconda.te
@@ -0,0 +1,59 @@
+policy_module(anaconda, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type anaconda_t;
+type anaconda_exec_t;
+domain_type(anaconda_t)
+domain_obj_id_change_exemption(anaconda_t)
+role system_r types anaconda_t;
+
+########################################
+#
+# Local policy
+#
+
+allow anaconda_t self:process execmem;
+
+kernel_domtrans_to(anaconda_t, anaconda_exec_t)
+
+init_domtrans_script(anaconda_t)
+
+libs_domtrans_ldconfig(anaconda_t)
+
+logging_send_syslog_msg(anaconda_t)
+
+modutils_domtrans_insmod(anaconda_t)
+modutils_domtrans_depmod(anaconda_t)
+
+seutil_domtrans_semanage(anaconda_t)
+
+userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ kudzu_domtrans(anaconda_t)
+')
+
+optional_policy(`
+ rpm_domtrans(anaconda_t)
+ rpm_domtrans_script(anaconda_t)
+')
+
+optional_policy(`
+ ssh_domtrans_keygen(anaconda_t)
+')
+
+optional_policy(`
+ udev_domtrans(anaconda_t)
+')
+
+optional_policy(`
+ unconfined_domain(anaconda_t)
+')
+
+optional_policy(`
+ usermanage_domtrans_admin_passwd(anaconda_t)
+')
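Review bot: `anaconda_exec_t` is declared at the top of the hunk and used as the entry point in `kernel_domtrans_to(anaconda_t, anaconda_exec_t)`, but anaconda.fc in this same commit contains only `# No file context specifications.`, so no on-disk file receives that label and the transition is presumably reachable only if the installer environment labels its own entry point. A comment beside the type declaration, e.g. `# no file context: the installer is expected to label its entry point at runtime - confirm`, would save the next reader the search. Note also that when the unconfined module is present `unconfined_domain(anaconda_t)` makes the explicit domtrans rules above it moot; stating that those rules are for the confined build would make the intent clear.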
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
new file mode 100644
index 00000000..9e39aa5b
--- /dev/null
+++ b/policy/modules/contrib/apache.fc
@@ -0,0 +1,111 @@
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+
+/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+
+/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+
+/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+
+ifdef(`distro_suse', `
+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+')
+
+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+
+/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+')
+
+/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+
+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
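Review bot: The `/var/spool/viewvc(/.*)?` entry writes `gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)` with a space before `s0`, unlike every other line in the file; make it `gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` for consistency. Separately, `/var/cache/mod_.*` already matches the `mod_gnutls`, `mod_proxy` and `mod_ssl` lines after it with the same type, and `/var/cache/php-.*` likewise covers the two `php-` lines that follow; they are harmless, but a short comment noting they are intentionally explicit would stop someone treating them as a labelling difference.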
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
new file mode 100644
index 00000000..53b982ed
--- /dev/null
+++ b/policy/modules/contrib/apache.if
@@ -0,0 +1,1324 @@
+## <summary>Apache web server</summary>
+
+########################################
+## <summary>
+## Create a set of derived types for apache
+## web content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`apache_content_template',`
+ gen_require(`
+ attribute httpdcontent;
+ attribute httpd_exec_scripts;
+ attribute httpd_script_exec_type;
+ attribute httpd_rw_content;
+ attribute httpd_ra_content;
+ type httpd_t, httpd_suexec_t, httpd_log_t;
+ ')
+ # allow write access to public file transfer
+ # services files.
+ gen_tunable(allow_httpd_$1_script_anon_write, false)
+
+ #This type is for webpages
+ type httpd_$1_content_t, httpdcontent; # customizable
+ typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
+ files_type(httpd_$1_content_t)
+
+ # This type is used for .htaccess files
+ type httpd_$1_htaccess_t; # customizable;
+ files_type(httpd_$1_htaccess_t)
+
+ # Type that CGI scripts run as
+ type httpd_$1_script_t;
+ domain_type(httpd_$1_script_t)
+ role system_r types httpd_$1_script_t;
+
+ # This type is used for executable scripts files
+ type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+ corecmd_shell_entry_type(httpd_$1_script_t)
+ domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
+
+ type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
+ typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
+ files_type(httpd_$1_rw_content_t)
+
+ type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
+ typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
+ files_type(httpd_$1_ra_content_t)
+
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
+
+ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+ allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+
+ allow httpd_$1_script_t self:fifo_file rw_file_perms;
+ allow httpd_$1_script_t self:unix_stream_socket connectto;
+
+ allow httpd_$1_script_t httpd_t:fifo_file write;
+ # apache should set close-on-exec
+ dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
+ # Allow the script process to search the cgi directory, and users directory
+ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
+
+ append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
+ logging_search_logs(httpd_$1_script_t)
+
+ can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
+
+ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+
+ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+
+ manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
+
+ kernel_dontaudit_search_sysctl(httpd_$1_script_t)
+ kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
+
+ dev_read_rand(httpd_$1_script_t)
+ dev_read_urand(httpd_$1_script_t)
+
+ corecmd_exec_all_executables(httpd_$1_script_t)
+
+ files_exec_etc_files(httpd_$1_script_t)
+ files_read_etc_files(httpd_$1_script_t)
+ files_search_home(httpd_$1_script_t)
+
+ libs_exec_ld_so(httpd_$1_script_t)
+ libs_exec_lib_files(httpd_$1_script_t)
+
+ miscfiles_read_fonts(httpd_$1_script_t)
+ miscfiles_read_public_files(httpd_$1_script_t)
+
+ seutil_dontaudit_search_config(httpd_$1_script_t)
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_$1_script_t httpdcontent:file entrypoint;
+
+ manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+ can_exec(httpd_$1_script_t, httpdcontent)
+ ')
+
+ tunable_policy(`allow_httpd_$1_script_anon_write',`
+ miscfiles_manage_public_files(httpd_$1_script_t)
+ ')
+
+ # Allow the web server to run scripts and serve pages
+ tunable_policy(`httpd_builtin_scripting',`
+ manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+
+ allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+
+ allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+
+ allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+ # apache runs the script:
+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+ allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+ allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
+
+ allow httpd_$1_script_t self:process { setsched signal_perms };
+ allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow httpd_$1_script_t httpd_t:fd use;
+ allow httpd_$1_script_t httpd_t:process sigchld;
+
+ kernel_read_system_state(httpd_$1_script_t)
+
+ dev_read_urand(httpd_$1_script_t)
+
+ fs_getattr_xattr_fs(httpd_$1_script_t)
+
+ files_read_etc_runtime_files(httpd_$1_script_t)
+ files_read_usr_files(httpd_$1_script_t)
+
+ libs_read_lib_files(httpd_$1_script_t)
+
+ miscfiles_read_localization(httpd_$1_script_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`httpd_enable_cgi && allow_ypbind',`
+ nis_use_ypbind_uncond(httpd_$1_script_t)
+ ')
+ ')
+
+ optional_policy(`
+ postgresql_unpriv_client(httpd_$1_script_t)
+
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_$1_script_t)
+ ')
+ ')
+
+ optional_policy(`
+ nscd_socket_use(httpd_$1_script_t)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for apache
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`apache_role',`
+ gen_require(`
+ attribute httpdcontent;
+ type httpd_user_content_t, httpd_user_htaccess_t;
+ type httpd_user_script_t, httpd_user_script_exec_t;
+ type httpd_user_ra_content_t, httpd_user_rw_content_t;
+ ')
+
+ role $1 types httpd_user_script_t;
+
+ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
+ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+
+ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+
+ tunable_policy(`httpd_enable_cgi',`
+ # If a user starts a script by hand it gets the proper context
+ domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ domtrans_pattern($2, httpdcontent, httpd_user_script_t)
+ ')
+')
+
+########################################
+## <summary>
+## Read httpd user scripts executables.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_user_scripts',`
+ gen_require(`
+ type httpd_user_script_exec_t;
+ ')
+
+ allow $1 httpd_user_script_exec_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
+')
+
+########################################
+## <summary>
+## Read user web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_user_content',`
+ gen_require(`
+ type httpd_user_content_t;
+ ')
+
+ allow $1 httpd_user_content_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+ read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+')
+
+########################################
+## <summary>
+## Transition to apache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_domtrans',`
+ gen_require(`
+ type httpd_t, httpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, httpd_exec_t, httpd_t)
+')
+
+#######################################
+## <summary>
+## Send a generic signal to apache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_signal',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process signal;
+')
+
+########################################
+## <summary>
+## Send a null signal to apache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_signull',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process signull;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to apache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_sigchld',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from Apache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_use_fds',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write Apache
+## unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_fifo_file',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write Apache
+## unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write Apache
+## TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Read all appendable content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ read_files_pattern($1, httpd_ra_content, httpd_ra_content)
+ read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+## Append to all appendable web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_append_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ allow $1 httpd_ra_content:dir { list_dir_perms add_entry_dir_perms };
+ append_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+## Read all read/write content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ read_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+## <summary>
+## Manage all read/write content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+## <summary>
+## Read all web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_content',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_exec_type;
+ ')
+
+ read_files_pattern($1, httpdcontent, httpdcontent)
+ read_lnk_files_pattern($1, httpdcontent, httpdcontent)
+
+ read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete all web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_all_content',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_exec_type;
+ ')
+
+ manage_dirs_pattern($1, httpdcontent, httpdcontent)
+ manage_files_pattern($1, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern($1, httpdcontent, httpdcontent)
+
+ manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+')
+
+########################################
+## <summary>
+## Allow domain to set the attributes
+## of the APACHE cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_setattr_cache_dirs',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ allow $1 httpd_cache_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to list
+## Apache cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_list_cache',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## and write Apache cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_rw_cache_files',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ allow $1 httpd_cache_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to delete
+## Apache cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_delete_cache_files',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## apache configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 httpd_config_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## apache configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_manage_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
+ manage_files_pattern($1, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+')
+
+########################################
+## <summary>
+## Execute the Apache helper program with
+## a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_domtrans_helper',`
+ gen_require(`
+ type httpd_helper_t, httpd_helper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
+')
+
+########################################
+## <summary>
+## Execute the Apache helper program with
+## a domain transition, and allow the
+## specified role the Apache helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_run_helper',`
+ gen_require(`
+ type httpd_helper_t;
+ ')
+
+ apache_domtrans_helper($1)
+ role $2 types httpd_helper_t;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## apache log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 httpd_log_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## to apache log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_append_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 httpd_log_t:dir list_dir_perms;
+ append_files_pattern($1, httpd_log_t, httpd_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append to the
+## Apache logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_append_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ dontaudit $1 httpd_log_t:file { getattr append };
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## to apache log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_manage_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
+ manage_files_pattern($1, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search Apache
+## module directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_search_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ dontaudit $1 httpd_modules_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to list
+## the contents of the apache modules
+## directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_list_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ allow $1 httpd_modules_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute
+## apache modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_exec_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ allow $1 httpd_modules_t:dir list_dir_perms;
+ allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
+ can_exec($1, httpd_modules_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run httpd_rotatelogs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_domtrans_rotatelogs',`
+ gen_require(`
+ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+ ')
+
+ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to list
+## apache system content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_list_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## apache system content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
+interface(`apache_manage_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+')
+
+########################################
+## <summary>
+## Execute all web scripts in the system
+## script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+# cjp: this interface specifically added to allow
+# sysadm_t to run scripts
+interface(`apache_domtrans_sys_script',`
+ gen_require(`
+ attribute httpdcontent;
+ type httpd_sys_script_t;
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
+ ')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write Apache
+## system script unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
+ gen_require(`
+ type httpd_sys_script_t;
+ ')
+
+ dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Execute all user scripts in the user
+## script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_domtrans_all_scripts',`
+ gen_require(`
+ attribute httpd_exec_scripts;
+ ')
+
+ typeattribute $1 httpd_exec_scripts;
+')
+
+########################################
+## <summary>
+## Execute all user scripts in the user
+## script domain. Add user script domains
+## to the specified role.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access..
+## </summary>
+## </param>
+#
+interface(`apache_run_all_scripts',`
+ gen_require(`
+ attribute httpd_exec_scripts, httpd_script_domains;
+ ')
+
+ role $2 types httpd_script_domains;
+ apache_domtrans_all_scripts($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## apache squirrelmail data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_squirrelmail_data',`
+ gen_require(`
+ type httpd_squirrelmail_t;
+ ')
+
+ allow $1 httpd_squirrelmail_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## apache squirrelmail data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_append_squirrelmail_data',`
+ gen_require(`
+ type httpd_squirrelmail_t;
+ ')
+
+ allow $1 httpd_squirrelmail_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Search apache system content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ allow $1 httpd_sys_content_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read apache system content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ allow $1 httpd_sys_content_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+')
+
+########################################
+## <summary>
+## Search apache system CGI directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_sys_scripts',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_script_exec_t;
+ ')
+
+ search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete all user web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_all_user_content',`
+ gen_require(`
+ attribute httpd_user_content_type, httpd_user_script_exec_type;
+ ')
+
+ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+
+ manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+')
+
+########################################
+## <summary>
+## Search system script state directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_sys_script_state',`
+ gen_require(`
+ type httpd_sys_script_t;
+ ')
+
+ allow $1 httpd_sys_script_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## apache tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to write
+## apache tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_write_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_tmp_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Execute CGI in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute CGI in the specified domain.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain run the cgi script in.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## Type of the executable to enter the cgi domain.
+## </summary>
+## </param>
+#
+interface(`apache_cgi_domain',`
+ gen_require(`
+ type httpd_t, httpd_sys_script_exec_t;
+ ')
+
+ domtrans_pattern(httpd_t, $2, $1)
+ apache_search_sys_scripts($1)
+
+ allow httpd_t $1:process signal;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an apache environment
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix of the domain. Example, user would be
+## the prefix for the uder_t domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_admin',`
+ gen_require(`
+ attribute httpdcontent;
+ attribute httpd_script_exec_type;
+
+ type httpd_t, httpd_config_t, httpd_log_t;
+ type httpd_modules_t, httpd_lock_t;
+ type httpd_var_run_t, httpd_php_tmp_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t;
+ type httpd_initrc_exec_t;
+ ')
+
+ allow $1 httpd_t:process { getattr ptrace signal_perms };
+ ps_process_pattern($1, httpd_t)
+
+ init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 httpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ apache_manage_all_content($1)
+ miscfiles_manage_public_files($1)
+
+ files_search_etc($1)
+ admin_pattern($1, httpd_config_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, httpd_log_t)
+
+ admin_pattern($1, httpd_modules_t)
+
+ admin_pattern($1, httpd_lock_t)
+ files_lock_filetrans($1, httpd_lock_t, file)
+
+ admin_pattern($1, httpd_var_run_t)
+ files_pid_filetrans($1, httpd_var_run_t, file)
+
+ kernel_search_proc($1)
+ allow $1 httpd_t:dir list_dir_perms;
+
+ read_lnk_files_pattern($1, httpd_t, httpd_t)
+
+ admin_pattern($1, httpdcontent)
+ admin_pattern($1, httpd_script_exec_type)
+ admin_pattern($1, httpd_tmp_t)
+ admin_pattern($1, httpd_php_tmp_t)
+ admin_pattern($1, httpd_suexec_tmp_t)
+')
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
new file mode 100644
index 00000000..18d44040
--- /dev/null
+++ b/policy/modules/contrib/apache.te
@@ -0,0 +1,915 @@
+policy_module(apache, 2.3.0)
+
+#
+# NOTES:
+# This policy will work with SUEXEC enabled as part of the Apache
+# configuration. However, the user CGI scripts will run under the
+# system_u:system_r:httpd_user_script_t.
+#
+# The user CGI scripts must be labeled with the httpd_user_script_exec_t
+# type, and the directory containing the scripts should also be labeled
+# with these types. This policy allows the user role to perform that
+# relabeling. If it is desired that only admin role should be able to relabel
+# the user CGI scripts, then relabel rule for user roles should be removed.
+#
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Apache to modify public files
+## used for public file transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_httpd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
+## <desc>
+## <p>
+## Allow httpd to use built in scripting (usually php)
+## </p>
+## </desc>
+gen_tunable(httpd_builtin_scripting, false)
+
+## <desc>
+## <p>
+## Allow HTTPD scripts and modules to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect, false)
+
+## <desc>
+## <p>
+## Allow HTTPD scripts and modules to connect to databases over the network.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_db, false)
+
+## <desc>
+## <p>
+## Allow httpd to act as a relay
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_relay, false)
+
+## <desc>
+## <p>
+## Allow http daemon to send mail
+## </p>
+## </desc>
+gen_tunable(httpd_can_sendmail, false)
+
+## <desc>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
+## </desc>
+gen_tunable(httpd_dbus_avahi, false)
+
+## <desc>
+## <p>
+## Allow httpd cgi support
+## </p>
+## </desc>
+gen_tunable(httpd_enable_cgi, false)
+
+## <desc>
+## <p>
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+## </p>
+## </desc>
+gen_tunable(httpd_enable_ftp_server, false)
+
+## <desc>
+## <p>
+## Allow httpd to read home directories
+## </p>
+## </desc>
+gen_tunable(httpd_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Allow httpd daemon to change its resource limits
+## </p>
+## </desc>
+gen_tunable(httpd_setrlimit, false)
+
+## <desc>
+## <p>
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+## </p>
+## </desc>
+gen_tunable(httpd_ssi_exec, false)
+
+## <desc>
+## <p>
+## Unify HTTPD to communicate with the terminal.
+## Needed for entering the passphrase for certificates at
+## the terminal.
+## </p>
+## </desc>
+gen_tunable(httpd_tty_comm, false)
+
+## <desc>
+## <p>
+## Unify HTTPD handling of all content files.
+## </p>
+## </desc>
+gen_tunable(httpd_unified, false)
+
+## <desc>
+## <p>
+## Allow httpd to access cifs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow httpd to run gpg
+## </p>
+## </desc>
+gen_tunable(httpd_use_gpg, false)
+
+## <desc>
+## <p>
+## Allow httpd to access nfs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_nfs, false)
+
+attribute httpdcontent;
+attribute httpd_ra_content;
+attribute httpd_rw_content;
+attribute httpd_user_content_type;
+
+# domains that can exec all users scripts
+attribute httpd_exec_scripts;
+
+attribute httpd_script_exec_type;
+attribute httpd_user_script_exec_type;
+
+# user script domains
+attribute httpd_script_domains;
+
+type httpd_t;
+type httpd_exec_t;
+init_daemon_domain(httpd_t, httpd_exec_t)
+role system_r types httpd_t;
+
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
+type httpd_cache_t;
+files_type(httpd_cache_t)
+
+# httpd_config_t is the type given to the configuration files
+type httpd_config_t;
+files_type(httpd_config_t)
+
+type httpd_helper_t;
+type httpd_helper_exec_t;
+domain_type(httpd_helper_t)
+domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
+role system_r types httpd_helper_t;
+
+type httpd_initrc_exec_t;
+init_script_file(httpd_initrc_exec_t)
+
+type httpd_lock_t;
+files_lock_file(httpd_lock_t)
+
+type httpd_log_t;
+logging_log_file(httpd_log_t)
+
+# httpd_modules_t is the type given to module files (libraries)
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
+type httpd_modules_t;
+files_type(httpd_modules_t)
+
+type httpd_php_t;
+type httpd_php_exec_t;
+domain_type(httpd_php_t)
+domain_entry_file(httpd_php_t, httpd_php_exec_t)
+role system_r types httpd_php_t;
+
+type httpd_php_tmp_t;
+files_tmp_file(httpd_php_tmp_t)
+
+type httpd_rotatelogs_t;
+type httpd_rotatelogs_exec_t;
+init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+
+type httpd_squirrelmail_t;
+files_type(httpd_squirrelmail_t)
+
+# SUEXEC runs user scripts as their own user ID
+type httpd_suexec_t; #, daemon;
+type httpd_suexec_exec_t;
+domain_type(httpd_suexec_t)
+domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
+role system_r types httpd_suexec_t;
+
+type httpd_suexec_tmp_t;
+files_tmp_file(httpd_suexec_tmp_t)
+
+# setup the system domain for system CGI scripts
+apache_content_template(sys)
+typealias httpd_sys_content_t alias ntop_http_content_t;
+
+type httpd_tmp_t;
+files_tmp_file(httpd_tmp_t)
+
+type httpd_tmpfs_t;
+files_tmpfs_file(httpd_tmpfs_t)
+
+apache_content_template(user)
+ubac_constrained(httpd_user_script_t)
+userdom_user_home_content(httpd_user_content_t)
+userdom_user_home_content(httpd_user_htaccess_t)
+userdom_user_home_content(httpd_user_script_exec_t)
+userdom_user_home_content(httpd_user_ra_content_t)
+userdom_user_home_content(httpd_user_rw_content_t)
+typeattribute httpd_user_script_t httpd_script_domains;
+typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
+typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
+typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
+typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
+typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
+typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
+typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
+typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
+typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
+typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
+typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
+typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
+typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
+
+# for apache2 memory mapped files
+type httpd_var_lib_t;
+files_type(httpd_var_lib_t)
+
+type httpd_var_run_t;
+files_pid_file(httpd_var_run_t)
+
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t;
+files_tmp_file(squirrelmail_spool_t)
+
+optional_policy(`
+ prelink_object_file(httpd_modules_t)
+')
+
+########################################
+#
+# Apache server local policy
+#
+
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
+allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_t self:fd use;
+allow httpd_t self:sock_file read_sock_file_perms;
+allow httpd_t self:fifo_file rw_fifo_file_perms;
+allow httpd_t self:shm create_shm_perms;
+allow httpd_t self:sem create_sem_perms;
+allow httpd_t self:msgq create_msgq_perms;
+allow httpd_t self:msg { send receive };
+allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow httpd_t self:tcp_socket create_stream_socket_perms;
+allow httpd_t self:udp_socket create_socket_perms;
+
+# Allow httpd_t to put files in /var/cache/httpd etc
+manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+
+# Allow the httpd_t to read the web servers config files
+allow httpd_t httpd_config_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+
+can_exec(httpd_t, httpd_exec_t)
+
+allow httpd_t httpd_lock_t:file manage_file_perms;
+files_lock_filetrans(httpd_t, httpd_lock_t, file)
+
+allow httpd_t httpd_log_t:dir setattr;
+create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+# cjp: need to refine create interfaces to
+# cut this back to add_name only
+logging_log_filetrans(httpd_t, httpd_log_t, file)
+
+allow httpd_t httpd_modules_t:dir list_dir_perms;
+mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+
+apache_domtrans_rotatelogs(httpd_t)
+# Apache-httpd needs to be able to send signals to the log rotate procs.
+allow httpd_t httpd_rotatelogs_t:process signal_perms;
+
+manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+
+allow httpd_t httpd_suexec_exec_t:file read_file_perms;
+
+allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+
+allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
+
+manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
+
+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
+
+manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+
+kernel_read_kernel_sysctls(httpd_t)
+# for modules that want to access /proc/meminfo
+kernel_read_system_state(httpd_t)
+
+corenet_all_recvfrom_unlabeled(httpd_t)
+corenet_all_recvfrom_netlabel(httpd_t)
+corenet_tcp_sendrecv_generic_if(httpd_t)
+corenet_udp_sendrecv_generic_if(httpd_t)
+corenet_tcp_sendrecv_generic_node(httpd_t)
+corenet_udp_sendrecv_generic_node(httpd_t)
+corenet_tcp_sendrecv_all_ports(httpd_t)
+corenet_udp_sendrecv_all_ports(httpd_t)
+corenet_tcp_bind_generic_node(httpd_t)
+corenet_tcp_bind_http_port(httpd_t)
+corenet_tcp_bind_http_cache_port(httpd_t)
+corenet_sendrecv_http_server_packets(httpd_t)
+# Signal self for shutdown
+corenet_tcp_connect_http_port(httpd_t)
+
+dev_read_sysfs(httpd_t)
+dev_read_rand(httpd_t)
+dev_read_urand(httpd_t)
+dev_rw_crypto(httpd_t)
+
+fs_getattr_all_fs(httpd_t)
+fs_search_auto_mountpoints(httpd_t)
+
+auth_use_nsswitch(httpd_t)
+
+# execute perl
+corecmd_exec_bin(httpd_t)
+corecmd_exec_shell(httpd_t)
+
+domain_use_interactive_fds(httpd_t)
+
+files_dontaudit_getattr_all_pids(httpd_t)
+files_read_usr_files(httpd_t)
+files_list_mnt(httpd_t)
+files_search_spool(httpd_t)
+files_read_var_lib_files(httpd_t)
+files_search_home(httpd_t)
+files_getattr_home_dir(httpd_t)
+# for modules that want to access /etc/mtab
+files_read_etc_runtime_files(httpd_t)
+# Allow httpd_t to have access to files such as nisswitch.conf
+files_read_etc_files(httpd_t)
+# for tomcat
+files_read_var_lib_symlinks(httpd_t)
+
+fs_search_auto_mountpoints(httpd_sys_script_t)
+
+libs_read_lib_files(httpd_t)
+
+logging_send_syslog_msg(httpd_t)
+
+miscfiles_read_localization(httpd_t)
+miscfiles_read_fonts(httpd_t)
+miscfiles_read_public_files(httpd_t)
+miscfiles_read_generic_certs(httpd_t)
+
+seutil_dontaudit_search_config(httpd_t)
+
+userdom_use_unpriv_users_fds(httpd_t)
+
+tunable_policy(`allow_httpd_anon_write',`
+ miscfiles_manage_public_files(httpd_t)
+')
+
+ifdef(`TODO', `
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`allow_httpd_mod_auth_pam',`
+ auth_domtrans_chk_passwd(httpd_t)
+')
+')
+
+tunable_policy(`httpd_can_network_connect',`
+ corenet_tcp_connect_all_ports(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_relay',`
+ # allow httpd to work as a relay
+ corenet_tcp_connect_gopher_port(httpd_t)
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_connect_http_port(httpd_t)
+ corenet_tcp_connect_http_cache_port(httpd_t)
+ corenet_tcp_connect_memcache_port(httpd_t)
+ corenet_sendrecv_gopher_client_packets(httpd_t)
+ corenet_sendrecv_ftp_client_packets(httpd_t)
+ corenet_sendrecv_http_client_packets(httpd_t)
+ corenet_sendrecv_http_cache_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+ domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+
+ manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
+')
+
+tunable_policy(`httpd_enable_ftp_server',`
+ corenet_tcp_bind_ftp_port(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_read_user_home_content_files(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_t)
+ fs_read_nfs_symlinks(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_t)
+ fs_read_cifs_symlinks(httpd_t)
+')
+
+tunable_policy(`httpd_can_sendmail',`
+ # allow httpd to connect to mail servers
+ corenet_tcp_connect_smtp_port(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
+ mta_send_mail(httpd_t)
+')
+
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+ allow httpd_t self:capability sys_resource;
+')
+
+tunable_policy(`httpd_ssi_exec',`
+ corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
+ allow httpd_sys_script_t httpd_t:fd use;
+ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+ allow httpd_sys_script_t httpd_t:process sigchld;
+')
+
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here.
+tunable_policy(`httpd_tty_comm',`
+ userdom_use_user_terminals(httpd_t)
+',`
+ userdom_dontaudit_use_user_terminals(httpd_t)
+')
+
+optional_policy(`
+ calamaris_read_www_files(httpd_t)
+')
+
+optional_policy(`
+ ccs_read_config(httpd_t)
+')
+
+optional_policy(`
+ cobbler_search_lib(httpd_t)
+')
+
+optional_policy(`
+ cron_system_entry(httpd_t, httpd_exec_t)
+')
+
+optional_policy(`
+ cvs_read_data(httpd_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(httpd_t, httpd_exec_t)
+')
+
+ optional_policy(`
+ dbus_system_bus_client(httpd_t)
+
+ tunable_policy(`httpd_dbus_avahi',`
+ avahi_dbus_chat(httpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+ gpg_domtrans(httpd_t)
+ ')
+')
+
+optional_policy(`
+ kerberos_keytab_template(httpd, httpd_t)
+')
+
+optional_policy(`
+ mailman_signal_cgi(httpd_t)
+ mailman_domtrans_cgi(httpd_t)
+ mailman_read_data_files(httpd_t)
+ # should have separate types for public and private archives
+ mailman_search_data(httpd_t)
+ mailman_read_archive(httpd_t)
+')
+
+optional_policy(`
+ # Allow httpd to work with mysql
+ mysql_stream_connect(httpd_t)
+ mysql_rw_db_sockets(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_t)
+ ')
+')
+
+optional_policy(`
+ nagios_read_config(httpd_t)
+')
+
+optional_policy(`
+ openca_domtrans(httpd_t)
+ openca_signal(httpd_t)
+ openca_sigstop(httpd_t)
+ openca_kill(httpd_t)
+')
+
+optional_policy(`
+ # Allow httpd to work with postgresql
+ postgresql_stream_connect(httpd_t)
+ postgresql_unpriv_client(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(httpd_t)
+')
+
+optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
+ snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+')
+
+optional_policy(`
+ udev_read_db(httpd_t)
+')
+
+optional_policy(`
+ yam_read_content(httpd_t)
+')
+
+########################################
+#
+# Apache helper local policy
+#
+
+domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+
+allow httpd_helper_t httpd_config_t:file read_file_perms;
+
+allow httpd_helper_t httpd_log_t:file append_file_perms;
+
+logging_send_syslog_msg(httpd_helper_t)
+
+userdom_use_user_terminals(httpd_helper_t)
+
+########################################
+#
+# Apache PHP script local policy
+#
+
+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_php_t self:fd use;
+allow httpd_php_t self:fifo_file rw_fifo_file_perms;
+allow httpd_php_t self:sock_file read_sock_file_perms;
+allow httpd_php_t self:unix_dgram_socket create_socket_perms;
+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_php_t self:unix_dgram_socket sendto;
+allow httpd_php_t self:unix_stream_socket connectto;
+allow httpd_php_t self:shm create_shm_perms;
+allow httpd_php_t self:sem create_sem_perms;
+allow httpd_php_t self:msgq create_msgq_perms;
+allow httpd_php_t self:msg { send receive };
+
+domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
+
+manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
+
+fs_search_auto_mountpoints(httpd_php_t)
+
+auth_use_nsswitch(httpd_php_t)
+
+libs_exec_lib_files(httpd_php_t)
+
+userdom_use_unpriv_users_fds(httpd_php_t)
+
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mysqld_port(httpd_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_t)
+ corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_mysqld_port(httpd_suexec_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
+
+ corenet_tcp_connect_mssql_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(httpd_php_t)
+ mysql_read_config(httpd_php_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_php_t)
+')
+
+########################################
+#
+# Apache suexec local policy
+#
+
+allow httpd_suexec_t self:capability { setuid setgid };
+allow httpd_suexec_t self:process signal_perms;
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
+
+create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
+
+manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(httpd_suexec_t)
+kernel_list_proc(httpd_suexec_t)
+kernel_read_proc_symlinks(httpd_suexec_t)
+
+dev_read_urand(httpd_suexec_t)
+
+fs_search_auto_mountpoints(httpd_suexec_t)
+
+# for shell scripts
+corecmd_exec_bin(httpd_suexec_t)
+corecmd_exec_shell(httpd_suexec_t)
+
+files_read_etc_files(httpd_suexec_t)
+files_read_usr_files(httpd_suexec_t)
+files_dontaudit_search_pids(httpd_suexec_t)
+files_search_home(httpd_suexec_t)
+
+auth_use_nsswitch(httpd_suexec_t)
+
+logging_search_logs(httpd_suexec_t)
+logging_send_syslog_msg(httpd_suexec_t)
+
+miscfiles_read_localization(httpd_suexec_t)
+miscfiles_read_public_files(httpd_suexec_t)
+
+tunable_policy(`httpd_can_network_connect',`
+ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(httpd_suexec_t)
+ corenet_all_recvfrom_netlabel(httpd_suexec_t)
+ corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_udp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
+ corenet_udp_sendrecv_generic_node(httpd_suexec_t)
+ corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
+ corenet_udp_sendrecv_all_ports(httpd_suexec_t)
+ corenet_tcp_connect_all_ports(httpd_suexec_t)
+ corenet_sendrecv_all_client_packets(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
+ domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_suexec_t)
+ fs_read_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_suexec_t)
+ fs_read_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
+')
+
+optional_policy(`
+ mailman_domtrans_cgi(httpd_suexec_t)
+')
+
+optional_policy(`
+ mta_stub(httpd_suexec_t)
+
+ # apache should set close-on-exec
+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+')
+
+########################################
+#
+# Apache system script local policy
+#
+
+allow httpd_sys_script_t self:process getsched;
+
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
+
+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
+read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
+read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
+
+kernel_read_kernel_sysctls(httpd_sys_script_t)
+
+files_search_var_lib(httpd_sys_script_t)
+files_search_spool(httpd_sys_script_t)
+
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_sys_script_t)
+
+ifdef(`distro_redhat',`
+ allow httpd_sys_script_t httpd_log_t:file append_file_perms;
+')
+
+tunable_policy(`httpd_can_sendmail',`
+ mta_send_mail(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_bind_all_nodes(httpd_sys_script_t)
+ corenet_udp_bind_all_nodes(httpd_sys_script_t)
+ corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+ corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_if(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_read_user_home_content_files(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(httpd_sys_script_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(httpd_sys_script_t)
+ mysql_rw_db_sockets(httpd_sys_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_sys_script_t)
+')
+
+########################################
+#
+# httpd_rotatelogs local policy
+#
+
+allow httpd_rotatelogs_t self:capability dac_override;
+
+manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
+
+kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
+
+files_read_etc_files(httpd_rotatelogs_t)
+
+logging_search_logs(httpd_rotatelogs_t)
+
+miscfiles_read_localization(httpd_rotatelogs_t)
+
+########################################
+#
+# Unconfined script local policy
+#
+
+optional_policy(`
+ type httpd_unconfined_script_t;
+ type httpd_unconfined_script_exec_t;
+ domain_type(httpd_unconfined_script_t)
+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+ unconfined_domain(httpd_unconfined_script_t)
+
+ role system_r types httpd_unconfined_script_t;
+ allow httpd_t httpd_unconfined_script_t:process signal_perms;
+')
+
+########################################
+#
+# User content local policy
+#
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_user_script_t httpdcontent:file entrypoint;
+')
+
+# allow accessing files/dirs below the users home dir
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_t)
+ userdom_search_user_home_dirs(httpd_suexec_t)
+ userdom_search_user_home_dirs(httpd_user_script_t)
+')
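Review bot: The `allow_httpd_mod_auth_pam` boolean declared at the top of this file is a no-op, because its only use (`auth_domtrans_chk_passwd(httpd_t)`) sits inside `ifdef(`TODO', ...)`, which never expands, so an administrator who turns it on gets no policy change and nothing tells them why. Either drop the tunable and its `<desc>` until the limitation described in that block's comment is resolved, or, if that limitation no longer applies, lift the `tunable_policy` block out of the `ifdef` so the boolean actually gates the transition. Separately, `sys_tty_config` appears both in `allow httpd_t self:capability { ... sys_tty_config }` and in the `dontaudit httpd_t self:capability { net_admin sys_tty_config }` line directly below it; the dontaudit entry is redundant once the permission is allowed and should be trimmed to `net_admin` so the two lines document distinct intents. The `optional_policy` block wrapping `dbus_system_bus_client(httpd_t)` is also indented one level deeper than its sibling blocks.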
diff --git a/policy/modules/contrib/apcupsd.fc b/policy/modules/contrib/apcupsd.fc
new file mode 100644
index 00000000..cd07b96e
--- /dev/null
+++ b/policy/modules/contrib/apcupsd.fc
@@ -0,0 +1,15 @@
+/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+
+/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+
+/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+
+/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
diff --git a/policy/modules/contrib/apcupsd.if b/policy/modules/contrib/apcupsd.if
new file mode 100644
index 00000000..e342775e
--- /dev/null
+++ b/policy/modules/contrib/apcupsd.if
@@ -0,0 +1,168 @@
+## <summary>APC UPS monitoring daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run apcupsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apcupsd_domtrans',`
+ gen_require(`
+ type apcupsd_t, apcupsd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
+')
+
+########################################
+## <summary>
+## Execute apcupsd server in the apcupsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apcupsd_initrc_domtrans',`
+ gen_require(`
+ type apcupsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read apcupsd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apcupsd_read_pid_files',`
+ gen_require(`
+ type apcupsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 apcupsd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read apcupsd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apcupsd_read_log',`
+ gen_require(`
+ type apcupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 apcupsd_log_t:dir list_dir_perms;
+ allow $1 apcupsd_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## apcupsd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apcupsd_append_log',`
+ gen_require(`
+ type apcupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 apcupsd_log_t:dir list_dir_perms;
+ allow $1 apcupsd_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run httpd_apcupsd_cgi_script.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apcupsd_cgi_script_domtrans',`
+ gen_require(`
+ type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
+ ')
+
+ optional_policy(`
+ apache_search_sys_content($1)
+ ')
+
+ files_search_var($1)
+ domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an apcupsd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the apcupsd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apcupsd_admin',`
+ gen_require(`
+ type apcupsd_t, apcupsd_tmp_t;
+ type apcupsd_log_t, apcupsd_lock_t;
+ type apcupsd_var_run_t;
+ type apcupsd_initrc_exec_t;
+ ')
+
+ allow $1 apcupsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, apcupsd_t)
+
+ apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 apcupsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var($1)
+ admin_pattern($1, apcupsd_lock_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, apcupsd_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, apcupsd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, apcupsd_var_run_t)
+')
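Review bot: `apcupsd_admin` calls `apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)` with two arguments, but `apcupsd_initrc_domtrans` as defined earlier in this hunk takes only one (`$1`), so the second argument is silently ignored by m4. Since `apcupsd_admin` already requires `apcupsd_initrc_exec_t`, either call it as `apcupsd_initrc_domtrans($1)` or use `init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)` directly, which is what `apache_admin` in this same commit does. The stray argument is harmless today but misleads a reader into thinking the init script type is selectable per call.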
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
new file mode 100644
index 00000000..d052bf0e
--- /dev/null
+++ b/policy/modules/contrib/apcupsd.te
@@ -0,0 +1,127 @@
+policy_module(apcupsd, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type apcupsd_t;
+type apcupsd_exec_t;
+init_daemon_domain(apcupsd_t, apcupsd_exec_t)
+
+type apcupsd_lock_t;
+files_lock_file(apcupsd_lock_t)
+
+type apcupsd_initrc_exec_t;
+init_script_file(apcupsd_initrc_exec_t)
+
+type apcupsd_log_t;
+logging_log_file(apcupsd_log_t)
+
+type apcupsd_tmp_t;
+files_tmp_file(apcupsd_tmp_t)
+
+type apcupsd_var_run_t;
+files_pid_file(apcupsd_var_run_t)
+
+########################################
+#
+# apcupsd local policy
+#
+
+allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
+allow apcupsd_t self:process signal;
+allow apcupsd_t self:fifo_file rw_file_perms;
+allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
+allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+
+allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
+files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
+
+allow apcupsd_t apcupsd_log_t:dir setattr;
+manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+logging_log_filetrans(apcupsd_t, apcupsd_log_t, { file dir })
+
+manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
+files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file)
+
+manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t)
+files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file)
+
+kernel_read_system_state(apcupsd_t)
+
+corecmd_exec_bin(apcupsd_t)
+corecmd_exec_shell(apcupsd_t)
+
+corenet_all_recvfrom_unlabeled(apcupsd_t)
+corenet_all_recvfrom_netlabel(apcupsd_t)
+corenet_tcp_sendrecv_generic_if(apcupsd_t)
+corenet_tcp_sendrecv_generic_node(apcupsd_t)
+corenet_tcp_sendrecv_all_ports(apcupsd_t)
+corenet_tcp_bind_generic_node(apcupsd_t)
+corenet_tcp_bind_apcupsd_port(apcupsd_t)
+corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
+corenet_tcp_connect_apcupsd_port(apcupsd_t)
+
+dev_rw_generic_usb_dev(apcupsd_t)
+
+# Init script handling
+domain_use_interactive_fds(apcupsd_t)
+
+files_read_etc_files(apcupsd_t)
+files_search_locks(apcupsd_t)
+# Creates /etc/nologin
+files_manage_etc_runtime_files(apcupsd_t)
+files_etc_filetrans_etc_runtime(apcupsd_t, file)
+
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
+term_use_unallocated_ttys(apcupsd_t)
+
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
+
+logging_send_syslog_msg(apcupsd_t)
+
+miscfiles_read_localization(apcupsd_t)
+
+sysnet_dns_name_resolve(apcupsd_t)
+
+userdom_use_user_ttys(apcupsd_t)
+
+optional_policy(`
+ hostname_exec(apcupsd_t)
+')
+
+optional_policy(`
+ mta_send_mail(apcupsd_t)
+ mta_system_content(apcupsd_tmp_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(apcupsd_t)
+')
+
+########################################
+#
+# apcupsd_cgi Declarations
+#
+
+optional_policy(`
+ apache_content_template(apcupsd_cgi)
+
+ allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
+ corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
+')
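Review bot: The `dir` element in `logging_log_filetrans(apcupsd_t, apcupsd_log_t, { file dir })` has no matching create permission: the only rule on the log type is `manage_files_pattern`, which (assuming refpolicy's standard macro) grants `rw_dir_perms` on the container and no `dir create`, so a directory transition can never be exercised. Either drop `dir` from the filetrans or add `manage_dirs_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)` next to it. The comment `#apcupsd runs shutdown, probably need a shutdown domain` above `init_telinit` is also stale, since the same file already calls `shutdown_domtrans(apcupsd_t)` in an `optional_policy` block; rewording it to `# shutdown runs in its own domain when the shutdown module is present; telinit is the fallback` keeps the two consistent.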
diff --git a/policy/modules/contrib/apm.fc b/policy/modules/contrib/apm.fc
new file mode 100644
index 00000000..01237771
--- /dev/null
+++ b/policy/modules/contrib/apm.fc
@@ -0,0 +1,23 @@
+
+#
+# /usr
+#
+/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
+
+/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0)
+/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0)
+/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
+
+#
+# /var
+#
+/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
+
+/var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
+')
diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/apm.if
new file mode 100644
index 00000000..1ea99b29
--- /dev/null
+++ b/policy/modules/contrib/apm.if
@@ -0,0 +1,113 @@
+## <summary>Advanced power management daemon</summary>
+
+########################################
+## <summary>
+## Execute APM in the apm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apm_domtrans_client',`
+ gen_require(`
+ type apm_t, apm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, apm_exec_t, apm_t)
+')
+
+########################################
+## <summary>
+## Use file descriptors for apmd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apm_use_fds',`
+ gen_require(`
+ type apmd_t;
+ ')
+
+ allow $1 apmd_t:fd use;
+')
+
+########################################
+## <summary>
+## Write to apmd unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apm_write_pipes',`
+ gen_require(`
+ type apmd_t;
+ ')
+
+ allow $1 apmd_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Read and write to an apm unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apm_rw_stream_sockets',`
+ gen_require(`
+ type apmd_t;
+ ')
+
+ allow $1 apmd_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Append to apm's log file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apm_append_log',`
+ gen_require(`
+ type apmd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 apmd_log_t:file append;
+')
+
+########################################
+## <summary>
+## Connect to apmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apm_stream_connect',`
+ gen_require(`
+ type apmd_t, apmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 apmd_var_run_t:sock_file write;
+ allow $1 apmd_t:unix_stream_socket connectto;
+')
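Review bot: `apm_append_log` grants the bare `append` permission on `apmd_log_t`, while the equivalent `apcupsd_append_log` in this same commit uses `append_file_perms`; bare `append` omits the open/getattr/lock bits the permission set carries, so a caller that opens the log with O_APPEND will still be denied. Change it to `allow $1 apmd_log_t:file append_file_perms;`. Likewise `apm_stream_connect` hand-writes `sock_file write` plus `connectto`, where `asterisk_stream_connect` later in the diff uses the idiom `stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)`, which also covers the search on the containing directory that the hand-written form lacks.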
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
new file mode 100644
index 00000000..1c8c27e4
--- /dev/null
+++ b/policy/modules/contrib/apm.te
@@ -0,0 +1,232 @@
+policy_module(apm, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+type apmd_t;
+type apmd_exec_t;
+init_daemon_domain(apmd_t, apmd_exec_t)
+
+type apm_t;
+type apm_exec_t;
+application_domain(apm_t, apm_exec_t)
+role system_r types apm_t;
+
+type apmd_log_t;
+logging_log_file(apmd_log_t)
+
+type apmd_tmp_t;
+files_tmp_file(apmd_tmp_t)
+
+type apmd_var_run_t;
+files_pid_file(apmd_var_run_t)
+
+ifdef(`distro_redhat',`
+ type apmd_lock_t;
+ files_lock_file(apmd_lock_t)
+')
+
+ifdef(`distro_suse',`
+ type apmd_var_lib_t;
+ files_type(apmd_var_lib_t)
+')
+
+########################################
+#
+# apm client Local policy
+#
+
+allow apm_t self:capability { dac_override sys_admin };
+
+kernel_read_system_state(apm_t)
+
+dev_rw_apm_bios(apm_t)
+
+fs_getattr_xattr_fs(apm_t)
+
+term_use_all_terms(apm_t)
+
+domain_use_interactive_fds(apm_t)
+
+logging_send_syslog_msg(apm_t)
+
+########################################
+#
+# apm daemon Local policy
+#
+
+# mknod: controlling an orderly resume of PCMCIA requires creating device
+# nodes 254,{0,1,2} for some reason.
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+allow apmd_t self:process { signal_perms getsession };
+allow apmd_t self:fifo_file rw_fifo_file_perms;
+allow apmd_t self:unix_dgram_socket create_socket_perms;
+allow apmd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow apmd_t apmd_log_t:file manage_file_perms;
+logging_log_filetrans(apmd_t, apmd_log_t, file)
+
+manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
+manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
+files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
+
+manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
+manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
+files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(apmd_t)
+kernel_rw_all_sysctls(apmd_t)
+kernel_read_system_state(apmd_t)
+kernel_write_proc_files(apmd_t)
+
+dev_read_realtime_clock(apmd_t)
+dev_read_urand(apmd_t)
+dev_rw_apm_bios(apmd_t)
+dev_rw_sysfs(apmd_t)
+dev_dontaudit_getattr_all_chr_files(apmd_t) # Excessive?
+dev_dontaudit_getattr_all_blk_files(apmd_t) # Excessive?
+
+fs_dontaudit_list_tmpfs(apmd_t)
+fs_getattr_all_fs(apmd_t)
+fs_search_auto_mountpoints(apmd_t)
+fs_dontaudit_getattr_all_files(apmd_t) # Excessive?
+fs_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+fs_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
+fs_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+
+selinux_search_fs(apmd_t)
+
+corecmd_exec_all_executables(apmd_t)
+
+domain_read_all_domains_state(apmd_t)
+domain_dontaudit_ptrace_all_domains(apmd_t)
+domain_use_interactive_fds(apmd_t)
+domain_dontaudit_getattr_all_sockets(apmd_t)
+domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
+domain_dontaudit_list_all_domains_state(apmd_t) # Excessive?
+
+files_exec_etc_files(apmd_t)
+files_read_etc_runtime_files(apmd_t)
+files_dontaudit_getattr_all_files(apmd_t) # Excessive?
+files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
+files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+
+init_domtrans_script(apmd_t)
+init_rw_utmp(apmd_t)
+init_telinit(apmd_t)
+
+libs_exec_ld_so(apmd_t)
+libs_exec_lib_files(apmd_t)
+
+logging_send_syslog_msg(apmd_t)
+logging_send_audit_msgs(apmd_t)
+
+miscfiles_read_localization(apmd_t)
+miscfiles_read_hwdata(apmd_t)
+
+modutils_domtrans_insmod(apmd_t)
+modutils_read_module_config(apmd_t)
+
+seutil_dontaudit_read_config(apmd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(apmd_t)
+userdom_dontaudit_search_user_home_dirs(apmd_t)
+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
+
+ifdef(`distro_redhat',`
+ allow apmd_t apmd_lock_t:file manage_file_perms;
+ files_lock_filetrans(apmd_t, apmd_lock_t, file)
+
+ can_exec(apmd_t, apmd_var_run_t)
+
+ # ifconfig_exec_t needs to be run in its own domain for Red Hat
+ optional_policy(`
+ sysnet_domtrans_ifconfig(apmd_t)
+ ')
+
+ optional_policy(`
+ iptables_domtrans(apmd_t)
+ ')
+
+ optional_policy(`
+ netutils_domtrans(apmd_t)
+ ')
+
+',`
+ # for ifconfig which is run all the time
+ kernel_dontaudit_search_sysctl(apmd_t)
+')
+
+ifdef(`distro_suse',`
+ manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
+ manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
+ files_var_lib_filetrans(apmd_t, apmd_var_lib_t, file)
+')
+
+optional_policy(`
+ automount_domtrans(apmd_t)
+')
+
+optional_policy(`
+ clock_domtrans(apmd_t)
+ clock_rw_adjtime(apmd_t)
+')
+
+optional_policy(`
+ cron_system_entry(apmd_t, apmd_exec_t)
+ cron_anacron_domtrans_system_job(apmd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(apmd_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(apmd_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(apmd_t)
+ ')
+')
+
+optional_policy(`
+ logrotate_use_fds(apmd_t)
+')
+
+optional_policy(`
+ mta_send_mail(apmd_t)
+')
+
+optional_policy(`
+ nscd_socket_use(apmd_t)
+')
+
+optional_policy(`
+ pcmcia_domtrans_cardmgr(apmd_t)
+ pcmcia_domtrans_cardctl(apmd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(apmd_t)
+')
+
+optional_policy(`
+ udev_read_db(apmd_t)
+ udev_read_state(apmd_t) #necessary?
+')
+
+optional_policy(`
+ unconfined_domain(apmd_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(apmd_t)
+')
+
+# cjp: related to sleep/resume (?)
+optional_policy(`
+ xserver_domtrans(apmd_t)
+')
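Review bot: The `unconfined_domain(apmd_t)` call inside an `optional_policy` block means that on any build that ships the unconfined module the daemon is fully unconfined, and the roughly hundred lines of confinement above it become decorative; a reader cannot tell from the file whether that is deliberate. If it is, a one-line comment such as `# apmd runs arbitrary hook scripts; unconfined where the unconfined module is loaded` should say so, and ideally the call would sit behind a tunable rather than be unconditional. Independently, the daemon already holds `corecmd_exec_all_executables`, `kernel_rw_all_sysctls`, `kernel_write_proc_files` and the `mknod` capability, and the many `# Excessive?` markers are left unresolved, so the confined profile itself is close to unconfined and deserves a pass before being merged as-is.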
diff --git a/policy/modules/contrib/apt.fc b/policy/modules/contrib/apt.fc
new file mode 100644
index 00000000..0a29b893
--- /dev/null
+++ b/policy/modules/contrib/apt.fc
@@ -0,0 +1,21 @@
+/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
+# apt-shell is redhat specific
+/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
+# other package managers
+/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+# package cache repository
+/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
+
+# package list repository
+/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+# aptitude lock
+/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+# aptitude log
+/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
+
+# dpkg terminal log
+/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if
new file mode 100644
index 00000000..e696b80c
--- /dev/null
+++ b/policy/modules/contrib/apt.if
@@ -0,0 +1,225 @@
+## <summary>APT advanced package tool.</summary>
+
+########################################
+## <summary>
+## Execute apt programs in the apt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apt_domtrans',`
+ gen_require(`
+ type apt_t, apt_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, apt_exec_t, apt_t)
+')
+
+########################################
+## <summary>
+## Execute apt programs in the apt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the apt domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apt_run',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ apt_domtrans($1)
+ role $2 types apt_t;
+ # TODO: likely have to add dpkg_run here.
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from apt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_use_fds',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fd use;
+ # TODO: enforce dpkg_use_fd?
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use file descriptors from apt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apt_dontaudit_use_fds',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ dontaudit $1 apt_t:fd use;
+')
+
+########################################
+## <summary>
+## Read from an unnamed apt pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_read_pipes',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fifo_file read_fifo_file_perms;
+ # TODO: enforce dpkg_read_pipes?
+')
+
+########################################
+## <summary>
+## Read and write an unnamed apt pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_rw_pipes',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fifo_file rw_file_perms;
+ # TODO: enforce dpkg_rw_pipes?
+')
+
+########################################
+## <summary>
+## Read from and write to apt ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_use_ptys',`
+ gen_require(`
+ type apt_devpts_t;
+ ')
+
+ allow $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Read the apt package cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_read_cache',`
+ gen_require(`
+ type apt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir list_dir_perms;
+ dontaudit $1 apt_var_cache_t:dir write;
+ allow $1 apt_var_cache_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read the apt package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_read_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 apt_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+ read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the apt package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_manage_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+ # cjp: shouldnt this be manage_lnk_files?
+ rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+ delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, and delete the apt package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apt_dontaudit_manage_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 apt_var_lib_t:file manage_file_perms;
+ dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
+')
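Review bot: `apt_rw_pipes` uses `rw_file_perms` on the `fifo_file` class, while its sibling `apt_read_pipes` uses `read_fifo_file_perms` and apt.te itself uses `rw_fifo_file_perms`; the file permission set is the wrong one for this class and should be `allow $1 apt_t:fifo_file rw_fifo_file_perms;`. In `apt_manage_db` the inline `cjp: shouldnt this be manage_lnk_files?` question is correct: `rw_lnk_files_pattern` plus `delete_lnk_files_pattern` never grants `create`, so the interface cannot deliver the "Create, read, write, and delete" its summary promises; replace the two lines with `manage_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)` and drop the question.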
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
new file mode 100644
index 00000000..8555315d
--- /dev/null
+++ b/policy/modules/contrib/apt.te
@@ -0,0 +1,162 @@
+policy_module(apt, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type apt_t;
+type apt_exec_t;
+init_system_domain(apt_t, apt_exec_t)
+domain_system_change_exemption(apt_t)
+role system_r types apt_t;
+
+# pseudo terminal for running dpkg
+type apt_devpts_t;
+term_pty(apt_devpts_t)
+
+# aptitude lock file
+type apt_lock_t;
+files_lock_file(apt_lock_t)
+
+type apt_tmp_t;
+files_tmp_file(apt_tmp_t)
+
+type apt_tmpfs_t;
+files_tmpfs_file(apt_tmpfs_t)
+
+# package cache
+type apt_var_cache_t alias var_cache_apt_t;
+files_type(apt_var_cache_t)
+
+# status files
+type apt_var_lib_t alias var_lib_apt_t;
+files_type(apt_var_lib_t)
+
+# aptitude log file
+type apt_var_log_t;
+logging_log_file(apt_var_log_t)
+
+########################################
+#
+# apt Local policy
+#
+
+allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:process { signal setpgid fork };
+allow apt_t self:fd use;
+allow apt_t self:fifo_file rw_fifo_file_perms;
+allow apt_t self:unix_dgram_socket create_socket_perms;
+allow apt_t self:unix_stream_socket rw_stream_socket_perms;
+allow apt_t self:unix_dgram_socket sendto;
+allow apt_t self:unix_stream_socket connectto;
+allow apt_t self:udp_socket { connect create_socket_perms };
+allow apt_t self:tcp_socket create_stream_socket_perms;
+allow apt_t self:shm create_shm_perms;
+allow apt_t self:sem create_sem_perms;
+allow apt_t self:msgq create_msgq_perms;
+allow apt_t self:msg { send receive };
+# Run update
+allow apt_t self:netlink_route_socket r_netlink_socket_perms;
+
+# lock files
+allow apt_t apt_lock_t:dir manage_dir_perms;
+allow apt_t apt_lock_t:file manage_file_perms;
+files_lock_filetrans(apt_t, apt_lock_t, {dir file})
+
+manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
+manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
+files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
+
+manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+# Access /var/cache/apt files
+manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+files_var_filetrans(apt_t, apt_var_cache_t, dir)
+
+# Access /var/lib/apt files
+manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
+files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
+
+# log files
+allow apt_t apt_var_log_t:file manage_file_perms;
+logging_log_filetrans(apt_t, apt_var_log_t, file)
+
+kernel_read_system_state(apt_t)
+kernel_read_kernel_sysctls(apt_t)
+
+# to launch dpkg-preconfigure
+corecmd_exec_bin(apt_t)
+corecmd_exec_shell(apt_t)
+
+corenet_all_recvfrom_unlabeled(apt_t)
+corenet_all_recvfrom_netlabel(apt_t)
+corenet_tcp_sendrecv_generic_if(apt_t)
+corenet_udp_sendrecv_generic_if(apt_t)
+corenet_tcp_sendrecv_generic_node(apt_t)
+corenet_udp_sendrecv_generic_node(apt_t)
+corenet_tcp_sendrecv_all_ports(apt_t)
+corenet_udp_sendrecv_all_ports(apt_t)
+# TODO: really allow all these?
+corenet_tcp_bind_generic_node(apt_t)
+corenet_udp_bind_generic_node(apt_t)
+corenet_tcp_connect_all_ports(apt_t)
+corenet_sendrecv_all_client_packets(apt_t)
+
+dev_read_urand(apt_t)
+
+domain_getattr_all_domains(apt_t)
+domain_use_interactive_fds(apt_t)
+
+files_exec_usr_files(apt_t)
+files_read_etc_files(apt_t)
+files_read_etc_runtime_files(apt_t)
+
+fs_getattr_all_fs(apt_t)
+
+term_create_pty(apt_t, apt_devpts_t)
+term_list_ptys(apt_t)
+term_use_all_terms(apt_t)
+
+libs_exec_ld_so(apt_t)
+libs_exec_lib_files(apt_t)
+
+logging_send_syslog_msg(apt_t)
+
+miscfiles_read_localization(apt_t)
+
+seutil_use_newrole_fds(apt_t)
+
+sysnet_read_config(apt_t)
+
+userdom_use_user_terminals(apt_t)
+
+# with boolean, for cron-apt and such?
+#optional_policy(`
+# cron_system_entry(apt_t,apt_exec_t)
+#')
+
+optional_policy(`
+ # dpkg interaction
+ dpkg_read_db(apt_t)
+ dpkg_domtrans(apt_t)
+ dpkg_lock_db(apt_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(apt_t)
+')
+
+optional_policy(`
+ rpm_read_db(apt_t)
+ rpm_domtrans(apt_t)
+')
+
+optional_policy(`
+ unconfined_domain(apt_t)
+')
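Review bot: `files_var_filetrans(apt_t, apt_var_cache_t, dir)` and `files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)` declare directory type transitions, but the only rules on those types are `manage_files_pattern`, which (assuming the standard refpolicy macro) gives `rw_dir_perms` on the container and no `dir create`, so apt_t can neither create the directories the transitions name nor manage subdirectories beneath them. Add `manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)` and `manage_dirs_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)` alongside the existing file rules. The `# TODO: really allow all these?` left above `corenet_tcp_connect_all_ports` and the optional `unconfined_domain(apt_t)` at the end both widen a domain that fetches and unpacks untrusted content from the network; at minimum the TODO should be answered in the comment rather than shipped open.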
diff --git a/policy/modules/contrib/arpwatch.fc b/policy/modules/contrib/arpwatch.fc
new file mode 100644
index 00000000..a86a6c71
--- /dev/null
+++ b/policy/modules/contrib/arpwatch.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
+#
+# /var
+#
+/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
+/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/policy/modules/contrib/arpwatch.if b/policy/modules/contrib/arpwatch.if
new file mode 100644
index 00000000..c804110a
--- /dev/null
+++ b/policy/modules/contrib/arpwatch.if
@@ -0,0 +1,156 @@
+## <summary>Ethernet activity monitor.</summary>
+
+########################################
+## <summary>
+## Execute arpwatch server in the arpwatch domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`arpwatch_initrc_domtrans',`
+ gen_require(`
+ type arpwatch_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search arpwatch's data file directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`arpwatch_search_data',`
+ gen_require(`
+ type arpwatch_data_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 arpwatch_data_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create arpwatch data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`arpwatch_manage_data_files',`
+ gen_require(`
+ type arpwatch_data_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
+')
+
+########################################
+## <summary>
+## Read and write arpwatch temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`arpwatch_rw_tmp_files',`
+ gen_require(`
+ type arpwatch_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 arpwatch_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write arpwatch temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`arpwatch_manage_tmp_files',`
+ gen_require(`
+ type arpwatch_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 arpwatch_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## arpwatch packet sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`arpwatch_dontaudit_rw_packet_sockets',`
+ gen_require(`
+ type arpwatch_t;
+ ')
+
+ dontaudit $1 arpwatch_t:packet_socket { read write };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an arpwatch environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the arpwatch domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`arpwatch_admin',`
+ gen_require(`
+ type arpwatch_t, arpwatch_tmp_t;
+ type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_initrc_exec_t;
+ ')
+
+ allow $1 arpwatch_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, arpwatch_t)
+
+ arpwatch_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 arpwatch_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, arpwatch_tmp_t)
+
+ files_list_var($1)
+ admin_pattern($1, arpwatch_data_t)
+
+ files_list_pids($1)
+ admin_pattern($1, arpwatch_var_run_t)
+')
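Review bot: Three summaries in this file do not match the interface bodies. `arpwatch_initrc_domtrans` is documented as "Execute arpwatch server in the arpwatch domain" but it calls `init_labeled_script_domtrans`, so the summary should read `Execute arpwatch server in the initrc domain via its init script`; `arpwatch_manage_tmp_files` copies the "Read and write" summary from the rw interface and should say `Create, read, write, and delete arpwatch temporary files`; and `arpwatch_manage_data_files` says only "Create" for a `manage_files_pattern`. In `arpwatch_admin`, `files_list_var($1)` precedes the data-type admin pattern although the data lives under /var/lib and `arpwatch_search_data` uses `files_search_var_lib`, so `files_list_var_lib($1)` is the consistent choice.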
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
new file mode 100644
index 00000000..804135f9
--- /dev/null
+++ b/policy/modules/contrib/arpwatch.te
@@ -0,0 +1,98 @@
+policy_module(arpwatch, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type arpwatch_t;
+type arpwatch_exec_t;
+init_daemon_domain(arpwatch_t, arpwatch_exec_t)
+
+type arpwatch_data_t;
+files_type(arpwatch_data_t)
+
+type arpwatch_initrc_exec_t;
+init_script_file(arpwatch_initrc_exec_t)
+
+type arpwatch_tmp_t;
+files_tmp_file(arpwatch_tmp_t)
+
+type arpwatch_var_run_t;
+files_pid_file(arpwatch_var_run_t)
+
+########################################
+#
+# Local policy
+#
+allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
+dontaudit arpwatch_t self:capability sys_tty_config;
+allow arpwatch_t self:process signal_perms;
+allow arpwatch_t self:unix_dgram_socket create_socket_perms;
+allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
+allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
+allow arpwatch_t self:udp_socket create_socket_perms;
+allow arpwatch_t self:packet_socket create_socket_perms;
+allow arpwatch_t self:socket create_socket_perms;
+
+manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+manage_lnk_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+
+manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
+manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
+files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
+
+manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+
+kernel_read_network_state(arpwatch_t)
+kernel_read_kernel_sysctls(arpwatch_t)
+kernel_list_proc(arpwatch_t)
+kernel_read_proc_symlinks(arpwatch_t)
+kernel_request_load_module(arpwatch_t)
+
+corenet_all_recvfrom_unlabeled(arpwatch_t)
+corenet_all_recvfrom_netlabel(arpwatch_t)
+corenet_tcp_sendrecv_generic_if(arpwatch_t)
+corenet_udp_sendrecv_generic_if(arpwatch_t)
+corenet_raw_sendrecv_generic_if(arpwatch_t)
+corenet_tcp_sendrecv_generic_node(arpwatch_t)
+corenet_udp_sendrecv_generic_node(arpwatch_t)
+corenet_raw_sendrecv_generic_node(arpwatch_t)
+corenet_tcp_sendrecv_all_ports(arpwatch_t)
+corenet_udp_sendrecv_all_ports(arpwatch_t)
+
+dev_read_sysfs(arpwatch_t)
+dev_read_usbmon_dev(arpwatch_t)
+dev_rw_generic_usb_dev(arpwatch_t)
+
+fs_getattr_all_fs(arpwatch_t)
+fs_search_auto_mountpoints(arpwatch_t)
+
+corecmd_read_bin_symlinks(arpwatch_t)
+
+domain_use_interactive_fds(arpwatch_t)
+
+files_read_etc_files(arpwatch_t)
+files_read_usr_files(arpwatch_t)
+files_search_var_lib(arpwatch_t)
+
+auth_use_nsswitch(arpwatch_t)
+
+logging_send_syslog_msg(arpwatch_t)
+
+miscfiles_read_localization(arpwatch_t)
+
+userdom_dontaudit_search_user_home_dirs(arpwatch_t)
+userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
+
+mta_send_mail(arpwatch_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(arpwatch_t)
+')
+
+optional_policy(`
+ udev_read_db(arpwatch_t)
+')
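Review bot: `mta_send_mail(arpwatch_t)` is called unconditionally, whereas the apcupsd and apm modules in this same commit wrap the identical call in `optional_policy`; in a modular build without the mta module this becomes an unresolved dependency that stops the arpwatch module from loading. Wrap it the same way: `optional_policy(\`` / `mta_send_mail(arpwatch_t)` / `')`. The `allow arpwatch_t self:socket create_socket_perms;` rule on the generic socket class also stands out next to the explicit packet/tcp/udp rules above it; if it is covering a known family that lacks its own class it deserves a comment, otherwise it is likely a leftover.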
diff --git a/policy/modules/contrib/asterisk.fc b/policy/modules/contrib/asterisk.fc
new file mode 100644
index 00000000..b4889d40
--- /dev/null
+++ b/policy/modules/contrib/asterisk.fc
@@ -0,0 +1,9 @@
+/etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_etc_t,s0)
+/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0)
+
+/usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0)
+
+/var/lib/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_lib_t,s0)
+/var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t,s0)
+/var/run/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_run_t,s0)
+/var/spool/asterisk(/.*)? gen_context(system_u:object_r:asterisk_spool_t,s0)
diff --git a/policy/modules/contrib/asterisk.if b/policy/modules/contrib/asterisk.if
new file mode 100644
index 00000000..bd6273f1
--- /dev/null
+++ b/policy/modules/contrib/asterisk.if
@@ -0,0 +1,135 @@
+## <summary>Asterisk IP telephony server</summary>
+
+######################################
+## <summary>
+## Execute asterisk in the asterisk domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`asterisk_domtrans',`
+ gen_require(`
+ type asterisk_t, asterisk_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, asterisk_exec_t, asterisk_t)
+')
+
+#####################################
+## <summary>
+## Connect to asterisk over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`asterisk_stream_connect',`
+ gen_require(`
+ type asterisk_t, asterisk_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an asterisk environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the asterisk domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`asterisk_admin',`
+ gen_require(`
+ type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
+ type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
+ type asterisk_var_lib_t;
+ type asterisk_initrc_exec_t;
+ ')
+
+ allow $1 asterisk_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, asterisk_t)
+
+ init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 asterisk_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, asterisk_tmp_t)
+
+ files_list_etc($1)
+ admin_pattern($1, asterisk_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, asterisk_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, asterisk_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, asterisk_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, asterisk_var_run_t)
+')
+
+#######################################
+## <summary>
+## Allow changing the attributes of the asterisk log files and directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to change the attributes of the asterisk log files and
+## directories
+## </summary>
+## </param>
+#
+interface(`asterisk_setattr_logs',`
+ gen_require(`
+ type asterisk_log_t;
+ ')
+
+ setattr_files_pattern($1, asterisk_log_t, asterisk_log_t)
+ setattr_dirs_pattern($1, asterisk_log_t, asterisk_log_t)
+
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Allow changing the attributes of the asterisk PID files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to change the attributes of the asterisk PID files
+## </summary>
+## </param>
+#
+interface(`asterisk_setattr_pid_files',`
+ gen_require(`
+ type asterisk_var_run_t;
+ ')
+
+ setattr_files_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
+ setattr_dirs_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
+
+ files_search_pids($1)
+')
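Review bot: asterisk_admin leaves out asterisk_tmpfs_t, which asterisk.te declares next to the other asterisk_* types, so the summary "All of the rules required to administrate an asterisk environment" overstates what the interface grants. If the omission is deliberate (tmpfs objects are transient), a one-line comment saying so would keep the next maintainer from re-adding it; otherwise add `type asterisk_tmpfs_t;` to the gen_require block and `admin_pattern($1, asterisk_tmpfs_t)` beside the tmp rules. The interface also hands the admin domain `ptrace` on asterisk_t, which follows the established admin-interface pattern in this series but is worth remembering when deciding which roles receive it.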
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
new file mode 100644
index 00000000..dda6c5e5
--- /dev/null
+++ b/policy/modules/contrib/asterisk.te
@@ -0,0 +1,172 @@
+policy_module(asterisk, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type asterisk_t;
+type asterisk_exec_t;
+init_daemon_domain(asterisk_t, asterisk_exec_t)
+application_executable_file(asterisk_exec_t)
+
+type asterisk_etc_t;
+files_config_file(asterisk_etc_t)
+
+type asterisk_initrc_exec_t;
+init_script_file(asterisk_initrc_exec_t)
+
+type asterisk_log_t;
+logging_log_file(asterisk_log_t)
+
+type asterisk_spool_t;
+files_type(asterisk_spool_t)
+
+type asterisk_tmp_t;
+files_tmp_file(asterisk_tmp_t)
+
+type asterisk_tmpfs_t;
+files_tmpfs_file(asterisk_tmpfs_t)
+
+type asterisk_var_lib_t;
+files_type(asterisk_var_lib_t)
+
+type asterisk_var_run_t;
+files_pid_file(asterisk_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# dac_override for /var/run/asterisk
+allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin chown };
+dontaudit asterisk_t self:capability sys_tty_config;
+allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
+allow asterisk_t self:fifo_file rw_fifo_file_perms;
+allow asterisk_t self:sem create_sem_perms;
+allow asterisk_t self:shm create_shm_perms;
+allow asterisk_t self:unix_stream_socket { connectto listen accept };
+allow asterisk_t self:tcp_socket create_stream_socket_perms;
+allow asterisk_t self:udp_socket create_socket_perms;
+
+allow asterisk_t asterisk_etc_t:dir list_dir_perms;
+read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+files_search_etc(asterisk_t)
+
+can_exec(asterisk_t, asterisk_exec_t)
+
+manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir })
+
+manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+
+manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir })
+
+manage_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_lnk_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_fifo_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_sock_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
+files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
+
+manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
+
+kernel_read_system_state(asterisk_t)
+kernel_read_kernel_sysctls(asterisk_t)
+kernel_request_load_module(asterisk_t)
+
+corecmd_exec_bin(asterisk_t)
+corecmd_exec_shell(asterisk_t)
+
+corenet_all_recvfrom_unlabeled(asterisk_t)
+corenet_all_recvfrom_netlabel(asterisk_t)
+corenet_tcp_sendrecv_generic_if(asterisk_t)
+corenet_udp_sendrecv_generic_if(asterisk_t)
+corenet_tcp_sendrecv_generic_node(asterisk_t)
+corenet_udp_sendrecv_generic_node(asterisk_t)
+corenet_tcp_sendrecv_all_ports(asterisk_t)
+corenet_udp_sendrecv_all_ports(asterisk_t)
+corenet_tcp_bind_generic_node(asterisk_t)
+corenet_udp_bind_generic_node(asterisk_t)
+corenet_tcp_bind_asterisk_port(asterisk_t)
+corenet_tcp_bind_sip_port(asterisk_t)
+corenet_udp_bind_asterisk_port(asterisk_t)
+corenet_udp_bind_sip_port(asterisk_t)
+corenet_sendrecv_asterisk_server_packets(asterisk_t)
+# for VOIP voice channels.
+corenet_tcp_bind_generic_port(asterisk_t)
+corenet_udp_bind_generic_port(asterisk_t)
+corenet_dontaudit_udp_bind_all_ports(asterisk_t)
+corenet_sendrecv_generic_server_packets(asterisk_t)
+corenet_tcp_connect_postgresql_port(asterisk_t)
+corenet_tcp_connect_snmp_port(asterisk_t)
+corenet_tcp_connect_sip_port(asterisk_t)
+
+dev_rw_generic_usb_dev(asterisk_t)
+dev_read_sysfs(asterisk_t)
+dev_read_sound(asterisk_t)
+dev_write_sound(asterisk_t)
+dev_read_rand(asterisk_t)
+dev_read_urand(asterisk_t)
+
+domain_use_interactive_fds(asterisk_t)
+
+files_read_etc_files(asterisk_t)
+files_search_spool(asterisk_t)
+# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
+# are labeled usr_t
+files_read_usr_files(asterisk_t)
+
+fs_getattr_all_fs(asterisk_t)
+fs_list_inotifyfs(asterisk_t)
+fs_read_anon_inodefs_files(asterisk_t)
+fs_search_auto_mountpoints(asterisk_t)
+
+auth_use_nsswitch(asterisk_t)
+
+logging_send_syslog_msg(asterisk_t)
+
+miscfiles_read_localization(asterisk_t)
+
+userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+userdom_dontaudit_search_user_home_dirs(asterisk_t)
+
+optional_policy(`
+ mysql_stream_connect(asterisk_t)
+')
+
+optional_policy(`
+ mta_send_mail(asterisk_t)
+')
+
+optional_policy(`
+ postfix_domtrans_postdrop(asterisk_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(asterisk_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(asterisk_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(asterisk_t)
+ snmp_stream_connect(asterisk_t)
+')
+
+optional_policy(`
+ udev_read_db(asterisk_t)
+')
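Review bot: The comment above the self:capability rule explains only dac_override, while the same line also grants net_admin, sys_nice, setuid, setgid and chown, and `kernel_request_load_module(asterisk_t)` and `corecmd_exec_shell(asterisk_t)` further down carry no rationale either; for a network-facing daemon these are exactly the grants a reviewer needs to check against a stated need. Suggest extending the comment to cover each privilege, e.g. `# dac_override for /var/run/asterisk; net_admin for <reason — TODO confirm>; chown for <reason — TODO confirm>`, filling in the reasons from the daemon's documented behaviour rather than guessing. A similar one-line why-comment on the corecmd_exec_shell and kernel_request_load_module calls would record that shell execution and module loading by asterisk_t are intentional.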
diff --git a/policy/modules/contrib/authbind.fc b/policy/modules/contrib/authbind.fc
new file mode 100644
index 00000000..48cf11b4
--- /dev/null
+++ b/policy/modules/contrib/authbind.fc
@@ -0,0 +1,3 @@
+/etc/authbind(/.*)? gen_context(system_u:object_r:authbind_etc_t,s0)
+
+/usr/lib(64)?/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0)
diff --git a/policy/modules/contrib/authbind.if b/policy/modules/contrib/authbind.if
new file mode 100644
index 00000000..d28020f1
--- /dev/null
+++ b/policy/modules/contrib/authbind.if
@@ -0,0 +1,20 @@
+## <summary>Tool for non-root processes to bind to reserved ports</summary>
+
+########################################
+## <summary>
+## Use authbind to bind to a reserved port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`authbind_domtrans',`
+ gen_require(`
+ type authbind_t, authbind_exec_t;
+ ')
+
+ domtrans_pattern($1, authbind_exec_t, authbind_t)
+ allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
+')
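Review bot: authbind_domtrans grants authbind_t read, write and bind access on the caller's TCP and UDP sockets (`allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;`), but the interface summary mentions only the transition, so callers cannot see from the documentation that they are handing their sockets to the helper domain. Suggest extending the summary to `## Use authbind to bind to a reserved port. The authbind domain is also allowed to read, write and bind the caller's TCP and UDP sockets.` so that the reverse grant is visible where callers look for it.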
diff --git a/policy/modules/contrib/authbind.te b/policy/modules/contrib/authbind.te
new file mode 100644
index 00000000..b4285f76
--- /dev/null
+++ b/policy/modules/contrib/authbind.te
@@ -0,0 +1,31 @@
+policy_module(authbind, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type authbind_t;
+type authbind_exec_t;
+application_domain(authbind_t, authbind_exec_t)
+role system_r types authbind_t;
+
+type authbind_etc_t;
+files_config_file(authbind_etc_t)
+
+########################################
+#
+# Local policy
+#
+
+allow authbind_t self:capability net_bind_service;
+
+allow authbind_t authbind_etc_t:dir list_dir_perms;
+exec_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)
+read_lnk_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)
+
+files_list_etc(authbind_t)
+
+term_use_console(authbind_t)
+
+logging_send_syslog_msg(authbind_t)
diff --git a/policy/modules/contrib/automount.fc b/policy/modules/contrib/automount.fc
new file mode 100644
index 00000000..f16ab681
--- /dev/null
+++ b/policy/modules/contrib/automount.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
+/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
+
+#
+# /var
+#
+
+/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if
new file mode 100644
index 00000000..d80a16b8
--- /dev/null
+++ b/policy/modules/contrib/automount.if
@@ -0,0 +1,168 @@
+## <summary>Filesystem automounter service.</summary>
+
+########################################
+## <summary>
+## Execute automount in the automount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`automount_domtrans',`
+ gen_require(`
+ type automount_t, automount_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, automount_exec_t, automount_t)
+')
+
+########################################
+## <summary>
+## Send automount a signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`automount_signal',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ allow $1 automount_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute automount in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`automount_exec_config',`
+ refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.')
+ files_exec_etc_files($1)
+')
+
+########################################
+## <summary>
+## Allow the domain to read state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`automount_read_state',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ read_files_pattern($1, automount_t, automount_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to file descriptors for automount.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`automount_dontaudit_use_fds',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ dontaudit $1 automount_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write automount daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`automount_dontaudit_write_pipes',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ dontaudit $1 automount_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of automount temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`automount_dontaudit_getattr_tmp_dirs',`
+ gen_require(`
+ type automount_tmp_t;
+ ')
+
+ dontaudit $1 automount_tmp_t:dir getattr;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an automount environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the automount domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`automount_admin',`
+ gen_require(`
+ type automount_t, automount_lock_t, automount_tmp_t;
+ type automount_var_run_t, automount_initrc_exec_t;
+ ')
+
+ allow $1 automount_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, automount_t)
+
+ init_labeled_script_domtrans($1, automount_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 automount_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var($1)
+ admin_pattern($1, automount_lock_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, automount_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, automount_var_run_t)
+')
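Review bot: The summary of automount_dontaudit_use_fds is missing its verb ("Do not audit attempts to file descriptors for automount."); suggest `## Do not audit attempts to use automount file descriptors.`, matching the rule `dontaudit $1 automount_t:fd use;`. Two smaller points in the same file: automount_signal has two consecutive `#` lines before the interface where every other interface uses one, and the summary of automount_read_state ("read state files in /proc") could name the object it grants, e.g. `## Read the process state (/proc/pid) of automount.`, since the body is a read_files_pattern on automount_t.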
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
new file mode 100644
index 00000000..39799dba
--- /dev/null
+++ b/policy/modules/contrib/automount.te
@@ -0,0 +1,182 @@
+policy_module(automount, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type automount_t;
+type automount_exec_t;
+init_daemon_domain(automount_t, automount_exec_t)
+
+type automount_initrc_exec_t;
+init_script_file(automount_initrc_exec_t)
+
+type automount_var_run_t;
+files_pid_file(automount_var_run_t)
+
+type automount_lock_t;
+files_lock_file(automount_lock_t)
+
+type automount_tmp_t;
+files_tmp_file(automount_tmp_t)
+files_mountpoint(automount_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow automount_t self:capability { net_bind_service setgid setuid sys_nice sys_resource dac_override sys_admin };
+dontaudit automount_t self:capability sys_tty_config;
+allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+allow automount_t self:fifo_file rw_fifo_file_perms;
+allow automount_t self:unix_stream_socket create_socket_perms;
+allow automount_t self:unix_dgram_socket create_socket_perms;
+allow automount_t self:tcp_socket create_stream_socket_perms;
+allow automount_t self:udp_socket create_socket_perms;
+allow automount_t self:rawip_socket create_socket_perms;
+
+can_exec(automount_t, automount_exec_t)
+
+allow automount_t automount_lock_t:file manage_file_perms;
+files_lock_filetrans(automount_t, automount_lock_t, file)
+
+manage_dirs_pattern(automount_t, automount_tmp_t, automount_tmp_t)
+manage_files_pattern(automount_t, automount_tmp_t, automount_tmp_t)
+files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
+
+# Allow automount to create and delete directories in / and /home
+allow automount_t automount_tmp_t:dir manage_dir_perms;
+files_home_filetrans(automount_t, automount_tmp_t, dir)
+files_root_filetrans(automount_t, automount_tmp_t, dir)
+
+manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
+
+kernel_read_kernel_sysctls(automount_t)
+kernel_read_irq_sysctls(automount_t)
+kernel_read_fs_sysctls(automount_t)
+kernel_read_proc_symlinks(automount_t)
+kernel_read_system_state(automount_t)
+kernel_read_network_state(automount_t)
+kernel_list_proc(automount_t)
+kernel_dontaudit_search_xen_state(automount_t)
+
+files_search_boot(automount_t)
+# Automount is slowly adding all mount functionality internally
+files_search_all(automount_t)
+files_mounton_all_mountpoints(automount_t)
+files_mount_all_file_type_fs(automount_t)
+files_unmount_all_file_type_fs(automount_t)
+files_manage_non_security_dirs(automount_t)
+
+fs_mount_all_fs(automount_t)
+fs_unmount_all_fs(automount_t)
+fs_search_all(automount_t)
+
+corecmd_exec_bin(automount_t)
+corecmd_exec_shell(automount_t)
+
+corenet_all_recvfrom_unlabeled(automount_t)
+corenet_all_recvfrom_netlabel(automount_t)
+corenet_tcp_sendrecv_generic_if(automount_t)
+corenet_udp_sendrecv_generic_if(automount_t)
+corenet_tcp_sendrecv_generic_node(automount_t)
+corenet_udp_sendrecv_generic_node(automount_t)
+corenet_tcp_sendrecv_all_ports(automount_t)
+corenet_udp_sendrecv_all_ports(automount_t)
+corenet_tcp_bind_generic_node(automount_t)
+corenet_udp_bind_generic_node(automount_t)
+corenet_tcp_connect_portmap_port(automount_t)
+corenet_tcp_connect_all_ports(automount_t)
+corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
+corenet_sendrecv_all_client_packets(automount_t)
+# Automount execs showmount when you browse /net. This is required until
+# Someone writes a showmount policy
+corenet_tcp_bind_reserved_port(automount_t)
+corenet_tcp_bind_all_rpc_ports(automount_t)
+corenet_udp_bind_reserved_port(automount_t)
+corenet_udp_bind_all_rpc_ports(automount_t)
+
+dev_read_sysfs(automount_t)
+dev_rw_autofs(automount_t)
+# for SSP
+dev_read_rand(automount_t)
+dev_read_urand(automount_t)
+
+domain_use_interactive_fds(automount_t)
+domain_dontaudit_read_all_domains_state(automount_t)
+
+files_dontaudit_write_var_dirs(automount_t)
+files_getattr_all_dirs(automount_t)
+files_list_mnt(automount_t)
+files_getattr_home_dir(automount_t)
+files_read_etc_files(automount_t)
+files_read_etc_runtime_files(automount_t)
+# for if the mount point is not labelled
+files_getattr_isid_type_dirs(automount_t)
+files_getattr_default_dirs(automount_t)
+# because config files can be shell scripts
+files_exec_etc_files(automount_t)
+files_mounton_mnt(automount_t)
+
+fs_getattr_all_fs(automount_t)
+fs_getattr_all_dirs(automount_t)
+fs_search_auto_mountpoints(automount_t)
+fs_manage_auto_mountpoints(automount_t)
+fs_unmount_autofs(automount_t)
+fs_mount_autofs(automount_t)
+fs_manage_autofs_symlinks(automount_t)
+fs_read_nfs_files(automount_t)
+
+storage_rw_fuse(automount_t)
+
+term_dontaudit_getattr_pty_dirs(automount_t)
+
+auth_use_nsswitch(automount_t)
+
+logging_send_syslog_msg(automount_t)
+logging_search_logs(automount_t)
+
+miscfiles_read_localization(automount_t)
+miscfiles_read_generic_certs(automount_t)
+
+# Run mount in the mount_t domain.
+mount_domtrans(automount_t)
+mount_signal(automount_t)
+
+userdom_dontaudit_use_unpriv_user_fds(automount_t)
+userdom_dontaudit_search_user_home_dirs(automount_t)
+
+optional_policy(`
+ bind_search_cache(automount_t)
+')
+
+optional_policy(`
+ fstools_domtrans(automount_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(automount, automount_t)
+ kerberos_read_config(automount_t)
+ kerberos_dontaudit_write_config(automount_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(automount_t)
+')
+
+optional_policy(`
+ samba_read_config(automount_t)
+ samba_manage_var_files(automount_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(automount_t)
+')
+
+optional_policy(`
+ udev_read_db(automount_t)
+')
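Review bot: The self:capability set for automount_t includes sys_admin with no why-comment, and the `rawip_socket` self rule a few lines below is likewise unexplained; both are privileges a reviewer should be able to check against a stated need. Given the fs_mount_all_fs/fs_unmount_all_fs and files_mount_all_file_type_fs calls further down, sys_admin is presumably for mount(2) — if so, say it on the line: `# sys_admin for mount(2): automount now mounts filesystems itself (see fs_mount_all_fs below)`, and add an equivalent note on the rawip_socket line. Separately, `corenet_dontaudit_tcp_connect_all_reserved_ports` directly follows `corenet_tcp_connect_all_ports`; if the latter already covers the reserved port types, the dontaudit is redundant and dropping it would keep the domain's intended network reach explicit.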
diff --git a/policy/modules/contrib/avahi.fc b/policy/modules/contrib/avahi.fc
new file mode 100644
index 00000000..7e365494
--- /dev/null
+++ b/policy/modules/contrib/avahi.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+
+/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+
+/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
+
+/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
new file mode 100644
index 00000000..61c74bcc
--- /dev/null
+++ b/policy/modules/contrib/avahi.if
@@ -0,0 +1,166 @@
+## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
+
+########################################
+## <summary>
+## Execute avahi server in the avahi domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`avahi_domtrans',`
+ gen_require(`
+ type avahi_exec_t, avahi_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, avahi_exec_t, avahi_t)
+')
+
+########################################
+## <summary>
+## Send avahi a signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_signal',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process signal;
+')
+
+########################################
+## <summary>
+## Send avahi a kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_kill',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send avahi a signull
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_signull',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process signull;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## avahi over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_dbus_chat',`
+ gen_require(`
+ type avahi_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 avahi_t:dbus send_msg;
+ allow avahi_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Connect to avahi using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_stream_connect',`
+ gen_require(`
+ type avahi_t, avahi_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the avahi pid directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`avahi_dontaudit_search_pid',`
+ gen_require(`
+ type avahi_var_run_t;
+ ')
+
+ dontaudit $1 avahi_var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an avahi environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the avahi domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`avahi_admin',`
+ gen_require(`
+ type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+ ')
+
+ allow $1 avahi_t:process { ptrace signal_perms };
+ ps_process_pattern($1, avahi_t)
+
+ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 avahi_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_pids($1)
+ admin_pattern($1, avahi_var_run_t)
+')
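Review bot: avahi_admin does not cover avahi_var_lib_t, although avahi.te declares it and avahi.fc labels /var/lib/avahi-autoipd with it, so an admin role given this interface cannot manage that directory despite the summary "All of the rules required to administrate an avahi environment". Add `type avahi_var_lib_t;` to the gen_require block and, next to the pid rules, `files_list_var_lib($1)` and `admin_pattern($1, avahi_var_lib_t)`. If leaving it out is deliberate, a comment saying so would be better than a silent gap.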
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
new file mode 100644
index 00000000..a7a0e71a
--- /dev/null
+++ b/policy/modules/contrib/avahi.te
@@ -0,0 +1,112 @@
+policy_module(avahi, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type avahi_t;
+type avahi_exec_t;
+init_daemon_domain(avahi_t, avahi_exec_t)
+
+type avahi_initrc_exec_t;
+init_script_file(avahi_initrc_exec_t)
+
+type avahi_var_lib_t;
+files_pid_file(avahi_var_lib_t)
+
+type avahi_var_run_t;
+files_pid_file(avahi_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
+dontaudit avahi_t self:capability sys_tty_config;
+allow avahi_t self:process { setrlimit signal_perms getcap setcap };
+allow avahi_t self:fifo_file rw_fifo_file_perms;
+allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow avahi_t self:unix_dgram_socket create_socket_perms;
+allow avahi_t self:tcp_socket create_stream_socket_perms;
+allow avahi_t self:udp_socket create_socket_perms;
+allow avahi_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
+
+manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+allow avahi_t avahi_var_run_t:dir setattr_dir_perms;
+files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
+
+kernel_read_system_state(avahi_t)
+kernel_read_kernel_sysctls(avahi_t)
+kernel_read_network_state(avahi_t)
+
+corecmd_exec_bin(avahi_t)
+corecmd_exec_shell(avahi_t)
+
+corenet_all_recvfrom_unlabeled(avahi_t)
+corenet_all_recvfrom_netlabel(avahi_t)
+corenet_tcp_sendrecv_generic_if(avahi_t)
+corenet_udp_sendrecv_generic_if(avahi_t)
+corenet_tcp_sendrecv_generic_node(avahi_t)
+corenet_udp_sendrecv_generic_node(avahi_t)
+corenet_tcp_sendrecv_all_ports(avahi_t)
+corenet_udp_sendrecv_all_ports(avahi_t)
+corenet_tcp_bind_generic_node(avahi_t)
+corenet_udp_bind_generic_node(avahi_t)
+corenet_tcp_bind_howl_port(avahi_t)
+corenet_udp_bind_howl_port(avahi_t)
+corenet_send_howl_client_packets(avahi_t)
+corenet_receive_howl_server_packets(avahi_t)
+
+dev_read_sysfs(avahi_t)
+dev_read_urand(avahi_t)
+
+fs_getattr_all_fs(avahi_t)
+fs_search_auto_mountpoints(avahi_t)
+fs_list_inotifyfs(avahi_t)
+
+domain_use_interactive_fds(avahi_t)
+
+files_read_etc_files(avahi_t)
+files_read_etc_runtime_files(avahi_t)
+files_read_usr_files(avahi_t)
+
+auth_use_nsswitch(avahi_t)
+
+init_signal_script(avahi_t)
+init_signull_script(avahi_t)
+
+logging_send_syslog_msg(avahi_t)
+
+miscfiles_read_localization(avahi_t)
+miscfiles_read_generic_certs(avahi_t)
+
+sysnet_domtrans_ifconfig(avahi_t)
+sysnet_manage_config(avahi_t)
+sysnet_etc_filetrans_config(avahi_t)
+
+userdom_dontaudit_use_unpriv_user_fds(avahi_t)
+userdom_dontaudit_search_user_home_dirs(avahi_t)
+
+optional_policy(`
+ dbus_system_domain(avahi_t, avahi_exec_t)
+ dbus_system_bus_client(avahi_t)
+ dbus_connect_system_bus(avahi_t)
+
+ init_dbus_chat_script(avahi_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(avahi_t)
+')
+
+optional_policy(`
+ udev_read_db(avahi_t)
+')
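Review bot: avahi_var_lib_t is declared with `files_pid_file(avahi_var_lib_t)` even though avahi.fc labels the persistent directory /var/lib/avahi-autoipd with it and asterisk.te in this same series declares the equivalent type with `files_type(asterisk_var_lib_t)`; this looks like a copy of the avahi_var_run_t declaration two lines below. The practical effect is that the type carries the pid-file attribute, so every domain granted access to all pid files — including any boot-time cleanup of pid files — also reaches avahi's state under /var/lib. Change the declaration to `files_type(avahi_var_lib_t)` unless there is a reason the autoipd state must be treated as runtime pid data, in which case a comment should say so.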
diff --git a/policy/modules/contrib/awstats.fc b/policy/modules/contrib/awstats.fc
new file mode 100644
index 00000000..5f0fa49d
--- /dev/null
+++ b/policy/modules/contrib/awstats.fc
@@ -0,0 +1,5 @@
+/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0)
+/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0)
+/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
+
+/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0)
diff --git a/policy/modules/contrib/awstats.if b/policy/modules/contrib/awstats.if
new file mode 100644
index 00000000..283ff0d1
--- /dev/null
+++ b/policy/modules/contrib/awstats.if
@@ -0,0 +1,42 @@
+## <summary>
+## AWStats is a free powerful and featureful tool that generates advanced
+## web, streaming, ftp or mail server statistics, graphically.
+## </summary>
+
+########################################
+## <summary>
+## Read and write awstats unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`awstats_rw_pipes',`
+ gen_require(`
+ type awstats_t;
+ ')
+
+ allow $1 awstats_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Execute awstats cgi scripts in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`awstats_cgi_exec',`
+ gen_require(`
+ type httpd_awstats_script_exec_t, httpd_awstats_content_t;
+ ')
+
+ allow $1 httpd_awstats_content_t:dir search_dir_perms;
+ allow $1 httpd_awstats_script_exec_t:dir search_dir_perms;
+ can_exec($1, httpd_awstats_script_exec_t)
+')
diff --git a/policy/modules/contrib/awstats.te b/policy/modules/contrib/awstats.te
new file mode 100644
index 00000000..6bd3ad3c
--- /dev/null
+++ b/policy/modules/contrib/awstats.te
@@ -0,0 +1,85 @@
+policy_module(awstats, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type awstats_t;
+type awstats_exec_t;
+domain_type(awstats_t)
+domain_entry_file(awstats_t, awstats_exec_t)
+role system_r types awstats_t;
+
+type awstats_tmp_t;
+files_tmp_file(awstats_tmp_t)
+
+type awstats_var_lib_t;
+files_type(awstats_var_lib_t)
+
+apache_content_template(awstats)
+
+########################################
+#
+# awstats policy
+#
+
+awstats_rw_pipes(awstats_t)
+awstats_cgi_exec(awstats_t)
+
+can_exec(awstats_t, awstats_exec_t)
+
+manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
+
+manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
+files_var_lib_filetrans(awstats_t, awstats_var_lib_t, file)
+
+# dontaudit access to /proc/meminfo
+kernel_dontaudit_read_system_state(awstats_t)
+
+corecmd_exec_bin(awstats_t)
+corecmd_exec_shell(awstats_t)
+
+dev_read_urand(awstats_t)
+
+files_read_etc_files(awstats_t)
+# e.g. /usr/share/awstats/lang/awstats-en.txt
+files_read_usr_files(awstats_t)
+files_dontaudit_search_all_mountpoints(awstats_t)
+
+fs_list_inotifyfs(awstats_t)
+
+libs_read_lib_files(awstats_t)
+
+logging_read_generic_logs(awstats_t)
+
+miscfiles_read_localization(awstats_t)
+
+sysnet_dns_name_resolve(awstats_t)
+
+apache_read_log(awstats_t)
+
+optional_policy(`
+ cron_system_entry(awstats_t, awstats_exec_t)
+')
+
+optional_policy(`
+ # dontaudit searching nscd pid directory
+ nscd_dontaudit_search_pid(awstats_t)
+')
+
+optional_policy(`
+ squid_read_log(awstats_t)
+')
+
+########################################
+#
+# awstats cgi script policy
+#
+
+allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
+
+read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+files_search_var_lib(httpd_awstats_script_t)
diff --git a/policy/modules/contrib/backup.fc b/policy/modules/contrib/backup.fc
new file mode 100644
index 00000000..223b7f20
--- /dev/null
+++ b/policy/modules/contrib/backup.fc
@@ -0,0 +1,13 @@
+# backup
+# label programs that do backups to other files on disk (IE a cron job that
+# calls tar) in backup_exec_t and label the directory for storing them as
+# backup_store_t, Debian uses /var/backups
+
+#/usr/local/bin/backup-script -- gen_context(system_u:object_r:backup_exec_t,s0)
+
+ifdef(`distro_debian',`
+/etc/cron.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0)
+/etc/cron.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0)
+')
+
+/var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0)
diff --git a/policy/modules/contrib/backup.if b/policy/modules/contrib/backup.if
new file mode 100644
index 00000000..1017b7aa
--- /dev/null
+++ b/policy/modules/contrib/backup.if
@@ -0,0 +1,45 @@
+## <summary>System backup scripts</summary>
+
+########################################
+## <summary>
+## Execute backup in the backup domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`backup_domtrans',`
+ gen_require(`
+ type backup_t, backup_exec_t;
+ ')
+
+ domtrans_pattern($1, backup_exec_t, backup_t)
+')
+
+########################################
+## <summary>
+## Execute backup in the backup domain, and
+## allow the specified role the backup domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`backup_run',`
+ gen_require(`
+ type backup_t;
+ ')
+
+ backup_domtrans($1)
+ role $2 types backup_t;
+')
diff --git a/policy/modules/contrib/backup.te b/policy/modules/contrib/backup.te
new file mode 100644
index 00000000..0bfc9588
--- /dev/null
+++ b/policy/modules/contrib/backup.te
@@ -0,0 +1,85 @@
+policy_module(backup, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type backup_t;
+type backup_exec_t;
+domain_type(backup_t)
+domain_entry_file(backup_t, backup_exec_t)
+role system_r types backup_t;
+
+type backup_store_t;
+files_type(backup_store_t)
+
+########################################
+#
+# Local policy
+#
+
+allow backup_t self:capability dac_override;
+allow backup_t self:process signal;
+allow backup_t self:fifo_file rw_fifo_file_perms;
+allow backup_t self:tcp_socket create_socket_perms;
+allow backup_t self:udp_socket create_socket_perms;
+
+allow backup_t backup_store_t:file setattr;
+manage_files_pattern(backup_t, backup_store_t, backup_store_t)
+rw_files_pattern(backup_t, backup_store_t, backup_store_t)
+read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t)
+
+kernel_read_system_state(backup_t)
+kernel_read_kernel_sysctls(backup_t)
+
+corecmd_exec_bin(backup_t)
+corecmd_exec_shell(backup_t)
+
+corenet_all_recvfrom_unlabeled(backup_t)
+corenet_all_recvfrom_netlabel(backup_t)
+corenet_tcp_sendrecv_generic_if(backup_t)
+corenet_udp_sendrecv_generic_if(backup_t)
+corenet_raw_sendrecv_generic_if(backup_t)
+corenet_tcp_sendrecv_generic_node(backup_t)
+corenet_udp_sendrecv_generic_node(backup_t)
+corenet_raw_sendrecv_generic_node(backup_t)
+corenet_tcp_sendrecv_all_ports(backup_t)
+corenet_udp_sendrecv_all_ports(backup_t)
+corenet_tcp_connect_all_ports(backup_t)
+corenet_sendrecv_all_client_packets(backup_t)
+
+dev_getattr_all_blk_files(backup_t)
+dev_getattr_all_chr_files(backup_t)
+# for SSP
+dev_read_urand(backup_t)
+
+domain_use_interactive_fds(backup_t)
+
+files_read_all_files(backup_t)
+files_read_all_symlinks(backup_t)
+files_getattr_all_pipes(backup_t)
+files_getattr_all_sockets(backup_t)
+
+fs_getattr_xattr_fs(backup_t)
+fs_list_all(backup_t)
+
+auth_read_shadow(backup_t)
+
+logging_send_syslog_msg(backup_t)
+
+sysnet_read_config(backup_t)
+
+userdom_use_user_terminals(backup_t)
+
+optional_policy(`
+ cron_system_entry(backup_t, backup_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(backup_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(backup_t)
+')
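Review bot: `allow backup_t backup_store_t:file setattr;` and `rw_files_pattern(backup_t, backup_store_t, backup_store_t)` are both subsumed by `manage_files_pattern(backup_t, backup_store_t, backup_store_t)` on the line between them (refpolicy's manage_file_perms is a superset of rw_file_perms and includes setattr), so the two extra rules can be dropped without changing what the domain can do. Separately, `auth_read_shadow(backup_t)` together with `files_read_all_files(backup_t)`, write access to backup_store_t and `corenet_tcp_connect_all_ports(backup_t)` means a backup_exec_t cron script can copy /etc/shadow into the store and push it to any remote port; that is the expected job of a backup tool, but the intent deserves a comment next to the shadow rule, e.g. `# full-system backups archive /etc/shadow into backup_store_t; keep that type unreadable to other domains`, so whoever later labels the store directory knows it is as sensitive as the password file.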
diff --git a/policy/modules/contrib/bacula.fc b/policy/modules/contrib/bacula.fc
new file mode 100644
index 00000000..b70b6d29
--- /dev/null
+++ b/policy/modules/contrib/bacula.fc
@@ -0,0 +1,20 @@
+#
+# /usr
+#
+/usr/sbin/bacula-(.*)? -- gen_context(system_u:object_r:bacula_exec_t,s0)
+/usr/sbin/bat gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+/usr/sbin/bconsole gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+
+#
+# /etc
+#
+/etc/bacula(/.*)? gen_context(system_u:object_r:bacula_etc_t,s0)
+
+#
+# /var
+#
+/var/lib/bacula(/.*)? gen_context(system_u:object_r:bacula_var_lib_t,s0)
+
+# A separate disk for backups mounted at /bacula or beginning with
+# /bacula also matches a restore directory like /bacula-restores
+/bacula(.*)? gen_context(system_u:object_r:bacula_store_t,s0)
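Review bot: The `/usr/sbin/bat` and `/usr/sbin/bconsole` entries have no file-type field, unlike `/usr/sbin/bacula-(.*)? --` just above them, so they label any object type at those paths rather than regular files only; `/usr/sbin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)` (and the same for bconsole) matches the rest of the file. The `/bacula(.*)?` pattern also matches every top-level path starting with `bacula`, not just `/bacula` and `/bacula-restores` as the comment describes; listing the intended prefixes, e.g. `/bacula(-restores)?(/.*)?`, would keep an unrelated `/baculaXYZ` from being labelled as the backup store.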
diff --git a/policy/modules/contrib/bacula.if b/policy/modules/contrib/bacula.if
new file mode 100644
index 00000000..6b1722e2
--- /dev/null
+++ b/policy/modules/contrib/bacula.if
@@ -0,0 +1,45 @@
+## <summary>bacula backup program</summary>
+
+########################################
+## <summary>
+## Execute user interfaces in the bacula_admin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bacula_domtrans_admin',`
+ gen_require(`
+ type bacula_admin_t, bacula_admin_exec_t;
+ ')
+
+ domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t)
+')
+
+########################################
+## <summary>
+## Execute user interfaces in the bacula_admin domain, and
+## allow the specified role to transition to the bacula_admin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bacula_run_admin',`
+ gen_require(`
+ type bacula_admin_t;
+ ')
+
+ bacula_domtrans_admin($1)
+ role $2 types bacula_admin_t;
+')
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
new file mode 100644
index 00000000..f2ad3642
--- /dev/null
+++ b/policy/modules/contrib/bacula.te
@@ -0,0 +1,122 @@
+policy_module(bacula, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bacula_t;
+type bacula_exec_t;
+init_daemon_domain(bacula_t, bacula_exec_t)
+
+type bacula_etc_t;
+files_type(bacula_etc_t)
+
+type bacula_store_t;
+files_type(bacula_store_t)
+files_mountpoint(bacula_store_t)
+
+type bacula_var_lib_t;
+files_type(bacula_var_lib_t)
+
+type bacula_var_run_t;
+files_pid_file(bacula_var_run_t)
+
+type bacula_admin_t;
+type bacula_admin_exec_t;
+application_domain(bacula_admin_t, bacula_admin_exec_t)
+
+########################################
+#
+# Local policy - bacula daemon
+#
+
+allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
+allow bacula_t self:process signal;
+allow bacula_t self:fifo_file rw_fifo_file_perms;
+allow bacula_t self:tcp_socket create_stream_socket_perms;
+allow bacula_t self:udp_socket create_socket_perms;
+allow bacula_t self:netlink_route_socket create_netlink_socket_perms;
+
+read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t)
+
+manage_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
+manage_lnk_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
+manage_dirs_pattern(bacula_t, bacula_store_t, bacula_store_t)
+
+manage_files_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t)
+files_var_lib_filetrans(bacula_t, bacula_var_lib_t, file)
+
+allow bacula_t bacula_var_run_t:file { create_file_perms write_file_perms unlink};
+files_pid_filetrans(bacula_t, bacula_var_run_t, file)
+
+kernel_read_kernel_sysctls(bacula_t)
+kernel_read_system_state(bacula_t)
+
+corecmd_exec_bin(bacula_t)
+corecmd_exec_shell(bacula_t)
+
+corenet_tcp_bind_generic_node(bacula_t)
+corenet_udp_bind_generic_node(bacula_t)
+corenet_tcp_bind_generic_port(bacula_t)
+corenet_udp_bind_generic_port(bacula_t)
+corenet_tcp_bind_hplip_port(bacula_t)
+corenet_udp_bind_hplip_port(bacula_t)
+corenet_tcp_connect_all_ports(bacula_t)
+corenet_tcp_connect_smtp_port(bacula_t)
+# Bacula's default port are listed already under hplip
+
+dev_getattr_all_blk_files(bacula_t)
+dev_getattr_all_chr_files(bacula_t)
+
+files_dontaudit_getattr_all_sockets(bacula_t)
+files_read_all_files(bacula_t)
+files_read_all_symlinks(bacula_t)
+
+fs_getattr_xattr_fs(bacula_t)
+fs_list_all(bacula_t)
+
+auth_read_shadow(bacula_t)
+
+logging_send_syslog_msg(bacula_t)
+
+optional_policy(`
+ mysql_stream_connect(bacula_t)
+ mysql_tcp_connect(bacula_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(bacula_t)
+')
+
+optional_policy(`
+ sysnet_use_ldap(bacula_t)
+ ldap_stream_connect(bacula_t)
+')
+
+
+########################################
+#
+# Local policy - bacula admin client
+#
+allow bacula_admin_t self:process signal;
+allow bacula_admin_t self:tcp_socket create_stream_socket_perms;
+allow bacula_admin_t self:dgram_socket_class_set create_socket_perms;
+
+read_files_pattern(bacula_admin_t, bacula_etc_t, bacula_etc_t)
+
+corenet_tcp_connect_hplip_port(bacula_admin_t)
+corenet_udp_sendrecv_hplip_port(bacula_admin_t)
+
+domain_use_interactive_fds(bacula_admin_t)
+
+files_read_etc_files(bacula_admin_t)
+
+miscfiles_read_localization(bacula_admin_t)
+
+sysnet_dns_name_resolve(bacula_admin_t)
+
+userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
+userdom_use_user_ptys(bacula_admin_t)
+
+
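Review bot: Brace spacing is inconsistent with the rest of the file on `allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};` and `allow bacula_t bacula_var_run_t:file { create_file_perms write_file_perms unlink};` — refpolicy style puts a space before the closing brace, as the other `allow` lines here do. The second rule looks like a hand-assembled manage_file_perms; if that is what is intended, `manage_files_pattern(bacula_t, bacula_var_run_t, bacula_var_run_t)` would match how bacula_var_lib_t is handled a few lines earlier, though it would additionally grant directory permissions on bacula_var_run_t, so confirm no such directory is labelled before switching. The file also ends with two empty lines after `userdom_use_user_ptys(bacula_admin_t)`, and the `# Local policy - bacula admin client` header lacks the blank line before the first rule that the daemon section has.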
diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
new file mode 100644
index 00000000..59aa54f9
--- /dev/null
+++ b/policy/modules/contrib/bind.fc
@@ -0,0 +1,63 @@
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
+/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+
+/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+
+/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+
+/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+
+ifdef(`distro_debian',`
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+')
+
+ifdef(`distro_redhat',`
+/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/proc(/.*)? <<none>>
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
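Review bot: The literal dot in `named\.rfc1912.zones` is escaped once and left unescaped once on the same entry, at `/etc/named\.rfc1912.zones` in the distro_redhat block and again at `/var/named/chroot/etc/named\.rfc1912.zones`; as written the unescaped `.` matches any character, which is harmless here but inconsistent with the escaping used on every other literal path in the file. `/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)` is the intended form for both. `/etc/rndc.*`, `/var/log/named.*` and `/var/named/chroot/var/run/named.*` appear to use the unescaped dot deliberately as a wildcard; a short comment such as `# rndc.* intentionally matches rndc.conf and rndc.key` would stop a later reader from "fixing" them.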
diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
new file mode 100644
index 00000000..44a1e3d1
--- /dev/null
+++ b/policy/modules/contrib/bind.if
@@ -0,0 +1,399 @@
+## <summary>Berkeley internet name domain DNS server.</summary>
+
+########################################
+## <summary>
+## Execute bind server in the bind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bind_initrc_domtrans',`
+ gen_require(`
+ type named_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, named_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute ndc in the ndc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bind_domtrans_ndc',`
+ gen_require(`
+ type ndc_t, ndc_exec_t;
+ ')
+
+ domtrans_pattern($1, ndc_exec_t, ndc_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to BIND.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_signal',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signal;
+')
+
+########################################
+## <summary>
+## Send null sigals to BIND.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_signull',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signull;
+')
+
+########################################
+## <summary>
+## Send BIND the kill signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_kill',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Execute ndc in the ndc domain, and
+## allow the specified role the ndc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bind_run_ndc',`
+ gen_require(`
+ type ndc_t;
+ ')
+
+ bind_domtrans_ndc($1)
+ role $2 types ndc_t;
+')
+
+########################################
+## <summary>
+## Execute bind in the named domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bind_domtrans',`
+ gen_require(`
+ type named_t, named_exec_t;
+ ')
+
+ domtrans_pattern($1, named_exec_t, named_t)
+')
+
+########################################
+## <summary>
+## Read DNSSEC keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_dnssec_keys',`
+ gen_require(`
+ type named_conf_t, named_zone_t, dnssec_t;
+ ')
+
+ read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t)
+')
+
+########################################
+## <summary>
+## Read BIND named configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_config',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ read_files_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+## <summary>
+## Write BIND named configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_write_config',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ write_files_pattern($1, named_conf_t, named_conf_t)
+ allow $1 named_conf_t:file setattr;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## BIND configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_config_dirs',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ manage_dirs_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+## <summary>
+## Search the BIND cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_search_cache',`
+ gen_require(`
+ type named_conf_t, named_cache_t, named_zone_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_conf_t:dir search_dir_perms;
+ allow $1 named_zone_t:dir search_dir_perms;
+ allow $1 named_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## BIND cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_cache',`
+ gen_require(`
+ type named_cache_t, named_zone_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir search_dir_perms;
+ manage_files_pattern($1, named_cache_t, named_cache_t)
+ manage_lnk_files_pattern($1, named_cache_t, named_cache_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the BIND pid directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_setattr_pid_dirs',`
+ gen_require(`
+ type named_var_run_t;
+ ')
+
+ allow $1 named_var_run_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of the BIND zone directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_setattr_zone_dirs',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ allow $1 named_zone_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Read BIND zone files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+## <summary>
+## Manage BIND zone files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+## <summary>
+## Send and receive datagrams to and from named. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_udp_chat_named',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an bind environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the bind domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bind_admin',`
+ gen_require(`
+ type named_t, named_tmp_t, named_log_t;
+ type named_conf_t, named_var_lib_t, named_var_run_t;
+ type named_cache_t, named_zone_t;
+ type dnssec_t, ndc_t;
+ type named_initrc_exec_t;
+ ')
+
+ allow $1 named_t:process { ptrace signal_perms };
+ ps_process_pattern($1, named_t)
+
+ allow $1 ndc_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ndc_t)
+
+ bind_run_ndc($1, $2)
+
+ init_labeled_script_domtrans($1, named_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 named_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, named_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, named_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, named_conf_t)
+
+ admin_pattern($1, named_cache_t)
+ admin_pattern($1, named_zone_t)
+ admin_pattern($1, dnssec_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, named_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, named_var_run_t)
+')
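Review bot: Two documentation typos in the interface summaries: `## Send null sigals to BIND.` on bind_signull should read `## Send null signals to BIND.`, and `## an bind environment` on bind_admin should read `## a bind environment`; these summaries are what the refpolicy documentation generator publishes. A possible functional gap, hedged because it depends on callers: bind_read_config and bind_write_config grant access to named_conf_t files but do not grant a search path to them, whereas bind_read_zone, bind_search_cache and bind_manage_zone all call `files_search_var($1)`; a caller that does not already search /etc would be denied before reaching the file, so either add `files_search_etc($1)` to both or document in the summary that the caller must supply the search path.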
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
new file mode 100644
index 00000000..4deca04f
--- /dev/null
+++ b/policy/modules/contrib/bind.te
@@ -0,0 +1,260 @@
+policy_module(bind, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow BIND to write the master zone files.
+## Generally this is used for dynamic DNS or zone transfers.
+## </p>
+## </desc>
+gen_tunable(named_write_master_zones, false)
+
+# for DNSSEC key files
+type dnssec_t;
+files_security_file(dnssec_t)
+
+type named_t;
+type named_exec_t;
+init_daemon_domain(named_t, named_exec_t)
+role system_r types named_t;
+
+type named_checkconf_exec_t;
+init_system_domain(named_t, named_checkconf_exec_t)
+
+# A type for configuration files of named.
+type named_conf_t;
+files_type(named_conf_t)
+files_mountpoint(named_conf_t)
+
+# for secondary zone files
+type named_cache_t;
+files_type(named_cache_t)
+
+type named_initrc_exec_t;
+init_script_file(named_initrc_exec_t)
+
+type named_log_t;
+logging_log_file(named_log_t)
+
+type named_tmp_t;
+files_tmp_file(named_tmp_t)
+
+type named_var_run_t;
+files_pid_file(named_var_run_t)
+
+# for primary zone files
+type named_zone_t;
+files_type(named_zone_t)
+
+type ndc_t;
+type ndc_exec_t;
+init_system_domain(ndc_t, ndc_exec_t)
+role system_r types ndc_t;
+
+########################################
+#
+# Named local policy
+#
+
+allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+dontaudit named_t self:capability sys_tty_config;
+allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
+allow named_t self:fifo_file rw_fifo_file_perms;
+allow named_t self:unix_stream_socket create_stream_socket_perms;
+allow named_t self:unix_dgram_socket create_socket_perms;
+allow named_t self:tcp_socket create_stream_socket_perms;
+allow named_t self:udp_socket create_socket_perms;
+
+allow named_t dnssec_t:file read_file_perms;
+
+# read configuration
+allow named_t named_conf_t:dir list_dir_perms;
+read_files_pattern(named_t, named_conf_t, named_conf_t)
+read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
+
+# write cache for secondary zones
+manage_files_pattern(named_t, named_cache_t, named_cache_t)
+manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+
+can_exec(named_t, named_exec_t)
+
+manage_files_pattern(named_t, named_log_t, named_log_t)
+logging_log_filetrans(named_t, named_log_t, { file dir })
+
+manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
+files_tmp_filetrans(named_t, named_tmp_t, { file dir })
+
+manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
+manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
+files_pid_filetrans(named_t, named_var_run_t, { file sock_file })
+
+# read zone files
+allow named_t named_zone_t:dir list_dir_perms;
+read_files_pattern(named_t, named_zone_t, named_zone_t)
+read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+
+kernel_read_kernel_sysctls(named_t)
+kernel_read_system_state(named_t)
+kernel_read_network_state(named_t)
+
+corecmd_search_bin(named_t)
+
+corenet_all_recvfrom_unlabeled(named_t)
+corenet_all_recvfrom_netlabel(named_t)
+corenet_tcp_sendrecv_generic_if(named_t)
+corenet_udp_sendrecv_generic_if(named_t)
+corenet_tcp_sendrecv_generic_node(named_t)
+corenet_udp_sendrecv_generic_node(named_t)
+corenet_tcp_sendrecv_all_ports(named_t)
+corenet_udp_sendrecv_all_ports(named_t)
+corenet_tcp_bind_generic_node(named_t)
+corenet_udp_bind_generic_node(named_t)
+corenet_tcp_bind_dns_port(named_t)
+corenet_udp_bind_dns_port(named_t)
+corenet_tcp_bind_rndc_port(named_t)
+corenet_tcp_connect_all_ports(named_t)
+corenet_sendrecv_dns_server_packets(named_t)
+corenet_sendrecv_dns_client_packets(named_t)
+corenet_sendrecv_rndc_server_packets(named_t)
+corenet_sendrecv_rndc_client_packets(named_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
+corenet_udp_bind_all_unreserved_ports(named_t)
+
+dev_read_sysfs(named_t)
+dev_read_rand(named_t)
+dev_read_urand(named_t)
+
+domain_use_interactive_fds(named_t)
+
+files_read_etc_files(named_t)
+files_read_etc_runtime_files(named_t)
+
+fs_getattr_all_fs(named_t)
+fs_search_auto_mountpoints(named_t)
+
+auth_use_nsswitch(named_t)
+
+logging_send_syslog_msg(named_t)
+
+miscfiles_read_localization(named_t)
+miscfiles_read_generic_certs(named_t)
+
+userdom_dontaudit_use_unpriv_user_fds(named_t)
+userdom_dontaudit_search_user_home_dirs(named_t)
+
+tunable_policy(`named_write_master_zones',`
+ manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
+ manage_files_pattern(named_t, named_zone_t, named_zone_t)
+ manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+')
+
+optional_policy(`
+ init_dbus_chat_script(named_t)
+
+ sysnet_dbus_chat_dhcpc(named_t)
+
+ dbus_system_bus_client(named_t)
+ dbus_connect_system_bus(named_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(named_t)
+ ')
+')
+
+optional_policy(`
+ kerberos_keytab_template(named, named_t)
+')
+
+optional_policy(`
+ # this seems like fds that arent being
+ # closed. these should probably be
+ # dontaudits instead.
+ networkmanager_rw_udp_sockets(named_t)
+ networkmanager_rw_packet_sockets(named_t)
+ networkmanager_rw_routing_sockets(named_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(named_t)
+')
+
+optional_policy(`
+ udev_read_db(named_t)
+')
+
+########################################
+#
+# NDC local policy
+#
+
+# cjp: why net_admin?!
+allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:process { fork signal_perms };
+allow ndc_t self:fifo_file rw_fifo_file_perms;
+allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
+allow ndc_t self:tcp_socket create_socket_perms;
+allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow ndc_t dnssec_t:file read_file_perms;
+allow ndc_t dnssec_t:lnk_file { getattr read };
+
+stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
+
+allow ndc_t named_conf_t:file read_file_perms;
+allow ndc_t named_conf_t:lnk_file { getattr read };
+
+allow ndc_t named_zone_t:dir search_dir_perms;
+
+kernel_read_kernel_sysctls(ndc_t)
+
+corenet_all_recvfrom_unlabeled(ndc_t)
+corenet_all_recvfrom_netlabel(ndc_t)
+corenet_tcp_sendrecv_generic_if(ndc_t)
+corenet_tcp_sendrecv_generic_node(ndc_t)
+corenet_tcp_sendrecv_all_ports(ndc_t)
+corenet_tcp_bind_generic_node(ndc_t)
+corenet_tcp_connect_rndc_port(ndc_t)
+corenet_sendrecv_rndc_client_packets(ndc_t)
+
+domain_use_interactive_fds(ndc_t)
+
+files_read_etc_files(ndc_t)
+files_search_pids(ndc_t)
+
+fs_getattr_xattr_fs(ndc_t)
+
+init_use_fds(ndc_t)
+init_use_script_ptys(ndc_t)
+
+logging_send_syslog_msg(ndc_t)
+
+miscfiles_read_localization(ndc_t)
+
+sysnet_read_config(ndc_t)
+sysnet_dns_name_resolve(ndc_t)
+
+userdom_use_user_terminals(ndc_t)
+
+term_dontaudit_use_console(ndc_t)
+
+# for /etc/rndc.key
+ifdef(`distro_redhat',`
+ allow ndc_t named_conf_t:dir search;
+')
+
+optional_policy(`
+ nis_use_ypbind(ndc_t)
+')
+
+optional_policy(`
+ nscd_socket_use(ndc_t)
+')
+
+optional_policy(`
+ ppp_dontaudit_use_fds(ndc_t)
+')
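Review bot: `allow ndc_t self:capability { dac_override net_admin };` is committed together with the unanswered question `# cjp: why net_admin?!` directly above it; net_admin is one of the broadest capabilities (interface, routing and firewall configuration among other things) and a brand-new module should not grant it on an open question, especially to a tool that is run from an administrative role via bind_run_ndc. If the need cannot be reproduced, drop it, or at least make it `dontaudit ndc_t self:capability net_admin;` until a denial is shown to break rndc; as far as I know the `r_netlink_socket_perms` on netlink_route_socket granted on the line below does not require net_admin for read-only route queries. The same shipping-a-TODO pattern appears in the networkmanager optional_policy block for named_t, whose comment says the three `networkmanager_rw_*` rules "should probably be dontaudits instead" — that decision should be taken before the rules land as allows.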
diff --git a/policy/modules/contrib/bitlbee.fc b/policy/modules/contrib/bitlbee.fc
new file mode 100644
index 00000000..0197980d
--- /dev/null
+++ b/policy/modules/contrib/bitlbee.fc
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
+/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
+
+/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+
+/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
diff --git a/policy/modules/contrib/bitlbee.if b/policy/modules/contrib/bitlbee.if
new file mode 100644
index 00000000..de0bd679
--- /dev/null
+++ b/policy/modules/contrib/bitlbee.if
@@ -0,0 +1,59 @@
+## <summary>Bitlbee service</summary>
+
+########################################
+## <summary>
+## Read bitlbee configuration files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed accesss.
+## </summary>
+## </param>
+#
+interface(`bitlbee_read_config',`
+ gen_require(`
+ type bitlbee_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 bitlbee_conf_t:dir list_dir_perms;
+ allow $1 bitlbee_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an bitlbee environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the bitlbee domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bitlbee_admin',`
+ gen_require(`
+ type bitlbee_t, bitlbee_conf_t, bitlbee_var_t;
+ type bitlbee_initrc_exec_t;
+ ')
+
+ allow $1 bitlbee_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bitlbee_t)
+
+ init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bitlbee_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, bitlbee_conf_t)
+
+ files_list_var($1)
+ admin_pattern($1, bitlbee_var_t)
+')
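Review bot: `files_list_var($1)` in bitlbee_admin only grants listing of /var, but bitlbee_var_t lives under /var/lib (bitlbee.fc labels `/var/lib/bitlbee(/.*)?` and bitlbee.te uses `files_var_lib_filetrans`), so the admin role may be unable to traverse to the files that `admin_pattern($1, bitlbee_var_t)` grants; `files_list_var_lib($1)` is the interface bind_admin uses for the same location earlier in this commit. Two summary typos as well: `## Domain allowed accesss.` on bitlbee_read_config should be `## Domain allowed access.`, and `## an bitlbee environment` should be `## a bitlbee environment`.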
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
new file mode 100644
index 00000000..f4e7ad3d
--- /dev/null
+++ b/policy/modules/contrib/bitlbee.te
@@ -0,0 +1,94 @@
+policy_module(bitlbee, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type bitlbee_t;
+type bitlbee_exec_t;
+init_daemon_domain(bitlbee_t, bitlbee_exec_t)
+inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
+
+type bitlbee_conf_t;
+files_config_file(bitlbee_conf_t)
+
+type bitlbee_initrc_exec_t;
+init_script_file(bitlbee_initrc_exec_t)
+
+type bitlbee_tmp_t;
+files_tmp_file(bitlbee_tmp_t)
+
+type bitlbee_var_t;
+files_type(bitlbee_var_t)
+
+########################################
+#
+# Local policy
+#
+
+allow bitlbee_t self:capability { setgid setuid };
+allow bitlbee_t self:process signal;
+allow bitlbee_t self:udp_socket create_socket_perms;
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+
+bitlbee_read_config(bitlbee_t)
+
+# tmp files
+manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
+
+# user account information is read and edited at runtime; give the usual
+# r/w access to bitlbee_var_t
+manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+
+kernel_read_system_state(bitlbee_t)
+
+corenet_all_recvfrom_unlabeled(bitlbee_t)
+corenet_udp_sendrecv_generic_if(bitlbee_t)
+corenet_udp_sendrecv_generic_node(bitlbee_t)
+corenet_tcp_sendrecv_generic_if(bitlbee_t)
+corenet_tcp_sendrecv_generic_node(bitlbee_t)
+# Allow bitlbee to connect to jabber servers
+corenet_tcp_connect_jabber_client_port(bitlbee_t)
+corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+# to AIM servers:
+corenet_tcp_connect_aol_port(bitlbee_t)
+corenet_tcp_sendrecv_aol_port(bitlbee_t)
+# and to MMCC (Yahoo IM) servers:
+corenet_tcp_connect_mmcc_port(bitlbee_t)
+corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
+# and to MSNP (MSN Messenger) servers:
+corenet_tcp_connect_msnp_port(bitlbee_t)
+corenet_tcp_sendrecv_msnp_port(bitlbee_t)
+# MSN can use passport auth, which is over http:
+corenet_tcp_connect_http_port(bitlbee_t)
+corenet_tcp_sendrecv_http_port(bitlbee_t)
+corenet_tcp_connect_http_cache_port(bitlbee_t)
+corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
+
+dev_read_rand(bitlbee_t)
+dev_read_urand(bitlbee_t)
+
+files_read_etc_files(bitlbee_t)
+files_search_pids(bitlbee_t)
+# grant read-only access to the user help files
+files_read_usr_files(bitlbee_t)
+
+libs_legacy_use_shared_libs(bitlbee_t)
+
+auth_use_nsswitch(bitlbee_t)
+
+logging_send_syslog_msg(bitlbee_t)
+
+miscfiles_read_localization(bitlbee_t)
+
+sysnet_dns_name_resolve(bitlbee_t)
+
+optional_policy(`
+ # normally started from inetd using tcpwrappers, so use those entry points
+ tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
+')
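Review bot: The capability grant that opens the local policy, `allow bitlbee_t self:capability { setgid setuid };`, carries no why-comment, while the comparable privileged lines in bluetooth.te, brctl.te and calamaris.te at least name a reason; presumably the daemon starts as root and drops to a service account, which should be confirmed and recorded as `# setuid/setgid: presumably to drop privileges to the bitlbee user after start (confirm)`. The comment at `# user account information is read and edited at runtime` is the only indication that bitlbee_var_t (/var/lib/bitlbee) holds what appears to be per-user account data rather than ordinary state; stating that explicitly next to the `files_type(bitlbee_var_t)` declaration would warn later authors against exposing the type through broader read interfaces.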
diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc
new file mode 100644
index 00000000..dc687e6d
--- /dev/null
+++ b/policy/modules/contrib/bluetooth.fc
@@ -0,0 +1,30 @@
+#
+# /etc
+#
+/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0)
+/etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
+/etc/rc\.d/init\.d/bluetooth -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
+/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
+
+/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
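Review bot: The `/etc/bluetooth/link_key` entry is given the writable bluetooth_conf_rw_t while the rest of /etc/bluetooth is read-only bluetooth_conf_t, and nothing in the file says why; bluetooth.te grants bluetooth_t full manage rights on conf_rw_t inside conf_t, so this is the one configuration file the daemon rewrites at runtime. A comment such as `# rewritten by bluetoothd at runtime (presumably the pairing link keys), hence the rw type` would make the split deliberate rather than look like an oversight. Unlike the init-script lines below it, the entry has no `--` qualifier, so it also matches a directory of that name, which is probably harmless but worth a word.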
diff --git a/policy/modules/contrib/bluetooth.if b/policy/modules/contrib/bluetooth.if
new file mode 100644
index 00000000..3e454314
--- /dev/null
+++ b/policy/modules/contrib/bluetooth.if
@@ -0,0 +1,228 @@
+## <summary>Bluetooth tools and system services.</summary>
+
+########################################
+## <summary>
+## Role access for bluetooth
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`bluetooth_role',`
+ gen_require(`
+ type bluetooth_helper_t, bluetooth_helper_exec_t;
+ type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t;
+ ')
+
+ role $1 types bluetooth_helper_t;
+
+ domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
+
+ # allow ps to show cdrecord and allow the user to kill it
+ ps_process_pattern($2, bluetooth_helper_t)
+ allow $2 bluetooth_helper_t:process signal;
+
+ manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+ manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+ manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+
+ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+')
+
+#####################################
+## <summary>
+## Connect to bluetooth over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_stream_connect',`
+ gen_require(`
+ type bluetooth_t, bluetooth_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 bluetooth_t:socket rw_socket_perms;
+ stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+')
+
+########################################
+## <summary>
+## Execute bluetooth in the bluetooth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bluetooth_domtrans',`
+ gen_require(`
+ type bluetooth_t, bluetooth_exec_t;
+ ')
+
+ domtrans_pattern($1, bluetooth_exec_t, bluetooth_t)
+')
+
+########################################
+## <summary>
+## Read bluetooth daemon configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_read_config',`
+ gen_require(`
+ type bluetooth_conf_t;
+ ')
+
+ allow $1 bluetooth_conf_t:file { getattr read ioctl };
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## bluetooth over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_dbus_chat',`
+ gen_require(`
+ type bluetooth_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 bluetooth_t:dbus send_msg;
+ allow bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bluetooth_domtrans_helper',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Execute bluetooth_helper in the bluetooth_helper domain, and
+## allow the specified role the bluetooth_helper domain. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the bluetooth_helper domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bluetooth_run_helper',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Read bluetooth helper state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`bluetooth_dontaudit_read_helper_state',`
+ gen_require(`
+ type bluetooth_helper_t;
+ ')
+
+ dontaudit $1 bluetooth_helper_t:dir search;
+ dontaudit $1 bluetooth_helper_t:file { read getattr };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an bluetooth environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the bluetooth domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bluetooth_admin',`
+ gen_require(`
+ type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+ type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_conf_t, bluetooth_conf_rw_t;
+ type bluetooth_initrc_exec_t;
+ ')
+
+ allow $1 bluetooth_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bluetooth_t)
+
+ init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bluetooth_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, bluetooth_tmp_t)
+
+ files_list_var($1)
+ admin_pattern($1, bluetooth_lock_t)
+
+ files_list_etc($1)
+ admin_pattern($1, bluetooth_conf_t)
+ admin_pattern($1, bluetooth_conf_rw_t)
+
+ files_list_spool($1)
+ admin_pattern($1, bluetooth_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, bluetooth_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, bluetooth_var_run_t)
+')
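Review bot: bluetooth_admin's gen_require lists `bluetooth_spool_t`, but bluetooth.te in this commit declares no such type (its declarations are conf_t, conf_rw_t, helper_t, helper_tmp_t, helper_tmpfs_t, initrc_exec_t, lock_t, tmp_t, var_lib_t and var_run_t), so any policy that calls this interface will fail to build on the unresolved type; drop the require together with `files_list_spool($1)` and `admin_pattern($1, bluetooth_spool_t)`, or declare the type in bluetooth.te if a spool directory genuinely exists. The comment in bluetooth_role, `# allow ps to show cdrecord and allow the user to kill it`, is copied from another module and should name bluetooth_helper. bluetooth_read_config spells out `{ getattr read ioctl }` instead of `read_file_perms` and, unlike bitlbee_read_config, does not call `files_search_etc($1)`, so a caller without its own /etc search access cannot actually open the file.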
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
new file mode 100644
index 00000000..d3019b31
--- /dev/null
+++ b/policy/modules/contrib/bluetooth.te
@@ -0,0 +1,241 @@
+policy_module(bluetooth, 3.4.0)
+
+########################################
+#
+# Declarations
+#
+type bluetooth_t;
+type bluetooth_exec_t;
+init_daemon_domain(bluetooth_t, bluetooth_exec_t)
+
+type bluetooth_conf_t;
+files_type(bluetooth_conf_t)
+
+type bluetooth_conf_rw_t;
+files_type(bluetooth_conf_rw_t)
+
+type bluetooth_helper_t;
+type bluetooth_helper_exec_t;
+typealias bluetooth_helper_t alias { user_bluetooth_helper_t staff_bluetooth_helper_t sysadm_bluetooth_helper_t };
+typealias bluetooth_helper_t alias { auditadm_bluetooth_helper_t secadm_bluetooth_helper_t };
+userdom_user_application_domain(bluetooth_helper_t, bluetooth_helper_exec_t)
+
+type bluetooth_helper_tmp_t;
+typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t };
+typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t };
+userdom_user_tmp_file(bluetooth_helper_tmp_t)
+
+type bluetooth_helper_tmpfs_t;
+typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t };
+typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t secadm_bluetooth_helper_tmpfs_t };
+userdom_user_tmpfs_file(bluetooth_helper_tmpfs_t)
+
+type bluetooth_initrc_exec_t;
+init_script_file(bluetooth_initrc_exec_t)
+
+type bluetooth_lock_t;
+files_lock_file(bluetooth_lock_t)
+
+type bluetooth_tmp_t;
+files_tmp_file(bluetooth_tmp_t)
+
+type bluetooth_var_lib_t;
+files_type(bluetooth_var_lib_t)
+
+type bluetooth_var_run_t;
+files_pid_file(bluetooth_var_run_t)
+
+########################################
+#
+# Bluetooth services local policy
+#
+
+#sys_admin capability - redhat bug 573015
+allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
+dontaudit bluetooth_t self:capability sys_tty_config;
+allow bluetooth_t self:process { getcap setcap getsched signal_perms };
+allow bluetooth_t self:fifo_file rw_fifo_file_perms;
+allow bluetooth_t self:shm create_shm_perms;
+allow bluetooth_t self:socket create_stream_socket_perms;
+allow bluetooth_t self:unix_dgram_socket create_socket_perms;
+allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow bluetooth_t self:tcp_socket create_stream_socket_perms;
+allow bluetooth_t self:udp_socket create_socket_perms;
+allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
+
+manage_dirs_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_lnk_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_fifo_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_sock_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file lnk_file sock_file fifo_file })
+
+can_exec(bluetooth_t, bluetooth_helper_exec_t)
+
+allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
+files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
+
+manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })
+
+manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
+
+manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
+manage_sock_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
+files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(bluetooth_t)
+kernel_read_system_state(bluetooth_t)
+kernel_read_network_state(bluetooth_t)
+kernel_request_load_module(bluetooth_t)
+#search debugfs - redhat bug 548206
+kernel_search_debugfs(bluetooth_t)
+
+corenet_all_recvfrom_unlabeled(bluetooth_t)
+corenet_all_recvfrom_netlabel(bluetooth_t)
+corenet_tcp_sendrecv_generic_if(bluetooth_t)
+corenet_udp_sendrecv_generic_if(bluetooth_t)
+corenet_raw_sendrecv_generic_if(bluetooth_t)
+corenet_tcp_sendrecv_generic_node(bluetooth_t)
+corenet_udp_sendrecv_generic_node(bluetooth_t)
+corenet_raw_sendrecv_generic_node(bluetooth_t)
+corenet_tcp_sendrecv_all_ports(bluetooth_t)
+corenet_udp_sendrecv_all_ports(bluetooth_t)
+
+dev_read_sysfs(bluetooth_t)
+dev_rw_usbfs(bluetooth_t)
+dev_rw_generic_usb_dev(bluetooth_t)
+dev_read_urand(bluetooth_t)
+dev_rw_input_dev(bluetooth_t)
+dev_rw_wireless(bluetooth_t)
+
+fs_getattr_all_fs(bluetooth_t)
+fs_search_auto_mountpoints(bluetooth_t)
+fs_list_inotifyfs(bluetooth_t)
+
+#Handle bluetooth serial devices
+term_use_unallocated_ttys(bluetooth_t)
+
+corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
+
+domain_use_interactive_fds(bluetooth_t)
+domain_dontaudit_search_all_domains_state(bluetooth_t)
+
+files_read_etc_files(bluetooth_t)
+files_read_etc_runtime_files(bluetooth_t)
+files_read_usr_files(bluetooth_t)
+
+auth_use_nsswitch(bluetooth_t)
+
+logging_send_syslog_msg(bluetooth_t)
+
+miscfiles_read_localization(bluetooth_t)
+miscfiles_read_fonts(bluetooth_t)
+miscfiles_read_hwdata(bluetooth_t)
+
+userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+userdom_dontaudit_use_user_terminals(bluetooth_t)
+userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+
+optional_policy(`
+ dbus_system_bus_client(bluetooth_t)
+ dbus_connect_system_bus(bluetooth_t)
+
+ optional_policy(`
+ cups_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_dbus_chat(bluetooth_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(bluetooth_t)
+')
+
+optional_policy(`
+ udev_read_db(bluetooth_t)
+')
+
+optional_policy(`
+ ppp_domtrans(bluetooth_t)
+')
+
+########################################
+#
+# Bluetooth helper programs local policy
+#
+
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:process getsched;
+allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow bluetooth_helper_t self:tcp_socket create_socket_perms;
+allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow bluetooth_helper_t bluetooth_t:socket { read write };
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_sock_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+fs_tmpfs_filetrans(bluetooth_helper_t, bluetooth_helper_tmpfs_t, { dir file })
+
+kernel_read_system_state(bluetooth_helper_t)
+kernel_read_kernel_sysctls(bluetooth_helper_t)
+
+dev_read_urand(bluetooth_helper_t)
+
+term_dontaudit_use_all_ttys(bluetooth_helper_t)
+
+corecmd_exec_bin(bluetooth_helper_t)
+corecmd_exec_shell(bluetooth_helper_t)
+
+domain_read_all_domains_state(bluetooth_helper_t)
+
+files_read_etc_files(bluetooth_helper_t)
+files_read_etc_runtime_files(bluetooth_helper_t)
+files_read_usr_files(bluetooth_helper_t)
+files_dontaudit_list_default(bluetooth_helper_t)
+
+locallogin_dontaudit_use_fds(bluetooth_helper_t)
+
+logging_send_syslog_msg(bluetooth_helper_t)
+
+miscfiles_read_localization(bluetooth_helper_t)
+
+sysnet_read_config(bluetooth_helper_t)
+
+optional_policy(`
+ bluetooth_dbus_chat(bluetooth_helper_t)
+
+ dbus_system_bus_client(bluetooth_helper_t)
+ dbus_connect_system_bus(bluetooth_helper_t)
+')
+
+optional_policy(`
+ nscd_socket_use(bluetooth_helper_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
+')
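Review bot: `dontaudit bluetooth_t self:capability sys_tty_config;` directly under the capability allow is dead, because the preceding allow already grants sys_tty_config and a permitted access is never logged as a denial; either drop the dontaudit or remove sys_tty_config from the allow if, as the dontaudit suggests, the intent was to silence noise rather than grant the capability. The `sys_admin` entry is justified only by the bug number in `#sys_admin capability - redhat bug 573015`; a sentence naming the operation that needs it would let a later reviewer judge whether it can be removed, since sys_admin is close to unrestricted. In the helper section, `domain_read_all_domains_state(bluetooth_helper_t)` lets a user-launched helper read the /proc state of every domain; if ps-style listing of the daemon is all that is needed, a narrower grant would be worth considering.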
diff --git a/policy/modules/contrib/brctl.fc b/policy/modules/contrib/brctl.fc
new file mode 100644
index 00000000..642f67e0
--- /dev/null
+++ b/policy/modules/contrib/brctl.fc
@@ -0,0 +1 @@
+/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
diff --git a/policy/modules/contrib/brctl.if b/policy/modules/contrib/brctl.if
new file mode 100644
index 00000000..2c2cdb62
--- /dev/null
+++ b/policy/modules/contrib/brctl.if
@@ -0,0 +1,20 @@
+## <summary>Utilities for configuring the linux ethernet bridge</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run brctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`brctl_domtrans',`
+ gen_require(`
+ type brctl_t, brctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, brctl_exec_t, brctl_t)
+')
diff --git a/policy/modules/contrib/brctl.te b/policy/modules/contrib/brctl.te
new file mode 100644
index 00000000..9a62a1d0
--- /dev/null
+++ b/policy/modules/contrib/brctl.te
@@ -0,0 +1,44 @@
+policy_module(brctl, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type brctl_t;
+type brctl_exec_t;
+init_system_domain(brctl_t, brctl_exec_t)
+
+########################################
+#
+# brctl local policy
+#
+
+allow brctl_t self:capability net_admin;
+allow brctl_t self:fifo_file rw_fifo_file_perms;
+allow brctl_t self:unix_stream_socket create_stream_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+allow brctl_t self:tcp_socket create_socket_perms;
+
+kernel_request_load_module(brctl_t)
+kernel_read_network_state(brctl_t)
+kernel_read_sysctl(brctl_t)
+
+corenet_rw_tun_tap_dev(brctl_t)
+
+dev_rw_sysfs(brctl_t)
+dev_write_sysfs_dirs(brctl_t)
+
+# Init script handling
+domain_use_interactive_fds(brctl_t)
+
+files_read_etc_files(brctl_t)
+
+term_dontaudit_use_console(brctl_t)
+
+miscfiles_read_localization(brctl_t)
+
+optional_policy(`
+ xen_append_log(brctl_t)
+ xen_dontaudit_rw_unix_stream_sockets(brctl_t)
+')
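Review bot: The rules that make brctl a privileged domain, `allow brctl_t self:capability net_admin;` with `dev_rw_sysfs(brctl_t)` and `dev_write_sysfs_dirs(brctl_t)`, have no why-comment, while the only commented line in the block is the innocuous `domain_use_interactive_fds`. Recording the reason, e.g. `# net_admin and sysfs write: bridge and port configuration (confirm against brctl's ioctl/sysfs usage)`, documents why a bridge configuration tool needs kernel-level network administration. The `corenet_rw_tun_tap_dev` and `kernel_request_load_module` lines likewise deserve a one-line justification.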
diff --git a/policy/modules/contrib/bugzilla.fc b/policy/modules/contrib/bugzilla.fc
new file mode 100644
index 00000000..8c840634
--- /dev/null
+++ b/policy/modules/contrib/bugzilla.fc
@@ -0,0 +1,4 @@
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
diff --git a/policy/modules/contrib/bugzilla.if b/policy/modules/contrib/bugzilla.if
new file mode 100644
index 00000000..de89d0f1
--- /dev/null
+++ b/policy/modules/contrib/bugzilla.if
@@ -0,0 +1,77 @@
+## <summary>Bugzilla server</summary>
+
+########################################
+## <summary>
+## Allow the specified domain to search
+## bugzilla directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bugzilla_search_content',`
+ gen_require(`
+ type httpd_bugzilla_content_t;
+ ')
+
+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## bugzilla script unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type httpd_bugzilla_script_t;
+ ')
+
+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an bugzilla environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the bugzilla domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bugzilla_admin',`
+ gen_require(`
+ type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+ type httpd_bugzilla_htaccess_t;
+ ')
+
+ allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_bugzilla_script_t)
+
+ files_list_var_lib(httpd_bugzilla_script_t)
+
+ apache_list_sys_content($1)
+ admin_pattern($1, httpd_bugzilla_script_exec_t)
+ admin_pattern($1, httpd_bugzilla_script_t)
+ admin_pattern($1, httpd_bugzilla_content_t)
+ admin_pattern($1, httpd_bugzilla_htaccess_t)
+ admin_pattern($1, httpd_bugzilla_rw_content_t)
+ admin_pattern($1, httpd_bugzilla_ra_content_t)
+')
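Review bot: In bugzilla_admin, `files_list_var_lib(httpd_bugzilla_script_t)` passes the script domain where every other line of the interface uses `$1`; as written, calling the admin interface grants the bugzilla CGI domain list access on /var/lib instead of giving the administrator the path it needs before `admin_pattern($1, httpd_bugzilla_rw_content_t)` is useful. The line should read `files_list_var_lib($1)`, as canna_admin in this same commit does.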
diff --git a/policy/modules/contrib/bugzilla.te b/policy/modules/contrib/bugzilla.te
new file mode 100644
index 00000000..048abbf7
--- /dev/null
+++ b/policy/modules/contrib/bugzilla.te
@@ -0,0 +1,50 @@
+policy_module(bugzilla, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(bugzilla)
+
+########################################
+#
+# bugzilla local policy
+#
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mta_send_mail(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
diff --git a/policy/modules/contrib/calamaris.fc b/policy/modules/contrib/calamaris.fc
new file mode 100644
index 00000000..9cbd0a06
--- /dev/null
+++ b/policy/modules/contrib/calamaris.fc
@@ -0,0 +1,10 @@
+#
+# /etc
+#
+/etc/cron\.daily/calamaris -- gen_context(system_u:object_r:calamaris_exec_t,s0)
+
+#
+# /var
+#
+/var/log/calamaris(/.*)? gen_context(system_u:object_r:calamaris_log_t,s0)
+/var/www/calamaris(/.*)? gen_context(system_u:object_r:calamaris_www_t,s0)
diff --git a/policy/modules/contrib/calamaris.if b/policy/modules/contrib/calamaris.if
new file mode 100644
index 00000000..df183be2
--- /dev/null
+++ b/policy/modules/contrib/calamaris.if
@@ -0,0 +1,21 @@
+## <summary>Squid log analysis</summary>
+
+#######################################
+## <summary>
+## Allow domain to read calamaris www files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`calamaris_read_www_files',`
+ gen_require(`
+ type calamaris_www_t;
+ ')
+
+ allow $1 calamaris_www_t:dir list_dir_perms;
+ read_files_pattern($1, calamaris_www_t, calamaris_www_t)
+ read_lnk_files_pattern($1, calamaris_www_t, calamaris_www_t)
+')
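Review bot: calamaris_read_www_files grants list and read on calamaris_www_t but nothing on the directories above it; calamaris.fc places the type under /var/www, and calamaris.te itself needs `apache_search_sys_content(calamaris_t)` to reach that tree, so a caller of this interface presumably needs the same search access (at least `files_search_var($1)`). That should be confirmed and, if so, added inside the interface so each caller does not have to rediscover it.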
diff --git a/policy/modules/contrib/calamaris.te b/policy/modules/contrib/calamaris.te
new file mode 100644
index 00000000..b13fb66c
--- /dev/null
+++ b/policy/modules/contrib/calamaris.te
@@ -0,0 +1,83 @@
+policy_module(calamaris, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type calamaris_t;
+type calamaris_exec_t;
+init_system_domain(calamaris_t, calamaris_exec_t)
+
+type calamaris_www_t;
+files_type(calamaris_www_t)
+
+type calamaris_log_t;
+logging_log_file(calamaris_log_t)
+
+########################################
+#
+# Local policy
+#
+
+# for when squid has a different UID
+allow calamaris_t self:capability dac_override;
+allow calamaris_t self:process { fork signal_perms setsched };
+allow calamaris_t self:fifo_file rw_fifo_file_perms;
+allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
+allow calamaris_t self:tcp_socket create_stream_socket_perms;
+allow calamaris_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
+manage_lnk_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
+
+manage_files_pattern(calamaris_t, calamaris_log_t, calamaris_log_t)
+logging_log_filetrans(calamaris_t, calamaris_log_t, { file dir })
+
+kernel_read_all_sysctls(calamaris_t)
+kernel_read_system_state(calamaris_t)
+
+corecmd_exec_bin(calamaris_t)
+
+corenet_all_recvfrom_unlabeled(calamaris_t)
+corenet_all_recvfrom_netlabel(calamaris_t)
+corenet_tcp_sendrecv_generic_if(calamaris_t)
+corenet_udp_sendrecv_generic_if(calamaris_t)
+corenet_tcp_sendrecv_generic_node(calamaris_t)
+corenet_udp_sendrecv_generic_node(calamaris_t)
+corenet_tcp_sendrecv_all_ports(calamaris_t)
+corenet_udp_sendrecv_all_ports(calamaris_t)
+
+dev_read_urand(calamaris_t)
+
+files_search_pids(calamaris_t)
+files_read_etc_files(calamaris_t)
+files_read_usr_files(calamaris_t)
+files_read_var_files(calamaris_t)
+files_read_etc_runtime_files(calamaris_t)
+
+libs_read_lib_files(calamaris_t)
+
+auth_use_nsswitch(calamaris_t)
+
+logging_send_syslog_msg(calamaris_t)
+
+miscfiles_read_localization(calamaris_t)
+
+userdom_dontaudit_list_user_home_dirs(calamaris_t)
+
+optional_policy(`
+ apache_search_sys_content(calamaris_t)
+')
+
+optional_policy(`
+ cron_system_entry(calamaris_t, calamaris_exec_t)
+')
+
+optional_policy(`
+ mta_send_mail(calamaris_t)
+')
+
+optional_policy(`
+ squid_read_log(calamaris_t)
+')
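Review bot: `logging_log_filetrans(calamaris_t, calamaris_log_t, { file dir })` names dir as a transition class, but the only rule on calamaris_log_t above it is `manage_files_pattern`, so calamaris_t can never create a directory of that type and the dir half of the transition is unreachable; either add `manage_dirs_pattern(calamaris_t, calamaris_log_t, calamaris_log_t)` or reduce the filetrans to `file`. canna.te in this commit has the same mismatch on canna_log_t, where the filetrans lists `{ file dir }` while the only dir rule is `allow canna_t canna_log_t:dir setattr;`. The `dac_override` grant is explained by the comment above it, which is the right habit; `setsched` in the process line is not, and a cron-driven log analyzer is not an obvious user of it.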
diff --git a/policy/modules/contrib/canna.fc b/policy/modules/contrib/canna.fc
new file mode 100644
index 00000000..5432d0e5
--- /dev/null
+++ b/policy/modules/contrib/canna.fc
@@ -0,0 +1,23 @@
+/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/cannaping -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/catdic -- gen_context(system_u:object_r:canna_exec_t,s0)
+
+/usr/sbin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/sbin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/canna/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0)
+/var/lib/wnn/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0)
+
+/var/log/canna(/.*)? gen_context(system_u:object_r:canna_log_t,s0)
+/var/log/wnn(/.*)? gen_context(system_u:object_r:canna_log_t,s0)
+
+/var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0)
+/var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0)
+/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0)
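Review bot: The last entry, `/var/run/wnn-unix(/.*)`, is missing the `?` that every other directory pattern in this file carries, so the regex matches only entries beneath /var/run/wnn-unix and the directory itself falls back to whatever more general /var/run pattern applies; a relabel would leave the socket directory with the wrong type. It should read `/var/run/wnn-unix(/.*)? gen_context(system_u:object_r:canna_var_run_t,s0)`.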
diff --git a/policy/modules/contrib/canna.if b/policy/modules/contrib/canna.if
new file mode 100644
index 00000000..4a26b0cb
--- /dev/null
+++ b/policy/modules/contrib/canna.if
@@ -0,0 +1,61 @@
+## <summary>Canna - kana-kanji conversion server</summary>
+
+########################################
+## <summary>
+## Connect to Canna using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`canna_stream_connect',`
+ gen_require(`
+ type canna_t, canna_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, canna_var_run_t, canna_var_run_t, canna_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an canna environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the canna domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`canna_admin',`
+ gen_require(`
+ type canna_t, canna_log_t, canna_var_lib_t;
+ type canna_var_run_t, canna_initrc_exec_t;
+ ')
+
+ allow $1 canna_t:process { ptrace signal_perms };
+ ps_process_pattern($1, canna_t)
+
+ init_labeled_script_domtrans($1, canna_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 canna_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, canna_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, canna_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, canna_var_run_t)
+')
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
new file mode 100644
index 00000000..1d25efe3
--- /dev/null
+++ b/policy/modules/contrib/canna.te
@@ -0,0 +1,93 @@
+policy_module(canna, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type canna_t;
+type canna_exec_t;
+init_daemon_domain(canna_t, canna_exec_t)
+
+type canna_initrc_exec_t;
+init_script_file(canna_initrc_exec_t)
+
+type canna_log_t;
+logging_log_file(canna_log_t)
+
+type canna_var_lib_t;
+files_type(canna_var_lib_t)
+
+type canna_var_run_t;
+files_pid_file(canna_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow canna_t self:capability { setgid setuid net_bind_service };
+dontaudit canna_t self:capability sys_tty_config;
+allow canna_t self:process signal_perms;
+allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
+allow canna_t self:unix_dgram_socket create_stream_socket_perms;
+allow canna_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(canna_t, canna_log_t, canna_log_t)
+allow canna_t canna_log_t:dir setattr;
+logging_log_filetrans(canna_t, canna_log_t, { file dir })
+
+manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+manage_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+files_var_lib_filetrans(canna_t, canna_var_lib_t, file)
+
+manage_dirs_pattern(canna_t, canna_var_run_t, canna_var_run_t)
+manage_files_pattern(canna_t, canna_var_run_t, canna_var_run_t)
+manage_sock_files_pattern(canna_t, canna_var_run_t, canna_var_run_t)
+files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(canna_t)
+kernel_read_system_state(canna_t)
+
+corenet_all_recvfrom_unlabeled(canna_t)
+corenet_all_recvfrom_netlabel(canna_t)
+corenet_tcp_sendrecv_generic_if(canna_t)
+corenet_tcp_sendrecv_generic_node(canna_t)
+corenet_tcp_sendrecv_all_ports(canna_t)
+corenet_tcp_connect_all_ports(canna_t)
+corenet_sendrecv_all_client_packets(canna_t)
+
+dev_read_sysfs(canna_t)
+
+fs_getattr_all_fs(canna_t)
+fs_search_auto_mountpoints(canna_t)
+
+domain_use_interactive_fds(canna_t)
+
+files_read_etc_files(canna_t)
+files_read_etc_runtime_files(canna_t)
+files_read_usr_files(canna_t)
+files_search_tmp(canna_t)
+files_dontaudit_read_root_files(canna_t)
+
+logging_send_syslog_msg(canna_t)
+
+miscfiles_read_localization(canna_t)
+
+sysnet_read_config(canna_t)
+
+userdom_dontaudit_use_unpriv_user_fds(canna_t)
+userdom_dontaudit_search_user_home_dirs(canna_t)
+
+optional_policy(`
+ nis_use_ypbind(canna_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(canna_t)
+')
+
+optional_policy(`
+ udev_read_db(canna_t)
+')
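Review bot: `allow canna_t self:capability { setgid setuid net_bind_service }` grants net_bind_service, but no `corenet_tcp_bind_*` interface follows, so the capability is either unused or the bind it is meant to cover will still be denied at the socket layer; one of the two should be reconciled. The network block also grants `corenet_tcp_sendrecv_all_ports` and `corenet_tcp_connect_all_ports` to a kana-kanji conversion server, which is wider than the single service port such a daemon presumably needs — if corenetwork defines a canna port, the port-specific interfaces would be the least-privilege choice, so I would confirm what the daemon actually opens before keeping the all-ports rules. Minor style: `{ connectto create_stream_socket_perms}` is missing the space before `}` that every other permission set in the file has.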
diff --git a/policy/modules/contrib/ccs.fc b/policy/modules/contrib/ccs.fc
new file mode 100644
index 00000000..8a7177d4
--- /dev/null
+++ b/policy/modules/contrib/ccs.fc
@@ -0,0 +1,6 @@
+/etc/cluster(/.*)? gen_context(system_u:object_r:cluster_conf_t,s0)
+
+/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
+
+/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
+/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
new file mode 100644
index 00000000..6ee2cc8c
--- /dev/null
+++ b/policy/modules/contrib/ccs.if
@@ -0,0 +1,75 @@
+## <summary>Cluster Configuration System</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ccs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ccs_domtrans',`
+ gen_require(`
+ type ccs_t, ccs_exec_t;
+ ')
+
+ domtrans_pattern($1, ccs_exec_t, ccs_t)
+')
+
+########################################
+## <summary>
+## Connect to ccs over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ccs_stream_connect',`
+ gen_require(`
+ type ccs_t, ccs_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ccs_var_run_t, ccs_var_run_t, ccs_t)
+')
+
+########################################
+## <summary>
+## Read cluster configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ccs_read_config',`
+ gen_require(`
+ type cluster_conf_t;
+ ')
+
+ read_files_pattern($1, cluster_conf_t, cluster_conf_t)
+')
+
+########################################
+## <summary>
+## Manage cluster configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ccs_manage_config',`
+ gen_require(`
+ type cluster_conf_t;
+ ')
+
+ manage_dirs_pattern($1, cluster_conf_t, cluster_conf_t)
+ manage_files_pattern($1, cluster_conf_t, cluster_conf_t)
+')
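Review bot: `ccs_read_config` and `ccs_manage_config` grant access to cluster_conf_t but not search on its parent; since ccs.fc places cluster_conf_t under `/etc/cluster`, a caller that does not already have search on etc_t would be denied before reaching the directory. The refpolicy convention is to add `files_search_etc($1)` inside both interfaces so the interface is self-sufficient. `ccs_manage_config` would also be the natural place for `manage_lnk_files_pattern` if symlinks live under /etc/cluster, but I cannot tell that from the hunk.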
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
new file mode 100644
index 00000000..4c90b57e
--- /dev/null
+++ b/policy/modules/contrib/ccs.te
@@ -0,0 +1,122 @@
+policy_module(ccs, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type ccs_t;
+type ccs_exec_t;
+init_daemon_domain(ccs_t, ccs_exec_t)
+
+type cluster_conf_t;
+files_type(cluster_conf_t)
+
+type ccs_tmp_t;
+files_tmp_file(ccs_tmp_t)
+
+type ccs_tmpfs_t;
+files_tmpfs_file(ccs_tmpfs_t)
+
+type ccs_var_lib_t;
+logging_log_file(ccs_var_lib_t)
+
+type ccs_var_log_t;
+logging_log_file(ccs_var_log_t)
+
+type ccs_var_run_t;
+files_pid_file(ccs_var_run_t)
+
+########################################
+#
+# ccs local policy
+#
+
+allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
+allow ccs_t self:process { signal setrlimit setsched };
+dontaudit ccs_t self:process ptrace;
+allow ccs_t self:fifo_file rw_fifo_file_perms;
+allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow ccs_t self:unix_dgram_socket create_socket_perms;
+allow ccs_t self:netlink_route_socket r_netlink_socket_perms;
+allow ccs_t self:tcp_socket create_stream_socket_perms;
+allow ccs_t self:udp_socket { create_socket_perms listen recv_msg send_msg };
+# cjp: this needs to be fixed to be specific
+allow ccs_t self:socket create_socket_perms;
+
+manage_files_pattern(ccs_t, cluster_conf_t, cluster_conf_t)
+
+# tmp file
+allow ccs_t ccs_tmp_t:dir manage_dir_perms;
+manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
+manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
+files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })
+
+manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
+manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
+fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file })
+
+# var lib files
+manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
+
+allow ccs_t ccs_var_log_t:dir setattr;
+manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
+
+# pid file
+manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(ccs_t)
+
+corecmd_list_bin(ccs_t)
+corecmd_exec_bin(ccs_t)
+
+corenet_all_recvfrom_unlabeled(ccs_t)
+corenet_all_recvfrom_netlabel(ccs_t)
+corenet_tcp_sendrecv_generic_if(ccs_t)
+corenet_udp_sendrecv_generic_if(ccs_t)
+corenet_tcp_sendrecv_generic_node(ccs_t)
+corenet_udp_sendrecv_generic_node(ccs_t)
+corenet_tcp_sendrecv_all_ports(ccs_t)
+corenet_udp_sendrecv_all_ports(ccs_t)
+corenet_tcp_bind_generic_node(ccs_t)
+corenet_udp_bind_generic_node(ccs_t)
+corenet_tcp_bind_cluster_port(ccs_t)
+corenet_udp_bind_cluster_port(ccs_t)
+corenet_udp_bind_netsupport_port(ccs_t)
+
+dev_read_urand(ccs_t)
+
+files_read_etc_files(ccs_t)
+files_read_etc_runtime_files(ccs_t)
+
+init_rw_script_tmp_files(ccs_t)
+
+logging_send_syslog_msg(ccs_t)
+
+miscfiles_read_localization(ccs_t)
+
+sysnet_dns_name_resolve(ccs_t)
+
+userdom_manage_unpriv_user_shared_mem(ccs_t)
+userdom_manage_unpriv_user_semaphores(ccs_t)
+
+ifdef(`hide_broken_symptoms', `
+ corecmd_dontaudit_write_bin_dirs(ccs_t)
+ files_manage_isid_type_files(ccs_t)
+')
+
+optional_policy(`
+ aisexec_stream_connect(ccs_t)
+ corosync_stream_connect(ccs_t)
+')
+
+optional_policy(`
+ unconfined_use_fds(ccs_t)
+')
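Review bot: `type ccs_var_lib_t;` is declared with `logging_log_file(ccs_var_lib_t)`, but the rules below treat it as a /var/lib type (`files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })`); the attribute should be `files_type(ccs_var_lib_t)`, matching how canna_var_lib_t and certmaster_var_lib_t are declared elsewhere in this commit. As a log-typed file it would also be swept up by every interface that operates on the logfile attribute, which is not intended for library state. Separately, ccs.fc carries no entries for ccs_var_lib_t or ccs_var_log_t, so a relabel cannot restore those labels; and the `# cjp: this needs to be fixed to be specific` / `allow ccs_t self:socket create_socket_perms;` pair is a known-incomplete rule being committed, which should at least carry a tracking reference. `allow ccs_t ccs_tmp_t:dir manage_dir_perms;` is redundant with the `manage_dirs_pattern` on the next line.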
diff --git a/policy/modules/contrib/cdrecord.fc b/policy/modules/contrib/cdrecord.fc
new file mode 100644
index 00000000..91697ccd
--- /dev/null
+++ b/policy/modules/contrib/cdrecord.fc
@@ -0,0 +1,6 @@
+#
+# /usr
+#
+/usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/growisofs -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/wodim -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
diff --git a/policy/modules/contrib/cdrecord.if b/policy/modules/contrib/cdrecord.if
new file mode 100644
index 00000000..1582faff
--- /dev/null
+++ b/policy/modules/contrib/cdrecord.if
@@ -0,0 +1,33 @@
+## <summary>Policy for cdrecord</summary>
+
+########################################
+## <summary>
+## Role access for cdrecord
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`cdrecord_role',`
+ gen_require(`
+ type cdrecord_t, cdrecord_exec_t;
+ ')
+
+ role $1 types cdrecord_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)
+
+ allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
+
+ # allow ps to show cdrecord and allow the user to kill it
+ ps_process_pattern($2, cdrecord_t)
+ allow $2 cdrecord_t:process signal;
+')
diff --git a/policy/modules/contrib/cdrecord.te b/policy/modules/contrib/cdrecord.te
new file mode 100644
index 00000000..4626931d
--- /dev/null
+++ b/policy/modules/contrib/cdrecord.te
@@ -0,0 +1,119 @@
+policy_module(cdrecord, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow cdrecord to read various content.
+## nfs, samba, removable devices, user temp
+## and untrusted content files
+## </p>
+## </desc>
+gen_tunable(cdrecord_read_content, false)
+
+type cdrecord_t;
+type cdrecord_exec_t;
+typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t };
+typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t };
+userdom_user_application_domain(cdrecord_t, cdrecord_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
+allow cdrecord_t self:unix_dgram_socket create_socket_perms;
+allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+
+# growisofs uses mkisofs
+corecmd_exec_bin(cdrecord_t)
+
+# allow searching for cdrom-drive
+dev_list_all_dev_nodes(cdrecord_t)
+dev_read_sysfs(cdrecord_t)
+
+domain_interactive_fd(cdrecord_t)
+domain_use_interactive_fds(cdrecord_t)
+
+files_read_etc_files(cdrecord_t)
+
+term_use_controlling_term(cdrecord_t)
+term_list_ptys(cdrecord_t)
+
+# allow cdrecord to write the CD
+storage_raw_read_removable_device(cdrecord_t)
+storage_raw_write_removable_device(cdrecord_t)
+storage_write_scsi_generic(cdrecord_t)
+
+logging_send_syslog_msg(cdrecord_t)
+
+miscfiles_read_localization(cdrecord_t)
+
+# write to the user domain tty.
+userdom_use_user_terminals(cdrecord_t)
+userdom_read_user_home_content_files(cdrecord_t)
+
+# Handle nfs home dirs
+tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(cdrecord_t)
+ files_list_home(cdrecord_t)
+ fs_read_nfs_files(cdrecord_t)
+ fs_read_nfs_symlinks(cdrecord_t)
+
+',`
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+ fs_dontaudit_read_nfs_files(cdrecord_t)
+ fs_dontaudit_list_nfs(cdrecord_t)
+')
+# Handle samba home dirs
+tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(cdrecord_t)
+ files_list_home(cdrecord_t)
+ fs_read_cifs_files(cdrecord_t)
+ fs_read_cifs_symlinks(cdrecord_t)
+',`
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+ fs_dontaudit_read_cifs_files(cdrecord_t)
+ fs_dontaudit_list_cifs(cdrecord_t)
+')
+
+# Handle removable media, /tmp, and /home
+tunable_policy(`cdrecord_read_content',`
+ userdom_list_user_tmp(cdrecord_t)
+ userdom_read_user_tmp_files(cdrecord_t)
+ userdom_read_user_tmp_symlinks(cdrecord_t)
+ userdom_read_user_home_content_files(cdrecord_t)
+ userdom_read_user_home_content_symlinks(cdrecord_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(cdrecord_t)
+ fs_read_removable_files(cdrecord_t)
+ fs_read_removable_symlinks(cdrecord_t)
+ ')
+',`
+ files_dontaudit_list_tmp(cdrecord_t)
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_removable(cdrecord_t)
+ fs_dontaudit_read_removable_files(cdrecord_t)
+ userdom_dontaudit_list_user_tmp(cdrecord_t)
+ userdom_dontaudit_read_user_tmp_files(cdrecord_t)
+ userdom_dontaudit_list_user_home_dirs(cdrecord_t)
+ userdom_dontaudit_read_user_home_content_files(cdrecord_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ files_search_mnt(cdrecord_t)
+ fs_read_nfs_files(cdrecord_t)
+ fs_read_nfs_symlinks(cdrecord_t)
+')
+
+optional_policy(`
+ resmgr_stream_connect(cdrecord_t)
+')
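Review bot: `userdom_read_user_home_content_files(cdrecord_t)` is granted unconditionally in the local policy section, which makes the `cdrecord_read_content` tunable ineffective for home content: the same interface is called inside the tunable's true branch and dontaudited in its false branch, but the unconditional allow already wins. Likewise the trailing `tunable_policy(\`use_nfs_home_dirs',` block grants `fs_read_nfs_files` and `fs_read_nfs_symlinks` without the `cdrecord_read_content` guard, so the `cdrecord_read_content && use_nfs_home_dirs` block above is redundant with it. If the tunable is meant to gate this access, drop the unconditional `userdom_read_user_home_content_files(cdrecord_t)` line and fold the standalone nfs block into the guarded one; if it is not, the tunable description should say so. I would also document why a user application domain needs `dac_override` and `sys_rawio`, since those two dominate the domain's risk.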
diff --git a/policy/modules/contrib/certmaster.fc b/policy/modules/contrib/certmaster.fc
new file mode 100644
index 00000000..79295d60
--- /dev/null
+++ b/policy/modules/contrib/certmaster.fc
@@ -0,0 +1,8 @@
+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
+
+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
+
+/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0)
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
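Review bot: `/var/run/certmaster.*` leaves the `.` unescaped while `/etc/rc\.d/init\.d/certmaster` in the same file escapes it, so the pattern matches any path beginning with `/var/run/certmaster` rather than a dotted name; the same inconsistency is in certmonger.fc (`/var/run/certmonger.pid`) and cgroup.fc (`/etc/cgconfig.conf`, `/etc/cgrules.conf`, `/etc/sysconfig/cgred.conf`, `/var/run/cgred.*`). Where a specific file is meant, escape it (`/var/run/certmonger\.pid --`); where a prefix match is really intended, a comment saying so avoids the next reader "fixing" it. I cannot tell from the hunk which the certmaster entry intends.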
diff --git a/policy/modules/contrib/certmaster.if b/policy/modules/contrib/certmaster.if
new file mode 100644
index 00000000..fa627873
--- /dev/null
+++ b/policy/modules/contrib/certmaster.if
@@ -0,0 +1,145 @@
+## <summary>Certmaster SSL certificate distribution service</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run certmaster.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certmaster_domtrans',`
+ gen_require(`
+ type certmaster_t, certmaster_exec_t;
+ ')
+
+ domtrans_pattern($1, certmaster_exec_t, certmaster_t)
+')
+
+####################################
+## <summary>
+## Execute certmaster in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmaster_exec',`
+ gen_require(`
+ type certmaster_exec_t;
+ ')
+
+ can_exec($1, certmaster_exec_t)
+ corecmd_search_bin($1)
+')
+
+#######################################
+## <summary>
+## read certmaster logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmaster_read_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Append to certmaster logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmaster_append_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## certmaster logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmaster_manage_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an snort environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t;
+ type certmaster_initrc_exec_t;
+ ')
+
+ allow $1 certmaster_t:process { ptrace signal_perms };
+ ps_process_pattern($1, certmaster_t)
+
+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 certmaster_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ miscfiles_manage_generic_cert_dirs($1)
+ miscfiles_manage_generic_cert_files($1)
+
+ admin_pattern($1, certmaster_etc_rw_t)
+
+ files_list_pids($1)
+ admin_pattern($1, certmaster_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, certmaster_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, certmaster_var_lib_t)
+')
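Review bot: The `certmaster_admin` documentation is copy-pasted from another module: its summary says "administrate an snort environment" and the role parameter says "manage the syslog domain", neither of which is true here. Change them to `## a certmaster environment` and `## The role to be allowed to manage the certmaster domain.` so the generated interface docs are correct. The body is also notable for `miscfiles_manage_generic_cert_dirs($1)` / `miscfiles_manage_generic_cert_files($1)`, which hands the admin role write access to the system-wide certificate store rather than only certmaster's own types; that is probably deliberate for a cert distribution service, but a one-line comment stating the intent would help reviewers of the role.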
diff --git a/policy/modules/contrib/certmaster.te b/policy/modules/contrib/certmaster.te
new file mode 100644
index 00000000..33841321
--- /dev/null
+++ b/policy/modules/contrib/certmaster.te
@@ -0,0 +1,71 @@
+policy_module(certmaster, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type certmaster_t;
+type certmaster_exec_t;
+init_daemon_domain(certmaster_t, certmaster_exec_t)
+
+type certmaster_initrc_exec_t;
+init_script_file(certmaster_initrc_exec_t)
+
+type certmaster_etc_rw_t;
+files_type(certmaster_etc_rw_t)
+
+type certmaster_var_lib_t;
+files_type(certmaster_var_lib_t)
+
+type certmaster_var_log_t;
+logging_log_file(certmaster_var_log_t)
+
+type certmaster_var_run_t;
+files_pid_file(certmaster_var_run_t)
+
+###########################################
+#
+# certmaster local policy
+#
+
+allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config };
+allow certmaster_t self:tcp_socket create_stream_socket_perms;
+
+# config files
+list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+
+# var/lib files for certmaster
+manage_files_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
+manage_dirs_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
+files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
+
+# log files
+manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
+
+# pid file
+manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
+
+# read meminfo
+kernel_read_system_state(certmaster_t)
+
+corecmd_search_bin(certmaster_t)
+corecmd_getattr_bin_files(certmaster_t)
+
+corenet_tcp_bind_generic_node(certmaster_t)
+corenet_tcp_bind_certmaster_port(certmaster_t)
+
+files_search_etc(certmaster_t)
+files_list_var(certmaster_t)
+files_search_var_lib(certmaster_t)
+
+auth_use_nsswitch(certmaster_t)
+
+miscfiles_read_localization(certmaster_t)
+
+miscfiles_manage_generic_cert_dirs(certmaster_t)
+miscfiles_manage_generic_cert_files(certmaster_t)
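Review bot: Argument spacing is inconsistent in the filetrans calls: `files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })` has the comma on the wrong side of the space, and `logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )` has a stray space before `)`; write `files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })` and `logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)`. On substance, the daemon binds `certmaster_port` but, unlike certmonger.te in this commit, has no `corenet_tcp_sendrecv_generic_if`/`generic_node` calls; if this policy targets a base that still requires those for TCP traffic, the listener will be unable to exchange data. The trailing `miscfiles_manage_generic_cert_dirs/files` grants write access to the shared certificate directory; a comment on what certmaster writes there would make the trust-store exposure reviewable.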
diff --git a/policy/modules/contrib/certmonger.fc b/policy/modules/contrib/certmonger.fc
new file mode 100644
index 00000000..5ad1a526
--- /dev/null
+++ b/policy/modules/contrib/certmonger.fc
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
+
+/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+
+/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
+/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0)
diff --git a/policy/modules/contrib/certmonger.if b/policy/modules/contrib/certmonger.if
new file mode 100644
index 00000000..7a6e5bae
--- /dev/null
+++ b/policy/modules/contrib/certmonger.if
@@ -0,0 +1,174 @@
+## <summary>Certificate status monitor and PKI enrollment client</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run certmonger.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certmonger_domtrans',`
+ gen_require(`
+ type certmonger_t, certmonger_exec_t;
+ ')
+
+ domtrans_pattern($1, certmonger_exec_t, certmonger_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## certmonger over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_dbus_chat',`
+ gen_require(`
+ type certmonger_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 certmonger_t:dbus send_msg;
+ allow certmonger_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute certmonger server in the certmonger domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certmonger_initrc_domtrans',`
+ gen_require(`
+ type certmonger_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, certmonger_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read certmonger PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_read_pid_files',`
+ gen_require(`
+ type certmonger_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 certmonger_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search certmonger lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_search_lib',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ allow $1 certmonger_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read certmonger lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_read_lib_files',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## certmonger lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_manage_lib_files',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an certmonger environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`certmonger_admin',`
+ gen_require(`
+ type certmonger_t, certmonger_initrc_exec_t;
+ type certmonger_var_lib_t, certmonger_var_run_t;
+ ')
+
+ ps_process_pattern($1, certmonger_t)
+ allow $1 certmonger_t:process { ptrace signal_perms };
+
+ # Allow certmonger_t to restart the apache service
+ certmonger_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 certmonger_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, certmonger_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, certmonger_var_run_t)
+')
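Review bot: The comment `# Allow certmonger_t to restart the apache service` inside `certmonger_admin` is wrong for the rule it annotates: `certmonger_initrc_domtrans($1)` lets the admin domain `$1` run the certmonger init script, and nothing here concerns apache. Replace it with `# Allow the admin domain to run the certmonger init script`. The summary of `certmonger_initrc_domtrans` ("Execute certmonger server in the certmonger domain") is similarly imprecise, since `init_labeled_script_domtrans` transitions into the init script domain, not certmonger_t; `## Execute the certmonger init script in the init script domain.` describes what the interface does.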
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
new file mode 100644
index 00000000..c3e3f79d
--- /dev/null
+++ b/policy/modules/contrib/certmonger.te
@@ -0,0 +1,72 @@
+policy_module(certmonger, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type certmonger_t;
+type certmonger_exec_t;
+init_daemon_domain(certmonger_t, certmonger_exec_t)
+
+type certmonger_initrc_exec_t;
+init_script_file(certmonger_initrc_exec_t)
+
+type certmonger_var_run_t;
+files_pid_file(certmonger_var_run_t)
+
+type certmonger_var_lib_t;
+files_type(certmonger_var_lib_t)
+
+########################################
+#
+# certmonger local policy
+#
+
+allow certmonger_t self:capability { kill sys_nice };
+allow certmonger_t self:process { getsched setsched sigkill };
+allow certmonger_t self:fifo_file rw_file_perms;
+allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+allow certmonger_t self:tcp_socket create_stream_socket_perms;
+allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
+
+manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
+
+corenet_tcp_sendrecv_generic_if(certmonger_t)
+corenet_tcp_sendrecv_generic_node(certmonger_t)
+corenet_tcp_sendrecv_all_ports(certmonger_t)
+corenet_tcp_connect_certmaster_port(certmonger_t)
+
+dev_read_urand(certmonger_t)
+
+domain_use_interactive_fds(certmonger_t)
+
+files_read_etc_files(certmonger_t)
+files_read_usr_files(certmonger_t)
+files_list_tmp(certmonger_t)
+
+logging_send_syslog_msg(certmonger_t)
+
+miscfiles_read_localization(certmonger_t)
+miscfiles_manage_generic_cert_files(certmonger_t)
+
+sysnet_dns_name_resolve(certmonger_t)
+
+optional_policy(`
+ dbus_system_bus_client(certmonger_t)
+ dbus_connect_system_bus(certmonger_t)
+')
+
+optional_policy(`
+ kerberos_use(certmonger_t)
+')
+
+optional_policy(`
+ pcscd_stream_connect(certmonger_t)
+')
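Review bot: `allow certmonger_t self:fifo_file rw_file_perms;` uses the generic file permission set on a fifo; refpolicy provides `rw_fifo_file_perms` for this class, and ccs.te in the same commit already uses it, so `allow certmonger_t self:fifo_file rw_fifo_file_perms;` keeps the two modules consistent. `files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )` has a stray space before `)`, unlike the `files_pid_filetrans` line two rules below.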
diff --git a/policy/modules/contrib/certwatch.fc b/policy/modules/contrib/certwatch.fc
new file mode 100644
index 00000000..b8a3414b
--- /dev/null
+++ b/policy/modules/contrib/certwatch.fc
@@ -0,0 +1 @@
+/usr/bin/certwatch -- gen_context(system_u:object_r:certwatch_exec_t,s0)
diff --git a/policy/modules/contrib/certwatch.if b/policy/modules/contrib/certwatch.if
new file mode 100644
index 00000000..953451a4
--- /dev/null
+++ b/policy/modules/contrib/certwatch.if
@@ -0,0 +1,78 @@
+## <summary>Digital Certificate Tracking</summary>
+
+########################################
+## <summary>
+## Domain transition to certwatch.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certwatch_domtrans',`
+ gen_require(`
+ type certwatch_exec_t, certwatch_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, certwatch_exec_t, certwatch_t)
+')
+
+########################################
+## <summary>
+## Execute certwatch in the certwatch domain, and
+## allow the specified role the certwatch domain,
+## and use the caller's terminal. Has a sigchld
+## backchannel.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`certwatch_run',`
+ gen_require(`
+ type certwatch_t;
+ ')
+
+ certwatch_domtrans($1)
+ role $2 types certwatch_t;
+')
+
+########################################
+## <summary>
+## Execute certwatch in the certwatch domain, and
+## allow the specified role the certwatch domain,
+## and use the caller's terminal. Has a sigchld
+## backchannel. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the certwatch domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`certwatach_run',`
+ refpolicywarn(`$0($*) has been deprecated, please use certwatch_run() instead.')
+ certwatch_run($*)
+')
diff --git a/policy/modules/contrib/certwatch.te b/policy/modules/contrib/certwatch.te
new file mode 100644
index 00000000..e07cef5d
--- /dev/null
+++ b/policy/modules/contrib/certwatch.te
@@ -0,0 +1,53 @@
+policy_module(certwatch, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type certwatch_t;
+type certwatch_exec_t;
+application_domain(certwatch_t, certwatch_exec_t)
+role system_r types certwatch_t;
+
+########################################
+#
+# Local policy
+#
+allow certwatch_t self:capability sys_nice;
+allow certwatch_t self:process { setsched getsched };
+
+dev_read_urand(certwatch_t)
+
+files_read_etc_files(certwatch_t)
+files_read_usr_files(certwatch_t)
+files_read_usr_symlinks(certwatch_t)
+files_list_tmp(certwatch_t)
+
+fs_list_inotifyfs(certwatch_t)
+
+auth_manage_cache(certwatch_t)
+auth_var_filetrans_cache(certwatch_t)
+
+logging_send_syslog_msg(certwatch_t)
+
+miscfiles_read_all_certs(certwatch_t)
+miscfiles_read_localization(certwatch_t)
+
+userdom_use_user_terminals(certwatch_t)
+userdom_dontaudit_list_user_home_dirs(certwatch_t)
+
+optional_policy(`
+ apache_exec_modules(certwatch_t)
+ apache_read_config(certwatch_t)
+')
+
+optional_policy(`
+ cron_system_entry(certwatch_t, certwatch_exec_t)
+')
+
+optional_policy(`
+ pcscd_domtrans(certwatch_t)
+ pcscd_stream_connect(certwatch_t)
+ pcscd_read_pub_files(certwatch_t)
+')
diff --git a/policy/modules/contrib/cgroup.fc b/policy/modules/contrib/cgroup.fc
new file mode 100644
index 00000000..b6bb46cf
--- /dev/null
+++ b/policy/modules/contrib/cgroup.fc
@@ -0,0 +1,15 @@
+/etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
+/etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
+
+/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
+/etc/sysconfig/cgred.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
+
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
+
+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
+/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+
+/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0)
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
diff --git a/policy/modules/contrib/cgroup.if b/policy/modules/contrib/cgroup.if
new file mode 100644
index 00000000..33facaf2
--- /dev/null
+++ b/policy/modules/contrib/cgroup.if
@@ -0,0 +1,199 @@
+## <summary>libcg is a library that abstracts the control group file system in Linux.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG Clear.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgclear',`
+ gen_require(`
+ type cgclear_t, cgclear_exec_t;
+ ')
+
+ domtrans_pattern($1, cgclear_exec_t, cgclear_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG config parser.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgconfig',`
+ gen_require(`
+ type cgconfig_t, cgconfig_exec_t;
+ ')
+
+ domtrans_pattern($1, cgconfig_exec_t, cgconfig_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG config parser.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_initrc_domtrans_cgconfig',`
+ gen_require(`
+ type cgconfig_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG rules engine daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgred',`
+ gen_require(`
+ type cgred_t, cgred_exec_t;
+ ')
+
+ domtrans_pattern($1, cgred_exec_t, cgred_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG rules engine daemon.
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_initrc_domtrans_cgred',`
+ gen_require(`
+ type cgred_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cgred_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run CG Clear and allow the
+## specified role the CG Clear
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgroup_run_cgclear',`
+ gen_require(`
+ type cgclear_t;
+ ')
+
+ cgroup_domtrans_cgclear($1)
+ role $2 types cgclear_t;
+')
+
+########################################
+## <summary>
+## Connect to CG rules engine daemon
+## over unix stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_stream_connect_cgred', `
+ gen_require(`
+ type cgred_var_run_t, cgred_t;
+ ')
+
+ stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cgroup environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgroup_admin',`
+ gen_require(`
+ type cgred_t, cgconfig_t, cgred_var_run_t;
+ type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
+ type cgrules_etc_t, cgclear_t;
+ ')
+
+ allow $1 cgclear_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cgclear_t)
+
+ allow $1 cgconfig_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cgconfig_t)
+
+ allow $1 cgred_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cgred_t)
+
+ admin_pattern($1, cgconfig_etc_t)
+ admin_pattern($1, cgrules_etc_t)
+ files_list_etc($1)
+
+ admin_pattern($1, cgred_var_run_t)
+ files_list_pids($1)
+
+ cgroup_initrc_domtrans_cgconfig($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cgconfig_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ cgroup_initrc_domtrans_cgred($1)
+ role_transition $2 cgred_initrc_exec_t system_r;
+
+ cgroup_run_cgclear($1, $2)
+')
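Review bot: The XML doc on `cgroup_initrc_domtrans_cgconfig` is a copy of the `cgroup_domtrans_cgconfig` block and describes the wrong thing: it says "Execute a domain transition to run CG config parser" although the body calls `init_labeled_script_domtrans`, so it should read `## Execute cgconfig init scripts in the init script domain.`; the same applies to `cgroup_initrc_domtrans_cgred`, whose summary additionally carries a stray `## domain.` line. In `cgroup_admin` the summary `## an cgroup environment.` should be `## a cgroup environment.`. As a style point, `interface(`cgroup_stream_connect_cgred', `` has a space before the opening quote that none of the other interfaces in this file use.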
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
new file mode 100644
index 00000000..806191ad
--- /dev/null
+++ b/policy/modules/contrib/cgroup.te
@@ -0,0 +1,109 @@
+policy_module(cgroup, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgclear_t;
+type cgclear_exec_t;
+init_daemon_domain(cgclear_t, cgclear_exec_t)
+
+type cgred_t;
+type cgred_exec_t;
+init_daemon_domain(cgred_t, cgred_exec_t)
+
+type cgred_initrc_exec_t;
+init_script_file(cgred_initrc_exec_t)
+
+type cgred_log_t;
+logging_log_file(cgred_log_t)
+
+type cgred_var_run_t;
+files_pid_file(cgred_var_run_t)
+
+type cgrules_etc_t;
+files_config_file(cgrules_etc_t)
+
+type cgconfig_t;
+type cgconfig_exec_t;
+init_daemon_domain(cgconfig_t, cgconfig_exec_t)
+
+type cgconfig_initrc_exec_t;
+init_script_file(cgconfig_initrc_exec_t)
+
+type cgconfig_etc_t;
+files_config_file(cgconfig_etc_t)
+
+########################################
+#
+# cgclear personal policy.
+#
+
+allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
+
+kernel_read_system_state(cgclear_t)
+
+domain_setpriority_all_domains(cgclear_t)
+
+fs_manage_cgroup_dirs(cgclear_t)
+fs_manage_cgroup_files(cgclear_t)
+fs_unmount_cgroup(cgclear_t)
+
+########################################
+#
+# cgconfig personal policy.
+#
+
+allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
+
+allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+
+# search will do.
+kernel_list_unlabeled(cgconfig_t)
+kernel_read_system_state(cgconfig_t)
+
+# /etc/nsswitch.conf, /etc/passwd
+files_read_etc_files(cgconfig_t)
+
+fs_manage_cgroup_dirs(cgconfig_t)
+fs_manage_cgroup_files(cgconfig_t)
+fs_mount_cgroup(cgconfig_t)
+fs_mounton_cgroup(cgconfig_t)
+fs_unmount_cgroup(cgconfig_t)
+
+########################################
+#
+# cgred personal policy.
+#
+
+allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
+allow cgred_t self:netlink_socket { write bind create read };
+allow cgred_t self:unix_dgram_socket { write create connect };
+
+manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)
+logging_log_filetrans(cgred_t, cgred_log_t, file)
+
+allow cgred_t cgrules_etc_t:file read_file_perms;
+
+# rc script creates pid file
+manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
+
+kernel_read_system_state(cgred_t)
+
+domain_read_all_domains_state(cgred_t)
+domain_setpriority_all_domains(cgred_t)
+
+files_getattr_all_files(cgred_t)
+files_getattr_all_sockets(cgred_t)
+files_read_all_symlinks(cgred_t)
+# /etc/group
+files_read_etc_files(cgred_t)
+
+fs_write_cgroup_files(cgred_t)
+
+logging_send_syslog_msg(cgred_t)
+
+miscfiles_read_localization(cgred_t)
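Review bot: The `allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };` line and the `allow cgred_t self:netlink_socket { write bind create read };` line beneath it carry no justification, even though the later pid-file and `/etc/group` rules in the same section do explain themselves; `sys_ptrace` together with `domain_read_all_domains_state` and `net_admin` are the grants an auditor will question first. A short why-comment above each would do, e.g. `# cgrulesengd inspects other processes to apply placement rules; net_admin/netlink presumably for the process-event connector -- confirm against the daemon`. Likewise the `cgclear_t` capability line (`dac_read_search dac_override sys_admin`) would benefit from a comment naming the cgroup fs operations that need them.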
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
new file mode 100644
index 00000000..fd8cd0b3
--- /dev/null
+++ b/policy/modules/contrib/chronyd.fc
@@ -0,0 +1,9 @@
+/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+
+/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+
+/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
+/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
+/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
new file mode 100644
index 00000000..9a0da946
--- /dev/null
+++ b/policy/modules/contrib/chronyd.if
@@ -0,0 +1,105 @@
+## <summary>Chrony NTP background daemon</summary>
+
+#####################################
+## <summary>
+## Execute chronyd in the chronyd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyd_domtrans',`
+ gen_require(`
+ type chronyd_t, chronyd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chronyd_exec_t, chronyd_t)
+')
+
+####################################
+## <summary>
+## Execute chronyd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_exec',`
+ gen_require(`
+ type chronyd_exec_t;
+ ')
+
+ can_exec($1, chronyd_exec_t)
+')
+
+#####################################
+## <summary>
+## Read chronyd logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_read_log',`
+ gen_require(`
+ type chronyd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
+')
+
+####################################
+## <summary>
+## All of the rules required to administrate
+## an chronyd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the chronyd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`chronyd_admin',`
+ gen_require(`
+ type chronyd_t, chronyd_var_log_t;
+ type chronyd_var_run_t, chronyd_var_lib_t;
+ type chronyd_initrc_exec_t, chronyd_keys_t;
+ ')
+
+ allow $1 chronyd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, chronyd_t)
+
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 chronyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, chronyd_keys_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, chronyd_var_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, chronyd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, chronyd_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, chronyd_tmp_t)
+')
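Review bot: `admin_pattern($1, chronyd_tmp_t)` at the end of `chronyd_admin` names a type that is neither listed in the interface's `gen_require` nor declared anywhere in chronyd.te (the declarations there are `chronyd_t`, `chronyd_exec_t`, `chronyd_initrc_exec_t`, `chronyd_keys_t`, `chronyd_var_lib_t`, `chronyd_var_log_t`, `chronyd_var_run_t`), so any module that calls `chronyd_admin` will fail to build. Either drop the two lines `files_search_tmp($1)` / `admin_pattern($1, chronyd_tmp_t)`, or declare the type in chronyd.te (`type chronyd_tmp_t;` plus `files_tmp_file(chronyd_tmp_t)`) and add it to the `gen_require`. The summary `## an chronyd environment` should read `## a chronyd environment`.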
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
new file mode 100644
index 00000000..fa82327a
--- /dev/null
+++ b/policy/modules/contrib/chronyd.te
@@ -0,0 +1,68 @@
+policy_module(chronyd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type chronyd_t;
+type chronyd_exec_t;
+init_daemon_domain(chronyd_t, chronyd_exec_t)
+
+type chronyd_initrc_exec_t;
+init_script_file(chronyd_initrc_exec_t)
+
+type chronyd_keys_t;
+files_type(chronyd_keys_t)
+
+type chronyd_var_lib_t;
+files_type(chronyd_var_lib_t)
+
+type chronyd_var_log_t;
+logging_log_file(chronyd_var_log_t)
+
+type chronyd_var_run_t;
+files_pid_file(chronyd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+allow chronyd_t self:process { getcap setcap setrlimit };
+allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
+
+allow chronyd_t chronyd_keys_t:file read_file_perms;
+
+manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+files_var_lib_filetrans(chronyd_t, chronyd_var_lib_t, { file dir })
+
+manage_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
+
+manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
+
+corenet_udp_bind_ntp_port(chronyd_t)
+# bind to udp/323
+corenet_udp_bind_chronyd_port(chronyd_t)
+
+# real time clock option
+dev_rw_realtime_clock(chronyd_t)
+
+auth_use_nsswitch(chronyd_t)
+
+logging_send_syslog_msg(chronyd_t)
+
+miscfiles_read_localization(chronyd_t)
+
+optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+')
diff --git a/policy/modules/contrib/cipe.fc b/policy/modules/contrib/cipe.fc
new file mode 100644
index 00000000..afcdf02b
--- /dev/null
+++ b/policy/modules/contrib/cipe.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0)
diff --git a/policy/modules/contrib/cipe.if b/policy/modules/contrib/cipe.if
new file mode 100644
index 00000000..b5fd6689
--- /dev/null
+++ b/policy/modules/contrib/cipe.if
@@ -0,0 +1 @@
+## <summary>Encrypted tunnel daemon</summary>
diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te
new file mode 100644
index 00000000..8e1ef38b
--- /dev/null
+++ b/policy/modules/contrib/cipe.te
@@ -0,0 +1,72 @@
+policy_module(cipe, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type ciped_t;
+type ciped_exec_t;
+init_daemon_domain(ciped_t, ciped_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
+dontaudit ciped_t self:capability sys_tty_config;
+allow ciped_t self:process signal_perms;
+allow ciped_t self:fifo_file rw_fifo_file_perms;
+allow ciped_t self:unix_dgram_socket create_socket_perms;
+allow ciped_t self:unix_stream_socket create_socket_perms;
+allow ciped_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(ciped_t)
+kernel_read_system_state(ciped_t)
+
+corecmd_exec_shell(ciped_t)
+corecmd_exec_bin(ciped_t)
+
+corenet_all_recvfrom_unlabeled(ciped_t)
+corenet_all_recvfrom_netlabel(ciped_t)
+corenet_udp_sendrecv_generic_if(ciped_t)
+corenet_udp_sendrecv_generic_node(ciped_t)
+corenet_udp_sendrecv_all_ports(ciped_t)
+corenet_udp_bind_generic_node(ciped_t)
+# cipe uses the afs3-bos port (udp 7007)
+corenet_udp_bind_afs_bos_port(ciped_t)
+corenet_sendrecv_afs_bos_server_packets(ciped_t)
+
+dev_read_sysfs(ciped_t)
+dev_read_rand(ciped_t)
+# for SSP
+dev_read_urand(ciped_t)
+
+domain_use_interactive_fds(ciped_t)
+
+files_read_etc_files(ciped_t)
+files_read_etc_runtime_files(ciped_t)
+files_dontaudit_search_var(ciped_t)
+
+fs_search_auto_mountpoints(ciped_t)
+
+logging_send_syslog_msg(ciped_t)
+
+miscfiles_read_localization(ciped_t)
+
+sysnet_read_config(ciped_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ciped_t)
+
+optional_policy(`
+ nis_use_ypbind(ciped_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ciped_t)
+')
+
+optional_policy(`
+ udev_read_db(ciped_t)
+')
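Review bot: `allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };` immediately followed by `dontaudit ciped_t self:capability sys_tty_config;` is self-contradictory: an allowed permission never generates a denial to suppress, so the dontaudit is dead, and the allow grants the very capability the dontaudit suggests was meant to be withheld. The usual refpolicy shape, which clamav.te in this same commit follows for `clamd_t`, is to omit it from the allow: `allow ciped_t self:capability { net_admin ipc_lock };` and keep the dontaudit. If the daemon genuinely needs `sys_tty_config`, keep the allow and delete the dontaudit instead.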
diff --git a/policy/modules/contrib/clamav.fc b/policy/modules/contrib/clamav.fc
new file mode 100644
index 00000000..e8e9a213
--- /dev/null
+++ b/policy/modules/contrib/clamav.fc
@@ -0,0 +1,20 @@
+/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
+/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
+
+/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+
+/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+
+/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --git a/policy/modules/contrib/clamav.if b/policy/modules/contrib/clamav.if
new file mode 100644
index 00000000..cf81277f
--- /dev/null
+++ b/policy/modules/contrib/clamav.if
@@ -0,0 +1,192 @@
+## <summary>ClamAV Virus Scanner</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run clamd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clamav_domtrans',`
+ gen_require(`
+ type clamd_t, clamd_exec_t;
+ ')
+
+ domtrans_pattern($1, clamd_exec_t, clamd_t)
+')
+
+########################################
+## <summary>
+## Connect to run clamd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_stream_connect',`
+ gen_require(`
+ type clamd_t, clamd_var_run_t;
+ ')
+
+ stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## to clamav log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_append_log',`
+ gen_require(`
+ type clamav_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 clamav_var_log_t:dir list_dir_perms;
+ append_files_pattern($1, clamav_var_log_t, clamav_var_log_t)
+')
+
+########################################
+## <summary>
+## Read clamav configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_read_config',`
+ gen_require(`
+ type clamd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 clamd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search clamav libraries directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_search_lib',`
+ gen_require(`
+ type clamd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 clamd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run clamscan.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clamav_domtrans_clamscan',`
+ gen_require(`
+ type clamscan_t, clamscan_exec_t;
+ ')
+
+ domtrans_pattern($1, clamscan_exec_t, clamscan_t)
+')
+
+########################################
+## <summary>
+## Execute clamscan without a transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_exec_clamscan',`
+ gen_require(`
+ type clamscan_exec_t;
+ ')
+
+ can_exec($1, clamscan_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an clamav environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the clamav domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`clamav_admin',`
+ gen_require(`
+ type clamd_t, clamd_etc_t, clamd_tmp_t;
+ type clamd_var_log_t, clamd_var_lib_t;
+ type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+ type clamd_initrc_exec_t;
+ type freshclam_t, freshclam_var_log_t;
+ ')
+
+ allow $1 clamd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, clamd_t)
+
+ allow $1 clamscan_t:process { ptrace signal_perms };
+ ps_process_pattern($1, clamscan_t)
+
+ allow $1 freshclam_t:process { ptrace signal_perms };
+ ps_process_pattern($1, freshclam_t)
+
+ init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 clamd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, clamd_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, clamd_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, clamd_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, clamd_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, clamd_tmp_t)
+
+ admin_pattern($1, clamscan_tmp_t)
+
+ admin_pattern($1, freshclam_var_log_t)
+')
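Review bot: `clamav_append_log` requires and uses `clamav_var_log_t`, a type that clamav.te never declares; the log type is `clamd_var_log_t`, which `clamav_admin` in this same file uses, so any caller of `clamav_append_log` fails to link. The three lines should become `type clamd_var_log_t;`, `allow $1 clamd_var_log_t:dir list_dir_perms;` and `append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)`. As a consistency point, `clamav_domtrans` and `clamav_domtrans_clamscan` (and `clockspeed_domtrans_cli` in clockspeed.if) call `domtrans_pattern` without the `corecmd_search_bin($1)` that the domtrans interfaces in cgroup.if and chronyd.if pair with it. The summaries `## Connect to run clamd.` and `## an clamav environment` read better as `## Connect to clamd over unix stream sockets.` and `## a clamav environment`.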
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
new file mode 100644
index 00000000..f7583237
--- /dev/null
+++ b/policy/modules/contrib/clamav.te
@@ -0,0 +1,275 @@
+policy_module(clamav, 1.9.0)
+
+## <desc>
+## <p>
+## Allow clamd to use JIT compiler
+## </p>
+## </desc>
+gen_tunable(clamd_use_jit, false)
+
+########################################
+#
+# Declarations
+#
+
+# Main clamd domain
+type clamd_t;
+type clamd_exec_t;
+init_daemon_domain(clamd_t, clamd_exec_t)
+
+# configuration files
+type clamd_etc_t;
+files_config_file(clamd_etc_t)
+
+type clamd_initrc_exec_t;
+init_script_file(clamd_initrc_exec_t)
+
+# tmp files
+type clamd_tmp_t;
+files_tmp_file(clamd_tmp_t)
+
+# log files
+type clamd_var_log_t;
+logging_log_file(clamd_var_log_t)
+
+# var/lib files
+type clamd_var_lib_t;
+files_type(clamd_var_lib_t)
+
+# pid files
+type clamd_var_run_t;
+files_pid_file(clamd_var_run_t)
+typealias clamd_var_run_t alias clamd_sock_t;
+
+type clamscan_t;
+type clamscan_exec_t;
+init_daemon_domain(clamscan_t, clamscan_exec_t)
+
+# tmp files
+type clamscan_tmp_t;
+files_tmp_file(clamscan_tmp_t)
+
+type freshclam_t;
+type freshclam_exec_t;
+init_daemon_domain(freshclam_t, freshclam_exec_t)
+
+# log files
+type freshclam_var_log_t;
+logging_log_file(freshclam_var_log_t)
+
+########################################
+#
+# clamd local policy
+#
+
+allow clamd_t self:capability { kill setgid setuid dac_override };
+dontaudit clamd_t self:capability sys_tty_config;
+allow clamd_t self:fifo_file rw_fifo_file_perms;
+allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow clamd_t self:unix_dgram_socket create_socket_perms;
+allow clamd_t self:tcp_socket { listen accept };
+
+# configuration files
+allow clamd_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
+read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
+
+# tmp files
+manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
+
+# var/lib files for clamd
+manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+
+# log files
+manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
+
+# pid file
+manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
+
+kernel_dontaudit_list_proc(clamd_t)
+kernel_read_sysctl(clamd_t)
+kernel_read_kernel_sysctls(clamd_t)
+kernel_read_system_state(clamd_t)
+
+corecmd_exec_shell(clamd_t)
+
+corenet_all_recvfrom_unlabeled(clamd_t)
+corenet_all_recvfrom_netlabel(clamd_t)
+corenet_tcp_sendrecv_generic_if(clamd_t)
+corenet_tcp_sendrecv_generic_node(clamd_t)
+corenet_tcp_sendrecv_all_ports(clamd_t)
+corenet_tcp_sendrecv_clamd_port(clamd_t)
+corenet_tcp_bind_generic_node(clamd_t)
+corenet_tcp_bind_clamd_port(clamd_t)
+corenet_tcp_bind_generic_port(clamd_t)
+corenet_tcp_connect_generic_port(clamd_t)
+corenet_sendrecv_clamd_server_packets(clamd_t)
+
+dev_read_rand(clamd_t)
+dev_read_urand(clamd_t)
+
+domain_use_interactive_fds(clamd_t)
+
+files_read_etc_files(clamd_t)
+files_read_etc_runtime_files(clamd_t)
+files_search_spool(clamd_t)
+
+auth_use_nsswitch(clamd_t)
+
+logging_send_syslog_msg(clamd_t)
+
+miscfiles_read_localization(clamd_t)
+
+cron_use_fds(clamd_t)
+cron_use_system_job_fds(clamd_t)
+cron_rw_pipes(clamd_t)
+
+mta_read_config(clamd_t)
+mta_send_mail(clamd_t)
+
+optional_policy(`
+ amavis_read_lib_files(clamd_t)
+ amavis_read_spool_files(clamd_t)
+ amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
+ amavis_create_pid_files(clamd_t)
+')
+
+optional_policy(`
+ exim_read_spool_files(clamd_t)
+')
+
+tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
+', `
+ dontaudit clamd_t self:process execmem;
+')
+
+########################################
+#
+# Freshclam local policy
+#
+
+allow freshclam_t self:capability { setgid setuid dac_override };
+allow freshclam_t self:fifo_file rw_fifo_file_perms;
+allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
+allow freshclam_t self:unix_dgram_socket create_socket_perms;
+allow freshclam_t self:tcp_socket { listen accept };
+
+# configuration files
+allow freshclam_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t)
+read_lnk_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t)
+
+# var/lib files together with clamd
+manage_dirs_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t)
+manage_files_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t)
+
+# pidfiles- var/run together with clamd
+manage_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t)
+manage_sock_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t)
+files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+
+# log files (own logfiles only)
+manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
+allow freshclam_t freshclam_var_log_t:dir setattr;
+allow freshclam_t clamd_var_log_t:dir search_dir_perms;
+logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+
+corenet_all_recvfrom_unlabeled(freshclam_t)
+corenet_all_recvfrom_netlabel(freshclam_t)
+corenet_tcp_sendrecv_generic_if(freshclam_t)
+corenet_tcp_sendrecv_generic_node(freshclam_t)
+corenet_tcp_sendrecv_all_ports(freshclam_t)
+corenet_tcp_sendrecv_clamd_port(freshclam_t)
+corenet_tcp_connect_http_port(freshclam_t)
+corenet_sendrecv_http_client_packets(freshclam_t)
+
+dev_read_rand(freshclam_t)
+dev_read_urand(freshclam_t)
+
+domain_use_interactive_fds(freshclam_t)
+
+files_read_etc_files(freshclam_t)
+files_read_etc_runtime_files(freshclam_t)
+
+auth_use_nsswitch(freshclam_t)
+
+logging_send_syslog_msg(freshclam_t)
+
+miscfiles_read_localization(freshclam_t)
+
+clamav_stream_connect(freshclam_t)
+
+optional_policy(`
+ cron_system_entry(freshclam_t, freshclam_exec_t)
+')
+
+tunable_policy(`clamd_use_jit',`
+ allow freshclam_t self:process execmem;
+', `
+ dontaudit freshclam_t self:process execmem;
+')
+
+########################################
+#
+# clamscam local policy
+#
+
+allow clamscan_t self:capability { setgid setuid dac_override };
+allow clamscan_t self:fifo_file rw_file_perms;
+allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
+allow clamscan_t self:unix_dgram_socket create_socket_perms;
+allow clamscan_t self:tcp_socket create_stream_socket_perms;
+
+# configuration files
+allow clamscan_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t)
+read_lnk_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t)
+
+# tmp files
+manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
+manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
+files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+
+# var/lib files together with clamd
+manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
+allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
+
+corenet_all_recvfrom_unlabeled(clamscan_t)
+corenet_all_recvfrom_netlabel(clamscan_t)
+corenet_tcp_sendrecv_generic_if(clamscan_t)
+corenet_tcp_sendrecv_generic_node(clamscan_t)
+corenet_tcp_sendrecv_all_ports(clamscan_t)
+corenet_tcp_sendrecv_clamd_port(clamscan_t)
+corenet_tcp_connect_clamd_port(clamscan_t)
+
+kernel_read_kernel_sysctls(clamscan_t)
+
+files_read_etc_files(clamscan_t)
+files_read_etc_runtime_files(clamscan_t)
+files_search_var_lib(clamscan_t)
+
+init_read_utmp(clamscan_t)
+init_dontaudit_write_utmp(clamscan_t)
+
+miscfiles_read_localization(clamscan_t)
+miscfiles_read_public_files(clamscan_t)
+
+clamav_stream_connect(clamscan_t)
+
+mta_send_mail(clamscan_t)
+
+optional_policy(`
+ amavis_read_spool_files(clamscan_t)
+')
+
+optional_policy(`
+ apache_read_sys_content(clamscan_t)
+')
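Review bot: The `cron_use_fds` / `cron_use_system_job_fds` / `cron_rw_pipes` and `mta_read_config` / `mta_send_mail` calls for `clamd_t`, and `mta_send_mail(clamscan_t)` near the end, are made unconditionally, whereas every other cross-module call in this file (amavis, exim, apache, the clamscan `cron_system_entry`) is wrapped in `optional_policy`; cron and mta are contrib modules and the policy will not build without them loaded. Wrap them as shown below. Separately, `allow clamscan_t self:fifo_file rw_file_perms;` uses the file permission set where the clamd and freshclam sections use `rw_fifo_file_perms`, and the section header comment reads `clamscam` for clamscan.
```m4
# … unchanged: clamd miscfiles_read_localization …

optional_policy(`
	cron_use_fds(clamd_t)
	cron_use_system_job_fds(clamd_t)
	cron_rw_pipes(clamd_t)
')

optional_policy(`
	mta_read_config(clamd_t)
	mta_send_mail(clamd_t)
')

# … unchanged: amavis/exim optional blocks, freshclam and clamscan policy …

optional_policy(`
	mta_send_mail(clamscan_t)
')
```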
diff --git a/policy/modules/contrib/clockspeed.fc b/policy/modules/contrib/clockspeed.fc
new file mode 100644
index 00000000..a7aa3858
--- /dev/null
+++ b/policy/modules/contrib/clockspeed.fc
@@ -0,0 +1,14 @@
+
+#
+# /usr
+#
+/usr/bin/clockadd -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/clockspeed -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
+/usr/bin/sntpclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/taiclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/taiclockd -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/clockspeed(/.*)? gen_context(system_u:object_r:clockspeed_var_lib_t,s0)
diff --git a/policy/modules/contrib/clockspeed.if b/policy/modules/contrib/clockspeed.if
new file mode 100644
index 00000000..07976176
--- /dev/null
+++ b/policy/modules/contrib/clockspeed.if
@@ -0,0 +1,44 @@
+## <summary>Clockspeed simple network time protocol client</summary>
+
+########################################
+## <summary>
+## Execute clockspeed utilities in the clockspeed_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clockspeed_domtrans_cli',`
+ gen_require(`
+ type clockspeed_cli_t, clockspeed_cli_exec_t;
+ ')
+
+ domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t)
+')
+
+########################################
+## <summary>
+## Allow the specified role the clockspeed_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`clockspeed_run_cli',`
+ gen_require(`
+ type clockspeed_cli_t;
+ ')
+
+ role $2 types clockspeed_cli_t;
+ clockspeed_domtrans_cli($1)
+')
diff --git a/policy/modules/contrib/clockspeed.te b/policy/modules/contrib/clockspeed.te
new file mode 100644
index 00000000..b40f3f7b
--- /dev/null
+++ b/policy/modules/contrib/clockspeed.te
@@ -0,0 +1,72 @@
+policy_module(clockspeed, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type clockspeed_cli_t;
+type clockspeed_cli_exec_t;
+application_domain(clockspeed_cli_t, clockspeed_cli_exec_t)
+
+type clockspeed_srv_t;
+type clockspeed_srv_exec_t;
+init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
+
+type clockspeed_var_lib_t;
+files_type(clockspeed_var_lib_t)
+
+########################################
+#
+# Client local policy
+#
+
+allow clockspeed_cli_t self:capability sys_time;
+allow clockspeed_cli_t self:udp_socket create_socket_perms;
+
+read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+
+corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
+corenet_all_recvfrom_netlabel(clockspeed_cli_t)
+corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
+corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
+corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
+corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
+
+files_list_var_lib(clockspeed_cli_t)
+files_read_etc_files(clockspeed_cli_t)
+
+miscfiles_read_localization(clockspeed_cli_t)
+
+userdom_use_user_terminals(clockspeed_cli_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow clockspeed_srv_t self:capability { sys_time net_bind_service };
+allow clockspeed_srv_t self:udp_socket create_socket_perms;
+allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
+allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
+
+manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+
+corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
+corenet_all_recvfrom_netlabel(clockspeed_srv_t)
+corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
+corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
+corenet_udp_sendrecv_ntp_port(clockspeed_srv_t)
+corenet_udp_bind_generic_node(clockspeed_srv_t)
+corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
+corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)
+
+files_read_etc_files(clockspeed_srv_t)
+files_list_var_lib(clockspeed_srv_t)
+
+miscfiles_read_localization(clockspeed_srv_t)
+
+optional_policy(`
+ daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
+')
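Review bot: `allow clockspeed_cli_t self:capability sys_time;` grants clock-setting to every binary labelled `clockspeed_cli_exec_t`, which per the .fc includes `sntpclock` and `taiclock` as well as `clockadd`, so the client domain is wider than the one tool that presumably needs it. If splitting the query tools into their own domain is not worth it, a comment would help the next reader: `# sys_time: clockadd adjusts the clock; sntpclock/taiclock share this domain`. The same reasoning applies to `net_bind_service` on the server side, where a one-line comment naming the port would document why it is required.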
diff --git a/policy/modules/contrib/clogd.fc b/policy/modules/contrib/clogd.fc
new file mode 100644
index 00000000..6793948a
--- /dev/null
+++ b/policy/modules/contrib/clogd.fc
@@ -0,0 +1,3 @@
+/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
+
+/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
diff --git a/policy/modules/contrib/clogd.if b/policy/modules/contrib/clogd.if
new file mode 100644
index 00000000..c0a66a41
--- /dev/null
+++ b/policy/modules/contrib/clogd.if
@@ -0,0 +1,79 @@
+## <summary>clogd - Clustered Mirror Log Server</summary>
+
+######################################
+## <summary>
+## Execute a domain transition to run clogd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clogd_domtrans',`
+ gen_require(`
+ type clogd_t, clogd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, clogd_exec_t, clogd_t)
+')
+
+#####################################
+## <summary>
+## Connect to clogd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clogd_stream_connect',`
+ gen_require(`
+ type clogd_t, clogd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, clogd_var_run_t, clogd_var_run_t, clogd_t)
+')
+
+#####################################
+## <summary>
+## Allow read and write access to clogd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clogd_rw_semaphores',`
+ gen_require(`
+ type clogd_t;
+ ')
+
+ allow $1 clogd_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clogd_rw_shm',`
+ gen_require(`
+ type clogd_t, clogd_tmpfs_t;
+ ')
+
+ allow $1 clogd_t:shm rw_shm_perms;
+ allow $1 clogd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
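Review bot: The summary of `clogd_rw_shm` reads "Read and write to group shared memory", which does not name the daemon and does not match the sibling `clogd_rw_semaphores` wording; suggest `## Read and write to clogd shared memory.`. The interface also grants directory listing and file rw on `clogd_tmpfs_t`, so the summary could mention the tmpfs files as well.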
diff --git a/policy/modules/contrib/clogd.te b/policy/modules/contrib/clogd.te
new file mode 100644
index 00000000..60773390
--- /dev/null
+++ b/policy/modules/contrib/clogd.te
@@ -0,0 +1,54 @@
+policy_module(clogd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type clogd_t;
+type clogd_exec_t;
+init_daemon_domain(clogd_t, clogd_exec_t)
+
+type clogd_tmpfs_t;
+files_tmpfs_file(clogd_tmpfs_t)
+
+# pid files
+type clogd_var_run_t;
+files_pid_file(clogd_var_run_t)
+
+########################################
+#
+# clogd local policy
+#
+
+allow clogd_t self:capability { net_admin mknod };
+allow clogd_t self:process signal;
+
+allow clogd_t self:sem create_sem_perms;
+allow clogd_t self:shm create_shm_perms;
+allow clogd_t self:netlink_socket create_socket_perms;
+allow clogd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
+manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
+fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
+
+# pid files
+manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+files_pid_filetrans(clogd_t, clogd_var_run_t, { file })
+
+dev_read_lvm_control(clogd_t)
+dev_manage_generic_blk_files(clogd_t)
+
+storage_raw_read_fixed_disk(clogd_t)
+storage_raw_write_fixed_disk(clogd_t)
+
+logging_send_syslog_msg(clogd_t)
+
+miscfiles_read_localization(clogd_t)
+
+optional_policy(`
+ aisexec_stream_connect(clogd_t)
+ corosync_stream_connect(clogd_t)
+')
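Review bot: `manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)` is granted, but `files_pid_filetrans(clogd_t, clogd_var_run_t, { file })` only relabels regular files and the .fc in this commit labels only `/var/run/clogd\.pid`, so a socket the daemon creates directly in `/var/run` would not receive `clogd_var_run_t` and `clogd_stream_connect` (which expects `clogd_var_run_t` as the socket type) would not match it. If the socket lives under `/var/run`, change the transition to `files_pid_filetrans(clogd_t, clogd_var_run_t, { file sock_file })` and add a matching .fc entry for the socket path. Separately, `aisexec_stream_connect` and `corosync_stream_connect` share one `optional_policy` block, so the whole block is dropped if either module is absent; the convention elsewhere in this commit is one block per module.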
diff --git a/policy/modules/contrib/cmirrord.fc b/policy/modules/contrib/cmirrord.fc
new file mode 100644
index 00000000..049e2b61
--- /dev/null
+++ b/policy/modules/contrib/cmirrord.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
+
+/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
+
+/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --git a/policy/modules/contrib/cmirrord.if b/policy/modules/contrib/cmirrord.if
new file mode 100644
index 00000000..f8463c0f
--- /dev/null
+++ b/policy/modules/contrib/cmirrord.if
@@ -0,0 +1,113 @@
+## <summary>Cluster mirror log daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run cmirrord.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cmirrord_domtrans',`
+ gen_require(`
+ type cmirrord_t, cmirrord_exec_t;
+ ')
+
+ domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
+')
+
+########################################
+## <summary>
+## Execute cmirrord server in the cmirrord domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cmirrord_initrc_domtrans',`
+ gen_require(`
+ type cmirrord_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cmirrord_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read cmirrord PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cmirrord_read_pid_files',`
+ gen_require(`
+ type cmirrord_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 cmirrord_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Read and write to cmirrord shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cmirrord_rw_shm',`
+ gen_require(`
+ type cmirrord_t, cmirrord_tmpfs_t;
+ ')
+
+ allow $1 cmirrord_t:shm rw_shm_perms;
+
+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cmirrord environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cmirrord_admin',`
+ gen_require(`
+ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
+ ')
+
+ allow $1 cmirrord_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cmirrord_t)
+
+ cmirrord_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cmirrord_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_pids($1)
+ admin_pattern($1, cmirrord_var_run_t)
+')
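Review bot: The `cmirrord_admin` summary says "administrate an cmirrord environment"; suggest `## a cmirrord environment` for grammar (the same wording appears in `cobblerd_admin`). The summary could also note that this interface grants `ptrace` on the daemon, which is broader than the other admin permissions and worth calling out for anyone auditing the role.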
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
new file mode 100644
index 00000000..28fdd8ad
--- /dev/null
+++ b/policy/modules/contrib/cmirrord.te
@@ -0,0 +1,58 @@
+policy_module(cmirrord, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cmirrord_t;
+type cmirrord_exec_t;
+init_daemon_domain(cmirrord_t, cmirrord_exec_t)
+
+type cmirrord_initrc_exec_t;
+init_script_file(cmirrord_initrc_exec_t)
+
+type cmirrord_tmpfs_t;
+files_tmpfs_file(cmirrord_tmpfs_t)
+
+type cmirrord_var_run_t;
+files_pid_file(cmirrord_var_run_t)
+
+########################################
+#
+# cmirrord local policy
+#
+
+allow cmirrord_t self:capability { net_admin kill };
+dontaudit cmirrord_t self:capability sys_tty_config;
+allow cmirrord_t self:process { setfscreate signal};
+allow cmirrord_t self:fifo_file rw_fifo_file_perms;
+allow cmirrord_t self:sem create_sem_perms;
+allow cmirrord_t self:shm create_shm_perms;
+allow cmirrord_t self:netlink_socket create_socket_perms;
+allow cmirrord_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
+
+manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+
+domain_use_interactive_fds(cmirrord_t)
+domain_obj_id_change_exemption(cmirrord_t)
+
+files_read_etc_files(cmirrord_t)
+
+storage_create_fixed_disk_dev(cmirrord_t)
+
+seutil_read_file_contexts(cmirrord_t)
+
+logging_send_syslog_msg(cmirrord_t)
+
+miscfiles_read_localization(cmirrord_t)
+
+optional_policy(`
+ corosync_stream_connect(cmirrord_t)
+')
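Review bot: `storage_create_fixed_disk_dev(cmirrord_t)` allows creating block device nodes, but the capability line grants only `{ net_admin kill }`; creating a device node requires the `mknod` capability, so that access is likely to produce a denial the first time it is exercised (compare `clogd_t`, which gets `mknod` alongside its device access). Either add `mknod` to the capability set or drop the create interface if the nodes are created elsewhere. Also a style nit on the same hunk: `{ setfscreate signal}` is missing the closing space, `allow cmirrord_t self:process { setfscreate signal };`, and a short comment on why the daemon needs `setfscreate` plus `seutil_read_file_contexts` would help reviewers of a daemon that sets its own file creation context.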
diff --git a/policy/modules/contrib/cobbler.fc b/policy/modules/contrib/cobbler.fc
new file mode 100644
index 00000000..1cf6c4e4
--- /dev/null
+++ b/policy/modules/contrib/cobbler.fc
@@ -0,0 +1,7 @@
+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
+
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
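Review bot: Every `gen_context` in this file writes `, s0` with a space, whereas the other .fc files in this commit use `,s0`; m4 tolerates the leading whitespace in the argument, but keeping one form makes grepping and future diffs cleaner, e.g. `/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)`.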
diff --git a/policy/modules/contrib/cobbler.if b/policy/modules/contrib/cobbler.if
new file mode 100644
index 00000000..116d60f5
--- /dev/null
+++ b/policy/modules/contrib/cobbler.if
@@ -0,0 +1,185 @@
+## <summary>Cobbler installation server.</summary>
+## <desc>
+## <p>
+## Cobbler is a Linux installation server that allows for
+## rapid setup of network installation environments. It
+## glues together and automates many associated Linux
+## tasks so you do not have to hop between lots of various
+## commands and applications when rolling out new systems,
+## and, in some cases, changing existing ones.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute a domain transition to run cobblerd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cobblerd_domtrans',`
+ gen_require(`
+ type cobblerd_t, cobblerd_exec_t;
+ ')
+
+ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+')
+
+########################################
+## <summary>
+## Execute cobblerd server in the cobblerd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cobblerd_initrc_domtrans',`
+ gen_require(`
+ type cobblerd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read Cobbler content in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_read_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## Cobbler log files (leaked fd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cobbler_dontaudit_rw_log',`
+ gen_require(`
+ type cobbler_var_log_t;
+ ')
+
+ dontaudit $1 cobbler_var_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Search cobbler dirs in /var/lib
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_search_lib',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read cobbler files in /var/lib
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_read_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Manage cobbler files in /var/lib
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_manage_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cobblerd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cobblerd_admin',`
+ gen_require(`
+ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t;
+ ')
+
+ allow $1 cobblerd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, cobblerd_t, cobblerd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, cobbler_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, cobbler_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, cobbler_var_log_t)
+
+ admin_pattern($1, httpd_cobbler_content_rw_t)
+
+ cobblerd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cobblerd_initrc_exec_t system_r;
+ allow $2 system_r;
+')
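Review bot: `cobblerd_admin` uses `httpd_cobbler_content_rw_t` in `admin_pattern($1, httpd_cobbler_content_rw_t)` but the `gen_require` block declares only `cobblerd_t`, `cobbler_var_lib_t`, `cobbler_var_log_t`, `cobbler_etc_t` and `cobblerd_initrc_exec_t`, so the type is out of scope when the interface is expanded in another module; add `type httpd_cobbler_content_rw_t;` to the `gen_require`. The type is declared by `apache_content_template(cobbler)` in cobbler.te, so it is available to require. Two smaller points: `read_files_pattern($1, cobblerd_t, cobblerd_t)` is what `cmirrord_admin` expresses with `ps_process_pattern($1, cobblerd_t)`, and the summary should read `## a cobblerd environment`.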
diff --git a/policy/modules/contrib/cobbler.te b/policy/modules/contrib/cobbler.te
new file mode 100644
index 00000000..0258b481
--- /dev/null
+++ b/policy/modules/contrib/cobbler.te
@@ -0,0 +1,128 @@
+policy_module(cobbler, 1.1.0)
+
+########################################
+#
+# Cobbler personal declarations.
+#
+
+## <desc>
+## <p>
+## Allow Cobbler to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(cobbler_anon_write, false)
+
+type cobblerd_t;
+type cobblerd_exec_t;
+init_daemon_domain(cobblerd_t, cobblerd_exec_t)
+
+type cobblerd_initrc_exec_t;
+init_script_file(cobblerd_initrc_exec_t)
+
+type cobbler_etc_t;
+files_config_file(cobbler_etc_t)
+
+type cobbler_var_log_t;
+logging_log_file(cobbler_var_log_t)
+
+type cobbler_var_lib_t;
+files_type(cobbler_var_lib_t)
+
+########################################
+#
+# Cobbler personal policy.
+#
+
+allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
+allow cobblerd_t self:process { getsched setsched signal };
+allow cobblerd_t self:fifo_file rw_fifo_file_perms;
+allow cobblerd_t self:tcp_socket create_stream_socket_perms;
+
+list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+
+manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
+
+append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+
+kernel_read_system_state(cobblerd_t)
+
+corecmd_exec_bin(cobblerd_t)
+corecmd_exec_shell(cobblerd_t)
+
+corenet_all_recvfrom_netlabel(cobblerd_t)
+corenet_all_recvfrom_unlabeled(cobblerd_t)
+corenet_sendrecv_cobbler_server_packets(cobblerd_t)
+corenet_tcp_bind_cobbler_port(cobblerd_t)
+corenet_tcp_bind_generic_node(cobblerd_t)
+corenet_tcp_sendrecv_generic_if(cobblerd_t)
+corenet_tcp_sendrecv_generic_node(cobblerd_t)
+corenet_tcp_sendrecv_generic_port(cobblerd_t)
+
+dev_read_urand(cobblerd_t)
+
+files_read_usr_files(cobblerd_t)
+files_list_boot(cobblerd_t)
+files_list_tmp(cobblerd_t)
+# read /etc/nsswitch.conf
+files_read_etc_files(cobblerd_t)
+
+miscfiles_read_localization(cobblerd_t)
+miscfiles_read_public_files(cobblerd_t)
+
+sysnet_read_config(cobblerd_t)
+sysnet_rw_dhcp_config(cobblerd_t)
+sysnet_write_config(cobblerd_t)
+
+tunable_policy(`cobbler_anon_write',`
+ miscfiles_manage_public_files(cobblerd_t)
+')
+
+optional_policy(`
+ bind_read_config(cobblerd_t)
+ bind_write_config(cobblerd_t)
+ bind_domtrans_ndc(cobblerd_t)
+ bind_domtrans(cobblerd_t)
+ bind_initrc_domtrans(cobblerd_t)
+ bind_manage_zone(cobblerd_t)
+')
+
+optional_policy(`
+ dhcpd_domtrans(cobblerd_t)
+ dhcpd_initrc_domtrans(cobblerd_t)
+')
+
+optional_policy(`
+ dnsmasq_domtrans(cobblerd_t)
+ dnsmasq_initrc_domtrans(cobblerd_t)
+ dnsmasq_write_config(cobblerd_t)
+')
+
+optional_policy(`
+ rpm_exec(cobblerd_t)
+')
+
+optional_policy(`
+ rsync_read_config(cobblerd_t)
+ rsync_write_config(cobblerd_t)
+')
+
+optional_policy(`
+ tftp_manage_rw_content(cobblerd_t)
+')
+
+########################################
+#
+# Cobbler web local policy.
+#
+
+apache_content_template(cobbler)
+manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
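Review bot: `apache_content_template(cobbler)` and the two `httpd_cobbler_content_rw_t` rules below it are outside any `optional_policy` block, while every other cross-module call in this file (bind, dhcpd, dnsmasq, rpm, rsync, tftp) is wrapped, so this file takes a hard dependency on the apache module. If that is intended, a comment such as `# apache is required: the cobbler web content types come from its template` would make it explicit; if not, wrap the three lines in `optional_policy(` … `')`, keeping in mind that `cobblerd_admin` in cobbler.if also references the type and would need the same treatment.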
diff --git a/policy/modules/contrib/colord.fc b/policy/modules/contrib/colord.fc
new file mode 100644
index 00000000..78b2fea2
--- /dev/null
+++ b/policy/modules/contrib/colord.fc
@@ -0,0 +1,4 @@
+/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
+
+/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/policy/modules/contrib/colord.if b/policy/modules/contrib/colord.if
new file mode 100644
index 00000000..733e4e63
--- /dev/null
+++ b/policy/modules/contrib/colord.if
@@ -0,0 +1,59 @@
+## <summary>GNOME color manager</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run colord.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_domtrans',`
+ gen_require(`
+ type colord_t, colord_exec_t;
+ ')
+
+ domtrans_pattern($1, colord_exec_t, colord_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## colord over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_dbus_chat',`
+ gen_require(`
+ type colord_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 colord_t:dbus send_msg;
+ allow colord_t $1:dbus send_msg;
+')
+
+######################################
+## <summary>
+## Read colord lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_read_lib_files',`
+ gen_require(`
+ type colord_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
+')
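Review bot: The `domain` parameter of `colord_domtrans` is documented as "Domain allowed access." whereas every other domtrans interface in this commit (for example `consolekit_domtrans`) uses "Domain allowed to transition."; suggest `## Domain allowed to transition.` so the generated documentation stays consistent.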
diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
new file mode 100644
index 00000000..74505cca
--- /dev/null
+++ b/policy/modules/contrib/colord.te
@@ -0,0 +1,100 @@
+policy_module(colord, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type colord_t;
+type colord_exec_t;
+dbus_system_domain(colord_t, colord_exec_t)
+
+type colord_tmp_t;
+files_tmp_file(colord_tmp_t)
+
+type colord_tmpfs_t;
+files_tmpfs_file(colord_tmpfs_t)
+
+type colord_var_lib_t;
+files_type(colord_var_lib_t)
+
+########################################
+#
+# colord local policy
+#
+allow colord_t self:capability { dac_read_search dac_override };
+allow colord_t self:process signal;
+allow colord_t self:fifo_file rw_fifo_file_perms;
+allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow colord_t self:udp_socket create_socket_perms;
+allow colord_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
+
+manage_dirs_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
+manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
+fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
+
+manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
+
+kernel_getattr_proc_files(colord_t)
+kernel_read_device_sysctls(colord_t)
+
+corenet_all_recvfrom_unlabeled(colord_t)
+corenet_all_recvfrom_netlabel(colord_t)
+corenet_udp_bind_generic_node(colord_t)
+corenet_udp_bind_ipp_port(colord_t)
+corenet_tcp_connect_ipp_port(colord_t)
+
+dev_read_video_dev(colord_t)
+dev_write_video_dev(colord_t)
+dev_rw_printer(colord_t)
+dev_read_rand(colord_t)
+dev_read_sysfs(colord_t)
+dev_read_urand(colord_t)
+dev_list_sysfs(colord_t)
+dev_rw_generic_usb_dev(colord_t)
+
+domain_use_interactive_fds(colord_t)
+
+files_list_mnt(colord_t)
+files_read_etc_files(colord_t)
+files_read_usr_files(colord_t)
+
+fs_read_noxattr_fs_files(colord_t)
+
+logging_send_syslog_msg(colord_t)
+
+miscfiles_read_localization(colord_t)
+
+sysnet_dns_name_resolve(colord_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(colord_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(colord_t)
+')
+
+optional_policy(`
+ cups_read_config(colord_t)
+ cups_read_rw_config(colord_t)
+ cups_stream_connect(colord_t)
+ cups_dbus_chat(colord_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(colord_t)
+ policykit_domtrans_auth(colord_t)
+ policykit_read_lib(colord_t)
+ policykit_read_reload(colord_t)
+')
+
+optional_policy(`
+ udev_read_db(colord_t)
+')
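Review bot: The `# colord local policy` header is immediately followed by the first `allow` line with no blank line, unlike every other .te file in this commit; insert an empty line after the `#` closing the header. The block of device interfaces (`dev_read_video_dev`, `dev_write_video_dev`, `dev_rw_printer`, `dev_rw_generic_usb_dev`) is broad for a colour manager and would benefit from a why-comment, hedged if the hardware list is not certain, e.g. `# measurement devices and profiled printers/cameras — confirm which are required`.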
diff --git a/policy/modules/contrib/comsat.fc b/policy/modules/contrib/comsat.fc
new file mode 100644
index 00000000..e7633fa2
--- /dev/null
+++ b/policy/modules/contrib/comsat.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0)
diff --git a/policy/modules/contrib/comsat.if b/policy/modules/contrib/comsat.if
new file mode 100644
index 00000000..afc4dfe7
--- /dev/null
+++ b/policy/modules/contrib/comsat.if
@@ -0,0 +1 @@
+## <summary>Comsat, a biff server.</summary>
diff --git a/policy/modules/contrib/comsat.te b/policy/modules/contrib/comsat.te
new file mode 100644
index 00000000..3d121fda
--- /dev/null
+++ b/policy/modules/contrib/comsat.te
@@ -0,0 +1,74 @@
+policy_module(comsat, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type comsat_t;
+type comsat_exec_t;
+inetd_udp_service_domain(comsat_t, comsat_exec_t)
+role system_r types comsat_t;
+
+type comsat_tmp_t;
+files_tmp_file(comsat_tmp_t)
+
+type comsat_var_run_t;
+files_pid_file(comsat_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow comsat_t self:capability { setuid setgid };
+allow comsat_t self:process signal_perms;
+allow comsat_t self:fifo_file rw_fifo_file_perms;
+allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow comsat_t self:tcp_socket connected_stream_socket_perms;
+allow comsat_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t)
+manage_files_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t)
+files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir })
+
+manage_files_pattern(comsat_t, comsat_var_run_t, comsat_var_run_t)
+files_pid_filetrans(comsat_t, comsat_var_run_t, file)
+
+kernel_read_kernel_sysctls(comsat_t)
+kernel_read_network_state(comsat_t)
+kernel_read_system_state(comsat_t)
+
+corenet_all_recvfrom_unlabeled(comsat_t)
+corenet_all_recvfrom_netlabel(comsat_t)
+corenet_tcp_sendrecv_generic_if(comsat_t)
+corenet_udp_sendrecv_generic_if(comsat_t)
+corenet_tcp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_all_ports(comsat_t)
+
+dev_read_urand(comsat_t)
+
+fs_getattr_xattr_fs(comsat_t)
+
+files_read_etc_files(comsat_t)
+files_list_usr(comsat_t)
+files_search_spool(comsat_t)
+files_search_home(comsat_t)
+
+auth_use_nsswitch(comsat_t)
+
+init_read_utmp(comsat_t)
+init_dontaudit_write_utmp(comsat_t)
+
+logging_send_syslog_msg(comsat_t)
+
+miscfiles_read_localization(comsat_t)
+
+userdom_dontaudit_getattr_user_ttys(comsat_t)
+
+mta_getattr_spool(comsat_t)
+
+optional_policy(`
+ kerberos_use(comsat_t)
+')
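Review bot: `corenet_udp_sendrecv_all_ports(comsat_t)` is the only port-wide rule in this commit's new modules; if the policy declares a port-specific interface for the comsat/biff port, using it would narrow the domain to the one service it serves, and otherwise a comment explaining why all ports are needed would help. Also, `mta_getattr_spool(comsat_t)` is called outside `optional_policy` while `kerberos_use` is wrapped; unless mta is a base module in this tree, wrap it as `optional_policy(` `mta_getattr_spool(comsat_t)` `')` for consistency.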
diff --git a/policy/modules/contrib/consolekit.fc b/policy/modules/contrib/consolekit.fc
new file mode 100644
index 00000000..32233abf
--- /dev/null
+++ b/policy/modules/contrib/consolekit.fc
@@ -0,0 +1,7 @@
+/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
+
+/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
diff --git a/policy/modules/contrib/consolekit.if b/policy/modules/contrib/consolekit.if
new file mode 100644
index 00000000..fd15dfe1
--- /dev/null
+++ b/policy/modules/contrib/consolekit.if
@@ -0,0 +1,98 @@
+## <summary>Framework for facilitating multiple user sessions on desktops.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run consolekit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`consolekit_domtrans',`
+ gen_require(`
+ type consolekit_t, consolekit_exec_t;
+ ')
+
+ domtrans_pattern($1, consolekit_exec_t, consolekit_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## consolekit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_dbus_chat',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 consolekit_t:dbus send_msg;
+ allow consolekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read consolekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_read_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ read_files_pattern($1, consolekit_log_t, consolekit_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Manage consolekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_manage_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ manage_files_pattern($1, consolekit_log_t, consolekit_log_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Read consolekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_read_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 consolekit_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
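Review bot: `consolekit_manage_log` pairs `manage_files_pattern($1, consolekit_log_t, consolekit_log_t)` with `files_search_pids($1)`, but the log files live under `/var/log/ConsoleKit` per the .fc, so the caller needs log directory search, not pid directory search; `consolekit_read_log` just above uses `logging_search_logs($1)`. Change the line to `logging_search_logs($1)`.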
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
new file mode 100644
index 00000000..6f2896db
--- /dev/null
+++ b/policy/modules/contrib/consolekit.te
@@ -0,0 +1,131 @@
+policy_module(consolekit, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type consolekit_t;
+type consolekit_exec_t;
+init_daemon_domain(consolekit_t, consolekit_exec_t)
+
+type consolekit_log_t;
+logging_log_file(consolekit_log_t)
+
+type consolekit_var_run_t;
+files_pid_file(consolekit_var_run_t)
+
+########################################
+#
+# consolekit local policy
+#
+
+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:process { getsched signal };
+allow consolekit_t self:fifo_file rw_fifo_file_perms;
+allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
+allow consolekit_t self:unix_dgram_socket create_socket_perms;
+
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+
+manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir })
+
+kernel_read_system_state(consolekit_t)
+
+corecmd_exec_bin(consolekit_t)
+corecmd_exec_shell(consolekit_t)
+
+dev_read_urand(consolekit_t)
+dev_read_sysfs(consolekit_t)
+
+domain_read_all_domains_state(consolekit_t)
+domain_use_interactive_fds(consolekit_t)
+domain_dontaudit_ptrace_all_domains(consolekit_t)
+
+files_read_etc_files(consolekit_t)
+files_read_usr_files(consolekit_t)
+# needs to read /var/lib/dbus/machine-id
+files_read_var_lib_files(consolekit_t)
+files_search_all_mountpoints(consolekit_t)
+
+fs_list_inotifyfs(consolekit_t)
+
+mcs_ptrace_all(consolekit_t)
+
+term_use_all_terms(consolekit_t)
+
+auth_use_nsswitch(consolekit_t)
+auth_manage_pam_console_data(consolekit_t)
+auth_write_login_records(consolekit_t)
+
+init_telinit(consolekit_t)
+init_rw_utmp(consolekit_t)
+
+logging_send_syslog_msg(consolekit_t)
+logging_send_audit_msgs(consolekit_t)
+
+miscfiles_read_localization(consolekit_t)
+
+userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_read_user_tmp_files(consolekit_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(consolekit_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(consolekit_t)
+')
+
+optional_policy(`
+ dbus_system_domain(consolekit_t, consolekit_exec_t)
+
+ optional_policy(`
+ hal_dbus_chat(consolekit_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(consolekit_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_chat(consolekit_t)
+ ')
+')
+
+optional_policy(`
+ hal_ptrace(consolekit_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(consolekit_t)
+ policykit_domtrans_auth(consolekit_t)
+ policykit_read_lib(consolekit_t)
+ policykit_read_reload(consolekit_t)
+')
+
+optional_policy(`
+ type consolekit_tmpfs_t;
+ files_tmpfs_file(consolekit_tmpfs_t)
+
+ xserver_read_xdm_pid(consolekit_t)
+ xserver_read_user_xauth(consolekit_t)
+ xserver_non_drawing_client(consolekit_t)
+ corenet_tcp_connect_xserver_port(consolekit_t)
+ xserver_stream_connect(consolekit_t)
+ xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t)
+')
+
+optional_policy(`
+ udev_domtrans(consolekit_t)
+ udev_read_db(consolekit_t)
+ udev_signal(consolekit_t)
+')
+
+optional_policy(`
+ #reading .Xauthity
+ unconfined_stream_connect(consolekit_t)
+')
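Review bot: The capability line at the top of the local policy, `allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };`, together with `mcs_ptrace_all(consolekit_t)` further down, gives the daemon ptrace reach across MCS categories and DAC bypass without a word on why, while the one odd grant the file does explain (`# needs to read /var/lib/dbus/machine-id`) shows the author knows the convention. I would add `# TODO(review): document which operation needs sys_ptrace/dac_override and mcs_ptrace_all; drop them if audit shows no denial` above the capability line. The comment in the last optional_policy block misspells the file it refers to: `#reading .Xauthity` should read `# reading .Xauthority`.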
diff --git a/policy/modules/contrib/corosync.fc b/policy/modules/contrib/corosync.fc
new file mode 100644
index 00000000..3a6d7eb2
--- /dev/null
+++ b/policy/modules/contrib/corosync.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+
+/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
+
+/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
+
+/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/policy/modules/contrib/corosync.if b/policy/modules/contrib/corosync.if
new file mode 100644
index 00000000..5220c9d5
--- /dev/null
+++ b/policy/modules/contrib/corosync.if
@@ -0,0 +1,106 @@
+## <summary>Corosync Cluster Engine</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run corosync.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`corosync_domtrans',`
+ gen_require(`
+ type corosync_t, corosync_exec_t;
+ ')
+
+ domtrans_pattern($1, corosync_exec_t, corosync_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to read corosync's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_read_log',`
+ gen_require(`
+ type corosync_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t)
+ read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+')
+
+#####################################
+## <summary>
+## Connect to corosync over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_stream_connect',`
+ gen_require(`
+ type corosync_t, corosync_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to administrate
+## an corosync environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the corosyncd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`corosyncd_admin',`
+ gen_require(`
+ type corosync_t, corosync_var_lib_t, corosync_var_log_t;
+ type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
+ type corosync_initrc_exec_t;
+ ')
+
+ allow $1 corosync_t:process { ptrace signal_perms };
+ ps_process_pattern($1, corosync_t)
+
+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 corosync_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, corosync_tmp_t)
+
+ admin_pattern($1, corosync_tmpfs_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, corosync_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, corosync_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, corosync_var_run_t)
+')
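Review bot: The admin interface is declared as `corosyncd_admin` while every other interface in this file and the module name itself use the `corosync_` prefix (`corosync_domtrans`, `corosync_read_log`, `corosync_stream_connect`), so a caller looking for the conventional `corosync_admin` will not find it; unless an out-of-tree caller already depends on the name, declare it as `interface(`corosync_admin',` and fix the summary text to `administrate a corosync environment` and `manage the corosync domain`. The `####` banner lines above corosync_read_log, corosync_stream_connect and the admin interface are each a different length from the 40-character banner used for corosync_domtrans; making them uniform is a one-character change per line.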
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
new file mode 100644
index 00000000..04969e59
--- /dev/null
+++ b/policy/modules/contrib/corosync.te
@@ -0,0 +1,103 @@
+policy_module(corosync, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type corosync_t;
+type corosync_exec_t;
+init_daemon_domain(corosync_t, corosync_exec_t)
+
+type corosync_initrc_exec_t;
+init_script_file(corosync_initrc_exec_t)
+
+type corosync_tmp_t;
+files_tmp_file(corosync_tmp_t)
+
+type corosync_tmpfs_t;
+files_tmpfs_file(corosync_tmpfs_t)
+
+type corosync_var_lib_t;
+files_type(corosync_var_lib_t)
+
+type corosync_var_log_t;
+logging_log_file(corosync_var_log_t)
+
+type corosync_var_run_t;
+files_pid_file(corosync_var_run_t)
+
+########################################
+#
+# corosync local policy
+#
+
+allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
+allow corosync_t self:process { setrlimit setsched signal };
+
+allow corosync_t self:fifo_file rw_fifo_file_perms;
+allow corosync_t self:sem create_sem_perms;
+allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow corosync_t self:unix_dgram_socket create_socket_perms;
+allow corosync_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
+
+manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file })
+
+manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file })
+
+manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
+
+manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
+
+kernel_read_system_state(corosync_t)
+
+corecmd_exec_bin(corosync_t)
+
+corenet_udp_bind_netsupport_port(corosync_t)
+
+dev_read_urand(corosync_t)
+
+domain_read_all_domains_state(corosync_t)
+
+files_manage_mounttab(corosync_t)
+
+auth_use_nsswitch(corosync_t)
+
+init_read_script_state(corosync_t)
+init_rw_script_tmp_files(corosync_t)
+
+logging_send_syslog_msg(corosync_t)
+
+miscfiles_read_localization(corosync_t)
+
+userdom_rw_user_tmpfs_files(corosync_t)
+
+optional_policy(`
+ ccs_read_config(corosync_t)
+')
+
+optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_dlm_controld_semaphores(corosync_t)
+
+ rhcs_rw_fenced_semaphores(corosync_t)
+
+ rhcs_rw_gfs_controld_semaphores(corosync_t)
+')
+
+optional_policy(`
+ rgmanager_manage_tmpfs_files(corosync_t)
+')
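Review bot: `files_manage_mounttab(corosync_t)` and `userdom_rw_user_tmpfs_files(corosync_t)` let the cluster daemon modify files owned by other modules (the system mount table, and tmpfs files created by user domains) and neither carries a comment, whereas the RHCS optional block below does explain itself; I would add `# TODO(review): confirm which corosync operation rewrites the mount table` above the first and `# TODO(review): confirm why rw on user tmpfs files is needed` above the second, or remove them if no denial backs them. The existing RHCS comment reads `# to communication with RHCS`; `# to communicate with RHCS` is what was meant. `logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })` creating socket files under the log directory is unusual enough to deserve a one-line comment as well, assuming it is intentional.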
diff --git a/policy/modules/contrib/courier.fc b/policy/modules/contrib/courier.fc
new file mode 100644
index 00000000..5e591fa5
--- /dev/null
+++ b/policy/modules/contrib/courier.fc
@@ -0,0 +1,33 @@
+/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+/etc/courier-imap(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+
+/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+
+/usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+
+/usr/lib(64)?/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+/usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/lib(64)?/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+')
+
+/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+
+/var/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
+
+/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
+/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
diff --git a/policy/modules/contrib/courier.if b/policy/modules/contrib/courier.if
new file mode 100644
index 00000000..459763f2
--- /dev/null
+++ b/policy/modules/contrib/courier.if
@@ -0,0 +1,255 @@
+## <summary>Courier IMAP and POP3 email servers</summary>
+
+########################################
+## <summary>
+## Template for creating courier server processes.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix name of the server process.
+## </summary>
+## </param>
+#
+template(`courier_domain_template',`
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type courier_$1_t;
+ type courier_$1_exec_t;
+ init_daemon_domain(courier_$1_t, courier_$1_exec_t)
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ allow courier_$1_t self:capability dac_override;
+ dontaudit courier_$1_t self:capability sys_tty_config;
+ allow courier_$1_t self:process { setpgid signal_perms };
+ allow courier_$1_t self:fifo_file { read write getattr };
+ allow courier_$1_t self:tcp_socket create_stream_socket_perms;
+ allow courier_$1_t self:udp_socket create_socket_perms;
+
+ can_exec(courier_$1_t, courier_$1_exec_t)
+
+ read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t)
+ allow courier_$1_t courier_etc_t:dir list_dir_perms;
+
+ manage_dirs_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
+ manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
+ manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
+ manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
+ files_search_pids(courier_$1_t)
+ files_pid_filetrans(courier_$1_t, courier_var_run_t, dir)
+
+ kernel_read_system_state(courier_$1_t)
+ kernel_read_kernel_sysctls(courier_$1_t)
+
+ corecmd_exec_bin(courier_$1_t)
+ corecmd_exec_shell(courier_$1_t)
+
+ corenet_all_recvfrom_unlabeled(courier_$1_t)
+ corenet_all_recvfrom_netlabel(courier_$1_t)
+ corenet_tcp_sendrecv_generic_if(courier_$1_t)
+ corenet_udp_sendrecv_generic_if(courier_$1_t)
+ corenet_tcp_sendrecv_generic_node(courier_$1_t)
+ corenet_udp_sendrecv_generic_node(courier_$1_t)
+ corenet_tcp_sendrecv_all_ports(courier_$1_t)
+ corenet_udp_sendrecv_all_ports(courier_$1_t)
+
+ dev_read_sysfs(courier_$1_t)
+
+ domain_use_interactive_fds(courier_$1_t)
+
+ files_read_etc_files(courier_$1_t)
+ files_read_etc_runtime_files(courier_$1_t)
+ files_read_usr_files(courier_$1_t)
+
+ fs_getattr_xattr_fs(courier_$1_t)
+ fs_search_auto_mountpoints(courier_$1_t)
+
+ logging_send_syslog_msg(courier_$1_t)
+
+ sysnet_read_config(courier_$1_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(courier_$1_t)
+
+ optional_policy(`
+ seutil_sigchld_newrole(courier_$1_t)
+ ')
+
+ optional_policy(`
+ udev_read_db(courier_$1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute the courier authentication daemon with
+## a domain transition.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`courier_domtrans_authdaemon',`
+ gen_require(`
+ type courier_authdaemon_t, courier_authdaemon_exec_t;
+ ')
+
+ domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
+')
+
+########################################
+## <summary>
+## Allow read/write operations on an inherited stream socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`courier_authdaemon_rw_inherited_stream_sockets',`
+ gen_require(`
+ type courier_authdaemon_t;
+ ')
+ allow $1 courier_authdaemon_t:unix_stream_socket { read write };
+')
+
+
+########################################
+## <summary>
+## Connect to Authdaemon using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`courier_authdaemon_stream_connect',`
+ gen_require(`
+ type courier_authdaemon_t, courier_var_run_t;
+ ')
+
+ stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
+')
+
+########################################
+## <summary>
+## Execute the courier POP3 and IMAP server with
+## a domain transition.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`courier_domtrans_pop',`
+ gen_require(`
+ type courier_pop_t, courier_pop_exec_t;
+ ')
+
+ domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
+')
+
+########################################
+## <summary>
+## Read courier config files
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_read_config',`
+ gen_require(`
+ type courier_etc_t;
+ ')
+
+ read_files_pattern($1, courier_etc_t, courier_etc_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete courier
+## spool directories.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_manage_spool_dirs',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete courier
+## spool files.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_manage_spool_files',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ manage_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+## Read courier spool files.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_read_spool',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ read_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+## Read and write to courier spool pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_rw_spool_pipes',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
+')
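Review bot: Six interfaces document their only argument as `<param name="prefix">` although that argument is a domain, not a prefix — courier_domtrans_authdaemon, courier_domtrans_pop, courier_read_config, courier_manage_spool_dirs, courier_manage_spool_files and courier_read_spool — while courier_rw_spool_pipes and courier_authdaemon_stream_connect correctly say `<param name="domain">`; the generated interface documentation will be wrong for those six, so change each to `## <param name="domain">`. Inside courier_domain_template the second banner, directly after `init_daemon_domain(courier_$1_t, courier_$1_exec_t)`, repeats `# Declarations` even though it heads the allow rules; `# Local policy` would match the section naming used in courier.te. The `<rolecap/>` tag on courier_authdaemon_rw_inherited_stream_sockets and courier_authdaemon_stream_connect looks copied from an admin-style interface — confirm these are meant to be role capabilities, and remove the tag otherwise.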
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
new file mode 100644
index 00000000..98c31225
--- /dev/null
+++ b/policy/modules/contrib/courier.te
@@ -0,0 +1,161 @@
+policy_module(courier, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+courier_domain_template(authdaemon)
+
+type courier_etc_t;
+files_config_file(courier_etc_t)
+
+courier_domain_template(pcp)
+
+courier_domain_template(pop)
+
+type courier_spool_t;
+files_type(courier_spool_t)
+
+courier_domain_template(tcpd)
+
+type courier_var_lib_t;
+files_type(courier_var_lib_t)
+
+type courier_var_run_t;
+files_pid_file(courier_var_run_t)
+
+type courier_exec_t;
+mta_agent_executable(courier_exec_t)
+
+courier_domain_template(sqwebmail)
+typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
+
+########################################
+#
+# Authdaemon local policy
+#
+
+allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
+allow courier_authdaemon_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+can_exec(courier_authdaemon_t, courier_exec_t)
+
+allow courier_authdaemon_t courier_tcpd_t:fd use;
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
+
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:process sigchld;
+allow courier_authdaemon_t courier_tcpd_t:fd use;
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
+
+read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+
+create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
+manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+files_search_spool(courier_authdaemon_t)
+
+corecmd_search_bin(courier_authdaemon_t)
+
+# for SSP
+dev_read_urand(courier_authdaemon_t)
+
+files_getattr_tmp_dirs(courier_authdaemon_t)
+
+auth_domtrans_chk_passwd(courier_authdaemon_t)
+
+libs_read_lib_files(courier_authdaemon_t)
+
+miscfiles_read_localization(courier_authdaemon_t)
+
+# should not be needed!
+userdom_search_user_home_dirs(courier_authdaemon_t)
+
+courier_domtrans_pop(courier_authdaemon_t)
+
+########################################
+#
+# Calendar (PCP) local policy
+#
+
+allow courier_pcp_t self:capability { setuid setgid };
+
+dev_read_rand(courier_pcp_t)
+
+########################################
+#
+# POP3/IMAP local policy
+#
+
+allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
+allow courier_pop_t courier_authdaemon_t:process sigchld;
+
+allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+
+# inherits file handle - should it?
+allow courier_pop_t courier_var_lib_t:file { read write };
+
+# TODO Correct this, mentioning "var_lib_t" here is not done.
+search_dirs_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)
+read_lnk_files_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)
+
+miscfiles_read_localization(courier_pop_t)
+
+courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
+courier_domtrans_authdaemon(courier_pop_t)
+
+# do the actual work (read the Maildir)
+userdom_manage_user_home_content_files(courier_pop_t)
+# cjp: the fact that this is different for pop vs imap means that
+# there should probably be a courier_pop_t and courier_imap_t
+# this should also probably be a separate type too instead of
+# the regular home dir
+userdom_manage_user_home_content_dirs(courier_pop_t)
+
+########################################
+#
+# TCPd local policy
+#
+
+allow courier_tcpd_t self:capability kill;
+
+can_exec(courier_tcpd_t, courier_exec_t)
+
+manage_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t)
+manage_lnk_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t)
+files_search_var_lib(courier_tcpd_t)
+
+corecmd_search_bin(courier_tcpd_t)
+
+corenet_tcp_bind_generic_node(courier_tcpd_t)
+corenet_tcp_bind_pop_port(courier_tcpd_t)
+corenet_sendrecv_pop_server_packets(courier_tcpd_t)
+
+# for TLS
+dev_read_rand(courier_tcpd_t)
+dev_read_urand(courier_tcpd_t)
+
+miscfiles_read_localization(courier_tcpd_t)
+
+courier_domtrans_pop(courier_tcpd_t)
+courier_authdaemon_stream_connect(courier_tcpd_t)
+courier_domtrans_authdaemon(courier_tcpd_t)
+
+########################################
+#
+# Webmail local policy
+#
+
+kernel_read_kernel_sysctls(courier_sqwebmail_t)
+
+optional_policy(`
+ cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(courier_authdaemon_t)
+')
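Review bot: The Authdaemon section repeats rules: `allow courier_authdaemon_t courier_tcpd_t:fd use;` appears twice, `allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;` three times, and the fifo_file rule is granted once as `rw_fifo_file_perms` and once as `rw_file_perms`, so the effective permission is the union and a reader cannot tell which set was intended. Collapse the second group into the first, keeping one line per object class, i.e. keep `allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;` and delete the duplicated fd, tcp_socket and fifo_file lines. The `mysql_stream_connect(courier_authdaemon_t)` optional block is placed under the `# Webmail local policy` banner although it applies to authdaemon; it belongs in the Authdaemon section above.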
diff --git a/policy/modules/contrib/cpucontrol.fc b/policy/modules/contrib/cpucontrol.fc
new file mode 100644
index 00000000..789c8c7d
--- /dev/null
+++ b/policy/modules/contrib/cpucontrol.fc
@@ -0,0 +1,10 @@
+
+/etc/firmware/.* -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+
+/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+
+/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+
+/var/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0)
diff --git a/policy/modules/contrib/cpucontrol.if b/policy/modules/contrib/cpucontrol.if
new file mode 100644
index 00000000..ff6310d4
--- /dev/null
+++ b/policy/modules/contrib/cpucontrol.if
@@ -0,0 +1,17 @@
+## <summary>Services for loading CPU microcode and CPU frequency scaling.</summary>
+
+########################################
+## <summary>
+## CPUcontrol stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cpucontrol_stub',`
+ gen_require(`
+ type cpucontrol_t;
+ ')
+')
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
new file mode 100644
index 00000000..13d2f636
--- /dev/null
+++ b/policy/modules/contrib/cpucontrol.te
@@ -0,0 +1,122 @@
+policy_module(cpucontrol, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpucontrol_t;
+type cpucontrol_exec_t;
+init_system_domain(cpucontrol_t, cpucontrol_exec_t)
+
+type cpucontrol_conf_t;
+files_type(cpucontrol_conf_t)
+
+type cpuspeed_t;
+type cpuspeed_exec_t;
+init_system_domain(cpuspeed_t, cpuspeed_exec_t)
+
+type cpuspeed_var_run_t;
+files_pid_file(cpuspeed_var_run_t)
+
+########################################
+#
+# CPU microcode loader local policy
+#
+
+allow cpucontrol_t self:capability { ipc_lock sys_rawio };
+dontaudit cpucontrol_t self:capability sys_tty_config;
+allow cpucontrol_t self:process signal_perms;
+
+allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
+read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
+read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
+
+kernel_list_proc(cpucontrol_t)
+kernel_read_proc_symlinks(cpucontrol_t)
+kernel_read_kernel_sysctls(cpucontrol_t)
+
+dev_read_sysfs(cpucontrol_t)
+dev_rw_cpu_microcode(cpucontrol_t)
+
+fs_search_auto_mountpoints(cpucontrol_t)
+
+term_dontaudit_use_console(cpucontrol_t)
+
+domain_use_interactive_fds(cpucontrol_t)
+
+files_list_usr(cpucontrol_t)
+
+init_use_fds(cpucontrol_t)
+init_use_script_ptys(cpucontrol_t)
+
+logging_send_syslog_msg(cpucontrol_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t)
+
+optional_policy(`
+ nscd_socket_use(cpucontrol_t)
+')
+
+optional_policy(`
+ rhgb_use_ptys(cpucontrol_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cpucontrol_t)
+')
+
+optional_policy(`
+ udev_read_db(cpucontrol_t)
+')
+
+########################################
+#
+# CPU frequency scaling daemons
+#
+
+dontaudit cpuspeed_t self:capability sys_tty_config;
+allow cpuspeed_t self:process { signal_perms setsched };
+allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
+
+allow cpuspeed_t cpuspeed_var_run_t:file manage_file_perms;
+files_pid_filetrans(cpuspeed_t, cpuspeed_var_run_t, file)
+
+kernel_read_system_state(cpuspeed_t)
+kernel_read_kernel_sysctls(cpuspeed_t)
+
+dev_write_sysfs_dirs(cpuspeed_t)
+dev_rw_sysfs(cpuspeed_t)
+
+domain_use_interactive_fds(cpuspeed_t)
+# for demand/load-based scaling:
+domain_read_all_domains_state(cpuspeed_t)
+
+files_read_etc_files(cpuspeed_t)
+files_read_etc_runtime_files(cpuspeed_t)
+files_list_usr(cpuspeed_t)
+
+fs_search_auto_mountpoints(cpuspeed_t)
+
+term_dontaudit_use_console(cpuspeed_t)
+
+init_use_fds(cpuspeed_t)
+init_use_script_ptys(cpuspeed_t)
+
+logging_send_syslog_msg(cpuspeed_t)
+
+miscfiles_read_localization(cpuspeed_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t)
+
+optional_policy(`
+ nscd_socket_use(cpuspeed_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cpuspeed_t)
+')
+
+optional_policy(`
+ udev_read_db(cpuspeed_t)
+')
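Review bot: `allow cpucontrol_t self:capability { ipc_lock sys_rawio };` grants two capabilities, one of them quite broad, with no comment on which step of microcode loading needs them, while the cpuspeed section below does annotate its unusual grant (`# for demand/load-based scaling:`). I would add `# TODO(review): confirm ipc_lock/sys_rawio are still required by the microcode loader; dev_rw_cpu_microcode below presumably covers the device node itself` above that line, and drop whichever capability no denial justifies.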
diff --git a/policy/modules/contrib/cpufreqselector.fc b/policy/modules/contrib/cpufreqselector.fc
new file mode 100644
index 00000000..b187f0f7
--- /dev/null
+++ b/policy/modules/contrib/cpufreqselector.fc
@@ -0,0 +1 @@
+/usr/bin/cpufreq-selector -- gen_context(system_u:object_r:cpufreqselector_exec_t,s0)
diff --git a/policy/modules/contrib/cpufreqselector.if b/policy/modules/contrib/cpufreqselector.if
new file mode 100644
index 00000000..932fa532
--- /dev/null
+++ b/policy/modules/contrib/cpufreqselector.if
@@ -0,0 +1,22 @@
+## <summary>Command-line CPU frequency settings.</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## cpufreq-selector over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cpufreqselector_dbus_chat',`
+ gen_require(`
+ type cpufreqselector_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cpufreqselector_t:dbus send_msg;
+ allow cpufreqselector_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/cpufreqselector.te b/policy/modules/contrib/cpufreqselector.te
new file mode 100644
index 00000000..f77d58a4
--- /dev/null
+++ b/policy/modules/contrib/cpufreqselector.te
@@ -0,0 +1,55 @@
+policy_module(cpufreqselector, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpufreqselector_t;
+type cpufreqselector_exec_t;
+application_domain(cpufreqselector_t, cpufreqselector_exec_t)
+
+########################################
+#
+# cpufreq-selector local policy
+#
+
+allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+allow cpufreqselector_t self:process getsched;
+allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(cpufreqselector_t)
+
+files_read_etc_files(cpufreqselector_t)
+files_read_usr_files(cpufreqselector_t)
+
+corecmd_search_bin(cpufreqselector_t)
+
+dev_rw_sysfs(cpufreqselector_t)
+
+miscfiles_read_localization(cpufreqselector_t)
+
+userdom_read_all_users_state(cpufreqselector_t)
+userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+
+optional_policy(`
+ dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(cpufreqselector_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(cpufreqselector_t)
+ ')
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(cpufreqselector_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(cpufreqselector_t)
+ policykit_read_lib(cpufreqselector_t)
+ policykit_read_reload(cpufreqselector_t)
+')
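Review bot: `allow cpufreqselector_t self:capability { sys_nice sys_ptrace };` together with `userdom_read_all_users_state(cpufreqselector_t)` lets a command-line tool declared with `application_domain` read every user domain's process state, and the file contains no why-comment at all. Add `# TODO(review): confirm sys_ptrace and reading all user process state are needed; if only probed, a dontaudit is the safer grant` above the capability line. The trailing `policykit_domtrans_auth`/`policykit_read_lib`/`policykit_read_reload` block duplicates the nesting used in consolekit.te in this same commit; presumably the split from the dbus block is deliberate so those rules apply without dbus, but a one-line comment saying so would save the next reader the question.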
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
new file mode 100644
index 00000000..3559a052
--- /dev/null
+++ b/policy/modules/contrib/cron.fc
@@ -0,0 +1,56 @@
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+
+/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+
+/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
+#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/[^/]* -- <<none>>
+
+/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/crontabs/.* -- <<none>>
+#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+
+/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/fcron/.* <<none>>
+/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+ifdef(`distro_debian',`
+/var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0)
+
+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atjobs/[^/]* -- <<none>>
+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <<none>>
+')
+
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <<none>>
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+')
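Review bot: In the `distro_debian` block the entry `/var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0)` leaves the dot unescaped, unlike every other path in this file; since the path is a regex, `.` matches any character, so it should read `/var/log/prelink\.log -- gen_context(system_u:object_r:cron_log_t,s0)`. The two commented-out entries `#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)` and `#/var/spool/cron/crontabs/root -- ...` are dead specifications that can mislead readers into thinking `sysadm_cron_spool_t` is still applied to root's crontab; either drop them or replace them with a short comment explaining that the `<<none>>` lines deliberately leave per-user crontab labeling to crontab/crond at runtime (presumably the intent, but worth confirming).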
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
new file mode 100644
index 00000000..6e12dc75
--- /dev/null
+++ b/policy/modules/contrib/cron.if
@@ -0,0 +1,632 @@
+## <summary>Periodic execution of scheduled commands.</summary>
+
+#######################################
+## <summary>
+## The common rules for a crontab domain.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`cron_common_crontab_template',`
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_t;
+ userdom_user_application_domain($1_t, crontab_exec_t)
+
+ type $1_tmp_t;
+ userdom_user_tmp_file($1_tmp_t)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ # dac_override is to create the file in the directory under /tmp
+ allow $1_t self:capability { fowner setuid setgid chown dac_override };
+ allow $1_t self:process { setsched signal_perms };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+
+ allow $1_t $1_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1_t, $1_tmp_t, file)
+
+ # create files in /var/spool/cron
+ manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+ filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
+ files_list_spool($1_t)
+
+ # crontab signals crond by updating the mtime on the spooldir
+ allow $1_t cron_spool_t:dir setattr;
+
+ kernel_read_system_state($1_t)
+
+ # for the checks used by crontab -u
+ selinux_dontaudit_search_fs($1_t)
+
+ fs_getattr_xattr_fs($1_t)
+
+ domain_use_interactive_fds($1_t)
+
+ files_read_etc_files($1_t)
+ files_read_usr_files($1_t)
+ files_dontaudit_search_pids($1_t)
+
+ auth_domtrans_chk_passwd($1_t)
+
+ logging_send_syslog_msg($1_t)
+ logging_send_audit_msgs($1_t)
+
+ init_dontaudit_write_utmp($1_t)
+ init_read_utmp($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ seutil_read_config($1_t)
+
+ userdom_manage_user_tmp_dirs($1_t)
+ userdom_manage_user_tmp_files($1_t)
+ # Access terminals.
+ userdom_use_user_terminals($1_t)
+ # Read user crontabs
+ userdom_read_user_home_content_files($1_t)
+
+ tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ dontaudit $1_t crond_t:process signal;
+ ')
+
+ optional_policy(`
+ nscd_socket_use($1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for cron
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`cron_role',`
+ gen_require(`
+ type cronjob_t, crontab_t, crontab_exec_t;
+ ')
+
+ role $1 types { cronjob_t crontab_t };
+
+ # cronjob shows up in user ps
+ ps_process_pattern($2, cronjob_t)
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
+
+ # crontab shows up in user ps
+ ps_process_pattern($2, crontab_t)
+ allow $2 crontab_t:process signal;
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(crontab_t, $2)
+ #corecmd_shell_domtrans(crontab_t, $2)
+ corecmd_exec_bin(crontab_t)
+ corecmd_exec_shell(crontab_t)
+
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ dbus_stub(cronjob_t)
+
+ allow cronjob_t $2:dbus send_msg;
+ ')
+')
+
+########################################
+## <summary>
+## Role access for unconfined cronjobs
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`cron_unconfined_role',`
+ gen_require(`
+ type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
+ ')
+
+ role $1 types { unconfined_cronjob_t crontab_t };
+
+ # cronjob shows up in user ps
+ ps_process_pattern($2, unconfined_cronjob_t)
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
+
+ # crontab shows up in user ps
+ ps_process_pattern($2, crontab_t)
+ allow $2 crontab_t:process signal;
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(crontab_t, $2)
+ #corecmd_shell_domtrans(crontab_t, $2)
+ corecmd_exec_bin(crontab_t)
+ corecmd_exec_shell(crontab_t)
+
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ dbus_stub(unconfined_cronjob_t)
+
+ allow unconfined_cronjob_t $2:dbus send_msg;
+ ')
+')
+
+########################################
+## <summary>
+## Role access for cron
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`cron_admin_role',`
+ gen_require(`
+ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
+ class passwd crontab;
+ ')
+
+ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
+
+ # cronjob shows up in user ps
+ ps_process_pattern($2, cronjob_t)
+
+ # Manipulate other users crontab.
+ allow $2 self:passwd crontab;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
+
+ # crontab shows up in user ps
+ ps_process_pattern($2, admin_crontab_t)
+ allow $2 admin_crontab_t:process signal;
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(admin_crontab_t, $2)
+ #corecmd_shell_domtrans(admin_crontab_t, $2)
+ corecmd_exec_bin(admin_crontab_t)
+ corecmd_exec_shell(admin_crontab_t)
+
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ dbus_stub(admin_cronjob_t)
+
+ allow cronjob_t $2:dbus send_msg;
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified program domain accessable
+## from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process to transition to.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type of the file used as an entrypoint to this domain.
+## </summary>
+## </param>
+#
+interface(`cron_system_entry',`
+ gen_require(`
+ type crond_t, system_cronjob_t;
+ ')
+
+ domtrans_pattern(system_cronjob_t, $2, $1)
+ domtrans_pattern(crond_t, $2, $1)
+
+ role system_r types $1;
+')
+
+########################################
+## <summary>
+## Execute cron in the cron system domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cron_domtrans',`
+ gen_require(`
+ type system_cronjob_t, crond_exec_t;
+ ')
+
+ domtrans_pattern($1, crond_exec_t, system_cronjob_t)
+')
+
+########################################
+## <summary>
+## Execute crond_exec_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_exec',`
+ gen_require(`
+ type crond_exec_t;
+ ')
+
+ can_exec($1, crond_exec_t)
+')
+
+########################################
+## <summary>
+## Execute crond server in the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cron_initrc_domtrans',`
+ gen_require(`
+ type crond_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, crond_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Inherit and use a file descriptor
+## from the cron daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_use_fds',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:fd use;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to the cron daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_sigchld',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Read a cron daemon unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write cron daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_write_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ dontaudit $1 crond_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Read and write a cron daemon unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:fifo_file { getattr read write };
+')
+
+########################################
+## <summary>
+## Read, and write cron daemon TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_tcp_sockets',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Dontaudit Read, and write cron daemon TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ dontaudit $1 crond_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Search the directory containing user cron tables.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_search_spool',`
+ gen_require(`
+ type cron_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 cron_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage pid files used by cron
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_pid_files',`
+ gen_require(`
+ type crond_var_run_t;
+ ')
+
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute anacron in the cron system domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cron_anacron_domtrans_system_job',`
+ gen_require(`
+ type system_cronjob_t, anacron_exec_t;
+ ')
+
+ domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
+')
+
+########################################
+## <summary>
+## Inherit and use a file descriptor
+## from system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_use_system_job_fds',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:fd use;
+')
+
+########################################
+## <summary>
+## Write a system cron job unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_write_system_job_pipes',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:file write;
+')
+
+########################################
+## <summary>
+## Read and write a system cron job unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_system_job_pipes',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Allow read/write unix stream sockets from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_system_job_stream_sockets',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Read temporary files from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 system_cronjob_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append temporary
+## files from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_append_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write temporary
+## files from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+')
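Review bot: `cron_write_system_job_pipes` is documented as writing an unnamed pipe, but its rule is `allow $1 system_cronjob_t:file write;`, on class `file` rather than `fifo_file`; the sibling `cron_rw_system_job_pipes` uses `fifo_file`, so this should most likely be `allow $1 system_cronjob_t:fifo_file write_fifo_file_perms;` (or `fifo_file write` if the narrower permission is intended). In `cron_admin_role`, `dbus_stub(admin_cronjob_t)` names a type that is neither in that interface's `gen_require` nor declared in the cron.te declarations section of this commit, while the following `allow` uses `cronjob_t`; this looks like a copy-paste slip and should probably be `dbus_stub(cronjob_t)`. The same interface's `role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };` includes `admin_crontab_tmp_t`, a tmp file type, in a role-type association, which has no effect for a non-domain type and should be dropped. The summaries of `cron_admin_role` ("Role access for cron") and `cron_initrc_domtrans` ("Execute crond server in the nscd domain.") are copied from other interfaces; suggested wording: `## Role access for the admin crontab domain.` and `## Execute the crond init script in the initrc domain.`.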
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
new file mode 100644
index 00000000..f25d9d14
--- /dev/null
+++ b/policy/modules/contrib/cron.te
@@ -0,0 +1,631 @@
+policy_module(cron, 2.4.0)
+
+gen_require(`
+ class passwd rootok;
+')
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+## </p>
+## </desc>
+gen_tunable(cron_can_relabel, false)
+
+## <desc>
+## <p>
+## Enable extra rules in the cron domain
+## to support fcron.
+## </p>
+## </desc>
+gen_tunable(fcron_crond, false)
+
+attribute cron_spool_type;
+
+type anacron_exec_t;
+application_executable_file(anacron_exec_t)
+
+type cron_spool_t;
+files_type(cron_spool_t)
+
+# var/lib files
+type cron_var_lib_t;
+files_type(cron_var_lib_t)
+
+type cron_var_run_t;
+files_type(cron_var_run_t)
+
+# var/log files
+type cron_log_t;
+logging_log_file(cron_log_t)
+
+type cronjob_t;
+typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t };
+typealias cronjob_t alias { auditadm_crond_t secadm_crond_t };
+domain_type(cronjob_t)
+domain_cron_exemption_target(cronjob_t)
+domain_interactive_fd(cronjob_t)
+corecmd_shell_entry_type(cronjob_t)
+ubac_constrained(cronjob_t)
+
+type crond_t;
+type crond_exec_t;
+init_daemon_domain(crond_t, crond_exec_t)
+domain_interactive_fd(crond_t)
+domain_cron_exemption_source(crond_t)
+
+type crond_initrc_exec_t;
+init_script_file(crond_initrc_exec_t)
+
+type crond_tmp_t;
+files_tmp_file(crond_tmp_t)
+
+type crond_var_run_t;
+files_pid_file(crond_var_run_t)
+
+type crontab_exec_t;
+application_executable_file(crontab_exec_t)
+
+cron_common_crontab_template(admin_crontab)
+typealias admin_crontab_t alias sysadm_crontab_t;
+typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
+
+cron_common_crontab_template(crontab)
+typealias crontab_t alias { user_crontab_t staff_crontab_t };
+typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
+typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+
+type system_cron_spool_t, cron_spool_type;
+files_type(system_cron_spool_t)
+
+type system_cronjob_t alias system_crond_t;
+init_daemon_domain(system_cronjob_t, anacron_exec_t)
+corecmd_shell_entry_type(system_cronjob_t)
+domain_interactive_fd(system_cronjob_t)
+role system_r types system_cronjob_t;
+
+type system_cronjob_lock_t alias system_crond_lock_t;
+files_lock_file(system_cronjob_lock_t)
+
+type system_cronjob_tmp_t alias system_crond_tmp_t;
+files_tmp_file(system_cronjob_tmp_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+')
+
+type unconfined_cronjob_t;
+domain_type(unconfined_cronjob_t)
+domain_cron_exemption_target(unconfined_cronjob_t)
+
+# Type of user crontabs once moved to cron spool.
+type user_cron_spool_t, cron_spool_type;
+typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
+typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
+files_type(user_cron_spool_t)
+ubac_constrained(user_cron_spool_t)
+
+########################################
+#
+# Admin crontab local policy
+#
+
+# Allow our crontab domain to unlink a user cron spool file.
+allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
+
+# Manipulate other users crontab.
+selinux_get_fs_mount(admin_crontab_t)
+selinux_validate_context(admin_crontab_t)
+selinux_compute_access_vector(admin_crontab_t)
+selinux_compute_create_context(admin_crontab_t)
+selinux_compute_relabel_context(admin_crontab_t)
+selinux_compute_user_contexts(admin_crontab_t)
+
+tunable_policy(`fcron_crond', `
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ allow admin_crontab_t self:process setfscreate;
+')
+
+########################################
+#
+# Cron daemon local policy
+#
+
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
+dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow crond_t self:process { setexec setfscreate };
+allow crond_t self:fd use;
+allow crond_t self:fifo_file rw_fifo_file_perms;
+allow crond_t self:unix_dgram_socket create_socket_perms;
+allow crond_t self:unix_stream_socket create_stream_socket_perms;
+allow crond_t self:unix_dgram_socket sendto;
+allow crond_t self:unix_stream_socket connectto;
+allow crond_t self:shm create_shm_perms;
+allow crond_t self:sem create_sem_perms;
+allow crond_t self:msgq create_msgq_perms;
+allow crond_t self:msg { send receive };
+allow crond_t self:key { search write link };
+
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
+logging_log_filetrans(crond_t, cron_log_t, file)
+
+manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
+files_pid_filetrans(crond_t, crond_var_run_t, file)
+
+manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+
+manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
+manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
+files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
+
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+
+kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
+kernel_search_key(crond_t)
+
+dev_read_sysfs(crond_t)
+selinux_get_fs_mount(crond_t)
+selinux_validate_context(crond_t)
+selinux_compute_access_vector(crond_t)
+selinux_compute_create_context(crond_t)
+selinux_compute_relabel_context(crond_t)
+selinux_compute_user_contexts(crond_t)
+
+dev_read_urand(crond_t)
+
+fs_getattr_all_fs(crond_t)
+fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
+
+# need auth_chkpwd to check for locked accounts.
+auth_domtrans_chk_passwd(crond_t)
+
+corecmd_exec_shell(crond_t)
+corecmd_list_bin(crond_t)
+corecmd_read_bin_symlinks(crond_t)
+
+domain_use_interactive_fds(crond_t)
+
+files_read_usr_files(crond_t)
+files_read_etc_runtime_files(crond_t)
+files_read_etc_files(crond_t)
+files_read_generic_spool(crond_t)
+files_list_usr(crond_t)
+# Read from /var/spool/cron.
+files_search_var_lib(crond_t)
+files_search_default(crond_t)
+
+init_rw_utmp(crond_t)
+init_spec_domtrans_script(crond_t)
+
+auth_use_nsswitch(crond_t)
+
+logging_send_syslog_msg(crond_t)
+logging_set_loginuid(crond_t)
+
+seutil_read_config(crond_t)
+seutil_read_default_contexts(crond_t)
+seutil_sigchld_newrole(crond_t)
+
+miscfiles_read_localization(crond_t)
+
+userdom_use_unpriv_users_fds(crond_t)
+# Not sure why this is needed
+userdom_list_user_home_dirs(crond_t)
+
+mta_send_mail(crond_t)
+
+ifdef(`distro_debian',`
+ # pam_limits is used
+ allow crond_t self:process setrlimit;
+
+ optional_policy(`
+ # Debian logcheck has the home dir set to its cache
+ logwatch_search_cache_dir(crond_t)
+ ')
+')
+
+ifdef(`distro_redhat', `
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
+ optional_policy(`
+ rpm_manage_log(crond_t)
+ ')
+')
+
+tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all(crond_t)
+')
+
+tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+')
+
+optional_policy(`
+ locallogin_search_keys(crond_t)
+ locallogin_link_keys(crond_t)
+')
+
+optional_policy(`
+ amanda_search_var_lib(crond_t)
+')
+
+optional_policy(`
+ amavis_search_lib(crond_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(crond_t)
+')
+
+optional_policy(`
+ # cjp: why?
+ munin_search_lib(crond_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(crond_t)
+')
+
+optional_policy(`
+ # Commonly used from postinst scripts
+ rpm_read_pipes(crond_t)
+')
+
+optional_policy(`
+ # allow crond to find /usr/lib/postgresql/bin/do.maintenance
+ postgresql_search_db(crond_t)
+')
+
+optional_policy(`
+ udev_read_db(crond_t)
+')
+
+########################################
+#
+# System cron process domain
+#
+
+allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+allow system_cronjob_t self:process { signal_perms getsched setsched };
+allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
+allow system_cronjob_t self:passwd rootok;
+
+# This is to handle creation of files in /var/log directory.
+# Used currently by rpm script log files
+allow system_cronjob_t cron_log_t:file manage_file_perms;
+logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+
+# This is to handle /var/lib/misc directory. Used currently
+# by prelink var/lib files for cron
+allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
+files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+
+allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+# The entrypoint interface is not used as this is not
+# a regular entrypoint. Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job. It
+# performs an entrypoint permission check
+# for this purpose.
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t system_cronjob_t:process transition;
+dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t system_cronjob_t:fd use;
+allow system_cronjob_t crond_t:fd use;
+allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+allow system_cronjob_t crond_t:process sigchld;
+
+# Write /var/lock/makewhatis.lock.
+allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
+files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
+
+# write temporary files
+manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+
+# Read from /var/spool/cron.
+allow system_cronjob_t cron_spool_t:dir list_dir_perms;
+allow system_cronjob_t cron_spool_t:file read_file_perms;
+
+kernel_read_kernel_sysctls(system_cronjob_t)
+kernel_read_system_state(system_cronjob_t)
+kernel_read_software_raid_state(system_cronjob_t)
+
+# ps does not need to access /boot when run from cron
+files_dontaudit_search_boot(system_cronjob_t)
+
+corecmd_exec_all_executables(system_cronjob_t)
+
+corenet_all_recvfrom_unlabeled(system_cronjob_t)
+corenet_all_recvfrom_netlabel(system_cronjob_t)
+corenet_tcp_sendrecv_generic_if(system_cronjob_t)
+corenet_udp_sendrecv_generic_if(system_cronjob_t)
+corenet_tcp_sendrecv_generic_node(system_cronjob_t)
+corenet_udp_sendrecv_generic_node(system_cronjob_t)
+corenet_tcp_sendrecv_all_ports(system_cronjob_t)
+corenet_udp_sendrecv_all_ports(system_cronjob_t)
+
+dev_getattr_all_blk_files(system_cronjob_t)
+dev_getattr_all_chr_files(system_cronjob_t)
+dev_read_urand(system_cronjob_t)
+
+fs_getattr_all_fs(system_cronjob_t)
+fs_getattr_all_files(system_cronjob_t)
+fs_getattr_all_symlinks(system_cronjob_t)
+fs_getattr_all_pipes(system_cronjob_t)
+fs_getattr_all_sockets(system_cronjob_t)
+
+# quiet other ps operations
+domain_dontaudit_read_all_domains_state(system_cronjob_t)
+
+files_exec_etc_files(system_cronjob_t)
+files_read_etc_files(system_cronjob_t)
+files_read_etc_runtime_files(system_cronjob_t)
+files_list_all(system_cronjob_t)
+files_getattr_all_dirs(system_cronjob_t)
+files_getattr_all_files(system_cronjob_t)
+files_getattr_all_symlinks(system_cronjob_t)
+files_getattr_all_pipes(system_cronjob_t)
+files_getattr_all_sockets(system_cronjob_t)
+files_read_usr_files(system_cronjob_t)
+files_read_var_files(system_cronjob_t)
+# for nscd:
+files_dontaudit_search_pids(system_cronjob_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
+files_manage_generic_spool(system_cronjob_t)
+
+init_use_script_fds(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_dontaudit_rw_utmp(system_cronjob_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_telinit(system_cronjob_t)
+init_domtrans_script(system_cronjob_t)
+
+auth_use_nsswitch(system_cronjob_t)
+
+libs_exec_lib_files(system_cronjob_t)
+libs_exec_ld_so(system_cronjob_t)
+
+logging_read_generic_logs(system_cronjob_t)
+logging_send_audit_msgs(system_cronjob_t)
+logging_send_syslog_msg(system_cronjob_t)
+
+miscfiles_read_localization(system_cronjob_t)
+miscfiles_manage_man_pages(system_cronjob_t)
+
+seutil_read_config(system_cronjob_t)
+
+ifdef(`distro_redhat', `
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
+ optional_policy(`
+ rpm_manage_log(system_cronjob_t)
+ ')
+')
+
+tunable_policy(`cron_can_relabel',`
+ seutil_domtrans_setfiles(system_cronjob_t)
+',`
+ selinux_get_fs_mount(system_cronjob_t)
+ selinux_validate_context(system_cronjob_t)
+ selinux_compute_access_vector(system_cronjob_t)
+ selinux_compute_create_context(system_cronjob_t)
+ selinux_compute_relabel_context(system_cronjob_t)
+ selinux_compute_user_contexts(system_cronjob_t)
+ seutil_read_file_contexts(system_cronjob_t)
+')
+
+optional_policy(`
+ # Needed for certwatch
+ apache_exec_modules(system_cronjob_t)
+ apache_read_config(system_cronjob_t)
+ apache_read_log(system_cronjob_t)
+ apache_read_sys_content(system_cronjob_t)
+')
+
+optional_policy(`
+ cyrus_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
+ ftp_read_log(system_cronjob_t)
+')
+
+optional_policy(`
+ inn_manage_log(system_cronjob_t)
+ inn_manage_pid(system_cronjob_t)
+ inn_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ lpd_list_spool(system_cronjob_t)
+')
+
+optional_policy(`
+ mrtg_append_create_logs(system_cronjob_t)
+')
+
+optional_policy(`
+ mta_send_mail(system_cronjob_t)
+')
+
+optional_policy(`
+ mysql_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ postfix_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ prelink_delete_cache(system_cronjob_t)
+ prelink_manage_lib(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_read_cache(system_cronjob_t)
+ prelink_relabelfrom_lib(system_cronjob_t)
+')
+
+optional_policy(`
+ samba_read_config(system_cronjob_t)
+ samba_read_log(system_cronjob_t)
+ #samba_read_secrets(system_cronjob_t)
+')
+
+optional_policy(`
+ slocate_create_append_log(system_cronjob_t)
+')
+
+optional_policy(`
+ spamassassin_manage_lib_files(system_cronjob_t)
+')
+
+optional_policy(`
+ sysstat_manage_log(system_cronjob_t)
+')
+
+optional_policy(`
+ unconfined_domain(system_cronjob_t)
+ userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+')
+
+########################################
+#
+# User cronjobs local policy
+#
+
+allow cronjob_t self:process { signal_perms setsched };
+allow cronjob_t self:fifo_file rw_fifo_file_perms;
+allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
+allow cronjob_t self:unix_dgram_socket create_socket_perms;
+
+# The entrypoint interface is not used as this is not
+# a regular entrypoint. Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job. It
+# performs an entrypoint permission check
+# for this purpose.
+allow cronjob_t user_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t cronjob_t:process transition;
+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t cronjob_t:fd use;
+allow crond_t cronjob_t:key create;
+allow cronjob_t crond_t:fd use;
+allow cronjob_t crond_t:fifo_file rw_file_perms;
+allow cronjob_t crond_t:process sigchld;
+
+kernel_read_system_state(cronjob_t)
+kernel_read_kernel_sysctls(cronjob_t)
+
+# ps does not need to access /boot when run from cron
+files_dontaudit_search_boot(cronjob_t)
+
+corenet_all_recvfrom_unlabeled(cronjob_t)
+corenet_all_recvfrom_netlabel(cronjob_t)
+corenet_tcp_sendrecv_generic_if(cronjob_t)
+corenet_udp_sendrecv_generic_if(cronjob_t)
+corenet_tcp_sendrecv_generic_node(cronjob_t)
+corenet_udp_sendrecv_generic_node(cronjob_t)
+corenet_tcp_sendrecv_all_ports(cronjob_t)
+corenet_udp_sendrecv_all_ports(cronjob_t)
+corenet_tcp_connect_all_ports(cronjob_t)
+corenet_sendrecv_all_client_packets(cronjob_t)
+
+dev_read_urand(cronjob_t)
+
+fs_getattr_all_fs(cronjob_t)
+
+corecmd_exec_all_executables(cronjob_t)
+
+# quiet other ps operations
+domain_dontaudit_read_all_domains_state(cronjob_t)
+domain_dontaudit_getattr_all_domains(cronjob_t)
+
+files_read_usr_files(cronjob_t)
+files_exec_etc_files(cronjob_t)
+# for nscd:
+files_dontaudit_search_pids(cronjob_t)
+
+libs_exec_lib_files(cronjob_t)
+libs_exec_ld_so(cronjob_t)
+
+files_read_etc_runtime_files(cronjob_t)
+files_read_var_files(cronjob_t)
+files_search_spool(cronjob_t)
+
+logging_search_logs(cronjob_t)
+
+seutil_read_config(cronjob_t)
+
+miscfiles_read_localization(cronjob_t)
+
+userdom_manage_user_tmp_files(cronjob_t)
+userdom_manage_user_tmp_symlinks(cronjob_t)
+userdom_manage_user_tmp_pipes(cronjob_t)
+userdom_manage_user_tmp_sockets(cronjob_t)
+# Run scripts in user home directory and access shared libs.
+userdom_exec_user_home_content_files(cronjob_t)
+# Access user files and dirs.
+userdom_manage_user_home_content_files(cronjob_t)
+userdom_manage_user_home_content_symlinks(cronjob_t)
+userdom_manage_user_home_content_pipes(cronjob_t)
+userdom_manage_user_home_content_sockets(cronjob_t)
+#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+
+tunable_policy(`fcron_crond', `
+ allow crond_t user_cron_spool_t:file manage_file_perms;
+')
+
+# need a per-role version of this:
+#optional_policy(`
+# mono_domtrans(cronjob_t)
+#')
+
+optional_policy(`
+ nis_use_ypbind(cronjob_t)
+')
+
+########################################
+#
+# Unconfined cronjobs local policy
+#
+
+optional_policy(`
+ # Permit a transition from the crond_t domain to this domain.
+ # The transition is requested explicitly by the modified crond
+ # via setexeccon. There is no way to set up an automatic
+ # transition, since crontabs are configuration files, not executables.
+ allow crond_t unconfined_cronjob_t:process transition;
+ dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+ allow crond_t unconfined_cronjob_t:fd use;
+
+ unconfined_domain(unconfined_cronjob_t)
+')
diff --git a/policy/modules/contrib/cups.fc b/policy/modules/contrib/cups.fc
new file mode 100644
index 00000000..1b492eda
--- /dev/null
+++ b/policy/modules/contrib/cups.fc
@@ -0,0 +1,73 @@
+
+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
+
+/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
+
+/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
+
+/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+# keep as separate lines to ensure proper sorting
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+/usr/lib64/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
+
+/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+
+/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
+
+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
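Review bot: The `/usr/share/hplip/.*\.py` entry labels every Python module under that tree as hplip_exec_t, which in cups.te is both the init_daemon_domain entrypoint for hplip_t and the cups_backend entrypoint reachable from cupsd_t; the other hplip_exec_t entries in this file are individual daemon and backend binaries. If only the command-line tools in that directory need to be domain entrypoints, a narrower pattern would keep library modules out of the entrypoint set; if the broad match is intentional, a short comment on that line stating why (e.g. `# hplip tools are python scripts that share this tree`) would make the scope deliberate for the next reader. The `/var/cache/cups` entry is the only one using mls_systemhigh; this matches the ranged cupsd_t declared in cups.te, and a one-line comment noting that would explain the odd one out.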
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
new file mode 100644
index 00000000..305ddf46
--- /dev/null
+++ b/policy/modules/contrib/cups.if
@@ -0,0 +1,358 @@
+## <summary>Common UNIX printing system</summary>
+
+########################################
+## <summary>
+## Setup cups to transtion to the cups backend domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_backend',`
+ gen_require(`
+ type cupsd_t;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+ role system_r types $1;
+
+ domtrans_pattern(cupsd_t, $2, $1)
+ allow cupsd_t $1:process signal;
+ allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;
+
+ cups_read_config($1)
+ cups_append_log($1)
+')
+
+########################################
+## <summary>
+## Execute cups in the cups domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cups_domtrans',`
+ gen_require(`
+ type cupsd_t, cupsd_exec_t;
+ ')
+
+ domtrans_pattern($1, cupsd_exec_t, cupsd_t)
+')
+
+########################################
+## <summary>
+## Connect to cupsd over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_stream_connect',`
+ gen_require(`
+ type cupsd_t, cupsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+')
+
+########################################
+## <summary>
+## Connect to cups over TCP. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## cups over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_dbus_chat',`
+ gen_require(`
+ type cupsd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cupsd_t:dbus send_msg;
+ allow cupsd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read cups PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_read_pid_files',`
+ gen_require(`
+ type cupsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 cupsd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute cups_config in the cups_config domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cups_domtrans_config',`
+ gen_require(`
+ type cupsd_config_t, cupsd_config_exec_t;
+ ')
+
+ domtrans_pattern($1, cupsd_config_exec_t, cupsd_config_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to the cups
+## configuration daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_signal_config',`
+ gen_require(`
+ type cupsd_config_t;
+ ')
+
+ allow $1 cupsd_config_t:process signal;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## cupsd_config over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_dbus_chat_config',`
+ gen_require(`
+ type cupsd_config_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cupsd_config_t:dbus send_msg;
+ allow cupsd_config_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read cups configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cups_read_config',`
+ gen_require(`
+ type cupsd_etc_t, cupsd_rw_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+')
+
+########################################
+## <summary>
+## Read cups-writable configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cups_read_rw_config',`
+ gen_require(`
+ type cupsd_etc_t, cupsd_rw_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+')
+
+########################################
+## <summary>
+## Read cups log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cups_read_log',`
+ gen_require(`
+ type cupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 cupsd_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Append cups log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_append_log',`
+ gen_require(`
+ type cupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, cupsd_log_t, cupsd_log_t)
+')
+
+########################################
+## <summary>
+## Write cups log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_write_log',`
+ gen_require(`
+ type cupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 cupsd_log_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to ptal over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_stream_connect_ptal',`
+ gen_require(`
+ type ptal_t, ptal_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cups environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the cups domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cups_admin',`
+ gen_require(`
+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
+ type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+ type cupsd_var_run_t, ptal_etc_t;
+ type ptal_var_run_t, hplip_var_run_t;
+ type cupsd_initrc_exec_t;
+ ')
+
+ allow $1 cupsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cupsd_t)
+
+ init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cupsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, cupsd_etc_t)
+ files_list_etc($1)
+
+ admin_pattern($1, cupsd_config_var_run_t)
+
+ admin_pattern($1, cupsd_log_t)
+ logging_list_logs($1)
+
+ admin_pattern($1, cupsd_lpd_tmp_t)
+
+ admin_pattern($1, cupsd_lpd_var_run_t)
+
+ admin_pattern($1, cupsd_spool_t)
+ files_list_spool($1)
+
+ admin_pattern($1, cupsd_tmp_t)
+ files_list_tmp($1)
+
+ admin_pattern($1, cupsd_var_run_t)
+ files_list_pids($1)
+
+ admin_pattern($1, hplip_var_run_t)
+
+ admin_pattern($1, ptal_etc_t)
+
+ admin_pattern($1, ptal_var_run_t)
+')
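Review bot: The XML header of `cups_backend` documents only the `domain` parameter, but the body uses `$2` as the entrypoint type in `domain_entry_file($1, $2)` and `domtrans_pattern(cupsd_t, $2, $1)`; a second `<param name="entrypoint">` block with a summary such as "The type associated with the backend executable" should be added so the generated interface documentation matches the signature. Two typos in the same headers: "transtion" in the `cups_backend` summary and "an cups environment" in the `cups_admin` summary.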
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
new file mode 100644
index 00000000..0f28095a
--- /dev/null
+++ b/policy/modules/contrib/cups.te
@@ -0,0 +1,781 @@
+policy_module(cups, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+type cupsd_config_t;
+type cupsd_config_exec_t;
+init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
+
+type cupsd_config_var_run_t;
+files_pid_file(cupsd_config_var_run_t)
+
+type cupsd_t;
+type cupsd_exec_t;
+init_daemon_domain(cupsd_t, cupsd_exec_t)
+
+type cupsd_etc_t;
+files_config_file(cupsd_etc_t)
+
+type cupsd_initrc_exec_t;
+init_script_file(cupsd_initrc_exec_t)
+
+type cupsd_interface_t;
+files_type(cupsd_interface_t)
+
+type cupsd_rw_etc_t;
+files_config_file(cupsd_rw_etc_t)
+
+type cupsd_lock_t;
+files_lock_file(cupsd_lock_t)
+
+type cupsd_log_t;
+logging_log_file(cupsd_log_t)
+
+type cupsd_lpd_t;
+type cupsd_lpd_exec_t;
+domain_type(cupsd_lpd_t)
+domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
+role system_r types cupsd_lpd_t;
+
+type cupsd_lpd_tmp_t;
+files_tmp_file(cupsd_lpd_tmp_t)
+
+type cupsd_lpd_var_run_t;
+files_pid_file(cupsd_lpd_var_run_t)
+
+type cups_pdf_t;
+type cups_pdf_exec_t;
+cups_backend(cups_pdf_t, cups_pdf_exec_t)
+
+type cups_pdf_tmp_t;
+files_tmp_file(cups_pdf_tmp_t)
+
+type cupsd_tmp_t;
+files_tmp_file(cupsd_tmp_t)
+
+type cupsd_var_run_t;
+files_pid_file(cupsd_var_run_t)
+mls_trusted_object(cupsd_var_run_t)
+
+type hplip_t;
+type hplip_exec_t;
+init_daemon_domain(hplip_t, hplip_exec_t)
+# For CUPS to run as a backend
+cups_backend(hplip_t, hplip_exec_t)
+
+type hplip_etc_t;
+files_config_file(hplip_etc_t)
+
+type hplip_tmp_t;
+files_tmp_file(hplip_tmp_t)
+
+type hplip_var_lib_t;
+files_type(hplip_var_lib_t)
+
+type hplip_var_run_t;
+files_pid_file(hplip_var_run_t)
+
+type ptal_t;
+type ptal_exec_t;
+init_daemon_domain(ptal_t, ptal_exec_t)
+
+type ptal_etc_t;
+files_config_file(ptal_etc_t)
+
+type ptal_var_run_t;
+files_pid_file(ptal_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# Cups local policy
+#
+
+# /usr/lib/cups/backend/serial needs sys_admin(?!)
+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
+dontaudit cupsd_t self:capability { sys_tty_config net_admin };
+allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
+allow cupsd_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow cupsd_t self:unix_dgram_socket create_socket_perms;
+allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:shm create_shm_perms;
+allow cupsd_t self:sem create_sem_perms;
+allow cupsd_t self:tcp_socket create_stream_socket_perms;
+allow cupsd_t self:udp_socket create_socket_perms;
+allow cupsd_t self:appletalk_socket create_socket_perms;
+# generic socket here until appletalk socket is available in kernels
+allow cupsd_t self:socket create_socket_perms;
+
+allow cupsd_t cupsd_etc_t:{ dir file } setattr;
+read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+files_search_etc(cupsd_t)
+
+manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+
+manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
+
+# allow cups to execute its backend scripts
+can_exec(cupsd_t, cupsd_exec_t)
+allow cupsd_t cupsd_exec_t:dir search_dir_perms;
+allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+
+allow cupsd_t cupsd_lock_t:file manage_file_perms;
+files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
+
+manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+allow cupsd_t cupsd_log_t:dir setattr;
+logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+
+manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+
+allow cupsd_t cupsd_var_run_t:dir setattr;
+manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
+
+allow cupsd_t hplip_t:process { signal sigkill };
+
+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+
+allow cupsd_t hplip_var_run_t:file read_file_perms;
+
+stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
+allow cupsd_t ptal_var_run_t : sock_file setattr;
+
+kernel_read_system_state(cupsd_t)
+kernel_read_network_state(cupsd_t)
+kernel_read_all_sysctls(cupsd_t)
+kernel_request_load_module(cupsd_t)
+
+corenet_all_recvfrom_unlabeled(cupsd_t)
+corenet_all_recvfrom_netlabel(cupsd_t)
+corenet_tcp_sendrecv_generic_if(cupsd_t)
+corenet_udp_sendrecv_generic_if(cupsd_t)
+corenet_raw_sendrecv_generic_if(cupsd_t)
+corenet_tcp_sendrecv_generic_node(cupsd_t)
+corenet_udp_sendrecv_generic_node(cupsd_t)
+corenet_raw_sendrecv_generic_node(cupsd_t)
+corenet_tcp_sendrecv_all_ports(cupsd_t)
+corenet_udp_sendrecv_all_ports(cupsd_t)
+corenet_tcp_bind_generic_node(cupsd_t)
+corenet_udp_bind_generic_node(cupsd_t)
+corenet_tcp_bind_ipp_port(cupsd_t)
+corenet_udp_bind_ipp_port(cupsd_t)
+corenet_udp_bind_howl_port(cupsd_t)
+corenet_tcp_bind_reserved_port(cupsd_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+corenet_tcp_bind_all_rpc_ports(cupsd_t)
+corenet_tcp_connect_all_ports(cupsd_t)
+corenet_sendrecv_hplip_client_packets(cupsd_t)
+corenet_sendrecv_ipp_client_packets(cupsd_t)
+corenet_sendrecv_ipp_server_packets(cupsd_t)
+
+dev_rw_printer(cupsd_t)
+dev_read_urand(cupsd_t)
+dev_read_sysfs(cupsd_t)
+dev_rw_input_dev(cupsd_t) #447878
+dev_rw_generic_usb_dev(cupsd_t)
+dev_rw_usbfs(cupsd_t)
+dev_getattr_printer_dev(cupsd_t)
+
+domain_read_all_domains_state(cupsd_t)
+
+fs_getattr_all_fs(cupsd_t)
+fs_search_auto_mountpoints(cupsd_t)
+fs_search_fusefs(cupsd_t)
+fs_read_anon_inodefs_files(cupsd_t)
+
+mls_file_downgrade(cupsd_t)
+mls_file_write_all_levels(cupsd_t)
+mls_file_read_all_levels(cupsd_t)
+mls_rangetrans_target(cupsd_t)
+mls_socket_write_all_levels(cupsd_t)
+mls_fd_use_all_levels(cupsd_t)
+
+term_use_unallocated_ttys(cupsd_t)
+term_search_ptys(cupsd_t)
+
+# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+corecmd_exec_shell(cupsd_t)
+corecmd_exec_bin(cupsd_t)
+
+domain_use_interactive_fds(cupsd_t)
+
+files_list_spool(cupsd_t)
+files_read_etc_files(cupsd_t)
+files_read_etc_runtime_files(cupsd_t)
+# read python modules
+files_read_usr_files(cupsd_t)
+# for /var/lib/defoma
+files_read_var_lib_files(cupsd_t)
+files_list_world_readable(cupsd_t)
+files_read_world_readable_files(cupsd_t)
+files_read_world_readable_symlinks(cupsd_t)
+# Satisfy readahead
+files_read_var_files(cupsd_t)
+files_read_var_symlinks(cupsd_t)
+# for /etc/printcap
+files_dontaudit_write_etc_files(cupsd_t)
+# smbspool seems to be iterating through all existing tmp files.
+# redhat bug #214953
+# cjp: this might be a broken behavior
+files_dontaudit_getattr_all_tmp_files(cupsd_t)
+
+selinux_compute_access_vector(cupsd_t)
+selinux_validate_context(cupsd_t)
+
+init_exec_script_files(cupsd_t)
+init_read_utmp(cupsd_t)
+
+auth_domtrans_chk_passwd(cupsd_t)
+auth_dontaudit_read_pam_pid(cupsd_t)
+auth_rw_faillog(cupsd_t)
+auth_use_nsswitch(cupsd_t)
+
+# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
+libs_read_lib_files(cupsd_t)
+libs_exec_lib_files(cupsd_t)
+
+logging_send_audit_msgs(cupsd_t)
+logging_send_syslog_msg(cupsd_t)
+
+miscfiles_read_localization(cupsd_t)
+# invoking ghostscript needs to read fonts
+miscfiles_read_fonts(cupsd_t)
+miscfiles_setattr_fonts_cache_dirs(cupsd_t)
+
+seutil_read_config(cupsd_t)
+sysnet_exec_ifconfig(cupsd_t)
+
+files_dontaudit_list_home(cupsd_t)
+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_content(cupsd_t)
+
+# Write to /var/spool/cups.
+lpd_manage_spool(cupsd_t)
+lpd_read_config(cupsd_t)
+lpd_exec_lpr(cupsd_t)
+lpd_relabel_spool(cupsd_t)
+
+optional_policy(`
+ apm_domtrans_client(cupsd_t)
+')
+
+optional_policy(`
+ cron_system_entry(cupsd_t, cupsd_exec_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(cupsd_t)
+
+ userdom_dbus_send_all_users(cupsd_t)
+
+ optional_policy(`
+ avahi_dbus_chat(cupsd_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(cupsd_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_chat(cupsd_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(cupsd_t)
+')
+
+optional_policy(`
+ inetd_core_service_domain(cupsd_t, cupsd_exec_t)
+')
+
+optional_policy(`
+ logrotate_domtrans(cupsd_t)
+')
+
+optional_policy(`
+ mta_send_mail(cupsd_t)
+')
+
+optional_policy(`
+ # cups execs smbtool which reads samba_etc_t files
+ samba_read_config(cupsd_t)
+ samba_rw_var_files(cupsd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cupsd_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(cupsd_t)
+')
+
+optional_policy(`
+ udev_read_db(cupsd_t)
+')
+
+########################################
+#
+# Cups configuration daemon local policy
+#
+
+allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
+dontaudit cupsd_config_t self:capability sys_tty_config;
+allow cupsd_config_t self:process { getsched signal_perms };
+allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
+
+allow cupsd_config_t cupsd_t:process signal;
+ps_process_pattern(cupsd_config_t, cupsd_t)
+
+manage_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
+manage_lnk_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
+filetrans_pattern(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+
+manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file)
+
+can_exec(cupsd_config_t, cupsd_config_exec_t)
+
+allow cupsd_config_t cupsd_log_t:file rw_file_perms;
+
+manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+
+allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
+
+manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
+files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
+
+domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+
+read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+
+kernel_read_system_state(cupsd_config_t)
+kernel_read_all_sysctls(cupsd_config_t)
+
+corenet_all_recvfrom_unlabeled(cupsd_config_t)
+corenet_all_recvfrom_netlabel(cupsd_config_t)
+corenet_tcp_sendrecv_generic_if(cupsd_config_t)
+corenet_tcp_sendrecv_generic_node(cupsd_config_t)
+corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+corenet_tcp_connect_all_ports(cupsd_config_t)
+corenet_sendrecv_all_client_packets(cupsd_config_t)
+
+dev_read_sysfs(cupsd_config_t)
+dev_read_urand(cupsd_config_t)
+dev_read_rand(cupsd_config_t)
+dev_rw_generic_usb_dev(cupsd_config_t)
+
+files_search_all_mountpoints(cupsd_config_t)
+
+fs_getattr_all_fs(cupsd_config_t)
+fs_search_auto_mountpoints(cupsd_config_t)
+
+corecmd_exec_bin(cupsd_config_t)
+corecmd_exec_shell(cupsd_config_t)
+
+domain_use_interactive_fds(cupsd_config_t)
+# killall causes the following
+domain_dontaudit_search_all_domains_state(cupsd_config_t)
+
+files_read_usr_files(cupsd_config_t)
+files_read_etc_files(cupsd_config_t)
+files_read_etc_runtime_files(cupsd_config_t)
+files_read_var_symlinks(cupsd_config_t)
+
+# Alternatives asks for this
+init_getattr_all_script_files(cupsd_config_t)
+
+auth_use_nsswitch(cupsd_config_t)
+
+logging_send_syslog_msg(cupsd_config_t)
+
+miscfiles_read_localization(cupsd_config_t)
+miscfiles_read_hwdata(cupsd_config_t)
+
+seutil_dontaudit_search_config(cupsd_config_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
+userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
+
+cups_stream_connect(cupsd_config_t)
+
+lpd_read_config(cupsd_config_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ rpm_read_db(cupsd_config_t)
+ ')
+')
+
+optional_policy(`
+ term_use_generic_ptys(cupsd_config_t)
+')
+
+optional_policy(`
+ cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
+')
+
+optional_policy(`
+ dbus_system_domain(cupsd_config_t, cupsd_config_exec_t)
+
+ optional_policy(`
+ hal_dbus_chat(cupsd_config_t)
+ ')
+')
+
+optional_policy(`
+ hal_domtrans(cupsd_config_t)
+ hal_read_tmp_files(cupsd_config_t)
+ hal_dontaudit_use_fds(hplip_t)
+')
+
+optional_policy(`
+ hostname_exec(cupsd_config_t)
+')
+
+optional_policy(`
+ logrotate_use_fds(cupsd_config_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(cupsd_config_t)
+ userdom_read_all_users_state(cupsd_config_t)
+')
+
+optional_policy(`
+ rpm_read_db(cupsd_config_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cupsd_config_t)
+')
+
+optional_policy(`
+ udev_read_db(cupsd_config_t)
+')
+
+optional_policy(`
+ unconfined_stream_connect(cupsd_config_t)
+')
+
+########################################
+#
+# Cups lpd support
+#
+
+allow cupsd_lpd_t self:process signal_perms;
+allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
+allow cupsd_lpd_t self:udp_socket create_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child rules?
+allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow cupsd_lpd_t self:capability { setuid setgid };
+files_search_home(cupsd_lpd_t)
+optional_policy(`
+ kerberos_use(cupsd_lpd_t)
+')
+#end for identd
+
+allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
+read_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t)
+read_lnk_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t)
+
+allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
+read_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+read_lnk_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+
+manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
+manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
+files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
+
+manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t)
+files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file)
+
+kernel_read_kernel_sysctls(cupsd_lpd_t)
+kernel_read_system_state(cupsd_lpd_t)
+kernel_read_network_state(cupsd_lpd_t)
+
+corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
+corenet_all_recvfrom_netlabel(cupsd_lpd_t)
+corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
+corenet_udp_sendrecv_generic_if(cupsd_lpd_t)
+corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
+corenet_udp_sendrecv_generic_node(cupsd_lpd_t)
+corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
+corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+corenet_tcp_bind_generic_node(cupsd_lpd_t)
+corenet_udp_bind_generic_node(cupsd_lpd_t)
+corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+
+dev_read_urand(cupsd_lpd_t)
+dev_read_rand(cupsd_lpd_t)
+
+fs_getattr_xattr_fs(cupsd_lpd_t)
+
+files_read_etc_files(cupsd_lpd_t)
+
+auth_use_nsswitch(cupsd_lpd_t)
+
+logging_send_syslog_msg(cupsd_lpd_t)
+
+miscfiles_read_localization(cupsd_lpd_t)
+miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
+
+cups_stream_connect(cupsd_lpd_t)
+
+optional_policy(`
+ inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
+')
+
+########################################
+#
+# cups_pdf local policy
+#
+
+allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
+allow cups_pdf_t self:fifo_file rw_file_perms;
+allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
+
+manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
+
+fs_rw_anon_inodefs_files(cups_pdf_t)
+
+kernel_read_system_state(cups_pdf_t)
+
+files_read_etc_files(cups_pdf_t)
+files_read_usr_files(cups_pdf_t)
+
+corecmd_exec_shell(cups_pdf_t)
+corecmd_exec_bin(cups_pdf_t)
+
+auth_use_nsswitch(cups_pdf_t)
+
+miscfiles_read_localization(cups_pdf_t)
+miscfiles_read_fonts(cups_pdf_t)
+
+userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_manage_user_home_content_dirs(cups_pdf_t)
+userdom_manage_user_home_content_files(cups_pdf_t)
+
+lpd_manage_spool(cups_pdf_t)
+
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_auto_mountpoints(cups_pdf_t)
+ fs_manage_nfs_dirs(cups_pdf_t)
+ fs_manage_nfs_files(cups_pdf_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(cups_pdf_t)
+ fs_manage_cifs_files(cups_pdf_t)
+')
+
+########################################
+#
+# HPLIP local policy
+#
+
+# Needed for USB Scanneer and xsane
+allow hplip_t self:capability { dac_override dac_read_search net_raw };
+dontaudit hplip_t self:capability sys_tty_config;
+allow hplip_t self:fifo_file rw_fifo_file_perms;
+allow hplip_t self:process signal_perms;
+allow hplip_t self:unix_dgram_socket create_socket_perms;
+allow hplip_t self:unix_stream_socket create_socket_perms;
+allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
+allow hplip_t self:tcp_socket create_stream_socket_perms;
+allow hplip_t self:udp_socket create_socket_perms;
+allow hplip_t self:rawip_socket create_socket_perms;
+
+allow hplip_t cupsd_etc_t:dir search_dir_perms;
+manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
+
+cups_stream_connect(hplip_t)
+
+allow hplip_t hplip_etc_t:dir list_dir_perms;
+read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+files_search_etc(hplip_t)
+
+manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+
+manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
+
+manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
+files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+
+kernel_read_system_state(hplip_t)
+kernel_read_kernel_sysctls(hplip_t)
+
+corenet_all_recvfrom_unlabeled(hplip_t)
+corenet_all_recvfrom_netlabel(hplip_t)
+corenet_tcp_sendrecv_generic_if(hplip_t)
+corenet_udp_sendrecv_generic_if(hplip_t)
+corenet_raw_sendrecv_generic_if(hplip_t)
+corenet_tcp_sendrecv_generic_node(hplip_t)
+corenet_udp_sendrecv_generic_node(hplip_t)
+corenet_raw_sendrecv_generic_node(hplip_t)
+corenet_tcp_sendrecv_all_ports(hplip_t)
+corenet_udp_sendrecv_all_ports(hplip_t)
+corenet_tcp_bind_generic_node(hplip_t)
+corenet_udp_bind_generic_node(hplip_t)
+corenet_tcp_bind_hplip_port(hplip_t)
+corenet_tcp_connect_hplip_port(hplip_t)
+corenet_tcp_connect_ipp_port(hplip_t)
+corenet_sendrecv_hplip_client_packets(hplip_t)
+corenet_receive_hplip_server_packets(hplip_t)
+corenet_udp_bind_howl_port(hplip_t)
+
+dev_read_sysfs(hplip_t)
+dev_rw_printer(hplip_t)
+dev_read_urand(hplip_t)
+dev_read_rand(hplip_t)
+dev_rw_generic_usb_dev(hplip_t)
+dev_rw_usbfs(hplip_t)
+
+fs_getattr_all_fs(hplip_t)
+fs_search_auto_mountpoints(hplip_t)
+fs_rw_anon_inodefs_files(hplip_t)
+
+# for python
+corecmd_exec_bin(hplip_t)
+
+domain_use_interactive_fds(hplip_t)
+
+files_read_etc_files(hplip_t)
+files_read_etc_runtime_files(hplip_t)
+files_read_usr_files(hplip_t)
+
+logging_send_syslog_msg(hplip_t)
+
+miscfiles_read_localization(hplip_t)
+
+sysnet_read_config(hplip_t)
+
+userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+userdom_dontaudit_search_user_home_dirs(hplip_t)
+userdom_dontaudit_search_user_home_content(hplip_t)
+
+lpd_read_config(hplip_t)
+lpd_manage_spool(hplip_t)
+
+optional_policy(`
+ dbus_system_bus_client(hplip_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(hplip_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(hplip_t)
+')
+
+optional_policy(`
+ udev_read_db(hplip_t)
+')
+
+########################################
+#
+# PTAL local policy
+#
+
+allow ptal_t self:capability { chown sys_rawio };
+dontaudit ptal_t self:capability sys_tty_config;
+allow ptal_t self:fifo_file rw_fifo_file_perms;
+allow ptal_t self:unix_dgram_socket create_socket_perms;
+allow ptal_t self:unix_stream_socket create_stream_socket_perms;
+allow ptal_t self:tcp_socket create_stream_socket_perms;
+
+allow ptal_t ptal_etc_t:dir list_dir_perms;
+read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
+read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
+files_search_etc(ptal_t)
+
+manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+manage_lnk_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+manage_fifo_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+manage_sock_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+files_pid_filetrans(ptal_t, ptal_var_run_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(ptal_t)
+kernel_list_proc(ptal_t)
+kernel_read_proc_symlinks(ptal_t)
+
+corenet_all_recvfrom_unlabeled(ptal_t)
+corenet_all_recvfrom_netlabel(ptal_t)
+corenet_tcp_sendrecv_generic_if(ptal_t)
+corenet_tcp_sendrecv_generic_node(ptal_t)
+corenet_tcp_sendrecv_all_ports(ptal_t)
+corenet_tcp_bind_generic_node(ptal_t)
+corenet_tcp_bind_ptal_port(ptal_t)
+
+dev_read_sysfs(ptal_t)
+dev_read_usbfs(ptal_t)
+dev_rw_printer(ptal_t)
+
+fs_getattr_all_fs(ptal_t)
+fs_search_auto_mountpoints(ptal_t)
+
+domain_use_interactive_fds(ptal_t)
+
+files_read_etc_files(ptal_t)
+files_read_etc_runtime_files(ptal_t)
+
+logging_send_syslog_msg(ptal_t)
+
+miscfiles_read_localization(ptal_t)
+
+sysnet_read_config(ptal_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ptal_t)
+userdom_dontaudit_search_user_home_content(ptal_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(ptal_t)
+')
+
+optional_policy(`
+ udev_read_db(ptal_t)
+')
diff --git a/policy/modules/contrib/cvs.fc b/policy/modules/contrib/cvs.fc
new file mode 100644
index 00000000..48a30de1
--- /dev/null
+++ b/policy/modules/contrib/cvs.fc
@@ -0,0 +1,10 @@
+
+/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
+
+/usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0)
+
+/var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
+
+#CVSWeb file context
+/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if
new file mode 100644
index 00000000..c43ff4c1
--- /dev/null
+++ b/policy/modules/contrib/cvs.if
@@ -0,0 +1,82 @@
+## <summary>Concurrent versions system</summary>
+
+########################################
+## <summary>
+## Read the CVS data and metadata.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cvs_read_data',`
+ gen_require(`
+ type cvs_data_t;
+ ')
+
+ list_dirs_pattern($1, cvs_data_t, cvs_data_t)
+ read_files_pattern($1, cvs_data_t, cvs_data_t)
+ read_lnk_files_pattern($1, cvs_data_t, cvs_data_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute cvs
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cvs_exec',`
+ gen_require(`
+ type cvs_exec_t;
+ ')
+
+ can_exec($1, cvs_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cvs environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the cvs domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cvs_admin',`
+ gen_require(`
+ type cvs_t, cvs_tmp_t;
+ type cvs_data_t, cvs_var_run_t;
+ type cvs_initrc_exec_t;
+ ')
+
+ allow $1 cvs_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cvs_t)
+
+ # Allow cvs_t to restart the apache service
+ init_labeled_script_domtrans($1, cvs_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cvs_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, cvs_tmp_t)
+
+ admin_pattern($1, cvs_data_t)
+
+ files_list_pids($1)
+ admin_pattern($1, cvs_var_run_t)
+')
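Review bot: The comment `# Allow cvs_t to restart the apache service` inside `cvs_admin` is a copy-paste leftover — the rule under it is `init_labeled_script_domtrans($1, cvs_initrc_exec_t)`, which lets the admin domain `$1` run the cvs init script, not cvs_t touching apache. Replace it with `# Allow the admin domain to run the cvs init script`. It is also worth a one-line note above `allow $1 cvs_t:process { ptrace signal_perms };` that ptrace gives `$1` read/write access to cvs_t process memory, so this interface should only be handed to a trusted admin role, e.g. `# ptrace exposes cvs_t memory; grant only to a trusted admin role`.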
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
new file mode 100644
index 00000000..88e7e97f
--- /dev/null
+++ b/policy/modules/contrib/cvs.te
@@ -0,0 +1,115 @@
+policy_module(cvs, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow cvs daemon to read shadow
+## </p>
+## </desc>
+gen_tunable(allow_cvs_read_shadow, false)
+
+type cvs_t;
+type cvs_exec_t;
+inetd_tcp_service_domain(cvs_t, cvs_exec_t)
+application_executable_file(cvs_exec_t)
+role system_r types cvs_t;
+
+type cvs_data_t; # customizable
+files_type(cvs_data_t)
+
+type cvs_initrc_exec_t;
+init_script_file(cvs_initrc_exec_t)
+
+type cvs_tmp_t;
+files_tmp_file(cvs_tmp_t)
+
+type cvs_var_run_t;
+files_pid_file(cvs_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cvs_t self:process signal_perms;
+allow cvs_t self:fifo_file rw_fifo_file_perms;
+allow cvs_t self:tcp_socket connected_stream_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow cvs_t self:capability { setuid setgid };
+
+manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+
+manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
+
+manage_files_pattern(cvs_t, cvs_var_run_t, cvs_var_run_t)
+files_pid_filetrans(cvs_t, cvs_var_run_t, file)
+
+kernel_read_kernel_sysctls(cvs_t)
+kernel_read_system_state(cvs_t)
+kernel_read_network_state(cvs_t)
+
+corenet_all_recvfrom_unlabeled(cvs_t)
+corenet_all_recvfrom_netlabel(cvs_t)
+corenet_tcp_sendrecv_generic_if(cvs_t)
+corenet_udp_sendrecv_generic_if(cvs_t)
+corenet_tcp_sendrecv_generic_node(cvs_t)
+corenet_udp_sendrecv_generic_node(cvs_t)
+corenet_tcp_sendrecv_all_ports(cvs_t)
+corenet_udp_sendrecv_all_ports(cvs_t)
+
+dev_read_urand(cvs_t)
+
+fs_getattr_xattr_fs(cvs_t)
+
+auth_domtrans_chk_passwd(cvs_t)
+auth_use_nsswitch(cvs_t)
+
+corecmd_exec_bin(cvs_t)
+corecmd_exec_shell(cvs_t)
+
+files_read_etc_files(cvs_t)
+files_read_etc_runtime_files(cvs_t)
+# for identd; cjp: this should probably only be inetd_child rules?
+files_search_home(cvs_t)
+
+logging_send_syslog_msg(cvs_t)
+logging_send_audit_msgs(cvs_t)
+
+miscfiles_read_localization(cvs_t)
+
+mta_send_mail(cvs_t)
+
+# cjp: typeattribute doesnt work in conditionals yet
+auth_can_read_shadow_passwords(cvs_t)
+tunable_policy(`allow_cvs_read_shadow',`
+ allow cvs_t self:capability dac_override;
+ auth_tunable_read_shadow(cvs_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(cvs, cvs_t)
+ kerberos_read_config(cvs_t)
+ kerberos_dontaudit_write_config(cvs_t)
+')
+
+########################################
+#
+# CVSWeb policy
+#
+
+optional_policy(`
+ apache_content_template(cvs)
+
+ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+ manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+')
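Review bot: The `<desc>` for `allow_cvs_read_shadow` ("Allow cvs daemon to read shadow") understates what the boolean turns on: the `tunable_policy` block grants cvs_t `dac_override` plus shadow read, and cvs_t is declared with `inetd_tcp_service_domain`, i.e. a network-reachable pserver, so enabling it exposes the system password hashes to a remote-facing daemon. Suggest expanding the description to something like `Allow the cvs pserver daemon to read /etc/shadow (and use dac_override) so it can authenticate against system accounts. Leave disabled unless pserver uses system passwords.` The unconditional `auth_can_read_shadow_passwords(cvs_t)` above the tunable also deserves a word in that description: as the `cjp:` comment explains it cannot live inside the conditional, so cvs_t carries the attribute even when the boolean is off. Separately, `httpd_cvs_script_t` is given manage rights on `cvs_tmp_t`, the same tmp type cvs_t manages itself; presumably intentional for cvsweb, but a comment stating that the CGI and the pserver deliberately share a tmp type would save the next reader from treating it as a cross-domain write path.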
diff --git a/policy/modules/contrib/cyphesis.fc b/policy/modules/contrib/cyphesis.fc
new file mode 100644
index 00000000..c47a7722
--- /dev/null
+++ b/policy/modules/contrib/cyphesis.fc
@@ -0,0 +1,5 @@
+/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0)
+
+/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0)
+
+/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0)
diff --git a/policy/modules/contrib/cyphesis.if b/policy/modules/contrib/cyphesis.if
new file mode 100644
index 00000000..9d445386
--- /dev/null
+++ b/policy/modules/contrib/cyphesis.if
@@ -0,0 +1,19 @@
+## <summary>Cyphesis WorldForge game server</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run cyphesis.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cyphesis_domtrans',`
+ gen_require(`
+ type cyphesis_t, cyphesis_exec_t;
+ ')
+
+ domtrans_pattern($1, cyphesis_exec_t, cyphesis_t)
+')
diff --git a/policy/modules/contrib/cyphesis.te b/policy/modules/contrib/cyphesis.te
new file mode 100644
index 00000000..25897c94
--- /dev/null
+++ b/policy/modules/contrib/cyphesis.te
@@ -0,0 +1,85 @@
+policy_module(cyphesis, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type cyphesis_t;
+type cyphesis_exec_t;
+init_daemon_domain(cyphesis_t, cyphesis_exec_t)
+
+type cyphesis_log_t;
+logging_log_file(cyphesis_log_t)
+
+type cyphesis_tmp_t;
+files_tmp_file(cyphesis_tmp_t)
+
+type cyphesis_var_run_t;
+files_pid_file(cyphesis_var_run_t)
+
+########################################
+#
+# cyphesis local policy
+#
+
+allow cyphesis_t self:process { setfscreate setsched signal };
+allow cyphesis_t self:fifo_file rw_fifo_file_perms;
+allow cyphesis_t self:tcp_socket create_stream_socket_perms;
+allow cyphesis_t self:unix_stream_socket create_stream_socket_perms;
+allow cyphesis_t self:unix_dgram_socket create_socket_perms;
+
+manage_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t)
+logging_log_filetrans(cyphesis_t, cyphesis_log_t, file)
+
+# DAN > Does cyphesis really create a sock_file in /tmp? Why?
+allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;
+files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file)
+
+manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
+manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
+manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
+files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(cyphesis_t)
+kernel_read_kernel_sysctls(cyphesis_t)
+
+# DAN> What is cyphesis looking for in /bin?
+corecmd_search_bin(cyphesis_t)
+corecmd_getattr_bin_files(cyphesis_t)
+
+corenet_all_recvfrom_unlabeled(cyphesis_t)
+corenet_tcp_sendrecv_generic_if(cyphesis_t)
+corenet_tcp_sendrecv_generic_node(cyphesis_t)
+corenet_tcp_sendrecv_all_ports(cyphesis_t)
+corenet_tcp_bind_generic_node(cyphesis_t)
+corenet_tcp_bind_cyphesis_port(cyphesis_t)
+corenet_sendrecv_cyphesis_server_packets(cyphesis_t)
+
+dev_read_urand(cyphesis_t)
+
+# Init script handling
+domain_use_interactive_fds(cyphesis_t)
+
+files_read_etc_files(cyphesis_t)
+files_read_usr_files(cyphesis_t)
+
+logging_send_syslog_msg(cyphesis_t)
+
+miscfiles_read_localization(cyphesis_t)
+
+sysnet_dns_name_resolve(cyphesis_t)
+
+# cyphesis wants to talk to avahi via dbus
+optional_policy(`
+ avahi_dbus_chat(cyphesis_t)
+ dbus_system_bus_client(cyphesis_t)
+')
+
+optional_policy(`
+ kerberos_use(cyphesis_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(cyphesis_t)
+')
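Review bot: The tmp rules are inconsistent: `allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;` grants only sock_file access on `cyphesis_tmp_t`, but `files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file)` transitions only the `file` class, so a socket created in /tmp keeps the directory's type (where nothing here allows it) while a regular file would transition to a type cyphesis_t has no file permissions on. If the open `DAN >` question is answered "yes", the transition should be `files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, sock_file)`; if "no", both lines and the `cyphesis_tmp_t` declaration should be dropped. `setfscreate` in `allow cyphesis_t self:process { setfscreate setsched signal };` also merits a comment, since it lets the daemon pick the label of objects it creates, which is unusual for a game server — e.g. `# setfscreate: TODO confirm cyphesis really calls setfscreatecon`.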
diff --git a/policy/modules/contrib/cyrus.fc b/policy/modules/contrib/cyrus.fc
new file mode 100644
index 00000000..25546bca
--- /dev/null
+++ b/policy/modules/contrib/cyrus.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)
+
+/usr/lib(64)?/cyrus/master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
+/usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
+
+/var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0)
+/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0)
diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if
new file mode 100644
index 00000000..e4e86d0a
--- /dev/null
+++ b/policy/modules/contrib/cyrus.if
@@ -0,0 +1,81 @@
+## <summary>Cyrus is an IMAP service intended to be run on sealed servers</summary>
+
+########################################
+## <summary>
+## Allow caller to create, read, write,
+## and delete cyrus data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cyrus_manage_data',`
+ gen_require(`
+ type cyrus_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
+')
+
+########################################
+## <summary>
+## Connect to Cyrus using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cyrus_stream_connect',`
+ gen_require(`
+ type cyrus_t, cyrus_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cyrus environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the cyrus domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cyrus_admin',`
+ gen_require(`
+ type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
+ type cyrus_var_run_t, cyrus_initrc_exec_t;
+ ')
+
+ allow $1 cyrus_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cyrus_t)
+
+ init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cyrus_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, cyrus_tmp_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, cyrus_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, cyrus_var_run_t)
+')
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
new file mode 100644
index 00000000..2ced0233
--- /dev/null
+++ b/policy/modules/contrib/cyrus.te
@@ -0,0 +1,145 @@
+policy_module(cyrus, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type cyrus_t;
+type cyrus_exec_t;
+init_daemon_domain(cyrus_t, cyrus_exec_t)
+
+type cyrus_initrc_exec_t;
+init_script_file(cyrus_initrc_exec_t)
+
+type cyrus_tmp_t;
+files_tmp_file(cyrus_tmp_t)
+
+type cyrus_var_lib_t;
+files_type(cyrus_var_lib_t)
+
+type cyrus_var_run_t;
+files_pid_file(cyrus_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+dontaudit cyrus_t self:capability sys_tty_config;
+allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow cyrus_t self:process setrlimit;
+allow cyrus_t self:fd use;
+allow cyrus_t self:fifo_file rw_fifo_file_perms;
+allow cyrus_t self:sock_file read_sock_file_perms;
+allow cyrus_t self:shm create_shm_perms;
+allow cyrus_t self:sem create_sem_perms;
+allow cyrus_t self:msgq create_msgq_perms;
+allow cyrus_t self:msg { send receive };
+allow cyrus_t self:unix_dgram_socket create_socket_perms;
+allow cyrus_t self:unix_stream_socket create_stream_socket_perms;
+allow cyrus_t self:unix_dgram_socket sendto;
+allow cyrus_t self:unix_stream_socket connectto;
+allow cyrus_t self:tcp_socket create_stream_socket_perms;
+allow cyrus_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir })
+
+manage_dirs_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
+manage_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
+manage_lnk_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
+manage_sock_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
+files_pid_filetrans(cyrus_t, cyrus_var_run_t, file)
+
+manage_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t)
+manage_sock_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t)
+files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(cyrus_t)
+kernel_read_system_state(cyrus_t)
+kernel_read_all_sysctls(cyrus_t)
+
+corenet_all_recvfrom_unlabeled(cyrus_t)
+corenet_all_recvfrom_netlabel(cyrus_t)
+corenet_tcp_sendrecv_generic_if(cyrus_t)
+corenet_udp_sendrecv_generic_if(cyrus_t)
+corenet_tcp_sendrecv_generic_node(cyrus_t)
+corenet_udp_sendrecv_generic_node(cyrus_t)
+corenet_tcp_sendrecv_all_ports(cyrus_t)
+corenet_udp_sendrecv_all_ports(cyrus_t)
+corenet_tcp_bind_generic_node(cyrus_t)
+corenet_tcp_bind_mail_port(cyrus_t)
+corenet_tcp_bind_lmtp_port(cyrus_t)
+corenet_tcp_bind_pop_port(cyrus_t)
+corenet_tcp_bind_sieve_port(cyrus_t)
+corenet_tcp_connect_all_ports(cyrus_t)
+corenet_sendrecv_mail_server_packets(cyrus_t)
+corenet_sendrecv_pop_server_packets(cyrus_t)
+corenet_sendrecv_lmtp_server_packets(cyrus_t)
+corenet_sendrecv_all_client_packets(cyrus_t)
+
+dev_read_rand(cyrus_t)
+dev_read_urand(cyrus_t)
+dev_read_sysfs(cyrus_t)
+
+fs_getattr_all_fs(cyrus_t)
+fs_search_auto_mountpoints(cyrus_t)
+
+corecmd_exec_bin(cyrus_t)
+
+domain_use_interactive_fds(cyrus_t)
+
+files_list_var_lib(cyrus_t)
+files_read_etc_files(cyrus_t)
+files_read_etc_runtime_files(cyrus_t)
+files_read_usr_files(cyrus_t)
+
+auth_use_nsswitch(cyrus_t)
+
+libs_exec_lib_files(cyrus_t)
+
+logging_send_syslog_msg(cyrus_t)
+
+miscfiles_read_localization(cyrus_t)
+miscfiles_read_generic_certs(cyrus_t)
+
+sysnet_read_config(cyrus_t)
+
+userdom_use_unpriv_users_fds(cyrus_t)
+userdom_dontaudit_search_user_home_dirs(cyrus_t)
+
+mta_manage_spool(cyrus_t)
+mta_send_mail(cyrus_t)
+
+optional_policy(`
+ cron_system_entry(cyrus_t, cyrus_exec_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(cyrus, cyrus_t)
+')
+
+optional_policy(`
+ ldap_stream_connect(cyrus_t)
+')
+
+optional_policy(`
+ sasl_connect(cyrus_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cyrus_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(cyrus_t)
+ snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ snmp_stream_connect(cyrus_t)
+')
+
+optional_policy(`
+ udev_read_db(cyrus_t)
+')
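Review bot: `allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` excludes `setrlimit`, and the next line `allow cyrus_t self:process setrlimit;` grants it straight back, so the exclusion is dead and the intent is unclear — either remove `setrlimit` from the excluded set or delete the second line. The complement form also grants every process permission not named, including any added in later policy versions; for a network-facing IMAP/POP daemon an explicit positive list of the permissions cyrus actually uses is the least-privilege form, with a comment on why each is needed. `files_pid_filetrans(cyrus_t, cyrus_var_run_t, file)` at the end of the `cyrus_var_lib_t` block is a stray duplicate of the `{ file sock_file }` transition just below it and should go. `corenet_tcp_connect_all_ports(cyrus_t)` is very broad for a mail server; if it only needs LDAP/LMTP/SASL it should be narrowed, but that has to be confirmed against the deployment.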
diff --git a/policy/modules/contrib/daemontools.fc b/policy/modules/contrib/daemontools.fc
new file mode 100644
index 00000000..26df050b
--- /dev/null
+++ b/policy/modules/contrib/daemontools.fc
@@ -0,0 +1,53 @@
+#
+# /service
+#
+
+/service -d gen_context(system_u:object_r:svc_svc_t,s0)
+/service/.* gen_context(system_u:object_r:svc_svc_t,s0)
+
+#
+# /usr
+#
+
+/usr/bin/envdir -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/envuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/fghack -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/multilog -- gen_context(system_u:object_r:svc_multilog_exec_t,s0)
+/usr/bin/pgrphack -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/setlock -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/setuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/softlimit -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/svc -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svok -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svscan -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svscanboot -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/supervise -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+
+#
+# /var
+#
+
+/var/axfrdns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/axfrdns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/axfrdns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/axfrdns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
+
+/var/dnscache(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/dnscache/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
+/var/dnscache/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/dnscache/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/qmail/supervise(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/qmail/supervise/.*/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/qmail/supervise/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/service/.* gen_context(system_u:object_r:svc_svc_t,s0)
+/var/service/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
+/var/service/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0)
+/var/service/.*/log/run gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/service/.*/run.* gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/tinydns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/tinydns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/tinydns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/tinydns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
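Review bot: `/var/service/.*/run.* gen_context(system_u:object_r:svc_run_exec_t,s0)` has neither the `--` file-type qualifier nor an anchored name, unlike the `/var/axfrdns/run --` style used above it, so any object whose name starts with `run` under a service directory — directories and symlinks included — receives the executable entrypoint label. `/var/service/.*/log/run` likewise lacks `--`. Unless `run.*` is meant to cover helper scripts such as `run.sh`, tighten both to `/var/service/.*/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)` and `/var/service/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)`; if the wider match is intentional, a comment explaining why would help.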
diff --git a/policy/modules/contrib/daemontools.if b/policy/modules/contrib/daemontools.if
new file mode 100644
index 00000000..ce3e6761
--- /dev/null
+++ b/policy/modules/contrib/daemontools.if
@@ -0,0 +1,212 @@
+## <summary>Collection of tools for managing UNIX services</summary>
+## <desc>
+## <p>
+## Policy for DJB's daemontools
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## An ipc channel between the supervised domain and svc_start_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`daemontools_ipc_domain',`
+ gen_require(`
+ type svc_start_t;
+ ')
+
+ allow $1 svc_start_t:process sigchld;
+ allow $1 svc_start_t:fd use;
+ allow $1 svc_start_t:fifo_file { read write getattr };
+ allow svc_start_t $1:process signal;
+')
+
+########################################
+## <summary>
+## Define a specified domain as a supervised service.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`daemontools_service_domain',`
+ gen_require(`
+ type svc_run_t;
+ ')
+
+ domain_auto_trans(svc_run_t, $2, $1)
+ daemontools_ipc_domain($1)
+
+ allow svc_run_t $1:process signal;
+ allow $1 svc_run_t:fd use;
+')
+
+########################################
+## <summary>
+## Execute in the svc_start_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`daemontools_domtrans_start',`
+ gen_require(`
+ type svc_start_t, svc_start_exec_t;
+ ')
+
+ domtrans_pattern($1, svc_start_exec_t, svc_start_t)
+')
+
+######################################
+## <summary>
+## Execute svc_start in the svc_start domain, and
+## allow the specified role the svc_start domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the svc_start domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`daemonstools_run_start',`
+ gen_require(`
+ type svc_start_t;
+ ')
+
+ daemontools_domtrans_start($1)
+ role $2 types svc_start_t;
+')
+
+########################################
+## <summary>
+## Execute in the svc_run_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`daemontools_domtrans_run',`
+ gen_require(`
+ type svc_run_t, svc_run_exec_t;
+ ')
+
+ domtrans_pattern($1, svc_run_exec_t, svc_run_t)
+')
+
+######################################
+## <summary>
+## Send a SIGCHLD signal to svc_run domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`daemontools_sigchld_run',`
+ gen_require(`
+ type svc_run_t;
+ ')
+
+ allow $1 svc_run_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute in the svc_multilog_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`daemontools_domtrans_multilog',`
+ gen_require(`
+ type svc_multilog_t, svc_multilog_exec_t;
+ ')
+
+ domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t)
+')
+
+######################################
+## <summary>
+## Search svc_svc_t directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`daemontools_search_svc_dir',`
+ gen_require(`
+ type svc_svc_t;
+ ')
+
+ allow $1 svc_svc_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow a domain to read svc_svc_t files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`daemontools_read_svc',`
+ gen_require(`
+ type svc_svc_t;
+ ')
+
+ allow $1 svc_svc_t:dir list_dir_perms;
+ allow $1 svc_svc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow a domain to create svc_svc_t files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`daemontools_manage_svc',`
+ gen_require(`
+ type svc_svc_t;
+ ')
+
+ allow $1 svc_svc_t:dir manage_dir_perms;
+ allow $1 svc_svc_t:fifo_file manage_fifo_file_perms;
+ allow $1 svc_svc_t:file manage_file_perms;
+ allow $1 svc_svc_t:lnk_file { read create };
+')
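Review bot: The interface named `daemonstools_run_start` is misspelled (`daemonstools`), so a caller writing the conventional `daemontools_run_start($1, $2)` will fail at build time with an undefined interface; rename it to `daemontools_run_start`. `daemontools_service_domain` also uses the legacy `domain_auto_trans(svc_run_t, $2, $1)` while every other transition in this file uses `domtrans_pattern`; `domtrans_pattern(svc_run_t, $2, $1)` would be consistent and supplies the usual fd/fifo/sigchld rules that the two extra `allow` lines partly reconstruct by hand. In `daemontools_manage_svc`, `allow $1 svc_svc_t:lnk_file { read create };` grants create without `unlink`/`setattr`, which looks incomplete for a "manage" interface — worth confirming what supervise actually does with symlinks before widening it.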
diff --git a/policy/modules/contrib/daemontools.te b/policy/modules/contrib/daemontools.te
new file mode 100644
index 00000000..dcc5f1c3
--- /dev/null
+++ b/policy/modules/contrib/daemontools.te
@@ -0,0 +1,118 @@
+policy_module(daemontools, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type svc_conf_t;
+files_config_file(svc_conf_t)
+
+type svc_log_t;
+files_type(svc_log_t)
+
+type svc_multilog_t;
+type svc_multilog_exec_t;
+application_domain(svc_multilog_t, svc_multilog_exec_t)
+role system_r types svc_multilog_t;
+
+type svc_run_t;
+type svc_run_exec_t;
+application_domain(svc_run_t, svc_run_exec_t)
+role system_r types svc_run_t;
+
+type svc_start_t;
+type svc_start_exec_t;
+init_domain(svc_start_t, svc_start_exec_t)
+init_system_domain(svc_start_t, svc_start_exec_t)
+role system_r types svc_start_t;
+
+type svc_svc_t;
+files_type(svc_svc_t)
+
+########################################
+#
+# multilog local policy
+#
+
+# multilog creates /service/*/log/status
+manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
+
+init_use_fds(svc_multilog_t)
+
+# writes to /var/log/*/*
+logging_manage_generic_logs(svc_multilog_t)
+
+daemontools_ipc_domain(svc_multilog_t)
+
+########################################
+#
+# local policy for binaries that impose
+# a given environment to supervised daemons
+# ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
+#
+
+allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource };
+allow svc_run_t self:process setrlimit;
+allow svc_run_t self:fifo_file rw_fifo_file_perms;
+allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
+
+allow svc_run_t svc_conf_t:dir list_dir_perms;
+allow svc_run_t svc_conf_t:file read_file_perms;
+
+can_exec(svc_run_t, svc_run_exec_t)
+
+kernel_read_system_state(svc_run_t)
+
+dev_read_urand(svc_run_t)
+
+corecmd_exec_bin(svc_run_t)
+corecmd_exec_shell(svc_run_t)
+
+files_read_etc_files(svc_run_t)
+files_read_etc_runtime_files(svc_run_t)
+files_search_pids(svc_run_t)
+files_search_var_lib(svc_run_t)
+
+init_use_script_fds(svc_run_t)
+init_use_fds(svc_run_t)
+
+daemontools_domtrans_multilog(svc_run_t)
+daemontools_read_svc(svc_run_t)
+
+optional_policy(`
+ qmail_read_config(svc_run_t)
+')
+
+########################################
+#
+# local policy for service monitoring programs
+# ie svc, svscan, supervise ...
+#
+
+allow svc_start_t svc_run_t:process { signal setrlimit };
+
+allow svc_start_t self:fifo_file rw_fifo_file_perms;
+allow svc_start_t self:capability kill;
+allow svc_start_t self:tcp_socket create_stream_socket_perms;
+allow svc_start_t self:unix_stream_socket create_socket_perms;
+
+can_exec(svc_start_t, svc_start_exec_t)
+
+kernel_read_kernel_sysctls(svc_start_t)
+kernel_read_system_state(svc_start_t)
+
+corecmd_exec_bin(svc_start_t)
+corecmd_exec_shell(svc_start_t)
+
+files_read_etc_files(svc_start_t)
+files_read_etc_runtime_files(svc_start_t)
+files_search_var(svc_start_t)
+files_search_pids(svc_start_t)
+
+daemontools_domtrans_run(svc_start_t)
+daemontools_manage_svc(svc_start_t)
+
+logging_send_syslog_msg(svc_start_t)
+
+miscfiles_read_localization(svc_start_t)
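Review bot: svc_run_t holds setuid, setgid, chown, fsetid and sys_resource (L127949) and is allowed to execute any bin or shell program in place via `corecmd_exec_bin`/`corecmd_exec_shell` (L127963-127964) with no transition, so a supervised daemon whose own module does not provide a domtrans out of svc_run_t presumably keeps running with those capabilities. The section comment at L127944-127946 only says what the binaries are; a line such as `# Supervised daemons must transition out of svc_run_t via their own module, otherwise they keep the capabilities granted above` would make the expectation explicit for module authors. `daemontools_domtrans_run` (L128007) and `daemontools_ipc_domain` (L127940) are called here but are not in the visible part of the daemontools.if hunk, so confirm both are defined there.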
diff --git a/policy/modules/contrib/dante.fc b/policy/modules/contrib/dante.fc
new file mode 100644
index 00000000..139171dc
--- /dev/null
+++ b/policy/modules/contrib/dante.fc
@@ -0,0 +1,6 @@
+
+/etc/socks(/.*)? gen_context(system_u:object_r:dante_conf_t,s0)
+
+/usr/sbin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0)
+
+/var/run/sockd\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0)
diff --git a/policy/modules/contrib/dante.if b/policy/modules/contrib/dante.if
new file mode 100644
index 00000000..704661c6
--- /dev/null
+++ b/policy/modules/contrib/dante.if
@@ -0,0 +1 @@
+## <summary>Dante msproxy and socks4/5 proxy server</summary>
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
new file mode 100644
index 00000000..9636326b
--- /dev/null
+++ b/policy/modules/contrib/dante.te
@@ -0,0 +1,78 @@
+policy_module(dante, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type dante_t;
+type dante_exec_t;
+init_daemon_domain(dante_t, dante_exec_t)
+
+type dante_conf_t;
+files_type(dante_conf_t)
+
+type dante_var_run_t;
+files_pid_file(dante_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dante_t self:capability { setuid setgid };
+dontaudit dante_t self:capability sys_tty_config;
+allow dante_t self:process signal_perms;
+allow dante_t self:fifo_file rw_fifo_file_perms;
+allow dante_t self:tcp_socket create_stream_socket_perms;
+allow dante_t self:udp_socket create_socket_perms;
+
+allow dante_t dante_conf_t:dir list_dir_perms;
+allow dante_t dante_conf_t:file read_file_perms;
+
+manage_files_pattern(dante_t, dante_var_run_t, dante_var_run_t)
+files_pid_filetrans(dante_t, dante_var_run_t, file)
+
+kernel_read_kernel_sysctls(dante_t)
+kernel_list_proc(dante_t)
+kernel_read_proc_symlinks(dante_t)
+
+corenet_all_recvfrom_unlabeled(dante_t)
+corenet_all_recvfrom_netlabel(dante_t)
+corenet_tcp_sendrecv_generic_if(dante_t)
+corenet_udp_sendrecv_generic_if(dante_t)
+corenet_tcp_sendrecv_generic_node(dante_t)
+corenet_udp_sendrecv_generic_node(dante_t)
+corenet_tcp_sendrecv_all_ports(dante_t)
+corenet_udp_sendrecv_all_ports(dante_t)
+corenet_tcp_bind_generic_node(dante_t)
+corenet_tcp_bind_socks_port(dante_t)
+
+dev_read_sysfs(dante_t)
+
+domain_use_interactive_fds(dante_t)
+
+files_read_etc_files(dante_t)
+files_read_etc_runtime_files(dante_t)
+
+fs_getattr_all_fs(dante_t)
+fs_search_auto_mountpoints(dante_t)
+
+init_write_utmp(dante_t)
+
+logging_send_syslog_msg(dante_t)
+
+miscfiles_read_localization(dante_t)
+
+sysnet_read_config(dante_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dante_t)
+userdom_dontaudit_search_user_home_dirs(dante_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dante_t)
+')
+
+optional_policy(`
+ udev_read_db(dante_t)
+')
diff --git a/policy/modules/contrib/dbadm.fc b/policy/modules/contrib/dbadm.fc
new file mode 100644
index 00000000..e6aa2fba
--- /dev/null
+++ b/policy/modules/contrib/dbadm.fc
@@ -0,0 +1 @@
+# No dbadm file contexts
diff --git a/policy/modules/contrib/dbadm.if b/policy/modules/contrib/dbadm.if
new file mode 100644
index 00000000..56f2af74
--- /dev/null
+++ b/policy/modules/contrib/dbadm.if
@@ -0,0 +1,50 @@
+## <summary>Database administrator role</summary>
+
+########################################
+## <summary>
+## Change to the database administrator role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dbadm_role_change',`
+ gen_require(`
+ role dbadm_r;
+ ')
+
+ allow $1 dbadm_r;
+')
+
+########################################
+## <summary>
+## Change from the database administrator role.
+## </summary>
+## <desc>
+## <p>
+## Change from the database administrator role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dbadm_role_change_to',`
+ gen_require(`
+ role dbadm_r;
+ ')
+
+ allow dbadm_r $1;
+')
diff --git a/policy/modules/contrib/dbadm.te b/policy/modules/contrib/dbadm.te
new file mode 100644
index 00000000..1875064e
--- /dev/null
+++ b/policy/modules/contrib/dbadm.te
@@ -0,0 +1,60 @@
+policy_module(dbadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow dbadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_manage_user_files, false)
+
+## <desc>
+## <p>
+## Allow dbadm to read files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_read_user_files, false)
+
+role dbadm_r;
+
+userdom_base_user_template(dbadm)
+
+########################################
+#
+# database admin local policy
+#
+
+allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+
+files_dontaudit_search_all_dirs(dbadm_t)
+files_delete_generic_locks(dbadm_t)
+files_list_var(dbadm_t)
+
+selinux_get_enforce_mode(dbadm_t)
+
+logging_send_syslog_msg(dbadm_t)
+
+userdom_dontaudit_search_user_home_dirs(dbadm_t)
+
+tunable_policy(`dbadm_manage_user_files',`
+ userdom_manage_user_home_content_files(dbadm_t)
+ userdom_read_user_tmp_files(dbadm_t)
+ userdom_write_user_tmp_files(dbadm_t)
+')
+
+tunable_policy(`dbadm_read_user_files',`
+ userdom_read_user_home_content_files(dbadm_t)
+ userdom_read_user_tmp_files(dbadm_t)
+')
+
+optional_policy(`
+ mysql_admin(dbadm_t, dbadm_r)
+')
+
+optional_policy(`
+ postgresql_admin(dbadm_t, dbadm_r)
+')
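Review bot: The capability grant at L128215 gives dbadm_t dac_override, dac_read_search and sys_ptrace with no comment on why a database administrator role needs them, while the rest of the hunk gates its home-directory access behind documented tunables (L128192-128204). Add a why-comment above that line, e.g. `# TODO(review): document why dbadm needs dac_override/dac_read_search/sys_ptrace` until the reason is known, or drop whichever capability is not required. These are the broadest privileges in the file and the only ones left unexplained.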
diff --git a/policy/modules/contrib/dbskk.fc b/policy/modules/contrib/dbskk.fc
new file mode 100644
index 00000000..7af25903
--- /dev/null
+++ b/policy/modules/contrib/dbskk.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0)
diff --git a/policy/modules/contrib/dbskk.if b/policy/modules/contrib/dbskk.if
new file mode 100644
index 00000000..9e710048
--- /dev/null
+++ b/policy/modules/contrib/dbskk.if
@@ -0,0 +1 @@
+## <summary>Dictionary server for the SKK Japanese input method system.</summary>
diff --git a/policy/modules/contrib/dbskk.te b/policy/modules/contrib/dbskk.te
new file mode 100644
index 00000000..1445f97d
--- /dev/null
+++ b/policy/modules/contrib/dbskk.te
@@ -0,0 +1,69 @@
+policy_module(dbskk, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type dbskkd_t;
+type dbskkd_exec_t;
+inetd_service_domain(dbskkd_t, dbskkd_exec_t)
+role system_r types dbskkd_t;
+
+type dbskkd_tmp_t;
+files_tmp_file(dbskkd_tmp_t)
+
+type dbskkd_var_run_t;
+files_pid_file(dbskkd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dbskkd_t self:process signal_perms;
+allow dbskkd_t self:fifo_file rw_fifo_file_perms;
+allow dbskkd_t self:tcp_socket connected_stream_socket_perms;
+allow dbskkd_t self:udp_socket create_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child rules?
+allow dbskkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow dbskkd_t self:capability { setuid setgid };
+files_search_home(dbskkd_t)
+optional_policy(`
+ kerberos_use(dbskkd_t)
+')
+#end for identd
+
+manage_dirs_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t)
+manage_files_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t)
+files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir })
+
+manage_files_pattern(dbskkd_t, dbskkd_var_run_t, dbskkd_var_run_t)
+files_pid_filetrans(dbskkd_t, dbskkd_var_run_t, file)
+
+kernel_read_kernel_sysctls(dbskkd_t)
+kernel_read_system_state(dbskkd_t)
+kernel_read_network_state(dbskkd_t)
+
+corenet_all_recvfrom_unlabeled(dbskkd_t)
+corenet_all_recvfrom_netlabel(dbskkd_t)
+corenet_tcp_sendrecv_generic_if(dbskkd_t)
+corenet_udp_sendrecv_generic_if(dbskkd_t)
+corenet_tcp_sendrecv_generic_node(dbskkd_t)
+corenet_udp_sendrecv_generic_node(dbskkd_t)
+corenet_tcp_sendrecv_all_ports(dbskkd_t)
+corenet_udp_sendrecv_all_ports(dbskkd_t)
+
+dev_read_urand(dbskkd_t)
+
+fs_getattr_xattr_fs(dbskkd_t)
+
+files_read_etc_files(dbskkd_t)
+
+auth_use_nsswitch(dbskkd_t)
+
+logging_send_syslog_msg(dbskkd_t)
+
+miscfiles_read_localization(dbskkd_t)
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
new file mode 100644
index 00000000..68dd0068
--- /dev/null
+++ b/policy/modules/contrib/dbus.fc
@@ -0,0 +1,26 @@
+/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+
+/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
+
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
+
+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+
+/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+
+ifdef(`distro_redhat',`
+/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
new file mode 100644
index 00000000..57dd64bf
--- /dev/null
+++ b/policy/modules/contrib/dbus.if
@@ -0,0 +1,507 @@
+## <summary>Desktop messaging bus</summary>
+
+########################################
+## <summary>
+## DBUS stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`dbus_stub',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus all_dbus_perms;
+ ')
+')
+
+########################################
+## <summary>
+## Role access for dbus
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+template(`dbus_role_template',`
+ gen_require(`
+ class dbus { send_msg acquire_svc };
+
+ attribute session_bus_type;
+ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ ')
+
+ ##############################
+ #
+ # Delcarations
+ #
+
+ type $1_dbusd_t, session_bus_type;
+ domain_type($1_dbusd_t)
+ domain_entry_file($1_dbusd_t, dbusd_exec_t)
+ ubac_constrained($1_dbusd_t)
+ role $2 types $1_dbusd_t;
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ allow $1_dbusd_t self:process { getattr sigkill signal };
+ dontaudit $1_dbusd_t self:process ptrace;
+ allow $1_dbusd_t self:file { getattr read write };
+ allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
+ allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+ allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+ allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
+ allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+
+ # For connecting to the bus
+ allow $3 $1_dbusd_t:unix_stream_socket connectto;
+
+ # SE-DBus specific permissions
+ allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+
+ allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
+ read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+ read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+
+ manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+ manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+ files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
+
+ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+ allow $3 $1_dbusd_t:process { signull sigkill signal };
+
+ # cjp: this seems very broken
+ corecmd_bin_domtrans($1_dbusd_t, $3)
+ allow $1_dbusd_t $3:process sigkill;
+ allow $3 $1_dbusd_t:fd use;
+ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+ allow $3 $1_dbusd_t:process sigchld;
+
+ kernel_read_system_state($1_dbusd_t)
+ kernel_read_kernel_sysctls($1_dbusd_t)
+
+ corecmd_list_bin($1_dbusd_t)
+ corecmd_read_bin_symlinks($1_dbusd_t)
+ corecmd_read_bin_files($1_dbusd_t)
+ corecmd_read_bin_pipes($1_dbusd_t)
+ corecmd_read_bin_sockets($1_dbusd_t)
+
+ corenet_all_recvfrom_unlabeled($1_dbusd_t)
+ corenet_all_recvfrom_netlabel($1_dbusd_t)
+ corenet_tcp_sendrecv_generic_if($1_dbusd_t)
+ corenet_tcp_sendrecv_generic_node($1_dbusd_t)
+ corenet_tcp_sendrecv_all_ports($1_dbusd_t)
+ corenet_tcp_bind_generic_node($1_dbusd_t)
+ corenet_tcp_bind_reserved_port($1_dbusd_t)
+
+ dev_read_urand($1_dbusd_t)
+
+ domain_use_interactive_fds($1_dbusd_t)
+ domain_read_all_domains_state($1_dbusd_t)
+
+ files_read_etc_files($1_dbusd_t)
+ files_list_home($1_dbusd_t)
+ files_read_usr_files($1_dbusd_t)
+ files_dontaudit_search_var($1_dbusd_t)
+
+ fs_getattr_romfs($1_dbusd_t)
+ fs_getattr_xattr_fs($1_dbusd_t)
+ fs_list_inotifyfs($1_dbusd_t)
+ fs_dontaudit_list_nfs($1_dbusd_t)
+
+ selinux_get_fs_mount($1_dbusd_t)
+ selinux_validate_context($1_dbusd_t)
+ selinux_compute_access_vector($1_dbusd_t)
+ selinux_compute_create_context($1_dbusd_t)
+ selinux_compute_relabel_context($1_dbusd_t)
+ selinux_compute_user_contexts($1_dbusd_t)
+
+ auth_read_pam_console_data($1_dbusd_t)
+ auth_use_nsswitch($1_dbusd_t)
+
+ logging_send_audit_msgs($1_dbusd_t)
+ logging_send_syslog_msg($1_dbusd_t)
+
+ miscfiles_read_localization($1_dbusd_t)
+
+ seutil_read_config($1_dbusd_t)
+ seutil_read_default_contexts($1_dbusd_t)
+
+ term_use_all_terms($1_dbusd_t)
+
+ userdom_read_user_home_content_files($1_dbusd_t)
+
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+ ')
+
+ optional_policy(`
+ hal_dbus_chat($1_dbusd_t)
+ ')
+
+ optional_policy(`
+ xdg_read_generic_data_home_files($1_dbusd_t)
+ ')
+
+ optional_policy(`
+ xserver_use_xdm_fds($1_dbusd_t)
+ xserver_rw_xdm_pipes($1_dbusd_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Template for creating connections to
+## the system DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_system_bus_client',`
+ gen_require(`
+ type system_dbusd_t, system_dbusd_t;
+ type system_dbusd_var_run_t, system_dbusd_var_lib_t;
+ class dbus send_msg;
+ ')
+
+ # SE-DBus specific permissions
+ allow $1 { system_dbusd_t self }:dbus send_msg;
+ allow system_dbusd_t $1:dbus send_msg;
+
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
+
+ # For connecting to the bus
+ files_search_pids($1)
+ stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
+ dbus_read_config($1)
+')
+
+#######################################
+## <summary>
+## Template for creating connections to
+## a user DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_session_bus_client',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+ # SE-DBus specific permissions
+ allow $1 { session_bus_type self }:dbus send_msg;
+
+ # For connecting to the bus
+ allow $1 session_bus_type:unix_stream_socket connectto;
+
+ dontaudit $1 session_bus_type:fd use;
+')
+
+########################################
+## <summary>
+## Send a message the session DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_send_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+ allow $1 session_bus_type:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read dbus configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_read_config',`
+ gen_require(`
+ type dbusd_etc_t;
+ ')
+
+ allow $1 dbusd_etc_t:dir list_dir_perms;
+ allow $1 dbusd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read system dbus lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_read_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## system dbus lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_manage_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Connect to the system DBUS
+## for service (acquire_svc).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_connect_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 session_bus_type:dbus acquire_svc;
+')
+
+########################################
+## <summary>
+## Allow a application domain to be started
+## by the session dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an
+## entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`dbus_session_domain',`
+ gen_require(`
+ attribute session_bus_type;
+ ')
+
+ domtrans_pattern(session_bus_type, $2, $1)
+
+ dbus_session_bus_client($1)
+ dbus_connect_session_bus($1)
+')
+
+########################################
+## <summary>
+## Connect to the system DBUS
+## for service (acquire_svc).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_connect_system_bus',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 system_dbusd_t:dbus acquire_svc;
+')
+
+########################################
+## <summary>
+## Send a message on the system DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_send_system_bus',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 system_dbusd_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_system_bus_unconfined',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus all_dbus_perms;
+ ')
+
+ allow $1 system_dbusd_t:dbus *;
+')
+
+########################################
+## <summary>
+## Create a domain for processes
+## which can be started by the system dbus
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`dbus_system_domain',`
+ gen_require(`
+ type system_dbusd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
+
+ dbus_system_bus_client($1)
+ dbus_connect_system_bus($1)
+
+ ps_process_pattern(system_dbusd_t, $1)
+
+ userdom_read_all_users_state($1)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Use and inherit system DBUS file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_use_system_bus_fds',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+## <summary>
+## Dontaudit Read, and write system dbus TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:tcp_socket { read write };
+ allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+## <summary>
+## Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_unconfined',`
+ gen_require(`
+ attribute dbusd_unconfined;
+ ')
+
+ typeattribute $1 dbusd_unconfined;
+')
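Review bot: `dbus_dontaudit_system_bus_rw_tcp_sockets` (L128854-128861) is named and documented as a dontaudit interface ("Domain to not audit") but its body uses `allow`, so every caller is actually granted read/write on system_dbusd_t TCP sockets and fd use instead of merely having denials suppressed. Either the two rules should read `dontaudit $1 system_dbusd_t:tcp_socket { read write };` and `dontaudit $1 system_dbusd_t:fd use;`, or the interface should be renamed to say what it grants. Separately, `dbus_connect_session_bus` (L128690) carries the summary "Connect to the system DBUS" although it acts on session_bus_type, L128558 requires `system_dbusd_t` twice in one gen_require, and the heading at L128423 reads "Delcarations".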
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
new file mode 100644
index 00000000..ea3d8d26
--- /dev/null
+++ b/policy/modules/contrib/dbus.te
@@ -0,0 +1,161 @@
+policy_module(dbus, 1.16.0)
+
+gen_require(`
+ class dbus all_dbus_perms;
+')
+
+##############################
+#
+# Delcarations
+#
+
+attribute dbusd_unconfined;
+attribute session_bus_type;
+
+type dbusd_etc_t;
+files_config_file(dbusd_etc_t)
+
+type dbusd_exec_t;
+corecmd_executable_file(dbusd_exec_t)
+typealias dbusd_exec_t alias system_dbusd_exec_t;
+
+type session_dbusd_tmp_t;
+typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
+typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
+userdom_user_tmp_file(session_dbusd_tmp_t)
+
+type system_dbusd_t;
+init_system_domain(system_dbusd_t, dbusd_exec_t)
+
+type system_dbusd_tmp_t;
+files_tmp_file(system_dbusd_tmp_t)
+
+type system_dbusd_var_lib_t;
+files_type(system_dbusd_var_lib_t)
+
+type system_dbusd_var_run_t;
+files_pid_file(system_dbusd_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
+')
+
+##############################
+#
+# System bus local policy
+#
+
+# dac_override: /var/run/dbus is owned by messagebus on Debian
+# cjp: dac_override should probably go in a distro_debian
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+dontaudit system_dbusd_t self:capability sys_tty_config;
+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
+allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
+allow system_dbusd_t self:dbus { send_msg acquire_svc };
+allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
+# Receive notifications of policy reloads and enforcing status changes.
+allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+
+can_exec(system_dbusd_t, dbusd_exec_t)
+
+allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
+read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+
+manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
+manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+
+read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+
+manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
+
+kernel_read_system_state(system_dbusd_t)
+kernel_read_kernel_sysctls(system_dbusd_t)
+
+dev_read_urand(system_dbusd_t)
+dev_read_sysfs(system_dbusd_t)
+
+fs_getattr_all_fs(system_dbusd_t)
+fs_list_inotifyfs(system_dbusd_t)
+fs_search_auto_mountpoints(system_dbusd_t)
+fs_dontaudit_list_nfs(system_dbusd_t)
+
+mls_fd_use_all_levels(system_dbusd_t)
+mls_rangetrans_target(system_dbusd_t)
+mls_file_read_all_levels(system_dbusd_t)
+mls_socket_write_all_levels(system_dbusd_t)
+mls_socket_read_to_clearance(system_dbusd_t)
+mls_dbus_recv_all_levels(system_dbusd_t)
+
+selinux_get_fs_mount(system_dbusd_t)
+selinux_validate_context(system_dbusd_t)
+selinux_compute_access_vector(system_dbusd_t)
+selinux_compute_create_context(system_dbusd_t)
+selinux_compute_relabel_context(system_dbusd_t)
+selinux_compute_user_contexts(system_dbusd_t)
+
+term_dontaudit_use_console(system_dbusd_t)
+
+auth_use_nsswitch(system_dbusd_t)
+auth_read_pam_console_data(system_dbusd_t)
+
+corecmd_list_bin(system_dbusd_t)
+corecmd_read_bin_pipes(system_dbusd_t)
+corecmd_read_bin_sockets(system_dbusd_t)
+
+domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t)
+
+files_read_etc_files(system_dbusd_t)
+files_list_home(system_dbusd_t)
+files_read_usr_files(system_dbusd_t)
+
+init_use_fds(system_dbusd_t)
+init_use_script_ptys(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
+
+logging_send_audit_msgs(system_dbusd_t)
+logging_send_syslog_msg(system_dbusd_t)
+
+miscfiles_read_localization(system_dbusd_t)
+miscfiles_read_generic_certs(system_dbusd_t)
+
+seutil_read_config(system_dbusd_t)
+seutil_read_default_contexts(system_dbusd_t)
+seutil_sigchld_newrole(system_dbusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
+userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
+
+optional_policy(`
+ bind_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(system_dbusd_t)
+ policykit_domtrans_auth(system_dbusd_t)
+ policykit_search_lib(system_dbusd_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(system_dbusd_t)
+')
+
+optional_policy(`
+ udev_read_db(system_dbusd_t)
+')
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
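Review bot: The comment at L128937-128938 records that dac_override is only needed because Debian has /var/run/dbus owned by messagebus and should live under distro_debian, yet L128939 still grants it unconditionally, so the system bus on every distribution carries a capability that bypasses DAC file permissions. Reducing L128939 to `allow system_dbusd_t self:capability { setgid setpcap setuid };` and adding a separate `allow system_dbusd_t self:capability dac_override;` inside a distro_debian ifdef block, in the same style the file already uses for enable_mcs at L128924, would match the intent the comment states. Also, L128944 lists `connectto` twice in the unix_stream_socket set, and the heading at L128894 reads "Delcarations".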
diff --git a/policy/modules/contrib/dcc.fc b/policy/modules/contrib/dcc.fc
new file mode 100644
index 00000000..29773e72
--- /dev/null
+++ b/policy/modules/contrib/dcc.fc
@@ -0,0 +1,30 @@
+/etc/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
+/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+
+/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
+/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
+
+/usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+')
+
+/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+
+/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
+/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+/var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
+
+ifdef(`distro_redhat',`
+/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+')
diff --git a/policy/modules/contrib/dcc.if b/policy/modules/contrib/dcc.if
new file mode 100644
index 00000000..784753e6
--- /dev/null
+++ b/policy/modules/contrib/dcc.if
@@ -0,0 +1,173 @@
+## <summary>Distributed checksum clearinghouse spam filtering</summary>
+
+########################################
+## <summary>
+## Execute cdcc in the cdcc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dcc_domtrans_cdcc',`
+ gen_require(`
+ type cdcc_t, cdcc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cdcc_exec_t, cdcc_t)
+')
+
+########################################
+## <summary>
+## Execute cdcc in the cdcc domain, and
+## allow the specified role the cdcc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dcc_run_cdcc',`
+ gen_require(`
+ type cdcc_t;
+ ')
+
+ dcc_domtrans_cdcc($1)
+ role $2 types cdcc_t;
+')
+
+########################################
+## <summary>
+## Execute dcc_client in the dcc_client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dcc_domtrans_client',`
+ gen_require(`
+ type dcc_client_t, dcc_client_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dcc_client_exec_t, dcc_client_t)
+')
+
+########################################
+## <summary>
+## Send a signal to the dcc_client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dcc_signal_client',`
+ gen_require(`
+ type dcc_client_t;
+ ')
+
+ allow $1 dcc_client_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute dcc_client in the dcc_client domain, and
+## allow the specified role the dcc_client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dcc_run_client',`
+ gen_require(`
+ type dcc_client_t;
+ ')
+
+ dcc_domtrans_client($1)
+ role $2 types dcc_client_t;
+')
+
+########################################
+## <summary>
+## Execute dbclean in the dcc_dbclean domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dcc_domtrans_dbclean',`
+ gen_require(`
+ type dcc_dbclean_t, dcc_dbclean_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dcc_dbclean_exec_t, dcc_dbclean_t)
+')
+
+########################################
+## <summary>
+## Execute dbclean in the dcc_dbclean domain, and
+## allow the specified role the dcc_dbclean domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dcc_run_dbclean',`
+ gen_require(`
+ type dcc_dbclean_t;
+ ')
+
+ dcc_domtrans_dbclean($1)
+ role $2 types dcc_dbclean_t;
+')
+
+########################################
+## <summary>
+## Connect to dccifd over a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dcc_stream_connect_dccifd',`
+ gen_require(`
+ type dcc_var_t, dccifd_var_run_t, dccifd_t;
+ ')
+
+ files_search_var($1)
+ stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
+')
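Review bot: `dcc_stream_connect_dccifd` only searches dcc_var_t (`stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)` preceded by `files_search_var($1)`), yet dcc.fc in this commit labels `/var/run/dcc` as dcc_var_run_t and places a dccifd_var_run_t socket under it, so a caller reaching the socket by that path would be denied search on the intermediate directory. If that path is meant to work, add `type dcc_var_run_t;` to the gen_require and put `files_search_pids($1)` and `allow $1 dcc_var_run_t:dir search_dir_perms;` before the pattern; if not, the summary should say the socket is expected under a dcc_var_t directory. I cannot tell from the listing which path dccifd uses in practice.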
diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te
new file mode 100644
index 00000000..51783373
--- /dev/null
+++ b/policy/modules/contrib/dcc.te
@@ -0,0 +1,404 @@
+policy_module(dcc, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type cdcc_t;
+type cdcc_exec_t;
+application_domain(cdcc_t, cdcc_exec_t)
+role system_r types cdcc_t;
+
+type cdcc_tmp_t;
+files_tmp_file(cdcc_tmp_t)
+
+type dcc_client_t;
+type dcc_client_exec_t;
+application_domain(dcc_client_t, dcc_client_exec_t)
+role system_r types dcc_client_t;
+
+type dcc_client_map_t;
+files_type(dcc_client_map_t)
+
+type dcc_client_tmp_t;
+files_tmp_file(dcc_client_tmp_t)
+
+type dcc_dbclean_t;
+type dcc_dbclean_exec_t;
+application_domain(dcc_dbclean_t, dcc_dbclean_exec_t)
+role system_r types dcc_dbclean_t;
+
+type dcc_dbclean_tmp_t;
+files_tmp_file(dcc_dbclean_tmp_t)
+
+type dcc_var_t;
+files_type(dcc_var_t)
+
+type dcc_var_run_t;
+files_type(dcc_var_run_t)
+
+type dccd_t;
+type dccd_exec_t;
+init_daemon_domain(dccd_t, dccd_exec_t)
+
+type dccd_tmp_t;
+files_tmp_file(dccd_tmp_t)
+
+type dccd_var_run_t;
+files_pid_file(dccd_var_run_t)
+
+type dccifd_t;
+type dccifd_exec_t;
+init_daemon_domain(dccifd_t, dccifd_exec_t)
+
+type dccifd_tmp_t;
+files_tmp_file(dccifd_tmp_t)
+
+type dccifd_var_run_t;
+files_pid_file(dccifd_var_run_t)
+
+type dccm_t;
+type dccm_exec_t;
+init_daemon_domain(dccm_t, dccm_exec_t)
+
+type dccm_tmp_t;
+files_tmp_file(dccm_tmp_t)
+
+type dccm_var_run_t;
+files_pid_file(dccm_var_run_t)
+
+# NOTE: DCC has writeable files in /etc/dcc that should probably be in
+# /var/lib/dcc. For now this policy supports both directories being
+# writable.
+
+# cjp: dccifd and dccm should be merged, as
+# they have the same rules.
+
+########################################
+#
+# dcc daemon controller local policy
+#
+
+allow cdcc_t self:capability { setuid setgid };
+allow cdcc_t self:unix_dgram_socket create_socket_perms;
+allow cdcc_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
+manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
+files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
+
+allow cdcc_t dcc_client_map_t:file rw_file_perms;
+
+# Access files in /var/dcc. The map file can be updated
+allow cdcc_t dcc_var_t:dir list_dir_perms;
+read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+
+corenet_all_recvfrom_unlabeled(cdcc_t)
+corenet_all_recvfrom_netlabel(cdcc_t)
+corenet_udp_sendrecv_generic_if(cdcc_t)
+corenet_udp_sendrecv_generic_node(cdcc_t)
+corenet_udp_sendrecv_all_ports(cdcc_t)
+
+files_read_etc_files(cdcc_t)
+files_read_etc_runtime_files(cdcc_t)
+
+auth_use_nsswitch(cdcc_t)
+
+logging_send_syslog_msg(cdcc_t)
+
+miscfiles_read_localization(cdcc_t)
+
+userdom_use_user_terminals(cdcc_t)
+
+########################################
+#
+# dcc procmail interface local policy
+#
+
+allow dcc_client_t self:capability { setuid setgid };
+allow dcc_client_t self:unix_dgram_socket create_socket_perms;
+allow dcc_client_t self:udp_socket create_socket_perms;
+
+allow dcc_client_t dcc_client_map_t:file rw_file_perms;
+
+manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
+manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
+files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
+
+# Access files in /var/dcc. The map file can be updated
+allow dcc_client_t dcc_var_t:dir list_dir_perms;
+manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+
+kernel_read_system_state(dcc_client_t)
+
+corenet_all_recvfrom_unlabeled(dcc_client_t)
+corenet_all_recvfrom_netlabel(dcc_client_t)
+corenet_udp_sendrecv_generic_if(dcc_client_t)
+corenet_udp_sendrecv_generic_node(dcc_client_t)
+corenet_udp_sendrecv_all_ports(dcc_client_t)
+corenet_udp_bind_generic_node(dcc_client_t)
+
+files_read_etc_files(dcc_client_t)
+files_read_etc_runtime_files(dcc_client_t)
+
+fs_getattr_all_fs(dcc_client_t)
+
+auth_use_nsswitch(dcc_client_t)
+
+logging_send_syslog_msg(dcc_client_t)
+
+miscfiles_read_localization(dcc_client_t)
+
+userdom_use_user_terminals(dcc_client_t)
+
+optional_policy(`
+ amavis_read_spool_files(dcc_client_t)
+')
+
+optional_policy(`
+ spamassassin_read_spamd_tmp_files(dcc_client_t)
+')
+
+########################################
+#
+# Database cleanup tool local policy
+#
+
+allow dcc_dbclean_t self:unix_dgram_socket create_socket_perms;
+allow dcc_dbclean_t self:udp_socket create_socket_perms;
+
+allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
+
+manage_dirs_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
+manage_files_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
+files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
+
+manage_dirs_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+
+kernel_read_system_state(dcc_dbclean_t)
+
+corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
+corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+
+files_read_etc_files(dcc_dbclean_t)
+files_read_etc_runtime_files(dcc_dbclean_t)
+
+auth_use_nsswitch(dcc_dbclean_t)
+
+logging_send_syslog_msg(dcc_dbclean_t)
+
+miscfiles_read_localization(dcc_dbclean_t)
+
+userdom_use_user_terminals(dcc_dbclean_t)
+
+########################################
+#
+# Server daemon local policy
+#
+
+allow dccd_t self:capability net_admin;
+dontaudit dccd_t self:capability sys_tty_config;
+allow dccd_t self:process signal_perms;
+allow dccd_t self:unix_stream_socket create_socket_perms;
+allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow dccd_t self:udp_socket create_socket_perms;
+
+allow dccd_t dcc_client_map_t:file rw_file_perms;
+
+# Access files in /var/dcc. The map file can be updated
+allow dccd_t dcc_var_t:dir list_dir_perms;
+read_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+
+# Runs the dbclean program
+domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
+corecmd_search_bin(dccd_t)
+
+# Updating dcc_db, flod, ...
+manage_dirs_pattern(dccd_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+
+manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
+manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
+files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
+
+manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
+manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
+files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
+
+kernel_read_system_state(dccd_t)
+kernel_read_kernel_sysctls(dccd_t)
+
+corenet_all_recvfrom_unlabeled(dccd_t)
+corenet_all_recvfrom_netlabel(dccd_t)
+corenet_udp_sendrecv_generic_if(dccd_t)
+corenet_udp_sendrecv_generic_node(dccd_t)
+corenet_udp_sendrecv_all_ports(dccd_t)
+corenet_udp_bind_generic_node(dccd_t)
+corenet_udp_bind_dcc_port(dccd_t)
+corenet_sendrecv_dcc_server_packets(dccd_t)
+
+dev_read_sysfs(dccd_t)
+
+domain_use_interactive_fds(dccd_t)
+
+files_read_etc_files(dccd_t)
+files_read_etc_runtime_files(dccd_t)
+
+fs_getattr_all_fs(dccd_t)
+fs_search_auto_mountpoints(dccd_t)
+
+auth_use_nsswitch(dccd_t)
+
+logging_send_syslog_msg(dccd_t)
+
+miscfiles_read_localization(dccd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccd_t)
+userdom_dontaudit_search_user_home_dirs(dccd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dccd_t)
+')
+
+optional_policy(`
+ udev_read_db(dccd_t)
+')
+
+########################################
+#
+# Spamassassin and general MTA persistent client local policy
+#
+
+dontaudit dccifd_t self:capability sys_tty_config;
+allow dccifd_t self:process signal_perms;
+allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
+allow dccifd_t self:unix_dgram_socket create_socket_perms;
+allow dccifd_t self:udp_socket create_socket_perms;
+
+allow dccifd_t dcc_client_map_t:file rw_file_perms;
+
+# Updating dcc_db, flod, ...
+manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_fifo_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_sock_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+
+manage_dirs_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
+manage_files_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
+files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })
+
+manage_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t)
+manage_sock_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t)
+filetrans_pattern(dccifd_t, dcc_var_t, dccifd_var_run_t, { file sock_file })
+files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
+
+kernel_read_system_state(dccifd_t)
+kernel_read_kernel_sysctls(dccifd_t)
+
+corenet_all_recvfrom_unlabeled(dccifd_t)
+corenet_all_recvfrom_netlabel(dccifd_t)
+corenet_udp_sendrecv_generic_if(dccifd_t)
+corenet_udp_sendrecv_generic_node(dccifd_t)
+corenet_udp_sendrecv_all_ports(dccifd_t)
+
+dev_read_sysfs(dccifd_t)
+
+domain_use_interactive_fds(dccifd_t)
+
+files_read_etc_files(dccifd_t)
+files_read_etc_runtime_files(dccifd_t)
+
+fs_getattr_all_fs(dccifd_t)
+fs_search_auto_mountpoints(dccifd_t)
+
+auth_use_nsswitch(dccifd_t)
+
+logging_send_syslog_msg(dccifd_t)
+
+miscfiles_read_localization(dccifd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
+userdom_dontaudit_search_user_home_dirs(dccifd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dccifd_t)
+')
+
+optional_policy(`
+ udev_read_db(dccifd_t)
+')
+
+########################################
+#
+# sendmail milter client local policy
+#
+
+dontaudit dccm_t self:capability sys_tty_config;
+allow dccm_t self:process signal_perms;
+allow dccm_t self:unix_stream_socket create_stream_socket_perms;
+allow dccm_t self:unix_dgram_socket create_socket_perms;
+allow dccm_t self:udp_socket create_socket_perms;
+
+allow dccm_t dcc_client_map_t:file rw_file_perms;
+
+manage_dirs_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_fifo_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_sock_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+
+manage_dirs_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
+manage_files_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
+files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })
+
+manage_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t)
+manage_sock_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t)
+filetrans_pattern(dccm_t, dcc_var_run_t, dccm_var_run_t, { file sock_file })
+files_pid_filetrans(dccm_t, dccm_var_run_t, file)
+
+kernel_read_system_state(dccm_t)
+kernel_read_kernel_sysctls(dccm_t)
+
+corenet_all_recvfrom_unlabeled(dccm_t)
+corenet_all_recvfrom_netlabel(dccm_t)
+corenet_udp_sendrecv_generic_if(dccm_t)
+corenet_udp_sendrecv_generic_node(dccm_t)
+corenet_udp_sendrecv_all_ports(dccm_t)
+
+dev_read_sysfs(dccm_t)
+
+domain_use_interactive_fds(dccm_t)
+
+files_read_etc_files(dccm_t)
+files_read_etc_runtime_files(dccm_t)
+
+fs_getattr_all_fs(dccm_t)
+fs_search_auto_mountpoints(dccm_t)
+
+auth_use_nsswitch(dccm_t)
+
+logging_send_syslog_msg(dccm_t)
+
+miscfiles_read_localization(dccm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccm_t)
+userdom_dontaudit_search_user_home_dirs(dccm_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dccm_t)
+')
+
+optional_policy(`
+ udev_read_db(dccm_t)
+')
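Review bot: the comment above the dcc_client_t rules says `# Access files in /var/dcc. The map file can be updated`, but the rule it introduces is `manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)`, which lets dccproc, a per-message client started from mail delivery, create, unlink and rewrite every dcc_var_t file, and dcc.fc labels all of `/etc/dcc` with that type, so the client can alter DCC's own configuration; the map file is already writable through `allow dcc_client_t dcc_client_map_t:file rw_file_perms;`. The cdcc_t block under the same comment uses `read_files_pattern` for dcc_var_t. If dccproc genuinely needs to create files there (a client cache, say), keep manage but replace the comment with one that names those files; otherwise narrow to `rw_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)` and confirm against the AVC log. I cannot tell from the listing which files it actually creates.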
diff --git a/policy/modules/contrib/ddclient.fc b/policy/modules/contrib/ddclient.fc
new file mode 100644
index 00000000..083c1351
--- /dev/null
+++ b/policy/modules/contrib/ddclient.fc
@@ -0,0 +1,12 @@
+/etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
+/etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
+/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
+
+/usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+
+/var/cache/ddclient(/.*)? gen_context(system_u:object_r:ddclient_var_t,s0)
+/var/lib/ddt-client(/.*)? gen_context(system_u:object_r:ddclient_var_lib_t,s0)
+/var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0)
+/var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
+/var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
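Review bot: the four ddtcd entries (`/etc/ddtcd\.conf`, `/usr/sbin/ddtcd`, `/var/log/ddtcd\.log.*`, `/var/run/ddtcd\.pid`) are folded into the ddclient types with no comment explaining why a differently named program shares the ddclient domain, so a reader cannot tell whether this is deliberate or a stray paste. A one-line comment above them, for example `# ddtcd is run in the ddclient domain` followed by the actual reason (which I cannot tell from the listing), would settle that.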
diff --git a/policy/modules/contrib/ddclient.if b/policy/modules/contrib/ddclient.if
new file mode 100644
index 00000000..0a1a61b3
--- /dev/null
+++ b/policy/modules/contrib/ddclient.if
@@ -0,0 +1,93 @@
+## <summary>Update dynamic IP address at DynDNS.org</summary>
+
+#######################################
+## <summary>
+## Execute ddclient in the ddclient domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ddclient_domtrans',`
+ gen_require(`
+ type ddclient_t, ddclient_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ddclient_exec_t, ddclient_t)
+')
+
+########################################
+## <summary>
+## Execute ddclient daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddclient_run',`
+ gen_require(`
+ type ddclient_t;
+ ')
+
+ ddclient_domtrans($1)
+ role $2 types ddclient_t;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ddclient environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the ddclient domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddclient_admin',`
+ gen_require(`
+ type ddclient_t, ddclient_etc_t, ddclient_log_t;
+ type ddclient_var_t, ddclient_var_lib_t;
+ type ddclient_var_run_t, ddclient_initrc_exec_t;
+ ')
+
+ allow $1 ddclient_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ddclient_t)
+
+ init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ddclient_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, ddclient_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ddclient_log_t)
+
+ files_list_var($1)
+ admin_pattern($1, ddclient_var_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, ddclient_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ddclient_var_run_t)
+')
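Review bot: the summary of `ddclient_run` reads `## Execute ddclient daemon on behalf of a user or staff type.`, while the other `*_run` interfaces in this commit (dcc_run_cdcc, ddcprobe_run) document the same shape as `Execute X in the X domain, and allow the specified role the X domain.`, and the body here is just `ddclient_domtrans($1)` plus `role $2 types ddclient_t;`, so the wording overstates what it does and hides the role grant. Suggest `## Execute ddclient in the ddclient domain, and allow the specified role the ddclient domain.`. A one-line why-comment on `allow $1 ddclient_t:process { ptrace signal_perms };` in `ddclient_admin` would also help, since ptrace lets the admin role read the daemon's memory, which holds whatever it loaded from ddclient_etc_t.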
diff --git a/policy/modules/contrib/ddclient.te b/policy/modules/contrib/ddclient.te
new file mode 100644
index 00000000..24ba98a6
--- /dev/null
+++ b/policy/modules/contrib/ddclient.te
@@ -0,0 +1,108 @@
+policy_module(ddclient, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type ddclient_t;
+type ddclient_exec_t;
+init_daemon_domain(ddclient_t, ddclient_exec_t)
+
+type ddclient_etc_t;
+files_config_file(ddclient_etc_t)
+
+type ddclient_initrc_exec_t;
+init_script_file(ddclient_initrc_exec_t)
+
+type ddclient_log_t;
+logging_log_file(ddclient_log_t)
+
+type ddclient_var_t;
+files_type(ddclient_var_t)
+
+type ddclient_var_lib_t;
+files_type(ddclient_var_lib_t)
+
+type ddclient_var_run_t;
+files_pid_file(ddclient_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+dontaudit ddclient_t self:capability sys_tty_config;
+allow ddclient_t self:process signal_perms;
+allow ddclient_t self:fifo_file rw_fifo_file_perms;
+allow ddclient_t self:tcp_socket create_socket_perms;
+allow ddclient_t self:udp_socket create_socket_perms;
+
+allow ddclient_t ddclient_etc_t:file read_file_perms;
+
+allow ddclient_t ddclient_log_t:file manage_file_perms;
+logging_log_filetrans(ddclient_t, ddclient_log_t, file)
+
+manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_fifo_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_sock_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+files_var_filetrans(ddclient_t, ddclient_var_t, { file lnk_file sock_file fifo_file })
+
+manage_files_pattern(ddclient_t, ddclient_var_lib_t, ddclient_var_lib_t)
+files_var_lib_filetrans(ddclient_t, ddclient_var_lib_t, file)
+
+manage_files_pattern(ddclient_t, ddclient_var_run_t, ddclient_var_run_t)
+files_pid_filetrans(ddclient_t, ddclient_var_run_t, file)
+
+kernel_read_system_state(ddclient_t)
+kernel_read_network_state(ddclient_t)
+kernel_read_software_raid_state(ddclient_t)
+kernel_getattr_core_if(ddclient_t)
+kernel_getattr_message_if(ddclient_t)
+kernel_read_kernel_sysctls(ddclient_t)
+
+corecmd_exec_shell(ddclient_t)
+corecmd_exec_bin(ddclient_t)
+
+corenet_all_recvfrom_unlabeled(ddclient_t)
+corenet_all_recvfrom_netlabel(ddclient_t)
+corenet_tcp_sendrecv_generic_if(ddclient_t)
+corenet_udp_sendrecv_generic_if(ddclient_t)
+corenet_tcp_sendrecv_generic_node(ddclient_t)
+corenet_udp_sendrecv_generic_node(ddclient_t)
+corenet_tcp_sendrecv_all_ports(ddclient_t)
+corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_connect_all_ports(ddclient_t)
+corenet_sendrecv_all_client_packets(ddclient_t)
+
+dev_read_sysfs(ddclient_t)
+dev_read_urand(ddclient_t)
+
+domain_use_interactive_fds(ddclient_t)
+
+files_read_etc_files(ddclient_t)
+files_read_etc_runtime_files(ddclient_t)
+files_read_usr_files(ddclient_t)
+
+fs_getattr_all_fs(ddclient_t)
+fs_search_auto_mountpoints(ddclient_t)
+
+logging_send_syslog_msg(ddclient_t)
+
+miscfiles_read_localization(ddclient_t)
+
+sysnet_exec_ifconfig(ddclient_t)
+sysnet_read_config(ddclient_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ddclient_t)
+userdom_dontaudit_search_user_home_dirs(ddclient_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(ddclient_t)
+')
+
+optional_policy(`
+ udev_read_db(ddclient_t)
+')
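Review bot: the second section header (`# Declarations`, immediately before `dontaudit ddclient_t self:capability sys_tty_config;`) duplicates the first one; the sibling ddcprobe.te in this commit calls that section `# Local policy`, so change it to `# Local policy` so the file's structure reads correctly. Separately, `corenet_tcp_connect_all_ports(ddclient_t)` combined with `corecmd_exec_shell` and `corecmd_exec_bin` gives a daemon that only needs to reach a few HTTP(S) update services connect rights to every port; if the provider set is known, `corenet_tcp_connect_http_port(ddclient_t)` would be the tighter choice, though I cannot tell from the listing whether some provider uses another port.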
diff --git a/policy/modules/contrib/ddcprobe.fc b/policy/modules/contrib/ddcprobe.fc
new file mode 100644
index 00000000..49e6a256
--- /dev/null
+++ b/policy/modules/contrib/ddcprobe.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)
diff --git a/policy/modules/contrib/ddcprobe.if b/policy/modules/contrib/ddcprobe.if
new file mode 100644
index 00000000..9868652f
--- /dev/null
+++ b/policy/modules/contrib/ddcprobe.if
@@ -0,0 +1,45 @@
+## <summary>ddcprobe retrieves monitor and graphics card information</summary>
+
+########################################
+## <summary>
+## Execute ddcprobe in the ddcprobe domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ddcprobe_domtrans',`
+ gen_require(`
+ type ddcprobe_t, ddcprobe_exec_t;
+ ')
+
+ domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t)
+')
+
+########################################
+## <summary>
+## Execute ddcprobe in the ddcprobe domain, and
+## allow the specified role the ddcprobe domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role to be authenticated for ddcprobe domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddcprobe_run',`
+ gen_require(`
+ type ddcprobe_t;
+ ')
+
+ ddcprobe_domtrans($1)
+ role $2 types ddcprobe_t;
+')
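Review bot: `ddcprobe_domtrans` lacks the `corecmd_search_bin($1)` call that `dcc_domtrans_cdcc` and `ddclient_domtrans` in this commit place before their `domtrans_pattern`, so a caller that cannot already search bin_t directories is denied before it reaches `/usr/sbin/ddcprobe`; add `corecmd_search_bin($1)` above `domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t)`. The role summary `Role to be authenticated for ddcprobe domain.` also differs from the `Role allowed access.` wording used by the other interfaces and is misleading, since no authentication takes place; use the standard phrase.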
diff --git a/policy/modules/contrib/ddcprobe.te b/policy/modules/contrib/ddcprobe.te
new file mode 100644
index 00000000..5e062bc1
--- /dev/null
+++ b/policy/modules/contrib/ddcprobe.te
@@ -0,0 +1,51 @@
+policy_module(ddcprobe, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type ddcprobe_t;
+type ddcprobe_exec_t;
+application_domain(ddcprobe_t, ddcprobe_exec_t)
+role system_r types ddcprobe_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ddcprobe_t self:capability { sys_rawio sys_admin };
+allow ddcprobe_t self:process execmem;
+
+kernel_read_system_state(ddcprobe_t)
+kernel_read_kernel_sysctls(ddcprobe_t)
+kernel_change_ring_buffer_level(ddcprobe_t)
+
+files_search_kernel_modules(ddcprobe_t)
+
+corecmd_list_bin(ddcprobe_t)
+corecmd_exec_bin(ddcprobe_t)
+
+dev_read_urand(ddcprobe_t)
+dev_read_raw_memory(ddcprobe_t)
+dev_wx_raw_memory(ddcprobe_t)
+
+files_read_etc_files(ddcprobe_t)
+files_read_etc_runtime_files(ddcprobe_t)
+files_read_usr_files(ddcprobe_t)
+
+term_use_all_ttys(ddcprobe_t)
+term_use_all_ptys(ddcprobe_t)
+
+libs_read_lib_files(ddcprobe_t)
+
+miscfiles_read_localization(ddcprobe_t)
+
+modutils_read_module_deps(ddcprobe_t)
+
+userdom_use_user_terminals(ddcprobe_t)
+userdom_use_all_users_fds(ddcprobe_t)
+
+#reh why? this does not seem even necessary to function properly
+kudzu_getattr_exec_files(ddcprobe_t)
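Review bot: `kudzu_getattr_exec_files(ddcprobe_t)` is called unconditionally under the unresolved note `#reh why? this does not seem even necessary to function properly`, whereas every other cross-module call in this commit (udev_read_db, seutil_sigchld_newrole, amavis and spamassassin interfaces) is wrapped in `optional_policy`, so as written the ddcprobe module hard-depends on the kudzu module for a permission its own author doubts. Either drop the line or wrap it in an `optional_policy` block like the `udev_read_db` calls in the sibling modules, with a comment recording the observed denial instead of a question. The `dev_wx_raw_memory`, `sys_rawio sys_admin` and `execmem` grants also deserve a one-line why-comment (presumably VESA BIOS access through /dev/mem, which I cannot confirm from the listing), because together they make ddcprobe_t effectively as powerful as the kernel.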
diff --git a/policy/modules/contrib/denyhosts.fc b/policy/modules/contrib/denyhosts.fc
new file mode 100644
index 00000000..257fef60
--- /dev/null
+++ b/policy/modules/contrib/denyhosts.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0)
+
+/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t,s0)
+
+/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
+/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0)
diff --git a/policy/modules/contrib/denyhosts.if b/policy/modules/contrib/denyhosts.if
new file mode 100644
index 00000000..567865f3
--- /dev/null
+++ b/policy/modules/contrib/denyhosts.if
@@ -0,0 +1,85 @@
+## <summary>DenyHosts SSH dictionary attack mitigation</summary>
+## <desc>
+## <p>
+## DenyHosts is a script intended to be run by Linux
+## system administrators to help thwart SSH server attacks
+## (also known as dictionary based attacks and brute force
+## attacks).
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute a domain transition to run denyhosts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`denyhosts_domtrans', `
+ gen_require(`
+ type denyhosts_t, denyhosts_exec_t;
+ ')
+
+ domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
+')
+
+########################################
+## <summary>
+## Execute denyhost server in the denyhost domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`denyhosts_initrc_domtrans', `
+ gen_require(`
+ type denyhosts_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an denyhosts environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`denyhosts_admin', `
+ gen_require(`
+ type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
+ type denyhosts_var_log_t, denyhosts_initrc_exec_t;
+ ')
+
+ allow $1 denyhosts_t:process { ptrace signal_perms };
+ ps_process_pattern($1, denyhosts_t)
+
+ denyhosts_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 denyhosts_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, denyhosts_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, denyhosts_var_log_t)
+
+ files_search_locks($1)
+ admin_pattern($1, denyhosts_var_lock_t)
+')
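Review bot: `denyhosts_admin` takes a role parameter and performs `role_transition $2 denyhosts_initrc_exec_t system_r;` and `allow $2 system_r;`, but its header carries no `## <rolecap/>` tag, unlike `ddclient_admin` in this commit, so the interface documentation will not mark it as granting a role capability; add `## <rolecap/>` after the role `</param>`. `denyhosts_domtrans` likewise omits the `corecmd_search_bin($1)` that the dcc and ddclient domtrans interfaces include, which matters because `/usr/bin/denyhosts\.py` sits under a bin_t directory.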
diff --git a/policy/modules/contrib/denyhosts.te b/policy/modules/contrib/denyhosts.te
new file mode 100644
index 00000000..8ba94250
--- /dev/null
+++ b/policy/modules/contrib/denyhosts.te
@@ -0,0 +1,72 @@
+policy_module(denyhosts, 1.0.0)
+
+########################################
+#
+# DenyHosts personal declarations.
+#
+
+type denyhosts_t;
+type denyhosts_exec_t;
+init_daemon_domain(denyhosts_t, denyhosts_exec_t)
+
+type denyhosts_initrc_exec_t;
+init_script_file(denyhosts_initrc_exec_t)
+
+type denyhosts_var_lib_t;
+files_type(denyhosts_var_lib_t)
+
+type denyhosts_var_lock_t;
+files_lock_file(denyhosts_var_lock_t)
+
+type denyhosts_var_log_t;
+logging_log_file(denyhosts_var_log_t)
+
+########################################
+#
+# DenyHosts personal policy.
+#
+
+allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
+allow denyhosts_t self:tcp_socket create_socket_perms;
+allow denyhosts_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
+files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file)
+
+manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file })
+
+append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+
+kernel_read_system_state(denyhosts_t)
+
+corecmd_exec_bin(denyhosts_t)
+
+corenet_all_recvfrom_unlabeled(denyhosts_t)
+corenet_all_recvfrom_netlabel(denyhosts_t)
+corenet_tcp_sendrecv_generic_if(denyhosts_t)
+corenet_tcp_sendrecv_generic_node(denyhosts_t)
+corenet_tcp_bind_generic_node(denyhosts_t)
+corenet_tcp_connect_smtp_port(denyhosts_t)
+corenet_sendrecv_smtp_client_packets(denyhosts_t)
+
+dev_read_urand(denyhosts_t)
+
+files_read_etc_files(denyhosts_t)
+
+# /var/log/secure
+logging_read_generic_logs(denyhosts_t)
+
+miscfiles_read_localization(denyhosts_t)
+
+sysnet_manage_config(denyhosts_t)
+sysnet_etc_filetrans_config(denyhosts_t)
+
+optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
+')
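Review bot: `sysnet_manage_config(denyhosts_t)` and `sysnet_etc_filetrans_config(denyhosts_t)` carry no comment, whereas the log read just above is explained with `# /var/log/secure`; presumably the grant exists because /etc/hosts.deny is labeled net_conf_t, but that type also covers resolv.conf and the other network configuration files, so a daemon whose input is attacker-controlled SSH log lines gets write access to all of them. Add a comment such as `# writes /etc/hosts.deny, which is net_conf_t (this also covers resolv.conf etc.)`, and if the base policy offers a dedicated type for hosts.deny, prefer it. I cannot confirm from the listing which file denyhosts actually writes.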
diff --git a/policy/modules/contrib/devicekit.fc b/policy/modules/contrib/devicekit.fc
new file mode 100644
index 00000000..9af85c85
--- /dev/null
+++ b/policy/modules/contrib/devicekit.fc
@@ -0,0 +1,20 @@
+/usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+
+/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
+/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+')
+
+/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+
+/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/contrib/devicekit.if b/policy/modules/contrib/devicekit.if
new file mode 100644
index 00000000..f706b994
--- /dev/null
+++ b/policy/modules/contrib/devicekit.if
@@ -0,0 +1,185 @@
+## <summary>Devicekit modular hardware abstraction layer</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run devicekit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`devicekit_domtrans',`
+ gen_require(`
+ type devicekit_t, devicekit_exec_t;
+ ')
+
+ domtrans_pattern($1, devicekit_exec_t, devicekit_t)
+')
+
+########################################
+## <summary>
+## Send to devicekit over a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dgram_send',`
+ gen_require(`
+ type devicekit_t;
+ ')
+
+ allow $1 devicekit_t:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## devicekit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_chat',`
+ gen_require(`
+ type devicekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_t:dbus send_msg;
+ allow devicekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## devicekit disk over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_chat_disk',`
+ gen_require(`
+ type devicekit_disk_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_disk_t:dbus send_msg;
+ allow devicekit_disk_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send signal devicekit power
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_signal_power',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ allow $1 devicekit_power_t:process signal;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## devicekit power over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_chat_power',`
+ gen_require(`
+ type devicekit_power_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_power_t:dbus send_msg;
+ allow devicekit_power_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read devicekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_read_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an devicekit environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the devicekit domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`devicekit_admin',`
+ gen_require(`
+ type devicekit_t, devicekit_disk_t, devicekit_power_t;
+ type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+ ')
+
+ allow $1 devicekit_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, devicekit_t)
+
+ allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, devicekit_disk_t)
+
+ allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, devicekit_power_t)
+
+ admin_pattern($1, devicekit_tmp_t)
+ files_search_tmp($1)
+
+ admin_pattern($1, devicekit_var_lib_t)
+ files_search_var_lib($1)
+
+ admin_pattern($1, devicekit_var_run_t)
+ files_search_pids($1)
+')
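Review bot: `devicekit_admin` documents `role` and `terminal` parameters (and carries `<rolecap/>`) but its body never references `$2` or `$3`, so the interface promises a role grant it does not make; compare `dhcpd_admin` later in this same series, which consumes `$2` with `role_transition $2 … system_r;` and `allow $2 system_r;`. Since devicekit.te declares all three daemons via `dbus_system_domain` with no init-script type to transition through, the simpler fix is probably to drop the two unused `<param>` blocks and the `<rolecap/>` tag rather than invent a role rule. Whichever way it goes, the XML documentation and the body should agree, because `<rolecap/>` is what marks an interface for the role-capability tooling.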
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
new file mode 100644
index 00000000..1819518a
--- /dev/null
+++ b/policy/modules/contrib/devicekit.te
@@ -0,0 +1,284 @@
+policy_module(devicekit, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type devicekit_t;
+type devicekit_exec_t;
+dbus_system_domain(devicekit_t, devicekit_exec_t)
+
+type devicekit_power_t;
+type devicekit_power_exec_t;
+dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+
+type devicekit_disk_t;
+type devicekit_disk_exec_t;
+dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+
+type devicekit_tmp_t;
+files_tmp_file(devicekit_tmp_t)
+
+type devicekit_var_run_t;
+files_pid_file(devicekit_var_run_t)
+
+type devicekit_var_lib_t;
+files_type(devicekit_var_lib_t)
+
+########################################
+#
+# DeviceKit local policy
+#
+
+allow devicekit_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir })
+
+kernel_read_system_state(devicekit_t)
+
+dev_read_sysfs(devicekit_t)
+dev_read_urand(devicekit_t)
+
+files_read_etc_files(devicekit_t)
+
+miscfiles_read_localization(devicekit_t)
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_t)
+
+ allow devicekit_t devicekit_disk_t:dbus send_msg;
+ allow devicekit_t devicekit_power_t:dbus send_msg;
+')
+
+optional_policy(`
+ udev_read_db(devicekit_t)
+')
+
+########################################
+#
+# DeviceKit disk local policy
+#
+
+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:process { getsched signal_perms };
+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir })
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
+
+kernel_getattr_message_if(devicekit_disk_t)
+kernel_read_fs_sysctls(devicekit_disk_t)
+kernel_read_network_state(devicekit_disk_t)
+kernel_read_software_raid_state(devicekit_disk_t)
+kernel_read_system_state(devicekit_disk_t)
+kernel_request_load_module(devicekit_disk_t)
+kernel_setsched(devicekit_disk_t)
+
+corecmd_exec_bin(devicekit_disk_t)
+corecmd_exec_shell(devicekit_disk_t)
+corecmd_getattr_all_executables(devicekit_disk_t)
+
+dev_rw_sysfs(devicekit_disk_t)
+dev_read_urand(devicekit_disk_t)
+dev_getattr_usbfs_dirs(devicekit_disk_t)
+dev_manage_generic_files(devicekit_disk_t)
+dev_getattr_all_chr_files(devicekit_disk_t)
+dev_getattr_mtrr_dev(devicekit_disk_t)
+
+domain_getattr_all_pipes(devicekit_disk_t)
+domain_getattr_all_sockets(devicekit_disk_t)
+domain_getattr_all_stream_sockets(devicekit_disk_t)
+domain_read_all_domains_state(devicekit_disk_t)
+
+files_dontaudit_read_all_symlinks(devicekit_disk_t)
+files_getattr_all_sockets(devicekit_disk_t)
+files_getattr_all_mountpoints(devicekit_disk_t)
+files_getattr_all_files(devicekit_disk_t)
+files_manage_isid_type_dirs(devicekit_disk_t)
+files_manage_mnt_dirs(devicekit_disk_t)
+files_read_etc_files(devicekit_disk_t)
+files_read_etc_runtime_files(devicekit_disk_t)
+files_read_usr_files(devicekit_disk_t)
+
+fs_list_inotifyfs(devicekit_disk_t)
+fs_manage_fusefs_dirs(devicekit_disk_t)
+fs_mount_all_fs(devicekit_disk_t)
+fs_unmount_all_fs(devicekit_disk_t)
+fs_search_all(devicekit_disk_t)
+
+mls_file_read_all_levels(devicekit_disk_t)
+mls_file_write_to_clearance(devicekit_disk_t)
+
+storage_raw_read_fixed_disk(devicekit_disk_t)
+storage_raw_write_fixed_disk(devicekit_disk_t)
+storage_raw_read_removable_device(devicekit_disk_t)
+storage_raw_write_removable_device(devicekit_disk_t)
+
+term_use_all_terms(devicekit_disk_t)
+
+auth_use_nsswitch(devicekit_disk_t)
+
+miscfiles_read_localization(devicekit_disk_t)
+
+userdom_read_all_users_state(devicekit_disk_t)
+userdom_search_user_home_dirs(devicekit_disk_t)
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_disk_t)
+
+ allow devicekit_disk_t devicekit_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_disk_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ lvm_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ mount_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(devicekit_disk_t)
+ policykit_domtrans_auth(devicekit_disk_t)
+ policykit_read_lib(devicekit_disk_t)
+ policykit_read_reload(devicekit_disk_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(devicekit_disk_t)
+')
+
+optional_policy(`
+ udev_domtrans(devicekit_disk_t)
+ udev_read_db(devicekit_disk_t)
+')
+
+optional_policy(`
+ virt_manage_images(devicekit_disk_t)
+')
+
+########################################
+#
+# DeviceKit-Power local policy
+#
+
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:process getsched;
+allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+
+kernel_read_network_state(devicekit_power_t)
+kernel_read_system_state(devicekit_power_t)
+kernel_rw_hotplug_sysctls(devicekit_power_t)
+kernel_rw_kernel_sysctl(devicekit_power_t)
+kernel_search_debugfs(devicekit_power_t)
+kernel_write_proc_files(devicekit_power_t)
+
+corecmd_exec_bin(devicekit_power_t)
+corecmd_exec_shell(devicekit_power_t)
+
+consoletype_exec(devicekit_power_t)
+
+domain_read_all_domains_state(devicekit_power_t)
+
+dev_read_input(devicekit_power_t)
+dev_rw_generic_usb_dev(devicekit_power_t)
+dev_rw_generic_chr_files(devicekit_power_t)
+dev_rw_netcontrol(devicekit_power_t)
+dev_rw_sysfs(devicekit_power_t)
+
+files_read_kernel_img(devicekit_power_t)
+files_read_etc_files(devicekit_power_t)
+files_read_usr_files(devicekit_power_t)
+
+fs_list_inotifyfs(devicekit_power_t)
+
+term_use_all_terms(devicekit_power_t)
+
+auth_use_nsswitch(devicekit_power_t)
+
+miscfiles_read_localization(devicekit_power_t)
+
+sysnet_read_config(devicekit_power_t)
+sysnet_domtrans_ifconfig(devicekit_power_t)
+
+userdom_read_all_users_state(devicekit_power_t)
+
+optional_policy(`
+ bootloader_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ cron_initrc_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_power_t)
+
+ allow devicekit_power_t devicekit_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(devicekit_power_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ hal_domtrans_mac(devicekit_power_t)
+ hal_manage_log(devicekit_power_t)
+ hal_manage_pid_dirs(devicekit_power_t)
+ hal_manage_pid_files(devicekit_power_t)
+ hal_dbus_chat(devicekit_power_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(devicekit_power_t)
+ policykit_domtrans_auth(devicekit_power_t)
+ policykit_read_lib(devicekit_power_t)
+ policykit_read_reload(devicekit_power_t)
+')
+
+optional_policy(`
+ udev_read_db(devicekit_power_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(devicekit_power_t)
+')
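Review bot: The capability sets granted to `devicekit_disk_t` (`allow devicekit_disk_t self:capability { chown setuid … sys_admin sys_nice sys_ptrace sys_rawio };`) and `devicekit_power_t` (`… sys_admin sys_tty_config sys_nice sys_ptrace`) carry no comment explaining what operation needs each of `sys_admin`, `sys_rawio` and `sys_ptrace`, unlike the `# /var/log/secure` style note the denyhosts hunk uses. Combined with `storage_raw_write_fixed_disk`, `fs_mount_all_fs`, `dev_manage_generic_files` and `mls_file_write_to_clearance` this makes `devicekit_disk_t` a near-unconfined domain, so a maintainer trimming it later has nothing to check against. A short comment above each `self:capability` line naming the feature that requires the non-obvious bits (raw partition I/O, mount/umount, reading other processes' state, or whatever the audit logs showed) would let the grant be revisited safely; if `sys_ptrace` is only there for `domain_read_all_domains_state`, saying so is enough.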
diff --git a/policy/modules/contrib/dhcp.fc b/policy/modules/contrib/dhcp.fc
new file mode 100644
index 00000000..767e0c79
--- /dev/null
+++ b/policy/modules/contrib/dhcp.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+
+/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
+/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
+/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
+
+/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/policy/modules/contrib/dhcp.if b/policy/modules/contrib/dhcp.if
new file mode 100644
index 00000000..5e2cea82
--- /dev/null
+++ b/policy/modules/contrib/dhcp.if
@@ -0,0 +1,99 @@
+## <summary>Dynamic host configuration protocol (DHCP) server</summary>
+
+########################################
+## <summary>
+## Transition to dhcpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dhcpd_domtrans',`
+ gen_require(`
+ type dhcpd_t, dhcpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dhcpd_exec_t, dhcpd_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the DCHP
+## server state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dhcpd_setattr_state_files',`
+ gen_require(`
+ type dhcpd_state_t;
+ ')
+
+ sysnet_search_dhcp_state($1)
+ allow $1 dhcpd_state_t:file setattr;
+')
+
+########################################
+## <summary>
+## Execute dhcp server in the dhcp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#
+interface(`dhcpd_initrc_domtrans',`
+ gen_require(`
+ type dhcpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an dhcp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the dhcp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dhcpd_admin',`
+ gen_require(`
+ type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
+ type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+ ')
+
+ allow $1 dhcpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dhcpd_t)
+
+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dhcpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, dhcpd_tmp_t)
+
+ admin_pattern($1, dhcpd_state_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dhcpd_var_run_t)
+')
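Review bot: Three small style and documentation defects in dhcp.if: the summary of `dhcpd_setattr_state_files` reads `Set the attributes of the DCHP` (misspelt DHCP), `dhcpd_initrc_domtrans` has a doubled `#` terminator line before its `interface(` line, and `dhcpd_admin` declares three types on one line as `type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;` while every other `gen_require` in this series uses the comma form. Suggested line: `type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;`. None of these change policy, but the XML summaries feed the generated interface documentation, so the typo is user-visible.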
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
new file mode 100644
index 00000000..ddcac941
--- /dev/null
+++ b/policy/modules/contrib/dhcp.te
@@ -0,0 +1,135 @@
+policy_module(dhcp, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+## <desc>
+## <p>
+## Enable LDAP backend support for DHCP daemon.
+## </p>
+## </desc>
+gen_tunable(dhcp_use_ldap, false)
+
+type dhcpd_t;
+type dhcpd_exec_t;
+init_daemon_domain(dhcpd_t, dhcpd_exec_t)
+
+type dhcpd_initrc_exec_t;
+init_script_file(dhcpd_initrc_exec_t)
+
+type dhcpd_state_t;
+files_type(dhcpd_state_t)
+
+type dhcpd_tmp_t;
+files_tmp_file(dhcpd_tmp_t)
+
+type dhcpd_var_run_t;
+files_pid_file(dhcpd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dhcpd_t self:capability { net_raw sys_resource };
+dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+allow dhcpd_t self:process signal_perms;
+allow dhcpd_t self:fifo_file rw_fifo_file_perms;
+allow dhcpd_t self:unix_dgram_socket create_socket_perms;
+allow dhcpd_t self:unix_stream_socket create_socket_perms;
+allow dhcpd_t self:tcp_socket create_stream_socket_perms;
+allow dhcpd_t self:udp_socket create_socket_perms;
+# Allow dhcpd_t to use packet sockets
+allow dhcpd_t self:packet_socket create_socket_perms;
+allow dhcpd_t self:rawip_socket create_socket_perms;
+
+can_exec(dhcpd_t, dhcpd_exec_t)
+
+manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t)
+sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file)
+
+manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
+manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
+files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
+
+manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t)
+files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file)
+
+kernel_read_system_state(dhcpd_t)
+kernel_read_kernel_sysctls(dhcpd_t)
+kernel_read_network_state(dhcpd_t)
+
+corenet_all_recvfrom_unlabeled(dhcpd_t)
+corenet_all_recvfrom_netlabel(dhcpd_t)
+corenet_tcp_sendrecv_generic_if(dhcpd_t)
+corenet_udp_sendrecv_generic_if(dhcpd_t)
+corenet_raw_sendrecv_generic_if(dhcpd_t)
+corenet_tcp_sendrecv_generic_node(dhcpd_t)
+corenet_udp_sendrecv_generic_node(dhcpd_t)
+corenet_raw_sendrecv_generic_node(dhcpd_t)
+corenet_tcp_sendrecv_all_ports(dhcpd_t)
+corenet_udp_sendrecv_all_ports(dhcpd_t)
+corenet_tcp_bind_generic_node(dhcpd_t)
+corenet_udp_bind_generic_node(dhcpd_t)
+corenet_udp_bind_all_unreserved_ports(dhcpd_t) # scanning available interfaces
+corenet_tcp_bind_dhcpd_port(dhcpd_t)
+corenet_udp_bind_dhcpd_port(dhcpd_t)
+corenet_udp_bind_pxe_port(dhcpd_t)
+corenet_tcp_connect_all_ports(dhcpd_t)
+corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
+corenet_sendrecv_pxe_server_packets(dhcpd_t)
+corenet_sendrecv_all_client_packets(dhcpd_t)
+
+dev_read_sysfs(dhcpd_t)
+dev_read_rand(dhcpd_t)
+dev_read_urand(dhcpd_t)
+
+fs_getattr_all_fs(dhcpd_t)
+fs_search_auto_mountpoints(dhcpd_t)
+
+corecmd_exec_bin(dhcpd_t)
+
+domain_use_interactive_fds(dhcpd_t)
+
+files_read_etc_files(dhcpd_t)
+files_read_usr_files(dhcpd_t)
+files_read_etc_runtime_files(dhcpd_t)
+files_search_var_lib(dhcpd_t)
+
+auth_use_nsswitch(dhcpd_t)
+
+logging_send_syslog_msg(dhcpd_t)
+
+miscfiles_read_localization(dhcpd_t)
+
+sysnet_read_dhcp_config(dhcpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
+userdom_dontaudit_search_user_home_dirs(dhcpd_t)
+
+ifdef(`distro_gentoo',`
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+')
+
+tunable_policy(`dhcp_use_ldap',`
+ sysnet_use_ldap(dhcpd_t)
+')
+
+optional_policy(`
+ # used for dynamic DNS
+ bind_read_dnssec_keys(dhcpd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(dhcpd_t)
+ dbus_connect_system_bus(dhcpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dhcpd_t)
+')
+
+optional_policy(`
+ udev_read_db(dhcpd_t)
+')
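Review bot: `corenet_tcp_connect_all_ports(dhcpd_t)` grants outbound TCP to every labeled port with no justification, while the neighbouring `corenet_udp_bind_all_unreserved_ports(dhcpd_t) # scanning available interfaces` shows the file's convention of commenting broad network grants. If the connect right exists for the LDAP backend it arguably belongs inside the `tunable_policy(`dhcp_use_ldap',` block alongside `sysnet_use_ldap`, and if it is for dynamic DNS updates it could be scoped to the DNS port; either way a trailing comment such as `# for <reason>` should record why all ports are needed. The `ifdef(`distro_gentoo',` capability block (`chown dac_override setgid setuid sys_chroot`) likewise has no comment about which Gentoo init behaviour requires it.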
diff --git a/policy/modules/contrib/dictd.fc b/policy/modules/contrib/dictd.fc
new file mode 100644
index 00000000..54f88c87
--- /dev/null
+++ b/policy/modules/contrib/dictd.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0)
+
+/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0)
+
+/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
+
+/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
+
+/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
diff --git a/policy/modules/contrib/dictd.if b/policy/modules/contrib/dictd.if
new file mode 100644
index 00000000..a0d23ce1
--- /dev/null
+++ b/policy/modules/contrib/dictd.if
@@ -0,0 +1,57 @@
+## <summary>Dictionary daemon</summary>
+
+########################################
+## <summary>
+## Use dictionary services by connecting
+## over TCP. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dictd_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an dictd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the dictd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dictd_admin',`
+ gen_require(`
+ type dictd_t, dictd_etc_t, dictd_var_lib_t;
+ type dictd_var_run_t, dictd_initrc_exec_t;
+ ')
+
+ allow $1 dictd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dictd_t)
+
+ init_labeled_script_domtrans($1, dictd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dictd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, dictd_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dictd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dictd_var_run_t)
+')
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
new file mode 100644
index 00000000..d2d93594
--- /dev/null
+++ b/policy/modules/contrib/dictd.te
@@ -0,0 +1,98 @@
+policy_module(dictd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type dictd_t;
+type dictd_exec_t;
+init_daemon_domain(dictd_t, dictd_exec_t)
+
+type dictd_etc_t;
+files_config_file(dictd_etc_t)
+
+type dictd_initrc_exec_t;
+init_script_file(dictd_initrc_exec_t)
+
+type dictd_var_lib_t alias var_lib_dictd_t;
+files_type(dictd_var_lib_t)
+
+type dictd_var_run_t;
+files_pid_file(dictd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dictd_t self:capability { setuid setgid };
+dontaudit dictd_t self:capability sys_tty_config;
+allow dictd_t self:process { signal_perms setpgid };
+allow dictd_t self:unix_stream_socket create_stream_socket_perms;
+allow dictd_t self:tcp_socket create_stream_socket_perms;
+allow dictd_t self:udp_socket create_socket_perms;
+
+allow dictd_t dictd_etc_t:file read_file_perms;
+files_search_etc(dictd_t)
+
+allow dictd_t dictd_var_lib_t:dir list_dir_perms;
+allow dictd_t dictd_var_lib_t:file read_file_perms;
+
+manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t)
+files_pid_filetrans(dictd_t, dictd_var_run_t, file)
+
+kernel_read_system_state(dictd_t)
+kernel_read_kernel_sysctls(dictd_t)
+
+corenet_all_recvfrom_unlabeled(dictd_t)
+corenet_all_recvfrom_netlabel(dictd_t)
+corenet_tcp_sendrecv_generic_if(dictd_t)
+corenet_raw_sendrecv_generic_if(dictd_t)
+corenet_udp_sendrecv_generic_if(dictd_t)
+corenet_tcp_sendrecv_generic_node(dictd_t)
+corenet_udp_sendrecv_generic_node(dictd_t)
+corenet_raw_sendrecv_generic_node(dictd_t)
+corenet_tcp_sendrecv_all_ports(dictd_t)
+corenet_udp_sendrecv_all_ports(dictd_t)
+corenet_tcp_bind_generic_node(dictd_t)
+corenet_tcp_bind_dict_port(dictd_t)
+corenet_sendrecv_dict_server_packets(dictd_t)
+
+dev_read_sysfs(dictd_t)
+
+fs_getattr_xattr_fs(dictd_t)
+fs_search_auto_mountpoints(dictd_t)
+
+domain_use_interactive_fds(dictd_t)
+
+files_read_etc_files(dictd_t)
+files_read_etc_runtime_files(dictd_t)
+files_read_usr_files(dictd_t)
+files_search_var_lib(dictd_t)
+# for checking for nscd
+files_dontaudit_search_pids(dictd_t)
+
+logging_send_syslog_msg(dictd_t)
+
+miscfiles_read_localization(dictd_t)
+
+sysnet_read_config(dictd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dictd_t)
+
+optional_policy(`
+ nis_use_ypbind(dictd_t)
+')
+
+optional_policy(`
+ nscd_socket_use(dictd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dictd_t)
+')
+
+optional_policy(`
+ udev_read_db(dictd_t)
+')
diff --git a/policy/modules/contrib/distcc.fc b/policy/modules/contrib/distcc.fc
new file mode 100644
index 00000000..6ce6b006
--- /dev/null
+++ b/policy/modules/contrib/distcc.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/distccd -- gen_context(system_u:object_r:distccd_exec_t,s0)
diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if
new file mode 100644
index 00000000..926e9595
--- /dev/null
+++ b/policy/modules/contrib/distcc.if
@@ -0,0 +1 @@
+## <summary>Distributed compiler daemon</summary>
diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te
new file mode 100644
index 00000000..54d93e8f
--- /dev/null
+++ b/policy/modules/contrib/distcc.te
@@ -0,0 +1,93 @@
+policy_module(distcc, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type distccd_t;
+type distccd_exec_t;
+init_daemon_domain(distccd_t, distccd_exec_t)
+
+type distccd_log_t;
+logging_log_file(distccd_log_t)
+
+type distccd_tmp_t;
+files_tmp_file(distccd_tmp_t)
+
+type distccd_var_run_t;
+files_pid_file(distccd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow distccd_t self:capability { setgid setuid };
+dontaudit distccd_t self:capability sys_tty_config;
+allow distccd_t self:process { signal_perms setsched };
+allow distccd_t self:fifo_file rw_fifo_file_perms;
+allow distccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow distccd_t self:tcp_socket create_stream_socket_perms;
+allow distccd_t self:udp_socket create_socket_perms;
+
+allow distccd_t distccd_log_t:file manage_file_perms;
+logging_log_filetrans(distccd_t, distccd_log_t, file)
+
+manage_dirs_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t)
+manage_files_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t)
+files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir })
+
+manage_files_pattern(distccd_t, distccd_var_run_t, distccd_var_run_t)
+files_pid_filetrans(distccd_t, distccd_var_run_t, file)
+
+kernel_read_system_state(distccd_t)
+kernel_read_kernel_sysctls(distccd_t)
+
+corenet_all_recvfrom_unlabeled(distccd_t)
+corenet_all_recvfrom_netlabel(distccd_t)
+corenet_tcp_sendrecv_generic_if(distccd_t)
+corenet_udp_sendrecv_generic_if(distccd_t)
+corenet_tcp_sendrecv_generic_node(distccd_t)
+corenet_udp_sendrecv_generic_node(distccd_t)
+corenet_tcp_sendrecv_all_ports(distccd_t)
+corenet_udp_sendrecv_all_ports(distccd_t)
+corenet_tcp_bind_generic_node(distccd_t)
+corenet_tcp_bind_distccd_port(distccd_t)
+corenet_sendrecv_distccd_server_packets(distccd_t)
+
+dev_read_sysfs(distccd_t)
+
+fs_getattr_all_fs(distccd_t)
+fs_search_auto_mountpoints(distccd_t)
+
+corecmd_exec_bin(distccd_t)
+corecmd_read_bin_symlinks(distccd_t)
+
+domain_use_interactive_fds(distccd_t)
+
+files_read_etc_files(distccd_t)
+files_read_etc_runtime_files(distccd_t)
+
+libs_exec_lib_files(distccd_t)
+
+logging_send_syslog_msg(distccd_t)
+
+miscfiles_read_localization(distccd_t)
+
+sysnet_read_config(distccd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(distccd_t)
+userdom_dontaudit_search_user_home_dirs(distccd_t)
+
+optional_policy(`
+ nis_use_ypbind(distccd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(distccd_t)
+')
+
+optional_policy(`
+ udev_read_db(distccd_t)
+')
diff --git a/policy/modules/contrib/djbdns.fc b/policy/modules/contrib/djbdns.fc
new file mode 100644
index 00000000..fdb66525
--- /dev/null
+++ b/policy/modules/contrib/djbdns.fc
@@ -0,0 +1,9 @@
+
+/usr/bin/axfrdns -- gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0)
+/usr/bin/dnscache -- gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0)
+/usr/bin/tinydns -- gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0)
+
+/var/axfrdns/root(/.*)? gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0)
+/var/dnscache/root(/.*)? gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0)
+/var/tinydns/root(/.*)? gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0)
+
diff --git a/policy/modules/contrib/djbdns.if b/policy/modules/contrib/djbdns.if
new file mode 100644
index 00000000..ade3079b
--- /dev/null
+++ b/policy/modules/contrib/djbdns.if
@@ -0,0 +1,90 @@
+## <summary>small and secure DNS daemon</summary>
+
+########################################
+## <summary>
+## Create a set of derived types for djbdns
+## components that are directly supervised by daemontools.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`djbdns_daemontools_domain_template',`
+
+ type djbdns_$1_t;
+ type djbdns_$1_exec_t;
+ type djbdns_$1_conf_t;
+ files_config_file(djbdns_$1_conf_t)
+
+ domain_type(djbdns_$1_t)
+ domain_entry_file(djbdns_$1_t, djbdns_$1_exec_t)
+ role system_r types djbdns_$1_t;
+
+ daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)
+ daemontools_read_svc(djbdns_$1_t)
+
+ allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
+ allow djbdns_$1_t self:process signal;
+ allow djbdns_$1_t self:fifo_file rw_fifo_file_perms;
+ allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
+ allow djbdns_$1_t self:udp_socket create_socket_perms;
+
+ allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
+ allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
+
+ corenet_all_recvfrom_unlabeled(djbdns_$1_t)
+ corenet_all_recvfrom_netlabel(djbdns_$1_t)
+ corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
+ corenet_udp_sendrecv_generic_if(djbdns_$1_t)
+ corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
+ corenet_udp_sendrecv_generic_node(djbdns_$1_t)
+ corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_udp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_tcp_bind_generic_node(djbdns_$1_t)
+ corenet_udp_bind_generic_node(djbdns_$1_t)
+ corenet_tcp_bind_dns_port(djbdns_$1_t)
+ corenet_udp_bind_dns_port(djbdns_$1_t)
+ corenet_udp_bind_generic_port(djbdns_$1_t)
+ corenet_sendrecv_dns_server_packets(djbdns_$1_t)
+ corenet_sendrecv_generic_server_packets(djbdns_$1_t)
+
+ files_search_var(djbdns_$1_t)
+')
+
+#####################################
+## <summary>
+## Allow search the djbdns-tinydns key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`djbdns_search_tinydns_keys',`
+ gen_require(`
+ type djbdns_tinydns_t;
+ ')
+
+ allow $1 djbdns_tinydns_t:key search;
+')
+
+#####################################
+## <summary>
+## Allow link to the djbdns-tinydns key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`djbdns_link_tinydns_keys',`
+ gen_require(`
+ type djbdns_tinydn_t;
+ ')
+
+ allow $1 djbdns_tinydn_t:key link;
+')
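Review bot: `djbdns_link_tinydns_keys` requires and uses `djbdns_tinydn_t`, a type that nothing declares; the template at the top of this file produces `djbdns_$1_t`, which for `djbdns_daemontools_domain_template(tinydns)` in djbdns.te is `djbdns_tinydns_t`, and the sibling `djbdns_search_tinydns_keys` directly above spells it that way. Any module calling this interface would fail to link on the unknown type. Change the two lines to `type djbdns_tinydns_t;` and `allow $1 djbdns_tinydns_t:key link;`.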
diff --git a/policy/modules/contrib/djbdns.te b/policy/modules/contrib/djbdns.te
new file mode 100644
index 00000000..03b5286d
--- /dev/null
+++ b/policy/modules/contrib/djbdns.te
@@ -0,0 +1,49 @@
+policy_module(djbdns, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type djbdns_axfrdns_t;
+type djbdns_axfrdns_exec_t;
+domain_type(djbdns_axfrdns_t)
+domain_entry_file(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+role system_r types djbdns_axfrdns_t;
+
+type djbdns_axfrdns_conf_t;
+files_config_file(djbdns_axfrdns_conf_t)
+
+djbdns_daemontools_domain_template(dnscache)
+
+djbdns_daemontools_domain_template(tinydns)
+
+########################################
+#
+# Local policy for axfrdns component
+#
+
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
+allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
+
+allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
+allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms;
+
+allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_t:file read_file_perms;
+
+allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir list_dir_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
+
+files_search_var(djbdns_axfrdns_t)
+
+ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+
+########################################
+#
+# Local policy for tinydns
+#
+
+init_dontaudit_use_script_fds(djbdns_tinydns_t)
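Review bot: The pair `allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms;` / `allow djbdns_axfrdns_t djbdns_tinydns_t:file read_file_perms;` targets a process domain type with file-class permissions, which only makes sense as access to the tinydns process's `/proc/<pid>` entries; the configuration data is already covered by the `djbdns_tinydns_conf_t` rules immediately below. If reading the running tinydns process state is intended, the refpolicy idiom is `ps_process_pattern(djbdns_axfrdns_t, djbdns_tinydns_t)` with a comment saying why axfrdns needs it; if it was meant as a second copy of the conf rules it can be dropped. A one-line comment above the pair would resolve the ambiguity either way.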
diff --git a/policy/modules/contrib/dkim.fc b/policy/modules/contrib/dkim.fc
new file mode 100644
index 00000000..bf4321a1
--- /dev/null
+++ b/policy/modules/contrib/dkim.fc
@@ -0,0 +1,14 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+
+/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
new file mode 100644
index 00000000..32d108ad
--- /dev/null
+++ b/policy/modules/contrib/dkim.if
@@ -0,0 +1 @@
+## <summary>DomainKeys Identified Mail milter.</summary>
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
new file mode 100644
index 00000000..cc1199e1
--- /dev/null
+++ b/policy/modules/contrib/dkim.te
@@ -0,0 +1,33 @@
+policy_module(dkim, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+milter_template(dkim)
+
+# Type for the private key of dkim-filter
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dkim_milter_t self:capability { setgid setuid };
+allow dkim_milter_t self:process signal;
+
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
+kernel_read_kernel_sysctls(dkim_milter_t)
+
+dev_read_urand(dkim_milter_t)
+
+files_read_etc_files(dkim_milter_t)
+files_search_spool(dkim_milter_t)
+
+sysnet_dns_name_resolve(dkim_milter_t)
+
+mta_read_config(dkim_milter_t)
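Review bot: The only capability rule, `allow dkim_milter_t self:capability { setgid setuid };`, carries no comment, while the neighbouring type declaration does; a one-liner such as `# presumably to drop to the milter's unprivileged user after start — confirm` keeps the privilege grant reviewable. Since `dkim_milter_private_key_t` is the only type here labelling signing material and is read exclusively via `read_files_pattern(dkim_milter_t, ...)`, it would also help to state that intent on the declaration, e.g. `# DKIM signing keys: readable by dkim_milter_t only; no manage interface is exported deliberately`, so a later "convenience" interface is not added without thought. `milter_template(dkim)` defines dkim_milter_t outside this hunk.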
diff --git a/policy/modules/contrib/dmidecode.fc b/policy/modules/contrib/dmidecode.fc
new file mode 100644
index 00000000..016e6b88
--- /dev/null
+++ b/policy/modules/contrib/dmidecode.fc
@@ -0,0 +1,4 @@
+
+/usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
diff --git a/policy/modules/contrib/dmidecode.if b/policy/modules/contrib/dmidecode.if
new file mode 100644
index 00000000..4bf435c9
--- /dev/null
+++ b/policy/modules/contrib/dmidecode.if
@@ -0,0 +1,50 @@
+## <summary>Decode DMI data for x86/ia64 bioses.</summary>
+
+########################################
+## <summary>
+## Execute dmidecode in the dmidecode domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dmidecode_domtrans',`
+ gen_require(`
+ type dmidecode_t, dmidecode_exec_t;
+ ')
+
+ domain_auto_trans($1, dmidecode_exec_t, dmidecode_t)
+
+ allow $1 dmidecode_t:fd use;
+ allow dmidecode_t $1:fd use;
+ allow dmidecode_t $1:fifo_file rw_file_perms;
+ allow dmidecode_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute dmidecode in the dmidecode domain, and
+## allow the specified role the dmidecode domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dmidecode_run',`
+ gen_require(`
+ type dmidecode_t;
+ ')
+
+ dmidecode_domtrans($1)
+ role $2 types dmidecode_t;
+')
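Review bot: `dmidecode_domtrans` hand-writes the transition with `domain_auto_trans($1, dmidecode_exec_t, dmidecode_t)` plus four fd/fifo/sigchld rules, whereas every other new domtrans interface in this commit (dnsmasq, dovecot, dpkg) uses `domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)`, which expands to the same set; replacing the five lines with that single call keeps the interfaces consistent and avoids drift if the pattern gains rules. The fifo rule `allow dmidecode_t $1:fifo_file rw_file_perms;` also uses the file permission set on a fifo object — `rw_fifo_file_perms` is the matching set — and the same construction appears in `dpkg_domtrans_script` in dpkg.if. In `dmidecode_run`, `dmidecode_domtrans($1)` already requires `dmidecode_t`, so the local gen_require is only needed for the `role $2 types dmidecode_t;` line, which is fine but worth a comment.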
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
new file mode 100644
index 00000000..d6356b53
--- /dev/null
+++ b/policy/modules/contrib/dmidecode.te
@@ -0,0 +1,30 @@
+policy_module(dmidecode, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type dmidecode_t;
+type dmidecode_exec_t;
+application_domain(dmidecode_t, dmidecode_exec_t)
+role system_r types dmidecode_t;
+
+########################################
+#
+# Local policy
+#
+
+allow dmidecode_t self:capability sys_rawio;
+
+dev_read_sysfs(dmidecode_t)
+# Allow dmidecode to read /dev/mem
+dev_read_raw_memory(dmidecode_t)
+
+mls_file_read_all_levels(dmidecode_t)
+
+files_list_usr(dmidecode_t)
+
+locallogin_use_fds(dmidecode_t)
+
+userdom_use_user_terminals(dmidecode_t)
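Review bot: `mls_file_read_all_levels(dmidecode_t)` is an MLS constraint exemption and has no justification, while the adjacent `dev_read_raw_memory` line does; a comment such as `# MLS: /dev/mem must be readable regardless of the caller's level — confirm this is the reason` would keep the override auditable. The same applies to `allow dmidecode_t self:capability sys_rawio;`, which is the capability that actually gates raw memory access and deserves to be tied to the /dev/mem comment rather than standing alone.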
diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc
new file mode 100644
index 00000000..b8866766
--- /dev/null
+++ b/policy/modules/contrib/dnsmasq.fc
@@ -0,0 +1,12 @@
+/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
+/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+
+/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+
+/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+
+/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+
+/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
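Review bot: The first entry, `/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)`, has a space before `s0` that no other line in this file or the other new .fc files has; write it as `gen_context(system_u:object_r:dnsmasq_etc_t,s0)` for consistency. It would also help to comment the last entry, since labelling `/var/run/libvirt/network(/.*)?` as `dnsmasq_var_run_t` is the only non-obvious mapping here — e.g. `# libvirt spawns dnsmasq for its virtual networks; presumably its pid/lease files live here — confirm`.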
diff --git a/policy/modules/contrib/dnsmasq.if b/policy/modules/contrib/dnsmasq.if
new file mode 100644
index 00000000..9bd812b4
--- /dev/null
+++ b/policy/modules/contrib/dnsmasq.if
@@ -0,0 +1,211 @@
+## <summary>dnsmasq DNS forwarder and DHCP server</summary>
+
+########################################
+## <summary>
+## Execute dnsmasq server in the dnsmasq domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_domtrans',`
+ gen_require(`
+ type dnsmasq_exec_t, dnsmasq_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
+')
+
+########################################
+## <summary>
+## Execute the dnsmasq init script in the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_initrc_domtrans',`
+ gen_require(`
+ type dnsmasq_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Send dnsmasq a signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_signal',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process signal;
+')
+
+########################################
+## <summary>
+## Send dnsmasq a signull
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_signull',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process signull;
+')
+
+########################################
+## <summary>
+## Send dnsmasq a kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_kill',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Read dnsmasq config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_read_config',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ ')
+
+ read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Write to dnsmasq config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_write_config',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ ')
+
+ write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Delete dnsmasq pid files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_delete_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+## <summary>
+## Read dnsmasq pid files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_read_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an dnsmasq environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the dnsmasq domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dnsmasq_admin',`
+ gen_require(`
+ type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
+ type dnsmasq_initrc_exec_t;
+ ')
+
+ allow $1 dnsmasq_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dnsmasq_t)
+
+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dnsmasq_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, dnsmasq_lease_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dnsmasq_var_run_t)
+')
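Review bot: `dnsmasq_admin` grants admin access to the lease and pid types but omits `dnsmasq_etc_t` and `dnsmasq_var_log_t`, so an administrator role given this interface still cannot edit the configuration or rotate the logs; compare `dovecot_admin` in this same commit, which covers its etc and log types. The summary text "administrate an dnsmasq environment" should read "administer a dnsmasq environment". The doubled `#` lines closing several interface headers (e.g. after `dnsmasq_domtrans`) are harmless but inconsistent with the single `#` used elsewhere in the commit.

```selinux
interface(`dnsmasq_admin',`
	gen_require(`
		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
		type dnsmasq_etc_t, dnsmasq_var_log_t;
		type dnsmasq_initrc_exec_t;
	')

	# … unchanged: ptrace/ps, init script transition, role rules …

	files_list_etc($1)
	admin_pattern($1, dnsmasq_etc_t)

	logging_list_logs($1)
	admin_pattern($1, dnsmasq_var_log_t)

	# … unchanged: lease and pid admin patterns …
')
```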
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
new file mode 100644
index 00000000..fdaeebac
--- /dev/null
+++ b/policy/modules/contrib/dnsmasq.te
@@ -0,0 +1,117 @@
+policy_module(dnsmasq, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type dnsmasq_t;
+type dnsmasq_exec_t;
+init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
+
+type dnsmasq_initrc_exec_t;
+init_script_file(dnsmasq_initrc_exec_t)
+
+type dnsmasq_etc_t;
+files_config_file(dnsmasq_etc_t)
+
+type dnsmasq_lease_t;
+files_type(dnsmasq_lease_t)
+
+type dnsmasq_var_log_t;
+logging_log_file(dnsmasq_var_log_t)
+
+type dnsmasq_var_run_t;
+files_pid_file(dnsmasq_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_bind_service net_raw };
+dontaudit dnsmasq_t self:capability sys_tty_config;
+allow dnsmasq_t self:process { getcap setcap signal_perms };
+allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
+allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
+allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
+allow dnsmasq_t self:udp_socket create_socket_perms;
+allow dnsmasq_t self:packet_socket create_socket_perms;
+allow dnsmasq_t self:rawip_socket create_socket_perms;
+
+read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+
+# dhcp leases
+manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
+files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+
+manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
+logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
+
+manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
+files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
+
+kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_read_system_state(dnsmasq_t)
+
+corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corenet_all_recvfrom_netlabel(dnsmasq_t)
+corenet_tcp_sendrecv_generic_if(dnsmasq_t)
+corenet_udp_sendrecv_generic_if(dnsmasq_t)
+corenet_raw_sendrecv_generic_if(dnsmasq_t)
+corenet_tcp_sendrecv_generic_node(dnsmasq_t)
+corenet_udp_sendrecv_generic_node(dnsmasq_t)
+corenet_raw_sendrecv_generic_node(dnsmasq_t)
+corenet_tcp_sendrecv_all_ports(dnsmasq_t)
+corenet_udp_sendrecv_all_ports(dnsmasq_t)
+corenet_tcp_bind_generic_node(dnsmasq_t)
+corenet_udp_bind_generic_node(dnsmasq_t)
+corenet_tcp_bind_dns_port(dnsmasq_t)
+corenet_udp_bind_all_ports(dnsmasq_t)
+corenet_sendrecv_dns_server_packets(dnsmasq_t)
+corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
+
+dev_read_sysfs(dnsmasq_t)
+dev_read_urand(dnsmasq_t)
+
+domain_use_interactive_fds(dnsmasq_t)
+
+files_read_etc_files(dnsmasq_t)
+files_read_etc_runtime_files(dnsmasq_t)
+
+fs_getattr_all_fs(dnsmasq_t)
+fs_search_auto_mountpoints(dnsmasq_t)
+
+auth_use_nsswitch(dnsmasq_t)
+
+logging_send_syslog_msg(dnsmasq_t)
+
+miscfiles_read_localization(dnsmasq_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
+userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
+
+optional_policy(`
+ cobbler_read_lib_files(dnsmasq_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(dnsmasq_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dnsmasq_t)
+')
+
+optional_policy(`
+ tftp_read_content(dnsmasq_t)
+')
+
+optional_policy(`
+ udev_read_db(dnsmasq_t)
+')
+
+optional_policy(`
+ virt_manage_lib_files(dnsmasq_t)
+ virt_read_pid_files(dnsmasq_t)
+')
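Review bot: `corenet_udp_bind_all_ports(dnsmasq_t)` lets the daemon bind any UDP port while the TCP side is narrowed to `corenet_tcp_bind_dns_port`; the asymmetry has no comment, and the packet rules just below (`corenet_sendrecv_dns_server_packets`, `corenet_sendrecv_dhcpd_server_packets`) suggest the needed set is DNS and DHCP, with TFTP if the `tftp_read_content` optional block is in use. If a broad bind is genuinely required (the reason is not visible here), say why in a comment, e.g. `# dnsmasq binds arbitrary UDP ports for <reason> — TODO confirm`; otherwise prefer the per-port interfaces `corenet_udp_bind_dns_port`, `corenet_udp_bind_dhcpd_port` and `corenet_udp_bind_tftp_port`. The capability set `{ chown dac_override net_admin setgid setuid net_bind_service net_raw }` likewise deserves a one-line note on what `dac_override` and `net_admin` are for.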
diff --git a/policy/modules/contrib/dovecot.fc b/policy/modules/contrib/dovecot.fc
new file mode 100644
index 00000000..3a3ecb28
--- /dev/null
+++ b/policy/modules/contrib/dovecot.fc
@@ -0,0 +1,46 @@
+
+#
+# /etc
+#
+/etc/dovecot(/.*)?* gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+
+/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
+
+# Debian uses /etc/dovecot/
+ifdef(`distro_debian',`
+/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+')
+
+#
+# /usr
+#
+/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+
+/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+
+ifdef(`distro_debian', `
+/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
+
+ifdef(`distro_redhat', `
+/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
+
+#
+# /var
+#
+/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+
+/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
+/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
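Review bot: The pattern on the first /etc line, `/etc/dovecot(/.*)?*`, has a stray trailing `*` after the optional group; every other directory entry in this file uses `(/.*)?`, and the extra quantifier is at best redundant and at worst rejected by the regex engine. Change it to `/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)`. Note that on non-Debian systems a `/etc/dovecot/passwd` file would fall under this entry and be labelled `dovecot_etc_t` rather than `dovecot_passwd_t`; whether that is intended should be stated in the comment above the `distro_debian` block.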
diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
new file mode 100644
index 00000000..e1d7dc5a
--- /dev/null
+++ b/policy/modules/contrib/dovecot.if
@@ -0,0 +1,130 @@
+## <summary>Dovecot POP and IMAP mail server</summary>
+
+########################################
+## <summary>
+## Connect to dovecot auth unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_stream_connect_auth',`
+ gen_require(`
+ type dovecot_auth_t, dovecot_var_run_t;
+ ')
+
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
+')
+
+########################################
+## <summary>
+## Execute dovecot_deliver in the dovecot_deliver domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dovecot_domtrans_deliver',`
+ gen_require(`
+ type dovecot_deliver_t, dovecot_deliver_exec_t;
+ ')
+
+ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the dovecot spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dovecot_manage_spool',`
+ gen_require(`
+ type dovecot_spool_t;
+ ')
+
+ manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+ manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to delete dovecot lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dovecot_dontaudit_unlink_lib_files',`
+ gen_require(`
+ type dovecot_var_lib_t;
+ ')
+
+ dontaudit $1 dovecot_var_lib_t:file unlink;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an dovecot environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the dovecot domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_admin',`
+ gen_require(`
+ type dovecot_t, dovecot_etc_t, dovecot_log_t;
+ type dovecot_spool_t, dovecot_var_lib_t;
+ type dovecot_var_run_t;
+
+ type dovecot_cert_t, dovecot_passwd_t;
+ type dovecot_initrc_exec_t;
+ ')
+
+ allow $1 dovecot_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dovecot_t)
+
+ init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dovecot_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, dovecot_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, dovecot_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, dovecot_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dovecot_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dovecot_var_run_t)
+
+ admin_pattern($1, dovecot_cert_t)
+
+ admin_pattern($1, dovecot_passwd_t)
+')
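Review bot: `dovecot_admin` requires and administers `dovecot_log_t`, but dovecot.te in this same commit declares the log type as `dovecot_var_log_t` and never declares `dovecot_log_t`, so any module calling `dovecot_admin` will fail to link on an undeclared type; change both the gen_require line and `admin_pattern($1, dovecot_log_t)` to `dovecot_var_log_t`. Separately, `dovecot_stream_connect_auth` carries a `<rolecap/>` tag although it takes no role parameter and grants no role access; drop the tag so the generated interface documentation is accurate.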
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
new file mode 100644
index 00000000..2df77662
--- /dev/null
+++ b/policy/modules/contrib/dovecot.te
@@ -0,0 +1,306 @@
+policy_module(dovecot, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+type dovecot_t;
+type dovecot_exec_t;
+init_daemon_domain(dovecot_t, dovecot_exec_t)
+
+type dovecot_auth_t;
+type dovecot_auth_exec_t;
+domain_type(dovecot_auth_t)
+domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
+role system_r types dovecot_auth_t;
+
+type dovecot_auth_tmp_t;
+files_tmp_file(dovecot_auth_tmp_t)
+
+type dovecot_cert_t;
+files_type(dovecot_cert_t)
+
+type dovecot_deliver_t;
+type dovecot_deliver_exec_t;
+domain_type(dovecot_deliver_t)
+domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+role system_r types dovecot_deliver_t;
+
+type dovecot_etc_t;
+files_config_file(dovecot_etc_t)
+
+type dovecot_initrc_exec_t;
+init_script_file(dovecot_initrc_exec_t)
+
+type dovecot_passwd_t;
+files_type(dovecot_passwd_t)
+
+type dovecot_spool_t;
+files_type(dovecot_spool_t)
+
+type dovecot_tmp_t;
+files_tmp_file(dovecot_tmp_t)
+
+# /var/lib/dovecot holds SSL parameters file
+type dovecot_var_lib_t;
+files_type(dovecot_var_lib_t)
+
+type dovecot_var_log_t;
+logging_log_file(dovecot_var_log_t)
+
+type dovecot_var_run_t;
+files_pid_file(dovecot_var_run_t)
+
+########################################
+#
+# dovecot local policy
+#
+
+allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
+dontaudit dovecot_t self:capability sys_tty_config;
+allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+allow dovecot_t self:fifo_file rw_fifo_file_perms;
+allow dovecot_t self:tcp_socket create_stream_socket_perms;
+allow dovecot_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+
+allow dovecot_t dovecot_auth_t:process signal;
+
+allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+
+allow dovecot_t dovecot_etc_t:file read_file_perms;
+files_search_etc(dovecot_t)
+
+can_exec(dovecot_t, dovecot_exec_t)
+
+manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
+
+# Allow dovecot to create and read SSL parameters file
+manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
+files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
+
+manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
+
+manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+
+manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
+
+kernel_read_kernel_sysctls(dovecot_t)
+kernel_read_system_state(dovecot_t)
+
+corenet_all_recvfrom_unlabeled(dovecot_t)
+corenet_all_recvfrom_netlabel(dovecot_t)
+corenet_tcp_sendrecv_generic_if(dovecot_t)
+corenet_tcp_sendrecv_generic_node(dovecot_t)
+corenet_tcp_sendrecv_all_ports(dovecot_t)
+corenet_tcp_bind_generic_node(dovecot_t)
+corenet_tcp_bind_mail_port(dovecot_t)
+corenet_tcp_bind_pop_port(dovecot_t)
+corenet_tcp_bind_sieve_port(dovecot_t)
+corenet_tcp_connect_all_ports(dovecot_t)
+corenet_tcp_connect_postgresql_port(dovecot_t)
+corenet_sendrecv_pop_server_packets(dovecot_t)
+corenet_sendrecv_all_client_packets(dovecot_t)
+
+dev_read_sysfs(dovecot_t)
+dev_read_urand(dovecot_t)
+
+fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
+fs_search_auto_mountpoints(dovecot_t)
+fs_list_inotifyfs(dovecot_t)
+
+corecmd_exec_bin(dovecot_t)
+
+domain_use_interactive_fds(dovecot_t)
+
+files_read_etc_files(dovecot_t)
+files_search_spool(dovecot_t)
+files_search_tmp(dovecot_t)
+files_dontaudit_list_default(dovecot_t)
+# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
+files_read_etc_runtime_files(dovecot_t)
+files_search_all_mountpoints(dovecot_t)
+
+init_getattr_utmp(dovecot_t)
+
+auth_use_nsswitch(dovecot_t)
+
+logging_send_syslog_msg(dovecot_t)
+
+miscfiles_read_generic_certs(dovecot_t)
+miscfiles_read_localization(dovecot_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_manage_user_home_content_dirs(dovecot_t)
+userdom_manage_user_home_content_files(dovecot_t)
+userdom_manage_user_home_content_symlinks(dovecot_t)
+userdom_manage_user_home_content_pipes(dovecot_t)
+userdom_manage_user_home_content_sockets(dovecot_t)
+userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
+
+mta_manage_spool(dovecot_t)
+
+optional_policy(`
+ kerberos_keytab_template(dovecot, dovecot_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(dovecot_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dovecot_t)
+')
+
+optional_policy(`
+ squid_dontaudit_search_cache(dovecot_t)
+')
+
+optional_policy(`
+ udev_read_db(dovecot_t)
+')
+
+########################################
+#
+# dovecot auth local policy
+#
+
+allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
+allow dovecot_auth_t self:process { signal_perms getcap setcap };
+allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
+allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+
+read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+
+manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
+
+allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect_auth(dovecot_auth_t)
+
+kernel_read_all_sysctls(dovecot_auth_t)
+kernel_read_system_state(dovecot_auth_t)
+
+logging_send_audit_msgs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
+dev_read_urand(dovecot_auth_t)
+
+auth_domtrans_chk_passwd(dovecot_auth_t)
+auth_use_nsswitch(dovecot_auth_t)
+
+files_read_etc_files(dovecot_auth_t)
+files_read_etc_runtime_files(dovecot_auth_t)
+files_search_pids(dovecot_auth_t)
+files_read_usr_files(dovecot_auth_t)
+files_read_usr_symlinks(dovecot_auth_t)
+files_read_var_lib_files(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
+files_read_var_lib_files(dovecot_t)
+
+init_rw_utmp(dovecot_auth_t)
+
+miscfiles_read_localization(dovecot_auth_t)
+
+seutil_dontaudit_search_config(dovecot_auth_t)
+
+optional_policy(`
+ kerberos_use(dovecot_auth_t)
+
+ # for gssapi (kerberos)
+ userdom_list_user_tmp(dovecot_auth_t)
+ userdom_read_user_tmp_files(dovecot_auth_t)
+ userdom_read_user_tmp_symlinks(dovecot_auth_t)
+')
+
+optional_policy(`
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
+')
+
+optional_policy(`
+ nis_authenticate(dovecot_auth_t)
+')
+
+optional_policy(`
+ postfix_search_spool(dovecot_auth_t)
+')
+
+########################################
+#
+# dovecot deliver local policy
+#
+allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
+allow dovecot_deliver_t dovecot_t:process signull;
+
+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
+kernel_read_all_sysctls(dovecot_deliver_t)
+kernel_read_system_state(dovecot_deliver_t)
+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+
+auth_use_nsswitch(dovecot_deliver_t)
+
+logging_send_syslog_msg(dovecot_deliver_t)
+logging_search_logs(dovecot_auth_t)
+
+miscfiles_read_localization(dovecot_deliver_t)
+
+dovecot_stream_connect_auth(dovecot_deliver_t)
+
+files_search_tmp(dovecot_deliver_t)
+
+fs_getattr_all_fs(dovecot_deliver_t)
+
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
+userdom_manage_user_home_content_files(dovecot_deliver_t)
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(dovecot_deliver_t)
+ fs_manage_nfs_files(dovecot_deliver_t)
+ fs_manage_nfs_symlinks(dovecot_deliver_t)
+ fs_manage_nfs_dirs(dovecot_t)
+ fs_manage_nfs_files(dovecot_t)
+ fs_manage_nfs_symlinks(dovecot_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(dovecot_deliver_t)
+ fs_manage_cifs_files(dovecot_deliver_t)
+ fs_manage_cifs_symlinks(dovecot_deliver_t)
+ fs_manage_cifs_dirs(dovecot_t)
+ fs_manage_cifs_files(dovecot_t)
+ fs_manage_cifs_symlinks(dovecot_t)
+')
+
+optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
+')
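Review bot: Two rules sit in the wrong section: `files_read_var_lib_files(dovecot_t)` is placed among the dovecot_auth rules, and `logging_search_logs(dovecot_auth_t)` among the dovecot_deliver rules, so a reader auditing one domain's privileges will miss them. Move the first next to `files_search_var_lib(dovecot_t)` in the dovecot section and the second into the auth section beside its logging rules. `corenet_tcp_connect_all_ports(dovecot_t)` is also broad for a server whose only named outbound target here is postgresql; if it is needed, a comment naming the use case (e.g. proxying or remote auth backends — not visible here) would help later narrowing.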
diff --git a/policy/modules/contrib/dpkg.fc b/policy/modules/contrib/dpkg.fc
new file mode 100644
index 00000000..6d0f9eea
--- /dev/null
+++ b/policy/modules/contrib/dpkg.fc
@@ -0,0 +1,12 @@
+# Debian package manager
+/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+# not sure if dselect should be in apt instead?
+/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+
+/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
+# lockfile is treated specially, since used by apt, too
+/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
+
+/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if
new file mode 100644
index 00000000..4d32b425
--- /dev/null
+++ b/policy/modules/contrib/dpkg.if
@@ -0,0 +1,224 @@
+## <summary>Policy for the Debian package manager.</summary>
+# TODO: need debconf policy
+# TODO: need install-menu policy
+
+########################################
+## <summary>
+## Execute dpkg programs in the dpkg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dpkg_domtrans',`
+ gen_require(`
+ type dpkg_t, dpkg_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dpkg_exec_t, dpkg_t)
+')
+
+########################################
+## <summary>
+## Execute dpkg_script programs in the dpkg_script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dpkg_domtrans_script',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ # transition to dpkg script:
+ corecmd_shell_domtrans($1, dpkg_script_t)
+ allow dpkg_script_t $1:fd use;
+ allow dpkg_script_t $1:fifo_file rw_file_perms;
+ allow dpkg_script_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute dpkg programs in the dpkg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the dpkg domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dpkg_run',`
+ gen_require(`
+ attribute_role dpkg_roles;
+ ')
+
+ dpkg_domtrans($1)
+ roleattribute $2 dpkg_roles;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from dpkg.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_use_fds',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fd use;
+')
+
+########################################
+## <summary>
+## Read from an unnamed dpkg pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_read_pipes',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write an unnamed dpkg pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_rw_pipes',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from dpkg scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_use_script_fds',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+')
+
+########################################
+## <summary>
+## Read the dpkg package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_read_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dpkg_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
+ read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the dpkg package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_manage_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
+ manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, and delete the dpkg package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dpkg_dontaudit_manage_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
+ dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Lock the dpkg package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_lock_db',`
+ gen_require(`
+ type dpkg_lock_t, dpkg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dpkg_var_lib_t:dir list_dir_perms;
+ allow $1 dpkg_lock_t:file manage_file_perms;
+')
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
new file mode 100644
index 00000000..20ee3f5c
--- /dev/null
+++ b/policy/modules/contrib/dpkg.te
@@ -0,0 +1,341 @@
+policy_module(dpkg, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role dpkg_roles;
+roleattribute system_r dpkg_roles;
+
+type dpkg_t;
+type dpkg_exec_t;
+# dpkg can start/stop services
+init_system_domain(dpkg_t, dpkg_exec_t)
+# dpkg can change file labels, roles, IO
+domain_obj_id_change_exemption(dpkg_t)
+domain_role_change_exemption(dpkg_t)
+domain_system_change_exemption(dpkg_t)
+domain_interactive_fd(dpkg_t)
+role dpkg_roles types dpkg_t;
+
+# lockfile
+type dpkg_lock_t;
+files_type(dpkg_lock_t)
+
+type dpkg_tmp_t;
+files_tmp_file(dpkg_tmp_t)
+
+type dpkg_tmpfs_t;
+files_tmpfs_file(dpkg_tmpfs_t)
+
+# status files
+type dpkg_var_lib_t alias var_lib_dpkg_t;
+files_type(dpkg_var_lib_t)
+
+# package scripts
+type dpkg_script_t;
+domain_type(dpkg_script_t)
+domain_entry_file(dpkg_t, dpkg_var_lib_t)
+corecmd_shell_entry_type(dpkg_script_t)
+domain_obj_id_change_exemption(dpkg_script_t)
+domain_system_change_exemption(dpkg_script_t)
+domain_interactive_fd(dpkg_script_t)
+role dpkg_roles types dpkg_script_t;
+
+type dpkg_script_tmp_t;
+files_tmp_file(dpkg_script_tmp_t)
+
+type dpkg_script_tmpfs_t;
+files_tmpfs_file(dpkg_script_tmpfs_t)
+
+########################################
+#
+# dpkg Local policy
+#
+
+allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
+allow dpkg_t self:process { setpgid fork getsched setfscreate };
+allow dpkg_t self:fd use;
+allow dpkg_t self:fifo_file rw_fifo_file_perms;
+allow dpkg_t self:unix_dgram_socket create_socket_perms;
+allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
+allow dpkg_t self:unix_dgram_socket sendto;
+allow dpkg_t self:unix_stream_socket connectto;
+allow dpkg_t self:udp_socket { connect create_socket_perms };
+allow dpkg_t self:tcp_socket create_stream_socket_perms;
+allow dpkg_t self:shm create_shm_perms;
+allow dpkg_t self:sem create_sem_perms;
+allow dpkg_t self:msgq create_msgq_perms;
+allow dpkg_t self:msg { send receive };
+
+allow dpkg_t dpkg_lock_t:file manage_file_perms;
+
+manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
+manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
+files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
+
+manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+# Access /var/lib/dpkg files
+manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
+files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
+
+kernel_read_system_state(dpkg_t)
+kernel_read_kernel_sysctls(dpkg_t)
+
+corecmd_exec_all_executables(dpkg_t)
+
+# TODO: do we really need all networking?
+corenet_all_recvfrom_unlabeled(dpkg_t)
+corenet_all_recvfrom_netlabel(dpkg_t)
+corenet_tcp_sendrecv_generic_if(dpkg_t)
+corenet_raw_sendrecv_generic_if(dpkg_t)
+corenet_udp_sendrecv_generic_if(dpkg_t)
+corenet_tcp_sendrecv_generic_node(dpkg_t)
+corenet_raw_sendrecv_generic_node(dpkg_t)
+corenet_udp_sendrecv_generic_node(dpkg_t)
+corenet_tcp_sendrecv_all_ports(dpkg_t)
+corenet_udp_sendrecv_all_ports(dpkg_t)
+corenet_tcp_connect_all_ports(dpkg_t)
+corenet_sendrecv_all_client_packets(dpkg_t)
+
+dev_list_sysfs(dpkg_t)
+dev_list_usbfs(dpkg_t)
+dev_read_urand(dpkg_t)
+#devices_manage_all_device_types(dpkg_t)
+
+domain_read_all_domains_state(dpkg_t)
+domain_getattr_all_domains(dpkg_t)
+domain_dontaudit_ptrace_all_domains(dpkg_t)
+domain_use_interactive_fds(dpkg_t)
+domain_dontaudit_getattr_all_pipes(dpkg_t)
+domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
+domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
+domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
+domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
+domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
+domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)
+
+fs_manage_nfs_dirs(dpkg_t)
+fs_manage_nfs_files(dpkg_t)
+fs_manage_nfs_symlinks(dpkg_t)
+fs_getattr_all_fs(dpkg_t)
+fs_search_auto_mountpoints(dpkg_t)
+
+mls_file_read_all_levels(dpkg_t)
+mls_file_write_all_levels(dpkg_t)
+mls_file_upgrade(dpkg_t)
+
+selinux_get_fs_mount(dpkg_t)
+selinux_validate_context(dpkg_t)
+selinux_compute_access_vector(dpkg_t)
+selinux_compute_create_context(dpkg_t)
+selinux_compute_relabel_context(dpkg_t)
+selinux_compute_user_contexts(dpkg_t)
+
+storage_raw_write_fixed_disk(dpkg_t)
+# for installing kernel packages
+storage_raw_read_fixed_disk(dpkg_t)
+
+auth_relabel_all_files_except_auth_files(dpkg_t)
+auth_manage_all_files_except_auth_files(dpkg_t)
+auth_dontaudit_read_shadow(dpkg_t)
+
+files_exec_etc_files(dpkg_t)
+
+init_domtrans_script(dpkg_t)
+init_use_script_ptys(dpkg_t)
+
+libs_exec_ld_so(dpkg_t)
+libs_exec_lib_files(dpkg_t)
+libs_run_ldconfig(dpkg_t, dpkg_roles)
+
+logging_send_syslog_msg(dpkg_t)
+
+# allow compiling and loading new policy
+seutil_manage_src_policy(dpkg_t)
+seutil_manage_bin_policy(dpkg_t)
+
+sysnet_read_config(dpkg_t)
+
+userdom_use_user_terminals(dpkg_t)
+userdom_use_unpriv_users_fds(dpkg_t)
+
+# transition to dpkg script:
+dpkg_domtrans_script(dpkg_t)
+# since the scripts aren't labeled correctly yet...
+allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
+
+optional_policy(`
+ apt_use_ptys(dpkg_t)
+')
+
+# TODO: allow?
+#optional_policy(`
+# cron_system_entry(dpkg_t,dpkg_exec_t)
+#')
+
+optional_policy(`
+ nis_use_ypbind(dpkg_t)
+')
+
+optional_policy(`
+ unconfined_domain(dpkg_t)
+')
+
+# TODO: the following was copied from dpkg_script_t, and could probably
+# be removed again when dpkg_script_t is actually used...
+domain_signal_all_domains(dpkg_t)
+domain_signull_all_domains(dpkg_t)
+files_read_etc_runtime_files(dpkg_t)
+files_exec_usr_files(dpkg_t)
+miscfiles_read_localization(dpkg_t)
+modutils_run_depmod(dpkg_t, dpkg_roles)
+modutils_run_insmod(dpkg_t, dpkg_roles)
+seutil_run_loadpolicy(dpkg_t, dpkg_roles)
+seutil_run_setfiles(dpkg_t, dpkg_roles)
+userdom_use_all_users_fds(dpkg_t)
+optional_policy(`
+ mta_send_mail(dpkg_t)
+')
+optional_policy(`
+ usermanage_run_groupadd(dpkg_t, dpkg_roles)
+ usermanage_run_useradd(dpkg_t, dpkg_roles)
+')
+
+########################################
+#
+# dpkg-script Local policy
+#
+# TODO: actually use dpkg_script_t
+
+allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow dpkg_script_t self:fd use;
+allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
+allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
+allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
+allow dpkg_script_t self:unix_dgram_socket sendto;
+allow dpkg_script_t self:unix_stream_socket connectto;
+allow dpkg_script_t self:shm create_shm_perms;
+allow dpkg_script_t self:sem create_sem_perms;
+allow dpkg_script_t self:msgq create_msgq_perms;
+allow dpkg_script_t self:msg { send receive };
+
+allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
+
+allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
+allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
+files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
+
+allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(dpkg_script_t)
+kernel_read_system_state(dpkg_script_t)
+
+corecmd_exec_all_executables(dpkg_script_t)
+
+dev_list_sysfs(dpkg_script_t)
+# ideally we would not need this
+dev_manage_generic_blk_files(dpkg_script_t)
+dev_manage_generic_chr_files(dpkg_script_t)
+dev_manage_all_blk_files(dpkg_script_t)
+dev_manage_all_chr_files(dpkg_script_t)
+
+domain_read_all_domains_state(dpkg_script_t)
+domain_getattr_all_domains(dpkg_script_t)
+domain_dontaudit_ptrace_all_domains(dpkg_script_t)
+domain_use_interactive_fds(dpkg_script_t)
+domain_signal_all_domains(dpkg_script_t)
+domain_signull_all_domains(dpkg_script_t)
+
+files_exec_etc_files(dpkg_script_t)
+files_read_etc_runtime_files(dpkg_script_t)
+files_exec_usr_files(dpkg_script_t)
+
+fs_manage_nfs_files(dpkg_script_t)
+fs_getattr_nfs(dpkg_script_t)
+# why is this not using mount?
+fs_getattr_xattr_fs(dpkg_script_t)
+fs_mount_xattr_fs(dpkg_script_t)
+fs_unmount_xattr_fs(dpkg_script_t)
+fs_search_auto_mountpoints(dpkg_script_t)
+
+mls_file_read_all_levels(dpkg_script_t)
+mls_file_write_all_levels(dpkg_script_t)
+
+selinux_get_fs_mount(dpkg_script_t)
+selinux_validate_context(dpkg_script_t)
+selinux_compute_access_vector(dpkg_script_t)
+selinux_compute_create_context(dpkg_script_t)
+selinux_compute_relabel_context(dpkg_script_t)
+selinux_compute_user_contexts(dpkg_script_t)
+
+storage_raw_read_fixed_disk(dpkg_script_t)
+storage_raw_write_fixed_disk(dpkg_script_t)
+
+term_use_all_terms(dpkg_script_t)
+
+auth_dontaudit_getattr_shadow(dpkg_script_t)
+# ideally we would not need this
+auth_manage_all_files_except_auth_files(dpkg_script_t)
+
+init_domtrans_script(dpkg_script_t)
+init_use_script_fds(dpkg_script_t)
+
+libs_exec_ld_so(dpkg_script_t)
+libs_exec_lib_files(dpkg_script_t)
+libs_run_ldconfig(dpkg_script_t, dpkg_roles)
+
+logging_send_syslog_msg(dpkg_script_t)
+
+miscfiles_read_localization(dpkg_script_t)
+
+modutils_run_depmod(dpkg_script_t, dpkg_roles)
+modutils_run_insmod(dpkg_script_t, dpkg_roles)
+
+seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
+seutil_run_setfiles(dpkg_script_t, dpkg_roles)
+
+userdom_use_all_users_fds(dpkg_script_t)
+
+tunable_policy(`allow_execmem',`
+ allow dpkg_script_t self:process execmem;
+')
+
+optional_policy(`
+ apt_rw_pipes(dpkg_script_t)
+ apt_use_fds(dpkg_script_t)
+')
+
+optional_policy(`
+ bootloader_run(dpkg_script_t, dpkg_roles)
+')
+
+optional_policy(`
+ mta_send_mail(dpkg_script_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(dpkg_script_t)
+')
+
+optional_policy(`
+ unconfined_domain(dpkg_script_t)
+')
+
+optional_policy(`
+ usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
+ usermanage_run_useradd(dpkg_script_t, dpkg_roles)
+')
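Review bot: `domain_entry_file(dpkg_t, dpkg_var_lib_t)` under the `# package scripts` comment makes the writable package-database type an entry point for dpkg_t, so content placed there by any domain granted `dpkg_manage_db` (which gives `manage_files_pattern` on dpkg_var_lib_t in the preceding hunk) can, together with a transition rule, be what dpkg_t executes on entry — and dpkg_t carries the `domain_*_change_exemption` set plus an optional `unconfined_domain`. The later `# since the scripts aren't labeled correctly yet...` and `# TODO: actually use dpkg_script_t` suggest this is a stopgap, so a comment on that line such as `# maintainer scripts under /var/lib/dpkg are not separately labeled yet; move this entry point to dpkg_script_t once they are` would make the intent auditable. `# for installing kernel packages` sits between `storage_raw_write_fixed_disk` and `storage_raw_read_fixed_disk`, so it is unclear whether it justifies the raw-disk write; it belongs directly above the rule it explains. The commented-out `devices_manage_all_device_types` line and the cron `optional_policy` block are dead code and should be dropped or turned into a tracked TODO.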
diff --git a/policy/modules/contrib/dracut.fc b/policy/modules/contrib/dracut.fc
new file mode 100644
index 00000000..fca0d673
--- /dev/null
+++ b/policy/modules/contrib/dracut.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/(s)?bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
diff --git a/policy/modules/contrib/dracut.if b/policy/modules/contrib/dracut.if
new file mode 100644
index 00000000..929fffd3
--- /dev/null
+++ b/policy/modules/contrib/dracut.if
@@ -0,0 +1,69 @@
+## <summary>Dracut initramfs creation tool</summary>
+
+########################################
+## <summary>
+## Execute the dracut program in the dracut domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dracut_domtrans',`
+ gen_require(`
+ type dracut_t, dracut_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dracut_exec_t, dracut_t)
+')
+
+########################################
+## <summary>
+## Execute dracut in the dracut domain, and
+## allow the specified role the dracut domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`dracut_run',`
+ gen_require(`
+ type dracut_t;
+ ')
+
+ dracut_domtrans($1)
+ role $2 types dracut_t;
+')
+
+########################################
+## <summary>
+## Allow domain to manage dracut temporary files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dracut_manage_tmp_files',`
+ gen_require(`
+ type dracut_tmp_t;
+ ')
+
+ files_search_var($1)
+ files_search_tmp($1)
+
+ manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+ manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
+ read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+')
+
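Review bot: `files_search_var($1)` in `dracut_manage_tmp_files` is not obviously needed for a type declared with `files_tmp_file` in dracut.te; if it is there so callers can reach a location under /var (such as /var/tmp), a one-line comment like `# dracut tmp may live under /var/tmp` would save the next reader the question, otherwise `files_search_tmp($1)` alone covers the tmp type. The summary `Allow domain to manage dracut temporary files` is the only one in this file without a terminating period, and the hunk ends with a trailing blank line.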
diff --git a/policy/modules/contrib/dracut.te b/policy/modules/contrib/dracut.te
new file mode 100644
index 00000000..9a80a059
--- /dev/null
+++ b/policy/modules/contrib/dracut.te
@@ -0,0 +1,74 @@
+policy_module(dracut, 1.0)
+
+type dracut_t;
+type dracut_exec_t;
+application_domain(dracut_t, dracut_exec_t)
+
+type dracut_var_log_t;
+logging_log_file(dracut_var_log_t)
+
+type dracut_tmp_t;
+files_tmp_file(dracut_tmp_t)
+
+########################################
+#
+# Local policy
+#
+allow dracut_t self:process setfscreate;
+allow dracut_t self:fifo_file rw_fifo_file_perms;
+allow dracut_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
+
+manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
+logging_log_filetrans(dracut_t, dracut_var_log_t, file)
+
+kernel_read_system_state(dracut_t)
+
+corecmd_exec_bin(dracut_t)
+corecmd_exec_shell(dracut_t)
+corecmd_read_all_executables(dracut_t)
+
+dev_read_sysfs(dracut_t)
+
+domain_use_interactive_fds(dracut_t)
+
+files_create_kernel_img(dracut_t)
+files_read_kernel_modules(dracut_t)
+files_read_etc_files(dracut_t)
+files_read_usr_files(dracut_t)
+files_search_pids(dracut_t)
+
+fstools_exec(dracut_t)
+
+libs_domtrans_ldconfig(dracut_t)
+libs_exec_ld_so(dracut_t)
+libs_exec_lib_files(dracut_t)
+
+lvm_exec(dracut_t)
+lvm_read_config(dracut_t)
+
+miscfiles_read_localization(dracut_t)
+
+modutils_exec_depmod(dracut_t)
+modutils_exec_insmod(dracut_t)
+modutils_read_module_config(dracut_t)
+modutils_list_module_config(dracut_t)
+modutils_read_module_deps(dracut_t)
+
+mount_exec(dracut_t)
+
+seutil_exec_setfiles(dracut_t)
+
+udev_exec(dracut_t)
+udev_read_rules_files(dracut_t)
+
+userdom_use_user_terminals(dracut_t)
+
+optional_policy(`
+ dmesg_exec(dracut_t)
+')
+
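Review bot: `policy_module(dracut, 1.0)` uses a two-component version while the sibling modules added in this commit use three (`1.9.0`, `1.7.0`, `2.3.0`); `policy_module(dracut, 1.0.0)` keeps the set consistent. The file also lacks the `# Declarations` banner the other modules place above their type declarations, and ends with a trailing blank line. `libs_domtrans_ldconfig(dracut_t)` grants only the domain transition; since dracut_t is an `application_domain` reached from a user role via `dracut_run`, it is worth confirming that the calling role is already authorized for the ldconfig domain, otherwise the transition may be refused on role grounds.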
diff --git a/policy/modules/contrib/entropyd.fc b/policy/modules/contrib/entropyd.fc
new file mode 100644
index 00000000..d2d8ce34
--- /dev/null
+++ b/policy/modules/contrib/entropyd.fc
@@ -0,0 +1,8 @@
+#
+# /usr
+#
+/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+
+/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
+/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
diff --git a/policy/modules/contrib/entropyd.if b/policy/modules/contrib/entropyd.if
new file mode 100644
index 00000000..67906f01
--- /dev/null
+++ b/policy/modules/contrib/entropyd.if
@@ -0,0 +1 @@
+## <summary>Generate entropy from audio input</summary>
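Review bot: The module summary `Generate entropy from audio input` no longer describes the module: entropyd.fc in this commit labels `/usr/sbin/haveged` as `entropyd_exec_t` alongside `audio-entropyd`, and entropyd.te gates all audio access behind the `entropyd_use_audio` tunable, which defaults to false. Suggest `## <summary>Entropy-gathering daemons (audio-entropyd, haveged)</summary>` so the generated interface documentation matches what the policy confines.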
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
new file mode 100644
index 00000000..b6ac808a
--- /dev/null
+++ b/policy/modules/contrib/entropyd.te
@@ -0,0 +1,80 @@
+policy_module(entropyd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow the use of the audio devices as the source for the entropy feeds
+## </p>
+## </desc>
+gen_tunable(entropyd_use_audio, false)
+
+type entropyd_t;
+type entropyd_exec_t;
+init_daemon_domain(entropyd_t, entropyd_exec_t)
+
+type entropyd_var_run_t;
+files_pid_file(entropyd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
+dontaudit entropyd_t self:capability sys_tty_config;
+allow entropyd_t self:process signal_perms;
+allow entropyd_t self:unix_dgram_socket create_socket_perms;
+
+manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
+files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
+
+kernel_rw_kernel_sysctl(entropyd_t)
+kernel_list_proc(entropyd_t)
+kernel_read_proc_symlinks(entropyd_t)
+
+dev_read_sysfs(entropyd_t)
+dev_read_urand(entropyd_t)
+dev_write_urand(entropyd_t)
+dev_read_rand(entropyd_t)
+dev_write_rand(entropyd_t)
+
+files_read_etc_files(entropyd_t)
+files_read_usr_files(entropyd_t)
+
+fs_getattr_all_fs(entropyd_t)
+fs_search_auto_mountpoints(entropyd_t)
+
+domain_use_interactive_fds(entropyd_t)
+
+logging_send_syslog_msg(entropyd_t)
+
+miscfiles_read_localization(entropyd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
+userdom_dontaudit_search_user_home_dirs(entropyd_t)
+
+tunable_policy(`entropyd_use_audio',`
+ dev_read_sound(entropyd_t)
+ # set sound card parameters such as sample format, number of channels
+ # and sample rate.
+ dev_write_sound(entropyd_t)
+')
+
+optional_policy(`
+ tunable_policy(`entropyd_use_audio',`
+ alsa_read_lib(entropyd_t)
+ alsa_read_rw_config(entropyd_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(entropyd_t)
+')
+
+optional_policy(`
+ udev_read_db(entropyd_t)
+')
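Review bot: `sys_admin` in `allow entropyd_t self:capability { dac_override ipc_lock sys_admin };` is the broadest grant in the module and carries no comment, while the `dev_write_sound` rule below explains itself; presumably it is needed for the ioctl that credits entropy to the kernel pool (it is paired with `dev_write_rand`), so `# sys_admin: ioctl that adds entropy to the kernel pool` above the line would record that. `kernel_rw_kernel_sysctl(entropyd_t)` likewise grants write access to all kernel sysctls; if only the random-pool sysctls are needed, a comment naming them, or a narrower interface if one is available, would make the grant reviewable.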
diff --git a/policy/modules/contrib/evolution.fc b/policy/modules/contrib/evolution.fc
new file mode 100644
index 00000000..c0112777
--- /dev/null
+++ b/policy/modules/contrib/evolution.fc
@@ -0,0 +1,21 @@
+#
+# HOME_DIR/
+#
+
+HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+
+#
+# /tmp
+#
+/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
+
+#
+# /usr
+#
+/usr/bin/evolution.* -- gen_context(system_u:object_r:evolution_exec_t,s0)
+
+/usr/libexec/evolution/.*evolution-alarm-notify.* -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
+/usr/libexec/evolution/.*evolution-exchange-storage.* -- gen_context(system_u:object_r:evolution_exchange_exec_t,s0)
+/usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0)
+/usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
diff --git a/policy/modules/contrib/evolution.if b/policy/modules/contrib/evolution.if
new file mode 100644
index 00000000..1cb204c9
--- /dev/null
+++ b/policy/modules/contrib/evolution.if
@@ -0,0 +1,153 @@
+## <summary>Evolution email client</summary>
+
+########################################
+## <summary>
+## Role access for evolution
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`evolution_role',`
+ gen_require(`
+ type evolution_t, evolution_exec_t, evolution_home_t;
+ type evolution_alarm_t, evolution_alarm_exec_t;
+ type evolution_exchange_t, evolution_exchange_exec_t;
+ type evolution_exchange_orbit_tmp_t;
+ type evolution_server_t, evolution_server_exec_t;
+ type evolution_webcal_t, evolution_webcal_exec_t;
+ ')
+
+ role $1 types { evolution_t evolution_alarm_t evolution_exchange_t };
+ role $1 types { evolution_server_t evolution_webcal_t };
+
+ domtrans_pattern($2, evolution_exec_t, evolution_t)
+ domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t)
+ domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t)
+ domtrans_pattern($2, evolution_server_exec_t, evolution_server_t)
+ domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t)
+
+ ps_process_pattern($2, evolution_t)
+ ps_process_pattern($2, evolution_alarm_t)
+ ps_process_pattern($2, evolution_exchange_t)
+ ps_process_pattern($2, evolution_server_t)
+ ps_process_pattern($2, evolution_webcal_t)
+
+ allow evolution_t $2:dir search;
+ allow evolution_t $2:file read;
+ allow evolution_t $2:lnk_file read;
+ allow evolution_t $2:unix_stream_socket connectto;
+
+ allow $2 evolution_t:unix_stream_socket connectto;
+ allow $2 evolution_t:process noatsecure;
+ allow $2 evolution_t:process signal_perms;
+
+ # Access .evolution
+ allow $2 evolution_home_t:dir manage_dir_perms;
+ allow $2 evolution_home_t:file manage_file_perms;
+ allow $2 evolution_home_t:lnk_file manage_lnk_file_perms;
+ allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+ allow evolution_exchange_t $2:unix_stream_socket connectto;
+
+ # Clock applet talks to exchange (FIXME: Needs policy)
+ allow $2 evolution_exchange_t:unix_stream_socket connectto;
+ allow $2 evolution_exchange_orbit_tmp_t:sock_file write;
+')
+
+########################################
+## <summary>
+## Create objects in users evolution home folders.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`evolution_home_filetrans',`
+ gen_require(`
+ type evolution_home_t;
+ ')
+
+ allow $1 evolution_home_t:dir rw_dir_perms;
+ type_transition $1 evolution_home_t:$3 $2;
+')
+
+########################################
+## <summary>
+## Connect to evolution unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_stream_connect',`
+ gen_require(`
+ type evolution_t, evolution_home_t;
+ ')
+
+ allow $1 evolution_t:unix_stream_socket connectto;
+ allow $1 evolution_home_t:dir search;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## evolution over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_dbus_chat',`
+ gen_require(`
+ type evolution_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 evolution_t:dbus send_msg;
+ allow evolution_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## evolution_alarm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_alarm_dbus_chat',`
+ gen_require(`
+ type evolution_alarm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 evolution_alarm_t:dbus send_msg;
+ allow evolution_alarm_t $1:dbus send_msg;
+')
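Review bot: `# Clock applet talks to exchange (FIXME: Needs policy)` in `evolution_role` is left unresolved even though the two rules under it already grant the user domain `connectto` on evolution_exchange_t and `write` on its orbit socket; the comment should state what is still missing, or the FIXME should be dropped if those two rules are the policy. The two `role $1 types` statements could be one statement listing all five domains. The summaries `Role access for evolution` and `Role allowed access` are the only ones in this file without a terminating period.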
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
new file mode 100644
index 00000000..73cb712c
--- /dev/null
+++ b/policy/modules/contrib/evolution.te
@@ -0,0 +1,604 @@
+policy_module(evolution, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type evolution_t;
+type evolution_exec_t;
+typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t };
+typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t };
+userdom_user_application_domain(evolution_t, evolution_exec_t)
+
+type evolution_alarm_t;
+type evolution_alarm_exec_t;
+typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t };
+typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t };
+userdom_user_application_domain(evolution_alarm_t, evolution_alarm_exec_t)
+
+type evolution_alarm_tmpfs_t;
+typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t };
+typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t };
+userdom_user_tmpfs_file(evolution_alarm_tmpfs_t)
+
+type evolution_alarm_orbit_tmp_t;
+typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
+typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
+userdom_user_tmp_file(evolution_alarm_orbit_tmp_t)
+
+type evolution_exchange_t;
+type evolution_exchange_exec_t;
+typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t };
+typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t };
+userdom_user_application_domain(evolution_exchange_t, evolution_exchange_exec_t)
+
+type evolution_exchange_tmpfs_t;
+typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t };
+typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t };
+userdom_user_tmpfs_file(evolution_exchange_tmpfs_t)
+
+type evolution_exchange_tmp_t;
+typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
+typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
+userdom_user_tmp_file(evolution_exchange_tmp_t)
+
+type evolution_exchange_orbit_tmp_t;
+typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
+typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
+userdom_user_tmp_file(evolution_exchange_orbit_tmp_t)
+
+type evolution_home_t;
+typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
+typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t };
+userdom_user_home_content(evolution_home_t)
+
+type evolution_orbit_tmp_t;
+typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
+typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
+userdom_user_tmp_file(evolution_orbit_tmp_t)
+
+type evolution_server_t;
+type evolution_server_exec_t;
+typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t };
+typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t };
+userdom_user_application_domain(evolution_server_t, evolution_server_exec_t)
+
+type evolution_server_orbit_tmp_t;
+typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
+typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
+userdom_user_tmp_file(evolution_server_orbit_tmp_t)
+
+type evolution_tmpfs_t;
+typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
+typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t };
+userdom_user_tmpfs_file(evolution_tmpfs_t)
+
+type evolution_webcal_t;
+type evolution_webcal_exec_t;
+typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t };
+typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t };
+userdom_user_application_domain(evolution_webcal_t, evolution_webcal_exec_t)
+
+type evolution_webcal_tmpfs_t;
+typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t };
+typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
+userdom_user_tmpfs_file(evolution_webcal_tmpfs_t)
+
+########################################
+#
+# Evolution local policy
+#
+
+allow evolution_t self:capability { setuid setgid sys_nice };
+allow evolution_t self:process { signal getsched setsched };
+allow evolution_t self:fifo_file rw_file_perms;
+allow evolution_t self:tcp_socket create_socket_perms;
+allow evolution_t self:udp_socket create_socket_perms;
+
+allow evolution_t evolution_alarm_t:dir search_dir_perms;
+allow evolution_t evolution_alarm_t:file read;
+
+allow evolution_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+can_exec(evolution_t, evolution_alarm_exec_t)
+
+allow evolution_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+allow evolution_t evolution_home_t:dir manage_dir_perms;
+allow evolution_t evolution_home_t:file manage_file_perms;
+allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms;
+userdom_search_user_home_dirs(evolution_t)
+
+allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_t evolution_server_t:dir search_dir_perms;
+allow evolution_t evolution_server_t:file read;
+
+allow evolution_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_t evolution_server_orbit_tmp_t:sock_file write;
+
+can_exec(evolution_t, evolution_server_exec_t)
+
+allow evolution_t evolution_tmpfs_t:dir rw_dir_perms;
+allow evolution_t evolution_tmpfs_t:file manage_file_perms;
+allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+#FIXME check to see if really needed
+kernel_read_kernel_sysctls(evolution_t)
+kernel_read_system_state(evolution_t)
+# Allow netstat
+kernel_read_network_state(evolution_t)
+kernel_read_net_sysctls(evolution_t)
+
+corecmd_exec_shell(evolution_t)
+# Run various programs
+corecmd_exec_bin(evolution_t)
+
+corenet_all_recvfrom_unlabeled(evolution_t)
+corenet_all_recvfrom_netlabel(evolution_t)
+corenet_tcp_sendrecv_generic_if(evolution_t)
+corenet_udp_sendrecv_generic_if(evolution_t)
+corenet_raw_sendrecv_generic_if(evolution_t)
+corenet_tcp_sendrecv_generic_node(evolution_t)
+corenet_udp_sendrecv_generic_node(evolution_t)
+corenet_tcp_sendrecv_pop_port(evolution_t)
+corenet_udp_sendrecv_pop_port(evolution_t)
+corenet_tcp_sendrecv_smtp_port(evolution_t)
+corenet_udp_sendrecv_smtp_port(evolution_t)
+corenet_tcp_sendrecv_innd_port(evolution_t)
+corenet_udp_sendrecv_innd_port(evolution_t)
+corenet_tcp_sendrecv_ldap_port(evolution_t)
+corenet_udp_sendrecv_ldap_port(evolution_t)
+corenet_tcp_sendrecv_ipp_port(evolution_t)
+corenet_udp_sendrecv_ipp_port(evolution_t)
+corenet_tcp_connect_pop_port(evolution_t)
+corenet_tcp_connect_smtp_port(evolution_t)
+corenet_tcp_connect_innd_port(evolution_t)
+corenet_tcp_connect_ldap_port(evolution_t)
+corenet_tcp_connect_ipp_port(evolution_t)
+corenet_sendrecv_pop_client_packets(evolution_t)
+corenet_sendrecv_smtp_client_packets(evolution_t)
+corenet_sendrecv_innd_client_packets(evolution_t)
+corenet_sendrecv_ldap_client_packets(evolution_t)
+corenet_sendrecv_ipp_client_packets(evolution_t)
+# not sure about this bind
+corenet_udp_bind_generic_node(evolution_t)
+corenet_udp_bind_generic_port(evolution_t)
+
+dev_read_urand(evolution_t)
+
+domain_dontaudit_read_all_domains_state(evolution_t)
+
+files_read_etc_files(evolution_t)
+files_read_usr_files(evolution_t)
+files_read_usr_symlinks(evolution_t)
+files_read_var_files(evolution_t)
+
+fs_search_auto_mountpoints(evolution_t)
+
+logging_send_syslog_msg(evolution_t)
+
+miscfiles_read_localization(evolution_t)
+
+sysnet_read_config(evolution_t)
+sysnet_dns_name_resolve(evolution_t)
+
+udev_read_state(evolution_t)
+
+userdom_rw_user_tmp_files(evolution_t)
+userdom_manage_user_tmp_dirs(evolution_t)
+userdom_manage_user_tmp_sockets(evolution_t)
+userdom_manage_user_tmp_files(evolution_t)
+userdom_use_user_terminals(evolution_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_t)
+
+mta_read_config(evolution_t)
+
+xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
+xserver_read_xdm_tmp_files(evolution_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(evolution_t)
+ fs_manage_nfs_files(evolution_t)
+ fs_manage_nfs_symlinks(evolution_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(evolution_t)
+ fs_manage_cifs_files(evolution_t)
+ fs_manage_cifs_symlinks(evolution_t)
+')
+
+tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(evolution_t)
+ files_list_home(evolution_t)
+ fs_read_nfs_files(evolution_t)
+ fs_read_nfs_symlinks(evolution_t)
+
+',`
+ files_dontaudit_list_home(evolution_t)
+ fs_dontaudit_list_auto_mountpoints(evolution_t)
+ fs_dontaudit_read_nfs_files(evolution_t)
+ fs_dontaudit_list_nfs(evolution_t)
+')
+
+tunable_policy(`mail_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(evolution_t)
+ files_list_home(evolution_t)
+ fs_read_cifs_files(evolution_t)
+ fs_read_cifs_symlinks(evolution_t)
+',`
+ files_dontaudit_list_home(evolution_t)
+ fs_dontaudit_list_auto_mountpoints(evolution_t)
+ fs_dontaudit_read_cifs_files(evolution_t)
+ fs_dontaudit_list_cifs(evolution_t)
+')
+
+tunable_policy(`mail_read_content',`
+ userdom_list_user_tmp(evolution_t)
+ userdom_read_user_tmp_files(evolution_t)
+ userdom_read_user_tmp_symlinks(evolution_t)
+ userdom_read_user_home_content_files(evolution_t)
+ userdom_read_user_home_content_symlinks(evolution_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(evolution_t)
+ fs_read_removable_files(evolution_t)
+ fs_read_removable_symlinks(evolution_t)
+ ')
+',`
+ files_dontaudit_list_tmp(evolution_t)
+ files_dontaudit_list_home(evolution_t)
+ fs_dontaudit_list_removable(evolution_t)
+ fs_dontaudit_read_removable_files(evolution_t)
+ userdom_dontaudit_list_user_tmp(evolution_t)
+ userdom_dontaudit_read_user_tmp_files(evolution_t)
+ userdom_dontaudit_list_user_home_dirs(evolution_t)
+ userdom_dontaudit_read_user_home_content_files(evolution_t)
+')
+
+optional_policy(`
+ automount_read_state(evolution_t)
+')
+
+# Allow printing the mail
+optional_policy(`
+ cups_read_rw_config(evolution_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(evolution_t)
+ dbus_session_bus_client(evolution_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_t)
+')
+
+# Encrypt mail
+optional_policy(`
+ gpg_domtrans(evolution_t)
+ gpg_signal(evolution_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(evolution_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(evolution_t)
+ mozilla_domtrans(evolution_t)
+')
+
+# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
+optional_policy(`
+ nis_use_ypbind(evolution_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_t)
+')
+
+### Junk mail filtering (start spamd)
+optional_policy(`
+ spamassassin_exec_spamd(evolution_t)
+ spamassassin_domtrans_client(evolution_t)
+ spamassassin_domtrans_local_client(evolution_t)
+ # Allow evolution to signal the daemon
+ # FIXME: Now evolution can read spamd temp files
+ spamassassin_read_spamd_tmp_files(evolution_t)
+ spamassassin_signal_spamd(evolution_t)
+ spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
+')
+
+########################################
+#
+# Evolution alarm local policy
+#
+
+allow evolution_alarm_t self:process { signal getsched };
+allow evolution_alarm_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_alarm_t evolution_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_alarm_t evolution_home_t:dir manage_dir_perms;
+allow evolution_alarm_t evolution_home_t:file manage_file_perms;
+allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write;
+
+dev_read_urand(evolution_alarm_t)
+
+files_read_etc_files(evolution_alarm_t)
+files_read_usr_files(evolution_alarm_t)
+
+fs_search_auto_mountpoints(evolution_alarm_t)
+
+miscfiles_read_localization(evolution_alarm_t)
+
+# Access evolution home
+userdom_search_user_home_dirs(evolution_alarm_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
+
+xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(evolution_alarm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(evolution_alarm_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(evolution_alarm_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_alarm_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_alarm_t)
+')
+
+########################################
+#
+# Evolution exchange connector local policy
+#
+
+allow evolution_exchange_t self:process getsched;
+allow evolution_exchange_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_exchange_t self:tcp_socket create_socket_perms;
+allow evolution_exchange_t self:udp_socket create_socket_perms;
+
+allow evolution_exchange_t evolution_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_exchange_t evolution_home_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_home_t:file manage_file_perms;
+allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write;
+
+# /tmp/.exchange-$USER
+allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir })
+
+allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_network_state(evolution_exchange_t)
+kernel_read_net_sysctls(evolution_exchange_t)
+
+# Allow netstat
+corecmd_exec_bin(evolution_exchange_t)
+
+dev_read_urand(evolution_exchange_t)
+
+files_read_etc_files(evolution_exchange_t)
+files_read_usr_files(evolution_exchange_t)
+
+# Access evolution home
+fs_search_auto_mountpoints(evolution_exchange_t)
+
+miscfiles_read_localization(evolution_exchange_t)
+
+userdom_write_user_tmp_sockets(evolution_exchange_t)
+# Access evolution home
+userdom_search_user_home_dirs(evolution_exchange_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
+
+xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(evolution_exchange_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(evolution_exchange_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_exchange_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_exchange_t)
+')
+
+########################################
+#
+# Evolution data server local policy
+#
+
+allow evolution_server_t self:process { getsched signal };
+
+allow evolution_server_t self:fifo_file { read write };
+allow evolution_server_t self:unix_stream_socket { accept connectto };
+# Talk to ldap (address book),
+# Obtain weather data via http (read server name from xml file in /usr)
+allow evolution_server_t self:tcp_socket create_socket_perms;
+
+allow evolution_server_t evolution_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_server_t evolution_home_t:dir manage_dir_perms;
+allow evolution_server_t evolution_home_t:file manage_file_perms;
+allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+kernel_read_system_state(evolution_server_t)
+
+corecmd_exec_shell(evolution_server_t)
+
+# Obtain weather data via http (read server name from xml file in /usr)
+corenet_all_recvfrom_unlabeled(evolution_server_t)
+corenet_all_recvfrom_netlabel(evolution_server_t)
+corenet_tcp_sendrecv_generic_if(evolution_server_t)
+corenet_tcp_sendrecv_generic_node(evolution_server_t)
+corenet_tcp_sendrecv_http_port(evolution_server_t)
+corenet_tcp_sendrecv_http_cache_port(evolution_server_t)
+corenet_tcp_connect_http_cache_port(evolution_server_t)
+corenet_tcp_connect_http_port(evolution_server_t)
+corenet_sendrecv_http_client_packets(evolution_server_t)
+corenet_sendrecv_http_cache_client_packets(evolution_server_t)
+
+dev_read_urand(evolution_server_t)
+
+files_read_etc_files(evolution_server_t)
+# Obtain weather data via http (read server name from xml file in /usr)
+files_read_usr_files(evolution_server_t)
+
+fs_search_auto_mountpoints(evolution_server_t)
+
+miscfiles_read_localization(evolution_server_t)
+# Look in /etc/pki
+miscfiles_read_generic_certs(evolution_server_t)
+
+# Talk to ldap (address book)
+sysnet_read_config(evolution_server_t)
+sysnet_dns_name_resolve(evolution_server_t)
+sysnet_use_ldap(evolution_server_t)
+
+# Access evolution home
+userdom_search_user_home_dirs(evolution_server_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_server_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(evolution_server_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(evolution_server_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_server_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_server_t)
+')
+
+########################################
+#
+# Evolution webcal local policy
+#
+
+allow evolution_webcal_t self:tcp_socket create_socket_perms;
+
+# X/evolution common stuff
+allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+corenet_all_recvfrom_unlabeled(evolution_webcal_t)
+corenet_all_recvfrom_netlabel(evolution_webcal_t)
+corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
+corenet_raw_sendrecv_generic_if(evolution_webcal_t)
+corenet_tcp_sendrecv_generic_node(evolution_webcal_t)
+corenet_raw_sendrecv_generic_node(evolution_webcal_t)
+corenet_tcp_sendrecv_http_port(evolution_webcal_t)
+corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_port(evolution_webcal_t)
+corenet_sendrecv_http_client_packets(evolution_webcal_t)
+corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
+
+# Networking capability - connect to website and handle ics link
+sysnet_read_config(evolution_webcal_t)
+sysnet_dns_name_resolve(evolution_webcal_t)
+
+# Search home directory (?)
+userdom_search_user_home_dirs(evolution_webcal_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
+
+xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
+
+optional_policy(`
+ nscd_socket_use(evolution_webcal_t)
+')
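Review bot: The two typealias statements that follow `type evolution_orbit_tmp_t;` alias the wrong type — they attach the `user_/staff_/sysadm_/auditadm_/secadm_evolution_orbit_tmp_t` names to `evolution_home_t` instead of `evolution_orbit_tmp_t`, so anything still written against those legacy names resolves to the user's evolution home content rather than the ORBit tmp type, and `evolution_orbit_tmp_t` itself is left with no aliases at all. Both lines should read `typealias evolution_orbit_tmp_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };` and `typealias evolution_orbit_tmp_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };`, matching every other declaration block in the file. Separately, `#FIXME check to see if really needed` above `kernel_read_kernel_sysctls(evolution_t)` and `# not sure about this bind` above the `corenet_udp_bind_*` rules are being committed as open questions; the bind rules widen what evolution_t may listen on, so either resolve them or point the comment at a tracking item.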
diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc
new file mode 100644
index 00000000..298f0660
--- /dev/null
+++ b/policy/modules/contrib/exim.fc
@@ -0,0 +1,8 @@
+/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
+
+ifdef(`distro_debian',`
+/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
+')
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
new file mode 100644
index 00000000..6bef7f86
--- /dev/null
+++ b/policy/modules/contrib/exim.if
@@ -0,0 +1,196 @@
+## <summary>Exim mail transfer agent</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run exim.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`exim_domtrans',`
+ gen_require(`
+ type exim_t, exim_exec_t;
+ ')
+
+ domtrans_pattern($1, exim_exec_t, exim_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## exim tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`exim_dontaudit_read_tmp_files',`
+ gen_require(`
+ type exim_tmp_t;
+ ')
+
+ dontaudit $1 exim_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read, exim tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_read_tmp_files',`
+ gen_require(`
+ type exim_tmp_t;
+ ')
+
+ allow $1 exim_tmp_t:file read_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Read exim PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_read_pid_files',`
+ gen_require(`
+ type exim_var_run_t;
+ ')
+
+ allow $1 exim_var_run_t:file read_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read exim's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_read_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ read_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## exim log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_append_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ append_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage exim's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_manage_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ manage_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## exim spool dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_manage_spool_dirs',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
+ manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read exim spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_read_spool_files',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
+ allow $1 exim_spool_t:file read_file_perms;
+ allow $1 exim_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## exim spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_manage_spool_files',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
+ manage_files_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+')
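Review bot: `exim_read_tmp_files` grants `allow $1 exim_tmp_t:file read_file_perms;` plus `files_search_tmp($1)` but no search on `exim_tmp_t` directories, yet exim.te in this same commit creates such directories (`manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)` with a `{ file dir }` tmp filetrans), so a caller cannot reach files placed inside them; `read_files_pattern($1, exim_tmp_t, exim_tmp_t)` would grant the file read and the directory search together, consistent with `exim_read_log`. The summaries of `exim_dontaudit_read_tmp_files` and `exim_read_tmp_files` also carry a stray comma (`Do not audit attempts to read, exim tmp files`, `Allow domain to read, exim tmp files`); `Do not audit attempts to read exim tmp files.` and `Read exim tmp files.` match the wording used by the rest of the file.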
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
new file mode 100644
index 00000000..f28f64b9
--- /dev/null
+++ b/policy/modules/contrib/exim.te
@@ -0,0 +1,203 @@
+policy_module(exim, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow exim to connect to databases (postgres, mysql)
+## </p>
+## </desc>
+gen_tunable(exim_can_connect_db, false)
+
+## <desc>
+## <p>
+## Allow exim to read unprivileged user files.
+## </p>
+## </desc>
+gen_tunable(exim_read_user_files, false)
+
+## <desc>
+## <p>
+## Allow exim to create, read, write, and delete
+## unprivileged user files.
+## </p>
+## </desc>
+gen_tunable(exim_manage_user_files, false)
+
+type exim_t;
+type exim_exec_t;
+init_daemon_domain(exim_t, exim_exec_t)
+mta_mailserver(exim_t, exim_exec_t)
+mta_mailserver_user_agent(exim_t)
+application_executable_file(exim_exec_t)
+mta_agent_executable(exim_exec_t)
+
+type exim_log_t;
+logging_log_file(exim_log_t)
+
+type exim_spool_t;
+files_type(exim_spool_t)
+
+type exim_tmp_t;
+files_tmp_file(exim_tmp_t)
+
+type exim_var_run_t;
+files_pid_file(exim_var_run_t)
+
+########################################
+#
+# exim local policy
+#
+
+allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
+allow exim_t self:process { setrlimit setpgid };
+allow exim_t self:fifo_file rw_fifo_file_perms;
+allow exim_t self:unix_stream_socket create_stream_socket_perms;
+allow exim_t self:tcp_socket create_stream_socket_perms;
+allow exim_t self:udp_socket create_socket_perms;
+
+can_exec(exim_t, exim_exec_t)
+
+manage_files_pattern(exim_t, exim_log_t, exim_log_t)
+logging_log_filetrans(exim_t, exim_log_t, { file dir })
+
+manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
+manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
+manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
+files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file })
+
+manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
+manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
+files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })
+
+manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
+manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
+files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(exim_t)
+kernel_read_network_state(exim_t)
+kernel_dontaudit_read_system_state(exim_t)
+
+corecmd_search_bin(exim_t)
+
+corenet_all_recvfrom_unlabeled(exim_t)
+corenet_all_recvfrom_netlabel(exim_t)
+corenet_tcp_sendrecv_generic_if(exim_t)
+corenet_udp_sendrecv_generic_if(exim_t)
+corenet_tcp_sendrecv_generic_node(exim_t)
+corenet_udp_sendrecv_generic_node(exim_t)
+corenet_tcp_sendrecv_all_ports(exim_t)
+corenet_tcp_bind_generic_node(exim_t)
+corenet_tcp_bind_smtp_port(exim_t)
+corenet_tcp_bind_amavisd_send_port(exim_t)
+corenet_tcp_connect_auth_port(exim_t)
+corenet_tcp_connect_smtp_port(exim_t)
+corenet_tcp_connect_ldap_port(exim_t)
+corenet_tcp_connect_inetd_child_port(exim_t)
+# connect to spamassassin
+corenet_tcp_connect_spamd_port(exim_t)
+
+dev_read_rand(exim_t)
+dev_read_urand(exim_t)
+
+# Init script handling
+domain_use_interactive_fds(exim_t)
+
+files_search_usr(exim_t)
+files_search_var(exim_t)
+files_read_etc_files(exim_t)
+files_read_etc_runtime_files(exim_t)
+files_getattr_all_mountpoints(exim_t)
+
+fs_getattr_xattr_fs(exim_t)
+fs_list_inotifyfs(exim_t)
+
+auth_use_nsswitch(exim_t)
+
+logging_send_syslog_msg(exim_t)
+
+miscfiles_read_localization(exim_t)
+miscfiles_read_generic_certs(exim_t)
+
+userdom_dontaudit_search_user_home_dirs(exim_t)
+
+mta_read_aliases(exim_t)
+mta_read_config(exim_t)
+mta_manage_spool(exim_t)
+mta_mailserver_delivery(exim_t)
+
+tunable_policy(`exim_can_connect_db',`
+ corenet_tcp_connect_mysqld_port(exim_t)
+ corenet_sendrecv_mysqld_client_packets(exim_t)
+ corenet_tcp_connect_postgresql_port(exim_t)
+ corenet_sendrecv_postgresql_client_packets(exim_t)
+')
+
+tunable_policy(`exim_read_user_files',`
+ userdom_read_user_home_content_files(exim_t)
+ userdom_read_user_tmp_files(exim_t)
+')
+
+tunable_policy(`exim_manage_user_files',`
+ userdom_manage_user_home_content_dirs(exim_t)
+ userdom_read_user_tmp_files(exim_t)
+ userdom_write_user_tmp_files(exim_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(exim_t)
+ clamav_stream_connect(exim_t)
+')
+
+optional_policy(`
+ cron_read_pipes(exim_t)
+ cron_rw_system_job_pipes(exim_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(exim_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(exim, exim_t)
+')
+
+optional_policy(`
+ mailman_read_data_files(exim_t)
+ mailman_domtrans(exim_t)
+')
+
+optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ mysql_stream_connect(exim_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ postgresql_stream_connect(exim_t)
+ ')
+')
+
+optional_policy(`
+ procmail_domtrans(exim_t)
+')
+
+optional_policy(`
+ sasl_connect(exim_t)
+')
+
+optional_policy(`
+ # https://bugzilla.redhat.com/show_bug.cgi?id=512710
+ # uses sendmail for outgoing mail and exim
+ # for incoming mail
+ sendmail_manage_tmp_files(exim_t)
+')
+
+optional_policy(`
+ spamassassin_exec(exim_t)
+ spamassassin_exec_client(exim_t)
+')
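Review bot: The `exim_manage_user_files` tunable block does not grant what its `<desc>` promises — the description says exim may create, read, write and delete unprivileged user files, but the rules grant `userdom_manage_user_home_content_dirs(exim_t)` (directories only) plus read/write of user tmp files, and reading home content files is only available through the separate `exim_read_user_files` tunable. Either add `userdom_manage_user_home_content_files(exim_t)` inside the block, if file management really is the intent, or reword the description to what is actually granted, since the description is what an administrator reads before switching the boolean on. `corenet_tcp_sendrecv_all_ports(exim_t)` is also noticeably broader than the explicit per-port connect rules beneath it; a one-line comment stating why all-ports send/receive is required would let a later reviewer judge whether it can be narrowed.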
diff --git a/policy/modules/contrib/fail2ban.fc b/policy/modules/contrib/fail2ban.fc
new file mode 100644
index 00000000..0de2b83b
--- /dev/null
+++ b/policy/modules/contrib/fail2ban.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
+
+/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+
+/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
+/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
+/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if
new file mode 100644
index 00000000..f590a1ff
--- /dev/null
+++ b/policy/modules/contrib/fail2ban.if
@@ -0,0 +1,175 @@
+## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run fail2ban.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fail2ban_domtrans',`
+ gen_require(`
+ type fail2ban_t, fail2ban_exec_t;
+ ')
+
+ domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
+')
+
+#####################################
+## <summary>
+## Connect to fail2ban over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_stream_connect',`
+ gen_require(`
+ type fail2ban_t, fail2ban_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+')
+
+########################################
+## <summary>
+## Read and write to an fail2ban unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+## Read fail2ban lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_read_lib_files',`
+ gen_require(`
+ type fail2ban_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 fail2ban_var_lib_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read fail2ban's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_read_log',`
+ gen_require(`
+ type fail2ban_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
+ allow $1 fail2ban_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## fail2ban log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_append_log',`
+ gen_require(`
+ type fail2ban_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
+ allow $1 fail2ban_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Read fail2ban PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_read_pid_files',`
+ gen_require(`
+ type fail2ban_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 fail2ban_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an fail2ban environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the fail2ban domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_admin',`
+ gen_require(`
+ type fail2ban_t, fail2ban_log_t;
+ type fail2ban_var_run_t, fail2ban_initrc_exec_t;
+ ')
+
+ allow $1 fail2ban_t:process { ptrace signal_perms };
+ ps_process_pattern($1, fail2ban_t)
+
+ init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 fail2ban_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, fail2ban_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, fail2ban_var_run_t)
+')
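Review bot: `fail2ban_read_lib_files` grants `fail2ban_var_lib_t:file read_file_perms` but no search on the `fail2ban_var_lib_t` directory itself, so a caller still cannot traverse /var/lib/fail2ban, which fail2ban.fc labels with that type; `fail2ban_read_pid_files` has the same gap for `fail2ban_var_run_t`, which fail2ban.te also creates as a directory (`manage_dirs_pattern` plus the `dir` filetrans). Replacing the bare allow with `read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)`, and likewise `read_files_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t)`, adds the directory search the way `fail2ban_read_log` already does with its explicit `dir list_dir_perms`. Separately, `fail2ban_admin` covers the log and pid types but not `fail2ban_var_lib_t`, so an administrator cannot clean up the state directory; `files_search_var_lib($1)` followed by `admin_pattern($1, fail2ban_var_lib_t)` would complete it.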
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
new file mode 100644
index 00000000..4cdbca54
--- /dev/null
+++ b/policy/modules/contrib/fail2ban.te
@@ -0,0 +1,102 @@
+policy_module(fail2ban, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type fail2ban_t;
+type fail2ban_exec_t;
+init_daemon_domain(fail2ban_t, fail2ban_exec_t)
+
+type fail2ban_initrc_exec_t;
+init_script_file(fail2ban_initrc_exec_t)
+
+# log files
+type fail2ban_log_t;
+logging_log_file(fail2ban_log_t)
+
+type fail2ban_var_lib_t;
+files_type(fail2ban_var_lib_t)
+
+# pid files
+type fail2ban_var_run_t;
+files_pid_file(fail2ban_var_run_t)
+
+########################################
+#
+# fail2ban local policy
+#
+
+allow fail2ban_t self:capability { sys_tty_config };
+allow fail2ban_t self:process signal;
+allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow fail2ban_t self:unix_dgram_socket create_socket_perms;
+allow fail2ban_t self:tcp_socket create_stream_socket_perms;
+
+# log files
+allow fail2ban_t fail2ban_log_t:dir setattr;
+manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+
+manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file })
+
+# pid file
+manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
+
+# FAM support needs this (/proc/self and parent stuff)
+read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
+
+kernel_read_system_state(fail2ban_t)
+
+corecmd_exec_bin(fail2ban_t)
+corecmd_exec_shell(fail2ban_t)
+
+corenet_all_recvfrom_unlabeled(fail2ban_t)
+corenet_all_recvfrom_netlabel(fail2ban_t)
+corenet_tcp_sendrecv_generic_if(fail2ban_t)
+corenet_tcp_sendrecv_generic_node(fail2ban_t)
+corenet_tcp_sendrecv_all_ports(fail2ban_t)
+corenet_tcp_connect_whois_port(fail2ban_t)
+corenet_sendrecv_whois_client_packets(fail2ban_t)
+
+dev_read_urand(fail2ban_t)
+
+domain_use_interactive_fds(fail2ban_t)
+
+files_read_etc_files(fail2ban_t)
+files_read_etc_runtime_files(fail2ban_t)
+files_read_usr_files(fail2ban_t)
+files_list_var(fail2ban_t)
+files_search_var_lib(fail2ban_t)
+files_dontaudit_write_usr_dirs(fail2ban_t)
+
+fs_list_inotifyfs(fail2ban_t)
+fs_getattr_all_fs(fail2ban_t)
+
+auth_use_nsswitch(fail2ban_t)
+
+logging_read_all_logs(fail2ban_t)
+logging_send_syslog_msg(fail2ban_t)
+
+miscfiles_read_localization(fail2ban_t)
+
+mta_send_mail(fail2ban_t)
+
+optional_policy(`
+ apache_read_log(fail2ban_t)
+')
+
+optional_policy(`
+ ftp_read_log(fail2ban_t)
+')
+
+optional_policy(`
+ iptables_domtrans(fail2ban_t)
+')
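Review bot: `logging_read_all_logs(fail2ban_t)` and the `iptables_domtrans` block are the two grants that define this domain's reach — read access to every log on the system and the ability to rewrite firewall rules — and neither carries a why-comment. I would annotate them: `# jail log paths are admin-configured, so any log may be watched` above the logging line, and `# ban/unban actions are applied by running iptables` inside the optional block. The `corenet_tcp_connect_whois_port` line likewise depends on which actions are configured; a one-line comment naming that use would let a later reader decide whether it is still needed.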
diff --git a/policy/modules/contrib/fetchmail.fc b/policy/modules/contrib/fetchmail.fc
new file mode 100644
index 00000000..39928d5a
--- /dev/null
+++ b/policy/modules/contrib/fetchmail.fc
@@ -0,0 +1,19 @@
+
+#
+# /etc
+#
+
+/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
+
+#
+# /usr
+#
+
+/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
diff --git a/policy/modules/contrib/fetchmail.if b/policy/modules/contrib/fetchmail.if
new file mode 100644
index 00000000..6537214c
--- /dev/null
+++ b/policy/modules/contrib/fetchmail.if
@@ -0,0 +1,30 @@
+## <summary>Remote-mail retrieval and forwarding utility</summary>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an fetchmail environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fetchmail_admin',`
+ gen_require(`
+ type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t;
+ type fetchmail_var_run_t;
+ ')
+
+ ps_process_pattern($1, fetchmail_t)
+
+ files_list_etc($1)
+ admin_pattern($1, fetchmail_etc_t)
+
+ admin_pattern($1, fetchmail_uidl_cache_t)
+
+ files_list_pids($1)
+ admin_pattern($1, fetchmail_var_run_t)
+')
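Review bot: `fetchmail_admin` lets the admin domain see the daemon (`ps_process_pattern($1, fetchmail_t)`) but, unlike `fail2ban_admin` and `ftp_admin` in this same series, grants no `process` permissions on `fetchmail_t`, so the admin role cannot signal or stop it even though fetchmail.te declares it with `init_daemon_domain`. Adding `allow $1 fetchmail_t:process { ptrace signal_perms };` before the ps line would match the sibling interfaces. If the omission is deliberate, a comment saying so would keep it from being "fixed" later.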
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
new file mode 100644
index 00000000..ac6626eb
--- /dev/null
+++ b/policy/modules/contrib/fetchmail.te
@@ -0,0 +1,104 @@
+policy_module(fetchmail, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type fetchmail_t;
+type fetchmail_exec_t;
+init_daemon_domain(fetchmail_t, fetchmail_exec_t)
+application_executable_file(fetchmail_exec_t)
+
+type fetchmail_var_run_t;
+files_pid_file(fetchmail_var_run_t)
+
+type fetchmail_etc_t;
+files_config_file(fetchmail_etc_t)
+
+type fetchmail_uidl_cache_t;
+files_type(fetchmail_uidl_cache_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit fetchmail_t self:capability sys_tty_config;
+allow fetchmail_t self:process { signal_perms setrlimit };
+allow fetchmail_t self:unix_dgram_socket create_socket_perms;
+allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
+allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
+allow fetchmail_t self:tcp_socket create_socket_perms;
+allow fetchmail_t self:udp_socket create_socket_perms;
+
+allow fetchmail_t fetchmail_etc_t:file read_file_perms;
+
+allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
+mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
+
+manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(fetchmail_t)
+kernel_list_proc(fetchmail_t)
+kernel_getattr_proc_files(fetchmail_t)
+kernel_read_proc_symlinks(fetchmail_t)
+kernel_dontaudit_read_system_state(fetchmail_t)
+
+#looks like it uses system command - calls uname
+corecmd_exec_bin(fetchmail_t)
+corecmd_exec_shell(fetchmail_t)
+
+corenet_all_recvfrom_unlabeled(fetchmail_t)
+corenet_all_recvfrom_netlabel(fetchmail_t)
+corenet_tcp_sendrecv_generic_if(fetchmail_t)
+corenet_udp_sendrecv_generic_if(fetchmail_t)
+corenet_tcp_sendrecv_generic_node(fetchmail_t)
+corenet_udp_sendrecv_generic_node(fetchmail_t)
+corenet_tcp_sendrecv_dns_port(fetchmail_t)
+corenet_udp_sendrecv_dns_port(fetchmail_t)
+corenet_tcp_sendrecv_pop_port(fetchmail_t)
+corenet_tcp_sendrecv_smtp_port(fetchmail_t)
+corenet_tcp_connect_all_ports(fetchmail_t)
+corenet_sendrecv_all_client_packets(fetchmail_t)
+
+dev_read_sysfs(fetchmail_t)
+dev_read_rand(fetchmail_t)
+dev_read_urand(fetchmail_t)
+
+files_read_etc_files(fetchmail_t)
+files_read_etc_runtime_files(fetchmail_t)
+files_dontaudit_search_home(fetchmail_t)
+
+fs_getattr_all_fs(fetchmail_t)
+fs_search_auto_mountpoints(fetchmail_t)
+
+domain_use_interactive_fds(fetchmail_t)
+
+logging_send_syslog_msg(fetchmail_t)
+
+miscfiles_read_localization(fetchmail_t)
+miscfiles_read_generic_certs(fetchmail_t)
+
+sysnet_read_config(fetchmail_t)
+
+userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
+userdom_dontaudit_search_user_home_dirs(fetchmail_t)
+
+optional_policy(`
+ procmail_domtrans(fetchmail_t)
+')
+
+optional_policy(`
+ sendmail_manage_log(fetchmail_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(fetchmail_t)
+')
+
+optional_policy(`
+ udev_read_db(fetchmail_t)
+')
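Review bot: `corenet_tcp_connect_all_ports(fetchmail_t)` together with `corenet_sendrecv_all_client_packets(fetchmail_t)` lets the domain open a TCP connection to any labeled port, which makes the more specific `corenet_tcp_sendrecv_pop_port` and `corenet_tcp_sendrecv_smtp_port` lines just above it redundant. Unless non-standard mail ports must be supported, the narrower `corenet_tcp_connect_pop_port(fetchmail_t)` and `corenet_tcp_connect_smtp_port(fetchmail_t)`, with the matching `corenet_sendrecv_pop_client_packets`/`corenet_sendrecv_smtp_client_packets`, would bound the domain to the protocols it speaks. If the broad grant is intentional, a comment stating the reason should sit above it.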
diff --git a/policy/modules/contrib/finger.fc b/policy/modules/contrib/finger.fc
new file mode 100644
index 00000000..c8611923
--- /dev/null
+++ b/policy/modules/contrib/finger.fc
@@ -0,0 +1,19 @@
+# fingerd
+
+#
+# /etc
+#
+/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0)
+
+/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/in\.fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+
+#
+# /var
+#
+/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)
diff --git a/policy/modules/contrib/finger.if b/policy/modules/contrib/finger.if
new file mode 100644
index 00000000..b5dd671f
--- /dev/null
+++ b/policy/modules/contrib/finger.if
@@ -0,0 +1,33 @@
+## <summary>Finger user information service.</summary>
+
+########################################
+## <summary>
+## Execute fingerd in the fingerd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`finger_domtrans',`
+ gen_require(`
+ type fingerd_t, fingerd_exec_t;
+ ')
+
+ domtrans_pattern($1, fingerd_exec_t, fingerd_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to fingerd with a tcp socket. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`finger_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
new file mode 100644
index 00000000..9b7036aa
--- /dev/null
+++ b/policy/modules/contrib/finger.te
@@ -0,0 +1,121 @@
+policy_module(finger, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type fingerd_t;
+type fingerd_exec_t;
+init_daemon_domain(fingerd_t, fingerd_exec_t)
+inetd_tcp_service_domain(fingerd_t, fingerd_exec_t)
+
+type fingerd_etc_t;
+files_config_file(fingerd_etc_t)
+
+type fingerd_log_t;
+logging_log_file(fingerd_log_t)
+
+type fingerd_var_run_t;
+files_pid_file(fingerd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow fingerd_t self:capability { setgid setuid };
+dontaudit fingerd_t self:capability { sys_tty_config fsetid };
+allow fingerd_t self:process signal_perms;
+allow fingerd_t self:fifo_file rw_fifo_file_perms;
+allow fingerd_t self:tcp_socket connected_stream_socket_perms;
+allow fingerd_t self:udp_socket create_socket_perms;
+allow fingerd_t self:unix_dgram_socket create_socket_perms;
+allow fingerd_t self:unix_stream_socket create_socket_perms;
+
+manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t)
+files_pid_filetrans(fingerd_t, fingerd_var_run_t, file)
+
+allow fingerd_t fingerd_etc_t:dir list_dir_perms;
+read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
+read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
+
+allow fingerd_t fingerd_log_t:file manage_file_perms;
+logging_log_filetrans(fingerd_t, fingerd_log_t, file)
+
+kernel_read_kernel_sysctls(fingerd_t)
+kernel_read_system_state(fingerd_t)
+
+corenet_all_recvfrom_unlabeled(fingerd_t)
+corenet_all_recvfrom_netlabel(fingerd_t)
+corenet_tcp_sendrecv_generic_if(fingerd_t)
+corenet_udp_sendrecv_generic_if(fingerd_t)
+corenet_tcp_sendrecv_generic_node(fingerd_t)
+corenet_udp_sendrecv_generic_node(fingerd_t)
+corenet_tcp_sendrecv_all_ports(fingerd_t)
+corenet_udp_sendrecv_all_ports(fingerd_t)
+corenet_tcp_bind_generic_node(fingerd_t)
+corenet_tcp_bind_fingerd_port(fingerd_t)
+
+dev_read_sysfs(fingerd_t)
+
+fs_getattr_all_fs(fingerd_t)
+fs_search_auto_mountpoints(fingerd_t)
+
+term_getattr_all_ttys(fingerd_t)
+term_getattr_all_ptys(fingerd_t)
+
+auth_read_lastlog(fingerd_t)
+
+corecmd_exec_bin(fingerd_t)
+corecmd_exec_shell(fingerd_t)
+
+domain_use_interactive_fds(fingerd_t)
+
+files_search_home(fingerd_t)
+files_read_etc_files(fingerd_t)
+files_read_etc_runtime_files(fingerd_t)
+
+init_read_utmp(fingerd_t)
+init_dontaudit_write_utmp(fingerd_t)
+
+logging_send_syslog_msg(fingerd_t)
+
+mta_getattr_spool(fingerd_t)
+
+sysnet_read_config(fingerd_t)
+
+miscfiles_read_localization(fingerd_t)
+
+# stop it accessing sub-directories, prevents checking a Maildir for new mail,
+# have to change this when we create a type for Maildir
+userdom_read_user_home_content_files(fingerd_t)
+userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
+
+optional_policy(`
+ cron_system_entry(fingerd_t, fingerd_exec_t)
+')
+
+optional_policy(`
+ logrotate_exec(fingerd_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(fingerd_t)
+')
+
+optional_policy(`
+ nscd_socket_use(fingerd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(fingerd_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(fingerd_t, fingerd_exec_t)
+')
+
+optional_policy(`
+ udev_read_db(fingerd_t)
+')
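Review bot: The comment above `userdom_read_user_home_content_files(fingerd_t)` does not explain what the restriction buys; since fingerd is network-facing (`inetd_tcp_service_domain`, `corenet_tcp_bind_fingerd_port`), the scope of what it can read from home directories is the security-relevant part of this module. I would reword it as `# fingerd may read files directly in user home dirs (presumably .plan/.project) but not subdirectories, so a Maildir cannot be checked for new mail until a dedicated Maildir type exists`. The `setgid setuid` capability grant near the top also deserves a one-line comment stating which user the daemon drops to.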
diff --git a/policy/modules/contrib/firstboot.fc b/policy/modules/contrib/firstboot.fc
new file mode 100644
index 00000000..ba614e45
--- /dev/null
+++ b/policy/modules/contrib/firstboot.fc
@@ -0,0 +1,3 @@
+/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+
+/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/policy/modules/contrib/firstboot.if b/policy/modules/contrib/firstboot.if
new file mode 100644
index 00000000..8fa451cc
--- /dev/null
+++ b/policy/modules/contrib/firstboot.if
@@ -0,0 +1,157 @@
+## <summary>
+## Final system configuration run during the first boot
+## after installation of Red Hat/Fedora systems.
+## </summary>
+
+########################################
+## <summary>
+## Execute firstboot in the firstboot domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`firstboot_domtrans',`
+ gen_require(`
+ type firstboot_t, firstboot_exec_t;
+ ')
+
+ domtrans_pattern($1, firstboot_exec_t, firstboot_t)
+')
+
+########################################
+## <summary>
+## Execute firstboot in the firstboot domain, and
+## allow the specified role the firstboot domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`firstboot_run',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ firstboot_domtrans($1)
+ role $2 types firstboot_t;
+')
+
+########################################
+## <summary>
+## Inherit and use a file descriptor from firstboot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firstboot_use_fds',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ allow $1 firstboot_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit a
+## file descriptor from firstboot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firstboot_dontaudit_use_fds',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:fd use;
+')
+
+########################################
+## <summary>
+## Write to a firstboot unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firstboot_write_pipes',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ allow $1 firstboot_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Read and Write to a firstboot unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firstboot_rw_pipes',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ allow $1 firstboot_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attemps to read and write to a firstboot unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firstboot_dontaudit_rw_pipes',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attemps to read and write to a firstboot
+## unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firstboot_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:unix_stream_socket { read write };
+')
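Review bot: The summaries of `firstboot_dontaudit_rw_pipes` and `firstboot_dontaudit_rw_stream_sockets` both spell "attemps"; these `## <summary>` blocks feed the generated interface documentation, so they should read `## Do not audit attempts to read and write to a firstboot unnamed pipe.` and `## Do not audit attempts to read and write to a firstboot` respectively. The rest of the interfaces are consistent with the other modules in this series.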
diff --git a/policy/modules/contrib/firstboot.te b/policy/modules/contrib/firstboot.te
new file mode 100644
index 00000000..c4d89985
--- /dev/null
+++ b/policy/modules/contrib/firstboot.te
@@ -0,0 +1,135 @@
+policy_module(firstboot, 1.12.0)
+
+gen_require(`
+ class passwd rootok;
+')
+
+########################################
+#
+# Declarations
+#
+
+type firstboot_t;
+type firstboot_exec_t;
+init_system_domain(firstboot_t, firstboot_exec_t)
+domain_obj_id_change_exemption(firstboot_t)
+domain_subj_id_change_exemption(firstboot_t)
+role system_r types firstboot_t;
+
+type firstboot_etc_t;
+files_config_file(firstboot_etc_t)
+
+########################################
+#
+# Local policy
+#
+
+allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:process setfscreate;
+allow firstboot_t self:fifo_file rw_fifo_file_perms;
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
+allow firstboot_t self:unix_stream_socket { connect create };
+allow firstboot_t self:passwd rootok;
+
+allow firstboot_t firstboot_etc_t:file read_file_perms;
+
+kernel_read_system_state(firstboot_t)
+kernel_read_kernel_sysctls(firstboot_t)
+
+corenet_all_recvfrom_unlabeled(firstboot_t)
+corenet_all_recvfrom_netlabel(firstboot_t)
+corenet_tcp_sendrecv_generic_if(firstboot_t)
+corenet_tcp_sendrecv_generic_node(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
+
+dev_read_urand(firstboot_t)
+
+selinux_get_fs_mount(firstboot_t)
+selinux_validate_context(firstboot_t)
+selinux_compute_access_vector(firstboot_t)
+selinux_compute_create_context(firstboot_t)
+selinux_compute_relabel_context(firstboot_t)
+selinux_compute_user_contexts(firstboot_t)
+
+auth_dontaudit_getattr_shadow(firstboot_t)
+
+corecmd_exec_all_executables(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_manage_etc_runtime_files(firstboot_t)
+files_read_usr_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+
+init_domtrans_script(firstboot_t)
+init_rw_utmp(firstboot_t)
+
+libs_exec_ld_so(firstboot_t)
+libs_exec_lib_files(firstboot_t)
+
+locallogin_use_fds(firstboot_t)
+
+logging_send_syslog_msg(firstboot_t)
+
+miscfiles_read_localization(firstboot_t)
+
+modutils_domtrans_insmod(firstboot_t)
+modutils_domtrans_depmod(firstboot_t)
+modutils_read_module_config(firstboot_t)
+modutils_read_module_deps(firstboot_t)
+
+userdom_use_user_terminals(firstboot_t)
+# Add/remove user home directories
+userdom_manage_user_home_content_dirs(firstboot_t)
+userdom_manage_user_home_content_files(firstboot_t)
+userdom_manage_user_home_content_symlinks(firstboot_t)
+userdom_manage_user_home_content_pipes(firstboot_t)
+userdom_manage_user_home_content_sockets(firstboot_t)
+userdom_home_filetrans_user_home_dir(firstboot_t)
+userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ consoletype_domtrans(firstboot_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(firstboot_t)
+
+ optional_policy(`
+ hal_dbus_chat(firstboot_t)
+ ')
+')
+
+optional_policy(`
+ nis_use_ypbind(firstboot_t)
+')
+
+optional_policy(`
+ samba_rw_config(firstboot_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(firstboot_t)
+ # The big hammer
+ unconfined_domain(firstboot_t)
+')
+
+optional_policy(`
+ usermanage_domtrans_chfn(firstboot_t)
+ usermanage_domtrans_groupadd(firstboot_t)
+ usermanage_domtrans_passwd(firstboot_t)
+ usermanage_domtrans_useradd(firstboot_t)
+ usermanage_domtrans_admin_passwd(firstboot_t)
+')
+
+optional_policy(`
+ gnome_manage_config(firstboot_t)
+')
+
+optional_policy(`
+ xserver_domtrans(firstboot_t)
+ xserver_rw_shm(firstboot_t)
+ xserver_unconfined(firstboot_t)
+')
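Review bot: The `unconfined_domain(firstboot_t)` call in the optional block near the end makes every rule above it moot on any system that ships the unconfined module, and the one-line `# The big hammer` comment does not tell a reader that the carefully enumerated grants (`selinux_compute_*`, `usermanage_domtrans_*`, the home-directory management rules) only constrain the domain when that module is absent. I would expand it to `# firstboot runs arbitrary install-time tooling; with the unconfined module loaded it is fully unconfined and the rules above only apply on systems without that module`. `allow firstboot_t self:passwd rootok;` also deserves a comment, e.g. `# presumably lets firstboot set initial passwords without authenticating — confirm`, since rootok is the permission the passwd userspace class checks before skipping authentication.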
diff --git a/policy/modules/contrib/fprintd.fc b/policy/modules/contrib/fprintd.fc
new file mode 100644
index 00000000..a4f5fb1e
--- /dev/null
+++ b/policy/modules/contrib/fprintd.fc
@@ -0,0 +1,2 @@
+/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
+/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0)
diff --git a/policy/modules/contrib/fprintd.if b/policy/modules/contrib/fprintd.if
new file mode 100644
index 00000000..ebad8c42
--- /dev/null
+++ b/policy/modules/contrib/fprintd.if
@@ -0,0 +1,41 @@
+## <summary>DBus fingerprint reader service</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run fprintd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fprintd_domtrans',`
+ gen_require(`
+ type fprintd_t, fprintd_exec_t;
+ ')
+
+ domtrans_pattern($1, fprintd_exec_t, fprintd_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## fprintd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fprintd_dbus_chat',`
+ gen_require(`
+ type fprintd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 fprintd_t:dbus send_msg;
+ allow fprintd_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/fprintd.te b/policy/modules/contrib/fprintd.te
new file mode 100644
index 00000000..7df52c7d
--- /dev/null
+++ b/policy/modules/contrib/fprintd.te
@@ -0,0 +1,57 @@
+policy_module(fprintd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type fprintd_t;
+type fprintd_exec_t;
+dbus_system_domain(fprintd_t, fprintd_exec_t)
+
+type fprintd_var_lib_t;
+files_type(fprintd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow fprintd_t self:capability sys_ptrace;
+allow fprintd_t self:fifo_file rw_fifo_file_perms;
+allow fprintd_t self:process { getsched signal };
+
+manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file })
+
+kernel_read_system_state(fprintd_t)
+
+corecmd_search_bin(fprintd_t)
+
+dev_list_usbfs(fprintd_t)
+dev_rw_generic_usb_dev(fprintd_t)
+dev_read_sysfs(fprintd_t)
+
+files_read_etc_files(fprintd_t)
+files_read_usr_files(fprintd_t)
+
+fs_getattr_all_fs(fprintd_t)
+
+auth_use_nsswitch(fprintd_t)
+
+miscfiles_read_localization(fprintd_t)
+
+userdom_use_user_ptys(fprintd_t)
+userdom_read_all_users_state(fprintd_t)
+
+optional_policy(`
+ consolekit_dbus_chat(fprintd_t)
+')
+
+optional_policy(`
+ policykit_read_reload(fprintd_t)
+ policykit_read_lib(fprintd_t)
+ policykit_dbus_chat(fprintd_t)
+ policykit_domtrans_auth(fprintd_t)
+')
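Review bot: `allow fprintd_t self:capability sys_ptrace;` is the most powerful grant in this domain and has no why-comment; read together with `userdom_read_all_users_state(fprintd_t)` below it, the apparent use is reading /proc entries of other users' processes rather than attaching to them. I would document it as `# sys_ptrace: needed to read /proc/<pid> state of other users' processes (see userdom_read_all_users_state), not to trace them — confirm against audit logs`. `dev_rw_generic_usb_dev(fprintd_t)` similarly gives read/write on every generic USB device node; a comment naming the fingerprint reader as the reason would help a later reader judge whether it can be narrowed.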
diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
new file mode 100644
index 00000000..69dcd2a0
--- /dev/null
+++ b/policy/modules/contrib/ftp.fc
@@ -0,0 +1,31 @@
+#
+# /etc
+#
+/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
+/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0)
+
+/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+
+/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+
+#
+# /var
+#
+/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0)
+
+/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
new file mode 100644
index 00000000..9d3201b6
--- /dev/null
+++ b/policy/modules/contrib/ftp.if
@@ -0,0 +1,206 @@
+## <summary>File transfer protocol service</summary>
+
+#######################################
+## <summary>
+## Allow domain dyntransition to sftpd_anon domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_dyntrans_anon_sftpd',`
+ gen_require(`
+ type anon_sftpd_t;
+ ')
+
+ dyntrans_pattern($1, anon_sftpd_t)
+')
+
+########################################
+## <summary>
+## Use ftp by connecting over TCP. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Read ftpd etc files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_read_config',`
+ gen_require(`
+ type ftpd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 ftpd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute FTP daemon entry point programs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_check_exec',`
+ gen_require(`
+ type ftpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 ftpd_exec_t:file { getattr execute };
+')
+
+########################################
+## <summary>
+## Read FTP transfer logs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_read_log',`
+ gen_require(`
+ type xferlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 xferlog_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute the ftpdctl program in the ftpdctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_domtrans_ftpdctl',`
+ gen_require(`
+ type ftpdctl_t, ftpdctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t)
+')
+
+########################################
+## <summary>
+## Execute the ftpdctl program in the ftpdctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the ftpdctl domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ftp_run_ftpdctl',`
+ gen_require(`
+ type ftpdctl_t;
+ ')
+
+ ftp_domtrans_ftpdctl($1)
+ role $2 types ftpdctl_t;
+')
+
+#######################################
+## <summary>
+## Allow domain dyntransition to sftpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_dyntrans_sftpd',`
+ gen_require(`
+ type sftpd_t;
+ ')
+
+ dyntrans_pattern($1, sftpd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ftp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the ftp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ftp_admin',`
+ gen_require(`
+ type ftpd_t, ftpdctl_t, ftpd_tmp_t;
+ type ftpd_etc_t, ftpd_lock_t;
+ type ftpd_var_run_t, xferlog_t;
+ type ftpd_initrc_exec_t;
+ ')
+
+ allow $1 ftpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ftpd_t)
+
+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ftpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ ps_process_pattern($1, ftpdctl_t)
+ ftp_run_ftpdctl($1, $2)
+
+ miscfiles_manage_public_files($1)
+
+ files_list_tmp($1)
+ admin_pattern($1, ftpd_tmp_t)
+
+ files_list_etc($1)
+ admin_pattern($1, ftpd_etc_t)
+
+ files_list_var($1)
+ admin_pattern($1, ftpd_lock_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ftpd_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, xferlog_t)
+')
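Review bot: `miscfiles_manage_public_files($1)` inside `ftp_admin` is the only rule there that reaches beyond ftp's own types: public content types (`public_content_rw_t` in the tunable descriptions of ftp.te) are shared system-wide, so an ftp administrator also gains write access to every other service's public share. A comment such as `# public content types are shared by all services; this is not limited to ftp` should sit above it, or the grant should be left to the caller. In `ftp_check_exec`, `{ getattr execute }` is granted without a domain transition; the summary could state that explicitly so nobody mistakes it for `ftp_domtrans`-style access.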
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
new file mode 100644
index 00000000..02ffdfb4
--- /dev/null
+++ b/policy/modules/contrib/ftp.te
@@ -0,0 +1,412 @@
+policy_module(ftp, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow ftp servers to upload files, used for public file
+## transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow ftp servers to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_full_access, false)
+
+## <desc>
+## <p>
+## Allow ftp servers to use cifs
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow ftp servers to use nfs
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow ftp to read and write files in the user home directories
+## </p>
+## </desc>
+gen_tunable(ftp_home_dir, false)
+
+## <desc>
+## <p>
+## Allow anon internal-sftp to upload files, used for
+## public file transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(sftpd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow sftp-internal to read and write files
+## in the user home directories
+## </p>
+## </desc>
+gen_tunable(sftpd_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Allow sftp-internal to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
+## </desc>
+gen_tunable(sftpd_full_access, false)
+
+type anon_sftpd_t;
+typealias anon_sftpd_t alias sftpd_anon_t;
+domain_type(anon_sftpd_t)
+role system_r types anon_sftpd_t;
+
+type ftpd_t;
+type ftpd_exec_t;
+init_daemon_domain(ftpd_t, ftpd_exec_t)
+
+type ftpd_etc_t;
+files_config_file(ftpd_etc_t)
+
+type ftpd_initrc_exec_t;
+init_script_file(ftpd_initrc_exec_t)
+
+type ftpd_lock_t;
+files_lock_file(ftpd_lock_t)
+
+type ftpd_tmp_t;
+files_tmp_file(ftpd_tmp_t)
+
+type ftpd_tmpfs_t;
+files_tmpfs_file(ftpd_tmpfs_t)
+
+type ftpd_var_run_t;
+files_pid_file(ftpd_var_run_t)
+
+type ftpdctl_t;
+type ftpdctl_exec_t;
+init_system_domain(ftpdctl_t, ftpdctl_exec_t)
+
+type ftpdctl_tmp_t;
+files_tmp_file(ftpdctl_tmp_t)
+
+type sftpd_t;
+domain_type(sftpd_t)
+role system_r types sftpd_t;
+
+type xferlog_t;
+logging_log_file(xferlog_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# anon-sftp local policy
+#
+
+files_read_etc_files(anon_sftpd_t)
+
+miscfiles_read_public_files(anon_sftpd_t)
+
+tunable_policy(`sftpd_anon_write',`
+ miscfiles_manage_public_files(anon_sftpd_t)
+')
+
+########################################
+#
+# ftpd local policy
+#
+
+allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
+dontaudit ftpd_t self:capability sys_tty_config;
+allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
+allow ftpd_t self:fifo_file rw_fifo_file_perms;
+allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
+allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
+allow ftpd_t self:tcp_socket create_stream_socket_perms;
+allow ftpd_t self:udp_socket create_socket_perms;
+allow ftpd_t self:shm create_shm_perms;
+allow ftpd_t self:key manage_key_perms;
+
+allow ftpd_t ftpd_etc_t:file read_file_perms;
+
+allow ftpd_t ftpd_lock_t:file manage_file_perms;
+files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+
+manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
+
+manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
+
+# proftpd requires the client side to bind a socket so that
+# it can stat the socket to perform access control decisions,
+# since getsockopt with SO_PEERCRED is not available on all
+# proftpd-supported OSs
+allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
+
+# Create and modify /var/log/xferlog.
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+logging_log_filetrans(ftpd_t, xferlog_t, file)
+
+kernel_read_kernel_sysctls(ftpd_t)
+kernel_read_system_state(ftpd_t)
+kernel_search_network_state(ftpd_t)
+
+dev_read_sysfs(ftpd_t)
+dev_read_urand(ftpd_t)
+
+corecmd_exec_bin(ftpd_t)
+
+corenet_all_recvfrom_unlabeled(ftpd_t)
+corenet_all_recvfrom_netlabel(ftpd_t)
+corenet_tcp_sendrecv_generic_if(ftpd_t)
+corenet_udp_sendrecv_generic_if(ftpd_t)
+corenet_tcp_sendrecv_generic_node(ftpd_t)
+corenet_udp_sendrecv_generic_node(ftpd_t)
+corenet_tcp_sendrecv_all_ports(ftpd_t)
+corenet_udp_sendrecv_all_ports(ftpd_t)
+corenet_tcp_bind_generic_node(ftpd_t)
+corenet_tcp_bind_ftp_port(ftpd_t)
+corenet_tcp_bind_ftp_data_port(ftpd_t)
+corenet_tcp_bind_generic_port(ftpd_t)
+corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
+corenet_tcp_connect_all_ports(ftpd_t)
+corenet_sendrecv_ftp_server_packets(ftpd_t)
+
+domain_use_interactive_fds(ftpd_t)
+
+files_search_etc(ftpd_t)
+files_read_etc_files(ftpd_t)
+files_read_etc_runtime_files(ftpd_t)
+files_search_var_lib(ftpd_t)
+
+fs_search_auto_mountpoints(ftpd_t)
+fs_getattr_all_fs(ftpd_t)
+fs_search_fusefs(ftpd_t)
+
+auth_use_nsswitch(ftpd_t)
+auth_domtrans_chk_passwd(ftpd_t)
+# Append to /var/log/wtmp.
+auth_append_login_records(ftpd_t)
+#kerberized ftp requires the following
+auth_write_login_records(ftpd_t)
+auth_rw_faillog(ftpd_t)
+
+init_rw_utmp(ftpd_t)
+
+logging_send_audit_msgs(ftpd_t)
+logging_send_syslog_msg(ftpd_t)
+logging_set_loginuid(ftpd_t)
+
+miscfiles_read_localization(ftpd_t)
+miscfiles_read_public_files(ftpd_t)
+
+seutil_dontaudit_search_config(ftpd_t)
+
+sysnet_read_config(ftpd_t)
+sysnet_use_ldap(ftpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
+userdom_dontaudit_search_user_home_dirs(ftpd_t)
+
+tunable_policy(`allow_ftpd_anon_write',`
+ miscfiles_manage_public_files(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_cifs',`
+ fs_read_cifs_files(ftpd_t)
+ fs_read_cifs_symlinks(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
+ fs_manage_cifs_files(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_nfs',`
+ fs_read_nfs_files(ftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+ fs_manage_nfs_files(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_full_access',`
+ allow ftpd_t self:capability { dac_override dac_read_search };
+ auth_manage_all_files_except_auth_files(ftpd_t)
+')
+
+tunable_policy(`ftp_home_dir',`
+ allow ftpd_t self:capability { dac_override dac_read_search };
+
+ # allow access to /home
+ files_list_home(ftpd_t)
+ userdom_read_user_home_content_files(ftpd_t)
+ userdom_manage_user_home_content_dirs(ftpd_t)
+ userdom_manage_user_home_content_files(ftpd_t)
+ userdom_manage_user_home_content_symlinks(ftpd_t)
+ userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
+')
+
+tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+ fs_manage_nfs_files(ftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
+
+tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
+ fs_manage_cifs_files(ftpd_t)
+ fs_read_cifs_symlinks(ftpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`ftp_home_dir',`
+ apache_search_sys_content(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ corecmd_exec_shell(ftpd_t)
+
+ files_read_usr_files(ftpd_t)
+
+ cron_system_entry(ftpd_t, ftpd_exec_t)
+
+ optional_policy(`
+ logrotate_exec(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ daemontools_service_domain(ftpd_t, ftpd_exec_t)
+')
+
+optional_policy(`
+ selinux_validate_context(ftpd_t)
+
+ kerberos_keytab_template(ftpd, ftpd_t)
+ kerberos_manage_host_rcache(ftpd_t)
+')
+
+optional_policy(`
+ inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
+
+ optional_policy(`
+ tcpd_domtrans(tcpd_t)
+ ')
+')
+
+optional_policy(`
+ dbus_system_bus_client(ftpd_t)
+
+ optional_policy(`
+ oddjob_dbus_chat(ftpd_t)
+ oddjob_domtrans_mkhomedir(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ftpd_t)
+')
+
+optional_policy(`
+ udev_read_db(ftpd_t)
+')
+
+########################################
+#
+# ftpdctl local policy
+#
+
+# Allow ftpdctl to talk to ftpd over a socket connection
+stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
+
+# ftpdctl creates a socket so that the daemon can perform
+# access control decisions (see comments in ftpd_t rules above)
+allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
+files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
+
+# Allow ftpdctl to read config files
+files_read_etc_files(ftpdctl_t)
+
+userdom_use_user_terminals(ftpdctl_t)
+
+########################################
+#
+# sftpd local policy
+#
+
+files_read_etc_files(sftpd_t)
+
+# allow read access to /home by default
+userdom_read_user_home_content_files(sftpd_t)
+userdom_read_user_home_content_symlinks(sftpd_t)
+
+tunable_policy(`sftpd_enable_homedirs',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+
+ # allow access to /home
+ files_list_home(sftpd_t)
+ userdom_manage_user_home_content_files(sftpd_t)
+ userdom_manage_user_home_content_dirs(sftpd_t)
+ userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
+')
+
+tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(sftpd_t)
+ fs_manage_nfs_files(sftpd_t)
+ fs_manage_nfs_symlinks(sftpd_t)
+')
+
+tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+ fs_manage_cifs_dirs(sftpd_t)
+ fs_manage_cifs_files(sftpd_t)
+ fs_manage_cifs_symlinks(sftpd_t)
+')
+
+tunable_policy(`sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+ auth_manage_all_files_except_auth_files(sftpd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ # allow read access to /home by default
+ fs_list_cifs(sftpd_t)
+ fs_read_cifs_files(sftpd_t)
+ fs_read_cifs_symlinks(sftpd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ # allow read access to /home by default
+ fs_list_nfs(sftpd_t)
+ fs_read_nfs_files(sftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
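Review bot: The `use_nfs_home_dirs` block at the end of the sftpd local policy section grants `fs_read_nfs_symlinks(ftpd_t)` where every sibling line targets `sftpd_t`, so sftpd_t never gets symlink read on NFS home content while ftpd_t picks up a permission from a tunable that is not its own; the line should read `fs_read_nfs_symlinks(sftpd_t)`. Earlier in the ftpd section, `tcpd_domtrans(tcpd_t)` inside the inetd optional block looks like the same kind of copy error: it asks tcpd_t to transition to itself on tcpd_exec_t, which is a no-op, and the intended source domain is presumably `ftpd_t` — worth confirming against the tcpd interface. Minor style point in the same hunk: `files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )` has inconsistent brace spacing compared with the other filetrans calls (`{ file dir })`).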
diff --git a/policy/modules/contrib/games.fc b/policy/modules/contrib/games.fc
new file mode 100644
index 00000000..78dc515e
--- /dev/null
+++ b/policy/modules/contrib/games.fc
@@ -0,0 +1,66 @@
+#
+# /usr
+#
+/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
+/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
+/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
+
+ifndef(`distro_debian',`
+/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbattleship -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kblackbox -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbounce -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kenolaba -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kfouleggs -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0)
+')dnl end non-Debian section
diff --git a/policy/modules/contrib/games.if b/policy/modules/contrib/games.if
new file mode 100644
index 00000000..7ac736d3
--- /dev/null
+++ b/policy/modules/contrib/games.if
@@ -0,0 +1,51 @@
+## <summary>Games</summary>
+
+############################################################
+## <summary>
+## Role access for games
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`games_role',`
+ gen_require(`
+ type games_t, games_exec_t;
+ ')
+
+ role $1 types games_t;
+
+ domtrans_pattern($2, games_exec_t, games_t)
+ allow $2 games_t:unix_stream_socket connectto;
+ allow games_t $2:unix_stream_socket connectto;
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, games_t)
+ allow $2 games_t:process signal_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write
+## games data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`games_rw_data',`
+ gen_require(`
+ type games_data_t;
+ ')
+
+ rw_files_pattern($1, games_data_t, games_data_t)
+')
diff --git a/policy/modules/contrib/games.te b/policy/modules/contrib/games.te
new file mode 100644
index 00000000..b73d33c9
--- /dev/null
+++ b/policy/modules/contrib/games.te
@@ -0,0 +1,178 @@
+policy_module(games, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type games_t;
+type games_exec_t;
+typealias games_t alias { user_games_t staff_games_t sysadm_games_t };
+typealias games_t alias { auditadm_games_t secadm_games_t };
+userdom_user_application_domain(games_t, games_exec_t)
+
+type games_data_t;
+typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t };
+typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t };
+files_type(games_data_t)
+ubac_constrained(games_data_t)
+
+type games_devpts_t;
+typealias games_devpts_t alias { user_games_devpts_t staff_games_devpts_t sysadm_games_devpts_t };
+typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t };
+term_pty(games_devpts_t)
+ubac_constrained(games_devpts_t)
+
+# games_srv_t is for system operation of games, generic games daemons and
+# games recovery scripts
+type games_srv_t;
+init_system_domain(games_srv_t, games_exec_t)
+
+type games_srv_var_run_t;
+files_pid_file(games_srv_var_run_t)
+
+type games_tmp_t;
+typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t };
+typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t };
+userdom_user_tmp_file(games_tmp_t)
+
+type games_tmpfs_t;
+typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
+typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
+userdom_user_tmpfs_file(games_tmpfs_t)
+
+########################################
+#
+# Server local policy
+#
+
+dontaudit games_srv_t self:capability sys_tty_config;
+allow games_srv_t self:process signal_perms;
+
+manage_files_pattern(games_srv_t, games_data_t, games_data_t)
+manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t)
+
+manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t)
+files_pid_filetrans(games_srv_t, games_srv_var_run_t, file)
+
+can_exec(games_srv_t, games_exec_t)
+
+kernel_read_kernel_sysctls(games_srv_t)
+kernel_list_proc(games_srv_t)
+kernel_read_proc_symlinks(games_srv_t)
+
+dev_read_sysfs(games_srv_t)
+
+fs_getattr_all_fs(games_srv_t)
+fs_search_auto_mountpoints(games_srv_t)
+
+term_dontaudit_use_console(games_srv_t)
+
+domain_use_interactive_fds(games_srv_t)
+
+init_use_fds(games_srv_t)
+init_use_script_ptys(games_srv_t)
+
+logging_send_syslog_msg(games_srv_t)
+
+miscfiles_read_localization(games_srv_t)
+
+userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
+
+userdom_dontaudit_search_user_home_dirs(games_srv_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(games_srv_t)
+')
+
+optional_policy(`
+ udev_read_db(games_srv_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow games_t self:sem create_sem_perms;
+allow games_t self:tcp_socket create_stream_socket_perms;
+allow games_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(games_t, games_data_t, games_data_t)
+manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
+
+allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(games_t, games_devpts_t)
+
+manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
+manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
+files_tmp_filetrans(games_t, games_tmp_t, { file dir })
+
+manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(games_t, games_exec_t)
+
+kernel_read_system_state(games_t)
+
+corecmd_exec_bin(games_t)
+
+corenet_all_recvfrom_unlabeled(games_t)
+corenet_all_recvfrom_netlabel(games_t)
+corenet_tcp_sendrecv_generic_if(games_t)
+corenet_udp_sendrecv_generic_if(games_t)
+corenet_tcp_sendrecv_generic_node(games_t)
+corenet_udp_sendrecv_generic_node(games_t)
+corenet_tcp_sendrecv_all_ports(games_t)
+corenet_udp_sendrecv_all_ports(games_t)
+corenet_tcp_bind_generic_node(games_t)
+corenet_tcp_bind_generic_port(games_t)
+corenet_tcp_connect_generic_port(games_t)
+corenet_sendrecv_generic_client_packets(games_t)
+corenet_sendrecv_generic_server_packets(games_t)
+
+dev_read_sound(games_t)
+dev_write_sound(games_t)
+dev_read_input(games_t)
+dev_read_mouse(games_t)
+dev_read_urand(games_t)
+
+files_list_var(games_t)
+files_search_var_lib(games_t)
+files_dontaudit_search_var(games_t)
+files_read_etc_files(games_t)
+files_read_usr_files(games_t)
+files_read_var_files(games_t)
+
+init_dontaudit_rw_utmp(games_t)
+
+logging_dontaudit_search_logs(games_t)
+
+miscfiles_read_man_pages(games_t)
+miscfiles_read_localization(games_t)
+
+sysnet_read_config(games_t)
+
+userdom_manage_user_tmp_dirs(games_t)
+userdom_manage_user_tmp_files(games_t)
+userdom_manage_user_tmp_symlinks(games_t)
+userdom_manage_user_tmp_sockets(games_t)
+# Suppress .icons denial until properly implemented
+userdom_dontaudit_read_user_home_content_files(games_t)
+
+tunable_policy(`allow_execmem',`
+ allow games_t self:process execmem;
+')
+
+optional_policy(`
+ nscd_socket_use(games_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
+ xserver_create_xdm_tmp_sockets(games_t)
+ xserver_read_xdm_lib_files(games_t)
+')
diff --git a/policy/modules/contrib/gatekeeper.fc b/policy/modules/contrib/gatekeeper.fc
new file mode 100644
index 00000000..d6ef0255
--- /dev/null
+++ b/policy/modules/contrib/gatekeeper.fc
@@ -0,0 +1,8 @@
+/etc/gatekeeper\.ini -- gen_context(system_u:object_r:gatekeeper_etc_t,s0)
+
+/usr/sbin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+/usr/sbin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+
+/var/log/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_log_t,s0)
+/var/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
+/var/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
diff --git a/policy/modules/contrib/gatekeeper.if b/policy/modules/contrib/gatekeeper.if
new file mode 100644
index 00000000..311cb061
--- /dev/null
+++ b/policy/modules/contrib/gatekeeper.if
@@ -0,0 +1 @@
+## <summary>OpenH.323 Voice-Over-IP Gatekeeper</summary>
diff --git a/policy/modules/contrib/gatekeeper.te b/policy/modules/contrib/gatekeeper.te
new file mode 100644
index 00000000..99a94de5
--- /dev/null
+++ b/policy/modules/contrib/gatekeeper.te
@@ -0,0 +1,99 @@
+policy_module(gatekeeper, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type gatekeeper_t;
+type gatekeeper_exec_t;
+init_daemon_domain(gatekeeper_t, gatekeeper_exec_t)
+
+type gatekeeper_etc_t;
+files_config_file(gatekeeper_etc_t)
+
+type gatekeeper_log_t;
+logging_log_file(gatekeeper_log_t)
+
+# for stupid symlinks
+type gatekeeper_tmp_t;
+files_tmp_file(gatekeeper_tmp_t)
+
+type gatekeeper_var_run_t;
+files_pid_file(gatekeeper_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit gatekeeper_t self:capability sys_tty_config;
+allow gatekeeper_t self:process { setsched signal_perms };
+allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
+allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
+allow gatekeeper_t self:udp_socket create_socket_perms;
+
+allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
+allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
+files_search_etc(gatekeeper_t)
+
+manage_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)
+logging_log_filetrans(gatekeeper_t, gatekeeper_log_t, { file dir })
+
+manage_dirs_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t)
+manage_files_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t)
+files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir })
+
+manage_files_pattern(gatekeeper_t, gatekeeper_var_run_t, gatekeeper_var_run_t)
+files_pid_filetrans(gatekeeper_t, gatekeeper_var_run_t, file)
+
+kernel_read_system_state(gatekeeper_t)
+kernel_read_kernel_sysctls(gatekeeper_t)
+
+corecmd_list_bin(gatekeeper_t)
+
+corenet_all_recvfrom_unlabeled(gatekeeper_t)
+corenet_all_recvfrom_netlabel(gatekeeper_t)
+corenet_tcp_sendrecv_generic_if(gatekeeper_t)
+corenet_udp_sendrecv_generic_if(gatekeeper_t)
+corenet_tcp_sendrecv_generic_node(gatekeeper_t)
+corenet_udp_sendrecv_generic_node(gatekeeper_t)
+corenet_tcp_sendrecv_all_ports(gatekeeper_t)
+corenet_udp_sendrecv_all_ports(gatekeeper_t)
+corenet_tcp_bind_generic_node(gatekeeper_t)
+corenet_udp_bind_generic_node(gatekeeper_t)
+corenet_tcp_bind_gatekeeper_port(gatekeeper_t)
+corenet_udp_bind_gatekeeper_port(gatekeeper_t)
+corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t)
+
+dev_read_sysfs(gatekeeper_t)
+# for SSP
+dev_read_urand(gatekeeper_t)
+
+domain_use_interactive_fds(gatekeeper_t)
+
+files_read_etc_files(gatekeeper_t)
+
+fs_getattr_all_fs(gatekeeper_t)
+fs_search_auto_mountpoints(gatekeeper_t)
+
+logging_send_syslog_msg(gatekeeper_t)
+
+miscfiles_read_localization(gatekeeper_t)
+
+sysnet_read_config(gatekeeper_t)
+
+userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
+userdom_dontaudit_search_user_home_dirs(gatekeeper_t)
+
+optional_policy(`
+ nis_use_ypbind(gatekeeper_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(gatekeeper_t)
+')
+
+optional_policy(`
+ udev_read_db(gatekeeper_t)
+')
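Review bot: The declaration comment `# for stupid symlinks` above `gatekeeper_tmp_t` says nothing a maintainer can act on; it should state what is actually being labeled, e.g. `# gnugk creates symlinks and scratch files under /tmp at runtime`, hedged as needed since the symlink target is not visible here. In the local policy section, `allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };` spells out a permission set by hand where the rest of the file uses the shared sets; `allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms;` keeps it consistent with the `read_file_perms` line directly below it. The `# for SSP` comment on `dev_read_urand` would also be clearer as `# stack-smashing protection seeds its canary from /dev/urandom`.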
diff --git a/policy/modules/contrib/gift.fc b/policy/modules/contrib/gift.fc
new file mode 100644
index 00000000..df7ced4b
--- /dev/null
+++ b/policy/modules/contrib/gift.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0)
+
+/usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0)
+/usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0)
+/usr/(local/)?bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0)
+/usr/(local/)?bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0)
diff --git a/policy/modules/contrib/gift.if b/policy/modules/contrib/gift.if
new file mode 100644
index 00000000..c9b90d3a
--- /dev/null
+++ b/policy/modules/contrib/gift.if
@@ -0,0 +1,42 @@
+## <summary>giFT peer to peer file sharing tool</summary>
+
+############################################################
+## <summary>
+## Role access for gift
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`gift_role',`
+ gen_require(`
+ type gift_t, gift_exec_t;
+ type giftd_t, giftd_exec_t;
+ type gift_home_t;
+ ')
+
+ role $1 types { gift_t giftd_t };
+
+ # transition from user domain
+ domtrans_pattern($2, gift_exec_t, gift_t)
+ domtrans_pattern($2, giftd_exec_t, giftd_t)
+
+ # user managed content
+ manage_dirs_pattern($2, gift_home_t, gift_home_t)
+ manage_files_pattern($2, gift_home_t, gift_home_t)
+ manage_lnk_files_pattern($2, gift_home_t, gift_home_t)
+ relabel_dirs_pattern($2, gift_home_t, gift_home_t)
+ relabel_files_pattern($2, gift_home_t, gift_home_t)
+ relabel_lnk_files_pattern($2, gift_home_t, gift_home_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, { gift_t giftd_t })
+ allow $2 { gift_t giftd_t }:process signal_perms;
+')
diff --git a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
new file mode 100644
index 00000000..49753439
--- /dev/null
+++ b/policy/modules/contrib/gift.te
@@ -0,0 +1,144 @@
+policy_module(gift, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type gift_t;
+type gift_exec_t;
+typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t };
+typealias gift_t alias { auditadm_gift_t secadm_gift_t };
+userdom_user_application_domain(gift_t, gift_exec_t)
+
+type gift_home_t;
+typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
+typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
+userdom_user_home_content(gift_home_t)
+
+type gift_tmpfs_t;
+typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t };
+typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t };
+userdom_user_tmpfs_file(gift_tmpfs_t)
+
+type giftd_t;
+type giftd_exec_t;
+typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t };
+typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t };
+userdom_user_application_domain(giftd_t, giftd_exec_t)
+
+##############################
+#
+# giFT user interface local policy
+#
+
+allow gift_t self:tcp_socket create_socket_perms;
+
+manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(gift_t, gift_home_t, gift_home_t)
+manage_files_pattern(gift_t, gift_home_t, gift_home_t)
+manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t)
+userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir)
+
+# Launch gift daemon
+domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
+
+# Read /proc/meminfo
+kernel_read_system_state(gift_t)
+
+# Connect to gift daemon
+corenet_all_recvfrom_unlabeled(gift_t)
+corenet_all_recvfrom_netlabel(gift_t)
+corenet_tcp_sendrecv_generic_if(gift_t)
+corenet_tcp_sendrecv_generic_node(gift_t)
+corenet_tcp_sendrecv_giftd_port(gift_t)
+corenet_tcp_connect_giftd_port(gift_t)
+corenet_sendrecv_giftd_client_packets(gift_t)
+
+fs_search_auto_mountpoints(gift_t)
+
+sysnet_read_config(gift_t)
+
+# giftui looks in .icons, .themes.
+userdom_dontaudit_read_user_home_content_files(gift_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gift_t)
+ fs_manage_nfs_files(gift_t)
+ fs_manage_nfs_symlinks(gift_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gift_t)
+ fs_manage_cifs_files(gift_t)
+ fs_manage_cifs_symlinks(gift_t)
+')
+
+optional_policy(`
+ nscd_socket_use(gift_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
+')
+
+##############################
+#
+# giFT server local policy
+#
+
+allow giftd_t self:process { signal setsched };
+allow giftd_t self:unix_stream_socket create_socket_perms;
+allow giftd_t self:tcp_socket create_stream_socket_perms;
+allow giftd_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t)
+manage_files_pattern(giftd_t, gift_home_t, gift_home_t)
+manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t)
+userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir)
+
+kernel_read_system_state(giftd_t)
+kernel_read_kernel_sysctls(giftd_t)
+
+# Serve content on various p2p networks. Ports can be random.
+corenet_all_recvfrom_unlabeled(giftd_t)
+corenet_all_recvfrom_netlabel(giftd_t)
+corenet_tcp_sendrecv_generic_if(giftd_t)
+corenet_udp_sendrecv_generic_if(giftd_t)
+corenet_tcp_sendrecv_generic_node(giftd_t)
+corenet_udp_sendrecv_generic_node(giftd_t)
+corenet_tcp_sendrecv_all_ports(giftd_t)
+corenet_udp_sendrecv_all_ports(giftd_t)
+corenet_tcp_bind_generic_node(giftd_t)
+corenet_udp_bind_generic_node(giftd_t)
+corenet_tcp_bind_all_ports(giftd_t)
+corenet_udp_bind_all_ports(giftd_t)
+corenet_tcp_connect_all_ports(giftd_t)
+corenet_sendrecv_all_client_packets(giftd_t)
+
+files_read_usr_files(giftd_t)
+# Read /etc/mtab
+files_read_etc_runtime_files(giftd_t)
+
+miscfiles_read_localization(giftd_t)
+
+sysnet_read_config(giftd_t)
+
+userdom_use_user_terminals(giftd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(giftd_t)
+ fs_manage_nfs_files(giftd_t)
+ fs_manage_nfs_symlinks(giftd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(giftd_t)
+ fs_manage_cifs_files(giftd_t)
+ fs_manage_cifs_symlinks(giftd_t)
+')
diff --git a/policy/modules/contrib/git.fc b/policy/modules/contrib/git.fc
new file mode 100644
index 00000000..13e72a7a
--- /dev/null
+++ b/policy/modules/contrib/git.fc
@@ -0,0 +1,11 @@
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
+
+/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+
+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/contrib/git.if b/policy/modules/contrib/git.if
new file mode 100644
index 00000000..b0242d92
--- /dev/null
+++ b/policy/modules/contrib/git.if
@@ -0,0 +1,50 @@
+## <summary>GIT revision control system.</summary>
+
+########################################
+## <summary>
+## Role access for Git session.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+template(`git_role',`
+ gen_require(`
+ type git_session_t, gitd_exec_t, git_user_content_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ role $1 types git_session_t;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ manage_dirs_pattern($2, git_user_content_t, git_user_content_t)
+ relabel_dirs_pattern($2, git_user_content_t, git_user_content_t)
+
+ exec_files_pattern($2, git_user_content_t, git_user_content_t)
+ manage_files_pattern($2, git_user_content_t, git_user_content_t)
+ relabel_files_pattern($2, git_user_content_t, git_user_content_t)
+
+ allow $2 git_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, git_session_t)
+
+ tunable_policy(`git_session_users',`
+ domtrans_pattern($2, gitd_exec_t, git_session_t)
+ ',`
+ can_exec($2, gitd_exec_t)
+ ')
+')
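Review bot: The `allow $2 git_session_t:process { ptrace signal_perms };` line grants the calling user domain ptrace over the session daemon, which lets it inspect and alter git_session_t's memory and so weakens the separation the dedicated domain is meant to provide; it is not obvious from the template why ptrace rather than `signal_perms` alone is needed. If ptrace is only required for debugging, consider reducing the line to `allow $2 git_session_t:process signal_perms;`, and if it is required, add a comment stating the use case so the broad grant is not removed later by accident. The `## <summary>` for the template could also mention that when `git_session_users` is off the daemon runs in the caller's own domain via `can_exec`, since that fallback is easy to miss.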
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
new file mode 100644
index 00000000..58c3c61a
--- /dev/null
+++ b/policy/modules/contrib/git.te
@@ -0,0 +1,226 @@
+policy_module(git, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether Git CGI
+## can search home directories.
+## </p>
+## </desc>
+gen_tunable(git_cgi_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Determine whether Git CGI
+## can access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(git_cgi_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether Git CGI
+## can access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(git_cgi_use_nfs, false)
+
+## <desc>
+## <p>
+## Determine whether calling user domains
+## can execute Git daemon in the
+## git_session_t domain.
+## </p>
+## </desc>
+gen_tunable(git_session_users, false)
+
+## <desc>
+## <p>
+## Determine whether Git session daemons
+## can send syslog messages.
+## </p>
+## </desc>
+gen_tunable(git_session_send_syslog_msg, false)
+
+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can search home directories.
+## </p>
+## </desc>
+gen_tunable(git_system_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_nfs, false)
+
+attribute git_daemon;
+
+apache_content_template(git)
+
+type git_system_t, git_daemon;
+type gitd_exec_t;
+inetd_service_domain(git_system_t, gitd_exec_t)
+
+type git_session_t, git_daemon;
+userdom_user_application_domain(git_session_t, gitd_exec_t)
+
+type git_sys_content_t;
+files_type(git_sys_content_t)
+
+type git_user_content_t;
+userdom_user_home_content(git_user_content_t)
+
+########################################
+#
+# Git session policy
+#
+
+allow git_session_t self:tcp_socket { accept listen };
+
+list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
+userdom_search_user_home_dirs(git_session_t)
+
+corenet_all_recvfrom_netlabel(git_session_t)
+corenet_all_recvfrom_unlabeled(git_session_t)
+corenet_tcp_bind_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_if(git_session_t)
+corenet_tcp_sendrecv_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_port(git_session_t)
+corenet_tcp_bind_git_port(git_session_t)
+corenet_tcp_sendrecv_git_port(git_session_t)
+corenet_sendrecv_git_server_packets(git_session_t)
+
+userdom_use_user_terminals(git_session_t)
+
+tunable_policy(`git_session_send_syslog_msg',`
+ logging_send_syslog_msg(git_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(git_session_t)
+',`
+ fs_dontaudit_read_nfs_files(git_session_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(git_session_t)
+',`
+ fs_dontaudit_read_cifs_files(git_session_t)
+')
+
+########################################
+#
+# Git system policy
+#
+
+list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+files_search_var_lib(git_system_t)
+
+logging_send_syslog_msg(git_system_t)
+
+tunable_policy(`git_system_enable_homedirs',`
+ userdom_search_user_home_dirs(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(git_system_t)
+',`
+ fs_dontaudit_read_nfs_files(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(git_system_t)
+',`
+ fs_dontaudit_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_cifs',`
+ fs_read_cifs_files(git_system_t)
+',`
+ fs_dontaudit_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_nfs',`
+ fs_read_nfs_files(git_system_t)
+',`
+ fs_dontaudit_read_nfs_files(git_system_t)
+')
+
+########################################
+#
+# Git CGI policy
+#
+
+list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+files_search_var_lib(httpd_git_script_t)
+
+files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+
+auth_use_nsswitch(httpd_git_script_t)
+
+tunable_policy(`git_cgi_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_nfs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_cifs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_use_cifs',`
+ fs_read_cifs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_cifs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_use_nfs',`
+ fs_read_nfs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_nfs_files(httpd_git_script_t)
+')
+
+########################################
+#
+# Git global policy
+#
+
+allow git_daemon self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(git_daemon)
+
+corecmd_exec_bin(git_daemon)
+
+files_read_usr_files(git_daemon)
+
+fs_search_auto_mountpoints(git_daemon)
+
+auth_use_nsswitch(git_daemon)
+
+miscfiles_read_localization(git_daemon)
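Review bot: The `git_cgi_enable_homedirs` tunable only gates `userdom_search_user_home_dirs(httpd_git_script_t)`, while the read and list rules on `git_user_content_t` for `httpd_git_script_t` a few lines earlier are unconditional, so the CGI domain can read user repositories whenever it can reach them by some other path; the tunable's `<desc>` ("can search home directories") is accurate but readers may assume it gates content access. A one-line comment above the `list_dirs_pattern(httpd_git_script_t, ...)` rule, such as `# Read access to user repos is unconditional; git_cgi_enable_homedirs only controls traversal of home directories.`, would make the boolean's scope explicit. The same applies to `git_system_enable_homedirs` for `git_system_t`, whose read rules on `git_sys_content_t` are likewise unconditional.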
diff --git a/policy/modules/contrib/gitosis.fc b/policy/modules/contrib/gitosis.fc
new file mode 100644
index 00000000..24f64418
--- /dev/null
+++ b/policy/modules/contrib/gitosis.fc
@@ -0,0 +1,9 @@
+ifdef(`distro_debian',`
+/srv/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+')
+
+/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+/var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff --git a/policy/modules/contrib/gitosis.if b/policy/modules/contrib/gitosis.if
new file mode 100644
index 00000000..e898b911
--- /dev/null
+++ b/policy/modules/contrib/gitosis.if
@@ -0,0 +1,86 @@
+## <summary>Tools for managing and hosting git repositories.</summary>
+
+#######################################
+## <summary>
+## Execute a domain transition to run gitosis.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gitosis_domtrans',`
+ gen_require(`
+ type gitosis_t, gitosis_exec_t;
+ ')
+
+ domtrans_pattern($1, gitosis_exec_t, gitosis_t)
+')
+
+#######################################
+## <summary>
+## Execute gitosis-serve in the gitosis domain, and
+## allow the specified role the gitosis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_run',`
+ gen_require(`
+ type gitosis_t;
+ ')
+
+ gitosis_domtrans($1)
+ role $2 types gitosis_t;
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to read
+## gitosis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_read_lib_files',`
+ gen_require(`
+ type gitosis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to manage
+## gitosis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_manage_lib_files',`
+ gen_require(`
+ type gitosis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
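Review bot: `gitosis_domtrans` performs the transition on `gitosis_exec_t` without granting the caller search on the bin directory, unlike `glance_domtrans_api` and `glance_domtrans_registry` in this commit, which pair `corecmd_search_bin($1)` with `domtrans_pattern`; since gitosis.fc labels `/usr/bin/gitosis-serve` and `/usr/bin/gl-auth-command`, a caller that does not already have bin_t search will fail before the transition. Suggest adding `corecmd_search_bin($1)` before the `domtrans_pattern($1, gitosis_exec_t, gitosis_t)` line, matching the glance interfaces.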
diff --git a/policy/modules/contrib/gitosis.te b/policy/modules/contrib/gitosis.te
new file mode 100644
index 00000000..0eb75f41
--- /dev/null
+++ b/policy/modules/contrib/gitosis.te
@@ -0,0 +1,41 @@
+policy_module(gitosis, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type gitosis_t;
+type gitosis_exec_t;
+application_domain(gitosis_t, gitosis_exec_t)
+role system_r types gitosis_t;
+
+type gitosis_var_lib_t;
+files_type(gitosis_var_lib_t)
+
+########################################
+#
+# gitosis local policy
+#
+
+allow gitosis_t self:fifo_file rw_fifo_file_perms;
+
+exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_lnk_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+
+kernel_read_system_state(gitosis_t)
+
+corecmd_exec_bin(gitosis_t)
+corecmd_exec_shell(gitosis_t)
+
+dev_read_urand(gitosis_t)
+
+files_read_etc_files(gitosis_t)
+files_read_usr_files(gitosis_t)
+files_search_var_lib(gitosis_t)
+
+miscfiles_read_localization(gitosis_t)
+
+sysnet_read_config(gitosis_t)
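Review bot: `gitosis_t` both manages and executes `gitosis_var_lib_t` (`exec_files_pattern` plus `manage_files_pattern` on the same type) and also gets `corecmd_exec_shell`, so anything the domain can write under /var/lib/gitosis it can also run; this is presumably needed for repository hook scripts, but the .te gives no hint, and the combination is exactly what a reviewer auditing write-and-execute grants would want justified. Suggest a comment above the `exec_files_pattern` line, e.g. `# hooks stored alongside the repositories are executed by gitosis/gitolite`, confirming the intent. The `role system_r types gitosis_t;` line would also benefit from noting which system domain is expected to transition into it, since no domtrans caller is visible in this module.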
diff --git a/policy/modules/contrib/glance.fc b/policy/modules/contrib/glance.fc
new file mode 100644
index 00000000..ed3528d2
--- /dev/null
+++ b/policy/modules/contrib/glance.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
+
+/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
+
+/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0)
+/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0)
+
+/var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0)
+
+/var/log/glance(/.*)? gen_context(system_u:object_r:glance_log_t,s0)
+
+/var/run/glance(/.*)? gen_context(system_u:object_r:glance_var_run_t,s0)
diff --git a/policy/modules/contrib/glance.if b/policy/modules/contrib/glance.if
new file mode 100644
index 00000000..7ff9d6d9
--- /dev/null
+++ b/policy/modules/contrib/glance.if
@@ -0,0 +1,261 @@
+## <summary>policy for glance</summary>
+
+########################################
+## <summary>
+## Transition to glance registry.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`glance_domtrans_registry',`
+ gen_require(`
+ type glance_registry_t, glance_registry_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glance_registry_exec_t, glance_registry_t)
+')
+
+########################################
+## <summary>
+## Transition to glance api.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`glance_domtrans_api',`
+ gen_require(`
+ type glance_api_t, glance_api_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glance_api_exec_t, glance_api_t)
+')
+
+########################################
+## <summary>
+## Read glance's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glance_read_log',`
+ gen_require(`
+ type glance_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, glance_log_t, glance_log_t)
+')
+
+########################################
+## <summary>
+## Append to glance log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_append_log',`
+ gen_require(`
+ type glance_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, glance_log_t, glance_log_t)
+')
+
+########################################
+## <summary>
+## Manage glance log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_log',`
+ gen_require(`
+ type glance_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, glance_log_t, glance_log_t)
+ manage_files_pattern($1, glance_log_t, glance_log_t)
+ manage_lnk_files_pattern($1, glance_log_t, glance_log_t)
+')
+
+########################################
+## <summary>
+## Search glance lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_search_lib',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ allow $1 glance_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read glance lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_read_lib_files',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage glance lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_lib_files',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage glance lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_lib_dirs',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, glance_var_lib_t, glance_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read glance PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_read_pid_files',`
+ gen_require(`
+ type glance_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, glance_var_run_t, glance_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage glance PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_pid_files',`
+ gen_require(`
+ type glance_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, glance_var_run_t, glance_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an glance environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glance_admin',`
+ gen_require(`
+ type glance_registry_t, glance_api_t, glance_log_t;
+ type glance_var_lib_t, glance_var_run_t;
+ type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
+ ')
+
+ allow $1 glance_registry_t:process signal_perms;
+ ps_process_pattern($1, glance_registry_t)
+
+ allow $1 glance_api_t:process signal_perms;
+ ps_process_pattern($1, glance_api_t)
+
+ init_labeled_script_domtrans($1, glance_registry_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 glance_registry_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ init_labeled_script_domtrans($1, glance_api_initrc_exec_t)
+ role_transition $2 glance_api_initrc_exec_t system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, glance_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, glance_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, glance_var_run_t)
+')
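Review bot: The module summary `## <summary>policy for glance</summary>` does not say what glance is, even though glance.fc in this commit labels `openstack-glance-api` and `openstack-glance-registry`; the interface-file summary is what the generated documentation shows, so something like `## <summary>OpenStack Glance image service.</summary>` would be more useful. In `glance_admin` the summary reads "an glance environment", which should be "a glance environment", and the sentence lacks a terminating period like the other summaries in the file.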
diff --git a/policy/modules/contrib/glance.te b/policy/modules/contrib/glance.te
new file mode 100644
index 00000000..4afb81fe
--- /dev/null
+++ b/policy/modules/contrib/glance.te
@@ -0,0 +1,104 @@
+policy_module(glance, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute glance_domain;
+
+type glance_registry_t, glance_domain;
+type glance_registry_exec_t;
+init_daemon_domain(glance_registry_t, glance_registry_exec_t)
+
+type glance_registry_initrc_exec_t;
+init_script_file(glance_registry_initrc_exec_t)
+
+type glance_registry_tmp_t;
+files_tmp_file(glance_registry_tmp_t)
+
+type glance_api_t, glance_domain;
+type glance_api_exec_t;
+init_daemon_domain(glance_api_t, glance_api_exec_t)
+
+type glance_api_initrc_exec_t;
+init_script_file(glance_api_initrc_exec_t)
+
+type glance_log_t;
+logging_log_file(glance_log_t)
+
+type glance_var_lib_t;
+files_type(glance_var_lib_t)
+
+type glance_tmp_t;
+files_tmp_file(glance_tmp_t)
+
+type glance_var_run_t;
+files_pid_file(glance_var_run_t)
+
+#######################################
+#
+# glance general domain local policy
+#
+
+allow glance_domain self:fifo_file rw_fifo_file_perms;
+allow glance_domain self:unix_stream_socket create_stream_socket_perms;
+allow glance_domain self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(glance_domain, glance_log_t, glance_log_t)
+manage_files_pattern(glance_domain, glance_log_t, glance_log_t)
+
+manage_dirs_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+
+manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
+manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
+
+kernel_read_system_state(glance_domain)
+
+corecmd_exec_bin(glance_domain)
+
+dev_read_urand(glance_domain)
+
+files_read_etc_files(glance_domain)
+files_read_usr_files(glance_domain)
+
+miscfiles_read_localization(glance_domain)
+
+optional_policy(`
+ sysnet_dns_name_resolve(glance_domain)
+')
+
+########################################
+#
+# glance-registry local policy
+#
+
+manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
+manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
+files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
+
+corenet_tcp_bind_generic_node(glance_registry_t)
+corenet_tcp_bind_glance_registry_port(glance_registry_t)
+
+########################################
+#
+# glance-api local policy
+#
+
+manage_dirs_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
+can_exec(glance_api_t, glance_tmp_t)
+
+corecmd_exec_shell(glance_api_t)
+
+corenet_tcp_bind_generic_node(glance_api_t)
+corenet_tcp_bind_hplip_port(glance_api_t)
+corenet_tcp_connect_glance_registry_port(glance_api_t)
+
+dev_read_urand(glance_api_t)
+
+fs_getattr_xattr_fs(glance_api_t)
+
+libs_exec_ldconfig(glance_api_t)
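Review bot: `dev_read_urand(glance_api_t)` in the glance-api section is redundant, because `glance_api_t` carries the `glance_domain` attribute and `dev_read_urand(glance_domain)` is already granted in the general section above; the duplicate line can be dropped. Separately, `corenet_tcp_bind_hplip_port(glance_api_t)` has glance-api binding a port type named for a printing subsystem, presumably because the API's default listening port falls inside the range labeled hplip_port_t; that should at least be explained in a comment such as `# glance-api default port is labeled hplip_port_t; no dedicated port type exists yet`, and ideally replaced by a dedicated glance api port type alongside the existing glance_registry port so the two services are not indistinguishable from HPLIP at the port level.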
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
new file mode 100644
index 00000000..00a19e3c
--- /dev/null
+++ b/policy/modules/contrib/gnome.fc
@@ -0,0 +1,9 @@
+HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+
+/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+
+/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
+
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
new file mode 100644
index 00000000..f5afe78d
--- /dev/null
+++ b/policy/modules/contrib/gnome.if
@@ -0,0 +1,190 @@
+## <summary>GNU network object model environment (GNOME)</summary>
+
+############################################################
+## <summary>
+## Role access for gnome
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`gnome_role',`
+ gen_require(`
+ type gconfd_t, gconfd_exec_t;
+ type gconf_tmp_t;
+ ')
+
+ role $1 types gconfd_t;
+
+ domain_auto_trans($2, gconfd_exec_t, gconfd_t)
+ allow gconfd_t $2:fd use;
+ allow gconfd_t $2:fifo_file write;
+ allow gconfd_t $2:unix_stream_socket connectto;
+
+ ps_process_pattern($2, gconfd_t)
+
+ #gnome_stream_connect_gconf_template($1, $2)
+ read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
+ allow $2 gconfd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Execute gconf programs in
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
+ ')
+
+ can_exec($1, gconfd_exec_t)
+')
+
+########################################
+## <summary>
+## Read gconf config files.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`gnome_read_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete gconf config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## gconf connection template.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect_gconf',`
+ gen_require(`
+ type gconfd_t, gconf_tmp_t;
+ ')
+
+ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+ allow $1 gconfd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Run gconfd in gconfd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_domtrans_gconfd',`
+ gen_require(`
+ type gconfd_t, gconfd_exec_t;
+ ')
+
+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+')
+
+########################################
+## <summary>
+## Set attributes of Gnome config dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_setattr_config_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Read gnome homedir content (.config)
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`gnome_read_config',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ list_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ read_files_pattern($1, gnome_home_t, gnome_home_t)
+ read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
+')
+
+########################################
+## <summary>
+## manage gnome homedir content (.config)
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_config',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ allow $1 gnome_home_t:dir manage_dir_perms;
+ allow $1 gnome_home_t:file manage_file_perms;
+ userdom_search_user_home_dirs($1)
+')
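Review bot: `gnome_role` carries a commented-out call `#gnome_stream_connect_gconf_template($1, $2)` followed by the two lines that body of `gnome_stream_connect_gconf` already contains (`read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)` and the `unix_stream_socket connectto` rule); the dead line should be removed and the two rules replaced by `gnome_stream_connect_gconf($2)` so the role interface does not duplicate a sibling interface. Also, `gnome_read_gconf_config` and `gnome_read_config` are declared with `template(` but take only a domain and contain no per-user derivation, and their `<param name="user_domain">` tags do not match the `domain` naming used elsewhere in the file; declaring them as `interface(` with `<param name="domain">` would make the documentation consistent. `gnome_stream_connect_gconf` has the reverse mismatch: its summary says "template" while it is an interface.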
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
new file mode 100644
index 00000000..783c5fbc
--- /dev/null
+++ b/policy/modules/contrib/gnome.te
@@ -0,0 +1,75 @@
+policy_module(gnome, 2.2.0)
+
+##############################
+#
+# Declarations
+#
+
+attribute gnomedomain;
+
+type gconf_etc_t;
+files_config_file(gconf_etc_t)
+
+type gconf_home_t;
+typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
+typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
+typealias gconf_home_t alias unconfined_gconf_home_t;
+userdom_user_home_content(gconf_home_t)
+
+type gconf_tmp_t;
+typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
+typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
+typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
+userdom_user_tmp_file(gconf_tmp_t)
+
+type gconfd_t, gnomedomain;
+type gconfd_exec_t;
+typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
+typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+userdom_user_application_domain(gconfd_t, gconfd_exec_t)
+
+type gnome_home_t;
+typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
+typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
+typealias gnome_home_t alias unconfined_gnome_home_t;
+userdom_user_home_content(gnome_home_t)
+
+##############################
+#
+# Local Policy
+#
+
+allow gconfd_t self:process getsched;
+allow gconfd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
+
+manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+
+dev_read_urand(gconfd_t)
+
+files_read_etc_files(gconfd_t)
+
+miscfiles_read_localization(gconfd_t)
+
+logging_send_syslog_msg(gconfd_t)
+
+userdom_manage_user_tmp_sockets(gconfd_t)
+userdom_manage_user_tmp_dirs(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+
+optional_policy(`
+ nscd_dontaudit_search_pid(gconfd_t)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(gconfd_t)
+ xserver_rw_xdm_pipes(gconfd_t)
+')
diff --git a/policy/modules/contrib/gnomeclock.fc b/policy/modules/contrib/gnomeclock.fc
new file mode 100644
index 00000000..462de63b
--- /dev/null
+++ b/policy/modules/contrib/gnomeclock.fc
@@ -0,0 +1,2 @@
+/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
diff --git a/policy/modules/contrib/gnomeclock.if b/policy/modules/contrib/gnomeclock.if
new file mode 100644
index 00000000..671d8fd2
--- /dev/null
+++ b/policy/modules/contrib/gnomeclock.if
@@ -0,0 +1,65 @@
+## <summary>Gnome clock handler for setting the time.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run gnomeclock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_domtrans',`
+ gen_require(`
+ type gnomeclock_t, gnomeclock_exec_t;
+ ')
+
+ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
+')
+
+########################################
+## <summary>
+## Execute gnomeclock in the gnomeclock domain, and
+## allow the specified role the gnomeclock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_run',`
+ gen_require(`
+ type gnomeclock_t;
+ ')
+
+ gnomeclock_domtrans($1)
+ role $2 types gnomeclock_t;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gnomeclock over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_dbus_chat',`
+ gen_require(`
+ type gnomeclock_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gnomeclock_t:dbus send_msg;
+ allow gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/gnomeclock.te b/policy/modules/contrib/gnomeclock.te
new file mode 100644
index 00000000..4fde46bc
--- /dev/null
+++ b/policy/modules/contrib/gnomeclock.te
@@ -0,0 +1,46 @@
+policy_module(gnomeclock, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gnomeclock_t;
+type gnomeclock_exec_t;
+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+
+########################################
+#
+# gnomeclock local policy
+#
+
+allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
+allow gnomeclock_t self:process { getattr getsched };
+allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_bin(gnomeclock_t)
+
+files_read_etc_files(gnomeclock_t)
+files_read_usr_files(gnomeclock_t)
+
+auth_use_nsswitch(gnomeclock_t)
+
+clock_domtrans(gnomeclock_t)
+
+miscfiles_read_localization(gnomeclock_t)
+miscfiles_manage_localization(gnomeclock_t)
+miscfiles_etc_filetrans_localization(gnomeclock_t)
+
+userdom_read_all_users_state(gnomeclock_t)
+
+optional_policy(`
+ consolekit_dbus_chat(gnomeclock_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(gnomeclock_t)
+ policykit_domtrans_auth(gnomeclock_t)
+ policykit_read_lib(gnomeclock_t)
+ policykit_read_reload(gnomeclock_t)
+')
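Review bot: `allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };` grants CAP_SYS_PTRACE to a time-setting helper, which is a far broader privilege than the `sys_time` the service actually exists for, and nothing in the file says what needs it; it is presumably triggered by `userdom_read_all_users_state(gnomeclock_t)` reading other users' /proc entries, but that should be confirmed rather than assumed. If the capability is only requested incidentally, a `dontaudit gnomeclock_t self:capability sys_ptrace;` is the safer choice; if it is genuinely required, add a comment above the line explaining why so the grant is not silently carried forward.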
diff --git a/policy/modules/contrib/gorg.fc b/policy/modules/contrib/gorg.fc
new file mode 100644
index 00000000..bbf5693a
--- /dev/null
+++ b/policy/modules/contrib/gorg.fc
@@ -0,0 +1,3 @@
+/etc/gorg(/.*)? gen_context(system_u:object_r:gorg_config_t,s0)
+/var/cache/gorg(/.*)? gen_context(system_u:object_r:gorg_cache_t,s0)
+/usr/bin/gorg -- gen_context(system_u:object_r:gorg_exec_t,s0)
diff --git a/policy/modules/contrib/gorg.if b/policy/modules/contrib/gorg.if
new file mode 100644
index 00000000..814d5593
--- /dev/null
+++ b/policy/modules/contrib/gorg.if
@@ -0,0 +1,34 @@
+## <summary>Policy for gorg</summary>
+
+#######################################
+## <summary>
+## Role access for gorg
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`gorg_role',`
+ gen_require(`
+ type gorg_t, gorg_exec_t;
+ ')
+
+ role $1 types gorg_t;
+
+ domain_auto_trans($2, gorg_exec_t, gorg_t)
+ allow $2 gorg_t:process { noatsecure siginh rlimitinh };
+ allow gorg_t $2:fd use;
+ allow gorg_t $2:process { sigchld signull };
+
+ ps_process_pattern($2, gorg_t)
+ allow $2 gorg_t:process signal_perms;
+ # Needed for command-usage (pipe)
+ allow gorg_t $2:fifo_file write;
+')
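Review bot: `gorg_role` spells out the domain transition by hand (`domain_auto_trans($2, gorg_exec_t, gorg_t)` followed by the `noatsecure siginh rlimitinh`, `fd use` and `sigchld signull` rules), whereas the other role interface in this commit, `gpg_role`, uses `domtrans_pattern($2, gorg_exec_t, gorg_t)`, which bundles most of those rules. Using the pattern here keeps the interface consistent with the rest of the tree and shorter; any rule the pattern does not cover can stay as an explicit line with its own comment. The `ps_process_pattern($2, gorg_t)` and `signal_perms` lines would also benefit from a one-line comment like the one on the fifo_file rule, since they grant the caller /proc visibility and signalling of gorg_t.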
diff --git a/policy/modules/contrib/gorg.te b/policy/modules/contrib/gorg.te
new file mode 100644
index 00000000..b0c8ae33
--- /dev/null
+++ b/policy/modules/contrib/gorg.te
@@ -0,0 +1,63 @@
+policy_module(gorg, 1.0.0)
+
+type gorg_t;
+type gorg_exec_t;
+application_domain(gorg_t, gorg_exec_t)
+
+type gorg_cache_t;
+files_type(gorg_cache_t);
+
+type gorg_config_t;
+files_type(gorg_config_t);
+
+###################################
+#
+# gorg_t local policy
+#
+allow gorg_t self:process signal;
+
+# Allow gorg_t to put files in the gorg_cache_t location(s)
+manage_dirs_pattern(gorg_t, gorg_cache_t, gorg_cache_t)
+manage_files_pattern(gorg_t, gorg_cache_t, gorg_cache_t)
+
+# Allow gorg_t to read configuration file(s)
+allow gorg_t gorg_config_t:dir list_dir_perms;
+read_files_pattern(gorg_t, gorg_config_t, gorg_config_t)
+
+# gorg logs through /dev/log
+logging_send_syslog_msg(gorg_t)
+
+# Allow gorg to bind to port 8080 (http_cache_port_t)
+sysnet_read_config(gorg_t)
+sysnet_dns_name_resolve(gorg_t)
+corenet_all_recvfrom_unlabeled(gorg_t)
+corenet_all_recvfrom_netlabel(gorg_t)
+corenet_tcp_sendrecv_generic_if(gorg_t)
+corenet_tcp_sendrecv_generic_node(gorg_t)
+#corenet_tcp_sendrecv_all_ports(gorg_t)
+corenet_tcp_bind_generic_node(gorg_t)
+corenet_tcp_bind_http_cache_port(gorg_t)
+allow gorg_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow gorg_t self:tcp_socket { listen accept };
+
+# Allow gorg read access to user home files (usually where cvs/git pull is stored)
+files_search_home(gorg_t)
+userdom_search_user_home_dirs(gorg_t)
+userdom_user_home_content(gorg_t)
+userdom_list_user_home_content(gorg_t)
+userdom_read_user_home_content_symlinks(gorg_t)
+userdom_read_user_home_content_files(gorg_t)
+
+# Local policy
+allow gorg_t self:fifo_file rw_fifo_file_perms;
+
+# Read /etc files (xml/catalog, hosts.conf, ...)
+files_read_etc_files(gorg_t)
+miscfiles_read_localization(gorg_t)
+
+# Gorg is ruby, so be able to execute ruby
+corecmd_exec_bin(gorg_t)
+
+# Output to screen
+userdom_use_user_terminals(gorg_t)
+domain_use_interactive_fds(gorg_t)
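Review bot: `userdom_user_home_content(gorg_t)` in the home-files block looks wrong: elsewhere in this commit that interface is applied to a file type to declare it as user home content (gpg.te's `userdom_user_home_content(gpg_secret_t)`), whereas here its argument is the process domain gorg_t, so it presumably either fails to build or marks the domain type as a home-content file type rather than granting the read access the comment describes. The surrounding `userdom_search_user_home_dirs`, `userdom_list_user_home_content` and `userdom_read_user_home_content_*` calls already cover the stated intent, so the line should most likely be dropped. Two smaller points: `files_type(gorg_cache_t);` and `files_type(gorg_config_t);` carry trailing semicolons that no other interface call in the commit uses (compare gpm.te's `files_type(gpm_conf_t)`), and the commented-out `#corenet_tcp_sendrecv_all_ports(gorg_t)` is dead code that should be removed or explained.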
diff --git a/policy/modules/contrib/gpg.fc b/policy/modules/contrib/gpg.fc
new file mode 100644
index 00000000..8617d55b
--- /dev/null
+++ b/policy/modules/contrib/gpg.fc
@@ -0,0 +1,11 @@
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+
+/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
+
+/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
new file mode 100644
index 00000000..6d50300c
--- /dev/null
+++ b/policy/modules/contrib/gpg.if
@@ -0,0 +1,181 @@
+## <summary>Policy for GNU Privacy Guard and related programs.</summary>
+
+############################################################
+## <summary>
+## Role access for gpg
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`gpg_role',`
+ gen_require(`
+ type gpg_t, gpg_exec_t;
+ type gpg_agent_t, gpg_agent_exec_t;
+ type gpg_agent_tmp_t;
+ type gpg_helper_t, gpg_pinentry_t;
+ type gpg_pinentry_tmp_t;
+ ')
+
+ role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };
+
+ # transition from the userdomain to the derived domain
+ domtrans_pattern($2, gpg_exec_t, gpg_t)
+
+ # allow ps to show gpg
+ ps_process_pattern($2, gpg_t)
+ allow $2 gpg_t:process { signull sigstop signal sigkill };
+
+ # communicate with the user
+ allow gpg_helper_t $2:fd use;
+ allow gpg_helper_t $2:fifo_file write;
+
+ # allow ps to show gpg-agent
+ ps_process_pattern($2, gpg_agent_t)
+
+ # Allow the user shell to signal the gpg-agent program.
+ allow $2 gpg_agent_t:process { signal sigkill };
+
+ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+ # Transition from the user domain to the agent domain.
+ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+
+ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+
+ optional_policy(`
+ gpg_pinentry_dbus_chat($2)
+ ')
+
+ ifdef(`hide_broken_symptoms',`
+ #Leaked File Descriptors
+ dontaudit gpg_t $2:socket_class_set { getattr read write };
+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+ dontaudit gpg_agent_t $2:socket_class_set { getattr read write };
+ dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
+ ')
+')
+
+########################################
+## <summary>
+## Transition to a user gpg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gpg_domtrans',`
+ gen_require(`
+ type gpg_t, gpg_exec_t;
+ ')
+
+ domtrans_pattern($1, gpg_exec_t, gpg_t)
+')
+
+########################################
+## <summary>
+## Execute the gpg application without transitioning
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to execute gpg
+## </summary>
+## </param>
+#
+interface(`gpg_exec',`
+ gen_require(`
+ type gpg_exec_t;
+ ')
+
+ can_exec($1, gpg_exec_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to user gpg processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_signal',`
+ gen_require(`
+ type gpg_t;
+ ')
+
+ allow $1 gpg_t:process signal;
+')
+
+########################################
+## <summary>
+## Read and write GPG agent pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_rw_agent_pipes',`
+ # Just wants read/write could this be a leak?
+ gen_require(`
+ type gpg_agent_t;
+ ')
+
+ allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send messages to and from GPG
+## Pinentry over DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_pinentry_dbus_chat',`
+ gen_require(`
+ type gpg_pinentry_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gpg_pinentry_t:dbus send_msg;
+ allow gpg_pinentry_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## List Gnu Privacy Guard user secrets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_list_user_secrets',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
+ userdom_search_user_home_dirs($1)
+')
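Review bot: `files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })` inside `gpg_role` does not reference either interface parameter — it is a rule about gpg_agent_t itself, and the identical call already appears in gpg.te's agent section — so it is re-emitted for every role that calls the interface and belongs only in the .te file. Separately, the comment `# Just wants read/write could this be a leak?` in `gpg_rw_agent_pipes` records an open question rather than a decision; it should either be resolved or rewritten as an explicit note, e.g. `# NOTE: callers only need rw on the agent pipes; review whether this indicates a leaked fd`. The interface itself only grants `rw_fifo_file_perms`, so its scope is narrow.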
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
new file mode 100644
index 00000000..8a2bd802
--- /dev/null
+++ b/policy/modules/contrib/gpg.te
@@ -0,0 +1,358 @@
+policy_module(gpg, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow usage of the gpg-agent --write-env-file option.
+## This also allows gpg-agent to manage user files.
+## </p>
+## </desc>
+gen_tunable(gpg_agent_env_file, false)
+
+type gpg_t;
+type gpg_exec_t;
+typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
+typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
+userdom_user_application_domain(gpg_t, gpg_exec_t)
+role system_r types gpg_t;
+
+type gpg_agent_t;
+type gpg_agent_exec_t;
+typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
+typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
+userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
+
+type gpg_agent_tmp_t;
+typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
+typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
+userdom_user_tmp_file(gpg_agent_tmp_t)
+
+type gpg_secret_t;
+typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
+typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
+userdom_user_home_content(gpg_secret_t)
+
+type gpg_helper_t;
+type gpg_helper_exec_t;
+typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
+typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
+userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t)
+role system_r types gpg_helper_t;
+
+type gpg_pinentry_t;
+type pinentry_exec_t;
+typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
+typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
+userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t)
+
+type gpg_pinentry_tmp_t;
+userdom_user_tmp_file(gpg_pinentry_tmp_t)
+
+type gpg_pinentry_tmpfs_t;
+userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
+
+########################################
+#
+# GPG local policy
+#
+
+allow gpg_t self:capability { ipc_lock setuid };
+# setrlimit is for ulimit -c 0
+allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };
+
+allow gpg_t self:fifo_file rw_fifo_file_perms;
+allow gpg_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
+
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
+# transition from the gpg domain to the helper domain
+domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+
+allow gpg_t gpg_secret_t:dir create_dir_perms;
+manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+
+kernel_read_sysctl(gpg_t)
+
+corecmd_exec_shell(gpg_t)
+corecmd_exec_bin(gpg_t)
+
+corenet_all_recvfrom_unlabeled(gpg_t)
+corenet_all_recvfrom_netlabel(gpg_t)
+corenet_tcp_sendrecv_generic_if(gpg_t)
+corenet_udp_sendrecv_generic_if(gpg_t)
+corenet_tcp_sendrecv_generic_node(gpg_t)
+corenet_udp_sendrecv_generic_node(gpg_t)
+corenet_tcp_sendrecv_all_ports(gpg_t)
+corenet_udp_sendrecv_all_ports(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_sendrecv_all_client_packets(gpg_t)
+
+dev_read_rand(gpg_t)
+dev_read_urand(gpg_t)
+dev_read_generic_usb_dev(gpg_t)
+
+fs_getattr_xattr_fs(gpg_t)
+fs_list_inotifyfs(gpg_t)
+
+domain_use_interactive_fds(gpg_t)
+
+files_read_etc_files(gpg_t)
+files_read_usr_files(gpg_t)
+files_dontaudit_search_var(gpg_t)
+
+auth_use_nsswitch(gpg_t)
+
+logging_send_syslog_msg(gpg_t)
+
+miscfiles_read_localization(gpg_t)
+
+userdom_use_user_terminals(gpg_t)
+# sign/encrypt user files
+userdom_manage_user_tmp_files(gpg_t)
+userdom_manage_user_home_content_files(gpg_t)
+userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+
+mta_write_config(gpg_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gpg_t)
+ fs_manage_nfs_files(gpg_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gpg_t)
+ fs_manage_cifs_files(gpg_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(gpg_t)
+ mozilla_write_user_home_files(gpg_t)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(gpg_t)
+ xserver_rw_xdm_pipes(gpg_t)
+')
+
+optional_policy(`
+ cron_system_entry(gpg_t, gpg_exec_t)
+ cron_read_system_job_tmp_files(gpg_t)
+')
+
+########################################
+#
+# GPG helper local policy
+#
+
+allow gpg_helper_t self:process { getsched setsched };
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the
+# mail interface you will likely need additional permissions.
+
+allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
+
+dontaudit gpg_helper_t gpg_secret_t:file read;
+
+corenet_all_recvfrom_unlabeled(gpg_helper_t)
+corenet_all_recvfrom_netlabel(gpg_helper_t)
+corenet_tcp_sendrecv_generic_if(gpg_helper_t)
+corenet_raw_sendrecv_generic_if(gpg_helper_t)
+corenet_udp_sendrecv_generic_if(gpg_helper_t)
+corenet_tcp_sendrecv_generic_node(gpg_helper_t)
+corenet_udp_sendrecv_generic_node(gpg_helper_t)
+corenet_raw_sendrecv_generic_node(gpg_helper_t)
+corenet_tcp_sendrecv_all_ports(gpg_helper_t)
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
+corenet_tcp_bind_generic_node(gpg_helper_t)
+corenet_udp_bind_generic_node(gpg_helper_t)
+corenet_tcp_connect_all_ports(gpg_helper_t)
+
+files_read_etc_files(gpg_helper_t)
+
+auth_use_nsswitch(gpg_helper_t)
+
+userdom_use_user_terminals(gpg_helper_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(gpg_helper_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_rw_cifs_files(gpg_helper_t)
+')
+
+########################################
+#
+# GPG agent local policy
+#
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow gpg_agent_t self:process setrlimit;
+
+allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+
+# Allow the gpg-agent to manage its tmp files (socket)
+manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+# allow gpg to connect to the gpg agent
+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+
+corecmd_read_bin_symlinks(gpg_agent_t)
+corecmd_search_bin(gpg_agent_t)
+corecmd_exec_shell(gpg_agent_t)
+
+dev_read_urand(gpg_agent_t)
+
+domain_use_interactive_fds(gpg_agent_t)
+
+fs_dontaudit_list_inotifyfs(gpg_agent_t)
+
+miscfiles_read_localization(gpg_agent_t)
+
+# Write to the user domain tty.
+userdom_use_user_terminals(gpg_agent_t)
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+userdom_search_user_home_dirs(gpg_agent_t)
+
+ifdef(`hide_broken_symptoms',`
+ userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
+')
+
+tunable_policy(`gpg_agent_env_file',`
+ # write ~/.gpg-agent-info or a similar to the users home dir
+ # or subdir (gpg-agent --write-env-file option)
+ #
+ userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
+ userdom_manage_user_home_content_dirs(gpg_agent_t)
+ userdom_manage_user_home_content_files(gpg_agent_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gpg_agent_t)
+ fs_manage_nfs_files(gpg_agent_t)
+ fs_manage_nfs_symlinks(gpg_agent_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gpg_agent_t)
+ fs_manage_cifs_files(gpg_agent_t)
+ fs_manage_cifs_symlinks(gpg_agent_t)
+')
+
+optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
+')
+
+##############################
+#
+# Pinentry local policy
+#
+
+allow gpg_pinentry_t self:process { getcap getsched setsched signal };
+allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
+allow gpg_pinentry_t self:shm create_shm_perms;
+allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
+allow gpg_pinentry_t self:unix_dgram_socket sendto;
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+
+can_exec(gpg_pinentry_t, pinentry_exec_t)
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase
+# from the user.
+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+
+manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
+
+manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+
+# read /proc/meminfo
+kernel_read_system_state(gpg_pinentry_t)
+
+corecmd_exec_bin(gpg_pinentry_t)
+
+corenet_all_recvfrom_netlabel(gpg_pinentry_t)
+corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
+corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
+corenet_tcp_bind_generic_node(gpg_pinentry_t)
+corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
+
+dev_read_urand(gpg_pinentry_t)
+dev_read_rand(gpg_pinentry_t)
+
+files_read_usr_files(gpg_pinentry_t)
+# read /etc/X11/qtrc
+files_read_etc_files(gpg_pinentry_t)
+
+fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
+fs_getattr_tmpfs(gpg_pinentry_t)
+
+auth_use_nsswitch(gpg_pinentry_t)
+
+logging_send_syslog_msg(gpg_pinentry_t)
+
+miscfiles_read_fonts(gpg_pinentry_t)
+miscfiles_read_localization(gpg_pinentry_t)
+
+# for .Xauthority
+userdom_read_user_home_content_files(gpg_pinentry_t)
+userdom_read_user_tmpfs_files(gpg_pinentry_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(gpg_pinentry_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(gpg_pinentry_t)
+ dbus_system_bus_client(gpg_pinentry_t)
+')
+
+optional_policy(`
+ mutt_read_home_files(gpg_t)
+ mutt_read_tmp_files(gpg_t)
+ mutt_rw_tmp_files(gpg_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(gpg_pinentry_t)
+ pulseaudio_rw_home_files(gpg_pinentry_t)
+ pulseaudio_setattr_home_dir(gpg_pinentry_t)
+ pulseaudio_stream_connect(gpg_pinentry_t)
+ pulseaudio_signull(gpg_pinentry_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
+')
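Review bot: The `optional_policy` block containing `mutt_read_home_files(gpg_t)`, `mutt_read_tmp_files(gpg_t)` and `mutt_rw_tmp_files(gpg_t)` sits under the "Pinentry local policy" heading although every rule in it is for gpg_t; it should move up to the "GPG local policy" section beside the other gpg_t optional_policy blocks so the section headings stay truthful. `stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)` in the agent section has the same placement issue, though its comment makes the subject clear. The `_all_ports` network lines for gpg_t, in particular `corenet_tcp_connect_all_ports(gpg_t)`, carry no comment; a one-liner naming the use (presumably keyserver access, as the helper section documents) would help a reader assessing that grant. Cosmetic: `allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;` has a stray space before the semicolon.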
diff --git a/policy/modules/contrib/gpm.fc b/policy/modules/contrib/gpm.fc
new file mode 100644
index 00000000..6fc9661e
--- /dev/null
+++ b/policy/modules/contrib/gpm.fc
@@ -0,0 +1,7 @@
+
+/dev/gpmctl -s gen_context(system_u:object_r:gpmctl_t,s0)
+/dev/gpmdata -p gen_context(system_u:object_r:gpmctl_t,s0)
+
+/etc/gpm(/.*)? gen_context(system_u:object_r:gpm_conf_t,s0)
+
+/usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
diff --git a/policy/modules/contrib/gpm.if b/policy/modules/contrib/gpm.if
new file mode 100644
index 00000000..7d972985
--- /dev/null
+++ b/policy/modules/contrib/gpm.if
@@ -0,0 +1,81 @@
+## <summary>General Purpose Mouse driver</summary>
+
+########################################
+## <summary>
+## Connect to GPM over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpm_stream_connect',`
+ gen_require(`
+ type gpmctl_t, gpm_t;
+ ')
+
+ allow $1 gpmctl_t:sock_file rw_sock_file_perms;
+ allow $1 gpm_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Get the attributes of the GPM
+## control channel named socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpm_getattr_gpmctl',`
+ gen_require(`
+ type gpmctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 gpmctl_t:sock_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of the GPM control channel
+## named socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gpm_dontaudit_getattr_gpmctl',`
+ gen_require(`
+ type gpmctl_t;
+ ')
+
+ dontaudit $1 gpmctl_t:sock_file getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of the GPM
+## control channel named socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpm_setattr_gpmctl',`
+ gen_require(`
+ type gpmctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 gpmctl_t:sock_file setattr;
+')
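Review bot: `gpm_getattr_gpmctl` and `gpm_setattr_gpmctl` both call `dev_list_all_dev_nodes($1)`, which grants the caller listing of every node under /dev, while their summaries only mention the attributes of the GPM control socket. Either the summaries should state that /dev listing is granted as well, or a comment above each call should say why it is needed, e.g. `# listing /dev is needed to reach the gpmctl socket`. The dontaudit variant omits the call, which is consistent with its narrower purpose.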
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
new file mode 100644
index 00000000..a627b345
--- /dev/null
+++ b/policy/modules/contrib/gpm.te
@@ -0,0 +1,79 @@
+policy_module(gpm, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type gpm_t;
+type gpm_exec_t;
+init_daemon_domain(gpm_t, gpm_exec_t)
+
+type gpm_conf_t;
+files_type(gpm_conf_t)
+
+type gpm_tmp_t;
+files_tmp_file(gpm_tmp_t)
+
+type gpm_var_run_t;
+files_pid_file(gpm_var_run_t)
+
+type gpmctl_t;
+files_type(gpmctl_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };
+allow gpm_t self:process { getcap setcap };
+allow gpm_t self:unix_stream_socket create_stream_socket_perms;
+
+allow gpm_t gpm_conf_t:dir list_dir_perms;
+read_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)
+read_lnk_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)
+
+manage_dirs_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
+manage_files_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
+files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
+
+allow gpm_t gpm_var_run_t:file manage_file_perms;
+files_pid_filetrans(gpm_t, gpm_var_run_t, file)
+
+allow gpm_t gpmctl_t:sock_file manage_sock_file_perms;
+allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms;
+dev_filetrans(gpm_t, gpmctl_t, { sock_file fifo_file })
+
+kernel_read_kernel_sysctls(gpm_t)
+kernel_list_proc(gpm_t)
+kernel_read_proc_symlinks(gpm_t)
+
+dev_read_sysfs(gpm_t)
+# Access the mouse.
+dev_rw_input_dev(gpm_t)
+dev_rw_mouse(gpm_t)
+
+files_read_etc_files(gpm_t)
+
+fs_getattr_all_fs(gpm_t)
+fs_search_auto_mountpoints(gpm_t)
+
+term_use_unallocated_ttys(gpm_t)
+
+domain_use_interactive_fds(gpm_t)
+
+logging_send_syslog_msg(gpm_t)
+
+miscfiles_read_localization(gpm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(gpm_t)
+userdom_dontaudit_search_user_home_dirs(gpm_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(gpm_t)
+')
+
+optional_policy(`
+ udev_read_db(gpm_t)
+')
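Review bot: The capability rule `allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };` at the start of the local policy section grants dac_override and sys_admin without explanation; both are broad, and a maintainer cannot tell from the hunk which operation needs them. A why-comment on each, in the style the file already uses for `dev_rw_mouse` (`# Access the mouse.`), would make later tightening possible, e.g. `# sys_admin/dac_override: TODO document the operation that needs these`. The `setpcap` grant pairs with the following `{ getcap setcap }` process rule, which suggests the daemon drops capabilities after start; that is worth stating in the same place.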
diff --git a/policy/modules/contrib/gpsd.fc b/policy/modules/contrib/gpsd.fc
new file mode 100644
index 00000000..5e81e334
--- /dev/null
+++ b/policy/modules/contrib/gpsd.fc
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
+
+/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
+
+/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0)
+/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0)
diff --git a/policy/modules/contrib/gpsd.if b/policy/modules/contrib/gpsd.if
new file mode 100644
index 00000000..c0ee676e
--- /dev/null
+++ b/policy/modules/contrib/gpsd.if
@@ -0,0 +1,66 @@
+## <summary>gpsd monitor daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run gpsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gpsd_domtrans',`
+ gen_require(`
+ type gpsd_t, gpsd_exec_t;
+ ')
+
+ domtrans_pattern($1, gpsd_exec_t, gpsd_t)
+')
+
+########################################
+## <summary>
+## Execute gpsd in the gpsd domain, and
+## allow the specified role the gpsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`gpsd_run',`
+ gen_require(`
+ type gpsd_t;
+ ')
+
+ gpsd_domtrans($1)
+ role $2 types gpsd_t;
+')
+
+########################################
+## <summary>
+## Read and write gpsd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpsd_rw_shm',`
+ gen_require(`
+ type gpsd_t, gpsd_tmpfs_t;
+ ')
+
+ allow $1 gpsd_t:shm rw_shm_perms;
+ allow $1 gpsd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
new file mode 100644
index 00000000..03742d88
--- /dev/null
+++ b/policy/modules/contrib/gpsd.te
@@ -0,0 +1,64 @@
+policy_module(gpsd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type gpsd_t;
+type gpsd_exec_t;
+application_domain(gpsd_t, gpsd_exec_t)
+init_daemon_domain(gpsd_t, gpsd_exec_t)
+
+type gpsd_initrc_exec_t;
+init_script_file(gpsd_initrc_exec_t)
+
+type gpsd_tmpfs_t;
+files_tmpfs_file(gpsd_tmpfs_t)
+
+type gpsd_var_run_t;
+files_pid_file(gpsd_var_run_t)
+
+########################################
+#
+# gpsd local policy
+#
+
+allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
+allow gpsd_t self:process setsched;
+allow gpsd_t self:shm create_shm_perms;
+allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow gpsd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
+
+manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
+
+corenet_all_recvfrom_unlabeled(gpsd_t)
+corenet_all_recvfrom_netlabel(gpsd_t)
+corenet_tcp_sendrecv_generic_if(gpsd_t)
+corenet_tcp_sendrecv_generic_node(gpsd_t)
+corenet_tcp_sendrecv_all_ports(gpsd_t)
+corenet_tcp_bind_all_nodes(gpsd_t)
+corenet_tcp_bind_gpsd_port(gpsd_t)
+
+term_use_unallocated_ttys(gpsd_t)
+term_setattr_unallocated_ttys(gpsd_t)
+
+auth_use_nsswitch(gpsd_t)
+
+logging_send_syslog_msg(gpsd_t)
+
+miscfiles_read_localization(gpsd_t)
+
+optional_policy(`
+ dbus_system_bus_client(gpsd_t)
+')
+
+optional_policy(`
+ ntp_rw_shm(gpsd_t)
+')
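Review bot: gpsd_t is declared with both `application_domain(gpsd_t, gpsd_exec_t)` and `init_daemon_domain(gpsd_t, gpsd_exec_t)`, which differs from the other daemons in this commit (gpm.te and gnomeclock.te each use a single declaring interface) and is not commented. If the intent is that gpsd is started both by init and directly by users — the `gpsd_run` interface in gpsd.if suggests the latter — a one-line comment above the pair saying so would stop the next reader from treating the duplication as an error. Otherwise one of the two declarations should go.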
diff --git a/policy/modules/contrib/guest.fc b/policy/modules/contrib/guest.fc
new file mode 100644
index 00000000..601a7b02
--- /dev/null
+++ b/policy/modules/contrib/guest.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/contrib/guest.if b/policy/modules/contrib/guest.if
new file mode 100644
index 00000000..8906a329
--- /dev/null
+++ b/policy/modules/contrib/guest.if
@@ -0,0 +1,50 @@
+## <summary>Least privledge terminal user role</summary>
+
+########################################
+## <summary>
+## Change to the guest role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`guest_role_change',`
+ gen_require(`
+ role guest_r;
+ ')
+
+ allow $1 guest_r;
+')
+
+########################################
+## <summary>
+## Change from the guest role.
+## </summary>
+## <desc>
+## <p>
+## Change from the guest role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`guest_role_change_to',`
+ gen_require(`
+ role guest_r;
+ ')
+
+ allow guest_r $1;
+')
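Review bot: The module summary `## <summary>Least privledge terminal user role</summary>` at the top of the hunk misspells "privilege"; this text feeds the generated interface documentation, so it should read `## <summary>Least privilege terminal user role</summary>`. The `guest_role_change_to` description usefully states that the interface exists for third-party modules and is not used upstream; a matching one-line note on `guest_role_change` saying when it is expected to be called would keep the two in step.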
diff --git a/policy/modules/contrib/guest.te b/policy/modules/contrib/guest.te
new file mode 100644
index 00000000..1cb73118
--- /dev/null
+++ b/policy/modules/contrib/guest.te
@@ -0,0 +1,17 @@
+policy_module(guest, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+role guest_r;
+
+userdom_restricted_user_template(guest)
+
+########################################
+#
+# Local policy
+#
+
+#gen_user(guest_u,, guest_r, s0, s0)
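Review bot: The "Local policy" section consists only of the commented-out `#gen_user(guest_u,, guest_r, s0, s0)`, which is dead code with no explanation; a reader cannot tell whether the user is declared elsewhere or whether the module is unfinished. Either remove the line or replace it with a comment stating where guest_u comes from, e.g. `# guest_u is declared in the users/seusers configuration, not in this module`. Where the user is actually declared cannot be confirmed from this hunk, though the guest.fc comment deferring file contexts to userdomain and genhomedircon suggests the declaration is deliberately external.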
diff --git a/policy/modules/contrib/hadoop.fc b/policy/modules/contrib/hadoop.fc
new file mode 100644
index 00000000..633c4701
--- /dev/null
+++ b/policy/modules/contrib/hadoop.fc
@@ -0,0 +1,59 @@
+/etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)
+
+/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
+
+/etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
+
+/etc/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0)
+/etc/zookeeper\.dist(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0)
+
+/usr/lib/hadoop.*/bin/hadoop -- gen_context(system_u:object_r:hadoop_exec_t,s0)
+
+/usr/bin/zookeeper-client -- gen_context(system_u:object_r:zookeeper_exec_t,s0)
+/usr/bin/zookeeper-server -- gen_context(system_u:object_r:zookeeper_server_exec_t,s0)
+
+/var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
+
+/var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
+/var/lock/subsys/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_lock_t,s0)
+/var/lock/subsys/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_lock_t,s0)
+/var/lock/subsys/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_lock_t,s0)
+/var/lock/subsys/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_lock_t,s0)
+
+/var/log/hadoop.* gen_context(system_u:object_r:hadoop_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-datanode(-.*)? gen_context(system_u:object_r:hadoop_datanode_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-jobtracker(-.*)? gen_context(system_u:object_r:hadoop_jobtracker_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-namenode(-.*)? gen_context(system_u:object_r:hadoop_namenode_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-secondarynamenode(-.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-tasktracker(-.*)? gen_context(system_u:object_r:hadoop_tasktracker_log_t,s0)
+/var/log/hadoop.*/history(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_log_t,s0)
+/var/log/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_log_t,s0)
+
+/var/run/hadoop.* -d gen_context(system_u:object_r:hadoop_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-datanode\.pid -- gen_context(system_u:object_r:hadoop_datanode_initrc_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-jobtracker\.pid -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-namenode\.pid -- gen_context(system_u:object_r:hadoop_namenode_initrc_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-secondarynamenode\.pid -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-tasktracker\.pid -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_var_run_t,s0)
+
+/var/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
new file mode 100644
index 00000000..2d0b4e1a
--- /dev/null
+++ b/policy/modules/contrib/hadoop.if
@@ -0,0 +1,534 @@
+## <summary>Software for reliable, scalable, distributed computing.</summary>
+
+#######################################
+## <summary>
+## The template to define a hadoop domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`hadoop_domain_template',`
+ gen_require(`
+ attribute hadoop_domain;
+ type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t;
+ type hadoop_exec_t, hadoop_hsperfdata_t;
+ ')
+
+ ########################################
+ #
+ # Shared declarations.
+ #
+
+ type hadoop_$1_t, hadoop_domain;
+ domain_type(hadoop_$1_t)
+ domain_entry_file(hadoop_$1_t, hadoop_exec_t)
+ role system_r types hadoop_$1_t;
+
+ type hadoop_$1_initrc_t;
+ type hadoop_$1_initrc_exec_t;
+ init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)
+ role system_r types hadoop_$1_initrc_t;
+
+ type hadoop_$1_initrc_var_run_t;
+ files_pid_file(hadoop_$1_initrc_var_run_t)
+
+ type hadoop_$1_lock_t;
+ files_lock_file(hadoop_$1_lock_t)
+
+ type hadoop_$1_log_t;
+ logging_log_file(hadoop_$1_log_t)
+
+ type hadoop_$1_tmp_t;
+ files_tmp_file(hadoop_$1_tmp_t)
+
+ type hadoop_$1_var_lib_t;
+ files_type(hadoop_$1_var_lib_t)
+
+ ####################################
+ #
+ # Shared hadoop_$1 policy.
+ #
+
+ allow hadoop_$1_t self:capability { chown kill setgid setuid };
+ allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
+ allow hadoop_$1_t self:key search;
+ allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
+ allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
+ allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
+ allow hadoop_$1_t self:udp_socket create_socket_perms;
+ dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
+
+ allow hadoop_$1_t hadoop_domain:process signull;
+
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
+ logging_search_logs(hadoop_$1_t)
+
+ manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
+ files_search_var_lib(hadoop_$1_t)
+
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+ files_search_pids(hadoop_$1_t)
+
+ allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
+ files_tmp_filetrans(hadoop_$1_t, hadoop_hsperfdata_t, dir)
+
+ kernel_read_kernel_sysctls(hadoop_$1_t)
+ kernel_read_sysctl(hadoop_$1_t)
+ kernel_read_network_state(hadoop_$1_t)
+ kernel_read_system_state(hadoop_$1_t)
+
+ corecmd_exec_bin(hadoop_$1_t)
+ corecmd_exec_shell(hadoop_$1_t)
+
+ corenet_all_recvfrom_unlabeled(hadoop_$1_t)
+ corenet_all_recvfrom_netlabel(hadoop_$1_t)
+ corenet_tcp_bind_all_nodes(hadoop_$1_t)
+ corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
+ corenet_udp_sendrecv_generic_if(hadoop_$1_t)
+ corenet_tcp_sendrecv_generic_node(hadoop_$1_t)
+ corenet_udp_sendrecv_generic_node(hadoop_$1_t)
+ corenet_tcp_sendrecv_all_ports(hadoop_$1_t)
+ corenet_udp_bind_generic_node(hadoop_$1_t)
+ # Hadoop uses high ordered random ports for services
+ # If permanent ports are chosen, remove line below and lock down
+ corenet_tcp_connect_generic_port(hadoop_$1_t)
+
+ dev_read_rand(hadoop_$1_t)
+ dev_read_urand(hadoop_$1_t)
+ dev_read_sysfs(hadoop_$1_t)
+
+ files_read_etc_files(hadoop_$1_t)
+
+ auth_domtrans_chkpwd(hadoop_$1_t)
+
+ hadoop_match_lan_spd(hadoop_$1_t)
+
+ init_read_utmp(hadoop_$1_t)
+ init_use_fds(hadoop_$1_t)
+ init_use_script_fds(hadoop_$1_t)
+ init_use_script_ptys(hadoop_$1_t)
+
+ logging_send_audit_msgs(hadoop_$1_t)
+ logging_send_syslog_msg(hadoop_$1_t)
+
+ miscfiles_read_localization(hadoop_$1_t)
+
+ sysnet_read_config(hadoop_$1_t)
+
+ hadoop_exec_config(hadoop_$1_t)
+
+ java_exec(hadoop_$1_t)
+
+ kerberos_use(hadoop_$1_t)
+
+ su_exec(hadoop_$1_t)
+
+ optional_policy(`
+ nscd_socket_use(hadoop_$1_t)
+ ')
+
+ ####################################
+ #
+ # Shared hadoop_$1 initrc policy.
+ #
+
+ allow hadoop_$1_initrc_t self:capability { setuid setgid };
+ dontaudit hadoop_$1_initrc_t self:capability sys_tty_config;
+ allow hadoop_$1_initrc_t self:process setsched;
+ allow hadoop_$1_initrc_t self:fifo_file rw_fifo_file_perms;
+
+ allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull };
+
+ domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)
+
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t)
+ files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file)
+ files_search_locks(hadoop_$1_initrc_t)
+
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+ filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+ files_search_pids(hadoop_$1_initrc_t)
+
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t)
+ filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
+ logging_search_logs(hadoop_$1_initrc_t)
+
+ manage_dirs_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)
+
+ kernel_read_kernel_sysctls(hadoop_$1_initrc_t)
+ kernel_read_sysctl(hadoop_$1_initrc_t)
+ kernel_read_system_state(hadoop_$1_initrc_t)
+
+ corecmd_exec_bin(hadoop_$1_initrc_t)
+ corecmd_exec_shell(hadoop_$1_initrc_t)
+
+ files_read_etc_files(hadoop_$1_initrc_t)
+ files_read_usr_files(hadoop_$1_initrc_t)
+
+ consoletype_exec(hadoop_$1_initrc_t)
+
+ fs_getattr_xattr_fs(hadoop_$1_initrc_t)
+ fs_search_cgroup_dirs(hadoop_$1_initrc_t)
+
+ term_use_generic_ptys(hadoop_$1_initrc_t)
+
+ hadoop_exec_config(hadoop_$1_initrc_t)
+
+ init_rw_utmp(hadoop_$1_initrc_t)
+ init_use_fds(hadoop_$1_initrc_t)
+ init_use_script_ptys(hadoop_$1_initrc_t)
+
+ logging_send_syslog_msg(hadoop_$1_initrc_t)
+ logging_send_audit_msgs(hadoop_$1_initrc_t)
+
+ miscfiles_read_localization(hadoop_$1_initrc_t)
+
+ userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)
+
+ optional_policy(`
+ nscd_socket_use(hadoop_$1_initrc_t)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for hadoop.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hadoop_role',`
+ gen_require(`
+ type hadoop_t;
+ ')
+
+ hadoop_domtrans($2)
+ role $1 types hadoop_t;
+
+ allow $2 hadoop_t:process { ptrace signal_perms };
+ ps_process_pattern($2, hadoop_t)
+
+ hadoop_domtrans_zookeeper_client($2)
+ role $1 types zookeeper_t;
+
+ allow $2 zookeeper_t:process { ptrace signal_perms };
+ ps_process_pattern($2, zookeeper_t)
+')
+
+########################################
+## <summary>
+## Execute hadoop in the
+## hadoop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hadoop_domtrans',`
+ gen_require(`
+ type hadoop_t, hadoop_exec_t;
+ ')
+
+ domtrans_pattern($1, hadoop_exec_t, hadoop_t)
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom',`
+ gen_require(`
+ type hadoop_t;
+ ')
+
+ allow $1 hadoop_t:peer recv;
+')
+
+########################################
+## <summary>
+## Execute zookeeper client in the
+## zookeeper client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hadoop_domtrans_zookeeper_client',`
+ gen_require(`
+ type zookeeper_t, zookeeper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom zookeeper_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_zookeeper_client',`
+ gen_require(`
+ type zookeeper_t;
+ ')
+
+ allow $1 zookeeper_t:peer recv;
+')
+
+########################################
+## <summary>
+## Execute zookeeper server in the
+## zookeeper server domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hadoop_domtrans_zookeeper_server',`
+ gen_require(`
+ type zookeeper_server_t, zookeeper_server_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom zookeeper_server_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_zookeeper_server',`
+ gen_require(`
+ type zookeeper_server_t;
+ ')
+
+ allow $1 zookeeper_server_t:peer recv;
+')
+
+########################################
+## <summary>
+## Execute zookeeper server in the
+## zookeeper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hadoop_initrc_domtrans_zookeeper_server',`
+ gen_require(`
+ type zookeeper_server_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_datanode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_datanode',`
+ gen_require(`
+ type hadoop_datanode_t;
+ ')
+
+ allow $1 hadoop_datanode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to read
+## hadoop_etc_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing read permission
+## </summary>
+## </param>
+#
+interface(`hadoop_read_config',`
+ gen_require(`
+ type hadoop_etc_t;
+ ')
+
+ read_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
+ read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## execute hadoop_etc_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing read and execute
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_exec_config',`
+ gen_require(`
+ type hadoop_etc_t;
+ ')
+
+ hadoop_read_config($1)
+ allow $1 hadoop_etc_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_jobtracker_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_jobtracker',`
+ gen_require(`
+ type hadoop_jobtracker_t;
+ ')
+
+ allow $1 hadoop_jobtracker_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## polmatch on hadoop_lan_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing polmatch
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_match_lan_spd',`
+ gen_require(`
+ type hadoop_lan_t;
+ ')
+
+ allow $1 hadoop_lan_t:association polmatch;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_namenode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_namenode',`
+ gen_require(`
+ type hadoop_namenode_t;
+ ')
+
+ allow $1 hadoop_namenode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_secondarynamenode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_secondarynamenode',`
+ gen_require(`
+ type hadoop_secondarynamenode_t;
+ ')
+
+ allow $1 hadoop_secondarynamenode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_tasktracker_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_tasktracker',`
+ gen_require(`
+ type hadoop_tasktracker_t;
+ ')
+
+ allow $1 hadoop_tasktracker_t:peer recv;
+')
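Review bot: hadoop_role uses zookeeper_t in `role $1 types zookeeper_t;` and the two rules that follow, but its gen_require block only declares hadoop_t, so the interface resolves only because the nested hadoop_domtrans_zookeeper_client call happens to require that type; the dependency should be explicit, `type hadoop_t, zookeeper_t;`. The same interface grants the role's domain `ptrace` over both hadoop_t and zookeeper_t, which lets that domain attach to and read the memory of running hadoop and zookeeper client processes; if the intent is process management only, `signal_perms` together with the ps_process_pattern calls already covers it and ptrace can be dropped. hadoop_exec_config adds `allow $1 hadoop_etc_t:file exec_file_perms;`, so the entire tree labelled hadoop_etc_t in hadoop.fc becomes executable by every domain built from hadoop_domain_template; a one-line comment naming which files under the config directory must be executed (presumably shell scripts sourced by the launcher) would let a later reviewer judge whether those can be moved to a narrower type.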
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
new file mode 100644
index 00000000..c81c58ad
--- /dev/null
+++ b/policy/modules/contrib/hadoop.te
@@ -0,0 +1,435 @@
+policy_module(hadoop, 1.2.0)
+
+########################################
+#
+# Declarations.
+#
+
+attribute hadoop_domain;
+
+type hadoop_t;
+type hadoop_exec_t;
+userdom_user_application_domain(hadoop_t, hadoop_exec_t)
+
+type hadoop_etc_t;
+files_config_file(hadoop_etc_t)
+
+type hadoop_home_t;
+userdom_user_home_content(hadoop_home_t)
+
+type hadoop_lan_t;
+corenet_spd_type(hadoop_lan_t)
+
+type hadoop_log_t;
+logging_log_file(hadoop_log_t)
+
+type hadoop_tmp_t;
+userdom_user_tmp_file(hadoop_tmp_t)
+
+type hadoop_var_lib_t;
+files_type(hadoop_var_lib_t)
+
+type hadoop_var_run_t;
+files_pid_file(hadoop_var_run_t)
+
+type hadoop_hsperfdata_t;
+userdom_user_tmp_file(hadoop_hsperfdata_t)
+
+hadoop_domain_template(datanode)
+hadoop_domain_template(jobtracker)
+hadoop_domain_template(namenode)
+hadoop_domain_template(secondarynamenode)
+hadoop_domain_template(tasktracker)
+
+type zookeeper_t;
+type zookeeper_exec_t;
+userdom_user_application_domain(zookeeper_t, zookeeper_exec_t)
+
+type zookeeper_etc_t;
+files_config_file(zookeeper_etc_t)
+
+type zookeeper_log_t;
+logging_log_file(zookeeper_log_t)
+
+type zookeeper_server_t;
+type zookeeper_server_exec_t;
+init_daemon_domain(zookeeper_server_t, zookeeper_server_exec_t)
+
+type zookeeper_server_initrc_exec_t;
+init_script_file(zookeeper_server_initrc_exec_t)
+
+type zookeeper_server_tmp_t;
+files_tmp_file(zookeeper_server_tmp_t)
+
+type zookeeper_server_var_t;
+files_type(zookeeper_server_var_t)
+
+# This will need a file context specification.
+type zookeeper_server_var_run_t;
+files_pid_file(zookeeper_server_var_run_t)
+
+type zookeeper_tmp_t;
+userdom_user_tmp_file(zookeeper_tmp_t)
+
+########################################
+#
+# Hadoop policy.
+#
+
+allow hadoop_t self:capability sys_resource;
+allow hadoop_t self:process { getsched setsched signal signull setrlimit execmem };
+allow hadoop_t self:fifo_file rw_fifo_file_perms;
+allow hadoop_t self:key write;
+allow hadoop_t self:tcp_socket create_stream_socket_perms;
+allow hadoop_t self:udp_socket create_socket_perms;
+dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow hadoop_t hadoop_domain:process signull;
+
+hadoop_match_lan_spd(hadoop_t)
+allow hadoop_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_t)
+hadoop_recvfrom_jobtracker(hadoop_t)
+hadoop_recvfrom_namenode(hadoop_t)
+hadoop_recvfrom_tasktracker(hadoop_t)
+
+read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
+read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
+can_exec(hadoop_t, hadoop_etc_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })
+
+allow hadoop_t hadoop_hsperfdata_t:dir manage_dir_perms;
+files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
+
+manage_dirs_pattern(hadoop_t, hadoop_log_t, hadoop_log_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_tmp_t, hadoop_tmp_t)
+manage_files_pattern(hadoop_t, hadoop_tmp_t, hadoop_tmp_t)
+filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, { dir file })
+
+manage_dirs_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t)
+manage_files_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t)
+files_search_var_lib(hadoop_t)
+
+getattr_dirs_pattern(hadoop_t, hadoop_var_run_t, hadoop_var_run_t)
+
+kernel_read_network_state(hadoop_t)
+kernel_read_system_state(hadoop_t)
+
+corecmd_exec_bin(hadoop_t)
+corecmd_exec_shell(hadoop_t)
+
+corenet_all_recvfrom_unlabeled(hadoop_t)
+corenet_all_recvfrom_netlabel(hadoop_t)
+corenet_tcp_sendrecv_generic_if(hadoop_t)
+corenet_udp_sendrecv_generic_if(hadoop_t)
+corenet_tcp_sendrecv_generic_node(hadoop_t)
+corenet_udp_sendrecv_generic_node(hadoop_t)
+corenet_tcp_bind_generic_node(hadoop_t)
+corenet_udp_bind_generic_node(hadoop_t)
+corenet_tcp_sendrecv_all_ports(hadoop_t)
+corenet_udp_sendrecv_all_ports(hadoop_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_t)
+corenet_tcp_connect_hadoop_datanode_port(hadoop_t)
+corenet_tcp_connect_portmap_port(hadoop_t)
+corenet_tcp_connect_zope_port(hadoop_t)
+corenet_sendrecv_hadoop_namenode_client_packets(hadoop_t)
+corenet_sendrecv_portmap_client_packets(hadoop_t)
+corenet_sendrecv_zope_client_packets(hadoop_t)
+# Hadoop uses high ordered random ports for services
+# If permanent ports are chosen, remove line below and lock down
+corenet_tcp_connect_generic_port(hadoop_t)
+
+dev_read_rand(hadoop_t)
+dev_read_sysfs(hadoop_t)
+dev_read_urand(hadoop_t)
+
+domain_use_interactive_fds(hadoop_t)
+
+files_dontaudit_search_spool(hadoop_t)
+files_read_etc_files(hadoop_t)
+files_read_usr_files(hadoop_t)
+
+fs_getattr_xattr_fs(hadoop_t)
+
+miscfiles_read_localization(hadoop_t)
+
+sysnet_read_config(hadoop_t)
+
+userdom_use_user_terminals(hadoop_t)
+
+java_exec(hadoop_t)
+
+kerberos_use(hadoop_t)
+
+optional_policy(`
+ nis_use_ypbind(hadoop_t)
+')
+
+optional_policy(`
+ nscd_socket_use(hadoop_t)
+')
+
+########################################
+#
+# Hadoop datanode policy.
+#
+
+allow hadoop_datanode_t self:process signal;
+
+manage_dirs_pattern(hadoop_datanode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_bind_hadoop_datanode_port(hadoop_datanode_t)
+corenet_tcp_connect_hadoop_datanode_port(hadoop_datanode_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
+
+fs_getattr_xattr_fs(hadoop_datanode_t)
+
+allow hadoop_datanode_t self:peer recv;
+hadoop_recvfrom_jobtracker(hadoop_datanode_t)
+hadoop_recvfrom_namenode(hadoop_datanode_t)
+hadoop_recvfrom(hadoop_datanode_t)
+hadoop_recvfrom_tasktracker(hadoop_datanode_t)
+
+########################################
+#
+# Hadoop jobtracker policy.
+#
+
+create_dirs_pattern(hadoop_jobtracker_t, hadoop_jobtracker_log_t, hadoop_jobtracker_log_t)
+setattr_dirs_pattern(hadoop_jobtracker_t, hadoop_jobtracker_log_t, hadoop_jobtracker_log_t)
+
+manage_dirs_pattern(hadoop_jobtracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
+corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
+
+allow hadoop_jobtracker_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_jobtracker_t)
+hadoop_recvfrom_namenode(hadoop_jobtracker_t)
+hadoop_recvfrom(hadoop_jobtracker_t)
+hadoop_recvfrom_tasktracker(hadoop_jobtracker_t)
+
+########################################
+#
+# Hadoop namenode policy.
+#
+
+manage_dirs_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
+
+allow hadoop_namenode_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_namenode_t)
+hadoop_recvfrom_jobtracker(hadoop_namenode_t)
+hadoop_recvfrom(hadoop_namenode_t)
+hadoop_recvfrom_secondarynamenode(hadoop_namenode_t)
+hadoop_recvfrom_tasktracker(hadoop_namenode_t)
+
+########################################
+#
+# Hadoop secondary namenode policy.
+#
+
+manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
+
+allow hadoop_secondarynamenode_t self:peer recv;
+hadoop_recvfrom_namenode(hadoop_secondarynamenode_t)
+
+########################################
+#
+# Hadoop tasktracker policy.
+#
+
+allow hadoop_tasktracker_t self:process signal;
+
+manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t)
+setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
+filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
+
+filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
+manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
+
+manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_connect_hadoop_datanode_port(hadoop_tasktracker_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
+corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
+
+fs_getattr_xattr_fs(hadoop_tasktracker_t)
+
+allow hadoop_tasktracker_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_tasktracker_t)
+hadoop_recvfrom_jobtracker(hadoop_tasktracker_t)
+hadoop_recvfrom(hadoop_tasktracker_t)
+hadoop_recvfrom_namenode(hadoop_tasktracker_t)
+
+########################################
+#
+# Hadoop zookeeper client policy.
+#
+
+allow zookeeper_t self:process { getsched sigkill signal signull execmem };
+allow zookeeper_t self:fifo_file rw_fifo_file_perms;
+allow zookeeper_t self:tcp_socket create_stream_socket_perms;
+allow zookeeper_t self:udp_socket create_socket_perms;
+dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
+
+hadoop_match_lan_spd(zookeeper_t)
+hadoop_recvfrom_zookeeper_server(zookeeper_t)
+
+read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
+read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
+
+can_exec(zookeeper_t, zookeeper_exec_t)
+
+allow zookeeper_t hadoop_hsperfdata_t:dir manage_dir_perms;
+files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
+
+allow zookeeper_t zookeeper_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow zookeeper_t zookeeper_log_t:file { create_file_perms append_file_perms read_file_perms setattr_file_perms };
+append_files_pattern(zookeeper_t, zookeeper_log_t, zookeeper_log_t)
+logging_log_filetrans(zookeeper_t, zookeeper_log_t, file)
+
+allow zookeeper_t zookeeper_server_t:process signull;
+
+manage_files_pattern(zookeeper_t, zookeeper_tmp_t, zookeeper_tmp_t)
+filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)
+
+kernel_read_network_state(zookeeper_t)
+kernel_read_system_state(zookeeper_t)
+
+corecmd_exec_bin(zookeeper_t)
+corecmd_exec_shell(zookeeper_t)
+
+corenet_all_recvfrom_unlabeled(zookeeper_t)
+corenet_all_recvfrom_netlabel(zookeeper_t)
+corenet_tcp_sendrecv_generic_if(zookeeper_t)
+corenet_udp_sendrecv_generic_if(zookeeper_t)
+corenet_tcp_sendrecv_generic_node(zookeeper_t)
+corenet_udp_sendrecv_generic_node(zookeeper_t)
+corenet_tcp_sendrecv_all_ports(zookeeper_t)
+corenet_udp_sendrecv_all_ports(zookeeper_t)
+corenet_tcp_bind_generic_node(zookeeper_t)
+corenet_udp_bind_generic_node(zookeeper_t)
+corenet_tcp_connect_zookeeper_client_port(zookeeper_t)
+corenet_sendrecv_zookeeper_client_client_packets(zookeeper_t)
+# Hadoop uses high ordered random ports for services
+# If permanent ports are chosen, remove line below and lock down
+corenet_tcp_connect_generic_port(zookeeper_t)
+
+dev_read_rand(zookeeper_t)
+dev_read_sysfs(zookeeper_t)
+dev_read_urand(zookeeper_t)
+
+domain_use_interactive_fds(zookeeper_t)
+
+files_read_etc_files(zookeeper_t)
+files_read_usr_files(zookeeper_t)
+
+miscfiles_read_localization(zookeeper_t)
+
+sysnet_read_config(zookeeper_t)
+
+userdom_use_user_terminals(zookeeper_t)
+userdom_dontaudit_search_user_home_dirs(zookeeper_t)
+
+java_exec(zookeeper_t)
+
+optional_policy(`
+ nscd_socket_use(zookeeper_t)
+')
+
+########################################
+#
+# Hadoop zookeeper server policy.
+#
+
+allow zookeeper_server_t self:capability kill;
+allow zookeeper_server_t self:process { execmem getsched sigkill signal signull };
+allow zookeeper_server_t self:fifo_file rw_fifo_file_perms;
+allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
+allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
+allow zookeeper_server_t self:udp_socket create_socket_perms;
+
+hadoop_match_lan_spd(zookeeper_server_t)
+allow zookeeper_server_t self:peer recv;
+hadoop_recvfrom_zookeeper_client(zookeeper_server_t)
+
+allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
+files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
+
+read_files_pattern(zookeeper_server_t, zookeeper_etc_t, zookeeper_etc_t)
+read_lnk_files_pattern(zookeeper_server_t, zookeeper_etc_t, zookeeper_etc_t)
+
+manage_dirs_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_server_var_t)
+manage_files_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_server_var_t)
+files_var_lib_filetrans(zookeeper_server_t, zookeeper_server_var_t, { dir file })
+
+allow zookeeper_server_t zookeeper_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow zookeeper_server_t zookeeper_log_t:file { create_file_perms append_file_perms read_file_perms setattr_file_perms };
+logging_log_filetrans(zookeeper_server_t, zookeeper_log_t, file)
+
+manage_files_pattern(zookeeper_server_t, zookeeper_server_tmp_t, zookeeper_server_tmp_t)
+filetrans_pattern(zookeeper_server_t, hadoop_hsperfdata_t, zookeeper_server_tmp_t, file)
+
+manage_files_pattern(zookeeper_server_t, zookeeper_server_var_run_t, zookeeper_server_var_run_t)
+files_pid_filetrans(zookeeper_server_t, zookeeper_server_var_run_t, file)
+
+can_exec(zookeeper_server_t, zookeeper_server_exec_t)
+
+kernel_read_network_state(zookeeper_server_t)
+kernel_read_system_state(zookeeper_server_t)
+
+corecmd_exec_bin(zookeeper_server_t)
+corecmd_exec_shell(zookeeper_server_t)
+
+corenet_all_recvfrom_unlabeled(zookeeper_server_t)
+corenet_all_recvfrom_netlabel(zookeeper_server_t)
+corenet_tcp_sendrecv_generic_if(zookeeper_server_t)
+corenet_udp_sendrecv_generic_if(zookeeper_server_t)
+corenet_tcp_sendrecv_generic_node(zookeeper_server_t)
+corenet_udp_sendrecv_generic_node(zookeeper_server_t)
+corenet_tcp_sendrecv_all_ports(zookeeper_server_t)
+corenet_udp_sendrecv_all_ports(zookeeper_server_t)
+corenet_tcp_bind_generic_node(zookeeper_server_t)
+corenet_udp_bind_generic_node(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_client_port(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_election_port(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_leader_port(zookeeper_server_t)
+corenet_tcp_connect_zookeeper_election_port(zookeeper_server_t)
+corenet_tcp_connect_zookeeper_leader_port(zookeeper_server_t)
+corenet_sendrecv_zookeeper_election_client_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_leader_client_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_client_server_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_election_server_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_leader_server_packets(zookeeper_server_t)
+# Hadoop uses high ordered random ports for services
+# If permanent ports are chosen, remove line below and lock down
+corenet_tcp_connect_generic_port(zookeeper_server_t)
+
+dev_read_rand(zookeeper_server_t)
+dev_read_sysfs(zookeeper_server_t)
+dev_read_urand(zookeeper_server_t)
+
+files_read_etc_files(zookeeper_server_t)
+files_read_usr_files(zookeeper_server_t)
+
+fs_getattr_xattr_fs(zookeeper_server_t)
+
+logging_send_syslog_msg(zookeeper_server_t)
+
+miscfiles_read_localization(zookeeper_server_t)
+
+sysnet_read_config(zookeeper_server_t)
+
+java_exec(zookeeper_server_t)
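Review bot: The comment above `type zookeeper_server_var_run_t;` says the type still needs a file context specification, and the hadoop.fc added by this same commit indeed has no /var/run entry for zookeeper, so the pid file is labelled only through `files_pid_filetrans(zookeeper_server_t, zookeeper_server_var_run_t, file)` at creation time and a relabel (restorecon or a fresh install) will reset it to the generic pid type. Add the entry to hadoop.fc, e.g. `/var/run/<ZOOKEEPER-PID-PATH> -- gen_context(system_u:object_r:zookeeper_server_var_run_t,s0)` with the path the packaged init script actually writes, and drop the placeholder comment. A smaller inconsistency: zookeeper_server_t gets `allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;` while every other domain in this file only dontaudits that access, so either the server genuinely needs it (worth a comment) or it should be a dontaudit as well. The zope port label on the jobtracker (`corenet_tcp_bind_zope_port(hadoop_jobtracker_t)` and the matching connect rules) is presumably because the jobtracker's IPC port coincides with the port already labelled zope_port_t; a comment saying so would keep the next reader from treating it as a copy-paste error.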
diff --git a/policy/modules/contrib/hal.fc b/policy/modules/contrib/hal.fc
new file mode 100644
index 00000000..2b6e3a97
--- /dev/null
+++ b/policy/modules/contrib/hal.fc
@@ -0,0 +1,33 @@
+
+/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
+/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
+
+/usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0)
+
+/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0)
+/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0)
+/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
+/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
+/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+
+/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
+
+/var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
+
+/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
+
+/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
+/var/log/pm-.*\.log.* gen_context(system_u:object_r:hald_log_t,s0)
+
+/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
+')
diff --git a/policy/modules/contrib/hal.if b/policy/modules/contrib/hal.if
new file mode 100644
index 00000000..7cf67639
--- /dev/null
+++ b/policy/modules/contrib/hal.if
@@ -0,0 +1,433 @@
+## <summary>Hardware abstraction layer</summary>
+
+########################################
+## <summary>
+## Execute hal in the hal domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hal_domtrans',`
+ gen_require(`
+ type hald_t, hald_exec_t;
+ ')
+
+ domtrans_pattern($1, hald_exec_t, hald_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of a hal process.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_getattr',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:process getattr;
+')
+
+########################################
+## <summary>
+## Read hal system state
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_read_state',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ ps_process_pattern($1, hald_t)
+')
+
+########################################
+## <summary>
+## Allow ptrace of hal domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_ptrace',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:process ptrace;
+')
+
+########################################
+## <summary>
+## Allow domain to use file descriptors from hal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_use_fds',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use file descriptors from hal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_use_fds',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:fd use;
+')
+
+########################################
+## <summary>
+## Allow attempts to read and write to
+## hald unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_rw_pipes',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write to
+## hald unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_rw_pipes',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send to hal over a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_dgram_send',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+## Send to hal over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_stream_connect',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Dontaudit read/write to a hal unix datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_rw_dgram_sockets',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:unix_dgram_socket { read write };
+')
+
+########################################
+## <summary>
+## Send a dbus message to hal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_dbus_send',`
+ gen_require(`
+ type hald_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 hald_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## hal over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_dbus_chat',`
+ gen_require(`
+ type hald_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 hald_t:dbus send_msg;
+ allow hald_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute hal mac in the hal mac domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hal_domtrans_mac',`
+ gen_require(`
+ type hald_mac_t, hald_mac_exec_t;
+ ')
+
+ domtrans_pattern($1, hald_mac_exec_t, hald_mac_t)
+')
+
+########################################
+## <summary>
+## Allow attempts to write the hal
+## log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_write_log',`
+ gen_require(`
+ type hald_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 hald_log_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write the hal
+## log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_write_log',`
+ gen_require(`
+ type hald_log_t;
+ ')
+
+ dontaudit $1 hald_log_t:file { append write };
+')
+
+########################################
+## <summary>
+## Manage hald log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_manage_log',`
+ gen_require(`
+ type hald_log_t;
+ ')
+
+ # log files for hald
+ manage_files_pattern($1, hald_log_t, hald_log_t)
+ logging_log_filetrans($1, hald_log_t, file)
+')
+
+########################################
+## <summary>
+## Read hald tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_read_tmp_files',`
+ gen_require(`
+ type hald_tmp_t;
+ ')
+
+ allow $1 hald_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## HAL libraries files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_append_lib_files',`
+ gen_require(`
+ type hald_var_lib_t;
+ ')
+
+ dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms };
+')
+
+########################################
+## <summary>
+## Read hald PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_read_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 hald_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read/Write hald PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_rw_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 hald_var_run_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Manage hald PID dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_manage_pid_dirs',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage hald PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_manage_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
+')
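Review bot: The interface `hal_dontaudit_append_lib_files` silences more than its name says: the rule `dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms };` also suppresses denials for open/read/getattr of hald's /var/lib state, so a caller that only wants append noise hidden also loses visibility of read attempts against that data. Either narrow the rule to `dontaudit $1 hald_var_lib_t:file append_file_perms;` so it matches the name, or keep the permission set and rename it (e.g. `hal_dontaudit_read_append_lib_files`) with a summary that states plainly that read denials are hidden as well. The current summary wording "read or write HAL libraries files" matches neither the name nor the rule, since no write permission is included.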
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
new file mode 100644
index 00000000..e0476cbd
--- /dev/null
+++ b/policy/modules/contrib/hal.te
@@ -0,0 +1,531 @@
+policy_module(hal, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+type hald_t;
+type hald_exec_t;
+init_daemon_domain(hald_t, hald_exec_t)
+
+type hald_acl_t;
+type hald_acl_exec_t;
+domain_type(hald_acl_t)
+domain_entry_file(hald_acl_t, hald_acl_exec_t)
+role system_r types hald_acl_t;
+
+type hald_cache_t;
+files_pid_file(hald_cache_t)
+
+type hald_dccm_t;
+type hald_dccm_exec_t;
+domain_type(hald_dccm_t)
+domain_entry_file(hald_dccm_t, hald_dccm_exec_t)
+role system_r types hald_dccm_t;
+
+type hald_keymap_t;
+type hald_keymap_exec_t;
+domain_type(hald_keymap_t)
+domain_entry_file(hald_keymap_t, hald_keymap_exec_t)
+role system_r types hald_keymap_t;
+
+type hald_log_t;
+logging_log_file(hald_log_t)
+
+type hald_mac_t;
+type hald_mac_exec_t;
+domain_type(hald_mac_t)
+domain_entry_file(hald_mac_t, hald_mac_exec_t)
+role system_r types hald_mac_t;
+
+type hald_sonypic_t;
+type hald_sonypic_exec_t;
+domain_type(hald_sonypic_t)
+domain_entry_file(hald_sonypic_t, hald_sonypic_exec_t)
+role system_r types hald_sonypic_t;
+
+type hald_tmp_t;
+files_tmp_file(hald_tmp_t)
+
+type hald_var_run_t;
+files_pid_file(hald_var_run_t)
+
+type hald_var_lib_t;
+files_type(hald_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+# execute openvt which needs setuid
+allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
+allow hald_t self:process { getsched getattr signal_perms };
+allow hald_t self:fifo_file rw_fifo_file_perms;
+allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow hald_t self:unix_dgram_socket create_socket_perms;
+allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow hald_t self:tcp_socket create_stream_socket_perms;
+allow hald_t self:udp_socket create_socket_perms;
+# For backwards compatibility with older kernels
+allow hald_t self:netlink_socket create_socket_perms;
+
+manage_files_pattern(hald_t, hald_cache_t, hald_cache_t)
+
+# log files for hald
+manage_files_pattern(hald_t, hald_log_t, hald_log_t)
+logging_log_filetrans(hald_t, hald_log_t, file)
+
+manage_dirs_pattern(hald_t, hald_tmp_t, hald_tmp_t)
+manage_files_pattern(hald_t, hald_tmp_t, hald_tmp_t)
+files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
+
+# var/lib files for hald
+manage_dirs_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
+manage_sock_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
+
+manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_t, hald_var_run_t, { dir file })
+
+kernel_read_system_state(hald_t)
+kernel_read_network_state(hald_t)
+kernel_read_software_raid_state(hald_t)
+kernel_rw_kernel_sysctl(hald_t)
+kernel_read_fs_sysctls(hald_t)
+kernel_rw_irq_sysctls(hald_t)
+kernel_rw_vm_sysctls(hald_t)
+kernel_write_proc_files(hald_t)
+kernel_search_network_sysctl(hald_t)
+kernel_setsched(hald_t)
+kernel_request_load_module(hald_t)
+
+auth_read_pam_console_data(hald_t)
+
+corecmd_exec_all_executables(hald_t)
+
+corenet_all_recvfrom_unlabeled(hald_t)
+corenet_all_recvfrom_netlabel(hald_t)
+corenet_tcp_sendrecv_generic_if(hald_t)
+corenet_udp_sendrecv_generic_if(hald_t)
+corenet_tcp_sendrecv_generic_node(hald_t)
+corenet_udp_sendrecv_generic_node(hald_t)
+corenet_tcp_sendrecv_all_ports(hald_t)
+corenet_udp_sendrecv_all_ports(hald_t)
+
+dev_rw_usbfs(hald_t)
+dev_read_rand(hald_t)
+dev_read_urand(hald_t)
+dev_read_input(hald_t)
+dev_read_mouse(hald_t)
+dev_rw_printer(hald_t)
+dev_read_lvm_control(hald_t)
+dev_getattr_all_chr_files(hald_t)
+dev_manage_generic_chr_files(hald_t)
+dev_rw_generic_usb_dev(hald_t)
+dev_setattr_generic_usb_dev(hald_t)
+dev_setattr_usbfs_files(hald_t)
+dev_rw_power_management(hald_t)
+dev_read_raw_memory(hald_t)
+# hal is now execing pm-suspend
+dev_rw_sysfs(hald_t)
+dev_read_video_dev(hald_t)
+
+domain_use_interactive_fds(hald_t)
+domain_read_all_domains_state(hald_t)
+domain_dontaudit_ptrace_all_domains(hald_t)
+
+files_exec_etc_files(hald_t)
+files_read_etc_files(hald_t)
+files_rw_etc_runtime_files(hald_t)
+files_manage_mnt_dirs(hald_t)
+files_manage_mnt_files(hald_t)
+files_manage_mnt_symlinks(hald_t)
+files_search_var_lib(hald_t)
+files_read_usr_files(hald_t)
+# hal is now execing pm-suspend
+files_create_boot_flag(hald_t)
+files_getattr_all_dirs(hald_t)
+files_getattr_all_files(hald_t)
+files_read_kernel_img(hald_t)
+files_rw_lock_dirs(hald_t)
+files_read_generic_pids(hald_t)
+
+fs_getattr_all_fs(hald_t)
+fs_search_all(hald_t)
+fs_list_inotifyfs(hald_t)
+fs_list_auto_mountpoints(hald_t)
+fs_mount_dos_fs(hald_t)
+fs_unmount_dos_fs(hald_t)
+fs_manage_dos_files(hald_t)
+fs_manage_fusefs_dirs(hald_t)
+fs_rw_removable_blk_files(hald_t)
+
+files_getattr_all_mountpoints(hald_t)
+
+mls_file_read_all_levels(hald_t)
+
+selinux_get_fs_mount(hald_t)
+selinux_validate_context(hald_t)
+selinux_compute_access_vector(hald_t)
+selinux_compute_create_context(hald_t)
+selinux_compute_relabel_context(hald_t)
+selinux_compute_user_contexts(hald_t)
+
+storage_raw_read_removable_device(hald_t)
+storage_raw_write_removable_device(hald_t)
+storage_raw_read_fixed_disk(hald_t)
+storage_raw_write_fixed_disk(hald_t)
+
+# hal_probe_serial causes these
+term_setattr_unallocated_ttys(hald_t)
+term_use_unallocated_ttys(hald_t)
+
+auth_use_nsswitch(hald_t)
+
+fstools_getattr_swap_files(hald_t)
+
+init_domtrans_script(hald_t)
+init_read_utmp(hald_t)
+#hal runs shutdown, probably need a shutdown domain
+init_rw_utmp(hald_t)
+init_telinit(hald_t)
+
+libs_exec_ld_so(hald_t)
+libs_exec_lib_files(hald_t)
+
+logging_send_audit_msgs(hald_t)
+logging_send_syslog_msg(hald_t)
+logging_search_logs(hald_t)
+
+miscfiles_read_localization(hald_t)
+miscfiles_read_hwdata(hald_t)
+
+modutils_domtrans_insmod(hald_t)
+modutils_read_module_deps(hald_t)
+
+seutil_read_config(hald_t)
+seutil_read_default_contexts(hald_t)
+seutil_read_file_contexts(hald_t)
+
+sysnet_read_config(hald_t)
+sysnet_domtrans_dhcpc(hald_t)
+sysnet_domtrans_ifconfig(hald_t)
+sysnet_read_dhcp_config(hald_t)
+
+userdom_dontaudit_use_unpriv_user_fds(hald_t)
+userdom_dontaudit_search_user_home_dirs(hald_t)
+
+optional_policy(`
+ alsa_domtrans(hald_t)
+ alsa_read_rw_config(hald_t)
+')
+
+optional_policy(`
+ bootloader_domtrans(hald_t)
+')
+
+optional_policy(`
+ # For /usr/libexec/hald-addon-acpi
+ # writes to /var/run/acpid.socket
+ apm_stream_connect(hald_t)
+')
+
+optional_policy(`
+ bind_search_cache(hald_t)
+')
+
+optional_policy(`
+ bluetooth_domtrans(hald_t)
+')
+
+optional_policy(`
+ clock_domtrans(hald_t)
+')
+
+optional_policy(`
+ cups_domtrans_config(hald_t)
+ cups_signal_config(hald_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(hald_t)
+ dbus_connect_system_bus(hald_t)
+
+ init_dbus_chat_script(hald_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(hald_t)
+ ')
+')
+
+optional_policy(`
+ # For /usr/libexec/hald-probe-smbios
+ dmidecode_domtrans(hald_t)
+')
+
+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(hald_t)
+')
+
+optional_policy(`
+ hotplug_read_config(hald_t)
+')
+
+optional_policy(`
+ lvm_domtrans(hald_t)
+')
+
+optional_policy(`
+ mount_domtrans(hald_t)
+')
+
+optional_policy(`
+ ntp_domtrans(hald_t)
+')
+
+optional_policy(`
+ pcmcia_manage_pid(hald_t)
+ pcmcia_manage_pid_chr_files(hald_t)
+')
+
+optional_policy(`
+ podsleuth_domtrans(hald_t)
+')
+
+optional_policy(`
+ ppp_domtrans(hald_t)
+ ppp_read_rw_config(hald_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(hald_t)
+ policykit_domtrans_auth(hald_t)
+ policykit_domtrans_resolve(hald_t)
+ policykit_read_lib(hald_t)
+ policykit_read_reload(hald_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(hald_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(hald_t)
+')
+
+optional_policy(`
+ udev_domtrans(hald_t)
+ udev_read_db(hald_t)
+')
+
+optional_policy(`
+ usbmuxd_stream_connect(hald_t)
+')
+
+optional_policy(`
+ updfstab_domtrans(hald_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(hald_t)
+')
+
+optional_policy(`
+ virt_manage_images(hald_t)
+')
+
+########################################
+#
+# Hal acl local policy
+#
+
+allow hald_acl_t self:capability { dac_override fowner sys_resource };
+allow hald_acl_t self:process { getattr signal };
+allow hald_acl_t self:fifo_file rw_fifo_file_perms;
+
+domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
+allow hald_t hald_acl_t:process signal;
+allow hald_acl_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_acl_t)
+
+manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
+
+corecmd_exec_bin(hald_acl_t)
+
+dev_getattr_all_chr_files(hald_acl_t)
+dev_setattr_all_chr_files(hald_acl_t)
+dev_getattr_generic_usb_dev(hald_acl_t)
+dev_getattr_video_dev(hald_acl_t)
+dev_setattr_video_dev(hald_acl_t)
+dev_getattr_sound_dev(hald_acl_t)
+dev_setattr_sound_dev(hald_acl_t)
+dev_setattr_generic_usb_dev(hald_acl_t)
+dev_setattr_usbfs_files(hald_acl_t)
+
+files_read_usr_files(hald_acl_t)
+files_read_etc_files(hald_acl_t)
+
+fs_getattr_all_fs(hald_acl_t)
+
+storage_getattr_removable_dev(hald_acl_t)
+storage_setattr_removable_dev(hald_acl_t)
+storage_getattr_fixed_disk_dev(hald_acl_t)
+storage_setattr_fixed_disk_dev(hald_acl_t)
+
+auth_use_nsswitch(hald_acl_t)
+
+logging_send_syslog_msg(hald_acl_t)
+
+miscfiles_read_localization(hald_acl_t)
+
+optional_policy(`
+ policykit_dbus_chat(hald_acl_t)
+ policykit_domtrans_auth(hald_acl_t)
+ policykit_read_lib(hald_acl_t)
+ policykit_read_reload(hald_acl_t)
+')
+
+########################################
+#
+# Local hald mac policy
+#
+
+allow hald_mac_t self:capability { setgid setuid sys_admin };
+
+domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
+allow hald_t hald_mac_t:process signal;
+allow hald_mac_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_mac_t)
+
+write_files_pattern(hald_mac_t, hald_log_t, hald_log_t)
+
+kernel_read_system_state(hald_mac_t)
+
+dev_read_raw_memory(hald_mac_t)
+dev_write_raw_memory(hald_mac_t)
+dev_read_sysfs(hald_mac_t)
+
+files_read_usr_files(hald_mac_t)
+files_read_etc_files(hald_mac_t)
+
+auth_use_nsswitch(hald_mac_t)
+
+logging_send_syslog_msg(hald_mac_t)
+
+miscfiles_read_localization(hald_mac_t)
+
+########################################
+#
+# Local hald sonypic policy
+#
+
+domtrans_pattern(hald_t, hald_sonypic_exec_t, hald_sonypic_t)
+allow hald_t hald_sonypic_t:process signal;
+allow hald_sonypic_t hald_t:unix_stream_socket connectto;
+
+dev_read_video_dev(hald_sonypic_t)
+dev_write_video_dev(hald_sonypic_t)
+
+manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_sonypic_t)
+
+write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)
+
+files_read_usr_files(hald_sonypic_t)
+
+miscfiles_read_localization(hald_sonypic_t)
+
+########################################
+#
+# Hal keymap local policy
+#
+
+domtrans_pattern(hald_t, hald_keymap_exec_t, hald_keymap_t)
+allow hald_t hald_keymap_t:process signal;
+allow hald_keymap_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_keymap_t)
+
+write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
+
+dev_rw_input_dev(hald_keymap_t)
+
+files_read_etc_files(hald_keymap_t)
+files_read_usr_files(hald_keymap_t)
+
+miscfiles_read_localization(hald_keymap_t)
+
+########################################
+#
+# Local hald dccm policy
+#
+
+allow hald_dccm_t self:capability { chown net_bind_service };
+allow hald_dccm_t self:process getsched;
+allow hald_dccm_t self:fifo_file rw_fifo_file_perms;
+allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
+allow hald_dccm_t self:udp_socket create_socket_perms;
+allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
+
+domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t)
+allow hald_t hald_dccm_t:process signal;
+allow hald_dccm_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_dccm_t)
+
+manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file })
+
+manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t)
+files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file)
+
+write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
+
+kernel_search_network_sysctl(hald_dccm_t)
+
+dev_read_urand(hald_dccm_t)
+
+corenet_all_recvfrom_unlabeled(hald_dccm_t)
+corenet_all_recvfrom_netlabel(hald_dccm_t)
+corenet_tcp_sendrecv_generic_if(hald_dccm_t)
+corenet_udp_sendrecv_generic_if(hald_dccm_t)
+corenet_tcp_sendrecv_generic_node(hald_dccm_t)
+corenet_udp_sendrecv_generic_node(hald_dccm_t)
+corenet_tcp_sendrecv_all_ports(hald_dccm_t)
+corenet_udp_sendrecv_all_ports(hald_dccm_t)
+corenet_tcp_bind_generic_node(hald_dccm_t)
+corenet_udp_bind_generic_node(hald_dccm_t)
+corenet_udp_bind_dhcpc_port(hald_dccm_t)
+corenet_tcp_bind_ftp_port(hald_dccm_t)
+corenet_tcp_bind_dccm_port(hald_dccm_t)
+
+logging_send_syslog_msg(hald_dccm_t)
+
+files_read_usr_files(hald_dccm_t)
+
+miscfiles_read_localization(hald_dccm_t)
+
+hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
+
+optional_policy(`
+ dbus_system_bus_client(hald_dccm_t)
+')
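Review bot: `sys_tty_config` is granted in the capability allow for hald_t and then listed again in the dontaudit on the very next line; because the allow already means no denial is ever generated, that dontaudit entry is dead and the line should read `dontaudit hald_t self:capability sys_ptrace;`. The comment above the allow, `# execute openvt which needs setuid`, explains only setuid while the same line also grants sys_rawio, sys_admin, mknod and dac_override, and elsewhere in this hunk hald_t receives corecmd_exec_all_executables, dev_read_raw_memory and storage_raw_write_fixed_disk, so the domain is close to unconfined; a per-capability comment naming the helper that needs each would let a later reviewer trim them rather than guess. Relatedly, hald_mac_t is given dev_write_raw_memory while hal.fc labels /usr/sbin/radeontool as hald_mac_exec_t, so whatever can reach hal_domtrans_mac appears to gain /dev/mem write access — if that is intended, a comment saying so next to the rule would be worth having.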
diff --git a/policy/modules/contrib/hddtemp.fc b/policy/modules/contrib/hddtemp.fc
new file mode 100644
index 00000000..16766123
--- /dev/null
+++ b/policy/modules/contrib/hddtemp.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0)
+
+/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0)
+
+/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
diff --git a/policy/modules/contrib/hddtemp.if b/policy/modules/contrib/hddtemp.if
new file mode 100644
index 00000000..87b45312
--- /dev/null
+++ b/policy/modules/contrib/hddtemp.if
@@ -0,0 +1,77 @@
+## <summary>hddtemp hard disk temperature tool running as a daemon.</summary>
+
+#######################################
+## <summary>
+## Execute a domain transition to run hddtemp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hddtemp_domtrans',`
+ gen_require(`
+ type hddtemp_t, hddtemp_exec_t;
+ ')
+
+ domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
+ corecmd_search_bin($1)
+')
+
+######################################
+## <summary>
+## Execute hddtemp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hddtemp_exec',`
+ gen_require(`
+ type hddtemp_exec_t;
+ ')
+
+ can_exec($1, hddtemp_exec_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an hddtemp environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hddtemp_admin',`
+ gen_require(`
+ type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
+ ')
+
+ allow $1 hddtemp_t:process { ptrace signal_perms };
+ ps_process_pattern($1, hddtemp_t)
+
+ init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 hddtemp_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, hddtemp_etc_t)
+ files_search_etc($1)
+
+ allow $1 hddtemp_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)
+ kernel_search_proc($1)
+')
diff --git a/policy/modules/contrib/hddtemp.te b/policy/modules/contrib/hddtemp.te
new file mode 100644
index 00000000..c234b323
--- /dev/null
+++ b/policy/modules/contrib/hddtemp.te
@@ -0,0 +1,49 @@
+policy_module(hddtemp, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type hddtemp_t;
+type hddtemp_exec_t;
+init_daemon_domain(hddtemp_t, hddtemp_exec_t)
+
+type hddtemp_initrc_exec_t;
+init_script_file(hddtemp_initrc_exec_t)
+
+type hddtemp_etc_t;
+files_config_file(hddtemp_etc_t)
+
+########################################
+#
+# hddtemp local policy
+#
+
+allow hddtemp_t self:capability sys_rawio;
+dontaudit hddtemp_t self:capability sys_admin;
+allow hddtemp_t self:netlink_route_socket r_netlink_socket_perms;
+allow hddtemp_t self:tcp_socket create_stream_socket_perms;
+allow hddtemp_t self:udp_socket create_socket_perms;
+
+allow hddtemp_t hddtemp_etc_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(hddtemp_t)
+corenet_all_recvfrom_netlabel(hddtemp_t)
+corenet_tcp_sendrecv_generic_if(hddtemp_t)
+corenet_tcp_sendrecv_generic_node(hddtemp_t)
+corenet_tcp_bind_generic_node(hddtemp_t)
+corenet_tcp_sendrecv_all_ports(hddtemp_t)
+corenet_tcp_bind_hddtemp_port(hddtemp_t)
+corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
+corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
+
+files_search_etc(hddtemp_t)
+files_read_usr_files(hddtemp_t)
+
+storage_raw_read_fixed_disk(hddtemp_t)
+
+logging_send_syslog_msg(hddtemp_t)
+
+miscfiles_read_localization(hddtemp_t)
+
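Review bot: `allow hddtemp_t self:udp_socket create_socket_perms;` is granted but, unlike the tcp socket which gets a full corenet sendrecv/bind set, no `corenet_udp_*` interface, node or port rules follow it, so either the UDP socket is only opened for interface ioctls (in which case a comment saying so would stop the next maintainer from adding network rules) or the policy is incomplete and will surface as denials at runtime. Since hddtemp_t also holds sys_rawio and storage_raw_read_fixed_disk, keeping its network footprint explicitly minimal deserves a line of justification, e.g. `# udp socket is created but never bound or used for traffic; keep it that way`. Confirm against the daemon's actual behaviour before either trimming or extending it.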
diff --git a/policy/modules/contrib/howl.fc b/policy/modules/contrib/howl.fc
new file mode 100644
index 00000000..faf9146c
--- /dev/null
+++ b/policy/modules/contrib/howl.fc
@@ -0,0 +1,5 @@
+
+/usr/bin/mDNSResponder -- gen_context(system_u:object_r:howl_exec_t,s0)
+/usr/bin/nifd -- gen_context(system_u:object_r:howl_exec_t,s0)
+
+/var/run/nifd\.pid -- gen_context(system_u:object_r:howl_var_run_t,s0)
diff --git a/policy/modules/contrib/howl.if b/policy/modules/contrib/howl.if
new file mode 100644
index 00000000..9164dd26
--- /dev/null
+++ b/policy/modules/contrib/howl.if
@@ -0,0 +1,19 @@
+## <summary>Port of Apple Rendezvous multicast DNS</summary>
+
+########################################
+## <summary>
+## Send generic signals to howl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`howl_signal',`
+ gen_require(`
+ type howl_t;
+ ')
+
+ allow $1 howl_t:process signal;
+')
diff --git a/policy/modules/contrib/howl.te b/policy/modules/contrib/howl.te
new file mode 100644
index 00000000..6ad2d3cb
--- /dev/null
+++ b/policy/modules/contrib/howl.te
@@ -0,0 +1,80 @@
+policy_module(howl, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type howl_t;
+type howl_exec_t;
+init_daemon_domain(howl_t, howl_exec_t)
+
+type howl_var_run_t;
+files_pid_file(howl_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow howl_t self:capability { kill net_admin };
+dontaudit howl_t self:capability sys_tty_config;
+allow howl_t self:process signal_perms;
+allow howl_t self:fifo_file rw_fifo_file_perms;
+allow howl_t self:tcp_socket create_stream_socket_perms;
+allow howl_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(howl_t, howl_var_run_t, howl_var_run_t)
+files_pid_filetrans(howl_t, howl_var_run_t, file)
+
+kernel_read_network_state(howl_t)
+kernel_read_kernel_sysctls(howl_t)
+kernel_request_load_module(howl_t)
+kernel_list_proc(howl_t)
+kernel_read_proc_symlinks(howl_t)
+
+corenet_all_recvfrom_unlabeled(howl_t)
+corenet_all_recvfrom_netlabel(howl_t)
+corenet_tcp_sendrecv_generic_if(howl_t)
+corenet_udp_sendrecv_generic_if(howl_t)
+corenet_tcp_sendrecv_generic_node(howl_t)
+corenet_udp_sendrecv_generic_node(howl_t)
+corenet_tcp_sendrecv_all_ports(howl_t)
+corenet_udp_sendrecv_all_ports(howl_t)
+corenet_tcp_bind_generic_node(howl_t)
+corenet_udp_bind_generic_node(howl_t)
+corenet_tcp_bind_howl_port(howl_t)
+corenet_udp_bind_howl_port(howl_t)
+corenet_sendrecv_howl_server_packets(howl_t)
+
+dev_read_sysfs(howl_t)
+
+fs_getattr_all_fs(howl_t)
+fs_search_auto_mountpoints(howl_t)
+
+domain_use_interactive_fds(howl_t)
+
+files_read_etc_files(howl_t)
+
+init_rw_utmp(howl_t)
+
+logging_send_syslog_msg(howl_t)
+
+miscfiles_read_localization(howl_t)
+
+sysnet_read_config(howl_t)
+
+userdom_dontaudit_use_unpriv_user_fds(howl_t)
+userdom_dontaudit_search_user_home_dirs(howl_t)
+
+optional_policy(`
+ nis_use_ypbind(howl_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(howl_t)
+')
+
+optional_policy(`
+ udev_read_db(howl_t)
+')
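Review bot: The capability line `allow howl_t self:capability { kill net_admin };` and `init_rw_utmp(howl_t)` carry no justification, and net_admin is a broad capability for a multicast DNS responder (joining multicast groups does not normally need it, though changing interface flags does); a why-comment naming the operation each is needed for, e.g. `# net_admin: needed for <observed ioctl/operation>`, would make later tightening possible. `init_rw_utmp` in particular lets the daemon modify login records, which is unusual for a network service; if it only reads them, `init_read_utmp` (used for hald_t elsewhere in this patch) is the narrower interface. These are observations from the visible rules only — verify against the daemon's real denials before changing them.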
diff --git a/policy/modules/contrib/i18n_input.fc b/policy/modules/contrib/i18n_input.fc
new file mode 100644
index 00000000..024eb188
--- /dev/null
+++ b/policy/modules/contrib/i18n_input.fc
@@ -0,0 +1,19 @@
+#
+# /usr
+#
+
+/usr/bin/iiimd\.bin -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/httx -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/htt_xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/iiimx -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+/usr/lib/iiim/iiim-xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+/usr/sbin/htt -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/sbin/htt_server -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+#
+# /var
+#
+
+/var/run/iiim(/.*)? gen_context(system_u:object_r:i18n_input_var_run_t,s0)
diff --git a/policy/modules/contrib/i18n_input.if b/policy/modules/contrib/i18n_input.if
new file mode 100644
index 00000000..bc7de4ff
--- /dev/null
+++ b/policy/modules/contrib/i18n_input.if
@@ -0,0 +1,15 @@
+## <summary>IIIMF htt server</summary>
+
+########################################
+## <summary>
+## Use i18n_input over a TCP connection. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`i18n_use',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/policy/modules/contrib/i18n_input.te b/policy/modules/contrib/i18n_input.te
new file mode 100644
index 00000000..5fc89c4e
--- /dev/null
+++ b/policy/modules/contrib/i18n_input.te
@@ -0,0 +1,102 @@
+policy_module(i18n_input, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type i18n_input_t;
+type i18n_input_exec_t;
+init_daemon_domain(i18n_input_t, i18n_input_exec_t)
+
+type i18n_input_var_run_t;
+files_pid_file(i18n_input_var_run_t)
+
+########################################
+#
+# i18n_input local policy
+#
+
+allow i18n_input_t self:capability { kill setgid setuid };
+dontaudit i18n_input_t self:capability sys_tty_config;
+allow i18n_input_t self:process { signal_perms setsched setpgid };
+allow i18n_input_t self:fifo_file rw_fifo_file_perms;
+allow i18n_input_t self:unix_dgram_socket create_socket_perms;
+allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
+allow i18n_input_t self:tcp_socket create_stream_socket_perms;
+allow i18n_input_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t)
+manage_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t)
+manage_sock_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t)
+files_pid_filetrans(i18n_input_t, i18n_input_var_run_t, file)
+
+can_exec(i18n_input_t, i18n_input_exec_t)
+
+kernel_read_kernel_sysctls(i18n_input_t)
+kernel_read_system_state(i18n_input_t)
+
+corenet_all_recvfrom_unlabeled(i18n_input_t)
+corenet_all_recvfrom_netlabel(i18n_input_t)
+corenet_tcp_sendrecv_generic_if(i18n_input_t)
+corenet_udp_sendrecv_generic_if(i18n_input_t)
+corenet_tcp_sendrecv_generic_node(i18n_input_t)
+corenet_udp_sendrecv_generic_node(i18n_input_t)
+corenet_tcp_sendrecv_all_ports(i18n_input_t)
+corenet_udp_sendrecv_all_ports(i18n_input_t)
+corenet_tcp_bind_generic_node(i18n_input_t)
+corenet_tcp_bind_i18n_input_port(i18n_input_t)
+corenet_tcp_connect_all_ports(i18n_input_t)
+corenet_sendrecv_i18n_input_server_packets(i18n_input_t)
+corenet_sendrecv_all_client_packets(i18n_input_t)
+
+dev_read_sysfs(i18n_input_t)
+
+fs_getattr_all_fs(i18n_input_t)
+fs_search_auto_mountpoints(i18n_input_t)
+
+corecmd_search_bin(i18n_input_t)
+corecmd_exec_bin(i18n_input_t)
+
+domain_use_interactive_fds(i18n_input_t)
+
+files_read_etc_files(i18n_input_t)
+files_read_etc_runtime_files(i18n_input_t)
+files_read_usr_files(i18n_input_t)
+
+init_stream_connect_script(i18n_input_t)
+
+logging_send_syslog_msg(i18n_input_t)
+
+miscfiles_read_localization(i18n_input_t)
+
+sysnet_read_config(i18n_input_t)
+
+userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
+userdom_read_user_home_content_files(i18n_input_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(i18n_input_t)
+ fs_read_nfs_symlinks(i18n_input_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(i18n_input_t)
+ fs_read_cifs_symlinks(i18n_input_t)
+')
+
+optional_policy(`
+ canna_stream_connect(i18n_input_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(i18n_input_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(i18n_input_t)
+')
+
+optional_policy(`
+ udev_read_db(i18n_input_t)
+')
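Review bot: The transition rule `files_pid_filetrans(i18n_input_t, i18n_input_var_run_t, file)` covers only plain files, yet the three lines above it grant manage_dirs_pattern and manage_sock_files_pattern on i18n_input_var_run_t and the .fc in this commit labels `/var/run/iiim(/.*)?` as a directory tree. A directory or socket the daemon creates directly under /var/run would therefore keep the generic pid label and none of those manage rules would apply to it; `files_pid_filetrans(i18n_input_t, i18n_input_var_run_t, { dir file sock_file })` would match the declared access (icecast.te in this same commit uses `{ file dir }` for the same reason). The `corenet_tcp_connect_all_ports` and `corenet_sendrecv_all_client_packets` lines also deserve a one-line comment naming what the server connects out to, since nothing in the module explains why a daemon that only serves the i18n_input port needs unrestricted outbound TCP.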
diff --git a/policy/modules/contrib/icecast.fc b/policy/modules/contrib/icecast.fc
new file mode 100644
index 00000000..a81e0900
--- /dev/null
+++ b/policy/modules/contrib/icecast.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0)
+
+/usr/bin/icecast -- gen_context(system_u:object_r:icecast_exec_t,s0)
+
+/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0)
+
+/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0)
diff --git a/policy/modules/contrib/icecast.if b/policy/modules/contrib/icecast.if
new file mode 100644
index 00000000..ecab47ab
--- /dev/null
+++ b/policy/modules/contrib/icecast.if
@@ -0,0 +1,188 @@
+## <summary> ShoutCast compatible streaming media server</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run icecast.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`icecast_domtrans',`
+ gen_require(`
+ type icecast_t, icecast_exec_t;
+ ')
+
+ domtrans_pattern($1, icecast_exec_t, icecast_t)
+')
+
+########################################
+## <summary>
+## Allow domain signal icecast
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`icecast_signal',`
+ gen_require(`
+ type icecast_t;
+ ')
+
+ allow $1 icecast_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute icecast server in the icecast domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`icecast_initrc_domtrans',`
+ gen_require(`
+ type icecast_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, icecast_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read icecast PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`icecast_read_pid_files',`
+ gen_require(`
+ type icecast_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 icecast_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage icecast pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`icecast_manage_pid_files',`
+ gen_require(`
+ type icecast_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read icecast's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`icecast_read_log',`
+ gen_require(`
+ type icecast_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, icecast_log_t, icecast_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## icecast log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`icecast_append_log',`
+ gen_require(`
+ type icecast_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, icecast_log_t, icecast_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage icecast log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allow access.
+## </summary>
+## </param>
+#
+interface(`icecast_manage_log',`
+ gen_require(`
+ type icecast_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, icecast_log_t, icecast_log_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an icecast environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`icecast_admin',`
+ gen_require(`
+ type icecast_t, icecast_initrc_exec_t;
+ ')
+
+ ps_process_pattern($1, icecast_t)
+
+ # Allow icecast_t to restart the apache service
+ icecast_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 icecast_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ icecast_manage_pid_files($1)
+
+ icecast_manage_log($1)
+
+')
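Review bot: The comment `# Allow icecast_t to restart the apache service` in icecast_admin is a copy-paste error: the subject is the caller's domain `$1`, not icecast_t, and the service being started through icecast_initrc_domtrans is icecast, not apache. It should read `# Allow $1 to start and stop the icecast service via its init script`. In icecast_manage_log the parameter text `Domain allow access.` should be `Domain allowed access.` like the sibling interfaces, and the empty line before the closing `')` of icecast_admin is noise. Unlike ifplugd_admin in this commit, icecast_admin grants the admin no process permissions on icecast_t beyond ps_process_pattern and uses the per-class manage interfaces instead of admin_pattern; if that is intentional, a short comment would stop the next reader from "fixing" it.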
diff --git a/policy/modules/contrib/icecast.te b/policy/modules/contrib/icecast.te
new file mode 100644
index 00000000..fdb7e9aa
--- /dev/null
+++ b/policy/modules/contrib/icecast.te
@@ -0,0 +1,61 @@
+policy_module(icecast, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type icecast_t;
+type icecast_exec_t;
+init_daemon_domain(icecast_t, icecast_exec_t)
+
+type icecast_initrc_exec_t;
+init_script_file(icecast_initrc_exec_t)
+
+type icecast_var_run_t;
+files_pid_file(icecast_var_run_t)
+
+type icecast_log_t;
+logging_log_file(icecast_log_t)
+
+########################################
+#
+# icecast local policy
+#
+
+allow icecast_t self:capability { dac_override setgid setuid sys_nice };
+allow icecast_t self:process { getsched fork setsched signal };
+allow icecast_t self:fifo_file rw_fifo_file_perms;
+allow icecast_t self:unix_stream_socket create_stream_socket_perms;
+allow icecast_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)
+manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
+logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )
+
+manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
+
+kernel_read_system_state(icecast_t)
+
+corenet_tcp_bind_soundd_port(icecast_t)
+
+# Init script handling
+domain_use_interactive_fds(icecast_t)
+
+files_read_etc_files(icecast_t)
+
+auth_use_nsswitch(icecast_t)
+
+miscfiles_read_localization(icecast_t)
+
+sysnet_dns_name_resolve(icecast_t)
+
+optional_policy(`
+ apache_read_sys_content(icecast_t)
+')
+
+optional_policy(`
+ rtkit_scheduled(icecast_t)
+')
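Review bot: The `dac_override` capability granted in `allow icecast_t self:capability { dac_override setgid setuid sys_nice };` has no comment explaining which file access needs it; since it lets the daemon bypass discretionary permission checks on every file it can reach under the policy, the usual convention is to document the trigger (`# dac_override: <reason, e.g. log dir owned by another user — confirm>`) or prefer fixing ownership. The module binds the soundd port but I see no `corenet_tcp_bind_generic_node` or `corenet_tcp_sendrecv_generic_if`/`_node` lines; unless those are inherited from an interface I cannot see here, binding on a wildcard address would presumably be denied on the generic node type, so this is worth verifying against an audit log. Minor: `logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )` has a stray space before the closing parenthesis compared with the files_pid_filetrans line two lines below.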
diff --git a/policy/modules/contrib/ifplugd.fc b/policy/modules/contrib/ifplugd.fc
new file mode 100644
index 00000000..2eda96f7
--- /dev/null
+++ b/policy/modules/contrib/ifplugd.fc
@@ -0,0 +1,7 @@
+/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0)
+
+/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0)
+
+/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0)
+
+/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0)
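Review bot: The pattern in `/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0)` leaves the dot unescaped, so it matches any character after `ifplugd` rather than the literal `.` of per-interface pid files, and it also has no `--` object-class qualifier unlike the other entries in this file. If the intent is only the pid/socket files, `/var/run/ifplugd\..* gen_context(system_u:object_r:ifplugd_var_run_t,s0)` is the precise form; if a directory is meant as well, a separate `(/.*)?` entry says so explicitly rather than relying on the wildcard.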
diff --git a/policy/modules/contrib/ifplugd.if b/policy/modules/contrib/ifplugd.if
new file mode 100644
index 00000000..dfb42326
--- /dev/null
+++ b/policy/modules/contrib/ifplugd.if
@@ -0,0 +1,133 @@
+## <summary>Bring up/down ethernet interfaces based on cable detection.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ifplugd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ifplugd_domtrans',`
+ gen_require(`
+ type ifplugd_t, ifplugd_exec_t;
+ ')
+
+ domtrans_pattern($1, ifplugd_exec_t, ifplugd_t)
+')
+
+########################################
+## <summary>
+## Send a generic signal to ifplugd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ifplugd_signal',`
+ gen_require(`
+ type ifplugd_t;
+ ')
+
+ allow $1 ifplugd_t:process signal;
+')
+
+########################################
+## <summary>
+## Read ifplugd etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ifplugd_read_config',`
+ gen_require(`
+ type ifplugd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+')
+
+########################################
+## <summary>
+## Manage ifplugd etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ifplugd_manage_config',`
+ gen_require(`
+ type ifplugd_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+ manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+')
+
+########################################
+## <summary>
+## Read ifplugd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ifplugd_read_pid_files',`
+ gen_require(`
+ type ifplugd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ifplugd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ifplugd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the ifplugd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ifplugd_admin',`
+ gen_require(`
+ type ifplugd_t, ifplugd_etc_t;
+ type ifplugd_var_run_t, ifplugd_initrc_exec_t;
+ ')
+
+ allow $1 ifplugd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ifplugd_t)
+
+ init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ifplugd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, ifplugd_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ifplugd_var_run_t)
+')
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
new file mode 100644
index 00000000..978c32fb
--- /dev/null
+++ b/policy/modules/contrib/ifplugd.te
@@ -0,0 +1,76 @@
+policy_module(ifplugd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ifplugd_t;
+type ifplugd_exec_t;
+init_daemon_domain(ifplugd_t, ifplugd_exec_t)
+
+# config files
+type ifplugd_etc_t;
+files_type(ifplugd_etc_t)
+
+type ifplugd_initrc_exec_t;
+init_script_file(ifplugd_initrc_exec_t)
+
+# pid files
+type ifplugd_var_run_t;
+files_pid_file(ifplugd_var_run_t)
+
+########################################
+#
+# ifplugd local policy
+#
+
+allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
+dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace };
+allow ifplugd_t self:process { signal signull };
+allow ifplugd_t self:fifo_file rw_fifo_file_perms;
+allow ifplugd_t self:tcp_socket create_stream_socket_perms;
+allow ifplugd_t self:udp_socket create_socket_perms;
+allow ifplugd_t self:packet_socket create_socket_perms;
+allow ifplugd_t self:netlink_route_socket create_netlink_socket_perms;
+
+# pid file
+manage_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t)
+manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t)
+files_pid_filetrans(ifplugd_t, ifplugd_var_run_t, { file sock_file })
+
+# config files
+read_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)
+exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)
+
+kernel_read_system_state(ifplugd_t)
+kernel_read_network_state(ifplugd_t)
+kernel_rw_net_sysctls(ifplugd_t)
+kernel_read_kernel_sysctls(ifplugd_t)
+
+corecmd_exec_shell(ifplugd_t)
+corecmd_exec_bin(ifplugd_t)
+
+# reading of hardware information
+dev_read_sysfs(ifplugd_t)
+
+domain_read_confined_domains_state(ifplugd_t)
+domain_dontaudit_read_all_domains_state(ifplugd_t)
+
+auth_use_nsswitch(ifplugd_t)
+
+logging_send_syslog_msg(ifplugd_t)
+
+miscfiles_read_localization(ifplugd_t)
+
+netutils_domtrans(ifplugd_t)
+# transition to ifconfig & dhcpc
+sysnet_domtrans_ifconfig(ifplugd_t)
+sysnet_domtrans_dhcpc(ifplugd_t)
+sysnet_delete_dhcpc_pid(ifplugd_t)
+sysnet_read_dhcpc_pid(ifplugd_t)
+sysnet_signal_dhcpc(ifplugd_t)
+
+optional_policy(`
+ consoletype_exec(ifplugd_t)
+')
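Review bot: The `# config files` comment above `exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)` understates what the rule does: together with `corecmd_exec_shell(ifplugd_t)` it means the scripts under /etc/ifplugd execute inside ifplugd_t itself, with the `net_admin` capability and the dhcpc/ifconfig transitions granted to that domain, rather than in a domain of their own. A comment such as `# action scripts in /etc/ifplugd run in this domain; anyone who can write ifplugd_etc_t effectively runs as ifplugd_t` records that, and it matters because ifplugd_manage_config in the companion .if hands that write access out. Given that the type is executed as well as read, `files_type(ifplugd_etc_t)` rather than a config-file attribute is defensible, but that choice is also worth a word in the declarations block.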
diff --git a/policy/modules/contrib/imaze.fc b/policy/modules/contrib/imaze.fc
new file mode 100644
index 00000000..8d455ba6
--- /dev/null
+++ b/policy/modules/contrib/imaze.fc
@@ -0,0 +1,4 @@
+/usr/games/imazesrv -- gen_context(system_u:object_r:imazesrv_exec_t,s0)
+/usr/share/games/imaze(/.*)? gen_context(system_u:object_r:imazesrv_data_t,s0)
+
+/var/log/imaze\.log -- gen_context(system_u:object_r:imazesrv_log_t,s0)
diff --git a/policy/modules/contrib/imaze.if b/policy/modules/contrib/imaze.if
new file mode 100644
index 00000000..8eb9ec3a
--- /dev/null
+++ b/policy/modules/contrib/imaze.if
@@ -0,0 +1 @@
+## <summary>iMaze game server</summary>
diff --git a/policy/modules/contrib/imaze.te b/policy/modules/contrib/imaze.te
new file mode 100644
index 00000000..0778af87
--- /dev/null
+++ b/policy/modules/contrib/imaze.te
@@ -0,0 +1,99 @@
+policy_module(imaze, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type imazesrv_t;
+type imazesrv_exec_t;
+init_daemon_domain(imazesrv_t, imazesrv_exec_t)
+
+type imazesrv_data_t;
+files_type(imazesrv_data_t)
+
+type imazesrv_data_labs_t;
+files_type(imazesrv_data_labs_t)
+
+type imazesrv_log_t;
+logging_log_file(imazesrv_log_t)
+
+type imazesrv_var_run_t;
+files_pid_file(imazesrv_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit imazesrv_t self:capability sys_tty_config;
+allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow imazesrv_t self:fd use;
+allow imazesrv_t self:fifo_file rw_fifo_file_perms;
+allow imazesrv_t self:unix_dgram_socket { create_socket_perms sendto };
+allow imazesrv_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow imazesrv_t self:shm create_shm_perms;
+allow imazesrv_t self:sem create_sem_perms;
+allow imazesrv_t self:msgq create_msgq_perms;
+allow imazesrv_t self:msg { send receive };
+allow imazesrv_t self:tcp_socket create_stream_socket_perms;
+allow imazesrv_t self:udp_socket create_socket_perms;
+
+allow imazesrv_t imazesrv_data_t:dir list_dir_perms;
+read_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t)
+read_lnk_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t)
+
+allow imazesrv_t imazesrv_log_t:file manage_file_perms;
+allow imazesrv_t imazesrv_log_t:dir add_entry_dir_perms;
+logging_log_filetrans(imazesrv_t, imazesrv_log_t, file)
+
+manage_files_pattern(imazesrv_t, imazesrv_var_run_t, imazesrv_var_run_t)
+files_pid_filetrans(imazesrv_t, imazesrv_var_run_t, file)
+
+kernel_read_kernel_sysctls(imazesrv_t)
+kernel_list_proc(imazesrv_t)
+kernel_read_proc_symlinks(imazesrv_t)
+
+corenet_all_recvfrom_unlabeled(imazesrv_t)
+corenet_all_recvfrom_netlabel(imazesrv_t)
+corenet_tcp_sendrecv_generic_if(imazesrv_t)
+corenet_udp_sendrecv_generic_if(imazesrv_t)
+corenet_tcp_sendrecv_generic_node(imazesrv_t)
+corenet_udp_sendrecv_generic_node(imazesrv_t)
+corenet_tcp_sendrecv_all_ports(imazesrv_t)
+corenet_udp_sendrecv_all_ports(imazesrv_t)
+corenet_tcp_bind_generic_node(imazesrv_t)
+corenet_udp_bind_generic_node(imazesrv_t)
+corenet_tcp_bind_imaze_port(imazesrv_t)
+corenet_udp_bind_imaze_port(imazesrv_t)
+corenet_sendrecv_imaze_server_packets(imazesrv_t)
+
+dev_read_sysfs(imazesrv_t)
+
+domain_use_interactive_fds(imazesrv_t)
+
+files_read_etc_files(imazesrv_t)
+
+fs_getattr_all_fs(imazesrv_t)
+fs_search_auto_mountpoints(imazesrv_t)
+
+logging_send_syslog_msg(imazesrv_t)
+
+miscfiles_read_localization(imazesrv_t)
+
+sysnet_read_config(imazesrv_t)
+
+userdom_use_unpriv_users_fds(imazesrv_t)
+userdom_dontaudit_search_user_home_dirs(imazesrv_t)
+
+optional_policy(`
+ nis_use_ypbind(imazesrv_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(imazesrv_t)
+')
+
+optional_policy(`
+ udev_read_db(imazesrv_t)
+')
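Review bot: The type `imazesrv_data_labs_t` is declared and given `files_type` in the declarations block but is never referenced by any rule in this file or by any entry in imaze.fc in this commit, so it is dead policy; either add the file context and access rules it was meant for or drop the two declaration lines. The rule `allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` uses a negated set, which grants every present and future process permission not listed (including transition, dyntransition and share) and is out of step with the explicit positive sets the other modules in this commit use, e.g. `allow icecast_t self:process { getsched fork setsched signal };`; enumerating what the server actually needs is the safer form. The reasons for `allow imazesrv_t self:unix_stream_socket { create_stream_socket_perms connectto };` and the SysV IPC rules (shm, sem, msgq, msg) would also be easier to audit with a short comment each.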
diff --git a/policy/modules/contrib/inetd.fc b/policy/modules/contrib/inetd.fc
new file mode 100644
index 00000000..39d5baa2
--- /dev/null
+++ b/policy/modules/contrib/inetd.fc
@@ -0,0 +1,12 @@
+
+/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+
+/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+
+/var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0)
+
+/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
diff --git a/policy/modules/contrib/inetd.if b/policy/modules/contrib/inetd.if
new file mode 100644
index 00000000..df48e5ed
--- /dev/null
+++ b/policy/modules/contrib/inetd.if
@@ -0,0 +1,205 @@
+## <summary>Internet services daemon.</summary>
+
+########################################
+## <summary>
+## Define the specified domain as a inetd service.
+## </summary>
+## <desc>
+## <p>
+## Define the specified domain as a inetd service. The
+## inetd_service_domain(), inetd_tcp_service_domain(),
+## or inetd_udp_service_domain() interfaces should be used
+## instead of this interface, as this interface only provides
+## the common rules to these three interfaces.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_core_service_domain',`
+ gen_require(`
+ type inetd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(inetd_t, $2, $1)
+ allow inetd_t $1:process { siginh sigkill };
+')
+
+########################################
+## <summary>
+## Define the specified domain as a TCP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_tcp_service_domain',`
+
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+## Define the specified domain as a UDP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_udp_service_domain',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:udp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Define the specified domain as a TCP and UDP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_service_domain',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+ allow $1 inetd_t:udp_socket rw_socket_perms;
+
+ # encrypt the service through stunnel
+ optional_policy(`
+ stunnel_service_domain($1, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from inetd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inetd_use_fds',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ allow $1 inetd_t:fd use;
+')
+
+########################################
+## <summary>
+## Connect to the inetd service using a TCP connection. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inetd_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Run inetd child process in the inet child domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`inetd_domtrans_child',`
+ gen_require(`
+ type inetd_child_t, inetd_child_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, inetd_child_exec_t, inetd_child_t)
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to inetd. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inetd_udp_send',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Read and write inetd TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inetd_rw_tcp_sockets',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')
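Review bot: The body of `inetd_tcp_service_domain` opens with an empty line before `gen_require(`, which none of the other interfaces in this file do; removing it keeps the three service-domain interfaces visually parallel. The `<desc>` of inetd_core_service_domain explains the relationship between the four service-domain interfaces, but `inetd_service_domain` does not mention that it additionally wraps the service in `stunnel_service_domain` when that module is present; a sentence in its summary block (`Also makes the domain an stunnel service when stunnel policy is loaded.`) would tell callers why that one differs from the TCP-only and UDP-only variants. The rule `allow inetd_t $1:process { siginh sigkill };` in the core interface is the one that lets inetd kill services it spawns and is worth a one-line comment for the same reason.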
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
new file mode 100644
index 00000000..10f25d3e
--- /dev/null
+++ b/policy/modules/contrib/inetd.te
@@ -0,0 +1,243 @@
+policy_module(inetd, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type inetd_t;
+type inetd_exec_t;
+init_daemon_domain(inetd_t, inetd_exec_t)
+
+type inetd_log_t;
+logging_log_file(inetd_log_t)
+
+type inetd_tmp_t;
+files_tmp_file(inetd_tmp_t)
+
+type inetd_var_run_t;
+files_pid_file(inetd_var_run_t)
+
+type inetd_child_t;
+type inetd_child_exec_t;
+inetd_service_domain(inetd_child_t, inetd_child_exec_t)
+role system_r types inetd_child_t;
+
+type inetd_child_tmp_t;
+files_tmp_file(inetd_child_tmp_t)
+
+type inetd_child_var_run_t;
+files_pid_file(inetd_child_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow inetd_t self:capability { setuid setgid sys_resource };
+dontaudit inetd_t self:capability sys_tty_config;
+allow inetd_t self:process { setsched setexec setrlimit };
+allow inetd_t self:fifo_file rw_fifo_file_perms;
+allow inetd_t self:tcp_socket create_stream_socket_perms;
+allow inetd_t self:udp_socket create_socket_perms;
+allow inetd_t self:fd use;
+
+allow inetd_t inetd_log_t:file manage_file_perms;
+logging_log_filetrans(inetd_t, inetd_log_t, file)
+
+manage_dirs_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t)
+manage_files_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t)
+files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir })
+
+allow inetd_t inetd_var_run_t:file manage_file_perms;
+files_pid_filetrans(inetd_t, inetd_var_run_t, file)
+
+kernel_read_kernel_sysctls(inetd_t)
+kernel_list_proc(inetd_t)
+kernel_read_proc_symlinks(inetd_t)
+kernel_read_system_state(inetd_t)
+kernel_tcp_recvfrom_unlabeled(inetd_t)
+
+corecmd_bin_domtrans(inetd_t, inetd_child_t)
+
+# base networking:
+corenet_all_recvfrom_unlabeled(inetd_t)
+corenet_all_recvfrom_netlabel(inetd_t)
+corenet_tcp_sendrecv_generic_if(inetd_t)
+corenet_udp_sendrecv_generic_if(inetd_t)
+corenet_tcp_sendrecv_generic_node(inetd_t)
+corenet_udp_sendrecv_generic_node(inetd_t)
+corenet_tcp_sendrecv_all_ports(inetd_t)
+corenet_udp_sendrecv_all_ports(inetd_t)
+corenet_tcp_bind_generic_node(inetd_t)
+corenet_udp_bind_generic_node(inetd_t)
+corenet_tcp_connect_all_ports(inetd_t)
+corenet_sendrecv_all_client_packets(inetd_t)
+
+# listen on service ports:
+corenet_tcp_bind_amanda_port(inetd_t)
+corenet_udp_bind_amanda_port(inetd_t)
+corenet_tcp_bind_auth_port(inetd_t)
+corenet_udp_bind_comsat_port(inetd_t)
+corenet_tcp_bind_dbskkd_port(inetd_t)
+corenet_udp_bind_dbskkd_port(inetd_t)
+corenet_tcp_bind_ftp_port(inetd_t)
+corenet_udp_bind_ftp_port(inetd_t)
+corenet_tcp_bind_inetd_child_port(inetd_t)
+corenet_udp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_ircd_port(inetd_t)
+corenet_udp_bind_ktalkd_port(inetd_t)
+corenet_tcp_bind_pop_port(inetd_t)
+corenet_tcp_bind_printer_port(inetd_t)
+corenet_udp_bind_rlogind_port(inetd_t)
+corenet_udp_bind_rsh_port(inetd_t)
+corenet_tcp_bind_rsh_port(inetd_t)
+corenet_tcp_bind_rsync_port(inetd_t)
+corenet_udp_bind_rsync_port(inetd_t)
+corenet_tcp_bind_stunnel_port(inetd_t)
+corenet_tcp_bind_swat_port(inetd_t)
+corenet_udp_bind_swat_port(inetd_t)
+corenet_tcp_bind_telnetd_port(inetd_t)
+corenet_udp_bind_tftp_port(inetd_t)
+corenet_tcp_bind_ssh_port(inetd_t)
+corenet_tcp_bind_git_port(inetd_t)
+corenet_udp_bind_git_port(inetd_t)
+
+# service port packets:
+corenet_sendrecv_amanda_server_packets(inetd_t)
+corenet_sendrecv_auth_server_packets(inetd_t)
+corenet_sendrecv_comsat_server_packets(inetd_t)
+corenet_sendrecv_dbskkd_server_packets(inetd_t)
+corenet_sendrecv_ftp_server_packets(inetd_t)
+corenet_sendrecv_inetd_child_server_packets(inetd_t)
+corenet_sendrecv_ircd_server_packets(inetd_t)
+corenet_sendrecv_ktalkd_server_packets(inetd_t)
+corenet_sendrecv_printer_server_packets(inetd_t)
+corenet_sendrecv_rsh_server_packets(inetd_t)
+corenet_sendrecv_rsync_server_packets(inetd_t)
+corenet_sendrecv_stunnel_server_packets(inetd_t)
+corenet_sendrecv_swat_server_packets(inetd_t)
+corenet_sendrecv_tftp_server_packets(inetd_t)
+
+dev_read_sysfs(inetd_t)
+
+fs_getattr_all_fs(inetd_t)
+fs_search_auto_mountpoints(inetd_t)
+
+selinux_validate_context(inetd_t)
+selinux_compute_create_context(inetd_t)
+
+# Run other daemons in the inetd_child_t domain.
+corecmd_search_bin(inetd_t)
+corecmd_read_bin_symlinks(inetd_t)
+
+domain_use_interactive_fds(inetd_t)
+
+files_read_etc_files(inetd_t)
+files_read_etc_runtime_files(inetd_t)
+
+auth_use_nsswitch(inetd_t)
+
+logging_send_syslog_msg(inetd_t)
+
+miscfiles_read_localization(inetd_t)
+
+# xinetd needs MLS override privileges to work
+mls_fd_share_all_levels(inetd_t)
+mls_socket_read_to_clearance(inetd_t)
+mls_socket_write_to_clearance(inetd_t)
+mls_process_set_level(inetd_t)
+
+sysnet_read_config(inetd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(inetd_t)
+userdom_dontaudit_search_user_home_dirs(inetd_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ unconfined_domain(inetd_t)
+ ')
+')
+
+ifdef(`enable_mls',`
+ corenet_tcp_recvfrom_netlabel(inetd_t)
+ corenet_udp_recvfrom_netlabel(inetd_t)
+')
+
+optional_policy(`
+ amanda_search_lib(inetd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(inetd_t)
+')
+
+optional_policy(`
+ udev_read_db(inetd_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(inetd_t)
+')
+
+########################################
+#
+# inetd child local_policy
+#
+
+allow inetd_child_t self:process signal_perms;
+allow inetd_child_t self:fifo_file rw_fifo_file_perms;
+allow inetd_child_t self:tcp_socket connected_stream_socket_perms;
+allow inetd_child_t self:udp_socket create_socket_perms;
+
+# for identd
+allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow inetd_child_t self:capability { setuid setgid };
+files_search_home(inetd_child_t)
+
+manage_dirs_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t)
+manage_files_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t)
+files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir })
+
+manage_files_pattern(inetd_child_t, inetd_child_var_run_t, inetd_child_var_run_t)
+files_pid_filetrans(inetd_child_t, inetd_child_var_run_t, file)
+
+kernel_read_kernel_sysctls(inetd_child_t)
+kernel_read_system_state(inetd_child_t)
+kernel_read_network_state(inetd_child_t)
+
+corenet_all_recvfrom_unlabeled(inetd_child_t)
+corenet_all_recvfrom_netlabel(inetd_child_t)
+corenet_tcp_sendrecv_generic_if(inetd_child_t)
+corenet_udp_sendrecv_generic_if(inetd_child_t)
+corenet_tcp_sendrecv_generic_node(inetd_child_t)
+corenet_udp_sendrecv_generic_node(inetd_child_t)
+corenet_tcp_sendrecv_all_ports(inetd_child_t)
+corenet_udp_sendrecv_all_ports(inetd_child_t)
+
+dev_read_urand(inetd_child_t)
+
+fs_getattr_xattr_fs(inetd_child_t)
+
+files_read_etc_files(inetd_child_t)
+files_read_etc_runtime_files(inetd_child_t)
+
+auth_use_nsswitch(inetd_child_t)
+
+logging_send_syslog_msg(inetd_child_t)
+
+miscfiles_read_localization(inetd_child_t)
+
+sysnet_read_config(inetd_child_t)
+
+optional_policy(`
+ kerberos_use(inetd_child_t)
+')
+
+optional_policy(`
+ unconfined_domain(inetd_child_t)
+')
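Review bot: The three unconfined escapes in this file — `unconfined_domain(inetd_t)` inside the `distro_redhat` block, `unconfined_domtrans(inetd_t)` and `unconfined_domain(inetd_child_t)` — carry no comment, yet each one sets aside the confinement the preceding two hundred lines construct whenever the unconfined module is loaded. A reviewer auditing the resulting policy needs to know why; a comment such as `# Red Hat builds run xinetd unconfined; all rules above are moot when unconfined is loaded` on the first and an equivalent on the child block would make that explicit. Relatedly, `corecmd_bin_domtrans(inetd_t, inetd_child_t)` sits alone after the kernel rules while its explanation `# Run other daemons in the inetd_child_t domain.` appears much later above the corecmd_search_bin line; moving the comment next to the domtrans it describes (or the domtrans next to the comment) would stop the two drifting further apart.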
diff --git a/policy/modules/contrib/inn.fc b/policy/modules/contrib/inn.fc
new file mode 100644
index 00000000..8ca038d7
--- /dev/null
+++ b/policy/modules/contrib/inn.fc
@@ -0,0 +1,67 @@
+
+#
+# /etc
+#
+/etc/news(/.*)? gen_context(system_u:object_r:innd_etc_t,s0)
+/etc/news/boot -- gen_context(system_u:object_r:innd_exec_t,s0)
+/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/suck -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/usr/sbin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/sbin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/var/lib/news(/.*)? gen_context(system_u:object_r:innd_var_lib_t,s0)
+
+/usr/lib(64)?/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/inndf -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+# cjp: split these to fix an ordering
+# problem with a match in corecommands
+/usr/lib/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib64/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib64/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0)
+
+/var/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+/var/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+
+/var/spool/news(/.*)? gen_context(system_u:object_r:news_spool_t,s0)
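Review bot: The `/var/lib/news(/.*)?` entry sits under the `# /usr` heading, between the `/usr/sbin/innd.*` and `/usr/lib(64)?/news/bin/` entries, so the file's own section comments misdescribe it. Moving it beside `/var/log/news(/.*)?` in the /var group keeps the headings accurate. The `cjp` comment further down shows that entry order can matter against corecommands, so check that the move does not change its position relative to any other `/var/lib` pattern.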
diff --git a/policy/modules/contrib/inn.if b/policy/modules/contrib/inn.if
new file mode 100644
index 00000000..ebc9e0d7
--- /dev/null
+++ b/policy/modules/contrib/inn.if
@@ -0,0 +1,224 @@
+## <summary>Internet News NNTP server</summary>
+
+########################################
+## <summary>
+## Allow the specified domain to execute innd
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_exec',`
+ gen_require(`
+ type innd_t;
+ ')
+
+ can_exec($1, innd_exec_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute
+## inn configuration files in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_exec_config',`
+ gen_require(`
+ type innd_etc_t;
+ ')
+
+ can_exec($1, innd_etc_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the innd log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_manage_log',`
+ gen_require(`
+ type innd_log_t;
+ ')
+
+ logging_rw_generic_log_dirs($1)
+ manage_files_pattern($1, innd_log_t, innd_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the innd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_manage_pid',`
+ gen_require(`
+ type innd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, innd_var_run_t, innd_var_run_t)
+ manage_lnk_files_pattern($1, innd_var_run_t, innd_var_run_t)
+')
+
+########################################
+## <summary>
+## Read innd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+#
+interface(`inn_read_config',`
+ gen_require(`
+ type innd_etc_t;
+ ')
+
+ allow $1 innd_etc_t:dir list_dir_perms;
+ allow $1 innd_etc_t:file read_file_perms;
+ allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read innd news library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_read_news_lib',`
+ gen_require(`
+ type innd_var_lib_t;
+ ')
+
+ allow $1 innd_var_lib_t:dir list_dir_perms;
+ allow $1 innd_var_lib_t:file read_file_perms;
+ allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read innd news library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_read_news_spool',`
+ gen_require(`
+ type news_spool_t;
+ ')
+
+ allow $1 news_spool_t:dir list_dir_perms;
+ allow $1 news_spool_t:file read_file_perms;
+ allow $1 news_spool_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Send to a innd unix dgram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_dgram_send',`
+ gen_require(`
+ type innd_t;
+ ')
+
+ allow $1 innd_t:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+## Execute inn in the inn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`inn_domtrans',`
+ gen_require(`
+ type innd_t, innd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, innd_exec_t, innd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an inn environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the inn domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`inn_admin',`
+ gen_require(`
+ type innd_t, innd_etc_t, innd_log_t;
+ type news_spool_t, innd_var_lib_t;
+ type innd_var_run_t, innd_initrc_exec_t;
+ ')
+
+ allow $1 innd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, innd_t)
+
+ init_labeled_script_domtrans($1, innd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 innd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, innd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, innd_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, innd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, innd_var_run_t)
+
+ files_list_spool($1)
+ admin_pattern($1, news_spool_t)
+')
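Review bot: `inn_exec` requires the wrong type: its `gen_require` declares `type innd_t;` while the body calls `can_exec($1, innd_exec_t)`, so a caller in another module gets no declaration for the type it actually uses; the require line should be `type innd_exec_t;`. Separately, the summary of `inn_read_news_spool` is a copy of the `inn_read_news_lib` summary ("Read innd news library files") and should read `## Read innd news spool files.`. The blank line between `## </param>` and `#` above `inn_read_config` also separates that interface's doc header from its `interface(` line, unlike every other interface in the file; presumably that breaks the doc extraction, so it is worth removing.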
diff --git a/policy/modules/contrib/inn.te b/policy/modules/contrib/inn.te
new file mode 100644
index 00000000..9fab1dc8
--- /dev/null
+++ b/policy/modules/contrib/inn.te
@@ -0,0 +1,129 @@
+policy_module(inn, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+type innd_t;
+type innd_exec_t;
+init_daemon_domain(innd_t, innd_exec_t)
+
+type innd_etc_t;
+files_config_file(innd_etc_t)
+
+type innd_initrc_exec_t;
+init_script_file(innd_initrc_exec_t)
+
+type innd_log_t;
+logging_log_file(innd_log_t)
+
+type innd_var_lib_t;
+files_type(innd_var_lib_t)
+
+type innd_var_run_t;
+files_pid_file(innd_var_run_t)
+
+type news_spool_t;
+files_mountpoint(news_spool_t)
+
+########################################
+#
+# Local policy
+#
+allow innd_t self:capability { dac_override kill setgid setuid };
+dontaudit innd_t self:capability sys_tty_config;
+allow innd_t self:process { setsched signal_perms };
+allow innd_t self:fifo_file rw_fifo_file_perms;
+allow innd_t self:unix_dgram_socket { sendto create_socket_perms };
+allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow innd_t self:tcp_socket create_stream_socket_perms;
+allow innd_t self:udp_socket create_socket_perms;
+allow innd_t self:netlink_route_socket r_netlink_socket_perms;
+
+read_files_pattern(innd_t, innd_etc_t, innd_etc_t)
+read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
+
+can_exec(innd_t, innd_exec_t)
+
+manage_files_pattern(innd_t, innd_log_t, innd_log_t)
+allow innd_t innd_log_t:dir setattr;
+logging_log_filetrans(innd_t, innd_log_t, file)
+
+manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
+manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
+files_var_lib_filetrans(innd_t, innd_var_lib_t, file)
+
+manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
+manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
+manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
+files_pid_filetrans(innd_t, innd_var_run_t, file)
+
+manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
+manage_files_pattern(innd_t, news_spool_t, news_spool_t)
+manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t)
+
+kernel_read_kernel_sysctls(innd_t)
+kernel_read_system_state(innd_t)
+
+corenet_all_recvfrom_unlabeled(innd_t)
+corenet_all_recvfrom_netlabel(innd_t)
+corenet_tcp_sendrecv_generic_if(innd_t)
+corenet_udp_sendrecv_generic_if(innd_t)
+corenet_tcp_sendrecv_generic_node(innd_t)
+corenet_udp_sendrecv_generic_node(innd_t)
+corenet_tcp_sendrecv_all_ports(innd_t)
+corenet_udp_sendrecv_all_ports(innd_t)
+corenet_tcp_bind_generic_node(innd_t)
+corenet_tcp_bind_innd_port(innd_t)
+corenet_tcp_connect_all_ports(innd_t)
+corenet_sendrecv_innd_server_packets(innd_t)
+corenet_sendrecv_all_client_packets(innd_t)
+
+dev_read_sysfs(innd_t)
+dev_read_urand(innd_t)
+
+fs_getattr_all_fs(innd_t)
+fs_search_auto_mountpoints(innd_t)
+
+corecmd_exec_bin(innd_t)
+corecmd_exec_shell(innd_t)
+
+domain_use_interactive_fds(innd_t)
+
+files_list_spool(innd_t)
+files_read_etc_files(innd_t)
+files_read_etc_runtime_files(innd_t)
+files_read_usr_files(innd_t)
+
+logging_send_syslog_msg(innd_t)
+
+miscfiles_read_localization(innd_t)
+
+seutil_dontaudit_search_config(innd_t)
+
+sysnet_read_config(innd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(innd_t)
+userdom_dontaudit_search_user_home_dirs(innd_t)
+
+mta_send_mail(innd_t)
+
+optional_policy(`
+ cron_system_entry(innd_t, innd_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(innd_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(innd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(innd_t)
+')
+
+optional_policy(`
+ udev_read_db(innd_t)
+')
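Review bot: `mta_send_mail(innd_t)` is the only cross-module call in this file not wrapped in `optional_policy`, unlike the cron, hostname, nis, seutil and udev calls below it; if mta is a separately loadable module in this tree (nothing in this file declares its types), the bare call makes inn hard-depend on it. Wrap it in an `optional_policy(...)` block like the others. Also, `corenet_tcp_connect_all_ports(innd_t)` grants outbound connect to every TCP port while the module only binds the innd port; if peering on other ports is not required, `corenet_tcp_connect_innd_port(innd_t)` would match the daemon's declared role more closely, and if the broad grant is deliberate a one-line comment saying why would help.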
diff --git a/policy/modules/contrib/irc.fc b/policy/modules/contrib/irc.fc
new file mode 100644
index 00000000..65ece18f
--- /dev/null
+++ b/policy/modules/contrib/irc.fc
@@ -0,0 +1,11 @@
+#
+# /home
+#
+HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+
+#
+# /usr
+#
+/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/policy/modules/contrib/irc.if b/policy/modules/contrib/irc.if
new file mode 100644
index 00000000..4f9dc90f
--- /dev/null
+++ b/policy/modules/contrib/irc.if
@@ -0,0 +1,31 @@
+## <summary>IRC client policy</summary>
+
+########################################
+## <summary>
+## Role access for IRC
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`irc_role',`
+ gen_require(`
+ type irc_t, irc_exec_t;
+ ')
+
+ role $1 types irc_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, irc_exec_t, irc_t)
+
+ # allow ps to show irc
+ ps_process_pattern($2, irc_t)
+ allow $2 irc_t:process signal;
+')
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
new file mode 100644
index 00000000..6e2dbd2b
--- /dev/null
+++ b/policy/modules/contrib/irc.te
@@ -0,0 +1,102 @@
+policy_module(irc, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type irc_t;
+type irc_exec_t;
+typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
+typealias irc_t alias { auditadm_irc_t secadm_irc_t };
+userdom_user_application_domain(irc_t, irc_exec_t)
+
+type irc_home_t;
+typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
+typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
+userdom_user_home_content(irc_home_t)
+
+type irc_tmp_t;
+typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
+typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
+userdom_user_tmp_file(irc_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow irc_t self:unix_stream_socket create_stream_socket_perms;
+allow irc_t self:tcp_socket create_socket_perms;
+allow irc_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
+manage_files_pattern(irc_t, irc_home_t, irc_home_t)
+manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
+userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
+
+# access files under /tmp
+manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+
+kernel_read_proc_symlinks(irc_t)
+
+corenet_all_recvfrom_unlabeled(irc_t)
+corenet_all_recvfrom_netlabel(irc_t)
+corenet_tcp_sendrecv_generic_if(irc_t)
+corenet_udp_sendrecv_generic_if(irc_t)
+corenet_tcp_sendrecv_generic_node(irc_t)
+corenet_udp_sendrecv_generic_node(irc_t)
+corenet_tcp_sendrecv_all_ports(irc_t)
+corenet_udp_sendrecv_all_ports(irc_t)
+corenet_sendrecv_ircd_client_packets(irc_t)
+# cjp: this seems excessive:
+corenet_tcp_connect_all_ports(irc_t)
+corenet_sendrecv_all_client_packets(irc_t)
+
+domain_use_interactive_fds(irc_t)
+
+files_dontaudit_search_pids(irc_t)
+files_search_var(irc_t)
+files_read_etc_files(irc_t)
+files_read_usr_files(irc_t)
+
+fs_getattr_xattr_fs(irc_t)
+fs_search_auto_mountpoints(irc_t)
+
+term_use_controlling_term(irc_t)
+term_list_ptys(irc_t)
+
+# allow utmp access
+init_read_utmp(irc_t)
+init_dontaudit_lock_utmp(irc_t)
+
+miscfiles_read_localization(irc_t)
+
+# Inherit and use descriptors from newrole.
+seutil_use_newrole_fds(irc_t)
+
+sysnet_read_config(irc_t)
+
+# Write to the user domain tty.
+userdom_use_user_terminals(irc_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(irc_t)
+ fs_manage_nfs_files(irc_t)
+ fs_manage_nfs_symlinks(irc_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(irc_t)
+ fs_manage_cifs_files(irc_t)
+ fs_manage_cifs_symlinks(irc_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(irc_t)
+')
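Review bot: The `# cjp: this seems excessive:` remark on `corenet_tcp_connect_all_ports(irc_t)` records doubt without a decision, and nothing narrows the grant. Since the module already grants `corenet_sendrecv_ircd_client_packets(irc_t)`, `corenet_tcp_connect_ircd_port(irc_t)` is the natural narrower form; if all-ports connect is intended (clients joining servers on non-standard ports), the comment should state that instead of flagging it as excessive. Either way, replace the aside with a sentence that records the decision.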
diff --git a/policy/modules/contrib/ircd.fc b/policy/modules/contrib/ircd.fc
new file mode 100644
index 00000000..d733fa8f
--- /dev/null
+++ b/policy/modules/contrib/ircd.fc
@@ -0,0 +1,7 @@
+/etc/(dancer-)?ircd(/.*)? gen_context(system_u:object_r:ircd_etc_t,s0)
+
+/usr/sbin/(dancer-)?ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+
+/var/lib/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_lib_t,s0)
+/var/log/(dancer-)?ircd(/.*)? gen_context(system_u:object_r:ircd_log_t,s0)
+/var/run/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0)
diff --git a/policy/modules/contrib/ircd.if b/policy/modules/contrib/ircd.if
new file mode 100644
index 00000000..3f4de835
--- /dev/null
+++ b/policy/modules/contrib/ircd.if
@@ -0,0 +1 @@
+## <summary>IRC server</summary>
diff --git a/policy/modules/contrib/ircd.te b/policy/modules/contrib/ircd.te
new file mode 100644
index 00000000..75ab1e2d
--- /dev/null
+++ b/policy/modules/contrib/ircd.te
@@ -0,0 +1,93 @@
+policy_module(ircd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type ircd_t;
+type ircd_exec_t;
+init_daemon_domain(ircd_t, ircd_exec_t)
+
+type ircd_etc_t;
+files_config_file(ircd_etc_t)
+
+type ircd_log_t;
+logging_log_file(ircd_log_t)
+
+type ircd_var_lib_t;
+files_type(ircd_var_lib_t)
+
+type ircd_var_run_t;
+files_pid_file(ircd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit ircd_t self:capability sys_tty_config;
+allow ircd_t self:process signal_perms;
+allow ircd_t self:tcp_socket create_stream_socket_perms;
+allow ircd_t self:udp_socket create_socket_perms;
+
+read_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t)
+read_lnk_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t)
+files_search_etc(ircd_t)
+
+manage_files_pattern(ircd_t, ircd_log_t, ircd_log_t)
+logging_log_filetrans(ircd_t, ircd_log_t, { file dir })
+
+manage_files_pattern(ircd_t, ircd_var_lib_t, ircd_var_lib_t)
+files_var_lib_filetrans(ircd_t, ircd_var_lib_t, file)
+
+manage_files_pattern(ircd_t, ircd_var_run_t, ircd_var_run_t)
+files_pid_filetrans(ircd_t, ircd_var_run_t, file)
+
+kernel_read_system_state(ircd_t)
+kernel_read_kernel_sysctls(ircd_t)
+
+corecmd_search_bin(ircd_t)
+
+corenet_all_recvfrom_unlabeled(ircd_t)
+corenet_all_recvfrom_netlabel(ircd_t)
+corenet_tcp_sendrecv_generic_if(ircd_t)
+corenet_udp_sendrecv_generic_if(ircd_t)
+corenet_tcp_sendrecv_generic_node(ircd_t)
+corenet_udp_sendrecv_generic_node(ircd_t)
+corenet_tcp_sendrecv_all_ports(ircd_t)
+corenet_udp_sendrecv_all_ports(ircd_t)
+corenet_tcp_bind_generic_node(ircd_t)
+corenet_tcp_bind_ircd_port(ircd_t)
+corenet_sendrecv_ircd_server_packets(ircd_t)
+
+dev_read_sysfs(ircd_t)
+
+domain_use_interactive_fds(ircd_t)
+
+files_read_etc_files(ircd_t)
+files_read_etc_runtime_files(ircd_t)
+
+fs_getattr_all_fs(ircd_t)
+fs_search_auto_mountpoints(ircd_t)
+
+logging_send_syslog_msg(ircd_t)
+
+miscfiles_read_localization(ircd_t)
+
+sysnet_read_config(ircd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ircd_t)
+userdom_dontaudit_search_user_home_dirs(ircd_t)
+
+optional_policy(`
+ nis_use_ypbind(ircd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ircd_t)
+')
+
+optional_policy(`
+ udev_read_db(ircd_t)
+')
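Review bot: `logging_log_filetrans(ircd_t, ircd_log_t, { file dir })` declares a directory transition, but the only grant on `ircd_log_t` is `manage_files_pattern`, whose `dir` part is `rw_dir_perms` in refpolicy's pattern definitions and does not include `create`, so the `dir` half of that transition cannot succeed. Add `manage_dirs_pattern(ircd_t, ircd_log_t, ircd_log_t)` beside it, or drop `dir` from the transition if ircd never creates a log subdirectory. jabber.te in this series has the same mismatch on its `jabberd_log_t` rules. Also, ircd.if carries only a summary line, so unlike inn and jabber there is no `ircd_admin` interface through which an admin role can manage the etc/log/var_lib/var_run types declared here.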
diff --git a/policy/modules/contrib/irqbalance.fc b/policy/modules/contrib/irqbalance.fc
new file mode 100644
index 00000000..38310757
--- /dev/null
+++ b/policy/modules/contrib/irqbalance.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0)
diff --git a/policy/modules/contrib/irqbalance.if b/policy/modules/contrib/irqbalance.if
new file mode 100644
index 00000000..058fb75c
--- /dev/null
+++ b/policy/modules/contrib/irqbalance.if
@@ -0,0 +1 @@
+## <summary>IRQ balancing daemon</summary>
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
new file mode 100644
index 00000000..9aeeaf93
--- /dev/null
+++ b/policy/modules/contrib/irqbalance.te
@@ -0,0 +1,56 @@
+policy_module(irqbalance, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type irqbalance_t;
+type irqbalance_exec_t;
+init_daemon_domain(irqbalance_t, irqbalance_exec_t)
+
+type irqbalance_var_run_t;
+files_pid_file(irqbalance_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow irqbalance_t self:capability { setpcap net_admin };
+dontaudit irqbalance_t self:capability sys_tty_config;
+allow irqbalance_t self:process { getcap setcap signal_perms };
+allow irqbalance_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
+files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file)
+
+kernel_read_network_state(irqbalance_t)
+kernel_read_system_state(irqbalance_t)
+kernel_read_kernel_sysctls(irqbalance_t)
+kernel_rw_irq_sysctls(irqbalance_t)
+
+dev_read_sysfs(irqbalance_t)
+
+files_read_etc_files(irqbalance_t)
+files_read_etc_runtime_files(irqbalance_t)
+
+fs_getattr_all_fs(irqbalance_t)
+fs_search_auto_mountpoints(irqbalance_t)
+
+domain_use_interactive_fds(irqbalance_t)
+
+logging_send_syslog_msg(irqbalance_t)
+
+miscfiles_read_localization(irqbalance_t)
+
+userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
+userdom_dontaudit_search_user_home_dirs(irqbalance_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(irqbalance_t)
+')
+
+optional_policy(`
+ udev_read_db(irqbalance_t)
+')
diff --git a/policy/modules/contrib/iscsi.fc b/policy/modules/contrib/iscsi.fc
new file mode 100644
index 00000000..14d9670b
--- /dev/null
+++ b/policy/modules/contrib/iscsi.fc
@@ -0,0 +1,7 @@
+/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+
+/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
+/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
+/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
diff --git a/policy/modules/contrib/iscsi.if b/policy/modules/contrib/iscsi.if
new file mode 100644
index 00000000..4cae92ac
--- /dev/null
+++ b/policy/modules/contrib/iscsi.if
@@ -0,0 +1,76 @@
+## <summary>Establish connections to iSCSI devices</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run iscsid.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`iscsid_domtrans',`
+ gen_require(`
+ type iscsid_t, iscsid_exec_t;
+ ')
+
+ domtrans_pattern($1, iscsid_exec_t, iscsid_t)
+')
+
+########################################
+## <summary>
+## Manage iscsid sempaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iscsi_manage_semaphores',`
+ gen_require(`
+ type iscsid_t;
+ ')
+
+ allow $1 iscsid_t:sem create_sem_perms;
+')
+
+########################################
+## <summary>
+## Connect to ISCSI using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iscsi_stream_connect',`
+ gen_require(`
+ type iscsid_t, iscsi_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t)
+')
+
+########################################
+## <summary>
+## Read iscsi lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iscsi_read_lib_files',`
+ gen_require(`
+ type iscsi_var_lib_t;
+ ')
+
+ read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t)
+ allow $1 iscsi_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
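Review bot: `iscsi_stream_connect` calls `files_search_pids($1)`, but the socket directory type it passes to `stream_connect_pattern` is `iscsi_var_lib_t`, which iscsi.fc maps to `/var/lib/iscsi`; the caller therefore needs `files_search_var_lib($1)` to reach the socket, and the pids search looks copied from a /var/run-based module. `iscsid_domtrans` also omits the `corecmd_search_bin($1)` that `inn_domtrans` includes; with iscsid under /sbin the caller may need that search. Minor: the `iscsi_manage_semaphores` summary misspells "semaphores" (`sempaphores`), and the interface prefix is inconsistent, `iscsid_domtrans` against `iscsi_*` for the rest of the file.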
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
new file mode 100644
index 00000000..8bcfa2fe
--- /dev/null
+++ b/policy/modules/contrib/iscsi.te
@@ -0,0 +1,97 @@
+policy_module(iscsi, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type iscsid_t;
+type iscsid_exec_t;
+domain_type(iscsid_t)
+init_daemon_domain(iscsid_t, iscsid_exec_t)
+
+type iscsi_lock_t;
+files_lock_file(iscsi_lock_t)
+
+type iscsi_log_t;
+logging_log_file(iscsi_log_t)
+
+type iscsi_tmp_t;
+files_tmp_file(iscsi_tmp_t)
+
+type iscsi_var_lib_t;
+files_type(iscsi_var_lib_t)
+
+type iscsi_var_run_t;
+files_pid_file(iscsi_var_run_t)
+
+########################################
+#
+# iscsid local policy
+#
+
+allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
+dontaudit iscsid_t self:capability sys_ptrace;
+allow iscsid_t self:process { setrlimit setsched signal };
+allow iscsid_t self:fifo_file rw_fifo_file_perms;
+allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow iscsid_t self:unix_dgram_socket create_socket_perms;
+allow iscsid_t self:sem create_sem_perms;
+allow iscsid_t self:shm create_shm_perms;
+allow iscsid_t self:netlink_socket create_socket_perms;
+allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
+allow iscsid_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(iscsid_t, iscsid_exec_t)
+
+manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
+manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
+files_lock_filetrans(iscsid_t, iscsi_lock_t, { dir file })
+
+manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)
+logging_log_filetrans(iscsid_t, iscsi_log_t, file)
+
+manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } )
+
+allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
+read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+files_search_var_lib(iscsid_t)
+
+manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
+files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+
+kernel_read_network_state(iscsid_t)
+kernel_read_system_state(iscsid_t)
+
+corenet_all_recvfrom_unlabeled(iscsid_t)
+corenet_all_recvfrom_netlabel(iscsid_t)
+corenet_tcp_sendrecv_generic_if(iscsid_t)
+corenet_tcp_sendrecv_generic_node(iscsid_t)
+corenet_tcp_sendrecv_all_ports(iscsid_t)
+corenet_tcp_connect_http_port(iscsid_t)
+corenet_tcp_connect_iscsi_port(iscsid_t)
+corenet_tcp_connect_isns_port(iscsid_t)
+
+dev_rw_sysfs(iscsid_t)
+dev_rw_userio_dev(iscsid_t)
+
+domain_use_interactive_fds(iscsid_t)
+domain_dontaudit_read_all_domains_state(iscsid_t)
+
+files_read_etc_files(iscsid_t)
+
+auth_use_nsswitch(iscsid_t)
+
+init_stream_connect_script(iscsid_t)
+
+logging_send_syslog_msg(iscsid_t)
+
+miscfiles_read_localization(iscsid_t)
+
+optional_policy(`
+ tgtd_manage_semaphores(iscsid_t)
+')
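Review bot: `domain_type(iscsid_t)` directly above `init_daemon_domain(iscsid_t, iscsid_exec_t)` appears redundant, since `init_daemon_domain` already makes its first argument a domain (presumably via `init_domain`; confirm against init.if), and no other module in this series calls it explicitly. The capability set `{ dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }` carries no comment, and `sys_admin` in particular is broad enough that a one-line reason would help the next reviewer judge it. Minor: `{ dir file } )` on the `fs_tmpfs_filetrans` line has a stray space before the closing parenthesis.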
diff --git a/policy/modules/contrib/jabber.fc b/policy/modules/contrib/jabber.fc
new file mode 100644
index 00000000..da6f4b49
--- /dev/null
+++ b/policy/modules/contrib/jabber.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
+
+/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+
+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+
+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
diff --git a/policy/modules/contrib/jabber.if b/policy/modules/contrib/jabber.if
new file mode 100644
index 00000000..98784995
--- /dev/null
+++ b/policy/modules/contrib/jabber.if
@@ -0,0 +1,56 @@
+## <summary>Jabber instant messaging server</summary>
+
+########################################
+## <summary>
+## Connect to jabber over a TCP socket (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jabber_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an jabber environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the jabber domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`jabber_admin',`
+ gen_require(`
+ type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
+ type jabberd_var_run_t, jabberd_initrc_exec_t;
+ ')
+
+ allow $1 jabberd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, jabberd_t)
+
+ init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 jabberd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, jabberd_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, jabberd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, jabberd_var_run_t)
+')
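Review bot: The `jabber_admin` summary reads `an jabber environment`; it should be `## a jabber environment`. The parallel `inn_admin` summary uses the correct article, so only this line needs the fix. No code change is involved.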
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
new file mode 100644
index 00000000..53e53ca3
--- /dev/null
+++ b/policy/modules/contrib/jabber.te
@@ -0,0 +1,94 @@
+policy_module(jabber, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type jabberd_t;
+type jabberd_exec_t;
+init_daemon_domain(jabberd_t, jabberd_exec_t)
+
+type jabberd_initrc_exec_t;
+init_script_file(jabberd_initrc_exec_t)
+
+type jabberd_log_t;
+logging_log_file(jabberd_log_t)
+
+type jabberd_var_lib_t;
+files_type(jabberd_var_lib_t)
+
+type jabberd_var_run_t;
+files_pid_file(jabberd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow jabberd_t self:capability dac_override;
+dontaudit jabberd_t self:capability sys_tty_config;
+allow jabberd_t self:process signal_perms;
+allow jabberd_t self:fifo_file read_fifo_file_perms;
+allow jabberd_t self:tcp_socket create_stream_socket_perms;
+allow jabberd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
+
+manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
+
+manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
+files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+
+kernel_read_kernel_sysctls(jabberd_t)
+kernel_list_proc(jabberd_t)
+kernel_read_proc_symlinks(jabberd_t)
+
+corenet_all_recvfrom_unlabeled(jabberd_t)
+corenet_all_recvfrom_netlabel(jabberd_t)
+corenet_tcp_sendrecv_generic_if(jabberd_t)
+corenet_udp_sendrecv_generic_if(jabberd_t)
+corenet_tcp_sendrecv_generic_node(jabberd_t)
+corenet_udp_sendrecv_generic_node(jabberd_t)
+corenet_tcp_sendrecv_all_ports(jabberd_t)
+corenet_udp_sendrecv_all_ports(jabberd_t)
+corenet_tcp_bind_generic_node(jabberd_t)
+corenet_tcp_bind_jabber_client_port(jabberd_t)
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_t)
+corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
+
+dev_read_sysfs(jabberd_t)
+# For SSL
+dev_read_rand(jabberd_t)
+
+domain_use_interactive_fds(jabberd_t)
+
+files_read_etc_files(jabberd_t)
+files_read_etc_runtime_files(jabberd_t)
+
+fs_getattr_all_fs(jabberd_t)
+fs_search_auto_mountpoints(jabberd_t)
+
+logging_send_syslog_msg(jabberd_t)
+
+miscfiles_read_localization(jabberd_t)
+
+sysnet_read_config(jabberd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+userdom_dontaudit_search_user_home_dirs(jabberd_t)
+
+optional_policy(`
+ nis_use_ypbind(jabberd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(jabberd_t)
+')
+
+optional_policy(`
+ udev_read_db(jabberd_t)
+')
diff --git a/policy/modules/contrib/java.fc b/policy/modules/contrib/java.fc
new file mode 100644
index 00000000..95b1cbcb
--- /dev/null
+++ b/policy/modules/contrib/java.fc
@@ -0,0 +1,38 @@
+#
+# /opt
+#
+/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+#
+# /usr
+#
+/usr/(.*/)?bin/java -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gjarsigner -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gkeytool -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
+')
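Review bot: The MATLAB, eclipse and opera entries label programs that are not a JVM as `java_exec_t` without any comment saying why, so a later maintainer has no way to tell a deliberate choice from a mislabel; a one-line comment above the first such entry, such as `# Non-Java programs that embed a JVM and need the java domain's execmem/execstack handling -- confirm`, would record the intent. Separately, `/usr/(.*/)?bin/java` matches only a file literally named `java`, whereas the /opt and /usr/lib entries use `java[^/]*` and therefore also catch javac, javaws and the like; if the narrower /usr match is intentional, a short comment would stop someone "fixing" it to the wider form.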
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
new file mode 100644
index 00000000..e6d84e86
--- /dev/null
+++ b/policy/modules/contrib/java.if
@@ -0,0 +1,200 @@
+## <summary>Java virtual machine</summary>
+
+########################################
+## <summary>
+## Role access for java
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`java_role',`
+ gen_require(`
+ type java_t, java_exec_t;
+ ')
+
+ role $1 types java_t;
+
+ # The user role is authorized for this domain.
+ domtrans_pattern($2, java_exec_t, java_t)
+ allow java_t $2:process signull;
+ # Unrestricted inheritance from the caller.
+ allow $2 java_t:process { noatsecure siginh rlimitinh };
+
+ allow java_t $2:unix_stream_socket connectto;
+ allow java_t $2:unix_stream_socket { read write };
+ allow java_t $2:tcp_socket { read write };
+')
+
+#######################################
+## <summary>
+## The role template for the java module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`java_role_template',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ type $1_java_t;
+ domain_type($1_java_t)
+ domain_entry_file($1_java_t, java_exec_t)
+ role $2 types $1_java_t;
+
+ domain_interactive_fd($1_java_t)
+
+ userdom_manage_user_tmpfs_files($1_java_t)
+
+ allow $1_java_t self:process { ptrace signal getsched execmem execstack };
+
+ dontaudit $1_java_t $3:tcp_socket { read write };
+
+ allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };
+
+ domtrans_pattern($3, java_exec_t, $1_java_t)
+
+ corecmd_bin_domtrans($1_java_t, $3)
+
+ dev_dontaudit_append_rand($1_java_t)
+
+ files_execmod_all_files($1_java_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_java_t)
+
+ optional_policy(`
+ xserver_role($2, $1_java_t)
+ ')
+')
+
+########################################
+## <summary>
+## Run java in javaplugin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+template(`java_domtrans',`
+ gen_require(`
+ type java_t, java_exec_t;
+ ')
+
+ domtrans_pattern($1, java_exec_t, java_t)
+')
+
+########################################
+## <summary>
+## Execute java in the java domain, and
+## allow the specified role the java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`java_run',`
+ gen_require(`
+ type java_t;
+ ')
+
+ java_domtrans($1)
+ role $2 types java_t;
+')
+
+########################################
+## <summary>
+## Execute the java program in the unconfined java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`java_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_java_t, java_exec_t;
+ ')
+
+ domtrans_pattern($1, java_exec_t, unconfined_java_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute the java program in the unconfined java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`java_run_unconfined',`
+ gen_require(`
+ type unconfined_java_t;
+ ')
+
+ java_domtrans_unconfined($1)
+ role $2 types unconfined_java_t;
+')
+
+########################################
+## <summary>
+## Execute the java program in the java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`java_exec',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ can_exec($1, java_exec_t)
+')
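Review bot: `java_role_template` grants the derived `$1_java_t` domains `execstack` unconditionally at L144238 (`allow $1_java_t self:process { ptrace signal getsched execmem execstack };`), while the main `java_t` domain in java.te only receives `execstack` under the `allow_java_execstack` tunable; if the derived domains are meant to follow the same policy, `execstack` should move out of that line into a `tunable_policy(`allow_java_execstack',` ... `')` block inside the template so the tunable actually governs all java domains. Separately, `java_domtrans` is declared with `template(` although it takes a single domain argument and declares no derived types — every other domain transition in this file is an `interface(` — and unlike `java_domtrans_unconfined` it does not call `corecmd_search_bin($1)`, so callers can transition but may fail the directory search; `interface(`java_domtrans',` with `corecmd_search_bin($1)` added would make the pair consistent. The summary of `java_run_unconfined` is a copy of `java_domtrans_unconfined`'s and omits the role it assigns; `java_run` shows the wording to mirror.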
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
new file mode 100644
index 00000000..bce6b381
--- /dev/null
+++ b/policy/modules/contrib/java.te
@@ -0,0 +1,153 @@
+policy_module(java, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow java executable stack
+## </p>
+## </desc>
+gen_tunable(allow_java_execstack, false)
+
+type java_t;
+type java_exec_t;
+userdom_user_application_domain(java_t, java_exec_t)
+typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
+typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
+role system_r types java_t;
+
+type java_tmp_t;
+userdom_user_tmp_file(java_tmp_t)
+typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
+typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
+
+type java_tmpfs_t;
+userdom_user_tmpfs_file(java_tmpfs_t)
+typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
+typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
+
+type unconfined_java_t;
+init_system_domain(unconfined_java_t, java_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow java_t self:process { signal_perms getsched setsched execmem };
+allow java_t self:fifo_file rw_fifo_file_perms;
+allow java_t self:tcp_socket create_socket_perms;
+allow java_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t)
+manage_files_pattern(java_t, java_tmp_t, java_tmp_t)
+files_tmp_filetrans(java_t, java_tmp_t, { file dir })
+
+manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(java_t, java_exec_t)
+
+kernel_read_all_sysctls(java_t)
+kernel_search_vm_sysctl(java_t)
+kernel_read_network_state(java_t)
+kernel_read_system_state(java_t)
+
+# Search bin directory under java for java executable
+corecmd_search_bin(java_t)
+
+corenet_all_recvfrom_unlabeled(java_t)
+corenet_all_recvfrom_netlabel(java_t)
+corenet_tcp_sendrecv_generic_if(java_t)
+corenet_udp_sendrecv_generic_if(java_t)
+corenet_tcp_sendrecv_generic_node(java_t)
+corenet_udp_sendrecv_generic_node(java_t)
+corenet_tcp_sendrecv_all_ports(java_t)
+corenet_udp_sendrecv_all_ports(java_t)
+corenet_tcp_connect_all_ports(java_t)
+corenet_sendrecv_all_client_packets(java_t)
+
+dev_read_sound(java_t)
+dev_write_sound(java_t)
+dev_read_urand(java_t)
+dev_read_rand(java_t)
+dev_dontaudit_append_rand(java_t)
+
+files_read_usr_files(java_t)
+files_search_home(java_t)
+files_search_var_lib(java_t)
+files_read_etc_runtime_files(java_t)
+# Read global fonts and font config
+files_read_etc_files(java_t)
+
+fs_getattr_xattr_fs(java_t)
+fs_dontaudit_rw_tmpfs_files(java_t)
+
+logging_send_syslog_msg(java_t)
+
+miscfiles_read_localization(java_t)
+# Read global fonts and font config
+miscfiles_read_fonts(java_t)
+
+sysnet_read_config(java_t)
+
+userdom_dontaudit_use_user_terminals(java_t)
+userdom_dontaudit_setattr_user_home_content_files(java_t)
+userdom_dontaudit_exec_user_home_content_files(java_t)
+userdom_manage_user_home_content_dirs(java_t)
+userdom_manage_user_home_content_files(java_t)
+userdom_manage_user_home_content_symlinks(java_t)
+userdom_manage_user_home_content_pipes(java_t)
+userdom_manage_user_home_content_sockets(java_t)
+userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file })
+userdom_write_user_tmp_sockets(java_t)
+
+tunable_policy(`allow_java_execstack',`
+ allow java_t self:process execstack;
+
+ allow java_t java_tmp_t:file execute;
+
+ libs_legacy_use_shared_libs(java_t)
+ libs_legacy_use_ld_so(java_t)
+
+ miscfiles_legacy_read_localization(java_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(java_t)
+')
+
+optional_policy(`
+ nscd_socket_use(java_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
+')
+
+########################################
+#
+# Unconfined java local policy
+#
+
+optional_policy(`
+ # execheap is needed for itanium/BEA jrocket
+ allow unconfined_java_t self:process { execstack execmem execheap };
+
+ files_execmod_all_files(unconfined_java_t)
+
+ init_dbus_chat_script(unconfined_java_t)
+
+ unconfined_domain_noaudit(unconfined_java_t)
+ unconfined_dbus_chat(unconfined_java_t)
+
+ optional_policy(`
+ rpm_domtrans(unconfined_java_t)
+ ')
+')
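Review bot: The `allow_java_execstack` tunable description at L144375-L144379 says only "Allow java executable stack", but the block it gates at L144478-L144487 also lets `java_t` execute files in `java_tmp_t` and use the legacy (non-PIC) shared library and ld.so interfaces, which is a larger grant than the description admits; widen it to something like `## Allow java an executable stack, execution of files in its temporary directory, and use of legacy (non-PIC) libraries`. The comment `# Read global fonts and font config` appears twice — above `files_read_etc_files(java_t)` at L144453 and again above `miscfiles_read_fonts(java_t)` at L144462 — and the first one looks misplaced. The tmp aliases at L144392 mix two naming patterns (`auditadm_tmp_javaplugin_t` next to `secadm_javaplugin_tmp_t`, and the tmpfs line uses `auditadm_tmpfs_javaplugin_t`); if these are not deliberate compatibility aliases carried over from older policy, the odd one out is probably a typo and should be confirmed before it becomes something other policy depends on.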
diff --git a/policy/modules/contrib/kdump.fc b/policy/modules/contrib/kdump.fc
new file mode 100644
index 00000000..c66934fb
--- /dev/null
+++ b/policy/modules/contrib/kdump.fc
@@ -0,0 +1,5 @@
+/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
+/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+
+/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
diff --git a/policy/modules/contrib/kdump.if b/policy/modules/contrib/kdump.if
new file mode 100644
index 00000000..4198ff5f
--- /dev/null
+++ b/policy/modules/contrib/kdump.if
@@ -0,0 +1,111 @@
+## <summary>Kernel crash dumping mechanism</summary>
+
+######################################
+## <summary>
+## Execute kdump in the kdump domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kdump_domtrans',`
+ gen_require(`
+ type kdump_t, kdump_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kdump_exec_t, kdump_t)
+')
+
+#######################################
+## <summary>
+## Execute kdump in the kdump domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kdump_initrc_domtrans',`
+ gen_require(`
+ type kdump_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+')
+
+#####################################
+## <summary>
+## Read kdump configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdump_read_config',`
+ gen_require(`
+ type kdump_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 kdump_etc_t:file read_file_perms;
+')
+
+####################################
+## <summary>
+## Manage kdump configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdump_manage_config',`
+ gen_require(`
+ type kdump_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 kdump_etc_t:file manage_file_perms;
+')
+
+######################################
+## <summary>
+## All of the rules required to administrate
+## an kdump environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the kdump domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kdump_admin',`
+ gen_require(`
+ type kdump_t, kdump_etc_t;
+ type kdump_initrc_exec_t;
+ ')
+
+ allow $1 kdump_t:process { ptrace signal_perms };
+ ps_process_pattern($1, kdump_t)
+
+ init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 kdump_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, kdump_etc_t)
+')
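Review bot: `kdump_initrc_domtrans` reuses the summary of `kdump_domtrans` ("Execute kdump in the kdump domain.") at L144561, but what it does is `init_labeled_script_domtrans($1, kdump_initrc_exec_t)`, i.e. run the kdump init script in the init script domain, so the documentation is wrong for this interface; `## Execute kdump init scripts in the initrc domain.` describes it. The `kdump_admin` summary at L144617-L144618 reads "an kdump environment" and should be "a kdump environment".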
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
new file mode 100644
index 00000000..b29d8e20
--- /dev/null
+++ b/policy/modules/contrib/kdump.te
@@ -0,0 +1,38 @@
+policy_module(kdump, 1.2.0)
+
+#######################################
+#
+# Declarations
+#
+
+type kdump_t;
+type kdump_exec_t;
+init_system_domain(kdump_t, kdump_exec_t)
+
+type kdump_etc_t;
+files_config_file(kdump_etc_t)
+
+type kdump_initrc_exec_t;
+init_script_file(kdump_initrc_exec_t)
+
+#####################################
+#
+# kdump local policy
+#
+
+allow kdump_t self:capability { sys_boot dac_override };
+
+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
+
+files_read_etc_runtime_files(kdump_t)
+files_read_kernel_img(kdump_t)
+
+kernel_read_system_state(kdump_t)
+kernel_read_core_if(kdump_t)
+kernel_read_debugfs(kdump_t)
+kernel_request_load_module(kdump_t)
+
+dev_read_framebuffer(kdump_t)
+dev_read_sysfs(kdump_t)
+
+term_use_console(kdump_t)
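Review bot: The capability line `allow kdump_t self:capability { sys_boot dac_override };` at L144677 is the most privileged rule in the file and carries no comment; sys_boot is what kexec_load() requires, so `# sys_boot: kexec_load() of the crash kernel` would record the intent, and dac_override deserves its own why-comment (presumably for reading the kernel image or dump target regardless of file ownership — confirm). `kernel_request_load_module(kdump_t)` and `dev_read_framebuffer(kdump_t)` are likewise unexplained; a one-line comment each, in the style kdumpgui.te already uses (`# for blkid.tab`), would let a later reviewer judge whether they are still needed.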
diff --git a/policy/modules/contrib/kdumpgui.fc b/policy/modules/contrib/kdumpgui.fc
new file mode 100644
index 00000000..250679cd
--- /dev/null
+++ b/policy/modules/contrib/kdumpgui.fc
@@ -0,0 +1 @@
+/usr/share/system-config-kdump/system-config-kdump-backend\.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
diff --git a/policy/modules/contrib/kdumpgui.if b/policy/modules/contrib/kdumpgui.if
new file mode 100644
index 00000000..d6af9b08
--- /dev/null
+++ b/policy/modules/contrib/kdumpgui.if
@@ -0,0 +1,2 @@
+## <summary>system-config-kdump GUI</summary>
+
diff --git a/policy/modules/contrib/kdumpgui.te b/policy/modules/contrib/kdumpgui.te
new file mode 100644
index 00000000..0c52f607
--- /dev/null
+++ b/policy/modules/contrib/kdumpgui.te
@@ -0,0 +1,65 @@
+policy_module(kdumpgui, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type kdumpgui_t;
+type kdumpgui_exec_t;
+dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
+
+######################################
+#
+# system-config-kdump local policy
+#
+
+allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
+allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
+allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_system_state(kdumpgui_t)
+kernel_read_network_state(kdumpgui_t)
+
+corecmd_exec_bin(kdumpgui_t)
+corecmd_exec_shell(kdumpgui_t)
+
+dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
+dev_read_sysfs(kdumpgui_t)
+
+files_manage_boot_files(kdumpgui_t)
+files_manage_boot_symlinks(kdumpgui_t)
+# Needed for running chkconfig
+files_manage_etc_symlinks(kdumpgui_t)
+# for blkid.tab
+files_manage_etc_runtime_files(kdumpgui_t)
+files_etc_filetrans_etc_runtime(kdumpgui_t, file)
+files_read_usr_files(kdumpgui_t)
+
+storage_raw_read_fixed_disk(kdumpgui_t)
+storage_raw_write_fixed_disk(kdumpgui_t)
+
+auth_use_nsswitch(kdumpgui_t)
+
+logging_send_syslog_msg(kdumpgui_t)
+
+miscfiles_read_localization(kdumpgui_t)
+
+init_dontaudit_read_all_script_files(kdumpgui_t)
+
+optional_policy(`
+ consoletype_exec(kdumpgui_t)
+')
+
+optional_policy(`
+ dev_rw_lvm_control(kdumpgui_t)
+')
+
+optional_policy(`
+ kdump_manage_config(kdumpgui_t)
+ kdump_initrc_domtrans(kdumpgui_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(kdumpgui_t)
+')
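Review bot: The most privileged rules in this file — `allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };` at L144730 and the `storage_raw_read_fixed_disk`/`storage_raw_write_fixed_disk` pair at L144752-L144753 — have no why-comment, while the far less consequential `files_manage_etc_symlinks` and `files_manage_etc_runtime_files` lines do (`# Needed for running chkconfig`, `# for blkid.tab`). Raw write access to fixed disks is a large grant for a configuration GUI backend; a comment naming what it is used for (presumably probing or preparing the dump target device — confirm) would let a later reviewer decide whether read access alone suffices. Also, `dev_rw_lvm_control` is an interface of the kernel-layer devices module, which is always present, so the `optional_policy(` wrapper around it at L144767-L144769 is unnecessary, unlike the consoletype, kdump and policykit ones.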
diff --git a/policy/modules/contrib/kerberos.fc b/policy/modules/contrib/kerberos.fc
new file mode 100644
index 00000000..3525d248
--- /dev/null
+++ b/policy/modules/contrib/kerberos.fc
@@ -0,0 +1,33 @@
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+
+/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
+/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0)
+
+/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+
+/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+
+/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+
+/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
+
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
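Review bot: `/etc/krb5\.keytab` at L144789 has no `--` file-class marker while both `kadm5\.keytab` entries at L144792 and L144810 do; a keytab is a regular file, so `/etc/krb5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)` keeps the spec from also matching a directory or symlink of that name and makes the three keytab entries consistent. The log entries `/var/log/krb5kdc\.log` and `/var/log/kadmin(d)?\.log` at L144814-L144815 are single files as well and could take the same marker, unless the omission is deliberate.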
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
new file mode 100644
index 00000000..604f67bf
--- /dev/null
+++ b/policy/modules/contrib/kerberos.if
@@ -0,0 +1,380 @@
+## <summary>MIT Kerberos admin and KDC</summary>
+## <desc>
+## <p>
+## This policy supports:
+## </p>
+## <p>
+## Servers:
+## <ul>
+## <li>kadmind</li>
+## <li>krb5kdc</li>
+## </ul>
+## </p>
+## <p>
+## Clients:
+## <ul>
+## <li>kinit</li>
+## <li>kdestroy</li>
+## <li>klist</li>
+## <li>ksu (incomplete)</li>
+## </ul>
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute kadmind in the current domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_exec_kadmind',`
+ gen_require(`
+ type kadmind_exec_t;
+ ')
+
+ can_exec($1, kadmind_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run kpropd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kerberos_domtrans_kpropd',`
+ gen_require(`
+ type kpropd_t, kpropd_exec_t;
+ ')
+
+ domtrans_pattern($1, kpropd_exec_t, kpropd_t)
+')
+
+########################################
+## <summary>
+## Use kerberos services
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_use',`
+ gen_require(`
+ type krb5_conf_t, krb5kdc_conf_t;
+ type krb5_host_rcache_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, krb5_conf_t, krb5_conf_t)
+ dontaudit $1 krb5_conf_t:file write;
+ dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
+ dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
+
+ #kerberos libraries are attempting to set the correct file context
+ dontaudit $1 self:process setfscreate;
+ selinux_dontaudit_validate_context($1)
+ seutil_dontaudit_read_file_contexts($1)
+
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:tcp_socket create_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_kerberos_port($1)
+ corenet_udp_sendrecv_kerberos_port($1)
+ corenet_tcp_bind_generic_node($1)
+ corenet_udp_bind_generic_node($1)
+ corenet_tcp_connect_kerberos_port($1)
+ corenet_tcp_connect_ocsp_port($1)
+ corenet_sendrecv_kerberos_client_packets($1)
+ corenet_sendrecv_ocsp_client_packets($1)
+
+ allow $1 krb5_host_rcache_t:file getattr;
+ ')
+
+ optional_policy(`
+ tunable_policy(`allow_kerberos',`
+ pcscd_stream_connect($1)
+ ')
+ ')
+
+ optional_policy(`
+ sssd_read_public_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read the kerberos configuration file (/etc/krb5.conf).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_read_config',`
+ gen_require(`
+ type krb5_conf_t, krb5_home_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_conf_t:file read_file_perms;
+ allow $1 krb5_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write the kerberos
+## configuration file (/etc/krb5.conf).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kerberos_dontaudit_write_config',`
+ gen_require(`
+ type krb5_conf_t;
+ ')
+
+ dontaudit $1 krb5_conf_t:file write;
+')
+
+########################################
+## <summary>
+## Read and write the kerberos configuration file (/etc/krb5.conf).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_rw_config',`
+ gen_require(`
+ type krb5_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_conf_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read the kerberos key table.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_read_keytab',`
+ gen_require(`
+ type krb5_keytab_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_keytab_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read/Write the kerberos key table.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_rw_keytab',`
+ gen_require(`
+ type krb5_keytab_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_keytab_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Create a derived type for kerberos keytab
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`kerberos_keytab_template',`
+ type $1_keytab_t;
+ files_type($1_keytab_t)
+
+ allow $2 $1_keytab_t:file read_file_perms;
+
+ kerberos_read_keytab($2)
+ kerberos_use($2)
+')
+
+########################################
+## <summary>
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_read_kdc_config',`
+ gen_require(`
+ type krb5kdc_conf_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+')
+
+########################################
+## <summary>
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_manage_host_rcache',`
+ gen_require(`
+ type krb5_host_rcache_t;
+ ')
+
+ # creates files as system_u no matter what the selinux user
+ # cjp: should be in the below tunable but typeattribute
+ # does not work in conditionals
+ domain_obj_id_change_exemption($1)
+
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:process setfscreate;
+
+ selinux_validate_context($1)
+
+ seutil_read_file_contexts($1)
+
+ allow $1 krb5_host_rcache_t:file manage_file_perms;
+ files_search_tmp($1)
+ ')
+')
+
+########################################
+## <summary>
+## Connect to krb524 service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_connect_524',`
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_kerberos_master_port($1)
+ corenet_sendrecv_kerberos_master_client_packets($1)
+ ')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an kerberos environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the kerberos domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_admin',`
+ gen_require(`
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t, krb5kdc_tmp_t;
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
+ type kpropd_t;
+ ')
+
+ allow $1 kadmind_t:process { ptrace signal_perms };
+ ps_process_pattern($1, kadmind_t)
+
+ allow $1 krb5kdc_t:process { ptrace signal_perms };
+ ps_process_pattern($1, krb5kdc_t)
+
+ allow $1 kpropd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, kpropd_t)
+
+ init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 kerberos_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, kadmind_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, kadmind_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, kadmind_var_run_t)
+
+ admin_pattern($1, krb5_conf_t)
+
+ admin_pattern($1, krb5_host_rcache_t)
+
+ admin_pattern($1, krb5_keytab_t)
+
+ admin_pattern($1, krb5kdc_principal_t)
+
+ admin_pattern($1, krb5kdc_tmp_t)
+
+ admin_pattern($1, krb5kdc_var_run_t)
+')
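Review bot: `kerberos_admin` lists `krb5kdc_conf_t` in its gen_require at L145163 but never uses it — there is no `admin_pattern($1, krb5kdc_conf_t)` among the admin_pattern lines — so a role granted this interface still cannot manage /etc/krb5kdc or /var/kerberos/krb5kdc; `krb5kdc_log_t` and `krb5kdc_lock_t`, both declared in kerberos.te, are likewise not covered. Adding `admin_pattern($1, krb5kdc_conf_t)` and, with the requires extended accordingly, `admin_pattern($1, krb5kdc_log_t)` would close the gap. Separately, the summary of `kerberos_manage_host_rcache` at L145089 is a copy of `kerberos_read_kdc_config`'s ("Read the kerberos kdc configuration file (/etc/krb5kdc.conf).") and does not describe the interface; `## Create, read, write, and delete the kerberos host replay cache.` does, and whether the copied `<rolecap/>` tag was meant to come along should be confirmed.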
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
new file mode 100644
index 00000000..8edc29b6
--- /dev/null
+++ b/policy/modules/contrib/kerberos.te
@@ -0,0 +1,325 @@
+policy_module(kerberos, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow confined applications to run with kerberos.
+## </p>
+## </desc>
+gen_tunable(allow_kerberos, false)
+
+type kadmind_t;
+type kadmind_exec_t;
+init_daemon_domain(kadmind_t, kadmind_exec_t)
+domain_obj_id_change_exemption(kadmind_t)
+
+type kadmind_log_t;
+logging_log_file(kadmind_log_t)
+
+type kadmind_tmp_t;
+files_tmp_file(kadmind_tmp_t)
+
+type kadmind_var_run_t;
+files_pid_file(kadmind_var_run_t)
+
+type kerberos_initrc_exec_t;
+init_script_file(kerberos_initrc_exec_t)
+
+type kpropd_t;
+type kpropd_exec_t;
+init_daemon_domain(kpropd_t, kpropd_exec_t)
+domain_obj_id_change_exemption(kpropd_t)
+
+type krb5_conf_t;
+files_type(krb5_conf_t)
+
+type krb5_home_t;
+userdom_user_home_content(krb5_home_t)
+
+type krb5_host_rcache_t;
+files_tmp_file(krb5_host_rcache_t)
+
+# types for general configuration files in /etc
+type krb5_keytab_t;
+files_security_file(krb5_keytab_t)
+
+# types for KDC configs and principal file(s)
+type krb5kdc_conf_t;
+files_type(krb5kdc_conf_t)
+
+type krb5kdc_lock_t;
+files_type(krb5kdc_lock_t)
+
+# types for KDC principal file(s)
+type krb5kdc_principal_t;
+files_type(krb5kdc_principal_t)
+
+type krb5kdc_t;
+type krb5kdc_exec_t;
+init_daemon_domain(krb5kdc_t, krb5kdc_exec_t)
+domain_obj_id_change_exemption(krb5kdc_t)
+
+type krb5kdc_log_t;
+logging_log_file(krb5kdc_log_t)
+
+type krb5kdc_tmp_t;
+files_tmp_file(krb5kdc_tmp_t)
+
+type krb5kdc_var_run_t;
+files_pid_file(krb5kdc_var_run_t)
+
+########################################
+#
+# kadmind local policy
+#
+
+# Use capabilities. Surplus capabilities may be allowed.
+allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
+dontaudit kadmind_t self:capability sys_tty_config;
+allow kadmind_t self:process { setfscreate signal_perms };
+allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
+allow kadmind_t self:unix_dgram_socket { connect create write };
+allow kadmind_t self:tcp_socket connected_stream_socket_perms;
+allow kadmind_t self:udp_socket create_socket_perms;
+
+allow kadmind_t kadmind_log_t:file manage_file_perms;
+logging_log_filetrans(kadmind_t, kadmind_log_t, file)
+
+allow kadmind_t krb5_conf_t:file read_file_perms;
+dontaudit kadmind_t krb5_conf_t:file write;
+
+read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
+dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
+
+allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
+
+allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
+filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
+
+can_exec(kadmind_t, kadmind_exec_t)
+
+manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
+manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
+files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
+
+manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
+files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
+
+kernel_read_kernel_sysctls(kadmind_t)
+kernel_list_proc(kadmind_t)
+kernel_read_network_state(kadmind_t)
+kernel_read_proc_symlinks(kadmind_t)
+kernel_read_system_state(kadmind_t)
+
+corenet_all_recvfrom_unlabeled(kadmind_t)
+corenet_all_recvfrom_netlabel(kadmind_t)
+corenet_tcp_sendrecv_generic_if(kadmind_t)
+corenet_udp_sendrecv_generic_if(kadmind_t)
+corenet_tcp_sendrecv_generic_node(kadmind_t)
+corenet_udp_sendrecv_generic_node(kadmind_t)
+corenet_tcp_sendrecv_all_ports(kadmind_t)
+corenet_udp_sendrecv_all_ports(kadmind_t)
+corenet_tcp_bind_generic_node(kadmind_t)
+corenet_udp_bind_generic_node(kadmind_t)
+corenet_tcp_bind_kerberos_admin_port(kadmind_t)
+corenet_udp_bind_kerberos_admin_port(kadmind_t)
+corenet_tcp_bind_reserved_port(kadmind_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
+corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
+
+dev_read_sysfs(kadmind_t)
+dev_read_rand(kadmind_t)
+dev_read_urand(kadmind_t)
+
+fs_getattr_all_fs(kadmind_t)
+fs_search_auto_mountpoints(kadmind_t)
+
+domain_use_interactive_fds(kadmind_t)
+
+files_read_etc_files(kadmind_t)
+files_read_usr_symlinks(kadmind_t)
+files_read_usr_files(kadmind_t)
+files_read_var_files(kadmind_t)
+
+selinux_validate_context(kadmind_t)
+
+logging_send_syslog_msg(kadmind_t)
+
+miscfiles_read_localization(kadmind_t)
+
+seutil_read_file_contexts(kadmind_t)
+
+sysnet_read_config(kadmind_t)
+sysnet_use_ldap(kadmind_t)
+
+userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
+userdom_dontaudit_search_user_home_dirs(kadmind_t)
+
+optional_policy(`
+ nis_use_ypbind(kadmind_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(kadmind_t)
+')
+
+optional_policy(`
+ udev_read_db(kadmind_t)
+')
+
+########################################
+#
+# Krb5kdc local policy
+#
+
+# Use capabilities. Surplus capabilities may be allowed.
+allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
+dontaudit krb5kdc_t self:capability sys_tty_config;
+allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
+allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
+allow krb5kdc_t self:udp_socket create_socket_perms;
+allow krb5kdc_t self:fifo_file rw_fifo_file_perms;
+
+allow krb5kdc_t krb5_conf_t:file read_file_perms;
+dontaudit krb5kdc_t krb5_conf_t:file write;
+
+can_exec(krb5kdc_t, krb5kdc_exec_t)
+
+read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
+dontaudit krb5kdc_t krb5kdc_conf_t:file write;
+
+allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
+
+allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
+logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
+
+allow krb5kdc_t krb5kdc_principal_t:file read_file_perms;
+dontaudit krb5kdc_t krb5kdc_principal_t:file write;
+
+manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
+
+manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
+
+kernel_read_system_state(krb5kdc_t)
+kernel_read_kernel_sysctls(krb5kdc_t)
+kernel_list_proc(krb5kdc_t)
+kernel_read_proc_symlinks(krb5kdc_t)
+kernel_read_network_state(krb5kdc_t)
+kernel_search_network_sysctl(krb5kdc_t)
+
+corecmd_exec_bin(krb5kdc_t)
+
+corenet_all_recvfrom_unlabeled(krb5kdc_t)
+corenet_all_recvfrom_netlabel(krb5kdc_t)
+corenet_tcp_sendrecv_generic_if(krb5kdc_t)
+corenet_udp_sendrecv_generic_if(krb5kdc_t)
+corenet_tcp_sendrecv_generic_node(krb5kdc_t)
+corenet_udp_sendrecv_generic_node(krb5kdc_t)
+corenet_tcp_sendrecv_all_ports(krb5kdc_t)
+corenet_udp_sendrecv_all_ports(krb5kdc_t)
+corenet_tcp_bind_generic_node(krb5kdc_t)
+corenet_udp_bind_generic_node(krb5kdc_t)
+corenet_tcp_bind_kerberos_port(krb5kdc_t)
+corenet_udp_bind_kerberos_port(krb5kdc_t)
+corenet_tcp_connect_ocsp_port(krb5kdc_t)
+corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
+corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
+
+dev_read_sysfs(krb5kdc_t)
+dev_read_urand(krb5kdc_t)
+
+fs_getattr_all_fs(krb5kdc_t)
+fs_search_auto_mountpoints(krb5kdc_t)
+
+domain_use_interactive_fds(krb5kdc_t)
+
+files_read_etc_files(krb5kdc_t)
+files_read_usr_symlinks(krb5kdc_t)
+files_read_var_files(krb5kdc_t)
+
+selinux_validate_context(krb5kdc_t)
+
+logging_send_syslog_msg(krb5kdc_t)
+
+miscfiles_read_localization(krb5kdc_t)
+
+seutil_read_file_contexts(krb5kdc_t)
+
+sysnet_read_config(krb5kdc_t)
+sysnet_use_ldap(krb5kdc_t)
+
+userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
+userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
+
+optional_policy(`
+ nis_use_ypbind(krb5kdc_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(krb5kdc_t)
+')
+
+optional_policy(`
+ udev_read_db(krb5kdc_t)
+')
+
+########################################
+#
+# kpropd local policy
+#
+
+allow kpropd_t self:capability net_bind_service;
+allow kpropd_t self:process setfscreate;
+
+allow kpropd_t self:fifo_file rw_file_perms;
+allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
+allow kpropd_t self:tcp_socket create_stream_socket_perms;
+
+allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
+
+allow kpropd_t krb5_keytab_t:file read_file_perms;
+
+read_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_conf_t)
+
+manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
+filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
+
+manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
+
+manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+
+corecmd_exec_bin(kpropd_t)
+
+corenet_all_recvfrom_unlabeled(kpropd_t)
+corenet_tcp_sendrecv_generic_if(kpropd_t)
+corenet_tcp_sendrecv_generic_node(kpropd_t)
+corenet_tcp_sendrecv_all_ports(kpropd_t)
+corenet_tcp_bind_generic_node(kpropd_t)
+corenet_tcp_bind_kprop_port(kpropd_t)
+
+dev_read_urand(kpropd_t)
+
+files_read_etc_files(kpropd_t)
+files_search_tmp(kpropd_t)
+
+selinux_validate_context(kpropd_t)
+
+logging_send_syslog_msg(kpropd_t)
+
+miscfiles_read_localization(kpropd_t)
+
+seutil_read_file_contexts(kpropd_t)
+
+sysnet_dns_name_resolve(kpropd_t)
+
+kerberos_use(kpropd_t)
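Review bot: The comment `# types for general configuration files in /etc` sits above `krb5_keytab_t`, which is declared with `files_security_file()`, while the actual general config type `krb5_conf_t` is declared a few lines earlier with a plain `files_type()`; a reader skimming the declarations will get the sensitivity of the keytab backwards. Suggest replacing it with `# keytab holds long-term service keys; treat as a security file` and, if wanted, a `# general client configuration (/etc/krb5.conf)` line above `krb5_conf_t`. Separately, `gen_tunable(allow_kerberos, false)` is declared here but never referenced in this file; presumably it is consumed by `kerberos_use` in kerberos.if, which is worth stating in a one-line comment next to the tunable so the boolean is not mistaken for dead declaration.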
diff --git a/policy/modules/contrib/kerneloops.fc b/policy/modules/contrib/kerneloops.fc
new file mode 100644
index 00000000..5ef261a3
--- /dev/null
+++ b/policy/modules/contrib/kerneloops.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0)
+
+/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
diff --git a/policy/modules/contrib/kerneloops.if b/policy/modules/contrib/kerneloops.if
new file mode 100644
index 00000000..835b16b0
--- /dev/null
+++ b/policy/modules/contrib/kerneloops.if
@@ -0,0 +1,115 @@
+## <summary>Service for reporting kernel oopses to kerneloops.org</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run kerneloops.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kerneloops_domtrans',`
+ gen_require(`
+ type kerneloops_t;
+ type kerneloops_exec_t;
+ ')
+
+ domtrans_pattern($1, kerneloops_exec_t, kerneloops_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## kerneloops over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerneloops_dbus_chat',`
+ gen_require(`
+ type kerneloops_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 kerneloops_t:dbus send_msg;
+ allow kerneloops_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## dontaudit attempts to Send and receive messages from
+## kerneloops over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kerneloops_dontaudit_dbus_chat',`
+ gen_require(`
+ type kerneloops_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 kerneloops_t:dbus send_msg;
+ dontaudit kerneloops_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Allow domain to manage kerneloops tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerneloops_manage_tmp_files',`
+ gen_require(`
+ type kerneloops_tmp_t;
+ ')
+
+ manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an kerneloops environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the kerneloops domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerneloops_admin',`
+ gen_require(`
+ type kerneloops_t, kerneloops_initrc_exec_t;
+ type kerneloops_tmp_t;
+ ')
+
+ allow $1 kerneloops_t:process { ptrace signal_perms };
+ ps_process_pattern($1, kerneloops_t)
+
+ init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 kerneloops_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, kerneloops_tmp_t)
+')
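Review bot: `kerneloops_admin` grants `admin_pattern($1, kerneloops_tmp_t)` without letting the caller reach /tmp, unlike `kerneloops_manage_tmp_files` in the same file, which pairs the tmp rule with `files_search_tmp($1)`, and unlike the kerberos admin interface in this commit, which precedes its tmp `admin_pattern` with `files_list_tmp($1)`. Without the search/list rule the admin role can be denied on the parent directory before it ever reaches the labeled files. Suggest adding `files_list_tmp($1)` immediately before the `admin_pattern($1, kerneloops_tmp_t)` line.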
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te
new file mode 100644
index 00000000..6b355479
--- /dev/null
+++ b/policy/modules/contrib/kerneloops.te
@@ -0,0 +1,54 @@
+policy_module(kerneloops, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type kerneloops_t;
+type kerneloops_exec_t;
+init_daemon_domain(kerneloops_t, kerneloops_exec_t)
+
+type kerneloops_initrc_exec_t;
+init_script_file(kerneloops_initrc_exec_t)
+
+type kerneloops_tmp_t;
+files_tmp_file(kerneloops_tmp_t)
+
+########################################
+#
+# kerneloops local policy
+#
+
+allow kerneloops_t self:capability sys_nice;
+allow kerneloops_t self:process { getcap setcap setsched getsched signal };
+allow kerneloops_t self:fifo_file rw_file_perms;
+
+manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
+files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
+
+kernel_read_ring_buffer(kerneloops_t)
+
+# Init script handling
+domain_use_interactive_fds(kerneloops_t)
+
+corenet_all_recvfrom_unlabeled(kerneloops_t)
+corenet_all_recvfrom_netlabel(kerneloops_t)
+corenet_tcp_sendrecv_generic_if(kerneloops_t)
+corenet_tcp_sendrecv_generic_node(kerneloops_t)
+corenet_tcp_sendrecv_all_ports(kerneloops_t)
+corenet_tcp_bind_http_port(kerneloops_t)
+corenet_tcp_connect_http_port(kerneloops_t)
+
+files_read_etc_files(kerneloops_t)
+
+auth_use_nsswitch(kerneloops_t)
+
+logging_send_syslog_msg(kerneloops_t)
+logging_read_generic_logs(kerneloops_t)
+
+miscfiles_read_localization(kerneloops_t)
+
+optional_policy(`
+ dbus_system_domain(kerneloops_t, kerneloops_exec_t)
+')
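Review bot: `corenet_tcp_bind_http_port(kerneloops_t)` grants a daemon whose stated purpose is reporting oopses to a remote site the ability to listen on the http port, which the connect rule on the next line already covers for the client direction; an unneeded bind on a well-known port is exactly the kind of surplus grant that least-privilege review should catch. If the bind is really required it deserves a why-comment such as `# kerneloops binds the http port for <reason>`, otherwise it should be dropped. The capability and process lines at the top of the local policy section also carry no `# Use capabilities` style comment that the other modules in this commit use.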
diff --git a/policy/modules/contrib/kismet.fc b/policy/modules/contrib/kismet.fc
new file mode 100644
index 00000000..dae60e5e
--- /dev/null
+++ b/policy/modules/contrib/kismet.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0)
+
+/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
+/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
+/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
+/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)
diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
new file mode 100644
index 00000000..c18c920c
--- /dev/null
+++ b/policy/modules/contrib/kismet.if
@@ -0,0 +1,247 @@
+## <summary>Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run kismet.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kismet_domtrans',`
+ gen_require(`
+ type kismet_t, kismet_exec_t;
+ ')
+
+ domtrans_pattern($1, kismet_exec_t, kismet_t)
+ allow kismet_t $1:process signull;
+')
+
+########################################
+## <summary>
+## Execute kismet in the kismet domain, and
+## allow the specified role the kismet domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_run',`
+ gen_require(`
+ type kismet_t;
+ ')
+
+ kismet_domtrans($1)
+ role $2 types kismet_t;
+')
+
+########################################
+## <summary>
+## Read kismet PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_read_pid_files',`
+ gen_require(`
+ type kismet_var_run_t;
+ ')
+
+ allow $1 kismet_var_run_t:file read_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Manage kismet var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_pid_files',`
+ gen_require(`
+ type kismet_var_run_t;
+ ')
+
+ allow $1 kismet_var_run_t:file manage_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Search kismet lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_search_lib',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ allow $1 kismet_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read kismet lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_read_lib_files',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ allow $1 kismet_var_lib_t:file read_file_perms;
+ allow $1 kismet_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## kismet lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_lib_files',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Manage kismet var_lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_lib',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+ manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+ manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read kismet's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kismet_read_log',`
+ gen_require(`
+ type kismet_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, kismet_log_t, kismet_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## kismet log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_append_log',`
+ gen_require(`
+ type kismet_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, kismet_log_t, kismet_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage kismet log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_log',`
+ gen_require(`
+ type kismet_log_t;
+ ')
+
+ manage_dirs_pattern($1, kismet_log_t, kismet_log_t)
+ manage_files_pattern($1, kismet_log_t, kismet_log_t)
+ manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an kismet environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kismet_admin',`
+ gen_require(`
+ type kismet_t;
+ ')
+
+ ps_process_pattern($1, kismet_t)
+ allow $1 kismet_t:process { ptrace signal_perms };
+
+ kismet_manage_pid_files($1)
+ kismet_manage_lib($1)
+ kismet_manage_log($1)
+')
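Review bot: `kismet_manage_lib` manages dirs, files and symlinks under `kismet_var_lib_t` but, unlike `kismet_search_lib`, `kismet_read_lib_files` and `kismet_manage_lib_files` in the same file, does not call `files_search_var_lib($1)`, so a caller that has not otherwise been granted search on /var/lib will fail on path traversal. Suggest adding `files_search_var_lib($1)` as the last line of the interface, mirroring `kismet_manage_log`, which ends with `logging_search_logs($1)`. The same interface is what `kismet_admin` relies on, so the omission propagates to the admin role.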
diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
new file mode 100644
index 00000000..9dd6880e
--- /dev/null
+++ b/policy/modules/contrib/kismet.te
@@ -0,0 +1,101 @@
+policy_module(kismet, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type kismet_t;
+type kismet_exec_t;
+application_domain(kismet_t, kismet_exec_t)
+role system_r types kismet_t;
+
+type kismet_home_t;
+userdom_user_home_content(kismet_home_t)
+
+type kismet_log_t;
+logging_log_file(kismet_log_t)
+
+type kismet_tmp_t;
+files_tmp_file(kismet_tmp_t)
+
+type kismet_tmpfs_t;
+files_tmp_file(kismet_tmpfs_t)
+
+type kismet_var_lib_t;
+files_type(kismet_var_lib_t)
+
+type kismet_var_run_t;
+files_pid_file(kismet_var_run_t)
+
+########################################
+#
+# kismet local policy
+#
+
+allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
+allow kismet_t self:process signal_perms;
+allow kismet_t self:fifo_file rw_file_perms;
+allow kismet_t self:packet_socket create_socket_perms;
+allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
+allow kismet_t self:unix_stream_socket create_stream_socket_perms;
+allow kismet_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
+manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
+manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
+userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
+userdom_search_user_home_dirs(kismet_t)
+
+manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
+allow kismet_t kismet_log_t:dir setattr;
+logging_log_filetrans(kismet_t, kismet_log_t, { file dir })
+
+manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
+manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
+fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file })
+
+allow kismet_t kismet_var_lib_t:file manage_file_perms;
+allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
+files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })
+
+allow kismet_t kismet_var_run_t:file manage_file_perms;
+allow kismet_t kismet_var_run_t:dir manage_dir_perms;
+files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
+
+kernel_search_debugfs(kismet_t)
+kernel_read_system_state(kismet_t)
+kernel_read_network_state(kismet_t)
+
+corecmd_exec_bin(kismet_t)
+
+corenet_all_recvfrom_unlabeled(kismet_t)
+corenet_all_recvfrom_netlabel(kismet_t)
+corenet_tcp_sendrecv_generic_if(kismet_t)
+corenet_tcp_sendrecv_generic_node(kismet_t)
+corenet_tcp_sendrecv_all_ports(kismet_t)
+corenet_tcp_bind_generic_node(kismet_t)
+corenet_tcp_bind_kismet_port(kismet_t)
+corenet_tcp_connect_kismet_port(kismet_t)
+corenet_tcp_connect_pulseaudio_port(kismet_t)
+
+auth_use_nsswitch(kismet_t)
+
+files_read_etc_files(kismet_t)
+files_read_usr_files(kismet_t)
+
+miscfiles_read_localization(kismet_t)
+
+userdom_use_user_terminals(kismet_t)
+userdom_read_user_tmpfs_files(kismet_t)
+
+optional_policy(`
+ dbus_system_bus_client(kismet_t)
+
+ networkmanager_dbus_chat(kismet_t)
+')
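Review bot: `kismet_tmpfs_t` is declared with `files_tmp_file(kismet_tmpfs_t)` but is only ever used through `fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file })`; the declaration should be `files_tmpfs_file(kismet_tmpfs_t)` so the type carries the tmpfs attribute that the tmpfs filetrans and the generic tmpfs-cleanup rules rely on. As written the type is grouped with /tmp content instead of tmpfs content. The capability line granting `{ dac_override kill net_admin net_raw setuid setgid }` also lacks a why-comment; `net_raw`/`net_admin` are plausible for an 802.11 sniffer, but `dac_override` and `kill` are not obvious and should be explained or trimmed.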
diff --git a/policy/modules/contrib/ksmtuned.fc b/policy/modules/contrib/ksmtuned.fc
new file mode 100644
index 00000000..9c0c8354
--- /dev/null
+++ b/policy/modules/contrib/ksmtuned.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+
+/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
+/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
diff --git a/policy/modules/contrib/ksmtuned.if b/policy/modules/contrib/ksmtuned.if
new file mode 100644
index 00000000..6fd0b4c0
--- /dev/null
+++ b/policy/modules/contrib/ksmtuned.if
@@ -0,0 +1,74 @@
+## <summary>Kernel Samepage Merging (KSM) Tuning Daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ksmtuned.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ksmtuned_domtrans',`
+ gen_require(`
+ type ksmtuned_t, ksmtuned_exec_t;
+ ')
+
+ domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t)
+')
+
+########################################
+## <summary>
+## Execute ksmtuned server in the ksmtuned domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ksmtuned_initrc_domtrans',`
+ gen_require(`
+ type ksmtuned_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ksmtuned environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ksmtuned_admin',`
+ gen_require(`
+ type ksmtuned_t, ksmtuned_var_run_t;
+ type ksmtuned_initrc_exec_t;
+ ')
+
+ allow $1 ksmtuned_t:process { ptrace signal_perms };
+ ps_process_pattern(ksmtumed_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ksmtuned_var_run_t)
+
+ # Allow ksmtuned_t to restart the apache service
+ ksmtuned_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ksmtuned_initrc_exec_t system_r;
+ allow $2 system_r;
+
+')
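Review bot: `ps_process_pattern(ksmtumed_t)` in `ksmtuned_admin` is both misspelled and called with one argument; every other use in this commit is `ps_process_pattern($1, <domain>)` (for example `ps_process_pattern($1, kerneloops_t)` in kerneloops.if), so this line should read `ps_process_pattern($1, ksmtuned_t)`. As written the macro expands against an undeclared type and the admin role never gets the intended read access to the daemon's process state. The comment `# Allow ksmtuned_t to restart the apache service` is a copy-paste leftover and should say `# Allow the admin domain to run the ksmtuned init script`; the trailing blank line before `')` can go as well.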
diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te
new file mode 100644
index 00000000..a73b7a12
--- /dev/null
+++ b/policy/modules/contrib/ksmtuned.te
@@ -0,0 +1,39 @@
+policy_module(ksmtuned, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ksmtuned_t;
+type ksmtuned_exec_t;
+init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
+
+type ksmtuned_initrc_exec_t;
+init_script_file(ksmtuned_initrc_exec_t)
+
+type ksmtuned_var_run_t;
+files_pid_file(ksmtuned_var_run_t)
+
+########################################
+#
+# ksmtuned local policy
+#
+
+allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
+allow ksmtuned_t self:fifo_file rw_file_perms;
+
+manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
+files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
+
+kernel_read_system_state(ksmtuned_t)
+
+dev_rw_sysfs(ksmtuned_t)
+
+domain_read_all_domains_state(ksmtuned_t)
+
+corecmd_exec_bin(ksmtuned_t)
+
+files_read_etc_files(ksmtuned_t)
+
+miscfiles_read_localization(ksmtuned_t)
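Review bot: The pairing of `sys_ptrace` in the capability set with `domain_read_all_domains_state(ksmtuned_t)` gives this daemon read access to every domain's /proc state, which is a broad grant that carries no explanation in the hunk; a why-comment such as `# ksmtuned scans /proc/<pid> of all processes to size KSM` would let a later reviewer judge whether it is still needed. Likewise `dev_rw_sysfs(ksmtuned_t)` grants read-write on all of sysfs, which I presume is for the KSM tunables under /sys/kernel/mm/ksm; stating that next to the rule makes the scope of the write access explicit. The `sys_tty_config` capability is granted outright here while the other daemons in this commit only `dontaudit` it, which looks inconsistent.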
diff --git a/policy/modules/contrib/ktalk.fc b/policy/modules/contrib/ktalk.fc
new file mode 100644
index 00000000..47d0bf31
--- /dev/null
+++ b/policy/modules/contrib/ktalk.fc
@@ -0,0 +1,7 @@
+
+/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+
+/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/sbin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+
+/var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0)
diff --git a/policy/modules/contrib/ktalk.if b/policy/modules/contrib/ktalk.if
new file mode 100644
index 00000000..5ba36dbf
--- /dev/null
+++ b/policy/modules/contrib/ktalk.if
@@ -0,0 +1 @@
+## <summary>KDE Talk daemon</summary>
diff --git a/policy/modules/contrib/ktalk.te b/policy/modules/contrib/ktalk.te
new file mode 100644
index 00000000..ca5cfdfe
--- /dev/null
+++ b/policy/modules/contrib/ktalk.te
@@ -0,0 +1,79 @@
+policy_module(ktalk, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type ktalkd_t;
+type ktalkd_exec_t;
+inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
+role system_r types ktalkd_t;
+
+type ktalkd_log_t;
+logging_log_file(ktalkd_log_t)
+
+type ktalkd_tmp_t;
+files_tmp_file(ktalkd_tmp_t)
+
+type ktalkd_var_run_t;
+files_pid_file(ktalkd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ktalkd_t self:process signal_perms;
+allow ktalkd_t self:fifo_file rw_fifo_file_perms;
+allow ktalkd_t self:tcp_socket connected_stream_socket_perms;
+allow ktalkd_t self:udp_socket create_socket_perms;
+# for identd
+# cjp: this should probably only be inetd_child rules?
+allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow ktalkd_t self:capability { setuid setgid };
+files_search_home(ktalkd_t)
+optional_policy(`
+ kerberos_use(ktalkd_t)
+')
+#end for identd
+
+allow ktalkd_t ktalkd_log_t:file manage_file_perms;
+logging_log_filetrans(ktalkd_t, ktalkd_log_t, file)
+
+manage_dirs_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t)
+manage_files_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t)
+files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
+
+manage_files_pattern(ktalkd_t, ktalkd_var_run_t, ktalkd_var_run_t)
+files_pid_filetrans(ktalkd_t, ktalkd_var_run_t, file)
+
+kernel_read_kernel_sysctls(ktalkd_t)
+kernel_read_system_state(ktalkd_t)
+kernel_read_network_state(ktalkd_t)
+
+corenet_all_recvfrom_unlabeled(ktalkd_t)
+corenet_all_recvfrom_netlabel(ktalkd_t)
+corenet_tcp_sendrecv_generic_if(ktalkd_t)
+corenet_udp_sendrecv_generic_if(ktalkd_t)
+corenet_tcp_sendrecv_generic_node(ktalkd_t)
+corenet_udp_sendrecv_generic_node(ktalkd_t)
+corenet_tcp_sendrecv_all_ports(ktalkd_t)
+corenet_udp_sendrecv_all_ports(ktalkd_t)
+
+dev_read_urand(ktalkd_t)
+
+fs_getattr_xattr_fs(ktalkd_t)
+
+files_read_etc_files(ktalkd_t)
+
+term_search_ptys(ktalkd_t)
+term_use_all_terms(ktalkd_t)
+
+auth_use_nsswitch(ktalkd_t)
+
+init_read_utmp(ktalkd_t)
+
+logging_send_syslog_msg(ktalkd_t)
+
+miscfiles_read_localization(ktalkd_t)
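Review bot: The `# for identd` ... `#end for identd` block carries an unresolved question (`# cjp: this should probably only be inetd_child rules?`) and also wraps `allow ktalkd_t self:capability { setuid setgid }`, `files_search_home(ktalkd_t)` and the kerberos `optional_policy`, none of which are obviously identd-related, so the comment no longer describes the rules it brackets. Either the question should be resolved in this commit or the block split so that each rule has its own why-comment, for instance `# ktalkd drops privileges after binding` above the capability line. The netlink_tcpdiag grant is the only line that plausibly belongs to the identd remark.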
diff --git a/policy/modules/contrib/kudzu.fc b/policy/modules/contrib/kudzu.fc
new file mode 100644
index 00000000..dd88f746
--- /dev/null
+++ b/policy/modules/contrib/kudzu.fc
@@ -0,0 +1,5 @@
+
+/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+
+/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
diff --git a/policy/modules/contrib/kudzu.if b/policy/modules/contrib/kudzu.if
new file mode 100644
index 00000000..65bcaffa
--- /dev/null
+++ b/policy/modules/contrib/kudzu.if
@@ -0,0 +1,64 @@
+## <summary>Hardware detection and configuration tools</summary>
+
+########################################
+## <summary>
+## Execute kudzu in the kudzu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kudzu_domtrans',`
+ gen_require(`
+ type kudzu_t, kudzu_exec_t;
+ ')
+
+ domtrans_pattern($1, kudzu_exec_t, kudzu_t)
+')
+
+########################################
+## <summary>
+## Execute kudzu in the kudzu domain, and
+## allow the specified role the kudzu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kudzu_run',`
+ gen_require(`
+ type kudzu_t;
+ ')
+
+ kudzu_domtrans($1)
+ role $2 types kudzu_t;
+')
+
+########################################
+## <summary>
+## Get attributes of kudzu executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for ddcprobe
+interface(`kudzu_getattr_exec_files',`
+ gen_require(`
+ type kudzu_exec_t;
+ ')
+
+ allow $1 kudzu_exec_t:file getattr;
+')
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
new file mode 100644
index 00000000..4f7bd3c3
--- /dev/null
+++ b/policy/modules/contrib/kudzu.te
@@ -0,0 +1,145 @@
+policy_module(kudzu, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type kudzu_t;
+type kudzu_exec_t;
+init_system_domain(kudzu_t, kudzu_exec_t)
+
+type kudzu_tmp_t;
+files_tmp_file(kudzu_tmp_t)
+
+type kudzu_var_run_t;
+files_pid_file(kudzu_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
+dontaudit kudzu_t self:capability sys_tty_config;
+allow kudzu_t self:process { signal_perms execmem };
+allow kudzu_t self:fifo_file rw_fifo_file_perms;
+allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow kudzu_t self:unix_dgram_socket create_socket_perms;
+allow kudzu_t self:udp_socket { create ioctl };
+
+manage_dirs_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
+manage_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
+manage_chr_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
+files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
+
+manage_dirs_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t)
+manage_files_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t)
+files_pid_filetrans(kudzu_t, kudzu_var_run_t, file)
+
+kernel_change_ring_buffer_level(kudzu_t)
+kernel_list_proc(kudzu_t)
+kernel_read_device_sysctls(kudzu_t)
+kernel_read_kernel_sysctls(kudzu_t)
+kernel_read_proc_symlinks(kudzu_t)
+kernel_read_network_state(kudzu_t)
+kernel_read_system_state(kudzu_t)
+kernel_rw_hotplug_sysctls(kudzu_t)
+kernel_rw_kernel_sysctl(kudzu_t)
+
+files_read_kernel_modules(kudzu_t)
+
+dev_list_sysfs(kudzu_t)
+dev_read_usbfs(kudzu_t)
+dev_read_sysfs(kudzu_t)
+dev_rx_raw_memory(kudzu_t)
+dev_wx_raw_memory(kudzu_t)
+dev_rw_mouse(kudzu_t)
+dev_rwx_zero(kudzu_t)
+
+fs_search_auto_mountpoints(kudzu_t)
+fs_search_ramfs(kudzu_t)
+fs_write_ramfs_sockets(kudzu_t)
+
+mls_file_read_all_levels(kudzu_t)
+mls_file_write_all_levels(kudzu_t)
+
+storage_read_scsi_generic(kudzu_t)
+storage_read_tape(kudzu_t)
+storage_raw_write_fixed_disk(kudzu_t)
+storage_raw_write_removable_device(kudzu_t)
+storage_raw_read_fixed_disk(kudzu_t)
+storage_raw_read_removable_device(kudzu_t)
+
+term_dontaudit_use_console(kudzu_t)
+# so it can write messages to the console
+term_use_unallocated_ttys(kudzu_t)
+
+corecmd_exec_all_executables(kudzu_t)
+
+domain_use_interactive_fds(kudzu_t)
+
+files_search_var(kudzu_t)
+files_search_locks(kudzu_t)
+files_manage_etc_files(kudzu_t)
+files_manage_etc_runtime_files(kudzu_t)
+files_etc_filetrans_etc_runtime(kudzu_t, file)
+files_manage_mnt_files(kudzu_t)
+files_manage_mnt_symlinks(kudzu_t)
+files_dontaudit_search_src(kudzu_t)
+# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
+files_read_usr_files(kudzu_t)
+# for /etc/sysconfig/hwconf - probably need a new type
+files_rw_etc_runtime_files(kudzu_t)
+# for file systems that are not yet mounted
+files_dontaudit_search_isid_type_dirs(kudzu_t)
+
+init_use_fds(kudzu_t)
+init_use_script_ptys(kudzu_t)
+init_stream_connect_script(kudzu_t)
+init_read_state(kudzu_t)
+init_ptrace(kudzu_t)
+# kudzu will telinit to make init re-read
+# the inittab after configuring serial consoles
+init_telinit(kudzu_t)
+
+# Read /usr/lib/gconv/gconv-modules.*
+libs_read_lib_files(kudzu_t)
+
+logging_send_syslog_msg(kudzu_t)
+
+miscfiles_read_hwdata(kudzu_t)
+miscfiles_read_localization(kudzu_t)
+
+modutils_read_module_config(kudzu_t)
+modutils_read_module_deps(kudzu_t)
+modutils_rename_module_config(kudzu_t)
+modutils_delete_module_config(kudzu_t)
+modutils_domtrans_insmod(kudzu_t)
+
+sysnet_read_config(kudzu_t)
+
+userdom_use_user_terminals(kudzu_t)
+userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
+userdom_search_user_home_dirs(kudzu_t)
+
+optional_policy(`
+ gpm_getattr_gpmctl(kudzu_t)
+')
+
+optional_policy(`
+ nscd_socket_use(kudzu_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(kudzu_t)
+')
+
+optional_policy(`
+ udev_read_db(kudzu_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(kudzu_t)
+ unconfined_domain(kudzu_t)
+')
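Review bot: The `dontaudit kudzu_t self:capability sys_tty_config;` line is dead, because the `allow` on self:capability directly above it already grants sys_tty_config, so there is nothing left to dontaudit; drop the dontaudit or remove sys_tty_config from the allow. `files_rw_etc_runtime_files(kudzu_t)` is similarly subsumed by the earlier `files_manage_etc_runtime_files(kudzu_t)`. More importantly, the final `optional_policy` block calls `unconfined_domain(kudzu_t)`, which makes kudzu_t unconfined whenever the unconfined module is loaded and renders the carefully enumerated rules above it (raw memory and raw disk write, sys_admin/sys_rawio, corecmd_exec_all_executables, init_ptrace) irrelevant on such systems. That block deserves a comment stating why full unconfinement is acceptable for a hardware-probing tool, e.g. `# with the unconfined module present kudzu is effectively unconfined; the rules above only matter on strict systems`, or gating behind a tunable so confinement stays the default.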
diff --git a/policy/modules/contrib/ldap.fc b/policy/modules/contrib/ldap.fc
new file mode 100644
index 00000000..ba8ba951
--- /dev/null
+++ b/policy/modules/contrib/ldap.fc
@@ -0,0 +1,21 @@
+
+/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
+/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+
+/usr/lib(64)?/openldap/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+')
+
+/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
+/var/lib/openldap-data(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+/var/lib/openldap-ldbm(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+/var/lib/openldap-slurpd(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+
+/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if
new file mode 100644
index 00000000..e131cfae
--- /dev/null
+++ b/policy/modules/contrib/ldap.if
@@ -0,0 +1,123 @@
+## <summary>OpenLDAP directory server</summary>
+
+########################################
+## <summary>
+## Read the contents of the OpenLDAP
+## database directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_list_db',`
+ gen_require(`
+ type slapd_db_t;
+ ')
+
+ allow $1 slapd_db_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read the OpenLDAP configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ldap_read_config',`
+ gen_require(`
+ type slapd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 slapd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Use LDAP over TCP connection. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_use',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Connect to slapd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_stream_connect',`
+ gen_require(`
+ type slapd_t, slapd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 slapd_var_run_t:sock_file write;
+ allow $1 slapd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ldap environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the ldap domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ldap_admin',`
+ gen_require(`
+ type slapd_t, slapd_tmp_t, slapd_replog_t;
+ type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
+ type slapd_initrc_exec_t, slapd_exec_t;
+ ')
+
+ allow $1 slapd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, slapd_t)
+
+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 slapd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ role $2 types slapd_t;
+ domtrans_pattern($1, slapd_exec_t, slapd_t)
+
+ files_list_etc($1)
+ admin_pattern($1, slapd_etc_t)
+
+ admin_pattern($1, slapd_lock_t)
+
+ admin_pattern($1, slapd_replog_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, slapd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, slapd_var_run_t)
+')
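Review bot: `ldap_admin` neither requires nor grants access to `slapd_db_t` or `slapd_cert_t`, although ldap.te in this same commit declares both and the interface summary promises "all of the rules required to administrate an ldap environment"; an admin role therefore cannot manage the database directories or the certificate files. Add both types to the `gen_require` and follow `files_search_var_lib($1)` with `admin_pattern($1, slapd_db_t)` and `admin_pattern($1, slapd_cert_t)`. Separately, the `ldap_list_db` summary says "Read the contents" while the rule only grants `list_dir_perms` on the directory; `## List the OpenLDAP database directories.` keeps the documentation honest. `ldap_stream_connect` also open-codes the sock_file write / connectto pair where the rest of this commit uses `stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)` (compare lircd_stream_connect).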
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
new file mode 100644
index 00000000..116bbe27
--- /dev/null
+++ b/policy/modules/contrib/ldap.te
@@ -0,0 +1,134 @@
+policy_module(ldap, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type slapd_t;
+type slapd_exec_t;
+init_daemon_domain(slapd_t, slapd_exec_t)
+
+type slapd_cert_t;
+files_type(slapd_cert_t)
+
+type slapd_db_t;
+files_type(slapd_db_t)
+
+type slapd_etc_t;
+files_config_file(slapd_etc_t)
+
+type slapd_initrc_exec_t;
+init_script_file(slapd_initrc_exec_t)
+
+type slapd_lock_t;
+files_lock_file(slapd_lock_t)
+
+type slapd_replog_t;
+files_type(slapd_replog_t)
+
+type slapd_tmp_t;
+files_tmp_file(slapd_tmp_t)
+
+type slapd_var_run_t;
+files_pid_file(slapd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# should not need kill
+# cjp: why net_raw?
+allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
+dontaudit slapd_t self:capability sys_tty_config;
+allow slapd_t self:process { setsched signal };
+allow slapd_t self:fifo_file rw_fifo_file_perms;
+allow slapd_t self:udp_socket create_socket_perms;
+allow slapd_t self:unix_stream_socket listen;
+#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
+allow slapd_t self:tcp_socket create_stream_socket_perms;
+
+allow slapd_t slapd_cert_t:dir list_dir_perms;
+read_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
+read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
+
+# Allow access to the slapd databases
+manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
+manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+
+allow slapd_t slapd_etc_t:file read_file_perms;
+
+allow slapd_t slapd_lock_t:file manage_file_perms;
+files_lock_filetrans(slapd_t, slapd_lock_t, file)
+
+# Allow access to write the replication log (should tighten this)
+manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+
+manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
+
+manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
+
+kernel_read_system_state(slapd_t)
+kernel_read_kernel_sysctls(slapd_t)
+
+corenet_all_recvfrom_unlabeled(slapd_t)
+corenet_all_recvfrom_netlabel(slapd_t)
+corenet_tcp_sendrecv_generic_if(slapd_t)
+corenet_udp_sendrecv_generic_if(slapd_t)
+corenet_tcp_sendrecv_generic_node(slapd_t)
+corenet_udp_sendrecv_generic_node(slapd_t)
+corenet_tcp_sendrecv_all_ports(slapd_t)
+corenet_udp_sendrecv_all_ports(slapd_t)
+corenet_tcp_bind_generic_node(slapd_t)
+corenet_tcp_bind_ldap_port(slapd_t)
+corenet_tcp_connect_all_ports(slapd_t)
+corenet_sendrecv_ldap_server_packets(slapd_t)
+corenet_sendrecv_all_client_packets(slapd_t)
+
+dev_read_urand(slapd_t)
+dev_read_sysfs(slapd_t)
+
+fs_getattr_all_fs(slapd_t)
+fs_search_auto_mountpoints(slapd_t)
+
+domain_use_interactive_fds(slapd_t)
+
+files_read_etc_files(slapd_t)
+files_read_etc_runtime_files(slapd_t)
+files_read_usr_files(slapd_t)
+files_list_var_lib(slapd_t)
+
+auth_use_nsswitch(slapd_t)
+
+logging_send_syslog_msg(slapd_t)
+
+miscfiles_read_generic_certs(slapd_t)
+miscfiles_read_localization(slapd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(slapd_t)
+userdom_dontaudit_search_user_home_dirs(slapd_t)
+userdom_use_user_terminals(slapd_t)
+
+optional_policy(`
+ kerberos_keytab_template(slapd, slapd_t)
+')
+
+optional_policy(`
+ sasl_connect(slapd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(slapd_t)
+')
+
+optional_policy(`
+ udev_read_db(slapd_t)
+')
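Review bot: The capability line at the top of the local policy carries two unresolved reviewer questions (`# should not need kill` and `# cjp: why net_raw?`) yet still grants both `kill` and `net_raw`; either drop the two capabilities or replace the questions with a comment stating what in slapd needs them, since an open question left above an allow rule tends to outlive everyone who could answer it. The network rules are also broader than a directory server requires: `corenet_tcp_connect_all_ports` combined with `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` lets slapd reach any port, while the commit already has the narrower `corenet_tcp_bind_ldap_port` and `corenet_sendrecv_ldap_server_packets`. If outbound access is needed for replication or for the kerberos/sasl helpers enabled in the optional_policy blocks, a one-line comment next to the rule should say so. The comment above the tcp_socket rule also has a typo (`ldapseach`).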
diff --git a/policy/modules/contrib/likewise.fc b/policy/modules/contrib/likewise.fc
new file mode 100644
index 00000000..057a4e45
--- /dev/null
+++ b/policy/modules/contrib/likewise.fc
@@ -0,0 +1,54 @@
+/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
+/etc/likewise-open/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
+/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
+
+/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+
+/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
+/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise-open/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
+/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
+/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
+/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
+/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
+
+/var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0)
+/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
+/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
+/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
+/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
+/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
+
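Review bot: Several path regexes in this file leave `.` unescaped (`.pstore.lock`, `krb5-affinity.conf`, `lwi_events.db`, `rpcdep.dat`, and all six `/var/run/*.pid` entries) while neighbouring entries escape it (`\.lsassd`, `sam\.db`, `registry\.db`); file_contexts entries are regular expressions, so an unescaped dot matches any character, and the inconsistency reads as forgotten escapes rather than a choice. Escape them, e.g. `/etc/likewise-open/\.pstore\.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)`. The `gen_context(..., s0)` calls with a space before `s0` (krb5-affinity.conf, krb5ccr_lsass, the three rpc sockets, rpcdep.dat) also differ from the rest of the file; the space is most likely harmless after m4 expansion, but the mixed form defeats simple grep-based checks of the file.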
diff --git a/policy/modules/contrib/likewise.if b/policy/modules/contrib/likewise.if
new file mode 100644
index 00000000..771e04b6
--- /dev/null
+++ b/policy/modules/contrib/likewise.if
@@ -0,0 +1,105 @@
+## <summary>Likewise Active Directory support for UNIX.</summary>
+## <desc>
+## <p>
+## Likewise Open is a free, open source application that joins Linux, Unix,
+## and Mac machines to Microsoft Active Directory to securely authenticate
+## users with their domain credentials.
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## The template to define a likewise domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a domain to be used for
+## a new likewise daemon.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The type of daemon to be used.
+## </summary>
+## </param>
+#
+template(`likewise_domain_template',`
+
+ gen_require(`
+ attribute likewise_domains;
+ type likewise_var_lib_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+ domain_use_interactive_fds($1_t)
+
+ typeattribute $1_t likewise_domains;
+
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ type $1_var_socket_t;
+ files_type($1_var_socket_t)
+
+ type $1_var_lib_t;
+ files_type($1_var_lib_t)
+
+ ####################################
+ #
+ # Local Policy
+ #
+
+ allow $1_t self:process { signal_perms getsched setsched };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+
+ allow $1_t likewise_var_lib_t:dir setattr;
+
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, file)
+
+ manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t)
+ filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file)
+
+ manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
+ filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
+
+ dev_read_rand($1_t)
+ dev_read_urand($1_t)
+
+ files_read_etc_files($1_t)
+ files_search_var_lib($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ miscfiles_read_localization($1_t)
+')
+
+########################################
+## <summary>
+## Connect to lsassd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_lsassd',`
+ gen_require(`
+ type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+')
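Review bot: `likewise_stream_connect_lsassd` calls `files_search_pids($1)`, but the socket it connects to lives under /var/lib: the .fc in this commit labels `/var/lib/likewise-open/\.lsassd` as `lsassd_var_socket_t` and the pattern's directory type is `likewise_var_lib_t`, so the caller gets search on /var/run and nothing for /var/lib; the line should be `files_search_var_lib($1)`. The template's parameter documentation is also off: the param is named `userdomain_prefix` and summarised as "The type of daemon to be used", while it is actually the prefix for the daemon's types (`$1_t`, `$1_exec_t`, `$1_var_run_t`); `## <param name="prefix">` with `## Prefix for the daemon's domain and file types, e.g. lsassd.` describes what the template does.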
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
new file mode 100644
index 00000000..5ba6cc2a
--- /dev/null
+++ b/policy/modules/contrib/likewise.te
@@ -0,0 +1,238 @@
+policy_module(likewise, 1.2.0)
+
+#################################
+#
+# Declarations
+#
+
+attribute likewise_domains;
+
+type likewise_etc_t;
+files_config_file(likewise_etc_t)
+
+type likewise_initrc_exec_t;
+init_script_file(likewise_initrc_exec_t)
+
+type likewise_var_lib_t;
+files_type(likewise_var_lib_t)
+
+type likewise_pstore_lock_t;
+files_type(likewise_pstore_lock_t)
+
+type likewise_krb5_ad_t;
+files_type(likewise_krb5_ad_t)
+
+likewise_domain_template(dcerpcd)
+
+likewise_domain_template(eventlogd)
+
+likewise_domain_template(lsassd)
+
+type lsassd_tmp_t;
+files_tmp_file(lsassd_tmp_t)
+
+likewise_domain_template(lwiod)
+
+likewise_domain_template(lwregd)
+
+likewise_domain_template(lwsmd)
+
+likewise_domain_template(netlogond)
+
+likewise_domain_template(srvsvcd)
+
+#################################
+#
+# Likewise dcerpcd personal policy
+#
+
+stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(dcerpcd_t)
+corenet_all_recvfrom_unlabeled(dcerpcd_t)
+corenet_sendrecv_generic_client_packets(dcerpcd_t)
+corenet_sendrecv_generic_server_packets(dcerpcd_t)
+corenet_tcp_sendrecv_generic_if(dcerpcd_t)
+corenet_tcp_sendrecv_generic_node(dcerpcd_t)
+corenet_tcp_sendrecv_generic_port(dcerpcd_t)
+corenet_tcp_bind_generic_node(dcerpcd_t)
+corenet_tcp_bind_epmap_port(dcerpcd_t)
+corenet_tcp_connect_generic_port(dcerpcd_t)
+corenet_udp_bind_generic_node(dcerpcd_t)
+corenet_udp_bind_epmap_port(dcerpcd_t)
+corenet_udp_sendrecv_generic_if(dcerpcd_t)
+corenet_udp_sendrecv_generic_node(dcerpcd_t)
+corenet_udp_sendrecv_generic_port(dcerpcd_t)
+
+#################################
+#
+# Likewise Auditing and Logging service policy
+#
+
+stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(eventlogd_t)
+corenet_all_recvfrom_unlabeled(eventlogd_t)
+corenet_sendrecv_generic_server_packets(eventlogd_t)
+corenet_tcp_sendrecv_generic_if(eventlogd_t)
+corenet_tcp_sendrecv_generic_node(eventlogd_t)
+corenet_tcp_sendrecv_generic_port(eventlogd_t)
+corenet_tcp_bind_generic_node(eventlogd_t)
+corenet_udp_bind_generic_node(eventlogd_t)
+corenet_udp_sendrecv_generic_if(eventlogd_t)
+corenet_udp_sendrecv_generic_node(eventlogd_t)
+corenet_udp_sendrecv_generic_port(eventlogd_t)
+
+#################################
+#
+# Likewise Authentication service local policy
+#
+
+allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
+allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
+allow lsassd_t netlogond_var_lib_t:file read_file_perms;
+
+manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t)
+
+manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t)
+files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file)
+
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
+
+kernel_read_system_state(lsassd_t)
+kernel_getattr_proc_files(lsassd_t)
+kernel_list_all_proc(lsassd_t)
+kernel_list_proc(lsassd_t)
+
+corecmd_exec_bin(lsassd_t)
+corecmd_exec_shell(lsassd_t)
+
+corenet_all_recvfrom_netlabel(lsassd_t)
+corenet_all_recvfrom_unlabeled(lsassd_t)
+corenet_tcp_sendrecv_generic_if(lsassd_t)
+corenet_tcp_sendrecv_generic_node(lsassd_t)
+corenet_tcp_sendrecv_generic_port(lsassd_t)
+corenet_tcp_bind_generic_node(lsassd_t)
+corenet_tcp_connect_epmap_port(lsassd_t)
+corenet_tcp_sendrecv_epmap_port(lsassd_t)
+
+domain_obj_id_change_exemption(lsassd_t)
+
+files_manage_etc_files(lsassd_t)
+files_manage_etc_symlinks(lsassd_t)
+files_manage_etc_runtime_files(lsassd_t)
+files_relabelto_home(lsassd_t)
+
+selinux_get_fs_mount(lsassd_t)
+selinux_validate_context(lsassd_t)
+
+seutil_read_config(lsassd_t)
+seutil_read_default_contexts(lsassd_t)
+seutil_read_file_contexts(lsassd_t)
+seutil_run_semanage(lsassd_t, system_r)
+
+sysnet_use_ldap(lsassd_t)
+sysnet_read_config(lsassd_t)
+
+userdom_home_filetrans_user_home_dir(lsassd_t)
+userdom_manage_user_home_content_files(lsassd_t)
+
+optional_policy(`
+ kerberos_rw_keytab(lsassd_t)
+ kerberos_use(lsassd_t)
+')
+
+#################################
+#
+# Likewise I/O service local policy
+#
+
+allow lwiod_t self:capability { fowner chown fsetid dac_override };
+allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
+allow lwiod_t netlogond_var_lib_t:file read_file_perms;
+
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+
+corenet_all_recvfrom_netlabel(lwiod_t)
+corenet_all_recvfrom_unlabeled(lwiod_t)
+corenet_sendrecv_smbd_server_packets(lwiod_t)
+corenet_sendrecv_smbd_client_packets(lwiod_t)
+corenet_tcp_sendrecv_generic_if(lwiod_t)
+corenet_tcp_sendrecv_generic_node(lwiod_t)
+corenet_tcp_sendrecv_generic_port(lwiod_t)
+corenet_tcp_bind_generic_node(lwiod_t)
+corenet_tcp_bind_smbd_port(lwiod_t)
+corenet_tcp_connect_smbd_port(lwiod_t)
+
+sysnet_read_config(lwiod_t)
+
+optional_policy(`
+ kerberos_rw_config(lwiod_t)
+ kerberos_use(lwiod_t)
+')
+
+#################################
+#
+# Likewise Service Manager service local policy
+#
+
+allow lwsmd_t likewise_domains:process signal;
+
+domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t)
+domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t)
+domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t)
+domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t)
+domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t)
+domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t)
+domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t)
+
+stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+#################################
+#
+# Likewise DC location service local policy
+#
+
+allow netlogond_t self:capability {dac_override};
+
+manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
+
+stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+sysnet_dns_name_resolve(netlogond_t)
+sysnet_use_ldap(netlogond_t)
+
+#################################
+#
+# Likewise Srv service local policy
+#
+
+allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
+
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(srvsvcd_t)
+corenet_all_recvfrom_unlabeled(srvsvcd_t)
+corenet_sendrecv_generic_server_packets(srvsvcd_t)
+corenet_tcp_sendrecv_generic_if(srvsvcd_t)
+corenet_tcp_sendrecv_generic_node(srvsvcd_t)
+corenet_tcp_sendrecv_generic_port(srvsvcd_t)
+corenet_tcp_bind_generic_node(srvsvcd_t)
+
+optional_policy(`
+ kerberos_use(srvsvcd_t)
+')
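Review bot: `seutil_run_semanage(lsassd_t, system_r)` lets the authentication daemon transition into the semanage domain, i.e. change the loaded SELinux policy and login mappings, and nothing in the file explains why; together with `domain_obj_id_change_exemption`, `files_relabelto_home`, `corecmd_exec_shell` and `userdom_manage_user_home_content_files` this makes lsassd_t one of the most powerful domains in the commit. Presumably this is for creating seusers entries for AD accounts (not verifiable from here); add a comment such as `# lsassd runs semanage to map AD users to SELinux users -- TODO confirm` and check whether a narrower interface than full semanage suffices. Minor: `allow netlogond_t self:capability {dac_override};` lacks the spaces inside the braces used everywhere else in this commit, `allow netlogond_t self:capability { dac_override };`.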
diff --git a/policy/modules/contrib/links.fc b/policy/modules/contrib/links.fc
new file mode 100644
index 00000000..d973b307
--- /dev/null
+++ b/policy/modules/contrib/links.fc
@@ -0,0 +1,2 @@
+/usr/bin/links -- gen_context(system_u:object_r:links_exec_t,s0)
+HOME_DIR/\.links(/.*)? gen_context(system_u:object_r:links_home_t,s0)
diff --git a/policy/modules/contrib/links.if b/policy/modules/contrib/links.if
new file mode 100644
index 00000000..61254fc3
--- /dev/null
+++ b/policy/modules/contrib/links.if
@@ -0,0 +1,46 @@
+## <summary>Links web browser</summary>
+
+#######################################
+## <summary>
+## The role interface for the links module.
+## </summary>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`links_role',`
+ gen_require(`
+ type links_t, links_exec_t, links_tmpfs_t, links_home_t;
+ ')
+
+ #######################################
+ #
+ # Declarations
+ #
+
+ role $1 types links_t;
+
+ ############################
+ #
+ # Policy
+ #
+
+ manage_dirs_pattern($2, links_home_t, links_home_t)
+ manage_files_pattern($2, links_home_t, links_home_t)
+ manage_lnk_files_pattern($2, links_home_t, links_home_t)
+
+ relabel_dirs_pattern($2, links_home_t, links_home_t)
+ relabel_files_pattern($2, links_home_t, links_home_t)
+ relabel_lnk_files_pattern($2, links_home_t, links_home_t)
+
+ domtrans_pattern($2, links_exec_t, links_t)
+
+ ps_process_pattern($2, links_t)
+')
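Review bot: `links_role` requires `links_tmpfs_t` in its `gen_require` but never references it, so that require is dead; drop it: `type links_t, links_exec_t, links_home_t;`. The in-interface section banners (`# Declarations` / `# Policy`) are copied from .te style and add nothing to a three-statement interface; one purpose comment on the role statement would read better.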
diff --git a/policy/modules/contrib/links.te b/policy/modules/contrib/links.te
new file mode 100644
index 00000000..a36703f2
--- /dev/null
+++ b/policy/modules/contrib/links.te
@@ -0,0 +1,67 @@
+policy_module(links, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow links to manage files in users home directories (download files)
+## </p>
+## </desc>
+gen_tunable(links_manage_user_files, false)
+
+type links_t;
+type links_exec_t;
+userdom_user_application_domain(links_t, links_exec_t)
+
+type links_home_t;
+userdom_user_home_content(links_home_t)
+
+type links_tmpfs_t;
+userdom_user_tmpfs_file(links_tmpfs_t)
+
+############################
+#
+# Policy
+#
+
+allow links_t self:process signal_perms;
+allow links_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(links_t, links_home_t, links_home_t)
+manage_files_pattern(links_t, links_home_t, links_home_t)
+manage_lnk_files_pattern(links_t, links_home_t, links_home_t)
+manage_sock_files_pattern(links_t, links_home_t, links_home_t)
+manage_fifo_files_pattern(links_t, links_home_t, links_home_t)
+userdom_user_home_dir_filetrans(links_t, links_home_t, dir)
+
+manage_fifo_files_pattern(links_t, links_t, links_t)
+
+manage_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t)
+manage_lnk_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t)
+manage_fifo_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t)
+manage_sock_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t)
+fs_tmpfs_filetrans(links_t, links_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+
+domain_use_interactive_fds(links_t)
+
+auth_use_nsswitch(links_t)
+
+userdom_use_user_terminals(links_t)
+
+corenet_tcp_connect_http_port(links_t)
+
+miscfiles_read_localization(links_t)
+
+tunable_policy(`links_manage_user_files',`
+ userdom_manage_user_home_content_dirs(links_t)
+ userdom_manage_user_home_content_files(links_t)
+')
+
+
+optional_policy(`
+ xserver_user_x_domain_template(links, links_t, links_tmpfs_t)
+')
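Review bot: `manage_fifo_files_pattern(links_t, links_t, links_t)` uses the process domain `links_t` as both the directory and the file type, but `links_t` is declared here only as an application domain and never as a file type, so the rule labels nothing that can exist on disk; the intended rule is most likely the self rule `allow links_t self:fifo_file rw_fifo_file_perms;` as written for the other domains in this commit (e.g. slapd_t). `corenet_tcp_connect_http_port(links_t)` is also the only network rule; I cannot tell from this file whether the generic interface/node sendrecv rules arrive via `userdom_user_application_domain`, so it is worth confirming an HTTP connection actually succeeds under this policy.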
diff --git a/policy/modules/contrib/lircd.fc b/policy/modules/contrib/lircd.fc
new file mode 100644
index 00000000..49e04e58
--- /dev/null
+++ b/policy/modules/contrib/lircd.fc
@@ -0,0 +1,10 @@
+/dev/lircd -s gen_context(system_u:object_r:lircd_sock_t,s0)
+
+/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0)
+
+/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
+
+/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
+/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
+/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0)
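Review bot: The last entry, `/var/run/lircd\.pid gen_context(...)`, omits the `--` file-type field that every other regular-file entry in this file carries, so it matches any object type at that path. For consistency and so a directory or socket created at that path does not inherit the pid label, write `/var/run/lircd\.pid -- gen_context(system_u:object_r:lircd_var_run_t,s0)`.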
diff --git a/policy/modules/contrib/lircd.if b/policy/modules/contrib/lircd.if
new file mode 100644
index 00000000..418cc811
--- /dev/null
+++ b/policy/modules/contrib/lircd.if
@@ -0,0 +1,96 @@
+## <summary>Linux infared remote control daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run lircd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lircd_domtrans',`
+ gen_require(`
+ type lircd_t, lircd_exec_t;
+ ')
+
+ domain_auto_trans($1, lircd_exec_t, lircd_t)
+
+')
+
+######################################
+## <summary>
+## Connect to lircd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lircd_stream_connect',`
+ gen_require(`
+ type lircd_var_run_t, lircd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t)
+')
+
+#######################################
+## <summary>
+## Read lircd etc file
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lircd_read_config',`
+ gen_require(`
+ type lircd_etc_t;
+ ')
+
+ read_files_pattern($1, lircd_etc_t, lircd_etc_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## a lircd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lircd_admin',`
+ gen_require(`
+ type lircd_t, lircd_var_run_t;
+ type lircd_initrc_exec_t, lircd_etc_t;
+ ')
+
+ allow $1 lircd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, lircd_t)
+
+ init_labeled_script_domtrans($1, lircd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 lircd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, lircd_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, lircd_var_run_t)
+')
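Review bot: The `role` parameter documentation of `lircd_admin` reads "The role to be allowed to manage the syslog domain." — a copy-paste leftover that should say `## The role to be allowed to manage the lircd domain.`. Separately, `lircd_domtrans` uses `domain_auto_trans($1, lircd_exec_t, lircd_t)` where the sibling interfaces in this commit (livecd, loadkeys, logrotate) use `domtrans_pattern`, which also grants the fd/fifo/sigchld access a caller normally needs across the transition; `domtrans_pattern($1, lircd_exec_t, lircd_t)` would be consistent unless the narrower form is deliberate. The stray blank line before the closing `')` of `lircd_domtrans` can go as well.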
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
new file mode 100644
index 00000000..6a78de1e
--- /dev/null
+++ b/policy/modules/contrib/lircd.te
@@ -0,0 +1,64 @@
+policy_module(lircd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type lircd_t;
+type lircd_exec_t;
+init_daemon_domain(lircd_t, lircd_exec_t)
+
+type lircd_initrc_exec_t;
+init_script_file(lircd_initrc_exec_t)
+
+type lircd_etc_t;
+files_type(lircd_etc_t)
+
+type lircd_var_run_t alias lircd_sock_t;
+files_pid_file(lircd_var_run_t)
+
+########################################
+#
+# lircd local policy
+#
+
+allow lircd_t self:capability { chown kill sys_admin };
+allow lircd_t self:fifo_file rw_fifo_file_perms;
+allow lircd_t self:unix_dgram_socket create_socket_perms;
+allow lircd_t self:tcp_socket create_stream_socket_perms;
+
+# etc file
+read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
+
+manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
+# /dev/lircd socket
+dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
+
+corenet_tcp_sendrecv_generic_if(lircd_t)
+corenet_tcp_bind_generic_node(lircd_t)
+corenet_tcp_bind_lirc_port(lircd_t)
+corenet_tcp_sendrecv_all_ports(lircd_t)
+corenet_tcp_connect_lirc_port(lircd_t)
+
+dev_read_generic_usb_dev(lircd_t)
+dev_read_mouse(lircd_t)
+dev_filetrans_lirc(lircd_t)
+dev_rw_lirc(lircd_t)
+dev_rw_input_dev(lircd_t)
+
+files_read_etc_files(lircd_t)
+files_list_var(lircd_t)
+files_manage_generic_locks(lircd_t)
+files_read_all_locks(lircd_t)
+
+term_use_ptmx(lircd_t)
+
+logging_send_syslog_msg(lircd_t)
+
+miscfiles_read_localization(lircd_t)
+
+sysnet_dns_name_resolve(lircd_t)
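Review bot: The `sys_admin` capability granted on the `allow lircd_t self:capability { chown kill sys_admin };` line is undocumented, and it is by far the broadest entry in that set; a comment naming the operation that needs it (e.g. `# sys_admin: <operation requiring it — confirm>`) lets a later reviewer tell a real requirement from an audit2allow leftover. The same applies to `corenet_tcp_sendrecv_all_ports(lircd_t)`, which is wider than the lirc-port bind/connect rules beside it. Both are access grants for a daemon that also reads input and USB devices, so the justification belongs next to the rule.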
diff --git a/policy/modules/contrib/livecd.fc b/policy/modules/contrib/livecd.fc
new file mode 100644
index 00000000..34937fcf
--- /dev/null
+++ b/policy/modules/contrib/livecd.fc
@@ -0,0 +1 @@
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
diff --git a/policy/modules/contrib/livecd.if b/policy/modules/contrib/livecd.if
new file mode 100644
index 00000000..ae29d9f6
--- /dev/null
+++ b/policy/modules/contrib/livecd.if
@@ -0,0 +1,100 @@
+## <summary>Livecd tool for building alternate livecd for different os and policy versions.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run livecd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`livecd_domtrans',`
+ gen_require(`
+ type livecd_t, livecd_exec_t;
+ ')
+
+ domtrans_pattern($1, livecd_exec_t, livecd_t)
+')
+
+########################################
+## <summary>
+## Execute livecd in the livecd domain, and
+## allow the specified role the livecd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_run',`
+ gen_require(`
+ attribute_role livecd_roles;
+ ')
+
+ livecd_domtrans($1)
+ roleattribute $2 livecd_roles;
+')
+
+########################################
+## <summary>
+## Read livecd temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_read_tmp_files',`
+ gen_require(`
+ type livecd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
+')
+
+########################################
+## <summary>
+## Read and write livecd temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_rw_tmp_files',`
+ gen_require(`
+ type livecd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
+')
+
+########################################
+## <summary>
+## Allow read and write access to livecd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_rw_semaphores',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ allow $1 livecd_t:sem { unix_read unix_write associate read write };
+')
diff --git a/policy/modules/contrib/livecd.te b/policy/modules/contrib/livecd.te
new file mode 100644
index 00000000..008f7186
--- /dev/null
+++ b/policy/modules/contrib/livecd.te
@@ -0,0 +1,43 @@
+policy_module(livecd, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role livecd_roles;
+roleattribute system_r livecd_roles;
+
+type livecd_t;
+type livecd_exec_t;
+application_domain(livecd_t, livecd_exec_t)
+role livecd_roles types livecd_t;
+
+type livecd_tmp_t;
+files_tmp_file(livecd_tmp_t)
+
+########################################
+#
+# livecd local policy
+#
+
+dontaudit livecd_t self:capability2 mac_admin;
+
+domain_ptrace_all_domains(livecd_t)
+
+manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
+
+optional_policy(`
+ mount_run(livecd_t, livecd_roles)
+')
+
+optional_policy(`
+ hal_dbus_chat(livecd_t)
+')
+
+optional_policy(`
+ unconfined_domain(livecd_t)
+')
+
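Review bot: The `optional_policy` block calling `unconfined_domain(livecd_t)` makes the preceding rules in this hunk (the `mac_admin` dontaudit, `domain_ptrace_all_domains`, the tmp-file rules) effectively redundant whenever the unconfined module is loaded, and nothing in the file says so. A comment above that block such as `# livecd_t is unconfined when the unconfined module is present; the rules above only matter without it.` would make the intended trust level explicit. Independently, `domain_ptrace_all_domains(livecd_t)` is a strong grant with no explanatory comment. The file also ends with a trailing blank line.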
diff --git a/policy/modules/contrib/loadkeys.fc b/policy/modules/contrib/loadkeys.fc
new file mode 100644
index 00000000..8549f9fe
--- /dev/null
+++ b/policy/modules/contrib/loadkeys.fc
@@ -0,0 +1,3 @@
+
+/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
+/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
diff --git a/policy/modules/contrib/loadkeys.if b/policy/modules/contrib/loadkeys.if
new file mode 100644
index 00000000..b55edd05
--- /dev/null
+++ b/policy/modules/contrib/loadkeys.if
@@ -0,0 +1,67 @@
+## <summary>Load keyboard mappings.</summary>
+
+########################################
+## <summary>
+## Execute the loadkeys program in the loadkeys domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`loadkeys_domtrans',`
+ gen_require(`
+ type loadkeys_t, loadkeys_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit loadkeys_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute the loadkeys program in the loadkeys domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the loadkeys domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`loadkeys_run',`
+ gen_require(`
+ type loadkeys_t;
+ ')
+
+ loadkeys_domtrans($1)
+ role $2 types loadkeys_t;
+')
+
+########################################
+## <summary>
+## Execute the loadkeys program in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`loadkeys_exec',`
+ gen_require(`
+ type loadkeys_exec_t;
+ ')
+
+ can_exec($1, loadkeys_exec_t)
+')
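Review bot: The summaries of `loadkeys_domtrans` and `loadkeys_run` are identical ("Execute the loadkeys program in the loadkeys domain."), so the role-granting variant is indistinguishable in generated documentation; `loadkeys_run` should read `## Execute the loadkeys program in the loadkeys domain, and allow the specified role the loadkeys domain.`, matching `logrotate_run` in this commit. `loadkeys_exec` also omits the `corecmd_search_bin($1)` that `loadkeys_domtrans` has, whereas `logrotate_exec` in the same commit includes it; if the omission is not deliberate, add `corecmd_search_bin($1)` before `can_exec($1, loadkeys_exec_t)`.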
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
new file mode 100644
index 00000000..2523758c
--- /dev/null
+++ b/policy/modules/contrib/loadkeys.te
@@ -0,0 +1,50 @@
+policy_module(loadkeys, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+# cjp: this should probably be rewritten
+# per user domain, since it can rw
+# all user domain ttys
+type loadkeys_t;
+type loadkeys_exec_t;
+init_system_domain(loadkeys_t, loadkeys_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };
+allow loadkeys_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(loadkeys_t)
+
+corecmd_exec_bin(loadkeys_t)
+corecmd_exec_shell(loadkeys_t)
+
+files_read_etc_files(loadkeys_t)
+files_read_etc_runtime_files(loadkeys_t)
+
+term_dontaudit_use_console(loadkeys_t)
+term_use_unallocated_ttys(loadkeys_t)
+
+init_dontaudit_use_fds(loadkeys_t)
+init_dontaudit_use_script_ptys(loadkeys_t)
+
+locallogin_use_fds(loadkeys_t)
+
+miscfiles_read_localization(loadkeys_t)
+
+userdom_use_user_ttys(loadkeys_t)
+userdom_list_user_home_content(loadkeys_t)
+
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_rw_lvm_control(loadkeys_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(loadkeys_t)
+')
diff --git a/policy/modules/contrib/lockdev.fc b/policy/modules/contrib/lockdev.fc
new file mode 100644
index 00000000..8b5ce032
--- /dev/null
+++ b/policy/modules/contrib/lockdev.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0)
diff --git a/policy/modules/contrib/lockdev.if b/policy/modules/contrib/lockdev.if
new file mode 100644
index 00000000..8e7d279a
--- /dev/null
+++ b/policy/modules/contrib/lockdev.if
@@ -0,0 +1,33 @@
+## <summary>device locking policy for lockdev</summary>
+
+########################################
+## <summary>
+## Role access for lockdev
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`lockdev_role',`
+ gen_require(`
+ type lockdev_t, lockdev_exec_t;
+ type lockdev_lock_t;
+ ')
+
+ role $1 types lockdev_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, lockdev_exec_t, lockdev_t)
+ allow lockdev_t $2:process signull;
+
+ # allow ps to show lockdev
+ ps_process_pattern($2, lockdev_t)
+ allow $2 lockdev_t:process signal;
+')
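Review bot: `lockdev_role` requires `type lockdev_lock_t;` in its `gen_require` block but never references that type in the body, so the require is dead and tightens the interface's load requirements for nothing; drop that line and keep only `type lockdev_t, lockdev_exec_t;`. If the intent was to also let the user domain see or manage the lock files, then a rule is missing rather than the require being surplus — worth confirming against the caller.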
diff --git a/policy/modules/contrib/lockdev.te b/policy/modules/contrib/lockdev.te
new file mode 100644
index 00000000..572b5dbb
--- /dev/null
+++ b/policy/modules/contrib/lockdev.te
@@ -0,0 +1,37 @@
+policy_module(lockdev, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type lockdev_t;
+type lockdev_exec_t;
+typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t };
+typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t };
+userdom_user_application_domain(lockdev_t, lockdev_exec_t)
+
+type lockdev_lock_t;
+typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t };
+typealias lockdev_lock_t alias { auditadm_lockdev_lock_t secadm_lockdev_lock_t };
+files_lock_file(lockdev_lock_t)
+ubac_constrained(lockdev_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+# Use capabilities.
+allow lockdev_t self:capability setgid;
+
+allow lockdev_t lockdev_lock_t:file manage_file_perms;
+files_lock_filetrans(lockdev_t, lockdev_lock_t, file)
+
+files_read_all_locks(lockdev_t)
+
+fs_getattr_xattr_fs(lockdev_t)
+
+logging_send_syslog_msg(lockdev_t)
+
+userdom_use_user_terminals(lockdev_t)
diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc
new file mode 100644
index 00000000..36c8de7f
--- /dev/null
+++ b/policy/modules/contrib/logrotate.fc
@@ -0,0 +1,9 @@
+/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
+/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
+ifdef(`distro_debian', `
+/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+', `
+/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+')
diff --git a/policy/modules/contrib/logrotate.if b/policy/modules/contrib/logrotate.if
new file mode 100644
index 00000000..9cd6b0b8
--- /dev/null
+++ b/policy/modules/contrib/logrotate.if
@@ -0,0 +1,120 @@
+## <summary>Rotate and archive system logs</summary>
+
+########################################
+## <summary>
+## Execute logrotate in the logrotate domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logrotate_domtrans',`
+ gen_require(`
+ type logrotate_t, logrotate_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, logrotate_exec_t, logrotate_t)
+')
+
+########################################
+## <summary>
+## Execute logrotate in the logrotate domain, and
+## allow the specified role the logrotate domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logrotate_run',`
+ gen_require(`
+ type logrotate_t;
+ ')
+
+ logrotate_domtrans($1)
+ role $2 types logrotate_t;
+')
+
+########################################
+## <summary>
+## Execute logrotate in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logrotate_exec',`
+ gen_require(`
+ type logrotate_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, logrotate_exec_t)
+')
+
+########################################
+## <summary>
+## Inherit and use logrotate file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logrotate_use_fds',`
+ gen_require(`
+ type logrotate_t;
+ ')
+
+ allow $1 logrotate_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit logrotate file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`logrotate_dontaudit_use_fds',`
+ gen_require(`
+ type logrotate_t;
+ ')
+
+ dontaudit $1 logrotate_t:fd use;
+')
+
+########################################
+## <summary>
+## Read a logrotate temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logrotate_read_tmp_files',`
+ gen_require(`
+ type logrotate_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 logrotate_tmp_t:file read_file_perms;
+')
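Review bot: `logrotate_read_tmp_files` grants `allow $1 logrotate_tmp_t:file read_file_perms;` directly, while `livecd_read_tmp_files` in the same commit uses `read_files_pattern($1, livecd_tmp_t, livecd_tmp_t)`, which also covers directory search on the tmp type; the `logwatch_read_tmp_files` hunk has the same shape. Using `read_files_pattern($1, logrotate_tmp_t, logrotate_tmp_t)` would be consistent, unless the narrower grant is intended. The summary "Read a logrotate temporary files." should be `## Read logrotate temporary files.`.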
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
new file mode 100644
index 00000000..7090dae7
--- /dev/null
+++ b/policy/modules/contrib/logrotate.te
@@ -0,0 +1,230 @@
+policy_module(logrotate, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+type logrotate_t;
+domain_type(logrotate_t)
+domain_obj_id_change_exemption(logrotate_t)
+domain_system_change_exemption(logrotate_t)
+role system_r types logrotate_t;
+
+type logrotate_exec_t;
+domain_entry_file(logrotate_t, logrotate_exec_t)
+
+type logrotate_lock_t;
+files_lock_file(logrotate_lock_t)
+
+type logrotate_tmp_t;
+files_tmp_file(logrotate_tmp_t)
+
+type logrotate_var_lib_t;
+files_type(logrotate_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+# Change ownership on log files.
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
+# for mailx
+dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
+
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
+# Set a context other than the default one for newly created files.
+allow logrotate_t self:process setfscreate;
+
+allow logrotate_t self:fd use;
+allow logrotate_t self:fifo_file rw_fifo_file_perms;
+allow logrotate_t self:unix_dgram_socket create_socket_perms;
+allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
+allow logrotate_t self:unix_dgram_socket sendto;
+allow logrotate_t self:unix_stream_socket connectto;
+allow logrotate_t self:shm create_shm_perms;
+allow logrotate_t self:sem create_sem_perms;
+allow logrotate_t self:msgq create_msgq_perms;
+allow logrotate_t self:msg { send receive };
+
+allow logrotate_t logrotate_lock_t:file manage_file_perms;
+files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
+
+can_exec(logrotate_t, logrotate_tmp_t)
+
+manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
+manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
+files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+
+# for /var/lib/logrotate.status and /var/lib/logcheck
+create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
+
+kernel_read_system_state(logrotate_t)
+kernel_read_kernel_sysctls(logrotate_t)
+
+dev_read_urand(logrotate_t)
+
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_xattr_fs(logrotate_t)
+fs_list_inotifyfs(logrotate_t)
+
+mls_file_read_all_levels(logrotate_t)
+mls_file_write_all_levels(logrotate_t)
+mls_file_upgrade(logrotate_t)
+
+selinux_get_fs_mount(logrotate_t)
+selinux_get_enforce_mode(logrotate_t)
+
+auth_manage_login_records(logrotate_t)
+auth_use_nsswitch(logrotate_t)
+
+# Run helper programs.
+corecmd_exec_bin(logrotate_t)
+corecmd_exec_shell(logrotate_t)
+
+domain_signal_all_domains(logrotate_t)
+domain_use_interactive_fds(logrotate_t)
+domain_getattr_all_entry_files(logrotate_t)
+# Read /proc/PID directories for all domains.
+domain_read_all_domains_state(logrotate_t)
+
+files_read_usr_files(logrotate_t)
+files_read_etc_files(logrotate_t)
+files_read_etc_runtime_files(logrotate_t)
+files_read_all_pids(logrotate_t)
+files_search_all(logrotate_t)
+files_read_var_lib_files(logrotate_t)
+# Write to /var/spool/slrnpull - should be moved into its own type.
+files_manage_generic_spool(logrotate_t)
+files_manage_generic_spool_dirs(logrotate_t)
+files_getattr_generic_locks(logrotate_t)
+
+# cjp: why is this needed?
+init_domtrans_script(logrotate_t)
+
+logging_manage_all_logs(logrotate_t)
+logging_send_syslog_msg(logrotate_t)
+logging_send_audit_msgs(logrotate_t)
+# cjp: why is this needed?
+logging_exec_all_logs(logrotate_t)
+
+miscfiles_read_localization(logrotate_t)
+
+seutil_dontaudit_read_config(logrotate_t)
+
+userdom_use_user_terminals(logrotate_t)
+userdom_list_user_home_dirs(logrotate_t)
+userdom_use_unpriv_users_fds(logrotate_t)
+
+cron_system_entry(logrotate_t, logrotate_exec_t)
+cron_search_spool(logrotate_t)
+
+mta_send_mail(logrotate_t)
+
+ifdef(`distro_debian', `
+ allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
+ # for savelog
+ can_exec(logrotate_t, logrotate_exec_t)
+
+ # for syslogd-listfiles
+ logging_read_syslog_config(logrotate_t)
+
+ # for "test -x /sbin/syslogd"
+ logging_check_exec_syslog(logrotate_t)
+')
+
+optional_policy(`
+ abrt_cache_manage(logrotate_t)
+')
+
+optional_policy(`
+ acct_domtrans(logrotate_t)
+ acct_manage_data(logrotate_t)
+ acct_exec_data(logrotate_t)
+')
+
+optional_policy(`
+ apache_read_config(logrotate_t)
+ apache_domtrans(logrotate_t)
+ apache_signull(logrotate_t)
+')
+
+optional_policy(`
+ asterisk_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ bind_manage_cache(logrotate_t)
+')
+
+optional_policy(`
+ consoletype_exec(logrotate_t)
+')
+
+optional_policy(`
+ cups_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ fail2ban_stream_connect(logrotate_t)
+')
+
+optional_policy(`
+ hostname_exec(logrotate_t)
+')
+
+optional_policy(`
+ icecast_signal(logrotate_t)
+')
+
+optional_policy(`
+ mailman_domtrans(logrotate_t)
+ mailman_search_data(logrotate_t)
+ mailman_manage_log(logrotate_t)
+')
+
+optional_policy(`
+ munin_read_config(logrotate_t)
+ munin_stream_connect(logrotate_t)
+ munin_search_lib(logrotate_t)
+')
+
+optional_policy(`
+ mysql_read_config(logrotate_t)
+ mysql_search_db(logrotate_t)
+ mysql_stream_connect(logrotate_t)
+')
+
+optional_policy(`
+ psad_domtrans(logrotate_t)
+')
+
+
+optional_policy(`
+ samba_exec_log(logrotate_t)
+')
+
+optional_policy(`
+ sssd_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ slrnpull_manage_spool(logrotate_t)
+')
+
+optional_policy(`
+ squid_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ #Red Hat bug 564565
+ su_exec(logrotate_t)
+')
+
+optional_policy(`
+ varnishd_manage_log(logrotate_t)
+')
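Review bot: The `allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` rule is a negated permission set, which grants every current and future `process` permission except the listed ones, so a permission added to the class later is silently allowed; listing the needed permissions positively is the auditable form, and the follow-up `allow logrotate_t self:process setfscreate;` three lines down (which re-adds a permission the negated set just excluded) could then be folded into it. The two `# cjp: why is this needed?` comments before `init_domtrans_script` and `logging_exec_all_logs` are open questions being committed as-is; either resolve them or mark them `TODO` so they are findable. `files_manage_generic_spool` carries a note that it should move to its own type — same treatment.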
diff --git a/policy/modules/contrib/logwatch.fc b/policy/modules/contrib/logwatch.fc
new file mode 100644
index 00000000..3c7b1e8b
--- /dev/null
+++ b/policy/modules/contrib/logwatch.fc
@@ -0,0 +1,7 @@
+/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+
+/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
+
+/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
+/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
+/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)
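Review bot: `gen_context(system_u:object_r:logwatch_exec_t, s0)` on the logwatch.pl line and `gen_context(system_u:object_r:logwatch_cache_t, s0)` on the /var/cache/logwatch line have a space before `s0` while every other entry in this commit writes `,s0` without one; a style point, but the file should be uniform, e.g. `gen_context(system_u:object_r:logwatch_exec_t,s0)`. Also `/var/log/logcheck/.+` is labelled with the lock type `logwatch_lock_t` rather than a log type; if that is intentional (logcheck keeping lock files under /var/log), a one-line comment saying so would prevent a later "fix".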
diff --git a/policy/modules/contrib/logwatch.if b/policy/modules/contrib/logwatch.if
new file mode 100644
index 00000000..d878e752
--- /dev/null
+++ b/policy/modules/contrib/logwatch.if
@@ -0,0 +1,38 @@
+## <summary>System log analyzer and reporter</summary>
+
+########################################
+## <summary>
+## Read logwatch temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logwatch_read_tmp_files',`
+ gen_require(`
+ type logwatch_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 logwatch_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search logwatch cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logwatch_search_cache_dir',`
+ gen_require(`
+ type logwatch_cache_t;
+ ')
+
+ allow $1 logwatch_cache_t:dir search_dir_perms;
+')
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
new file mode 100644
index 00000000..75ce30f3
--- /dev/null
+++ b/policy/modules/contrib/logwatch.te
@@ -0,0 +1,147 @@
+policy_module(logwatch, 1.11.0)
+
+#################################
+#
+# Declarations
+#
+
+type logwatch_t;
+type logwatch_exec_t;
+application_domain(logwatch_t, logwatch_exec_t)
+role system_r types logwatch_t;
+
+type logwatch_cache_t;
+files_type(logwatch_cache_t)
+
+type logwatch_lock_t;
+files_lock_file(logwatch_lock_t)
+
+type logwatch_tmp_t;
+files_tmp_file(logwatch_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow logwatch_t self:capability { dac_override dac_read_search setgid };
+allow logwatch_t self:process signal;
+allow logwatch_t self:fifo_file rw_file_perms;
+allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
+manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
+
+allow logwatch_t logwatch_lock_t:file manage_file_perms;
+files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
+
+manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
+manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
+files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
+
+kernel_read_fs_sysctls(logwatch_t)
+kernel_read_kernel_sysctls(logwatch_t)
+kernel_read_system_state(logwatch_t)
+kernel_read_net_sysctls(logwatch_t)
+kernel_read_network_state(logwatch_t)
+
+corecmd_exec_bin(logwatch_t)
+corecmd_exec_shell(logwatch_t)
+
+dev_read_urand(logwatch_t)
+dev_read_sysfs(logwatch_t)
+
+# Read /proc/PID directories for all domains.
+domain_read_all_domains_state(logwatch_t)
+
+files_list_var(logwatch_t)
+files_read_var_symlinks(logwatch_t)
+files_read_etc_files(logwatch_t)
+files_read_etc_runtime_files(logwatch_t)
+files_read_usr_files(logwatch_t)
+files_search_spool(logwatch_t)
+files_search_mnt(logwatch_t)
+files_dontaudit_search_home(logwatch_t)
+files_dontaudit_search_boot(logwatch_t)
+# Execs df and if file system mounted with a context avc raised
+files_dontaudit_search_all_dirs(logwatch_t)
+
+fs_getattr_all_fs(logwatch_t)
+fs_dontaudit_list_auto_mountpoints(logwatch_t)
+fs_list_inotifyfs(logwatch_t)
+
+term_dontaudit_getattr_pty_dirs(logwatch_t)
+term_dontaudit_list_ptys(logwatch_t)
+
+auth_use_nsswitch(logwatch_t)
+auth_dontaudit_read_shadow(logwatch_t)
+
+init_read_utmp(logwatch_t)
+init_dontaudit_write_utmp(logwatch_t)
+
+libs_read_lib_files(logwatch_t)
+
+logging_read_all_logs(logwatch_t)
+logging_send_syslog_msg(logwatch_t)
+
+miscfiles_read_localization(logwatch_t)
+
+selinux_dontaudit_getattr_dir(logwatch_t)
+
+sysnet_dns_name_resolve(logwatch_t)
+sysnet_exec_ifconfig(logwatch_t)
+
+userdom_dontaudit_search_user_home_dirs(logwatch_t)
+
+mta_send_mail(logwatch_t)
+
+ifdef(`distro_redhat',`
+ files_search_all(logwatch_t)
+ files_getattr_all_file_type_fs(logwatch_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(logwatch_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(logwatch_t)
+')
+
+optional_policy(`
+ apache_read_log(logwatch_t)
+')
+
+optional_policy(`
+ avahi_dontaudit_search_pid(logwatch_t)
+')
+
+optional_policy(`
+ bind_read_config(logwatch_t)
+ bind_read_zone(logwatch_t)
+')
+
+optional_policy(`
+ cron_system_entry(logwatch_t, logwatch_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(logwatch_t)
+')
+
+optional_policy(`
+ mta_getattr_spool(logwatch_t)
+')
+
+optional_policy(`
+ ntp_domtrans(logwatch_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(logwatch_t)
+')
+
+optional_policy(`
+ samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
+')
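Review bot: `allow logwatch_t self:fifo_file rw_file_perms;` uses the generic file permission set on a fifo, where every other module in this commit (lircd, loadkeys, logrotate) uses `rw_fifo_file_perms`; change it to `allow logwatch_t self:fifo_file rw_fifo_file_perms;` so the permission set matches the object class. `auth_dontaudit_read_shadow(logwatch_t)` and `files_dontaudit_search_all_dirs(logwatch_t)` both suppress denials; the latter has a comment explaining why, the former does not, and a one-line reason would help whoever next audits this domain.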
diff --git a/policy/modules/contrib/lpd.fc b/policy/modules/contrib/lpd.fc
new file mode 100644
index 00000000..5c9eb683
--- /dev/null
+++ b/policy/modules/contrib/lpd.fc
@@ -0,0 +1,37 @@
+#
+# /dev
+#
+/dev/printer -s gen_context(system_u:object_r:printer_t,s0)
+
+/opt/gutenprint/s?bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
+/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
+/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
+/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
+/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
+/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
+
+#
+# /var
+#
+/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
+/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
diff --git a/policy/modules/contrib/lpd.if b/policy/modules/contrib/lpd.if
new file mode 100644
index 00000000..a4f32f54
--- /dev/null
+++ b/policy/modules/contrib/lpd.if
@@ -0,0 +1,214 @@
+## <summary>Line printer daemon</summary>
+
+########################################
+## <summary>
+## Role access for lpd
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`lpd_role',`
+ gen_require(`
+ type lpr_t, lpr_exec_t, print_spool_t;
+ ')
+
+ role $1 types lpr_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, lpr_exec_t, lpr_t)
+ dontaudit lpr_t $2:unix_stream_socket { read write };
+
+ ps_process_pattern($2, lpr_t)
+ allow $2 lpr_t:process signull;
+
+ optional_policy(`
+ cups_read_config($2)
+ ')
+')
+
+########################################
+## <summary>
+## Execute lpd in the lpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lpd_domtrans_checkpc',`
+ gen_require(`
+ type checkpc_t, checkpc_exec_t;
+ ')
+
+ domtrans_pattern($1, checkpc_exec_t, checkpc_t)
+')
+
+########################################
+## <summary>
+## Execute amrecover in the lpd domain, and
+## allow the specified role the lpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lpd_run_checkpc',`
+ gen_require(`
+ type checkpc_t;
+ ')
+
+ lpd_domtrans_checkpc($1)
+ role $2 types checkpc_t;
+')
+
+########################################
+## <summary>
+## List the contents of the printer spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_list_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 print_spool_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read the printer spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_read_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, print_spool_t, print_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete printer spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_manage_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, print_spool_t, print_spool_t)
+ manage_files_pattern($1, print_spool_t, print_spool_t)
+ manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
+')
+
+########################################
+## <summary>
+## Relabel from and to the spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_relabel_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 print_spool_t:file { relabelto relabelfrom };
+')
+
+########################################
+## <summary>
+## List the contents of the printer spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lpd_read_config',`
+ gen_require(`
+ type printconf_t;
+ ')
+
+ allow $1 printconf_t:dir list_dir_perms;
+ read_files_pattern($1, printconf_t, printconf_t)
+')
+
+########################################
+## <summary>
+## Transition to a user lpr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+template(`lpd_domtrans_lpr',`
+ gen_require(`
+ type lpr_t, lpr_exec_t;
+ ')
+
+ domtrans_pattern($1, lpr_exec_t, lpr_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute lpr
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_exec_lpr',`
+ gen_require(`
+ type lpr_exec_t;
+ ')
+
+ can_exec($1, lpr_exec_t)
+')
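Review bot: Several interface summaries in lpd.if describe the wrong thing: `lpd_domtrans_checkpc` says "Execute lpd in the lpd domain." (should be `## Execute checkpc in the checkpc domain.`), `lpd_run_checkpc` says "Execute amrecover in the lpd domain" (should be `## Execute checkpc in the checkpc domain, and allow the specified role the checkpc domain.`), and `lpd_read_config` repeats `lpd_list_spool`'s "List the contents of the printer spool directories." (should be `## Read the printer configuration files.`). `lpd_domtrans_lpr` is declared with `template(` although it takes a single domain argument and creates no per-caller types like the surrounding `interface(` definitions; it may be a legacy leftover, but the difference is worth confirming before it ships.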
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
new file mode 100644
index 00000000..a03b63a9
--- /dev/null
+++ b/policy/modules/contrib/lpd.te
@@ -0,0 +1,328 @@
+policy_module(lpd, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Use lpd server instead of cups
+## </p>
+## </desc>
+gen_tunable(use_lpd_server, false)
+
+type checkpc_t;
+type checkpc_exec_t;
+init_system_domain(checkpc_t, checkpc_exec_t)
+role system_r types checkpc_t;
+
+type checkpc_log_t;
+logging_log_file(checkpc_log_t)
+
+type lpd_t;
+type lpd_exec_t;
+init_daemon_domain(lpd_t, lpd_exec_t)
+
+type lpd_tmp_t;
+files_tmp_file(lpd_tmp_t)
+
+type lpd_var_run_t;
+files_pid_file(lpd_var_run_t)
+
+type lpr_t;
+type lpr_exec_t;
+typealias lpr_t alias { user_lpr_t staff_lpr_t sysadm_lpr_t };
+typealias lpr_t alias { auditadm_lpr_t secadm_lpr_t };
+userdom_user_application_domain(lpr_t, lpr_exec_t)
+
+type lpr_tmp_t;
+typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t };
+typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t };
+userdom_user_tmp_file(lpr_tmp_t)
+
+# Type for spool files.
+type print_spool_t;
+typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
+typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
+files_type(print_spool_t)
+ubac_constrained(print_spool_t)
+
+type printer_t;
+files_type(printer_t)
+
+type printconf_t;
+files_type(printconf_t)
+
+########################################
+#
+# Checkpc local policy
+#
+
+# Allow checkpc to access the lpd spool so it can check & fix it.
+# This requires that /usr/sbin/checkpc have type checkpc_t.
+
+allow checkpc_t self:capability { setgid setuid dac_override };
+allow checkpc_t self:process signal_perms;
+allow checkpc_t self:unix_stream_socket create_socket_perms;
+allow checkpc_t self:tcp_socket create_socket_perms;
+allow checkpc_t self:udp_socket create_socket_perms;
+
+allow checkpc_t checkpc_log_t:file manage_file_perms;
+logging_log_filetrans(checkpc_t, checkpc_log_t, file)
+
+allow checkpc_t lpd_var_run_t:dir search_dir_perms;
+files_search_pids(checkpc_t)
+
+rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
+delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
+files_search_spool(checkpc_t)
+
+allow checkpc_t printconf_t:file getattr;
+allow checkpc_t printconf_t:dir list_dir_perms;
+
+kernel_read_system_state(checkpc_t)
+
+corenet_all_recvfrom_unlabeled(checkpc_t)
+corenet_all_recvfrom_netlabel(checkpc_t)
+corenet_tcp_sendrecv_generic_if(checkpc_t)
+corenet_udp_sendrecv_generic_if(checkpc_t)
+corenet_tcp_sendrecv_generic_node(checkpc_t)
+corenet_udp_sendrecv_generic_node(checkpc_t)
+corenet_tcp_sendrecv_all_ports(checkpc_t)
+corenet_udp_sendrecv_all_ports(checkpc_t)
+corenet_tcp_connect_all_ports(checkpc_t)
+corenet_sendrecv_all_client_packets(checkpc_t)
+
+dev_append_printer(checkpc_t)
+
+# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
+corecmd_exec_shell(checkpc_t)
+corecmd_exec_bin(checkpc_t)
+
+domain_use_interactive_fds(checkpc_t)
+
+files_read_etc_files(checkpc_t)
+files_read_etc_runtime_files(checkpc_t)
+
+init_use_script_ptys(checkpc_t)
+# Allow access to /dev/console through the fd:
+init_use_fds(checkpc_t)
+
+sysnet_read_config(checkpc_t)
+
+userdom_use_user_terminals(checkpc_t)
+
+optional_policy(`
+ cron_system_entry(checkpc_t, checkpc_exec_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(checkpc_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(checkpc_t)
+')
+
+########################################
+#
+# Lpd local policy
+#
+
+allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
+dontaudit lpd_t self:capability sys_tty_config;
+allow lpd_t self:process signal_perms;
+allow lpd_t self:fifo_file rw_fifo_file_perms;
+allow lpd_t self:unix_stream_socket create_stream_socket_perms;
+allow lpd_t self:unix_dgram_socket create_socket_perms;
+allow lpd_t self:tcp_socket create_stream_socket_perms;
+allow lpd_t self:udp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
+manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
+files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
+
+manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
+manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
+files_pid_filetrans(lpd_t, lpd_var_run_t, file)
+
+# Write to /var/spool/lpd.
+manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
+files_search_spool(lpd_t)
+
+# lpd must be able to execute the filter utilities in /usr/share/printconf.
+allow lpd_t printconf_t:dir list_dir_perms;
+can_exec(lpd_t, printconf_t)
+
+# Create and bind to /dev/printer.
+allow lpd_t printer_t:lnk_file manage_lnk_file_perms;
+dev_filetrans(lpd_t, printer_t, lnk_file)
+
+kernel_read_kernel_sysctls(lpd_t)
+# bash wants access to /proc/meminfo
+kernel_read_system_state(lpd_t)
+
+corenet_all_recvfrom_unlabeled(lpd_t)
+corenet_all_recvfrom_netlabel(lpd_t)
+corenet_tcp_sendrecv_generic_if(lpd_t)
+corenet_udp_sendrecv_generic_if(lpd_t)
+corenet_tcp_sendrecv_generic_node(lpd_t)
+corenet_udp_sendrecv_generic_node(lpd_t)
+corenet_tcp_sendrecv_all_ports(lpd_t)
+corenet_udp_sendrecv_all_ports(lpd_t)
+corenet_tcp_bind_generic_node(lpd_t)
+corenet_tcp_bind_printer_port(lpd_t)
+corenet_sendrecv_printer_server_packets(lpd_t)
+
+dev_read_sysfs(lpd_t)
+dev_rw_printer(lpd_t)
+
+fs_getattr_all_fs(lpd_t)
+fs_search_auto_mountpoints(lpd_t)
+
+# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+corecmd_exec_bin(lpd_t)
+corecmd_exec_shell(lpd_t)
+
+domain_use_interactive_fds(lpd_t)
+
+files_read_etc_runtime_files(lpd_t)
+files_read_usr_files(lpd_t)
+# for defoma
+files_list_world_readable(lpd_t)
+files_read_world_readable_files(lpd_t)
+files_read_world_readable_symlinks(lpd_t)
+files_list_var_lib(lpd_t)
+files_read_var_lib_files(lpd_t)
+files_read_var_lib_symlinks(lpd_t)
+# config files for lpd are of type etc_t, probably should change this
+files_read_etc_files(lpd_t)
+
+logging_send_syslog_msg(lpd_t)
+
+miscfiles_read_fonts(lpd_t)
+miscfiles_read_localization(lpd_t)
+
+sysnet_read_config(lpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(lpd_t)
+userdom_dontaudit_search_user_home_dirs(lpd_t)
+
+optional_policy(`
+ nis_use_ypbind(lpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(lpd_t)
+')
+
+optional_policy(`
+ udev_read_db(lpd_t)
+')
+
+##############################
+#
+# Local policy
+#
+
+allow lpr_t self:capability { setuid dac_override net_bind_service chown };
+allow lpr_t self:unix_stream_socket create_stream_socket_perms;
+allow lpr_t self:tcp_socket create_socket_perms;
+allow lpr_t self:udp_socket create_socket_perms;
+
+can_exec(lpr_t, lpr_exec_t)
+
+# Allow lpd to read, rename, and unlink spool files.
+allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
+
+kernel_read_kernel_sysctls(lpr_t)
+
+corenet_all_recvfrom_unlabeled(lpr_t)
+corenet_all_recvfrom_netlabel(lpr_t)
+corenet_tcp_sendrecv_generic_if(lpr_t)
+corenet_udp_sendrecv_generic_if(lpr_t)
+corenet_tcp_sendrecv_generic_node(lpr_t)
+corenet_udp_sendrecv_generic_node(lpr_t)
+corenet_tcp_sendrecv_all_ports(lpr_t)
+corenet_udp_sendrecv_all_ports(lpr_t)
+corenet_tcp_connect_all_ports(lpr_t)
+corenet_sendrecv_all_client_packets(lpr_t)
+
+dev_read_rand(lpr_t)
+dev_read_urand(lpr_t)
+
+domain_use_interactive_fds(lpr_t)
+
+files_search_spool(lpr_t)
+# for lpd config files (should have a new type)
+files_read_etc_files(lpr_t)
+# for test print
+files_read_usr_files(lpr_t)
+#Added to cover read_content macro
+files_list_home(lpr_t)
+files_read_generic_tmp_files(lpr_t)
+
+fs_getattr_xattr_fs(lpr_t)
+
+# Access the terminal.
+term_use_controlling_term(lpr_t)
+term_use_generic_ptys(lpr_t)
+
+auth_use_nsswitch(lpr_t)
+
+miscfiles_read_localization(lpr_t)
+
+userdom_read_user_tmp_symlinks(lpr_t)
+# Write to the user domain tty.
+userdom_use_user_terminals(lpr_t)
+userdom_read_user_home_content_files(lpr_t)
+userdom_read_user_tmp_files(lpr_t)
+
+tunable_policy(`use_lpd_server',`
+ # lpr can run in lightweight mode, without a local print spooler.
+ allow lpr_t lpd_var_run_t:dir search;
+ allow lpr_t lpd_var_run_t:sock_file write;
+ files_read_var_files(lpr_t)
+
+ # Connect to lpd via a Unix domain socket.
+ allow lpr_t printer_t:sock_file rw_sock_file_perms;
+ allow lpr_t lpd_t:unix_stream_socket connectto;
+ # Send SIGHUP to lpd.
+ allow lpr_t lpd_t:process signal;
+
+ manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+ manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+ files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir })
+
+ manage_files_pattern(lpr_t, print_spool_t, print_spool_t)
+ filetrans_pattern(lpr_t, print_spool_t, print_spool_t, file)
+ # Read and write shared files in the spool directory.
+ allow lpr_t print_spool_t:file rw_file_perms;
+
+ allow lpr_t printconf_t:dir list_dir_perms;
+ read_files_pattern(lpr_t, printconf_t, printconf_t)
+ read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(lpr_t)
+ fs_read_nfs_files(lpr_t)
+ fs_read_nfs_symlinks(lpr_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(lpr_t)
+ fs_read_cifs_files(lpr_t)
+ fs_read_cifs_symlinks(lpr_t)
+')
+
+optional_policy(`
+ cups_read_config(lpr_t)
+ cups_stream_connect(lpr_t)
+ cups_read_pid_files(lpr_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(lpr_t)
+')
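Review bot: `allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };` sits in the lpr section under the `# Local policy` header even though it grants to lpd_t, and it is already subsumed by `manage_files_pattern(lpd_t, print_spool_t, print_spool_t)` in the lpd section, so it can be dropped (or moved up next to that line if the `# Allow lpd to read, rename, and unlink spool files.` comment is wanted there). That `# Local policy` header is the only unnamed section in the file; `# Lpr local policy` would match the checkpc and lpd headers above it. Both checkpc_t and lpr_t also get `corenet_tcp_connect_all_ports`, the broadest outbound grant available; a one-line comment on why a spool checker needs arbitrary outbound connections would let a later maintainer narrow it to the printer port with confidence.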
diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc
new file mode 100644
index 00000000..14ad1896
--- /dev/null
+++ b/policy/modules/contrib/mailman.fc
@@ -0,0 +1,34 @@
+/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0)
+/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+
+#
+# distro_debian
+#
+ifdef(`distro_debian', `
+/etc/cron\.daily/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/etc/cron\.monthly/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+')
+
+#
+# distro_redhat
+#
+ifdef(`distro_redhat', `
+/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+
+/usr/lib(64)?/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib(64)?/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib(64)?/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib(64)?/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+')
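Review bot: `/usr/lib/mailman/cron/.*` on the second line lacks the `(64)?` alternative that the `mailmanctl` line above it and the Red Hat lines below use, so on a lib64 layout those cron scripts would presumably not receive the `mailman_queue_exec_t` label. `/usr/lib(64)?/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)` keeps the file consistent with its siblings. `/var/run/mailman(/.*)?` is also labeled `mailman_lock_t`, the same type as `/var/lock/mailman`; if sharing one type for lock and runtime files is intentional, a short comment saying so would help, since the other modules in this series use a dedicated `*_var_run_t` for /var/run content.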
diff --git a/policy/modules/contrib/mailman.if b/policy/modules/contrib/mailman.if
new file mode 100644
index 00000000..67c7fddf
--- /dev/null
+++ b/policy/modules/contrib/mailman.if
@@ -0,0 +1,352 @@
+## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
+
+#######################################
+## <summary>
+## The template to define a mailmain domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a domain to be used for
+## a new mailman daemon.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The type of daemon to be used eg, cgi would give mailman_cgi_
+## </summary>
+## </param>
+#
+template(`mailman_domain_template', `
+ type mailman_$1_t;
+ domain_type(mailman_$1_t)
+ role system_r types mailman_$1_t;
+
+ type mailman_$1_exec_t;
+ domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
+
+ type mailman_$1_tmp_t;
+ files_tmp_file(mailman_$1_tmp_t)
+
+ allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
+ allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
+ allow mailman_$1_t self:udp_socket create_socket_perms;
+
+ files_search_spool(mailman_$1_t)
+
+ manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+ manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+ manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+
+ manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+ manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+ manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+
+ manage_files_pattern(mailman_$1_t, mailman_lock_t, mailman_lock_t)
+ files_lock_filetrans(mailman_$1_t, mailman_lock_t, file)
+
+ manage_files_pattern(mailman_$1_t, mailman_log_t, mailman_log_t)
+ logging_log_filetrans(mailman_$1_t, mailman_log_t, file)
+
+ manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
+ manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
+ files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
+
+ kernel_read_kernel_sysctls(mailman_$1_t)
+ kernel_read_system_state(mailman_$1_t)
+
+ corenet_all_recvfrom_unlabeled(mailman_$1_t)
+ corenet_all_recvfrom_netlabel(mailman_$1_t)
+ corenet_tcp_sendrecv_generic_if(mailman_$1_t)
+ corenet_udp_sendrecv_generic_if(mailman_$1_t)
+ corenet_raw_sendrecv_generic_if(mailman_$1_t)
+ corenet_tcp_sendrecv_generic_node(mailman_$1_t)
+ corenet_udp_sendrecv_generic_node(mailman_$1_t)
+ corenet_raw_sendrecv_generic_node(mailman_$1_t)
+ corenet_tcp_sendrecv_all_ports(mailman_$1_t)
+ corenet_udp_sendrecv_all_ports(mailman_$1_t)
+ corenet_tcp_bind_generic_node(mailman_$1_t)
+ corenet_udp_bind_generic_node(mailman_$1_t)
+ corenet_tcp_connect_smtp_port(mailman_$1_t)
+ corenet_sendrecv_smtp_client_packets(mailman_$1_t)
+
+ fs_getattr_xattr_fs(mailman_$1_t)
+
+ corecmd_exec_all_executables(mailman_$1_t)
+
+ files_exec_etc_files(mailman_$1_t)
+ files_list_usr(mailman_$1_t)
+ files_list_var(mailman_$1_t)
+ files_list_var_lib(mailman_$1_t)
+ files_read_var_lib_symlinks(mailman_$1_t)
+ files_read_etc_runtime_files(mailman_$1_t)
+
+ auth_use_nsswitch(mailman_$1_t)
+
+ libs_exec_ld_so(mailman_$1_t)
+ libs_exec_lib_files(mailman_$1_t)
+
+ logging_send_syslog_msg(mailman_$1_t)
+
+ miscfiles_read_localization(mailman_$1_t)
+')
+
+#######################################
+## <summary>
+## Execute mailman in the mailman domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mailman_domtrans',`
+ gen_require(`
+ type mailman_mail_exec_t, mailman_mail_t;
+ ')
+
+ domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
+')
+
+#######################################
+## <summary>
+## Execute mailman CGI scripts in the
+## mailman CGI domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mailman_domtrans_cgi',`
+ gen_require(`
+ type mailman_cgi_exec_t, mailman_cgi_t;
+ ')
+
+ domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
+')
+
+#######################################
+## <summary>
+## Execute mailman in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowd access.
+## </summary>
+## </param>
+#
+interface(`mailman_exec',`
+ gen_require(`
+ type mailman_mail_exec_t;
+ ')
+
+ can_exec($1, mailman_mail_exec_t)
+')
+
+#######################################
+## <summary>
+## Send generic signals to the mailman cgi domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_signal_cgi',`
+ gen_require(`
+ type mailman_cgi_t;
+ ')
+
+ allow $1 mailman_cgi_t:process signal;
+')
+
+#######################################
+## <summary>
+## Allow domain to search data directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_search_data',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+## Allow domain to to read mailman data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_data_files',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ list_dirs_pattern($1, mailman_data_t, mailman_data_t)
+ read_files_pattern($1, mailman_data_t, mailman_data_t)
+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
+')
+
+#######################################
+## <summary>
+## Allow domain to to create mailman data files
+## and write the directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_manage_data_files',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
+ manage_files_pattern($1, mailman_data_t, mailman_data_t)
+')
+
+#######################################
+## <summary>
+## List the contents of mailman data directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_list_data',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+## Allow read acces to mailman data symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_data_symlinks',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
+')
+
+#######################################
+## <summary>
+## Read mailman logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ read_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+## <summary>
+## Append to mailman logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_append_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ append_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## mailman logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_manage_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ manage_files_pattern($1, mailman_log_t, mailman_log_t)
+ manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+## <summary>
+## Allow domain to read mailman archive files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_archive',`
+ gen_require(`
+ type mailman_archive_t;
+ ')
+
+ allow $1 mailman_archive_t:dir list_dir_perms;
+ read_files_pattern($1, mailman_archive_t, mailman_archive_t)
+ read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
+')
+
+#######################################
+## <summary>
+## Execute mailman_queue in the mailman_queue domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mailman_domtrans_queue',`
+ gen_require(`
+ type mailman_queue_exec_t, mailman_queue_t;
+ ')
+
+ domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
+')
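Review bot: `mailman_domain_template` grants every derived domain `corecmd_exec_all_executables`, `files_exec_etc_files`, `libs_exec_ld_so` and `libs_exec_lib_files`, and that reaches the CGI domain as well as the mail and queue daemons; a comment naming which mailman component actually needs to execute arbitrary binaries and files under /etc would let a maintainer narrow this to `corecmd_exec_bin` / `corecmd_exec_shell` where that suffices. The template body also references `mailman_archive_t`, `mailman_data_t`, `mailman_lock_t` and `mailman_log_t` without a `gen_require`, which appears to work only because it is invoked from mailman.te itself; a note such as `# uses types declared in mailman.te; not intended for other modules` would make that explicit. The doc comments carry typos: `mailmain` in the template summary, `allowd` in mailman_exec, `acces` in mailman_read_data_symlinks, and `to to` in mailman_read_data_files and mailman_manage_data_files.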
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
new file mode 100644
index 00000000..af4d5728
--- /dev/null
+++ b/policy/modules/contrib/mailman.te
@@ -0,0 +1,128 @@
+policy_module(mailman, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+mailman_domain_template(cgi)
+
+type mailman_data_t;
+files_type(mailman_data_t)
+
+type mailman_archive_t;
+files_type(mailman_archive_t)
+
+type mailman_log_t;
+logging_log_file(mailman_log_t)
+
+type mailman_lock_t;
+files_lock_file(mailman_lock_t)
+
+mailman_domain_template(mail)
+init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
+
+mailman_domain_template(queue)
+
+########################################
+#
+# Mailman CGI local policy
+#
+
+# cjp: the template invocation for cgi should be
+# in the below optional policy; however, there are no
+# optionals for file contexts yet, so it is promoted
+# to global scope until such facilities exist.
+
+optional_policy(`
+ dev_read_urand(mailman_cgi_t)
+
+ manage_dirs_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
+ manage_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
+ manage_lnk_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
+
+ files_search_spool(mailman_cgi_t)
+
+ term_use_controlling_term(mailman_cgi_t)
+
+ # for python pre-compile foolishness
+ libs_dontaudit_write_lib_dirs(mailman_cgi_t)
+
+ apache_sigchld(mailman_cgi_t)
+ apache_use_fds(mailman_cgi_t)
+ apache_dontaudit_append_log(mailman_cgi_t)
+ apache_search_sys_script_state(mailman_cgi_t)
+ apache_read_config(mailman_cgi_t)
+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
+')
+
+########################################
+#
+# Mailman mail local policy
+#
+
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+
+manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+
+files_search_spool(mailman_mail_t)
+
+fs_rw_anon_inodefs_files(mailman_mail_t)
+
+mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
+mta_dontaudit_rw_queue(mailman_mail_t)
+
+optional_policy(`
+ courier_read_spool(mailman_mail_t)
+')
+
+optional_policy(`
+ cron_read_pipes(mailman_mail_t)
+')
+
+optional_policy(`
+ postfix_search_spool(mailman_mail_t)
+')
+
+########################################
+#
+# Mailman queue local policy
+#
+
+allow mailman_queue_t self:capability { setgid setuid };
+allow mailman_queue_t self:process signal;
+allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
+allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+manage_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+
+kernel_read_proc_symlinks(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+
+files_dontaudit_search_pids(mailman_queue_t)
+
+# for su
+seutil_dontaudit_search_config(mailman_queue_t)
+
+# some of the following could probably be changed to dontaudit, someone who
+# knows mailman well should test this out and send the changes
+userdom_search_user_home_dirs(mailman_queue_t)
+
+optional_policy(`
+ apache_read_config(mailman_queue_t)
+')
+
+optional_policy(`
+ cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
+')
+
+optional_policy(`
+ su_exec(mailman_queue_t)
+') \ No newline at end of file
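Review bot: The file ends without a trailing newline after the last `optional_policy` block, unlike every other file added in this series; add one so the next append does not show up as a change to this line. `allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };` grants `sys_tty_config`, which lpd.te and memcached.te only `dontaudit` for their daemons; if mailman genuinely needs it a comment would help, otherwise `dontaudit mailman_mail_t self:capability sys_tty_config;` matches the siblings. The CGI block also places non-apache rules (`dev_read_urand`, the `mailman_archive_t` manage patterns, `files_search_spool`, `term_use_controlling_term`, `libs_dontaudit_write_lib_dirs`) inside the `optional_policy` that is otherwise all apache interfaces; if that is deliberate because mailman_cgi_t is only meaningful under apache, saying so in the existing `# cjp:` comment would stop someone from hoisting them out.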
diff --git a/policy/modules/contrib/mcelog.fc b/policy/modules/contrib/mcelog.fc
new file mode 100644
index 00000000..56c43c08
--- /dev/null
+++ b/policy/modules/contrib/mcelog.fc
@@ -0,0 +1 @@
+/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
diff --git a/policy/modules/contrib/mcelog.if b/policy/modules/contrib/mcelog.if
new file mode 100644
index 00000000..3d4cb1ae
--- /dev/null
+++ b/policy/modules/contrib/mcelog.if
@@ -0,0 +1,20 @@
+## <summary>policy for mcelog</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run mcelog.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mcelog_domtrans',`
+ gen_require(`
+ type mcelog_t, mcelog_exec_t;
+ ')
+
+ domtrans_pattern($1, mcelog_exec_t, mcelog_t)
+')
+
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
new file mode 100644
index 00000000..56719779
--- /dev/null
+++ b/policy/modules/contrib/mcelog.te
@@ -0,0 +1,32 @@
+policy_module(mcelog, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type mcelog_t;
+type mcelog_exec_t;
+application_domain(mcelog_t, mcelog_exec_t)
+cron_system_entry(mcelog_t, mcelog_exec_t)
+
+########################################
+#
+# mcelog local policy
+#
+
+allow mcelog_t self:capability sys_admin;
+
+kernel_read_system_state(mcelog_t)
+
+dev_read_raw_memory(mcelog_t)
+dev_read_kmsg(mcelog_t)
+
+files_read_etc_files(mcelog_t)
+
+# for /dev/mem access
+mls_file_read_all_levels(mcelog_t)
+
+logging_send_syslog_msg(mcelog_t)
+
+miscfiles_read_localization(mcelog_t)
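Review bot: `cron_system_entry(mcelog_t, mcelog_exec_t)` in the declarations is called unconditionally, making cron a hard dependency of this module, while the other modules in this series wrap the same call in `optional_policy` (checkpc_t in lpd.te, mailman_queue_t in mailman.te). Wrapping it the same way, `optional_policy(\` cron_system_entry(mcelog_t, mcelog_exec_t) ')`, keeps mcelog loadable without cron. `allow mcelog_t self:capability sys_admin;` also deserves a why-comment like the `# for /dev/mem access` one on `mls_file_read_all_levels`, since a reader cannot tell from the file which operation needs the broadest capability.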
diff --git a/policy/modules/contrib/mediawiki.fc b/policy/modules/contrib/mediawiki.fc
new file mode 100644
index 00000000..a78b34ae
--- /dev/null
+++ b/policy/modules/contrib/mediawiki.fc
@@ -0,0 +1,8 @@
+/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+
+/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
+
+/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
+/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
diff --git a/policy/modules/contrib/mediawiki.if b/policy/modules/contrib/mediawiki.if
new file mode 100644
index 00000000..98d28b42
--- /dev/null
+++ b/policy/modules/contrib/mediawiki.if
@@ -0,0 +1 @@
+## <summary>Mediawiki policy</summary>
diff --git a/policy/modules/contrib/mediawiki.te b/policy/modules/contrib/mediawiki.te
new file mode 100644
index 00000000..d7cb9e4c
--- /dev/null
+++ b/policy/modules/contrib/mediawiki.te
@@ -0,0 +1,17 @@
+policy_module(mediawiki, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mediawiki)
+
+########################################
+#
+# mediawiki local policy
+#
+
+files_search_var_lib(httpd_mediawiki_script_t)
+
+miscfiles_read_tetex_data(httpd_mediawiki_script_t)
diff --git a/policy/modules/contrib/memcached.fc b/policy/modules/contrib/memcached.fc
new file mode 100644
index 00000000..4d694775
--- /dev/null
+++ b/policy/modules/contrib/memcached.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/memcached -- gen_context(system_u:object_r:memcached_initrc_exec_t,s0)
+
+/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)
+
+/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
diff --git a/policy/modules/contrib/memcached.if b/policy/modules/contrib/memcached.if
new file mode 100644
index 00000000..db4fd6fb
--- /dev/null
+++ b/policy/modules/contrib/memcached.if
@@ -0,0 +1,73 @@
+## <summary>high-performance memory object caching system</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run memcached.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`memcached_domtrans',`
+ gen_require(`
+ type memcached_t;
+ type memcached_exec_t;
+ ')
+
+ domtrans_pattern($1, memcached_exec_t, memcached_t)
+')
+
+########################################
+## <summary>
+## Read memcached PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`memcached_read_pid_files',`
+ gen_require(`
+ type memcached_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 memcached_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an memcached environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the memcached domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`memcached_admin',`
+ gen_require(`
+ type memcached_t;
+ type memcached_initrc_exec_t;
+ ')
+
+ allow $1 memcached_t:process { ptrace signal_perms };
+ ps_process_pattern($1, memcached_t)
+
+ init_labeled_script_domtrans($1, memcached_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 memcached_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, memcached_var_run_t)
+')
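Review bot: `memcached_admin` uses `memcached_var_run_t` in `admin_pattern($1, memcached_var_run_t)` but its `gen_require` only declares `memcached_t` and `memcached_initrc_exec_t`, so the interface cannot expand when called from another module; add `type memcached_var_run_t;` to the require block. The summary also reads `an memcached environment`; `a memcached environment`. The `ptrace` in `allow $1 memcached_t:process { ptrace signal_perms };` follows the usual refpolicy admin pattern, but a short comment that it is intended for debugging the daemon would help a reviewer deciding whether a given admin role should get it.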
diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te
new file mode 100644
index 00000000..b6816087
--- /dev/null
+++ b/policy/modules/contrib/memcached.te
@@ -0,0 +1,58 @@
+policy_module(memcached, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type memcached_t;
+type memcached_exec_t;
+init_daemon_domain(memcached_t, memcached_exec_t)
+
+type memcached_initrc_exec_t;
+init_script_file(memcached_initrc_exec_t)
+
+type memcached_var_run_t;
+files_pid_file(memcached_var_run_t)
+
+########################################
+#
+# memcached local policy
+#
+
+allow memcached_t self:capability { setuid setgid };
+dontaudit memcached_t self:capability sys_tty_config;
+allow memcached_t self:process { setrlimit signal_perms };
+allow memcached_t self:tcp_socket create_stream_socket_perms;
+allow memcached_t self:udp_socket { create_socket_perms listen };
+allow memcached_t self:fifo_file rw_fifo_file_perms;
+allow memcached_t self:unix_stream_socket create_stream_socket_perms;
+
+corenet_all_recvfrom_unlabeled(memcached_t)
+corenet_udp_sendrecv_generic_if(memcached_t)
+corenet_udp_sendrecv_generic_node(memcached_t)
+corenet_udp_sendrecv_all_ports(memcached_t)
+corenet_udp_bind_generic_node(memcached_t)
+corenet_tcp_sendrecv_generic_if(memcached_t)
+corenet_tcp_sendrecv_generic_node(memcached_t)
+corenet_tcp_sendrecv_all_ports(memcached_t)
+corenet_tcp_bind_generic_node(memcached_t)
+corenet_tcp_bind_memcache_port(memcached_t)
+corenet_udp_bind_memcache_port(memcached_t)
+
+manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(memcached_t)
+kernel_read_system_state(memcached_t)
+
+files_read_etc_files(memcached_t)
+
+term_dontaudit_use_all_ptys(memcached_t)
+term_dontaudit_use_all_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)
+
+auth_use_nsswitch(memcached_t)
+
+miscfiles_read_localization(memcached_t)
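Review bot: `corenet_all_recvfrom_unlabeled(memcached_t)` is not paired with `corenet_all_recvfrom_netlabel(memcached_t)`, unlike every other network domain in this series (checkpc_t, lpd_t, lpr_t and the mailman template all have both), so on a NetLabel-configured host memcached would presumably be the one daemon that cannot receive labeled traffic; add the netlabel line directly after it. The rest of the local policy matches the sibling modules' style.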
diff --git a/policy/modules/contrib/metadata.xml b/policy/modules/contrib/metadata.xml
new file mode 100644
index 00000000..71d9e256
--- /dev/null
+++ b/policy/modules/contrib/metadata.xml
@@ -0,0 +1 @@
+<summary>Contributed Reference Policy modules.</summary>
diff --git a/policy/modules/contrib/milter.fc b/policy/modules/contrib/milter.fc
new file mode 100644
index 00000000..1ec5a6cd
--- /dev/null
+++ b/policy/modules/contrib/milter.fc
@@ -0,0 +1,15 @@
+/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+
+/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+
+/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
diff --git a/policy/modules/contrib/milter.if b/policy/modules/contrib/milter.if
new file mode 100644
index 00000000..ee72cbed
--- /dev/null
+++ b/policy/modules/contrib/milter.if
@@ -0,0 +1,106 @@
+## <summary>Milter mail filters</summary>
+
+########################################
+## <summary>
+## Create a set of derived types for various
+## mail filter applications using the milter interface.
+## </summary>
+## <param name="milter_name">
+## <summary>
+## The name to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`milter_template',`
+ # attributes common to all milters
+ gen_require(`
+ attribute milter_data_type, milter_domains;
+ ')
+
+ type $1_milter_t, milter_domains;
+ type $1_milter_exec_t;
+ init_daemon_domain($1_milter_t, $1_milter_exec_t)
+ role system_r types $1_milter_t;
+
+ # Type for the milter data (e.g. the socket used to communicate with the MTA)
+ type $1_milter_data_t, milter_data_type;
+ files_type($1_milter_data_t)
+
+ allow $1_milter_t self:fifo_file rw_fifo_file_perms;
+ # Allow communication with MTA over a TCP socket
+ allow $1_milter_t self:tcp_socket create_stream_socket_perms;
+
+ # Allow communication with MTA over a unix-domain socket
+ manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+ # Create other data files and directories in the data directory
+ manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+ corenet_tcp_bind_generic_node($1_milter_t)
+ corenet_tcp_bind_milter_port($1_milter_t)
+
+ files_read_etc_files($1_milter_t)
+
+ miscfiles_read_localization($1_milter_t)
+
+ logging_send_syslog_msg($1_milter_t)
+')
+
+########################################
+## <summary>
+## MTA communication with milter sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_stream_connect_all',`
+ gen_require(`
+ attribute milter_data_type, milter_domains;
+ ')
+
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+ stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
+')
+
+########################################
+## <summary>
+## Allow getattr of milter sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_getattr_all_sockets',`
+ gen_require(`
+ attribute milter_data_type;
+ ')
+
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+ getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
+')
+
+########################################
+## <summary>
+## Manage spamassassin milter state
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_manage_spamass_state',`
+ gen_require(`
+ type spamass_milter_state_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+')
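Review bot: `role system_r types $1_milter_t;` in `milter_template` appears redundant, because `init_daemon_domain` on the line above already associates a daemon type with system_r in this policy base (if that is not true for this tree, disregard). The other daemon modules added in this commit (memcached, monop) rely on `init_daemon_domain` alone, so dropping the line would keep the template consistent with them. It would also help callers to state in the template's `<summary>` that the derived `$1_milter_t` is placed in the `milter_domains` attribute and `$1_milter_data_t` in `milter_data_type`, since that membership is what `milter_stream_connect_all` and `milter_getattr_all_sockets` key on.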
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
new file mode 100644
index 00000000..26101cbb
--- /dev/null
+++ b/policy/modules/contrib/milter.te
@@ -0,0 +1,96 @@
+policy_module(milter, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+# attributes common to all milters
+attribute milter_domains;
+attribute milter_data_type;
+
+# currently-supported milters are milter-greylist, milter-regex and spamass-milter
+milter_template(greylist)
+milter_template(regex)
+milter_template(spamass)
+
+# Type for the spamass-milter home directory, under which spamassassin will
+# store system-wide preferences, bayes databases etc. if not configured to
+# use per-user configuration
+type spamass_milter_state_t;
+files_type(spamass_milter_state_t)
+
+########################################
+#
+# milter-greylist local policy
+# ensure smtp clients retry mail like real MTAs and not spamware
+# http://hcpnet.free.fr/milter-greylist/
+#
+
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
+allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+allow greylist_milter_t self:process { setsched getsched };
+
+# It creates a pid file /var/run/milter-greylist.pid
+files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
+
+kernel_read_kernel_sysctls(greylist_milter_t)
+
+# Allow the milter to read a GeoIP database in /usr/share
+files_read_usr_files(greylist_milter_t)
+# The milter runs from /var/lib/milter-greylist and maintains files there
+files_search_var_lib(greylist_milter_t)
+
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
+
+# Config is in /etc/mail/greylist.conf
+mta_read_config(greylist_milter_t)
+
+########################################
+#
+# milter-regex local policy
+# filter emails using regular expressions
+# http://www.benzedrine.cx/milter-regex.html
+#
+
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow regex_milter_t self:capability { setuid setgid dac_override };
+
+# The milter's socket directory lives under /var/spool
+files_search_spool(regex_milter_t)
+
+# Look up username for dropping privs
+auth_use_nsswitch(regex_milter_t)
+
+# Config is in /etc/mail/milter-regex.conf
+mta_read_config(regex_milter_t)
+
+########################################
+#
+# spamass-milter local policy
+# pipe emails through SpamAssassin
+# http://savannah.nongnu.org/projects/spamass-milt/
+#
+
+# The milter runs from /var/lib/spamass-milter
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+files_search_var_lib(spamass_milter_t)
+
+kernel_read_system_state(spamass_milter_t)
+
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
+corecmd_exec_shell(spamass_milter_t)
+corecmd_read_bin_symlinks(spamass_milter_t)
+corecmd_search_bin(spamass_milter_t)
+
+mta_send_mail(spamass_milter_t)
+
+# The main job of the milter is to pipe spam through spamc and act on the result
+optional_policy(`
+ spamassassin_domtrans_client(spamass_milter_t)
+')
diff --git a/policy/modules/contrib/modemmanager.fc b/policy/modules/contrib/modemmanager.fc
new file mode 100644
index 00000000..a83894c6
--- /dev/null
+++ b/policy/modules/contrib/modemmanager.fc
@@ -0,0 +1 @@
+/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
diff --git a/policy/modules/contrib/modemmanager.if b/policy/modules/contrib/modemmanager.if
new file mode 100644
index 00000000..33686991
--- /dev/null
+++ b/policy/modules/contrib/modemmanager.if
@@ -0,0 +1,40 @@
+## <summary>Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run modemmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`modemmanager_domtrans',`
+ gen_require(`
+ type modemmanager_t, modemmanager_exec_t;
+ ')
+
+ domtrans_pattern($1, modemmanager_exec_t, modemmanager_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## modemmanager over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modemmanager_dbus_chat',`
+ gen_require(`
+ type modemmanager_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 modemmanager_t:dbus send_msg;
+ allow modemmanager_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
new file mode 100644
index 00000000..b3ace161
--- /dev/null
+++ b/policy/modules/contrib/modemmanager.te
@@ -0,0 +1,41 @@
+policy_module(modemmanager, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type modemmanager_t;
+type modemmanager_exec_t;
+dbus_system_domain(modemmanager_t, modemmanager_exec_t)
+typealias modemmanager_t alias ModemManager_t;
+typealias modemmanager_exec_t alias ModemManager_exec_t;
+
+########################################
+#
+# ModemManager local policy
+#
+
+allow modemmanager_t self:process signal;
+allow modemmanager_t self:fifo_file rw_file_perms;
+allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_system_state(modemmanager_t)
+
+dev_read_sysfs(modemmanager_t)
+dev_rw_modem(modemmanager_t)
+
+files_read_etc_files(modemmanager_t)
+
+term_use_unallocated_ttys(modemmanager_t)
+
+miscfiles_read_localization(modemmanager_t)
+
+logging_send_syslog_msg(modemmanager_t)
+
+networkmanager_dbus_chat(modemmanager_t)
+
+optional_policy(`
+ udev_read_db(modemmanager_t)
+')
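Review bot: `networkmanager_dbus_chat(modemmanager_t)` is called unconditionally while `udev_read_db` is wrapped in `optional_policy`; if networkmanager is a separate module in this tree, the bare call makes modemmanager fail to link when that module is absent. Wrap it the same way: `optional_policy(`` / `networkmanager_dbus_chat(modemmanager_t)` / `')`. Separately, `allow modemmanager_t self:fifo_file rw_file_perms;` uses the generic file permission set where the rest of this commit uses the fifo-specific one, so `allow modemmanager_t self:fifo_file rw_fifo_file_perms;` would be the consistent form.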
diff --git a/policy/modules/contrib/mojomojo.fc b/policy/modules/contrib/mojomojo.fc
new file mode 100644
index 00000000..824c9793
--- /dev/null
+++ b/policy/modules/contrib/mojomojo.fc
@@ -0,0 +1,5 @@
+/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
+
+/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0)
+
+/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
diff --git a/policy/modules/contrib/mojomojo.if b/policy/modules/contrib/mojomojo.if
new file mode 100644
index 00000000..657a9fc2
--- /dev/null
+++ b/policy/modules/contrib/mojomojo.if
@@ -0,0 +1,40 @@
+## <summary>MojoMojo Wiki</summary>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an mojomojo environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mojomojo_admin',`
+ gen_require(`
+ type httpd_mojomojo_script_t;
+ type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
+ type httpd_mojomojo_rw_content_t;
+ type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t;
+ ')
+
+ allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_mojomojo_script_t)
+
+ files_search_var_lib(httpd_mojomojo_script_t)
+
+ apache_search_sys_content($1)
+ admin_pattern($1, httpd_mojomojo_script_exec_t)
+ admin_pattern($1, httpd_mojomojo_script_t)
+ admin_pattern($1, httpd_mojomojo_content_t)
+ admin_pattern($1, httpd_mojomojo_htaccess_t)
+ admin_pattern($1, httpd_mojomojo_rw_content_t)
+ admin_pattern($1, httpd_mojomojo_ra_content_t)
+')
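Review bot: `files_search_var_lib(httpd_mojomojo_script_t)` inside `mojomojo_admin` grants the search permission to the script domain instead of to the admin domain `$1`; the script domain already receives it in mojomojo.te, so the admin caller is left without a way to reach /var/lib/mojomojo through this interface. The intended line is presumably `files_search_var_lib($1)`. The `role` parameter (`$2`) is documented and `<rolecap/>` is declared, but the body never uses `$2`; either drop the parameter from the documentation or add the role statement the tag implies.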
diff --git a/policy/modules/contrib/mojomojo.te b/policy/modules/contrib/mojomojo.te
new file mode 100644
index 00000000..83f002c3
--- /dev/null
+++ b/policy/modules/contrib/mojomojo.te
@@ -0,0 +1,36 @@
+policy_module(mojomojo, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mojomojo)
+
+########################################
+#
+# mojomojo local policy
+#
+
+allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+
+corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
+corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
+corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
+corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
+
+files_search_var_lib(httpd_mojomojo_script_t)
+
+sysnet_dns_name_resolve(httpd_mojomojo_script_t)
+
+mta_send_mail(httpd_mojomojo_script_t)
+
+optional_policy(`
+ mysql_stream_connect(httpd_mojomojo_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_mojomojo_script_t)
+')
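Review bot: `allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;` references `httpd_t` directly from another module's policy rather than going through an apache interface, which is the pattern every other cross-module rule in this file follows (`corenet_*`, `mta_send_mail`, `mysql_stream_connect`). Presumably `httpd_t` is in scope via `apache_content_template`, but a direct allow on a foreign type bypasses the interface layer and will silently break if the apache module renames or splits that type. If no suitable interface exists, a one-line comment stating why the raw rule is needed would help the next reader.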
diff --git a/policy/modules/contrib/mono.fc b/policy/modules/contrib/mono.fc
new file mode 100644
index 00000000..b01bc913
--- /dev/null
+++ b/policy/modules/contrib/mono.fc
@@ -0,0 +1 @@
+/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0)
diff --git a/policy/modules/contrib/mono.if b/policy/modules/contrib/mono.if
new file mode 100644
index 00000000..7b08e138
--- /dev/null
+++ b/policy/modules/contrib/mono.if
@@ -0,0 +1,138 @@
+## <summary>Run .NET server and client applications on Linux.</summary>
+
+#######################################
+## <summary>
+## The role template for the mono module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for mono applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`mono_role_template',`
+ gen_require(`
+ type mono_exec_t;
+ ')
+
+ type $1_mono_t;
+ domain_type($1_mono_t)
+ domain_entry_file($1_mono_t, mono_exec_t)
+ role $2 types $1_mono_t;
+
+ domain_interactive_fd($1_mono_t)
+ application_type($1_mono_t)
+
+ allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+
+ allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+
+ domtrans_pattern($3, mono_exec_t, $1_mono_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
+ corecmd_bin_domtrans($1_mono_t, $1_t)
+
+ userdom_manage_user_tmpfs_files($1_mono_t)
+
+ optional_policy(`
+ xserver_role($1_r, $1_mono_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute the mono program in the mono domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mono_domtrans',`
+ gen_require(`
+ type mono_t, mono_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mono_exec_t, mono_t)
+')
+
+########################################
+## <summary>
+## Execute mono in the mono domain, and
+## allow the specified role the mono domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`mono_run',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ mono_domtrans($1)
+ role $2 types mono_t;
+')
+
+########################################
+## <summary>
+## Execute the mono program in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mono_exec',`
+ gen_require(`
+ type mono_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, mono_exec_t)
+')
+
+########################################
+## <summary>
+## Read and write to mono shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mono_rw_shm',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ allow $1 mono_t:shm rw_shm_perms;
+')
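Review bot: `corecmd_bin_domtrans($1_mono_t, $1_t)` and `xserver_role($1_r, $1_mono_t)` in `mono_role_template` build the user domain and role names from the prefix instead of using the documented `user_domain` (`$3`) and `user_role` (`$2`) parameters, so the template only works for callers whose names happen to follow the `<prefix>_t`/`<prefix>_r` convention and will fail to compile otherwise. The consistent lines are `corecmd_bin_domtrans($1_mono_t, $3)` and `xserver_role($2, $1_mono_t)`. The `<desc>` could also state that `$1_mono_t` is granted `execmem execstack execheap` on itself, since that is the most security-relevant property of the derived domain and is not mentioned in the documentation.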
diff --git a/policy/modules/contrib/mono.te b/policy/modules/contrib/mono.te
new file mode 100644
index 00000000..dff0f127
--- /dev/null
+++ b/policy/modules/contrib/mono.te
@@ -0,0 +1,52 @@
+policy_module(mono, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type mono_t;
+type mono_exec_t;
+application_type(mono_t)
+init_system_domain(mono_t, mono_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
+
+init_dbus_chat_script(mono_t)
+
+userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ avahi_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ cups_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ rpm_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ unconfined_domain(mono_t)
+ unconfined_dbus_chat(mono_t)
+ unconfined_dbus_connect(mono_t)
+')
+
+optional_policy(`
+ xserver_rw_shm(mono_t)
+')
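Review bot: `unconfined_domain(mono_t)` in the last-but-one `optional_policy` block is undocumented: it turns the system mono domain into an unconfined domain whenever the unconfined module is loaded, which makes the tightly scoped rules above it (self:process perms, dbus chat) effectively moot on such systems. A comment such as `# mono_t becomes unconfined when the unconfined module is present; the rules above only apply on systems without it` would make that trade-off visible to anyone auditing this module. If the intent is narrower (e.g. only dbus access), the `unconfined_dbus_chat`/`unconfined_dbus_connect` lines could stand on their own without `unconfined_domain`.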
diff --git a/policy/modules/contrib/monop.fc b/policy/modules/contrib/monop.fc
new file mode 100644
index 00000000..9ee40284
--- /dev/null
+++ b/policy/modules/contrib/monop.fc
@@ -0,0 +1,4 @@
+/etc/monopd\.conf -- gen_context(system_u:object_r:monopd_etc_t,s0)
+
+/usr/sbin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0)
+/usr/share/monopd/games(/.*)? gen_context(system_u:object_r:monopd_share_t,s0)
diff --git a/policy/modules/contrib/monop.if b/policy/modules/contrib/monop.if
new file mode 100644
index 00000000..2611351e
--- /dev/null
+++ b/policy/modules/contrib/monop.if
@@ -0,0 +1 @@
+## <summary>Monopoly daemon</summary>
diff --git a/policy/modules/contrib/monop.te b/policy/modules/contrib/monop.te
new file mode 100644
index 00000000..6647a356
--- /dev/null
+++ b/policy/modules/contrib/monop.te
@@ -0,0 +1,85 @@
+policy_module(monop, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type monopd_t;
+type monopd_exec_t;
+init_daemon_domain(monopd_t, monopd_exec_t)
+
+type monopd_etc_t;
+files_config_file(monopd_etc_t)
+
+type monopd_share_t;
+files_type(monopd_share_t)
+
+type monopd_var_run_t;
+files_pid_file(monopd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit monopd_t self:capability sys_tty_config;
+allow monopd_t self:process signal_perms;
+allow monopd_t self:tcp_socket create_stream_socket_perms;
+allow monopd_t self:udp_socket create_socket_perms;
+
+allow monopd_t monopd_etc_t:file read_file_perms;
+files_search_etc(monopd_t)
+
+allow monopd_t monopd_share_t:dir list_dir_perms;
+read_files_pattern(monopd_t, monopd_share_t, monopd_share_t)
+read_lnk_files_pattern(monopd_t, monopd_share_t, monopd_share_t)
+
+manage_files_pattern(monopd_t, monopd_var_run_t, monopd_var_run_t)
+files_pid_filetrans(monopd_t, monopd_var_run_t, file)
+
+kernel_read_kernel_sysctls(monopd_t)
+kernel_list_proc(monopd_t)
+kernel_read_proc_symlinks(monopd_t)
+
+corenet_all_recvfrom_unlabeled(monopd_t)
+corenet_all_recvfrom_netlabel(monopd_t)
+corenet_tcp_sendrecv_generic_if(monopd_t)
+corenet_udp_sendrecv_generic_if(monopd_t)
+corenet_tcp_sendrecv_generic_node(monopd_t)
+corenet_udp_sendrecv_generic_node(monopd_t)
+corenet_tcp_sendrecv_all_ports(monopd_t)
+corenet_udp_sendrecv_all_ports(monopd_t)
+corenet_tcp_bind_generic_node(monopd_t)
+corenet_tcp_bind_monopd_port(monopd_t)
+corenet_sendrecv_monopd_server_packets(monopd_t)
+
+dev_read_sysfs(monopd_t)
+
+domain_use_interactive_fds(monopd_t)
+
+files_read_etc_files(monopd_t)
+
+fs_getattr_all_fs(monopd_t)
+fs_search_auto_mountpoints(monopd_t)
+
+logging_send_syslog_msg(monopd_t)
+
+miscfiles_read_localization(monopd_t)
+
+sysnet_read_config(monopd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(monopd_t)
+userdom_dontaudit_search_user_home_dirs(monopd_t)
+
+optional_policy(`
+ nis_use_ypbind(monopd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(monopd_t)
+')
+
+optional_policy(`
+ udev_read_db(monopd_t)
+')
diff --git a/policy/modules/contrib/mozilla.fc b/policy/modules/contrib/mozilla.fc
new file mode 100644
index 00000000..1847b92c
--- /dev/null
+++ b/policy/modules/contrib/mozilla.fc
@@ -0,0 +1,47 @@
+HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+
+#
+# /bin
+#
+/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+')
+
+#
+# /lib
+#
+/usr/lib(64)?/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/lib64/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+
+#
+# /opt
+#
+/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
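Review bot: The four entries for `firefox` and `plugin-container` spell out `/usr/lib/` and `/usr/lib64/` as separate lines while every other `/lib` entry in this section uses the `/usr/lib(64)?/` pattern; folding them to `/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- ...` and `/usr/lib(64)?/[^/]*firefox[^/]*/plugin-container -- ...` halves the list and keeps the file's one convention. There is also a double blank line before the `/opt` header.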
diff --git a/policy/modules/contrib/mozilla.if b/policy/modules/contrib/mozilla.if
new file mode 100644
index 00000000..b397fde5
--- /dev/null
+++ b/policy/modules/contrib/mozilla.if
@@ -0,0 +1,302 @@
+## <summary>Policy for Mozilla and related web browsers</summary>
+
+########################################
+## <summary>
+## Role access for mozilla
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`mozilla_role',`
+ gen_require(`
+ type mozilla_t, mozilla_exec_t, mozilla_home_t;
+ attribute_role mozilla_roles;
+ ')
+
+ roleattribute $1 mozilla_roles;
+
+ domain_auto_trans($2, mozilla_exec_t, mozilla_t)
+ # Unrestricted inheritance from the caller.
+ allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
+ allow mozilla_t $2:fd use;
+ allow mozilla_t $2:process { sigchld signull };
+ allow mozilla_t $2:unix_stream_socket connectto;
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, mozilla_t)
+ allow $2 mozilla_t:process signal_perms;
+
+ allow $2 mozilla_t:fd use;
+ allow $2 mozilla_t:shm { associate getattr };
+ allow $2 mozilla_t:shm { unix_read unix_write };
+ allow $2 mozilla_t:unix_stream_socket connectto;
+
+ # X access, Home files
+ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+
+ mozilla_dbus_chat($2)
+')
+
+########################################
+## <summary>
+## Read mozilla home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_read_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ allow $1 mozilla_home_t:dir list_dir_perms;
+ allow $1 mozilla_home_t:file read_file_perms;
+ allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Write mozilla home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_write_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ write_files_pattern($1, mozilla_home_t, mozilla_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to read/write mozilla home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mozilla_dontaudit_rw_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ dontaudit $1 mozilla_home_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to write mozilla home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mozilla_dontaudit_manage_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ dontaudit $1 mozilla_home_t:dir manage_dir_perms;
+ dontaudit $1 mozilla_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Execute mozilla home directory content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_exec_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ can_exec($1, mozilla_home_t)
+')
+
+########################################
+## <summary>
+## Execmod mozilla home directory content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_execmod_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ allow $1 mozilla_home_t:file execmod;
+')
+
+########################################
+## <summary>
+## Run mozilla in the mozilla domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mozilla_domtrans',`
+ gen_require(`
+ type mozilla_t, mozilla_exec_t;
+ ')
+
+ domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run mozilla_plugin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_domtrans_plugin',`
+ gen_require(`
+ type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t;
+ class dbus send_msg;
+ ')
+
+ domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+ allow mozilla_plugin_t $1:process signull;
+')
+
+########################################
+## <summary>
+## Execute mozilla_plugin in the mozilla_plugin domain, and
+## allow the specified role the mozilla_plugin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the mozilla_plugin domain.
+## </summary>
+## </param>
+#
+interface(`mozilla_run_plugin',`
+ gen_require(`
+ type mozilla_plugin_t;
+ ')
+
+ mozilla_domtrans_plugin($1)
+ role $2 types mozilla_plugin_t;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## mozilla over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_dbus_chat',`
+ gen_require(`
+ type mozilla_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 mozilla_t:dbus send_msg;
+ allow mozilla_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## read/write mozilla per user tcp_socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_rw_tcp_sockets',`
+ gen_require(`
+ type mozilla_t;
+ ')
+
+ allow $1 mozilla_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Read mozilla_plugin tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_read_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Delete mozilla_plugin tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_delete_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ allow $1 mozilla_plugin_tmpfs_t:file unlink;
+')
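Review bot: `mozilla_domtrans_plugin` declares `type mozilla_plugin_tmpfs_t` and `class dbus send_msg` in its `gen_require` but uses neither; the unused requirements should be dropped to `type mozilla_plugin_t, mozilla_plugin_exec_t;` so the interface does not impose a dependency it does not need. In `mozilla_dontaudit_manage_user_home_files` the summary says "Dontaudit attempts to write", but the body dontaudits `manage_dir_perms` and `manage_file_perms`, so the summary should read `## Dontaudit attempts to manage mozilla home directory content`. The "Unrestricted inheritance from the caller" block in `mozilla_role` grants `noatsecure siginh rlimitinh`; a short comment on why the browser needs to inherit signal state and rlimits from the user domain would help reviewers judge that grant.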
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
new file mode 100644
index 00000000..6a85b282
--- /dev/null
+++ b/policy/modules/contrib/mozilla.te
@@ -0,0 +1,480 @@
+policy_module(mozilla, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow confined web browsers to read home directory content
+## </p>
+## </desc>
+gen_tunable(mozilla_read_content, false)
+
+attribute_role mozilla_roles;
+
+type mozilla_t;
+type mozilla_exec_t;
+typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
+typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+userdom_user_application_domain(mozilla_t, mozilla_exec_t)
+role mozilla_roles types mozilla_t;
+
+type mozilla_conf_t;
+files_config_file(mozilla_conf_t)
+
+type mozilla_home_t;
+typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
+typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
+userdom_user_home_content(mozilla_home_t)
+
+type mozilla_plugin_t;
+type mozilla_plugin_exec_t;
+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+role mozilla_roles types mozilla_plugin_t;
+
+type mozilla_plugin_tmp_t;
+userdom_user_tmp_file(mozilla_plugin_tmp_t)
+
+type mozilla_plugin_tmpfs_t;
+userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
+
+type mozilla_tmp_t;
+userdom_user_tmp_file(mozilla_tmp_t)
+
+type mozilla_tmpfs_t;
+typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
+typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
+userdom_user_tmpfs_file(mozilla_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mozilla_t self:capability { sys_nice setgid setuid };
+allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+allow mozilla_t self:fifo_file rw_fifo_file_perms;
+allow mozilla_t self:shm { unix_read unix_write read write destroy create };
+allow mozilla_t self:sem create_sem_perms;
+allow mozilla_t self:socket create_socket_perms;
+allow mozilla_t self:unix_stream_socket { listen accept };
+# Browse the web, connect to printer
+allow mozilla_t self:tcp_socket create_socket_perms;
+allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;
+# Make sure plugin works
+allow mozilla_t mozilla_plugin_t:process { rlimitinh siginh noatsecure };
+allow mozilla_t mozilla_plugin_t:fd { use };
+allow mozilla_t mozilla_plugin_t:unix_stream_socket { read write };
+
+# for bash - old mozilla binary
+can_exec(mozilla_t, mozilla_exec_t)
+
+# X access, Home files
+manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+userdom_search_user_home_dirs(mozilla_t)
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
+
+# Mozpluggerrc
+allow mozilla_t mozilla_conf_t:file read_file_perms;
+
+manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
+
+manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(mozilla_t)
+kernel_read_network_state(mozilla_t)
+# Access /proc, sysctl
+kernel_read_system_state(mozilla_t)
+kernel_read_net_sysctls(mozilla_t)
+
+# Look for plugins
+corecmd_list_bin(mozilla_t)
+# for bash - old mozilla binary
+corecmd_exec_shell(mozilla_t)
+corecmd_exec_bin(mozilla_t)
+
+# Browse the web, connect to printer
+corenet_all_recvfrom_unlabeled(mozilla_t)
+corenet_all_recvfrom_netlabel(mozilla_t)
+corenet_tcp_sendrecv_generic_if(mozilla_t)
+corenet_raw_sendrecv_generic_if(mozilla_t)
+corenet_tcp_sendrecv_generic_node(mozilla_t)
+corenet_raw_sendrecv_generic_node(mozilla_t)
+corenet_tcp_sendrecv_http_port(mozilla_t)
+corenet_tcp_sendrecv_http_cache_port(mozilla_t)
+corenet_tcp_sendrecv_squid_port(mozilla_t)
+corenet_tcp_sendrecv_ftp_port(mozilla_t)
+corenet_tcp_sendrecv_ipp_port(mozilla_t)
+corenet_tcp_sendrecv_tor_port(mozilla_t)
+corenet_tcp_connect_http_port(mozilla_t)
+corenet_tcp_connect_http_cache_port(mozilla_t)
+corenet_tcp_connect_squid_port(mozilla_t)
+corenet_tcp_connect_ftp_port(mozilla_t)
+corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_connect_generic_port(mozilla_t)
+corenet_tcp_connect_soundd_port(mozilla_t)
+corenet_tcp_connect_tor_port(mozilla_t)
+corenet_sendrecv_http_client_packets(mozilla_t)
+corenet_sendrecv_http_cache_client_packets(mozilla_t)
+corenet_sendrecv_squid_client_packets(mozilla_t)
+corenet_sendrecv_ftp_client_packets(mozilla_t)
+corenet_sendrecv_ipp_client_packets(mozilla_t)
+corenet_sendrecv_generic_client_packets(mozilla_t)
+corenet_sendrecv_tor_client_packets(mozilla_t)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
+corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
+corenet_tcp_connect_speech_port(mozilla_t)
+
+dev_read_urand(mozilla_t)
+dev_read_rand(mozilla_t)
+dev_write_sound(mozilla_t)
+dev_read_sound(mozilla_t)
+dev_dontaudit_rw_dri(mozilla_t)
+dev_getattr_sysfs_dirs(mozilla_t)
+
+domain_dontaudit_read_all_domains_state(mozilla_t)
+
+files_read_etc_runtime_files(mozilla_t)
+files_read_usr_files(mozilla_t)
+files_read_etc_files(mozilla_t)
+# /var/lib
+files_read_var_lib_files(mozilla_t)
+# interacting with gstreamer
+files_read_var_files(mozilla_t)
+files_read_var_symlinks(mozilla_t)
+files_dontaudit_getattr_boot_dirs(mozilla_t)
+
+fs_dontaudit_getattr_all_fs(mozilla_t)
+fs_search_auto_mountpoints(mozilla_t)
+fs_list_inotifyfs(mozilla_t)
+fs_rw_tmpfs_files(mozilla_t)
+
+term_dontaudit_getattr_pty_dirs(mozilla_t)
+
+logging_send_syslog_msg(mozilla_t)
+
+miscfiles_read_fonts(mozilla_t)
+miscfiles_read_localization(mozilla_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+
+# Browse the web, connect to printer
+sysnet_dns_name_resolve(mozilla_t)
+
+userdom_use_user_ptys(mozilla_t)
+
+mozilla_run_plugin(mozilla_t, mozilla_roles)
+
+
+xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+
+tunable_policy(`allow_execmem',`
+ allow mozilla_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mozilla_t)
+ fs_manage_nfs_files(mozilla_t)
+ fs_manage_nfs_symlinks(mozilla_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mozilla_t)
+ fs_manage_cifs_files(mozilla_t)
+ fs_manage_cifs_symlinks(mozilla_t)
+')
+
+# Uploads, local html
+tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mozilla_t)
+ files_list_home(mozilla_t)
+ fs_read_nfs_files(mozilla_t)
+ fs_read_nfs_symlinks(mozilla_t)
+
+',`
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
+ fs_dontaudit_read_nfs_files(mozilla_t)
+ fs_dontaudit_list_nfs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mozilla_t)
+ files_list_home(mozilla_t)
+ fs_read_cifs_files(mozilla_t)
+ fs_read_cifs_symlinks(mozilla_t)
+',`
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
+ fs_dontaudit_read_cifs_files(mozilla_t)
+ fs_dontaudit_list_cifs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content',`
+ userdom_list_user_tmp(mozilla_t)
+ userdom_read_user_tmp_files(mozilla_t)
+ userdom_read_user_tmp_symlinks(mozilla_t)
+ userdom_read_user_home_content_files(mozilla_t)
+ userdom_read_user_home_content_symlinks(mozilla_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(mozilla_t)
+ fs_read_removable_files(mozilla_t)
+ fs_read_removable_symlinks(mozilla_t)
+ ')
+',`
+ files_dontaudit_list_tmp(mozilla_t)
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_removable(mozilla_t)
+ fs_dontaudit_read_removable_files(mozilla_t)
+ userdom_dontaudit_list_user_tmp(mozilla_t)
+ userdom_dontaudit_read_user_tmp_files(mozilla_t)
+ userdom_dontaudit_list_user_home_dirs(mozilla_t)
+ userdom_dontaudit_read_user_home_content_files(mozilla_t)
+')
+
+optional_policy(`
+ apache_read_user_scripts(mozilla_t)
+ apache_read_user_content(mozilla_t)
+')
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(mozilla_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(mozilla_t)
+ cups_dbus_chat(mozilla_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mozilla_t)
+ dbus_session_bus_client(mozilla_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(mozilla_t)
+ ')
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(mozilla_t)
+ gnome_manage_config(mozilla_t)
+')
+
+optional_policy(`
+ java_domtrans(mozilla_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(mozilla_t)
+')
+
+optional_policy(`
+ mplayer_domtrans(mozilla_t)
+ mplayer_read_user_home_files(mozilla_t)
+')
+
+optional_policy(`
+ nscd_socket_use(mozilla_t)
+')
+
+optional_policy(`
+ pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
+ pulseaudio_manage_home_files(mozilla_t)
+')
+
+optional_policy(`
+ thunderbird_domtrans(mozilla_t)
+')
+
+optional_policy(`
+ xdg_read_generic_config_home_files(mozilla_t)
+ xdg_read_generic_data_home_files(mozilla_t)
+')
+
+########################################
+#
+# mozilla_plugin local policy
+#
+
+dontaudit mozilla_plugin_t self:capability { sys_ptrace };
+allow mozilla_plugin_t self:process { getsched setsched signal_perms execmem };
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
+allow mozilla_plugin_t self:udp_socket create_socket_perms;
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mozilla_plugin_t self:sem create_sem_perms;
+allow mozilla_plugin_t self:shm create_shm_perms;
+
+allow mozilla_plugin_t mozilla_t:unix_stream_socket { read write };
+
+can_exec(mozilla_plugin_t, mozilla_home_t)
+manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+
+manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+
+can_exec(mozilla_plugin_t, mozilla_exec_t)
+
+kernel_read_kernel_sysctls(mozilla_plugin_t)
+kernel_read_system_state(mozilla_plugin_t)
+kernel_read_network_state(mozilla_plugin_t)
+kernel_request_load_module(mozilla_plugin_t)
+
+corecmd_exec_bin(mozilla_plugin_t)
+corecmd_exec_shell(mozilla_plugin_t)
+
+corenet_all_recvfrom_netlabel(mozilla_plugin_t)
+corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
+corenet_tcp_connect_generic_port(mozilla_plugin_t)
+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+corenet_tcp_connect_http_port(mozilla_plugin_t)
+corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
+corenet_tcp_connect_squid_port(mozilla_plugin_t)
+corenet_tcp_connect_ipp_port(mozilla_plugin_t)
+corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
+corenet_tcp_connect_speech_port(mozilla_plugin_t)
+
+dev_read_rand(mozilla_plugin_t)
+dev_read_urand(mozilla_plugin_t)
+dev_read_video_dev(mozilla_plugin_t)
+dev_write_video_dev(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
+# for nvidia driver
+dev_rw_xserver_misc(mozilla_plugin_t)
+dev_dontaudit_rw_dri(mozilla_plugin_t)
+
+domain_use_interactive_fds(mozilla_plugin_t)
+domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+
+files_read_config_files(mozilla_plugin_t)
+files_read_usr_files(mozilla_plugin_t)
+files_list_mnt(mozilla_plugin_t)
+
+fs_getattr_all_fs(mozilla_plugin_t)
+fs_list_dos(mozilla_plugin_t)
+fs_read_dos_files(mozilla_plugin_t)
+
+application_dontaudit_signull(mozilla_plugin_t)
+
+auth_use_nsswitch(mozilla_plugin_t)
+
+logging_send_syslog_msg(mozilla_plugin_t)
+
+miscfiles_read_localization(mozilla_plugin_t)
+miscfiles_read_fonts(mozilla_plugin_t)
+miscfiles_read_generic_certs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
+
+sysnet_dns_name_resolve(mozilla_plugin_t)
+
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
+
+userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+userdom_read_user_tmp_files(mozilla_plugin_t)
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+
+
+xserver_user_x_domain_template(mozilla_plugin_t, mozilla_plugin_t, mozilla_plugin_tmpfs_t)
+
+tunable_policy(`allow_execmem',`
+ allow mozilla_plugin_t self:process { execmem execstack };
+')
+
+tunable_policy(`allow_execstack',`
+ allow mozilla_plugin_t self:process { execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mozilla_plugin_t)
+ fs_manage_nfs_files(mozilla_plugin_t)
+ fs_manage_nfs_symlinks(mozilla_plugin_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mozilla_plugin_t)
+ fs_manage_cifs_files(mozilla_plugin_t)
+ fs_manage_cifs_symlinks(mozilla_plugin_t)
+')
+
+optional_policy(`
+ alsa_read_rw_config(mozilla_plugin_t)
+ alsa_read_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mozilla_plugin_t)
+ dbus_session_bus_client(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ gnome_manage_config(mozilla_plugin_t)
+')
+
+optional_policy(`
+ java_exec(mozilla_plugin_t)
+')
+
+optional_policy(`
+ mplayer_exec(mozilla_plugin_t)
+ mplayer_read_user_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ pcscd_stream_connect(mozilla_plugin_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(mozilla_plugin_t)
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
+ pulseaudio_manage_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ xdg_read_generic_config_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(mozilla_plugin_t)
+ xserver_stream_connect(mozilla_plugin_t)
+ xserver_use_user_fonts(mozilla_plugin_t)
+')
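Review bot: The execmem/execstack booleans do not govern what their names say in the mozilla_plugin section: `execmem` is already granted unconditionally on the `allow mozilla_plugin_t self:process { getsched setsched signal_perms execmem };` line, so the `allow_execmem` tunable_policy block below it only adds `execstack`, and both that block and the mozilla_t one grant `execstack` under `allow_execmem`, which makes the separate `allow_execstack` tunable redundant and means switching it off does not remove executable-stack access while `allow_execmem` is on. Granting only `execmem` under `allow_execmem` (`allow mozilla_t self:process execmem;` and `allow mozilla_plugin_t self:process execmem;`), keeping `execstack` only under `allow_execstack` for both domains, and dropping `execmem` from the unconditional plugin line would make the booleans mean what they say; if the plugin genuinely needs execmem unconditionally, a comment saying why would help. Separately, the two `xserver_user_x_domain_template` calls pass `mozilla` and `mozilla_plugin_t` respectively as the first argument; if that argument is a name prefix, as the first call suggests, the second should probably be `mozilla_plugin`.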
diff --git a/policy/modules/contrib/mpd.fc b/policy/modules/contrib/mpd.fc
new file mode 100644
index 00000000..ddc14d6b
--- /dev/null
+++ b/policy/modules/contrib/mpd.fc
@@ -0,0 +1,8 @@
+/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0)
+/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0)
+
+/usr/bin/mpd -- gen_context(system_u:object_r:mpd_exec_t,s0)
+
+/var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0)
+/var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
+/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
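Review bot: `mpd_log_t` has no file context in this file, although mpd.te declares it with `logging_log_file(mpd_log_t)` and mpd.if's `mpd_admin` manages it; mpd.te also grants `mpd_t` no rule on `mpd_log_t`, so the log file that its dac_override comment refers to can never be labeled or written under that type. If mpd writes its log under /var/log, an entry such as `/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0)` here (path to be confirmed against the daemon's default configuration) together with `manage_files_pattern(mpd_t, mpd_log_t, mpd_log_t)` and `logging_log_filetrans(mpd_t, mpd_log_t, file)` in mpd.te would close the gap; otherwise the unused type should be dropped from mpd.te and from `mpd_admin`.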
diff --git a/policy/modules/contrib/mpd.if b/policy/modules/contrib/mpd.if
new file mode 100644
index 00000000..d72276ff
--- /dev/null
+++ b/policy/modules/contrib/mpd.if
@@ -0,0 +1,267 @@
+## <summary>Music Player Daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run mpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mpd_domtrans',`
+ gen_require(`
+ type mpd_t, mpd_exec_t;
+ ')
+
+ domtrans_pattern($1, mpd_exec_t, mpd_t)
+')
+
+########################################
+## <summary>
+## Execute mpd server in the mpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mpd_initrc_domtrans',`
+ gen_require(`
+ type mpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, mpd_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+## Read mpd data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_read_data_files',`
+ gen_require(`
+ type mpd_data_t;
+ ')
+
+ mpd_search_lib($1)
+ read_files_pattern($1, mpd_data_t, mpd_data_t)
+')
+
+######################################
+## <summary>
+## Manage mpd data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_manage_data_files',`
+ gen_require(`
+ type mpd_data_t;
+ ')
+
+ mpd_search_lib($1)
+ manage_files_pattern($1, mpd_data_t, mpd_data_t)
+')
+
+#######################################
+## <summary>
+## Read mpd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_read_tmpfs_files',`
+ gen_require(`
+ type mpd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
+###################################
+## <summary>
+## Manage mpd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_manage_tmpfs_files',`
+ gen_require(`
+ type mpd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Search mpd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_search_lib',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ allow $1 mpd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read mpd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_read_lib_files',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mpd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_manage_lib_files',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Create an object in the root directory, with a private
+## type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`mpd_var_lib_filetrans',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ filetrans_pattern($1, mpd_var_lib_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Manage mpd lib dirs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_manage_lib_dirs',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an mpd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mpd_admin',`
+ gen_require(`
+ type mpd_t, mpd_initrc_exec_t, mpd_etc_t;
+ type mpd_data_t, mpd_log_t, mpd_var_lib_t;
+ type mpd_tmpfs_t;
+ ')
+
+ allow $1 mpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mpd_t)
+
+ mpd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 mpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, mpd_etc_t)
+ files_list_etc($1)
+
+ files_list_var_lib($1)
+ admin_pattern($1, mpd_var_lib_t)
+
+ admin_pattern($1, mpd_data_t)
+
+ admin_pattern($1, mpd_log_t)
+
+ fs_list_tmpfs($1)
+ admin_pattern($1, mpd_tmpfs_t)
+')
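Review bot: The summary of `mpd_var_lib_filetrans` says "Create an object in the root directory", but the body calls `files_search_var_lib($1)` and `filetrans_pattern($1, mpd_var_lib_t, $2, $3)`, so the object is created in the mpd lib directory; the first summary line should read `## Create an object in the mpd lib directory, with a private` with the rest unchanged. `mpd_admin` covers mpd_etc_t, mpd_var_lib_t, mpd_data_t, mpd_log_t and mpd_tmpfs_t but not `mpd_tmp_t`, which mpd.te declares and transitions into under /tmp, so an administrator role cannot clean up mpd's temporary files; adding `type mpd_tmp_t;` to its gen_require and `files_list_tmp($1)` followed by `admin_pattern($1, mpd_tmp_t)` would match the pattern used for the other types. The summary of `mpd_manage_lib_dirs` reads "Manage mpd lib dirs files." and should probably be `## Manage mpd lib directories.`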
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
new file mode 100644
index 00000000..7f688728
--- /dev/null
+++ b/policy/modules/contrib/mpd.te
@@ -0,0 +1,126 @@
+policy_module(mpd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mpd_t;
+type mpd_exec_t;
+init_daemon_domain(mpd_t, mpd_exec_t)
+
+# type for music content
+type mpd_data_t;
+files_type(mpd_data_t)
+
+type mpd_etc_t;
+files_config_file(mpd_etc_t)
+
+type mpd_initrc_exec_t;
+init_script_file(mpd_initrc_exec_t)
+
+type mpd_log_t;
+logging_log_file(mpd_log_t)
+
+type mpd_tmp_t;
+files_tmp_file(mpd_tmp_t)
+
+type mpd_tmpfs_t;
+files_tmpfs_file(mpd_tmpfs_t)
+
+type mpd_var_lib_t;
+files_type(mpd_var_lib_t)
+
+########################################
+#
+# mpd local policy
+#
+
+# dac_override bug in mpd relating to mpd.log file
+allow mpd_t self:capability { dac_override kill setgid setuid };
+allow mpd_t self:process { getsched setsched setrlimit signal signull };
+allow mpd_t self:fifo_file rw_fifo_file_perms;
+allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow mpd_t self:tcp_socket create_stream_socket_perms;
+allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
+manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+
+read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
+
+manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file })
+
+manage_files_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t)
+manage_dirs_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t)
+fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file )
+
+manage_dirs_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file })
+
+# needed by pulseaudio
+kernel_getattr_proc(mpd_t)
+kernel_read_system_state(mpd_t)
+kernel_read_kernel_sysctls(mpd_t)
+
+corecmd_exec_bin(mpd_t)
+
+corenet_all_recvfrom_unlabeled(mpd_t)
+corenet_all_recvfrom_netlabel(mpd_t)
+corenet_tcp_sendrecv_generic_if(mpd_t)
+corenet_tcp_sendrecv_generic_node(mpd_t)
+corenet_tcp_bind_mpd_port(mpd_t)
+corenet_tcp_bind_soundd_port(mpd_t)
+corenet_tcp_connect_http_port(mpd_t)
+corenet_tcp_connect_http_cache_port(mpd_t)
+corenet_tcp_connect_pulseaudio_port(mpd_t)
+corenet_tcp_connect_soundd_port(mpd_t)
+corenet_sendrecv_http_client_packets(mpd_t)
+corenet_sendrecv_http_cache_client_packets(mpd_t)
+corenet_sendrecv_pulseaudio_client_packets(mpd_t)
+corenet_sendrecv_soundd_client_packets(mpd_t)
+
+dev_read_sound(mpd_t)
+dev_write_sound(mpd_t)
+dev_read_sysfs(mpd_t)
+
+files_read_usr_files(mpd_t)
+
+fs_getattr_tmpfs(mpd_t)
+fs_list_inotifyfs(mpd_t)
+fs_rw_anon_inodefs_files(mpd_t)
+
+auth_use_nsswitch(mpd_t)
+
+logging_send_syslog_msg(mpd_t)
+
+miscfiles_read_localization(mpd_t)
+
+optional_policy(`
+ alsa_read_rw_config(mpd_t)
+')
+
+optional_policy(`
+ consolekit_dbus_chat(mpd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mpd_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(mpd_t)
+ pulseaudio_stream_connect(mpd_t)
+ pulseaudio_signull(mpd_t)
+')
+
+optional_policy(`
+ udev_read_db(mpd_t)
+')
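Review bot: The comment above `allow mpd_t self:capability { dac_override kill setgid setuid };` explains only `dac_override`; `kill` bypasses the permission check for signalling processes owned by other users and deserves its own justification, e.g. `# kill: <reason to be confirmed>`, or should be dropped if no denial has been observed for it. The dac_override workaround on the same line is documented as an mpd bug, which is the kind of grant that benefits from a reference to the upstream issue so it can be removed once fixed. Minor: `fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file )` has a stray space before the closing parenthesis; every other filetrans call in the hunk is written without it.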
diff --git a/policy/modules/contrib/mplayer.fc b/policy/modules/contrib/mplayer.fc
new file mode 100644
index 00000000..5a37c50d
--- /dev/null
+++ b/policy/modules/contrib/mplayer.fc
@@ -0,0 +1,14 @@
+#
+# /etc
+#
+/etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
+/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+
+HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0)
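Review bot: `/usr/bin/vlc` and `/usr/bin/xine` are labeled `mplayer_exec_t`, so both players run in the mplayer domain with exactly the mplayer rules; that is presumably a deliberate sharing choice, but nothing in the file says so. A one-line comment above those two entries, such as `# vlc and xine share the mplayer domain; mplayer.te must stay general enough for all three`, would keep a later maintainer from tightening mplayer.te around mplayer alone.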
diff --git a/policy/modules/contrib/mplayer.if b/policy/modules/contrib/mplayer.if
new file mode 100644
index 00000000..d8ea41d1
--- /dev/null
+++ b/policy/modules/contrib/mplayer.if
@@ -0,0 +1,104 @@
+## <summary>Mplayer media player and encoder</summary>
+
+########################################
+## <summary>
+## Role access for mplayer
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`mplayer_role',`
+ gen_require(`
+ type mencoder_t, mencoder_exec_t;
+ type mplayer_t, mplayer_exec_t;
+ type mplayer_home_t;
+ ')
+
+ role $1 types { mencoder_t mplayer_t };
+
+ # domain transition
+ domtrans_pattern($2, mencoder_exec_t, mencoder_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, mencoder_t)
+ allow $2 mencoder_t:process signal_perms;
+
+ # Home access
+ manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
+ manage_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
+
+ # domain transition
+ domtrans_pattern($2, mplayer_exec_t, mplayer_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, mplayer_t)
+ allow $2 mplayer_t:process signal_perms;
+')
+
+########################################
+## <summary>
+## Run mplayer in mplayer domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mplayer_domtrans',`
+ gen_require(`
+ type mplayer_t, mplayer_exec_t;
+ ')
+
+ domtrans_pattern($1, mplayer_exec_t, mplayer_t)
+')
+
+########################################
+## <summary>
+## Execute mplayer in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`mplayer_exec',`
+ gen_require(`
+ type mplayer_exec_t;
+ ')
+
+ can_exec($1, mplayer_exec_t)
+')
+
+########################################
+## <summary>
+## Read mplayer per user homedir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mplayer_read_user_home_files',`
+ gen_require(`
+ type mplayer_home_t;
+ ')
+
+ read_files_pattern($1, mplayer_home_t, mplayer_home_t)
+ userdom_search_user_home_dirs($1)
+')
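Review bot: The header comment of `mplayer_exec` ends with two `#` lines where every other interface in the file ends with one; the second `#` should be dropped. Two summaries also lack the terminating period used elsewhere in the file: `## Role access for mplayer` and `## Read mplayer per user homedir`; `## Role access for mplayer.` and `## Read mplayer per user home directory files.` would match the other interfaces.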
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
new file mode 100644
index 00000000..0cdea57a
--- /dev/null
+++ b/policy/modules/contrib/mplayer.te
@@ -0,0 +1,311 @@
+policy_module(mplayer, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow mplayer executable stack
+## </p>
+## </desc>
+gen_tunable(allow_mplayer_execstack, false)
+
+type mencoder_t;
+type mencoder_exec_t;
+typealias mencoder_t alias { user_mencoder_t staff_mencoder_t sysadm_mencoder_t };
+typealias mencoder_t alias { auditadm_mencoder_t secadm_mencoder_t };
+userdom_user_application_domain(mencoder_t, mencoder_exec_t)
+
+type mplayer_t;
+type mplayer_exec_t;
+typealias mplayer_t alias { user_mplayer_t staff_mplayer_t sysadm_mplayer_t };
+typealias mplayer_t alias { auditadm_mplayer_t secadm_mplayer_t };
+userdom_user_application_domain(mplayer_t, mplayer_exec_t)
+
+type mplayer_etc_t;
+files_config_file(mplayer_etc_t)
+
+type mplayer_home_t;
+typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
+typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t };
+userdom_user_home_content(mplayer_home_t)
+
+type mplayer_tmpfs_t;
+typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t };
+typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t };
+userdom_user_tmpfs_file(mplayer_tmpfs_t)
+
+########################################
+#
+# mencoder local policy
+#
+
+manage_dirs_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+manage_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+manage_lnk_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+
+# Read global config
+allow mencoder_t mplayer_etc_t:dir list_dir_perms;
+read_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t)
+read_lnk_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t)
+
+# Read /proc files and directories
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+kernel_read_system_state(mencoder_t)
+# Sysctl on kernel version
+kernel_read_kernel_sysctls(mencoder_t)
+
+# Required for win32 binary loader
+dev_rwx_zero(mencoder_t)
+# Access to DVD/CD/V4L
+dev_read_video_dev(mencoder_t)
+
+# Read data in /usr/share (fonts, icons..)
+files_read_usr_files(mencoder_t)
+files_read_usr_symlinks(mencoder_t)
+
+fs_search_auto_mountpoints(mencoder_t)
+
+# Access to DVD/CD/V4L
+storage_raw_read_removable_device(mencoder_t)
+
+miscfiles_read_localization(mencoder_t)
+
+userdom_use_user_terminals(mencoder_t)
+# Handle removable media, /tmp, and /home
+userdom_list_user_tmp(mencoder_t)
+userdom_read_user_tmp_files(mencoder_t)
+userdom_read_user_tmp_symlinks(mencoder_t)
+userdom_read_user_home_content_files(mencoder_t)
+userdom_read_user_home_content_symlinks(mencoder_t)
+
+# Read content to encode
+ifndef(`enable_mls',`
+ fs_search_removable(mencoder_t)
+ fs_read_removable_files(mencoder_t)
+ fs_read_removable_symlinks(mencoder_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mencoder_t self:process execmem;
+')
+
+tunable_policy(`allow_execmod',`
+ dev_execmod_zero(mencoder_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+ allow mencoder_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mencoder_t)
+ fs_manage_nfs_files(mencoder_t)
+ fs_manage_nfs_symlinks(mencoder_t)
+
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mencoder_t)
+ fs_manage_cifs_files(mencoder_t)
+ fs_manage_cifs_symlinks(mencoder_t)
+
+')
+
+# Read content to encode
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mencoder_t)
+ files_list_home(mencoder_t)
+ fs_read_nfs_files(mencoder_t)
+ fs_read_nfs_symlinks(mencoder_t)
+
+',`
+ files_dontaudit_list_home(mencoder_t)
+ fs_dontaudit_list_auto_mountpoints(mencoder_t)
+ fs_dontaudit_read_nfs_files(mencoder_t)
+ fs_dontaudit_list_nfs(mencoder_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mencoder_t)
+ files_list_home(mencoder_t)
+ fs_read_cifs_files(mencoder_t)
+ fs_read_cifs_symlinks(mencoder_t)
+',`
+ files_dontaudit_list_home(mencoder_t)
+ fs_dontaudit_list_auto_mountpoints(mencoder_t)
+ fs_dontaudit_read_cifs_files(mencoder_t)
+ fs_dontaudit_list_cifs(mencoder_t)
+')
+
+########################################
+#
+# mplayer local policy
+#
+
+allow mplayer_t self:process { signal_perms getsched };
+allow mplayer_t self:fifo_file rw_fifo_file_perms;
+allow mplayer_t self:sem create_sem_perms;
+allow mplayer_t self:netlink_route_socket create_netlink_socket_perms;
+allow mplayer_t self:tcp_socket create_socket_perms;
+allow mplayer_t self:unix_dgram_socket sendto;
+
+manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir)
+
+manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_fifo_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_sock_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Read global config
+allow mplayer_t mplayer_etc_t:dir list_dir_perms;
+read_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t)
+read_lnk_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t)
+
+kernel_dontaudit_list_unlabeled(mplayer_t)
+kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
+kernel_dontaudit_read_unlabeled_files(mplayer_t)
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+kernel_read_system_state(mplayer_t)
+# Sysctl on kernel version
+kernel_read_kernel_sysctls(mplayer_t)
+
+corenet_all_recvfrom_netlabel(mplayer_t)
+corenet_all_recvfrom_unlabeled(mplayer_t)
+corenet_tcp_sendrecv_generic_if(mplayer_t)
+corenet_tcp_sendrecv_generic_node(mplayer_t)
+corenet_tcp_bind_generic_node(mplayer_t)
+corenet_tcp_connect_pulseaudio_port(mplayer_t)
+corenet_sendrecv_pulseaudio_client_packets(mplayer_t)
+
+# Run bash/sed (??)
+corecmd_exec_bin(mplayer_t)
+corecmd_exec_shell(mplayer_t)
+
+dev_read_rand(mplayer_t)
+dev_read_urand(mplayer_t)
+# Required for win32 binary loader
+dev_rwx_zero(mplayer_t)
+# Access to DVD/CD/V4L
+dev_read_video_dev(mplayer_t)
+dev_write_video_dev(mplayer_t)
+# Audio, alsa.conf
+dev_read_sound_mixer(mplayer_t)
+dev_write_sound_mixer(mplayer_t)
+# RTC clock
+dev_read_realtime_clock(mplayer_t)
+
+domain_use_interactive_fds(mplayer_t)
+
+# Access to DVD/CD/V4L
+storage_raw_read_removable_device(mplayer_t)
+
+files_read_etc_files(mplayer_t)
+files_dontaudit_list_non_security(mplayer_t)
+files_dontaudit_getattr_non_security_files(mplayer_t)
+files_read_non_security_files(mplayer_t)
+# Unfortunately the ancient file dialog starts in /
+files_list_home(mplayer_t)
+# Read /etc/mtab
+files_read_etc_runtime_files(mplayer_t)
+# Read data in /usr/share (fonts, icons..)
+files_read_usr_files(mplayer_t)
+files_read_usr_symlinks(mplayer_t)
+
+fs_dontaudit_getattr_all_fs(mplayer_t)
+fs_search_auto_mountpoints(mplayer_t)
+fs_list_inotifyfs(mplayer_t)
+
+miscfiles_read_localization(mplayer_t)
+miscfiles_read_fonts(mplayer_t)
+
+userdom_use_user_terminals(mplayer_t)
+# Read media files
+userdom_list_user_tmp(mplayer_t)
+userdom_read_user_tmp_files(mplayer_t)
+userdom_read_user_tmp_symlinks(mplayer_t)
+userdom_read_user_home_content_files(mplayer_t)
+userdom_read_user_home_content_symlinks(mplayer_t)
+userdom_write_user_tmp_sockets(mplayer_t)
+
+xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+
+# Read songs
+ifdef(`enable_mls',`',`
+ fs_search_removable(mplayer_t)
+ fs_read_removable_files(mplayer_t)
+ fs_read_removable_symlinks(mplayer_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mplayer_t self:process execmem;
+')
+
+tunable_policy(`allow_execmod',`
+ dev_execmod_zero(mplayer_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+ allow mplayer_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mplayer_t)
+ fs_manage_nfs_files(mplayer_t)
+ fs_manage_nfs_symlinks(mplayer_t)
+')
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mplayer_t)
+ fs_manage_cifs_files(mplayer_t)
+ fs_manage_cifs_symlinks(mplayer_t)
+')
+
+# Legacy domain issues
+tunable_policy(`allow_mplayer_execstack',`
+ allow mplayer_t mplayer_tmpfs_t:file execute;
+')
+
+# Read songs
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mplayer_t)
+ files_list_home(mplayer_t)
+ fs_read_nfs_files(mplayer_t)
+ fs_read_nfs_symlinks(mplayer_t)
+
+',`
+ files_dontaudit_list_home(mplayer_t)
+ fs_dontaudit_list_auto_mountpoints(mplayer_t)
+ fs_dontaudit_read_nfs_files(mplayer_t)
+ fs_dontaudit_list_nfs(mplayer_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mplayer_t)
+ files_list_home(mplayer_t)
+ fs_read_cifs_files(mplayer_t)
+ fs_read_cifs_symlinks(mplayer_t)
+',`
+ files_dontaudit_list_home(mplayer_t)
+ fs_dontaudit_list_auto_mountpoints(mplayer_t)
+ fs_dontaudit_read_cifs_files(mplayer_t)
+ fs_dontaudit_list_cifs(mplayer_t)
+')
+
+optional_policy(`
+ alsa_read_rw_config(mplayer_t)
+')
+
+optional_policy(`
+ nscd_socket_use(mplayer_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(mplayer_t)
+ pulseaudio_stream_connect(mplayer_t)
+')
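Review bot: The tmpfs transition `fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })` includes the `dir` class, but the mplayer_tmpfs_t rules above it only cover file, lnk_file, fifo_file and sock_file objects; `manage_files_pattern` yields rw_dir_perms on the directory type, not dir create, so unless the xserver template grants it, a directory the transition labels mplayer_tmpfs_t cannot actually be created by mplayer_t. Either add `manage_dirs_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)` beside the other manage_*_pattern lines or drop `dir` from the class list. Separately, the tunable description `Allow mplayer executable stack` understates the effect of `allow_mplayer_execstack`: its blocks grant `{ execmem execstack }` to both mencoder_t and mplayer_t and, in the `Legacy domain issues` block, execute on mplayer_tmpfs_t files, so a description such as `Allow mplayer and mencoder an executable stack and executable memory, and execution of mplayer tmpfs files` would let administrators judge what they are enabling. The duplicated `use_nfs_home_dirs`/`use_samba_home_dirs` tunable_policy blocks per domain could be merged, and the stray blank lines before `')` inside them removed.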
diff --git a/policy/modules/contrib/mrtg.fc b/policy/modules/contrib/mrtg.fc
new file mode 100644
index 00000000..37fb9536
--- /dev/null
+++ b/policy/modules/contrib/mrtg.fc
@@ -0,0 +1,18 @@
+#
+# /etc
+#
+/etc/mrtg.* gen_context(system_u:object_r:mrtg_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/mrtg -- gen_context(system_u:object_r:mrtg_exec_t,s0)
+/etc/mrtg/mrtg\.ok -- gen_context(system_u:object_r:mrtg_lock_t,s0)
+
+#
+# /var
+#
+/var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0)
+/var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
+/var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0)
+/var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0)
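Review bot: `/etc/mrtg/mrtg\.ok -- gen_context(system_u:object_r:mrtg_lock_t,s0)` is filed under the `# /usr` header although it is an /etc path; move it up under `# /etc`, directly after the `/etc/mrtg.*` entry, so the path-sorted layout stays readable and the more specific lock-file pattern sits beside the broader config pattern it refines. No labeling change is needed.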
diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if
new file mode 100644
index 00000000..5970b9c0
--- /dev/null
+++ b/policy/modules/contrib/mrtg.if
@@ -0,0 +1,20 @@
+## <summary>Network traffic graphing</summary>
+
+########################################
+## <summary>
+## Create and append mrtg logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mrtg_append_create_logs',`
+ gen_require(`
+ type mrtg_log_t;
+ ')
+
+ append_files_pattern($1, mrtg_log_t, mrtg_log_t)
+ create_files_pattern($1, mrtg_log_t, mrtg_log_t)
+')
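Review bot: `mrtg_append_create_logs` grants the caller search on the mrtg_log_t directory through `append_files_pattern`/`create_files_pattern`, but nothing in the interface lets it traverse /var/log to reach that directory; the usual companion for this kind of interface is `logging_search_logs($1)` after the gen_require block. Without it, a caller that does not already search the log tree on its own would be denied before reaching the mrtg log files. If every expected caller already has that access, a one-line comment saying so would save the next reader the check.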
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
new file mode 100644
index 00000000..0e19d802
--- /dev/null
+++ b/policy/modules/contrib/mrtg.te
@@ -0,0 +1,160 @@
+policy_module(mrtg, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type mrtg_t;
+type mrtg_exec_t;
+init_system_domain(mrtg_t, mrtg_exec_t)
+
+type mrtg_etc_t;
+files_config_file(mrtg_etc_t)
+
+type mrtg_lock_t;
+files_lock_file(mrtg_lock_t)
+
+type mrtg_log_t;
+logging_log_file(mrtg_log_t)
+
+type mrtg_var_lib_t;
+files_type(mrtg_var_lib_t)
+
+type mrtg_var_run_t;
+files_pid_file(mrtg_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mrtg_t self:capability { setgid setuid chown };
+dontaudit mrtg_t self:capability sys_tty_config;
+allow mrtg_t self:process signal_perms;
+allow mrtg_t self:fifo_file rw_fifo_file_perms;
+allow mrtg_t self:unix_stream_socket create_socket_perms;
+allow mrtg_t self:tcp_socket create_socket_perms;
+allow mrtg_t self:udp_socket create_socket_perms;
+
+allow mrtg_t mrtg_etc_t:dir list_dir_perms;
+read_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
+read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
+dontaudit mrtg_t mrtg_etc_t:dir write;
+dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
+
+manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
+manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
+
+manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })
+
+manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
+manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
+
+allow mrtg_t mrtg_var_run_t:file manage_file_perms;
+files_pid_filetrans(mrtg_t, mrtg_var_run_t, file)
+
+kernel_read_system_state(mrtg_t)
+kernel_read_network_state(mrtg_t)
+kernel_read_kernel_sysctls(mrtg_t)
+
+corecmd_exec_bin(mrtg_t)
+corecmd_exec_shell(mrtg_t)
+
+corenet_all_recvfrom_unlabeled(mrtg_t)
+corenet_all_recvfrom_netlabel(mrtg_t)
+corenet_tcp_sendrecv_generic_if(mrtg_t)
+corenet_udp_sendrecv_generic_if(mrtg_t)
+corenet_tcp_sendrecv_generic_node(mrtg_t)
+corenet_udp_sendrecv_generic_node(mrtg_t)
+corenet_tcp_sendrecv_all_ports(mrtg_t)
+corenet_udp_sendrecv_all_ports(mrtg_t)
+corenet_tcp_connect_all_ports(mrtg_t)
+corenet_sendrecv_all_client_packets(mrtg_t)
+
+dev_read_sysfs(mrtg_t)
+dev_read_urand(mrtg_t)
+
+domain_use_interactive_fds(mrtg_t)
+domain_dontaudit_search_all_domains_state(mrtg_t)
+
+files_read_usr_files(mrtg_t)
+files_search_var(mrtg_t)
+files_search_locks(mrtg_t)
+files_search_var_lib(mrtg_t)
+files_search_spool(mrtg_t)
+files_getattr_tmp_dirs(mrtg_t)
+# for uptime
+files_read_etc_runtime_files(mrtg_t)
+# read config files
+files_read_etc_files(mrtg_t)
+
+fs_search_auto_mountpoints(mrtg_t)
+fs_getattr_xattr_fs(mrtg_t)
+fs_list_inotifyfs(mrtg_t)
+
+term_dontaudit_use_console(mrtg_t)
+
+init_use_fds(mrtg_t)
+init_use_script_ptys(mrtg_t)
+# for uptime
+init_read_utmp(mrtg_t)
+init_dontaudit_write_utmp(mrtg_t)
+
+auth_use_nsswitch(mrtg_t)
+
+libs_read_lib_files(mrtg_t)
+
+logging_send_syslog_msg(mrtg_t)
+
+miscfiles_read_localization(mrtg_t)
+
+selinux_dontaudit_getattr_dir(mrtg_t)
+
+userdom_use_user_terminals(mrtg_t)
+userdom_dontaudit_read_user_home_content_files(mrtg_t)
+userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+
+netutils_domtrans_ping(mrtg_t)
+
+ifdef(`enable_mls',`
+ corenet_udp_sendrecv_lo_if(mrtg_t)
+')
+
+ifdef(`distro_redhat',`
+ allow mrtg_t mrtg_lock_t:file manage_file_perms;
+ filetrans_pattern(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
+')
+
+optional_policy(`
+ apache_manage_sys_content(mrtg_t)
+')
+
+optional_policy(`
+ cron_system_entry(mrtg_t, mrtg_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(mrtg_t)
+')
+
+optional_policy(`
+ hddtemp_domtrans(mrtg_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(mrtg_t)
+')
+
+optional_policy(`
+ quota_dontaudit_getattr_db(mrtg_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(mrtg_t)
+')
+
+optional_policy(`
+ udev_read_db(mrtg_t)
+')
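Review bot: The grants `corenet_tcp_sendrecv_all_ports(mrtg_t)`, `corenet_udp_sendrecv_all_ports(mrtg_t)`, `corenet_tcp_connect_all_ports(mrtg_t)` and `corenet_sendrecv_all_client_packets(mrtg_t)` let a cron-driven system domain connect to any TCP port on any host, which is much wider than the SNMP polling mrtg normally does. If the intent is to cover user-supplied collection scripts run through `corecmd_exec_bin`/`corecmd_exec_shell`, a comment such as `# mrtg configs may run arbitrary collection scripts that reach any port` above those lines would record the decision; otherwise the per-port SNMP interfaces would be the least-privilege choice. Also, `allow mrtg_t mrtg_lock_t:file manage_file_perms;` inside the distro_redhat block duplicates what `manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)` already grants unconditionally, so only the `filetrans_pattern` line needs to stay there.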
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
new file mode 100644
index 00000000..256166a9
--- /dev/null
+++ b/policy/modules/contrib/mta.fc
@@ -0,0 +1,30 @@
+HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+
+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
+/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+')
+
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+
+/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
new file mode 100644
index 00000000..4e2a5bad
--- /dev/null
+++ b/policy/modules/contrib/mta.if
@@ -0,0 +1,903 @@
+## <summary>Policy common to all email tranfer agents.</summary>
+
+########################################
+## <summary>
+## MTA stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_stub',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+')
+
+#######################################
+## <summary>
+## Basic mail transfer agent domain template.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domain which is
+## a email transfer agent, which sends mail on
+## behalf of the user.
+## </p>
+## <p>
+## This is the basic types and rules, common
+## to the system agent and user agents.
+## </p>
+## </desc>
+## <param name="domain_prefix">
+## <summary>
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`mta_base_mail_template',`
+
+ gen_require(`
+ attribute user_mail_domain;
+ type sendmail_exec_t;
+ ')
+
+ ##############################
+ #
+ # $1_mail_t declarations
+ #
+
+ type $1_mail_t, user_mail_domain;
+ application_domain($1_mail_t, sendmail_exec_t)
+
+ type $1_mail_tmp_t;
+ files_tmp_file($1_mail_tmp_t)
+
+ ##############################
+ #
+ # $1_mail_t local policy
+ #
+
+ allow $1_mail_t self:capability { setuid setgid chown };
+ allow $1_mail_t self:process { signal_perms setrlimit };
+ allow $1_mail_t self:tcp_socket create_socket_perms;
+
+ # re-exec itself
+ can_exec($1_mail_t, sendmail_exec_t)
+ allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
+
+ kernel_read_system_state($1_mail_t)
+ kernel_read_kernel_sysctls($1_mail_t)
+
+ corenet_all_recvfrom_unlabeled($1_mail_t)
+ corenet_all_recvfrom_netlabel($1_mail_t)
+ corenet_tcp_sendrecv_generic_if($1_mail_t)
+ corenet_tcp_sendrecv_generic_node($1_mail_t)
+ corenet_tcp_sendrecv_all_ports($1_mail_t)
+ corenet_tcp_connect_all_ports($1_mail_t)
+ corenet_tcp_connect_smtp_port($1_mail_t)
+ corenet_sendrecv_smtp_client_packets($1_mail_t)
+
+ corecmd_exec_bin($1_mail_t)
+
+ files_read_etc_files($1_mail_t)
+ files_search_spool($1_mail_t)
+ # It wants to check for nscd
+ files_dontaudit_search_pids($1_mail_t)
+
+ auth_use_nsswitch($1_mail_t)
+
+ init_dontaudit_rw_utmp($1_mail_t)
+
+ logging_send_syslog_msg($1_mail_t)
+
+ miscfiles_read_localization($1_mail_t)
+
+ optional_policy(`
+ exim_read_log($1_mail_t)
+ exim_append_log($1_mail_t)
+ exim_manage_spool_files($1_mail_t)
+ ')
+
+ optional_policy(`
+ postfix_domtrans_user_mail_handler($1_mail_t)
+ ')
+
+ optional_policy(`
+ procmail_exec($1_mail_t)
+ ')
+
+ optional_policy(`
+ qmail_domtrans_inject($1_mail_t)
+ ')
+
+ optional_policy(`
+ gen_require(`
+ type etc_mail_t, mail_spool_t, mqueue_spool_t;
+ ')
+
+ manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
+ manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
+ files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
+
+ allow $1_mail_t etc_mail_t:dir search_dir_perms;
+
+ # Write to /var/spool/mail and /var/spool/mqueue.
+ manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)
+ manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t)
+
+ # Check available space.
+ fs_getattr_xattr_fs($1_mail_t)
+
+ files_read_etc_runtime_files($1_mail_t)
+
+ # Write to /var/log/sendmail.st
+ sendmail_manage_log($1_mail_t)
+ sendmail_create_log($1_mail_t)
+ ')
+
+ optional_policy(`
+ uucp_manage_spool($1_mail_t)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for mta
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`mta_role',`
+ gen_require(`
+ attribute mta_user_agent;
+ type user_mail_t, sendmail_exec_t;
+ ')
+
+ role $1 types { user_mail_t mta_user_agent };
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, sendmail_exec_t, user_mail_t)
+ allow $2 sendmail_exec_t:lnk_file { getattr read };
+
+ allow mta_user_agent $2:fd use;
+ allow mta_user_agent $2:process sigchld;
+ allow mta_user_agent $2:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Make the specified domain usable for a mail server.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a mail server domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`mta_mailserver',`
+ gen_require(`
+ attribute mailserver_domain;
+ ')
+
+ init_daemon_domain($1, $2)
+ typeattribute $1 mailserver_domain;
+')
+
+########################################
+## <summary>
+## Make the specified type a MTA executable file.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a mail client.
+## </summary>
+## </param>
+#
+interface(`mta_agent_executable',`
+ gen_require(`
+ attribute mta_exec_type;
+ ')
+
+ typeattribute $1 mta_exec_type;
+
+ application_executable_file($1)
+')
+
+########################################
+## <summary>
+## Make the specified type by a system MTA.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a mail client.
+## </summary>
+## </param>
+#
+interface(`mta_system_content',`
+ gen_require(`
+ attribute mailcontent_type;
+ ')
+
+ typeattribute $1 mailcontent_type;
+')
+
+########################################
+## <summary>
+## Modified mailserver interface for
+## sendmail daemon use.
+## </summary>
+## <desc>
+## <p>
+## A modified MTA mail server interface for
+## the sendmail program. It's design does
+## not fit well with policy, and using the
+## regular interface causes a type_transition
+## conflict if direct running of init scripts
+## is enabled.
+## </p>
+## <p>
+## This interface should most likely only be used
+## by the sendmail policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type to be used for the mail server.
+## </summary>
+## </param>
+#
+interface(`mta_sendmail_mailserver',`
+ gen_require(`
+ attribute mailserver_domain;
+ type sendmail_exec_t;
+ ')
+
+ init_system_domain($1, sendmail_exec_t)
+ typeattribute $1 mailserver_domain;
+')
+
+#######################################
+## <summary>
+## Make a type a mailserver type used
+## for sending mail.
+## </summary>
+## <param name="domain">
+## <summary>
+## Mail server domain type used for sending mail.
+## </summary>
+## </param>
+#
+interface(`mta_mailserver_sender',`
+ gen_require(`
+ attribute mailserver_sender;
+ ')
+
+ typeattribute $1 mailserver_sender;
+')
+
+#######################################
+## <summary>
+## Make a type a mailserver type used
+## for delivering mail to local users.
+## </summary>
+## <param name="domain">
+## <summary>
+## Mail server domain type used for delivering mail.
+## </summary>
+## </param>
+#
+interface(`mta_mailserver_delivery',`
+ gen_require(`
+ attribute mailserver_delivery;
+ type mail_spool_t;
+ ')
+
+ typeattribute $1 mailserver_delivery;
+')
+
+#######################################
+## <summary>
+## Make a type a mailserver type used
+## for sending mail on behalf of local
+## users to the local mail spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Mail server domain type used for sending local mail.
+## </summary>
+## </param>
+#
+interface(`mta_mailserver_user_agent',`
+ gen_require(`
+ attribute mta_user_agent;
+ ')
+
+ typeattribute $1 mta_user_agent;
+
+ optional_policy(`
+ # apache should set close-on-exec
+ apache_dontaudit_rw_stream_sockets($1)
+ apache_dontaudit_rw_sys_script_stream_sockets($1)
+ ')
+')
+
+########################################
+## <summary>
+## Send mail from the system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mta_send_mail',`
+ gen_require(`
+ attribute mta_user_agent;
+ type system_mail_t;
+ attribute mta_exec_type;
+ ')
+
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ corecmd_read_bin_symlinks($1)
+ domtrans_pattern($1, mta_exec_type, system_mail_t)
+
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+ allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
+
+ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Execute send mail in a specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute send mail in a specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+#
+interface(`mta_sendmail_domtrans',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_read_bin_symlinks($1)
+ domain_auto_trans($1, sendmail_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Send system mail client a signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`mta_signal_system_mail',`
+ gen_require(`
+ type system_mail_t;
+ ')
+
+ allow $1 system_mail_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute sendmail in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_sendmail_exec',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ can_exec($1, sendmail_exec_t)
+')
+
+########################################
+## <summary>
+## Read mail server configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_read_config',`
+ gen_require(`
+ type etc_mail_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 etc_mail_t:dir list_dir_perms;
+ read_files_pattern($1, etc_mail_t, etc_mail_t)
+ read_lnk_files_pattern($1, etc_mail_t, etc_mail_t)
+')
+
+########################################
+## <summary>
+## write mail server configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_write_config',`
+ gen_require(`
+ type etc_mail_t;
+ ')
+
+ write_files_pattern($1, etc_mail_t, etc_mail_t)
+')
+
+########################################
+## <summary>
+## Read mail address aliases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 etc_aliases_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete mail address aliases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+')
+
+########################################
+## <summary>
+## Type transition files created in /etc
+## to the mail address aliases type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_etc_filetrans_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_etc_filetrans($1, etc_aliases_t, file)
+')
+
+########################################
+## <summary>
+## Read and write mail aliases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_rw_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 etc_aliases_t:file { rw_file_perms setattr };
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read and write TCP
+## sockets of mail delivery domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+ gen_require(`
+ attribute mailserver_delivery;
+ ')
+
+ dontaudit $1 mailserver_delivery:tcp_socket { read write };
+')
+
+#######################################
+## <summary>
+## Connect to all mail servers over TCP. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_tcp_connect_all_mailservers',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read a symlink
+## in the mail spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_dontaudit_read_spool_symlinks',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ dontaudit $1 mail_spool_t:lnk_file read;
+')
+
+########################################
+## <summary>
+## Get the attributes of mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_getattr_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_spool_t:dir list_dir_perms;
+ getattr_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_dontaudit_getattr_spool_files',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_dontaudit_search_spool($1)
+ dontaudit $1 mail_spool_t:dir search_dir_perms;
+ dontaudit $1 mail_spool_t:lnk_file read;
+ dontaudit $1 mail_spool_t:file getattr;
+')
+
+#######################################
+## <summary>
+## Create private objects in the
+## mail spool directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`mta_spool_filetrans',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ filetrans_pattern($1, mail_spool_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read and write the mail spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_rw_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_spool_t:dir list_dir_perms;
+ allow $1 mail_spool_t:file setattr;
+ rw_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+#######################################
+## <summary>
+## Create, read, and write the mail spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_append_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_spool_t:dir list_dir_perms;
+ create_files_pattern($1, mail_spool_t, mail_spool_t)
+ write_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+#######################################
+## <summary>
+## Delete from the mail spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_delete_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ delete_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
+ manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+########################################
+## <summary>
+## Search mail queue dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_search_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mqueue_spool_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+## List the mail queue.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_list_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ allow $1 mqueue_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+')
+
+#######################################
+## <summary>
+## Read the mail queue.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ files_search_spool($1)
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read and
+## write the mail queue.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_dontaudit_rw_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ dontaudit $1 mqueue_spool_t:dir search_dir_perms;
+ dontaudit $1 mqueue_spool_t:file { getattr read write };
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mail queue files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+')
+
+#######################################
+## <summary>
+## Read sendmail binary.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for postfix
+interface(`mta_read_sendmail_bin',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ allow $1 sendmail_exec_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Read and write unix domain stream sockets
+## of user mail domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_rw_user_mail_stream_sockets',`
+ gen_require(`
+ attribute user_mail_domain;
+ ')
+
+ allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
+')
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
new file mode 100644
index 00000000..51be8ac7
--- /dev/null
+++ b/policy/modules/contrib/mta.te
@@ -0,0 +1,294 @@
+policy_module(mta, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mailcontent_type;
+attribute mta_exec_type;
+attribute mta_user_agent;
+attribute mailserver_delivery;
+attribute mailserver_domain;
+attribute mailserver_sender;
+
+attribute user_mail_domain;
+
+type etc_aliases_t;
+files_type(etc_aliases_t)
+
+type etc_mail_t;
+files_config_file(etc_mail_t)
+
+type mail_forward_t;
+files_type(mail_forward_t)
+
+type mqueue_spool_t;
+files_mountpoint(mqueue_spool_t)
+
+type mail_spool_t;
+files_mountpoint(mail_spool_t)
+
+type sendmail_exec_t;
+mta_agent_executable(sendmail_exec_t)
+
+mta_base_mail_template(system)
+role system_r types system_mail_t;
+
+mta_base_mail_template(user)
+typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
+typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
+typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
+typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
+userdom_user_application_type(user_mail_t)
+userdom_user_tmp_file(user_mail_tmp_t)
+
+########################################
+#
+# System mail local policy
+#
+
+# newalias required this, not sure if it is needed in 'if' file
+allow system_mail_t self:capability { dac_override fowner };
+allow system_mail_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+
+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
+
+allow system_mail_t mail_forward_t:file read_file_perms;
+
+allow system_mail_t mta_exec_type:file entrypoint;
+
+can_exec(system_mail_t, mta_exec_type)
+
+kernel_read_system_state(system_mail_t)
+kernel_read_network_state(system_mail_t)
+kernel_request_load_module(system_mail_t)
+
+dev_read_sysfs(system_mail_t)
+dev_read_rand(system_mail_t)
+dev_read_urand(system_mail_t)
+
+files_read_usr_files(system_mail_t)
+
+fs_rw_anon_inodefs_files(system_mail_t)
+
+selinux_getattr_fs(system_mail_t)
+
+term_dontaudit_use_unallocated_ttys(system_mail_t)
+
+init_use_script_ptys(system_mail_t)
+
+userdom_use_user_terminals(system_mail_t)
+userdom_dontaudit_search_user_home_dirs(system_mail_t)
+
+optional_policy(`
+ apache_read_squirrelmail_data(system_mail_t)
+ apache_append_squirrelmail_data(system_mail_t)
+
+ # apache should set close-on-exec
+ apache_dontaudit_append_log(system_mail_t)
+ apache_dontaudit_rw_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_tcp_sockets(system_mail_t)
+ apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+')
+
+optional_policy(`
+ arpwatch_manage_tmp_files(system_mail_t)
+
+ ifdef(`hide_broken_symptoms', `
+ arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
+ ')
+')
+
+optional_policy(`
+ clamav_stream_connect(system_mail_t)
+ clamav_append_log(system_mail_t)
+')
+
+optional_policy(`
+ cron_read_system_job_tmp_files(system_mail_t)
+ cron_dontaudit_write_pipes(system_mail_t)
+ cron_rw_system_job_stream_sockets(system_mail_t)
+')
+
+optional_policy(`
+ courier_manage_spool_dirs(system_mail_t)
+ courier_manage_spool_files(system_mail_t)
+ courier_rw_spool_pipes(system_mail_t)
+')
+
+optional_policy(`
+ cvs_read_data(system_mail_t)
+')
+
+optional_policy(`
+ exim_domtrans(system_mail_t)
+ exim_manage_log(system_mail_t)
+')
+
+optional_policy(`
+ fail2ban_append_log(system_mail_t)
+')
+
+optional_policy(`
+ logrotate_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ logwatch_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ # newaliases runs as system_mail_t when the sendmail initscript does a restart
+ milter_getattr_all_sockets(system_mail_t)
+')
+
+optional_policy(`
+ nagios_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ manage_dirs_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_lnk_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
+
+ domain_use_interactive_fds(system_mail_t)
+
+ # postfix needs this for newaliases
+ files_getattr_tmp_dirs(system_mail_t)
+
+ postfix_exec_master(system_mail_t)
+ postfix_read_config(system_mail_t)
+ postfix_search_spool(system_mail_t)
+
+ ifdef(`distro_redhat',`
+ # compatability for old default main.cf
+ postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
+ ')
+')
+
+optional_policy(`
+ qmail_domtrans_inject(system_mail_t)
+')
+
+optional_policy(`
+ sxid_read_log(system_mail_t)
+')
+
+optional_policy(`
+ userdom_dontaudit_use_user_ptys(system_mail_t)
+
+ optional_policy(`
+ cron_dontaudit_append_system_job_tmp_files(system_mail_t)
+ ')
+')
+
+optional_policy(`
+ smartmon_read_tmp_files(system_mail_t)
+')
+
+# should break this up among sections:
+
+optional_policy(`
+ # why is mail delivered to a directory of type arpwatch_data_t?
+ arpwatch_search_data(mailserver_delivery)
+ arpwatch_manage_tmp_files(mta_user_agent)
+
+ ifdef(`hide_broken_symptoms', `
+ arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
+ ')
+
+ optional_policy(`
+ cron_read_system_job_tmp_files(mta_user_agent)
+ ')
+')
+
+########################################
+#
+# Mailserver delivery local policy
+#
+
+allow mailserver_delivery mail_spool_t:dir list_dir_perms;
+create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+
+read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
+
+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mailserver_delivery)
+ fs_manage_cifs_files(mailserver_delivery)
+ fs_manage_cifs_symlinks(mailserver_delivery)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mailserver_delivery)
+ fs_manage_nfs_files(mailserver_delivery)
+ fs_manage_nfs_symlinks(mailserver_delivery)
+')
+
+optional_policy(`
+ dovecot_manage_spool(mailserver_delivery)
+ dovecot_domtrans_deliver(mailserver_delivery)
+')
+
+optional_policy(`
+ # so MTA can access /var/lib/mailman/mail/wrapper
+ files_search_var_lib(mailserver_delivery)
+
+ mailman_domtrans(mailserver_delivery)
+ mailman_read_data_symlinks(mailserver_delivery)
+')
+
+########################################
+#
+# User send mail local policy
+#
+
+domain_use_interactive_fds(user_mail_t)
+
+userdom_use_user_terminals(user_mail_t)
+# Write to the user domain tty. cjp: why?
+userdom_use_user_terminals(mta_user_agent)
+# Create dead.letter in user home directories.
+userdom_manage_user_home_content_files(user_mail_t)
+userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+userdom_manage_user_home_content_dirs(mailserver_delivery)
+userdom_manage_user_home_content_files(mailserver_delivery)
+userdom_manage_user_home_content_symlinks(mailserver_delivery)
+userdom_manage_user_home_content_pipes(mailserver_delivery)
+userdom_manage_user_home_content_sockets(mailserver_delivery)
+userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
+# Read user temporary files.
+userdom_read_user_tmp_files(user_mail_t)
+userdom_dontaudit_append_user_tmp_files(user_mail_t)
+# cjp: this should probably be read all user tmp
+# files in an appropriate place for mta_user_agent
+userdom_read_user_tmp_files(mta_user_agent)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(user_mail_t)
+ fs_manage_cifs_symlinks(user_mail_t)
+')
+
+optional_policy(`
+ allow user_mail_t self:capability dac_override;
+
+ # Read user temporary files.
+ # postfix seems to need write access if the file handle is opened read/write
+ userdom_rw_user_tmp_files(user_mail_t)
+
+ postfix_read_config(user_mail_t)
+ postfix_list_spool(user_mail_t)
+')
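Review bot: `allow user_mail_t self:capability dac_override;` at the head of the postfix optional_policy block (end of the "User send mail local policy" section) is undocumented, and it lets a user-invoked mail agent bypass DAC on every object its type rules already reach — including whatever `userdom_manage_user_home_content_files(user_mail_t)` grants a few lines earlier; if that home-content type is shared between users, DAC ownership is the only separation left between one user's mail agent and another user's files. The same capability is given to system_mail_t at the top of the system mail section with a comment that only newaliases needed it and that the need is uncertain, while the postfix block in that section is the one that mentions newaliases. I would record the justification next to each grant, e.g. `# TODO(review): document which postfix operation needs dac_override; it bypasses DAC on all home content user_mail_t can already reach`, and, if newaliases really is the only consumer for system_mail_t, move that `{ dac_override fowner }` grant into the optional_policy block that covers it. The `# compatability` comment in the distro_redhat block is a typo for "compatibility".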
diff --git a/policy/modules/contrib/munin.fc b/policy/modules/contrib/munin.fc
new file mode 100644
index 00000000..fd71d69f
--- /dev/null
+++ b/policy/modules/contrib/munin.fc
@@ -0,0 +1,69 @@
+/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
+/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
+
+/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+
+# disk plugins
+/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+
+# mail plugins
+/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+
+# services plugins
+/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+
+# system plugins
+/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+
+/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
+/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
diff --git a/policy/modules/contrib/munin.if b/policy/modules/contrib/munin.if
new file mode 100644
index 00000000..c358d8fb
--- /dev/null
+++ b/policy/modules/contrib/munin.if
@@ -0,0 +1,203 @@
+## <summary>Munin network-wide load graphing (formerly LRRD)</summary>
+
+########################################
+## <summary>
+## Create a set of derived types for various
+## munin plugins,
+## </summary>
+## <param name="prefix">
+## <summary>
+## The name to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`munin_plugin_template',`
+ gen_require(`
+ type munin_t, munin_exec_t, munin_etc_t;
+ ')
+
+ type $1_munin_plugin_t;
+ type $1_munin_plugin_exec_t;
+ typealias $1_munin_plugin_t alias munin_$1_plugin_t;
+ typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
+ application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t)
+ role system_r types $1_munin_plugin_t;
+
+ type $1_munin_plugin_tmp_t;
+ typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t;
+ files_tmp_file($1_munin_plugin_tmp_t)
+
+ allow $1_munin_plugin_t self:fifo_file rw_fifo_file_perms;
+
+ manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+ manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+ files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
+
+ # automatic transition rules from munin domain
+ # to specific munin plugin domain
+ domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
+
+ allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
+ allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
+
+ read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t)
+
+ kernel_read_system_state($1_munin_plugin_t)
+
+ corecmd_exec_bin($1_munin_plugin_t)
+
+ miscfiles_read_localization($1_munin_plugin_t)
+')
+
+########################################
+## <summary>
+## Connect to munin over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_stream_connect',`
+ gen_require(`
+ type munin_var_run_t, munin_t;
+ ')
+
+ allow $1 munin_t:unix_stream_socket connectto;
+ allow $1 munin_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
+')
+
+#######################################
+## <summary>
+## Read munin configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_read_config',`
+ gen_require(`
+ type munin_etc_t;
+ ')
+
+ allow $1 munin_etc_t:dir list_dir_perms;
+ allow $1 munin_etc_t:file read_file_perms;
+ allow $1 munin_etc_t:lnk_file { getattr read };
+ files_search_etc($1)
+')
+
+#######################################
+## <summary>
+## Append to the munin log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_append_log',`
+ gen_require(`
+ type munin_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 munin_log_t:dir list_dir_perms;
+ append_files_pattern($1, munin_log_t, munin_log_t)
+')
+
+#######################################
+## <summary>
+## Search munin library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_search_lib',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ allow $1 munin_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to search
+## munin library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`munin_dontaudit_search_lib',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ dontaudit $1 munin_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an munin environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the munin domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_admin',`
+ gen_require(`
+ type munin_t, munin_etc_t, munin_tmp_t;
+ type munin_log_t, munin_var_lib_t, munin_var_run_t;
+ type httpd_munin_content_t;
+ type munin_initrc_exec_t;
+ ')
+
+ allow $1 munin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, munin_t)
+
+ init_labeled_script_domtrans($1, munin_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 munin_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, munin_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, munin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, munin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, munin_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, munin_var_run_t)
+
+ admin_pattern($1, httpd_munin_content_t)
+')
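Review bot: The munin_plugin_template summary ("Create a set of derived types for various munin plugins,") ends mid-sentence and does not say what the template declares, which is exactly what a caller such as munin.te needs: the domain `$1_munin_plugin_t` with entrypoint `$1_munin_plugin_exec_t`, the tmp type `$1_munin_plugin_tmp_t`, the legacy `munin_$1_plugin_*` aliases, the automatic transition from munin_t, and the fact that every plugin domain gets corecmd_exec_bin. I would replace the summary with `## Create a munin plugin domain ($1_munin_plugin_t), its entrypoint and tmp types (aliased munin_$1_plugin_*), and the automatic transition from munin_t.` and add a `<param name="prefix">` sentence that the prefix becomes part of the type names. As a style point, munin_read_config spells out `allow $1 munin_etc_t:lnk_file { getattr read };` where the rest of the module uses the pattern macros; `read_lnk_files_pattern($1, munin_etc_t, munin_etc_t)` would match the equivalent munin_t rule in munin.te.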
diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te
new file mode 100644
index 00000000..f17583b6
--- /dev/null
+++ b/policy/modules/contrib/munin.te
@@ -0,0 +1,315 @@
+policy_module(munin, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type munin_t alias lrrd_t;
+type munin_exec_t alias lrrd_exec_t;
+init_daemon_domain(munin_t, munin_exec_t)
+
+type munin_etc_t alias lrrd_etc_t;
+files_config_file(munin_etc_t)
+
+type munin_initrc_exec_t;
+init_script_file(munin_initrc_exec_t)
+
+type munin_log_t alias lrrd_log_t;
+logging_log_file(munin_log_t)
+
+type munin_tmp_t alias lrrd_tmp_t;
+files_tmp_file(munin_tmp_t)
+
+type munin_var_lib_t alias lrrd_var_lib_t;
+files_type(munin_var_lib_t)
+
+type munin_var_run_t alias lrrd_var_run_t;
+files_pid_file(munin_var_run_t)
+
+munin_plugin_template(disk)
+
+munin_plugin_template(mail)
+
+munin_plugin_template(services)
+
+munin_plugin_template(system)
+
+########################################
+#
+# Local policy
+#
+
+allow munin_t self:capability { chown dac_override setgid setuid };
+dontaudit munin_t self:capability sys_tty_config;
+allow munin_t self:process { getsched setsched signal_perms };
+allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
+allow munin_t self:tcp_socket create_stream_socket_perms;
+allow munin_t self:udp_socket create_socket_perms;
+allow munin_t self:fifo_file manage_fifo_file_perms;
+
+allow munin_t munin_etc_t:dir list_dir_perms;
+read_files_pattern(munin_t, munin_etc_t, munin_etc_t)
+read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t)
+files_search_etc(munin_t)
+
+can_exec(munin_t, munin_exec_t)
+
+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
+manage_files_pattern(munin_t, munin_log_t, munin_log_t)
+logging_log_filetrans(munin_t, munin_log_t, { file dir })
+
+manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file })
+
+# Allow access to the munin databases
+manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+files_search_var_lib(munin_t)
+
+manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
+manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
+files_pid_filetrans(munin_t, munin_var_run_t, file)
+
+kernel_read_system_state(munin_t)
+kernel_read_network_state(munin_t)
+kernel_read_all_sysctls(munin_t)
+
+corecmd_exec_bin(munin_t)
+corecmd_exec_shell(munin_t)
+
+corenet_all_recvfrom_unlabeled(munin_t)
+corenet_all_recvfrom_netlabel(munin_t)
+corenet_tcp_sendrecv_generic_if(munin_t)
+corenet_udp_sendrecv_generic_if(munin_t)
+corenet_tcp_sendrecv_generic_node(munin_t)
+corenet_udp_sendrecv_generic_node(munin_t)
+corenet_tcp_sendrecv_all_ports(munin_t)
+corenet_udp_sendrecv_all_ports(munin_t)
+corenet_tcp_bind_generic_node(munin_t)
+corenet_tcp_bind_munin_port(munin_t)
+corenet_tcp_connect_munin_port(munin_t)
+corenet_tcp_connect_http_port(munin_t)
+
+dev_read_sysfs(munin_t)
+dev_read_urand(munin_t)
+
+domain_use_interactive_fds(munin_t)
+domain_read_all_domains_state(munin_t)
+
+files_read_etc_files(munin_t)
+files_read_etc_runtime_files(munin_t)
+files_read_usr_files(munin_t)
+files_list_spool(munin_t)
+
+fs_getattr_all_fs(munin_t)
+fs_search_auto_mountpoints(munin_t)
+
+auth_use_nsswitch(munin_t)
+
+logging_send_syslog_msg(munin_t)
+logging_read_all_logs(munin_t)
+
+miscfiles_read_fonts(munin_t)
+miscfiles_read_localization(munin_t)
+
+sysnet_exec_ifconfig(munin_t)
+
+userdom_dontaudit_use_unpriv_user_fds(munin_t)
+userdom_dontaudit_search_user_home_dirs(munin_t)
+
+optional_policy(`
+ apache_content_template(munin)
+
+ manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+ manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+ apache_search_sys_content(munin_t)
+')
+
+optional_policy(`
+ cron_system_entry(munin_t, munin_exec_t)
+')
+
+optional_policy(`
+ fstools_domtrans(munin_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(munin_t)
+')
+
+optional_policy(`
+ mta_read_config(munin_t)
+ mta_send_mail(munin_t)
+ mta_read_queue(munin_t)
+')
+
+optional_policy(`
+ mysql_read_config(munin_t)
+ mysql_stream_connect(munin_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(munin_t)
+')
+
+optional_policy(`
+ postfix_list_spool(munin_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(munin_t)
+')
+
+optional_policy(`
+ sendmail_read_log(munin_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(munin_t)
+')
+
+optional_policy(`
+ udev_read_db(munin_t)
+')
+
+###################################
+#
+# local policy for disk plugins
+#
+
+allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+
+rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+corecmd_exec_shell(disk_munin_plugin_t)
+
+corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
+
+files_read_etc_files(disk_munin_plugin_t)
+files_read_etc_runtime_files(disk_munin_plugin_t)
+
+fs_getattr_all_fs(disk_munin_plugin_t)
+
+dev_read_sysfs(disk_munin_plugin_t)
+dev_read_urand(disk_munin_plugin_t)
+
+storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
+
+sysnet_read_config(disk_munin_plugin_t)
+
+optional_policy(`
+ hddtemp_exec(disk_munin_plugin_t)
+')
+
+optional_policy(`
+ fstools_exec(disk_munin_plugin_t)
+')
+
+####################################
+#
+# local policy for mail plugins
+#
+
+allow mail_munin_plugin_t self:capability dac_override;
+
+rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+dev_read_urand(mail_munin_plugin_t)
+
+files_read_etc_files(mail_munin_plugin_t)
+
+fs_getattr_all_fs(mail_munin_plugin_t)
+
+logging_read_generic_logs(mail_munin_plugin_t)
+
+mta_read_config(mail_munin_plugin_t)
+mta_send_mail(mail_munin_plugin_t)
+mta_read_queue(mail_munin_plugin_t)
+
+optional_policy(`
+ postfix_read_config(mail_munin_plugin_t)
+ postfix_list_spool(mail_munin_plugin_t)
+')
+
+optional_policy(`
+ sendmail_read_log(mail_munin_plugin_t)
+')
+
+###################################
+#
+# local policy for service plugins
+#
+
+allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+allow services_munin_plugin_t self:udp_socket create_socket_perms;
+allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_tcp_connect_all_ports(services_munin_plugin_t)
+corenet_tcp_connect_http_port(services_munin_plugin_t)
+
+dev_read_urand(services_munin_plugin_t)
+dev_read_rand(services_munin_plugin_t)
+
+fs_getattr_all_fs(services_munin_plugin_t)
+
+files_read_etc_files(services_munin_plugin_t)
+
+sysnet_read_config(services_munin_plugin_t)
+
+optional_policy(`
+ cups_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+ lpd_exec_lpr(services_munin_plugin_t)
+')
+
+optional_policy(`
+ mysql_read_config(services_munin_plugin_t)
+ mysql_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(services_munin_plugin_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(services_munin_plugin_t)
+')
+
+##################################
+#
+# local policy for system plugins
+#
+
+allow system_munin_plugin_t self:udp_socket create_socket_perms;
+
+rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+kernel_read_network_state(system_munin_plugin_t)
+kernel_read_all_sysctls(system_munin_plugin_t)
+
+corecmd_exec_shell(system_munin_plugin_t)
+
+fs_getattr_all_fs(system_munin_plugin_t)
+
+dev_read_sysfs(system_munin_plugin_t)
+dev_read_urand(system_munin_plugin_t)
+
+domain_read_all_domains_state(system_munin_plugin_t)
+
+# needed by users plugin
+init_read_utmp(system_munin_plugin_t)
+
+sysnet_exec_ifconfig(system_munin_plugin_t)
+
+term_getattr_unallocated_ttys(system_munin_plugin_t)
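Review bot: munin_t keeps several domain-wide grants in the main local policy section — `logging_read_all_logs(munin_t)`, `corenet_tcp_sendrecv_all_ports` / `corenet_udp_sendrecv_all_ports`, and `domain_read_all_domains_state` — while the plugins that plausibly need them are confined by this file into their own `*_munin_plugin_t` domains (the mail plugins get only `logging_read_generic_logs`, the system plugins get their own `domain_read_all_domains_state`). If the node process no longer runs plugins in-domain these look like leftovers that widen what a compromised munin-node can read, so I would mark each one, e.g. `# TODO(review): confirm munin_t itself needs all logs now that plugins run in *_munin_plugin_t`, and drop those that only a plugin domain uses. Separately, in the services plugin section `corenet_tcp_connect_http_port(services_munin_plugin_t)` is presumably already covered by the `corenet_tcp_connect_all_ports` line directly above it; keep one, and if all ports is intended a one-line comment naming the plugins that need it would help.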
diff --git a/policy/modules/contrib/mutt.fc b/policy/modules/contrib/mutt.fc
new file mode 100644
index 00000000..9d645292
--- /dev/null
+++ b/policy/modules/contrib/mutt.fc
@@ -0,0 +1,10 @@
+HOME_DIR/\.mutt(/.*)? gen_context(system_u:object_r:mutt_home_t,s0)
+HOME_DIR/\.muttrc -- gen_context(system_u:object_r:mutt_conf_t,s0)
+HOME_DIR/\.mutt_cache -- gen_context(system_u:object_r:mutt_home_t,s0)
+HOME_DIR/\.mutt_certificates -- gen_context(system_u:object_r:mutt_home_t,s0)
+
+/etc/Muttrc -- gen_context(system_u:object_r:mutt_etc_t,s0)
+/etc/Muttrc\.local -- gen_context(system_u:object_r:mutt_etc_t,s0)
+/etc/mutt(/.*)? gen_context(system_u:object_r:mutt_etc_t,s0)
+
+/usr/bin/mutt -- gen_context(system_u:object_r:mutt_exec_t,s0)
diff --git a/policy/modules/contrib/mutt.if b/policy/modules/contrib/mutt.if
new file mode 100644
index 00000000..5327f866
--- /dev/null
+++ b/policy/modules/contrib/mutt.if
@@ -0,0 +1,104 @@
+## <summary>Mutt e-mail client</summary>
+
+#######################################
+## <summary>
+## The role for using the mutt application.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`mutt_role',`
+ gen_require(`
+ type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t;
+ type mutt_tmp_t;
+ ')
+
+ role $1 types mutt_t;
+
+ domtrans_pattern($2, mutt_exec_t, mutt_t)
+
+ allow $2 mutt_t:process { ptrace signal_perms };
+
+ manage_dirs_pattern($2, mutt_home_t, mutt_home_t)
+ manage_files_pattern($2, mutt_home_t, mutt_home_t)
+
+ manage_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
+ manage_files_pattern($2, mutt_conf_t, mutt_conf_t)
+
+ relabel_dirs_pattern($2, mutt_home_t, mutt_home_t)
+ relabel_files_pattern($2, mutt_home_t, mutt_home_t)
+
+ relabel_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
+ relabel_files_pattern($2, mutt_conf_t, mutt_conf_t)
+
+ relabel_dirs_pattern($2, mutt_tmp_t, mutt_tmp_t)
+ relabel_files_pattern($2, mutt_tmp_t, mutt_tmp_t)
+
+ ps_process_pattern($2, mutt_t)
+')
+
+#######################################
+## <summary>
+## Allow other domains to read mutt's home files
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain that is allowed read access to the mutt_home_t files
+## </summary>
+## </param>
+#
+interface(`mutt_read_home_files',`
+ gen_require(`
+ type mutt_home_t;
+ ')
+
+ read_files_pattern($1, mutt_home_t, mutt_home_t)
+')
+
+#######################################
+## <summary>
+## Allow other domains to read mutt's temporary files
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain that is allowed read access to the temporary files
+## </summary>
+## </param>
+#
+interface(`mutt_read_tmp_files',`
+ gen_require(`
+ type mutt_tmp_t;
+ ')
+
+ read_files_pattern($1, mutt_tmp_t, mutt_tmp_t)
+')
+
+#######################################
+## <summary>
+## Allow other domains to handle mutt's temporary files (used for instance
+## for e-mail drafts)
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain that is allowed read/write access to the temporary files
+## </summary>
+## </param>
+#
+interface(`mutt_rw_tmp_files',`
+ gen_require(`
+ type mutt_tmp_t;
+ ')
+
+ # The use of rw_files_pattern here is not needed, since this incurs the open privilege as well
+ allow $1 mutt_tmp_t:dir search_dir_perms;
+ allow $1 mutt_tmp_t:file { read write };
+ files_search_tmp($1)
+')
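Review bot: `mutt_etc_t` is listed in the `gen_require` of `mutt_role` (`type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t;`) but is never referenced in the interface body, so the require can be trimmed to `type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t;`. The explanatory comment in `mutt_rw_tmp_files` is also hard to parse; suggest `# rw_files_pattern is deliberately not used: it would also grant open on mutt_tmp_t files, whereas this interface only grants read/write on descriptors the caller already holds.` The second half of that wording is my reading of the intent and should be confirmed by the author.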
diff --git a/policy/modules/contrib/mutt.te b/policy/modules/contrib/mutt.te
new file mode 100644
index 00000000..e73ad17a
--- /dev/null
+++ b/policy/modules/contrib/mutt.te
@@ -0,0 +1,101 @@
+policy_module(mutt, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Be able to manage user files (needed to support attachment handling)
+## </p>
+## </desc>
+gen_tunable(mutt_manage_user_content, false)
+
+type mutt_t;
+type mutt_exec_t;
+application_domain(mutt_t, mutt_exec_t)
+ubac_constrained(mutt_t)
+
+type mutt_conf_t;
+userdom_user_home_content(mutt_conf_t)
+
+type mutt_etc_t;
+files_config_file(mutt_etc_t)
+
+type mutt_home_t;
+userdom_user_home_content(mutt_home_t)
+
+type mutt_tmp_t;
+files_tmp_file(mutt_tmp_t)
+ubac_constrained(mutt_tmp_t)
+
+############################
+#
+# Local Policy Rules
+#
+
+allow mutt_t self:process signal_perms;
+allow mutt_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(mutt_t, mutt_home_t, mutt_home_t)
+manage_files_pattern(mutt_t, mutt_home_t, mutt_home_t)
+userdom_user_home_dir_filetrans(mutt_t, mutt_home_t, { dir file })
+
+manage_dirs_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
+manage_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
+files_tmp_filetrans(mutt_t, mutt_tmp_t, { file dir })
+
+read_files_pattern(mutt_t, mutt_etc_t, mutt_etc_t)
+
+read_files_pattern(mutt_t, mutt_conf_t, mutt_conf_t)
+
+
+kernel_read_system_state(mutt_t)
+kernel_dontaudit_search_sysctl(mutt_t)
+
+corecmd_exec_bin(mutt_t)
+corecmd_exec_shell(mutt_t)
+
+corenet_all_recvfrom_netlabel(mutt_t)
+corenet_all_recvfrom_unlabeled(mutt_t)
+corenet_sendrecv_pop_client_packets(mutt_t)
+corenet_sendrecv_smtp_client_packets(mutt_t)
+corenet_tcp_bind_generic_node(mutt_t)
+corenet_tcp_connect_pop_port(mutt_t)
+corenet_tcp_connect_smtp_port(mutt_t)
+corenet_tcp_sendrecv_generic_if(mutt_t)
+corenet_tcp_sendrecv_generic_node(mutt_t)
+corenet_tcp_sendrecv_pop_port(mutt_t)
+corenet_tcp_sendrecv_smtp_port(mutt_t)
+
+dev_read_rand(mutt_t)
+dev_read_urand(mutt_t)
+
+domain_use_interactive_fds(mutt_t)
+
+files_read_usr_files(mutt_t)
+
+
+auth_use_nsswitch(mutt_t)
+
+miscfiles_read_localization(mutt_t)
+
+userdom_search_user_home_content(mutt_t)
+userdom_use_user_terminals(mutt_t)
+
+optional_policy(`
+ gpg_domtrans(mutt_t)
+')
+
+optional_policy(`
+ xdg_manage_generic_cache_home_content(mutt_t)
+ xdg_read_generic_config_home_files(mutt_t)
+')
+
+tunable_policy(`mutt_manage_user_content',`
+ # Needed for handling attachments
+ userdom_manage_user_home_content_files(mutt_t)
+ userdom_manage_user_home_content_dirs(mutt_t)
+')
+
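Review bot: The description of `mutt_manage_user_content` understates what the tunable grants: the `tunable_policy` block gives mutt_t full manage rights over all user home content files and directories (`userdom_manage_user_home_content_files`/`_dirs`), not just an attachment location, so enabling it removes the home-directory separation between mutt_t and the rest of the user's data. Suggest making that explicit in the `<desc>`: `Allow mutt to manage all user home content files and directories (needed for saving and attaching files; this effectively lifts the home-directory confinement of mutt_t).` Minor style: there are doubled blank lines before `kernel_read_system_state(mutt_t)` and before `auth_use_nsswitch(mutt_t)`, and the file ends with a trailing blank line.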
diff --git a/policy/modules/contrib/mysql.fc b/policy/modules/contrib/mysql.fc
new file mode 100644
index 00000000..716d6667
--- /dev/null
+++ b/policy/modules/contrib/mysql.fc
@@ -0,0 +1,32 @@
+# mysql database server
+
+#
+# /etc
+#
+/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
+/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
+
+/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+
+/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
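Review bot: `/var/log/mysql.* --` matches regular files only, so if a distribution keeps the logs in a `/var/log/mysql/` directory, that directory keeps the generic log label while the files beneath it get mysqld_log_t; whether this matters depends on the target layout, which the hunk does not show. If such a directory is expected, an explicit entry like `/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)` next to the existing line would label it consistently. Note also that the unanchored `mysql.*` pattern covers any file in /var/log whose name starts with mysql, which may be broader than intended.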
diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if
new file mode 100644
index 00000000..e9c09824
--- /dev/null
+++ b/policy/modules/contrib/mysql.if
@@ -0,0 +1,355 @@
+## <summary>Policy for MySQL</summary>
+
+######################################
+## <summary>
+## Execute MySQL in the mysql domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mysql_domtrans',`
+ gen_require(`
+ type mysqld_t, mysqld_exec_t;
+ ')
+
+ domtrans_pattern($1, mysqld_exec_t, mysqld_t)
+')
+
+########################################
+## <summary>
+## Send a generic signal to MySQL.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_signal',`
+ gen_require(`
+ type mysqld_t;
+ ')
+
+ allow $1 mysqld_t:process signal;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to postgresql with a tcp socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_tcp_connect',`
+ gen_require(`
+ type mysqld_t;
+ ')
+
+ corenet_tcp_recvfrom_labeled($1, mysqld_t)
+ corenet_tcp_sendrecv_mysqld_port($1)
+ corenet_tcp_connect_mysqld_port($1)
+ corenet_sendrecv_mysqld_client_packets($1)
+')
+
+########################################
+## <summary>
+## Connect to MySQL using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_stream_connect',`
+ gen_require(`
+ type mysqld_t, mysqld_var_run_t, mysqld_db_t;
+ ')
+
+ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
+')
+
+########################################
+## <summary>
+## Read MySQL configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_read_config',`
+ gen_require(`
+ type mysqld_etc_t;
+ ')
+
+ allow $1 mysqld_etc_t:dir list_dir_perms;
+ allow $1 mysqld_etc_t:file read_file_perms;
+ allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Search the directories that contain MySQL
+## database storage.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: "_dir" in the name is added to clarify that this
+# is not searching the database itself.
+interface(`mysql_search_db',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write to the MySQL database directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_rw_db_dirs',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete MySQL database directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_manage_db_dirs',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir manage_dir_perms;
+')
+
+#######################################
+## <summary>
+## Append to the MySQL database directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_append_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ append_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+#######################################
+## <summary>
+## Read and write to the MySQL database directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_rw_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete MySQL database files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_manage_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+########################################
+## <summary>
+## Read and write to the MySQL database
+## named socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_rw_db_sockets',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir search_dir_perms;
+ allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Write to the MySQL log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_write_log',`
+ gen_require(`
+ type mysqld_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 mysqld_log_t:file { write_file_perms setattr };
+')
+
+######################################
+## <summary>
+## Execute MySQL server in the mysql domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mysql_domtrans_mysql_safe',`
+ gen_require(`
+ type mysqld_safe_t, mysqld_safe_exec_t;
+ ')
+
+ domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
+')
+
+#####################################
+## <summary>
+## Read MySQL PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_read_pid_files',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ mysql_search_pid_files($1)
+ read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
+#####################################
+## <summary>
+## Search MySQL PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`mysql_search_pid_files',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an mysql environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the mysql domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_admin',`
+ gen_require(`
+ type mysqld_t, mysqld_var_run_t;
+ type mysqld_tmp_t, mysqld_db_t;
+ type mysqld_etc_t, mysqld_log_t;
+ type mysqld_initrc_exec_t;
+ ')
+
+ allow $1 mysqld_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mysqld_t)
+
+ init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 mysqld_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, mysqld_var_run_t)
+
+ admin_pattern($1, mysqld_db_t)
+
+ admin_pattern($1, mysqld_etc_t)
+
+ admin_pattern($1, mysqld_log_t)
+
+ admin_pattern($1, mysqld_tmp_t)
+')
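Review bot: Several interface summaries describe the wrong object: `mysql_tcp_connect` says `Allow the specified domain to connect to postgresql with a tcp socket.` although the body grants the mysqld port (should read `connect to MySQL with a tcp socket`), and both `mysql_append_db_files` and `mysql_rw_db_files` say `... the MySQL database directory.` although they operate on files via `append_files_pattern`/`rw_files_pattern` (should read `database files`), which also leaves `mysql_rw_db_files` indistinguishable from `mysql_rw_db_dirs` in generated documentation. There is also a stray empty `##` line in the header of `mysql_search_pid_files` that should be dropped. Since this XML is what the policy documentation tooling consumes, the wording errors propagate into the published interface docs.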
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
new file mode 100644
index 00000000..1cf05a3a
--- /dev/null
+++ b/policy/modules/contrib/mysql.te
@@ -0,0 +1,239 @@
+policy_module(mysql, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow mysqld to connect to all ports
+## </p>
+## </desc>
+gen_tunable(mysql_connect_any, false)
+
+type mysqld_t;
+type mysqld_exec_t;
+init_daemon_domain(mysqld_t, mysqld_exec_t)
+
+type mysqld_safe_t;
+type mysqld_safe_exec_t;
+init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
+
+type mysqld_var_run_t;
+files_pid_file(mysqld_var_run_t)
+
+type mysqld_db_t;
+files_type(mysqld_db_t)
+
+type mysqld_etc_t alias etc_mysqld_t;
+files_config_file(mysqld_etc_t)
+
+type mysqld_initrc_exec_t;
+init_script_file(mysqld_initrc_exec_t)
+
+type mysqld_log_t;
+logging_log_file(mysqld_log_t)
+
+type mysqld_tmp_t;
+files_tmp_file(mysqld_tmp_t)
+
+type mysqlmanagerd_t;
+type mysqlmanagerd_exec_t;
+init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t)
+
+type mysqlmanagerd_initrc_exec_t;
+init_script_file(mysqlmanagerd_initrc_exec_t)
+
+type mysqlmanagerd_var_run_t;
+files_pid_file(mysqlmanagerd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service };
+dontaudit mysqld_t self:capability sys_tty_config;
+allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+allow mysqld_t self:fifo_file rw_fifo_file_perms;
+allow mysqld_t self:shm create_shm_perms;
+allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+allow mysqld_t self:tcp_socket create_stream_socket_perms;
+allow mysqld_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
+
+allow mysqld_t mysqld_etc_t:file read_file_perms;
+allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
+allow mysqld_t mysqld_etc_t:dir list_dir_perms;
+
+allow mysqld_t mysqld_log_t:file manage_file_perms;
+logging_log_filetrans(mysqld_t, mysqld_log_t, file)
+
+manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
+
+manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file })
+
+kernel_read_system_state(mysqld_t)
+kernel_read_kernel_sysctls(mysqld_t)
+
+corenet_all_recvfrom_unlabeled(mysqld_t)
+corenet_all_recvfrom_netlabel(mysqld_t)
+corenet_tcp_sendrecv_generic_if(mysqld_t)
+corenet_udp_sendrecv_generic_if(mysqld_t)
+corenet_tcp_sendrecv_generic_node(mysqld_t)
+corenet_udp_sendrecv_generic_node(mysqld_t)
+corenet_tcp_sendrecv_all_ports(mysqld_t)
+corenet_udp_sendrecv_all_ports(mysqld_t)
+corenet_tcp_bind_generic_node(mysqld_t)
+corenet_tcp_bind_mysqld_port(mysqld_t)
+corenet_tcp_connect_mysqld_port(mysqld_t)
+corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_sendrecv_mysqld_server_packets(mysqld_t)
+
+dev_read_sysfs(mysqld_t)
+dev_read_urand(mysqld_t)
+
+fs_getattr_all_fs(mysqld_t)
+fs_search_auto_mountpoints(mysqld_t)
+fs_rw_hugetlbfs_files(mysqld_t)
+
+domain_use_interactive_fds(mysqld_t)
+
+files_getattr_var_lib_dirs(mysqld_t)
+files_read_etc_runtime_files(mysqld_t)
+files_read_etc_files(mysqld_t)
+files_read_usr_files(mysqld_t)
+files_search_var_lib(mysqld_t)
+
+auth_use_nsswitch(mysqld_t)
+
+logging_send_syslog_msg(mysqld_t)
+
+miscfiles_read_localization(mysqld_t)
+
+sysnet_read_config(mysqld_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+# for /root/.my.cnf - should not be needed:
+userdom_read_user_home_content_files(mysqld_t)
+
+ifdef(`distro_redhat',`
+ # because Fedora has the sock_file in the database directory
+ type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
+')
+
+tunable_policy(`mysql_connect_any',`
+ corenet_tcp_connect_all_ports(mysqld_t)
+ corenet_sendrecv_all_client_packets(mysqld_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(mysqld_t, mysqld_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(mysqld_t)
+')
+
+optional_policy(`
+ udev_read_db(mysqld_t)
+')
+
+#######################################
+#
+# Local mysqld_safe policy
+#
+
+allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+dontaudit mysqld_safe_t self:capability sys_ptrace;
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+
+read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+
+domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+
+allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
+
+manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
+
+kernel_read_system_state(mysqld_safe_t)
+kernel_read_kernel_sysctls(mysqld_safe_t)
+
+corecmd_exec_bin(mysqld_safe_t)
+
+dev_list_sysfs(mysqld_safe_t)
+
+domain_read_all_domains_state(mysqld_safe_t)
+
+files_read_etc_files(mysqld_safe_t)
+files_read_usr_files(mysqld_safe_t)
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+
+hostname_exec(mysqld_safe_t)
+
+miscfiles_read_localization(mysqld_safe_t)
+
+mysql_manage_db_files(mysqld_safe_t)
+mysql_read_config(mysqld_safe_t)
+mysql_search_pid_files(mysqld_safe_t)
+mysql_write_log(mysqld_safe_t)
+
+########################################
+#
+# MySQL Manager Policy
+#
+
+allow mysqlmanagerd_t self:capability { dac_override kill };
+allow mysqlmanagerd_t self:process signal;
+allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
+allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
+
+mysql_read_config(initrc_t)
+mysql_read_config(mysqlmanagerd_t)
+mysql_read_pid_files(mysqlmanagerd_t)
+mysql_search_db(mysqlmanagerd_t)
+mysql_signal(mysqlmanagerd_t)
+mysql_stream_connect(mysqlmanagerd_t)
+
+domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
+
+manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
+
+kernel_read_system_state(mysqlmanagerd_t)
+
+corecmd_exec_shell(mysqlmanagerd_t)
+
+corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
+corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
+corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
+corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
+corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)
+corenet_tcp_bind_generic_node(mysqlmanagerd_t)
+corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
+
+dev_read_urand(mysqlmanagerd_t)
+
+files_read_etc_files(mysqlmanagerd_t)
+files_read_usr_files(mysqlmanagerd_t)
+
+miscfiles_read_localization(mysqlmanagerd_t)
+
+userdom_getattr_user_home_dirs(mysqlmanagerd_t)
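Review bot: `mysql_read_config(initrc_t)` sits inside the MySQL Manager section but grants access to the init script domain, a type that as far as I can tell belongs to the init module; refpolicy convention is to express such cross-module access from the owning module (an `optional_policy` block calling `mysql_read_config(initrc_t)` in init.te) rather than naming `initrc_t` directly here, and at minimum the line should move out of the mysqlmanagerd block with a comment on why init scripts need the config. Separately, `userdom_read_user_home_content_files(mysqld_t)` carries the comment `# for /root/.my.cnf - should not be needed:` yet grants the database daemon read access to every user's home content unconditionally; if the /root/.my.cnf case is the only need, consider scoping it (a tunable, or a narrower interface) or documenting why the broad grant is acceptable.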
diff --git a/policy/modules/contrib/nagios.fc b/policy/modules/contrib/nagios.fc
new file mode 100644
index 00000000..1fc99057
--- /dev/null
+++ b/policy/modules/contrib/nagios.fc
@@ -0,0 +1,88 @@
+/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+
+/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+
+/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+
+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+
+/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
+
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+')
+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+
+# admin plugins
+/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
+
+# check disk plugins
+/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+
+# mail plugins
+/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
+
+# system plugins
+/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+
+# services plugins
+/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
+# unconfined plugins
+/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
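Review bot: Under the `# system plugins` heading, `check_breeze` and `check_dummy` are labeled `nagios_services_plugin_exec_t` while every other entry in that group gets `nagios_system_plugin_exec_t`; either those two lines belong under `# services plugins` or their label is wrong, and since the label selects the plugin domain (and therefore the permissions) the binary runs with, the intent should be confirmed and the entries moved or relabeled. Also, the distro_debian conditional entry `/usr/sbin/nagios` is already covered by the unconditional `/usr/s?bin/nagios` line near the top, so that ifdef block can be dropped.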
diff --git a/policy/modules/contrib/nagios.if b/policy/modules/contrib/nagios.if
new file mode 100644
index 00000000..8581040e
--- /dev/null
+++ b/policy/modules/contrib/nagios.if
@@ -0,0 +1,229 @@
+## <summary>Net Saint / NAGIOS - network monitoring server</summary>
+
+########################################
+## <summary>
+## Create a set of derived types for various
+## nagios plugins,
+## </summary>
+## <param name="plugins_group_name">
+## <summary>
+## The name to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`nagios_plugin_template',`
+
+ gen_require(`
+ type nagios_t, nrpe_t;
+ type nagios_log_t;
+ ')
+
+ type nagios_$1_plugin_t;
+ type nagios_$1_plugin_exec_t;
+ application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
+ role system_r types nagios_$1_plugin_t;
+
+ allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
+
+ domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+
+ # needed by command.cfg
+ domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+
+ allow nagios_t nagios_$1_plugin_t:process signal_perms;
+
+ # cjp: leaked file descriptor
+ dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
+ dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
+
+ miscfiles_read_localization(nagios_$1_plugin_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write nagios
+## unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nagios_dontaudit_rw_pipes',`
+ gen_require(`
+ type nagios_t;
+ ')
+
+ dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## nagios configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nagios_read_config',`
+ gen_require(`
+ type nagios_etc_t;
+ ')
+
+ allow $1 nagios_etc_t:dir list_dir_perms;
+ allow $1 nagios_etc_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+######################################
+## <summary>
+## Read nagios logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_read_log',`
+ gen_require(`
+ type nagios_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, nagios_log_t, nagios_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write nagios logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`nagios_dontaudit_rw_log',`
+ gen_require(`
+ type nagios_log_t;
+ ')
+
+ dontaudit $1 nagios_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Search nagios spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_search_spool',`
+ gen_require(`
+ type nagios_spool_t;
+ ')
+
+ allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## nagios temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_read_tmp_files',`
+ gen_require(`
+ type nagios_tmp_t;
+ ')
+
+ allow $1 nagios_tmp_t:file read_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Execute the nagios NRPE with
+## a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nagios_domtrans_nrpe',`
+ gen_require(`
+ type nrpe_t, nrpe_exec_t;
+ ')
+
+ domtrans_pattern($1, nrpe_exec_t, nrpe_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nagios environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the nagios domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nagios_admin',`
+ gen_require(`
+ type nagios_t, nrpe_t;
+ type nagios_tmp_t, nagios_log_t;
+ type nagios_etc_t, nrpe_etc_t;
+ type nagios_spool_t, nagios_var_run_t;
+ type nagios_initrc_exec_t;
+ ')
+
+ allow $1 nagios_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nagios_t)
+
+ init_labeled_script_domtrans($1, nagios_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 nagios_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, nagios_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, nagios_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, nagios_etc_t)
+
+ files_list_spool($1)
+ admin_pattern($1, nagios_spool_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nagios_var_run_t)
+
+ admin_pattern($1, nrpe_etc_t)
+')
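Review bot: `nagios_admin` lists `nrpe_t` in its `gen_require` but never uses it, so an administrator granted this interface can manage `nrpe_etc_t` yet still cannot signal or inspect the NRPE daemon itself. Either drop `nrpe_t` from the require block, or mirror the `nagios_t` rules with `allow $1 nrpe_t:process { ptrace signal_perms };` and `ps_process_pattern($1, nrpe_t)`. Separately, the `nagios_plugin_template` summary ends on a stray comma: `## nagios plugins,` should read `## nagios plugins.`.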
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
new file mode 100644
index 00000000..e3e005b0
--- /dev/null
+++ b/policy/modules/contrib/nagios.te
@@ -0,0 +1,393 @@
+policy_module(nagios, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type nagios_t;
+type nagios_exec_t;
+init_daemon_domain(nagios_t, nagios_exec_t)
+
+type nagios_etc_t;
+files_config_file(nagios_etc_t)
+
+type nagios_initrc_exec_t;
+init_script_file(nagios_initrc_exec_t)
+
+type nagios_log_t;
+logging_log_file(nagios_log_t)
+
+type nagios_tmp_t;
+files_tmp_file(nagios_tmp_t)
+
+type nagios_var_run_t;
+files_pid_file(nagios_var_run_t)
+
+type nagios_spool_t;
+files_type(nagios_spool_t)
+
+nagios_plugin_template(admin)
+nagios_plugin_template(checkdisk)
+nagios_plugin_template(mail)
+nagios_plugin_template(services)
+nagios_plugin_template(system)
+nagios_plugin_template(unconfined)
+
+type nagios_system_plugin_tmp_t;
+files_tmp_file(nagios_system_plugin_tmp_t)
+
+type nrpe_t;
+type nrpe_exec_t;
+init_daemon_domain(nrpe_t, nrpe_exec_t)
+
+type nrpe_etc_t;
+files_config_file(nrpe_etc_t)
+
+type nrpe_var_run_t;
+files_pid_file(nrpe_var_run_t)
+
+########################################
+#
+# Nagios local policy
+#
+
+allow nagios_t self:capability { dac_override setgid setuid };
+dontaudit nagios_t self:capability sys_tty_config;
+allow nagios_t self:process { setpgid signal_perms };
+allow nagios_t self:fifo_file rw_file_perms;
+allow nagios_t self:tcp_socket create_stream_socket_perms;
+allow nagios_t self:udp_socket create_socket_perms;
+
+read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
+read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
+allow nagios_t nagios_etc_t:dir list_dir_perms;
+
+manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+logging_log_filetrans(nagios_t, nagios_log_t, { file dir })
+
+manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
+manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
+files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
+
+manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+files_pid_filetrans(nagios_t, nagios_var_run_t, file)
+
+manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
+
+kernel_read_system_state(nagios_t)
+kernel_read_kernel_sysctls(nagios_t)
+
+corecmd_exec_bin(nagios_t)
+corecmd_exec_shell(nagios_t)
+
+corenet_all_recvfrom_unlabeled(nagios_t)
+corenet_all_recvfrom_netlabel(nagios_t)
+corenet_tcp_sendrecv_generic_if(nagios_t)
+corenet_udp_sendrecv_generic_if(nagios_t)
+corenet_tcp_sendrecv_generic_node(nagios_t)
+corenet_udp_sendrecv_generic_node(nagios_t)
+corenet_tcp_sendrecv_all_ports(nagios_t)
+corenet_udp_sendrecv_all_ports(nagios_t)
+corenet_tcp_connect_all_ports(nagios_t)
+
+corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)
+
+dev_read_sysfs(nagios_t)
+dev_read_urand(nagios_t)
+
+domain_use_interactive_fds(nagios_t)
+# for ps
+domain_read_all_domains_state(nagios_t)
+
+files_read_etc_files(nagios_t)
+files_read_etc_runtime_files(nagios_t)
+files_read_kernel_symbol_table(nagios_t)
+files_search_spool(nagios_t)
+
+fs_getattr_all_fs(nagios_t)
+fs_search_auto_mountpoints(nagios_t)
+
+# for who
+init_read_utmp(nagios_t)
+
+auth_use_nsswitch(nagios_t)
+
+logging_send_syslog_msg(nagios_t)
+
+miscfiles_read_localization(nagios_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+userdom_dontaudit_search_user_home_dirs(nagios_t)
+
+mta_send_mail(nagios_t)
+
+optional_policy(`
+ netutils_domtrans_ping(nagios_t)
+ netutils_signal_ping(nagios_t)
+ netutils_kill_ping(nagios_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nagios_t)
+')
+
+optional_policy(`
+ udev_read_db(nagios_t)
+')
+
+########################################
+#
+# Nagios CGI local policy
+#
+optional_policy(`
+ apache_content_template(nagios)
+ typealias httpd_nagios_script_t alias nagios_cgi_t;
+ typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
+
+ allow httpd_nagios_script_t self:process signal_perms;
+
+ read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+ read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+
+ files_search_spool(httpd_nagios_script_t)
+ rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
+
+ allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+ read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
+ read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
+
+ allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+ read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+ read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+
+ kernel_read_system_state(httpd_nagios_script_t)
+
+ domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
+
+ files_read_etc_runtime_files(httpd_nagios_script_t)
+ files_read_kernel_symbol_table(httpd_nagios_script_t)
+
+ logging_send_syslog_msg(httpd_nagios_script_t)
+')
+
+########################################
+#
+# Nagios remote plugin executor local policy
+#
+
+allow nrpe_t self:capability { setuid setgid };
+dontaudit nrpe_t self:capability {sys_tty_config sys_resource};
+allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
+allow nrpe_t self:fifo_file rw_fifo_file_perms;
+allow nrpe_t self:tcp_socket create_stream_socket_perms;
+
+domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
+
+read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
+files_search_etc(nrpe_t)
+
+manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
+files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+
+kernel_read_kernel_sysctls(nrpe_t)
+kernel_read_software_raid_state(nrpe_t)
+kernel_read_system_state(nrpe_t)
+
+corecmd_exec_bin(nrpe_t)
+corecmd_exec_shell(nrpe_t)
+
+corenet_tcp_bind_generic_node(nrpe_t)
+corenet_tcp_bind_inetd_child_port(nrpe_t)
+corenet_sendrecv_unlabeled_packets(nrpe_t)
+
+dev_read_sysfs(nrpe_t)
+dev_read_urand(nrpe_t)
+
+domain_use_interactive_fds(nrpe_t)
+domain_read_all_domains_state(nrpe_t)
+
+files_read_etc_runtime_files(nrpe_t)
+files_read_etc_files(nrpe_t)
+
+fs_getattr_all_fs(nrpe_t)
+fs_search_auto_mountpoints(nrpe_t)
+
+auth_use_nsswitch(nrpe_t)
+
+logging_send_syslog_msg(nrpe_t)
+
+miscfiles_read_localization(nrpe_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
+
+optional_policy(`
+ inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
+')
+
+optional_policy(`
+ mta_send_mail(nrpe_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nrpe_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(nrpe_t, nrpe_exec_t)
+')
+
+optional_policy(`
+ udev_read_db(nrpe_t)
+')
+
+#####################################
+#
+# local policy for admin check plugins
+#
+
+corecmd_read_bin_files(nagios_admin_plugin_t)
+corecmd_read_bin_symlinks(nagios_admin_plugin_t)
+
+dev_read_urand(nagios_admin_plugin_t)
+dev_getattr_all_chr_files(nagios_admin_plugin_t)
+dev_getattr_all_blk_files(nagios_admin_plugin_t)
+
+files_read_etc_files(nagios_admin_plugin_t)
+# for check_file_age plugin
+files_getattr_all_dirs(nagios_admin_plugin_t)
+files_getattr_all_files(nagios_admin_plugin_t)
+files_getattr_all_symlinks(nagios_admin_plugin_t)
+files_getattr_all_pipes(nagios_admin_plugin_t)
+files_getattr_all_sockets(nagios_admin_plugin_t)
+files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+
+######################################
+#
+# local policy for mail check plugins
+#
+
+allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
+
+allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
+
+kernel_read_system_state(nagios_mail_plugin_t)
+kernel_read_kernel_sysctls(nagios_mail_plugin_t)
+
+corecmd_read_bin_files(nagios_mail_plugin_t)
+corecmd_read_bin_symlinks(nagios_mail_plugin_t)
+
+dev_read_urand(nagios_mail_plugin_t)
+
+files_read_etc_files(nagios_mail_plugin_t)
+
+logging_send_syslog_msg(nagios_mail_plugin_t)
+
+sysnet_read_config(nagios_mail_plugin_t)
+
+optional_policy(`
+ mta_send_mail(nagios_mail_plugin_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(nagios_mail_plugin_t)
+')
+
+optional_policy(`
+ postfix_stream_connect_master(nagios_mail_plugin_t)
+ posftix_exec_postqueue(nagios_mail_plugin_t)
+')
+
+######################################
+#
+# local policy for disk check plugins
+#
+
+# needed by ioctl()
+allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+
+files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
+files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
+
+fs_getattr_all_fs(nagios_checkdisk_plugin_t)
+
+storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+
+#######################################
+#
+# local policy for service check plugins
+#
+
+allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
+allow nagios_services_plugin_t self:process { signal sigkill };
+
+allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_services_plugin_t self:udp_socket create_socket_perms;
+
+corecmd_exec_bin(nagios_services_plugin_t)
+
+corenet_tcp_connect_all_ports(nagios_services_plugin_t)
+corenet_udp_bind_dhcpc_port(nagios_services_plugin_t)
+
+auth_use_nsswitch(nagios_services_plugin_t)
+
+domain_read_all_domains_state(nagios_services_plugin_t)
+
+files_read_usr_files(nagios_services_plugin_t)
+
+optional_policy(`
+ netutils_domtrans_ping(nagios_services_plugin_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(nagios_services_plugin_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(nagios_services_plugin_t)
+')
+
+######################################
+#
+# local policy for system check plugins
+#
+
+allow nagios_system_plugin_t self:capability dac_override;
+dontaudit nagios_system_plugin_t self:capability { setuid setgid };
+
+# check_log
+manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
+manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
+files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
+
+kernel_read_system_state(nagios_system_plugin_t)
+kernel_read_kernel_sysctls(nagios_system_plugin_t)
+
+corecmd_exec_bin(nagios_system_plugin_t)
+corecmd_exec_shell(nagios_system_plugin_t)
+
+dev_read_sysfs(nagios_system_plugin_t)
+dev_read_urand(nagios_system_plugin_t)
+
+domain_read_all_domains_state(nagios_system_plugin_t)
+
+files_read_etc_files(nagios_system_plugin_t)
+
+# needed by check_users plugin
+optional_policy(`
+ init_read_utmp(nagios_system_plugin_t)
+')
+
+########################################
+#
+# Unconfined plugin policy
+#
+
+optional_policy(`
+ unconfined_domain(nagios_unconfined_plugin_t)
+')
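Review bot: In the CGI block, `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` and the `read_lnk_files_pattern` line below it pair the `nagios_log_t` file type with a `nagios_etc_t` directory type, which looks like a copy-paste of the preceding `nagios_etc_t` rules; log files are created in `nagios_log_t` directories (`logging_log_filetrans(nagios_t, nagios_log_t, { file dir })`), so the intended read access is not actually granted and both lines should presumably use `nagios_log_t, nagios_log_t`. In the mail-plugin block, `posftix_exec_postqueue(nagios_mail_plugin_t)` is misspelled and does not match the `postfix_` prefix on the line above it, so it cannot resolve to an interface. A smaller consistency point: `allow nagios_t self:fifo_file rw_file_perms;` uses the generic file permission set while every other fifo rule in this file uses `rw_fifo_file_perms`.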
diff --git a/policy/modules/contrib/ncftool.fc b/policy/modules/contrib/ncftool.fc
new file mode 100644
index 00000000..ca1a0e28
--- /dev/null
+++ b/policy/modules/contrib/ncftool.fc
@@ -0,0 +1 @@
+/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)
diff --git a/policy/modules/contrib/ncftool.if b/policy/modules/contrib/ncftool.if
new file mode 100644
index 00000000..a648982c
--- /dev/null
+++ b/policy/modules/contrib/ncftool.if
@@ -0,0 +1,44 @@
+## <summary>Netcf network configuration tool (ncftool).</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ncftool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ncftool_domtrans',`
+ gen_require(`
+ type ncftool_t, ncftool_exec_t;
+ ')
+
+ domtrans_pattern($1, ncftool_exec_t, ncftool_t)
+')
+
+########################################
+## <summary>
+## Execute ncftool in the ncftool domain, and
+## allow the specified role the ncftool domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the ncftool domain.
+## </summary>
+## </param>
+#
+interface(`ncftool_run',`
+ gen_require(`
+ attribute_role ncftool_roles;
+ ')
+
+ ncftool_domtrans($1)
+ roleattribute $2 ncftool_roles;
+')
diff --git a/policy/modules/contrib/ncftool.te b/policy/modules/contrib/ncftool.te
new file mode 100644
index 00000000..f19ca0bf
--- /dev/null
+++ b/policy/modules/contrib/ncftool.te
@@ -0,0 +1,81 @@
+policy_module(ncftool, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role ncftool_roles;
+roleattribute system_r ncftool_roles;
+
+type ncftool_t;
+type ncftool_exec_t;
+application_domain(ncftool_t, ncftool_exec_t)
+domain_obj_id_change_exemption(ncftool_t)
+domain_system_change_exemption(ncftool_t)
+role ncftool_roles types ncftool_t;
+
+########################################
+#
+# ncftool local policy
+#
+
+allow ncftool_t self:capability { net_admin sys_ptrace };
+allow ncftool_t self:process signal;
+allow ncftool_t self:fifo_file manage_fifo_file_perms;
+allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
+allow ncftool_t self:tcp_socket create_stream_socket_perms;
+allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
+
+kernel_read_kernel_sysctls(ncftool_t)
+kernel_read_modprobe_sysctls(ncftool_t)
+kernel_read_network_state(ncftool_t)
+kernel_read_system_state(ncftool_t)
+kernel_request_load_module(ncftool_t)
+kernel_rw_net_sysctls(ncftool_t)
+
+corecmd_exec_bin(ncftool_t)
+corecmd_exec_shell(ncftool_t)
+
+domain_read_all_domains_state(ncftool_t)
+
+dev_read_sysfs(ncftool_t)
+
+files_read_etc_files(ncftool_t)
+files_read_etc_runtime_files(ncftool_t)
+files_read_usr_files(ncftool_t)
+
+miscfiles_read_localization(ncftool_t)
+
+sysnet_delete_dhcpc_pid(ncftool_t)
+sysnet_run_dhcpc(ncftool_t, ncftool_roles)
+sysnet_run_ifconfig(ncftool_t, ncftool_roles)
+sysnet_etc_filetrans_config(ncftool_t)
+sysnet_manage_config(ncftool_t)
+sysnet_read_dhcpc_state(ncftool_t)
+sysnet_read_dhcpc_pid(ncftool_t)
+sysnet_signal_dhcpc(ncftool_t)
+
+userdom_use_user_terminals(ncftool_t)
+userdom_read_user_tmp_files(ncftool_t)
+
+optional_policy(`
+ consoletype_exec(ncftool_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(ncftool_t)
+')
+
+optional_policy(`
+ iptables_initrc_domtrans(ncftool_t)
+')
+
+optional_policy(`
+ modutils_read_module_config(ncftool_t)
+ modutils_run_insmod(ncftool_t, ncftool_roles)
+')
+
+optional_policy(`
+ netutils_run(ncftool_t, ncftool_roles)
+')
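Review bot: `allow ncftool_t self:capability { net_admin sys_ptrace };` grants `sys_ptrace` to a network-configuration tool without a comment saying why, and nothing else in the hunk ptraces another domain; the only rule that plausibly needs it is `domain_read_all_domains_state(ncftool_t)`, for reading other processes' /proc entries. If that is the reason, a why-comment such as `# sys_ptrace: reading other domains' /proc state (domain_read_all_domains_state)` would let a reviewer judge whether the broad capability is still warranted; if it is not the reason, `sys_ptrace` should be dropped.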
diff --git a/policy/modules/contrib/nessus.fc b/policy/modules/contrib/nessus.fc
new file mode 100644
index 00000000..74da57f8
--- /dev/null
+++ b/policy/modules/contrib/nessus.fc
@@ -0,0 +1,10 @@
+
+/etc/nessus/nessusd\.conf -- gen_context(system_u:object_r:nessusd_etc_t,s0)
+
+/usr/lib(64)?/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+
+/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+
+/var/lib/nessus(/.*)? gen_context(system_u:object_r:nessusd_db_t,s0)
+
+/var/log/nessus(/.*)? gen_context(system_u:object_r:nessusd_log_t,s0)
diff --git a/policy/modules/contrib/nessus.if b/policy/modules/contrib/nessus.if
new file mode 100644
index 00000000..6ec80038
--- /dev/null
+++ b/policy/modules/contrib/nessus.if
@@ -0,0 +1,15 @@
+## <summary>Nessus network scanning daemon</summary>
+
+########################################
+## <summary>
+## Connect to nessus over a TCP socket (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nessus_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/policy/modules/contrib/nessus.te b/policy/modules/contrib/nessus.te
new file mode 100644
index 00000000..b16c3873
--- /dev/null
+++ b/policy/modules/contrib/nessus.te
@@ -0,0 +1,105 @@
+policy_module(nessus, 1.7.0)
+
+########################################
+#
+# Local policy
+#
+
+type nessusd_t;
+type nessusd_exec_t;
+init_daemon_domain(nessusd_t, nessusd_exec_t)
+
+type nessusd_db_t;
+files_type(nessusd_db_t)
+
+type nessusd_etc_t;
+files_config_file(nessusd_etc_t)
+
+type nessusd_log_t;
+logging_log_file(nessusd_log_t)
+
+type nessusd_var_run_t;
+files_pid_file(nessusd_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow nessusd_t self:capability net_raw;
+dontaudit nessusd_t self:capability sys_tty_config;
+allow nessusd_t self:process { setsched signal_perms };
+allow nessusd_t self:fifo_file rw_fifo_file_perms;
+allow nessusd_t self:tcp_socket create_stream_socket_perms;
+allow nessusd_t self:udp_socket create_socket_perms;
+allow nessusd_t self:rawip_socket create_socket_perms;
+allow nessusd_t self:packet_socket create_socket_perms;
+
+# Allow access to the nessusd authentication database
+manage_dirs_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
+manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
+manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
+files_list_var_lib(nessusd_t)
+
+allow nessusd_t nessusd_etc_t:file read_file_perms;
+files_search_etc(nessusd_t)
+
+manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
+logging_log_filetrans(nessusd_t, nessusd_log_t, { file dir })
+
+manage_files_pattern(nessusd_t, nessusd_var_run_t, nessusd_var_run_t)
+files_pid_filetrans(nessusd_t, nessusd_var_run_t, file)
+
+kernel_read_system_state(nessusd_t)
+kernel_read_kernel_sysctls(nessusd_t)
+
+# for nmap etc
+corecmd_exec_bin(nessusd_t)
+
+corenet_all_recvfrom_unlabeled(nessusd_t)
+corenet_all_recvfrom_netlabel(nessusd_t)
+corenet_tcp_sendrecv_generic_if(nessusd_t)
+corenet_udp_sendrecv_generic_if(nessusd_t)
+corenet_raw_sendrecv_generic_if(nessusd_t)
+corenet_tcp_sendrecv_generic_node(nessusd_t)
+corenet_udp_sendrecv_generic_node(nessusd_t)
+corenet_raw_sendrecv_generic_node(nessusd_t)
+corenet_tcp_sendrecv_all_ports(nessusd_t)
+corenet_udp_sendrecv_all_ports(nessusd_t)
+corenet_tcp_bind_generic_node(nessusd_t)
+corenet_tcp_bind_nessus_port(nessusd_t)
+corenet_tcp_connect_all_ports(nessusd_t)
+corenet_sendrecv_all_client_packets(nessusd_t)
+corenet_sendrecv_nessus_server_packets(nessusd_t)
+
+dev_read_sysfs(nessusd_t)
+dev_read_urand(nessusd_t)
+
+domain_use_interactive_fds(nessusd_t)
+
+files_read_etc_files(nessusd_t)
+files_read_etc_runtime_files(nessusd_t)
+
+fs_getattr_all_fs(nessusd_t)
+fs_search_auto_mountpoints(nessusd_t)
+
+logging_send_syslog_msg(nessusd_t)
+
+miscfiles_read_localization(nessusd_t)
+
+sysnet_read_config(nessusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
+userdom_dontaudit_search_user_home_dirs(nessusd_t)
+
+optional_policy(`
+ nis_use_ypbind(nessusd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nessusd_t)
+')
+
+optional_policy(`
+ udev_read_db(nessusd_t)
+')
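Review bot: The two section banners are swapped: the block headed `# Local policy` (directly after `policy_module`) holds only the type declarations, and the block headed `# Declarations` holds the access rules. Swap the two comment titles so the file follows the `Declarations` / `local policy` layout used by the other modules in this commit; this is a documentation change only, no rules move.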
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
new file mode 100644
index 00000000..fdd48780
--- /dev/null
+++ b/policy/modules/contrib/networkmanager.fc
@@ -0,0 +1,28 @@
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+
+/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
+/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
+
+/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
+/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
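Review bot: `/etc/NetworkManager/dispatcher\.d(/.*)` is the only directory pattern in this file written without the trailing `?`, so the directory itself keeps its default label and only its contents become `NetworkManager_initrc_exec_t`; if that is deliberate, a one-line comment above it saying so would stop the next reader from "fixing" it to `(/.*)?`. Also, `/usr/libexec/nm-dispatcher.action` has an unescaped `.` while the other entries escape literal dots (`init\.d`, `NetworkManager\.pid`), and `/usr/bin/wpa_cli` on the last line breaks the path ordering kept by the rest of the file.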
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
new file mode 100644
index 00000000..adb90d4e
--- /dev/null
+++ b/policy/modules/contrib/networkmanager.if
@@ -0,0 +1,258 @@
+## <summary>Manager for dynamically switching between networks.</summary>
+
+########################################
+## <summary>
+## Read and write NetworkManager UDP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_udp_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write NetworkManager packet sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_packet_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:packet_socket { read write };
+')
+
+#######################################
+## <summary>
+## Allow caller to relabel tun_socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_attach_tun_iface',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
+## Read and write NetworkManager netlink
+## routing sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_routing_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:netlink_route_socket { read write };
+')
+
+########################################
+## <summary>
+## Execute NetworkManager with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_domtrans',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
+')
+
+########################################
+## <summary>
+## Execute NetworkManager scripts with an automatic domain transition to initrc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_initrc_domtrans',`
+ gen_require(`
+ type NetworkManager_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## NetworkManager over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dbus_chat',`
+ gen_require(`
+ type NetworkManager_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 NetworkManager_t:dbus send_msg;
+ allow NetworkManager_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send a generic signal to NetworkManager
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_signal',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:process signal;
+')
+
+########################################
+## <summary>
+## Read NetworkManager lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_lib_files',`
+ gen_require(`
+ type NetworkManager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read NetworkManager PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_pid_files',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 NetworkManager_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit use of wpa_cli file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dontaudit_use_wpa_cli_fds',`
+ gen_require(`
+ type wpa_cli_t;
+ ')
+
+ dontaudit $1 wpa_cli_t:fd use;
+')
+
+
+########################################
+## <summary>
+## Execute wpa_cli in the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_domtrans_wpa_cli',`
+ gen_require(`
+ type wpa_cli_t, wpa_cli_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t)
+')
+
+########################################
+## <summary>
+## Execute wpa cli in the wpa_cli domain, and
+## allow the specified role the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`networkmanager_run_wpa_cli',`
+ gen_require(`
+ type wpa_cli_exec_t;
+ ')
+
+ networkmanager_domtrans_wpa_cli($1)
+ role $2 types wpa_cli_t;
+')
+
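Review bot: `networkmanager_run_wpa_cli` requires `wpa_cli_exec_t` but its body uses `wpa_cli_t` in `role $2 types wpa_cli_t;`, so the require block names the wrong type: `wpa_cli_exec_t` is never referenced directly, and `wpa_cli_t` is pulled in only indirectly through the nested `networkmanager_domtrans_wpa_cli($1)` call. Change the require block to `type wpa_cli_t;` so the interface declares what it actually uses. Minor layout: there is a double blank line before `networkmanager_domtrans_wpa_cli` and a trailing blank line at the end of the file.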
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
new file mode 100644
index 00000000..8c101a8e
--- /dev/null
+++ b/policy/modules/contrib/networkmanager.te
@@ -0,0 +1,319 @@
+policy_module(networkmanager, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+type NetworkManager_t;
+type NetworkManager_exec_t;
+init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+
+type NetworkManager_initrc_exec_t;
+init_script_file(NetworkManager_initrc_exec_t)
+
+type NetworkManager_log_t;
+logging_log_file(NetworkManager_log_t)
+
+type NetworkManager_tmp_t;
+files_tmp_file(NetworkManager_tmp_t)
+
+type NetworkManager_var_lib_t;
+files_type(NetworkManager_var_lib_t)
+
+type NetworkManager_var_run_t;
+files_pid_file(NetworkManager_var_run_t)
+
+type wpa_cli_t;
+type wpa_cli_exec_t;
+init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+
+type wpa_cli_var_run_t;
+files_pid_file(wpa_cli_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# networkmanager will ptrace itself if gdb is installed
+# and it receives a unexpected signal (rh bug #204161)
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
+dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
+allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
+allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
+allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom };
+allow NetworkManager_t self:udp_socket create_socket_perms;
+allow NetworkManager_t self:packet_socket create_socket_perms;
+
+allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+
+manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
+
+manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
+
+manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir)
+
+manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+manage_sock_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(NetworkManager_t)
+kernel_read_network_state(NetworkManager_t)
+kernel_read_kernel_sysctls(NetworkManager_t)
+kernel_request_load_module(NetworkManager_t)
+kernel_read_debugfs(NetworkManager_t)
+kernel_rw_net_sysctls(NetworkManager_t)
+
+corenet_all_recvfrom_unlabeled(NetworkManager_t)
+corenet_all_recvfrom_netlabel(NetworkManager_t)
+corenet_tcp_sendrecv_generic_if(NetworkManager_t)
+corenet_udp_sendrecv_generic_if(NetworkManager_t)
+corenet_raw_sendrecv_generic_if(NetworkManager_t)
+corenet_tcp_sendrecv_generic_node(NetworkManager_t)
+corenet_udp_sendrecv_generic_node(NetworkManager_t)
+corenet_raw_sendrecv_generic_node(NetworkManager_t)
+corenet_tcp_sendrecv_all_ports(NetworkManager_t)
+corenet_udp_sendrecv_all_ports(NetworkManager_t)
+corenet_udp_bind_generic_node(NetworkManager_t)
+corenet_udp_bind_isakmp_port(NetworkManager_t)
+corenet_udp_bind_dhcpc_port(NetworkManager_t)
+corenet_tcp_connect_all_ports(NetworkManager_t)
+corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
+corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
+corenet_sendrecv_all_client_packets(NetworkManager_t)
+corenet_rw_tun_tap_dev(NetworkManager_t)
+corenet_getattr_ppp_dev(NetworkManager_t)
+
+dev_read_sysfs(NetworkManager_t)
+dev_read_rand(NetworkManager_t)
+dev_read_urand(NetworkManager_t)
+dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+dev_getattr_all_chr_files(NetworkManager_t)
+
+fs_getattr_all_fs(NetworkManager_t)
+fs_search_auto_mountpoints(NetworkManager_t)
+fs_list_inotifyfs(NetworkManager_t)
+
+mls_file_read_all_levels(NetworkManager_t)
+
+selinux_dontaudit_search_fs(NetworkManager_t)
+
+corecmd_exec_shell(NetworkManager_t)
+corecmd_exec_bin(NetworkManager_t)
+
+domain_use_interactive_fds(NetworkManager_t)
+domain_read_confined_domains_state(NetworkManager_t)
+
+files_read_etc_files(NetworkManager_t)
+files_read_etc_runtime_files(NetworkManager_t)
+files_read_usr_files(NetworkManager_t)
+files_read_usr_src_files(NetworkManager_t)
+
+storage_getattr_fixed_disk_dev(NetworkManager_t)
+
+init_read_utmp(NetworkManager_t)
+init_dontaudit_write_utmp(NetworkManager_t)
+init_domtrans_script(NetworkManager_t)
+init_domtrans_script(wpa_cli_t)
+
+auth_use_nsswitch(NetworkManager_t)
+
+logging_send_syslog_msg(NetworkManager_t)
+logging_send_syslog_msg(wpa_cli_t)
+
+miscfiles_read_localization(NetworkManager_t)
+miscfiles_read_generic_certs(NetworkManager_t)
+
+modutils_domtrans_insmod(NetworkManager_t)
+
+seutil_read_config(NetworkManager_t)
+
+sysnet_domtrans_ifconfig(NetworkManager_t)
+sysnet_domtrans_dhcpc(NetworkManager_t)
+sysnet_signal_dhcpc(NetworkManager_t)
+sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_delete_dhcpc_pid(NetworkManager_t)
+sysnet_search_dhcp_state(NetworkManager_t)
+# in /etc created by NetworkManager will be labelled net_conf_t.
+sysnet_manage_config(NetworkManager_t)
+sysnet_etc_filetrans_config(NetworkManager_t)
+
+userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
+userdom_dontaudit_use_user_ttys(NetworkManager_t)
+userdom_use_user_ttys(wpa_cli_t)
+userdom_use_user_ptys(wpa_cli_t)
+# Read gnome-keyring
+userdom_read_user_home_content_files(NetworkManager_t)
+
+optional_policy(`
+ avahi_domtrans(NetworkManager_t)
+ avahi_kill(NetworkManager_t)
+ avahi_signal(NetworkManager_t)
+ avahi_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ bind_domtrans(NetworkManager_t)
+ bind_manage_cache(NetworkManager_t)
+ bind_kill(NetworkManager_t)
+ bind_signal(NetworkManager_t)
+ bind_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ bluetooth_dontaudit_read_helper_state(NetworkManager_t)
+')
+
+optional_policy(`
+ consoletype_exec(NetworkManager_t)
+')
+
+optional_policy(`
+ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(NetworkManager_t)
+ ')
+')
+
+optional_policy(`
+ dnsmasq_read_pid_files(NetworkManager_t)
+ dnsmasq_delete_pid_files(NetworkManager_t)
+ dnsmasq_domtrans(NetworkManager_t)
+ dnsmasq_initrc_domtrans(NetworkManager_t)
+ dnsmasq_kill(NetworkManager_t)
+ dnsmasq_signal(NetworkManager_t)
+ dnsmasq_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ hal_write_log(NetworkManager_t)
+')
+
+optional_policy(`
+ howl_signal(NetworkManager_t)
+')
+
+optional_policy(`
+ iptables_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ nscd_domtrans(NetworkManager_t)
+ nscd_signal(NetworkManager_t)
+ nscd_signull(NetworkManager_t)
+ nscd_kill(NetworkManager_t)
+ nscd_initrc_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ # Dispatcher starting and stoping ntp
+ ntp_initrc_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ openvpn_domtrans(NetworkManager_t)
+ openvpn_kill(NetworkManager_t)
+ openvpn_signal(NetworkManager_t)
+ openvpn_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(NetworkManager_t)
+ policykit_domtrans_auth(NetworkManager_t)
+ policykit_read_lib(NetworkManager_t)
+ policykit_read_reload(NetworkManager_t)
+ userdom_read_all_users_state(NetworkManager_t)
+')
+
+optional_policy(`
+ ppp_initrc_domtrans(NetworkManager_t)
+ ppp_domtrans(NetworkManager_t)
+ ppp_manage_pid_files(NetworkManager_t)
+ ppp_kill(NetworkManager_t)
+ ppp_signal(NetworkManager_t)
+ ppp_signull(NetworkManager_t)
+ ppp_read_config(NetworkManager_t)
+')
+
+optional_policy(`
+ rpm_exec(NetworkManager_t)
+ rpm_read_db(NetworkManager_t)
+ rpm_dontaudit_manage_db(NetworkManager_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(NetworkManager_t)
+')
+
+optional_policy(`
+ udev_exec(NetworkManager_t)
+ udev_read_db(NetworkManager_t)
+')
+
+optional_policy(`
+ vpn_domtrans(NetworkManager_t)
+ vpn_kill(NetworkManager_t)
+ vpn_signal(NetworkManager_t)
+ vpn_signull(NetworkManager_t)
+')
+
+########################################
+#
+# wpa_cli local policy
+#
+
+allow wpa_cli_t self:capability dac_override;
+allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
+
+allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
+
+manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
+
+list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+
+init_dontaudit_use_fds(wpa_cli_t)
+init_use_script_ptys(wpa_cli_t)
+
+miscfiles_read_localization(wpa_cli_t)
+
+term_dontaudit_use_console(wpa_cli_t)
+
+fs_search_tmpfs(wpa_cli_t)
+fs_search_tmpfs(NetworkManager_t)
+fs_rw_tmpfs_files(wpa_cli_t)
+fs_rw_tmpfs_files(NetworkManager_t)
+fs_manage_tmpfs_dirs(wpa_cli_t)
+fs_manage_tmpfs_sockets(wpa_cli_t)
+fs_manage_tmpfs_sockets(NetworkManager_t)
+getty_use_fds(wpa_cli_t)
+files_search_pids(wpa_cli_t)
+corecmd_exec_shell(wpa_cli_t)
+corecmd_exec_bin(wpa_cli_t)
+domain_use_interactive_fds(wpa_cli_t)
+
+ifdef(`distro_gentoo',`
+ sysnet_domtrans_dhcpc(wpa_cli_t)
+ allow wpa_cli_t etc_t:file { getattr };
+')
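Review bot: The Gentoo-only rule `allow wpa_cli_t etc_t:file { getattr };` names `etc_t` directly, a type this module does not declare and does not pull in through a `gen_require` block, so in a modular build the rule should fail to link and in any build it bypasses the files layer's interfaces; the rest of the hunk consistently goes through `files_*` calls (e.g. `files_read_etc_files(NetworkManager_t)`), and this line should too, or at minimum gain a `gen_require(` type etc_t; ')` with a comment explaining why a raw rule is needed. Separately, `dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };` lists `sys_ptrace`, which the preceding `allow` already grants, so that half of the dontaudit is dead; if the intent is to keep the ptrace comment above accurate, drop `sys_ptrace` from the dontaudit or from the allow, not both. The `wpa_cli local policy` section also grants `allow wpa_cli_t self:capability dac_override;` without a comment; a one-line note on which file access needs it would help the next reviewer decide whether a narrower rule suffices.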
diff --git a/policy/modules/contrib/nginx.fc b/policy/modules/contrib/nginx.fc
new file mode 100644
index 00000000..8a1cc51d
--- /dev/null
+++ b/policy/modules/contrib/nginx.fc
@@ -0,0 +1,63 @@
+###############################################################################
+# SELinux module for the NGINX Web Server
+#
+# Project Contact Information:
+# Stuart Cianos
+# Email: scianos@alphavida.com
+#
+###############################################################################
+# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
+#
+#
+# Stuart Cianos licenses this file to You under the GNU General Public License,
+# Version 3.0 (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.gnu.org/licenses/gpl.txt
+#
+# or in the COPYING file included in the original archive.
+#
+# Disclaimer of Warranty.
+#
+# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+#
+# Limitation of Liability.
+#
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGES.
+###############################################################################
+# nginx executable will have:
+# label: system_u:object_r:nginx_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+#
+# /etc
+#
+/etc/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
+/etc/ssl/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0)
+
+#
+# /var
+#
+/var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_log_t,s0)
+/var/tmp/nginx(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0)
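Review bot: This file-contexts file has no entries for the nginx state and pid locations, yet the accompanying nginx.te declares `nginx_var_lib_t` and `nginx_var_run_t` and the `nginx_admin` interface administers both; files created at runtime pick up those labels only via the `files_*_filetrans` calls, so a relabel (`restorecon`/`setfiles`) will revert them to the generic `var_lib_t`/`var_run_t` and break the policy until the daemon recreates them. Add the two missing patterns once the package's actual paths are confirmed, e.g. `/var/lib/nginx(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s0)` and `/var/run/nginx.* gen_context(system_u:object_r:nginx_var_run_t,s0)` (placeholder paths, to be verified against the Gentoo ebuild). The comment block `nginx executable will have: ... MCS categories: <none>` only describes the exec label; extending it to list each type introduced here would make the file self-documenting.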
diff --git a/policy/modules/contrib/nginx.if b/policy/modules/contrib/nginx.if
new file mode 100644
index 00000000..8b41b378
--- /dev/null
+++ b/policy/modules/contrib/nginx.if
@@ -0,0 +1,101 @@
+###############################################################################
+# SELinux module for the NGINX Web Server
+#
+# Project Contact Information:
+# Stuart Cianos
+# Email: scianos@alphavida.com
+#
+###############################################################################
+# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
+#
+#
+# Stuart Cianos licenses this file to You under the GNU General Public License,
+# Version 3.0 (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.gnu.org/licenses/gpl.txt
+#
+# or in the COPYING file included in the original archive.
+#
+# Disclaimer of Warranty.
+#
+# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+#
+# Limitation of Liability.
+#
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGES.
+###############################################################################
+## <summary>policy for nginx</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run nginx.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nginx_domtrans',`
+ gen_require(`
+ type nginx_t, nginx_exec_t;
+ ')
+ allow nginx_t $1:fd use;
+ allow nginx_t $1:fifo_file rw_file_perms;
+ allow nginx_t $1:process sigchld;
+
+ domain_auto_trans($1,nginx_exec_t,nginx_t)
+')
+
+########################################
+## <summary>
+## Administer the nginx domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the nginx domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nginx_admin',`
+ gen_require(`
+ type nginx_t, nginx_conf_t, nginx_log_t, nginx_var_lib_t, nginx_var_run_t;
+ ')
+
+ allow $1 nginx_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nginx_t)
+
+ files_list_etc($1)
+ admin_pattern($1, nginx_conf_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, nginx_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, nginx_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nginx_var_run_t)
+')
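Review bot: `nginx_admin` documents a `role` parameter and is tagged `<rolecap/>`, but its body never references `$2`, so the role is silently ignored; compare `nis_admin` in the same commit, which uses the role for `role_transition`/`allow $2 system_r`. Either drop the parameter and the `<rolecap/>` tag from the doc block, or make the role meaningful; since nginx.te declares no initrc script type, the honest fix is probably the former unless a `nginx_initrc_exec_t` is added. In `nginx_domtrans`, the hand-written `allow nginx_t $1:fd use; ... domain_auto_trans($1,nginx_exec_t,nginx_t)` block duplicates what `domtrans_pattern` provides and uses `rw_file_perms` on a `fifo_file` where the rest of this commit (`networkmanager_domtrans_wpa_cli`, `nis_domtrans_ypbind`) uses `corecmd_search_bin($1)` plus `domtrans_pattern($1, nginx_exec_t, nginx_t)`; replacing the four lines with that pair keeps the interface consistent with its siblings.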
diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
new file mode 100644
index 00000000..8b21d760
--- /dev/null
+++ b/policy/modules/contrib/nginx.te
@@ -0,0 +1,193 @@
+# SELinux module for the NGINX Web Server
+#
+# Project Contact Information:
+# Stuart Cianos
+# Email: scianos@alphavida.com
+#
+# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
+#
+#
+# Stuart Cianos licenses this file to You under the GNU General Public License,
+# Version 3.0 (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.gnu.org/licenses/gpl.txt
+#
+# or in the COPYING file included in the original archive.
+#
+# Disclaimer of Warranty.
+#
+# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+#
+# Limitation of Liability.
+#
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGES.
+###############################################################################
+policy_module(nginx,1.0.10)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow nginx to serve HTTP content (act as an http server)
+## </p>
+## </desc>
+gen_tunable(gentoo_nginx_enable_http_server, false)
+
+## <desc>
+## <p>
+## Allow nginx to act as an imap proxy server)
+## </p>
+## </desc>
+gen_tunable(gentoo_nginx_enable_imap_server, false)
+
+## <desc>
+## <p>
+## Allow nginx to act as a pop3 server)
+## </p>
+## </desc>
+gen_tunable(gentoo_nginx_enable_pop3_server, false)
+
+## <desc>
+## <p>
+## Allow nginx to act as an smtp server)
+## </p>
+## </desc>
+gen_tunable(gentoo_nginx_enable_smtp_server, false)
+
+## <desc>
+## <p>
+## Allow nginx to connect to remote HTTP servers
+## </p>
+## </desc>
+gen_tunable(gentoo_nginx_can_network_connect_http, false)
+
+## <desc>
+## <p>
+## Allow nginx to connect to remote servers (regardless of protocol)
+## </p>
+## </desc>
+gen_tunable(gentoo_nginx_can_network_connect, false)
+
+type nginx_t;
+type nginx_exec_t;
+init_daemon_domain(nginx_t, nginx_exec_t)
+
+# conf files
+type nginx_conf_t;
+files_type(nginx_conf_t)
+
+# log files
+type nginx_log_t;
+logging_log_file(nginx_log_t)
+
+# tmp files
+type nginx_tmp_t;
+files_tmp_file(nginx_tmp_t)
+
+# var/lib files
+type nginx_var_lib_t;
+files_type(nginx_var_lib_t)
+
+# pid files
+type nginx_var_run_t;
+files_pid_file(nginx_var_run_t)
+
+########################################
+#
+# nginx local policy
+#
+
+allow nginx_t self:fifo_file { read write };
+allow nginx_t self:unix_stream_socket create_stream_socket_perms;
+allow nginx_t self:tcp_socket { listen accept };
+allow nginx_t self:capability { setuid net_bind_service setgid chown };
+
+# conf files
+list_dirs_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
+read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
+
+# log files
+manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
+logging_log_filetrans(nginx_t, nginx_log_t, { file dir })
+
+
+# pid file
+manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
+manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
+files_pid_filetrans(nginx_t, nginx_var_run_t, file)
+
+# tmp files
+manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
+manage_dirs_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
+files_tmp_filetrans(nginx_t, nginx_tmp_t, dir)
+
+# var/lib files
+create_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)
+create_sock_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)
+files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file })
+
+
+kernel_read_kernel_sysctls(nginx_t)
+corenet_tcp_bind_generic_node(nginx_t)
+corenet_tcp_sendrecv_generic_if(nginx_t)
+corenet_tcp_sendrecv_generic_node(nginx_t)
+
+dev_read_rand(nginx_t)
+dev_read_urand(nginx_t)
+
+domain_use_interactive_fds(nginx_t)
+
+files_read_etc_files(nginx_t)
+
+
+miscfiles_read_localization(nginx_t)
+sysnet_dns_name_resolve(nginx_t)
+
+
+tunable_policy(`gentoo_nginx_enable_http_server',`
+ corenet_tcp_bind_http_port(nginx_t)
+ apache_read_sys_content(nginx_t)
+')
+
+# We enable both binding and connecting, since nginx acts here as a reverse proxy
+tunable_policy(`gentoo_nginx_enable_imap_server',`
+ corenet_tcp_bind_pop_port(nginx_t)
+ corenet_tcp_connect_pop_port(nginx_t)
+')
+
+tunable_policy(`gentoo_nginx_enable_pop3_server',`
+ corenet_tcp_bind_pop_port(nginx_t)
+ corenet_tcp_connect_pop_port(nginx_t)
+')
+
+tunable_policy(`gentoo_nginx_enable_smtp_server',`
+ corenet_tcp_bind_smtp_port(nginx_t)
+ corenet_tcp_connect_smtp_port(nginx_t)
+')
+
+tunable_policy(`gentoo_nginx_can_network_connect_http',`
+ corenet_tcp_connect_http_port(nginx_t)
+')
+
+tunable_policy(`gentoo_nginx_can_network_connect',`
+ corenet_tcp_connect_all_ports(nginx_t)
+')
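Review bot: The `gentoo_nginx_enable_imap_server` tunable block binds and connects the POP port rather than IMAP: its two lines are byte-identical to the `gentoo_nginx_enable_pop3_server` block that follows, so enabling the IMAP tunable grants nothing IMAP-related and the boolean's description is wrong; it should read `corenet_tcp_bind_imap_port(nginx_t)` / `corenet_tcp_connect_imap_port(nginx_t)` (confirm those interface names against the corenetwork layer in this tree). The `tunable_policy` for `gentoo_nginx_enable_http_server` calls `apache_read_sys_content(nginx_t)` from another contrib module without an enclosing `optional_policy`, which I would expect to fail the build when the apache module is absent. `allow nginx_t self:tcp_socket { listen accept };` also looks too narrow for a daemon that must create and bind its listening sockets; unless those permissions are granted somewhere not visible here, `create_stream_socket_perms` is the usual set. Finally, the `<desc>` text for three tunables ends with a stray `)` ("imap proxy server)", "pop3 server)", "smtp server)").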
diff --git a/policy/modules/contrib/nis.fc b/policy/modules/contrib/nis.fc
new file mode 100644
index 00000000..15448d53
--- /dev/null
+++ b/policy/modules/contrib/nis.fc
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
+
+/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+
+/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+
+/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
+
+/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
+
+/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
+/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
diff --git a/policy/modules/contrib/nis.if b/policy/modules/contrib/nis.if
new file mode 100644
index 00000000..abe3f7f3
--- /dev/null
+++ b/policy/modules/contrib/nis.if
@@ -0,0 +1,396 @@
+## <summary>Policy for NIS (YP) servers and clients</summary>
+
+########################################
+## <summary>
+## Use the ypbind service to access NIS services
+## unconditionally.
+## </summary>
+## <desc>
+## <p>
+## Use the ypbind service to access NIS services
+## unconditionally.
+## </p>
+## <p>
+## This interface was added because of apache and
+## spamassassin, to fix a nested conditionals problem.
+## When that support is added, this should be removed,
+## and the regular interface should be used.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_use_ypbind_uncond',`
+ gen_require(`
+ type var_yp_t;
+ ')
+
+ allow $1 self:capability net_bind_service;
+
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ allow $1 var_yp_t:dir list_dir_perms;
+ allow $1 var_yp_t:lnk_file { getattr read };
+ allow $1 var_yp_t:file read_file_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_all_ports($1)
+ corenet_udp_sendrecv_all_ports($1)
+ corenet_tcp_bind_generic_node($1)
+ corenet_udp_bind_generic_node($1)
+ corenet_tcp_bind_generic_port($1)
+ corenet_udp_bind_generic_port($1)
+ corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+ corenet_dontaudit_udp_bind_all_reserved_ports($1)
+ corenet_dontaudit_tcp_bind_all_ports($1)
+ corenet_dontaudit_udp_bind_all_ports($1)
+ corenet_tcp_connect_portmap_port($1)
+ corenet_tcp_connect_reserved_port($1)
+ corenet_tcp_connect_generic_port($1)
+ corenet_dontaudit_tcp_connect_all_ports($1)
+ corenet_sendrecv_portmap_client_packets($1)
+ corenet_sendrecv_generic_client_packets($1)
+ corenet_sendrecv_generic_server_packets($1)
+
+ sysnet_read_config($1)
+')
+
+########################################
+## <summary>
+## Use the ypbind service to access NIS services.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to use the ypbind service
+## to access Network Information Service (NIS) services.
+## Information that can be retreived from NIS includes
+## usernames, passwords, home directories, and groups.
+## If the network is configured to have a single sign-on
+## using NIS, it is likely that any program that does
+## authentication will need this access.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+## <rolecap/>
+#
+interface(`nis_use_ypbind',`
+ tunable_policy(`allow_ypbind',`
+ nis_use_ypbind_uncond($1)
+ ')
+')
+
+########################################
+## <summary>
+## Use the nis to authenticate passwords
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_authenticate',`
+ tunable_policy(`allow_ypbind',`
+ nis_use_ypbind_uncond($1)
+ corenet_tcp_bind_all_rpc_ports($1)
+ corenet_udp_bind_all_rpc_ports($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute ypbind in the ypbind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nis_domtrans_ypbind',`
+ gen_require(`
+ type ypbind_t, ypbind_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ypbind_exec_t, ypbind_t)
+')
+
+########################################
+## <summary>
+## Execute ypbind in the ypbind domain, and
+## allow the specified role the ypbind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_run_ypbind',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ nis_domtrans_ypbind($1)
+ role $2 types ypbind_t;
+')
+
+########################################
+## <summary>
+## Send generic signals to ypbind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_signal_ypbind',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ allow $1 ypbind_t:process signal;
+')
+
+########################################
+## <summary>
+## List the contents of the NIS data directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_list_var_yp',`
+ gen_require(`
+ type var_yp_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_yp_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to NIS clients. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_udp_send_ypbind',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Connect to ypbind over TCP. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_tcp_connect_ypbind',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Read ypbind pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_read_ypbind_pid',`
+ gen_require(`
+ type ypbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ypbind_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Delete ypbind pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_delete_ypbind_pid',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ # TODO: add delete pid from dir call to files
+ allow $1 ypbind_t:file unlink;
+')
+
+########################################
+## <summary>
+## Read ypserv configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_read_ypserv_config',`
+ gen_require(`
+ type ypserv_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 ypserv_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute ypxfr in the ypxfr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nis_domtrans_ypxfr',`
+ gen_require(`
+ type ypxfr_t, ypxfr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ypxfr_exec_t, ypxfr_t)
+')
+
+########################################
+## <summary>
+## Execute nis server in the nis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#
+interface(`nis_initrc_domtrans',`
+ gen_require(`
+ type nis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nis_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute nis server in the nis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nis_initrc_domtrans_ypbind',`
+ gen_require(`
+ type ypbind_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ypbind_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nis environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_admin',`
+ gen_require(`
+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+ type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
+ type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
+ type ypbind_initrc_exec_t, nis_initrc_exec_t;
+ ')
+
+ allow $1 ypbind_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ypbind_t)
+
+ allow $1 yppasswdd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, yppasswdd_t)
+
+ allow $1 ypserv_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ypserv_t)
+
+ allow $1 ypxfr_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ypxfr_t)
+
+ nis_initrc_domtrans($1)
+ nis_initrc_domtrans_ypbind($1)
+ domain_system_change_exemption($1)
+ role_transition $2 nis_initrc_exec_t system_r;
+ role_transition $2 ypbind_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, ypbind_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ypbind_var_run_t)
+
+ admin_pattern($1, yppasswdd_var_run_t)
+
+ files_list_etc($1)
+ admin_pattern($1, ypserv_conf_t)
+
+ admin_pattern($1, ypserv_tmp_t)
+
+ admin_pattern($1, ypserv_var_run_t)
+')
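Review bot: `nis_delete_ypbind_pid` grants `allow $1 ypbind_t:file unlink;` against the ypbind *process domain*, not the pid file type, so the interface cannot do what its summary says; `nis_read_ypbind_pid` in the same hunk shows the right shape, and the body should be `type ypbind_var_run_t;` in the `gen_require`, then `files_search_pids($1)` and `allow $1 ypbind_var_run_t:file delete_file_perms;` (the existing `# TODO` comment about a files-layer delete call can stay). `nis_initrc_domtrans` and `nis_initrc_domtrans_ypbind` carry the identical summary "Execute nis server in the nis domain."; the second should say it runs the ypbind init script, and the doubled `#` line before `nis_initrc_domtrans` is a stray. `nis_admin` requires and administers the ypbind, yppasswdd and ypserv runtime types but omits `ypxfr_var_run_t`, which nis.fc labels under `/var/run/ypxfrd.*`, so an administrator role cannot clean up that daemon's pid files.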
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
new file mode 100644
index 00000000..4876caec
--- /dev/null
+++ b/policy/modules/contrib/nis.te
@@ -0,0 +1,347 @@
+policy_module(nis, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type nis_initrc_exec_t;
+init_script_file(nis_initrc_exec_t)
+
+type var_yp_t;
+files_type(var_yp_t)
+
+type ypbind_t;
+type ypbind_exec_t;
+init_daemon_domain(ypbind_t, ypbind_exec_t)
+
+type ypbind_initrc_exec_t;
+init_script_file(ypbind_initrc_exec_t)
+
+type ypbind_tmp_t;
+files_tmp_file(ypbind_tmp_t)
+
+type ypbind_var_run_t;
+files_pid_file(ypbind_var_run_t)
+
+type yppasswdd_t;
+type yppasswdd_exec_t;
+init_daemon_domain(yppasswdd_t, yppasswdd_exec_t)
+domain_obj_id_change_exemption(yppasswdd_t)
+
+type yppasswdd_var_run_t;
+files_pid_file(yppasswdd_var_run_t)
+
+type ypserv_t;
+type ypserv_exec_t;
+init_daemon_domain(ypserv_t, ypserv_exec_t)
+
+type ypserv_conf_t;
+files_type(ypserv_conf_t)
+
+type ypserv_tmp_t;
+files_tmp_file(ypserv_tmp_t)
+
+type ypserv_var_run_t;
+files_pid_file(ypserv_var_run_t)
+
+type ypxfr_t;
+type ypxfr_exec_t;
+init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+
+type ypxfr_var_run_t;
+files_pid_file(ypxfr_var_run_t)
+
+########################################
+#
+# ypbind local policy
+
+dontaudit ypbind_t self:capability { net_admin sys_tty_config };
+allow ypbind_t self:fifo_file rw_fifo_file_perms;
+allow ypbind_t self:process signal_perms;
+allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow ypbind_t self:tcp_socket create_stream_socket_perms;
+allow ypbind_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t)
+manage_files_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t)
+files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
+
+manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t)
+files_pid_filetrans(ypbind_t, ypbind_var_run_t, file)
+
+manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
+
+kernel_read_system_state(ypbind_t)
+kernel_read_kernel_sysctls(ypbind_t)
+
+corenet_all_recvfrom_unlabeled(ypbind_t)
+corenet_all_recvfrom_netlabel(ypbind_t)
+corenet_tcp_sendrecv_generic_if(ypbind_t)
+corenet_udp_sendrecv_generic_if(ypbind_t)
+corenet_tcp_sendrecv_generic_node(ypbind_t)
+corenet_udp_sendrecv_generic_node(ypbind_t)
+corenet_tcp_sendrecv_all_ports(ypbind_t)
+corenet_udp_sendrecv_all_ports(ypbind_t)
+corenet_tcp_bind_generic_node(ypbind_t)
+corenet_udp_bind_generic_node(ypbind_t)
+corenet_tcp_bind_generic_port(ypbind_t)
+corenet_udp_bind_generic_port(ypbind_t)
+corenet_tcp_bind_reserved_port(ypbind_t)
+corenet_udp_bind_reserved_port(ypbind_t)
+corenet_tcp_bind_all_rpc_ports(ypbind_t)
+corenet_udp_bind_all_rpc_ports(ypbind_t)
+corenet_tcp_connect_all_ports(ypbind_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
+corenet_sendrecv_all_client_packets(ypbind_t)
+corenet_sendrecv_generic_server_packets(ypbind_t)
+
+dev_read_sysfs(ypbind_t)
+
+fs_getattr_all_fs(ypbind_t)
+fs_search_auto_mountpoints(ypbind_t)
+
+domain_use_interactive_fds(ypbind_t)
+
+files_read_etc_files(ypbind_t)
+files_list_var(ypbind_t)
+
+logging_send_syslog_msg(ypbind_t)
+
+miscfiles_read_localization(ypbind_t)
+
+sysnet_read_config(ypbind_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
+userdom_dontaudit_search_user_home_dirs(ypbind_t)
+
+optional_policy(`
+ dbus_system_bus_client(ypbind_t)
+ dbus_connect_system_bus(ypbind_t)
+ init_dbus_chat_script(ypbind_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(ypbind_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ypbind_t)
+')
+
+optional_policy(`
+ udev_read_db(ypbind_t)
+')
+
+########################################
+#
+# yppasswdd local policy
+#
+
+allow yppasswdd_t self:capability dac_override;
+dontaudit yppasswdd_t self:capability sys_tty_config;
+allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
+allow yppasswdd_t self:process { getsched setfscreate signal_perms };
+allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
+allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
+allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
+allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
+allow yppasswdd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(yppasswdd_t, yppasswdd_var_run_t, yppasswdd_var_run_t)
+files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
+
+manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
+manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
+
+kernel_list_proc(yppasswdd_t)
+kernel_read_proc_symlinks(yppasswdd_t)
+kernel_getattr_proc_files(yppasswdd_t)
+kernel_read_kernel_sysctls(yppasswdd_t)
+
+corenet_all_recvfrom_unlabeled(yppasswdd_t)
+corenet_all_recvfrom_netlabel(yppasswdd_t)
+corenet_tcp_sendrecv_generic_if(yppasswdd_t)
+corenet_udp_sendrecv_generic_if(yppasswdd_t)
+corenet_tcp_sendrecv_generic_node(yppasswdd_t)
+corenet_udp_sendrecv_generic_node(yppasswdd_t)
+corenet_tcp_sendrecv_all_ports(yppasswdd_t)
+corenet_udp_sendrecv_all_ports(yppasswdd_t)
+corenet_tcp_bind_generic_node(yppasswdd_t)
+corenet_udp_bind_generic_node(yppasswdd_t)
+corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
+corenet_udp_bind_all_rpc_ports(yppasswdd_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
+corenet_sendrecv_generic_server_packets(yppasswdd_t)
+
+dev_read_sysfs(yppasswdd_t)
+
+fs_getattr_all_fs(yppasswdd_t)
+fs_search_auto_mountpoints(yppasswdd_t)
+
+selinux_get_fs_mount(yppasswdd_t)
+
+auth_manage_shadow(yppasswdd_t)
+auth_relabel_shadow(yppasswdd_t)
+auth_etc_filetrans_shadow(yppasswdd_t)
+
+corecmd_exec_bin(yppasswdd_t)
+corecmd_exec_shell(yppasswdd_t)
+
+domain_use_interactive_fds(yppasswdd_t)
+
+files_read_etc_files(yppasswdd_t)
+files_read_etc_runtime_files(yppasswdd_t)
+files_relabel_etc_files(yppasswdd_t)
+
+logging_send_syslog_msg(yppasswdd_t)
+
+miscfiles_read_localization(yppasswdd_t)
+
+sysnet_read_config(yppasswdd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
+userdom_dontaudit_search_user_home_dirs(yppasswdd_t)
+
+optional_policy(`
+ hostname_exec(yppasswdd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(yppasswdd_t)
+')
+
+optional_policy(`
+ udev_read_db(yppasswdd_t)
+')
+
+########################################
+#
+# ypserv local policy
+#
+
+dontaudit ypserv_t self:capability sys_tty_config;
+allow ypserv_t self:fifo_file rw_fifo_file_perms;
+allow ypserv_t self:process signal_perms;
+allow ypserv_t self:unix_dgram_socket create_socket_perms;
+allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
+allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
+allow ypserv_t self:tcp_socket connected_stream_socket_perms;
+allow ypserv_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(ypserv_t, var_yp_t, var_yp_t)
+
+allow ypserv_t ypserv_conf_t:file read_file_perms;
+
+manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
+manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
+files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
+
+manage_files_pattern(ypserv_t, ypserv_var_run_t, ypserv_var_run_t)
+files_pid_filetrans(ypserv_t, ypserv_var_run_t, file)
+
+kernel_read_kernel_sysctls(ypserv_t)
+kernel_list_proc(ypserv_t)
+kernel_read_proc_symlinks(ypserv_t)
+
+corenet_all_recvfrom_unlabeled(ypserv_t)
+corenet_all_recvfrom_netlabel(ypserv_t)
+corenet_tcp_sendrecv_generic_if(ypserv_t)
+corenet_udp_sendrecv_generic_if(ypserv_t)
+corenet_tcp_sendrecv_generic_node(ypserv_t)
+corenet_udp_sendrecv_generic_node(ypserv_t)
+corenet_tcp_sendrecv_all_ports(ypserv_t)
+corenet_udp_sendrecv_all_ports(ypserv_t)
+corenet_tcp_bind_generic_node(ypserv_t)
+corenet_udp_bind_generic_node(ypserv_t)
+corenet_tcp_bind_reserved_port(ypserv_t)
+corenet_udp_bind_reserved_port(ypserv_t)
+corenet_tcp_bind_all_rpc_ports(ypserv_t)
+corenet_udp_bind_all_rpc_ports(ypserv_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
+corenet_sendrecv_generic_server_packets(ypserv_t)
+
+dev_read_sysfs(ypserv_t)
+
+fs_getattr_all_fs(ypserv_t)
+fs_search_auto_mountpoints(ypserv_t)
+
+corecmd_exec_bin(ypserv_t)
+
+domain_use_interactive_fds(ypserv_t)
+
+files_read_var_files(ypserv_t)
+files_read_etc_files(ypserv_t)
+
+logging_send_syslog_msg(ypserv_t)
+
+miscfiles_read_localization(ypserv_t)
+
+nis_domtrans_ypxfr(ypserv_t)
+
+sysnet_read_config(ypserv_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
+userdom_dontaudit_search_user_home_dirs(ypserv_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(ypserv_t)
+')
+
+optional_policy(`
+ udev_read_db(ypserv_t)
+')
+
+########################################
+#
+# ypxfr local policy
+#
+
+allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;
+allow ypxfr_t self:tcp_socket create_stream_socket_perms;
+allow ypxfr_t self:udp_socket create_socket_perms;
+allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t)
+
+allow ypxfr_t ypserv_t:tcp_socket { read write };
+allow ypxfr_t ypserv_t:udp_socket { read write };
+
+allow ypxfr_t ypserv_conf_t:file read_file_perms;
+
+manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
+files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(ypxfr_t)
+corenet_all_recvfrom_netlabel(ypxfr_t)
+corenet_tcp_sendrecv_generic_if(ypxfr_t)
+corenet_udp_sendrecv_generic_if(ypxfr_t)
+corenet_tcp_sendrecv_generic_node(ypxfr_t)
+corenet_udp_sendrecv_generic_node(ypxfr_t)
+corenet_tcp_sendrecv_all_ports(ypxfr_t)
+corenet_udp_sendrecv_all_ports(ypxfr_t)
+corenet_tcp_bind_generic_node(ypxfr_t)
+corenet_udp_bind_generic_node(ypxfr_t)
+corenet_tcp_bind_reserved_port(ypxfr_t)
+corenet_udp_bind_reserved_port(ypxfr_t)
+corenet_tcp_bind_all_rpc_ports(ypxfr_t)
+corenet_udp_bind_all_rpc_ports(ypxfr_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
+corenet_tcp_connect_all_ports(ypxfr_t)
+corenet_sendrecv_generic_server_packets(ypxfr_t)
+corenet_sendrecv_all_client_packets(ypxfr_t)
+
+files_read_etc_files(ypxfr_t)
+files_search_usr(ypxfr_t)
+
+logging_send_syslog_msg(ypxfr_t)
+
+miscfiles_read_localization(ypxfr_t)
+
+sysnet_read_config(ypxfr_t)
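Review bot: `allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;` in the ypxfr section grants listen/accept on a datagram socket, which has no meaning for that class and is inconsistent with the ypbind, yppasswdd and ypserv sections of this file, which use `create_socket_perms` for unix_dgram_socket; change it to `allow ypxfr_t self:unix_dgram_socket create_socket_perms;`. Separately, `ypxfr_var_run_t` is declared here but the `nis_admin` interface in the preceding nis.if hunk neither requires it nor applies `admin_pattern` to it, so an admin role can manage the pid files of the other three daemons but not ypxfr's. Adding `type ypxfr_var_run_t;` to that gen_require and `admin_pattern($1, ypxfr_var_run_t)` would make the admin interface complete.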
diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
new file mode 100644
index 00000000..623b7312
--- /dev/null
+++ b/policy/modules/contrib/nscd.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
+
+/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
+
+/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
+
+/var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if
new file mode 100644
index 00000000..85188dc7
--- /dev/null
+++ b/policy/modules/contrib/nscd.if
@@ -0,0 +1,291 @@
+## <summary>Name service cache daemon</summary>
+
+########################################
+## <summary>
+## Send generic signals to NSCD.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_signal',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process signal;
+')
+
+########################################
+## <summary>
+## Send NSCD the kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_kill',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send signulls to NSCD.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_signull',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process signull;
+')
+
+########################################
+## <summary>
+## Execute NSCD in the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nscd_domtrans',`
+ gen_require(`
+ type nscd_t, nscd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nscd_exec_t, nscd_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute nscd
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_exec',`
+ gen_require(`
+ type nscd_exec_t;
+ ')
+
+ can_exec($1, nscd_exec_t)
+')
+
+########################################
+## <summary>
+## Use NSCD services by connecting using
+## a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_socket_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
+ ')
+
+ allow $1 self:unix_stream_socket create_socket_perms;
+
+ allow $1 nscd_t:nscd { getpwd getgrp gethost };
+ dontaudit $1 nscd_t:fd use;
+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
+ files_search_pids($1)
+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+ dontaudit $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Use NSCD services by mapping the database from
+## an inherited NSCD file descriptor.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_shm_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+ ')
+
+ allow $1 nscd_var_run_t:dir list_dir_perms;
+ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
+
+ # Receive fd from nscd and map the backing file with read access.
+ allow $1 nscd_t:fd use;
+
+ # cjp: these were originally inherited from the
+ # nscd_socket_domain macro. need to investigate
+ # if they are all actually required
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 nscd_t:unix_stream_socket connectto;
+ allow $1 nscd_var_run_t:sock_file rw_file_perms;
+ files_search_pids($1)
+ allow $1 nscd_t:nscd { getpwd getgrp gethost };
+ dontaudit $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the NSCD pid directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`nscd_dontaudit_search_pid',`
+ gen_require(`
+ type nscd_var_run_t;
+ ')
+
+ dontaudit $1 nscd_var_run_t:dir search;
+')
+
+########################################
+## <summary>
+## Read NSCD pid file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_read_pid',`
+ gen_require(`
+ type nscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, nscd_var_run_t, nscd_var_run_t)
+')
+
+########################################
+## <summary>
+## Unconfined access to NSCD services.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_unconfined',`
+ gen_require(`
+ type nscd_t;
+ class nscd all_nscd_perms;
+ ')
+
+ allow $1 nscd_t:nscd *;
+')
+
+########################################
+## <summary>
+## Execute nscd in the nscd domain, and
+## allow the specified role the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_run',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ nscd_domtrans($1)
+ role $2 types nscd_t;
+')
+
+########################################
+## <summary>
+## Execute the nscd server init script.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nscd_initrc_domtrans',`
+ gen_require(`
+ type nscd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nscd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the nscd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nscd_admin',`
+ gen_require(`
+ type nscd_t, nscd_log_t, nscd_var_run_t;
+ type nscd_initrc_exec_t;
+ ')
+
+ allow $1 nscd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nscd_t)
+
+ init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 nscd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, nscd_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nscd_var_run_t)
+')
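Review bot: `nscd_shm_use` ships with the unresolved `cjp: ... need to investigate if they are all actually required` note and spells out the socket connection as `allow $1 nscd_t:unix_stream_socket connectto;` plus `allow $1 nscd_var_run_t:sock_file rw_file_perms;`, whereas `nscd_socket_use` just above expresses the same access with `stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)`. Using the pattern in both interfaces keeps them consistent and, if the pattern grants only write on the socket file as I believe it does, narrows `rw_file_perms` to what a connect actually needs. The investigation note should either be resolved before the file lands or be rewritten as a comment stating what the remaining rules are believed to be for.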
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
new file mode 100644
index 00000000..7936e09c
--- /dev/null
+++ b/policy/modules/contrib/nscd.te
@@ -0,0 +1,129 @@
+policy_module(nscd, 1.10.0)
+
+gen_require(`
+ class nscd all_nscd_perms;
+')
+
+########################################
+#
+# Declarations
+#
+
+# cjp: this is out of order because of an
+# ordering problem with loadable modules
+type nscd_var_run_t;
+files_pid_file(nscd_var_run_t)
+
+# nscd is both the client program and the daemon.
+type nscd_t;
+type nscd_exec_t;
+init_daemon_domain(nscd_t, nscd_exec_t)
+
+type nscd_initrc_exec_t;
+init_script_file(nscd_initrc_exec_t)
+
+type nscd_log_t;
+logging_log_file(nscd_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow nscd_t self:capability { kill setgid setuid };
+dontaudit nscd_t self:capability sys_tty_config;
+allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
+allow nscd_t self:fifo_file read_fifo_file_perms;
+allow nscd_t self:unix_stream_socket create_stream_socket_perms;
+allow nscd_t self:unix_dgram_socket create_socket_perms;
+allow nscd_t self:netlink_selinux_socket create_socket_perms;
+allow nscd_t self:tcp_socket create_socket_perms;
+allow nscd_t self:udp_socket create_socket_perms;
+
+# For client program operation, invoked from sysadm_t.
+# Transition occurs to nscd_t due to direct_sysadm_daemon.
+allow nscd_t self:nscd { admin getstat };
+
+allow nscd_t nscd_log_t:file manage_file_perms;
+logging_log_filetrans(nscd_t, nscd_log_t, file)
+
+manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
+manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
+files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+
+corecmd_search_bin(nscd_t)
+can_exec(nscd_t, nscd_exec_t)
+
+kernel_read_kernel_sysctls(nscd_t)
+kernel_list_proc(nscd_t)
+kernel_read_proc_symlinks(nscd_t)
+
+dev_read_sysfs(nscd_t)
+dev_read_rand(nscd_t)
+dev_read_urand(nscd_t)
+
+fs_getattr_all_fs(nscd_t)
+fs_search_auto_mountpoints(nscd_t)
+fs_list_inotifyfs(nscd_t)
+
+# for when /etc/passwd has just been updated and has the wrong type
+auth_getattr_shadow(nscd_t)
+auth_use_nsswitch(nscd_t)
+
+corenet_all_recvfrom_unlabeled(nscd_t)
+corenet_all_recvfrom_netlabel(nscd_t)
+corenet_tcp_sendrecv_generic_if(nscd_t)
+corenet_udp_sendrecv_generic_if(nscd_t)
+corenet_tcp_sendrecv_generic_node(nscd_t)
+corenet_udp_sendrecv_generic_node(nscd_t)
+corenet_tcp_sendrecv_all_ports(nscd_t)
+corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_generic_node(nscd_t)
+corenet_tcp_connect_all_ports(nscd_t)
+corenet_sendrecv_all_client_packets(nscd_t)
+corenet_rw_tun_tap_dev(nscd_t)
+
+selinux_get_fs_mount(nscd_t)
+selinux_validate_context(nscd_t)
+selinux_compute_access_vector(nscd_t)
+selinux_compute_create_context(nscd_t)
+selinux_compute_relabel_context(nscd_t)
+selinux_compute_user_contexts(nscd_t)
+domain_use_interactive_fds(nscd_t)
+
+files_read_etc_files(nscd_t)
+files_read_generic_tmp_symlinks(nscd_t)
+# Needed to read files created by firstboot "/etc/hesiod.conf"
+files_read_etc_runtime_files(nscd_t)
+
+logging_send_audit_msgs(nscd_t)
+logging_send_syslog_msg(nscd_t)
+
+miscfiles_read_localization(nscd_t)
+
+seutil_read_config(nscd_t)
+seutil_read_default_contexts(nscd_t)
+seutil_sigchld_newrole(nscd_t)
+
+sysnet_read_config(nscd_t)
+
+userdom_dontaudit_use_user_terminals(nscd_t)
+userdom_dontaudit_use_unpriv_user_fds(nscd_t)
+userdom_dontaudit_search_user_home_dirs(nscd_t)
+
+optional_policy(`
+ cron_read_system_job_tmp_files(nscd_t)
+')
+
+optional_policy(`
+ kerberos_use(nscd_t)
+')
+
+optional_policy(`
+ udev_read_db(nscd_t)
+')
+
+optional_policy(`
+ xen_dontaudit_rw_unix_stream_sockets(nscd_t)
+ xen_append_log(nscd_t)
+')
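Review bot: `corenet_rw_tun_tap_dev(nscd_t)` and the run of `selinux_validate_context`/`selinux_compute_*` calls carry no comment, while the rest of this file explains its non-obvious grants (`# for when /etc/passwd has just been updated ...`). Read/write access to tun/tap devices is unusual for a name-service cache and deserves a one-line justification, or removal if it is a leftover. For the selinux_* block a comment such as `# nscd checks client permissions on the nscd class itself, hence the access-vector computation and audit messages` would explain the grants; that is my reading of the rules, not something the hunk states, so please confirm against the daemon before adding it.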
diff --git a/policy/modules/contrib/nsd.fc b/policy/modules/contrib/nsd.fc
new file mode 100644
index 00000000..53cc8004
--- /dev/null
+++ b/policy/modules/contrib/nsd.fc
@@ -0,0 +1,14 @@
+
+/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
+/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
+/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+
+/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
+
+/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
+/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
diff --git a/policy/modules/contrib/nsd.if b/policy/modules/contrib/nsd.if
new file mode 100644
index 00000000..a1371d53
--- /dev/null
+++ b/policy/modules/contrib/nsd.if
@@ -0,0 +1,29 @@
+## <summary>Authoritative only name server</summary>
+
+########################################
+## <summary>
+## Send and receive datagrams from NSD. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsd_udp_chat',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Connect to NSD over a TCP socket (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsd_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/policy/modules/contrib/nsd.te b/policy/modules/contrib/nsd.te
new file mode 100644
index 00000000..4b15536c
--- /dev/null
+++ b/policy/modules/contrib/nsd.te
@@ -0,0 +1,180 @@
+policy_module(nsd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type nsd_t;
+type nsd_exec_t;
+init_daemon_domain(nsd_t, nsd_exec_t)
+
+# A type for configuration files of nsd
+type nsd_conf_t;
+files_type(nsd_conf_t)
+
+type nsd_crond_t;
+domain_type(nsd_crond_t)
+domain_entry_file(nsd_crond_t, nsd_exec_t)
+role system_r types nsd_crond_t;
+
+# a type for nsd.db
+type nsd_db_t;
+files_type(nsd_db_t)
+
+type nsd_var_run_t;
+files_pid_file(nsd_var_run_t)
+
+# A type for zone files
+type nsd_zone_t;
+files_type(nsd_zone_t)
+
+########################################
+#
+# NSD Local policy
+#
+
+allow nsd_t self:capability { dac_override chown setuid setgid };
+dontaudit nsd_t self:capability sys_tty_config;
+allow nsd_t self:process signal_perms;
+allow nsd_t self:tcp_socket create_stream_socket_perms;
+allow nsd_t self:udp_socket create_socket_perms;
+
+allow nsd_t nsd_conf_t:dir list_dir_perms;
+read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+
+allow nsd_t nsd_db_t:file manage_file_perms;
+filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
+
+manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
+files_pid_filetrans(nsd_t, nsd_var_run_t, file)
+
+allow nsd_t nsd_zone_t:dir list_dir_perms;
+read_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+read_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+
+can_exec(nsd_t, nsd_exec_t)
+
+kernel_read_system_state(nsd_t)
+kernel_read_kernel_sysctls(nsd_t)
+
+corecmd_exec_bin(nsd_t)
+
+corenet_all_recvfrom_unlabeled(nsd_t)
+corenet_all_recvfrom_netlabel(nsd_t)
+corenet_tcp_sendrecv_generic_if(nsd_t)
+corenet_udp_sendrecv_generic_if(nsd_t)
+corenet_tcp_sendrecv_generic_node(nsd_t)
+corenet_udp_sendrecv_generic_node(nsd_t)
+corenet_tcp_sendrecv_all_ports(nsd_t)
+corenet_udp_sendrecv_all_ports(nsd_t)
+corenet_tcp_bind_generic_node(nsd_t)
+corenet_udp_bind_generic_node(nsd_t)
+corenet_tcp_bind_dns_port(nsd_t)
+corenet_udp_bind_dns_port(nsd_t)
+corenet_sendrecv_dns_server_packets(nsd_t)
+
+dev_read_sysfs(nsd_t)
+
+domain_use_interactive_fds(nsd_t)
+
+files_read_etc_files(nsd_t)
+files_read_etc_runtime_files(nsd_t)
+
+fs_getattr_all_fs(nsd_t)
+fs_search_auto_mountpoints(nsd_t)
+
+logging_send_syslog_msg(nsd_t)
+
+miscfiles_read_localization(nsd_t)
+
+sysnet_read_config(nsd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nsd_t)
+userdom_dontaudit_search_user_home_dirs(nsd_t)
+
+optional_policy(`
+ nis_use_ypbind(nsd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nsd_t)
+')
+
+optional_policy(`
+ udev_read_db(nsd_t)
+')
+
+########################################
+#
+# Zone update cron job local policy
+#
+
+# kill capability for root cron job and non-root daemon
+allow nsd_crond_t self:capability { dac_override kill };
+dontaudit nsd_crond_t self:capability sys_nice;
+allow nsd_crond_t self:process { setsched signal_perms };
+allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
+allow nsd_crond_t self:tcp_socket create_socket_perms;
+allow nsd_crond_t self:udp_socket create_socket_perms;
+
+allow nsd_crond_t nsd_conf_t:file read_file_perms;
+
+allow nsd_crond_t nsd_db_t:file manage_file_perms;
+filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
+files_search_var_lib(nsd_crond_t)
+
+allow nsd_crond_t nsd_t:process signal;
+
+ps_process_pattern(nsd_crond_t, nsd_t)
+
+manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
+filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
+
+can_exec(nsd_crond_t, nsd_exec_t)
+
+kernel_read_system_state(nsd_crond_t)
+
+corecmd_exec_bin(nsd_crond_t)
+corecmd_exec_shell(nsd_crond_t)
+
+corenet_all_recvfrom_unlabeled(nsd_crond_t)
+corenet_all_recvfrom_netlabel(nsd_crond_t)
+corenet_tcp_sendrecv_generic_if(nsd_crond_t)
+corenet_udp_sendrecv_generic_if(nsd_crond_t)
+corenet_tcp_sendrecv_generic_node(nsd_crond_t)
+corenet_udp_sendrecv_generic_node(nsd_crond_t)
+corenet_tcp_sendrecv_all_ports(nsd_crond_t)
+corenet_udp_sendrecv_all_ports(nsd_crond_t)
+corenet_tcp_connect_all_ports(nsd_crond_t)
+corenet_sendrecv_all_client_packets(nsd_crond_t)
+
+# for SSP
+dev_read_urand(nsd_crond_t)
+
+domain_dontaudit_read_all_domains_state(nsd_crond_t)
+
+files_read_etc_files(nsd_crond_t)
+files_read_etc_runtime_files(nsd_crond_t)
+files_search_var_lib(nsd_t)
+
+logging_send_syslog_msg(nsd_crond_t)
+
+miscfiles_read_localization(nsd_crond_t)
+
+sysnet_read_config(nsd_crond_t)
+
+userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
+
+optional_policy(`
+ cron_system_entry(nsd_crond_t, nsd_exec_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(nsd_crond_t)
+')
+
+optional_policy(`
+ nscd_read_pid(nsd_crond_t)
+')
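Review bot: `files_search_var_lib(nsd_t)` sits in the middle of the zone-update cron job section, between the nsd_crond_t `files_read_etc_*` calls, although it applies to the daemon domain; move it up to the NSD local policy section next to `files_read_etc_files(nsd_t)` so a reader auditing nsd_t's grants finds all of them in one place. Presumably it is needed because nsd.fc in this commit places the zone files and nsd.db under /var/lib/nsd, so a short comment on the moved line, `# zone files and nsd.db live under /var/lib/nsd`, would also help.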
diff --git a/policy/modules/contrib/nslcd.fc b/policy/modules/contrib/nslcd.fc
new file mode 100644
index 00000000..ce913b24
--- /dev/null
+++ b/policy/modules/contrib/nslcd.fc
@@ -0,0 +1,4 @@
+/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff --git a/policy/modules/contrib/nslcd.if b/policy/modules/contrib/nslcd.if
new file mode 100644
index 00000000..23c769cf
--- /dev/null
+++ b/policy/modules/contrib/nslcd.if
@@ -0,0 +1,114 @@
+## <summary>nslcd - local LDAP name service daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run nslcd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nslcd_domtrans',`
+ gen_require(`
+ type nslcd_t, nslcd_exec_t;
+ ')
+
+ domtrans_pattern($1, nslcd_exec_t, nslcd_t)
+')
+
+########################################
+## <summary>
+## Execute nslcd server in the nslcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nslcd_initrc_domtrans',`
+ gen_require(`
+ type nslcd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nslcd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read nslcd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nslcd_read_pid_files',`
+ gen_require(`
+ type nslcd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 nslcd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to nslcd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nslcd_stream_connect',`
+ gen_require(`
+ type nslcd_t, nslcd_var_run_t;
+ ')
+
+ stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nslcd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nslcd_admin',`
+ gen_require(`
+ type nslcd_t, nslcd_initrc_exec_t;
+ type nslcd_conf_t, nslcd_var_run_t;
+ ')
+
+ ps_process_pattern($1, nslcd_t)
+ allow $1 nslcd_t:process { ptrace signal_perms };
+
+ # Allow nslcd_t to restart the apache service
+ nslcd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 nslcd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t)
+
+ manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+ manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+ manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+')
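Review bot: the comment `# Allow nslcd_t to restart the apache service` in `nslcd_admin` is wrong on both counts: the rule below it lets the admin domain (`$1`), not nslcd_t, run the nslcd init script, and nothing here concerns apache; replace it with `# Allow the admin domain to run the nslcd init script`. The same interface also differs from `nis_admin` and `nscd_admin` in the sibling hunks, which pair `admin_pattern` with `files_list_pids($1)` or `files_list_etc($1)`; here the conf and pid types are granted with bare `manage_*_pattern` calls and no search access to /etc or /var/run, so unless that access comes from elsewhere the admin may be unable to reach the files it is allowed to manage.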
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
new file mode 100644
index 00000000..4e28d582
--- /dev/null
+++ b/policy/modules/contrib/nslcd.te
@@ -0,0 +1,45 @@
+policy_module(nslcd, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type nslcd_t;
+type nslcd_exec_t;
+init_daemon_domain(nslcd_t, nslcd_exec_t)
+
+type nslcd_initrc_exec_t;
+init_script_file(nslcd_initrc_exec_t)
+
+type nslcd_var_run_t;
+files_pid_file(nslcd_var_run_t)
+
+type nslcd_conf_t;
+files_type(nslcd_conf_t)
+
+########################################
+#
+# nslcd local policy
+#
+
+allow nslcd_t self:capability { setgid setuid dac_override };
+allow nslcd_t self:process signal;
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow nslcd_t nslcd_conf_t:file read_file_perms;
+
+manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+
+kernel_read_system_state(nslcd_t)
+
+files_read_etc_files(nslcd_t)
+
+auth_use_nsswitch(nslcd_t)
+
+logging_send_syslog_msg(nslcd_t)
+
+miscfiles_read_localization(nslcd_t)
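Review bot: nothing in this hunk grants nslcd_t a network path to its LDAP server — there is no tcp_socket self rule and no corenet_* call — so either that access is expected to come through `auth_use_nsswitch(nslcd_t)` or it is missing. If the former, a comment on that line, `# tcp/dns access to the LDAP server is provided by auth_use_nsswitch`, would make the intent explicit; if the latter, the daemon will be denied at connect time. I have not verified what auth_use_nsswitch provides in this tree.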
diff --git a/policy/modules/contrib/ntop.fc b/policy/modules/contrib/ntop.fc
new file mode 100644
index 00000000..18384324
--- /dev/null
+++ b/policy/modules/contrib/ntop.fc
@@ -0,0 +1,6 @@
+/etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0)
+
+/usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
+
+/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
+/var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
diff --git a/policy/modules/contrib/ntop.if b/policy/modules/contrib/ntop.if
new file mode 100644
index 00000000..4bf0a141
--- /dev/null
+++ b/policy/modules/contrib/ntop.if
@@ -0,0 +1 @@
+## <summary>Network Top</summary>
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
new file mode 100644
index 00000000..ded9fb67
--- /dev/null
+++ b/policy/modules/contrib/ntop.te
@@ -0,0 +1,114 @@
+policy_module(ntop, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type ntop_t;
+type ntop_exec_t;
+init_daemon_domain(ntop_t, ntop_exec_t)
+application_domain(ntop_t, ntop_exec_t)
+
+type ntop_initrc_exec_t;
+init_script_file(ntop_initrc_exec_t)
+
+type ntop_etc_t;
+files_config_file(ntop_etc_t)
+
+type ntop_tmp_t;
+files_tmp_file(ntop_tmp_t)
+
+type ntop_var_lib_t;
+files_type(ntop_var_lib_t)
+
+type ntop_var_run_t;
+files_pid_file(ntop_var_run_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
+dontaudit ntop_t self:capability sys_tty_config;
+allow ntop_t self:process signal_perms;
+allow ntop_t self:fifo_file rw_fifo_file_perms;
+allow ntop_t self:tcp_socket create_stream_socket_perms;
+allow ntop_t self:udp_socket create_socket_perms;
+allow ntop_t self:unix_dgram_socket create_socket_perms;
+allow ntop_t self:unix_stream_socket create_stream_socket_perms;
+allow ntop_t self:packet_socket create_socket_perms;
+allow ntop_t self:socket create_socket_perms;
+
+allow ntop_t ntop_etc_t:dir list_dir_perms;
+read_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t)
+read_lnk_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t)
+
+manage_dirs_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
+manage_files_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
+files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
+
+manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
+manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
+files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )
+
+manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
+files_pid_filetrans(ntop_t, ntop_var_run_t, file)
+
+kernel_request_load_module(ntop_t)
+kernel_read_system_state(ntop_t)
+kernel_read_network_state(ntop_t)
+kernel_read_kernel_sysctls(ntop_t)
+kernel_list_proc(ntop_t)
+kernel_read_proc_symlinks(ntop_t)
+
+corenet_all_recvfrom_unlabeled(ntop_t)
+corenet_all_recvfrom_netlabel(ntop_t)
+corenet_tcp_sendrecv_generic_if(ntop_t)
+corenet_udp_sendrecv_generic_if(ntop_t)
+corenet_raw_sendrecv_generic_if(ntop_t)
+corenet_tcp_sendrecv_generic_node(ntop_t)
+corenet_udp_sendrecv_generic_node(ntop_t)
+corenet_raw_sendrecv_generic_node(ntop_t)
+corenet_tcp_sendrecv_all_ports(ntop_t)
+corenet_udp_sendrecv_all_ports(ntop_t)
+corenet_tcp_bind_ntop_port(ntop_t)
+corenet_tcp_connect_ntop_port(ntop_t)
+corenet_tcp_connect_http_port(ntop_t)
+corenet_sendrecv_http_client_packets(ntop_t)
+corenet_sendrecv_ntop_client_packets(ntop_t)
+corenet_sendrecv_ntop_server_packets(ntop_t)
+
+dev_read_sysfs(ntop_t)
+dev_rw_generic_usb_dev(ntop_t)
+
+domain_use_interactive_fds(ntop_t)
+
+files_read_etc_files(ntop_t)
+files_read_usr_files(ntop_t)
+
+fs_getattr_all_fs(ntop_t)
+fs_search_auto_mountpoints(ntop_t)
+
+auth_use_nsswitch(ntop_t)
+
+logging_send_syslog_msg(ntop_t)
+
+miscfiles_read_localization(ntop_t)
+miscfiles_read_fonts(ntop_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ntop_t)
+userdom_dontaudit_search_user_home_dirs(ntop_t)
+
+optional_policy(`
+ apache_read_sys_content(ntop_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ntop_t)
+')
+
+optional_policy(`
+ udev_read_db(ntop_t)
+')
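Review bot: `allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };` grants `sys_admin` and `net_admin`, the two broadest capabilities in the set, without a comment on what ntop does that needs them; ntp.te in this commit documents its capability line (`# sys_resource and setrlimit is for locking memory`), and the same style here is what makes a later audit possible. `dev_rw_generic_usb_dev(ntop_t)` is likewise unexplained for a network monitor; if it is for capturing on USB network adapters, a comment should say so. Minor style: `files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )` has a stray space before the closing parenthesis, while the other filetrans calls in the file write `{ file dir })`.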
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
new file mode 100644
index 00000000..e79dccce
--- /dev/null
+++ b/policy/modules/contrib/ntp.fc
@@ -0,0 +1,22 @@
+
+/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+
+/etc/ntpd?\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:net_conf_t,s0)
+
+/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+
+/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
+/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+
+/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+
+/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
new file mode 100644
index 00000000..e80f8c06
--- /dev/null
+++ b/policy/modules/contrib/ntp.if
@@ -0,0 +1,165 @@
+## <summary>Network time protocol daemon</summary>
+
+########################################
+## <summary>
+## NTP stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_stub',`
+ gen_require(`
+ type ntpd_t;
+ ')
+')
+
+########################################
+## <summary>
+## Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ntp_domtrans',`
+ gen_require(`
+ type ntpd_t, ntpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ntpd_exec_t, ntpd_t)
+')
+
+########################################
+## <summary>
+## Execute ntp in the ntp domain, and
+## allow the specified role the ntp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ntp_run',`
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ ntp_domtrans($1)
+ role $2 types ntpd_t;
+')
+
+########################################
+## <summary>
+## Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ntp_domtrans_ntpdate',`
+ gen_require(`
+ type ntpd_t, ntpdate_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ntpdate_exec_t, ntpd_t)
+')
+
+########################################
+## <summary>
+## Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ntp_initrc_domtrans',`
+ gen_require(`
+ type ntpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read and write ntpd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_rw_shm',`
+ gen_require(`
+ type ntpd_t, ntpd_tmpfs_t;
+ ')
+
+ allow $1 ntpd_t:shm rw_shm_perms;
+ list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+ rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+ read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ntp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the ntp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ntp_admin',`
+ gen_require(`
+ type ntpd_t, ntpd_tmp_t, ntpd_log_t;
+ type ntpd_key_t, ntpd_var_run_t;
+ type ntpd_initrc_exec_t;
+ ')
+
+ allow $1 ntpd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, ntpd_t)
+
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ntpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, ntpd_key_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ntpd_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, ntpd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ntpd_var_run_t)
+')
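Review bot: The summaries of `ntp_domtrans_ntpdate` and `ntp_initrc_domtrans` are copies of the `ntp_domtrans` summary, `## Execute ntp server in the ntpd domain.`, and do not describe what those interfaces do. The first transitions through `ntpdate_exec_t`, so `## Execute ntpdate in the ntpd domain.` fits; the second calls `init_labeled_script_domtrans`, so something like `## Execute the ntp init script in the init script domain.` fits. These summaries are what the generated interface documentation shows to policy writers, so a wrong one misleads more than a missing one.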
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
new file mode 100644
index 00000000..c61adc8d
--- /dev/null
+++ b/policy/modules/contrib/ntp.te
@@ -0,0 +1,156 @@
+policy_module(ntp, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type ntp_drift_t;
+files_type(ntp_drift_t)
+
+type ntpd_t;
+type ntpd_exec_t;
+init_daemon_domain(ntpd_t, ntpd_exec_t)
+
+type ntpd_initrc_exec_t;
+init_script_file(ntpd_initrc_exec_t)
+
+type ntpd_key_t;
+files_type(ntpd_key_t)
+
+type ntpd_log_t;
+logging_log_file(ntpd_log_t)
+
+type ntpd_tmp_t;
+files_tmp_file(ntpd_tmp_t)
+
+type ntpd_tmpfs_t;
+files_tmpfs_file(ntpd_tmpfs_t)
+
+type ntpd_var_run_t;
+files_pid_file(ntpd_var_run_t)
+
+type ntpdate_exec_t;
+init_system_domain(ntpd_t, ntpdate_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# sys_resource and setrlimit is for locking memory
+# ntpdate wants sys_nice
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
+dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
+allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
+allow ntpd_t self:fifo_file rw_fifo_file_perms;
+allow ntpd_t self:shm create_shm_perms;
+allow ntpd_t self:unix_dgram_socket create_socket_perms;
+allow ntpd_t self:unix_stream_socket create_socket_perms;
+allow ntpd_t self:tcp_socket create_stream_socket_perms;
+allow ntpd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+
+can_exec(ntpd_t, ntpd_exec_t)
+
+read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+
+allow ntpd_t ntpd_log_t:dir setattr;
+manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
+
+# for some reason it creates a file in /tmp
+manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
+manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
+files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
+
+manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
+manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
+fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
+
+manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
+files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
+
+kernel_read_kernel_sysctls(ntpd_t)
+kernel_read_system_state(ntpd_t)
+kernel_read_network_state(ntpd_t)
+kernel_request_load_module(ntpd_t)
+
+corenet_all_recvfrom_unlabeled(ntpd_t)
+corenet_all_recvfrom_netlabel(ntpd_t)
+corenet_tcp_sendrecv_generic_if(ntpd_t)
+corenet_udp_sendrecv_generic_if(ntpd_t)
+corenet_tcp_sendrecv_generic_node(ntpd_t)
+corenet_udp_sendrecv_generic_node(ntpd_t)
+corenet_tcp_sendrecv_all_ports(ntpd_t)
+corenet_udp_sendrecv_all_ports(ntpd_t)
+corenet_tcp_bind_generic_node(ntpd_t)
+corenet_udp_bind_generic_node(ntpd_t)
+corenet_udp_bind_ntp_port(ntpd_t)
+corenet_tcp_connect_ntp_port(ntpd_t)
+corenet_sendrecv_ntp_server_packets(ntpd_t)
+corenet_sendrecv_ntp_client_packets(ntpd_t)
+
+dev_read_sysfs(ntpd_t)
+# for SSP
+dev_read_urand(ntpd_t)
+
+fs_getattr_all_fs(ntpd_t)
+fs_search_auto_mountpoints(ntpd_t)
+
+term_use_ptmx(ntpd_t)
+
+auth_use_nsswitch(ntpd_t)
+
+corecmd_exec_bin(ntpd_t)
+corecmd_exec_shell(ntpd_t)
+
+domain_use_interactive_fds(ntpd_t)
+domain_dontaudit_list_all_domains_state(ntpd_t)
+
+files_read_etc_files(ntpd_t)
+files_read_etc_runtime_files(ntpd_t)
+files_read_usr_files(ntpd_t)
+files_list_var_lib(ntpd_t)
+
+init_exec_script_files(ntpd_t)
+
+logging_send_syslog_msg(ntpd_t)
+
+miscfiles_read_localization(ntpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
+userdom_list_user_home_dirs(ntpd_t)
+
+optional_policy(`
+ # for cron jobs
+ cron_system_entry(ntpd_t, ntpdate_exec_t)
+')
+
+optional_policy(`
+ gpsd_rw_shm(ntpd_t)
+')
+
+optional_policy(`
+ firstboot_dontaudit_use_fds(ntpd_t)
+ firstboot_dontaudit_rw_pipes(ntpd_t)
+ firstboot_dontaudit_rw_stream_sockets(ntpd_t)
+')
+
+optional_policy(`
+ hal_dontaudit_write_log(ntpd_t)
+')
+
+optional_policy(`
+ logrotate_exec(ntpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ntpd_t)
+')
+
+optional_policy(`
+ udev_read_db(ntpd_t)
+')
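Review bot: `sys_nice` appears both in `allow ntpd_t self:capability { chown dac_override ... sys_nice sys_resource };` and in the next line `dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };`; since the permission is allowed, the dontaudit entry is dead and contradicts the intent recorded in `# ntpdate wants sys_nice`. Drop `sys_nice` from the dontaudit set. `sys_chroot` and `ipc_owner` in the same allow line, and `term_use_ptmx(ntpd_t)` further down, carry no comment stating what needs them; the two comments already above the capability line show the style the rest of it should follow.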
diff --git a/policy/modules/contrib/nut.fc b/policy/modules/contrib/nut.fc
new file mode 100644
index 00000000..0a929ef4
--- /dev/null
+++ b/policy/modules/contrib/nut.fc
@@ -0,0 +1,12 @@
+/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
+
+/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+
+/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
+/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+
+/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
+
+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/policy/modules/contrib/nut.if b/policy/modules/contrib/nut.if
new file mode 100644
index 00000000..56660c51
--- /dev/null
+++ b/policy/modules/contrib/nut.if
@@ -0,0 +1 @@
+## <summary>nut - Network UPS Tools </summary>
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
new file mode 100644
index 00000000..ff962dd0
--- /dev/null
+++ b/policy/modules/contrib/nut.te
@@ -0,0 +1,171 @@
+policy_module(nut, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type nut_conf_t;
+files_config_file(nut_conf_t)
+
+type nut_upsd_t;
+type nut_upsd_exec_t;
+init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)
+
+type nut_upsmon_t;
+type nut_upsmon_exec_t;
+init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
+
+type nut_upsdrvctl_t;
+type nut_upsdrvctl_exec_t;
+init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
+
+type nut_var_run_t;
+files_pid_file(nut_var_run_t)
+
+########################################
+#
+# Local policy for upsd
+#
+
+allow nut_upsd_t self:capability { setgid setuid dac_override };
+
+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
+
+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
+
+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
+
+# pid file
+manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(nut_upsd_t)
+
+corenet_tcp_bind_ups_port(nut_upsd_t)
+corenet_tcp_bind_generic_port(nut_upsd_t)
+corenet_tcp_bind_all_nodes(nut_upsd_t)
+
+files_read_usr_files(nut_upsd_t)
+
+auth_use_nsswitch(nut_upsd_t)
+
+logging_send_syslog_msg(nut_upsd_t)
+
+miscfiles_read_localization(nut_upsd_t)
+
+########################################
+#
+# Local policy for upsmon
+#
+
+allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
+allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
+# pid file
+manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)
+
+kernel_read_kernel_sysctls(nut_upsmon_t)
+kernel_read_system_state(nut_upsmon_t)
+
+corecmd_exec_bin(nut_upsmon_t)
+corecmd_exec_shell(nut_upsmon_t)
+
+corenet_tcp_connect_ups_port(nut_upsmon_t)
+corenet_tcp_connect_generic_port(nut_upsmon_t)
+
+# Creates /etc/killpower
+files_manage_etc_runtime_files(nut_upsmon_t)
+files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
+files_search_usr(nut_upsmon_t)
+
+# /usr/bin/wall
+term_write_all_terms(nut_upsmon_t)
+
+# upsmon runs shutdown, probably need a shutdown domain
+init_rw_utmp(nut_upsmon_t)
+init_telinit(nut_upsmon_t)
+
+logging_send_syslog_msg(nut_upsmon_t)
+
+auth_use_nsswitch(nut_upsmon_t)
+
+miscfiles_read_localization(nut_upsmon_t)
+
+mta_send_mail(nut_upsmon_t)
+
+optional_policy(`
+ shutdown_domtrans(nut_upsmon_t)
+')
+
+########################################
+#
+# Local policy for upsdrvctl
+#
+
+allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
+allow nut_upsdrvctl_t self:process { sigchld signal signull };
+allow nut_upsdrvctl_t self:fd use;
+allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
+allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
+
+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
+
+# pid file
+manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(nut_upsdrvctl_t)
+
+# /sbin/upsdrvctl executes other drivers
+corecmd_exec_bin(nut_upsdrvctl_t)
+
+dev_read_urand(nut_upsdrvctl_t)
+dev_rw_generic_usb_dev(nut_upsdrvctl_t)
+
+term_use_unallocated_ttys(nut_upsdrvctl_t)
+
+auth_use_nsswitch(nut_upsdrvctl_t)
+
+init_sigchld(nut_upsdrvctl_t)
+
+logging_send_syslog_msg(nut_upsdrvctl_t)
+
+miscfiles_read_localization(nut_upsdrvctl_t)
+
+#######################################
+#
+# Local policy for upscgi scripts
+# requires httpd_enable_cgi and httpd_can_network_connect
+#
+
+optional_policy(`
+ apache_content_template(nutups_cgi)
+
+ read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
+
+ corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
+ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+ corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
+')
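Review bot: `allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;` in the upsd section looks too narrow for a daemon that also gets `corenet_tcp_bind_ups_port(nut_upsd_t)`: as far as I recall, `connected_stream_socket_perms` is the set for an already-created, inherited socket and omits `create`, so if upsd creates its own listening socket this needs `create_stream_socket_perms` (the other two domains in the file use `create_socket_perms` for theirs). Please confirm against the perm-set definitions in the policy support files before changing it. `corenet_tcp_bind_generic_port(nut_upsd_t)` directly after the ups-port bind widens the listening surface to every generic port with no comment on why the dedicated port is not enough; if it is a workaround for a specific configuration, a comment naming the case would help.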
diff --git a/policy/modules/contrib/nx.fc b/policy/modules/contrib/nx.fc
new file mode 100644
index 00000000..c4d2dca8
--- /dev/null
+++ b/policy/modules/contrib/nx.fc
@@ -0,0 +1,12 @@
+/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
+
+/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
+/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
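Review bot: `/var/lib/nxserver/home/.ssh(/.*)?` uses an unescaped `.` before `ssh`, so the regex accepts any character there, while the two parallel entries above it (`/opt/NX/home/nx/\.ssh(/.*)?`, `/usr/NX/home/nx/\.ssh(/.*)?`) escape it. The line should read `/var/lib/nxserver/home/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)`. The practical effect is small because the surrounding path is specific, but `nx_server_home_ssh_t` labels key material and should match exactly what it is meant to.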
diff --git a/policy/modules/contrib/nx.if b/policy/modules/contrib/nx.if
new file mode 100644
index 00000000..79a225ca
--- /dev/null
+++ b/policy/modules/contrib/nx.if
@@ -0,0 +1,85 @@
+## <summary>NX remote desktop</summary>
+
+########################################
+## <summary>
+## Transition to NX server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nx_spec_domtrans_server',`
+ gen_require(`
+ type nx_server_t, nx_server_exec_t;
+ ')
+
+ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
+')
+
+########################################
+## <summary>
+## Read nx home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_read_home_files',`
+ gen_require(`
+ type nx_server_home_ssh_t, nx_server_var_lib_t;
+ ')
+
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+')
+
+########################################
+## <summary>
+## Read nx /var/lib content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_search_var_lib',`
+ gen_require(`
+ type nx_server_var_lib_t;
+ ')
+
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create an object in the root directory, with a private
+## type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`nx_var_lib_filetrans',`
+ gen_require(`
+ type nx_server_var_lib_t;
+ ')
+
+ filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
+')
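Review bot: Three summaries in this file do not match the rules under them. `nx_read_home_files` grants `search_dir_perms` on `nx_server_var_lib_t` and reads `nx_server_home_ssh_t`, so `## Read the nx server .ssh directory content.` is more accurate than `## Read nx home directory content`; `nx_search_var_lib` is summarized as `## Read nx /var/lib content` but grants only `search_dir_perms`, so `## Search the nx server /var/lib directory.`; and `nx_var_lib_filetrans` says `## Create an object in the root directory` although the filetrans is on `nx_server_var_lib_t`, so `## Create an object in the nx server /var/lib directory, with a private type using a type transition.` These summaries are what policy writers see in the generated interface docs, and the first one in particular hides that the interface exposes ssh key material.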
diff --git a/policy/modules/contrib/nx.te b/policy/modules/contrib/nx.te
new file mode 100644
index 00000000..58e2972f
--- /dev/null
+++ b/policy/modules/contrib/nx.te
@@ -0,0 +1,98 @@
+policy_module(nx, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type nx_server_t;
+type nx_server_exec_t;
+domain_type(nx_server_t)
+domain_entry_file(nx_server_t, nx_server_exec_t)
+domain_user_exemption_target(nx_server_t)
+# we need an extra role because nxserver is called from sshd
+# cjp: do we really need this?
+role nx_server_r;
+role nx_server_r types nx_server_t;
+allow system_r nx_server_r;
+
+type nx_server_devpts_t;
+term_user_pty(nx_server_t, nx_server_devpts_t)
+
+type nx_server_tmp_t;
+files_tmp_file(nx_server_tmp_t)
+
+type nx_server_var_lib_t;
+files_type(nx_server_var_lib_t)
+
+type nx_server_var_run_t;
+files_pid_file(nx_server_var_run_t)
+
+########################################
+#
+# NX server local policy
+#
+
+allow nx_server_t self:fifo_file rw_fifo_file_perms;
+allow nx_server_t self:tcp_socket create_socket_perms;
+allow nx_server_t self:udp_socket create_socket_perms;
+
+allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(nx_server_t, nx_server_devpts_t)
+
+manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
+manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
+files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
+
+manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
+manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
+files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
+
+manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
+files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
+
+kernel_read_system_state(nx_server_t)
+kernel_read_kernel_sysctls(nx_server_t)
+
+# nxserver is a shell script --> call other programs
+corecmd_exec_shell(nx_server_t)
+corecmd_exec_bin(nx_server_t)
+
+corenet_all_recvfrom_unlabeled(nx_server_t)
+corenet_all_recvfrom_netlabel(nx_server_t)
+corenet_tcp_sendrecv_generic_if(nx_server_t)
+corenet_udp_sendrecv_generic_if(nx_server_t)
+corenet_tcp_sendrecv_generic_node(nx_server_t)
+corenet_udp_sendrecv_generic_node(nx_server_t)
+corenet_tcp_sendrecv_all_ports(nx_server_t)
+corenet_udp_sendrecv_all_ports(nx_server_t)
+corenet_tcp_connect_all_ports(nx_server_t)
+corenet_sendrecv_all_client_packets(nx_server_t)
+
+dev_read_urand(nx_server_t)
+
+files_read_etc_files(nx_server_t)
+files_read_etc_runtime_files(nx_server_t)
+# for reading the config files; maybe a separate type,
+# but users need to be able to also read the config
+files_read_usr_files(nx_server_t)
+
+miscfiles_read_localization(nx_server_t)
+
+seutil_dontaudit_search_config(nx_server_t)
+
+sysnet_read_config(nx_server_t)
+
+ifdef(`TODO',`
+# clients already have create permissions; the nxclient wants to also have unlink rights
+allow userdomain xdm_tmp_t:sock_file unlink;
+# for a lockfile created by the client process
+allow nx_server_t user_tmpfile:file getattr;
+')
+
+########################################
+#
+# SSH component local policy
+#
+
+ssh_basic_client_template(nx_server, nx_server_t, nx_server_r)
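Review bot: The `ifdef(`TODO',` block near the end is never compiled and carries two allow rules on identifiers this module does not `gen_require` (`xdm_tmp_t`, `user_tmpfile`, `userdomain`); if the rules are still wanted they belong in an `optional_policy` using the proper interfaces, otherwise the block should be removed rather than shipped as dead policy. `corenet_tcp_connect_all_ports(nx_server_t)` together with `corenet_sendrecv_all_client_packets(nx_server_t)` lets the server connect to any port with no comment on which ports it actually needs. The open question `# cjp: do we really need this?` on the extra `nx_server_r` role would also be better answered than committed as-is.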
diff --git a/policy/modules/contrib/oav.fc b/policy/modules/contrib/oav.fc
new file mode 100644
index 00000000..0a664745
--- /dev/null
+++ b/policy/modules/contrib/oav.fc
@@ -0,0 +1,9 @@
+/etc/oav-update(/.*)? gen_context(system_u:object_r:oav_update_etc_t,s0)
+/etc/scannerdaemon/scannerdaemon\.conf -- gen_context(system_u:object_r:scannerdaemon_etc_t,s0)
+
+/usr/sbin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0)
+/usr/sbin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
+
+/var/lib/oav-virussignatures -- gen_context(system_u:object_r:oav_update_var_lib_t,s0)
+/var/lib/oav-update(/.*)? gen_context(system_u:object_r:oav_update_var_lib_t,s0)
+/var/log/scannerdaemon\.log -- gen_context(system_u:object_r:scannerdaemon_log_t,s0)
diff --git a/policy/modules/contrib/oav.if b/policy/modules/contrib/oav.if
new file mode 100644
index 00000000..7f0d6444
--- /dev/null
+++ b/policy/modules/contrib/oav.if
@@ -0,0 +1,46 @@
+## <summary>Open AntiVirus scannerdaemon and signature update</summary>
+
+########################################
+## <summary>
+## Execute oav_update in the oav_update domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oav_domtrans_update',`
+ gen_require(`
+ type oav_update_t, oav_update_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, oav_update_exec_t, oav_update_t)
+')
+
+########################################
+## <summary>
+## Execute oav_update in the oav_update domain, and
+## allow the specified role the oav_update domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`oav_run_update',`
+ gen_require(`
+ type oav_update_t;
+ ')
+
+ oav_domtrans_update($1)
+ role $2 types oav_update_t;
+')
diff --git a/policy/modules/contrib/oav.te b/policy/modules/contrib/oav.te
new file mode 100644
index 00000000..b4c5f863
--- /dev/null
+++ b/policy/modules/contrib/oav.te
@@ -0,0 +1,146 @@
+policy_module(oav, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type oav_update_t;
+type oav_update_exec_t;
+application_domain(oav_update_t, oav_update_exec_t)
+
+# cjp: may be collapsable to etc_t
+type oav_update_etc_t;
+files_config_file(oav_update_etc_t)
+
+type oav_update_var_lib_t;
+files_type(oav_update_var_lib_t)
+
+type scannerdaemon_t;
+type scannerdaemon_exec_t;
+init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t)
+
+type scannerdaemon_etc_t;
+files_config_file(scannerdaemon_etc_t)
+
+type scannerdaemon_log_t;
+logging_log_file(scannerdaemon_log_t)
+
+type scannerdaemon_var_run_t;
+files_pid_file(scannerdaemon_var_run_t)
+
+########################################
+#
+# OAV update local policy
+#
+
+allow oav_update_t self:tcp_socket create_stream_socket_perms;
+allow oav_update_t self:udp_socket create_socket_perms;
+
+# Can read /etc/oav-update/* files
+allow oav_update_t oav_update_etc_t:dir list_dir_perms;
+allow oav_update_t oav_update_etc_t:file read_file_perms;
+
+# Can read /var/lib/oav-update/current
+manage_dirs_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
+manage_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
+read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
+
+corecmd_exec_all_executables(oav_update_t)
+
+corenet_all_recvfrom_unlabeled(oav_update_t)
+corenet_all_recvfrom_netlabel(oav_update_t)
+corenet_tcp_sendrecv_generic_if(oav_update_t)
+corenet_udp_sendrecv_generic_if(oav_update_t)
+corenet_tcp_sendrecv_generic_node(oav_update_t)
+corenet_udp_sendrecv_generic_node(oav_update_t)
+corenet_tcp_sendrecv_all_ports(oav_update_t)
+corenet_udp_sendrecv_all_ports(oav_update_t)
+
+files_exec_etc_files(oav_update_t)
+
+libs_exec_ld_so(oav_update_t)
+libs_exec_lib_files(oav_update_t)
+
+logging_send_syslog_msg(oav_update_t)
+
+sysnet_read_config(oav_update_t)
+
+userdom_use_user_terminals(oav_update_t)
+
+optional_policy(`
+ cron_system_entry(oav_update_t, oav_update_exec_t)
+')
+
+########################################
+#
+# Scannerdaemon local policy
+#
+
+dontaudit scannerdaemon_t self:capability sys_tty_config;
+allow scannerdaemon_t self:process signal_perms;
+allow scannerdaemon_t self:fifo_file rw_fifo_file_perms;
+allow scannerdaemon_t self:tcp_socket create_stream_socket_perms;
+allow scannerdaemon_t self:udp_socket create_socket_perms;
+
+allow scannerdaemon_t oav_update_var_lib_t:dir list_dir_perms;
+allow scannerdaemon_t oav_update_var_lib_t:file read_file_perms;
+files_search_var_lib(scannerdaemon_t)
+
+allow scannerdaemon_t scannerdaemon_etc_t:file read_file_perms;
+
+allow scannerdaemon_t scannerdaemon_log_t:file manage_file_perms;
+logging_log_filetrans(scannerdaemon_t, scannerdaemon_log_t, file)
+
+manage_files_pattern(scannerdaemon_t, scannerdaemon_var_run_t, scannerdaemon_var_run_t)
+files_pid_filetrans(scannerdaemon_t, scannerdaemon_var_run_t, file)
+
+kernel_read_system_state(scannerdaemon_t)
+kernel_read_kernel_sysctls(scannerdaemon_t)
+
+# Can run kaffe
+corecmd_exec_all_executables(scannerdaemon_t)
+
+corenet_all_recvfrom_unlabeled(scannerdaemon_t)
+corenet_all_recvfrom_netlabel(scannerdaemon_t)
+corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
+corenet_udp_sendrecv_generic_if(scannerdaemon_t)
+corenet_tcp_sendrecv_generic_node(scannerdaemon_t)
+corenet_udp_sendrecv_generic_node(scannerdaemon_t)
+corenet_tcp_sendrecv_all_ports(scannerdaemon_t)
+corenet_udp_sendrecv_all_ports(scannerdaemon_t)
+
+dev_read_sysfs(scannerdaemon_t)
+
+domain_use_interactive_fds(scannerdaemon_t)
+
+files_read_etc_files(scannerdaemon_t)
+files_read_etc_runtime_files(scannerdaemon_t)
+# Can run kaffe
+files_exec_etc_files(scannerdaemon_t)
+
+fs_getattr_all_fs(scannerdaemon_t)
+fs_search_auto_mountpoints(scannerdaemon_t)
+
+auth_dontaudit_read_shadow(scannerdaemon_t)
+
+# Can run kaffe
+libs_exec_ld_so(scannerdaemon_t)
+libs_exec_lib_files(scannerdaemon_t)
+
+logging_send_syslog_msg(scannerdaemon_t)
+
+miscfiles_read_localization(scannerdaemon_t)
+
+sysnet_read_config(scannerdaemon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
+userdom_dontaudit_search_user_home_dirs(scannerdaemon_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(scannerdaemon_t)
+')
+
+optional_policy(`
+ udev_read_db(scannerdaemon_t)
+')
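Review bot: `corecmd_exec_all_executables(oav_update_t)`, `files_exec_etc_files(oav_update_t)`, `libs_exec_ld_so(oav_update_t)` and `libs_exec_lib_files(oav_update_t)` are the same exec-anything set that the scannerdaemon section explains three times with `# Can run kaffe`, but in the oav_update section they carry no comment; if the update script also runs the Java runtime the comment should be repeated there, otherwise the set is wider than it looks. The comment `# Can read /var/lib/oav-update/current` sits above `manage_dirs_pattern` and `manage_files_pattern` rules, so it understates the access; `# Manages /var/lib/oav-update content` describes what the rules allow. With both changes the two sections read consistently.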
diff --git a/policy/modules/contrib/oddjob.fc b/policy/modules/contrib/oddjob.fc
new file mode 100644
index 00000000..734253ee
--- /dev/null
+++ b/policy/modules/contrib/oddjob.fc
@@ -0,0 +1,7 @@
+/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
+/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+
+/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
+/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
diff --git a/policy/modules/contrib/oddjob.if b/policy/modules/contrib/oddjob.if
new file mode 100644
index 00000000..bd76ec26
--- /dev/null
+++ b/policy/modules/contrib/oddjob.if
@@ -0,0 +1,111 @@
+## <summary>
+## Oddjob provides a mechanism by which unprivileged applications can
+## request that specified privileged operations be performed on their
+## behalf.
+## </summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run oddjob.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oddjob_domtrans',`
+ gen_require(`
+ type oddjob_t, oddjob_exec_t;
+ ')
+
+ domtrans_pattern($1, oddjob_exec_t, oddjob_t)
+')
+
+########################################
+## <summary>
+## Make the specified program domain accessable
+## from the oddjob.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process to transition to.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type of the file used as an entrypoint to this domain.
+## </summary>
+## </param>
+#
+interface(`oddjob_system_entry',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ domtrans_pattern(oddjob_t, $2, $1)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## oddjob over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oddjob_dbus_chat',`
+ gen_require(`
+ type oddjob_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 oddjob_t:dbus send_msg;
+ allow oddjob_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run oddjob_mkhomedir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oddjob_domtrans_mkhomedir',`
+ gen_require(`
+ type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
+ ')
+
+ domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
+')
+
+########################################
+## <summary>
+## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`oddjob_run_mkhomedir',`
+ gen_require(`
+ type oddjob_mkhomedir_t;
+ ')
+
+ oddjob_domtrans_mkhomedir($1)
+ role $2 types oddjob_mkhomedir_t;
+')
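Review bot: The summary of `oddjob_system_entry` misspells "accessible" as "accessable" (the line reading `## Make the specified program domain accessable`); `## Make the specified program domain accessible`. Since the .if summaries are extracted into the generated interface documentation, the typo becomes user-visible. The rest of the file's documentation reads correctly.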
diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te
new file mode 100644
index 00000000..f0535b91
--- /dev/null
+++ b/policy/modules/contrib/oddjob.te
@@ -0,0 +1,106 @@
+policy_module(oddjob, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type oddjob_t;
+type oddjob_exec_t;
+domain_type(oddjob_t)
+init_daemon_domain(oddjob_t, oddjob_exec_t)
+domain_obj_id_change_exemption(oddjob_t)
+domain_role_change_exemption(oddjob_t)
+domain_subj_id_change_exemption(oddjob_t)
+
+type oddjob_mkhomedir_t;
+type oddjob_mkhomedir_exec_t;
+domain_type(oddjob_mkhomedir_t)
+domain_obj_id_change_exemption(oddjob_mkhomedir_t)
+init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+
+# pid files
+type oddjob_var_run_t;
+files_pid_file(oddjob_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# oddjob local policy
+#
+
+allow oddjob_t self:capability setgid;
+allow oddjob_t self:process { setexec signal };
+allow oddjob_t self:fifo_file rw_fifo_file_perms;
+allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
+manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
+files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file })
+
+kernel_read_system_state(oddjob_t)
+
+corecmd_exec_bin(oddjob_t)
+corecmd_exec_shell(oddjob_t)
+
+mcs_process_set_categories(oddjob_t)
+
+selinux_compute_create_context(oddjob_t)
+
+files_read_etc_files(oddjob_t)
+
+miscfiles_read_localization(oddjob_t)
+
+locallogin_dontaudit_use_fds(oddjob_t)
+
+optional_policy(`
+ dbus_system_bus_client(oddjob_t)
+ dbus_connect_system_bus(oddjob_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(oddjob_t)
+')
+
+########################################
+#
+# oddjob_mkhomedir local policy
+#
+
+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:process setfscreate;
+allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
+allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(oddjob_mkhomedir_t)
+
+files_read_etc_files(oddjob_mkhomedir_t)
+
+auth_use_nsswitch(oddjob_mkhomedir_t)
+
+logging_send_syslog_msg(oddjob_mkhomedir_t)
+
+miscfiles_read_localization(oddjob_mkhomedir_t)
+
+selinux_get_fs_mount(oddjob_mkhomedir_t)
+selinux_validate_context(oddjob_mkhomedir_t)
+selinux_compute_access_vector(oddjob_mkhomedir_t)
+selinux_compute_create_context(oddjob_mkhomedir_t)
+selinux_compute_relabel_context(oddjob_mkhomedir_t)
+selinux_compute_user_contexts(oddjob_mkhomedir_t)
+
+seutil_read_config(oddjob_mkhomedir_t)
+seutil_read_file_contexts(oddjob_mkhomedir_t)
+seutil_read_default_contexts(oddjob_mkhomedir_t)
+
+# Add/remove user home directories
+userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
+userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
+userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+
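Review bot: `unconfined_domtrans(oddjob_t)` in the optional_policy block near the end of the oddjob local policy carries no comment, yet together with the three `domain_*_change_exemption` calls in the declarations and `setexec` on the process class it makes oddjob_t a point where a request from an unprivileged caller can end up running in an unconfined domain. A one-line rationale would help reviewers and auditors judge whether that is intended for a given deployment, for example `# oddjobd helpers run unconfined when the unconfined module is loaded` above the `optional_policy` (wording to be confirmed against how oddjobd dispatches jobs). The hunk also ends with an extra empty line after `userdom_user_home_dir_filetrans_user_home_content(...)`, which the other new .te files in this diff do not have.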
diff --git a/policy/modules/contrib/oident.fc b/policy/modules/contrib/oident.fc
new file mode 100644
index 00000000..5840ea87
--- /dev/null
+++ b/policy/modules/contrib/oident.fc
@@ -0,0 +1,8 @@
+HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:oidentd_home_t, s0)
+
+/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+
+/etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t, s0)
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
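Review bot: The home-directory entry at the top of the hunk leaves the second dot unescaped (`HOME_DIR/\.oidentd.conf`), so it is a regex wildcard and matches any single character there, while the three /etc and /usr entries below escape their dots consistently. Suggested line: `HOME_DIR/\.oidentd\.conf gen_context(system_u:object_r:oidentd_home_t, s0)`. The practical effect is small, but a stray match would label an unrelated file in the user's home as oidentd_home_t, which oidentd_t is allowed to read via oident_read_user_content.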
diff --git a/policy/modules/contrib/oident.if b/policy/modules/contrib/oident.if
new file mode 100644
index 00000000..bb4fae51
--- /dev/null
+++ b/policy/modules/contrib/oident.if
@@ -0,0 +1,68 @@
+## <summary>SELinux policy for Oident daemon.</summary>
+## <desc>
+## <p>
+## Oident daemon is a server that implements the TCP/IP
+## standard IDENT user identification protocol as
+## specified in the RFC 1413 document.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## Oidentd personal configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oident_read_user_content', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ allow $1 oidentd_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to create, read, write, and delete
+## Oidentd personal configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oident_manage_user_content', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ allow $1 oidentd_home_t:file manage_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to relabel
+## Oidentd personal configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oident_relabel_user_content', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ allow $1 oidentd_home_t:file relabel_file_perms;
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te
new file mode 100644
index 00000000..8845174e
--- /dev/null
+++ b/policy/modules/contrib/oident.te
@@ -0,0 +1,75 @@
+policy_module(oident, 2.2.0)
+
+########################################
+#
+# Oident daemon private declarations
+#
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+type oidentd_home_t;
+typealias oidentd_home_t alias { oidentd_user_content_t oidentd_staff_content_t oidentd_sysadm_content_t };
+typealias oidentd_home_t alias { oidentd_secadm_content_t oidentd_auditadm_content_t };
+userdom_user_home_content(oidentd_home_t)
+
+type oidentd_initrc_exec_t;
+init_script_file(oidentd_initrc_exec_t)
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+########################################
+#
+# Oident daemon private policy
+#
+
+allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
+allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
+allow oidentd_t self:udp_socket { write read create connect getattr ioctl };
+allow oidentd_t self:unix_dgram_socket { create connect };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_generic_if(oidentd_t)
+corenet_tcp_sendrecv_generic_node(oidentd_t)
+corenet_tcp_bind_generic_node(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t)
+corenet_sendrecv_auth_server_packets(oidentd_t)
+
+files_read_etc_files(oidentd_t)
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+# oidentd requests the tcp_diag kernel module, otherwise
+# it will be stuck using the slow /proc/net/tcp interface
+kernel_request_load_module(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+sysnet_read_config(oidentd_t)
+
+oident_read_user_content(oidentd_t)
+
+optional_policy(`
+ nis_use_ypbind(oidentd_t)
+')
+
+tunable_policy(`use_samba_home_dirs', `
+ fs_list_cifs(oidentd_t)
+ fs_read_cifs_files(oidentd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs', `
+ fs_list_nfs(oidentd_t)
+ fs_read_nfs_files(oidentd_t)
+')
diff --git a/policy/modules/contrib/openca.fc b/policy/modules/contrib/openca.fc
new file mode 100644
index 00000000..72a2db6d
--- /dev/null
+++ b/policy/modules/contrib/openca.fc
@@ -0,0 +1,9 @@
+/etc/openca(/.*)? gen_context(system_u:object_r:openca_etc_t,s0)
+/etc/openca/.*\.in(/.*)? gen_context(system_u:object_r:openca_etc_in_t,s0)
+/etc/openca/rbac(/.*)? gen_context(system_u:object_r:openca_etc_writeable_t,s0)
+
+/usr/share/openca(/.*)? gen_context(system_u:object_r:openca_usr_share_t,s0)
+/usr/share/openca/cgi-bin/ca/.+ -- gen_context(system_u:object_r:openca_ca_exec_t,s0)
+
+/var/lib/openca(/.*)? gen_context(system_u:object_r:openca_var_lib_t,s0)
+/var/lib/openca/crypto/keys(/.*)? gen_context(system_u:object_r:openca_var_lib_keys_t,s0)
diff --git a/policy/modules/contrib/openca.if b/policy/modules/contrib/openca.if
new file mode 100644
index 00000000..a8c1eefa
--- /dev/null
+++ b/policy/modules/contrib/openca.if
@@ -0,0 +1,76 @@
+## <summary>OpenCA - Open Certificate Authority</summary>
+
+########################################
+## <summary>
+## Execute the OpenCA program with
+## a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openca_domtrans',`
+ gen_require(`
+ type openca_ca_t, openca_ca_exec_t, openca_usr_share_t;
+ ')
+
+ domtrans_pattern($1, openca_ca_exec_t, openca_ca_t)
+ allow $1 openca_usr_share_t:dir search_dir_perms;
+ files_search_usr($1)
+')
+
+########################################
+## <summary>
+## Send OpenCA generic signals.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openca_signal',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process signal;
+')
+
+########################################
+## <summary>
+## Send OpenCA stop signals.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openca_sigstop',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process sigstop;
+')
+
+########################################
+## <summary>
+## Kill OpenCA.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openca_kill',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process sigkill;
+')
diff --git a/policy/modules/contrib/openca.te b/policy/modules/contrib/openca.te
new file mode 100644
index 00000000..2df8170d
--- /dev/null
+++ b/policy/modules/contrib/openca.te
@@ -0,0 +1,82 @@
+policy_module(openca, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type openca_ca_t;
+type openca_ca_exec_t;
+domain_type(openca_ca_t)
+domain_entry_file(openca_ca_t, openca_ca_exec_t)
+role system_r types openca_ca_t;
+
+# cjp: seems like some of these types
+# can be removed and replaced with generic
+# etc or usr files.
+
+# /etc/openca standard files
+type openca_etc_t;
+files_config_file(openca_etc_t)
+
+# /etc/openca template files
+type openca_etc_in_t;
+files_type(openca_etc_in_t)
+
+# /etc/openca writeable (from CGI script) files
+type openca_etc_writeable_t;
+files_type(openca_etc_writeable_t)
+
+# /usr/share/openca/crypto/keys
+type openca_usr_share_t;
+files_type(openca_usr_share_t)
+
+# /var/lib/openca
+type openca_var_lib_t;
+files_type(openca_var_lib_t)
+
+# /var/lib/openca/crypto/keys
+type openca_var_lib_keys_t;
+files_type(openca_var_lib_keys_t)
+
+########################################
+#
+# Local policy
+#
+
+# Allow access to other files under /etc/openca
+allow openca_ca_t openca_etc_t:file read_file_perms;
+allow openca_ca_t openca_etc_t:dir list_dir_perms;
+
+# Allow access to writeable files under /etc/openca
+manage_dirs_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t)
+manage_files_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t)
+
+# Allow access to other /var/lib/openca files
+manage_dirs_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)
+manage_files_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)
+
+# Allow access to private CA key
+manage_dirs_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t)
+manage_files_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t)
+
+# Allow access to other /usr/share/openca files
+read_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t)
+read_lnk_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t)
+allow openca_ca_t openca_usr_share_t:dir list_dir_perms;
+
+# the perl executable will be able to run a perl script
+corecmd_exec_bin(openca_ca_t)
+
+dev_read_rand(openca_ca_t)
+
+files_list_default(openca_ca_t)
+
+init_use_fds(openca_ca_t)
+init_use_script_fds(openca_ca_t)
+
+libs_exec_lib_files(openca_ca_t)
+
+apache_append_log(openca_ca_t)
+# Allow the script to return its output
+apache_rw_cache_files(openca_ca_t)
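Review bot: The comment above `type openca_usr_share_t;` says `# /usr/share/openca/crypto/keys`, but openca.fc in this same diff labels `/usr/share/openca(/.*)?` with that type; the keys path belongs to openca_var_lib_keys_t, whose comment a few lines later is correct. The comment should read `# /usr/share/openca`. Separately, the "Allow access to private CA key" block grants openca_ca_t full manage permissions on openca_var_lib_keys_t, and openca_ca_t is the domain the CGI scripts run in (it is entered via apache per the apache_* rules at the end); if write access to the key directory from the CGI domain is intended, it is worth saying so in that comment rather than leaving it implicit.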
diff --git a/policy/modules/contrib/openct.fc b/policy/modules/contrib/openct.fc
new file mode 100644
index 00000000..58c8816c
--- /dev/null
+++ b/policy/modules/contrib/openct.fc
@@ -0,0 +1,10 @@
+#
+# /usr
+#
+/usr/sbin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0)
+/usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
+
+#
+# /var
+#
+/var/run/openct(/.*)? gen_context(system_u:object_r:openct_var_run_t,s0)
diff --git a/policy/modules/contrib/openct.if b/policy/modules/contrib/openct.if
new file mode 100644
index 00000000..9d0a67bf
--- /dev/null
+++ b/policy/modules/contrib/openct.if
@@ -0,0 +1,95 @@
+## <summary>Service for handling smart card readers.</summary>
+
+########################################
+## <summary>
+## Send openct a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openct_signull',`
+ gen_require(`
+ type openct_t;
+ ')
+
+ allow $1 openct_t:process signull;
+')
+
+########################################
+## <summary>
+## Execute openct in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openct_exec',`
+ gen_require(`
+ type openct_t, openct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, openct_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run openct.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openct_domtrans',`
+ gen_require(`
+ type openct_t, openct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openct_exec_t, openct_t)
+')
+
+########################################
+## <summary>
+## Read openct PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openct_read_pid_files',`
+ gen_require(`
+ type openct_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, openct_var_run_t, openct_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to openct over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openct_stream_connect',`
+ gen_require(`
+ type openct_t, openct_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, openct_var_run_t, openct_var_run_t, openct_t)
+')
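Review bot: `openct_exec` requires `type openct_t, openct_exec_t;` but its body only uses openct_exec_t, so the gen_require should be `type openct_exec_t;`; the unused require needlessly ties the interface to the domain type. Also, the summary of `openct_stream_connect` reads "over an unix stream socket"; `## Connect to openct over a unix stream socket.`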
diff --git a/policy/modules/contrib/openct.te b/policy/modules/contrib/openct.te
new file mode 100644
index 00000000..7f8fdc2c
--- /dev/null
+++ b/policy/modules/contrib/openct.te
@@ -0,0 +1,61 @@
+policy_module(openct, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type openct_t;
+type openct_exec_t;
+init_daemon_domain(openct_t, openct_exec_t)
+
+type openct_var_run_t;
+files_pid_file(openct_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit openct_t self:capability sys_tty_config;
+allow openct_t self:process signal_perms;
+
+manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(openct_t)
+kernel_list_proc(openct_t)
+kernel_read_proc_symlinks(openct_t)
+
+dev_read_sysfs(openct_t)
+# openct asks for this
+dev_rw_usbfs(openct_t)
+dev_rw_smartcard(openct_t)
+dev_rw_generic_usb_dev(openct_t)
+
+domain_use_interactive_fds(openct_t)
+
+# openct asks for this
+files_read_etc_files(openct_t)
+
+fs_getattr_all_fs(openct_t)
+fs_search_auto_mountpoints(openct_t)
+
+logging_send_syslog_msg(openct_t)
+
+miscfiles_read_localization(openct_t)
+
+userdom_dontaudit_use_unpriv_user_fds(openct_t)
+userdom_dontaudit_search_user_home_dirs(openct_t)
+
+openct_exec(openct_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(openct_t)
+')
+
+optional_policy(`
+ udev_read_db(openct_t)
+')
diff --git a/policy/modules/contrib/openvpn.fc b/policy/modules/contrib/openvpn.fc
new file mode 100644
index 00000000..1c1086e6
--- /dev/null
+++ b/policy/modules/contrib/openvpn.fc
@@ -0,0 +1,18 @@
+#
+# /etc
+#
+/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
+/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
+
+#
+# /var
+#
+/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
+/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
+/var/run/openvpn\.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0)
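Review bot: The `/etc/openvpn/ipp.txt` entry leaves its dot unescaped while the neighbouring `/etc/rc\.d/init\.d/openvpn` and `/var/run/openvpn\.client.*` entries escape theirs; suggested line: `/etc/openvpn/ipp.txt` → `/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)`. The `/var/log/openvpn.*` pattern is presumably meant as a wildcard for openvpn.log and similar, so that one can stay as is. Since openvpn_etc_rw_t is the only writable label under /etc/openvpn, a precise match keeps the writable set to exactly the intended file.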
diff --git a/policy/modules/contrib/openvpn.if b/policy/modules/contrib/openvpn.if
new file mode 100644
index 00000000..d8832142
--- /dev/null
+++ b/policy/modules/contrib/openvpn.if
@@ -0,0 +1,163 @@
+## <summary>full-featured SSL VPN solution</summary>
+
+########################################
+## <summary>
+## Execute OPENVPN clients in the openvpn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openvpn_domtrans',`
+ gen_require(`
+ type openvpn_t, openvpn_exec_t;
+ ')
+
+ domtrans_pattern($1, openvpn_exec_t, openvpn_t)
+')
+
+########################################
+## <summary>
+## Execute OPENVPN clients in the openvpn domain, and
+## allow the specified role the openvpn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvpn_run',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ openvpn_domtrans($1)
+ role $2 types openvpn_t;
+')
+
+########################################
+## <summary>
+## Send OPENVPN clients the kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvpn_kill',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send generic signals to OPENVPN clients.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvpn_signal',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process signal;
+')
+
+########################################
+## <summary>
+## Send signulls to OPENVPN clients.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvpn_signull',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## OpenVPN configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvpn_read_config',`
+ gen_require(`
+ type openvpn_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 openvpn_etc_t:dir list_dir_perms;
+ read_files_pattern($1, openvpn_etc_t, openvpn_etc_t)
+ read_lnk_files_pattern($1, openvpn_etc_t, openvpn_etc_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an openvpn environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the openvpn domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvpn_admin',`
+ gen_require(`
+ type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
+ type openvpn_var_run_t, openvpn_initrc_exec_t;
+ ')
+
+ allow $1 openvpn_t:process { ptrace signal_perms };
+ ps_process_pattern($1, openvpn_t)
+
+ init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 openvpn_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, openvpn_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, openvpn_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, openvpn_var_run_t)
+')
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
new file mode 100644
index 00000000..66a52ee0
--- /dev/null
+++ b/policy/modules/contrib/openvpn.te
@@ -0,0 +1,140 @@
+policy_module(openvpn, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow openvpn to read home directories
+## </p>
+## </desc>
+gen_tunable(openvpn_enable_homedirs, false)
+
+# main openvpn domain
+type openvpn_t;
+type openvpn_exec_t;
+init_daemon_domain(openvpn_t, openvpn_exec_t)
+
+# configuration files
+type openvpn_etc_t;
+files_config_file(openvpn_etc_t)
+
+type openvpn_etc_rw_t;
+files_config_file(openvpn_etc_rw_t)
+
+type openvpn_initrc_exec_t;
+init_script_file(openvpn_initrc_exec_t)
+
+# log files
+type openvpn_var_log_t;
+logging_log_file(openvpn_var_log_t)
+
+# pid files
+type openvpn_var_run_t;
+files_pid_file(openvpn_var_run_t)
+
+########################################
+#
+# openvpn local policy
+#
+
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
+allow openvpn_t self:process { signal getsched };
+allow openvpn_t self:fifo_file rw_fifo_file_perms;
+
+allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
+allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvpn_t self:udp_socket create_socket_perms;
+allow openvpn_t self:tcp_socket server_stream_socket_perms;
+allow openvpn_t self:tun_socket create;
+allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
+
+can_exec(openvpn_t, openvpn_etc_t)
+read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+
+manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
+filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+
+allow openvpn_t openvpn_var_log_t:file manage_file_perms;
+logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
+
+manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(openvpn_t)
+kernel_read_net_sysctls(openvpn_t)
+kernel_read_network_state(openvpn_t)
+kernel_read_system_state(openvpn_t)
+
+corecmd_exec_bin(openvpn_t)
+corecmd_exec_shell(openvpn_t)
+
+corenet_all_recvfrom_unlabeled(openvpn_t)
+corenet_all_recvfrom_netlabel(openvpn_t)
+corenet_tcp_sendrecv_generic_if(openvpn_t)
+corenet_udp_sendrecv_generic_if(openvpn_t)
+corenet_tcp_sendrecv_generic_node(openvpn_t)
+corenet_udp_sendrecv_generic_node(openvpn_t)
+corenet_tcp_sendrecv_all_ports(openvpn_t)
+corenet_udp_sendrecv_all_ports(openvpn_t)
+corenet_tcp_bind_generic_node(openvpn_t)
+corenet_udp_bind_generic_node(openvpn_t)
+corenet_tcp_bind_openvpn_port(openvpn_t)
+corenet_udp_bind_openvpn_port(openvpn_t)
+corenet_tcp_bind_http_port(openvpn_t)
+corenet_tcp_connect_openvpn_port(openvpn_t)
+corenet_tcp_connect_http_port(openvpn_t)
+corenet_tcp_connect_http_cache_port(openvpn_t)
+corenet_rw_tun_tap_dev(openvpn_t)
+corenet_sendrecv_openvpn_server_packets(openvpn_t)
+corenet_sendrecv_openvpn_client_packets(openvpn_t)
+corenet_sendrecv_http_client_packets(openvpn_t)
+
+dev_search_sysfs(openvpn_t)
+dev_read_rand(openvpn_t)
+dev_read_urand(openvpn_t)
+
+files_read_etc_files(openvpn_t)
+files_read_etc_runtime_files(openvpn_t)
+
+auth_use_pam(openvpn_t)
+
+logging_send_syslog_msg(openvpn_t)
+
+miscfiles_read_localization(openvpn_t)
+miscfiles_read_all_certs(openvpn_t)
+
+sysnet_dns_name_resolve(openvpn_t)
+sysnet_exec_ifconfig(openvpn_t)
+sysnet_manage_config(openvpn_t)
+sysnet_etc_filetrans_config(openvpn_t)
+
+userdom_use_user_terminals(openvpn_t)
+
+tunable_policy(`openvpn_enable_homedirs',`
+ userdom_read_user_home_content_files(openvpn_t)
+')
+
+tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(openvpn_t)
+ fs_read_nfs_symlinks(openvpn_t)
+')
+
+tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(openvpn_t)
+ fs_read_cifs_symlinks(openvpn_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(openvpn_t, openvpn_exec_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(openvpn_t)
+ dbus_connect_system_bus(openvpn_t)
+
+ networkmanager_dbus_chat(openvpn_t)
+')
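Review bot: `can_exec(openvpn_t, openvpn_etc_t)` in the openvpn local policy is undocumented, and it matters: combined with `corecmd_exec_shell(openvpn_t)` and the capability set granted on the first line of that section (`dac_override`, `net_admin`, `setuid`, `sys_chroot`, ...), any executable file labelled openvpn_etc_t runs with the daemon's full privilege, so whoever can write /etc/openvpn controls that code. A one-line comment stating why config files must be executable would let a reviewer confirm the intent, e.g. `# hook scripts are kept alongside the configuration in /etc/openvpn` (presumably the scripts openvpn is configured to run; confirm). The same applies to `sysnet_manage_config(openvpn_t)` further down, which lets the daemon rewrite system network configuration.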
diff --git a/policy/modules/contrib/pads.fc b/policy/modules/contrib/pads.fc
new file mode 100644
index 00000000..0870c560
--- /dev/null
+++ b/policy/modules/contrib/pads.fc
@@ -0,0 +1,10 @@
+/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0)
+
+/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0)
+
+/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0)
+
+/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
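Review bot: Three entries in this hunk leave literal dots unescaped (`/etc/pads.conf`, `/etc/pads-assets.csv`, `/var/run/pads.pid`) while `/etc/rc\.d/init\.d/pads` escapes its dots, so the first three silently match any character in that position. Suggested lines: `/etc/pads\.conf -- gen_context(system_u:object_r:pads_config_t, s0)`, `/etc/pads-assets\.csv -- gen_context(system_u:object_r:pads_config_t, s0)`, `/var/run/pads\.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)`. pads_t has manage permissions on pads_config_t (see pads.te in this diff), so keeping the match precise avoids labelling an unrelated /etc file as writable by the daemon.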
diff --git a/policy/modules/contrib/pads.if b/policy/modules/contrib/pads.if
new file mode 100644
index 00000000..8ac407e5
--- /dev/null
+++ b/policy/modules/contrib/pads.if
@@ -0,0 +1,44 @@
+## <summary>Passive Asset Detection System</summary>
+## <desc>
+## <p>
+## PADS is a libpcap based detection engine used to
+## passively detect network assets. It is designed to
+## complement IDS technology by providing context to IDS
+## alerts.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pads environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pads_admin', `
+ gen_require(`
+ type pads_t, pads_config_t;
+ type pads_var_run_t, pads_initrc_exec_t;
+ ')
+
+ allow $1 pads_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pads_t)
+
+ init_labeled_script_domtrans($1, pads_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pads_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, pads_var_run_t)
+ admin_pattern($1, pads_config_t)
+')
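Review bot: The summary of `pads_admin` reads "an pads environment"; `## a pads environment`. The interface body itself matches the admin pattern used by openvpn_admin elsewhere in this diff, so nothing else stands out.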
diff --git a/policy/modules/contrib/pads.te b/policy/modules/contrib/pads.te
new file mode 100644
index 00000000..b246bdd5
--- /dev/null
+++ b/policy/modules/contrib/pads.te
@@ -0,0 +1,63 @@
+policy_module(pads, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pads_t;
+type pads_exec_t;
+init_daemon_domain(pads_t, pads_exec_t)
+role system_r types pads_t;
+
+type pads_initrc_exec_t;
+init_script_file(pads_initrc_exec_t)
+
+type pads_config_t;
+files_config_file(pads_config_t)
+
+type pads_var_run_t;
+files_pid_file(pads_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow pads_t self:capability { dac_override net_raw };
+allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
+allow pads_t self:udp_socket { create ioctl };
+allow pads_t self:unix_dgram_socket { write create connect };
+
+allow pads_t pads_config_t:file manage_file_perms;
+files_etc_filetrans(pads_t, pads_config_t, file)
+
+allow pads_t pads_var_run_t:file manage_file_perms;
+files_pid_filetrans(pads_t, pads_var_run_t, file)
+
+kernel_read_sysctl(pads_t)
+
+corecmd_search_bin(pads_t)
+
+corenet_all_recvfrom_unlabeled(pads_t)
+corenet_all_recvfrom_netlabel(pads_t)
+corenet_tcp_sendrecv_generic_if(pads_t)
+corenet_tcp_sendrecv_generic_node(pads_t)
+corenet_tcp_connect_prelude_port(pads_t)
+
+dev_read_rand(pads_t)
+dev_read_urand(pads_t)
+
+files_read_etc_files(pads_t)
+files_search_spool(pads_t)
+
+miscfiles_read_localization(pads_t)
+
+logging_send_syslog_msg(pads_t)
+
+sysnet_dns_name_resolve(pads_t)
+
+optional_policy(`
+ prelude_manage_spool(pads_t)
+')
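Review bot: The second section header in pads.te (the banner directly above `allow pads_t self:capability { dac_override net_raw };`) repeats `# Declarations`, although that section holds the local policy rules; it should read `# pads local policy`, matching the naming used in oddjob.te and openvpn.te in this same diff. A reader scanning by banner would otherwise miss where the allow rules begin.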
diff --git a/policy/modules/contrib/pan.fc b/policy/modules/contrib/pan.fc
new file mode 100644
index 00000000..c2abdfd6
--- /dev/null
+++ b/policy/modules/contrib/pan.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.pan2(/.*)? gen_context(system_u:object_r:pan_home_t,s0)
+
+#
+# /usr
+#
+/usr/bin/pan -- gen_context(system_u:object_r:pan_exec_t,s0)
diff --git a/policy/modules/contrib/pan.if b/policy/modules/contrib/pan.if
new file mode 100644
index 00000000..e6c8abdc
--- /dev/null
+++ b/policy/modules/contrib/pan.if
@@ -0,0 +1,38 @@
+## <summary>Pan news reader client</summary>
+
+########################################
+## <summary>
+## Role access for pan
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`pan_role',`
+ gen_require(`
+ type pan_t, pan_exec_t, pan_home_t;
+ ')
+ role $1 types pan_t;
+
+ allow $2 pan_t:process signal_perms;
+
+ domtrans_pattern($2, pan_exec_t, pan_t)
+
+ ps_process_pattern($2, pan_t)
+
+ manage_dirs_pattern($2, pan_home_t, pan_home_t)
+ manage_files_pattern($2, pan_home_t, pan_home_t)
+ manage_lnk_files_pattern($2, pan_home_t, pan_home_t)
+
+ relabel_dirs_pattern($2, pan_home_t, pan_home_t)
+ relabel_files_pattern($2, pan_home_t, pan_home_t)
+ relabel_lnk_files_pattern($2, pan_home_t, pan_home_t)
+')
+
diff --git a/policy/modules/contrib/pan.te b/policy/modules/contrib/pan.te
new file mode 100644
index 00000000..8f738a0c
--- /dev/null
+++ b/policy/modules/contrib/pan.te
@@ -0,0 +1,116 @@
+policy_module(pan, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Be able to manage user files (needed to support sending and downloading
+## attachments). Without this boolean set, only files marked as pan_home_t
+## can be used for sending and receiving.
+## </p>
+## </desc>
+gen_tunable(pan_manage_user_content, false)
+
+
+type pan_t;
+type pan_exec_t;
+application_domain(pan_t, pan_exec_t)
+ubac_constrained(pan_t)
+
+type pan_home_t;
+userdom_user_home_content(pan_home_t)
+
+type pan_tmpfs_t;
+files_tmpfs_file(pan_tmpfs_t)
+ubac_constrained(pan_tmpfs_t)
+
+########################################
+#
+# Pan local policy
+#
+allow pan_t self:process { getsched signal };
+allow pan_t self:fifo_file rw_fifo_file_perms;
+allow pan_t pan_tmpfs_t:file { read write };
+
+# Allow pan to work with its ~/.pan2 location
+manage_dirs_pattern(pan_t, pan_home_t, pan_home_t)
+manage_files_pattern(pan_t, pan_home_t, pan_home_t)
+manage_lnk_files_pattern(pan_t, pan_home_t, pan_home_t)
+
+# Support for shared memory
+fs_tmpfs_filetrans(pan_t, pan_tmpfs_t, file)
+
+kernel_dontaudit_read_system_state(pan_t)
+
+corenet_all_recvfrom_netlabel(pan_t)
+corenet_all_recvfrom_unlabeled(pan_t)
+corenet_sendrecv_innd_client_packets(pan_t)
+corenet_tcp_connect_innd_port(pan_t)
+corenet_tcp_sendrecv_generic_if(pan_t)
+corenet_tcp_sendrecv_generic_node(pan_t)
+corenet_tcp_sendrecv_innd_port(pan_t)
+
+domain_dontaudit_use_interactive_fds(pan_t)
+
+files_read_etc_files(pan_t)
+files_read_usr_files(pan_t)
+
+miscfiles_read_localization(pan_t)
+
+sysnet_dns_name_resolve(pan_t)
+
+userdom_dontaudit_use_user_ttys(pan_t)
+userdom_use_user_ptys(pan_t)
+
+xserver_user_x_domain_template(pan, pan_t, pan_tmpfs_t)
+
+tunable_policy(`pan_manage_user_content',`
+ userdom_manage_user_home_content_dirs(pan_t)
+ userdom_manage_user_home_content_files(pan_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(pan_t)
+ fs_manage_nfs_files(pan_t)
+ fs_manage_nfs_symlinks(pan_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(pan_t)
+ fs_manage_cifs_files(pan_t)
+ fs_manage_cifs_symlinks(pan_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(pan_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(pan_t)
+ dbus_session_bus_client(pan_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(pan_t)
+')
+
+optional_policy(`
+ gpg_domtrans(pan_t)
+ gpg_signal(pan_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(pan_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(pan_t)
+ mozilla_domtrans(pan_t)
+')
+
+optional_policy(`
+ xdg_read_generic_data_home_files(pan_t)
+')
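Review bot: The `use_nfs_home_dirs` and `use_samba_home_dirs` blocks grant `fs_manage_nfs_*` / `fs_manage_cifs_*` without reference to `pan_manage_user_content`, so on a remote home directory pan_t can manage every user file regardless of that boolean, which contradicts the tunable description ("only files marked as pan_home_t can be used"). Remote home content carries a single filesystem type, so the promised pan_home_t restriction cannot hold there; either gate those two blocks on the combined condition `pan_manage_user_content && use_nfs_home_dirs` (and likewise for samba), or, if the remote access is required for ~/.pan2 itself, amend the description to state that the restriction applies only to locally labeled home directories. Also `policy_module(pan, 1.0)` uses a two-part version while the sibling modules in this commit use three parts (`1.0.0`).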
diff --git a/policy/modules/contrib/passenger.fc b/policy/modules/contrib/passenger.fc
new file mode 100644
index 00000000..545518dd
--- /dev/null
+++ b/policy/modules/contrib/passenger.fc
@@ -0,0 +1,11 @@
+/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+
+/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+
+/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0)
+/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0)
+
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/policy/modules/contrib/passenger.if b/policy/modules/contrib/passenger.if
new file mode 100644
index 00000000..f68b5735
--- /dev/null
+++ b/policy/modules/contrib/passenger.if
@@ -0,0 +1,39 @@
+## <summary>Ruby on rails deployment for Apache and Nginx servers.</summary>
+
+######################################
+## <summary>
+## Execute passenger in the passenger domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`passenger_domtrans',`
+ gen_require(`
+ type passenger_t, passenger_exec_t;
+ ')
+
+ domtrans_pattern($1, passenger_exec_t, passenger_t)
+')
+
+########################################
+## <summary>
+## Read passenger lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_read_lib_files',`
+ gen_require(`
+ type passenger_var_lib_t;
+ ')
+
+ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ files_search_var_lib($1)
+')
diff --git a/policy/modules/contrib/passenger.te b/policy/modules/contrib/passenger.te
new file mode 100644
index 00000000..3470036d
--- /dev/null
+++ b/policy/modules/contrib/passenger.te
@@ -0,0 +1,77 @@
+policy_module(passanger, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type passenger_t;
+type passenger_exec_t;
+domain_type(passenger_t)
+domain_entry_file(passenger_t, passenger_exec_t)
+role system_r types passenger_t;
+
+type passenger_log_t;
+logging_log_file(passenger_log_t)
+
+type passenger_tmp_t;
+files_tmp_file(passenger_tmp_t)
+
+type passenger_var_lib_t;
+files_type(passenger_var_lib_t)
+
+type passenger_var_run_t;
+files_pid_file(passenger_var_run_t)
+
+########################################
+#
+# passanger local policy
+#
+
+allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice };
+allow passenger_t self:process { setpgid setsched sigkill signal };
+allow passenger_t self:fifo_file rw_fifo_file_perms;
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+can_exec(passenger_t, passenger_exec_t)
+
+manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
+manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+logging_log_filetrans(passenger_t, passenger_log_t, file)
+
+manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+files_search_var_lib(passenger_t)
+
+manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+
+kernel_read_system_state(passenger_t)
+kernel_read_kernel_sysctls(passenger_t)
+
+corenet_all_recvfrom_netlabel(passenger_t)
+corenet_all_recvfrom_unlabeled(passenger_t)
+corenet_tcp_sendrecv_generic_if(passenger_t)
+corenet_tcp_sendrecv_generic_node(passenger_t)
+corenet_tcp_connect_http_port(passenger_t)
+
+corecmd_exec_bin(passenger_t)
+corecmd_exec_shell(passenger_t)
+
+dev_read_urand(passenger_t)
+
+files_read_etc_files(passenger_t)
+
+auth_use_nsswitch(passenger_t)
+
+miscfiles_read_localization(passenger_t)
+
+userdom_dontaudit_use_user_terminals(passenger_t)
+
+optional_policy(`
+ apache_append_log(passenger_t)
+ apache_read_sys_content(passenger_t)
+')
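Review bot: `policy_module(passanger, 1.0.0)` misspells the module name, so the built package will be installed under the name "passanger" while the file, its types and the interfaces in passenger.if all say passenger, and `semodule -r passenger` or any tooling keyed on the file name will not find it. It should be `policy_module(passenger, 1.0.0)`, and the section comment `# passanger local policy` wants the same fix. Separately, `passenger_tmp_t` is declared with `files_tmp_file` but no rule in the module uses it; either add the tmp manage and `files_tmp_filetrans` rules or drop the dead declaration.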
diff --git a/policy/modules/contrib/pcmcia.fc b/policy/modules/contrib/pcmcia.fc
new file mode 100644
index 00000000..9cf0e564
--- /dev/null
+++ b/policy/modules/contrib/pcmcia.fc
@@ -0,0 +1,10 @@
+
+/etc/apm/event\.d/pcmcia -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+
+/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
+/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+
+/var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+
+/var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+/var/run/stab -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
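Review bot: `/var/lib/pcmcia(/.*)?` is labeled `cardmgr_var_run_t`, but pcmcia.te declares a separate `cardmgr_var_lib_t` and transitions files cardmgr creates directly in /var/lib to it (`files_var_lib_filetrans(cardmgr_t, cardmgr_var_lib_t, file)`), so runtime-created state and the same tree after `restorecon` end up with different types, and `cardmgr_var_lib_t` has no file context at all. The entry should be `/var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_lib_t,s0)` unless the var_lib type is meant to go away, in which case the te declaration and transition are the dead half.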
diff --git a/policy/modules/contrib/pcmcia.if b/policy/modules/contrib/pcmcia.if
new file mode 100644
index 00000000..aef445d3
--- /dev/null
+++ b/policy/modules/contrib/pcmcia.if
@@ -0,0 +1,156 @@
+## <summary>PCMCIA card management services</summary>
+
+########################################
+## <summary>
+## PCMCIA stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcmcia_stub',`
+ gen_require(`
+ type cardmgr_t;
+ ')
+')
+
+########################################
+## <summary>
+## Execute cardmgr in the cardmgr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcmcia_domtrans_cardmgr',`
+ gen_require(`
+ type cardmgr_t, cardmgr_exec_t;
+ ')
+
+ domtrans_pattern($1, cardmgr_exec_t, cardmgr_t)
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from cardmgr.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcmcia_use_cardmgr_fds',`
+ gen_require(`
+ type cardmgr_t;
+ ')
+
+ allow $1 cardmgr_t:fd use;
+')
+
+########################################
+## <summary>
+## Execute cardctl in the cardmgr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcmcia_domtrans_cardctl',`
+ gen_require(`
+ type cardmgr_t, cardctl_exec_t;
+ ')
+
+ domtrans_pattern($1, cardctl_exec_t, cardmgr_t)
+')
+
+########################################
+## <summary>
+## Execute cardmgr in the cardctl domain, and
+## allow the specified role the cardmgr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pcmcia_run_cardctl',`
+ gen_require(`
+ type cardmgr_t;
+ ')
+
+ pcmcia_domtrans_cardctl($1)
+ role $2 types cardmgr_t;
+')
+
+########################################
+## <summary>
+## Read cardmgr pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcmcia_read_pid',`
+ gen_require(`
+ type cardmgr_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## cardmgr pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcmcia_manage_pid',`
+ gen_require(`
+ type cardmgr_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## cardmgr runtime character nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcmcia_manage_pid_chr_files',`
+ gen_require(`
+ type cardmgr_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_chr_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
+')
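Review bot: `pcmcia_run_cardctl` hands the caller's role the full `cardmgr_t` domain, because `pcmcia_domtrans_cardctl` transitions `cardctl_exec_t` into `cardmgr_t` rather than a dedicated control domain; per pcmcia.te that domain holds `sys_admin`, `net_admin` and `mknod`, plus `modutils_domtrans_insmod`, `sysnet_manage_config` and `corecmd_exec_all_executables`, so any role granted this `<rolecap/>` interface can effectively invoke the module loader and rewrite network configuration. If a user-runnable control tool is wanted it should get its own `cardctl_t` with only the cardmgr pid/socket access, or the interface documentation should spell out this caveat. The summary on `pcmcia_run_cardctl` is also inverted, since no cardctl domain exists; it should read `Execute cardctl in the cardmgr domain, and allow the specified role the cardmgr domain.`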
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
new file mode 100644
index 00000000..4d06ae36
--- /dev/null
+++ b/policy/modules/contrib/pcmcia.te
@@ -0,0 +1,137 @@
+policy_module(pcmcia, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type cardmgr_t;
+type cardmgr_exec_t;
+init_daemon_domain(cardmgr_t, cardmgr_exec_t)
+
+# Create symbolic links in /dev.
+# cjp: this should probably be eliminated
+type cardmgr_lnk_t;
+files_type(cardmgr_lnk_t)
+
+type cardmgr_var_lib_t;
+files_type(cardmgr_var_lib_t)
+
+type cardmgr_var_run_t;
+files_pid_file(cardmgr_var_run_t)
+
+type cardctl_exec_t;
+application_domain(cardmgr_t, cardctl_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# Use capabilities (net_admin for route), setuid for cardctl
+allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+dontaudit cardmgr_t self:capability sys_tty_config;
+allow cardmgr_t self:process signal_perms;
+allow cardmgr_t self:fifo_file rw_fifo_file_perms;
+allow cardmgr_t self:unix_dgram_socket create_socket_perms;
+allow cardmgr_t self:unix_stream_socket create_socket_perms;
+
+allow cardmgr_t cardmgr_lnk_t:lnk_file manage_lnk_file_perms;
+dev_filetrans(cardmgr_t, cardmgr_lnk_t, lnk_file)
+
+# Create stab file
+manage_files_pattern(cardmgr_t, cardmgr_var_lib_t, cardmgr_var_lib_t)
+files_var_lib_filetrans(cardmgr_t, cardmgr_var_lib_t, file)
+
+allow cardmgr_t cardmgr_var_run_t:file manage_file_perms;
+files_pid_filetrans(cardmgr_t, cardmgr_var_run_t, file)
+
+kernel_read_system_state(cardmgr_t)
+kernel_read_kernel_sysctls(cardmgr_t)
+kernel_dontaudit_getattr_message_if(cardmgr_t)
+
+corecmd_exec_all_executables(cardmgr_t)
+
+dev_read_sysfs(cardmgr_t)
+dev_manage_cardmgr_dev(cardmgr_t)
+dev_filetrans_cardmgr(cardmgr_t)
+dev_getattr_all_chr_files(cardmgr_t)
+dev_getattr_all_blk_files(cardmgr_t)
+# for SSP
+dev_read_urand(cardmgr_t)
+
+domain_use_interactive_fds(cardmgr_t)
+# Read /proc/PID directories for all domains (for fuser).
+domain_read_confined_domains_state(cardmgr_t)
+domain_getattr_confined_domains(cardmgr_t)
+domain_dontaudit_ptrace_confined_domains(cardmgr_t)
+# cjp: these look excessive:
+domain_dontaudit_getattr_all_pipes(cardmgr_t)
+domain_dontaudit_getattr_all_sockets(cardmgr_t)
+
+files_search_kernel_modules(cardmgr_t)
+files_list_usr(cardmgr_t)
+files_search_home(cardmgr_t)
+files_read_etc_runtime_files(cardmgr_t)
+files_exec_etc_files(cardmgr_t)
+# for /var/lib/misc/pcmcia-scheme
+# would be better to have it in a different type if I knew how it was created..
+files_read_var_lib_files(cardmgr_t)
+# cjp: these look excessive:
+files_dontaudit_getattr_all_dirs(cardmgr_t)
+files_dontaudit_getattr_all_files(cardmgr_t)
+files_dontaudit_getattr_all_symlinks(cardmgr_t)
+files_dontaudit_getattr_all_pipes(cardmgr_t)
+files_dontaudit_getattr_all_sockets(cardmgr_t)
+
+fs_getattr_all_fs(cardmgr_t)
+fs_search_auto_mountpoints(cardmgr_t)
+
+term_use_unallocated_ttys(cardmgr_t)
+term_getattr_all_ttys(cardmgr_t)
+term_dontaudit_getattr_all_ptys(cardmgr_t)
+
+libs_exec_ld_so(cardmgr_t)
+libs_exec_lib_files(cardmgr_t)
+
+logging_send_syslog_msg(cardmgr_t)
+
+miscfiles_read_localization(cardmgr_t)
+
+modutils_domtrans_insmod(cardmgr_t)
+
+sysnet_domtrans_ifconfig(cardmgr_t)
+# for /etc/resolv.conf
+sysnet_etc_filetrans_config(cardmgr_t)
+sysnet_manage_config(cardmgr_t)
+
+userdom_use_user_terminals(cardmgr_t)
+userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
+userdom_dontaudit_search_user_home_dirs(cardmgr_t)
+
+optional_policy(`
+ seutil_dontaudit_read_config(cardmgr_t)
+ seutil_sigchld_newrole(cardmgr_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(cardmgr_t)
+
+ sysnet_read_dhcpc_pid(cardmgr_t)
+ sysnet_delete_dhcpc_pid(cardmgr_t)
+ sysnet_kill_dhcpc(cardmgr_t)
+ sysnet_sigchld_dhcpc(cardmgr_t)
+ sysnet_signal_dhcpc(cardmgr_t)
+ sysnet_signull_dhcpc(cardmgr_t)
+ sysnet_sigstop_dhcpc(cardmgr_t)
+')
+
+optional_policy(`
+ udev_read_db(cardmgr_t)
+')
+
+# Create device files in /tmp.
+# cjp: why is this created all over the place?
+files_pid_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file })
+files_tmp_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file })
+filetrans_pattern(cardmgr_t, cardmgr_var_run_t, cardmgr_dev_t, { chr_file blk_file })
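Review bot: `dontaudit cardmgr_t self:capability sys_tty_config;` is dead, because the `allow` on the line above already grants `sys_tty_config` in the same capability set and a dontaudit on an allowed permission never fires; one of the two should go, and the comment `# Use capabilities (net_admin for route), setuid for cardctl` should mention whichever is kept. The last three rules also name `cardmgr_dev_t` directly, although the module otherwise reaches that type only through `dev_manage_cardmgr_dev` / `dev_filetrans_cardmgr`; the type is not declared in this hunk, so unless it is declared elsewhere in the module those transitions belong behind a devices interface (or need a `gen_require`) for the modular build to resolve them.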
diff --git a/policy/modules/contrib/pcscd.fc b/policy/modules/contrib/pcscd.fc
new file mode 100644
index 00000000..87f17e8d
--- /dev/null
+++ b/policy/modules/contrib/pcscd.fc
@@ -0,0 +1,6 @@
+/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
+
+/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if
new file mode 100644
index 00000000..1c2a0913
--- /dev/null
+++ b/policy/modules/contrib/pcscd.if
@@ -0,0 +1,95 @@
+## <summary>PCSC smart card service</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run pcscd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcscd_domtrans',`
+ gen_require(`
+ type pcscd_t, pcscd_exec_t;
+ ')
+
+ domtrans_pattern($1, pcscd_exec_t, pcscd_t)
+')
+
+########################################
+## <summary>
+## Read pcscd pub files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcscd_read_pub_files',`
+ gen_require(`
+ type pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pcscd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage pcscd pub files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcscd_manage_pub_files',`
+ gen_require(`
+ type pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage pcscd pub fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcscd_manage_pub_pipes',`
+ gen_require(`
+ type pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_fifo_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to pcscd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcscd_stream_connect',`
+ gen_require(`
+ type pcscd_t, pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
+')
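Review bot: `pcscd_read_pub_files` grants only `pcscd_var_run_t:file read_file_perms` with no `dir` search on that type, yet pcscd.fc labels the directory `/var/run/pcscd\.events(/.*)?` as `pcscd_var_run_t`, so files inside it cannot be reached through this interface while the sibling `pcscd_manage_pub_files` (via `manage_files_pattern`) can. For consistency and to cover the events directory, replace the bare allow with `read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)`.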
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
new file mode 100644
index 00000000..ceafba61
--- /dev/null
+++ b/policy/modules/contrib/pcscd.te
@@ -0,0 +1,79 @@
+policy_module(pcscd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type pcscd_t;
+type pcscd_exec_t;
+domain_type(pcscd_t)
+init_daemon_domain(pcscd_t, pcscd_exec_t)
+
+# pid files
+type pcscd_var_run_t;
+files_pid_file(pcscd_var_run_t)
+
+########################################
+#
+# pcscd local policy
+#
+
+allow pcscd_t self:capability { dac_override dac_read_search };
+allow pcscd_t self:process signal;
+allow pcscd_t self:fifo_file rw_fifo_file_perms;
+allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
+allow pcscd_t self:unix_dgram_socket create_socket_perms;
+allow pcscd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
+
+kernel_read_system_state(pcscd_t)
+
+corenet_all_recvfrom_unlabeled(pcscd_t)
+corenet_all_recvfrom_netlabel(pcscd_t)
+corenet_tcp_sendrecv_generic_if(pcscd_t)
+corenet_tcp_sendrecv_generic_node(pcscd_t)
+corenet_tcp_sendrecv_all_ports(pcscd_t)
+corenet_tcp_connect_http_port(pcscd_t)
+
+dev_rw_generic_usb_dev(pcscd_t)
+dev_rw_smartcard(pcscd_t)
+dev_rw_usbfs(pcscd_t)
+dev_read_sysfs(pcscd_t)
+
+files_read_etc_files(pcscd_t)
+files_read_etc_runtime_files(pcscd_t)
+
+term_use_unallocated_ttys(pcscd_t)
+term_dontaudit_getattr_pty_dirs(pcscd_t)
+
+locallogin_use_fds(pcscd_t)
+
+logging_send_syslog_msg(pcscd_t)
+
+miscfiles_read_localization(pcscd_t)
+
+sysnet_dns_name_resolve(pcscd_t)
+
+optional_policy(`
+ dbus_system_bus_client(pcscd_t)
+
+ optional_policy(`
+ hal_dbus_chat(pcscd_t)
+ ')
+')
+
+optional_policy(`
+ openct_stream_connect(pcscd_t)
+ openct_read_pid_files(pcscd_t)
+ openct_signull(pcscd_t)
+')
+
+optional_policy(`
+ rpm_use_script_fds(pcscd_t)
+')
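Review bot: `corenet_tcp_sendrecv_all_ports(pcscd_t)` is far broader than the module's only port-specific rule, `corenet_tcp_connect_http_port(pcscd_t)`, so the send/receive side does not reflect the narrow intent the connect rule implies. If HTTP is the only remote use (the hunk does not say what a smart-card daemon needs HTTP for), `corenet_tcp_sendrecv_http_port(pcscd_t)` is the tighter form, and a comment naming the peer belongs above the connect rule. `domain_type(pcscd_t)` right before `init_daemon_domain` also looks redundant, since in refpolicy the daemon-domain interface already declares the type as a domain.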
diff --git a/policy/modules/contrib/pegasus.fc b/policy/modules/contrib/pegasus.fc
new file mode 100644
index 00000000..95150438
--- /dev/null
+++ b/policy/modules/contrib/pegasus.fc
@@ -0,0 +1,12 @@
+
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
+
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+
+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
+
+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
+
+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
diff --git a/policy/modules/contrib/pegasus.if b/policy/modules/contrib/pegasus.if
new file mode 100644
index 00000000..920b13ff
--- /dev/null
+++ b/policy/modules/contrib/pegasus.if
@@ -0,0 +1 @@
+## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
new file mode 100644
index 00000000..31851146
--- /dev/null
+++ b/policy/modules/contrib/pegasus.te
@@ -0,0 +1,138 @@
+policy_module(pegasus, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type pegasus_t;
+type pegasus_exec_t;
+init_daemon_domain(pegasus_t, pegasus_exec_t)
+
+type pegasus_data_t;
+files_type(pegasus_data_t)
+
+type pegasus_tmp_t;
+files_tmp_file(pegasus_tmp_t)
+
+type pegasus_conf_t;
+files_type(pegasus_conf_t)
+
+type pegasus_mof_t;
+files_type(pegasus_mof_t)
+
+type pegasus_var_run_t;
+files_pid_file(pegasus_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
+dontaudit pegasus_t self:capability sys_tty_config;
+allow pegasus_t self:process signal;
+allow pegasus_t self:fifo_file rw_fifo_file_perms;
+allow pegasus_t self:unix_dgram_socket create_socket_perms;
+allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
+allow pegasus_t self:tcp_socket create_stream_socket_perms;
+
+allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
+allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
+allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir })
+
+can_exec(pegasus_t, pegasus_exec_t)
+
+allow pegasus_t pegasus_mof_t:dir list_dir_perms;
+read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
+read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
+
+manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
+
+allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
+manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
+files_pid_filetrans(pegasus_t, pegasus_var_run_t, file)
+
+kernel_read_kernel_sysctls(pegasus_t)
+kernel_read_fs_sysctls(pegasus_t)
+kernel_read_system_state(pegasus_t)
+kernel_search_vm_sysctl(pegasus_t)
+kernel_read_net_sysctls(pegasus_t)
+
+corenet_all_recvfrom_unlabeled(pegasus_t)
+corenet_all_recvfrom_netlabel(pegasus_t)
+corenet_tcp_sendrecv_generic_if(pegasus_t)
+corenet_tcp_sendrecv_generic_node(pegasus_t)
+corenet_tcp_sendrecv_all_ports(pegasus_t)
+corenet_tcp_bind_generic_node(pegasus_t)
+corenet_tcp_bind_pegasus_http_port(pegasus_t)
+corenet_tcp_bind_pegasus_https_port(pegasus_t)
+corenet_tcp_connect_pegasus_http_port(pegasus_t)
+corenet_tcp_connect_pegasus_https_port(pegasus_t)
+corenet_tcp_connect_generic_port(pegasus_t)
+corenet_sendrecv_generic_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
+
+corecmd_exec_bin(pegasus_t)
+corecmd_exec_shell(pegasus_t)
+
+dev_read_sysfs(pegasus_t)
+dev_read_urand(pegasus_t)
+
+fs_getattr_all_fs(pegasus_t)
+fs_search_auto_mountpoints(pegasus_t)
+files_getattr_all_dirs(pegasus_t)
+
+auth_use_nsswitch(pegasus_t)
+auth_domtrans_chk_passwd(pegasus_t)
+
+domain_use_interactive_fds(pegasus_t)
+domain_read_all_domains_state(pegasus_t)
+
+files_read_etc_files(pegasus_t)
+files_list_var_lib(pegasus_t)
+files_read_var_lib_files(pegasus_t)
+files_read_var_lib_symlinks(pegasus_t)
+
+hostname_exec(pegasus_t)
+
+init_rw_utmp(pegasus_t)
+init_stream_connect_script(pegasus_t)
+
+logging_send_audit_msgs(pegasus_t)
+logging_send_syslog_msg(pegasus_t)
+
+miscfiles_read_localization(pegasus_t)
+
+sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+userdom_dontaudit_search_user_home_dirs(pegasus_t)
+
+optional_policy(`
+ rpm_exec(pegasus_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(pegasus_t)
+ seutil_dontaudit_read_config(pegasus_t)
+')
+
+optional_policy(`
+ udev_read_db(pegasus_t)
+')
+
+optional_policy(`
+ unconfined_signull(pegasus_t)
+')
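Review bot: The network rules mix precise and blanket grants: bind and connect are limited to the pegasus http/https ports, but `corenet_tcp_sendrecv_all_ports(pegasus_t)` and `corenet_tcp_connect_generic_port(pegasus_t)` then let the CIM server exchange traffic on any port and connect to any port without a specific label, which undoes most of what the specific lines achieve. If only the pegasus ports are needed, drop the two broad rules in favor of `corenet_tcp_sendrecv_pegasus_http_port(pegasus_t)` and `corenet_tcp_sendrecv_pegasus_https_port(pegasus_t)`; if the generic connect is genuinely required, a comment should record which client feature depends on it. Given this domain also receives `auth_domtrans_chk_passwd`, `sysnet_domtrans_ifconfig`, `domain_read_all_domains_state` and optional `rpm_exec`, tightening the network side is worth the effort.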
diff --git a/policy/modules/contrib/perdition.fc b/policy/modules/contrib/perdition.fc
new file mode 100644
index 00000000..bcdf89b7
--- /dev/null
+++ b/policy/modules/contrib/perdition.fc
@@ -0,0 +1,3 @@
+/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)
+
+/usr/sbin/perdition -- gen_context(system_u:object_r:perdition_exec_t,s0)
diff --git a/policy/modules/contrib/perdition.if b/policy/modules/contrib/perdition.if
new file mode 100644
index 00000000..2b0bd641
--- /dev/null
+++ b/policy/modules/contrib/perdition.if
@@ -0,0 +1,15 @@
+## <summary>Perdition POP and IMAP proxy</summary>
+
+########################################
+## <summary>
+## Connect to perdition over a TCP socket (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`perdition_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
new file mode 100644
index 00000000..36362771
--- /dev/null
+++ b/policy/modules/contrib/perdition.te
@@ -0,0 +1,75 @@
+policy_module(perdition, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type perdition_t;
+type perdition_exec_t;
+init_daemon_domain(perdition_t, perdition_exec_t)
+
+type perdition_etc_t;
+files_config_file(perdition_etc_t)
+
+type perdition_var_run_t;
+files_pid_file(perdition_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow perdition_t self:capability { setgid setuid };
+dontaudit perdition_t self:capability sys_tty_config;
+allow perdition_t self:process signal_perms;
+allow perdition_t self:tcp_socket create_stream_socket_perms;
+allow perdition_t self:udp_socket create_socket_perms;
+
+allow perdition_t perdition_etc_t:file read_file_perms;
+files_search_etc(perdition_t)
+
+manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
+files_pid_filetrans(perdition_t, perdition_var_run_t, file)
+
+kernel_read_kernel_sysctls(perdition_t)
+kernel_list_proc(perdition_t)
+kernel_read_proc_symlinks(perdition_t)
+
+corenet_all_recvfrom_unlabeled(perdition_t)
+corenet_all_recvfrom_netlabel(perdition_t)
+corenet_tcp_sendrecv_generic_if(perdition_t)
+corenet_udp_sendrecv_generic_if(perdition_t)
+corenet_tcp_sendrecv_generic_node(perdition_t)
+corenet_udp_sendrecv_generic_node(perdition_t)
+corenet_tcp_sendrecv_all_ports(perdition_t)
+corenet_udp_sendrecv_all_ports(perdition_t)
+corenet_tcp_bind_generic_node(perdition_t)
+corenet_tcp_bind_pop_port(perdition_t)
+corenet_sendrecv_pop_server_packets(perdition_t)
+
+dev_read_sysfs(perdition_t)
+
+domain_use_interactive_fds(perdition_t)
+
+fs_getattr_all_fs(perdition_t)
+fs_search_auto_mountpoints(perdition_t)
+
+files_read_etc_files(perdition_t)
+
+logging_send_syslog_msg(perdition_t)
+
+miscfiles_read_localization(perdition_t)
+
+sysnet_read_config(perdition_t)
+
+userdom_dontaudit_use_unpriv_user_fds(perdition_t)
+userdom_dontaudit_search_user_home_dirs(perdition_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(perdition_t)
+')
+
+optional_policy(`
+ udev_read_db(perdition_t)
+')
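Review bot: No `corenet_tcp_connect_*` rule is present for perdition_t even though the module summary describes a POP/IMAP proxy that must reach back-end mail servers; the domain may bind the pop port and gets blanket `corenet_tcp_sendrecv_all_ports` / `corenet_udp_sendrecv_all_ports`, but without a `name_connect` grant the proxying half of its job will be denied (unless the back-end connection is made by a helper domain not shown here). Add the specific rule, e.g. `corenet_tcp_connect_pop_port(perdition_t)` together with `corenet_sendrecv_pop_client_packets(perdition_t)`, and consider narrowing the two `sendrecv_all_ports` lines to the pop port once the real peers are known.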
diff --git a/policy/modules/contrib/pingd.fc b/policy/modules/contrib/pingd.fc
new file mode 100644
index 00000000..ea085f7e
--- /dev/null
+++ b/policy/modules/contrib/pingd.fc
@@ -0,0 +1,6 @@
+/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0)
+/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0)
+
+/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0)
+
+/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0)
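Review bot: `/etc/pingd.conf --` leaves the dot unescaped, so the pattern also matches names such as `/etc/pingdXconf`, while the very next entry escapes its dots (`/etc/rc\.d/init\.d/whatsup-pingd`); it should be `/etc/pingd\.conf -- gen_context(system_u:object_r:pingd_etc_t,s0)`. Whether `/usr/lib/pingd(/.*)?` also needs a lib64 counterpart depends on the target distribution and cannot be determined from this hunk.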
diff --git a/policy/modules/contrib/pingd.if b/policy/modules/contrib/pingd.if
new file mode 100644
index 00000000..8688aaec
--- /dev/null
+++ b/policy/modules/contrib/pingd.if
@@ -0,0 +1,97 @@
+## <summary>Pingd of the Whatsup cluster node up/down detection utility</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run pingd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pingd_domtrans',`
+ gen_require(`
+ type pingd_t, pingd_exec_t;
+ ')
+
+ domtrans_pattern($1, pingd_exec_t, pingd_t)
+')
+
+#######################################
+## <summary>
+## Read pingd etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pingd_read_config',`
+ gen_require(`
+ type pingd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, pingd_etc_t, pingd_etc_t)
+')
+
+#######################################
+## <summary>
+## Manage pingd etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pingd_manage_config',`
+ gen_require(`
+ type pingd_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
+ manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
+
+')
+
+#######################################
+## <summary>
+## All of the rules required to administrate
+## an pingd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the pingd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pingd_admin',`
+ gen_require(`
+ type pingd_t, pingd_etc_t;
+ type pingd_initrc_exec_t, pingd_modules_t;
+ ')
+
+ allow $1 pingd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pingd_t)
+
+ init_labeled_script_domtrans($1, pingd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pingd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, pingd_etc_t)
+
+ files_list_usr($1)
+ admin_pattern($1, pingd_modules_t)
+')
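Review bot: The `pingd_admin` summary reads "an pingd environment"; it should be "All of the rules required to administrate a pingd environment". In `pingd_manage_config` there is a stray blank line between the last `manage_files_pattern` call and the closing `')`, which no other interface in this file has. Both are wording and layout only; the rules themselves follow the usual admin/manage pattern.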
diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te
new file mode 100644
index 00000000..e9cf8a49
--- /dev/null
+++ b/policy/modules/contrib/pingd.te
@@ -0,0 +1,47 @@
+policy_module(pingd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pingd_t;
+type pingd_exec_t;
+init_daemon_domain(pingd_t, pingd_exec_t)
+
+# type for config
+type pingd_etc_t;
+files_type(pingd_etc_t)
+
+type pingd_initrc_exec_t;
+init_script_file(pingd_initrc_exec_t)
+
+# type for pingd modules
+type pingd_modules_t;
+files_type(pingd_modules_t)
+
+########################################
+#
+# pingd local policy
+#
+
+allow pingd_t self:capability net_raw;
+allow pingd_t self:tcp_socket create_stream_socket_perms;
+allow pingd_t self:rawip_socket { write read create bind };
+
+read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
+
+read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+
+corenet_raw_bind_generic_node(pingd_t)
+corenet_tcp_bind_generic_node(pingd_t)
+corenet_tcp_bind_pingd_port(pingd_t)
+
+auth_use_nsswitch(pingd_t)
+
+files_search_usr(pingd_t)
+
+logging_send_syslog_msg(pingd_t)
+
+miscfiles_read_localization(pingd_t)
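Review bot: `pingd_t` binds a TCP port and a raw socket (`corenet_raw_bind_generic_node`, `corenet_tcp_bind_generic_node`, `corenet_tcp_bind_pingd_port`) but receives none of the corenet send/receive interfaces that the perdition_t hunk earlier in this diff pairs with its bind (`corenet_all_recvfrom_unlabeled`, `corenet_tcp_sendrecv_generic_if`, `corenet_tcp_sendrecv_generic_node`, `corenet_tcp_sendrecv_all_ports` or the port-specific variant). Whether those are still required depends on the corenetwork module this tree ships, so confirm under enforcing mode that the daemon actually passes traffic rather than only binding. `corenet_tcp_bind_pingd_port` also presumes a `pingd` port declaration in corenetwork, which the visible part of this diff does not show; the comment `# type for config` would be more useful as `# /etc/pingd.conf` so the reader sees what pingd_etc_t labels.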
diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc
new file mode 100644
index 00000000..5702ca42
--- /dev/null
+++ b/policy/modules/contrib/plymouthd.fc
@@ -0,0 +1,7 @@
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/policy/modules/contrib/plymouthd.if b/policy/modules/contrib/plymouthd.if
new file mode 100644
index 00000000..9759ed80
--- /dev/null
+++ b/policy/modules/contrib/plymouthd.if
@@ -0,0 +1,260 @@
+## <summary>Plymouth graphical boot</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run plymouthd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouthd_domtrans', `
+ gen_require(`
+ type plymouthd_t, plymouthd_exec_t;
+ ')
+
+ domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
+')
+
+########################################
+## <summary>
+## Execute the plymoth daemon in the current domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_exec', `
+ gen_require(`
+ type plymouthd_exec_t;
+ ')
+
+ can_exec($1, plymouthd_exec_t)
+')
+
+########################################
+## <summary>
+## Allow domain to Stream socket connect
+## to Plymouth daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_stream_connect', `
+ gen_require(`
+ type plymouthd_t;
+ ')
+
+ allow $1 plymouthd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Execute the plymoth command in the current domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_exec_plymouth', `
+ gen_require(`
+ type plymouth_exec_t;
+ ')
+
+ can_exec($1, plymouth_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run plymouthd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouthd_domtrans_plymouth', `
+ gen_require(`
+ type plymouth_t, plymouth_exec_t;
+ ')
+
+ domtrans_pattern($1, plymouth_exec_t, plymouth_t)
+')
+
+########################################
+## <summary>
+## Search plymouthd spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_search_spool', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ allow $1 plymouthd_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read plymouthd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_spool_files', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## plymouthd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_spool_files', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## Search plymouthd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_search_lib', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ allow $1 plymouthd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read plymouthd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_lib_files', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## plymouthd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_lib_files', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read plymouthd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_pid_files', `
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 plymouthd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an plymouthd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`plymouthd_admin', `
+ gen_require(`
+ type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
+ type plymouthd_var_run_t;
+ ')
+
+ allow $1 plymouthd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, plymouthd_t, plymouthd_t)
+
+ admin_pattern($1, plymouthd_spool_t)
+
+ admin_pattern($1, plymouthd_var_lib_t)
+
+ admin_pattern($1, plymouthd_var_run_t)
+')
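Review bot: `plymouthd_admin` documents a `role` parameter and carries `<rolecap/>`, yet `$2` is never referenced in the body, so the generated documentation promises a role grant that does not happen; either drop the `role` param block and `<rolecap/>` or wire the role as the other `_admin` interfaces in this diff do. The summary of `plymouthd_domtrans_plymouth` says "Execute a domain transition to run plymouthd." but the body transitions into `plymouth_t`, so it should read "Execute a domain transition to run plymouth."; the summaries of `plymouthd_exec` and `plymouthd_exec_plymouth` both misspell the program as "plymoth". `plymouthd_admin` also uses `read_files_pattern($1, plymouthd_t, plymouthd_t)` where `pingd_admin` in this same diff uses `ps_process_pattern($1, plymouthd_t)`; the latter is the conventional form for reading a domain's process state.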
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
new file mode 100644
index 00000000..86700edb
--- /dev/null
+++ b/policy/modules/contrib/plymouthd.te
@@ -0,0 +1,99 @@
+policy_module(plymouthd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type plymouth_t;
+type plymouth_exec_t;
+application_domain(plymouth_t, plymouth_exec_t)
+
+type plymouthd_t;
+type plymouthd_exec_t;
+init_daemon_domain(plymouthd_t, plymouthd_exec_t)
+
+type plymouthd_spool_t;
+files_type(plymouthd_spool_t)
+
+type plymouthd_var_lib_t;
+files_type(plymouthd_var_lib_t)
+
+type plymouthd_var_run_t;
+files_pid_file(plymouthd_var_run_t)
+
+########################################
+#
+# Plymouthd private policy
+#
+
+allow plymouthd_t self:capability { sys_admin sys_tty_config };
+dontaudit plymouthd_t self:capability dac_override;
+allow plymouthd_t self:process { signal getsched };
+allow plymouthd_t self:fifo_file rw_fifo_file_perms;
+allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
+
+kernel_read_system_state(plymouthd_t)
+kernel_request_load_module(plymouthd_t)
+kernel_change_ring_buffer_level(plymouthd_t)
+
+dev_rw_dri(plymouthd_t)
+dev_read_sysfs(plymouthd_t)
+dev_read_framebuffer(plymouthd_t)
+dev_write_framebuffer(plymouthd_t)
+
+domain_use_interactive_fds(plymouthd_t)
+
+files_read_etc_files(plymouthd_t)
+files_read_usr_files(plymouthd_t)
+
+miscfiles_read_localization(plymouthd_t)
+miscfiles_read_fonts(plymouthd_t)
+miscfiles_manage_fonts_cache(plymouthd_t)
+
+########################################
+#
+# Plymouth private policy
+#
+
+allow plymouth_t self:process signal;
+allow plymouth_t self:fifo_file rw_file_perms;
+allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(plymouth_t)
+
+domain_use_interactive_fds(plymouth_t)
+
+files_read_etc_files(plymouth_t)
+
+term_use_ptmx(plymouth_t)
+
+miscfiles_read_localization(plymouth_t)
+
+sysnet_read_config(plymouth_t)
+
+plymouthd_stream_connect(plymouth_t)
+
+ifdef(`hide_broken_symptoms', `
+ optional_policy(`
+ hal_dontaudit_write_log(plymouth_t)
+ hal_dontaudit_rw_pipes(plymouth_t)
+ ')
+')
+
+optional_policy(`
+ lvm_domtrans(plymouth_t)
+')
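Review bot: `allow plymouth_t self:fifo_file rw_file_perms;` uses the generic file permission set while `plymouthd_t` a few lines above uses `rw_fifo_file_perms` for the same object class; change the plymouth_t line to `allow plymouth_t self:fifo_file rw_fifo_file_perms;` so both domains use the fifo-specific set. The `{ sys_admin sys_tty_config }` capability grant on `plymouthd_t` has no comment saying which operation needs `sys_admin`, which is the capability reviewers most want justified; add `# sys_admin: TODO record the denied operation this covers` next to it, or the actual reason if it is known.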
diff --git a/policy/modules/contrib/podsleuth.fc b/policy/modules/contrib/podsleuth.fc
new file mode 100644
index 00000000..6fbc01c3
--- /dev/null
+++ b/policy/modules/contrib/podsleuth.fc
@@ -0,0 +1,3 @@
+/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0)
diff --git a/policy/modules/contrib/podsleuth.if b/policy/modules/contrib/podsleuth.if
new file mode 100644
index 00000000..d6d80a0c
--- /dev/null
+++ b/policy/modules/contrib/podsleuth.if
@@ -0,0 +1,45 @@
+## <summary>Podsleuth is a tool to get information about an Apple (TM) iPod (TM)</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run podsleuth.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`podsleuth_domtrans',`
+ gen_require(`
+ type podsleuth_t, podsleuth_exec_t;
+ ')
+
+ domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
+ allow $1 podsleuth_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute podsleuth in the podsleuth domain, and
+## allow the specified role the podsleuth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`podsleuth_run',`
+ gen_require(`
+ type podsleuth_t;
+ ')
+
+ podsleuth_domtrans($1)
+ role $2 types podsleuth_t;
+')
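Review bot: `podsleuth_domtrans` grants `allow $1 podsleuth_t:process signal;` in addition to the transition, but its summary only mentions the transition; callers reading the generated docs will not expect the extra permission. Suggest the summary "Execute a domain transition to run podsleuth, and allow the caller to signal the podsleuth domain."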
diff --git a/policy/modules/contrib/podsleuth.te b/policy/modules/contrib/podsleuth.te
new file mode 100644
index 00000000..4cffb072
--- /dev/null
+++ b/policy/modules/contrib/podsleuth.te
@@ -0,0 +1,87 @@
+policy_module(podsleuth, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type podsleuth_t;
+type podsleuth_exec_t;
+application_domain(podsleuth_t, podsleuth_exec_t)
+role system_r types podsleuth_t;
+
+type podsleuth_cache_t;
+files_type(podsleuth_cache_t)
+ubac_constrained(podsleuth_cache_t)
+
+type podsleuth_tmp_t;
+userdom_user_tmp_file(podsleuth_tmp_t)
+
+type podsleuth_tmpfs_t;
+userdom_user_tmpfs_file(podsleuth_tmpfs_t)
+
+########################################
+#
+# podsleuth local policy
+#
+allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+allow podsleuth_t self:fifo_file rw_file_perms;
+allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+allow podsleuth_t self:sem create_sem_perms;
+allow podsleuth_t self:tcp_socket create_stream_socket_perms;
+allow podsleuth_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
+
+allow podsleuth_t podsleuth_tmp_t:dir mounton;
+manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })
+
+manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
+
+kernel_read_system_state(podsleuth_t)
+kernel_request_load_module(podsleuth_t)
+
+corecmd_exec_bin(podsleuth_t)
+
+corenet_tcp_connect_http_port(podsleuth_t)
+
+dev_read_urand(podsleuth_t)
+
+files_read_etc_files(podsleuth_t)
+
+fs_mount_dos_fs(podsleuth_t)
+fs_unmount_dos_fs(podsleuth_t)
+fs_getattr_dos_fs(podsleuth_t)
+fs_read_dos_files(podsleuth_t)
+fs_search_dos(podsleuth_t)
+fs_getattr_tmpfs(podsleuth_t)
+fs_list_tmpfs(podsleuth_t)
+fs_rw_removable_blk_files(podsleuth_t)
+
+miscfiles_read_localization(podsleuth_t)
+
+sysnet_dns_name_resolve(podsleuth_t)
+
+userdom_signal_unpriv_users(podsleuth_t)
+userdom_signull_unpriv_users(podsleuth_t)
+userdom_read_user_tmpfs_files(podsleuth_t)
+
+optional_policy(`
+ dbus_system_bus_client(podsleuth_t)
+
+ optional_policy(`
+ hal_dbus_chat(podsleuth_t)
+ ')
+')
+
+optional_policy(`
+ mono_exec(podsleuth_t)
+')
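Review bot: The self grants at the top of the local policy (`{ kill dac_override sys_admin sys_rawio }` and `{ ptrace signal signull getsched execheap execmem execstack }`) are among the broadest in this diff and carry no comment explaining which of them maps to which operation. Given that `fs_mount_dos_fs`/`fs_unmount_dos_fs` and `mono_exec` appear later in the same hunk, a comment such as `# sys_admin/sys_rawio: presumably for mounting the iPod's DOS filesystem -- confirm` and `# execmem/execheap/execstack: presumably required by the mono runtime -- confirm` would let a later audit check whether each is still needed. The `# podsleuth local policy` header also lacks the blank line after the closing `#` that every other module in this diff has.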
diff --git a/policy/modules/contrib/policykit.fc b/policy/modules/contrib/policykit.fc
new file mode 100644
index 00000000..63d00612
--- /dev/null
+++ b/policy/modules/contrib/policykit.fc
@@ -0,0 +1,16 @@
+/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
+
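Review bot: `/var/lib/misc/PolicyKit.reload` leaves the dot unescaped, unlike the escaped dots in the other `.fc` files of this diff, and omits the `--` file-type field that the other single-file entries in this file use; suggest `/var/lib/misc/PolicyKit\.reload -- gen_context(system_u:object_r:policykit_reload_t,s0)`. The file also ends with a trailing blank line that the other new `.fc` files do not have.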
diff --git a/policy/modules/contrib/policykit.if b/policy/modules/contrib/policykit.if
new file mode 100644
index 00000000..48ff1e8a
--- /dev/null
+++ b/policy/modules/contrib/policykit.if
@@ -0,0 +1,209 @@
+## <summary>Policy framework for controlling privileges for system-wide services.</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## policykit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_dbus_chat',`
+ gen_require(`
+ type policykit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 policykit_t:dbus send_msg;
+ allow policykit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run polkit_auth.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_auth',`
+ gen_require(`
+ type policykit_auth_t, policykit_auth_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
+')
+
+########################################
+## <summary>
+## Execute a policy_auth in the policy_auth domain, and
+## allow the specified role the policy_auth domain,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_run_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ ')
+
+ policykit_domtrans_auth($1)
+ role $2 types policykit_auth_t;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run polkit_grant.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_grant',`
+ gen_require(`
+ type policykit_grant_t, policykit_grant_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
+')
+
+########################################
+## <summary>
+## Execute a policy_grant in the policy_grant domain, and
+## allow the specified role the policy_grant domain,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`policykit_run_grant',`
+ gen_require(`
+ type policykit_grant_t;
+ ')
+
+ policykit_domtrans_grant($1)
+ role $2 types policykit_grant_t;
+
+ allow $1 policykit_grant_t:process signal;
+
+ ps_process_pattern(policykit_grant_t, $1)
+')
+
+########################################
+## <summary>
+## read policykit reload files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_read_reload',`
+ gen_require(`
+ type policykit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+## <summary>
+## rw policykit reload files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_rw_reload',`
+ gen_require(`
+ type policykit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run polkit_resolve.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_resolve',`
+ gen_require(`
+ type policykit_resolve_t, policykit_resolve_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
+
+ ps_process_pattern(policykit_resolve_t, $1)
+')
+
+########################################
+## <summary>
+## Search policykit lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_search_lib',`
+ gen_require(`
+ type policykit_var_lib_t;
+ ')
+
+ allow $1 policykit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## read policykit lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_read_lib',`
+ gen_require(`
+ type policykit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+')
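Review bot: `policykit_run_auth` performs the same `role $2 types` assignment as `policykit_run_grant` but lacks the `<rolecap/>` tag the latter carries, so the generated role documentation will list one and not the other; add `## <rolecap/>` to `policykit_run_auth`. In `policykit_run_grant` and `policykit_domtrans_resolve` the call is `ps_process_pattern(policykit_grant_t, $1)` / `ps_process_pattern(policykit_resolve_t, $1)`, i.e. the helper domain is allowed to read the caller's process state, which is the reverse of the usual direction; if this is intentional the summary should say so, since the caller is granting access to its own /proc state. The summaries "read policykit reload files", "rw policykit reload files" and "read policykit lib files" are lowercase and unpunctuated where the rest of the file uses sentence case.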
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
new file mode 100644
index 00000000..44db896e
--- /dev/null
+++ b/policy/modules/contrib/policykit.te
@@ -0,0 +1,210 @@
+policy_module(policykit, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type policykit_t alias polkit_t;
+type policykit_exec_t alias polkit_exec_t;
+init_daemon_domain(policykit_t, policykit_exec_t)
+
+type policykit_auth_t alias polkit_auth_t;
+type policykit_auth_exec_t alias polkit_auth_exec_t;
+init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+
+type policykit_grant_t alias polkit_grant_t;
+type policykit_grant_exec_t alias polkit_grant_exec_t;
+init_system_domain(policykit_grant_t, policykit_grant_exec_t)
+
+type policykit_resolve_t alias polkit_resolve_t;
+type policykit_resolve_exec_t alias polkit_resolve_exec_t;
+init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
+
+type policykit_reload_t alias polkit_reload_t;
+files_type(policykit_reload_t)
+
+type policykit_var_lib_t alias polkit_var_lib_t;
+files_type(policykit_var_lib_t)
+
+type policykit_var_run_t alias polkit_var_run_t;
+files_pid_file(policykit_var_run_t)
+
+########################################
+#
+# policykit local policy
+#
+
+allow policykit_t self:capability { setgid setuid };
+allow policykit_t self:process getattr;
+allow policykit_t self:fifo_file rw_file_perms;
+allow policykit_t self:unix_dgram_socket create_socket_perms;
+allow policykit_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_t)
+
+can_exec(policykit_t, policykit_exec_t)
+corecmd_exec_bin(policykit_t)
+
+rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
+
+policykit_domtrans_resolve(policykit_t)
+
+manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
+
+manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(policykit_t)
+
+files_read_etc_files(policykit_t)
+files_read_usr_files(policykit_t)
+
+auth_use_nsswitch(policykit_t)
+
+logging_send_syslog_msg(policykit_t)
+
+miscfiles_read_localization(policykit_t)
+
+userdom_read_all_users_state(policykit_t)
+
+########################################
+#
+# polkit_auth local policy
+#
+
+allow policykit_auth_t self:capability setgid;
+allow policykit_auth_t self:process getattr;
+allow policykit_auth_t self:fifo_file rw_file_perms;
+allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
+allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+can_exec(policykit_auth_t, policykit_auth_exec_t)
+corecmd_search_bin(policykit_auth_t)
+
+rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
+
+manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t)
+
+manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+
+kernel_read_system_state(policykit_auth_t)
+
+files_read_etc_files(policykit_auth_t)
+files_read_usr_files(policykit_auth_t)
+
+auth_use_nsswitch(policykit_auth_t)
+
+logging_send_syslog_msg(policykit_auth_t)
+
+miscfiles_read_localization(policykit_auth_t)
+
+userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+
+optional_policy(`
+ dbus_system_bus_client(policykit_auth_t)
+ dbus_session_bus_client(policykit_auth_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_auth_t)
+ ')
+')
+
+optional_policy(`
+ kernel_search_proc(policykit_auth_t)
+ hal_read_state(policykit_auth_t)
+')
+
+########################################
+#
+# polkit_grant local policy
+#
+
+allow policykit_grant_t self:capability setuid;
+allow policykit_grant_t self:process getattr;
+allow policykit_grant_t self:fifo_file rw_file_perms;
+allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
+allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_grant_t)
+
+policykit_domtrans_resolve(policykit_grant_t)
+
+can_exec(policykit_grant_t, policykit_grant_exec_t)
+corecmd_search_bin(policykit_grant_t)
+
+rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
+
+manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t)
+
+manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
+
+files_read_etc_files(policykit_grant_t)
+files_read_usr_files(policykit_grant_t)
+
+auth_use_nsswitch(policykit_grant_t)
+auth_domtrans_chk_passwd(policykit_grant_t)
+
+logging_send_syslog_msg(policykit_grant_t)
+
+miscfiles_read_localization(policykit_grant_t)
+
+userdom_read_all_users_state(policykit_grant_t)
+
+optional_policy(`
+ dbus_system_bus_client(policykit_grant_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_grant_t)
+ ')
+')
+
+########################################
+#
+# polkit_resolve local policy
+#
+
+allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
+allow policykit_resolve_t self:process getattr;
+allow policykit_resolve_t self:fifo_file rw_file_perms;
+allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
+allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_resolve_t)
+
+read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
+
+read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
+
+can_exec(policykit_resolve_t, policykit_resolve_exec_t)
+corecmd_search_bin(policykit_resolve_t)
+
+files_read_etc_files(policykit_resolve_t)
+files_read_usr_files(policykit_resolve_t)
+
+mcs_ptrace_all(policykit_resolve_t)
+
+auth_use_nsswitch(policykit_resolve_t)
+
+logging_send_syslog_msg(policykit_resolve_t)
+
+miscfiles_read_localization(policykit_resolve_t)
+
+userdom_read_all_users_state(policykit_resolve_t)
+
+optional_policy(`
+ dbus_system_bus_client(policykit_resolve_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_resolve_t)
+ ')
+')
+
+optional_policy(`
+ kernel_search_proc(policykit_resolve_t)
+ hal_read_state(policykit_resolve_t)
+')
+
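Review bot: `kernel_search_proc(policykit_auth_t)` in the polkit_auth section and `kernel_search_proc(policykit_resolve_t)` in the polkit_resolve section are placed inside the `optional_policy` block that exists for `hal_read_state`; the kernel module is never optional, so these calls belong outside the block and the `optional_policy` should wrap only the `hal_read_state` line. `policykit_resolve_t` receives `sys_ptrace` together with `mcs_ptrace_all`, which lets it inspect processes across MCS categories, and nothing in the hunk records why; a comment next to the `mcs_ptrace_all` line stating the operation that needs it would make the grant auditable. The file also ends with a trailing blank line.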
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
new file mode 100644
index 00000000..8d426f52
--- /dev/null
+++ b/policy/modules/contrib/portage.fc
@@ -0,0 +1,35 @@
+/etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
+
+/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
+/usr/bin/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+
+/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+
+/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
+/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+
+/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
+/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+/var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
+/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0)
+/var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
+/var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
+/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+/var/tmp/binpkgs(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
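Review bot: `/var/log/emerge-fetch.log` leaves the dot unescaped while `/var/log/emerge\.log.*` two lines above escapes it; as a regex the unescaped form matches more than the literal file name. Change it to `/var/log/emerge-fetch\.log -- gen_context(system_u:object_r:portage_log_t,s0)` for consistency with the rest of the file.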
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
new file mode 100644
index 00000000..45e60b62
--- /dev/null
+++ b/policy/modules/contrib/portage.if
@@ -0,0 +1,394 @@
+## <summary>
+## Portage Package Management System. The primary package management and
+## distribution system for Gentoo.
+## </summary>
+
+########################################
+## <summary>
+## Execute emerge in the portage domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portage_domtrans',`
+ gen_require(`
+ type portage_t, portage_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+
+ domtrans_pattern($1, portage_exec_t, portage_t)
+')
+
+########################################
+## <summary>
+## Execute emerge in the portage domain, and
+## allow the specified role the portage domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the portage domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portage_run',`
+ gen_require(`
+ attribute_role portage_roles;
+ ')
+
+ portage_domtrans($1)
+ roleattribute $2 portage_roles;
+')
+
+########################################
+## <summary>
+## Template for portage sandbox.
+## </summary>
+## <desc>
+## <p>
+## Template for portage sandbox. Portage
+## does all compiling in the sandbox.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain Allowed Access
+## </summary>
+## </param>
+#
+interface(`portage_compile_domain',`
+
+ gen_require(`
+ class dbus send_msg;
+ type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
+ type portage_tmpfs_t;
+ ')
+
+ allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+ dontaudit $1 self:capability sys_chroot;
+ allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
+ allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+ allow $1 self:fd use;
+ allow $1 self:fifo_file rw_fifo_file_perms;
+ allow $1 self:shm create_shm_perms;
+ allow $1 self:sem create_sem_perms;
+ allow $1 self:msgq create_msgq_perms;
+ allow $1 self:msg { send receive };
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:unix_dgram_socket sendto;
+ allow $1 self:unix_stream_socket connectto;
+ # really shouldnt need this
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+ # misc networking stuff (esp needed for compiling perl):
+ allow $1 self:rawip_socket { create ioctl };
+ # needed for merging dbus:
+ allow $1 self:netlink_selinux_socket { bind create read };
+ allow $1 self:dbus send_msg;
+
+ allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr };
+ term_create_pty($1, portage_devpts_t)
+
+ # write compile logs
+ allow $1 portage_log_t:dir setattr;
+ allow $1 portage_log_t:file { write_file_perms setattr };
+
+ # Support live ebuilds (-9999)
+ manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+
+ # run scripts out of the build directory
+ can_exec(portage_sandbox_t, portage_tmp_t)
+
+ manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
+ # SELinux-enabled programs running in the sandbox
+ allow $1 portage_tmp_t:file relabel_file_perms;
+
+ manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+ kernel_read_system_state($1)
+ kernel_read_network_state($1)
+ kernel_read_software_raid_state($1)
+ kernel_getattr_core_if($1)
+ kernel_getattr_message_if($1)
+ kernel_read_kernel_sysctls($1)
+
+ corecmd_exec_all_executables($1)
+
+ # really shouldnt need this but some packages test
+ # network access, such as during configure
+ # also distcc--need to reinvestigate confining distcc client
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_raw_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_raw_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_all_ports($1)
+ corenet_udp_sendrecv_all_ports($1)
+ corenet_tcp_connect_all_reserved_ports($1)
+ corenet_tcp_connect_distccd_port($1)
+ corenet_tcp_connect_git_port($1)
+
+ dev_read_sysfs($1)
+ dev_read_rand($1)
+ dev_read_urand($1)
+
+ domain_use_interactive_fds($1)
+ domain_dontaudit_read_all_domains_state($1)
+ # SELinux-aware installs doing relabels in the sandbox
+ domain_obj_id_change_exemption($1)
+
+ files_exec_etc_files($1)
+ files_exec_usr_src_files($1)
+
+ fs_getattr_xattr_fs($1)
+ fs_list_noxattr_fs($1)
+ fs_read_noxattr_fs_files($1)
+ fs_read_noxattr_fs_symlinks($1)
+ fs_search_auto_mountpoints($1)
+
+ selinux_validate_context($1)
+ # needed for merging dbus:
+ selinux_compute_access_vector($1)
+
+ auth_read_all_dirs_except_auth_files($1)
+ auth_read_all_files_except_auth_files($1)
+ auth_read_all_symlinks_except_auth_files($1)
+
+ libs_exec_lib_files($1)
+ # some config scripts use ldd
+ libs_exec_ld_so($1)
+ # this violates the idea of sandbox, but
+ # regular sandbox allows it
+ libs_domtrans_ldconfig($1)
+
+ logging_send_syslog_msg($1)
+
+ userdom_use_user_terminals($1)
+
+ # SELinux-enabled programs running in the sandbox
+ seutil_libselinux_linked($1)
+
+ tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ fs_manage_nfs_symlinks($1)
+ ')
+
+ ifdef(`TODO',`
+ # some gui ebuilds want to interact with X server, like xawtv
+ optional_policy(`
+ allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write };
+ allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write };
+ ')
+ ') dnl end TODO
+')
+
+########################################
+## <summary>
+## Execute tree management functions (fetching, layman, ...)
+## in the portage_fetch_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portage_domtrans_fetch',`
+ gen_require(`
+ type portage_fetch_t, portage_fetch_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+
+ domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
+')
+
+########################################
+## <summary>
+## Execute tree management functions (fetching, layman, ...)
+## in the portage_fetch_t domain, and allow the specified role
+## the portage_fetch_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the portage_fetch domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portage_run_fetch',`
+ gen_require(`
+ type portage_fetch_t;
+ ')
+
+ portage_domtrans_fetch($1)
+ role $2 types portage_fetch_t;
+')
+
+
+########################################
+## <summary>
+## Execute gcc-config in the gcc_config domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portage_domtrans_gcc_config',`
+ gen_require(`
+ type gcc_config_t, gcc_config_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+
+ domtrans_pattern($1, gcc_config_exec_t, gcc_config_t)
+')
+
+########################################
+## <summary>
+## Execute gcc-config in the gcc_config domain, and
+## allow the specified role the gcc_config domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the gcc_config domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portage_run_gcc_config',`
+ gen_require(`
+ type gcc_config_t;
+ ')
+
+ portage_domtrans_gcc_config($1)
+ role $2 types gcc_config_t;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## portage file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`portage_dontaudit_use_fds',`
+ gen_require(`
+ type portage_t;
+ ')
+
+ dontaudit $1 portage_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the
+## portage temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`portage_dontaudit_search_tmp',`
+ gen_require(`
+ type portage_tmp_t;
+ ')
+
+ dontaudit $1 portage_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## the portage temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`portage_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type portage_tmp_t;
+ ')
+
+ dontaudit $1 portage_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the domain to run within an eselect module script.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow within an eselect module
+## </summary>
+## </param>
+# Specific to Gentoo,
+# eselect modules allow users to switch between different flavors or versions
+# of underlying components. In return, eselect makes a wrapper binary which
+# makes the proper selections. If this binary is different from bin_t, it might
+# not hold the necessary privileges for the wrapper to function. However, just
+# marking the target binaries doesn't always work, since for python scripts the
+# wrapper doesn't execute it, but treats the target as a library.
+#
+interface(`gentoo_portage_eselect_module',`
+ gen_require(`
+ type portage_t;
+ ')
+ allow $1 self:fifo_file { read write };
+
+ corecmd_exec_shell($1)
+
+ # Support for /etc/env.d changes
+ files_manage_etc_runtime_files($1)
+')
+
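Review bot: `can_exec(portage_sandbox_t, portage_tmp_t)` under the "run scripts out of the build directory" comment hard-codes the sandbox type instead of the interface argument, and `portage_sandbox_t` is not declared in the interface's gen_require block; portage.te compensates with a separate `can_exec(portage_t, portage_tmp_t)`, but the interface is still wrong for any other caller and should read `can_exec($1, portage_tmp_t)`. The two consecutive `allow $1 self:process` rules contradict each other: the second grants every permission except the listed set, which excludes setrlimit and execmem, while the first explicitly re-adds them, so the net effect is that the complement's exclusions do not hold for those two and the intent should be made explicit by listing them in exactly one place. In `gentoo_portage_eselect_module` the `type portage_t` require is never referenced and can be dropped.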
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
new file mode 100644
index 00000000..1f83dd82
--- /dev/null
+++ b/policy/modules/contrib/portage.te
@@ -0,0 +1,367 @@
+policy_module(portage, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow the portage domains to use NFS mounts (regular nfs_t)
+## </p>
+## </desc>
+gen_tunable(portage_use_nfs, false)
+
+## <desc>
+## <p>
+## (deprecated) support for dontaudit tryouts
+## </p>
+## </desc>
+gen_tunable(gentoo_try_dontaudit, false)
+
+## <desc>
+## <p>
+## (deprecated) support for fixes
+## </p>
+## </desc>
+gen_tunable(gentoo_wait_requests, false)
+
+
+attribute_role portage_roles;
+
+type gcc_config_t;
+type gcc_config_exec_t;
+application_domain(gcc_config_t, gcc_config_exec_t)
+
+type gcc_config_tmp_t;
+files_tmp_file(gcc_config_tmp_t)
+
+# constraining type
+type portage_t;
+type portage_exec_t;
+application_domain(portage_t, portage_exec_t)
+domain_obj_id_change_exemption(portage_t)
+rsync_entry_type(portage_t)
+corecmd_shell_entry_type(portage_t)
+role portage_roles types portage_t;
+
+# portage compile sandbox domain
+type portage_sandbox_t;
+application_domain(portage_sandbox_t, portage_exec_t)
+# the shell is the entrypoint if regular sandbox is disabled
+# portage_exec_t is the entrypoint if regular sandbox is enabled
+corecmd_shell_entry_type(portage_sandbox_t)
+role portage_roles types portage_sandbox_t;
+
+# portage package fetching domain
+type portage_fetch_t;
+type portage_fetch_exec_t;
+application_domain(portage_fetch_t, portage_fetch_exec_t)
+corecmd_shell_entry_type(portage_fetch_t)
+rsync_entry_type(portage_fetch_t)
+role portage_roles types portage_fetch_t;
+
+type portage_devpts_t;
+term_pty(portage_devpts_t)
+
+type portage_ebuild_t;
+files_mountpoint(portage_ebuild_t)
+
+type portage_fetch_tmp_t;
+files_tmp_file(portage_fetch_tmp_t)
+
+type portage_db_t;
+files_type(portage_db_t)
+
+type portage_conf_t;
+files_type(portage_conf_t)
+
+type portage_cache_t;
+files_type(portage_cache_t)
+
+type portage_gpg_t;
+files_type(portage_gpg_t)
+
+type portage_log_t;
+logging_log_file(portage_log_t)
+
+type portage_srcrepo_t;
+files_type(portage_srcrepo_t)
+
+type portage_tmp_t;
+files_tmp_file(portage_tmp_t)
+
+type portage_tmpfs_t;
+files_tmpfs_file(portage_tmpfs_t)
+
+########################################
+#
+# gcc-config policy
+#
+
+allow gcc_config_t self:capability { chown fsetid };
+allow gcc_config_t self:fifo_file rw_file_perms;
+
+manage_files_pattern(gcc_config_t, gcc_config_tmp_t, gcc_config_tmp_t)
+files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
+
+manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)
+
+read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
+
+allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
+read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
+
+allow gcc_config_t portage_exec_t:file mmap_file_perms;
+
+kernel_read_system_state(gcc_config_t)
+kernel_read_kernel_sysctls(gcc_config_t)
+
+corecmd_exec_shell(gcc_config_t)
+corecmd_exec_bin(gcc_config_t)
+corecmd_manage_bin_files(gcc_config_t)
+
+domain_use_interactive_fds(gcc_config_t)
+
+files_manage_etc_files(gcc_config_t)
+files_manage_etc_runtime_files(gcc_config_t)
+files_manage_etc_runtime_lnk_files(gcc_config_t)
+files_read_usr_files(gcc_config_t)
+files_search_var_lib(gcc_config_t)
+files_search_pids(gcc_config_t)
+# complains loudly about not being able to list
+# the directory it is being run from
+files_list_all(gcc_config_t)
+
+# seems to be ok without this
+init_dontaudit_read_script_status_files(gcc_config_t)
+
+libs_read_lib_files(gcc_config_t)
+libs_run_ldconfig(gcc_config_t, portage_roles)
+libs_manage_shared_libs(gcc_config_t)
+# gcc-config creates a temp dir for the libs
+libs_manage_lib_dirs(gcc_config_t)
+
+logging_send_syslog_msg(gcc_config_t)
+
+miscfiles_read_localization(gcc_config_t)
+
+userdom_use_user_terminals(gcc_config_t)
+
+consoletype_exec(gcc_config_t)
+
+ifdef(`distro_gentoo',`
+ init_exec_rc(gcc_config_t)
+')
+
+tunable_policy(`portage_use_nfs',`
+ fs_read_nfs_files(gcc_config_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(gcc_config_t)
+')
+
+########################################
+#
+# Portage Merging Rules
+#
+
+# - setfscreate for merging to live fs
+# - setexec to run portage fetch
+allow portage_t self:process { setfscreate setexec };
+# - kill for mysql merging, at least
+allow portage_t self:capability { sys_nice kill setfcap };
+dontaudit portage_t self:capability { dac_read_search };
+dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
+
+# user post-sync scripts
+can_exec(portage_t, portage_conf_t)
+
+allow portage_t portage_log_t:file manage_file_perms;
+logging_log_filetrans(portage_t, portage_log_t, file)
+
+allow portage_t { portage_fetch_t portage_sandbox_t }:process signal;
+
+# transition for rsync and wget
+corecmd_shell_spec_domtrans(portage_t, portage_fetch_t)
+rsync_entry_domtrans(portage_t, portage_fetch_t)
+allow portage_fetch_t portage_t:fd use;
+allow portage_fetch_t portage_t:fifo_file rw_file_perms;
+allow portage_fetch_t portage_t:process sigchld;
+dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
+
+# transition to sandbox for compiling
+domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
+corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
+allow portage_sandbox_t portage_t:fd use;
+allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
+allow portage_sandbox_t portage_t:process sigchld;
+allow portage_sandbox_t self:process ptrace;
+dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
+
+# run scripts out of the build directory
+can_exec(portage_t, portage_tmp_t)
+
+kernel_dontaudit_request_load_module(portage_t)
+# merging baselayout will need this:
+kernel_write_proc_files(portage_t)
+
+domain_dontaudit_read_all_domains_state(portage_t)
+
+# modify any files in the system
+files_manage_all_files(portage_t)
+
+selinux_get_fs_mount(portage_t)
+
+auth_manage_shadow(portage_t)
+
+# merging baselayout will need this:
+init_exec(portage_t)
+
+# run setfiles -r
+seutil_run_setfiles(portage_t, portage_roles)
+# run semodule
+seutil_run_semanage(portage_t, portage_roles)
+
+portage_run_gcc_config(portage_t, portage_roles)
+# if sesandbox is disabled, compiling is performed in this domain
+portage_compile_domain(portage_t)
+
+optional_policy(`
+ bootloader_run(portage_t, portage_roles)
+')
+
+optional_policy(`
+ cron_system_entry(portage_t, portage_exec_t)
+ cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
+')
+
+optional_policy(`
+ modutils_run_depmod(portage_t, portage_roles)
+ modutils_run_update_mods(portage_t, portage_roles)
+ #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
+')
+
+optional_policy(`
+ usermanage_run_groupadd(portage_t, portage_roles)
+ usermanage_run_useradd(portage_t, portage_roles)
+')
+
+ifdef(`TODO',`
+# seems to work ok without these
+dontaudit portage_t device_t:{ blk_file chr_file } getattr;
+dontaudit portage_t proc_t:dir setattr;
+dontaudit portage_t device_type:chr_file read_chr_file_perms;
+dontaudit portage_t device_type:blk_file read_blk_file_perms;
+')
+
+##########################################
+#
+# Portage fetch domain
+# - for rsync and distfile fetching
+#
+
+allow portage_fetch_t self:process signal;
+allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
+allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
+allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
+allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+
+allow portage_fetch_t portage_conf_t:dir list_dir_perms;
+
+allow portage_fetch_t portage_gpg_t:dir rw_dir_perms;
+allow portage_fetch_t portage_gpg_t:file manage_file_perms;
+
+allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
+allow portage_fetch_t portage_tmp_t:file manage_file_perms;
+
+allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr };
+
+read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
+
+manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
+manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
+
+manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
+manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
+files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
+
+kernel_read_system_state(portage_fetch_t)
+kernel_read_kernel_sysctls(portage_fetch_t)
+
+corecmd_exec_bin(portage_fetch_t)
+corecmd_exec_shell(portage_fetch_t)
+
+corenet_all_recvfrom_unlabeled(portage_fetch_t)
+corenet_all_recvfrom_netlabel(portage_fetch_t)
+corenet_tcp_sendrecv_generic_if(portage_fetch_t)
+corenet_tcp_sendrecv_generic_node(portage_fetch_t)
+corenet_tcp_sendrecv_all_ports(portage_fetch_t)
+corenet_tcp_connect_http_cache_port(portage_fetch_t)
+corenet_tcp_connect_git_port(portage_fetch_t)
+corenet_tcp_connect_rsync_port(portage_fetch_t)
+corenet_sendrecv_http_client_packets(portage_fetch_t)
+corenet_sendrecv_http_cache_client_packets(portage_fetch_t)
+corenet_sendrecv_git_client_packets(portage_fetch_t)
+corenet_sendrecv_rsync_client_packets(portage_fetch_t)
+# would rather not connect to unspecified ports, but
+# it occasionally comes up
+corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
+corenet_tcp_connect_generic_port(portage_fetch_t)
+
+dev_dontaudit_read_rand(portage_fetch_t)
+
+domain_use_interactive_fds(portage_fetch_t)
+
+files_read_etc_files(portage_fetch_t)
+files_read_etc_runtime_files(portage_fetch_t)
+files_read_usr_files(portage_fetch_t)
+files_search_var_lib(portage_fetch_t)
+files_dontaudit_search_pids(portage_fetch_t)
+
+logging_list_logs(portage_fetch_t)
+logging_dontaudit_search_logs(portage_fetch_t)
+
+term_search_ptys(portage_fetch_t)
+
+miscfiles_read_localization(portage_fetch_t)
+
+sysnet_read_config(portage_fetch_t)
+sysnet_dns_name_resolve(portage_fetch_t)
+
+userdom_use_user_terminals(portage_fetch_t)
+userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+userdom_dontaudit_getattr_user_home_dirs(portage_fetch_t)
+userdom_dontaudit_search_user_home_dirs(portage_fetch_t)
+
+rsync_exec(portage_fetch_t)
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit portage_fetch_t portage_cache_t:file read;
+')
+
+tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs(portage_fetch_t)
+ fs_manage_nfs_dirs(portage_fetch_t)
+ fs_manage_nfs_files(portage_fetch_t)
+ fs_manage_nfs_symlinks(portage_fetch_t)
+')
+
+optional_policy(`
+ gpg_exec(portage_fetch_t)
+')
+
+##########################################
+#
+# Portage sandbox domain
+# - SELinux-enforced sandbox
+#
+
+portage_compile_domain(portage_sandbox_t)
+
+ifdef(`hide_broken_symptoms',`
+ # leaked descriptors
+ dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
+ dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
+')
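Review bot: The tunables `gentoo_try_dontaudit` and `gentoo_wait_requests` are declared in the Declarations section but no `tunable_policy` in this file references them, so they are exposed as boolean knobs that gate nothing; unless another module still consumes them, drop them or extend the `<desc>` to say what they once controlled. The portage_fetch_t rules on portage_tmp_t use raw `allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;` / `:file manage_file_perms;` lines while the rest of the domain sections use `manage_dirs_pattern`/`manage_files_pattern`; using the same helpers would keep the file consistent. The commented-out `#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;` inside the modutils block is dead policy and should be removed or made a real rule.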
diff --git a/policy/modules/contrib/portmap.fc b/policy/modules/contrib/portmap.fc
new file mode 100644
index 00000000..3cdcd9f3
--- /dev/null
+++ b/policy/modules/contrib/portmap.fc
@@ -0,0 +1,16 @@
+
+/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+
+ifdef(`distro_debian',`
+/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+', `
+/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+')
+
+/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
+
+ifdef(`distro_debian',`
+/var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
+')
diff --git a/policy/modules/contrib/portmap.if b/policy/modules/contrib/portmap.if
new file mode 100644
index 00000000..374afcf7
--- /dev/null
+++ b/policy/modules/contrib/portmap.if
@@ -0,0 +1,89 @@
+## <summary>RPC port mapping service.</summary>
+
+########################################
+## <summary>
+## Execute portmap_helper in the helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portmap_domtrans_helper',`
+ gen_require(`
+ type portmap_helper_t, portmap_helper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, portmap_helper_exec_t, portmap_helper_t)
+')
+
+########################################
+## <summary>
+## Execute portmap helper in the helper domain, and
+## allow the specified role the helper domain.
+## Communicate with portmap.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portmap_run_helper',`
+ gen_require(`
+ type portmap_t, portmap_helper_t;
+ ')
+
+ portmap_domtrans_helper($1)
+ role $2 types portmap_helper_t;
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to portmap. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`portmap_udp_send',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic from portmap. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`portmap_udp_chat',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Connect to portmap over a TCP socket (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`portmap_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
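Review bot: `portmap_run_helper` requires `type portmap_t` but its body never references it, and the summary promises "Communicate with portmap" while no rule between portmap_t and the caller is emitted by the interface. Either drop `portmap_t` from the gen_require and the "Communicate with portmap." sentence from the summary, or add the rule the summary describes so the documentation matches the granted access.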
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
new file mode 100644
index 00000000..c1db6524
--- /dev/null
+++ b/policy/modules/contrib/portmap.te
@@ -0,0 +1,150 @@
+policy_module(portmap, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type portmap_t;
+type portmap_exec_t;
+init_daemon_domain(portmap_t, portmap_exec_t)
+
+type portmap_helper_t;
+type portmap_helper_exec_t;
+init_system_domain(portmap_helper_t, portmap_helper_exec_t)
+role system_r types portmap_helper_t;
+
+type portmap_tmp_t;
+files_tmp_file(portmap_tmp_t)
+
+type portmap_var_run_t;
+files_pid_file(portmap_var_run_t)
+
+########################################
+#
+# Portmap local policy
+#
+
+allow portmap_t self:capability { setuid setgid };
+dontaudit portmap_t self:capability sys_tty_config;
+allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
+allow portmap_t self:unix_dgram_socket create_socket_perms;
+allow portmap_t self:unix_stream_socket create_stream_socket_perms;
+allow portmap_t self:tcp_socket create_stream_socket_perms;
+allow portmap_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
+manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
+files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
+
+manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t)
+files_pid_filetrans(portmap_t, portmap_var_run_t, file)
+
+kernel_read_system_state(portmap_t)
+kernel_read_kernel_sysctls(portmap_t)
+
+corenet_all_recvfrom_unlabeled(portmap_t)
+corenet_all_recvfrom_netlabel(portmap_t)
+corenet_tcp_sendrecv_generic_if(portmap_t)
+corenet_udp_sendrecv_generic_if(portmap_t)
+corenet_tcp_sendrecv_generic_node(portmap_t)
+corenet_udp_sendrecv_generic_node(portmap_t)
+corenet_tcp_sendrecv_all_ports(portmap_t)
+corenet_udp_sendrecv_all_ports(portmap_t)
+corenet_tcp_bind_generic_node(portmap_t)
+corenet_udp_bind_generic_node(portmap_t)
+corenet_tcp_bind_portmap_port(portmap_t)
+corenet_udp_bind_portmap_port(portmap_t)
+corenet_tcp_connect_all_ports(portmap_t)
+corenet_sendrecv_portmap_client_packets(portmap_t)
+corenet_sendrecv_portmap_server_packets(portmap_t)
+# portmap binds to arbitary ports
+corenet_tcp_bind_generic_port(portmap_t)
+corenet_udp_bind_generic_port(portmap_t)
+corenet_tcp_bind_reserved_port(portmap_t)
+corenet_udp_bind_reserved_port(portmap_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
+corenet_dontaudit_udp_bind_all_ports(portmap_t)
+
+dev_read_sysfs(portmap_t)
+
+fs_getattr_all_fs(portmap_t)
+fs_search_auto_mountpoints(portmap_t)
+
+domain_use_interactive_fds(portmap_t)
+
+files_read_etc_files(portmap_t)
+
+logging_send_syslog_msg(portmap_t)
+
+miscfiles_read_localization(portmap_t)
+
+sysnet_read_config(portmap_t)
+
+userdom_dontaudit_use_unpriv_user_fds(portmap_t)
+userdom_dontaudit_search_user_home_dirs(portmap_t)
+
+optional_policy(`
+ nis_use_ypbind(portmap_t)
+')
+
+optional_policy(`
+ nscd_socket_use(portmap_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(portmap_t)
+')
+
+optional_policy(`
+ udev_read_db(portmap_t)
+')
+
+########################################
+#
+# Portmap helper local policy
+#
+
+dontaudit portmap_helper_t self:capability net_admin;
+allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
+allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
+allow portmap_helper_t self:udp_socket create_socket_perms;
+
+allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
+files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(portmap_helper_t)
+corenet_all_recvfrom_netlabel(portmap_helper_t)
+corenet_tcp_sendrecv_generic_if(portmap_helper_t)
+corenet_udp_sendrecv_generic_if(portmap_helper_t)
+corenet_raw_sendrecv_generic_if(portmap_helper_t)
+corenet_tcp_sendrecv_generic_node(portmap_helper_t)
+corenet_udp_sendrecv_generic_node(portmap_helper_t)
+corenet_raw_sendrecv_generic_node(portmap_helper_t)
+corenet_tcp_sendrecv_all_ports(portmap_helper_t)
+corenet_udp_sendrecv_all_ports(portmap_helper_t)
+corenet_tcp_bind_generic_node(portmap_helper_t)
+corenet_udp_bind_generic_node(portmap_helper_t)
+corenet_tcp_bind_reserved_port(portmap_helper_t)
+corenet_udp_bind_reserved_port(portmap_helper_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
+corenet_tcp_connect_all_ports(portmap_helper_t)
+
+domain_dontaudit_use_interactive_fds(portmap_helper_t)
+
+files_read_etc_files(portmap_helper_t)
+files_rw_generic_pids(portmap_helper_t)
+
+init_rw_utmp(portmap_helper_t)
+
+logging_send_syslog_msg(portmap_helper_t)
+
+sysnet_read_config(portmap_helper_t)
+
+userdom_use_user_terminals(portmap_helper_t)
+userdom_dontaudit_use_all_users_fds(portmap_helper_t)
+
+optional_policy(`
+ nis_use_ypbind(portmap_helper_t)
+')
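Review bot: The comment above the generic/reserved bind rules for portmap_t misspells "arbitrary"; it should read `# portmap binds to arbitrary ports`. The helper domain's dontaudit differs from portmap_t's (`corenet_dontaudit_udp_bind_all_reserved_ports` for portmap_helper_t versus `corenet_dontaudit_udp_bind_all_ports` for portmap_t); if the asymmetry is intentional, a one-line comment explaining it would stop a future reader from "harmonising" the two.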
diff --git a/policy/modules/contrib/portreserve.fc b/policy/modules/contrib/portreserve.fc
new file mode 100644
index 00000000..4313a6f0
--- /dev/null
+++ b/policy/modules/contrib/portreserve.fc
@@ -0,0 +1,7 @@
+/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
+
+/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+
+/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
+
+/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
diff --git a/policy/modules/contrib/portreserve.if b/policy/modules/contrib/portreserve.if
new file mode 100644
index 00000000..7719d160
--- /dev/null
+++ b/policy/modules/contrib/portreserve.if
@@ -0,0 +1,120 @@
+## <summary>Reserve well-known ports in the RPC port range.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run portreserve.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portreserve_domtrans',`
+ gen_require(`
+ type portreserve_t, portreserve_exec_t;
+ ')
+
+ domtrans_pattern($1, portreserve_exec_t, portreserve_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to read
+## portreserve etcuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portreserve_read_config',`
+ gen_require(`
+ type portreserve_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 portreserve_etc_t:dir list_dir_perms;
+ read_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to manage
+## portreserve etcuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`portreserve_manage_config',`
+ gen_require(`
+ type portreserve_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t)
+ manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+')
+
+########################################
+## <summary>
+## Execute portreserve in the portreserve domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portreserve_initrc_domtrans',`
+ gen_require(`
+ type portreserve_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, portreserve_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an portreserve environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portreserve_admin',`
+ gen_require(`
+ type portreserve_t, portreserve_etc_t, portreserve_var_run_t;
+ type portreserve_initrc_exec_t;
+ ')
+
+ allow $1 portreserve_t:process { ptrace signal_perms };
+ ps_process_pattern($1, portreserve_t)
+
+ portreserve_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 portreserve_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, portreserve_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, portreserve_var_run_t)
+')
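Review bot: The summaries of `portreserve_read_config` and `portreserve_manage_config` read "portreserve etcuration files", an apparent mechanical config→etc replacement; both should say `## portreserve configuration files.`. `portreserve_read_config` also carries a `<rolecap/>` tag although it takes no role parameter, which misdocuments it in the generated interface reference, so the tag should be removed. The summary of `portreserve_initrc_domtrans` says it executes portreserve in the portreserve domain, but the body calls `init_labeled_script_domtrans`, so it should read `## Execute portreserve init scripts in the init script domain.`; and "an portreserve environment" in `portreserve_admin` should be "a portreserve environment".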
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
new file mode 100644
index 00000000..152af929
--- /dev/null
+++ b/policy/modules/contrib/portreserve.te
@@ -0,0 +1,54 @@
+policy_module(portreserve, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type portreserve_t;
+type portreserve_exec_t;
+init_daemon_domain(portreserve_t, portreserve_exec_t)
+
+type portreserve_initrc_exec_t;
+init_script_file(portreserve_initrc_exec_t)
+
+type portreserve_etc_t;
+files_type(portreserve_etc_t)
+
+type portreserve_var_run_t;
+files_pid_file(portreserve_var_run_t)
+
+########################################
+#
+# Portreserve local policy
+#
+
+allow portreserve_t self:capability { dac_read_search dac_override };
+allow portreserve_t self:fifo_file rw_fifo_file_perms;
+allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
+allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
+allow portreserve_t self:tcp_socket create_socket_perms;
+allow portreserve_t self:udp_socket create_socket_perms;
+
+# Read etc files
+list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
+read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
+
+# Manage /var/run/portreserve/*
+manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir })
+
+corecmd_getattr_bin_files(portreserve_t)
+
+corenet_all_recvfrom_unlabeled(portreserve_t)
+corenet_all_recvfrom_netlabel(portreserve_t)
+corenet_tcp_bind_generic_node(portreserve_t)
+corenet_udp_bind_generic_node(portreserve_t)
+corenet_tcp_bind_all_ports(portreserve_t)
+corenet_udp_bind_all_ports(portreserve_t)
+
+files_read_etc_files(portreserve_t)
+
+userdom_dontaudit_search_user_home_content(portreserve_t)
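Review bot: The self:capability rule in the local policy section grants dac_override alongside dac_read_search, but dac_override subsumes dac_read_search for read access, so if portreserve only needs to read files it does not own the narrower grant is dac_read_search alone, with dac_override moved to a dontaudit. The two corenet_*_bind_all_ports calls are also a wide grant with no explanation; a comment such as `# binds arbitrary ports so it can hold them until the owning service starts (confirm against portreserve's purpose)` would tell future auditors why every port is required. Whether the daemon actually writes to foreign-owned files cannot be determined from this hunk, so the capability narrowing should be confirmed against the daemon's behaviour before landing.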
diff --git a/policy/modules/contrib/portslave.fc b/policy/modules/contrib/portslave.fc
new file mode 100644
index 00000000..2dd77861
--- /dev/null
+++ b/policy/modules/contrib/portslave.fc
@@ -0,0 +1,4 @@
+/etc/portslave(/.*)? gen_context(system_u:object_r:portslave_etc_t,s0)
+
+/usr/sbin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+/usr/sbin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
diff --git a/policy/modules/contrib/portslave.if b/policy/modules/contrib/portslave.if
new file mode 100644
index 00000000..b53ff778
--- /dev/null
+++ b/policy/modules/contrib/portslave.if
@@ -0,0 +1,19 @@
+## <summary>Portslave terminal server software</summary>
+
+########################################
+## <summary>
+## Execute portslave with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portslave_domtrans',`
+ gen_require(`
+ type portslave_t, portslave_exec_t;
+ ')
+
+ domtrans_pattern($1, portslave_exec_t, portslave_t)
+')
diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te
new file mode 100644
index 00000000..69c331ee
--- /dev/null
+++ b/policy/modules/contrib/portslave.te
@@ -0,0 +1,125 @@
+policy_module(portslave, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type portslave_t;
+type portslave_exec_t;
+init_domain(portslave_t, portslave_exec_t)
+init_daemon_domain(portslave_t, portslave_exec_t)
+
+type portslave_etc_t;
+files_config_file(portslave_etc_t)
+
+type portslave_lock_t;
+files_lock_file(portslave_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+# setuid setgid net_admin fsetid for pppd
+# sys_admin for ctlportslave
+# net_bind_service for rlogin
+allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
+dontaudit portslave_t self:capability sys_admin;
+allow portslave_t self:process signal_perms;
+allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow portslave_t self:fd use;
+allow portslave_t self:fifo_file rw_fifo_file_perms;
+allow portslave_t self:unix_dgram_socket create_socket_perms;
+allow portslave_t self:unix_stream_socket create_stream_socket_perms;
+allow portslave_t self:unix_dgram_socket sendto;
+allow portslave_t self:unix_stream_socket connectto;
+allow portslave_t self:shm create_shm_perms;
+allow portslave_t self:sem create_sem_perms;
+allow portslave_t self:msgq create_msgq_perms;
+allow portslave_t self:msg { send receive };
+allow portslave_t self:tcp_socket create_stream_socket_perms;
+allow portslave_t self:udp_socket create_socket_perms;
+
+allow portslave_t portslave_etc_t:dir list_dir_perms;
+read_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t)
+read_lnk_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t)
+
+allow portslave_t portslave_lock_t:file manage_file_perms;
+files_lock_filetrans(portslave_t, portslave_lock_t, file)
+
+kernel_read_system_state(portslave_t)
+kernel_read_kernel_sysctls(portslave_t)
+
+corecmd_exec_bin(portslave_t)
+corecmd_exec_shell(portslave_t)
+
+corenet_all_recvfrom_unlabeled(portslave_t)
+corenet_all_recvfrom_netlabel(portslave_t)
+corenet_tcp_sendrecv_generic_if(portslave_t)
+corenet_udp_sendrecv_generic_if(portslave_t)
+corenet_tcp_sendrecv_generic_node(portslave_t)
+corenet_udp_sendrecv_generic_node(portslave_t)
+corenet_tcp_sendrecv_all_ports(portslave_t)
+corenet_udp_sendrecv_all_ports(portslave_t)
+corenet_rw_ppp_dev(portslave_t)
+
+dev_read_sysfs(portslave_t)
+# for ssh
+dev_read_urand(portslave_t)
+
+domain_use_interactive_fds(portslave_t)
+
+files_read_etc_files(portslave_t)
+files_read_etc_runtime_files(portslave_t)
+files_exec_etc_files(portslave_t)
+
+fs_search_auto_mountpoints(portslave_t)
+fs_getattr_xattr_fs(portslave_t)
+
+term_use_unallocated_ttys(portslave_t)
+term_setattr_unallocated_ttys(portslave_t)
+term_use_all_ttys(portslave_t)
+term_search_ptys(portslave_t)
+
+auth_rw_login_records(portslave_t)
+auth_domtrans_chk_passwd(portslave_t)
+
+init_rw_utmp(portslave_t)
+
+logging_send_syslog_msg(portslave_t)
+logging_search_logs(portslave_t)
+
+sysnet_read_config(portslave_t)
+
+userdom_use_unpriv_users_fds(portslave_t)
+# for ~/.ppprc - if it actually exists then you need some policy to read it
+userdom_search_user_home_dirs(portslave_t)
+
+mta_send_mail(portslave_t)
+
+# this should probably be a domtrans to pppd
+# instead of exec.
+ppp_read_rw_config(portslave_t)
+ppp_exec(portslave_t)
+ppp_read_secrets(portslave_t)
+ppp_manage_pid_files(portslave_t)
+ppp_pid_filetrans(portslave_t)
+
+ssh_exec(portslave_t)
+
+optional_policy(`
+ inetd_tcp_service_domain(portslave_t, portslave_exec_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(portslave_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(portslave_t)
+')
+
+optional_policy(`
+ udev_read_db(portslave_t)
+')
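Review bot: The rule `allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` is a negated set, so it grants every other process permission, including any added to the class by future kernels, which defeats the least-privilege intent of listing exceptions; it should be replaced with an explicit positive list of the permissions portslave needs, merged with the preceding line that already grants signal_perms. The comment block above the capability rule says `# sys_admin for ctlportslave`, but the rule that follows only dontaudits sys_admin, so either the comment is stale or an allow is missing; if the dontaudit is intentional the comment should say so, e.g. `# sys_admin is attempted by ctlportslave but not granted; dontaudited to keep logs quiet`. The same comment block omits sys_tty_config, which the allow line does grant.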
diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
new file mode 100644
index 00000000..8bfd46b5
--- /dev/null
+++ b/policy/modules/contrib/postfix.fc
@@ -0,0 +1,53 @@
+# postfix
+/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
+ifdef(`distro_redhat', `
+/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+', `
+/usr/lib(64)?/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib(64)?/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib(64)?/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib(64)?/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib(64)?/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib(64)?/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib(64)?/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib(64)?/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib(64)?/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib(64)?/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib(64)?/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib(64)?/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/lib(64)?/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+')
+/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
+/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
+/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postlock -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postlog -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
+/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
+/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+
+/var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_data_t,s0)
+
+/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
new file mode 100644
index 00000000..4c6d5f05
--- /dev/null
+++ b/policy/modules/contrib/postfix.if
@@ -0,0 +1,683 @@
+## <summary>Postfix email server</summary>
+
+########################################
+## <summary>
+## Postfix stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_stub',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+')
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## postfix process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`postfix_domain_template',`
+ type postfix_$1_t;
+ type postfix_$1_exec_t;
+ domain_type(postfix_$1_t)
+ domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
+ role system_r types postfix_$1_t;
+
+ dontaudit postfix_$1_t self:capability sys_tty_config;
+ allow postfix_$1_t self:process { signal_perms setpgid };
+ allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
+ allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
+ allow postfix_$1_t self:unix_stream_socket connectto;
+
+ allow postfix_master_t postfix_$1_t:process signal;
+ #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+ allow postfix_$1_t postfix_master_t:file read;
+
+ allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
+ read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+ read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+
+ can_exec(postfix_$1_t, postfix_$1_exec_t)
+
+ allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl };
+
+ allow postfix_$1_t postfix_master_t:process sigchld;
+
+ allow postfix_$1_t postfix_spool_t:dir list_dir_perms;
+
+ allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
+ allow postfix_$1_t postfix_var_run_t:dir rw_dir_perms;
+ files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)
+
+ kernel_read_system_state(postfix_$1_t)
+ kernel_read_network_state(postfix_$1_t)
+ kernel_read_all_sysctls(postfix_$1_t)
+
+ dev_read_sysfs(postfix_$1_t)
+ dev_read_rand(postfix_$1_t)
+ dev_read_urand(postfix_$1_t)
+
+ fs_search_auto_mountpoints(postfix_$1_t)
+ fs_getattr_xattr_fs(postfix_$1_t)
+ fs_rw_anon_inodefs_files(postfix_$1_t)
+
+ term_dontaudit_use_console(postfix_$1_t)
+
+ corecmd_exec_shell(postfix_$1_t)
+
+ files_read_etc_files(postfix_$1_t)
+ files_read_etc_runtime_files(postfix_$1_t)
+ files_read_usr_symlinks(postfix_$1_t)
+ files_search_spool(postfix_$1_t)
+ files_getattr_tmp_dirs(postfix_$1_t)
+ files_search_all_mountpoints(postfix_$1_t)
+
+ init_dontaudit_use_fds(postfix_$1_t)
+ init_sigchld(postfix_$1_t)
+
+ auth_use_nsswitch(postfix_$1_t)
+
+ logging_send_syslog_msg(postfix_$1_t)
+
+ miscfiles_read_localization(postfix_$1_t)
+ miscfiles_read_generic_certs(postfix_$1_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
+
+ optional_policy(`
+ udev_read_db(postfix_$1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Creates a postfix server process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix of the domain.
+## </summary>
+## </param>
+#
+template(`postfix_server_domain_template',`
+ postfix_domain_template($1)
+
+ type postfix_$1_tmp_t;
+ files_tmp_file(postfix_$1_tmp_t)
+
+ allow postfix_$1_t self:capability { setuid setgid dac_override };
+ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+ allow postfix_$1_t self:tcp_socket create_socket_perms;
+ allow postfix_$1_t self:udp_socket create_socket_perms;
+
+ manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+ manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+ files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
+
+ domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+
+ corenet_all_recvfrom_unlabeled(postfix_$1_t)
+ corenet_all_recvfrom_netlabel(postfix_$1_t)
+ corenet_tcp_sendrecv_generic_if(postfix_$1_t)
+ corenet_udp_sendrecv_generic_if(postfix_$1_t)
+ corenet_tcp_sendrecv_generic_node(postfix_$1_t)
+ corenet_udp_sendrecv_generic_node(postfix_$1_t)
+ corenet_tcp_sendrecv_all_ports(postfix_$1_t)
+ corenet_udp_sendrecv_all_ports(postfix_$1_t)
+ corenet_tcp_bind_generic_node(postfix_$1_t)
+ corenet_udp_bind_generic_node(postfix_$1_t)
+ corenet_tcp_connect_all_ports(postfix_$1_t)
+ corenet_sendrecv_all_client_packets(postfix_$1_t)
+')
+
+########################################
+## <summary>
+## Creates a process domain for programs
+## that are ran by users.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix of the domain.
+## </summary>
+## </param>
+#
+template(`postfix_user_domain_template',`
+ gen_require(`
+ attribute postfix_user_domains, postfix_user_domtrans;
+ ')
+
+ postfix_domain_template($1)
+
+ typeattribute postfix_$1_t postfix_user_domains;
+
+ allow postfix_$1_t self:capability dac_override;
+
+ domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
+
+ domain_use_interactive_fds(postfix_$1_t)
+')
+
+########################################
+## <summary>
+## Read postfix configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_read_config',`
+ gen_require(`
+ type postfix_etc_t;
+ ')
+
+ read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Create files with the specified type in
+## the postfix configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`postfix_config_filetrans',`
+ gen_require(`
+ type postfix_etc_t;
+ ')
+
+ files_search_etc($1)
+ filetrans_pattern($1, postfix_etc_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write postfix local delivery
+## TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`postfix_dontaudit_rw_local_tcp_sockets',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ dontaudit $1 postfix_local_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Allow read/write postfix local pipes
+## TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_rw_local_pipes',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read postfix local process state
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_read_local_state',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ read_files_pattern($1, postfix_local_t, postfix_local_t)
+')
+
+########################################
+## <summary>
+## Allow domain to read postfix master process state
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_read_master_state',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ read_files_pattern($1, postfix_master_t, postfix_master_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## postfix master process file
+## file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`postfix_dontaudit_use_fds',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ dontaudit $1 postfix_master_t:fd use;
+')
+
+########################################
+## <summary>
+## Execute postfix_map in the postfix_map domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_map',`
+ gen_require(`
+ type postfix_map_t, postfix_map_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
+')
+
+########################################
+## <summary>
+## Execute postfix_map in the postfix_map domain, and
+## allow the specified role the postfix_map domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_run_map',`
+ gen_require(`
+ type postfix_map_t;
+ ')
+
+ postfix_domtrans_map($1)
+ role $2 types postfix_map_t;
+')
+
+########################################
+## <summary>
+## Execute postfix_$1 in the postfix_$1 domain, and
+## allow the specified role the postfix_$1 domain.
+## </summary>
+## <param name="subdomain">
+## <summary>
+## Postfix subdomain, like master, postqueue, map, ...
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_run',`
+ gen_require(`
+ type postfix_$1_t;
+ type postfix_$1_exec_t;
+ ')
+
+ postfix_domtrans_$1($2)
+ role $3 types postfix_$1_t;
+')
+
+
+########################################
+## <summary>
+## Execute the master postfix program in the
+## postfix_master domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_master',`
+ gen_require(`
+ type postfix_master_t, postfix_master_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
+')
+
+########################################
+## <summary>
+## Execute the master postfix program in the
+## caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_exec_master',`
+ gen_require(`
+ type postfix_master_exec_t;
+ ')
+
+ can_exec($1, postfix_master_exec_t)
+')
+
+########################################
+## <summary>
+## Execute the master postfix programs in the
+## master domain.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_run_master',`
+ gen_require(`
+ type postfix_master_exec_t;
+ type postfix_master_t;
+ ')
+
+ role $1 types { postfix_master_exec_t postfix_master_t };
+ postfix_domtrans_master($2)
+')
+
+#######################################
+## <summary>
+## Connect to postfix master process using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_stream_connect_master',`
+ gen_require(`
+ type postfix_master_t, postfix_public_t;
+ ')
+
+ stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)
+')
+
+########################################
+## <summary>
+## Execute the master postdrop in the
+## postfix_postdrop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_postdrop',`
+ gen_require(`
+ type postfix_postdrop_t, postfix_postdrop_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
+')
+
+########################################
+## <summary>
+## Execute the master postqueue in the
+## postfix_postqueue domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_postqueue',`
+ gen_require(`
+ type postfix_postqueue_t, postfix_postqueue_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
+')
+
+#######################################
+## <summary>
+## Execute the master postqueue in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`posftix_exec_postqueue',`
+ gen_require(`
+ type postfix_postqueue_exec_t;
+ ')
+
+ can_exec($1, postfix_postqueue_exec_t)
+')
+
+########################################
+## <summary>
+## Create a named socket in a postfix private directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_create_private_sockets',`
+ gen_require(`
+ type postfix_private_t;
+ ')
+
+ allow $1 postfix_private_t:dir list_dir_perms;
+ create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
+')
+
+########################################
+## <summary>
+## manage named socket in a postfix private directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_manage_private_sockets',`
+ gen_require(`
+ type postfix_private_t;
+ ')
+
+ allow $1 postfix_private_t:dir list_dir_perms;
+ manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
+')
+
+########################################
+## <summary>
+## Execute the master postfix program in the
+## postfix_master domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_smtp',`
+ gen_require(`
+ type postfix_smtp_t, postfix_smtp_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
+')
+
+########################################
+## <summary>
+## Search postfix mail spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_search_spool',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ allow $1 postfix_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## List postfix mail spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_list_spool',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ allow $1 postfix_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read postfix mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_read_spool_files',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete postfix mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_manage_spool_files',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
+')
+
+########################################
+## <summary>
+## Execute postfix user mail programs
+## in their respective domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_user_mail_handler',`
+ gen_require(`
+ attribute postfix_user_domtrans;
+ ')
+
+ typeattribute $1 postfix_user_domtrans;
+')
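Review bot: The interface for executing postqueue in the caller domain is misspelled `posftix_exec_postqueue`, so a caller using the expected `postfix_exec_postqueue` name will not resolve; rename it to `postfix_exec_postqueue`. In postfix_run_master, `role $1 types { postfix_master_exec_t postfix_master_t };` lists the executable file type in a role types statement where only the domain belongs; `role $1 types postfix_master_t;` is sufficient, and this interface also takes (role, domain) in the opposite order to postfix_run_map and postfix_run, which callers are likely to get wrong. The summary above postfix_domtrans_smtp is copied from postfix_domtrans_master and should read `## Execute the postfix smtp program in the postfix_smtp domain.`.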
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
new file mode 100644
index 00000000..499ea264
--- /dev/null
+++ b/policy/modules/contrib/postfix.te
@@ -0,0 +1,635 @@
+policy_module(postfix, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute postfix_user_domains;
+# domains that transition to the
+# postfix user domains
+attribute postfix_user_domtrans;
+
+postfix_server_domain_template(bounce)
+
+type postfix_spool_bounce_t;
+files_type(postfix_spool_bounce_t)
+
+postfix_server_domain_template(cleanup)
+
+type postfix_etc_t;
+files_config_file(postfix_etc_t)
+
+type postfix_exec_t;
+application_executable_file(postfix_exec_t)
+
+postfix_server_domain_template(local)
+mta_mailserver_delivery(postfix_local_t)
+
+# Program for creating database files
+type postfix_map_t;
+type postfix_map_exec_t;
+application_domain(postfix_map_t, postfix_map_exec_t)
+role system_r types postfix_map_t;
+
+type postfix_map_tmp_t;
+files_tmp_file(postfix_map_tmp_t)
+
+postfix_domain_template(master)
+typealias postfix_master_t alias postfix_t;
+# alias is a hack to make the disable trans bool
+# generation macro work
+mta_mailserver(postfix_t, postfix_master_exec_t)
+
+postfix_server_domain_template(pickup)
+
+postfix_server_domain_template(pipe)
+
+postfix_user_domain_template(postdrop)
+mta_mailserver_user_agent(postfix_postdrop_t)
+
+postfix_user_domain_template(postqueue)
+
+type postfix_private_t;
+files_type(postfix_private_t)
+
+type postfix_prng_t;
+files_type(postfix_prng_t)
+
+postfix_server_domain_template(qmgr)
+
+postfix_user_domain_template(showq)
+
+postfix_server_domain_template(smtp)
+mta_mailserver_sender(postfix_smtp_t)
+
+postfix_server_domain_template(smtpd)
+
+type postfix_spool_t;
+files_type(postfix_spool_t)
+
+type postfix_spool_maildrop_t;
+files_type(postfix_spool_maildrop_t)
+
+type postfix_spool_flush_t;
+files_type(postfix_spool_flush_t)
+
+type postfix_public_t;
+files_type(postfix_public_t)
+
+type postfix_var_run_t;
+files_pid_file(postfix_var_run_t)
+
+# the data_directory config parameter
+type postfix_data_t;
+files_type(postfix_data_t)
+
+postfix_server_domain_template(virtual)
+mta_mailserver_delivery(postfix_virtual_t)
+
+########################################
+#
+# Postfix master process local policy
+#
+
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config dac_read_search fowner fsetid };
+allow postfix_master_t self:fifo_file rw_fifo_file_perms;
+allow postfix_master_t self:tcp_socket create_stream_socket_perms;
+allow postfix_master_t self:udp_socket create_socket_perms;
+allow postfix_master_t self:process setrlimit;
+
+allow postfix_master_t postfix_etc_t:file rw_file_perms;
+
+can_exec(postfix_master_t, postfix_exec_t)
+
+allow postfix_master_t postfix_data_t:dir manage_dir_perms;
+allow postfix_master_t postfix_data_t:file manage_file_perms;
+
+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+
+allow postfix_master_t postfix_postdrop_exec_t:file getattr;
+
+allow postfix_master_t postfix_postqueue_exec_t:file getattr;
+
+manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+
+domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
+
+allow postfix_master_t postfix_prng_t:file rw_file_perms;
+
+manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+
+domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+
+# allow access to deferred queue and allow removing bogus incoming entries
+manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
+
+allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
+allow postfix_master_t postfix_spool_bounce_t:file getattr;
+
+manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+
+delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+kernel_read_all_sysctls(postfix_master_t)
+
+corenet_all_recvfrom_unlabeled(postfix_master_t)
+corenet_all_recvfrom_netlabel(postfix_master_t)
+corenet_tcp_sendrecv_generic_if(postfix_master_t)
+corenet_udp_sendrecv_generic_if(postfix_master_t)
+corenet_tcp_sendrecv_generic_node(postfix_master_t)
+corenet_udp_sendrecv_generic_node(postfix_master_t)
+corenet_tcp_sendrecv_all_ports(postfix_master_t)
+corenet_udp_sendrecv_all_ports(postfix_master_t)
+corenet_tcp_bind_generic_node(postfix_master_t)
+corenet_tcp_bind_amavisd_send_port(postfix_master_t)
+corenet_tcp_bind_smtp_port(postfix_master_t)
+corenet_tcp_connect_all_ports(postfix_master_t)
+corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
+corenet_sendrecv_smtp_server_packets(postfix_master_t)
+corenet_sendrecv_all_client_packets(postfix_master_t)
+
+# for a find command
+selinux_dontaudit_search_fs(postfix_master_t)
+
+corecmd_exec_shell(postfix_master_t)
+corecmd_exec_bin(postfix_master_t)
+
+domain_use_interactive_fds(postfix_master_t)
+
+files_read_usr_files(postfix_master_t)
+
+term_dontaudit_search_ptys(postfix_master_t)
+
+miscfiles_read_man_pages(postfix_master_t)
+
+seutil_sigchld_newrole(postfix_master_t)
+# postfix does a "find" on startup for some reason - keep it quiet
+seutil_dontaudit_search_config(postfix_master_t)
+
+mta_rw_aliases(postfix_master_t)
+mta_read_sendmail_bin(postfix_master_t)
+mta_getattr_spool(postfix_master_t)
+
+ifdef(`distro_redhat',`
+ # for newer main.cf that uses /etc/aliases
+ mta_manage_aliases(postfix_master_t)
+ mta_etc_filetrans_aliases(postfix_master_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(postfix_master_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(postfix, postfix_t)
+')
+
+optional_policy(`
+# for postalias
+ mailman_manage_data_files(postfix_master_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(postfix_master_t)
+ mysql_stream_connect(postfix_cleanup_t)
+ mysql_stream_connect(postfix_local_t)
+')
+
+optional_policy(`
+ postgrey_search_spool(postfix_master_t)
+')
+
+optional_policy(`
+ sendmail_signal(postfix_master_t)
+')
+
+########################################
+#
+# Postfix bounce local policy
+#
+
+allow postfix_bounce_t self:capability dac_read_search;
+allow postfix_bounce_t self:tcp_socket create_socket_perms;
+
+allow postfix_bounce_t postfix_public_t:sock_file write;
+allow postfix_bounce_t postfix_public_t:dir search;
+
+manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
+
+manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+
+########################################
+#
+# Postfix cleanup local policy
+#
+
+allow postfix_cleanup_t self:process setrlimit;
+
+# connect to master process
+stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
+
+rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+
+manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
+
+allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
+
+corecmd_exec_bin(postfix_cleanup_t)
+
+mta_read_aliases(postfix_cleanup_t)
+
+optional_policy(`
+ mailman_read_data_files(postfix_cleanup_t)
+')
+
+########################################
+#
+# Postfix local local policy
+#
+
+allow postfix_local_t self:fifo_file rw_fifo_file_perms;
+allow postfix_local_t self:process { setsched setrlimit };
+
+# connect to master process
+stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
+
+# for .forward - maybe we need a new type for it?
+rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
+
+allow postfix_local_t postfix_spool_t:file rw_file_perms;
+
+corecmd_exec_shell(postfix_local_t)
+corecmd_exec_bin(postfix_local_t)
+
+files_read_etc_files(postfix_local_t)
+
+logging_dontaudit_search_logs(postfix_local_t)
+
+mta_read_aliases(postfix_local_t)
+mta_delete_spool(postfix_local_t)
+# For reading spamassasin
+mta_read_config(postfix_local_t)
+
+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+# Might be a leak, but I need a postfix expert to explain
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+
+optional_policy(`
+ clamav_search_lib(postfix_local_t)
+ clamav_exec_clamscan(postfix_local_t)
+')
+
+optional_policy(`
+# for postalias
+ mailman_manage_data_files(postfix_local_t)
+ mailman_append_log(postfix_local_t)
+ mailman_read_log(postfix_local_t)
+')
+
+optional_policy(`
+ procmail_domtrans(postfix_local_t)
+')
+
+########################################
+#
+# Postfix map local policy
+#
+allow postfix_map_t self:capability { dac_override setgid setuid };
+allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
+allow postfix_map_t self:unix_dgram_socket create_socket_perms;
+allow postfix_map_t self:tcp_socket create_stream_socket_perms;
+allow postfix_map_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+
+manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
+manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
+files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(postfix_map_t)
+kernel_dontaudit_list_proc(postfix_map_t)
+kernel_dontaudit_read_system_state(postfix_map_t)
+
+corenet_all_recvfrom_unlabeled(postfix_map_t)
+corenet_all_recvfrom_netlabel(postfix_map_t)
+corenet_tcp_sendrecv_generic_if(postfix_map_t)
+corenet_udp_sendrecv_generic_if(postfix_map_t)
+corenet_tcp_sendrecv_generic_node(postfix_map_t)
+corenet_udp_sendrecv_generic_node(postfix_map_t)
+corenet_tcp_sendrecv_all_ports(postfix_map_t)
+corenet_udp_sendrecv_all_ports(postfix_map_t)
+corenet_tcp_connect_all_ports(postfix_map_t)
+corenet_sendrecv_all_client_packets(postfix_map_t)
+
+corecmd_list_bin(postfix_map_t)
+corecmd_read_bin_symlinks(postfix_map_t)
+corecmd_read_bin_files(postfix_map_t)
+corecmd_read_bin_pipes(postfix_map_t)
+corecmd_read_bin_sockets(postfix_map_t)
+
+files_list_home(postfix_map_t)
+files_read_usr_files(postfix_map_t)
+files_read_etc_files(postfix_map_t)
+files_read_etc_runtime_files(postfix_map_t)
+files_dontaudit_search_var(postfix_map_t)
+
+auth_use_nsswitch(postfix_map_t)
+
+logging_send_syslog_msg(postfix_map_t)
+
+miscfiles_read_localization(postfix_map_t)
+
+optional_policy(`
+ locallogin_dontaudit_use_fds(postfix_map_t)
+')
+
+optional_policy(`
+# for postalias
+ mailman_manage_data_files(postfix_map_t)
+')
+
+########################################
+#
+# Postfix pickup local policy
+#
+
+allow postfix_pickup_t self:tcp_socket create_socket_perms;
+
+stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
+
+rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+
+postfix_list_spool(postfix_pickup_t)
+
+allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
+read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+########################################
+#
+# Postfix pipe local policy
+#
+
+allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
+allow postfix_pipe_t self:process setrlimit;
+
+write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
+
+write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
+
+rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+
+domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
+optional_policy(`
+ dovecot_domtrans_deliver(postfix_pipe_t)
+')
+
+optional_policy(`
+ procmail_domtrans(postfix_pipe_t)
+')
+
+optional_policy(`
+ mailman_domtrans_queue(postfix_pipe_t)
+')
+
+optional_policy(`
+ mta_manage_spool(postfix_pipe_t)
+ mta_send_mail(postfix_pipe_t)
+')
+
+optional_policy(`
+ spamassassin_domtrans_client(postfix_pipe_t)
+')
+
+optional_policy(`
+ uucp_domtrans_uux(postfix_pipe_t)
+')
+
+########################################
+#
+# Postfix postdrop local policy
+#
+
+# usually it does not need a UDP socket
+allow postfix_postdrop_t self:capability sys_resource;
+allow postfix_postdrop_t self:tcp_socket create;
+allow postfix_postdrop_t self:udp_socket create_socket_perms;
+
+rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+
+postfix_list_spool(postfix_postdrop_t)
+manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
+corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
+
+term_dontaudit_use_all_ptys(postfix_postdrop_t)
+term_dontaudit_use_all_ttys(postfix_postdrop_t)
+
+mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
+
+optional_policy(`
+ apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
+')
+
+optional_policy(`
+ cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
+')
+
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
+optional_policy(`
+ fstools_read_pipes(postfix_postdrop_t)
+')
+
+optional_policy(`
+ sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
+')
+
+optional_policy(`
+ uucp_manage_spool(postfix_postdrop_t)
+')
+
+#######################################
+#
+# Postfix postqueue local policy
+#
+
+allow postfix_postqueue_t self:tcp_socket create;
+allow postfix_postqueue_t self:udp_socket { create ioctl };
+
+# wants to write to /var/spool/postfix/public/showq
+stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)
+
+# write to /var/spool/postfix/public/qmgr
+write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
+
+domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
+
+# to write the mailq output, it really should not need read access!
+term_use_all_ptys(postfix_postqueue_t)
+term_use_all_ttys(postfix_postqueue_t)
+
+init_sigchld_script(postfix_postqueue_t)
+init_use_script_fds(postfix_postqueue_t)
+
+optional_policy(`
+ cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t)
+')
+
+optional_policy(`
+ ppp_use_fds(postfix_postqueue_t)
+ ppp_sigchld(postfix_postqueue_t)
+')
+
+########################################
+#
+# Postfix qmgr local policy
+#
+
+stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
+
+# for /var/spool/postfix/active
+manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+
+allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+
+corecmd_exec_bin(postfix_qmgr_t)
+
+########################################
+#
+# Postfix showq local policy
+#
+
+allow postfix_showq_t self:capability { setuid setgid };
+allow postfix_showq_t self:tcp_socket create_socket_perms;
+
+allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
+
+allow postfix_showq_t postfix_spool_t:file read_file_perms;
+
+postfix_list_spool(postfix_showq_t)
+
+allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
+allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
+allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
+
+# to write the mailq output, it really should not need read access!
+term_use_all_ptys(postfix_showq_t)
+term_use_all_ttys(postfix_showq_t)
+
+########################################
+#
+# Postfix smtp delivery local policy
+#
+
+# connect to master process
+allow postfix_smtp_t self:capability sys_chroot;
+stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+
+allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+
+files_search_all_mountpoints(postfix_smtp_t)
+
+optional_policy(`
+ cyrus_stream_connect(postfix_smtp_t)
+')
+
+optional_policy(`
+ milter_stream_connect_all(postfix_smtp_t)
+')
+
+########################################
+#
+# Postfix smtpd local policy
+#
+allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
+
+# connect to master process
+stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+# Connect to policy server
+corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+
+# for prng_exch
+allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
+
+corecmd_exec_bin(postfix_smtpd_t)
+
+# for OpenSSL certificates
+files_read_usr_files(postfix_smtpd_t)
+mta_read_aliases(postfix_smtpd_t)
+mta_read_config(postfix_smtpd_t)
+
+optional_policy(`
+ dovecot_stream_connect_auth(postfix_smtpd_t)
+')
+
+optional_policy(`
+ mailman_read_data_files(postfix_smtpd_t)
+')
+
+optional_policy(`
+ postgrey_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
+ sasl_connect(postfix_smtpd_t)
+')
+
+########################################
+#
+# Postfix virtual local policy
+#
+
+allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
+allow postfix_virtual_t self:process { setsched setrlimit };
+
+allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
+
+# connect to master process
+stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+corecmd_exec_shell(postfix_virtual_t)
+corecmd_exec_bin(postfix_virtual_t)
+
+files_read_etc_files(postfix_virtual_t)
+files_read_usr_files(postfix_virtual_t)
+
+mta_read_aliases(postfix_virtual_t)
+mta_delete_spool(postfix_virtual_t)
+# For reading spamassasin
+mta_read_config(postfix_virtual_t)
+mta_manage_spool(postfix_virtual_t)
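Review bot: The rule `allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };` in the local-delivery section is introduced with "Might be a leak, but I need a postfix expert to explain", which ships a new cross-domain allow with an open question instead of a rationale. The same pattern recurs for `term_use_all_ptys`/`term_use_all_ttys` on postfix_postqueue_t and on postfix_showq_t, where the comment itself says read access should not be needed. Suggest recording the decision on each, e.g. `# TODO(review): socket presumably inherited across the postdrop domtrans above; confirm read is needed and drop it otherwise`, and a similar note on the tty rules, so a later audit can narrow them rather than re-discover the doubt. Separately, the `# connect to master process` comment in the smtp section sits above `allow postfix_smtp_t self:capability sys_chroot;` rather than the stream_connect_pattern line it describes; moving the capability line above the comment keeps it attached to its rule.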
diff --git a/policy/modules/contrib/postfixpolicyd.fc b/policy/modules/contrib/postfixpolicyd.fc
new file mode 100644
index 00000000..4361cb67
--- /dev/null
+++ b/policy/modules/contrib/postfixpolicyd.fc
@@ -0,0 +1,6 @@
+/etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0)
+/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0)
+
+/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
+
+/var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
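Review bot: The first entry `/etc/policyd.conf` leaves the dot unescaped while the other entries in this file escape it (`rc\.d`, `policyd\.pid`); file_contexts paths are regular expressions, so `.` matches any character and the spec is wider than intended. Suggest `/etc/policyd\.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0)`.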
diff --git a/policy/modules/contrib/postfixpolicyd.if b/policy/modules/contrib/postfixpolicyd.if
new file mode 100644
index 00000000..feae93b0
--- /dev/null
+++ b/policy/modules/contrib/postfixpolicyd.if
@@ -0,0 +1,40 @@
+## <summary>Postfix policy server</summary>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an postfixpolicyd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the postfixpolicyd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfixpolicyd_admin',`
+ gen_require(`
+ type postfix_policyd_t, postfix_policyd_conf_t;
+ type postfix_policyd_var_run_t;
+ type postfix_policyd_initrc_exec_t;
+ ')
+
+ allow $1 postfix_policyd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postfix_policyd_t)
+
+ init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 postfix_policyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, postfix_policyd_conf_t)
+
+ files_list_pids($1)
+ admin_pattern($1, postfix_policyd_var_run_t)
+')
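Review bot: The interface summary reads "an postfixpolicyd environment"; suggest `## a postfixpolicyd environment`. The same wording appears in the postgrey_admin summary later in this commit.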
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
new file mode 100644
index 00000000..72575268
--- /dev/null
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -0,0 +1,53 @@
+policy_module(postfixpolicyd, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type postfix_policyd_t;
+type postfix_policyd_exec_t;
+init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t)
+
+type postfix_policyd_conf_t;
+files_config_file(postfix_policyd_conf_t)
+
+type postfix_policyd_initrc_exec_t;
+init_script_file(postfix_policyd_initrc_exec_t)
+
+type postfix_policyd_var_run_t;
+files_pid_file(postfix_policyd_var_run_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
+allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
+allow postfix_policyd_t self:process setrlimit;
+allow postfix_policyd_t self:unix_dgram_socket { connect create write};
+
+allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
+allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
+allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
+
+manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
+files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(postfix_policyd_t)
+corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
+corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
+corenet_tcp_sendrecv_all_ports(postfix_policyd_t)
+corenet_tcp_bind_generic_node(postfix_policyd_t)
+corenet_tcp_bind_postfix_policyd_port(postfix_policyd_t)
+corenet_tcp_bind_mysqld_port(postfix_policyd_t)
+
+files_read_etc_files(postfix_policyd_t)
+files_read_usr_files(postfix_policyd_t)
+
+logging_send_syslog_msg(postfix_policyd_t)
+
+miscfiles_read_localization(postfix_policyd_t)
+
+sysnet_dns_name_resolve(postfix_policyd_t)
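Review bot: `corenet_tcp_bind_mysqld_port(postfix_policyd_t)` lets the daemon bind the MySQL server port, yet nothing in this file lets it connect to that port or to a local mysqld socket; if policyd is a MySQL client the needed direction is presumably connect rather than bind, so this should be confirmed against the daemon before it is kept. If it is intentional, a why-comment such as `# policyd binds the mysqld port because <reason> (confirm)` would stop the next reader from treating it as a typo for `corenet_tcp_connect_mysqld_port`. Style: `{ connect create write}` in the unix_dgram_socket rule lacks the space before the closing brace used everywhere else in the file.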
diff --git a/policy/modules/contrib/postgrey.fc b/policy/modules/contrib/postgrey.fc
new file mode 100644
index 00000000..e731841c
--- /dev/null
+++ b/policy/modules/contrib/postgrey.fc
@@ -0,0 +1,12 @@
+
+/etc/postgrey(/.*)? gen_context(system_u:object_r:postgrey_etc_t,s0)
+/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_initrc_exec_t,s0)
+
+/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
+
+/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0)
+
+/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
+/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
+
+/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
diff --git a/policy/modules/contrib/postgrey.if b/policy/modules/contrib/postgrey.if
new file mode 100644
index 00000000..ad15fde7
--- /dev/null
+++ b/policy/modules/contrib/postgrey.if
@@ -0,0 +1,81 @@
+## <summary>Postfix grey-listing server</summary>
+
+########################################
+## <summary>
+## Write to postgrey socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgrey_stream_connect',`
+ gen_require(`
+ type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
+ ')
+
+ stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
+ stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Search the spool directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgrey_search_spool',`
+ gen_require(`
+ type postgrey_spool_t;
+ ')
+
+ allow $1 postgrey_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an postgrey environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the postgrey domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgrey_admin',`
+ gen_require(`
+ type postgrey_t, postgrey_etc_t;
+ type postgrey_var_lib_t, postgrey_var_run_t;
+ type postgrey_initrc_exec_t;
+ ')
+
+ allow $1 postgrey_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postgrey_t)
+
+ init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 postgrey_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, postgrey_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, postgrey_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, postgrey_var_run_t)
+')
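Review bot: `postgrey_stream_connect` connects through postgrey_spool_t, which postgrey.fc places under /var/spool/postfix/postgrey, but the interface only adds `files_search_pids($1)`; a caller without its own spool access would still be denied search on /var/spool and on the postfix spool directory above the socket. The caller in this commit (postfix_smtpd_t) already has that access, so the gap only shows up for other domains. Suggest adding `files_search_spool($1)` next to `files_search_pids($1)`, and noting in the summary that the parent postfix spool directory must be searchable by the caller.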
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
new file mode 100644
index 00000000..db843e2c
--- /dev/null
+++ b/policy/modules/contrib/postgrey.te
@@ -0,0 +1,107 @@
+policy_module(postgrey, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type postgrey_t;
+type postgrey_exec_t;
+init_daemon_domain(postgrey_t, postgrey_exec_t)
+
+type postgrey_etc_t;
+files_config_file(postgrey_etc_t)
+
+type postgrey_initrc_exec_t;
+init_script_file(postgrey_initrc_exec_t)
+
+type postgrey_spool_t;
+files_type(postgrey_spool_t)
+
+type postgrey_var_lib_t;
+files_type(postgrey_var_lib_t)
+
+type postgrey_var_run_t;
+files_pid_file(postgrey_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow postgrey_t self:capability { chown dac_override setgid setuid };
+dontaudit postgrey_t self:capability sys_tty_config;
+allow postgrey_t self:process signal_perms;
+allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:fifo_file create_fifo_file_perms;
+
+allow postgrey_t postgrey_etc_t:dir list_dir_perms;
+read_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
+read_lnk_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
+
+manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+
+manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
+files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
+
+manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
+manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
+manage_sock_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
+files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(postgrey_t)
+kernel_read_kernel_sysctls(postgrey_t)
+
+# for perl
+corecmd_search_bin(postgrey_t)
+
+corenet_all_recvfrom_unlabeled(postgrey_t)
+corenet_all_recvfrom_netlabel(postgrey_t)
+corenet_tcp_sendrecv_generic_if(postgrey_t)
+corenet_tcp_sendrecv_generic_node(postgrey_t)
+corenet_tcp_sendrecv_all_ports(postgrey_t)
+corenet_tcp_bind_generic_node(postgrey_t)
+corenet_tcp_bind_postgrey_port(postgrey_t)
+corenet_sendrecv_postgrey_server_packets(postgrey_t)
+
+dev_read_urand(postgrey_t)
+dev_read_sysfs(postgrey_t)
+
+domain_use_interactive_fds(postgrey_t)
+
+files_read_etc_files(postgrey_t)
+files_read_etc_runtime_files(postgrey_t)
+files_read_usr_files(postgrey_t)
+files_getattr_tmp_dirs(postgrey_t)
+
+fs_getattr_all_fs(postgrey_t)
+fs_search_auto_mountpoints(postgrey_t)
+
+logging_send_syslog_msg(postgrey_t)
+
+miscfiles_read_localization(postgrey_t)
+
+sysnet_read_config(postgrey_t)
+
+userdom_dontaudit_use_unpriv_user_fds(postgrey_t)
+userdom_dontaudit_search_user_home_dirs(postgrey_t)
+
+optional_policy(`
+ nis_use_ypbind(postgrey_t)
+')
+
+optional_policy(`
+ postfix_read_config(postgrey_t)
+ postfix_manage_spool_files(postgrey_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(postgrey_t)
+')
+
+optional_policy(`
+ udev_read_db(postgrey_t)
+')
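Review bot: `postfix_manage_spool_files(postgrey_t)` gives the greylisting daemon create/write/delete on every postfix_spool_t file, i.e. the mail queue, while postgrey's own socket directory is separately labeled postgrey_spool_t (postgrey.fc) and is already fully managed by the rules above. Unless postgrey is known to write postfix queue files, the least-privilege rule would be to search the parent spool only, `postfix_search_spool(postgrey_t)`, inside the same optional_policy block. If the manage rule is intentional, a comment naming what postgrey writes there would justify it for the next reader.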
diff --git a/policy/modules/contrib/ppp.fc b/policy/modules/contrib/ppp.fc
new file mode 100644
index 00000000..2d82c6d0
--- /dev/null
+++ b/policy/modules/contrib/ppp.fc
@@ -0,0 +1,38 @@
+#
+# /etc
+#
+/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
+/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
+/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
+/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
+/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
+
+#
+# /sbin
+#
+/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+
+#
+# /var
+#
+/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
+# Fix pptp sockets
+/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+
+/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
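Review bot: `/root/.ppprc` leaves the dot unescaped while neighbouring entries escape it (`rc\.d`, `resolv\.conf`); file_contexts paths are regexes, so this spec also matches /root/Xppprc for any character X. Suggest `/root/\.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)`.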
diff --git a/policy/modules/contrib/ppp.if b/policy/modules/contrib/ppp.if
new file mode 100644
index 00000000..de4bdb7e
--- /dev/null
+++ b/policy/modules/contrib/ppp.if
@@ -0,0 +1,390 @@
+## <summary>Point to Point Protocol daemon creates links in ppp networks</summary>
+
+########################################
+## <summary>
+## Use PPP file discriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_use_fds',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit
+## and use PPP file discriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ppp_dontaudit_use_fds',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ dontaudit $1 pppd_t:fd use;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to PPP.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_sigchld',`
+ gen_require(`
+ type pppd_t;
+
+ ')
+
+ allow $1 pppd_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send ppp a kill signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`ppp_kill',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send a generic signal to PPP.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_signal',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process signal;
+')
+
+########################################
+## <summary>
+## Send a generic signull to PPP.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_signull',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process signull;
+')
+
+########################################
+## <summary>
+## Execute domain in the ppp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ppp_domtrans',`
+ gen_require(`
+ type pppd_t, pppd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pppd_exec_t, pppd_t)
+')
+
+########################################
+## <summary>
+## Conditionally execute ppp daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the ppp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ppp_run_cond',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ role $2 types pppd_t;
+
+ tunable_policy(`pppd_for_user',`
+ ppp_domtrans($1)
+ ')
+')
+
+########################################
+## <summary>
+## Unconditionally execute ppp daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the ppp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ppp_run',`
+ gen_require(`
+ attribute_role pppd_roles;
+ ')
+
+ ppp_domtrans($1)
+ roleattribute $2 pppd_roles;
+')
+
+########################################
+## <summary>
+## Execute domain in the ppp caller.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_exec',`
+ gen_require(`
+ type pppd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, pppd_exec_t)
+')
+
+########################################
+## <summary>
+## Read ppp configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_config',`
+ gen_require(`
+ type pppd_etc_t;
+ ')
+
+ read_files_pattern($1, pppd_etc_t, pppd_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Read PPP-writable configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_rw_config',`
+ gen_require(`
+ type pppd_etc_t, pppd_etc_rw_t;
+ ')
+
+ allow $1 pppd_etc_t:dir list_dir_perms;
+ allow $1 pppd_etc_rw_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Read PPP secrets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_secrets',`
+ gen_require(`
+ type pppd_etc_t, pppd_secret_t;
+ ')
+
+ allow $1 pppd_etc_t:dir list_dir_perms;
+ allow $1 pppd_secret_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Read PPP pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_pid_files',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
+ allow $1 pppd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete PPP pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_manage_pid_files',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
+ allow $1 pppd_var_run_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete PPP pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_pid_filetrans',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
+ files_pid_filetrans($1, pppd_var_run_t, file)
+')
+
+########################################
+## <summary>
+## Execute ppp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ppp_initrc_domtrans',`
+ gen_require(`
+ type pppd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, pppd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ppp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ppp_admin',`
+ gen_require(`
+ type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
+ type pppd_etc_t, pppd_secret_t;
+ type pppd_etc_rw_t, pppd_var_run_t;
+
+ type pptp_t, pptp_log_t, pptp_var_run_t;
+ type pppd_initrc_exec_t;
+ ')
+
+ allow $1 pppd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, pppd_t)
+
+ ppp_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 pppd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, pppd_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, pppd_log_t)
+
+ admin_pattern($1, pppd_lock_t)
+
+ files_list_etc($1)
+ admin_pattern($1, pppd_etc_t)
+
+ admin_pattern($1, pppd_etc_rw_t)
+
+ admin_pattern($1, pppd_secret_t)
+
+ files_list_pids($1)
+ admin_pattern($1, pppd_var_run_t)
+
+ allow $1 pptp_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, pptp_t)
+
+ admin_pattern($1, pptp_log_t)
+
+ admin_pattern($1, pptp_var_run_t)
+')
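Review bot: `ppp_admin` uses `$2` (role_transition and `allow $2 system_r;`) but documents only the `domain` parameter; add a `<param name="role">` block with summary "Role allowed access." as `prelude_admin` in this commit does. Two summaries are copy-paste errors: `ppp_initrc_domtrans` claims to "Execute ppp server in the ntpd domain" (it runs the ppp init script in the initrc domain), and `ppp_pid_filetrans` repeats the manage_pid_files text instead of describing the file transition in /var/run. `ppp_run` and `ppp_run_cond` also differ in how the role is granted (`roleattribute $2 pppd_roles` covers pptp_t too, `role $2 types pppd_t` does not); a one-line comment on each saying which is intended would help. "discriptors" in ppp_use_fds and ppp_dontaudit_use_fds is misspelled.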
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
new file mode 100644
index 00000000..bcbf9acb
--- /dev/null
+++ b/policy/modules/contrib/ppp.te
@@ -0,0 +1,325 @@
+policy_module(ppp, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow pppd to load kernel modules for certain modems
+## </p>
+## </desc>
+gen_tunable(pppd_can_insmod, false)
+
+## <desc>
+## <p>
+## Allow pppd to be run for a regular user
+## </p>
+## </desc>
+gen_tunable(pppd_for_user, false)
+
+attribute_role pppd_roles;
+
+# pppd_t is the domain for the pppd program.
+# pppd_exec_t is the type of the pppd executable.
+type pppd_t;
+type pppd_exec_t;
+init_daemon_domain(pppd_t, pppd_exec_t)
+role pppd_roles types pppd_t;
+
+type pppd_devpts_t;
+term_pty(pppd_devpts_t)
+
+# Define a separate type for /etc/ppp
+type pppd_etc_t;
+files_config_file(pppd_etc_t)
+
+# Define a separate type for writable files under /etc/ppp
+type pppd_etc_rw_t;
+files_type(pppd_etc_rw_t)
+
+type pppd_initrc_exec_t alias pppd_script_exec_t;
+init_script_file(pppd_initrc_exec_t)
+
+# pppd_secret_t is the type of the pap and chap password files
+type pppd_secret_t;
+files_type(pppd_secret_t)
+
+type pppd_log_t;
+logging_log_file(pppd_log_t)
+
+type pppd_lock_t;
+files_lock_file(pppd_lock_t)
+
+type pppd_tmp_t;
+files_tmp_file(pppd_tmp_t)
+
+type pppd_var_run_t;
+files_pid_file(pppd_var_run_t)
+
+type pptp_t;
+type pptp_exec_t;
+init_daemon_domain(pptp_t, pptp_exec_t)
+role pppd_roles types pptp_t;
+
+type pptp_log_t;
+logging_log_file(pptp_log_t)
+
+type pptp_var_run_t;
+files_pid_file(pptp_var_run_t)
+
+########################################
+#
+# PPPD Local policy
+#
+
+allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
+dontaudit pppd_t self:capability sys_tty_config;
+allow pppd_t self:process { getsched signal };
+allow pppd_t self:fifo_file rw_fifo_file_perms;
+allow pppd_t self:socket create_socket_perms;
+allow pppd_t self:unix_dgram_socket create_socket_perms;
+allow pppd_t self:unix_stream_socket create_socket_perms;
+allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
+allow pppd_t self:tcp_socket create_stream_socket_perms;
+allow pppd_t self:udp_socket { connect connected_socket_perms };
+allow pppd_t self:packet_socket create_socket_perms;
+
+domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+
+allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
+
+allow pppd_t pppd_etc_t:dir rw_dir_perms;
+allow pppd_t pppd_etc_t:file read_file_perms;
+allow pppd_t pppd_etc_t:lnk_file { getattr read };
+
+manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
+# Automatically label newly created files under /etc/ppp with this type
+filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
+
+allow pppd_t pppd_lock_t:file manage_file_perms;
+files_lock_filetrans(pppd_t, pppd_lock_t, file)
+
+allow pppd_t pppd_log_t:file manage_file_perms;
+logging_log_filetrans(pppd_t, pppd_log_t, file)
+
+manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
+manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
+files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
+
+manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
+files_pid_filetrans(pppd_t, pppd_var_run_t, file)
+
+allow pppd_t pptp_t:process signal;
+
+# for SSP
+# Access secret files
+allow pppd_t pppd_secret_t:file read_file_perms;
+
+ppp_initrc_domtrans(pppd_t)
+
+kernel_read_kernel_sysctls(pppd_t)
+kernel_read_system_state(pppd_t)
+kernel_rw_net_sysctls(pppd_t)
+kernel_read_network_state(pppd_t)
+kernel_request_load_module(pppd_t)
+
+dev_read_urand(pppd_t)
+dev_search_sysfs(pppd_t)
+dev_read_sysfs(pppd_t)
+dev_rw_modem(pppd_t)
+
+corenet_all_recvfrom_unlabeled(pppd_t)
+corenet_all_recvfrom_netlabel(pppd_t)
+corenet_tcp_sendrecv_generic_if(pppd_t)
+corenet_raw_sendrecv_generic_if(pppd_t)
+corenet_udp_sendrecv_generic_if(pppd_t)
+corenet_tcp_sendrecv_generic_node(pppd_t)
+corenet_raw_sendrecv_generic_node(pppd_t)
+corenet_udp_sendrecv_generic_node(pppd_t)
+corenet_tcp_sendrecv_all_ports(pppd_t)
+corenet_udp_sendrecv_all_ports(pppd_t)
+# Access /dev/ppp.
+corenet_rw_ppp_dev(pppd_t)
+
+fs_getattr_all_fs(pppd_t)
+fs_search_auto_mountpoints(pppd_t)
+
+term_use_unallocated_ttys(pppd_t)
+term_setattr_unallocated_ttys(pppd_t)
+term_ioctl_generic_ptys(pppd_t)
+# for pppoe
+term_create_pty(pppd_t, pppd_devpts_t)
+
+# allow running ip-up and ip-down scripts and running chat.
+corecmd_exec_bin(pppd_t)
+corecmd_exec_shell(pppd_t)
+
+domain_use_interactive_fds(pppd_t)
+
+files_exec_etc_files(pppd_t)
+files_manage_etc_runtime_files(pppd_t)
+files_dontaudit_write_etc_files(pppd_t)
+
+# for scripts
+files_read_etc_files(pppd_t)
+
+init_read_utmp(pppd_t)
+init_dontaudit_write_utmp(pppd_t)
+init_signal_script(pppd_t)
+
+auth_use_nsswitch(pppd_t)
+
+logging_send_syslog_msg(pppd_t)
+logging_send_audit_msgs(pppd_t)
+
+miscfiles_read_localization(pppd_t)
+
+sysnet_exec_ifconfig(pppd_t)
+sysnet_manage_config(pppd_t)
+sysnet_etc_filetrans_config(pppd_t)
+
+userdom_use_user_terminals(pppd_t)
+userdom_dontaudit_use_unpriv_user_fds(pppd_t)
+userdom_search_user_home_dirs(pppd_t)
+
+ppp_exec(pppd_t)
+
+optional_policy(`
+ ddclient_run(pppd_t, pppd_roles)
+')
+
+optional_policy(`
+ tunable_policy(`pppd_can_insmod',`
+ modutils_domtrans_insmod(pppd_t)
+ ')
+')
+
+optional_policy(`
+ mta_send_mail(pppd_t)
+')
+
+optional_policy(`
+ networkmanager_signal(pppd_t)
+')
+
+optional_policy(`
+ postfix_domtrans_master(pppd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(pppd_t)
+')
+
+optional_policy(`
+ udev_read_db(pppd_t)
+')
+
+########################################
+#
+# PPTP Local policy
+#
+
+allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
+dontaudit pptp_t self:capability sys_tty_config;
+allow pptp_t self:process signal;
+allow pptp_t self:fifo_file rw_fifo_file_perms;
+allow pptp_t self:unix_dgram_socket create_socket_perms;
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow pptp_t self:rawip_socket create_socket_perms;
+allow pptp_t self:tcp_socket create_socket_perms;
+allow pptp_t self:udp_socket create_socket_perms;
+allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow pptp_t pppd_etc_t:dir list_dir_perms;
+allow pptp_t pppd_etc_t:file read_file_perms;
+allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+
+allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
+allow pptp_t pppd_etc_rw_t:file read_file_perms;
+allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
+can_exec(pptp_t, pppd_etc_rw_t)
+
+# Allow pptp to append to pppd log files
+allow pptp_t pppd_log_t:file append_file_perms;
+
+allow pptp_t pptp_log_t:file manage_file_perms;
+logging_log_filetrans(pptp_t, pptp_log_t, file)
+
+manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
+manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
+files_pid_filetrans(pptp_t, pptp_var_run_t, file)
+
+kernel_list_proc(pptp_t)
+kernel_read_kernel_sysctls(pptp_t)
+kernel_read_proc_symlinks(pptp_t)
+kernel_read_system_state(pptp_t)
+
+dev_read_sysfs(pptp_t)
+
+corecmd_exec_shell(pptp_t)
+corecmd_read_bin_symlinks(pptp_t)
+
+corenet_all_recvfrom_unlabeled(pptp_t)
+corenet_all_recvfrom_netlabel(pptp_t)
+corenet_tcp_sendrecv_generic_if(pptp_t)
+corenet_raw_sendrecv_generic_if(pptp_t)
+corenet_tcp_sendrecv_generic_node(pptp_t)
+corenet_raw_sendrecv_generic_node(pptp_t)
+corenet_tcp_sendrecv_all_ports(pptp_t)
+corenet_tcp_bind_generic_node(pptp_t)
+corenet_tcp_connect_generic_port(pptp_t)
+corenet_tcp_connect_all_reserved_ports(pptp_t)
+corenet_sendrecv_generic_client_packets(pptp_t)
+
+files_read_etc_files(pptp_t)
+
+fs_getattr_all_fs(pptp_t)
+fs_search_auto_mountpoints(pptp_t)
+
+term_ioctl_generic_ptys(pptp_t)
+term_search_ptys(pptp_t)
+term_use_ptmx(pptp_t)
+
+domain_use_interactive_fds(pptp_t)
+
+auth_use_nsswitch(pptp_t)
+
+logging_send_syslog_msg(pptp_t)
+
+miscfiles_read_localization(pptp_t)
+
+sysnet_exec_ifconfig(pptp_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pptp_t)
+userdom_dontaudit_search_user_home_dirs(pptp_t)
+userdom_signal_unpriv_users(pptp_t)
+
+optional_policy(`
+ consoletype_exec(pppd_t)
+')
+
+optional_policy(`
+ dbus_system_domain(pppd_t, pppd_exec_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(pppd_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(pptp_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(pptp_t)
+')
+
+optional_policy(`
+ udev_read_db(pptp_t)
+')
+
+optional_policy(`
+ postfix_read_config(pppd_t)
+')
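Review bot: The optional_policy blocks at the end of the file for consoletype_exec, dbus_system_domain/networkmanager_dbus_chat and postfix_read_config grant to pppd_t but sit under the "PPTP Local policy" header; move them up into the PPPD section so each domain's grants can be reviewed in one place. `can_exec(pptp_t, pppd_etc_rw_t)` lets pptp execute files of a type that pppd_t creates and manages, while the file contexts in this commit label the up/down scripts pppd_initrc_exec_t rather than pppd_etc_rw_t, so a comment naming the script that needs this would make the grant auditable, e.g. `# pptp runs <SCRIPT-PLACEHOLDER> from /etc/ppp -- confirm`. The `# for SSP` comment above the secret-file rule looks detached from what it describes (the urandom read is further down); move it onto `dev_read_urand(pppd_t)` or drop it.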
diff --git a/policy/modules/contrib/prelink.fc b/policy/modules/contrib/prelink.fc
new file mode 100644
index 00000000..ec0e76a4
--- /dev/null
+++ b/policy/modules/contrib/prelink.fc
@@ -0,0 +1,11 @@
+/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
+
+/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
+
+/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
+
+/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
+
+/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
+/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff --git a/policy/modules/contrib/prelink.if b/policy/modules/contrib/prelink.if
new file mode 100644
index 00000000..93ec1755
--- /dev/null
+++ b/policy/modules/contrib/prelink.if
@@ -0,0 +1,204 @@
+## <summary>Prelink ELF shared library mappings.</summary>
+
+########################################
+## <summary>
+## Execute the prelink program in the prelink domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prelink_domtrans',`
+ gen_require(`
+ type prelink_t, prelink_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, prelink_exec_t, prelink_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit prelink_t $1:socket_class_set { read write };
+ dontaudit prelink_t $1:fifo_file setattr;
+ ')
+')
+
+########################################
+## <summary>
+## Execute the prelink program in the current domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_exec',`
+ gen_require(`
+ type prelink_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, prelink_exec_t)
+')
+
+########################################
+## <summary>
+## Execute the prelink program in the prelink domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the prelink domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`prelink_run',`
+ gen_require(`
+ type prelink_t;
+ ')
+
+ prelink_domtrans($1)
+ role $2 types prelink_t;
+')
+
+########################################
+## <summary>
+## Make the specified file type prelinkable.
+## </summary>
+## <param name="file_type">
+## <summary>
+## File type to be prelinked.
+## </summary>
+## </param>
+#
+# cjp: added for misc non-entrypoint objects
+interface(`prelink_object_file',`
+ gen_require(`
+ attribute prelink_object;
+ ')
+
+ typeattribute $1 prelink_object;
+')
+
+########################################
+## <summary>
+## Read the prelink cache.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_read_cache',`
+ gen_require(`
+ type prelink_cache_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 prelink_cache_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Delete the prelink cache.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_delete_cache',`
+ gen_require(`
+ type prelink_cache_t;
+ ')
+
+ allow $1 prelink_cache_t:file unlink;
+ files_rw_etc_dirs($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## prelink log files.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_manage_log',`
+ gen_require(`
+ type prelink_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, prelink_log_t, prelink_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## prelink var_lib files.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_manage_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
+
+########################################
+## <summary>
+## Relabel from files in the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_relabelfrom_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
+
+########################################
+## <summary>
+## Relabel from files in the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_relabel_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
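Review bot: `prelink_relabelfrom_lib` and `prelink_relabel_lib` carry the summary "Relabel from files in the /boot directory." although both operate on prelink_var_lib_t; change them to `## Relabel from prelink var_lib files.` and `## Relabel prelink var_lib files.`. `prelink_read_cache`, `prelink_delete_cache`, `prelink_manage_log` and `prelink_manage_lib` document their argument as `<param name="file_type">` with the summary "Domain allowed access."; the argument is a domain, so the name should be `domain` as in the other interfaces. `prelink_run` reuses the `prelink_domtrans` summary and omits that it also assigns the role to prelink_t.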
diff --git a/policy/modules/contrib/prelink.te b/policy/modules/contrib/prelink.te
new file mode 100644
index 00000000..af553699
--- /dev/null
+++ b/policy/modules/contrib/prelink.te
@@ -0,0 +1,164 @@
+policy_module(prelink, 1.10.0)
+
+########################################
+#
+# Declarations
+
+attribute prelink_object;
+
+type prelink_t;
+type prelink_exec_t;
+init_system_domain(prelink_t, prelink_exec_t)
+domain_obj_id_change_exemption(prelink_t)
+
+type prelink_cache_t;
+files_type(prelink_cache_t)
+
+type prelink_cron_system_t;
+type prelink_cron_system_exec_t;
+domain_type(prelink_cron_system_t)
+domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
+
+type prelink_log_t;
+logging_log_file(prelink_log_t)
+
+type prelink_tmp_t;
+files_tmp_file(prelink_tmp_t)
+
+type prelink_tmpfs_t;
+files_tmpfs_file(prelink_tmpfs_t)
+
+type prelink_var_lib_t;
+files_type(prelink_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
+allow prelink_t self:process { execheap execmem execstack signal };
+allow prelink_t self:fifo_file rw_fifo_file_perms;
+
+allow prelink_t prelink_cache_t:file manage_file_perms;
+files_etc_filetrans(prelink_t, prelink_cache_t, file)
+
+allow prelink_t prelink_log_t:dir setattr;
+create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+logging_log_filetrans(prelink_t, prelink_log_t, file)
+
+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
+files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
+
+allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
+fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
+
+manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
+
+# prelink misc objects that are not system
+# libraries or entrypoints
+allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
+
+kernel_read_system_state(prelink_t)
+kernel_read_kernel_sysctls(prelink_t)
+
+corecmd_manage_all_executables(prelink_t)
+corecmd_relabel_all_executables(prelink_t)
+corecmd_mmap_all_executables(prelink_t)
+corecmd_read_bin_symlinks(prelink_t)
+
+dev_read_urand(prelink_t)
+
+files_list_all(prelink_t)
+files_getattr_all_files(prelink_t)
+files_write_non_security_dirs(prelink_t)
+files_read_etc_files(prelink_t)
+files_read_etc_runtime_files(prelink_t)
+files_dontaudit_read_all_symlinks(prelink_t)
+files_manage_usr_files(prelink_t)
+files_manage_var_files(prelink_t)
+files_relabelfrom_usr_files(prelink_t)
+
+fs_getattr_xattr_fs(prelink_t)
+
+selinux_get_enforce_mode(prelink_t)
+
+libs_exec_ld_so(prelink_t)
+libs_legacy_use_shared_libs(prelink_t)
+libs_manage_ld_so(prelink_t)
+libs_relabel_ld_so(prelink_t)
+libs_manage_shared_libs(prelink_t)
+libs_relabel_shared_libs(prelink_t)
+libs_delete_lib_symlinks(prelink_t)
+
+miscfiles_read_localization(prelink_t)
+
+userdom_use_user_terminals(prelink_t)
+
+optional_policy(`
+ amanda_manage_lib(prelink_t)
+')
+
+optional_policy(`
+ cron_system_entry(prelink_t, prelink_exec_t)
+')
+
+optional_policy(`
+ rpm_manage_tmp_files(prelink_t)
+')
+
+optional_policy(`
+ unconfined_domain(prelink_t)
+')
+
+########################################
+#
+# Prelink Cron system Policy
+#
+
+optional_policy(`
+ allow prelink_cron_system_t self:capability setuid;
+ allow prelink_cron_system_t self:process { setsched setfscreate signal };
+ allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
+ allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
+
+ read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
+ allow prelink_cron_system_t prelink_cache_t:file unlink;
+
+ domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
+ allow prelink_cron_system_t prelink_t:process noatsecure;
+
+ manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t)
+
+ manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
+ files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
+ allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
+
+ kernel_read_system_state(prelink_cron_system_t)
+
+ corecmd_exec_bin(prelink_cron_system_t)
+ corecmd_exec_shell(prelink_cron_system_t)
+
+ files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
+ files_read_etc_files(prelink_cron_system_t)
+ files_search_var_lib(prelink_cron_system_t)
+
+ init_exec(prelink_cron_system_t)
+
+ libs_exec_ld_so(prelink_cron_system_t)
+
+ logging_search_logs(prelink_cron_system_t)
+
+ miscfiles_read_localization(prelink_cron_system_t)
+
+ cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+
+ optional_policy(`
+ rpm_read_db(prelink_cron_system_t)
+ ')
+')
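Review bot: The optional `unconfined_domain(prelink_t)` block makes prelink_t unconfined whenever the unconfined module is built, which supersedes every targeted grant above it (manage/relabel of all executables and shared libraries, execmem/execstack); a comment stating why full unconfinement is required, or a tunable guarding it, would let a policy reviewer see that this is deliberate rather than a leftover. The "Declarations" banner is also missing its closing `#` line, unlike the "Local policy" and "Prelink Cron system Policy" banners.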
diff --git a/policy/modules/contrib/prelude.fc b/policy/modules/contrib/prelude.fc
new file mode 100644
index 00000000..3bd847af
--- /dev/null
+++ b/policy/modules/contrib/prelude.fc
@@ -0,0 +1,18 @@
+/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0)
+/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+
+/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+
+/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0)
+/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
+/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
+/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
+
+/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
+/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0)
+/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
+/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
+/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
+/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
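Review bot: The literal dot in `/var/run/prelude-lml.pid` is unescaped, whereas prelink.fc in this commit escapes its dots (`prelink\.cache`); as written `.` matches any character, so it should be `/var/run/prelude-lml\.pid`. `/var/log/prelude.*` may be intentionally loose, but if it is meant to match only prelude-prefixed logs a comment saying so would help. The `gen_context(...)` spacing also varies between lines (`, s0` vs `,s0`); pick one form.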
diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if
new file mode 100644
index 00000000..23166537
--- /dev/null
+++ b/policy/modules/contrib/prelude.if
@@ -0,0 +1,144 @@
+## <summary>Prelude hybrid intrusion detection system</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run prelude.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prelude_domtrans',`
+ gen_require(`
+ type prelude_t, prelude_exec_t;
+ ')
+
+ domtrans_pattern($1, prelude_exec_t, prelude_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run prelude_audisp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prelude_domtrans_audisp',`
+ gen_require(`
+ type prelude_audisp_t, prelude_audisp_exec_t;
+ ')
+
+ domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
+')
+
+########################################
+## <summary>
+## Signal the prelude_audisp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed acccess.
+## </summary>
+## </param>
+#
+interface(`prelude_signal_audisp',`
+ gen_require(`
+ type prelude_audisp_t;
+ ')
+
+ allow $1 prelude_audisp_t:process signal;
+')
+
+########################################
+## <summary>
+## Read the prelude spool files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelude_read_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+## <summary>
+## Manage to prelude-manager spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelude_manage_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
+ manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an prelude environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`prelude_admin',`
+ gen_require(`
+ type prelude_t, prelude_spool_t;
+ type prelude_var_run_t, prelude_var_lib_t;
+ type prelude_audisp_t, prelude_audisp_var_run_t;
+ type prelude_initrc_exec_t;
+
+ type prelude_lml_t, prelude_lml_tmp_t;
+ type prelude_lml_var_run_t;
+ ')
+
+ allow $1 prelude_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prelude_t)
+
+ allow $1 prelude_audisp_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prelude_audisp_t)
+
+ allow $1 prelude_lml_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prelude_lml_t)
+
+ init_labeled_script_domtrans($1, prelude_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 prelude_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, prelude_spool_t)
+ admin_pattern($1, prelude_var_lib_t)
+ admin_pattern($1, prelude_var_run_t)
+ admin_pattern($1, prelude_audisp_var_run_t)
+ admin_pattern($1, prelude_lml_tmp_t)
+ admin_pattern($1, prelude_lml_var_run_t)
+')
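Review bot: `prelude_domtrans` and `prelude_domtrans_audisp` call domtrans_pattern without a preceding `corecmd_search_bin($1)`, unlike `ppp_domtrans` and `prelink_domtrans` in this commit; add `corecmd_search_bin($1)` before each domtrans_pattern line unless callers are known to already search the bin directories. `prelude_admin` covers prelude_t, prelude_audisp_t and prelude_lml_t but not prelude_correlator_t, prelude_correlator_config_t or prelude_log_t, which prelude.te declares in the same commit, so an admin role cannot manage those; either document the omission or add them. Summary text: "Manage to prelude-manager spool files." should read "Manage prelude-manager spool files.", and "acccess" in prelude_signal_audisp is misspelled.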
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
new file mode 100644
index 00000000..b1bc02c7
--- /dev/null
+++ b/policy/modules/contrib/prelude.te
@@ -0,0 +1,308 @@
+policy_module(prelude, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type prelude_t;
+type prelude_exec_t;
+init_daemon_domain(prelude_t, prelude_exec_t)
+
+type prelude_initrc_exec_t;
+init_script_file(prelude_initrc_exec_t)
+
+type prelude_spool_t;
+files_type(prelude_spool_t)
+
+type prelude_log_t;
+logging_log_file(prelude_log_t)
+
+type prelude_var_run_t;
+files_pid_file(prelude_var_run_t)
+
+type prelude_var_lib_t;
+files_type(prelude_var_lib_t)
+
+type prelude_audisp_t;
+type prelude_audisp_exec_t;
+init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t)
+logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t)
+
+type prelude_audisp_var_run_t;
+files_pid_file(prelude_audisp_var_run_t)
+
+type prelude_correlator_t;
+type prelude_correlator_exec_t;
+init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t)
+role system_r types prelude_correlator_t;
+
+type prelude_correlator_config_t;
+files_config_file(prelude_correlator_config_t)
+
+type prelude_lml_t;
+type prelude_lml_exec_t;
+init_daemon_domain(prelude_lml_t, prelude_lml_exec_t)
+
+type prelude_lml_tmp_t;
+files_tmp_file(prelude_lml_tmp_t)
+
+type prelude_lml_var_run_t;
+files_pid_file(prelude_lml_var_run_t)
+
+########################################
+#
+# prelude local policy
+#
+
+allow prelude_t self:capability { dac_override sys_tty_config };
+allow prelude_t self:fifo_file rw_file_perms;
+allow prelude_t self:unix_stream_socket create_stream_socket_perms;
+allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t)
+logging_log_filetrans(prelude_t, prelude_log_t, file)
+
+manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
+files_search_spool(prelude_t)
+
+manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
+manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
+files_search_var_lib(prelude_t)
+
+manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file })
+
+kernel_read_system_state(prelude_t)
+kernel_read_sysctl(prelude_t)
+
+corecmd_search_bin(prelude_t)
+
+corenet_all_recvfrom_unlabeled(prelude_t)
+corenet_all_recvfrom_netlabel(prelude_t)
+corenet_tcp_sendrecv_generic_if(prelude_t)
+corenet_tcp_sendrecv_generic_node(prelude_t)
+corenet_tcp_bind_generic_node(prelude_t)
+corenet_tcp_bind_prelude_port(prelude_t)
+corenet_tcp_connect_prelude_port(prelude_t)
+corenet_tcp_connect_postgresql_port(prelude_t)
+corenet_tcp_connect_mysqld_port(prelude_t)
+
+dev_read_rand(prelude_t)
+dev_read_urand(prelude_t)
+
+files_read_etc_files(prelude_t)
+files_read_etc_runtime_files(prelude_t)
+files_read_usr_files(prelude_t)
+files_search_tmp(prelude_t)
+
+fs_rw_anon_inodefs_files(prelude_t)
+
+auth_use_nsswitch(prelude_t)
+
+logging_send_audit_msgs(prelude_t)
+logging_send_syslog_msg(prelude_t)
+
+miscfiles_read_localization(prelude_t)
+
+optional_policy(`
+ mysql_search_db(prelude_t)
+ mysql_stream_connect(prelude_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(prelude_t)
+')
+
+########################################
+#
+# prelude_audisp local policy
+#
+
+allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap };
+allow prelude_audisp_t self:process { getcap setcap };
+allow prelude_audisp_t self:fifo_file rw_file_perms;
+allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
+allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
+allow prelude_audisp_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_audisp_t self:tcp_socket create_socket_perms;
+
+manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
+files_search_spool(prelude_audisp_t)
+
+manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
+files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file)
+
+kernel_read_sysctl(prelude_audisp_t)
+kernel_read_system_state(prelude_audisp_t)
+
+corecmd_search_bin(prelude_audisp_t)
+
+corenet_all_recvfrom_unlabeled(prelude_audisp_t)
+corenet_all_recvfrom_netlabel(prelude_audisp_t)
+corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
+corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
+corenet_tcp_bind_generic_node(prelude_audisp_t)
+corenet_tcp_connect_prelude_port(prelude_audisp_t)
+
+dev_read_rand(prelude_audisp_t)
+dev_read_urand(prelude_audisp_t)
+
+# Init script handling
+domain_use_interactive_fds(prelude_audisp_t)
+
+files_read_etc_files(prelude_audisp_t)
+files_read_etc_runtime_files(prelude_audisp_t)
+files_search_tmp(prelude_audisp_t)
+
+logging_send_syslog_msg(prelude_audisp_t)
+
+miscfiles_read_localization(prelude_audisp_t)
+
+sysnet_dns_name_resolve(prelude_audisp_t)
+
+########################################
+#
+# prelude_correlator local policy
+#
+
+allow prelude_correlator_t self:capability dac_override;
+allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
+allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
+
+allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
+read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
+
+kernel_read_sysctl(prelude_correlator_t)
+
+corecmd_search_bin(prelude_correlator_t)
+
+corenet_all_recvfrom_unlabeled(prelude_correlator_t)
+corenet_all_recvfrom_netlabel(prelude_correlator_t)
+corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
+corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
+corenet_tcp_connect_prelude_port(prelude_correlator_t)
+
+dev_read_rand(prelude_correlator_t)
+dev_read_urand(prelude_correlator_t)
+
+files_read_etc_files(prelude_correlator_t)
+files_read_usr_files(prelude_correlator_t)
+files_search_spool(prelude_correlator_t)
+
+logging_send_syslog_msg(prelude_correlator_t)
+
+miscfiles_read_localization(prelude_correlator_t)
+
+sysnet_dns_name_resolve(prelude_correlator_t)
+
+prelude_manage_spool(prelude_correlator_t)
+
+########################################
+#
+# prelude_lml local declarations
+#
+
+allow prelude_lml_t self:capability dac_override;
+allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
+allow prelude_lml_t self:unix_dgram_socket { write create connect };
+allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
+allow prelude_lml_t self:unix_stream_socket connectto;
+
+manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir })
+files_list_tmp(prelude_lml_t)
+
+manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+files_search_spool(prelude_lml_t)
+
+manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+files_search_var_lib(prelude_lml_t)
+
+manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
+files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
+
+kernel_read_system_state(prelude_lml_t)
+kernel_read_sysctl(prelude_lml_t)
+
+corecmd_exec_bin(prelude_lml_t)
+
+corenet_tcp_sendrecv_generic_if(prelude_lml_t)
+corenet_tcp_sendrecv_generic_node(prelude_lml_t)
+corenet_tcp_recvfrom_netlabel(prelude_lml_t)
+corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
+corenet_sendrecv_unlabeled_packets(prelude_lml_t)
+corenet_tcp_connect_prelude_port(prelude_lml_t)
+
+dev_read_rand(prelude_lml_t)
+dev_read_urand(prelude_lml_t)
+
+files_list_etc(prelude_lml_t)
+files_read_etc_files(prelude_lml_t)
+files_read_etc_runtime_files(prelude_lml_t)
+
+fs_getattr_all_fs(prelude_lml_t)
+fs_list_inotifyfs(prelude_lml_t)
+fs_rw_anon_inodefs_files(prelude_lml_t)
+
+auth_use_nsswitch(prelude_lml_t)
+
+libs_exec_lib_files(prelude_lml_t)
+libs_read_lib_files(prelude_lml_t)
+
+logging_send_syslog_msg(prelude_lml_t)
+logging_read_generic_logs(prelude_lml_t)
+
+miscfiles_read_localization(prelude_lml_t)
+
+sysnet_dns_name_resolve(prelude_lml_t)
+
+userdom_read_all_users_state(prelude_lml_t)
+
+optional_policy(`
+ apache_search_sys_content(prelude_lml_t)
+ apache_read_log(prelude_lml_t)
+')
+
+########################################
+#
+# prewikka_cgi Declarations
+#
+
+optional_policy(`
+ apache_content_template(prewikka)
+
+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+
+ files_read_etc_files(httpd_prewikka_script_t)
+ files_search_tmp(httpd_prewikka_script_t)
+
+ kernel_read_sysctl(httpd_prewikka_script_t)
+ kernel_search_network_sysctl(httpd_prewikka_script_t)
+
+ corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)
+
+ auth_use_nsswitch(httpd_prewikka_script_t)
+
+ logging_send_syslog_msg(httpd_prewikka_script_t)
+
+ apache_search_sys_content(httpd_prewikka_script_t)
+
+ optional_policy(`
+ mysql_search_db(httpd_prewikka_script_t)
+ mysql_stream_connect(httpd_prewikka_script_t)
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_prewikka_script_t)
+ ')
+')
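Review bot: The section header `# prelude_lml local declarations` (above `allow prelude_lml_t self:capability dac_override;`) introduces access rules, not declarations, and every sibling section in this file is titled `local policy`; rename it to `# prelude_lml local policy` so the four domain sections read the same way. In the correlator section, `files_search_spool(prelude_correlator_t)` duplicates what `prelude_manage_spool(prelude_correlator_t)` already grants a few lines later (the interface body shown earlier in this diff calls `files_search_spool($1)` itself), so one of the two can go. The hand-written set in `allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };` differs from the `create_socket_perms`/`create_stream_socket_perms` macros used for the other three domains; if the narrower set is deliberate, a one-line comment saying so would keep a later cleanup from silently widening it.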
diff --git a/policy/modules/contrib/privoxy.fc b/policy/modules/contrib/privoxy.fc
new file mode 100644
index 00000000..be4998ab
--- /dev/null
+++ b/policy/modules/contrib/privoxy.fc
@@ -0,0 +1,6 @@
+/etc/privoxy/[^/]*\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0)
+
+/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
+
+/var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0)
diff --git a/policy/modules/contrib/privoxy.if b/policy/modules/contrib/privoxy.if
new file mode 100644
index 00000000..afd17516
--- /dev/null
+++ b/policy/modules/contrib/privoxy.if
@@ -0,0 +1,42 @@
+## <summary>Privacy enhancing web proxy.</summary>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an privoxy environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`privoxy_admin',`
+ gen_require(`
+ type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t;
+ type privoxy_etc_rw_t, privoxy_var_run_t;
+ ')
+
+ allow $1 privoxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, privoxy_t)
+
+ init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 privoxy_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, privoxy_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, privoxy_etc_rw_t)
+
+ files_list_pids($1)
+ admin_pattern($1, privoxy_var_run_t)
+')
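Review bot: The summary `All of the rules required to administrate an privoxy environment` should read `a privoxy environment`; the same article slip appears in the `prelude_admin` summary earlier in this diff (`an prelude environment`) and in the `psad_admin` summary in psad.if (`an psad environment`). These summaries feed the generated interface documentation, so fixing all three at once is cheap.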
diff --git a/policy/modules/contrib/privoxy.te b/policy/modules/contrib/privoxy.te
new file mode 100644
index 00000000..2dbf4d49
--- /dev/null
+++ b/policy/modules/contrib/privoxy.te
@@ -0,0 +1,103 @@
+policy_module(privoxy, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow privoxy to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+## </p>
+## </desc>
+gen_tunable(privoxy_connect_any, false)
+
+type privoxy_t; # web_client_domain
+type privoxy_exec_t;
+init_daemon_domain(privoxy_t, privoxy_exec_t)
+
+type privoxy_initrc_exec_t;
+init_script_file(privoxy_initrc_exec_t)
+
+type privoxy_etc_rw_t;
+files_type(privoxy_etc_rw_t)
+
+type privoxy_log_t;
+logging_log_file(privoxy_log_t)
+
+type privoxy_var_run_t;
+files_pid_file(privoxy_var_run_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow privoxy_t self:capability { setgid setuid };
+dontaudit privoxy_t self:capability sys_tty_config;
+allow privoxy_t self:tcp_socket create_stream_socket_perms;
+
+allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
+
+manage_files_pattern(privoxy_t, privoxy_log_t, privoxy_log_t)
+logging_log_filetrans(privoxy_t, privoxy_log_t, file)
+
+manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
+files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
+
+kernel_read_system_state(privoxy_t)
+kernel_read_kernel_sysctls(privoxy_t)
+
+corenet_all_recvfrom_unlabeled(privoxy_t)
+corenet_all_recvfrom_netlabel(privoxy_t)
+corenet_tcp_sendrecv_generic_if(privoxy_t)
+corenet_tcp_sendrecv_generic_node(privoxy_t)
+corenet_tcp_sendrecv_all_ports(privoxy_t)
+corenet_tcp_bind_generic_node(privoxy_t)
+corenet_tcp_bind_http_cache_port(privoxy_t)
+corenet_tcp_connect_http_port(privoxy_t)
+corenet_tcp_connect_http_cache_port(privoxy_t)
+corenet_tcp_connect_squid_port(privoxy_t)
+corenet_tcp_connect_ftp_port(privoxy_t)
+corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
+corenet_tcp_connect_tor_port(privoxy_t)
+corenet_sendrecv_http_cache_client_packets(privoxy_t)
+corenet_sendrecv_squid_client_packets(privoxy_t)
+corenet_sendrecv_http_cache_server_packets(privoxy_t)
+corenet_sendrecv_http_client_packets(privoxy_t)
+corenet_sendrecv_ftp_client_packets(privoxy_t)
+corenet_sendrecv_tor_client_packets(privoxy_t)
+
+dev_read_sysfs(privoxy_t)
+
+fs_getattr_all_fs(privoxy_t)
+fs_search_auto_mountpoints(privoxy_t)
+
+domain_use_interactive_fds(privoxy_t)
+
+files_read_etc_files(privoxy_t)
+
+auth_use_nsswitch(privoxy_t)
+
+logging_send_syslog_msg(privoxy_t)
+
+miscfiles_read_localization(privoxy_t)
+
+userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
+userdom_dontaudit_search_user_home_dirs(privoxy_t)
+# cjp: this should really not be needed
+userdom_use_user_terminals(privoxy_t)
+
+tunable_policy(`privoxy_connect_any',`
+ corenet_tcp_connect_all_ports(privoxy_t)
+ corenet_sendrecv_all_client_packets(privoxy_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(privoxy_t)
+')
+
+optional_policy(`
+ udev_read_db(privoxy_t)
+')
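Review bot: `userdom_use_user_terminals(privoxy_t)` is kept under the comment `# cjp: this should really not be needed`, which leaves a network daemon with read/write access to user terminals on the strength of a note that disowns the rule. Either drop it, or replace it with `userdom_dontaudit_use_user_terminals(privoxy_t)` next to the two existing `userdom_dontaudit_*` lines so stray terminal access is silenced rather than granted; if real denials then surface in testing, the actual cause (presumably a descriptor inherited from whatever starts the daemon) can be fixed where it arises. In any case the comment should state the reason the rule exists rather than who doubted it.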
diff --git a/policy/modules/contrib/procmail.fc b/policy/modules/contrib/procmail.fc
new file mode 100644
index 00000000..1343621b
--- /dev/null
+++ b/policy/modules/contrib/procmail.fc
@@ -0,0 +1,5 @@
+
+/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
+
+/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
diff --git a/policy/modules/contrib/procmail.if b/policy/modules/contrib/procmail.if
new file mode 100644
index 00000000..b64b02fd
--- /dev/null
+++ b/policy/modules/contrib/procmail.if
@@ -0,0 +1,79 @@
+## <summary>Procmail mail delivery agent</summary>
+
+########################################
+## <summary>
+## Execute procmail with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`procmail_domtrans',`
+ gen_require(`
+ type procmail_exec_t, procmail_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, procmail_exec_t, procmail_t)
+')
+
+########################################
+## <summary>
+## Execute procmail in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_exec',`
+ gen_require(`
+ type procmail_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1, procmail_exec_t)
+')
+
+########################################
+## <summary>
+## Read procmail tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_read_tmp_files',`
+ gen_require(`
+ type procmail_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 procmail_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read/write procmail tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_rw_tmp_files',`
+ gen_require(`
+ type procmail_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
+')
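Review bot: `procmail_read_tmp_files` grants `allow $1 procmail_tmp_t:file read_file_perms;` directly, while its sibling `procmail_rw_tmp_files` uses `rw_files_pattern`; writing the first as `read_files_pattern($1, procmail_tmp_t, procmail_tmp_t)` keeps the pair consistent. The pattern additionally carries directory search on procmail_tmp_t, which is harmless here since procmail.te only creates procmail_tmp_t files (`files_tmp_filetrans(procmail_t, procmail_tmp_t, file)`).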
diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
new file mode 100644
index 00000000..29b92956
--- /dev/null
+++ b/policy/modules/contrib/procmail.te
@@ -0,0 +1,150 @@
+policy_module(procmail, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type procmail_t;
+type procmail_exec_t;
+application_domain(procmail_t, procmail_exec_t)
+role system_r types procmail_t;
+
+type procmail_log_t;
+logging_log_file(procmail_log_t)
+
+type procmail_tmp_t;
+files_tmp_file(procmail_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
+allow procmail_t self:process { setsched signal signull };
+allow procmail_t self:fifo_file rw_fifo_file_perms;
+allow procmail_t self:unix_stream_socket create_socket_perms;
+allow procmail_t self:unix_dgram_socket create_socket_perms;
+allow procmail_t self:tcp_socket create_stream_socket_perms;
+allow procmail_t self:udp_socket create_socket_perms;
+
+can_exec(procmail_t, procmail_exec_t)
+
+# Write log to /var/log/procmail.log or /var/log/procmail/.*
+allow procmail_t procmail_log_t:dir setattr;
+create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+
+allow procmail_t procmail_tmp_t:file manage_file_perms;
+files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
+
+kernel_read_system_state(procmail_t)
+kernel_read_kernel_sysctls(procmail_t)
+
+corenet_all_recvfrom_unlabeled(procmail_t)
+corenet_all_recvfrom_netlabel(procmail_t)
+corenet_tcp_sendrecv_generic_if(procmail_t)
+corenet_udp_sendrecv_generic_if(procmail_t)
+corenet_tcp_sendrecv_generic_node(procmail_t)
+corenet_udp_sendrecv_generic_node(procmail_t)
+corenet_tcp_sendrecv_all_ports(procmail_t)
+corenet_udp_sendrecv_all_ports(procmail_t)
+corenet_udp_bind_generic_node(procmail_t)
+corenet_tcp_connect_spamd_port(procmail_t)
+corenet_sendrecv_spamd_client_packets(procmail_t)
+corenet_sendrecv_comsat_client_packets(procmail_t)
+
+dev_read_urand(procmail_t)
+
+fs_getattr_xattr_fs(procmail_t)
+fs_search_auto_mountpoints(procmail_t)
+fs_rw_anon_inodefs_files(procmail_t)
+
+auth_use_nsswitch(procmail_t)
+
+corecmd_exec_bin(procmail_t)
+corecmd_exec_shell(procmail_t)
+corecmd_read_bin_symlinks(procmail_t)
+
+files_read_etc_files(procmail_t)
+files_read_etc_runtime_files(procmail_t)
+files_search_pids(procmail_t)
+# for spamassasin
+files_read_usr_files(procmail_t)
+
+logging_send_syslog_msg(procmail_t)
+
+miscfiles_read_localization(procmail_t)
+
+# only works until we define a different type for maildir
+userdom_manage_user_home_content_dirs(procmail_t)
+userdom_manage_user_home_content_files(procmail_t)
+userdom_manage_user_home_content_symlinks(procmail_t)
+userdom_manage_user_home_content_pipes(procmail_t)
+userdom_manage_user_home_content_sockets(procmail_t)
+userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
+
+# Do not audit attempts to access /root.
+userdom_dontaudit_search_user_home_dirs(procmail_t)
+
+mta_manage_spool(procmail_t)
+mta_read_queue(procmail_t)
+
+ifdef(`hide_broken_symptoms',`
+ mta_dontaudit_rw_queue(procmail_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(procmail_t)
+ fs_manage_nfs_files(procmail_t)
+ fs_manage_nfs_symlinks(procmail_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(procmail_t)
+ fs_manage_cifs_files(procmail_t)
+ fs_manage_cifs_symlinks(procmail_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(procmail_t)
+ clamav_search_lib(procmail_t)
+')
+
+optional_policy(`
+ munin_dontaudit_search_lib(procmail_t)
+')
+
+optional_policy(`
+ # for a bug in the postfix local program
+ postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
+ postfix_dontaudit_use_fds(procmail_t)
+ postfix_read_spool_files(procmail_t)
+ postfix_read_local_state(procmail_t)
+ postfix_read_master_state(procmail_t)
+')
+
+optional_policy(`
+ pyzor_domtrans(procmail_t)
+ pyzor_signal(procmail_t)
+')
+
+optional_policy(`
+ mta_read_config(procmail_t)
+ sendmail_domtrans(procmail_t)
+ sendmail_signal(procmail_t)
+ sendmail_dontaudit_rw_tcp_sockets(procmail_t)
+ sendmail_dontaudit_rw_unix_stream_sockets(procmail_t)
+')
+
+optional_policy(`
+ corenet_udp_bind_generic_port(procmail_t)
+ corenet_dontaudit_udp_bind_all_ports(procmail_t)
+
+ spamassassin_domtrans_local_client(procmail_t)
+ spamassassin_domtrans_client(procmail_t)
+ spamassassin_read_lib_files(procmail_t)
+')
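Review bot: The comment `# for spamassasin` above `files_read_usr_files(procmail_t)` misspells spamassassin, and since it is the only justification for a fairly broad read grant it should at least be spelled so it can be searched for. In the last `optional_policy` block, `corenet_udp_bind_generic_port(procmail_t)` and `corenet_dontaudit_udp_bind_all_ports(procmail_t)` are base-module rules made conditional on the spamassassin module with no note on why; a one-line comment naming the dependency (presumably the spamassassin client's local socket, which I cannot confirm from this hunk) would keep someone from hoisting them out or widening them later.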
diff --git a/policy/modules/contrib/psad.fc b/policy/modules/contrib/psad.fc
new file mode 100644
index 00000000..6c66d448
--- /dev/null
+++ b/policy/modules/contrib/psad.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0)
+/etc/psad(/.*)? gen_context(system_u:object_r:psad_etc_t,s0)
+
+/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0)
+
+/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0)
+/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0)
+/var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0)
diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if
new file mode 100644
index 00000000..bc329d18
--- /dev/null
+++ b/policy/modules/contrib/psad.if
@@ -0,0 +1,262 @@
+## <summary>Intrusion Detection and Log Analysis with iptables</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run psad.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`psad_domtrans',`
+ gen_require(`
+ type psad_t, psad_exec_t;
+ ')
+
+ domtrans_pattern($1, psad_exec_t, psad_t)
+')
+
+########################################
+## <summary>
+## Send a generic signal to psad
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_signal',`
+ gen_require(`
+ type psad_t;
+ ')
+
+ allow $1 psad_t:process signal;
+')
+
+#######################################
+## <summary>
+## Send a null signal to psad.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_signull',`
+ gen_require(`
+ type psad_t;
+ ')
+
+ allow $1 psad_t:process signull;
+')
+
+########################################
+## <summary>
+## Read psad etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_read_config',`
+ gen_require(`
+ type psad_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, psad_etc_t, psad_etc_t)
+')
+
+########################################
+## <summary>
+## Manage psad etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_manage_config',`
+ gen_require(`
+ type psad_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
+ manage_files_pattern($1, psad_etc_t, psad_etc_t)
+
+')
+
+########################################
+## <summary>
+## Read psad PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_read_pid_files',`
+ gen_require(`
+ type psad_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+## <summary>
+## Read psad PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_rw_pid_files',`
+ gen_require(`
+ type psad_var_run_t;
+ ')
+
+ files_search_pids($1)
+ rw_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read psad's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_read_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
+ read_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append to psad's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_append_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
+ append_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
+## Read and write psad fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_rw_fifo_file',`
+ gen_require(`
+ type psad_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+ rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read and write psad tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_rw_tmp_files',`
+ gen_require(`
+ type psad_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, psad_tmp_t, psad_tmp_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an psad environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_admin',`
+ gen_require(`
+ type psad_t, psad_var_run_t, psad_var_log_t;
+ type psad_initrc_exec_t, psad_var_lib_t;
+ type psad_tmp_t;
+ ')
+
+ allow $1 psad_t:process { ptrace signal_perms };
+ ps_process_pattern($1, psad_t)
+
+ init_labeled_script_domtrans($1, psad_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 psad_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, psad_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, psad_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, psad_var_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, psad_var_lib_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, psad_tmp_t)
+')
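Review bot: `psad_rw_fifo_file` requires only `type psad_t;` but its body uses `psad_var_lib_t`, and `psad_admin` uses `psad_etc_t` in `admin_pattern($1, psad_etc_t)` without listing it in its `gen_require`; a module that calls either interface without otherwise pulling in those types is likely to fail at build time on the undeclared identifier. Change the first require to `type psad_var_lib_t;` and extend the second to `type psad_t, psad_var_run_t, psad_var_log_t, psad_etc_t;`. Two summaries are copy-paste leftovers: `psad_rw_pid_files` is described as `Read psad PID files.` (should be `Read and write psad PID files.`), and the role parameter of `psad_admin` reads `The role to be allowed to manage the syslog domain.` where it should name the psad domain. `psad_manage_config` also carries a stray blank line before its closing `')`.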
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
new file mode 100644
index 00000000..d4000e0d
--- /dev/null
+++ b/policy/modules/contrib/psad.te
@@ -0,0 +1,106 @@
+policy_module(psad, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type psad_t;
+type psad_exec_t;
+init_daemon_domain(psad_t, psad_exec_t)
+
+# config files
+type psad_etc_t;
+files_type(psad_etc_t)
+
+type psad_initrc_exec_t;
+init_script_file(psad_initrc_exec_t)
+
+# var/lib files
+type psad_var_lib_t;
+files_type(psad_var_lib_t)
+
+# log files
+type psad_var_log_t;
+logging_log_file(psad_var_log_t)
+
+# pid files
+type psad_var_run_t;
+files_pid_file(psad_var_run_t)
+
+# tmp files
+type psad_tmp_t;
+files_tmp_file(psad_tmp_t)
+
+########################################
+#
+# psad local policy
+#
+
+allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+dontaudit psad_t self:capability sys_tty_config;
+allow psad_t self:process signull;
+allow psad_t self:fifo_file rw_fifo_file_perms;
+allow psad_t self:rawip_socket create_socket_perms;
+
+# config files
+read_files_pattern(psad_t, psad_etc_t, psad_etc_t)
+list_dirs_pattern(psad_t, psad_etc_t, psad_etc_t)
+
+# log files
+manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
+
+# pid file
+manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
+manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
+files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file })
+
+# tmp files
+manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
+manage_files_pattern(psad_t, psad_tmp_t, psad_tmp_t)
+files_tmp_filetrans(psad_t, psad_tmp_t, { file dir })
+
+# /var/lib files
+search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
+manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
+
+kernel_read_system_state(psad_t)
+kernel_read_network_state(psad_t)
+kernel_read_net_sysctls(psad_t)
+
+corecmd_exec_shell(psad_t)
+corecmd_exec_bin(psad_t)
+
+corenet_all_recvfrom_unlabeled(psad_t)
+corenet_all_recvfrom_netlabel(psad_t)
+corenet_tcp_sendrecv_generic_if(psad_t)
+corenet_tcp_sendrecv_generic_node(psad_t)
+corenet_tcp_bind_generic_node(psad_t)
+corenet_tcp_sendrecv_all_ports(psad_t)
+corenet_tcp_connect_whois_port(psad_t)
+corenet_sendrecv_whois_client_packets(psad_t)
+
+dev_read_urand(psad_t)
+
+files_read_etc_runtime_files(psad_t)
+
+fs_getattr_all_fs(psad_t)
+
+auth_use_nsswitch(psad_t)
+
+iptables_domtrans(psad_t)
+
+logging_read_generic_logs(psad_t)
+logging_read_syslog_config(psad_t)
+logging_send_syslog_msg(psad_t)
+
+miscfiles_read_localization(psad_t)
+
+sysnet_exec_ifconfig(psad_t)
+
+optional_policy(`
+ mta_send_mail(psad_t)
+ mta_read_queue(psad_t)
+')
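Review bot: `corenet_tcp_bind_generic_node(psad_t)` is granted with no matching `corenet_tcp_bind_*_port` interface, so unless psad listens on a socket I am not aware of, the node bind permission is unused and should be dropped; the domain already holds `net_admin net_raw`, a raw IP socket and an iptables transition, so keeping its TCP surface to the outbound whois connection it actually makes is worth the line. The declaration comments are also inconsistent (`# var/lib files` at the type declaration versus `# /var/lib files` in the policy section); use `# /var/lib files` in both places.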
diff --git a/policy/modules/contrib/ptchown.fc b/policy/modules/contrib/ptchown.fc
new file mode 100644
index 00000000..9fc398e8
--- /dev/null
+++ b/policy/modules/contrib/ptchown.fc
@@ -0,0 +1 @@
+/usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0)
diff --git a/policy/modules/contrib/ptchown.if b/policy/modules/contrib/ptchown.if
new file mode 100644
index 00000000..96cc0237
--- /dev/null
+++ b/policy/modules/contrib/ptchown.if
@@ -0,0 +1,44 @@
+## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ptchown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ptchown_domtrans',`
+ gen_require(`
+ type ptchown_t, ptchown_exec_t;
+ ')
+
+ domtrans_pattern($1, ptchown_exec_t, ptchown_t)
+')
+
+########################################
+## <summary>
+## Execute ptchown in the ptchown domain, and
+## allow the specified role the ptchown domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`ptchown_run',`
+ gen_require(`
+ type ptchown_t;
+ ')
+
+ ptchown_domtrans($1)
+ role $2 types ptchown_t;
+')
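Review bot: The module summary `helper function for grantpt(3), changes ownship and permissions of pseudotty` misspells ownership; suggest `helper for grantpt(3); changes ownership and permissions of pseudo-ttys`. This string is what the generated policy documentation shows for the module, so it is worth fixing before it is copied onward.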
diff --git a/policy/modules/contrib/ptchown.te b/policy/modules/contrib/ptchown.te
new file mode 100644
index 00000000..d90245a2
--- /dev/null
+++ b/policy/modules/contrib/ptchown.te
@@ -0,0 +1,31 @@
+policy_module(ptchown, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type ptchown_t;
+type ptchown_exec_t;
+application_domain(ptchown_t, ptchown_exec_t)
+role system_r types ptchown_t;
+
+########################################
+#
+# ptchown local policy
+#
+
+allow ptchown_t self:capability { chown fowner fsetid setuid };
+allow ptchown_t self:process { getcap setcap };
+
+files_read_etc_files(ptchown_t)
+
+fs_rw_anon_inodefs_files(ptchown_t)
+
+term_setattr_generic_ptys(ptchown_t)
+term_getattr_all_ptys(ptchown_t)
+term_setattr_all_ptys(ptchown_t)
+term_use_generic_ptys(ptchown_t)
+term_use_ptmx(ptchown_t)
+
+miscfiles_read_localization(ptchown_t)
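Review bot: The `term_setattr_all_ptys(ptchown_t)` and `term_setattr_generic_ptys(ptchown_t)` lines, together with `chown fowner fsetid` in the capability rule at the top of the local policy, let this domain change owner and mode of every pty on the system, not just the one belonging to the caller of grantpt(3). Presumably the helper binary itself checks that it was handed a pty master fd and only touches the matching slave, but nothing in the policy encodes that, so any domain granted `ptchown_domtrans` is trusting pt_chown's own argument validation. That assumption deserves to be written down next to the term_* rules, e.g. `# pt_chown can chown/chmod any pty; confinement relies on the helper validating the master fd it is passed`. If `term_setattr_all_ptys` already covers the generic pty type, the `term_setattr_generic_ptys` line may be redundant — worth confirming against the term module.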
diff --git a/policy/modules/contrib/publicfile.fc b/policy/modules/contrib/publicfile.fc
new file mode 100644
index 00000000..5b20b688
--- /dev/null
+++ b/policy/modules/contrib/publicfile.fc
@@ -0,0 +1,7 @@
+
+/usr/bin/ftpd -- gen_context(system_u:object_r:publicfile_exec_t,s0)
+/usr/bin/httpd -- gen_context(system_u:object_r:publicfile_exec_t,s0)
+
+# this is the place where online content located
+# set this to suit your needs
+#/var/www(/.*)? gen_context(system_u:object_r:publicfile_content_t,s0)
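Review bot: The two executable specs use very generic paths (`/usr/bin/ftpd`, `/usr/bin/httpd`) that other daemons' modules may also claim, and when two modules label the same path the build picks one spec without any warning, so the wrong daemon can silently start in `publicfile_t` (or publicfile in someone else's domain). I cannot see the ftp or apache file contexts from here, so treat this as something to verify rather than a confirmed clash. A short note above the specs would help the next reader, e.g. `# publicfile installs as ftpd/httpd; check ftp.fc and apache.fc for conflicting specs before enabling`. The commented-out content spec is fine as a template, but the sentence "this is the place where online content located" should read "this is where the published content is located".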
diff --git a/policy/modules/contrib/publicfile.if b/policy/modules/contrib/publicfile.if
new file mode 100644
index 00000000..5b075925
--- /dev/null
+++ b/policy/modules/contrib/publicfile.if
@@ -0,0 +1 @@
+## <summary>publicfile supplies files to the public through HTTP and FTP</summary>
diff --git a/policy/modules/contrib/publicfile.te b/policy/modules/contrib/publicfile.te
new file mode 100644
index 00000000..32edb73a
--- /dev/null
+++ b/policy/modules/contrib/publicfile.te
@@ -0,0 +1,34 @@
+policy_module(publicfile, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type publicfile_t;
+type publicfile_exec_t;
+init_daemon_domain(publicfile_t, publicfile_exec_t)
+
+type publicfile_content_t;
+files_type(publicfile_content_t)
+
+########################################
+#
+# Local policy
+#
+
+allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
+allow publicfile_t publicfile_content_t:dir list_dir_perms;
+allow publicfile_t publicfile_content_t:file read_file_perms;
+
+files_search_var(publicfile_t)
+
+optional_policy(`
+ daemontools_ipc_domain(publicfile_t)
+')
+
+optional_policy(`
+ ucspitcp_service_domain(publicfile_t, publicfile_exec_t)
+')
+
+#allow publicfile_t initrc_t:tcp_socket { read write };
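Review bot: The last line of the hunk is a commented-out raw allow rule on `initrc_t`, which is dead code: it documents neither why publicfile would need to read/write an init script's TCP socket nor why it was disabled, and if it were ever uncommented it would bypass the optional_policy/gen_require discipline the rest of the file uses. Either drop the line or, if the access is genuinely needed when the daemon inherits a listening socket from an init script, request it through the corresponding `init_*` interface inside an `optional_policy` block with a one-line rationale. On the capability line, `dac_override` alongside `sys_chroot` is broad for a daemon whose only labelled content is read-only; if it is needed only to read content owned by another uid before dropping privileges, a comment saying so would make the grant reviewable.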
diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc
new file mode 100644
index 00000000..84f23dca
--- /dev/null
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -0,0 +1,7 @@
+HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
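Review bot: `HOME_DIR/\.pulse-cookie` on the first line is given the same type (`pulseaudio_home_t`) as the ordinary `~/.pulse/` configuration tree, so every domain that is later granted the read or manage interface for pulseaudio home files also gets the cookie. If, as the name suggests, the cookie is the shared secret that authenticates clients to the sound server, it is worth either a separate type or at least a comment here, e.g. `# .pulse-cookie is an auth secret; it shares a type with the config dir, so the *_home_files interfaces expose it too`. I cannot confirm the cookie's role from this diff alone, so please verify before deciding whether a dedicated type is warranted.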
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
new file mode 100644
index 00000000..f40c64dc
--- /dev/null
+++ b/policy/modules/contrib/pulseaudio.if
@@ -0,0 +1,260 @@
+## <summary>Pulseaudio network sound server.</summary>
+
+########################################
+## <summary>
+## Role access for pulseaudio
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`pulseaudio_role',`
+ gen_require(`
+ type pulseaudio_t, pulseaudio_exec_t;
+ class dbus { acquire_svc send_msg };
+ ')
+
+ role $1 types pulseaudio_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
+
+ ps_process_pattern($2, pulseaudio_t)
+
+ allow pulseaudio_t $2:process { signal signull };
+ allow $2 pulseaudio_t:process { signal signull sigkill };
+ ps_process_pattern(pulseaudio_t, $2)
+
+ allow pulseaudio_t $2:unix_stream_socket connectto;
+ allow $2 pulseaudio_t:unix_stream_socket connectto;
+
+ allow $2 pulseaudio_t:dbus send_msg;
+ allow pulseaudio_t $2:dbus { acquire_svc send_msg };
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_domtrans',`
+ gen_require(`
+ type pulseaudio_t, pulseaudio_exec_t;
+ ')
+
+ domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
+')
+
+########################################
+## <summary>
+## Execute pulseaudio in the pulseaudio domain, and
+## allow the specified role the pulseaudio domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_run',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ pulseaudio_domtrans($1)
+ role $2 types pulseaudio_t;
+')
+
+########################################
+## <summary>
+## Execute a pulseaudio in the current domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_exec',`
+ gen_require(`
+ type pulseaudio_exec_t;
+ ')
+
+ can_exec($1, pulseaudio_exec_t)
+')
+
+########################################
+## <summary>
+## Do not audit to execute a pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_exec',`
+ gen_require(`
+ type pulseaudio_exec_t;
+ ')
+
+ dontaudit $1 pulseaudio_exec_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Send signull signal to pulseaudio
+## processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_signull',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:process signull;
+')
+
+#####################################
+## <summary>
+## Connect to pulseaudio over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_stream_connect',`
+ gen_require(`
+ type pulseaudio_t, pulseaudio_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pulseaudio_t:process signull;
+ allow pulseaudio_t $1:process signull;
+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## pulseaudio over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dbus_chat',`
+ gen_require(`
+ type pulseaudio_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 pulseaudio_t:dbus send_msg;
+ allow pulseaudio_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Set the attributes of the pulseaudio homedir.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_setattr_home_dir',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ allow $1 pulseaudio_home_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Read pulseaudio homedir files.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_read_home_files',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
+
+########################################
+## <summary>
+## Read and write Pulse Audio files.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_rw_home_files',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete pulseaudio
+## home directory files.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_manage_home_files',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
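Review bot: `pulseaudio_setattr_home_dir` grants `allow $1 pulseaudio_home_t:dir setattr;` without the `userdom_search_user_home_dirs($1)` call that every other home-content interface in this file makes (`pulseaudio_read_home_files`, `pulseaudio_rw_home_files`, `pulseaudio_manage_home_files`), so a caller that does not already have home-directory search will be denied before it reaches the directory. I would add `userdom_search_user_home_dirs($1)` as the first line of that interface body. Separately, `pulseaudio_role` grants the user domain `sigkill` and bidirectional `connectto`, which is broader than the `pyzor_role` pattern elsewhere in this patch; a short comment stating why the sound server needs to connect back to the user domain would make that reviewable.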
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
new file mode 100644
index 00000000..901ac9b1
--- /dev/null
+++ b/policy/modules/contrib/pulseaudio.te
@@ -0,0 +1,148 @@
+policy_module(pulseaudio, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type pulseaudio_t;
+type pulseaudio_exec_t;
+init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
+userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
+role system_r types pulseaudio_t;
+
+type pulseaudio_home_t;
+userdom_user_home_content(pulseaudio_home_t)
+
+type pulseaudio_tmpfs_t;
+userdom_user_tmpfs_file(pulseaudio_tmpfs_t)
+
+type pulseaudio_var_lib_t;
+files_type(pulseaudio_var_lib_t)
+ubac_constrained(pulseaudio_var_lib_t)
+
+type pulseaudio_var_run_t;
+files_pid_file(pulseaudio_var_run_t)
+ubac_constrained(pulseaudio_var_run_t)
+
+########################################
+#
+# pulseaudio local policy
+#
+
+allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
+allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
+allow pulseaudio_t self:fifo_file rw_file_perms;
+allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
+allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
+allow pulseaudio_t self:udp_socket create_socket_perms;
+allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+userdom_search_user_home_dirs(pulseaudio_t)
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
+
+can_exec(pulseaudio_t, pulseaudio_exec_t)
+
+kernel_getattr_proc(pulseaudio_t)
+kernel_read_system_state(pulseaudio_t)
+kernel_read_kernel_sysctls(pulseaudio_t)
+
+corecmd_exec_bin(pulseaudio_t)
+
+corenet_all_recvfrom_unlabeled(pulseaudio_t)
+corenet_all_recvfrom_netlabel(pulseaudio_t)
+corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
+corenet_tcp_bind_soundd_port(pulseaudio_t)
+corenet_tcp_sendrecv_generic_if(pulseaudio_t)
+corenet_tcp_sendrecv_generic_node(pulseaudio_t)
+corenet_udp_bind_sap_port(pulseaudio_t)
+corenet_udp_sendrecv_generic_if(pulseaudio_t)
+corenet_udp_sendrecv_generic_node(pulseaudio_t)
+
+dev_read_sound(pulseaudio_t)
+dev_write_sound(pulseaudio_t)
+dev_read_sysfs(pulseaudio_t)
+dev_read_urand(pulseaudio_t)
+
+files_read_etc_files(pulseaudio_t)
+files_read_usr_files(pulseaudio_t)
+
+fs_rw_anon_inodefs_files(pulseaudio_t)
+fs_getattr_tmpfs(pulseaudio_t)
+fs_list_inotifyfs(pulseaudio_t)
+
+term_use_all_ttys(pulseaudio_t)
+term_use_all_ptys(pulseaudio_t)
+
+auth_use_nsswitch(pulseaudio_t)
+
+logging_send_syslog_msg(pulseaudio_t)
+
+miscfiles_read_localization(pulseaudio_t)
+
+# cjp: this seems excessive. need to confirm
+userdom_manage_user_home_content_files(pulseaudio_t)
+userdom_manage_user_tmp_files(pulseaudio_t)
+userdom_manage_user_tmpfs_files(pulseaudio_t)
+
+optional_policy(`
+ bluetooth_stream_connect(pulseaudio_t)
+')
+
+optional_policy(`
+ dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
+ dbus_system_bus_client(pulseaudio_t)
+ dbus_session_bus_client(pulseaudio_t)
+ dbus_connect_session_bus(pulseaudio_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(pulseaudio_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(pulseaudio_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(pulseaudio_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(pulseaudio_t)
+ ')
+')
+
+optional_policy(`
+ rtkit_scheduled(pulseaudio_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(pulseaudio_t)
+ policykit_read_lib(pulseaudio_t)
+ policykit_read_reload(pulseaudio_t)
+')
+
+optional_policy(`
+ udev_read_state(pulseaudio_t)
+ udev_read_db(pulseaudio_t)
+')
+
+optional_policy(`
+ xserver_stream_connect(pulseaudio_t)
+ xserver_manage_xdm_tmp_files(pulseaudio_t)
+ xserver_read_xdm_lib_files(pulseaudio_t)
+ xserver_read_xdm_pid(pulseaudio_t)
+ xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
+')
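Review bot: `term_use_all_ttys(pulseaudio_t)` and `term_use_all_ptys(pulseaudio_t)` give the sound server read/write on every terminal on the system, which is far wider than a per-user daemon needs and is not covered by the existing `cjp: this seems excessive` note, which only flags the home/tmp manage rules below it. If the intent is just to let pulseaudio write to the terminal it was started from, the userdom interface family this file already uses should be sufficient, e.g. `userdom_use_user_terminals(pulseaudio_t)`; please confirm that the daemon does not actually need unrelated ttys before narrowing it. If the wide grant is deliberate, a comment explaining why would keep it from being silently tightened later.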
diff --git a/policy/modules/contrib/puppet.fc b/policy/modules/contrib/puppet.fc
new file mode 100644
index 00000000..f42490f3
--- /dev/null
+++ b/policy/modules/contrib/puppet.fc
@@ -0,0 +1,13 @@
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+
+/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
+/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
diff --git a/policy/modules/contrib/puppet.if b/policy/modules/contrib/puppet.if
new file mode 100644
index 00000000..2855a443
--- /dev/null
+++ b/policy/modules/contrib/puppet.if
@@ -0,0 +1,31 @@
+## <summary>Puppet client daemon</summary>
+## <desc>
+## <p>
+## Puppet is a configuration management system written in Ruby.
+## The client daemon is responsible for periodically requesting the
+## desired system state from the server and ensuring the state of
+## the client system matches.
+## </p>
+## </desc>
+
+################################################
+## <summary>
+## Read / Write to Puppet temp files. Puppet uses
+## some system binaries (groupadd, etc) that run in
+## a non-puppet domain and redirects output into temp
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_rw_tmp', `
+ gen_require(`
+ type puppet_tmp_t;
+ ')
+
+ allow $1 puppet_tmp_t:file rw_file_perms;
+ files_search_tmp($1)
+')
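Review bot: The interface header is written as `interface(\`puppet_rw_tmp', \`` with a blank between the two m4 arguments, while every other interface in this patch (for example `ptchown_domtrans`, `pulseaudio_role`) uses `interface(\`name',\`` with no space; m4 strips the leading blank so it is harmless, but it is the odd one out and will trip style checks. I would change it to `interface(\`puppet_rw_tmp',\``. The summary text is good; consider naming the domains it is meant for ("groupadd, etc") as a concrete example of what callers to expect.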
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
new file mode 100644
index 00000000..8f92a8db
--- /dev/null
+++ b/policy/modules/contrib/puppet.te
@@ -0,0 +1,282 @@
+policy_module(puppet, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Puppet client to manage all file
+## types.
+## </p>
+## </desc>
+gen_tunable(puppet_manage_all_files, false)
+
+type puppet_t;
+type puppet_exec_t;
+init_daemon_domain(puppet_t, puppet_exec_t)
+
+type puppet_etc_t;
+files_config_file(puppet_etc_t)
+
+type puppet_initrc_exec_t;
+init_script_file(puppet_initrc_exec_t)
+
+type puppet_log_t;
+logging_log_file(puppet_log_t)
+
+type puppet_tmp_t;
+files_tmp_file(puppet_tmp_t)
+
+type puppet_var_lib_t;
+files_type(puppet_var_lib_t)
+
+type puppet_var_run_t;
+files_pid_file(puppet_var_run_t)
+
+type puppetmaster_t;
+type puppetmaster_exec_t;
+init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
+
+type puppetmaster_initrc_exec_t;
+init_script_file(puppetmaster_initrc_exec_t)
+
+type puppetmaster_tmp_t;
+files_tmp_file(puppetmaster_tmp_t)
+
+########################################
+#
+# Puppet personal policy
+#
+
+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config chown };
+allow puppet_t self:process { signal signull getsched setsched };
+allow puppet_t self:fifo_file rw_fifo_file_perms;
+allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppet_t self:tcp_socket create_stream_socket_perms;
+allow puppet_t self:udp_socket create_socket_perms;
+
+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+
+manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+files_search_var_lib(puppet_t)
+
+setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+
+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
+create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+kernel_dontaudit_search_sysctl(puppet_t)
+kernel_read_kernel_sysctls(puppet_t)
+kernel_read_network_state(puppet_t)
+kernel_read_system_state(puppet_t)
+kernel_read_crypto_sysctls(puppet_t)
+
+corecmd_exec_bin(puppet_t)
+corecmd_exec_shell(puppet_t)
+
+corenet_all_recvfrom_netlabel(puppet_t)
+corenet_all_recvfrom_unlabeled(puppet_t)
+corenet_tcp_sendrecv_generic_if(puppet_t)
+corenet_tcp_sendrecv_generic_node(puppet_t)
+corenet_tcp_bind_generic_node(puppet_t)
+corenet_tcp_connect_puppet_port(puppet_t)
+corenet_sendrecv_puppet_client_packets(puppet_t)
+
+dev_read_rand(puppet_t)
+dev_read_sysfs(puppet_t)
+dev_read_urand(puppet_t)
+
+domain_read_all_domains_state(puppet_t)
+domain_interactive_fd(puppet_t)
+
+files_manage_config_files(puppet_t)
+files_manage_config_dirs(puppet_t)
+files_manage_etc_dirs(puppet_t)
+files_manage_etc_files(puppet_t)
+files_read_usr_symlinks(puppet_t)
+files_relabel_config_dirs(puppet_t)
+files_relabel_config_files(puppet_t)
+
+selinux_search_fs(puppet_t)
+selinux_set_all_booleans(puppet_t)
+selinux_set_generic_booleans(puppet_t)
+selinux_validate_context(puppet_t)
+
+term_dontaudit_getattr_unallocated_ttys(puppet_t)
+term_dontaudit_getattr_all_ttys(puppet_t)
+
+init_all_labeled_script_domtrans(puppet_t)
+init_domtrans_script(puppet_t)
+init_read_utmp(puppet_t)
+init_signull_script(puppet_t)
+
+logging_send_syslog_msg(puppet_t)
+
+miscfiles_read_hwdata(puppet_t)
+miscfiles_read_localization(puppet_t)
+
+mount_domtrans(puppet_t)
+
+seutil_domtrans_setfiles(puppet_t)
+seutil_domtrans_semanage(puppet_t)
+
+sysnet_dns_name_resolve(puppet_t)
+sysnet_run_ifconfig(puppet_t, system_r)
+sysnet_use_ldap(puppet_t)
+
+usermanage_domtrans_passwd(puppet_t)
+
+tunable_policy(`gentoo_try_dontaudit',`
+ dontaudit puppet_t self:capability dac_read_search;
+ userdom_dontaudit_use_user_terminals(puppet_t)
+')
+
+tunable_policy(`puppet_manage_all_files',`
+ auth_manage_all_files_except_auth_files(puppet_t)
+
+ # We should use files_relabel_all_files here, but it calls
+ # seutil_relabelto_bin_policy which sets a "typeattribute type attr",
+ # which is not allowed within a tunable_policy.
+ # So, we duplicate the content of files_relabel_all_files except for
+ # the policy configuration stuff and hope users do that through Portage.
+
+ gen_require(`
+ attribute file_type;
+ attribute security_file_type;
+ type policy_config_t;
+ ')
+
+ allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms;
+ relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ # this is only relabelfrom since there should be no
+ # device nodes with file types.
+ relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+')
+
+optional_policy(`
+ consoletype_domtrans(puppet_t)
+')
+
+optional_policy(`
+ hostname_exec(puppet_t)
+')
+
+optional_policy(`
+ portage_domtrans(puppet_t)
+ portage_domtrans_fetch(puppet_t)
+ portage_domtrans_gcc_config(puppet_t)
+')
+
+optional_policy(`
+ mta_send_mail(puppet_t)
+')
+
+optional_policy(`
+ init_exec_rc(puppet_t)
+ portage_run(puppet_t, system_r)
+')
+
+optional_policy(`
+ files_rw_var_files(puppet_t)
+
+ rpm_domtrans(puppet_t)
+ rpm_manage_db(puppet_t)
+ rpm_manage_log(puppet_t)
+')
+
+optional_policy(`
+ unconfined_domain(puppet_t)
+')
+
+optional_policy(`
+ usermanage_domtrans_groupadd(puppet_t)
+ usermanage_domtrans_useradd(puppet_t)
+')
+
+########################################
+#
+# Pupper master personal policy
+#
+
+allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+allow puppetmaster_t self:process { signal_perms getsched setsched };
+allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppetmaster_t self:socket create;
+allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
+allow puppetmaster_t self:udp_socket create_socket_perms;
+
+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
+logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+
+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+
+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+
+kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+kernel_read_system_state(puppetmaster_t)
+kernel_read_crypto_sysctls(puppetmaster_t)
+
+corecmd_exec_bin(puppetmaster_t)
+corecmd_exec_shell(puppetmaster_t)
+
+corenet_all_recvfrom_netlabel(puppetmaster_t)
+corenet_all_recvfrom_unlabeled(puppetmaster_t)
+corenet_tcp_sendrecv_generic_if(puppetmaster_t)
+corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+corenet_tcp_bind_generic_node(puppetmaster_t)
+corenet_tcp_bind_puppet_port(puppetmaster_t)
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+
+dev_read_rand(puppetmaster_t)
+dev_read_urand(puppetmaster_t)
+
+domain_read_all_domains_state(puppetmaster_t)
+
+files_read_etc_files(puppetmaster_t)
+files_search_var_lib(puppetmaster_t)
+
+logging_send_syslog_msg(puppetmaster_t)
+
+miscfiles_read_localization(puppetmaster_t)
+
+sysnet_dns_name_resolve(puppetmaster_t)
+sysnet_run_ifconfig(puppetmaster_t, system_r)
+
+optional_policy(`
+ hostname_exec(puppetmaster_t)
+')
+
+optional_policy(`
+ files_read_usr_symlinks(puppetmaster_t)
+
+ rpm_exec(puppetmaster_t)
+ rpm_read_db(puppetmaster_t)
+')
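Review bot: The `optional_policy(\` unconfined_domain(puppet_t) ')` block in the middle of the client policy makes `puppet_t` fully unconfined whenever the unconfined module is loaded, which on most targeted builds it is; at that point the `puppet_manage_all_files` tunable, the careful `-policy_config_t -security_file_type` exclusions in the relabel rules, and the rest of the client policy are moot. If unconfinement is intended as a deployment option it should be gated behind a documented tunable defaulting to off, in the same way `puppet_manage_all_files` is declared and documented at the top of the file; if it was a bring-up aid, it should be removed. Independently, `sys_ptrace` in the client capability line and `selinux_set_all_booleans(puppet_t)` let the agent reconfigure the policy it is confined by, so a one-line rationale for each would help reviewers judge whether the agent really needs them. The `gentoo_try_dontaudit` tunable is referenced but not declared in this file, so the build depends on it being defined elsewhere — worth a comment.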
diff --git a/policy/modules/contrib/pxe.fc b/policy/modules/contrib/pxe.fc
new file mode 100644
index 00000000..44b3a0c4
--- /dev/null
+++ b/policy/modules/contrib/pxe.fc
@@ -0,0 +1,6 @@
+
+/usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0)
+
+/var/log/pxe\.log -- gen_context(system_u:object_r:pxe_log_t,s0)
+
+/var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0)
diff --git a/policy/modules/contrib/pxe.if b/policy/modules/contrib/pxe.if
new file mode 100644
index 00000000..d3d6a6b8
--- /dev/null
+++ b/policy/modules/contrib/pxe.if
@@ -0,0 +1 @@
+## <summary>Server for the PXE network boot protocol</summary>
diff --git a/policy/modules/contrib/pxe.te b/policy/modules/contrib/pxe.te
new file mode 100644
index 00000000..fec69ebd
--- /dev/null
+++ b/policy/modules/contrib/pxe.te
@@ -0,0 +1,63 @@
+policy_module(pxe, 1.4.0)
+
+# cjp: policy seems incomplete
+
+########################################
+#
+# Declarations
+#
+
+type pxe_t;
+type pxe_exec_t;
+init_daemon_domain(pxe_t, pxe_exec_t)
+
+type pxe_log_t;
+logging_log_file(pxe_log_t)
+
+type pxe_var_run_t;
+files_pid_file(pxe_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pxe_t self:capability { chown setgid setuid };
+dontaudit pxe_t self:capability sys_tty_config;
+allow pxe_t self:process signal_perms;
+
+allow pxe_t pxe_log_t:file manage_file_perms;
+logging_log_filetrans(pxe_t, pxe_log_t, file)
+
+manage_files_pattern(pxe_t, pxe_var_run_t, pxe_var_run_t)
+files_pid_filetrans(pxe_t, pxe_var_run_t, file)
+
+kernel_read_kernel_sysctls(pxe_t)
+kernel_list_proc(pxe_t)
+kernel_read_proc_symlinks(pxe_t)
+
+corenet_udp_bind_pxe_port(pxe_t)
+
+dev_read_sysfs(pxe_t)
+
+domain_use_interactive_fds(pxe_t)
+
+files_read_etc_files(pxe_t)
+
+fs_getattr_all_fs(pxe_t)
+fs_search_auto_mountpoints(pxe_t)
+
+logging_send_syslog_msg(pxe_t)
+
+miscfiles_read_localization(pxe_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pxe_t)
+userdom_dontaudit_search_user_home_dirs(pxe_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(pxe_t)
+')
+
+optional_policy(`
+ udev_read_db(pxe_t)
+')
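Review bot: `corenet_udp_bind_pxe_port(pxe_t)` is the only network rule in the local policy, but nothing in the hunk grants the domain its own UDP socket or generic interface/node send-receive, so the daemon will be denied creating or using the socket it binds unless an interface outside my view supplies those rules. Compare `pyicqt_t` later in this patch, which pairs its socket rules with the corenet sendrecv interfaces. I would add `allow pxe_t self:udp_socket create_socket_perms;` next to the other self rules, and `corenet_udp_sendrecv_generic_if(pxe_t)` and `corenet_udp_sendrecv_generic_node(pxe_t)` beside the bind rule; the existing `# cjp: policy seems incomplete` note could then name what is still missing rather than being a blanket caveat.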
diff --git a/policy/modules/contrib/pyicqt.fc b/policy/modules/contrib/pyicqt.fc
new file mode 100644
index 00000000..491fe8f8
--- /dev/null
+++ b/policy/modules/contrib/pyicqt.fc
@@ -0,0 +1,7 @@
+/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0)
+
+/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
+
+/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
+
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0)
diff --git a/policy/modules/contrib/pyicqt.if b/policy/modules/contrib/pyicqt.if
new file mode 100644
index 00000000..9604b6a0
--- /dev/null
+++ b/policy/modules/contrib/pyicqt.if
@@ -0,0 +1 @@
+## <summary>PyICQt is an ICQ transport for XMPP server.</summary>
diff --git a/policy/modules/contrib/pyicqt.te b/policy/modules/contrib/pyicqt.te
new file mode 100644
index 00000000..a841221a
--- /dev/null
+++ b/policy/modules/contrib/pyicqt.te
@@ -0,0 +1,59 @@
+policy_module(pyicqt, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pyicqt_t;
+type pyicqt_exec_t;
+init_daemon_domain(pyicqt_t, pyicqt_exec_t)
+
+type pyicqt_conf_t;
+files_config_file(pyicqt_conf_t)
+
+type pyicqt_spool_t;
+files_type(pyicqt_spool_t)
+
+type pyicqt_var_run_t;
+files_pid_file(pyicqt_var_run_t)
+
+########################################
+#
+# PyICQt policy
+#
+
+allow pyicqt_t self:fifo_file rw_fifo_file_perms;
+allow pyicqt_t self:tcp_socket create_socket_perms;
+allow pyicqt_t self:udp_socket create_socket_perms;
+
+read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
+
+manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
+manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
+files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
+
+manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
+files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
+
+kernel_read_system_state(pyicqt_t)
+
+corecmd_exec_bin(pyicqt_t)
+
+corenet_all_recvfrom_unlabeled(pyicqt_t)
+corenet_all_recvfrom_netlabel(pyicqt_t)
+corenet_tcp_sendrecv_generic_if(pyicqt_t)
+corenet_tcp_sendrecv_generic_node(pyicqt_t)
+corenet_tcp_connect_generic_port(pyicqt_t)
+corenet_sendrecv_generic_client_packets(pyicqt_t)
+
+dev_read_urand(pyicqt_t)
+
+files_read_etc_files(pyicqt_t)
+files_read_usr_files(pyicqt_t)
+
+libs_read_lib_files(pyicqt_t)
+
+miscfiles_read_localization(pyicqt_t)
+
+sysnet_read_config(pyicqt_t)
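Review bot: `corenet_tcp_connect_generic_port(pyicqt_t)` lets the transport open outbound TCP connections to any generic (unlabelled/unreserved) port, which is broad for a service whose summary says it only bridges an XMPP server and ICQ. If the peers it talks to have labelled ports in the corenet module, connecting to those specific port types would express the intent precisely; I cannot tell from this diff which ports the upstream daemon actually uses, so please confirm against the daemon's configuration before narrowing. At minimum a comment such as `# ICQ and XMPP component ports are not labelled; generic_port used instead` would record why the wide grant was chosen.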
diff --git a/policy/modules/contrib/pyzor.fc b/policy/modules/contrib/pyzor.fc
new file mode 100644
index 00000000..d4a77506
--- /dev/null
+++ b/policy/modules/contrib/pyzor.fc
@@ -0,0 +1,9 @@
+/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+
+/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
+/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
+
+/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+/var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0)
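Review bot: The first spec writes `gen_context(system_u:object_r:pyzor_etc_t, s0)` with a space before `s0`, which no other spec in this patch does; m4 should strip the leading blank from the argument so it is cosmetic, but it is the single inconsistent line and style checkers will flag it. I would change it to `gen_context(system_u:object_r:pyzor_etc_t,s0)`. The daemon's state under `/var/lib/pyzord` is labelled with the client-named `pyzor_var_lib_t`, which the .te below only lets the client read; that is presumably intentional (the daemon's rules are past the end of this chunk), but a comment saying the type is shared between client and daemon would avoid the obvious question.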
diff --git a/policy/modules/contrib/pyzor.if b/policy/modules/contrib/pyzor.if
new file mode 100644
index 00000000..494f7e22
--- /dev/null
+++ b/policy/modules/contrib/pyzor.if
@@ -0,0 +1,90 @@
+## <summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
+
+########################################
+## <summary>
+## Role access for pyzor
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`pyzor_role',`
+ gen_require(`
+ type pyzor_t, pyzor_exec_t;
+ type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;
+ ')
+
+ role $1 types pyzor_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, pyzor_exec_t, pyzor_t)
+
+ # allow ps to show pyzor and allow the user to kill it
+ ps_process_pattern($2, pyzor_t)
+ allow $2 pyzor_t:process signal;
+')
+
+########################################
+## <summary>
+## Send generic signals to pyzor
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pyzor_signal',`
+ gen_require(`
+ type pyzor_t;
+ ')
+
+ allow $1 pyzor_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute pyzor with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pyzor_domtrans',`
+ gen_require(`
+ type pyzor_exec_t, pyzor_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pyzor_exec_t, pyzor_t)
+')
+
+########################################
+## <summary>
+## Execute pyzor in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pyzor_exec',`
+ gen_require(`
+ type pyzor_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1, pyzor_exec_t)
+')
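Review bot: In `pyzor_role` the comment `# allow ps to show pyzor and allow the user to kill it` does not match the rule below it, which grants only `signal`; killing requires `sigkill` (the `pulseaudio_role` interface earlier in this patch grants `{ signal signull sigkill }`). Either extend the rule to `allow $2 pyzor_t:process { signal sigkill };` or reword the comment to say "signal it". The same interface also requires `type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;` but uses none of them; drop the unused requires, or, if the intent was to let the user domain manage its own `~/.pyzor` configuration, add those rules so the require is justified.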
diff --git a/policy/modules/contrib/pyzor.te b/policy/modules/contrib/pyzor.te
new file mode 100644
index 00000000..c8fb70b4
--- /dev/null
+++ b/policy/modules/contrib/pyzor.te
@@ -0,0 +1,146 @@
+policy_module(pyzor, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type pyzor_t;
+type pyzor_exec_t;
+typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
+typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
+userdom_user_application_domain(pyzor_t, pyzor_exec_t)
+role system_r types pyzor_t;
+
+type pyzor_etc_t;
+files_type(pyzor_etc_t)
+
+type pyzor_home_t;
+typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
+typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
+userdom_user_home_content(pyzor_home_t)
+
+type pyzor_tmp_t;
+typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
+typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
+userdom_user_tmp_file(pyzor_tmp_t)
+
+type pyzor_var_lib_t;
+typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
+typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
+files_type(pyzor_var_lib_t)
+ubac_constrained(pyzor_var_lib_t)
+
+type pyzord_t;
+type pyzord_exec_t;
+init_daemon_domain(pyzord_t, pyzord_exec_t)
+
+type pyzord_log_t;
+logging_log_file(pyzord_log_t)
+
+########################################
+#
+# Pyzor client local policy
+#
+
+allow pyzor_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })
+
+allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
+read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t)
+files_search_var_lib(pyzor_t)
+
+manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
+manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
+files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(pyzor_t)
+kernel_read_system_state(pyzor_t)
+
+corecmd_list_bin(pyzor_t)
+corecmd_getattr_bin_files(pyzor_t)
+
+corenet_tcp_sendrecv_generic_if(pyzor_t)
+corenet_udp_sendrecv_generic_if(pyzor_t)
+corenet_tcp_sendrecv_generic_node(pyzor_t)
+corenet_udp_sendrecv_generic_node(pyzor_t)
+corenet_tcp_sendrecv_all_ports(pyzor_t)
+corenet_udp_sendrecv_all_ports(pyzor_t)
+corenet_tcp_connect_http_port(pyzor_t)
+
+dev_read_urand(pyzor_t)
+
+files_read_etc_files(pyzor_t)
+
+auth_use_nsswitch(pyzor_t)
+
+miscfiles_read_localization(pyzor_t)
+
+userdom_dontaudit_search_user_home_dirs(pyzor_t)
+
+optional_policy(`
+ amavis_manage_lib_files(pyzor_t)
+ amavis_manage_spool_files(pyzor_t)
+')
+
+optional_policy(`
+ spamassassin_signal_spamd(pyzor_t)
+ spamassassin_read_spamd_tmp_files(pyzor_t)
+')
+
+########################################
+#
+# Pyzor server local policy
+#
+
+allow pyzord_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t)
+allow pyzord_t pyzor_var_lib_t:dir setattr;
+files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir })
+
+read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t)
+allow pyzord_t pyzor_etc_t:dir list_dir_perms;
+
+can_exec(pyzord_t, pyzor_exec_t)
+
+manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
+allow pyzord_t pyzord_log_t:dir setattr;
+logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir } )
+
+kernel_read_kernel_sysctls(pyzord_t)
+kernel_read_system_state(pyzord_t)
+
+dev_read_urand(pyzord_t)
+
+corecmd_exec_bin(pyzord_t)
+
+corenet_all_recvfrom_unlabeled(pyzord_t)
+corenet_all_recvfrom_netlabel(pyzord_t)
+corenet_udp_sendrecv_generic_if(pyzord_t)
+corenet_udp_sendrecv_generic_node(pyzord_t)
+corenet_udp_sendrecv_all_ports(pyzord_t)
+corenet_udp_bind_generic_node(pyzord_t)
+corenet_udp_bind_pyzor_port(pyzord_t)
+corenet_sendrecv_pyzor_server_packets(pyzord_t)
+
+files_read_etc_files(pyzord_t)
+
+auth_use_nsswitch(pyzord_t)
+
+locallogin_dontaudit_use_fds(pyzord_t)
+
+miscfiles_read_localization(pyzord_t)
+
+# Do not audit attempts to access /root.
+userdom_dontaudit_search_user_home_dirs(pyzord_t)
+
+mta_manage_spool(pyzord_t)
+
+optional_policy(`
+ logging_send_syslog_msg(pyzord_t)
+')
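Review bot: The pyzor client domain is given TCP rules (`corenet_tcp_sendrecv_generic_if`, `corenet_tcp_sendrecv_all_ports`, `corenet_tcp_connect_http_port`) but its only self socket permission is `allow pyzor_t self:udp_socket create_socket_perms;`, so without `allow pyzor_t self:tcp_socket create_socket_perms;` those rules can never be exercised and the HTTP connect will be denied; either add the tcp_socket line or drop the TCP rules. Separately, `mta_manage_spool(pyzord_t)` grants the UDP digest server unconditional write access to the MTA spool, which is more than a lookup daemon appears to need; if it exists for the amavis/spamassassin integration it belongs on `pyzor_t` inside the existing optional blocks, otherwise a comment stating why the daemon writes mail spool would help the next reviewer. The `*_sendrecv_all_ports` rules on the client are also broader than the single HTTP port it connects to; a port-specific sendrecv interface (e.g. `corenet_tcp_sendrecv_http_port(pyzor_t)`) would be tighter unless other ports are known to be needed.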
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
new file mode 100644
index 00000000..64d877ec
--- /dev/null
+++ b/policy/modules/contrib/qemu.fc
@@ -0,0 +1,4 @@
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
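Review bot: `/usr/libexec/qemu.*` labels every regular file whose name starts with "qemu" under /usr/libexec as `qemu_exec_t`, so any helper a distribution ships there with that prefix also becomes an entry point into qemu_t; whether that is intended cannot be told from this file. If only the emulator binaries are meant, a tighter pattern such as `/usr/libexec/qemu(-system-.*|-kvm)? -- gen_context(system_u:object_r:qemu_exec_t,s0)` keeps unrelated helpers out of the emulator domain. The other three entries are exact names or the `qemu-system-.*` family, so this is the only open-ended wildcard in the file.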
diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if
new file mode 100644
index 00000000..268d6913
--- /dev/null
+++ b/policy/modules/contrib/qemu.if
@@ -0,0 +1,309 @@
+## <summary>QEMU machine emulator and virtualizer</summary>
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## qemu process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`qemu_domain_template',`
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ type $1_t;
+ domain_type($1_t)
+
+ type $1_tmp_t;
+ files_tmp_file($1_tmp_t)
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ allow $1_t self:capability { dac_read_search dac_override };
+ allow $1_t self:process { execstack execmem signal getsched };
+ allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:shm create_shm_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:tun_socket create;
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_generic_node($1_t)
+ corenet_tcp_sendrecv_all_ports($1_t)
+ corenet_tcp_bind_generic_node($1_t)
+ corenet_tcp_bind_vnc_port($1_t)
+ corenet_rw_tun_tap_dev($1_t)
+
+# dev_rw_kvm($1_t)
+
+ domain_use_interactive_fds($1_t)
+
+ files_read_etc_files($1_t)
+ files_read_usr_files($1_t)
+ files_read_var_files($1_t)
+ files_search_all($1_t)
+
+ fs_list_inotifyfs($1_t)
+ fs_rw_anon_inodefs_files($1_t)
+ fs_rw_tmpfs_files($1_t)
+
+ storage_raw_write_removable_device($1_t)
+ storage_raw_read_removable_device($1_t)
+
+ term_use_ptmx($1_t)
+ term_getattr_pty_fs($1_t)
+ term_use_generic_ptys($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ sysnet_read_config($1_t)
+
+ userdom_use_user_terminals($1_t)
+ userdom_attach_admin_tun_iface($1_t)
+
+ optional_policy(`
+ samba_domtrans_smbd($1_t)
+ ')
+
+ optional_policy(`
+ virt_manage_images($1_t)
+ virt_read_config($1_t)
+ virt_read_lib_files($1_t)
+ virt_attach_tun_iface($1_t)
+ ')
+
+ optional_policy(`
+ xserver_stream_connect($1_t)
+ xserver_read_xdm_tmp_files($1_t)
+ xserver_read_xdm_pid($1_t)
+# xserver_xdm_rw_shm($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The per role template for the qemu module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for qemu web browser.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`qemu_role',`
+ gen_require(`
+ type qemu_t, qemu_exec_t;
+ type qemu_config_t, qemu_config_exec_t;
+ ')
+
+ role $1 types { qemu_t qemu_config_t };
+
+ domtrans_pattern($2, qemu_exec_t, qemu_t)
+ domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
+ allow qemu_t $2:process signull;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qemu_domtrans',`
+ gen_require(`
+ type qemu_t, qemu_exec_t;
+ ')
+
+ domtrans_pattern($1, qemu_exec_t, qemu_t)
+')
+
+########################################
+## <summary>
+## Execute qemu in the qemu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the qemu domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`qemu_run',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ qemu_domtrans($1)
+ role $2 types qemu_t;
+ allow qemu_t $1:process signull;
+ allow $1 qemu_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow the domain to read state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`qemu_read_state',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ read_files_pattern($1, qemu_t, qemu_t)
+')
+
+########################################
+## <summary>
+## Set the schedule on qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_setsched',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process setsched;
+')
+
+########################################
+## <summary>
+## Send a signal to qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_signal',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process signal;
+')
+
+########################################
+## <summary>
+## Send a sigill to qemu
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_kill',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run qemu unconfined.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qemu_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_qemu_t, qemu_exec_t;
+ ')
+
+ domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
+')
+
+########################################
+## <summary>
+## Manage qemu temporary dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_manage_tmp_dirs',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
+
+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
+
+########################################
+## <summary>
+## Manage qemu temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_manage_tmp_files',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
+
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
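Review bot: `qemu_role` requires `qemu_config_t` and `qemu_config_exec_t`, but neither type is declared in the qemu.te added by this same commit (it declares only `qemu_t`, `qemu_exec_t` and `unconfined_qemu_t`), so a role that invokes this template would fail to link unless those types come from elsewhere; either declare them or drop the second `domtrans_pattern` and the `qemu_config_t` role line. Two documentation fixes: the `qemu_role` description says the derived domains are "used for qemu web browser", a copy-paste remnant that should read `## for running qemu from the user role.`, and `qemu_kill` is summarised as "Send a sigill to qemu" while the rule grants `sigkill`, so the summary should be `## Send a SIGKILL to qemu.`. `qemu_domain_template` has two section headers both labelled "Local Policy"; the first, above the type declarations, should be `# Declarations`, and the commented-out `dev_rw_kvm($1_t)` should either be removed or carry a comment saying why it is disabled. The template also grants `dac_read_search dac_override` plus `execstack execmem` to every derived domain with no comment; a short why-comment on each would let a reviewer judge whether all callers need them.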
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
new file mode 100644
index 00000000..44f407ce
--- /dev/null
+++ b/policy/modules/contrib/qemu.te
@@ -0,0 +1,135 @@
+policy_module(qemu, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow qemu to connect fully to the network
+## </p>
+## </desc>
+gen_tunable(qemu_full_network, false)
+
+## <desc>
+## <p>
+## Allow qemu to use cifs/Samba file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_cifs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use serial/parallel communication ports
+## </p>
+## </desc>
+gen_tunable(qemu_use_comm, false)
+
+## <desc>
+## <p>
+## Allow qemu to use nfs file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_nfs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use usb devices
+## </p>
+## </desc>
+gen_tunable(qemu_use_usb, true)
+
+type qemu_exec_t;
+virt_domain_template(qemu)
+application_domain(qemu_t, qemu_exec_t)
+role system_r types qemu_t;
+
+########################################
+#
+# qemu local policy
+#
+dontaudit qemu_t self:socket create;
+
+can_exec(qemu_t, qemu_exec_t)
+
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
+userdom_search_user_home_content(qemu_t)
+userdom_read_user_tmpfs_files(qemu_t)
+
+tunable_policy(`qemu_full_network',`
+ allow qemu_t self:udp_socket create_socket_perms;
+
+ corenet_udp_sendrecv_generic_if(qemu_t)
+ corenet_udp_sendrecv_generic_node(qemu_t)
+ corenet_udp_sendrecv_all_ports(qemu_t)
+ corenet_udp_bind_generic_node(qemu_t)
+ corenet_udp_bind_all_ports(qemu_t)
+ corenet_tcp_bind_all_ports(qemu_t)
+ corenet_tcp_connect_all_ports(qemu_t)
+')
+
+tunable_policy(`qemu_use_cifs',`
+ fs_manage_cifs_dirs(qemu_t)
+ fs_manage_cifs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_comm',`
+ term_use_unallocated_ttys(qemu_t)
+ dev_rw_printer(qemu_t)
+')
+
+tunable_policy(`qemu_use_nfs',`
+ fs_manage_nfs_dirs(qemu_t)
+ fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_usb',`
+ dev_rw_usbfs(qemu_t)
+ fs_manage_dos_dirs(qemu_t)
+ fs_manage_dos_files(qemu_t)
+')
+
+optional_policy(`
+ dbus_read_lib_files(qemu_t)
+')
+
+optional_policy(`
+ pulseaudio_manage_home_files(qemu_t)
+ pulseaudio_stream_connect(qemu_t)
+')
+
+optional_policy(`
+ vde_connect(qemu_t)
+')
+
+optional_policy(`
+ virt_manage_images(qemu_t)
+ virt_append_log(qemu_t)
+')
+
+optional_policy(`
+ xen_rw_image_files(qemu_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(qemu_t)
+ xserver_stream_connect(qemu_t)
+')
+
+########################################
+#
+# Unconfined qemu local policy
+#
+
+optional_policy(`
+ type unconfined_qemu_t;
+ typealias unconfined_qemu_t alias qemu_unconfined_t;
+ application_type(unconfined_qemu_t)
+ unconfined_domain(unconfined_qemu_t)
+
+ allow unconfined_qemu_t self:process { execstack execmem };
+ allow unconfined_qemu_t qemu_exec_t:file execmod;
+')
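Review bot: `qemu_use_cifs`, `qemu_use_nfs` and `qemu_use_usb` default to `true`, so out of the box a confined `qemu_t` can manage arbitrary files on any CIFS and NFS mount and on DOS file systems and read/write usbfs; for a domain that executes guest-controlled code the conservative default is `false` with administrators opting in, which would also make these consistent with `qemu_full_network` and `qemu_use_comm`. Independently, the `qemu_use_usb` block grants `fs_manage_dos_dirs`/`fs_manage_dos_files`, which its description does not mention; the `<desc>` should say `## Allow qemu to use usb devices and manage files on DOS (vfat) file systems`, or the DOS rules should move under their own tunable. The unconfined block adds `execstack execmem` and `execmod` on `qemu_exec_t` with no comment; a one-line note on why the unconfined variant needs them explicitly would help.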
diff --git a/policy/modules/contrib/qmail.fc b/policy/modules/contrib/qmail.fc
new file mode 100644
index 00000000..0055e54b
--- /dev/null
+++ b/policy/modules/contrib/qmail.fc
@@ -0,0 +1,47 @@
+
+/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
+/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
+
+/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/var/qmail/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/var/qmail/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/var/qmail/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/var/qmail/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/var/qmail/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/var/qmail/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+
+ifdef(`distro_debian', `
+/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
+
+/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+
+/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+')
+
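Review bot: The `/var/qmail/alias -d` entry is fully subsumed by `/var/qmail/alias(/.*)?` on the next line, which matches the directory itself with the same context, so the `-d` line can be dropped. In the Debian block, `/var/qmail(/.*)?` labels the whole tree `qmail_etc_t` and is correct only if the more specific `/var/qmail/bin/*` and `/var/qmail/queue(/.*)?` entries from the top of the file take precedence over it; a comment such as `# catch-all; the more specific /var/qmail entries above take precedence` would make that ordering dependency visible. The commented-out serialmail entry should carry a reason or be removed, and the leading blank line is stray.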
diff --git a/policy/modules/contrib/qmail.if b/policy/modules/contrib/qmail.if
new file mode 100644
index 00000000..a55bf44b
--- /dev/null
+++ b/policy/modules/contrib/qmail.if
@@ -0,0 +1,151 @@
+## <summary>Qmail Mail Server</summary>
+
+########################################
+## <summary>
+## Template for qmail parent/sub-domain pairs
+## </summary>
+## <param name="child_prefix">
+## <summary>
+## The prefix of the child domain
+## </summary>
+## </param>
+## <param name="parent_domain">
+## <summary>
+## The name of the parent domain.
+## </summary>
+## </param>
+#
+template(`qmail_child_domain_template',`
+ type $1_t;
+ domain_type($1_t)
+ type $1_exec_t;
+ domain_entry_file($1_t, $1_exec_t)
+ domain_auto_trans($2, $1_exec_t, $1_t)
+ role system_r types $1_t;
+
+ allow $1_t self:process signal_perms;
+
+ allow $1_t $2:fd use;
+ allow $1_t $2:fifo_file rw_file_perms;
+ allow $1_t $2:process sigchld;
+
+ allow $1_t qmail_etc_t:dir list_dir_perms;
+ allow $1_t qmail_etc_t:file read_file_perms;
+ allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
+
+ allow $1_t qmail_start_t:fd use;
+
+ kernel_list_proc($2)
+ kernel_read_proc_symlinks($2)
+
+ corecmd_search_bin($1_t)
+
+ files_search_var($1_t)
+
+ fs_getattr_xattr_fs($1_t)
+
+ miscfiles_read_localization($1_t)
+')
+
+########################################
+## <summary>
+## Transition to qmail_inject_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qmail_domtrans_inject',`
+ gen_require(`
+ type qmail_inject_t, qmail_inject_exec_t;
+ ')
+
+ domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ ',`
+ files_search_var($1)
+ corecmd_search_bin($1)
+ ')
+')
+
+########################################
+## <summary>
+## Transition to qmail_queue_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qmail_domtrans_queue',`
+ gen_require(`
+ type qmail_queue_t, qmail_queue_exec_t;
+ ')
+
+ domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ ',`
+ files_search_var($1)
+ corecmd_search_bin($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read qmail configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`qmail_read_config',`
+ gen_require(`
+ type qmail_etc_t;
+ ')
+
+ allow $1 qmail_etc_t:dir list_dir_perms;
+ allow $1 qmail_etc_t:file read_file_perms;
+ allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
+ files_search_var($1)
+
+ ifdef(`distro_debian',`
+ # handle /etc/qmail
+ files_search_etc($1)
+ ')
+')
+
+########################################
+## <summary>
+## Define the specified domain as a qmail-smtp service.
+## Needed by antivirus/antispam filters.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`qmail_smtpd_service_domain',`
+ gen_require(`
+ type qmail_smtpd_t;
+ ')
+
+ domtrans_pattern(qmail_smtpd_t, $2, $1)
+')
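Review bot: `qmail_child_domain_template` grants `kernel_list_proc($2)` and `kernel_read_proc_symlinks($2)` to the parent domain `$2`, not to the child it declares, so every invocation silently widens the parent's /proc access; if that is intentional a comment such as `# parent needs /proc to track the child it spawned` should say so, otherwise those two lines belong on `$1_t`. The template also uses `qmail_etc_t` and `qmail_start_t` without a `gen_require`, so it only works when called from inside qmail.te; a `gen_require` block, or a `<desc>` note stating it is module-internal, would prevent misuse from other modules. `allow $1_t $2:fifo_file rw_file_perms;` applies the file permission set to a fifo; the conventional macro is `rw_fifo_file_perms`, which qmail.te itself uses for `qmail_lspawn_t`. `domain_auto_trans` is the older macro; `domtrans_pattern($2, $1_exec_t, $1_t)` is what the rest of this file uses (e.g. `qmail_domtrans_inject`).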
diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
new file mode 100644
index 00000000..355b2a28
--- /dev/null
+++ b/policy/modules/contrib/qmail.te
@@ -0,0 +1,321 @@
+policy_module(qmail, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute qmail_user_domains;
+
+type qmail_alias_home_t;
+files_type(qmail_alias_home_t)
+
+qmail_child_domain_template(qmail_clean, qmail_start_t)
+
+type qmail_etc_t;
+files_config_file(qmail_etc_t)
+
+type qmail_exec_t;
+files_type(qmail_exec_t)
+
+type qmail_inject_t, qmail_user_domains;
+type qmail_inject_exec_t;
+domain_type(qmail_inject_t)
+domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
+mta_mailserver_user_agent(qmail_inject_t)
+role system_r types qmail_inject_t;
+
+qmail_child_domain_template(qmail_local, qmail_lspawn_t)
+mta_mailserver_delivery(qmail_local_t)
+
+qmail_child_domain_template(qmail_lspawn, qmail_start_t)
+mta_mailserver_delivery(qmail_lspawn_t)
+
+qmail_child_domain_template(qmail_queue, qmail_inject_t)
+typeattribute qmail_queue_t qmail_user_domains;
+mta_mailserver_user_agent(qmail_queue_t)
+
+qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
+mta_mailserver_sender(qmail_remote_t)
+
+qmail_child_domain_template(qmail_rspawn, qmail_start_t)
+
+qmail_child_domain_template(qmail_send, qmail_start_t)
+
+qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+
+qmail_child_domain_template(qmail_splogger, qmail_start_t)
+
+type qmail_spool_t;
+files_type(qmail_spool_t)
+
+type qmail_start_t;
+type qmail_start_exec_t;
+init_daemon_domain(qmail_start_t, qmail_start_exec_t)
+
+type qmail_tcp_env_t;
+type qmail_tcp_env_exec_t;
+application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+
+########################################
+#
+# qmail-clean local policy
+# this component cleans up the queue directory
+#
+
+read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+
+########################################
+#
+# qmail-inject local policy
+# this component preprocesses mail from stdin and invokes qmail-queue
+#
+
+allow qmail_inject_t self:fifo_file write_fifo_file_perms;
+allow qmail_inject_t self:process signal_perms;
+
+allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
+
+corecmd_search_bin(qmail_inject_t)
+
+files_search_var(qmail_inject_t)
+
+miscfiles_read_localization(qmail_inject_t)
+
+qmail_read_config(qmail_inject_t)
+
+########################################
+#
+# qmail-local local policy
+# this component delivers a mail message
+#
+
+allow qmail_local_t self:fifo_file write_file_perms;
+allow qmail_local_t self:process signal_perms;
+allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
+manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
+
+can_exec(qmail_local_t, qmail_local_exec_t)
+
+allow qmail_local_t qmail_queue_exec_t:file read_file_perms;
+
+allow qmail_local_t qmail_spool_t:file read_file_perms;
+
+kernel_read_system_state(qmail_local_t)
+
+corecmd_exec_bin(qmail_local_t)
+corecmd_exec_shell(qmail_local_t)
+
+files_read_etc_files(qmail_local_t)
+files_read_etc_runtime_files(qmail_local_t)
+
+auth_use_nsswitch(qmail_local_t)
+
+logging_send_syslog_msg(qmail_local_t)
+
+mta_append_spool(qmail_local_t)
+
+qmail_domtrans_queue(qmail_local_t)
+
+optional_policy(`
+ spamassassin_domtrans_client(qmail_local_t)
+')
+
+########################################
+#
+# qmail-lspawn local policy
+# this component schedules local deliveries
+#
+
+allow qmail_lspawn_t self:capability { setuid setgid };
+allow qmail_lspawn_t self:process signal_perms;
+allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms;
+allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
+
+can_exec(qmail_lspawn_t, qmail_exec_t)
+
+allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
+
+read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
+
+corecmd_search_bin(qmail_lspawn_t)
+
+files_read_etc_files(qmail_lspawn_t)
+files_search_pids(qmail_lspawn_t)
+files_search_tmp(qmail_lspawn_t)
+
+########################################
+#
+# qmail-queue local policy
+# this component places a mail in a delivery queue, later to be processed by qmail-send
+#
+
+allow qmail_queue_t qmail_lspawn_t:fd use;
+allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
+
+allow qmail_queue_t qmail_smtpd_t:fd use;
+allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
+
+manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+
+corecmd_exec_bin(qmail_queue_t)
+
+logging_send_syslog_msg(qmail_queue_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_queue_t)
+')
+
+########################################
+#
+# qmail-remote local policy
+# this component sends mail via SMTP
+#
+
+allow qmail_remote_t self:tcp_socket create_socket_perms;
+allow qmail_remote_t self:udp_socket create_socket_perms;
+
+rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)
+
+corenet_all_recvfrom_unlabeled(qmail_remote_t)
+corenet_all_recvfrom_netlabel(qmail_remote_t)
+corenet_tcp_sendrecv_generic_if(qmail_remote_t)
+corenet_udp_sendrecv_generic_if(qmail_remote_t)
+corenet_tcp_sendrecv_generic_node(qmail_remote_t)
+corenet_udp_sendrecv_generic_node(qmail_remote_t)
+corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
+corenet_udp_sendrecv_dns_port(qmail_remote_t)
+corenet_tcp_connect_smtp_port(qmail_remote_t)
+corenet_sendrecv_smtp_client_packets(qmail_remote_t)
+
+dev_read_rand(qmail_remote_t)
+dev_read_urand(qmail_remote_t)
+
+sysnet_read_config(qmail_remote_t)
+
+########################################
+#
+# qmail-rspawn local policy
+# this component scedules remote deliveries
+#
+
+allow qmail_rspawn_t self:process signal_perms;
+allow qmail_rspawn_t self:fifo_file read_fifo_file_perms;
+
+allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
+
+rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
+
+corecmd_search_bin(qmail_rspawn_t)
+
+########################################
+#
+# qmail-send local policy
+# this component delivers mail messages from the queue
+#
+
+allow qmail_send_t self:process signal_perms;
+allow qmail_send_t self:fifo_file write_fifo_file_perms;
+
+manage_dirs_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
+manage_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
+read_fifo_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
+
+qmail_domtrans_queue(qmail_send_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_send_t)
+')
+
+########################################
+#
+# qmail-smtpd local policy
+# this component receives mails via SMTP
+#
+
+allow qmail_smtpd_t self:process signal_perms;
+allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
+allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+
+allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
+
+dev_read_rand(qmail_smtpd_t)
+dev_read_urand(qmail_smtpd_t)
+
+qmail_domtrans_queue(qmail_smtpd_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_smtpd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(qmail, qmail_smtpd_t)
+')
+
+optional_policy(`
+ ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
+')
+
+########################################
+#
+# splogger local policy
+# this component creates entries in syslog
+#
+
+allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
+
+files_read_etc_files(qmail_splogger_t)
+
+init_dontaudit_use_script_fds(qmail_splogger_t)
+
+miscfiles_read_localization(qmail_splogger_t)
+
+########################################
+#
+# qmail-start local policy
+# this component starts up the mail delivery component
+#
+
+allow qmail_start_t self:capability { setgid setuid };
+dontaudit qmail_start_t self:capability sys_tty_config;
+allow qmail_start_t self:fifo_file rw_fifo_file_perms;
+allow qmail_start_t self:process signal_perms;
+
+can_exec(qmail_start_t, qmail_start_exec_t)
+
+corecmd_search_bin(qmail_start_t)
+
+files_search_var(qmail_start_t)
+
+qmail_read_config(qmail_start_t)
+
+optional_policy(`
+ daemontools_service_domain(qmail_start_t, qmail_start_exec_t)
+ daemontools_ipc_domain(qmail_start_t)
+')
+
+########################################
+#
+# tcp-env local policy
+# this component sets up TCP-related environment variables
+#
+
+allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
+
+corecmd_search_bin(qmail_tcp_env_t)
+
+sysnet_read_config(qmail_tcp_env_t)
+
+optional_policy(`
+ inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+')
+
+optional_policy(`
+ ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+')
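Review bot: `qmail_queue_t` is entered from every `qmail_user_domains` member and from `qmail_smtpd_t` (network input) via `qmail_domtrans_queue`, yet it receives `corecmd_exec_bin(qmail_queue_t)`, which lets the queue domain run any bin_t program in its own domain with its manage rights over `qmail_spool_t`; if qmail-queue does not itself exec anything this should be dropped, and if it is there for a QMAILQUEUE wrapper a comment should say so. `qmail_local_t` likewise gets `corecmd_exec_bin` and `corecmd_exec_shell`, which is expected for .qmail programs but deserves a comment such as `# .qmail files may run arbitrary programs and pipes` so the breadth reads as deliberate. Minor: the qmail-rspawn header typo `scedules` should be `schedules`, and `qmail_lspawn_t` uses `create_socket_perms` on `unix_stream_socket` where `qmail_local_t` uses `create_stream_socket_perms`; pick one.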
diff --git a/policy/modules/contrib/qpid.fc b/policy/modules/contrib/qpid.fc
new file mode 100644
index 00000000..4f942292
--- /dev/null
+++ b/policy/modules/contrib/qpid.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
+
+/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
+
+/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
+
+/var/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0)
+/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0)
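Review bot: `/var/run/qpidd\.pid` is the only entry in this file without a file-type flag, so unlike `/usr/sbin/qpidd --` it would also label a directory or socket of that name; `/var/run/qpidd\.pid -- gen_context(system_u:object_r:qpidd_var_run_t,s0)` keeps it consistent with the other entries. The preceding `/var/run/qpidd(/.*)?` line already covers a qpidd runtime directory, so the pid entry only needs to match the regular file.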
diff --git a/policy/modules/contrib/qpid.if b/policy/modules/contrib/qpid.if
new file mode 100644
index 00000000..5a9630c0
--- /dev/null
+++ b/policy/modules/contrib/qpid.if
@@ -0,0 +1,186 @@
+## <summary>Apache QPID AMQP messaging server.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run qpidd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qpidd_domtrans',`
+ gen_require(`
+ type qpidd_t, qpidd_exec_t;
+ ')
+
+ domtrans_pattern($1, qpidd_exec_t, qpidd_t)
+')
+
+#####################################
+## <summary>
+## Allow read and write access to qpidd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_rw_semaphores',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Read and write to qpidd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_rw_shm',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Execute qpidd server in the qpidd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_initrc_domtrans',`
+ gen_require(`
+ type qpidd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read qpidd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_read_pid_files',`
+ gen_require(`
+ type qpidd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 qpidd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search qpidd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_search_lib',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ allow $1 qpidd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read qpidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_read_lib_files',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## qpidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_manage_lib_files',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an qpidd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`qpidd_admin',`
+ gen_require(`
+ type qpidd_t, qpidd_initrc_exec_t;
+ ')
+
+ allow $1 qpidd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, qpidd_t)
+
+ # Allow qpidd_t to restart the apache service
+ qpidd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 qpidd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, qpidd_var_lib_t)
+
+ admin_pattern($1, qpidd_var_run_t)
+')
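Review bot: qpidd_admin references qpidd_var_lib_t and qpidd_var_run_t in its two admin_pattern() calls, but the gen_require block declares only `type qpidd_t, qpidd_initrc_exec_t;`, so a module that calls this interface will fail to link on the undeclared types; extend it to `type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t, qpidd_var_run_t;`. The comment `# Allow qpidd_t to restart the apache service` above qpidd_initrc_domtrans($1) is a copy-paste leftover and should read `# Allow the admin domain to start and stop the qpidd service`. The summary of qpidd_initrc_domtrans ("Execute qpidd server in the qpidd domain") describes qpidd_domtrans rather than the init-script transition this interface actually grants; suggest "Execute qpidd init scripts in the init script domain."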
diff --git a/policy/modules/contrib/qpid.te b/policy/modules/contrib/qpid.te
new file mode 100644
index 00000000..cb7ecb54
--- /dev/null
+++ b/policy/modules/contrib/qpid.te
@@ -0,0 +1,63 @@
+policy_module(qpid, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type qpidd_t;
+type qpidd_exec_t;
+init_daemon_domain(qpidd_t, qpidd_exec_t)
+
+type qpidd_initrc_exec_t;
+init_script_file(qpidd_initrc_exec_t)
+
+type qpidd_var_lib_t;
+files_type(qpidd_var_lib_t)
+
+type qpidd_var_run_t;
+files_pid_file(qpidd_var_run_t)
+
+########################################
+#
+# qpidd local policy
+#
+
+allow qpidd_t self:process { setsched signull };
+allow qpidd_t self:fifo_file rw_fifo_file_perms;
+allow qpidd_t self:sem create_sem_perms;
+allow qpidd_t self:shm create_shm_perms;
+allow qpidd_t self:tcp_socket create_stream_socket_perms;
+allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
+
+manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
+
+kernel_read_system_state(qpidd_t)
+
+corenet_all_recvfrom_unlabeled(qpidd_t)
+corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_sendrecv_generic_if(qpidd_t)
+corenet_tcp_sendrecv_generic_node(qpidd_t)
+corenet_tcp_sendrecv_all_ports(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t)
+corenet_tcp_bind_amqp_port(qpidd_t)
+
+dev_read_urand(qpidd_t)
+
+files_read_etc_files(qpidd_t)
+
+logging_send_syslog_msg(qpidd_t)
+
+miscfiles_read_localization(qpidd_t)
+
+sysnet_dns_name_resolve(qpidd_t)
+
+optional_policy(`
+ corosync_stream_connect(qpidd_t)
+')
diff --git a/policy/modules/contrib/quota.fc b/policy/modules/contrib/quota.fc
new file mode 100644
index 00000000..f3872307
--- /dev/null
+++ b/policy/modules/contrib/quota.fc
@@ -0,0 +1,19 @@
+HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/boot/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+
+/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
+/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+',`
+/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+')
diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
new file mode 100644
index 00000000..bf75d999
--- /dev/null
+++ b/policy/modules/contrib/quota.if
@@ -0,0 +1,85 @@
+## <summary>File system quota management</summary>
+
+########################################
+## <summary>
+## Execute quota management tools in the quota domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`quota_domtrans',`
+ gen_require(`
+ type quota_t, quota_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, quota_exec_t, quota_t)
+')
+
+########################################
+## <summary>
+## Execute quota management tools in the quota domain, and
+## allow the specified role the quota domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`quota_run',`
+ gen_require(`
+ type quota_t;
+ ')
+
+ quota_domtrans($1)
+ role $2 types quota_t;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of filesystem quota data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`quota_dontaudit_getattr_db',`
+ gen_require(`
+ type quota_db_t;
+ ')
+
+ dontaudit $1 quota_db_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete quota
+## flag files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`quota_manage_flags',`
+ gen_require(`
+ type quota_flag_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, quota_flag_t, quota_flag_t)
+')
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
new file mode 100644
index 00000000..5dd42f5f
--- /dev/null
+++ b/policy/modules/contrib/quota.te
@@ -0,0 +1,84 @@
+policy_module(quota, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type quota_t;
+type quota_exec_t;
+init_system_domain(quota_t, quota_exec_t)
+
+type quota_db_t;
+files_type(quota_db_t)
+
+type quota_flag_t;
+files_type(quota_flag_t)
+
+########################################
+#
+# Local policy
+#
+
+allow quota_t self:capability { sys_admin dac_override };
+dontaudit quota_t self:capability sys_tty_config;
+allow quota_t self:process signal_perms;
+
+# for /quota.*
+allow quota_t quota_db_t:file { manage_file_perms quotaon };
+files_root_filetrans(quota_t, quota_db_t, file)
+files_boot_filetrans(quota_t, quota_db_t, file)
+files_etc_filetrans(quota_t, quota_db_t, file)
+files_tmp_filetrans(quota_t, quota_db_t, file)
+files_home_filetrans(quota_t, quota_db_t, file)
+files_usr_filetrans(quota_t, quota_db_t, file)
+files_var_filetrans(quota_t, quota_db_t, file)
+files_spool_filetrans(quota_t, quota_db_t, file)
+
+kernel_list_proc(quota_t)
+kernel_read_proc_symlinks(quota_t)
+kernel_read_kernel_sysctls(quota_t)
+kernel_setsched(quota_t)
+
+dev_read_sysfs(quota_t)
+dev_getattr_all_blk_files(quota_t)
+dev_getattr_all_chr_files(quota_t)
+
+fs_get_xattr_fs_quotas(quota_t)
+fs_set_xattr_fs_quotas(quota_t)
+fs_getattr_xattr_fs(quota_t)
+fs_remount_xattr_fs(quota_t)
+fs_search_auto_mountpoints(quota_t)
+
+mls_file_read_all_levels(quota_t)
+
+storage_raw_read_fixed_disk(quota_t)
+
+term_dontaudit_use_console(quota_t)
+
+domain_use_interactive_fds(quota_t)
+
+files_list_all(quota_t)
+files_read_all_files(quota_t)
+files_read_all_symlinks(quota_t)
+files_getattr_all_pipes(quota_t)
+files_getattr_all_sockets(quota_t)
+files_getattr_all_file_type_fs(quota_t)
+# Read /etc/mtab.
+files_read_etc_runtime_files(quota_t)
+
+init_use_fds(quota_t)
+init_use_script_ptys(quota_t)
+
+logging_send_syslog_msg(quota_t)
+
+userdom_use_user_terminals(quota_t)
+userdom_dontaudit_use_unpriv_user_fds(quota_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(quota_t)
+')
+
+optional_policy(`
+ udev_read_db(quota_t)
+')
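Review bot: the files_tmp_filetrans and files_usr_filetrans calls label quota files created under /tmp and /usr as quota_db_t, but quota.fc in this same commit has no entries for those locations (it covers /, /boot, /etc, /var, /var/spool and HOME_ROOT only), so a relabel would revert such files to the default type and the quota_t access granted here would no longer apply to them. Either add matching file contexts or drop the two filetrans calls with a comment explaining why. The combination of `files_read_all_files(quota_t)`, `mls_file_read_all_levels(quota_t)` and the sys_admin/dac_override capabilities is a broad grant for a quota tool; a one-line why-comment (presumably quotacheck walks every file on the filesystem — confirm) would let later reviewers judge whether it is still needed.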
diff --git a/policy/modules/contrib/radius.fc b/policy/modules/contrib/radius.fc
new file mode 100644
index 00000000..09f7b501
--- /dev/null
+++ b/policy/modules/contrib/radius.fc
@@ -0,0 +1,23 @@
+
+/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0)
+
+/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
+/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)
+
+/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
+/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
+
+/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius\.log.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radutmp -- gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
+
+/var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0)
+/var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0)
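Review bot: `/var/lib/radiousd(/.*)?` looks like a misspelling of `/var/lib/radiusd(/.*)?`; as written the daemon's state directory would keep the generic /var/lib label, the manage_files_pattern on radiusd_var_lib_t in radius.te would never apply, and every write there would be denied. Correct the path unless a directory literally named radiousd is intended, in which case a comment should say so.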
diff --git a/policy/modules/contrib/radius.if b/policy/modules/contrib/radius.if
new file mode 100644
index 00000000..75e5dc40
--- /dev/null
+++ b/policy/modules/contrib/radius.if
@@ -0,0 +1,62 @@
+## <summary>RADIUS authentication and accounting server.</summary>
+
+########################################
+## <summary>
+## Use radius over a UDP connection. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`radius_use',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an radius environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`radius_admin',`
+ gen_require(`
+ type radiusd_t, radiusd_etc_t, radiusd_log_t;
+ type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
+ type radiusd_initrc_exec_t;
+ ')
+
+ allow $1 radiusd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, radiusd_t)
+
+ init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 radiusd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, radiusd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, radiusd_log_t)
+
+ admin_pattern($1, radiusd_etc_rw_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, radiusd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, radiusd_var_run_t)
+')
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
new file mode 100644
index 00000000..b1ed1bf4
--- /dev/null
+++ b/policy/modules/contrib/radius.te
@@ -0,0 +1,143 @@
+policy_module(radius, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type radiusd_t;
+type radiusd_exec_t;
+init_daemon_domain(radiusd_t, radiusd_exec_t)
+
+type radiusd_etc_t;
+files_config_file(radiusd_etc_t)
+
+type radiusd_etc_rw_t;
+files_type(radiusd_etc_rw_t)
+
+type radiusd_initrc_exec_t;
+init_script_file(radiusd_initrc_exec_t)
+
+type radiusd_log_t;
+logging_log_file(radiusd_log_t)
+
+type radiusd_var_lib_t;
+files_type(radiusd_var_lib_t)
+
+type radiusd_var_run_t;
+files_pid_file(radiusd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# fsetid is for gzip which needs it when run from scripts
+# gzip also needs chown access to preserve GID for radwtmp files
+allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+dontaudit radiusd_t self:capability sys_tty_config;
+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
+allow radiusd_t self:fifo_file rw_fifo_file_perms;
+allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
+allow radiusd_t self:tcp_socket create_stream_socket_perms;
+allow radiusd_t self:udp_socket create_socket_perms;
+
+allow radiusd_t radiusd_etc_t:dir list_dir_perms;
+read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t)
+read_lnk_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t)
+files_search_etc(radiusd_t)
+
+manage_dirs_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+manage_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file })
+
+manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+manage_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir })
+
+manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
+
+manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
+
+kernel_read_kernel_sysctls(radiusd_t)
+kernel_read_system_state(radiusd_t)
+
+corenet_all_recvfrom_unlabeled(radiusd_t)
+corenet_all_recvfrom_netlabel(radiusd_t)
+corenet_tcp_sendrecv_generic_if(radiusd_t)
+corenet_udp_sendrecv_generic_if(radiusd_t)
+corenet_tcp_sendrecv_generic_node(radiusd_t)
+corenet_udp_sendrecv_generic_node(radiusd_t)
+corenet_tcp_sendrecv_all_ports(radiusd_t)
+corenet_udp_sendrecv_all_ports(radiusd_t)
+corenet_udp_bind_generic_node(radiusd_t)
+corenet_udp_bind_radacct_port(radiusd_t)
+corenet_udp_bind_radius_port(radiusd_t)
+corenet_tcp_connect_mysqld_port(radiusd_t)
+corenet_tcp_connect_snmp_port(radiusd_t)
+corenet_sendrecv_radius_server_packets(radiusd_t)
+corenet_sendrecv_radacct_server_packets(radiusd_t)
+corenet_sendrecv_mysqld_client_packets(radiusd_t)
+corenet_sendrecv_snmp_client_packets(radiusd_t)
+# for RADIUS proxy port
+corenet_udp_bind_generic_port(radiusd_t)
+corenet_dontaudit_udp_bind_all_ports(radiusd_t)
+corenet_sendrecv_generic_server_packets(radiusd_t)
+
+dev_read_sysfs(radiusd_t)
+
+fs_getattr_all_fs(radiusd_t)
+fs_search_auto_mountpoints(radiusd_t)
+
+corecmd_exec_bin(radiusd_t)
+corecmd_exec_shell(radiusd_t)
+
+domain_use_interactive_fds(radiusd_t)
+
+files_read_usr_files(radiusd_t)
+files_read_etc_files(radiusd_t)
+files_read_etc_runtime_files(radiusd_t)
+
+auth_use_nsswitch(radiusd_t)
+auth_read_shadow(radiusd_t)
+auth_domtrans_chk_passwd(radiusd_t)
+
+libs_exec_lib_files(radiusd_t)
+
+logging_send_syslog_msg(radiusd_t)
+
+miscfiles_read_localization(radiusd_t)
+miscfiles_read_generic_certs(radiusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
+userdom_dontaudit_search_user_home_dirs(radiusd_t)
+
+optional_policy(`
+ cron_system_entry(radiusd_t, radiusd_exec_t)
+')
+
+optional_policy(`
+ logrotate_exec(radiusd_t)
+')
+
+optional_policy(`
+ mysql_read_config(radiusd_t)
+ mysql_stream_connect(radiusd_t)
+')
+
+optional_policy(`
+ samba_domtrans_winbind_helper(radiusd_t)
+ samba_read_var_files(radiusd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(radiusd_t)
+')
+
+optional_policy(`
+ udev_read_db(radiusd_t)
+')
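Review bot: sys_tty_config is both allowed in the self:capability rule and dontaudited on the following line; the dontaudit is dead once the permission is granted, so remove sys_tty_config from one of the two (every other daemon in this commit only dontaudits it). `auth_read_shadow(radiusd_t)` is a sensitive grant that deserves a why-comment on the line, e.g. `# direct /etc/shadow access for the unix auth module` if that is the reason; and since auth_domtrans_chk_passwd is granted right below it, it is worth confirming the direct shadow read is still required rather than covered by the helper transition. A similar why-comment on `libs_exec_lib_files(radiusd_t)` would help, as executing library files is unusual for a daemon.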
diff --git a/policy/modules/contrib/radvd.fc b/policy/modules/contrib/radvd.fc
new file mode 100644
index 00000000..cc98d83b
--- /dev/null
+++ b/policy/modules/contrib/radvd.fc
@@ -0,0 +1,7 @@
+/etc/radvd\.conf -- gen_context(system_u:object_r:radvd_etc_t,s0)
+/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0)
+
+/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
+
+/var/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0)
+/var/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0)
diff --git a/policy/modules/contrib/radvd.if b/policy/modules/contrib/radvd.if
new file mode 100644
index 00000000..be05bff5
--- /dev/null
+++ b/policy/modules/contrib/radvd.if
@@ -0,0 +1,39 @@
+## <summary>IPv6 router advertisement daemon</summary>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an radvd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`radvd_admin',`
+ gen_require(`
+ type radvd_t, radvd_etc_t;
+ type radvd_var_run_t, radvd_initrc_exec_t;
+ ')
+
+ allow $1 radvd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, radvd_t)
+
+ init_labeled_script_domtrans($1, radvd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 radvd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, radvd_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, radvd_var_run_t)
+')
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
new file mode 100644
index 00000000..f9a21622
--- /dev/null
+++ b/policy/modules/contrib/radvd.te
@@ -0,0 +1,82 @@
+policy_module(radvd, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+type radvd_t;
+type radvd_exec_t;
+init_daemon_domain(radvd_t, radvd_exec_t)
+
+type radvd_initrc_exec_t;
+init_script_file(radvd_initrc_exec_t)
+
+type radvd_var_run_t;
+files_pid_file(radvd_var_run_t)
+
+type radvd_etc_t;
+files_config_file(radvd_etc_t)
+
+########################################
+#
+# Local policy
+#
+allow radvd_t self:capability { kill setgid setuid net_raw net_admin };
+dontaudit radvd_t self:capability sys_tty_config;
+allow radvd_t self:process { fork signal_perms };
+allow radvd_t self:unix_dgram_socket create_socket_perms;
+allow radvd_t self:unix_stream_socket create_socket_perms;
+allow radvd_t self:rawip_socket create_socket_perms;
+allow radvd_t self:tcp_socket create_stream_socket_perms;
+allow radvd_t self:udp_socket create_socket_perms;
+allow radvd_t self:fifo_file rw_file_perms;
+
+allow radvd_t radvd_etc_t:file read_file_perms;
+
+manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t)
+manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t)
+files_pid_filetrans(radvd_t, radvd_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(radvd_t)
+kernel_rw_net_sysctls(radvd_t)
+kernel_read_network_state(radvd_t)
+kernel_read_system_state(radvd_t)
+kernel_request_load_module(radvd_t)
+
+corenet_all_recvfrom_unlabeled(radvd_t)
+corenet_all_recvfrom_netlabel(radvd_t)
+corenet_tcp_sendrecv_generic_if(radvd_t)
+corenet_udp_sendrecv_generic_if(radvd_t)
+corenet_raw_sendrecv_generic_if(radvd_t)
+corenet_tcp_sendrecv_generic_node(radvd_t)
+corenet_udp_sendrecv_generic_node(radvd_t)
+corenet_raw_sendrecv_generic_node(radvd_t)
+corenet_tcp_sendrecv_all_ports(radvd_t)
+corenet_udp_sendrecv_all_ports(radvd_t)
+
+dev_read_sysfs(radvd_t)
+
+fs_getattr_all_fs(radvd_t)
+fs_search_auto_mountpoints(radvd_t)
+
+domain_use_interactive_fds(radvd_t)
+
+files_read_etc_files(radvd_t)
+files_list_usr(radvd_t)
+
+auth_use_nsswitch(radvd_t)
+
+logging_send_syslog_msg(radvd_t)
+
+miscfiles_read_localization(radvd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(radvd_t)
+userdom_dontaudit_search_user_home_dirs(radvd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(radvd_t)
+')
+
+optional_policy(`
+ udev_read_db(radvd_t)
+')
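Review bot: `allow radvd_t self:fifo_file rw_file_perms;` uses the generic file permission set where every other domain in this commit uses `rw_fifo_file_perms`; switch it for consistency with the fifo_file macro. The capability line grants net_admin and net_raw next to `kernel_rw_net_sysctls` and `kernel_request_load_module`; a why-comment on that line (presumably raw ICMPv6 sockets for router advertisements and the IPv6 forwarding sysctl — confirm) would make the privilege visible to the next reviewer. The `fork` permission in `self:process { fork signal_perms }` is normally already provided by the base domain rules and can likely be dropped.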
diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
new file mode 100644
index 00000000..ed9c70d4
--- /dev/null
+++ b/policy/modules/contrib/raid.fc
@@ -0,0 +1,6 @@
+/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
+
+/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+
+/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
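Review bot: `/dev/.mdadm.map` leaves both dots unescaped, so they are regex wildcards matching any character in those positions; every other entry in this series escapes literal dots (`radvd\.conf`, `radiusd\.pid`). Change the line to `/dev/\.mdadm\.map -- gen_context(system_u:object_r:mdadm_map_t,s0)`.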
diff --git a/policy/modules/contrib/raid.if b/policy/modules/contrib/raid.if
new file mode 100644
index 00000000..b1a85b51
--- /dev/null
+++ b/policy/modules/contrib/raid.if
@@ -0,0 +1,75 @@
+## <summary>RAID array management tools</summary>
+
+########################################
+## <summary>
+## Execute software raid tools in the mdadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`raid_domtrans_mdadm',`
+ gen_require(`
+ type mdadm_t, mdadm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mdadm_exec_t, mdadm_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to mdadm_t for the
+## specified role, allowing it to use the mdadm_t
+## domain
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed to access mdadm_t domain
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition to mdadm_t
+## </summary>
+## </param>
+#
+interface(`raid_run_mdadm',`
+ gen_require(`
+ type mdadm_t;
+ ')
+
+ role $1 types mdadm_t;
+ raid_domtrans_mdadm($2)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the mdadm pid files.
+## </summary>
+## <desc>
+## <p>
+## Create, read, write, and delete the mdadm pid files.
+## </p>
+## <p>
+## Added for use in the init module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`raid_manage_mdadm_pid',`
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
+
+ # FIXME: maybe should have a type_transition. not
+ # clear what this is doing, from the original
+ # mdadm policy
+ allow $1 mdadm_var_run_t:file manage_file_perms;
+')
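Review bot: raid_run_mdadm takes its parameters as (role, domain), the reverse of quota_run in this same commit, which takes (domain, role) for the same purpose; callers copying one signature to the other will silently swap the arguments, so aligning the order (domain first) before this interface gains users is worth doing. raid_manage_mdadm_pid grants manage_file_perms on mdadm_var_run_t but no `files_search_pids($1)`, unlike qpidd_read_pid_files, so a caller without its own /var/run search access cannot reach the files; if that is intentional, the existing FIXME comment should say so.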
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
new file mode 100644
index 00000000..458d42ec
--- /dev/null
+++ b/policy/modules/contrib/raid.te
@@ -0,0 +1,102 @@
+policy_module(raid, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type mdadm_t;
+type mdadm_exec_t;
+init_daemon_domain(mdadm_t, mdadm_exec_t)
+role system_r types mdadm_t;
+
+type mdadm_map_t;
+files_type(mdadm_map_t)
+
+type mdadm_var_run_t;
+files_pid_file(mdadm_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+dontaudit mdadm_t self:capability sys_tty_config;
+allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
+allow mdadm_t self:fifo_file rw_fifo_file_perms;
+
+# create .mdadm files in /dev
+allow mdadm_t mdadm_map_t:file manage_file_perms;
+dev_filetrans(mdadm_t, mdadm_map_t, file)
+
+manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
+
+kernel_read_system_state(mdadm_t)
+kernel_read_kernel_sysctls(mdadm_t)
+kernel_rw_software_raid_state(mdadm_t)
+kernel_getattr_core_if(mdadm_t)
+
+# Helper program access
+corecmd_exec_bin(mdadm_t)
+corecmd_exec_shell(mdadm_t)
+
+dev_rw_sysfs(mdadm_t)
+# Ignore attempts to read every device file
+dev_dontaudit_getattr_all_blk_files(mdadm_t)
+dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_dontaudit_getattr_generic_files(mdadm_t)
+dev_dontaudit_getattr_generic_chr_files(mdadm_t)
+dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+dev_read_realtime_clock(mdadm_t)
+# unfortunately needed for DMI decoding:
+dev_read_raw_memory(mdadm_t)
+
+domain_use_interactive_fds(mdadm_t)
+
+files_read_etc_files(mdadm_t)
+files_read_etc_runtime_files(mdadm_t)
+files_dontaudit_getattr_all_files(mdadm_t)
+
+fs_search_auto_mountpoints(mdadm_t)
+fs_dontaudit_list_tmpfs(mdadm_t)
+
+mls_file_read_all_levels(mdadm_t)
+mls_file_write_all_levels(mdadm_t)
+
+# RAID block device access
+storage_manage_fixed_disk(mdadm_t)
+storage_dev_filetrans_fixed_disk(mdadm_t)
+storage_read_scsi_generic(mdadm_t)
+
+term_dontaudit_list_ptys(mdadm_t)
+term_dontaudit_use_unallocated_ttys(mdadm_t)
+
+init_dontaudit_getattr_initctl(mdadm_t)
+
+logging_send_syslog_msg(mdadm_t)
+
+miscfiles_read_localization(mdadm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
+userdom_dontaudit_search_user_home_content(mdadm_t)
+userdom_dontaudit_use_user_terminals(mdadm_t)
+
+mta_send_mail(mdadm_t)
+
+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(mdadm_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(mdadm_t)
+')
+
+optional_policy(`
+ udev_read_db(mdadm_t)
+')
+
+optional_policy(`
+ unconfined_domain(mdadm_t)
+')
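Review bot: the optional_policy block `unconfined_domain(mdadm_t)` makes every rule above it moot on systems that build the unconfined module, since mdadm_t then receives the unconfined permissions wholesale; if this is a deliberate stop-gap, a comment stating why and which denials it papers over is needed, otherwise it should be dropped. `mta_send_mail(mdadm_t)` is the only cross-module call here outside an optional_policy block; if mta is an optional module in this tree, wrap it like the others so raid still builds without it. The why-comment on `dev_read_raw_memory` is the right model for both.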
diff --git a/policy/modules/contrib/razor.fc b/policy/modules/contrib/razor.fc
new file mode 100644
index 00000000..1efba0c0
--- /dev/null
+++ b/policy/modules/contrib/razor.fc
@@ -0,0 +1,8 @@
+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+
+/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
+
+/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
+
+/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
+/var/log/razor-agent\.log -- gen_context(system_u:object_r:razor_log_t,s0)
diff --git a/policy/modules/contrib/razor.if b/policy/modules/contrib/razor.if
new file mode 100644
index 00000000..f04a5950
--- /dev/null
+++ b/policy/modules/contrib/razor.if
@@ -0,0 +1,159 @@
+## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
+## <desc>
+## <p>
+## A distributed, collaborative, spam detection and filtering network.
+## </p>
+## <p>
+## This policy will work with either the ATrpms provided config
+## file in /etc/razor, or with the default of dumping everything into
+## $HOME/.razor.
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## Template to create types and rules common to
+## all razor domains.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`razor_common_domain_template',`
+ gen_require(`
+ type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
+ ')
+ type $1_t;
+ domain_type($1_t)
+ domain_entry_file($1_t, razor_exec_t)
+
+ allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_t self:fd use;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:unix_dgram_socket sendto;
+ allow $1_t self:unix_stream_socket connectto;
+ allow $1_t self:shm create_shm_perms;
+ allow $1_t self:sem create_sem_perms;
+ allow $1_t self:msgq create_msgq_perms;
+ allow $1_t self:msg { send receive };
+ allow $1_t self:tcp_socket create_socket_perms;
+
+ # Read system config file
+ allow $1_t razor_etc_t:dir list_dir_perms;
+ allow $1_t razor_etc_t:file read_file_perms;
+ allow $1_t razor_etc_t:lnk_file { getattr read };
+
+ manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
+ manage_files_pattern($1_t, razor_log_t, razor_log_t)
+ manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
+ logging_log_filetrans($1_t, razor_log_t, file)
+
+ manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ files_search_var_lib($1_t)
+
+ # Razor is one executable and several symlinks
+ allow $1_t razor_exec_t:file read_file_perms;
+ allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
+
+ kernel_read_system_state($1_t)
+ kernel_read_network_state($1_t)
+ kernel_read_software_raid_state($1_t)
+ kernel_getattr_core_if($1_t)
+ kernel_getattr_message_if($1_t)
+ kernel_read_kernel_sysctls($1_t)
+
+ corecmd_exec_bin($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_raw_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_generic_node($1_t)
+ corenet_raw_sendrecv_generic_node($1_t)
+ corenet_tcp_sendrecv_razor_port($1_t)
+
+ # mktemp and other randoms
+ dev_read_rand($1_t)
+ dev_read_urand($1_t)
+
+ files_search_pids($1_t)
+ # Allow access to various files in the /etc/directory including mtab
+ # and nsswitch
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+
+ fs_search_auto_mountpoints($1_t)
+
+ libs_read_lib_files($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ sysnet_read_config($1_t)
+ sysnet_dns_name_resolve($1_t)
+
+ optional_policy(`
+ nis_use_ypbind($1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for razor
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`razor_role',`
+ gen_require(`
+ type razor_t, razor_exec_t, razor_home_t;
+ ')
+
+ role $1 types razor_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, razor_exec_t, razor_t)
+
+ # allow ps to show razor and allow the user to kill it
+ ps_process_pattern($2, razor_t)
+ allow $2 razor_t:process signal;
+
+ manage_dirs_pattern($2, razor_home_t, razor_home_t)
+ manage_files_pattern($2, razor_home_t, razor_home_t)
+ manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
+ relabel_dirs_pattern($2, razor_home_t, razor_home_t)
+ relabel_files_pattern($2, razor_home_t, razor_home_t)
+ relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
+')
+
+########################################
+## <summary>
+## Execute razor in the system razor domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`razor_domtrans',`
+ gen_require(`
+ type razor_t, razor_exec_t;
+ ')
+
+ domtrans_pattern($1, razor_exec_t, razor_t)
+')
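Review bot: the template's `allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` uses a complement set, which silently grants any process permission added to the policy later; the other domains in this commit enumerate their process permissions, and this one should too, listing only what audit results show razor needs. `kernel_read_software_raid_state($1_t)` and `kernel_getattr_message_if($1_t)` are unusual for a spam-filter client and deserve a why-comment or removal. The `<desc>` at the top of the file mentions the ATrpms config in /etc/razor, so documenting in the template which rules exist only for that layout would help trim it later.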
diff --git a/policy/modules/contrib/razor.te b/policy/modules/contrib/razor.te
new file mode 100644
index 00000000..9353d5eb
--- /dev/null
+++ b/policy/modules/contrib/razor.te
@@ -0,0 +1,121 @@
+policy_module(razor, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type razor_exec_t;
+corecmd_executable_file(razor_exec_t)
+
+type razor_etc_t;
+files_config_file(razor_etc_t)
+
+type razor_home_t;
+typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+userdom_user_home_content(razor_home_t)
+
+type razor_log_t;
+logging_log_file(razor_log_t)
+
+type razor_tmp_t;
+typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+userdom_user_tmp_file(razor_tmp_t)
+
+type razor_var_lib_t;
+files_type(razor_var_lib_t)
+
+# these are here due to ordering issues:
+razor_common_domain_template(razor)
+typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+userdom_user_application_type(razor_t)
+
+razor_common_domain_template(system_razor)
+role system_r types system_razor_t;
+
+########################################
+#
+# System razor local policy
+#
+
+# this version of razor is invoked typically
+# via the system spam filter
+
+allow system_razor_t self:tcp_socket create_socket_perms;
+
+manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+files_search_etc(system_razor_t)
+
+allow system_razor_t razor_log_t:file manage_file_perms;
+logging_log_filetrans(system_razor_t, razor_log_t, file)
+
+manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
+
+corenet_all_recvfrom_unlabeled(system_razor_t)
+corenet_all_recvfrom_netlabel(system_razor_t)
+corenet_tcp_sendrecv_generic_if(system_razor_t)
+corenet_raw_sendrecv_generic_if(system_razor_t)
+corenet_tcp_sendrecv_generic_node(system_razor_t)
+corenet_raw_sendrecv_generic_node(system_razor_t)
+corenet_tcp_sendrecv_razor_port(system_razor_t)
+corenet_tcp_connect_razor_port(system_razor_t)
+corenet_sendrecv_razor_client_packets(system_razor_t)
+
+sysnet_read_config(system_razor_t)
+
+# cjp: this shouldn't be needed
+userdom_use_unpriv_users_fds(system_razor_t)
+
+optional_policy(`
+ logging_send_syslog_msg(system_razor_t)
+')
+
+optional_policy(`
+ nscd_socket_use(system_razor_t)
+')
+
+########################################
+#
+# User razor local policy
+#
+
+# Allow razor to be run by hand. Needed by any action other than
+# invocation from a spam filter.
+
+allow razor_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+
+manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+
+logging_send_syslog_msg(razor_t)
+
+userdom_search_user_home_dirs(razor_t)
+userdom_use_user_terminals(razor_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(razor_t)
+ fs_manage_nfs_files(razor_t)
+ fs_manage_nfs_symlinks(razor_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(razor_t)
+ fs_manage_cifs_files(razor_t)
+ fs_manage_cifs_symlinks(razor_t)
+')
+
+optional_policy(`
+ nscd_socket_use(razor_t)
+')
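Review bot: `userdom_use_unpriv_users_fds(system_razor_t)` under the `# cjp: this shouldn't be needed` comment grants the system spam-filter helper use of every unprivileged user's inherited descriptors, while the sibling daemons added in this same commit (rdisc, readahead, resmgrd) handle the same leaked-fd noise with `userdom_dontaudit_use_unpriv_user_fds`. Unless the razor agent really does read from a user's descriptor when invoked from the MTA pipeline (which the comment itself doubts), the least-privilege form is `userdom_dontaudit_use_unpriv_user_fds(system_razor_t)`. Separately, `corenet_raw_sendrecv_generic_if` and `corenet_raw_sendrecv_generic_node` are granted to system_razor_t but no `self:rawip_socket` rule appears in this file, so those two lines look dead unless the common template cut off above supplies one — confirm and drop them if it does not.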
diff --git a/policy/modules/contrib/rdisc.fc b/policy/modules/contrib/rdisc.fc
new file mode 100644
index 00000000..dee4adcd
--- /dev/null
+++ b/policy/modules/contrib/rdisc.fc
@@ -0,0 +1,2 @@
+
+/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/policy/modules/contrib/rdisc.if b/policy/modules/contrib/rdisc.if
new file mode 100644
index 00000000..fe24d25d
--- /dev/null
+++ b/policy/modules/contrib/rdisc.if
@@ -0,0 +1,20 @@
+## <summary>Network router discovery daemon</summary>
+
+######################################
+## <summary>
+## Execute rdisc in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rdisc_exec',`
+ gen_require(`
+ type rdisc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rdisc_exec_t)
+')
diff --git a/policy/modules/contrib/rdisc.te b/policy/modules/contrib/rdisc.te
new file mode 100644
index 00000000..0f076850
--- /dev/null
+++ b/policy/modules/contrib/rdisc.te
@@ -0,0 +1,58 @@
+policy_module(rdisc, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type rdisc_t;
+type rdisc_exec_t;
+init_daemon_domain(rdisc_t, rdisc_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rdisc_t self:capability net_raw;
+dontaudit rdisc_t self:capability sys_tty_config;
+allow rdisc_t self:process signal_perms;
+allow rdisc_t self:unix_stream_socket create_stream_socket_perms;
+allow rdisc_t self:udp_socket create_socket_perms;
+allow rdisc_t self:rawip_socket create_socket_perms;
+
+kernel_list_proc(rdisc_t)
+kernel_read_proc_symlinks(rdisc_t)
+kernel_read_kernel_sysctls(rdisc_t)
+
+corenet_all_recvfrom_unlabeled(rdisc_t)
+corenet_all_recvfrom_netlabel(rdisc_t)
+corenet_udp_sendrecv_generic_if(rdisc_t)
+corenet_raw_sendrecv_generic_if(rdisc_t)
+corenet_udp_sendrecv_generic_node(rdisc_t)
+corenet_raw_sendrecv_generic_node(rdisc_t)
+corenet_udp_sendrecv_all_ports(rdisc_t)
+
+dev_read_sysfs(rdisc_t)
+
+fs_search_auto_mountpoints(rdisc_t)
+
+domain_use_interactive_fds(rdisc_t)
+
+files_read_etc_files(rdisc_t)
+
+logging_send_syslog_msg(rdisc_t)
+
+miscfiles_read_localization(rdisc_t)
+
+sysnet_read_config(rdisc_t)
+
+userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(rdisc_t)
+')
+
+optional_policy(`
+ udev_read_db(rdisc_t)
+')
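Review bot: `corenet_udp_sendrecv_all_ports(rdisc_t)` grants send/receive on every UDP port, which is broader than router discovery needs, since the solicitations and advertisements themselves travel over the raw ICMP socket permitted by `allow rdisc_t self:rawip_socket create_socket_perms;` earlier in the hunk. In the iputils implementation the UDP socket is, as far as I can tell, opened only to issue interface ioctls, which `self:udp_socket create_socket_perms` already covers without any port rule; if a run with that line removed produces no denials, drop it. If it is kept, a why-comment such as `# udp socket is only used for interface ioctls` next to the socket rule would at least record the intent for the next reader.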
diff --git a/policy/modules/contrib/readahead.fc b/policy/modules/contrib/readahead.fc
new file mode 100644
index 00000000..70774134
--- /dev/null
+++ b/policy/modules/contrib/readahead.fc
@@ -0,0 +1,3 @@
+/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
diff --git a/policy/modules/contrib/readahead.if b/policy/modules/contrib/readahead.if
new file mode 100644
index 00000000..47c4723c
--- /dev/null
+++ b/policy/modules/contrib/readahead.if
@@ -0,0 +1 @@
+## <summary>Readahead, read files into page cache for improved performance</summary>
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
new file mode 100644
index 00000000..b4ac57e2
--- /dev/null
+++ b/policy/modules/contrib/readahead.te
@@ -0,0 +1,101 @@
+policy_module(readahead, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type readahead_t;
+type readahead_exec_t;
+init_daemon_domain(readahead_t, readahead_exec_t)
+application_domain(readahead_t, readahead_exec_t)
+
+type readahead_var_lib_t;
+files_type(readahead_var_lib_t)
+typealias readahead_var_lib_t alias readahead_etc_rw_t;
+
+type readahead_var_run_t;
+files_pid_file(readahead_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow readahead_t self:capability { fowner dac_override dac_read_search };
+dontaudit readahead_t self:capability { net_admin sys_tty_config };
+allow readahead_t self:process { setsched signal_perms };
+
+manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
+manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
+files_search_var_lib(readahead_t)
+
+manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
+files_pid_filetrans(readahead_t, readahead_var_run_t, file)
+
+kernel_read_all_sysctls(readahead_t)
+kernel_read_system_state(readahead_t)
+kernel_dontaudit_getattr_core_if(readahead_t)
+
+dev_read_sysfs(readahead_t)
+dev_getattr_generic_chr_files(readahead_t)
+dev_getattr_generic_blk_files(readahead_t)
+dev_getattr_all_chr_files(readahead_t)
+dev_getattr_all_blk_files(readahead_t)
+dev_dontaudit_read_all_blk_files(readahead_t)
+dev_dontaudit_getattr_memory_dev(readahead_t)
+dev_dontaudit_getattr_nvram_dev(readahead_t)
+# Early devtmpfs, before udev relabel
+dev_dontaudit_rw_generic_chr_files(readahead_t)
+
+domain_use_interactive_fds(readahead_t)
+domain_read_all_domains_state(readahead_t)
+
+files_list_non_security(readahead_t)
+files_read_non_security_files(readahead_t)
+files_create_boot_flag(readahead_t)
+files_getattr_all_pipes(readahead_t)
+files_dontaudit_getattr_all_sockets(readahead_t)
+files_dontaudit_getattr_non_security_blk_files(readahead_t)
+
+fs_getattr_all_fs(readahead_t)
+fs_search_auto_mountpoints(readahead_t)
+fs_getattr_all_pipes(readahead_t)
+fs_getattr_all_files(readahead_t)
+fs_read_cgroup_files(readahead_t)
+fs_read_tmpfs_files(readahead_t)
+fs_read_tmpfs_symlinks(readahead_t)
+fs_list_inotifyfs(readahead_t)
+fs_dontaudit_search_ramfs(readahead_t)
+fs_dontaudit_read_ramfs_pipes(readahead_t)
+fs_dontaudit_read_ramfs_files(readahead_t)
+fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
+
+mls_file_read_all_levels(readahead_t)
+
+storage_raw_read_fixed_disk(readahead_t)
+
+term_dontaudit_use_console(readahead_t)
+
+auth_dontaudit_read_shadow(readahead_t)
+
+init_use_fds(readahead_t)
+init_use_script_ptys(readahead_t)
+init_getattr_initctl(readahead_t)
+
+logging_send_syslog_msg(readahead_t)
+logging_set_audit_parameters(readahead_t)
+logging_dontaudit_search_audit_config(readahead_t)
+
+miscfiles_read_localization(readahead_t)
+
+userdom_dontaudit_use_unpriv_user_fds(readahead_t)
+userdom_dontaudit_search_user_home_dirs(readahead_t)
+
+optional_policy(`
+ cron_system_entry(readahead_t, readahead_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(readahead_t)
+')
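Review bot: `logging_set_audit_parameters(readahead_t)` hands a boot-time page-cache warmer the ability to change the kernel audit configuration, and nothing in the hunk says why a readahead daemon needs that. If this is for a collector mode that installs temporary audit rules to record which files are opened during boot (the `readahead.*` pattern in the .fc hunk hints at more than one binary but does not prove it), the rule deserves a comment to that effect, e.g. `# collector mode configures kernel audit rules to trace boot-time file opens` — otherwise it should be removed. The same applies to `storage_raw_read_fixed_disk(readahead_t)` a few lines above: raw block-device read lets the domain read every byte of the disk, including the shadow file that the adjacent `auth_dontaudit_read_shadow` is there to keep quiet about, so it too needs a stated justification or removal.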
diff --git a/policy/modules/contrib/remotelogin.fc b/policy/modules/contrib/remotelogin.fc
new file mode 100644
index 00000000..d8691bd1
--- /dev/null
+++ b/policy/modules/contrib/remotelogin.fc
@@ -0,0 +1,2 @@
+
+# Remote login currently has no file contexts.
diff --git a/policy/modules/contrib/remotelogin.if b/policy/modules/contrib/remotelogin.if
new file mode 100644
index 00000000..31be9714
--- /dev/null
+++ b/policy/modules/contrib/remotelogin.if
@@ -0,0 +1,37 @@
+## <summary>Policy for rshd, rlogind, and telnetd.</summary>
+
+########################################
+## <summary>
+## Domain transition to the remote login domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`remotelogin_domtrans',`
+ gen_require(`
+ type remote_login_t;
+ ')
+
+ auth_domtrans_login_program($1, remote_login_t)
+')
+
+########################################
+## <summary>
+## allow Domain to signal remote login domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`remotelogin_signal',`
+ gen_require(`
+ type remote_login_t;
+ ')
+
+ allow $1 remote_login_t:process signal;
+')
diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te
new file mode 100644
index 00000000..0a760273
--- /dev/null
+++ b/policy/modules/contrib/remotelogin.te
@@ -0,0 +1,123 @@
+policy_module(remotelogin, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type remote_login_t;
+domain_interactive_fd(remote_login_t)
+auth_login_pgm_domain(remote_login_t)
+auth_login_entry_type(remote_login_t)
+
+type remote_login_tmp_t;
+files_tmp_file(remote_login_tmp_t)
+
+########################################
+#
+# Remote login remote policy
+#
+
+allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow remote_login_t self:process { setrlimit setexec };
+allow remote_login_t self:fd use;
+allow remote_login_t self:fifo_file rw_fifo_file_perms;
+allow remote_login_t self:sock_file read_sock_file_perms;
+allow remote_login_t self:unix_dgram_socket create_socket_perms;
+allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
+allow remote_login_t self:unix_dgram_socket sendto;
+allow remote_login_t self:unix_stream_socket connectto;
+allow remote_login_t self:shm create_shm_perms;
+allow remote_login_t self:sem create_sem_perms;
+allow remote_login_t self:msgq create_msgq_perms;
+allow remote_login_t self:msg { send receive };
+allow remote_login_t self:key write;
+
+manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
+
+kernel_read_system_state(remote_login_t)
+kernel_read_kernel_sysctls(remote_login_t)
+
+dev_getattr_mouse_dev(remote_login_t)
+dev_setattr_mouse_dev(remote_login_t)
+dev_dontaudit_search_sysfs(remote_login_t)
+
+fs_getattr_xattr_fs(remote_login_t)
+fs_search_auto_mountpoints(remote_login_t)
+
+term_relabel_all_ptys(remote_login_t)
+
+auth_rw_login_records(remote_login_t)
+auth_rw_faillog(remote_login_t)
+auth_manage_pam_console_data(remote_login_t)
+auth_domtrans_pam_console(remote_login_t)
+
+corecmd_list_bin(remote_login_t)
+corecmd_read_bin_symlinks(remote_login_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(remote_login_t)
+corecmd_read_bin_pipes(remote_login_t)
+corecmd_read_bin_sockets(remote_login_t)
+
+domain_read_all_entry_files(remote_login_t)
+
+files_read_etc_files(remote_login_t)
+files_read_etc_runtime_files(remote_login_t)
+files_list_home(remote_login_t)
+files_read_usr_files(remote_login_t)
+files_list_world_readable(remote_login_t)
+files_read_world_readable_files(remote_login_t)
+files_read_world_readable_symlinks(remote_login_t)
+files_read_world_readable_pipes(remote_login_t)
+files_read_world_readable_sockets(remote_login_t)
+files_list_mnt(remote_login_t)
+# for when /var/mail is a sym-link
+files_read_var_symlinks(remote_login_t)
+
+sysnet_dns_name_resolve(remote_login_t)
+
+miscfiles_read_localization(remote_login_t)
+
+userdom_use_unpriv_users_fds(remote_login_t)
+userdom_search_user_home_content(remote_login_t)
+# Only permit unprivileged user domains to be entered via rlogin,
+# since very weak authentication is used.
+userdom_signal_unpriv_users(remote_login_t)
+userdom_spec_domtrans_unpriv_users(remote_login_t)
+
+# Search for mail spool file.
+mta_getattr_spool(remote_login_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(remote_login_t)
+ fs_read_nfs_symlinks(remote_login_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(remote_login_t)
+ fs_read_cifs_symlinks(remote_login_t)
+')
+
+optional_policy(`
+ alsa_domtrans(remote_login_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(remote_login_t)
+')
+
+optional_policy(`
+ nscd_socket_use(remote_login_t)
+')
+
+optional_policy(`
+ unconfined_domain(remote_login_t)
+ unconfined_shell_domtrans(remote_login_t)
+')
+
+optional_policy(`
+ usermanage_read_crack_db(remote_login_t)
+')
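Review bot: The comment `# Only permit unprivileged user domains to be entered via rlogin, since very weak authentication is used` is contradicted by the optional block near the end of the hunk, where `unconfined_domain(remote_login_t)` and `unconfined_shell_domtrans(remote_login_t)` make the rlogin/telnet login domain itself unconfined and let it spawn an unconfined shell whenever the unconfined module is loaded. That is exactly the privileged entry the comment says is excluded; either drop that block, gate it behind a tunable that defaults to off, or at minimum extend the comment to say the restriction only holds when the unconfined module is absent. A smaller tidy-up: `allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` excludes setrlimit and setexec and the very next line adds them back; remove those two names from the exclusion set and delete `allow remote_login_t self:process { setrlimit setexec };` so the intended permission set is readable in one place.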
diff --git a/policy/modules/contrib/resmgr.fc b/policy/modules/contrib/resmgr.fc
new file mode 100644
index 00000000..af810b94
--- /dev/null
+++ b/policy/modules/contrib/resmgr.fc
@@ -0,0 +1,7 @@
+
+/etc/resmgr\.conf -- gen_context(system_u:object_r:resmgrd_etc_t,s0)
+
+/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
+
+/var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+/var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0)
diff --git a/policy/modules/contrib/resmgr.if b/policy/modules/contrib/resmgr.if
new file mode 100644
index 00000000..d457736d
--- /dev/null
+++ b/policy/modules/contrib/resmgr.if
@@ -0,0 +1,22 @@
+## <summary>Resource management daemon</summary>
+
+########################################
+## <summary>
+## Connect to resmgrd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`resmgr_stream_connect',`
+ gen_require(`
+ type resmgrd_var_run_t, resmgrd_t;
+ ')
+
+ allow $1 resmgrd_t:unix_stream_socket connectto;
+ allow $1 resmgrd_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
+')
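Review bot: `resmgr_stream_connect` hand-rolls the socket connect with `allow $1 resmgrd_var_run_t:sock_file { getattr write };` plus a separate connectto rule, while the sibling `rgmanager_stream_connect` added in this same commit uses the refpolicy macro; for consistency, and so that future changes to the connect permission set are picked up automatically, replace the two allow lines with `stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)`. The socket lives directly in /var/run according to the .fc hunk, so `files_search_pids($1)` remains the right directory search to keep.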
diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te
new file mode 100644
index 00000000..bf5efbff
--- /dev/null
+++ b/policy/modules/contrib/resmgr.te
@@ -0,0 +1,66 @@
+policy_module(resmgr, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type resmgrd_t;
+type resmgrd_exec_t;
+init_daemon_domain(resmgrd_t, resmgrd_exec_t)
+
+type resmgrd_etc_t;
+files_config_file(resmgrd_etc_t)
+
+type resmgrd_var_run_t;
+files_pid_file(resmgrd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
+dontaudit resmgrd_t self:capability sys_tty_config;
+allow resmgrd_t self:process signal_perms;
+
+allow resmgrd_t resmgrd_etc_t:file read_file_perms;
+files_search_etc(resmgrd_t)
+
+allow resmgrd_t resmgrd_var_run_t:file manage_file_perms;
+allow resmgrd_t resmgrd_var_run_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(resmgrd_t, resmgrd_var_run_t, { file sock_file })
+
+kernel_list_proc(resmgrd_t)
+kernel_read_proc_symlinks(resmgrd_t)
+kernel_read_kernel_sysctls(resmgrd_t)
+
+dev_read_sysfs(resmgrd_t)
+dev_getattr_scanner_dev(resmgrd_t)
+
+domain_use_interactive_fds(resmgrd_t)
+
+files_read_etc_files(resmgrd_t)
+
+fs_search_auto_mountpoints(resmgrd_t)
+
+storage_dontaudit_read_fixed_disk(resmgrd_t)
+storage_read_scsi_generic(resmgrd_t)
+storage_raw_read_removable_device(resmgrd_t)
+# not sure if it needs write access, needs to be investigated further...
+storage_write_scsi_generic(resmgrd_t)
+storage_raw_write_removable_device(resmgrd_t)
+
+logging_send_syslog_msg(resmgrd_t)
+
+miscfiles_read_localization(resmgrd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(resmgrd_t)
+')
+
+optional_policy(`
+ udev_read_db(resmgrd_t)
+')
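Review bot: The comment `# not sure if it needs write access, needs to be investigated further...` leaves `storage_write_scsi_generic(resmgrd_t)` and `storage_raw_write_removable_device(resmgrd_t)` as admittedly unverified grants, and together with `sys_rawio` in the capability set they let the daemon issue arbitrary SCSI commands and write raw sectors on removable media. Since a resource-management daemon that brokers device access for users may well need read-write handles, the grant is plausible, but the hunk should not carry an open question: confirm it from audit output and rewrite the comment to state the reason (e.g. `# resmgrd opens removable devices read-write before handing them to clients`), or drop the two write rules until that is confirmed.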
diff --git a/policy/modules/contrib/rgmanager.fc b/policy/modules/contrib/rgmanager.fc
new file mode 100644
index 00000000..3c97ef04
--- /dev/null
+++ b/policy/modules/contrib/rgmanager.fc
@@ -0,0 +1,7 @@
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+
+/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/policy/modules/contrib/rgmanager.if b/policy/modules/contrib/rgmanager.if
new file mode 100644
index 00000000..7dc38d15
--- /dev/null
+++ b/policy/modules/contrib/rgmanager.if
@@ -0,0 +1,77 @@
+## <summary>rgmanager - Resource Group Manager</summary>
+
+#######################################
+## <summary>
+## Execute a domain transition to run rgmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rgmanager_domtrans',`
+ gen_require(`
+ type rgmanager_t, rgmanager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)
+')
+
+########################################
+## <summary>
+## Connect to rgmanager over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_stream_connect',`
+ gen_require(`
+ type rgmanager_t, rgmanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
+')
+
+######################################
+## <summary>
+## Allow manage rgmanager tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_manage_tmp_files',`
+ gen_require(`
+ type rgmanager_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+')
+
+######################################
+## <summary>
+## Allow manage rgmanager tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_manage_tmpfs_files',`
+ gen_require(`
+ type rgmanager_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+')
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
new file mode 100644
index 00000000..c5370009
--- /dev/null
+++ b/policy/modules/contrib/rgmanager.te
@@ -0,0 +1,202 @@
+policy_module(rgmanager, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow rgmanager domain to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(rgmanager_can_network_connect, false)
+
+type rgmanager_t;
+type rgmanager_exec_t;
+domain_type(rgmanager_t)
+init_daemon_domain(rgmanager_t, rgmanager_exec_t)
+
+type rgmanager_tmp_t;
+files_tmp_file(rgmanager_tmp_t)
+
+type rgmanager_tmpfs_t;
+files_tmpfs_file(rgmanager_tmpfs_t)
+
+type rgmanager_var_log_t;
+logging_log_file(rgmanager_var_log_t)
+
+type rgmanager_var_run_t;
+files_pid_file(rgmanager_var_run_t)
+
+########################################
+#
+# rgmanager local policy
+#
+
+allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+dontaudit rgmanager_t self:capability { sys_ptrace };
+allow rgmanager_t self:process { setsched signal };
+dontaudit rgmanager_t self:process { ptrace };
+
+allow rgmanager_t self:fifo_file rw_fifo_file_perms;
+allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
+allow rgmanager_t self:unix_dgram_socket create_socket_perms;
+allow rgmanager_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
+
+manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
+
+manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
+logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
+
+manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(rgmanager_t)
+kernel_read_system_state(rgmanager_t)
+kernel_rw_rpc_sysctls(rgmanager_t)
+kernel_search_debugfs(rgmanager_t)
+kernel_search_network_state(rgmanager_t)
+
+corecmd_exec_bin(rgmanager_t)
+corecmd_exec_shell(rgmanager_t)
+consoletype_exec(rgmanager_t)
+
+# need to write to /dev/misc/dlm-control
+dev_rw_dlm_control(rgmanager_t)
+dev_setattr_dlm_control(rgmanager_t)
+dev_search_sysfs(rgmanager_t)
+
+domain_read_all_domains_state(rgmanager_t)
+domain_getattr_all_domains(rgmanager_t)
+domain_dontaudit_ptrace_all_domains(rgmanager_t)
+
+files_list_all(rgmanager_t)
+files_getattr_all_symlinks(rgmanager_t)
+files_manage_mnt_dirs(rgmanager_t)
+files_manage_isid_type_dirs(rgmanager_t)
+
+fs_getattr_xattr_fs(rgmanager_t)
+fs_getattr_all_fs(rgmanager_t)
+
+storage_getattr_fixed_disk_dev(rgmanager_t)
+
+term_getattr_pty_fs(rgmanager_t)
+#term_use_ptmx(rgmanager_t)
+
+# needed by resources scripts
+auth_read_all_files_except_auth_files(rgmanager_t)
+auth_dontaudit_getattr_shadow(rgmanager_t)
+auth_use_nsswitch(rgmanager_t)
+
+logging_send_syslog_msg(rgmanager_t)
+
+miscfiles_read_localization(rgmanager_t)
+
+mount_domtrans(rgmanager_t)
+
+tunable_policy(`rgmanager_can_network_connect',`
+ corenet_tcp_connect_all_ports(rgmanager_t)
+')
+
+# rgmanager can run resource scripts
+optional_policy(`
+ aisexec_stream_connect(rgmanager_t)
+ corosync_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ apache_domtrans(rgmanager_t)
+ apache_signal(rgmanager_t)
+')
+
+optional_policy(`
+ fstools_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ rhcs_stream_connect_groupd(rgmanager_t)
+')
+
+optional_policy(`
+ hostname_exec(rgmanager_t)
+')
+
+optional_policy(`
+ ccs_manage_config(rgmanager_t)
+ ccs_stream_connect(rgmanager_t)
+ rhcs_stream_connect_gfs_controld(rgmanager_t)
+')
+
+optional_policy(`
+ lvm_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ mysql_domtrans_mysql_safe(rgmanager_t)
+ mysql_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ netutils_domtrans(rgmanager_t)
+ netutils_domtrans_ping(rgmanager_t)
+')
+
+optional_policy(`
+ postgresql_domtrans(rgmanager_t)
+ postgresql_signal(rgmanager_t)
+')
+
+optional_policy(`
+ rdisc_exec(rgmanager_t)
+')
+
+optional_policy(`
+ ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
+')
+
+optional_policy(`
+ rpc_initrc_domtrans_nfsd(rgmanager_t)
+ rpc_initrc_domtrans_rpcd(rgmanager_t)
+
+ rpc_domtrans_nfsd(rgmanager_t)
+ rpc_domtrans_rpcd(rgmanager_t)
+ rpc_manage_nfs_state_data(rgmanager_t)
+')
+
+optional_policy(`
+ samba_initrc_domtrans(rgmanager_t)
+ samba_domtrans_smbd(rgmanager_t)
+ samba_domtrans_nmbd(rgmanager_t)
+ samba_manage_var_files(rgmanager_t)
+ samba_rw_config(rgmanager_t)
+ samba_signal_smbd(rgmanager_t)
+ samba_signal_nmbd(rgmanager_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(rgmanager_t)
+')
+
+optional_policy(`
+ udev_read_db(rgmanager_t)
+')
+
+optional_policy(`
+ virt_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ unconfined_domain(rgmanager_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(rgmanager_t)
+')
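Review bot: The final optional block `unconfined_domain(rgmanager_t)` makes rgmanager_t unconfined on any system where the unconfined module is loaded, which silently overrides everything else in this file — in particular the `rgmanager_can_network_connect` tunable declared at the top, whose default of false then only has effect on systems without that module. If the resource scripts genuinely need unconfined access on some deployments, put it behind its own tunable (e.g. `gen_tunable(rgmanager_unconfined, false)` wrapping the `unconfined_domain(rgmanager_t)` call) and mention the interaction in both tunables' `<desc>` blocks; otherwise remove it and let the per-service domtrans rules above do the work. At minimum the network tunable's description should say it is a no-op while rgmanager_t is unconfined.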
diff --git a/policy/modules/contrib/rhcs.fc b/policy/modules/contrib/rhcs.fc
new file mode 100644
index 00000000..c2ba53b3
--- /dev/null
+++ b/policy/modules/contrib/rhcs.fc
@@ -0,0 +1,22 @@
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+
+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+
+/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+
+/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
diff --git a/policy/modules/contrib/rhcs.if b/policy/modules/contrib/rhcs.if
new file mode 100644
index 00000000..de37806c
--- /dev/null
+++ b/policy/modules/contrib/rhcs.if
@@ -0,0 +1,355 @@
+## <summary>RHCS - Red Hat Cluster Suite</summary>
+
+#######################################
+## <summary>
+## Creates types and rules for a basic
+## rhcs init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`rhcs_domain_template',`
+ gen_require(`
+ attribute cluster_domain;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_t, cluster_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
+ type $1_var_log_t;
+ logging_log_file($1_var_log_t)
+
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
+
+ manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })
+
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
+
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run dlm_controld.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_dlm_controld',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
+')
+
+#####################################
+## <summary>
+## Connect to dlm_controld over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_dlm_controld',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+')
+
+#####################################
+## <summary>
+## Allow read and write access to dlm_controld semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_dlm_controld_semaphores',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_tmpfs_t;
+ ')
+
+ allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run fenced.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_fenced',`
+ gen_require(`
+ type fenced_t, fenced_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fenced_exec_t, fenced_t)
+')
+
+######################################
+## <summary>
+## Allow read and write access to fenced semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_fenced_semaphores',`
+ gen_require(`
+ type fenced_t, fenced_tmpfs_t;
+ ')
+
+ allow $1 fenced_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
+')
+
+######################################
+## <summary>
+## Connect to fenced over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_fenced',`
+ gen_require(`
+ type fenced_var_run_t, fenced_t;
+ ')
+
+ allow $1 fenced_t:unix_stream_socket connectto;
+ allow $1 fenced_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
+')
+
+#####################################
+## <summary>
+## Execute a domain transition to run gfs_controld.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_gfs_controld',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
+')
+
+####################################
+## <summary>
+## Allow read and write access to gfs_controld semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_gfs_controld_semaphores',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_tmpfs_t;
+ ')
+
+ allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write to gfs_controld_t shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_gfs_controld_shm',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_tmpfs_t;
+ ')
+
+ allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+')
+
+#####################################
+## <summary>
+## Connect to gfs_controld_t over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_gfs_controld',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run groupd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_groupd',`
+ gen_require(`
+ type groupd_t, groupd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, groupd_exec_t, groupd_t)
+')
+
+#####################################
+## <summary>
+## Connect to groupd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_groupd',`
+ gen_require(`
+ type groupd_t, groupd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
+')
+
+#####################################
+## <summary>
+## Allow read and write access to groupd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_groupd_semaphores',`
+ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
+ ')
+
+ allow $1 groupd_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_groupd_shm',`
+ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
+ ')
+
+ allow $1 groupd_t:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run qdiskd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_qdiskd',`
+ gen_require(`
+ type qdiskd_t, qdiskd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
+')
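Review bot: rhcs_stream_connect_fenced (the interface ending just above the gfs_controld section) hand-writes the socket access as `allow $1 fenced_t:unix_stream_socket connectto;` plus `allow $1 fenced_var_run_t:sock_file { getattr write };`, while the sibling interfaces for dlm_controld, gfs_controld and groupd all use the shared helper; replacing those two lines with `stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)` keeps the four interfaces consistent and picks up any future changes to the pattern. The summaries of the rw_*_semaphores and rw_*_shm interfaces say "read and write", but each also grants `destroy` on the sem/shm object and `manage_files_pattern` on the daemon's tmpfs type, which includes create, unlink and rename; the summaries should state this so callers understand the access they are granting, e.g. `## Read, write and destroy dlm_controld semaphores and manage its tmpfs files.` Whether `destroy` is actually needed by the callers is not visible here and is worth confirming before keeping it.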
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
new file mode 100644
index 00000000..93c896a8
--- /dev/null
+++ b/policy/modules/contrib/rhcs.te
@@ -0,0 +1,240 @@
+policy_module(rhcs, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow fenced domain to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(fenced_can_network_connect, false)
+
+attribute cluster_domain;
+
+rhcs_domain_template(dlm_controld)
+
+rhcs_domain_template(fenced)
+
+type fenced_lock_t;
+files_lock_file(fenced_lock_t)
+
+type fenced_tmp_t;
+files_tmp_file(fenced_tmp_t)
+
+rhcs_domain_template(gfs_controld)
+
+rhcs_domain_template(groupd)
+
+rhcs_domain_template(qdiskd)
+
+type qdiskd_var_lib_t;
+files_type(qdiskd_var_lib_t)
+
+#####################################
+#
+# dlm_controld local policy
+#
+
+allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
+
+allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+kernel_read_system_state(dlm_controld_t)
+
+dev_rw_dlm_control(dlm_controld_t)
+dev_rw_sysfs(dlm_controld_t)
+
+fs_manage_configfs_files(dlm_controld_t)
+fs_manage_configfs_dirs(dlm_controld_t)
+
+init_rw_script_tmp_files(dlm_controld_t)
+
+optional_policy(`
+ ccs_stream_connect(dlm_controld_t)
+')
+
+#######################################
+#
+# fenced local policy
+#
+
+allow fenced_t self:capability { sys_rawio sys_resource };
+allow fenced_t self:process getsched;
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
+allow fenced_t self:udp_socket create_socket_perms;
+
+can_exec(fenced_t, fenced_exec_t)
+
+manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
+files_lock_filetrans(fenced_t, fenced_lock_t, file)
+
+manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+
+stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+corecmd_exec_bin(fenced_t)
+
+corenet_tcp_connect_http_port(fenced_t)
+
+dev_read_sysfs(fenced_t)
+dev_read_urand(fenced_t)
+
+files_read_usr_symlinks(fenced_t)
+
+storage_raw_read_fixed_disk(fenced_t)
+storage_raw_write_fixed_disk(fenced_t)
+storage_raw_read_removable_device(fenced_t)
+
+term_getattr_pty_fs(fenced_t)
+term_use_ptmx(fenced_t)
+
+auth_use_nsswitch(fenced_t)
+
+tunable_policy(`fenced_can_network_connect',`
+ corenet_tcp_connect_all_ports(fenced_t)
+')
+
+optional_policy(`
+ ccs_read_config(fenced_t)
+ ccs_stream_connect(fenced_t)
+')
+
+optional_policy(`
+ lvm_domtrans(fenced_t)
+ lvm_read_config(fenced_t)
+')
+
+######################################
+#
+# gfs_controld local policy
+#
+
+allow gfs_controld_t self:capability { net_admin sys_resource };
+
+allow gfs_controld_t self:shm create_shm_perms;
+allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+kernel_read_system_state(gfs_controld_t)
+
+dev_rw_dlm_control(gfs_controld_t)
+dev_setattr_dlm_control(gfs_controld_t)
+dev_rw_sysfs(gfs_controld_t)
+
+storage_getattr_removable_dev(gfs_controld_t)
+
+init_rw_script_tmp_files(gfs_controld_t)
+
+optional_policy(`
+ ccs_stream_connect(gfs_controld_t)
+')
+
+optional_policy(`
+ lvm_exec(gfs_controld_t)
+ dev_rw_lvm_control(gfs_controld_t)
+')
+
+#######################################
+#
+# groupd local policy
+#
+
+allow groupd_t self:capability { sys_nice sys_resource };
+allow groupd_t self:process setsched;
+
+allow groupd_t self:shm create_shm_perms;
+
+dev_list_sysfs(groupd_t)
+
+files_read_etc_files(groupd_t)
+
+init_rw_script_tmp_files(groupd_t)
+
+######################################
+#
+# qdiskd local policy
+#
+
+allow qdiskd_t self:capability ipc_lock;
+
+allow qdiskd_t self:tcp_socket create_stream_socket_perms;
+allow qdiskd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
+
+kernel_read_system_state(qdiskd_t)
+kernel_read_software_raid_state(qdiskd_t)
+kernel_getattr_core_if(qdiskd_t)
+
+corecmd_getattr_bin_files(qdiskd_t)
+corecmd_exec_shell(qdiskd_t)
+
+dev_read_sysfs(qdiskd_t)
+dev_list_all_dev_nodes(qdiskd_t)
+dev_getattr_all_blk_files(qdiskd_t)
+dev_getattr_all_chr_files(qdiskd_t)
+dev_manage_generic_blk_files(qdiskd_t)
+dev_manage_generic_chr_files(qdiskd_t)
+
+domain_dontaudit_getattr_all_pipes(qdiskd_t)
+domain_dontaudit_getattr_all_sockets(qdiskd_t)
+
+files_dontaudit_getattr_all_sockets(qdiskd_t)
+files_dontaudit_getattr_all_pipes(qdiskd_t)
+files_read_etc_files(qdiskd_t)
+
+storage_raw_read_removable_device(qdiskd_t)
+storage_raw_write_removable_device(qdiskd_t)
+storage_raw_read_fixed_disk(qdiskd_t)
+storage_raw_write_fixed_disk(qdiskd_t)
+
+auth_use_nsswitch(qdiskd_t)
+
+optional_policy(`
+ ccs_stream_connect(qdiskd_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(qdiskd_t)
+')
+
+optional_policy(`
+ udev_read_db(qdiskd_t)
+')
+
+#####################################
+#
+# rhcs domains common policy
+#
+
+allow cluster_domain self:capability { sys_nice };
+allow cluster_domain self:process setsched;
+
+allow cluster_domain self:sem create_sem_perms;
+allow cluster_domain self:fifo_file rw_fifo_file_perms;
+allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
+allow cluster_domain self:unix_dgram_socket create_socket_perms;
+
+logging_send_syslog_msg(cluster_domain)
+
+miscfiles_read_localization(cluster_domain)
+
+optional_policy(`
+ corosync_stream_connect(cluster_domain)
+')
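Review bot: In the qdiskd local policy, `dev_manage_generic_blk_files(qdiskd_t)` and `dev_manage_generic_chr_files(qdiskd_t)` let the daemon create and remove generic device nodes, which is well beyond the read/getattr access the surrounding lines grant and is not explained; a one-line comment above them naming the concrete need (for example `# qdiskd creates device nodes for the quorum disk — confirm`) would let a later reviewer decide whether a narrower interface suffices. In the common section, `allow cluster_domain self:capability { sys_nice };` braces a single permission; the rest of the file writes single permissions bare, as in `allow qdiskd_t self:capability ipc_lock;`, so `allow cluster_domain self:capability sys_nice;` matches the file's style.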
diff --git a/policy/modules/contrib/rhgb.fc b/policy/modules/contrib/rhgb.fc
new file mode 100644
index 00000000..9e5d31b5
--- /dev/null
+++ b/policy/modules/contrib/rhgb.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/bin/rhgb -- gen_context(system_u:object_r:rhgb_exec_t,s0)
diff --git a/policy/modules/contrib/rhgb.if b/policy/modules/contrib/rhgb.if
new file mode 100644
index 00000000..96efae7f
--- /dev/null
+++ b/policy/modules/contrib/rhgb.if
@@ -0,0 +1,198 @@
+## <summary> Red Hat Graphical Boot </summary>
+
+########################################
+## <summary>
+## RHGB stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## N/A
+## </summary>
+## </param>
+#
+interface(`rhgb_stub',`
+ gen_require(`
+ type rhgb_t;
+ ')
+')
+
+########################################
+## <summary>
+## Use a rhgb file descriptor.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_use_fds',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:fd use;
+')
+
+########################################
+## <summary>
+## Get the process group of rhgb.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_getpgid',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:process getpgid;
+')
+
+########################################
+## <summary>
+## Send a signal to rhgb.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_signal',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:process signal;
+')
+
+########################################
+## <summary>
+## Read and write to unix stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_rw_stream_sockets',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## rhgb unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rhgb_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ dontaudit $1 rhgb_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Connected to rhgb unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_stream_connect',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Read and write to rhgb shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_rw_shm',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Read from and write to the rhgb devpts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_use_ptys',`
+ gen_require(`
+ type rhgb_devpts_t;
+ ')
+
+ allow $1 rhgb_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## dontaudit Read from and write to the rhgb devpts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rhgb_dontaudit_use_ptys',`
+ gen_require(`
+ type rhgb_devpts_t;
+ ')
+
+ dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Read and write to rhgb temporary file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_rw_tmpfs_files',`
+ gen_require(`
+ type rhgb_tmpfs_t;
+ ')
+
+ allow $1 rhgb_tmpfs_t:file rw_file_perms;
+')
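Review bot: The summary of rhgb_stream_connect reads "Connected to rhgb unix stream socket", which describes a state rather than the access granted; the sibling interfaces use the imperative, so `## Connect to the rhgb unix stream socket.` fits. Likewise the rhgb_dontaudit_use_ptys summary starts with a lowercase "dontaudit Read from and write to"; `## Do not audit attempts to read from and write to the rhgb devpts.` matches the wording already used by rhgb_dontaudit_rw_stream_sockets in this file.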
diff --git a/policy/modules/contrib/rhgb.te b/policy/modules/contrib/rhgb.te
new file mode 100644
index 00000000..0f262a7d
--- /dev/null
+++ b/policy/modules/contrib/rhgb.te
@@ -0,0 +1,142 @@
+policy_module(rhgb, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhgb_t;
+type rhgb_exec_t;
+init_daemon_domain(rhgb_t, rhgb_exec_t)
+
+type rhgb_tmpfs_t;
+files_tmpfs_file(rhgb_tmpfs_t)
+
+type rhgb_devpts_t;
+term_pty(rhgb_devpts_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };
+dontaudit rhgb_t self:capability sys_tty_config;
+allow rhgb_t self:process { setpgid signal_perms };
+allow rhgb_t self:shm create_shm_perms;
+allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
+allow rhgb_t self:fifo_file rw_fifo_file_perms;
+allow rhgb_t self:tcp_socket create_socket_perms;
+allow rhgb_t self:udp_socket create_socket_perms;
+allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(rhgb_t, rhgb_devpts_t)
+
+manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_lnk_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_fifo_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_sock_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+fs_tmpfs_filetrans(rhgb_t, rhgb_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(rhgb_t)
+kernel_read_system_state(rhgb_t)
+
+corecmd_exec_bin(rhgb_t)
+corecmd_exec_shell(rhgb_t)
+
+corenet_all_recvfrom_unlabeled(rhgb_t)
+corenet_all_recvfrom_netlabel(rhgb_t)
+corenet_tcp_sendrecv_generic_if(rhgb_t)
+corenet_udp_sendrecv_generic_if(rhgb_t)
+corenet_tcp_sendrecv_generic_node(rhgb_t)
+corenet_udp_sendrecv_generic_node(rhgb_t)
+corenet_tcp_sendrecv_all_ports(rhgb_t)
+corenet_udp_sendrecv_all_ports(rhgb_t)
+corenet_tcp_connect_all_ports(rhgb_t)
+corenet_sendrecv_all_client_packets(rhgb_t)
+
+dev_read_sysfs(rhgb_t)
+dev_read_urand(rhgb_t)
+
+domain_use_interactive_fds(rhgb_t)
+
+files_read_etc_files(rhgb_t)
+files_read_var_files(rhgb_t)
+files_read_etc_runtime_files(rhgb_t)
+files_search_tmp(rhgb_t)
+files_read_usr_files(rhgb_t)
+files_mounton_mnt(rhgb_t)
+files_dontaudit_rw_root_dir(rhgb_t)
+files_dontaudit_read_default_files(rhgb_t)
+files_dontaudit_search_pids(rhgb_t)
+# for nscd
+files_dontaudit_search_var(rhgb_t)
+
+fs_search_auto_mountpoints(rhgb_t)
+fs_mount_ramfs(rhgb_t)
+fs_unmount_ramfs(rhgb_t)
+fs_getattr_tmpfs(rhgb_t)
+# for ramfs file systems
+fs_manage_ramfs_dirs(rhgb_t)
+fs_manage_ramfs_files(rhgb_t)
+fs_manage_ramfs_pipes(rhgb_t)
+fs_manage_ramfs_sockets(rhgb_t)
+
+selinux_dontaudit_read_fs(rhgb_t)
+
+term_use_unallocated_ttys(rhgb_t)
+term_use_ptmx(rhgb_t)
+term_getattr_pty_fs(rhgb_t)
+
+init_write_initctl(rhgb_t)
+
+# for localization
+libs_read_lib_files(rhgb_t)
+
+logging_send_syslog_msg(rhgb_t)
+
+miscfiles_read_localization(rhgb_t)
+miscfiles_read_fonts(rhgb_t)
+miscfiles_dontaudit_write_fonts(rhgb_t)
+
+seutil_search_default_contexts(rhgb_t)
+seutil_read_config(rhgb_t)
+
+sysnet_read_config(rhgb_t)
+sysnet_domtrans_ifconfig(rhgb_t)
+
+userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
+userdom_dontaudit_search_user_home_content(rhgb_t)
+
+xserver_read_tmp_files(rhgb_t)
+xserver_kill(rhgb_t)
+# for running setxkbmap
+xserver_read_xkb_libs(rhgb_t)
+xserver_domtrans(rhgb_t)
+xserver_signal(rhgb_t)
+xserver_read_xdm_tmp_files(rhgb_t)
+xserver_stream_connect(rhgb_t)
+
+optional_policy(`
+ consoletype_exec(rhgb_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(rhgb_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(rhgb_t)
+')
+
+optional_policy(`
+ udev_read_db(rhgb_t)
+')
+
+ifdef(`TODO',`
+ #this seems a bit much
+ allow domain rhgb_devpts_t:chr_file { read write };
+ allow initrc_t rhgb_gph_t:fd use;
+')
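Review bot: In the rhgb local policy, `allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };` is immediately followed by `dontaudit rhgb_t self:capability sys_tty_config;`, but a dontaudit only affects denials, so once sys_tty_config is allowed the dontaudit line never has an effect; one of the two should go, and which one depends on whether rhgb actually needs the capability or merely probes for it. The trailing `ifdef(`TODO',` block is never compiled and references `rhgb_gph_t`, a type this module does not declare (the declarations section defines only rhgb_t, rhgb_exec_t, rhgb_tmpfs_t and rhgb_devpts_t), as well as a blanket `allow domain rhgb_devpts_t:chr_file { read write };`; shipping dead rules like this misleads readers about intended access, so the block should be removed or replaced by a comment describing the open question.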
diff --git a/policy/modules/contrib/rhsmcertd.fc b/policy/modules/contrib/rhsmcertd.fc
new file mode 100644
index 00000000..c7add8bf
--- /dev/null
+++ b/policy/modules/contrib/rhsmcertd.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_initrc_exec_t,s0)
+
+/usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
+
+/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
+
+/var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0)
+
+/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0)
+
+/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
diff --git a/policy/modules/contrib/rhsmcertd.if b/policy/modules/contrib/rhsmcertd.if
new file mode 100644
index 00000000..137605a2
--- /dev/null
+++ b/policy/modules/contrib/rhsmcertd.if
@@ -0,0 +1,296 @@
+## <summary>Subscription Management Certificate Daemon policy</summary>
+
+########################################
+## <summary>
+## Transition to rhsmcertd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_domtrans',`
+ gen_require(`
+ type rhsmcertd_t, rhsmcertd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t)
+')
+
+########################################
+## <summary>
+## Execute rhsmcertd server in the rhsmcertd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_initrc_domtrans',`
+ gen_require(`
+ type rhsmcertd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read rhsmcertd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhsmcertd_read_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Append to rhsmcertd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_append_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Manage rhsmcertd log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+ manage_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+ manage_lnk_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Search rhsmcertd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_search_lib',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read rhsmcertd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_read_lib_files',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage rhsmcertd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_lib_files',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage rhsmcertd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_lib_dirs',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read rhsmcertd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_read_pid_files',`
+ gen_require(`
+ type rhsmcertd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 rhsmcertd_var_run_t:file read_file_perms;
+')
+
+####################################
+## <summary>
+## Connect to rhsmcertd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_stream_connect',`
+ gen_require(`
+ type rhsmcertd_t, rhsmcertd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t, rhsmcertd_t)
+')
+
+#######################################
+## <summary>
+## Send and receive messages from
+## rhsmcertd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_dbus_chat',`
+ gen_require(`
+ type rhsmcertd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rhsmcertd_t:dbus send_msg;
+ allow rhsmcertd_t $1:dbus send_msg;
+')
+
+######################################
+## <summary>
+## Dontaudit Send and receive messages from
+## rhsmcertd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_dontaudit_dbus_chat',`
+ gen_require(`
+ type rhsmcertd_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 rhsmcertd_t:dbus send_msg;
+ dontaudit rhsmcertd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rhsmcertd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhsmcertd_admin',`
+ gen_require(`
+ type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t;
+ type rhsmcertd_var_lib_t, rhsmcertd_var_run_t;
+ ')
+
+ allow $1 rhsmcertd_t:process signal_perms;
+ ps_process_pattern($1, rhsmcertd_t)
+
+ rhsmcertd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 rhsmcertd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, rhsmcertd_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, rhsmcertd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rhsmcertd_var_run_t)
+')
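Review bot: The rhsmcertd_dontaudit_dbus_chat parameter summary says "Domain allowed access", but the interface grants nothing, it only suppresses audit messages; the rhgb.if hunk in this same commit uses `## Domain to not audit.` for its dontaudit interfaces and the same wording belongs here. The rhsmcertd_initrc_domtrans summary, "Execute rhsmcertd server in the rhsmcertd domain", describes rhsmcertd_domtrans rather than this interface, which calls init_labeled_script_domtrans on the init script type; `## Execute rhsmcertd init scripts in the initrc domain.` states what the rule actually does. As a point of style, rhsmcertd_read_pid_files writes `allow $1 rhsmcertd_var_run_t:file read_file_perms;` by hand while every other accessor in the file uses the *_pattern helpers; `read_files_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t)` would be consistent.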
diff --git a/policy/modules/contrib/rhsmcertd.te b/policy/modules/contrib/rhsmcertd.te
new file mode 100644
index 00000000..783f6788
--- /dev/null
+++ b/policy/modules/contrib/rhsmcertd.te
@@ -0,0 +1,59 @@
+policy_module(rhsmcertd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhsmcertd_t;
+type rhsmcertd_exec_t;
+init_daemon_domain(rhsmcertd_t, rhsmcertd_exec_t)
+
+type rhsmcertd_initrc_exec_t;
+init_script_file(rhsmcertd_initrc_exec_t)
+
+type rhsmcertd_log_t;
+logging_log_file(rhsmcertd_log_t)
+
+type rhsmcertd_lock_t;
+files_lock_file(rhsmcertd_lock_t)
+
+type rhsmcertd_var_lib_t;
+files_type(rhsmcertd_var_lib_t)
+
+type rhsmcertd_var_run_t;
+files_pid_file(rhsmcertd_var_run_t)
+
+########################################
+#
+# rhsmcertd local policy
+#
+
+allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
+allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+
+manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
+files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+
+kernel_read_system_state(rhsmcertd_t)
+
+corecmd_exec_bin(rhsmcertd_t)
+
+dev_read_urand(rhsmcertd_t)
+
+files_read_etc_files(rhsmcertd_t)
+files_read_usr_files(rhsmcertd_t)
+
+miscfiles_read_localization(rhsmcertd_t)
+miscfiles_read_generic_certs(rhsmcertd_t)
+
+sysnet_dns_name_resolve(rhsmcertd_t)
diff --git a/policy/modules/contrib/ricci.fc b/policy/modules/contrib/ricci.fc
new file mode 100644
index 00000000..5b08327f
--- /dev/null
+++ b/policy/modules/contrib/ricci.fc
@@ -0,0 +1,16 @@
+/usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
+/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
+/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
+/usr/libexec/ricci-modservice -- gen_context(system_u:object_r:ricci_modservice_exec_t,s0)
+/usr/libexec/ricci-modstorage -- gen_context(system_u:object_r:ricci_modstorage_exec_t,s0)
+
+/usr/sbin/modclusterd -- gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0)
+/usr/sbin/ricci -- gen_context(system_u:object_r:ricci_exec_t,s0)
+
+/var/lib/ricci(/.*)? gen_context(system_u:object_r:ricci_var_lib_t,s0)
+
+/var/log/clumond\.log -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
+
+/var/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+/var/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+/var/run/ricci\.pid -- gen_context(system_u:object_r:ricci_var_run_t,s0)
diff --git a/policy/modules/contrib/ricci.if b/policy/modules/contrib/ricci.if
new file mode 100644
index 00000000..f7826f94
--- /dev/null
+++ b/policy/modules/contrib/ricci.if
@@ -0,0 +1,167 @@
+## <summary>Ricci cluster management agent</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans',`
+ gen_require(`
+ type ricci_t, ricci_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_exec_t, ricci_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modcluster.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modcluster',`
+ gen_require(`
+ type ricci_modcluster_t, ricci_modcluster_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## ricci_modcluster file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ricci_dontaudit_use_modcluster_fds',`
+ gen_require(`
+ type ricci_modcluster_t;
+ ')
+
+ dontaudit $1 ricci_modcluster_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read write
+## ricci_modcluster unamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ricci_dontaudit_rw_modcluster_pipes',`
+ gen_require(`
+ type ricci_modcluster_t;
+ ')
+
+ dontaudit $1 ricci_modcluster_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Connect to ricci_modclusterd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ricci_stream_connect_modclusterd',`
+ gen_require(`
+ type ricci_modclusterd_t, ricci_modcluster_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ricci_modcluster_var_run_t:sock_file write;
+ allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modlog.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modlog',`
+ gen_require(`
+ type ricci_modlog_t, ricci_modlog_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modrpm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modrpm',`
+ gen_require(`
+ type ricci_modrpm_t, ricci_modrpm_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modservice.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modservice',`
+ gen_require(`
+ type ricci_modservice_t, ricci_modservice_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modstorage.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modstorage',`
+ gen_require(`
+ type ricci_modstorage_t, ricci_modstorage_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
+')
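Review bot: `ricci_stream_connect_modclusterd` spells out the socket-connect rules by hand (`allow $1 ricci_modcluster_var_run_t:sock_file write;` plus `allow $1 ricci_modclusterd_t:unix_stream_socket connectto;`) where the refpolicy idiom is the single `stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)` after `files_search_pids($1)`; the pattern also grants directory search on the labeled type, so it keeps working if the socket is ever moved into a ricci_modcluster_var_run_t directory rather than sitting directly under /var/run as ricci.fc currently places it. Two wording fixes in the doc blocks of the same hunk: `ricci_dontaudit_rw_modcluster_pipes` says `unamed pipes` (should be `unnamed pipes`), and `ricci_stream_connect_modclusterd` says `an unix stream socket` (should be `a unix stream socket`).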
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
new file mode 100644
index 00000000..33e72e80
--- /dev/null
+++ b/policy/modules/contrib/ricci.te
@@ -0,0 +1,488 @@
+policy_module(ricci, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type ricci_t;
+type ricci_exec_t;
+domain_type(ricci_t)
+init_daemon_domain(ricci_t, ricci_exec_t)
+
+type ricci_tmp_t;
+files_tmp_file(ricci_tmp_t)
+
+type ricci_var_lib_t;
+files_type(ricci_var_lib_t)
+
+type ricci_var_log_t;
+logging_log_file(ricci_var_log_t)
+
+type ricci_var_run_t;
+files_pid_file(ricci_var_run_t)
+
+type ricci_modcluster_t;
+type ricci_modcluster_exec_t;
+domain_type(ricci_modcluster_t)
+domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
+role system_r types ricci_modcluster_t;
+
+type ricci_modcluster_var_lib_t;
+files_type(ricci_modcluster_var_lib_t)
+
+type ricci_modcluster_var_log_t;
+logging_log_file(ricci_modcluster_var_log_t)
+
+type ricci_modcluster_var_run_t;
+files_pid_file(ricci_modcluster_var_run_t)
+
+type ricci_modclusterd_t;
+type ricci_modclusterd_exec_t;
+domain_type(ricci_modclusterd_t)
+init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
+
+type ricci_modlog_t;
+type ricci_modlog_exec_t;
+domain_type(ricci_modlog_t)
+domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t)
+role system_r types ricci_modlog_t;
+
+type ricci_modrpm_t;
+type ricci_modrpm_exec_t;
+domain_type(ricci_modrpm_t)
+domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t)
+role system_r types ricci_modrpm_t;
+
+type ricci_modservice_t;
+type ricci_modservice_exec_t;
+domain_type(ricci_modservice_t)
+domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t)
+role system_r types ricci_modservice_t;
+
+type ricci_modstorage_t;
+type ricci_modstorage_exec_t;
+domain_type(ricci_modstorage_t)
+domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t)
+role system_r types ricci_modstorage_t;
+
+type ricci_modstorage_lock_t;
+files_lock_file(ricci_modstorage_lock_t)
+
+########################################
+#
+# ricci local policy
+#
+
+allow ricci_t self:capability { setuid sys_nice sys_boot };
+allow ricci_t self:process setsched;
+allow ricci_t self:fifo_file rw_fifo_file_perms;
+allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow ricci_t self:tcp_socket create_stream_socket_perms;
+
+domain_auto_trans(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t)
+domain_auto_trans(ricci_t, ricci_modlog_exec_t, ricci_modlog_t)
+domain_auto_trans(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t)
+domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t)
+domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t)
+
+manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
+manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
+files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
+
+manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
+manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
+manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
+files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
+
+allow ricci_t ricci_var_log_t:dir setattr;
+manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
+manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
+logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
+
+manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
+manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
+files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(ricci_t)
+
+corecmd_exec_bin(ricci_t)
+
+corenet_all_recvfrom_unlabeled(ricci_t)
+corenet_all_recvfrom_netlabel(ricci_t)
+corenet_tcp_sendrecv_generic_if(ricci_t)
+corenet_tcp_sendrecv_generic_node(ricci_t)
+corenet_tcp_sendrecv_all_ports(ricci_t)
+corenet_tcp_bind_generic_node(ricci_t)
+corenet_udp_bind_generic_node(ricci_t)
+corenet_tcp_bind_ricci_port(ricci_t)
+corenet_udp_bind_ricci_port(ricci_t)
+corenet_tcp_connect_http_port(ricci_t)
+
+dev_read_urand(ricci_t)
+
+domain_read_all_domains_state(ricci_t)
+
+files_read_etc_files(ricci_t)
+files_read_etc_runtime_files(ricci_t)
+files_create_boot_flag(ricci_t)
+
+auth_domtrans_chk_passwd(ricci_t)
+auth_append_login_records(ricci_t)
+
+init_stream_connect_script(ricci_t)
+
+locallogin_dontaudit_use_fds(ricci_t)
+
+logging_send_syslog_msg(ricci_t)
+
+miscfiles_read_localization(ricci_t)
+
+sysnet_dns_name_resolve(ricci_t)
+
+optional_policy(`
+ ccs_read_config(ricci_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(ricci_t)
+
+ oddjob_dbus_chat(ricci_t)
+')
+
+optional_policy(`
+ # Needed so oddjob can run halt/reboot on behalf of ricci
+ corecmd_bin_entry_type(ricci_t)
+ term_dontaudit_search_ptys(ricci_t)
+ init_exec(ricci_t)
+ init_telinit(ricci_t)
+ init_rw_utmp(ricci_t)
+
+ oddjob_system_entry(ricci_t, ricci_exec_t)
+')
+
+optional_policy(`
+ rpm_use_script_fds(ricci_t)
+')
+
+optional_policy(`
+ sasl_connect(ricci_t)
+')
+
+optional_policy(`
+ unconfined_use_fds(ricci_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(ricci_t)
+')
+
+########################################
+#
+# ricci_modcluster local policy
+#
+
+allow ricci_modcluster_t self:capability { net_bind_service sys_nice };
+allow ricci_modcluster_t self:process setsched;
+allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_kernel_sysctls(ricci_modcluster_t)
+kernel_read_system_state(ricci_modcluster_t)
+
+corecmd_exec_shell(ricci_modcluster_t)
+corecmd_exec_bin(ricci_modcluster_t)
+
+corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
+corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
+
+domain_read_all_domains_state(ricci_modcluster_t)
+
+files_search_locks(ricci_modcluster_t)
+files_read_etc_runtime_files(ricci_modcluster_t)
+files_read_etc_files(ricci_modcluster_t)
+files_search_usr(ricci_modcluster_t)
+
+init_exec(ricci_modcluster_t)
+init_domtrans_script(ricci_modcluster_t)
+
+logging_send_syslog_msg(ricci_modcluster_t)
+
+miscfiles_read_localization(ricci_modcluster_t)
+
+modutils_domtrans_insmod(ricci_modcluster_t)
+
+mount_domtrans(ricci_modcluster_t)
+
+consoletype_exec(ricci_modcluster_t)
+
+ricci_stream_connect_modclusterd(ricci_modcluster_t)
+
+optional_policy(`
+ aisexec_stream_connect(ricci_modcluster_t)
+ corosync_stream_connect(ricci_modcluster_t)
+')
+
+optional_policy(`
+ ccs_stream_connect(ricci_modcluster_t)
+ ccs_domtrans(ricci_modcluster_t)
+ ccs_manage_config(ricci_modcluster_t)
+')
+
+optional_policy(`
+ lvm_domtrans(ricci_modcluster_t)
+')
+
+optional_policy(`
+ nscd_socket_use(ricci_modcluster_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
+')
+
+optional_policy(`
+ # XXX This has got to go.
+ unconfined_domain(ricci_modcluster_t)
+')
+
+########################################
+#
+# ricci_modclusterd local policy
+#
+
+allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
+allow ricci_modclusterd_t self:process { signal sigkill setsched };
+allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
+allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
+allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
+# cjp: this needs to be fixed for a specific socket type:
+allow ricci_modclusterd_t self:socket create_socket_perms;
+
+allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
+allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
+
+allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
+manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
+manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
+logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir })
+
+manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
+manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
+files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(ricci_modclusterd_t)
+kernel_read_system_state(ricci_modclusterd_t)
+
+corecmd_exec_bin(ricci_modclusterd_t)
+
+corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t)
+corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t)
+corenet_tcp_bind_generic_node(ricci_modclusterd_t)
+corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
+corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
+
+domain_read_all_domains_state(ricci_modclusterd_t)
+
+files_read_etc_files(ricci_modclusterd_t)
+files_read_etc_runtime_files(ricci_modclusterd_t)
+
+fs_getattr_xattr_fs(ricci_modclusterd_t)
+
+auth_use_nsswitch(ricci_modclusterd_t)
+
+init_stream_connect_script(ricci_modclusterd_t)
+
+locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+
+logging_send_syslog_msg(ricci_modclusterd_t)
+
+miscfiles_read_localization(ricci_modclusterd_t)
+
+sysnet_domtrans_ifconfig(ricci_modclusterd_t)
+
+optional_policy(`
+ aisexec_stream_connect(ricci_modclusterd_t)
+ corosync_stream_connect(ricci_modclusterd_t)
+')
+
+optional_policy(`
+ ccs_domtrans(ricci_modclusterd_t)
+ ccs_stream_connect(ricci_modclusterd_t)
+ ccs_read_config(ricci_modclusterd_t)
+')
+
+optional_policy(`
+ rgmanager_stream_connect(ricci_modclusterd_t)
+')
+
+optional_policy(`
+ unconfined_use_fds(ricci_modclusterd_t)
+')
+
+########################################
+#
+# ricci_modlog local policy
+#
+
+allow ricci_modlog_t self:capability sys_nice;
+allow ricci_modlog_t self:process setsched;
+
+kernel_read_kernel_sysctls(ricci_modlog_t)
+kernel_read_system_state(ricci_modlog_t)
+
+corecmd_exec_bin(ricci_modlog_t)
+
+domain_read_all_domains_state(ricci_modlog_t)
+
+files_read_etc_files(ricci_modlog_t)
+files_search_usr(ricci_modlog_t)
+
+logging_read_generic_logs(ricci_modlog_t)
+
+miscfiles_read_localization(ricci_modlog_t)
+
+optional_policy(`
+ nscd_dontaudit_search_pid(ricci_modlog_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t)
+')
+
+########################################
+#
+# ricci_modrpm local policy
+#
+
+allow ricci_modrpm_t self:fifo_file read_fifo_file_perms;
+
+kernel_read_kernel_sysctls(ricci_modrpm_t)
+
+corecmd_exec_bin(ricci_modrpm_t)
+
+files_search_usr(ricci_modrpm_t)
+files_read_etc_files(ricci_modrpm_t)
+
+miscfiles_read_localization(ricci_modrpm_t)
+
+optional_policy(`
+ oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
+')
+
+optional_policy(`
+ rpm_domtrans(ricci_modrpm_t)
+')
+
+########################################
+#
+# ricci_modservice local policy
+#
+
+allow ricci_modservice_t self:capability { dac_override sys_nice };
+allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
+allow ricci_modservice_t self:process setsched;
+
+kernel_read_kernel_sysctls(ricci_modservice_t)
+kernel_read_system_state(ricci_modservice_t)
+
+corecmd_exec_bin(ricci_modservice_t)
+corecmd_exec_shell(ricci_modservice_t)
+
+files_read_etc_files(ricci_modservice_t)
+files_read_etc_runtime_files(ricci_modservice_t)
+files_search_usr(ricci_modservice_t)
+# Needed for running chkconfig
+files_manage_etc_symlinks(ricci_modservice_t)
+
+consoletype_exec(ricci_modservice_t)
+
+init_domtrans_script(ricci_modservice_t)
+
+miscfiles_read_localization(ricci_modservice_t)
+
+optional_policy(`
+ ccs_read_config(ricci_modservice_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(ricci_modservice_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t)
+')
+
+########################################
+#
+# ricci_modstorage local policy
+#
+
+allow ricci_modstorage_t self:process { setsched signal };
+dontaudit ricci_modstorage_t self:process ptrace;
+allow ricci_modstorage_t self:capability { mknod sys_nice };
+allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
+allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(ricci_modstorage_t)
+kernel_read_system_state(ricci_modstorage_t)
+
+create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
+files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)
+
+corecmd_exec_shell(ricci_modstorage_t)
+corecmd_exec_bin(ricci_modstorage_t)
+
+dev_read_sysfs(ricci_modstorage_t)
+dev_read_urand(ricci_modstorage_t)
+dev_manage_generic_blk_files(ricci_modstorage_t)
+
+domain_read_all_domains_state(ricci_modstorage_t)
+
+#Needed for editing /etc/fstab
+files_manage_etc_files(ricci_modstorage_t)
+files_read_etc_runtime_files(ricci_modstorage_t)
+files_read_usr_files(ricci_modstorage_t)
+files_read_kernel_modules(ricci_modstorage_t)
+
+storage_raw_read_fixed_disk(ricci_modstorage_t)
+
+term_dontaudit_use_console(ricci_modstorage_t)
+
+fstools_domtrans(ricci_modstorage_t)
+
+logging_send_syslog_msg(ricci_modstorage_t)
+
+miscfiles_read_localization(ricci_modstorage_t)
+
+modutils_read_module_deps(ricci_modstorage_t)
+
+consoletype_exec(ricci_modstorage_t)
+
+mount_domtrans(ricci_modstorage_t)
+
+optional_policy(`
+ aisexec_stream_connect(ricci_modstorage_t)
+ corosync_stream_connect(ricci_modstorage_t)
+')
+
+optional_policy(`
+ ccs_stream_connect(ricci_modstorage_t)
+ ccs_read_config(ricci_modstorage_t)
+')
+
+optional_policy(`
+ lvm_domtrans(ricci_modstorage_t)
+ lvm_manage_config(ricci_modstorage_t)
+')
+
+optional_policy(`
+ nscd_socket_use(ricci_modstorage_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(ricci_modstorage_t)
+')
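Review bot: `unconfined_domain(ricci_modcluster_t)` at the end of the ricci_modcluster section makes that domain fully unconfined whenever the unconfined module is loaded, which renders the carefully scoped rules above it moot and, through `domain_auto_trans(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t)`, gives the network-facing ricci_t (it binds the ricci port) an unconfined hop; the author's own `# XXX This has got to go.` agrees, so the commit should at least record which concrete accesses are still missing, e.g. `# TODO: replace with the specific rules modcluster needs; tracked in <bug-id placeholder>`, rather than import the blanket grant silently. Separately, `corenet_tcp_bind_cluster_port(ricci_modclusterd_t)` and `corenet_tcp_bind_reserved_port(ricci_modclusterd_t)` sit inside the ricci_modcluster section but target ricci_modclusterd_t, so they belong under the `# ricci_modclusterd local policy` header below. Finally, `ricci_modcluster_var_lib_t` is declared with `files_type` but no rule in this file references it, and the ricci.fc hunk above labels only ricci_var_lib_t; unless another module uses it (not visible here) it is a dead declaration.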
diff --git a/policy/modules/contrib/rlogin.fc b/policy/modules/contrib/rlogin.fc
new file mode 100644
index 00000000..27853373
--- /dev/null
+++ b/policy/modules/contrib/rlogin.fc
@@ -0,0 +1,7 @@
+HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+
+/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+/usr/lib(64)?/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+/usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
diff --git a/policy/modules/contrib/rlogin.if b/policy/modules/contrib/rlogin.if
new file mode 100644
index 00000000..63e78c60
--- /dev/null
+++ b/policy/modules/contrib/rlogin.if
@@ -0,0 +1,47 @@
+## <summary>Remote login daemon</summary>
+
+########################################
+## <summary>
+## Execute rlogind in the rlogin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rlogin_domtrans',`
+ gen_require(`
+ type rlogind_t, rlogind_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rlogind_exec_t, rlogind_t)
+')
+
+########################################
+## <summary>
+## read rlogin homedir content (.config)
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`rlogin_read_home_content',`
+ gen_require(`
+ type rlogind_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ list_dirs_pattern($1, rlogind_home_t, rlogind_home_t)
+ read_files_pattern($1, rlogind_home_t, rlogind_home_t)
+ read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t)
+')
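Review bot: The doc block for `rlogin_read_home_content` declares two parameters (`userdomain_prefix` and `user_domain`) but the body only uses `$1` as the accessing domain, so the documentation does not match what the template accepts, and the one call site in rlogin.te (`rlogin_read_home_content(rlogind_t)`) indeed passes a single argument. Either drop the `userdomain_prefix` block and describe the remaining parameter as `Domain allowed access.`, or, if a prefix is genuinely intended, use it in the body. The summary `read rlogin homedir content (.config)` also names the wrong file: the rlogin.fc hunk above labels `HOME_DIR/\.rlogin` as rlogind_home_t, so `(.rlogin)` would be accurate.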
diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
new file mode 100644
index 00000000..779fa445
--- /dev/null
+++ b/policy/modules/contrib/rlogin.te
@@ -0,0 +1,116 @@
+policy_module(rlogin, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type rlogind_t;
+type rlogind_exec_t;
+inetd_service_domain(rlogind_t, rlogind_exec_t)
+role system_r types rlogind_t;
+
+type rlogind_devpts_t; #, userpty_type;
+term_login_pty(rlogind_devpts_t)
+
+type rlogind_home_t;
+userdom_user_home_content(rlogind_home_t)
+
+type rlogind_tmp_t;
+files_tmp_file(rlogind_tmp_t)
+
+type rlogind_var_run_t;
+files_pid_file(rlogind_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow rlogind_t self:process signal_perms;
+allow rlogind_t self:fifo_file rw_fifo_file_perms;
+allow rlogind_t self:tcp_socket connected_stream_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow rlogind_t self:capability { setuid setgid };
+
+allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(rlogind_t, rlogind_devpts_t)
+
+# for /usr/lib/telnetlogin
+can_exec(rlogind_t, rlogind_exec_t)
+
+manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
+
+manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
+files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
+
+kernel_read_kernel_sysctls(rlogind_t)
+kernel_read_system_state(rlogind_t)
+kernel_read_network_state(rlogind_t)
+
+corenet_all_recvfrom_unlabeled(rlogind_t)
+corenet_all_recvfrom_netlabel(rlogind_t)
+corenet_tcp_sendrecv_generic_if(rlogind_t)
+corenet_udp_sendrecv_generic_if(rlogind_t)
+corenet_tcp_sendrecv_generic_node(rlogind_t)
+corenet_udp_sendrecv_generic_node(rlogind_t)
+corenet_tcp_sendrecv_all_ports(rlogind_t)
+corenet_udp_sendrecv_all_ports(rlogind_t)
+
+dev_read_urand(rlogind_t)
+
+domain_interactive_fd(rlogind_t)
+
+fs_getattr_xattr_fs(rlogind_t)
+fs_search_auto_mountpoints(rlogind_t)
+
+auth_domtrans_chk_passwd(rlogind_t)
+auth_rw_login_records(rlogind_t)
+auth_use_nsswitch(rlogind_t)
+
+files_read_etc_files(rlogind_t)
+files_read_etc_runtime_files(rlogind_t)
+files_search_home(rlogind_t)
+files_search_default(rlogind_t)
+
+init_rw_utmp(rlogind_t)
+
+logging_send_syslog_msg(rlogind_t)
+
+miscfiles_read_localization(rlogind_t)
+
+seutil_read_config(rlogind_t)
+
+userdom_setattr_user_ptys(rlogind_t)
+# cjp: this is egregious
+userdom_read_user_home_content_files(rlogind_t)
+
+remotelogin_domtrans(rlogind_t)
+remotelogin_signal(rlogind_t)
+
+rlogin_read_home_content(rlogind_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(rlogind_t)
+ fs_read_nfs_files(rlogind_t)
+ fs_read_nfs_symlinks(rlogind_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(rlogind_t)
+ fs_read_cifs_files(rlogind_t)
+ fs_read_cifs_symlinks(rlogind_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(rlogind, rlogind_t)
+ kerberos_manage_host_rcache(rlogind_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
+')
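Review bot: `allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };` and, six lines later, `allow rlogind_t self:capability { setuid setgid };` split one permission set across two rules, which makes the daemon's full capability grant harder to audit at a glance; merge them into `allow rlogind_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };`. The declaration `type rlogind_devpts_t; #, userpty_type;` carries a commented-out attribute fragment that should be either restored or removed rather than imported as dead text. The `# cjp: this is egregious` marker on `userdom_read_user_home_content_files(rlogind_t)` is likewise brought in unchanged; since `rlogin_read_home_content(rlogind_t)` already covers the `.rlogin` file, the comment should say which other home files the daemon still needs, or the broad rule should be revisited.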
diff --git a/policy/modules/contrib/roundup.fc b/policy/modules/contrib/roundup.fc
new file mode 100644
index 00000000..e4110e6e
--- /dev/null
+++ b/policy/modules/contrib/roundup.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/roundup -- gen_context(system_u:object_r:roundup_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/roundup-server -- gen_context(system_u:object_r:roundup_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0)
diff --git a/policy/modules/contrib/roundup.if b/policy/modules/contrib/roundup.if
new file mode 100644
index 00000000..30c4b756
--- /dev/null
+++ b/policy/modules/contrib/roundup.if
@@ -0,0 +1,39 @@
+## <summary>Roundup Issue Tracking System policy</summary>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an roundup environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the roundup domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`roundup_admin',`
+ gen_require(`
+ type roundup_t, roundup_var_lib_t, roundup_var_run_t;
+ type roundup_initrc_exec_t;
+ ')
+
+ allow $1 roundup_t:process { ptrace signal_perms };
+ ps_process_pattern($1, roundup_t)
+
+ init_labeled_script_domtrans($1, roundup_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 roundup_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, roundup_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, roundup_var_run_t)
+')
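Review bot: The summary of `roundup_admin` reads `an roundup environment`; the article should be `a roundup environment`. The line `allow $1 roundup_t:process { ptrace signal_perms };` is the conventional refpolicy admin grant, but because it lets the admin domain read the memory of a network-facing service it is worth a short comment such as `# ptrace lets the admin role inspect/debug the running daemon`, so later readers do not mistake it for an accident.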
diff --git a/policy/modules/contrib/roundup.te b/policy/modules/contrib/roundup.te
new file mode 100644
index 00000000..57f839f4
--- /dev/null
+++ b/policy/modules/contrib/roundup.te
@@ -0,0 +1,96 @@
+policy_module(roundup, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type roundup_t;
+type roundup_exec_t;
+init_daemon_domain(roundup_t, roundup_exec_t)
+
+type roundup_initrc_exec_t;
+init_script_file(roundup_initrc_exec_t)
+
+type roundup_var_run_t;
+files_pid_file(roundup_var_run_t)
+
+type roundup_var_lib_t;
+files_type(roundup_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow roundup_t self:capability { setgid setuid };
+dontaudit roundup_t self:capability sys_tty_config;
+allow roundup_t self:process signal_perms;
+allow roundup_t self:unix_stream_socket create_stream_socket_perms;
+allow roundup_t self:tcp_socket create_stream_socket_perms;
+allow roundup_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(roundup_t, roundup_var_lib_t, roundup_var_lib_t)
+files_var_lib_filetrans(roundup_t, roundup_var_lib_t, file)
+
+manage_files_pattern(roundup_t, roundup_var_run_t, roundup_var_run_t)
+files_pid_filetrans(roundup_t, roundup_var_run_t, file)
+
+kernel_read_kernel_sysctls(roundup_t)
+kernel_list_proc(roundup_t)
+kernel_read_proc_symlinks(roundup_t)
+
+dev_read_sysfs(roundup_t)
+
+# execute python
+corecmd_exec_bin(roundup_t)
+
+corenet_all_recvfrom_unlabeled(roundup_t)
+corenet_all_recvfrom_netlabel(roundup_t)
+corenet_tcp_sendrecv_generic_if(roundup_t)
+corenet_udp_sendrecv_generic_if(roundup_t)
+corenet_raw_sendrecv_generic_if(roundup_t)
+corenet_tcp_sendrecv_generic_node(roundup_t)
+corenet_udp_sendrecv_generic_node(roundup_t)
+corenet_raw_sendrecv_generic_node(roundup_t)
+corenet_tcp_sendrecv_all_ports(roundup_t)
+corenet_udp_sendrecv_all_ports(roundup_t)
+corenet_tcp_bind_generic_node(roundup_t)
+corenet_tcp_bind_http_cache_port(roundup_t)
+corenet_tcp_connect_smtp_port(roundup_t)
+corenet_sendrecv_http_cache_server_packets(roundup_t)
+corenet_sendrecv_smtp_client_packets(roundup_t)
+
+# /usr/share/mysql/charsets/Index.xml
+dev_read_urand(roundup_t)
+
+domain_use_interactive_fds(roundup_t)
+
+# /usr/share/mysql/charsets/Index.xml
+files_read_usr_files(roundup_t)
+files_read_etc_files(roundup_t)
+
+fs_getattr_all_fs(roundup_t)
+fs_search_auto_mountpoints(roundup_t)
+
+logging_send_syslog_msg(roundup_t)
+
+miscfiles_read_localization(roundup_t)
+
+sysnet_read_config(roundup_t)
+
+userdom_dontaudit_use_unpriv_user_fds(roundup_t)
+userdom_dontaudit_search_user_home_dirs(roundup_t)
+
+optional_policy(`
+ mysql_stream_connect(roundup_t)
+ mysql_search_db(roundup_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(roundup_t)
+')
+
+optional_policy(`
+ udev_read_db(roundup_t)
+')
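Review bot: The comment `# /usr/share/mysql/charsets/Index.xml` appears twice, once above `dev_read_urand(roundup_t)` and again above `files_read_usr_files(roundup_t)`; the first copy explains nothing about the random-device read and looks like a paste slip, so drop it or replace it with the actual reason urandom is needed. `roundup_var_run_t` is also declared before `roundup_var_lib_t`, whereas the other modules in this commit (rhsmcertd.te, ricci.te) declare var_lib before var_run; swapping the two declaration blocks keeps the files consistent.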
diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
new file mode 100644
index 00000000..5c70c0cc
--- /dev/null
+++ b/policy/modules/contrib/rpc.fc
@@ -0,0 +1,31 @@
+#
+# /etc
+#
+/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
+/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+
+#
+# /sbin
+#
+/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
+
+/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
new file mode 100644
index 00000000..f92551df
--- /dev/null
+++ b/policy/modules/contrib/rpc.if
@@ -0,0 +1,436 @@
+## <summary>Remote Procedure Call Daemon for managment of network based process communication</summary>
+
+########################################
+## <summary>
+## RPC stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_stub',`
+ gen_require(`
+ type exports_t;
+ ')
+')
+
+#######################################
+## <summary>
+## The template to define a rpc domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a domain to be used for
+## a new rpc daemon.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The type of daemon to be used.
+## </summary>
+## </param>
+#
+template(`rpc_domain_template', `
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+ domain_use_interactive_fds($1_t)
+
+ ####################################
+ #
+ # Local Policy
+ #
+
+ dontaudit $1_t self:capability { net_admin sys_tty_config };
+ allow $1_t self:capability net_bind_service;
+ allow $1_t self:process signal_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+
+ manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
+ manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
+
+ kernel_list_proc($1_t)
+ kernel_read_proc_symlinks($1_t)
+ kernel_read_kernel_sysctls($1_t)
+ # bind to arbitary unused ports
+ kernel_rw_rpc_sysctls($1_t)
+
+ dev_read_sysfs($1_t)
+ dev_read_urand($1_t)
+ dev_read_rand($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_udp_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_generic_node($1_t)
+ corenet_udp_sendrecv_generic_node($1_t)
+ corenet_tcp_sendrecv_all_ports($1_t)
+ corenet_udp_sendrecv_all_ports($1_t)
+ corenet_tcp_bind_generic_node($1_t)
+ corenet_udp_bind_generic_node($1_t)
+ corenet_tcp_bind_reserved_port($1_t)
+ corenet_tcp_connect_all_ports($1_t)
+ corenet_sendrecv_portmap_client_packets($1_t)
+ # do not log when it tries to bind to a port belonging to another domain
+ corenet_dontaudit_tcp_bind_all_ports($1_t)
+ corenet_dontaudit_udp_bind_all_ports($1_t)
+ # bind to arbitary unused ports
+ corenet_tcp_bind_generic_port($1_t)
+ corenet_udp_bind_generic_port($1_t)
+ corenet_tcp_bind_all_rpc_ports($1_t)
+ corenet_udp_bind_all_rpc_ports($1_t)
+ corenet_sendrecv_generic_server_packets($1_t)
+
+ fs_rw_rpc_named_pipes($1_t)
+ fs_search_auto_mountpoints($1_t)
+
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+ files_search_var($1_t)
+ files_search_var_lib($1_t)
+ files_list_home($1_t)
+
+ auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ userdom_dontaudit_use_unpriv_user_fds($1_t)
+
+ optional_policy(`
+ rpcbind_stream_connect($1_t)
+ ')
+
+ optional_policy(`
+ seutil_sigchld_newrole($1_t)
+ ')
+
+ optional_policy(`
+ udev_read_db($1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to rpc and recieve UDP traffic from rpc. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_udp_send',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of the NFS export file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpc_dontaudit_getattr_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ dontaudit $1 exports_t:file getattr;
+')
+
+########################################
+## <summary>
+## Allow read access to exports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_read_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ allow $1 exports_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow write access to exports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_write_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ allow $1 exports_t:file write;
+')
+
+########################################
+## <summary>
+## Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_domtrans_nfsd',`
+ gen_require(`
+ type nfsd_t, nfsd_exec_t;
+ ')
+
+ domtrans_pattern($1, nfsd_exec_t, nfsd_t)
+')
+
+#######################################
+## <summary>
+## Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_initrc_domtrans_nfsd',`
+ gen_require(`
+ type nfsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nfsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute domain in rpcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_domtrans_rpcd',`
+ gen_require(`
+ type rpcd_t, rpcd_exec_t;
+ ')
+
+ domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+ allow rpcd_t $1:process signal;
+')
+
+#######################################
+## <summary>
+## Execute domain in rpcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_initrc_domtrans_rpcd',`
+ gen_require(`
+ type rpcd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read NFS exported content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_read_nfs_content',`
+ gen_require(`
+ type nfsd_ro_t, nfsd_rw_t;
+ ')
+
+ allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
+ allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
+ allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+## Allow domain to create read and write NFS directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_manage_nfs_rw_content',`
+ gen_require(`
+ type nfsd_rw_t;
+ ')
+
+ manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t)
+ manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
+ manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
+')
+
+########################################
+## <summary>
+## Allow domain to create read and write NFS directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_manage_nfs_ro_content',`
+ gen_require(`
+ type nfsd_ro_t;
+ ')
+
+ manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t)
+ manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
+ manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
+')
+
+########################################
+## <summary>
+## Allow domain to read and write to an NFS TCP socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_tcp_rw_nfs_sockets',`
+ gen_require(`
+ type nfsd_t;
+ ')
+
+ allow $1 nfsd_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read and write to an NFS UDP socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_udp_rw_nfs_sockets',`
+ gen_require(`
+ type nfsd_t;
+ ')
+
+ allow $1 nfsd_t:udp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Send UDP traffic to NFSd. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_udp_send_nfs',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Search NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_search_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 var_lib_nfs_t:dir search;
+')
+
+########################################
+## <summary>
+## Read NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_read_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+')
+
+########################################
+## <summary>
+## Manage NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_manage_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_dirs_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+')
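Review bot: `rpc_write_exports` grants `allow $1 exports_t:file write;` without `open` or `getattr`, so a caller can only write `/etc/exports` through a descriptor it inherited, not by opening the file itself; if the interface is meant for a domain that rewrites the exports file, it should use `write_files_pattern($1, exports_t, exports_t)` (or at least `{ getattr open write }`) to match how the other interfaces in this file are built. The summary of `rpc_manage_nfs_ro_content` is a copy of the rw variant's and should state what it actually grants: full create/read/write/delete on `nfsd_ro_t`, which is only "read-only" from the exporting nfsd's side. The summaries of `rpc_initrc_domtrans_nfsd` and `rpc_initrc_domtrans_rpcd` likewise say "Execute domain in ... domain" although they transition through the labeled init script; and "managment", "arbitary" and "recieve" are typos in the header and comments.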
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
new file mode 100644
index 00000000..7f48e511
--- /dev/null
+++ b/policy/modules/contrib/rpc.te
@@ -0,0 +1,237 @@
+policy_module(rpc, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow gssd to read temp directory. For access to kerberos tgt.
+## </p>
+## </desc>
+gen_tunable(allow_gssd_read_tmp, true)
+
+## <desc>
+## <p>
+## Allow nfs servers to modify public files
+## used for public file transfer services. Files/Directories must be
+## labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_nfsd_anon_write, false)
+
+type exports_t;
+files_config_file(exports_t)
+
+rpc_domain_template(gssd)
+
+type gssd_tmp_t;
+files_tmp_file(gssd_tmp_t)
+
+type rpcd_var_run_t;
+files_pid_file(rpcd_var_run_t)
+
+# rpcd_t is the domain of rpc daemons.
+# rpc_exec_t is the type of rpc daemon programs.
+rpc_domain_template(rpcd)
+
+type rpcd_initrc_exec_t;
+init_script_file(rpcd_initrc_exec_t)
+
+rpc_domain_template(nfsd)
+
+type nfsd_initrc_exec_t;
+init_script_file(nfsd_initrc_exec_t)
+
+type nfsd_rw_t;
+files_type(nfsd_rw_t)
+
+type nfsd_ro_t;
+files_type(nfsd_ro_t)
+
+type var_lib_nfs_t;
+files_mountpoint(var_lib_nfs_t)
+
+########################################
+#
+# RPC local policy
+#
+
+allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
+allow rpcd_t self:process { getcap setcap };
+allow rpcd_t self:fifo_file rw_fifo_file_perms;
+
+allow rpcd_t rpcd_var_run_t:dir setattr;
+manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
+files_pid_filetrans(rpcd_t, rpcd_var_run_t, file)
+
+# rpc.statd executes sm-notify
+can_exec(rpcd_t, rpcd_exec_t)
+
+kernel_read_system_state(rpcd_t)
+kernel_read_network_state(rpcd_t)
+# for rpc.rquotad
+kernel_read_sysctl(rpcd_t)
+kernel_rw_fs_sysctls(rpcd_t)
+kernel_dontaudit_getattr_core_if(rpcd_t)
+kernel_signal(rpcd_t)
+
+corecmd_exec_bin(rpcd_t)
+
+files_manage_mounttab(rpcd_t)
+files_getattr_all_dirs(rpcd_t)
+
+fs_list_rpc(rpcd_t)
+fs_read_rpc_files(rpcd_t)
+fs_read_rpc_symlinks(rpcd_t)
+fs_rw_rpc_sockets(rpcd_t)
+fs_get_all_fs_quotas(rpcd_t)
+fs_getattr_all_fs(rpcd_t)
+
+storage_getattr_fixed_disk_dev(rpcd_t)
+
+selinux_dontaudit_read_fs(rpcd_t)
+
+miscfiles_read_generic_certs(rpcd_t)
+
+seutil_dontaudit_search_config(rpcd_t)
+
+optional_policy(`
+ automount_signal(rpcd_t)
+ automount_dontaudit_write_pipes(rpcd_t)
+')
+
+optional_policy(`
+ nis_read_ypserv_config(rpcd_t)
+')
+
+########################################
+#
+# NFSD local policy
+#
+
+allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+allow nfsd_t self:udp_socket listen;
+allow nfsd_t exports_t:file read_file_perms;
+allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+
+# for /proc/fs/nfs/exports - should we have a new type?
+kernel_read_system_state(nfsd_t)
+kernel_read_network_state(nfsd_t)
+kernel_dontaudit_getattr_core_if(nfsd_t)
+
+corenet_tcp_bind_all_rpc_ports(nfsd_t)
+corenet_udp_bind_all_rpc_ports(nfsd_t)
+
+dev_dontaudit_getattr_all_blk_files(nfsd_t)
+dev_dontaudit_getattr_all_chr_files(nfsd_t)
+dev_rw_lvm_control(nfsd_t)
+
+# does not really need this, but it is easier to just allow it
+files_search_pids(nfsd_t)
+# for exportfs and rpc.mountd
+files_getattr_tmp_dirs(nfsd_t)
+# cjp: this should really have its own type
+files_manage_mounttab(nfsd_t)
+files_read_etc_runtime_files(nfsd_t)
+
+fs_mount_nfsd_fs(nfsd_t)
+fs_search_nfsd_fs(nfsd_t)
+fs_getattr_all_fs(nfsd_t)
+fs_getattr_all_dirs(nfsd_t)
+fs_rw_nfsd_fs(nfsd_t)
+
+storage_dontaudit_read_fixed_disk(nfsd_t)
+storage_raw_read_removable_device(nfsd_t)
+
+# Read access to public_content_t and public_content_rw_t
+miscfiles_read_public_files(nfsd_t)
+
+# Write access to public_content_t and public_content_rw_t
+tunable_policy(`allow_nfsd_anon_write',`
+ miscfiles_manage_public_files(nfsd_t)
+')
+
+tunable_policy(`nfs_export_all_rw',`
+ dev_getattr_all_blk_files(nfsd_t)
+ dev_getattr_all_chr_files(nfsd_t)
+
+ fs_read_noxattr_fs_files(nfsd_t)
+ auth_manage_all_files_except_auth_files(nfsd_t)
+')
+
+tunable_policy(`nfs_export_all_ro',`
+ dev_getattr_all_blk_files(nfsd_t)
+ dev_getattr_all_chr_files(nfsd_t)
+
+ files_getattr_all_pipes(nfsd_t)
+ files_getattr_all_sockets(nfsd_t)
+
+ fs_read_noxattr_fs_files(nfsd_t)
+
+ auth_read_all_dirs_except_auth_files(nfsd_t)
+ auth_read_all_files_except_auth_files(nfsd_t)
+')
+
+########################################
+#
+# GSSD local policy
+#
+
+allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+allow gssd_t self:process { getsched setsched };
+allow gssd_t self:fifo_file rw_file_perms;
+
+manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+
+kernel_read_system_state(gssd_t)
+kernel_read_network_state(gssd_t)
+kernel_read_network_state_symlinks(gssd_t)
+kernel_request_load_module(gssd_t)
+kernel_search_network_sysctl(gssd_t)
+kernel_signal(gssd_t)
+
+corecmd_exec_bin(gssd_t)
+
+fs_list_rpc(gssd_t)
+fs_rw_rpc_sockets(gssd_t)
+fs_read_rpc_files(gssd_t)
+
+fs_list_inotifyfs(gssd_t)
+files_list_tmp(gssd_t)
+files_read_usr_symlinks(gssd_t)
+files_dontaudit_write_var_dirs(gssd_t)
+
+auth_use_nsswitch(gssd_t)
+auth_manage_cache(gssd_t)
+
+miscfiles_read_generic_certs(gssd_t)
+
+mount_signal(gssd_t)
+
+userdom_signal_all_users(gssd_t)
+
+tunable_policy(`allow_gssd_read_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_read_user_tmp_files(gssd_t)
+ userdom_read_user_tmp_symlinks(gssd_t)
+')
+
+optional_policy(`
+ automount_signal(gssd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(gssd, gssd_t)
+')
+
+optional_policy(`
+ pcscd_read_pub_files(gssd_t)
+')
+
+optional_policy(`
+ xserver_rw_xdm_tmp_files(gssd_t)
+')
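Review bot: `storage_raw_read_removable_device(nfsd_t)` and `dev_rw_lvm_control(nfsd_t)` in the NFSD local policy are unexplained grants that go well beyond serving exports: raw reads of removable block devices bypass per-file labeling entirely, and read/write on the LVM control device lets the daemon drive volume management. Every other unusual rule in this block carries a why-comment (`# for exportfs and rpc.mountd`, `# does not really need this, but it is easier to just allow it`), so these two should too, naming the program or code path that needs them, e.g. `# rpc.mountd/exportfs need raw device access for <reason> -- TODO confirm`; if nothing does, they should be dropped rather than kept in a daemon reachable from the network. The `allow_gssd_read_tmp` tunable defaulting to `true` is documented, but the description could say explicitly that it exposes every user's `/tmp` content to gssd, not only Kerberos credential caches.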
diff --git a/policy/modules/contrib/rpcbind.fc b/policy/modules/contrib/rpcbind.fc
new file mode 100644
index 00000000..f5c47d64
--- /dev/null
+++ b/policy/modules/contrib/rpcbind.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
+
+/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+
+/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+
+/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+/var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
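Review bot: The `/var/run/rpc.statd\.pid` entry conflicts with rpc.fc, which labels the same file (`/var/run/rpc\.statd\.pid`) as `rpcd_var_run_t` for the `rpcd_t` domain that `rpc.statd` runs in, so the effective label of the pid file depends on which spec file_contexts orders last and one of the two daemons ends up unable to manage it. The dot after `rpc` is also unescaped, so the pattern matches `rpcXstatd.pid` as well. Since rpc.statd is not an rpcbind binary, I would delete this line from rpcbind.fc; if rpcbind really does need the file, give it a single agreed type and an escaped pattern, `/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)`, in one place only.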
diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if
new file mode 100644
index 00000000..a96249cf
--- /dev/null
+++ b/policy/modules/contrib/rpcbind.if
@@ -0,0 +1,148 @@
+## <summary>Universal Addresses to RPC Program Number Mapper</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run rpcbind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpcbind_domtrans',`
+ gen_require(`
+ type rpcbind_t, rpcbind_exec_t;
+ ')
+
+ domtrans_pattern($1, rpcbind_exec_t, rpcbind_t)
+')
+
+########################################
+## <summary>
+## Connect to rpcbindd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_stream_connect',`
+ gen_require(`
+ type rpcbind_t, rpcbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 rpcbind_var_run_t:sock_file write;
+ allow $1 rpcbind_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Read rpcbind PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_read_pid_files',`
+ gen_require(`
+ type rpcbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 rpcbind_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search rpcbind lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_search_lib',`
+ gen_require(`
+ type rpcbind_var_lib_t;
+ ')
+
+ allow $1 rpcbind_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read rpcbind lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_read_lib_files',`
+ gen_require(`
+ type rpcbind_var_lib_t;
+ ')
+
+ read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rpcbind lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_manage_lib_files',`
+ gen_require(`
+ type rpcbind_var_lib_t;
+ ')
+
+ manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rpcbind environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the rpcbind domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpcbind_admin',`
+ gen_require(`
+ type rpcbind_t, rpcbind_var_lib_t, rpcbind_var_run_t;
+ type rpcbind_initrc_exec_t;
+ ')
+
+ allow $1 rpcbind_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rpcbind_t)
+
+ init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 rpcbind_initrc_exec_t system_r;
+ allow $2 system_r;
+')
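Review bot: `rpcbind_admin` calls `init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)` with a misspelled type: the `gen_require` block and the `role_transition` line use `rpcbind_initrc_exec_t`, so the first module that invokes `rpcbind_admin` will fail to build on an undeclared type (or, in a permissive toolchain, the admin role will silently get no transition into the init script). The fix is `init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)`. Minor: the `rpcbind_stream_connect` summary says "rpcbindd".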
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
new file mode 100644
index 00000000..a63e9eee
--- /dev/null
+++ b/policy/modules/contrib/rpcbind.te
@@ -0,0 +1,69 @@
+policy_module(rpcbind, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type rpcbind_t;
+type rpcbind_exec_t;
+init_daemon_domain(rpcbind_t, rpcbind_exec_t)
+
+type rpcbind_initrc_exec_t;
+init_script_file(rpcbind_initrc_exec_t)
+
+type rpcbind_var_run_t;
+files_pid_file(rpcbind_var_run_t)
+
+type rpcbind_var_lib_t;
+files_type(rpcbind_var_lib_t)
+
+########################################
+#
+# rpcbind local policy
+#
+
+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+allow rpcbind_t self:fifo_file rw_file_perms;
+allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
+allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow rpcbind_t self:udp_socket create_socket_perms;
+allow rpcbind_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
+manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
+files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })
+
+manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file })
+
+kernel_read_system_state(rpcbind_t)
+kernel_read_network_state(rpcbind_t)
+kernel_request_load_module(rpcbind_t)
+
+corenet_all_recvfrom_unlabeled(rpcbind_t)
+corenet_all_recvfrom_netlabel(rpcbind_t)
+corenet_tcp_sendrecv_generic_if(rpcbind_t)
+corenet_udp_sendrecv_generic_if(rpcbind_t)
+corenet_tcp_sendrecv_generic_node(rpcbind_t)
+corenet_udp_sendrecv_generic_node(rpcbind_t)
+corenet_tcp_sendrecv_all_ports(rpcbind_t)
+corenet_udp_sendrecv_all_ports(rpcbind_t)
+corenet_tcp_bind_generic_node(rpcbind_t)
+corenet_udp_bind_generic_node(rpcbind_t)
+corenet_tcp_bind_portmap_port(rpcbind_t)
+corenet_udp_bind_portmap_port(rpcbind_t)
+corenet_udp_bind_all_rpc_ports(rpcbind_t)
+
+domain_use_interactive_fds(rpcbind_t)
+
+files_read_etc_files(rpcbind_t)
+files_read_etc_runtime_files(rpcbind_t)
+
+logging_send_syslog_msg(rpcbind_t)
+
+miscfiles_read_localization(rpcbind_t)
+
+sysnet_dns_name_resolve(rpcbind_t)
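Review bot: `allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };` grants `sys_tty_config` to the portmapper, a capability with no evident use in this block; the `rpc_domain_template` in rpc.if treats the same capability as init-time noise and only `dontaudit`s it together with `net_admin`. Unless there is a known reason rpcbind configures a tty, I would follow that pattern: `dontaudit rpcbind_t self:capability sys_tty_config;` and keep the allow to `{ dac_override setgid setuid }`. A one-line comment on why `dac_override` is needed (it bypasses DAC on every file the domain may touch) would also help the next reviewer; if it is only for dropping privileges after binding, `setuid`/`setgid` alone may do.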
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
new file mode 100644
index 00000000..b206bf68
--- /dev/null
+++ b/policy/modules/contrib/rpm.fc
@@ -0,0 +1,52 @@
+
+/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
+/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+ifdef(`distro_redhat', `
+/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+')
+
+/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+
+/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+
+/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
+/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+
+# SuSE
+ifdef(`distro_suse', `
+/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
+')
+
+ifdef(`enable_mls',`
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+')
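Review bot: Under `enable_mls` this file labels `/sbin/cpio` as `rpm_exec_t`, which means any domain given `rpm_domtrans`/`rpm_run` transitions into the package-manager domain simply by running cpio, and a caller that only has `rpm_exec` can execute it in place; the reason is not recorded anywhere in the hunk. A comment such as `# MLS: cpio is run in rpm_t so that <reason> -- confirm whether a dedicated type would be tighter` would document the intent, and if the need is specific to one caller, a narrower labeling or a dedicated exec type would avoid widening rpm_t's entry points. The patterns `/var/log/rpmpkgs.*` and `/var/run/yum.*` use an unescaped `.` before `*`, so they match e.g. `/var/run/yumfoo` as well as `yum.pid`; if only dotted names are intended, `\..*` is the usual spelling.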
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
new file mode 100644
index 00000000..951d8f6b
--- /dev/null
+++ b/policy/modules/contrib/rpm.if
@@ -0,0 +1,575 @@
+## <summary>Policy for the RPM package manager.</summary>
+
+########################################
+## <summary>
+## Execute rpm programs in the rpm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpm_domtrans',`
+ gen_require(`
+ type rpm_t, rpm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rpm_exec_t, rpm_t)
+')
+
+########################################
+## <summary>
+## Execute debuginfo_install programs in the rpm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpm_debuginfo_domtrans',`
+ gen_require(`
+ type rpm_t, debuginfo_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, debuginfo_exec_t, rpm_t)
+')
+
+########################################
+## <summary>
+## Execute rpm_script programs in the rpm_script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpm_domtrans_script',`
+ gen_require(`
+ type rpm_script_t;
+ ')
+
+ # transition to rpm script:
+ corecmd_shell_domtrans($1, rpm_script_t)
+ allow rpm_script_t $1:fd use;
+ allow rpm_script_t $1:fifo_file rw_file_perms;
+ allow rpm_script_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute RPM programs in the RPM domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the RPM domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpm_run',`
+ gen_require(`
+ attribute_role rpm_roles;
+ ')
+
+ rpm_domtrans($1)
+ roleattribute $2 rpm_roles;
+')
+
+########################################
+## <summary>
+## Execute the rpm client in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_exec',`
+ gen_require(`
+ type rpm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rpm_exec_t)
+')
+
+########################################
+## <summary>
+## Send a null signal to rpm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_signull',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ allow $1 rpm_t:process signull;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from RPM.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_use_fds',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ allow $1 rpm_t:fd use;
+')
+
+########################################
+## <summary>
+## Read from an unnamed RPM pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_pipes',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ allow $1 rpm_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write an unnamed RPM pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_rw_pipes',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ allow $1 rpm_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## rpm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_dbus_chat',`
+ gen_require(`
+ type rpm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rpm_t:dbus send_msg;
+ allow rpm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and
+## receive messages from rpm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_dbus_chat',`
+ gen_require(`
+ type rpm_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 rpm_t:dbus send_msg;
+ dontaudit rpm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## rpm_script over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_script_dbus_chat',`
+ gen_require(`
+ type rpm_script_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rpm_script_t:dbus send_msg;
+ allow rpm_script_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Search RPM log directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_search_log',`
+ gen_require(`
+ type rpm_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 rpm_log_t:dir search_dir_perms;
+')
+
+#####################################
+## <summary>
+## Allow the specified domain to append
+## to rpm log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_append_log',`
+ gen_require(`
+ type rpm_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, rpm_log_t, rpm_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the RPM log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_log',`
+ gen_require(`
+ type rpm_log_t;
+ ')
+
+ logging_rw_generic_log_dirs($1)
+ allow $1 rpm_log_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from RPM scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_use_script_fds',`
+ gen_require(`
+ type rpm_script_t;
+ ')
+
+ allow $1 rpm_script_t:fd use;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete RPM
+## script temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_script_tmp_files',`
+ gen_require(`
+ type rpm_script_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+')
+
+#####################################
+## <summary>
+## Allow the specified domain to append
+## to rpm tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_append_tmp_files',`
+ gen_require(`
+ type rpm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete RPM
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_tmp_files',`
+ gen_require(`
+ type rpm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
+## Read RPM script temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_script_tmp_files',`
+ gen_require(`
+ type rpm_script_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+ read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+')
+
+########################################
+## <summary>
+## Read the RPM cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_cache',`
+ gen_require(`
+ type rpm_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 rpm_var_cache_t:dir list_dir_perms;
+ read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the RPM package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_cache',`
+ gen_require(`
+ type rpm_var_cache_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
+
+########################################
+## <summary>
+## Read the RPM package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 rpm_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+')
+
+########################################
+## <summary>
+## Delete the RPM package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_delete_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the RPM package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, and delete the RPM package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_manage_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 rpm_var_lib_t:file manage_file_perms;
+ dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
+')
+
+#####################################
+## <summary>
+## Read rpm pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_pid_files',`
+ gen_require(`
+ type rpm_var_run_t;
+ ')
+
+ read_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
+ files_search_pids($1)
+')
+
+#####################################
+## <summary>
+## Create, read, write, and delete rpm pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_pid_files',`
+ gen_require(`
+ type rpm_var_run_t;
+ ')
+
+ manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
+ files_search_pids($1)
+')
+
+######################################
+## <summary>
+## Create files in /var/run with the rpm pid file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_pid_filetrans',`
+ gen_require(`
+ type rpm_var_run_t;
+ ')
+
+ files_pid_filetrans($1, rpm_var_run_t, file)
+')
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
new file mode 100644
index 00000000..e9f1f161
--- /dev/null
+++ b/policy/modules/contrib/rpm.te
@@ -0,0 +1,399 @@
+policy_module(rpm, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role rpm_roles;
+
+type debuginfo_exec_t;
+domain_entry_file(rpm_t, debuginfo_exec_t)
+
+type rpm_t;
+type rpm_exec_t;
+init_system_domain(rpm_t, rpm_exec_t)
+domain_obj_id_change_exemption(rpm_t)
+domain_role_change_exemption(rpm_t)
+domain_system_change_exemption(rpm_t)
+domain_interactive_fd(rpm_t)
+role rpm_roles types rpm_t;
+
+type rpm_file_t;
+files_type(rpm_file_t)
+
+type rpm_tmp_t;
+files_tmp_file(rpm_tmp_t)
+
+type rpm_tmpfs_t;
+files_tmpfs_file(rpm_tmpfs_t)
+
+type rpm_log_t;
+logging_log_file(rpm_log_t)
+
+type rpm_var_lib_t;
+files_type(rpm_var_lib_t)
+typealias rpm_var_lib_t alias var_lib_rpm_t;
+
+type rpm_var_cache_t;
+files_type(rpm_var_cache_t)
+
+type rpm_var_run_t;
+files_pid_file(rpm_var_run_t)
+
+type rpm_script_t;
+type rpm_script_exec_t;
+domain_obj_id_change_exemption(rpm_script_t)
+domain_system_change_exemption(rpm_script_t)
+corecmd_shell_entry_type(rpm_script_t)
+corecmd_bin_entry_type(rpm_script_t)
+domain_type(rpm_script_t)
+domain_entry_file(rpm_t, rpm_script_exec_t)
+domain_interactive_fd(rpm_script_t)
+role rpm_roles types rpm_script_t;
+role system_r types rpm_script_t;
+
+type rpm_script_tmp_t;
+files_tmp_file(rpm_script_tmp_t)
+
+type rpm_script_tmpfs_t;
+files_tmpfs_file(rpm_script_tmpfs_t)
+
+########################################
+#
+# rpm Local policy
+#
+
+allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
+allow rpm_t self:process { getattr setexec setfscreate setrlimit };
+allow rpm_t self:fd use;
+allow rpm_t self:fifo_file rw_fifo_file_perms;
+allow rpm_t self:unix_dgram_socket create_socket_perms;
+allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
+allow rpm_t self:unix_dgram_socket sendto;
+allow rpm_t self:unix_stream_socket connectto;
+allow rpm_t self:udp_socket { connect };
+allow rpm_t self:udp_socket create_socket_perms;
+allow rpm_t self:tcp_socket create_stream_socket_perms;
+allow rpm_t self:shm create_shm_perms;
+allow rpm_t self:sem create_sem_perms;
+allow rpm_t self:msgq create_msgq_perms;
+allow rpm_t self:msg { send receive };
+
+allow rpm_t rpm_log_t:file manage_file_perms;
+logging_log_filetrans(rpm_t, rpm_log_t, file)
+
+manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
+manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
+files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
+can_exec(rpm_t, rpm_tmp_t)
+
+manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_t, rpm_tmpfs_t)
+
+manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
+
+# Access /var/lib/rpm files
+manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
+files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
+
+manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
+files_pid_filetrans(rpm_t, rpm_var_run_t, file)
+
+kernel_read_crypto_sysctls(rpm_t)
+kernel_read_network_state(rpm_t)
+kernel_read_system_state(rpm_t)
+kernel_read_kernel_sysctls(rpm_t)
+
+corecmd_exec_all_executables(rpm_t)
+
+corenet_all_recvfrom_unlabeled(rpm_t)
+corenet_all_recvfrom_netlabel(rpm_t)
+corenet_tcp_sendrecv_generic_if(rpm_t)
+corenet_raw_sendrecv_generic_if(rpm_t)
+corenet_udp_sendrecv_generic_if(rpm_t)
+corenet_tcp_sendrecv_generic_node(rpm_t)
+corenet_raw_sendrecv_generic_node(rpm_t)
+corenet_udp_sendrecv_generic_node(rpm_t)
+corenet_tcp_sendrecv_all_ports(rpm_t)
+corenet_udp_sendrecv_all_ports(rpm_t)
+corenet_tcp_connect_all_ports(rpm_t)
+corenet_sendrecv_all_client_packets(rpm_t)
+
+dev_list_sysfs(rpm_t)
+dev_list_usbfs(rpm_t)
+dev_read_urand(rpm_t)
+
+fs_getattr_all_dirs(rpm_t)
+fs_list_inotifyfs(rpm_t)
+fs_manage_nfs_dirs(rpm_t)
+fs_manage_nfs_files(rpm_t)
+fs_manage_nfs_symlinks(rpm_t)
+fs_getattr_all_fs(rpm_t)
+fs_search_auto_mountpoints(rpm_t)
+
+mls_file_read_all_levels(rpm_t)
+mls_file_write_all_levels(rpm_t)
+mls_file_upgrade(rpm_t)
+mls_file_downgrade(rpm_t)
+
+selinux_get_fs_mount(rpm_t)
+selinux_validate_context(rpm_t)
+selinux_compute_access_vector(rpm_t)
+selinux_compute_create_context(rpm_t)
+selinux_compute_relabel_context(rpm_t)
+selinux_compute_user_contexts(rpm_t)
+
+storage_raw_write_fixed_disk(rpm_t)
+# for installing kernel packages
+storage_raw_read_fixed_disk(rpm_t)
+
+term_list_ptys(rpm_t)
+
+auth_relabel_all_files_except_auth_files(rpm_t)
+auth_manage_all_files_except_auth_files(rpm_t)
+auth_dontaudit_read_shadow(rpm_t)
+auth_use_nsswitch(rpm_t)
+
+# transition to rpm script:
+rpm_domtrans_script(rpm_t)
+
+domain_read_all_domains_state(rpm_t)
+domain_getattr_all_domains(rpm_t)
+domain_dontaudit_ptrace_all_domains(rpm_t)
+domain_use_interactive_fds(rpm_t)
+domain_dontaudit_getattr_all_pipes(rpm_t)
+domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
+domain_dontaudit_getattr_all_udp_sockets(rpm_t)
+domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+domain_dontaudit_getattr_all_raw_sockets(rpm_t)
+domain_dontaudit_getattr_all_stream_sockets(rpm_t)
+domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
+
+files_exec_etc_files(rpm_t)
+
+init_domtrans_script(rpm_t)
+init_use_script_ptys(rpm_t)
+
+libs_exec_ld_so(rpm_t)
+libs_exec_lib_files(rpm_t)
+libs_run_ldconfig(rpm_t, rpm_roles)
+
+logging_send_syslog_msg(rpm_t)
+
+# allow compiling and loading new policy
+seutil_manage_src_policy(rpm_t)
+seutil_manage_bin_policy(rpm_t)
+
+userdom_use_user_terminals(rpm_t)
+userdom_use_unpriv_users_fds(rpm_t)
+
+optional_policy(`
+ cron_system_entry(rpm_t, rpm_exec_t)
+')
+
+optional_policy(`
+ dbus_system_domain(rpm_t, rpm_exec_t)
+ dbus_system_domain(rpm_t, debuginfo_exec_t)
+
+ optional_policy(`
+ hal_dbus_chat(rpm_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(rpm_t)
+ ')
+')
+
+optional_policy(`
+ prelink_run(rpm_t, rpm_roles)
+')
+
+optional_policy(`
+ unconfined_domain(rpm_t)
+ # yum-updatesd requires this
+ unconfined_dbus_chat(rpm_t)
+ unconfined_dbus_chat(rpm_script_t)
+')
+
+########################################
+#
+# rpm-script Local policy
+#
+
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
+allow rpm_script_t self:fd use;
+allow rpm_script_t self:fifo_file rw_fifo_file_perms;
+allow rpm_script_t self:unix_dgram_socket create_socket_perms;
+allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
+allow rpm_script_t self:unix_dgram_socket sendto;
+allow rpm_script_t self:unix_stream_socket connectto;
+allow rpm_script_t self:shm create_shm_perms;
+allow rpm_script_t self:sem create_sem_perms;
+allow rpm_script_t self:msgq create_msgq_perms;
+allow rpm_script_t self:msg { send receive };
+allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+allow rpm_script_t rpm_tmp_t:file read_file_perms;
+
+allow rpm_script_t rpm_script_tmp_t:dir mounton;
+manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
+can_exec(rpm_script_t, rpm_script_tmp_t)
+
+manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
+
+kernel_read_crypto_sysctls(rpm_script_t)
+kernel_read_kernel_sysctls(rpm_script_t)
+kernel_read_system_state(rpm_script_t)
+kernel_read_network_state(rpm_script_t)
+kernel_read_software_raid_state(rpm_script_t)
+
+dev_list_sysfs(rpm_script_t)
+
+# ideally we would not need this
+dev_manage_generic_blk_files(rpm_script_t)
+dev_manage_generic_chr_files(rpm_script_t)
+dev_manage_all_blk_files(rpm_script_t)
+dev_manage_all_chr_files(rpm_script_t)
+
+fs_manage_nfs_files(rpm_script_t)
+fs_getattr_nfs(rpm_script_t)
+fs_search_all(rpm_script_t)
+fs_getattr_all_fs(rpm_script_t)
+# why is this not using mount?
+fs_getattr_xattr_fs(rpm_script_t)
+fs_mount_xattr_fs(rpm_script_t)
+fs_unmount_xattr_fs(rpm_script_t)
+fs_search_auto_mountpoints(rpm_script_t)
+
+mcs_killall(rpm_script_t)
+mcs_ptrace_all(rpm_script_t)
+
+mls_file_read_all_levels(rpm_script_t)
+mls_file_write_all_levels(rpm_script_t)
+
+selinux_get_fs_mount(rpm_script_t)
+selinux_validate_context(rpm_script_t)
+selinux_compute_access_vector(rpm_script_t)
+selinux_compute_create_context(rpm_script_t)
+selinux_compute_relabel_context(rpm_script_t)
+selinux_compute_user_contexts(rpm_script_t)
+
+storage_raw_read_fixed_disk(rpm_script_t)
+storage_raw_write_fixed_disk(rpm_script_t)
+
+term_getattr_unallocated_ttys(rpm_script_t)
+term_list_ptys(rpm_script_t)
+term_use_all_terms(rpm_script_t)
+
+auth_dontaudit_getattr_shadow(rpm_script_t)
+auth_use_nsswitch(rpm_script_t)
+# ideally we would not need this
+auth_manage_all_files_except_auth_files(rpm_script_t)
+auth_relabel_shadow(rpm_script_t)
+
+corecmd_exec_all_executables(rpm_script_t)
+
+domain_read_all_domains_state(rpm_script_t)
+domain_getattr_all_domains(rpm_script_t)
+domain_dontaudit_ptrace_all_domains(rpm_script_t)
+domain_use_interactive_fds(rpm_script_t)
+domain_signal_all_domains(rpm_script_t)
+domain_signull_all_domains(rpm_script_t)
+
+files_exec_etc_files(rpm_script_t)
+files_read_etc_runtime_files(rpm_script_t)
+files_exec_usr_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
+
+init_domtrans_script(rpm_script_t)
+init_telinit(rpm_script_t)
+
+libs_exec_ld_so(rpm_script_t)
+libs_exec_lib_files(rpm_script_t)
+libs_run_ldconfig(rpm_script_t, rpm_roles)
+
+logging_send_syslog_msg(rpm_script_t)
+
+miscfiles_read_localization(rpm_script_t)
+
+modutils_run_depmod(rpm_script_t, rpm_roles)
+modutils_run_insmod(rpm_script_t, rpm_roles)
+
+seutil_run_loadpolicy(rpm_script_t, rpm_roles)
+seutil_run_setfiles(rpm_script_t, rpm_roles)
+seutil_run_semanage(rpm_script_t, rpm_roles)
+
+userdom_use_all_users_fds(rpm_script_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ mta_send_mail(rpm_script_t)
+ ')
+')
+
+tunable_policy(`allow_execmem',`
+ allow rpm_script_t self:process execmem;
+')
+
+optional_policy(`
+ bootloader_run(rpm_script_t, rpm_roles)
+')
+
+optional_policy(`
+ dbus_system_bus_client(rpm_script_t)
+')
+
+optional_policy(`
+ lvm_run(rpm_script_t, rpm_roles)
+')
+
+optional_policy(`
+ ntp_domtrans(rpm_script_t)
+')
+
+optional_policy(`
+ tzdata_run(rpm_t, rpm_roles)
+ tzdata_run(rpm_script_t, rpm_roles)
+')
+
+optional_policy(`
+ udev_domtrans(rpm_script_t)
+')
+
+optional_policy(`
+ unconfined_domain(rpm_script_t)
+ unconfined_domtrans(rpm_script_t)
+
+ optional_policy(`
+ java_domtrans_unconfined(rpm_script_t)
+ ')
+
+ optional_policy(`
+ mono_domtrans(rpm_script_t)
+ ')
+')
+
+optional_policy(`
+ usermanage_run_groupadd(rpm_script_t, rpm_roles)
+ usermanage_run_useradd(rpm_script_t, rpm_roles)
+')
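Review bot: The two `self:process` rules at the top of the rpm local policy section contradict each other: the first excludes setexec, setfscreate and setrlimit through its `~{ … }` complement, and the very next rule grants those three back, so the effective exclusion is only `{ ptrace setcurrent execstack execheap }` while a reader of the first line believes the stricter set applies. Collapsing the pair to `allow rpm_t self:process ~{ ptrace setcurrent execstack execheap };` states the real policy (the `getattr` from the second rule is already inside the complement). The two `self:udp_socket` rules just below are redundant in the same way if create_socket_perms still carries connect as it does in refpolicy's permission sets, in which case the standalone `{ connect }` rule can go.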
diff --git a/policy/modules/contrib/rshd.fc b/policy/modules/contrib/rshd.fc
new file mode 100644
index 00000000..6a4db031
--- /dev/null
+++ b/policy/modules/contrib/rshd.fc
@@ -0,0 +1,5 @@
+
+/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+
+/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+/usr/sbin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
diff --git a/policy/modules/contrib/rshd.if b/policy/modules/contrib/rshd.if
new file mode 100644
index 00000000..2e87d76b
--- /dev/null
+++ b/policy/modules/contrib/rshd.if
@@ -0,0 +1,21 @@
+## <summary>Remote shell service.</summary>
+
+########################################
+## <summary>
+## Domain transition to rshd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rshd_domtrans',`
+ gen_require(`
+ type rshd_exec_t, rshd_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rshd_exec_t, rshd_t)
+')
diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
new file mode 100644
index 00000000..0b405d10
--- /dev/null
+++ b/policy/modules/contrib/rshd.te
@@ -0,0 +1,96 @@
+policy_module(rshd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+type rshd_t;
+type rshd_exec_t;
+inetd_tcp_service_domain(rshd_t, rshd_exec_t)
+domain_subj_id_change_exemption(rshd_t)
+domain_role_change_exemption(rshd_t)
+role system_r types rshd_t;
+
+########################################
+#
+# Local policy
+#
+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
+allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
+allow rshd_t self:fifo_file rw_fifo_file_perms;
+allow rshd_t self:tcp_socket create_stream_socket_perms;
+
+kernel_read_kernel_sysctls(rshd_t)
+
+corenet_all_recvfrom_unlabeled(rshd_t)
+corenet_all_recvfrom_netlabel(rshd_t)
+corenet_tcp_sendrecv_generic_if(rshd_t)
+corenet_udp_sendrecv_generic_if(rshd_t)
+corenet_tcp_sendrecv_generic_node(rshd_t)
+corenet_udp_sendrecv_generic_node(rshd_t)
+corenet_tcp_sendrecv_all_ports(rshd_t)
+corenet_udp_sendrecv_all_ports(rshd_t)
+corenet_tcp_bind_generic_node(rshd_t)
+corenet_tcp_bind_rsh_port(rshd_t)
+corenet_tcp_bind_all_rpc_ports(rshd_t)
+corenet_tcp_connect_all_ports(rshd_t)
+corenet_tcp_connect_all_rpc_ports(rshd_t)
+corenet_sendrecv_rsh_server_packets(rshd_t)
+
+dev_read_urand(rshd_t)
+
+selinux_get_fs_mount(rshd_t)
+selinux_validate_context(rshd_t)
+selinux_compute_access_vector(rshd_t)
+selinux_compute_create_context(rshd_t)
+selinux_compute_relabel_context(rshd_t)
+selinux_compute_user_contexts(rshd_t)
+
+corecmd_read_bin_symlinks(rshd_t)
+
+files_list_home(rshd_t)
+files_read_etc_files(rshd_t)
+files_search_tmp(rshd_t)
+
+auth_login_pgm_domain(rshd_t)
+auth_write_login_records(rshd_t)
+
+init_rw_utmp(rshd_t)
+
+logging_send_syslog_msg(rshd_t)
+logging_search_logs(rshd_t)
+
+miscfiles_read_localization(rshd_t)
+
+seutil_read_config(rshd_t)
+seutil_read_default_contexts(rshd_t)
+
+userdom_search_user_home_content(rshd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(rshd_t)
+ fs_read_nfs_symlinks(rshd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(rshd_t)
+ fs_read_cifs_symlinks(rshd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(rshd, rshd_t)
+ kerberos_manage_host_rcache(rshd_t)
+')
+
+optional_policy(`
+ rlogin_read_home_content(rshd_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(rshd_t, rshd_exec_t)
+')
+
+optional_policy(`
+ unconfined_shell_domtrans(rshd_t)
+ unconfined_signal(rshd_t)
+')
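Review bot: The broad network rules in the rshd local policy (`corenet_tcp_connect_all_ports`, `corenet_tcp_bind_all_rpc_ports`, `corenet_tcp_connect_all_rpc_ports`) carry no comment explaining why a service that binds the rsh port needs them, and they are exactly the rules a later policy audit will try to narrow. If they exist for rsh's second, client-chosen stderr connection and for the Kerberos variant, a one-line comment such as `# rsh opens a second (stderr) connection back to a client-chosen reserved port; confirm before narrowing` would preserve that intent. Separately, the Declarations and Local policy banners in this file run straight into the first statement, whereas the other modules in this commit leave a blank line after the `#` banner.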
diff --git a/policy/modules/contrib/rssh.fc b/policy/modules/contrib/rssh.fc
new file mode 100644
index 00000000..4c091ca3
--- /dev/null
+++ b/policy/modules/contrib/rssh.fc
@@ -0,0 +1 @@
+/usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0)
diff --git a/policy/modules/contrib/rssh.if b/policy/modules/contrib/rssh.if
new file mode 100644
index 00000000..cb3d9737
--- /dev/null
+++ b/policy/modules/contrib/rssh.if
@@ -0,0 +1,103 @@
+## <summary>Restricted (scp/sftp) only shell</summary>
+
+########################################
+## <summary>
+## Role access for rssh
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`rssh_role',`
+ gen_require(`
+ type rssh_t;
+ ')
+
+ role $1 types rssh_t;
+
+ # allow ps to show irc
+ ps_process_pattern($2, rssh_t)
+ allow $2 rssh_t:process signal;
+')
+
+########################################
+## <summary>
+## Transition to all user rssh domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rssh_spec_domtrans',`
+ gen_require(`
+ type rssh_t, rssh_exec_t;
+ ')
+
+ spec_domtrans_pattern($1, rssh_exec_t, rssh_t)
+')
+
+########################################
+## <summary>
+## Execute the rssh program
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rssh_exec',`
+ gen_require(`
+ type rssh_exec_t;
+ ')
+
+ can_exec($1, rssh_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run rssh_chroot_helper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rssh_domtrans_chroot_helper',`
+ gen_require(`
+ type rssh_chroot_helper_t, rssh_chroot_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t)
+')
+
+########################################
+## <summary>
+## Read all users rssh read-only content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rssh_read_ro_content',`
+ gen_require(`
+ type rssh_ro_t;
+ ')
+
+ allow $1 rssh_ro_t:dir list_dir_perms;
+ read_files_pattern($1, rssh_ro_t, rssh_ro_t)
+ read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t)
+')
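Review bot: The comment `# allow ps to show irc` in rssh_role is a copy-paste leftover from another module; the rule it annotates is `ps_process_pattern($2, rssh_t)`, so it should read `# allow ps to show rssh`. The summaries in this file ("Role access for rssh", "Role allowed access", "User domain for the role", "Restricted (scp/sftp) only shell") also omit the trailing period that every other interface summary in the commit uses.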
diff --git a/policy/modules/contrib/rssh.te b/policy/modules/contrib/rssh.te
new file mode 100644
index 00000000..ffb9605c
--- /dev/null
+++ b/policy/modules/contrib/rssh.te
@@ -0,0 +1,104 @@
+policy_module(rssh, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type rssh_t;
+type rssh_exec_t;
+typealias rssh_t alias { user_rssh_t staff_rssh_t sysadm_rssh_t };
+typealias rssh_t alias { auditadm_rssh_t secadm_rssh_t };
+userdom_user_application_domain(rssh_t, rssh_exec_t)
+domain_user_exemption_target(rssh_t)
+domain_interactive_fd(rssh_t)
+role system_r types rssh_t;
+
+type rssh_chroot_helper_t;
+type rssh_chroot_helper_exec_t;
+init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t)
+
+type rssh_devpts_t;
+typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t };
+typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t };
+term_user_pty(rssh_t, rssh_devpts_t)
+ubac_constrained(rssh_devpts_t)
+
+type rssh_ro_t;
+typealias rssh_ro_t alias { user_rssh_ro_t staff_rssh_ro_t sysadm_rssh_ro_t };
+typealias rssh_ro_t alias { auditadm_rssh_ro_t secadm_rssh_ro_t };
+userdom_user_home_content(rssh_ro_t)
+
+type rssh_rw_t;
+typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t };
+typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t };
+userdom_user_home_content(rssh_rw_t)
+
+##############################
+#
+# Local policy
+#
+
+allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rssh_t self:fd use;
+allow rssh_t self:fifo_file rw_fifo_file_perms;
+allow rssh_t self:unix_dgram_socket create_socket_perms;
+allow rssh_t self:unix_stream_socket create_stream_socket_perms;
+allow rssh_t self:unix_dgram_socket sendto;
+allow rssh_t self:unix_stream_socket connectto;
+allow rssh_t self:shm create_shm_perms;
+allow rssh_t self:sem create_sem_perms;
+allow rssh_t self:msgq create_msgq_perms;
+allow rssh_t self:msg { send receive };
+
+allow rssh_t rssh_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty(rssh_t, rssh_devpts_t)
+
+allow rssh_t rssh_ro_t:dir list_dir_perms;
+read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t)
+
+manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+
+kernel_read_system_state(rssh_t)
+kernel_read_kernel_sysctls(rssh_t)
+
+files_read_etc_files(rssh_t)
+files_read_etc_runtime_files(rssh_t)
+files_list_home(rssh_t)
+files_read_usr_files(rssh_t)
+files_list_var(rssh_t)
+
+fs_search_auto_mountpoints(rssh_t)
+
+logging_send_syslog_msg(rssh_t)
+
+miscfiles_read_localization(rssh_t)
+
+rssh_domtrans_chroot_helper(rssh_t)
+
+ssh_rw_tcp_sockets(rssh_t)
+ssh_rw_stream_sockets(rssh_t)
+
+optional_policy(`
+ nis_use_ypbind(rssh_t)
+')
+
+########################################
+#
+# rssh_chroot_helper local policy
+#
+
+allow rssh_chroot_helper_t self:capability { sys_chroot setuid };
+allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms;
+allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(rssh_chroot_helper_t)
+
+files_read_etc_files(rssh_chroot_helper_t)
+
+auth_use_nsswitch(rssh_chroot_helper_t)
+
+logging_send_syslog_msg(rssh_chroot_helper_t)
+
+miscfiles_read_localization(rssh_chroot_helper_t)
diff --git a/policy/modules/contrib/rsync.fc b/policy/modules/contrib/rsync.fc
new file mode 100644
index 00000000..479615be
--- /dev/null
+++ b/policy/modules/contrib/rsync.fc
@@ -0,0 +1,7 @@
+/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
+
+/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+
+/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
+
+/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
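Review bot: The rsyncd.conf entry writes `gen_context(system_u:object_r:rsync_etc_t, s0)` with a space before `s0`, while every other line in this file and in the rest of the commit uses `,s0)`. m4 probably tolerates the space, but the entry should read `/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t,s0)` so the file contexts stay uniform and grep-able.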
diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
new file mode 100644
index 00000000..3386f297
--- /dev/null
+++ b/policy/modules/contrib/rsync.if
@@ -0,0 +1,143 @@
+## <summary>Fast incremental file transfer for synchronization</summary>
+
+########################################
+## <summary>
+## Make rsync an entry point for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which init scripts are an entrypoint.
+## </summary>
+## </param>
+# cjp: added for portage
+interface(`rsync_entry_type',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ domain_entry_file($1, rsync_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a rsync in a specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a rsync in a specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+# cjp: added for portage
+interface(`rsync_entry_spec_domtrans',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ domain_trans($1, rsync_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Execute a rsync in a specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a rsync in a specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+# cjp: added for portage
+interface(`rsync_entry_domtrans',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ domain_auto_trans($1, rsync_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Execute rsync in the caller domain domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rsync_exec',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ can_exec($1, rsync_exec_t)
+')
+
+########################################
+## <summary>
+## Read rsync config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rsync_read_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ allow $1 rsync_etc_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Write to rsync config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rsync_write_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ allow $1 rsync_etc_t:file read_file_perms;
+ files_search_etc($1)
+')
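Review bot: rsync_write_config grants only `allow $1 rsync_etc_t:file read_file_perms;`, identical to rsync_read_config, so the interface does not do what its summary ("Write to rsync config files") promises and a caller relying on it will see write denials. It should grant `allow $1 rsync_etc_t:file rw_file_perms;` (or write_file_perms if read access is deliberately not part of it). Also, rsync_entry_spec_domtrans and rsync_entry_domtrans carry the identical summary and description although one calls domain_trans and the other domain_auto_trans; the docs should say which is the manual and which the automatic transition, and rsync_exec's summary doubles a word in "caller domain domain".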
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
new file mode 100644
index 00000000..5c17e847
--- /dev/null
+++ b/policy/modules/contrib/rsync.te
@@ -0,0 +1,133 @@
+policy_module(rsync, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow rsync to export any files/directories read only.
+## </p>
+## </desc>
+gen_tunable(rsync_export_all_ro, false)
+
+## <desc>
+## <p>
+## Allow rsync to modify public files
+## used for public file transfer services. Files/Directories must be
+## labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_rsync_anon_write, false)
+
+type rsync_t;
+type rsync_exec_t;
+init_daemon_domain(rsync_t, rsync_exec_t)
+application_executable_file(rsync_exec_t)
+role system_r types rsync_t;
+
+type rsync_etc_t;
+files_config_file(rsync_etc_t)
+
+type rsync_data_t;
+files_type(rsync_data_t)
+
+type rsync_log_t;
+logging_log_file(rsync_log_t)
+
+type rsync_tmp_t;
+files_tmp_file(rsync_tmp_t)
+
+type rsync_var_run_t;
+files_pid_file(rsync_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
+allow rsync_t self:process signal_perms;
+allow rsync_t self:fifo_file rw_fifo_file_perms;
+allow rsync_t self:tcp_socket create_stream_socket_perms;
+allow rsync_t self:udp_socket connected_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child_t rules?
+# search home and kerberos also.
+allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+#end for identd
+
+allow rsync_t rsync_etc_t:file read_file_perms;
+
+allow rsync_t rsync_data_t:dir list_dir_perms;
+read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+
+manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
+logging_log_filetrans(rsync_t, rsync_log_t, file)
+
+manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
+manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
+files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
+
+manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t)
+files_pid_filetrans(rsync_t, rsync_var_run_t, file)
+
+kernel_read_kernel_sysctls(rsync_t)
+kernel_read_system_state(rsync_t)
+kernel_read_network_state(rsync_t)
+
+corenet_all_recvfrom_unlabeled(rsync_t)
+corenet_all_recvfrom_netlabel(rsync_t)
+corenet_tcp_sendrecv_generic_if(rsync_t)
+corenet_udp_sendrecv_generic_if(rsync_t)
+corenet_tcp_sendrecv_generic_node(rsync_t)
+corenet_udp_sendrecv_generic_node(rsync_t)
+corenet_tcp_sendrecv_all_ports(rsync_t)
+corenet_udp_sendrecv_all_ports(rsync_t)
+corenet_tcp_bind_generic_node(rsync_t)
+corenet_tcp_bind_rsync_port(rsync_t)
+corenet_sendrecv_rsync_server_packets(rsync_t)
+
+dev_read_urand(rsync_t)
+
+fs_getattr_xattr_fs(rsync_t)
+
+files_read_etc_files(rsync_t)
+files_search_home(rsync_t)
+
+auth_use_nsswitch(rsync_t)
+
+logging_send_syslog_msg(rsync_t)
+
+miscfiles_read_localization(rsync_t)
+miscfiles_read_public_files(rsync_t)
+
+tunable_policy(`allow_rsync_anon_write',`
+ miscfiles_manage_public_files(rsync_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(rsync_t, rsync_exec_t)
+')
+
+optional_policy(`
+ kerberos_use(rsync_t)
+')
+
+optional_policy(`
+ inetd_service_domain(rsync_t, rsync_exec_t)
+')
+
+tunable_policy(`rsync_export_all_ro',`
+ fs_read_noxattr_fs_files(rsync_t)
+ fs_read_nfs_files(rsync_t)
+ fs_read_cifs_files(rsync_t)
+ auth_read_all_dirs_except_auth_files(rsync_t)
+ auth_read_all_files_except_auth_files(rsync_t)
+ auth_read_all_symlinks_except_auth_files(rsync_t)
+ auth_tunable_read_shadow(rsync_t)
+')
+auth_can_read_shadow_passwords(rsync_t)
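Review bot: `auth_can_read_shadow_passwords(rsync_t)` sits unconditionally after the rsync_export_all_ro tunable block while the read rule it accompanies, `auth_tunable_read_shadow(rsync_t)`, is inside it, so on its own the file reads as if rsync may always read shadow. If the interface only attaches the can_read_shadow_passwords attribute (which cannot be placed inside tunable_policy), that is correct but deserves a comment such as `# attribute assignment cannot be conditional; the actual shadow read rule is in the tunable above`. A blank line before it would also separate it from the `')` closing the tunable, matching the spacing used elsewhere in the file.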
diff --git a/policy/modules/contrib/rtkit.fc b/policy/modules/contrib/rtkit.fc
new file mode 100644
index 00000000..52c441e1
--- /dev/null
+++ b/policy/modules/contrib/rtkit.fc
@@ -0,0 +1 @@
+/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
diff --git a/policy/modules/contrib/rtkit.if b/policy/modules/contrib/rtkit.if
new file mode 100644
index 00000000..46dad1f9
--- /dev/null
+++ b/policy/modules/contrib/rtkit.if
@@ -0,0 +1,60 @@
+## <summary>Realtime scheduling for user processes.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run rtkit_daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rtkit_daemon_domtrans',`
+ gen_require(`
+ type rtkit_daemon_t, rtkit_daemon_exec_t;
+ ')
+
+ domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## rtkit_daemon over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rtkit_daemon_dbus_chat',`
+ gen_require(`
+ type rtkit_daemon_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rtkit_daemon_t:dbus send_msg;
+ allow rtkit_daemon_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Allow rtkit to control scheduling for your process
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rtkit_scheduled',`
+ gen_require(`
+ type rtkit_daemon_t;
+ ')
+
+ ps_process_pattern(rtkit_daemon_t, $1)
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
+')
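Review bot: The summary of rtkit_scheduled ("Allow rtkit to control scheduling for your process") under-describes what the interface grants: its body also gives rtkit_daemon_t read access to the caller's /proc entries through ps_process_pattern and bidirectional dbus send_msg through rtkit_daemon_dbus_chat. Since this is the interface user domains will call, the summary should spell that out, e.g. `## Allow rtkit_daemon to read the specified domain's process state, change its scheduling policy and priority, and exchange dbus messages with it.`. The informal "your process" should also become "the specified domain" to match the other summaries in this file.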
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
new file mode 100644
index 00000000..6f8e2682
--- /dev/null
+++ b/policy/modules/contrib/rtkit.te
@@ -0,0 +1,35 @@
+policy_module(rtkit, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type rtkit_daemon_t;
+type rtkit_daemon_exec_t;
+dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
+
+########################################
+#
+# rtkit_daemon local policy
+#
+
+allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
+allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
+
+kernel_read_system_state(rtkit_daemon_t)
+
+domain_getsched_all_domains(rtkit_daemon_t)
+domain_read_all_domains_state(rtkit_daemon_t)
+
+fs_rw_anon_inodefs_files(rtkit_daemon_t)
+
+auth_use_nsswitch(rtkit_daemon_t)
+
+logging_send_syslog_msg(rtkit_daemon_t)
+
+miscfiles_read_localization(rtkit_daemon_t)
+
+optional_policy(`
+ policykit_dbus_chat(rtkit_daemon_t)
+')
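Review bot: The self:capability rule grants sys_ptrace and dac_read_search alongside sys_nice without saying what the daemon needs them for; these two go well beyond adjusting scheduling priorities, and together with domain_read_all_domains_state a few lines below they let the daemon inspect every process on the system. A why-comment above the allow rule would let a later reviewer judge whether the set can shrink, e.g. `# sys_ptrace/dac_read_search: presumably needed to read /proc/<pid> of other users' processes when validating a request -- confirm against the daemon source`. The same applies to setuid, setgid and sys_chroot, which look like start-up privilege-dropping steps rather than steady-state needs, but that is inferred and should be stated in the comment only once confirmed.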
diff --git a/policy/modules/contrib/rwho.fc b/policy/modules/contrib/rwho.fc
new file mode 100644
index 00000000..bc048cef
--- /dev/null
+++ b/policy/modules/contrib/rwho.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0)
+
+/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
+
+/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)
+
+/var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0)
diff --git a/policy/modules/contrib/rwho.if b/policy/modules/contrib/rwho.if
new file mode 100644
index 00000000..71ea0eab
--- /dev/null
+++ b/policy/modules/contrib/rwho.if
@@ -0,0 +1,154 @@
+## <summary>Who is logged in on other machines?</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run rwho.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rwho_domtrans',`
+ gen_require(`
+ type rwho_t, rwho_exec_t;
+ ')
+
+ domtrans_pattern($1, rwho_exec_t, rwho_t)
+')
+
+########################################
+## <summary>
+## Search rwho log directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_search_log',`
+ gen_require(`
+ type rwho_log_t;
+ ')
+
+ allow $1 rwho_log_t:dir search_dir_perms;
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Read rwho log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_read_log_files',`
+ gen_require(`
+ type rwho_log_t;
+ ')
+
+ allow $1 rwho_log_t:file read_file_perms;
+ allow $1 rwho_log_t:dir list_dir_perms;
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Search rwho spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_search_spool',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ allow $1 rwho_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read rwho spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_read_spool_files',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ read_files_pattern($1, rwho_spool_t, rwho_spool_t)
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rwho spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_manage_spool_files',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ manage_files_pattern($1, rwho_spool_t, rwho_spool_t)
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rwho environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rwho_admin',`
+ gen_require(`
+ type rwho_t, rwho_log_t, rwho_spool_t;
+ type rwho_initrc_exec_t;
+ ')
+
+ allow $1 rwho_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rwho_t)
+
+ init_labeled_script_domtrans($1, rwho_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 rwho_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, rwho_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, rwho_spool_t)
+')
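Review bot: rwho_read_log_files and rwho_read_spool_files grant different directory access for what their summaries present as the same operation: the log variant spells out `allow $1 rwho_log_t:dir list_dir_perms;` while the spool variant goes through read_files_pattern, which only grants search on the directory. If listing the log directory is intended, a short comment saying so would stop the next maintainer from "normalising" it; if not, `read_files_pattern($1, rwho_log_t, rwho_log_t)` keeps both read interfaces in the same form. rwho_admin also grants `ptrace` on rwho_t next to signal_perms; this mirrors samba_admin later in the commit, so a brief comment on why an admin role needs ptrace (rather than only signals and process state) would be useful in both places.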
diff --git a/policy/modules/contrib/rwho.te b/policy/modules/contrib/rwho.te
new file mode 100644
index 00000000..a07b2f40
--- /dev/null
+++ b/policy/modules/contrib/rwho.te
@@ -0,0 +1,60 @@
+policy_module(rwho, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type rwho_t;
+type rwho_exec_t;
+init_daemon_domain(rwho_t, rwho_exec_t)
+
+type rwho_initrc_exec_t;
+init_script_file(rwho_initrc_exec_t)
+
+type rwho_log_t;
+files_type(rwho_log_t)
+
+type rwho_spool_t;
+files_type(rwho_spool_t)
+
+########################################
+#
+# rwho local policy
+#
+
+allow rwho_t self:capability sys_chroot;
+allow rwho_t self:unix_dgram_socket create;
+allow rwho_t self:fifo_file rw_file_perms;
+allow rwho_t self:unix_stream_socket create_stream_socket_perms;
+allow rwho_t self:udp_socket create_socket_perms;
+
+allow rwho_t rwho_log_t:dir manage_dir_perms;
+allow rwho_t rwho_log_t:file manage_file_perms;
+logging_log_filetrans(rwho_t, rwho_log_t, { file dir })
+
+allow rwho_t rwho_spool_t:dir manage_dir_perms;
+allow rwho_t rwho_spool_t:file manage_file_perms;
+files_spool_filetrans(rwho_t, rwho_spool_t, { file dir })
+
+kernel_read_system_state(rwho_t)
+
+corenet_all_recvfrom_unlabeled(rwho_t)
+corenet_all_recvfrom_netlabel(rwho_t)
+corenet_udp_sendrecv_generic_if(rwho_t)
+corenet_udp_sendrecv_generic_node(rwho_t)
+corenet_udp_sendrecv_all_ports(rwho_t)
+corenet_udp_bind_generic_node(rwho_t)
+corenet_udp_bind_rwho_port(rwho_t)
+corenet_sendrecv_rwho_server_packets(rwho_t)
+
+domain_use_interactive_fds(rwho_t)
+
+files_read_etc_files(rwho_t)
+
+init_read_utmp(rwho_t)
+init_dontaudit_write_utmp(rwho_t)
+
+miscfiles_read_localization(rwho_t)
+
+sysnet_dns_name_resolve(rwho_t)
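Review bot: rwho_log_t is declared with files_type although the domain later calls logging_log_filetrans on it and samba.te in the same commit declares samba_log_t with logging_log_file; without the logfile attribute the generic logging interfaces (for example logging_read_all_logs) will not cover /var/log/rwhod, so log readers and the admin role see an inconsistent view. Changing the declaration to `logging_log_file(rwho_log_t)` makes it consistent with the rest of the tree. rwho_spool_t likewise gets only files_type while the domain uses files_spool_filetrans; if this tree has a spool-file declaration interface it should be used here, otherwise a why-comment on the files_type call would help.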
diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
new file mode 100644
index 00000000..69a6074f
--- /dev/null
+++ b/policy/modules/contrib/samba.fc
@@ -0,0 +1,53 @@
+
+#
+# /etc
+#
+/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
+/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+
+/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
+/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
+/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
+/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
+
+#
+# /var
+#
+/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
+
+/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+
+/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
new file mode 100644
index 00000000..82cb169c
--- /dev/null
+++ b/policy/modules/contrib/samba.if
@@ -0,0 +1,730 @@
+## <summary>
+## SMB and CIFS client/server programs for UNIX and
+## name Service Switch daemon for resolving names
+## from Windows NT servers.
+## </summary>
+
+########################################
+## <summary>
+## Execute nmbd net in the nmbd_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_nmbd',`
+ gen_require(`
+ type nmbd_t, nmbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nmbd_exec_t, nmbd_t)
+')
+
+#######################################
+## <summary>
+## Allow domain to signal samba
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_signal_nmbd',`
+ gen_require(`
+ type nmbd_t;
+ ')
+ allow $1 nmbd_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute samba server in the samba domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_initrc_domtrans',`
+ gen_require(`
+ type samba_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, samba_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute samba net in the samba_net domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_net',`
+ gen_require(`
+ type samba_net_t, samba_net_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, samba_net_exec_t, samba_net_t)
+')
+
+########################################
+## <summary>
+## Execute samba net in the samba_net domain, and
+## allow the specified role the samba_net domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_net',`
+ gen_require(`
+ type samba_net_t;
+ ')
+
+ samba_domtrans_net($1)
+ role $2 types samba_net_t;
+')
+
+########################################
+## <summary>
+## Execute smbmount in the smbmount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smbmount',`
+ gen_require(`
+ type smbmount_t, smbmount_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, smbmount_exec_t, smbmount_t)
+')
+
+########################################
+## <summary>
+## Execute smbmount interactively and do
+## a domain transition to the smbmount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_smbmount',`
+ gen_require(`
+ type smbmount_t;
+ ')
+
+ samba_domtrans_smbmount($1)
+ role $2 types smbmount_t;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## samba configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_read_config',`
+ gen_require(`
+ type samba_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## and write samba configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_rw_config',`
+ gen_require(`
+ type samba_etc_t;
+ ')
+
+ files_search_etc($1)
+ rw_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## and write samba configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_manage_config',`
+ gen_require(`
+ type samba_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
+ manage_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read samba's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_read_log',`
+ gen_require(`
+ type samba_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 samba_log_t:dir list_dir_perms;
+ read_files_pattern($1, samba_log_t, samba_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append to samba's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_append_log',`
+ gen_require(`
+ type samba_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 samba_log_t:dir list_dir_perms;
+ allow $1 samba_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Execute samba log in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_exec_log',`
+ gen_require(`
+ type samba_log_t;
+ ')
+
+ logging_search_logs($1)
+ can_exec($1, samba_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read samba's secrets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_read_secrets',`
+ gen_require(`
+ type samba_secrets_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 samba_secrets_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read samba's shares
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_read_share_files',`
+ gen_require(`
+ type samba_share_t;
+ ')
+
+ allow $1 samba_share_t:filesystem getattr;
+ read_files_pattern($1, samba_share_t, samba_share_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to search
+## samba /var directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_search_var',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to
+## read samba /var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_read_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ read_files_pattern($1, samba_var_t, samba_var_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write samba
+## /var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`samba_dontaudit_write_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ dontaudit $1 samba_var_t:file write;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to
+## read and write samba /var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_rw_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ rw_files_pattern($1, samba_var_t, samba_var_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to
+## read and write samba /var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_manage_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ manage_files_pattern($1, samba_var_t, samba_var_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run smbcontrol.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smbcontrol',`
+ gen_require(`
+ type smbcontrol_t;
+ type smbcontrol_exec_t;
+ ')
+
+ domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
+')
+
+########################################
+## <summary>
+## Execute smbcontrol in the smbcontrol domain, and
+## allow the specified role the smbcontrol domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_run_smbcontrol',`
+ gen_require(`
+ type smbcontrol_t;
+ ')
+
+ samba_domtrans_smbcontrol($1)
+ role $2 types smbcontrol_t;
+')
+
+########################################
+## <summary>
+## Execute smbd in the smbd_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smbd',`
+ gen_require(`
+ type smbd_t, smbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, smbd_exec_t, smbd_t)
+')
+
+######################################
+## <summary>
+## Allow domain to signal samba
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_signal_smbd',`
+ gen_require(`
+ type smbd_t;
+ ')
+ allow $1 smbd_t:process signal;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use file descriptors from samba.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`samba_dontaudit_use_fds',`
+ gen_require(`
+ type smbd_t;
+ ')
+
+ dontaudit $1 smbd_t:fd use;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to write to smbmount tcp sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_write_smbmount_tcp_sockets',`
+ gen_require(`
+ type smbmount_t;
+ ')
+
+ allow $1 smbmount_t:tcp_socket write;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read and write to smbmount tcp sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_rw_smbmount_tcp_sockets',`
+ gen_require(`
+ type smbmount_t;
+ ')
+
+ allow $1 smbmount_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Execute winbind_helper in the winbind_helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_winbind_helper',`
+ gen_require(`
+ type winbind_helper_t, winbind_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+')
+
+########################################
+## <summary>
+## Execute winbind_helper in the winbind_helper domain, and
+## allow the specified role the winbind_helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_winbind_helper',`
+ gen_require(`
+ type winbind_helper_t;
+ ')
+
+ samba_domtrans_winbind_helper($1)
+ role $2 types winbind_helper_t;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read the winbind pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_read_winbind_pid',`
+ gen_require(`
+ type winbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 winbind_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to winbind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_stream_connect_winbind',`
+ gen_require(`
+ type samba_var_t, winbind_t, winbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+ stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
+
+ ifndef(`distro_redhat',`
+ gen_require(`
+ type winbind_tmp_t;
+ ')
+
+ # the default for the socket is (poorly named):
+ # /tmp/.winbindd/pipe
+ files_search_tmp($1)
+ stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
+ ')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an samba environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the samba domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_admin',`
+ gen_require(`
+ type nmbd_t, nmbd_var_run_t;
+ type smbd_t, smbd_tmp_t;
+ type smbd_var_run_t;
+ type smbd_spool_t;
+
+ type samba_log_t, samba_var_t;
+ type samba_etc_t, samba_share_t;
+ type samba_secrets_t;
+
+ type swat_var_run_t, swat_tmp_t;
+
+ type winbind_var_run_t, winbind_tmp_t;
+ type winbind_log_t;
+
+ type samba_initrc_exec_t;
+ ')
+
+ allow $1 smbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, smbd_t)
+
+ allow $1 nmbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nmbd_t)
+
+ samba_run_smbcontrol($1, $2, $3)
+ samba_run_winbind_helper($1, $2, $3)
+ samba_run_smbmount($1, $2, $3)
+ samba_run_net($1, $2, $3)
+
+ init_labeled_script_domtrans($1, samba_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 samba_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, nmbd_var_run_t)
+
+ admin_pattern($1, samba_etc_t)
+ files_list_etc($1)
+
+ admin_pattern($1, samba_log_t)
+ logging_list_logs($1)
+
+ admin_pattern($1, samba_secrets_t)
+
+ admin_pattern($1, samba_share_t)
+
+ admin_pattern($1, samba_var_t)
+ files_list_var($1)
+
+ admin_pattern($1, smbd_spool_t)
+ files_list_spool($1)
+
+ admin_pattern($1, smbd_var_run_t)
+ files_list_pids($1)
+
+ admin_pattern($1, smbd_tmp_t)
+ files_list_tmp($1)
+
+ admin_pattern($1, swat_var_run_t)
+
+ admin_pattern($1, swat_tmp_t)
+
+ admin_pattern($1, winbind_log_t)
+
+ admin_pattern($1, winbind_tmp_t)
+
+ admin_pattern($1, winbind_var_run_t)
+')
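Review bot: samba_admin passes a third argument to samba_run_smbcontrol, samba_run_winbind_helper, samba_run_smbmount and samba_run_net (the four calls after ps_process_pattern($1, nmbd_t)), but each of those interfaces declares and uses only `$1` and `$2`, and samba_admin itself documents only domain and role; the stray `$3` expands to nothing but suggests a terminal parameter that does not exist, so drop it, e.g. `samba_run_smbcontrol($1, $2)`. The summaries of samba_manage_config and samba_manage_var_files are copies of the rw_ variants ("read and write") although both grant manage_*_pattern; they should read "Create, read, write, and delete samba configuration files" and "... samba /var files", and samba_initrc_domtrans's summary describes a transition into "the samba domain" while its body only calls init_labeled_script_domtrans. samba_read_secrets grants read_file_perms on samba_secrets_t, which samba.fc in this commit maps to passdb.tdb, secrets.tdb and smbpasswd; a one-line comment noting that this is credential material and that callers should be limited to the samba domains and the admin interface would help future reviewers.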
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
new file mode 100644
index 00000000..fff6675d
--- /dev/null
+++ b/policy/modules/contrib/samba.te
@@ -0,0 +1,939 @@
+policy_module(samba, 1.14.0)
+
+#################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow samba to modify public files used for public file
+## transfer services. Files/Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_smbd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow samba to create new home directories (e.g. via PAM)
+## </p>
+## </desc>
+gen_tunable(samba_create_home_dirs, false)
+
+## <desc>
+## <p>
+## Allow samba to act as the domain controller, add users,
+## groups and change passwords.
+##
+## </p>
+## </desc>
+gen_tunable(samba_domain_controller, false)
+
+## <desc>
+## <p>
+## Allow samba to share users home directories.
+## </p>
+## </desc>
+gen_tunable(samba_enable_home_dirs, false)
+
+## <desc>
+## <p>
+## Allow samba to share any file/directory read only.
+## </p>
+## </desc>
+gen_tunable(samba_export_all_ro, false)
+
+## <desc>
+## <p>
+## Allow samba to share any file/directory read/write.
+## </p>
+## </desc>
+gen_tunable(samba_export_all_rw, false)
+
+## <desc>
+## <p>
+## Allow samba to run unconfined scripts
+## </p>
+## </desc>
+gen_tunable(samba_run_unconfined, false)
+
+## <desc>
+## <p>
+## Allow samba to export NFS volumes.
+## </p>
+## </desc>
+gen_tunable(samba_share_nfs, false)
+
+## <desc>
+## <p>
+## Allow samba to export ntfs/fusefs volumes.
+## </p>
+## </desc>
+gen_tunable(samba_share_fusefs, false)
+
+type nmbd_t;
+type nmbd_exec_t;
+init_daemon_domain(nmbd_t, nmbd_exec_t)
+
+type nmbd_var_run_t;
+files_pid_file(nmbd_var_run_t)
+
+type samba_etc_t;
+files_config_file(samba_etc_t)
+
+type samba_initrc_exec_t;
+init_script_file(samba_initrc_exec_t)
+
+type samba_log_t;
+logging_log_file(samba_log_t)
+
+type samba_net_t;
+type samba_net_exec_t;
+application_domain(samba_net_t, samba_net_exec_t)
+role system_r types samba_net_t;
+
+type samba_net_tmp_t;
+files_tmp_file(samba_net_tmp_t)
+
+type samba_secrets_t;
+files_type(samba_secrets_t)
+
+type samba_share_t; # customizable
+files_type(samba_share_t)
+
+type samba_var_t;
+files_type(samba_var_t)
+
+type smbcontrol_t;
+type smbcontrol_exec_t;
+application_domain(smbcontrol_t, smbcontrol_exec_t)
+role system_r types smbcontrol_t;
+
+type smbd_t;
+type smbd_exec_t;
+init_daemon_domain(smbd_t, smbd_exec_t)
+
+type smbd_tmp_t;
+files_tmp_file(smbd_tmp_t)
+
+type smbd_var_run_t;
+files_pid_file(smbd_var_run_t)
+
+type smbmount_t;
+domain_type(smbmount_t)
+
+type smbmount_exec_t;
+domain_entry_file(smbmount_t, smbmount_exec_t)
+
+type swat_t;
+type swat_exec_t;
+domain_type(swat_t)
+domain_entry_file(swat_t, swat_exec_t)
+role system_r types swat_t;
+
+type swat_tmp_t;
+files_tmp_file(swat_tmp_t)
+
+type swat_var_run_t;
+files_pid_file(swat_var_run_t)
+
+type winbind_t;
+type winbind_exec_t;
+init_daemon_domain(winbind_t, winbind_exec_t)
+
+type winbind_helper_t;
+domain_type(winbind_helper_t)
+role system_r types winbind_helper_t;
+
+type winbind_helper_exec_t;
+domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
+
+type winbind_log_t;
+logging_log_file(winbind_log_t)
+
+type winbind_tmp_t;
+files_tmp_file(winbind_tmp_t)
+
+type winbind_var_run_t;
+files_pid_file(winbind_var_run_t)
+
+########################################
+#
+# Samba net local policy
+#
+allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
+allow samba_net_t self:process { getsched setsched };
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+allow samba_net_t self:udp_socket create_socket_perms;
+allow samba_net_t self:tcp_socket create_socket_perms;
+
+allow samba_net_t samba_etc_t:file read_file_perms;
+
+manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
+filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)
+
+manage_dirs_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
+manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
+files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
+
+manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
+manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+
+kernel_read_proc_symlinks(samba_net_t)
+kernel_read_system_state(samba_net_t)
+
+corenet_all_recvfrom_unlabeled(samba_net_t)
+corenet_all_recvfrom_netlabel(samba_net_t)
+corenet_tcp_sendrecv_generic_if(samba_net_t)
+corenet_udp_sendrecv_generic_if(samba_net_t)
+corenet_raw_sendrecv_generic_if(samba_net_t)
+corenet_tcp_sendrecv_generic_node(samba_net_t)
+corenet_udp_sendrecv_generic_node(samba_net_t)
+corenet_raw_sendrecv_generic_node(samba_net_t)
+corenet_tcp_sendrecv_all_ports(samba_net_t)
+corenet_udp_sendrecv_all_ports(samba_net_t)
+corenet_tcp_bind_generic_node(samba_net_t)
+corenet_udp_bind_generic_node(samba_net_t)
+corenet_tcp_connect_smbd_port(samba_net_t)
+
+dev_read_urand(samba_net_t)
+
+domain_use_interactive_fds(samba_net_t)
+
+files_read_etc_files(samba_net_t)
+files_read_usr_symlinks(samba_net_t)
+
+auth_use_nsswitch(samba_net_t)
+auth_manage_cache(samba_net_t)
+
+logging_send_syslog_msg(samba_net_t)
+
+miscfiles_read_localization(samba_net_t)
+
+samba_read_var_files(samba_net_t)
+
+userdom_use_user_terminals(samba_net_t)
+userdom_list_user_home_dirs(samba_net_t)
+
+optional_policy(`
+ pcscd_read_pub_files(samba_net_t)
+')
+
+optional_policy(`
+ kerberos_use(samba_net_t)
+')
+
+########################################
+#
+# smbd Local policy
+#
+allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
+dontaudit smbd_t self:capability sys_tty_config;
+allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow smbd_t self:process setrlimit;
+allow smbd_t self:fd use;
+allow smbd_t self:fifo_file rw_fifo_file_perms;
+allow smbd_t self:msg { send receive };
+allow smbd_t self:msgq create_msgq_perms;
+allow smbd_t self:sem create_sem_perms;
+allow smbd_t self:shm create_shm_perms;
+allow smbd_t self:sock_file read_sock_file_perms;
+allow smbd_t self:tcp_socket create_stream_socket_perms;
+allow smbd_t self:udp_socket create_socket_perms;
+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow smbd_t nmbd_t:process { signal signull };
+
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+
+allow smbd_t samba_etc_t:file { rw_file_perms setattr };
+
+manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
+manage_files_pattern(smbd_t, samba_log_t, samba_log_t)
+
+allow smbd_t samba_net_tmp_t:file getattr;
+
+manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t)
+filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+
+manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
+allow smbd_t samba_share_t:filesystem getattr;
+
+manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
+manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
+
+allow smbd_t smbcontrol_t:process { signal signull };
+
+manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
+manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
+files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+
+manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+files_pid_filetrans(smbd_t, smbd_var_run_t, file)
+
+allow smbd_t swat_t:process signal;
+
+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
+
+allow smbd_t winbind_t:process { signal signull };
+
+kernel_getattr_core_if(smbd_t)
+kernel_getattr_message_if(smbd_t)
+kernel_read_network_state(smbd_t)
+kernel_read_fs_sysctls(smbd_t)
+kernel_read_kernel_sysctls(smbd_t)
+kernel_read_software_raid_state(smbd_t)
+kernel_read_system_state(smbd_t)
+
+corecmd_exec_shell(smbd_t)
+corecmd_exec_bin(smbd_t)
+
+corenet_all_recvfrom_unlabeled(smbd_t)
+corenet_all_recvfrom_netlabel(smbd_t)
+corenet_tcp_sendrecv_generic_if(smbd_t)
+corenet_udp_sendrecv_generic_if(smbd_t)
+corenet_raw_sendrecv_generic_if(smbd_t)
+corenet_tcp_sendrecv_generic_node(smbd_t)
+corenet_udp_sendrecv_generic_node(smbd_t)
+corenet_raw_sendrecv_generic_node(smbd_t)
+corenet_tcp_sendrecv_all_ports(smbd_t)
+corenet_udp_sendrecv_all_ports(smbd_t)
+corenet_tcp_bind_generic_node(smbd_t)
+corenet_udp_bind_generic_node(smbd_t)
+corenet_tcp_bind_smbd_port(smbd_t)
+corenet_tcp_connect_ipp_port(smbd_t)
+corenet_tcp_connect_smbd_port(smbd_t)
+
+dev_read_sysfs(smbd_t)
+dev_read_urand(smbd_t)
+dev_getattr_mtrr_dev(smbd_t)
+dev_dontaudit_getattr_usbfs_dirs(smbd_t)
+# For redhat bug 566984
+dev_getattr_all_blk_files(smbd_t)
+dev_getattr_all_chr_files(smbd_t)
+
+fs_getattr_all_fs(smbd_t)
+fs_get_xattr_fs_quotas(smbd_t)
+fs_search_auto_mountpoints(smbd_t)
+fs_getattr_rpc_dirs(smbd_t)
+fs_list_inotifyfs(smbd_t)
+
+auth_use_nsswitch(smbd_t)
+auth_domtrans_chk_passwd(smbd_t)
+auth_domtrans_upd_passwd(smbd_t)
+auth_manage_cache(smbd_t)
+
+domain_use_interactive_fds(smbd_t)
+domain_dontaudit_list_all_domains_state(smbd_t)
+
+files_list_var_lib(smbd_t)
+files_read_etc_files(smbd_t)
+files_read_etc_runtime_files(smbd_t)
+files_read_usr_files(smbd_t)
+files_search_spool(smbd_t)
+# smbd seems to getattr all mountpoints
+files_dontaudit_getattr_all_dirs(smbd_t)
+# Allow samba to list mnt_t for potential mounted dirs
+files_list_mnt(smbd_t)
+
+init_rw_utmp(smbd_t)
+
+logging_search_logs(smbd_t)
+logging_send_syslog_msg(smbd_t)
+
+miscfiles_read_localization(smbd_t)
+miscfiles_read_public_files(smbd_t)
+
+userdom_use_unpriv_users_fds(smbd_t)
+userdom_search_user_home_content(smbd_t)
+userdom_signal_all_users(smbd_t)
+
+usermanage_read_crack_db(smbd_t)
+
+term_use_ptmx(smbd_t)
+
+ifdef(`hide_broken_symptoms', `
+ files_dontaudit_getattr_default_dirs(smbd_t)
+ files_dontaudit_getattr_boot_dirs(smbd_t)
+ fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
+')
+
+tunable_policy(`allow_smbd_anon_write',`
+ miscfiles_manage_public_files(smbd_t)
+')
+
+tunable_policy(`samba_domain_controller',`
+ gen_require(`
+ class passwd passwd;
+ ')
+
+ usermanage_domtrans_passwd(smbd_t)
+ usermanage_kill_passwd(smbd_t)
+ usermanage_domtrans_useradd(smbd_t)
+ usermanage_domtrans_groupadd(smbd_t)
+ allow smbd_t self:passwd passwd;
+')
+
+tunable_policy(`samba_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(smbd_t)
+ userdom_manage_user_home_content_files(smbd_t)
+ userdom_manage_user_home_content_symlinks(smbd_t)
+ userdom_manage_user_home_content_sockets(smbd_t)
+ userdom_manage_user_home_content_pipes(smbd_t)
+ userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
+')
+
+# Support Samba sharing of NFS mount points
+tunable_policy(`samba_share_nfs',`
+ fs_manage_nfs_dirs(smbd_t)
+ fs_manage_nfs_files(smbd_t)
+ fs_manage_nfs_symlinks(smbd_t)
+ fs_manage_nfs_named_pipes(smbd_t)
+ fs_manage_nfs_named_sockets(smbd_t)
+')
+
+# Support Samba sharing of ntfs/fusefs mount points
+tunable_policy(`samba_share_fusefs',`
+ fs_manage_fusefs_dirs(smbd_t)
+ fs_manage_fusefs_files(smbd_t)
+',`
+ fs_search_fusefs(smbd_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(smbd_t)
+ cups_stream_connect(smbd_t)
+')
+
+optional_policy(`
+ kerberos_use(smbd_t)
+ kerberos_keytab_template(smbd, smbd_t)
+')
+
+optional_policy(`
+ lpd_exec_lpr(smbd_t)
+')
+
+optional_policy(`
+ qemu_manage_tmp_dirs(smbd_t)
+ qemu_manage_tmp_files(smbd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(smbd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(smbd_t)
+')
+
+optional_policy(`
+ udev_read_db(smbd_t)
+')
+
+tunable_policy(`samba_create_home_dirs',`
+ allow smbd_t self:capability chown;
+ userdom_create_user_home_dirs(smbd_t)
+ userdom_home_filetrans_user_home_dir(smbd_t)
+')
+
+tunable_policy(`samba_export_all_ro',`
+ fs_read_noxattr_fs_files(smbd_t)
+ auth_read_all_dirs_except_auth_files(smbd_t)
+ auth_read_all_files_except_auth_files(smbd_t)
+ fs_read_noxattr_fs_files(nmbd_t)
+ auth_read_all_dirs_except_auth_files(nmbd_t)
+ auth_read_all_files_except_auth_files(nmbd_t)
+')
+
+tunable_policy(`samba_export_all_rw',`
+ fs_read_noxattr_fs_files(smbd_t)
+ auth_manage_all_files_except_auth_files(smbd_t)
+ fs_read_noxattr_fs_files(nmbd_t)
+ auth_manage_all_files_except_auth_files(nmbd_t)
+ userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
+')
+
+########################################
+#
+# nmbd Local policy
+#
+
+dontaudit nmbd_t self:capability sys_tty_config;
+allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow nmbd_t self:fd use;
+allow nmbd_t self:fifo_file rw_fifo_file_perms;
+allow nmbd_t self:msg { send receive };
+allow nmbd_t self:msgq create_msgq_perms;
+allow nmbd_t self:sem create_sem_perms;
+allow nmbd_t self:shm create_shm_perms;
+allow nmbd_t self:sock_file read_sock_file_perms;
+allow nmbd_t self:tcp_socket create_stream_socket_perms;
+allow nmbd_t self:udp_socket create_socket_perms;
+allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
+files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
+
+read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+
+manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
+manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+
+manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+
+allow nmbd_t smbcontrol_t:process signal;
+
+allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+
+kernel_getattr_core_if(nmbd_t)
+kernel_getattr_message_if(nmbd_t)
+kernel_read_kernel_sysctls(nmbd_t)
+kernel_read_network_state(nmbd_t)
+kernel_read_software_raid_state(nmbd_t)
+kernel_read_system_state(nmbd_t)
+
+corenet_all_recvfrom_unlabeled(nmbd_t)
+corenet_all_recvfrom_netlabel(nmbd_t)
+corenet_tcp_sendrecv_generic_if(nmbd_t)
+corenet_udp_sendrecv_generic_if(nmbd_t)
+corenet_tcp_sendrecv_generic_node(nmbd_t)
+corenet_udp_sendrecv_generic_node(nmbd_t)
+corenet_tcp_sendrecv_all_ports(nmbd_t)
+corenet_udp_sendrecv_all_ports(nmbd_t)
+corenet_udp_bind_generic_node(nmbd_t)
+corenet_udp_bind_nmbd_port(nmbd_t)
+corenet_sendrecv_nmbd_server_packets(nmbd_t)
+corenet_sendrecv_nmbd_client_packets(nmbd_t)
+corenet_tcp_connect_smbd_port(nmbd_t)
+
+dev_read_sysfs(nmbd_t)
+dev_getattr_mtrr_dev(nmbd_t)
+
+fs_getattr_all_fs(nmbd_t)
+fs_search_auto_mountpoints(nmbd_t)
+
+domain_use_interactive_fds(nmbd_t)
+
+files_read_usr_files(nmbd_t)
+files_read_etc_files(nmbd_t)
+files_list_var_lib(nmbd_t)
+
+auth_use_nsswitch(nmbd_t)
+
+logging_search_logs(nmbd_t)
+logging_send_syslog_msg(nmbd_t)
+
+miscfiles_read_localization(nmbd_t)
+
+userdom_use_unpriv_users_fds(nmbd_t)
+userdom_dontaudit_search_user_home_dirs(nmbd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(nmbd_t)
+')
+
+optional_policy(`
+ udev_read_db(nmbd_t)
+')
+
+########################################
+#
+# smbcontrol local policy
+#
+
+# internal communication is often done using fifo and unix sockets.
+allow smbcontrol_t self:fifo_file rw_file_perms;
+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+
+allow smbcontrol_t nmbd_t:process { signal signull };
+
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
+
+allow smbcontrol_t smbd_t:process signal;
+
+allow smbcontrol_t winbind_t:process { signal signull };
+
+samba_read_config(smbcontrol_t)
+samba_rw_var_files(smbcontrol_t)
+samba_search_var(smbcontrol_t)
+samba_read_winbind_pid(smbcontrol_t)
+
+domain_use_interactive_fds(smbcontrol_t)
+
+files_read_etc_files(smbcontrol_t)
+
+miscfiles_read_localization(smbcontrol_t)
+
+userdom_use_user_terminals(smbcontrol_t)
+
+########################################
+#
+# smbmount Local policy
+#
+
+allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?
+allow smbmount_t self:process { fork signal_perms };
+allow smbmount_t self:tcp_socket create_stream_socket_perms;
+allow smbmount_t self:udp_socket connect;
+allow smbmount_t self:unix_dgram_socket create_socket_perms;
+allow smbmount_t self:unix_stream_socket create_socket_perms;
+
+allow smbmount_t samba_etc_t:dir list_dir_perms;
+allow smbmount_t samba_etc_t:file read_file_perms;
+
+can_exec(smbmount_t, smbmount_exec_t)
+
+allow smbmount_t samba_log_t:dir list_dir_perms;
+allow smbmount_t samba_log_t:file manage_file_perms;
+
+allow smbmount_t samba_secrets_t:file manage_file_perms;
+
+manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+files_list_var_lib(smbmount_t)
+
+kernel_read_system_state(smbmount_t)
+
+corenet_all_recvfrom_unlabeled(smbmount_t)
+corenet_all_recvfrom_netlabel(smbmount_t)
+corenet_tcp_sendrecv_generic_if(smbmount_t)
+corenet_raw_sendrecv_generic_if(smbmount_t)
+corenet_udp_sendrecv_generic_if(smbmount_t)
+corenet_tcp_sendrecv_generic_node(smbmount_t)
+corenet_raw_sendrecv_generic_node(smbmount_t)
+corenet_udp_sendrecv_generic_node(smbmount_t)
+corenet_tcp_sendrecv_all_ports(smbmount_t)
+corenet_udp_sendrecv_all_ports(smbmount_t)
+corenet_tcp_bind_generic_node(smbmount_t)
+corenet_udp_bind_generic_node(smbmount_t)
+corenet_tcp_connect_all_ports(smbmount_t)
+
+fs_getattr_cifs(smbmount_t)
+fs_mount_cifs(smbmount_t)
+fs_remount_cifs(smbmount_t)
+fs_unmount_cifs(smbmount_t)
+fs_list_cifs(smbmount_t)
+fs_read_cifs_files(smbmount_t)
+
+storage_raw_read_fixed_disk(smbmount_t)
+storage_raw_write_fixed_disk(smbmount_t)
+
+corecmd_list_bin(smbmount_t)
+
+files_list_mnt(smbmount_t)
+files_mounton_mnt(smbmount_t)
+files_manage_etc_runtime_files(smbmount_t)
+files_etc_filetrans_etc_runtime(smbmount_t, file)
+files_read_etc_files(smbmount_t)
+
+auth_use_nsswitch(smbmount_t)
+
+miscfiles_read_localization(smbmount_t)
+
+mount_use_fds(smbmount_t)
+
+locallogin_use_fds(smbmount_t)
+
+logging_search_logs(smbmount_t)
+
+userdom_use_user_terminals(smbmount_t)
+userdom_use_all_users_fds(smbmount_t)
+
+optional_policy(`
+ cups_read_rw_config(smbmount_t)
+')
+
+########################################
+#
+# SWAT Local policy
+#
+
+allow swat_t self:capability { dac_override setuid setgid sys_resource };
+allow swat_t self:process { setrlimit signal_perms };
+allow swat_t self:fifo_file rw_fifo_file_perms;
+allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow swat_t self:tcp_socket create_stream_socket_perms;
+allow swat_t self:udp_socket create_socket_perms;
+allow swat_t self:unix_stream_socket connectto;
+
+samba_domtrans_smbd(swat_t)
+allow swat_t smbd_t:process { signal signull };
+
+samba_domtrans_nmbd(swat_t)
+allow swat_t nmbd_t:process { signal signull };
+allow nmbd_t swat_t:process signal;
+
+allow swat_t smbd_var_run_t:file { lock unlink };
+
+allow swat_t smbd_port_t:tcp_socket name_bind;
+
+allow swat_t nmbd_port_t:udp_socket name_bind;
+
+rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
+
+manage_dirs_pattern(swat_t, samba_log_t, samba_log_t)
+manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+
+manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
+
+manage_files_pattern(swat_t, samba_var_t, samba_var_t)
+
+allow swat_t smbd_exec_t:file mmap_file_perms ;
+
+allow swat_t smbd_t:process signull;
+
+allow swat_t smbd_var_run_t:file read_file_perms;
+
+manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+
+manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
+files_pid_filetrans(swat_t, swat_var_run_t, file)
+
+allow swat_t winbind_exec_t:file mmap_file_perms;
+domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
+allow swat_t winbind_t:process { signal signull };
+
+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
+allow swat_t winbind_var_run_t:sock_file { create unlink };
+
+kernel_read_kernel_sysctls(swat_t)
+kernel_read_system_state(swat_t)
+kernel_read_network_state(swat_t)
+
+corecmd_search_bin(swat_t)
+
+corenet_all_recvfrom_unlabeled(swat_t)
+corenet_all_recvfrom_netlabel(swat_t)
+corenet_tcp_sendrecv_generic_if(swat_t)
+corenet_udp_sendrecv_generic_if(swat_t)
+corenet_raw_sendrecv_generic_if(swat_t)
+corenet_tcp_sendrecv_generic_node(swat_t)
+corenet_udp_sendrecv_generic_node(swat_t)
+corenet_raw_sendrecv_generic_node(swat_t)
+corenet_tcp_sendrecv_all_ports(swat_t)
+corenet_udp_sendrecv_all_ports(swat_t)
+corenet_tcp_connect_smbd_port(swat_t)
+corenet_tcp_connect_ipp_port(swat_t)
+corenet_sendrecv_smbd_client_packets(swat_t)
+corenet_sendrecv_ipp_client_packets(swat_t)
+
+dev_read_urand(swat_t)
+
+files_list_var_lib(swat_t)
+files_read_etc_files(swat_t)
+files_search_home(swat_t)
+files_read_usr_files(swat_t)
+fs_getattr_xattr_fs(swat_t)
+
+auth_domtrans_chk_passwd(swat_t)
+auth_use_nsswitch(swat_t)
+
+init_read_utmp(swat_t)
+init_dontaudit_write_utmp(swat_t)
+
+logging_send_syslog_msg(swat_t)
+logging_send_audit_msgs(swat_t)
+logging_search_logs(swat_t)
+
+miscfiles_read_localization(swat_t)
+
+optional_policy(`
+ cups_read_rw_config(swat_t)
+ cups_stream_connect(swat_t)
+')
+
+optional_policy(`
+ inetd_service_domain(swat_t, swat_exec_t)
+')
+
+optional_policy(`
+ kerberos_use(swat_t)
+')
+
+########################################
+#
+# Winbind local policy
+#
+
+allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+dontaudit winbind_t self:capability sys_tty_config;
+allow winbind_t self:process { signal_perms getsched setsched };
+allow winbind_t self:fifo_file rw_fifo_file_perms;
+allow winbind_t self:unix_dgram_socket create_socket_perms;
+allow winbind_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_t self:tcp_socket create_stream_socket_perms;
+allow winbind_t self:udp_socket create_socket_perms;
+
+allow winbind_t nmbd_t:process { signal signull };
+
+allow winbind_t nmbd_var_run_t:file read_file_perms;
+
+allow winbind_t samba_etc_t:dir list_dir_perms;
+read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
+
+manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
+
+manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
+manage_files_pattern(winbind_t, samba_log_t, samba_log_t)
+manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
+
+manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
+manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
+files_list_var_lib(winbind_t)
+
+rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+
+allow winbind_t winbind_log_t:file manage_file_perms;
+logging_log_filetrans(winbind_t, winbind_log_t, file)
+
+manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
+
+manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+files_pid_filetrans(winbind_t, winbind_var_run_t, file)
+
+kernel_read_kernel_sysctls(winbind_t)
+kernel_read_system_state(winbind_t)
+
+corecmd_exec_bin(winbind_t)
+
+corenet_all_recvfrom_unlabeled(winbind_t)
+corenet_all_recvfrom_netlabel(winbind_t)
+corenet_tcp_sendrecv_generic_if(winbind_t)
+corenet_udp_sendrecv_generic_if(winbind_t)
+corenet_raw_sendrecv_generic_if(winbind_t)
+corenet_tcp_sendrecv_generic_node(winbind_t)
+corenet_udp_sendrecv_generic_node(winbind_t)
+corenet_raw_sendrecv_generic_node(winbind_t)
+corenet_tcp_sendrecv_all_ports(winbind_t)
+corenet_udp_sendrecv_all_ports(winbind_t)
+corenet_tcp_bind_generic_node(winbind_t)
+corenet_udp_bind_generic_node(winbind_t)
+corenet_tcp_connect_smbd_port(winbind_t)
+corenet_tcp_connect_epmap_port(winbind_t)
+corenet_tcp_connect_all_unreserved_ports(winbind_t)
+
+dev_read_sysfs(winbind_t)
+dev_read_urand(winbind_t)
+
+fs_getattr_all_fs(winbind_t)
+fs_search_auto_mountpoints(winbind_t)
+
+auth_domtrans_chk_passwd(winbind_t)
+auth_use_nsswitch(winbind_t)
+auth_manage_cache(winbind_t)
+
+domain_use_interactive_fds(winbind_t)
+
+files_read_etc_files(winbind_t)
+files_read_usr_symlinks(winbind_t)
+
+logging_send_syslog_msg(winbind_t)
+
+miscfiles_read_localization(winbind_t)
+
+userdom_dontaudit_use_unpriv_user_fds(winbind_t)
+userdom_manage_user_home_content_dirs(winbind_t)
+userdom_manage_user_home_content_files(winbind_t)
+userdom_manage_user_home_content_symlinks(winbind_t)
+userdom_manage_user_home_content_pipes(winbind_t)
+userdom_manage_user_home_content_sockets(winbind_t)
+userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ kerberos_use(winbind_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(winbind_t)
+')
+
+optional_policy(`
+ udev_read_db(winbind_t)
+')
+
+########################################
+#
+# Winbind helper local policy
+#
+
+allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
+allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
+
+allow winbind_helper_t samba_etc_t:dir list_dir_perms;
+read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
+
+allow winbind_helper_t samba_var_t:dir search_dir_perms;
+files_list_var_lib(winbind_helper_t)
+
+allow winbind_t smbcontrol_t:process signal;
+
+stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
+
+term_list_ptys(winbind_helper_t)
+
+domain_use_interactive_fds(winbind_helper_t)
+
+auth_use_nsswitch(winbind_helper_t)
+
+logging_send_syslog_msg(winbind_helper_t)
+
+miscfiles_read_localization(winbind_helper_t)
+
+userdom_use_user_terminals(winbind_helper_t)
+
+optional_policy(`
+ apache_append_log(winbind_helper_t)
+')
+
+optional_policy(`
+ squid_read_log(winbind_helper_t)
+ squid_append_log(winbind_helper_t)
+ squid_rw_stream_sockets(winbind_helper_t)
+')
+
+########################################
+#
+# samba_unconfined_script_t local policy
+#
+
+optional_policy(`
+ type samba_unconfined_script_t;
+ type samba_unconfined_script_exec_t;
+ domain_type(samba_unconfined_script_t)
+ domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
+ corecmd_shell_entry_type(samba_unconfined_script_t)
+ role system_r types samba_unconfined_script_t;
+
+ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+ allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+
+ unconfined_domain(samba_unconfined_script_t)
+
+ tunable_policy(`samba_run_unconfined',`
+ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+ ')
+')
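Review bot: In the SWAT section, `allow swat_t smbd_port_t:tcp_socket name_bind;` and `allow swat_t nmbd_port_t:udp_socket name_bind;` reference corenetwork port types directly, while the rest of this file reaches those same ports through interfaces (`corenet_tcp_bind_smbd_port(smbd_t)`, `corenet_udp_bind_nmbd_port(nmbd_t)`); in a modular build those types are not declared in this module, so the two lines should become `corenet_tcp_bind_smbd_port(swat_t)` and `corenet_udp_bind_nmbd_port(swat_t)`. The `samba_create_home_dirs` tunable block grants `allow smbd_t self:capability chown;`, but chown is already in smbd_t's unconditional capability set at the top of the smbd section, so the tunable does not actually gate it; either remove chown from the unconditional line or drop it from the tunable so the policy says what it means. `allow smbd_t self:process setrlimit;` likewise re-adds a permission that the preceding negated set deliberately excludes, which reads as two authors disagreeing. Also `allow winbind_t smbcontrol_t:process signal;` sits under the "Winbind helper local policy" heading although it is a winbind_t rule, and the `FIXME` on smbmount_t's capability line (sys_rawio, sys_admin plus raw fixed-disk read/write) is being introduced rather than resolved, so that over-grant deserves a tracking note in the commit description.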
diff --git a/policy/modules/contrib/sambagui.fc b/policy/modules/contrib/sambagui.fc
new file mode 100644
index 00000000..c13d607c
--- /dev/null
+++ b/policy/modules/contrib/sambagui.fc
@@ -0,0 +1 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
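Review bot: The file-context path is a regular expression and the `.` in `.py` is left unescaped, so it matches any character there; samhain.fc in this same commit escapes dots (`init\.d`), and this line should do the same: `/usr/share/system-config-samba/system-config-samba-mechanism\.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)`.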
diff --git a/policy/modules/contrib/sambagui.if b/policy/modules/contrib/sambagui.if
new file mode 100644
index 00000000..b31ed107
--- /dev/null
+++ b/policy/modules/contrib/sambagui.if
@@ -0,0 +1,2 @@
+## <summary>system-config-samba dbus service policy</summary>
+
diff --git a/policy/modules/contrib/sambagui.te b/policy/modules/contrib/sambagui.te
new file mode 100644
index 00000000..1898dbde
--- /dev/null
+++ b/policy/modules/contrib/sambagui.te
@@ -0,0 +1,61 @@
+policy_module(sambagui, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type sambagui_t;
+type sambagui_exec_t;
+dbus_system_domain(sambagui_t, sambagui_exec_t)
+
+########################################
+#
+# system-config-samba local policy
+#
+
+allow sambagui_t self:capability dac_override;
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
+allow sambagui_t self:unix_dgram_socket create_socket_perms;
+
+# read meminfo
+kernel_read_system_state(sambagui_t)
+
+# execut apps of system-config-samba
+corecmd_exec_shell(sambagui_t)
+corecmd_exec_bin(sambagui_t)
+
+dev_dontaudit_read_urand(sambagui_t)
+
+files_read_etc_files(sambagui_t)
+files_search_var_lib(sambagui_t)
+files_read_usr_files(sambagui_t)
+
+auth_use_nsswitch(sambagui_t)
+
+logging_send_syslog_msg(sambagui_t)
+
+miscfiles_read_localization(sambagui_t)
+
+optional_policy(`
+ consoletype_exec(sambagui_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(sambagui_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(sambagui_t)
+')
+
+optional_policy(`
+ # handling with samba conf files
+ samba_append_log(sambagui_t)
+ samba_manage_config(sambagui_t)
+ samba_manage_var_files(sambagui_t)
+ samba_read_secrets(sambagui_t)
+ samba_initrc_domtrans(sambagui_t)
+ samba_domtrans_smbd(sambagui_t)
+ samba_domtrans_nmbd(sambagui_t)
+')
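Review bot: The comment `# handling with samba conf files` on the final optional_policy block understates what it grants: besides config and var-file management it reads samba secrets, transitions into the samba init script and into the smbd and nmbd daemons, so a reader skimming the comment will miss that this dbus mechanism can start and stop the service; suggest `# manage samba config/state, read secrets, and start/stop smbd and nmbd via the init script`. The earlier comment has a typo and should read `# execute apps of system-config-samba`. Combined with `dac_override` and shell/bin execution for a domain that is reached over the system bus (presumably gated by the policykit chat granted above), it would help to state in the header which callers are expected to activate sambagui_t so the exposure is documented.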
diff --git a/policy/modules/contrib/samhain.fc b/policy/modules/contrib/samhain.fc
new file mode 100644
index 00000000..94b2f738
--- /dev/null
+++ b/policy/modules/contrib/samhain.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,s0)
+
+/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
+
+/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0)
+/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,s0)
+
+/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
+
+/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
+/var/log/samhain_log\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
+
+/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
diff --git a/policy/modules/contrib/samhain.if b/policy/modules/contrib/samhain.if
new file mode 100644
index 00000000..c040ebf8
--- /dev/null
+++ b/policy/modules/contrib/samhain.if
@@ -0,0 +1,292 @@
+## <summary>Samhain - check file integrity</summary>
+
+#######################################
+## <summary>
+## The template containing the most basic rules
+## common to the samhain domains.
+## </summary>
+## <param name="samhaindomain_prefix">
+## <summary>
+## The prefix of the samhain domains(e.g., samhain
+## for the domain of command line access, samhaind
+## for the domain started by init script).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`samhain_service_template',`
+ gen_require(`
+ type etc_t, samhain_etc_t, samhain_exec_t;
+ type samhain_log_t, samhain_var_run_t;
+ ')
+
+ type $1_t;
+ domain_type($1_t)
+ domain_entry_file($1_t, samhain_exec_t)
+
+ allow $1_t self:capability { dac_override dac_read_search fowner ipc_lock };
+ dontaudit $1_t self:capability { sys_resource sys_ptrace };
+ allow $1_t self:fd use;
+ allow $1_t self:process { setsched setrlimit signull };
+
+ allow $1_t samhain_etc_t:file read_file_perms;
+ files_search_etc($1_t)
+
+ manage_files_pattern($1_t, samhain_log_t, samhain_log_t)
+ logging_log_filetrans($1_t, samhain_log_t, file)
+
+ manage_files_pattern($1_t, samhain_var_run_t, samhain_var_run_t)
+ files_pid_filetrans($1_t, samhain_var_run_t, file)
+
+ # Samhain needs to get the attribute of /proc/kcore.
+ kernel_getattr_core_if($1_t)
+
+ corecmd_list_bin($1_t)
+ corecmd_read_bin_symlinks($1_t)
+
+ # To get entropy
+ dev_read_urand($1_t)
+ dev_dontaudit_read_rand($1_t)
+
+ # Get the attributes of all kinds of files in the rootfs.
+ dev_getattr_all_blk_files($1_t)
+ dev_getattr_all_chr_files($1_t)
+ dev_getattr_generic_blk_files($1_t)
+ dev_getattr_generic_chr_files($1_t)
+
+ files_getattr_all_dirs($1_t)
+ files_getattr_all_files($1_t)
+ files_getattr_all_symlinks($1_t)
+ files_getattr_all_pipes($1_t)
+ files_getattr_all_sockets($1_t)
+ files_getattr_all_mountpoints($1_t)
+ files_read_all_files($1_t)
+ files_read_all_symlinks($1_t)
+
+ # Get the attribute of other filesystems mountpoint, such as /selinux
+ # /proc, /sys and /tmp, but not the contents inside, which suggests
+ # that following rules should be set in samhain configuration file:
+ # [Attributes]
+ # file = /tmp
+ # file = /proc
+ # file = /sys
+ # file = /selinux
+ # [IgnoreALL]
+ # dir = -1/tmp
+ # dir = -1/proc
+ # dir = -1/sys
+ # dir = -1/selinux
+ fs_getattr_all_dirs($1_t)
+
+ # Samhain pid, log and log.lock files are all in directories of s0,
+ # while samhain daemon is running with the clearance level.
+ mls_file_write_all_levels($1_t)
+
+ # Read from utmp when monitoring login/logout events.
+ auth_read_login_records($1_t)
+
+ # Read from wtmp when monitoring login/logout events.
+ init_read_utmp($1_t)
+
+ logging_send_syslog_msg($1_t)
+')
+
+########################################
+## <summary>
+## Execute samhain in the samhain domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samhain_domtrans',`
+ gen_require(`
+ type samhain_t, samhain_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, samhain_exec_t, samhain_t)
+')
+
+########################################
+## <summary>
+## Execute samhain in the samhain domain with the clearance security
+## level and allow the specifiled role the samhain domain.
+## </summary>
+## <desc>
+## <p>
+## Execute samhain in the samhain domain with the clearance security
+## level and allow the specifiled role the samhain domain.
+## </p>
+## <p>
+## The range_transition rule used in this interface requires that
+## the calling domain should have the clearance security level
+## otherwise the MLS constraint for process transition would fail.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed to access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samhain_run',`
+ gen_require(`
+ type samhain_t, samhain_exec_t;
+ ')
+
+ samhain_domtrans($1)
+ role $2 types samhain_t;
+
+ ifdef(`enable_mls', `
+ range_transition $1 samhain_exec_t:process mls_systemhigh;
+ ')
+')
+
+########################################
+## <summary>
+## Manage samhain configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_config_files',`
+ gen_require(`
+ type samhain_etc_t;
+ ')
+
+ files_rw_etc_dirs($1)
+ allow $1 samhain_etc_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Manage samhain database files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_db_files',`
+ gen_require(`
+ type samhain_db_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, samhain_db_t, samhain_db_t)
+')
+
+#######################################
+## <summary>
+## Manage samhain init script files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_init_script_files',`
+ gen_require(`
+ type samhain_initrc_exec_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Manage samhain log and log.lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_log_files',`
+ gen_require(`
+ type samhain_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, samhain_log_t, samhain_log_t)
+')
+
+########################################
+## <summary>
+## Manage samhain pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_pid_files',`
+ gen_require(`
+ type samhain_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
+')
+
+#######################################
+## <summary>
+## All of the rules required to administrate
+## the samhain environment.
+## </summary>
+## <desc>
+## <p>
+## This interface assumes that the calling domain has been able to
+## remove an entry from /var/lib/ or /var/log/ and belongs to the
+## mlsfilewrite attribute, since samhain files may be of clearance
+## security level while their parent directories are of s0.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_admin',`
+ gen_require(`
+ type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
+ type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
+ ')
+
+ allow $1 samhain_t:process { ptrace signal_perms };
+ ps_process_pattern($1, samhain_t)
+
+ allow $1 samhaind_t:process { ptrace signal_perms };
+ ps_process_pattern($1, samhaind_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, samhain_db_t)
+
+ files_list_etc($1)
+ admin_pattern($1, samhain_etc_t)
+ admin_pattern($1, samhain_initrc_exec_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, samhain_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, samhain_var_run_t)
+')
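Review bot: The two comments above `auth_read_login_records($1_t)` and `init_read_utmp($1_t)` in samhain_service_template appear swapped: in refpolicy `auth_read_login_records` grants read access to the wtmp login-record type while `init_read_utmp` covers utmp, so the note "Read from utmp" sits on the wtmp interface and vice versa. Suggested text is `# Read from wtmp when monitoring login/logout events.` above the auth_ call and `# Read from utmp when monitoring login/logout events.` above the init_ call. The `<summary>` and `<desc>` of samhain_run also misspell "specified" as "specifiled" twice. Separately, samhain_admin hands out `ptrace` on both samhain domains, which sanlock_admin and sblim_admin in this same commit do not; if that is intentional for an integrity checker running at clearance level, a one-line why-comment on the two `allow $1 ...:process { ptrace signal_perms };` rules would help the next maintainer.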
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
new file mode 100644
index 00000000..acd17003
--- /dev/null
+++ b/policy/modules/contrib/samhain.te
@@ -0,0 +1,76 @@
+policy_module(samhain, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type samhain_etc_t;
+files_config_file(samhain_etc_t)
+
+type samhain_exec_t;
+corecmd_executable_file(samhain_exec_t)
+
+type samhain_log_t;
+logging_log_file(samhain_log_t)
+
+# Filesystem signature database
+type samhain_db_t;
+files_type(samhain_db_t)
+
+type samhain_initrc_exec_t;
+init_script_file(samhain_initrc_exec_t)
+
+type samhain_var_run_t;
+files_pid_file(samhain_var_run_t)
+
+# Domain for command line access
+samhain_service_template(samhain)
+application_domain(samhain_t, samhain_exec_t)
+
+# Domain for samhain service started by samhain init script
+samhain_service_template(samhaind)
+
+ifdef(`enable_mcs',`
+ # This is system instead of daemon to work around
+ # a type transition conflict
+ init_ranged_system_domain(samhaind_t, samhain_exec_t, mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ # This is system instead of daemon to work around
+ # a type transition conflict
+ init_ranged_system_domain(samhaind_t, samhain_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# Samhain local policy
+#
+
+manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
+files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
+
+domain_use_interactive_fds(samhain_t)
+
+seutil_sigchld_newrole(samhain_t)
+
+userdom_use_user_terminals(samhain_t)
+
+########################################
+#
+# Samhaind local policy
+#
+
+# Need signal_perms to send SIGABRT/SIGKILL to termiate samhain_t
+# Need signull to get the status of samhain_t
+allow samhaind_t { samhain_t self }:process signal_perms;
+
+# Only needed when starting samhain daemon from its init script.
+can_exec(samhaind_t, samhain_exec_t)
+
+read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)
+
+# init script ptys are the stdin/out/err
+# when using run_init
+init_use_script_ptys(samhaind_t)
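Review bot: The comment pair above `allow samhaind_t { samhain_t self }:process signal_perms;` reads as if signull were granted separately, but in refpolicy `signal_perms` already contains `signull`, so the second line only restates part of the set; it also misspells "terminate". Suggested replacement: `# signal_perms covers SIGABRT/SIGKILL to terminate samhain_t and signull to probe its status.` The MLS/MCS `init_ranged_system_domain` blocks above carry the same two-line justification twice; a single comment naming the conflicting transition would be clearer than "a type transition conflict", but I cannot tell from the hunk which transition is meant.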
diff --git a/policy/modules/contrib/sanlock.fc b/policy/modules/contrib/sanlock.fc
new file mode 100644
index 00000000..5d1826c4
--- /dev/null
+++ b/policy/modules/contrib/sanlock.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
+
+/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
+
+/var/log/sanlock\.log gen_context(system_u:object_r:sanlock_log_t,s0)
+
+/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
diff --git a/policy/modules/contrib/sanlock.if b/policy/modules/contrib/sanlock.if
new file mode 100644
index 00000000..cfe31720
--- /dev/null
+++ b/policy/modules/contrib/sanlock.if
@@ -0,0 +1,107 @@
+## <summary>policy for sanlock</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run sanlock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_domtrans',`
+ gen_require(`
+ type sanlock_t, sanlock_exec_t;
+ ')
+
+ domtrans_pattern($1, sanlock_exec_t, sanlock_t)
+')
+
+########################################
+## <summary>
+## Execute sanlock server in the sanlock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`sanlock_initrc_domtrans',`
+ gen_require(`
+ type sanlock_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, sanlock_initrc_exec_t)
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete sanlock PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_manage_pid_files',`
+ gen_require(`
+ type sanlock_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, sanlock_var_run_t, sanlock_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to sanlock over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_stream_connect',`
+ gen_require(`
+ type sanlock_t, sanlock_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an sanlock environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sanlock_admin',`
+ gen_require(`
+ type sanlock_t;
+ type sanlock_initrc_exec_t;
+ ')
+
+ allow $1 sanlock_t:process signal_perms;
+ ps_process_pattern($1, sanlock_t)
+
+ sanlock_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 sanlock_initrc_exec_t system_r;
+ allow $2 system_r;
+')
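Review bot: `sanlock_domtrans` omits `corecmd_search_bin($1)` before `domtrans_pattern(...)`, unlike samhain_domtrans and sblim_domtrans_gatherd added in this same commit; callers without bin search access will fail to reach /usr/sbin/sanlock. `sanlock_admin` is also narrower than its siblings: sasl_admin and sblim_admin manage their pid types via `admin_pattern`, whereas sanlock_admin covers only the process and the init script and leaves `sanlock_var_run_t` and `sanlock_log_t` untouched. If that is deliberate (for example because the admin role should not be able to alter lease state), a comment saying so would prevent a later "fix"; otherwise add those two types to `gen_require` and the corresponding `files_list_pids($1)`/`logging_list_logs($1)` plus `admin_pattern` lines.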
diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te
new file mode 100644
index 00000000..e02eb6c9
--- /dev/null
+++ b/policy/modules/contrib/sanlock.te
@@ -0,0 +1,93 @@
+policy_module(sanlock, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow confined virtual guests to manage nfs files
+## </p>
+## </desc>
+gen_tunable(sanlock_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to manage cifs files
+## </p>
+## </desc>
+gen_tunable(sanlock_use_samba, false)
+
+type sanlock_t;
+type sanlock_exec_t;
+init_daemon_domain(sanlock_t, sanlock_exec_t)
+
+type sanlock_var_run_t;
+files_pid_file(sanlock_var_run_t)
+
+type sanlock_log_t;
+logging_log_file(sanlock_log_t)
+
+type sanlock_initrc_exec_t;
+init_script_file(sanlock_initrc_exec_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mls_systemhigh)
+')
+
+########################################
+#
+# sanlock local policy
+#
+allow sanlock_t self:capability { sys_nice ipc_lock };
+allow sanlock_t self:process { setsched signull };
+allow sanlock_t self:fifo_file rw_fifo_file_perms;
+allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
+logging_log_filetrans(sanlock_t, sanlock_log_t, file)
+
+manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+manage_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+
+kernel_read_system_state(sanlock_t)
+
+domain_use_interactive_fds(sanlock_t)
+
+files_read_etc_files(sanlock_t)
+
+storage_raw_rw_fixed_disk(sanlock_t)
+
+dev_read_urand(sanlock_t)
+
+init_read_utmp(sanlock_t)
+init_dontaudit_write_utmp(sanlock_t)
+
+logging_send_syslog_msg(sanlock_t)
+
+miscfiles_read_localization(sanlock_t)
+
+tunable_policy(`sanlock_use_nfs',`
+ fs_manage_nfs_dirs(sanlock_t)
+ fs_manage_nfs_files(sanlock_t)
+ fs_manage_nfs_named_sockets(sanlock_t)
+ fs_read_nfs_symlinks(sanlock_t)
+')
+
+tunable_policy(`sanlock_use_samba',`
+ fs_manage_cifs_dirs(sanlock_t)
+ fs_manage_cifs_files(sanlock_t)
+ fs_manage_cifs_named_sockets(sanlock_t)
+ fs_read_cifs_symlinks(sanlock_t)
+')
+
+optional_policy(`
+ virt_manage_lib_files(sanlock_t)
+')
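Review bot: The `<desc>` blocks for `sanlock_use_nfs` and `sanlock_use_samba` say "Allow confined virtual guests to manage nfs/cifs files", but the tunables gate rules on `sanlock_t`, not on guest domains; the text looks copied from the virt module and will mislead anyone toggling the boolean. Suggested wording: `## Allow sanlock to manage nfs files` and `## Allow sanlock to manage cifs files`. `storage_raw_rw_fixed_disk(sanlock_t)` is the broadest grant in the file and deserves a why-comment, presumably because lease spaces live on shared block devices, e.g. `# Lease spaces are raw block devices shared between hosts.`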
diff --git a/policy/modules/contrib/sasl.fc b/policy/modules/contrib/sasl.fc
new file mode 100644
index 00000000..7e586796
--- /dev/null
+++ b/policy/modules/contrib/sasl.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
+/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
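Review bot: `/var/lib/sasl2(/.*)?` is labeled `saslauthd_var_run_t`, a `files_pid_file` type, even though it is persistent state under /var/lib; sasl.te then has to add `files_search_var_lib(saslauthd_t)` to reach it. Either give it its own `files_type` label or document the choice here, e.g. `# /var/lib/sasl2 deliberately shares the runtime label so saslauthd_t needs only one socket/state type.` Without a comment the next restorecon-related bug report will look like a mislabel.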
diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if
new file mode 100644
index 00000000..f1aea88a
--- /dev/null
+++ b/policy/modules/contrib/sasl.if
@@ -0,0 +1,58 @@
+## <summary>SASL authentication server</summary>
+
+########################################
+## <summary>
+## Connect to SASL.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sasl_connect',`
+ gen_require(`
+ type saslauthd_t, saslauthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t, saslauthd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an sasl environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sasl_admin',`
+ gen_require(`
+ type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
+ type saslauthd_initrc_exec_t;
+ ')
+
+ allow $1 saslauthd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, saslauthd_t)
+
+ init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 saslauthd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, saslauthd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, saslauthd_var_run_t)
+')
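Review bot: In `sasl_admin` the `getattr` in `allow $1 saslauthd_t:process { ptrace signal_perms getattr };` is redundant because `ps_process_pattern($1, saslauthd_t)` on the next line already grants process getattr. `ptrace` is also the only such grant among the sanlock_admin and sblim_admin interfaces in this commit, and saslauthd_t can carry the can_read_shadow_passwords attribute, so attaching a debugger to it is a meaningful escalation for the admin domain; if it is wanted, keep it with a why-comment, otherwise reduce the rule to `allow $1 saslauthd_t:process signal_perms;`.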
diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
new file mode 100644
index 00000000..9d9f8cef
--- /dev/null
+++ b/policy/modules/contrib/sasl.te
@@ -0,0 +1,110 @@
+policy_module(sasl, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow sasl to read shadow
+## </p>
+## </desc>
+gen_tunable(allow_saslauthd_read_shadow, false)
+
+type saslauthd_t;
+type saslauthd_exec_t;
+init_daemon_domain(saslauthd_t, saslauthd_exec_t)
+
+type saslauthd_initrc_exec_t;
+init_script_file(saslauthd_initrc_exec_t)
+
+type saslauthd_tmp_t;
+files_tmp_file(saslauthd_tmp_t)
+
+type saslauthd_var_run_t;
+files_pid_file(saslauthd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow saslauthd_t self:capability { setgid setuid };
+dontaudit saslauthd_t self:capability sys_tty_config;
+allow saslauthd_t self:process signal_perms;
+allow saslauthd_t self:fifo_file rw_fifo_file_perms;
+allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+allow saslauthd_t self:tcp_socket create_socket_perms;
+
+allow saslauthd_t saslauthd_tmp_t:dir setattr;
+manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
+files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
+
+manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, file)
+
+kernel_read_kernel_sysctls(saslauthd_t)
+kernel_read_system_state(saslauthd_t)
+
+corenet_all_recvfrom_unlabeled(saslauthd_t)
+corenet_all_recvfrom_netlabel(saslauthd_t)
+corenet_tcp_sendrecv_generic_if(saslauthd_t)
+corenet_tcp_sendrecv_generic_node(saslauthd_t)
+corenet_tcp_sendrecv_all_ports(saslauthd_t)
+corenet_tcp_connect_pop_port(saslauthd_t)
+corenet_sendrecv_pop_client_packets(saslauthd_t)
+
+dev_read_urand(saslauthd_t)
+
+fs_getattr_all_fs(saslauthd_t)
+fs_search_auto_mountpoints(saslauthd_t)
+
+selinux_compute_access_vector(saslauthd_t)
+
+auth_use_pam(saslauthd_t)
+
+domain_use_interactive_fds(saslauthd_t)
+
+files_read_etc_files(saslauthd_t)
+files_dontaudit_read_etc_runtime_files(saslauthd_t)
+files_search_var_lib(saslauthd_t)
+files_dontaudit_getattr_home_dir(saslauthd_t)
+files_dontaudit_getattr_tmp_dirs(saslauthd_t)
+
+init_dontaudit_stream_connect_script(saslauthd_t)
+
+logging_send_syslog_msg(saslauthd_t)
+
+miscfiles_read_localization(saslauthd_t)
+miscfiles_read_generic_certs(saslauthd_t)
+
+seutil_dontaudit_read_config(saslauthd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
+userdom_dontaudit_search_user_home_dirs(saslauthd_t)
+
+# cjp: typeattribute doesnt work in conditionals
+auth_can_read_shadow_passwords(saslauthd_t)
+tunable_policy(`allow_saslauthd_read_shadow',`
+ auth_tunable_read_shadow(saslauthd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(saslauthd, saslauthd_t)
+')
+
+optional_policy(`
+ mysql_search_db(saslauthd_t)
+ mysql_stream_connect(saslauthd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(saslauthd_t)
+')
+
+optional_policy(`
+ udev_read_db(saslauthd_t)
+')
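Review bot: The comment `# cjp: typeattribute doesnt work in conditionals` does not explain why `auth_can_read_shadow_passwords(saslauthd_t)` is unconditional while the tunable sits below it, which is exactly what a reader auditing shadow access will ask. Suggested replacement: `# typeattribute statements cannot appear inside tunable_policy, so the attribute is assigned unconditionally;` followed by `# the actual read rule on shadow_t is still gated by allow_saslauthd_read_shadow via auth_tunable_read_shadow below.` The tunable's `<desc>` ("Allow sasl to read shadow") could likewise name the daemon, `saslauthd`, rather than the library.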
diff --git a/policy/modules/contrib/sblim.fc b/policy/modules/contrib/sblim.fc
new file mode 100644
index 00000000..17a8a85d
--- /dev/null
+++ b/policy/modules/contrib/sblim.fc
@@ -0,0 +1,5 @@
+/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
+
+/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
+
+/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0)
diff --git a/policy/modules/contrib/sblim.if b/policy/modules/contrib/sblim.if
new file mode 100644
index 00000000..fa24879e
--- /dev/null
+++ b/policy/modules/contrib/sblim.if
@@ -0,0 +1,73 @@
+## <summary> policy for SBLIM Gatherer </summary>
+
+########################################
+## <summary>
+## Transition to gatherd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sblim_domtrans_gatherd',`
+ gen_require(`
+ type sblim_gatherd_t, sblim_gatherd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t)
+')
+
+########################################
+## <summary>
+## Read gatherd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sblim_read_pid_files',`
+ gen_require(`
+ type sblim_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 sblim_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gatherd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sblim_admin',`
+ gen_require(`
+ type sblim_gatherd_t;
+ type sblim_reposd_t;
+ type sblim_var_run_t;
+ ')
+
+ allow $1 sblim_gatherd_t:process signal_perms;
+ ps_process_pattern($1, sblim_gatherd_t)
+
+ allow $1 sblim_reposd_t:process signal_perms;
+ ps_process_pattern($1, sblim_reposd_t)
+
+ files_search_pids($1)
+ admin_pattern($1, sblim_var_run_t)
+')
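Review bot: `sblim_admin` documents a `role` parameter and carries `<rolecap/>`, but its body never references `$2`; there is no init script type in sblim.te to wire a `role_transition` to, so callers pass a role for nothing. Either drop the `<param name="role">` block and `<rolecap/>` so the interface matches what it does, or add the missing role handling if an initrc type is planned.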
diff --git a/policy/modules/contrib/sblim.te b/policy/modules/contrib/sblim.te
new file mode 100644
index 00000000..869f9761
--- /dev/null
+++ b/policy/modules/contrib/sblim.te
@@ -0,0 +1,104 @@
+policy_module(sblim, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute sblim_domain;
+
+type sblim_gatherd_t, sblim_domain;
+type sblim_gatherd_exec_t;
+init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t)
+
+type sblim_reposd_t, sblim_domain;
+type sblim_reposd_exec_t;
+init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
+
+type sblim_var_run_t;
+files_pid_file(sblim_var_run_t)
+
+########################################
+#
+# sblim_gatherd local policy
+#
+allow sblim_gatherd_t self:capability dac_override;
+allow sblim_gatherd_t self:process signal;
+allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
+allow sblim_gatherd_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_fs_sysctls(sblim_gatherd_t)
+kernel_read_kernel_sysctls(sblim_gatherd_t)
+
+corecmd_exec_bin(sblim_gatherd_t)
+corecmd_exec_shell(sblim_gatherd_t)
+
+corenet_tcp_connect_repository_port(sblim_gatherd_t)
+
+dev_read_rand(sblim_gatherd_t)
+dev_read_urand(sblim_gatherd_t)
+
+domain_read_all_domains_state(sblim_gatherd_t)
+
+fs_getattr_all_fs(sblim_gatherd_t)
+
+sysnet_dns_name_resolve(sblim_gatherd_t)
+
+term_getattr_pty_fs(sblim_gatherd_t)
+
+init_read_utmp(sblim_gatherd_t)
+
+userdom_signull_unpriv_users(sblim_gatherd_t)
+
+optional_policy(`
+ locallogin_signull(sblim_gatherd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(sblim_gatherd_t)
+')
+
+optional_policy(`
+ ssh_signull(sblim_gatherd_t)
+')
+
+optional_policy(`
+ virt_stream_connect(sblim_gatherd_t)
+')
+
+optional_policy(`
+ xen_stream_connect(sblim_gatherd_t)
+ xen_stream_connect_xenstore(sblim_gatherd_t)
+')
+
+#######################################
+#
+# sblim_reposd local policy
+#
+
+domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t)
+
+corenet_tcp_bind_all_nodes(sblim_reposd_t)
+corenet_tcp_bind_repository_port(sblim_reposd_t)
+
+######################################
+#
+# sblim_domain local policy
+#
+
+allow sblim_domain self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+
+kernel_read_network_state(sblim_domain)
+kernel_read_system_state(sblim_domain)
+
+dev_read_sysfs(sblim_domain)
+
+logging_send_syslog_msg(sblim_domain)
+
+files_read_etc_files(sblim_domain)
+
+miscfiles_read_localization(sblim_domain)
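Review bot: The `sblim_domain` section grants `manage_dirs/files/sock_files_pattern` on `sblim_var_run_t` but has no `files_pid_filetrans`, so anything the daemons create directly under /var/run (the `/var/run/gather` directory itself, if it does not survive a reboot on a tmpfs /run) will be labeled with the generic pid type rather than `sblim_var_run_t`. sanlock.te in this same commit pairs its manage rules with `files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })`; the equivalent here is `files_pid_filetrans(sblim_domain, sblim_var_run_t, { file dir sock_file })`. The sblim_gatherd block also grants `domain_read_all_domains_state` and `dac_override`; a one-line comment on what the gatherer reads would justify those broad grants.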
diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
new file mode 100644
index 00000000..c8254dd8
--- /dev/null
+++ b/policy/modules/contrib/screen.fc
@@ -0,0 +1,15 @@
+#
+# /home
+#
+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
+
+#
+# /usr
+#
+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
+
+#
+# /var
+#
+/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/policy/modules/contrib/screen.if b/policy/modules/contrib/screen.if
new file mode 100644
index 00000000..c50a4443
--- /dev/null
+++ b/policy/modules/contrib/screen.if
@@ -0,0 +1,162 @@
+## <summary>GNU terminal multiplexer</summary>
+
+#######################################
+## <summary>
+## The role template for the screen module.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`screen_role_template',`
+ gen_require(`
+ type screen_exec_t, screen_tmp_t;
+ type screen_home_t, screen_var_run_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_screen_t;
+ userdom_user_application_domain($1_screen_t, screen_exec_t)
+ domain_interactive_fd($1_screen_t)
+ role $2 types $1_screen_t;
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ allow $1_screen_t self:capability { setuid setgid fsetid };
+ allow $1_screen_t self:process signal_perms;
+ allow $1_screen_t self:fifo_file rw_fifo_file_perms;
+ allow $1_screen_t self:tcp_socket create_stream_socket_perms;
+ allow $1_screen_t self:udp_socket create_socket_perms;
+ # Internal screen networking
+ allow $1_screen_t self:fd use;
+ allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto };
+ allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+ manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+ manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+ files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir })
+
+ # Create fifo
+ manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+ manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+ manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+ files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
+
+ allow $1_screen_t screen_home_t:dir list_dir_perms;
+ manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
+ manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+ userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
+ read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+ read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+
+ allow $1_screen_t $3:process signal;
+
+ domtrans_pattern($3, screen_exec_t, $1_screen_t)
+ allow $3 $1_screen_t:process { signal sigchld };
+ dontaudit $3 $1_screen_t:unix_stream_socket { read write };
+ allow $1_screen_t $3:process signal;
+
+ manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
+ manage_dirs_pattern($3, screen_home_t, screen_home_t)
+ manage_files_pattern($3, screen_home_t, screen_home_t)
+ manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
+ relabel_dirs_pattern($3, screen_home_t, screen_home_t)
+ relabel_files_pattern($3, screen_home_t, screen_home_t)
+ relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
+
+ manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
+ manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
+ manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
+ manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
+
+ kernel_read_system_state($1_screen_t)
+ kernel_read_kernel_sysctls($1_screen_t)
+
+ corecmd_list_bin($1_screen_t)
+ corecmd_read_bin_files($1_screen_t)
+ corecmd_read_bin_symlinks($1_screen_t)
+ corecmd_read_bin_pipes($1_screen_t)
+ corecmd_read_bin_sockets($1_screen_t)
+ # Revert to the user domain when a shell is executed.
+ corecmd_shell_domtrans($1_screen_t, $3)
+ corecmd_bin_domtrans($1_screen_t, $3)
+
+ corenet_all_recvfrom_unlabeled($1_screen_t)
+ corenet_all_recvfrom_netlabel($1_screen_t)
+ corenet_tcp_sendrecv_generic_if($1_screen_t)
+ corenet_udp_sendrecv_generic_if($1_screen_t)
+ corenet_tcp_sendrecv_generic_node($1_screen_t)
+ corenet_udp_sendrecv_generic_node($1_screen_t)
+ corenet_tcp_sendrecv_all_ports($1_screen_t)
+ corenet_udp_sendrecv_all_ports($1_screen_t)
+ corenet_tcp_connect_all_ports($1_screen_t)
+
+ dev_dontaudit_getattr_all_chr_files($1_screen_t)
+ dev_dontaudit_getattr_all_blk_files($1_screen_t)
+ # for SSP
+ dev_read_urand($1_screen_t)
+
+ domain_use_interactive_fds($1_screen_t)
+
+ files_search_tmp($1_screen_t)
+ files_search_home($1_screen_t)
+ files_list_home($1_screen_t)
+ files_read_usr_files($1_screen_t)
+ files_read_etc_files($1_screen_t)
+
+ fs_search_auto_mountpoints($1_screen_t)
+ fs_getattr_xattr_fs($1_screen_t)
+
+ auth_domtrans_chk_passwd($1_screen_t)
+ auth_use_nsswitch($1_screen_t)
+ auth_dontaudit_read_shadow($1_screen_t)
+ auth_dontaudit_exec_utempter($1_screen_t)
+
+ # Write to utmp.
+ init_rw_utmp($1_screen_t)
+
+ logging_send_syslog_msg($1_screen_t)
+
+ miscfiles_read_localization($1_screen_t)
+
+ seutil_read_config($1_screen_t)
+
+ userdom_use_user_terminals($1_screen_t)
+ userdom_create_user_pty($1_screen_t)
+ userdom_user_home_domtrans($1_screen_t, $3)
+ userdom_setattr_user_ptys($1_screen_t)
+ userdom_setattr_user_ttys($1_screen_t)
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_cifs_domtrans($1_screen_t, $3)
+ fs_read_cifs_symlinks($1_screen_t)
+ fs_list_cifs($1_screen_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_nfs_domtrans($1_screen_t, $3)
+ fs_list_nfs($1_screen_t)
+ fs_read_nfs_symlinks($1_screen_t)
+ ')
+')
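Review bot: `allow $1_screen_t $3:process signal;` appears twice in screen_role_template, once before the `domtrans_pattern($3, screen_exec_t, $1_screen_t)` line and again three lines later; the duplicate should be dropped. The template also grants `corenet_tcp_connect_all_ports($1_screen_t)` and full sendrecv on all ports, which is the widest network permission in this commit; if it exists for screen's own attach/detach socket handling the "Internal screen networking" comment belongs next to those corenet lines rather than above the `self:fd use` rule where it currently sits.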
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
new file mode 100644
index 00000000..25836261
--- /dev/null
+++ b/policy/modules/contrib/screen.te
@@ -0,0 +1,25 @@
+policy_module(screen, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type screen_exec_t;
+application_executable_file(screen_exec_t)
+
+type screen_home_t;
+typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t };
+typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
+userdom_user_home_content(screen_home_t)
+
+type screen_tmp_t;
+typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
+typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
+userdom_user_tmp_file(screen_tmp_t)
+
+type screen_var_run_t;
+typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
+typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
+files_pid_file(screen_var_run_t)
+ubac_constrained(screen_var_run_t)
diff --git a/policy/modules/contrib/sectoolm.fc b/policy/modules/contrib/sectoolm.fc
new file mode 100644
index 00000000..1ed68709
--- /dev/null
+++ b/policy/modules/contrib/sectoolm.fc
@@ -0,0 +1,4 @@
+/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
+
+/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
+/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0)
diff --git a/policy/modules/contrib/sectoolm.if b/policy/modules/contrib/sectoolm.if
new file mode 100644
index 00000000..90074511
--- /dev/null
+++ b/policy/modules/contrib/sectoolm.if
@@ -0,0 +1,2 @@
+## <summary>Sectool security audit tool</summary>
+
diff --git a/policy/modules/contrib/sectoolm.te b/policy/modules/contrib/sectoolm.te
new file mode 100644
index 00000000..c8ef84b9
--- /dev/null
+++ b/policy/modules/contrib/sectoolm.te
@@ -0,0 +1,106 @@
+policy_module(sectoolm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sectoolm_t;
+type sectoolm_exec_t;
+dbus_system_domain(sectoolm_t, sectoolm_exec_t)
+
+type sectool_var_lib_t;
+files_type(sectool_var_lib_t)
+
+type sectool_var_log_t;
+logging_log_file(sectool_var_log_t)
+
+type sectool_tmp_t;
+files_tmp_file(sectool_tmp_t)
+
+########################################
+#
+# sectool local policy
+#
+
+allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
+allow sectoolm_t self:process { getcap getsched signull setsched };
+dontaudit sectoolm_t self:process { execstack execmem };
+allow sectoolm_t self:fifo_file rw_fifo_file_perms;
+allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto };
+
+manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir })
+
+manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
+manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
+files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir })
+
+manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t)
+logging_log_filetrans(sectoolm_t, sectool_var_log_t, file)
+
+kernel_read_net_sysctls(sectoolm_t)
+kernel_read_network_state(sectoolm_t)
+kernel_read_kernel_sysctls(sectoolm_t)
+
+corecmd_exec_bin(sectoolm_t)
+corecmd_exec_shell(sectoolm_t)
+
+dev_read_sysfs(sectoolm_t)
+dev_read_urand(sectoolm_t)
+dev_getattr_all_blk_files(sectoolm_t)
+dev_getattr_all_chr_files(sectoolm_t)
+
+domain_getattr_all_domains(sectoolm_t)
+domain_read_all_domains_state(sectoolm_t)
+
+files_getattr_all_pipes(sectoolm_t)
+files_getattr_all_sockets(sectoolm_t)
+files_read_all_files(sectoolm_t)
+files_read_all_symlinks(sectoolm_t)
+
+fs_getattr_all_fs(sectoolm_t)
+fs_list_noxattr_fs(sectoolm_t)
+
+selinux_validate_context(sectoolm_t)
+
+# tcp_wrappers test
+application_exec_all(sectoolm_t)
+
+auth_use_nsswitch(sectoolm_t)
+
+# tests related to network
+hostname_exec(sectoolm_t)
+
+# tests related to network
+iptables_domtrans(sectoolm_t)
+
+libs_exec_ld_so(sectoolm_t)
+
+logging_send_syslog_msg(sectoolm_t)
+
+# tests related to network
+sysnet_domtrans_ifconfig(sectoolm_t)
+
+userdom_manage_user_tmp_sockets(sectoolm_t)
+
+optional_policy(`
+ mount_exec(sectoolm_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(sectoolm_t)
+')
+
+# suid test using
+# rpm -Vf option
+optional_policy(`
+ prelink_domtrans(sectoolm_t)
+')
+
+optional_policy(`
+ rpm_exec(sectoolm_t)
+ rpm_dontaudit_manage_db(sectoolm_t)
+')
+
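Review bot: The `sys_ptrace` capability in `allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };` has no accompanying ptrace rule in this hunk and no comment saying why an audit mechanism needs it; since the same domain also gets `files_read_all_files`, `domain_read_all_domains_state`, `corecmd_exec_shell` and `application_exec_all`, each entry in that capability set should carry a justification so a later reviewer can tell whether it is still required. Presumably it covers reading other processes' /proc state — if so, say so: `# sys_ptrace: needed to read /proc/<pid> state of other domains (see domain_read_all_domains_state)`. The comment `# tests related to network` is repeated three times (above `hostname_exec`, `iptables_domtrans` and `sysnet_domtrans_ifconfig`); grouping the three calls under one comment, or naming the test each one serves, would read better. The file also ends with an added empty line.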
diff --git a/policy/modules/contrib/sendmail.fc b/policy/modules/contrib/sendmail.fc
new file mode 100644
index 00000000..a86ec50e
--- /dev/null
+++ b/policy/modules/contrib/sendmail.fc
@@ -0,0 +1,6 @@
+
+/var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0)
+/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
+
+/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if
new file mode 100644
index 00000000..7e94c7cf
--- /dev/null
+++ b/policy/modules/contrib/sendmail.if
@@ -0,0 +1,297 @@
+## <summary>Policy for sendmail.</summary>
+
+########################################
+## <summary>
+## Sendmail stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_stub',`
+ gen_require(`
+ type sendmail_t;
+ ')
+')
+
+########################################
+## <summary>
+## Allow attempts to read and write to
+## sendmail unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_rw_pipes',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Domain transition to sendmail.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sendmail_domtrans',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ mta_sendmail_domtrans($1, sendmail_t)
+
+ allow sendmail_t $1:fd use;
+ allow sendmail_t $1:fifo_file rw_file_perms;
+ allow sendmail_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute the sendmail program in the sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the sendmail domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ sendmail_domtrans($1)
+ role $2 types sendmail_t;
+')
+
+########################################
+## <summary>
+## Send generic signals to sendmail.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_signal',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:process signal;
+')
+
+########################################
+## <summary>
+## Read and write sendmail TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_rw_tcp_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## sendmail TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sendmail_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ dontaudit $1 sendmail_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write sendmail unix_stream_sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_rw_unix_stream_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## sendmail unix_stream_sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+')
+
+########################################
+## <summary>
+## Read sendmail logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_read_log',`
+ gen_require(`
+ type sendmail_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, sendmail_log_t, sendmail_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete sendmail logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_manage_log',`
+ gen_require(`
+ type sendmail_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, sendmail_log_t, sendmail_log_t)
+')
+
+########################################
+## <summary>
+## Create sendmail logs with the correct type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_create_log',`
+ gen_require(`
+ type sendmail_log_t;
+ ')
+
+ logging_log_filetrans($1, sendmail_log_t, file)
+')
+
+########################################
+## <summary>
+## Manage sendmail tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_manage_tmp_files',`
+ gen_require(`
+ type sendmail_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t)
+')
+
+########################################
+## <summary>
+## Execute sendmail in the unconfined sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sendmail_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_sendmail_t;
+ ')
+
+ mta_sendmail_domtrans($1, unconfined_sendmail_t)
+')
+
+########################################
+## <summary>
+## Execute sendmail in the unconfined sendmail domain, and
+## allow the specified role the unconfined sendmail domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run_unconfined',`
+ gen_require(`
+ type unconfined_sendmail_t;
+ ')
+
+ sendmail_domtrans_unconfined($1)
+ role $2 types unconfined_sendmail_t;
+')
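Review bot: `allow sendmail_t $1:fifo_file rw_file_perms;` in `sendmail_domtrans` applies the plain-file permission set to a fifo_file, whereas `sendmail_rw_pipes` in the same file uses `rw_fifo_file_perms`; for consistency change it to `allow sendmail_t $1:fifo_file rw_fifo_file_perms;`. Separately, the summary of `sendmail_run_unconfined` promises "and use the caller's terminal", but the body only calls `sendmail_domtrans_unconfined($1)` and `role $2 types unconfined_sendmail_t;` — either drop that clause from the summary or add the terminal rule the text describes. Because this interface hands the role a domain that sendmail.te makes fully unconfined, the documentation should be exact about what it grants.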
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
new file mode 100644
index 00000000..22dac1fe
--- /dev/null
+++ b/policy/modules/contrib/sendmail.te
@@ -0,0 +1,187 @@
+policy_module(sendmail, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type sendmail_log_t;
+logging_log_file(sendmail_log_t)
+
+type sendmail_tmp_t;
+files_tmp_file(sendmail_tmp_t)
+
+type sendmail_var_run_t;
+files_pid_file(sendmail_var_run_t)
+
+type sendmail_t;
+mta_sendmail_mailserver(sendmail_t)
+mta_mailserver_delivery(sendmail_t)
+mta_mailserver_sender(sendmail_t)
+
+type unconfined_sendmail_t;
+application_domain(unconfined_sendmail_t, sendmail_exec_t)
+role system_r types unconfined_sendmail_t;
+
+########################################
+#
+# Sendmail local policy
+#
+
+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
+allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
+allow sendmail_t self:fifo_file rw_fifo_file_perms;
+allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+allow sendmail_t self:unix_dgram_socket create_socket_perms;
+allow sendmail_t self:tcp_socket create_stream_socket_perms;
+allow sendmail_t self:udp_socket create_socket_perms;
+
+allow sendmail_t sendmail_log_t:dir setattr;
+manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })
+
+manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
+manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
+files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
+
+allow sendmail_t sendmail_var_run_t:file manage_file_perms;
+files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+
+kernel_read_network_state(sendmail_t)
+kernel_read_kernel_sysctls(sendmail_t)
+# for piping mail to a command
+kernel_read_system_state(sendmail_t)
+
+corenet_all_recvfrom_unlabeled(sendmail_t)
+corenet_all_recvfrom_netlabel(sendmail_t)
+corenet_tcp_sendrecv_generic_if(sendmail_t)
+corenet_tcp_sendrecv_generic_node(sendmail_t)
+corenet_tcp_sendrecv_all_ports(sendmail_t)
+corenet_tcp_bind_generic_node(sendmail_t)
+corenet_tcp_bind_smtp_port(sendmail_t)
+corenet_tcp_connect_all_ports(sendmail_t)
+corenet_sendrecv_smtp_server_packets(sendmail_t)
+corenet_sendrecv_smtp_client_packets(sendmail_t)
+
+dev_read_urand(sendmail_t)
+dev_read_sysfs(sendmail_t)
+
+fs_getattr_all_fs(sendmail_t)
+fs_search_auto_mountpoints(sendmail_t)
+fs_rw_anon_inodefs_files(sendmail_t)
+
+term_dontaudit_use_console(sendmail_t)
+term_dontaudit_use_generic_ptys(sendmail_t)
+
+# for piping mail to a command
+corecmd_exec_shell(sendmail_t)
+corecmd_exec_bin(sendmail_t)
+
+domain_use_interactive_fds(sendmail_t)
+
+files_read_etc_files(sendmail_t)
+files_read_usr_files(sendmail_t)
+files_search_spool(sendmail_t)
+# for piping mail to a command
+files_read_etc_runtime_files(sendmail_t)
+
+init_use_fds(sendmail_t)
+init_use_script_ptys(sendmail_t)
+# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
+init_read_utmp(sendmail_t)
+init_dontaudit_write_utmp(sendmail_t)
+
+auth_use_nsswitch(sendmail_t)
+
+# Read /usr/lib/sasl2/.*
+libs_read_lib_files(sendmail_t)
+
+logging_send_syslog_msg(sendmail_t)
+logging_dontaudit_write_generic_logs(sendmail_t)
+
+miscfiles_read_generic_certs(sendmail_t)
+miscfiles_read_localization(sendmail_t)
+
+userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
+userdom_dontaudit_search_user_home_dirs(sendmail_t)
+
+mta_read_config(sendmail_t)
+mta_etc_filetrans_aliases(sendmail_t)
+# Write to /etc/aliases and /etc/mail.
+mta_manage_aliases(sendmail_t)
+# Write to /var/spool/mail and /var/spool/mqueue.
+mta_manage_queue(sendmail_t)
+mta_manage_spool(sendmail_t)
+mta_sendmail_exec(sendmail_t)
+
+optional_policy(`
+ cron_read_pipes(sendmail_t)
+')
+
+optional_policy(`
+ clamav_search_lib(sendmail_t)
+ clamav_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ exim_domtrans(sendmail_t)
+')
+
+optional_policy(`
+ fail2ban_read_lib_files(sendmail_t)
+ fail2ban_rw_stream_sockets(sendmail_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(sendmail, sendmail_t)
+')
+
+optional_policy(`
+ milter_stream_connect_all(sendmail_t)
+')
+
+optional_policy(`
+ munin_dontaudit_search_lib(sendmail_t)
+')
+
+optional_policy(`
+ postfix_domtrans_master(sendmail_t)
+ postfix_read_config(sendmail_t)
+ postfix_search_spool(sendmail_t)
+')
+
+optional_policy(`
+ procmail_domtrans(sendmail_t)
+ procmail_rw_tmp_files(sendmail_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(sendmail_t)
+')
+
+optional_policy(`
+ sasl_connect(sendmail_t)
+')
+
+optional_policy(`
+ udev_read_db(sendmail_t)
+')
+
+optional_policy(`
+ uucp_domtrans_uux(sendmail_t)
+')
+
+########################################
+#
+# Unconfined sendmail local policy
+# Allow unconfined domain to run newalias and have transitions work
+#
+
+optional_policy(`
+ mta_etc_filetrans_aliases(unconfined_sendmail_t)
+ unconfined_domain(unconfined_sendmail_t)
+')
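Review bot: `application_domain(unconfined_sendmail_t, sendmail_exec_t)` references `sendmail_exec_t`, which this module neither declares nor lists in a `gen_require`; presumably it comes from the mta module (the `mta_sendmail_*` interfaces above use it), so this only links when mta is part of the base policy, and a comment such as `# sendmail_exec_t is declared by the mta module` would record that dependency. The unconfined domain is entered from the same `sendmail_exec_t` as the confined `sendmail_t`, so the declaration block should state that the intended entry is only via the `sendmail_run_unconfined`/`sendmail_domtrans_unconfined` interfaces for newaliases, as the comment in the last section says, instead of leaving the reader to find it at the bottom of the file. Note also that `mta_etc_filetrans_aliases(unconfined_sendmail_t)` and `unconfined_domain(unconfined_sendmail_t)` share one `optional_policy` block, so when the unconfined module is absent `unconfined_sendmail_t` gets no rules at all — which looks intended but deserves a comment.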
diff --git a/policy/modules/contrib/setroubleshoot.fc b/policy/modules/contrib/setroubleshoot.fc
new file mode 100644
index 00000000..397a5225
--- /dev/null
+++ b/policy/modules/contrib/setroubleshoot.fc
@@ -0,0 +1,9 @@
+/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
+
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
+
+/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
+
+/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
+
+/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
diff --git a/policy/modules/contrib/setroubleshoot.if b/policy/modules/contrib/setroubleshoot.if
new file mode 100644
index 00000000..bcdd16c7
--- /dev/null
+++ b/policy/modules/contrib/setroubleshoot.if
@@ -0,0 +1,135 @@
+## <summary>SELinux troubleshooting service</summary>
+
+########################################
+## <summary>
+## Connect to setroubleshootd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_stream_connect',`
+ gen_require(`
+ type setroubleshootd_t, setroubleshoot_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t)
+ allow $1 setroubleshoot_var_run_t:sock_file read;
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to connect to setroubleshootd
+## over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dontaudit_stream_connect',`
+ gen_require(`
+ type setroubleshootd_t, setroubleshoot_var_run_t;
+ ')
+
+ dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms;
+ dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## setroubleshoot over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dbus_chat',`
+ gen_require(`
+ type setroubleshootd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 setroubleshootd_t:dbus send_msg;
+ allow setroubleshootd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit send and receive messages from
+## setroubleshoot over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dontaudit_dbus_chat',`
+ gen_require(`
+ type setroubleshootd_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 setroubleshootd_t:dbus send_msg;
+ dontaudit setroubleshootd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## setroubleshoot fixit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dbus_chat_fixit',`
+ gen_require(`
+ type setroubleshoot_fixit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 setroubleshoot_fixit_t:dbus send_msg;
+ allow setroubleshoot_fixit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an setroubleshoot environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`setroubleshoot_admin',`
+ gen_require(`
+ type setroubleshootd_t, setroubleshoot_log_t;
+ type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
+ ')
+
+ allow $1 setroubleshootd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, setroubleshootd_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, setroubleshoot_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, setroubleshoot_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, setroubleshoot_var_run_t)
+')
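Review bot: `setroubleshoot_admin` requires `type setroubleshootd_t, setroubleshoot_log_t;` and then calls `admin_pattern($1, setroubleshoot_log_t)`, but the setroubleshoot.te hunk in this commit declares the log type as `setroubleshoot_var_log_t` with no alias named `setroubleshoot_log_t`, so any module that calls `setroubleshoot_admin` will fail to link on an undeclared type unless such an alias exists outside this diff. Change the require to `type setroubleshootd_t, setroubleshoot_var_log_t;` and the pattern call to `admin_pattern($1, setroubleshoot_var_log_t)`. Minor: `setroubleshoot_stream_connect` adds `allow $1 setroubleshoot_var_run_t:sock_file read;` on top of `stream_connect_pattern`; a comment on why read access to the socket file is needed in addition to the connect would help.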
diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te
new file mode 100644
index 00000000..086cd5fe
--- /dev/null
+++ b/policy/modules/contrib/setroubleshoot.te
@@ -0,0 +1,177 @@
+policy_module(setroubleshoot, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type setroubleshootd_t alias setroubleshoot_t;
+type setroubleshootd_exec_t;
+domain_type(setroubleshootd_t)
+init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
+
+type setroubleshoot_fixit_t;
+type setroubleshoot_fixit_exec_t;
+dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+
+type setroubleshoot_var_lib_t;
+files_type(setroubleshoot_var_lib_t)
+
+# log files
+type setroubleshoot_var_log_t;
+logging_log_file(setroubleshoot_var_log_t)
+
+# pid files
+type setroubleshoot_var_run_t;
+files_pid_file(setroubleshoot_var_run_t)
+
+########################################
+#
+# setroubleshootd local policy
+#
+
+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
+allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
+allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
+allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
+
+# database files
+allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
+manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t)
+files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir })
+
+# log files
+allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr;
+manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
+manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
+logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
+
+# pid file
+manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
+manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
+files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(setroubleshootd_t)
+kernel_read_system_state(setroubleshootd_t)
+kernel_read_net_sysctls(setroubleshootd_t)
+kernel_read_network_state(setroubleshootd_t)
+
+corecmd_exec_bin(setroubleshootd_t)
+corecmd_exec_shell(setroubleshootd_t)
+
+corenet_all_recvfrom_unlabeled(setroubleshootd_t)
+corenet_all_recvfrom_netlabel(setroubleshootd_t)
+corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
+corenet_tcp_sendrecv_generic_node(setroubleshootd_t)
+corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
+corenet_tcp_bind_generic_node(setroubleshootd_t)
+corenet_tcp_connect_smtp_port(setroubleshootd_t)
+corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
+
+dev_read_urand(setroubleshootd_t)
+dev_read_sysfs(setroubleshootd_t)
+dev_getattr_all_blk_files(setroubleshootd_t)
+dev_getattr_all_chr_files(setroubleshootd_t)
+
+domain_dontaudit_search_all_domains_state(setroubleshootd_t)
+domain_signull_all_domains(setroubleshootd_t)
+
+files_read_usr_files(setroubleshootd_t)
+files_read_etc_files(setroubleshootd_t)
+files_list_all(setroubleshootd_t)
+files_getattr_all_files(setroubleshootd_t)
+files_getattr_all_pipes(setroubleshootd_t)
+files_getattr_all_sockets(setroubleshootd_t)
+files_read_all_symlinks(setroubleshootd_t)
+
+fs_getattr_all_dirs(setroubleshootd_t)
+fs_getattr_all_files(setroubleshootd_t)
+fs_read_fusefs_symlinks(setroubleshootd_t)
+fs_list_inotifyfs(setroubleshootd_t)
+fs_dontaudit_read_nfs_files(setroubleshootd_t)
+fs_dontaudit_read_cifs_files(setroubleshootd_t)
+
+selinux_get_enforce_mode(setroubleshootd_t)
+selinux_validate_context(setroubleshootd_t)
+
+term_dontaudit_use_all_ptys(setroubleshootd_t)
+term_dontaudit_use_all_ttys(setroubleshootd_t)
+
+auth_use_nsswitch(setroubleshootd_t)
+
+init_read_utmp(setroubleshootd_t)
+init_dontaudit_write_utmp(setroubleshootd_t)
+
+miscfiles_read_localization(setroubleshootd_t)
+
+locallogin_dontaudit_use_fds(setroubleshootd_t)
+
+logging_send_audit_msgs(setroubleshootd_t)
+logging_send_syslog_msg(setroubleshootd_t)
+logging_stream_connect_dispatcher(setroubleshootd_t)
+
+modutils_read_module_config(setroubleshootd_t)
+
+seutil_read_config(setroubleshootd_t)
+seutil_read_file_contexts(setroubleshootd_t)
+seutil_read_bin_policy(setroubleshootd_t)
+
+userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
+
+optional_policy(`
+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+')
+
+optional_policy(`
+ rpm_signull(setroubleshootd_t)
+ rpm_read_db(setroubleshootd_t)
+ rpm_dontaudit_manage_db(setroubleshootd_t)
+ rpm_use_script_fds(setroubleshootd_t)
+')
+
+########################################
+#
+# setroubleshoot_fixit local policy
+#
+
+allow setroubleshoot_fixit_t self:capability sys_nice;
+allow setroubleshoot_fixit_t self:process { setsched getsched };
+allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
+allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms;
+
+allow setroubleshoot_fixit_t setroubleshootd_t:process signull;
+
+setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
+setroubleshoot_stream_connect(setroubleshoot_fixit_t)
+
+kernel_read_system_state(setroubleshoot_fixit_t)
+
+corecmd_exec_bin(setroubleshoot_fixit_t)
+corecmd_exec_shell(setroubleshoot_fixit_t)
+
+seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+
+files_read_usr_files(setroubleshoot_fixit_t)
+files_read_etc_files(setroubleshoot_fixit_t)
+files_list_tmp(setroubleshoot_fixit_t)
+
+auth_use_nsswitch(setroubleshoot_fixit_t)
+
+logging_send_audit_msgs(setroubleshoot_fixit_t)
+logging_send_syslog_msg(setroubleshoot_fixit_t)
+
+miscfiles_read_localization(setroubleshoot_fixit_t)
+
+optional_policy(`
+ rpm_signull(setroubleshoot_fixit_t)
+ rpm_read_db(setroubleshoot_fixit_t)
+ rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
+ rpm_use_script_fds(setroubleshoot_fixit_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(setroubleshoot_fixit_t)
+ userdom_read_all_users_state(setroubleshoot_fixit_t)
+')
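Review bot: `userdom_read_all_users_state(setroubleshoot_fixit_t)` sits inside the `optional_policy` block whose other call is `policykit_dbus_chat`, so it is granted only when the policykit module is loaded; if the fixit domain needs user state regardless, the call belongs outside that block, and if it is only needed for the polkit exchange, a comment such as `# polkit authorization reads user process state` would stop someone moving it later. In the daemon section, the first `optional_policy` applies `dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)` to the same domain/exec pair that the declarations already gave `init_daemon_domain`; a comment stating the intended relationship between the two would help a reader who is deciding whether both are needed.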
diff --git a/policy/modules/contrib/shorewall.fc b/policy/modules/contrib/shorewall.fc
new file mode 100644
index 00000000..48d13634
--- /dev/null
+++ b/policy/modules/contrib/shorewall.fc
@@ -0,0 +1,16 @@
+/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/shorewall-lite -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+
+/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+
+/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
+/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+
+/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0)
+
+/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)
diff --git a/policy/modules/contrib/shorewall.if b/policy/modules/contrib/shorewall.if
new file mode 100644
index 00000000..781ad7e8
--- /dev/null
+++ b/policy/modules/contrib/shorewall.if
@@ -0,0 +1,202 @@
+## <summary>Shoreline Firewall high-level tool for configuring netfilter</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run shorewall.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shorewall_domtrans',`
+ gen_require(`
+ type shorewall_t, shorewall_exec_t;
+ ')
+
+ domtrans_pattern($1, shorewall_exec_t, shorewall_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run shorewall.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shorewall_lib_domtrans',`
+ gen_require(`
+ type shorewall_t, shorewall_var_lib_t;
+ ')
+
+ domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
+')
+
+#######################################
+## <summary>
+## Read shorewall etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_config',`
+ gen_require(`
+ type shorewall_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
+')
+
+#######################################
+## <summary>
+## Read shorewall PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_pid_files',`
+ gen_require(`
+ type shorewall_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+#######################################
+## <summary>
+## Read and write shorewall PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_rw_pid_files',`
+ gen_require(`
+ type shorewall_var_run_t;
+ ')
+
+ files_search_pids($1)
+ rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+######################################
+## <summary>
+## Read shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_lib_files',`
+ gen_require(`
+ type shorewall_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read and write shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_rw_lib_files',`
+ gen_require(`
+ type shorewall_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read shorewall tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_tmp_files',`
+ gen_require(`
+ type shorewall_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)
+')
+
+#######################################
+## <summary>
+## All of the rules required to administrate
+## an shorewall environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`shorewall_admin',`
+ gen_require(`
+ type shorewall_t, shorewall_lock_t;
+ type shorewall_log_t;
+ type shorewall_initrc_exec_t, shorewall_var_lib_t;
+ type shorewall_tmp_t, shorewall_etc_t;
+ ')
+
+ allow $1 shorewall_t:process { ptrace signal_perms };
+ ps_process_pattern($1, shorewall_t)
+
+ init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 shorewall_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, shorewall_etc_t)
+
+ files_list_locks($1)
+ admin_pattern($1, shorewall_lock_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, shorewall_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, shorewall_var_lib_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, shorewall_tmp_t)
+')
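Review bot: `shorewall_read_lib_files` requires `type shorewall_t;` but its body uses `shorewall_var_lib_t` in `search_dirs_pattern` and `read_files_pattern`, so the type it needs is never required and the one it requires is unused; `shorewall_rw_lib_files` directly below gets this right. Change the require to `type shorewall_var_lib_t;`. Two documentation slips: `shorewall_lib_domtrans` repeats the summary of `shorewall_domtrans` verbatim although it transitions via `shorewall_var_lib_t` rather than `shorewall_exec_t`, and the `role` parameter of `shorewall_admin` is described as "The role to be allowed to manage the syslog domain." Also `shorewall_read_pid_files` and `shorewall_rw_pid_files` require `shorewall_var_run_t`, which does not appear among the declarations in the shorewall.te hunk of this commit (that hunk is cut off before its end), so verify it is declared somewhere.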
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
new file mode 100644
index 00000000..4723c6b9
--- /dev/null
+++ b/policy/modules/contrib/shorewall.te
@@ -0,0 +1,108 @@
+policy_module(shorewall, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type shorewall_t;
+type shorewall_exec_t;
+init_daemon_domain(shorewall_t, shorewall_exec_t)
+
+type shorewall_initrc_exec_t;
+init_script_file(shorewall_initrc_exec_t)
+
+# etc files
+type shorewall_etc_t;
+files_config_file(shorewall_etc_t)
+
+# lock files
+type shorewall_lock_t;
+files_lock_file(shorewall_lock_t)
+
+# tmp files
+type shorewall_tmp_t;
+files_tmp_file(shorewall_tmp_t)
+
+# var/lib files
+type shorewall_var_lib_t;
+files_type(shorewall_var_lib_t)
+domain_entry_file(shorewall_t, shorewall_var_lib_t)
+
+type shorewall_log_t;
+logging_log_file(shorewall_log_t)
+
+########################################
+#
+# shorewall local policy
+#
+
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
+dontaudit shorewall_t self:capability sys_tty_config;
+allow shorewall_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+
+manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
+files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
+
+manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
+
+manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
+manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
+files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
+
+exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
+
+allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
+
+kernel_read_kernel_sysctls(shorewall_t)
+kernel_read_network_state(shorewall_t)
+kernel_read_system_state(shorewall_t)
+kernel_rw_net_sysctls(shorewall_t)
+
+corecmd_exec_bin(shorewall_t)
+corecmd_exec_shell(shorewall_t)
+
+dev_read_urand(shorewall_t)
+
+domain_read_all_domains_state(shorewall_t)
+
+files_getattr_kernel_modules(shorewall_t)
+files_read_etc_files(shorewall_t)
+files_read_usr_files(shorewall_t)
+files_search_kernel_modules(shorewall_t)
+
+fs_getattr_all_fs(shorewall_t)
+
+init_rw_utmp(shorewall_t)
+
+logging_send_syslog_msg(shorewall_t)
+
+miscfiles_read_localization(shorewall_t)
+
+sysnet_domtrans_ifconfig(shorewall_t)
+
+userdom_dontaudit_list_user_home_dirs(shorewall_t)
+
+optional_policy(`
+ hostname_exec(shorewall_t)
+')
+
+optional_policy(`
+ iptables_domtrans(shorewall_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(shorewall_t)
+')
+
+optional_policy(`
+ ulogd_search_log(shorewall_t)
+')
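Review bot: shorewall_var_lib_t is declared as an entry file for shorewall_t (domain_entry_file) while the same domain gets manage_files_pattern and exec_files_pattern on it, so the domain writes files it later executes and anything else that can write that type gets code run with net_admin/net_raw/sys_ptrace; that combination deserves a why-comment next to the var/lib block, e.g. `# compiled firewall scripts live under /var/lib/shorewall and are executed from there — confirm this is the only reason the type must be both writable and executable`. The sys_ptrace capability together with domain_read_all_domains_state is likewise broad for a firewall front end and should either be justified in a comment or narrowed if it only exists to read /proc of specific helpers. Neither point is traceable from the hunk alone, so both are worth confirming against the shorewall scripts before merging.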
diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
new file mode 100644
index 00000000..97671a33
--- /dev/null
+++ b/policy/modules/contrib/shutdown.fc
@@ -0,0 +1,7 @@
+/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
+
+/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
diff --git a/policy/modules/contrib/shutdown.if b/policy/modules/contrib/shutdown.if
new file mode 100644
index 00000000..d0604cfe
--- /dev/null
+++ b/policy/modules/contrib/shutdown.if
@@ -0,0 +1,69 @@
+## <summary>System shutdown command</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run shutdown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shutdown_domtrans',`
+ gen_require(`
+ type shutdown_t, shutdown_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, shutdown_exec_t, shutdown_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit shutdown_t $1:socket_class_set { read write };
+ dontaudit shutdown_t $1:fifo_file { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute shutdown in the shutdown domain, and
+## allow the specified role the shutdown domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_run',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ shutdown_domtrans($1)
+ role $2 types shutdown_t;
+')
+
+########################################
+## <summary>
+## Get attributes of shutdown executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_getattr_exec_files',`
+ gen_require(`
+ type shutdown_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 shutdown_exec_t:file getattr_file_perms;
+')
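Review bot: The hide_broken_symptoms block in shutdown_domtrans silences reads and writes from shutdown_t on the caller's sockets and fifos without saying which leaked descriptors it is hiding, so a later reader cannot tell whether the dontaudit is still needed. A one-line comment above the ifdef, e.g. `# callers commonly leak their stdin/stdout sockets into shutdown_t; hide rather than allow`, would document the intent (the specific leak is an inference and should be confirmed). The gen_require in shutdown_run only lists shutdown_t, which is correct since shutdown_domtrans requires shutdown_exec_t itself.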
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
new file mode 100644
index 00000000..8966ec95
--- /dev/null
+++ b/policy/modules/contrib/shutdown.te
@@ -0,0 +1,63 @@
+policy_module(shutdown, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type shutdown_t;
+type shutdown_exec_t;
+application_domain(shutdown_t, shutdown_exec_t)
+role system_r types shutdown_t;
+
+type shutdown_etc_t;
+files_config_file(shutdown_etc_t)
+
+type shutdown_var_run_t;
+files_pid_file(shutdown_var_run_t)
+
+########################################
+#
+# shutdown local policy
+#
+
+allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
+allow shutdown_t self:process { fork signal signull };
+
+allow shutdown_t self:fifo_file manage_fifo_file_perms;
+allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t)
+files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
+
+manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
+files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+
+domain_use_interactive_fds(shutdown_t)
+
+files_read_etc_files(shutdown_t)
+files_read_generic_pids(shutdown_t)
+
+term_use_all_terms(shutdown_t)
+
+auth_use_nsswitch(shutdown_t)
+auth_write_login_records(shutdown_t)
+
+init_dontaudit_write_utmp(shutdown_t)
+init_read_utmp(shutdown_t)
+init_stream_connect(shutdown_t)
+init_telinit(shutdown_t)
+
+logging_search_logs(shutdown_t)
+logging_send_audit_msgs(shutdown_t)
+
+miscfiles_read_localization(shutdown_t)
+
+optional_policy(`
+ dbus_system_bus_client(shutdown_t)
+ dbus_connect_system_bus(shutdown_t)
+')
+
+optional_policy(`
+ xserver_dontaudit_write_log(shutdown_t)
+')
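Review bot: The manage_files_pattern/files_etc_filetrans pair on shutdown_etc_t has no comment, while the .fc in this commit labels exactly one path, /etc/nologin, with that type; a reader of the .te alone cannot see why a shutdown helper needs to create files in /etc. Suggest `# create and remove /etc/nologin (labelled shutdown_etc_t in shutdown.fc)` above the pattern. The term_use_all_terms and kill capability are expected for broadcasting the wall message and signalling sessions, but a short comment there too would keep the privileged lines self-explaining.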
diff --git a/policy/modules/contrib/skype.fc b/policy/modules/contrib/skype.fc
new file mode 100644
index 00000000..f7105935
--- /dev/null
+++ b/policy/modules/contrib/skype.fc
@@ -0,0 +1,11 @@
+HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0)
+
+#
+# /opt
+#
+/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
diff --git a/policy/modules/contrib/skype.if b/policy/modules/contrib/skype.if
new file mode 100644
index 00000000..789b8f8a
--- /dev/null
+++ b/policy/modules/contrib/skype.if
@@ -0,0 +1,39 @@
+## <summary>Skype softphone.</summary>
+
+#######################################
+## <summary>
+## Role access for the skype module.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`skype_role',`
+ gen_require(`
+ type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t;
+ ')
+
+ role $1 types skype_t;
+
+ domtrans_pattern($2, skype_exec_t, skype_t)
+
+ allow $2 skype_t:process { ptrace signal_perms };
+ dontaudit skype_t $2:unix_stream_socket { connectto };
+
+ manage_dirs_pattern($2, skype_home_t, skype_home_t)
+ manage_files_pattern($2, skype_home_t, skype_home_t)
+ manage_lnk_files_pattern($2, skype_home_t, skype_home_t)
+
+ relabel_dirs_pattern($2, skype_home_t, skype_home_t)
+ relabel_files_pattern($2, skype_home_t, skype_home_t)
+ relabel_lnk_files_pattern($2, skype_home_t, skype_home_t)
+
+ ps_process_pattern($2, skype_t)
+')
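Review bot: `allow $2 skype_t:process { ptrace signal_perms };` in skype_role lets the user domain attach to and read the memory of the skype process, which is more than the ps/kill management the rest of the interface provides (ps_process_pattern and signal_perms already cover listing and signalling). If debugging by the owning user is intended, keep ptrace but say so in a comment; otherwise narrow it to `allow $2 skype_t:process signal_perms;`. The relabel_*_pattern lines on skype_home_t are consistent with the manage lines above them and look correct.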
diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te
new file mode 100644
index 00000000..fde968a1
--- /dev/null
+++ b/policy/modules/contrib/skype.te
@@ -0,0 +1,111 @@
+policy_module(skype, 0.0.2)
+
+############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Be able to manage user files (needed to support sending and receiving files).
+## Without this boolean set, only files marked as skype_home_t can be used for
+## sending and receiving.
+## </p>
+## </desc>
+gen_tunable(skype_manage_user_content, false)
+
+type skype_t;
+type skype_exec_t;
+application_domain(skype_t, skype_exec_t)
+
+type skype_home_t;
+userdom_user_home_dir_filetrans(skype_t, skype_home_t, dir)
+userdom_user_home_content(skype_home_t)
+
+type skype_tmpfs_t;
+files_tmpfs_file(skype_tmpfs_t)
+ubac_constrained(skype_tmpfs_t)
+
+############################
+#
+# Policy
+#
+
+allow skype_t self:process { getsched setsched execmem signal };
+allow skype_t self:fifo_file rw_fifo_file_perms;
+allow skype_t self:unix_stream_socket create_socket_perms;
+allow skype_t self:sem create_sem_perms;
+allow skype_t self:tcp_socket create_stream_socket_perms;
+
+# Allow skype to work with its ~/.skype location
+manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
+manage_files_pattern(skype_t, skype_home_t, skype_home_t)
+manage_lnk_files_pattern(skype_t, skype_home_t, skype_home_t)
+
+# Needed for supporting X11 & shared memory
+manage_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
+manage_lnk_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
+manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
+manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
+fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+kernel_dontaudit_search_sysctl(skype_t)
+kernel_read_network_state(skype_t)
+kernel_read_system_state(skype_t)
+
+corecmd_exec_bin(skype_t)
+corecmd_exec_shell(skype_t)
+
+can_exec(skype_t, skype_exec_t)
+
+corenet_all_recvfrom_netlabel(skype_t)
+corenet_all_recvfrom_unlabeled(skype_t)
+corenet_sendrecv_http_client_packets(skype_t)
+corenet_tcp_bind_generic_node(skype_t)
+corenet_tcp_bind_generic_port(skype_t)
+corenet_tcp_connect_generic_port(skype_t)
+corenet_tcp_connect_http_port(skype_t)
+corenet_tcp_sendrecv_http_port(skype_t)
+corenet_udp_bind_generic_node(skype_t)
+corenet_udp_bind_generic_port(skype_t)
+
+dev_dontaudit_search_sysfs(skype_t)
+dev_read_sound(skype_t)
+dev_read_video_dev(skype_t)
+dev_write_sound(skype_t)
+dev_write_video_dev(skype_t)
+
+domain_dontaudit_use_interactive_fds(skype_t)
+
+files_read_etc_files(skype_t)
+files_read_usr_files(skype_t)
+
+fs_dontaudit_getattr_xattr_fs(skype_t)
+
+auth_use_nsswitch(skype_t)
+
+miscfiles_dontaudit_setattr_fonts_dirs(skype_t)
+miscfiles_read_localization(skype_t)
+
+userdom_dontaudit_use_user_ttys(skype_t)
+userdom_use_user_ptys(skype_t)
+
+xserver_user_x_domain_template(skype, skype_t, skype_tmpfs_t)
+
+tunable_policy(`skype_manage_user_content',`
+ userdom_manage_user_home_content_dirs(skype_t)
+ userdom_manage_user_home_content_files(skype_t)
+')
+
+optional_policy(`
+ alsa_read_rw_config(skype_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(skype_t)
+ dbus_session_bus_client(skype_t)
+')
+
+optional_policy(`
+ xdg_manage_generic_config_home_content(skype_t)
+')
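Review bot: `execmem` in the self:process line and the generic TCP/UDP bind and connect interfaces give skype_t a wide, unexplained footprint: executable anonymous memory plus the ability to listen on and connect to any generic port. Each should carry a why-comment, e.g. `# execmem: binary requires executable anonymous mappings — confirm with the shipped build` and `# peer-to-peer transport uses arbitrary generic ports for listen and connect`, both presumably true of skype but not shown by the hunk. The skype_manage_user_content tunable is documented well; the same standard would help the unconditional rules above it.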
diff --git a/policy/modules/contrib/slocate.fc b/policy/modules/contrib/slocate.fc
new file mode 100644
index 00000000..1951c4b3
--- /dev/null
+++ b/policy/modules/contrib/slocate.fc
@@ -0,0 +1,2 @@
+/usr/bin/updatedb -- gen_context(system_u:object_r:locate_exec_t, s0)
+/var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0)
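Review bot: The two gen_context calls are written inconsistently: the updatedb line has a space before `s0` while the /var/lib line does not, and every other .fc in this commit uses the no-space form. m4 tolerates it, but for consistency write `/usr/bin/updatedb -- gen_context(system_u:object_r:locate_exec_t,s0)`.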
diff --git a/policy/modules/contrib/slocate.if b/policy/modules/contrib/slocate.if
new file mode 100644
index 00000000..b7505a0b
--- /dev/null
+++ b/policy/modules/contrib/slocate.if
@@ -0,0 +1,41 @@
+## <summary>Update database for mlocate</summary>
+
+########################################
+## <summary>
+## Create the locate log with append mode.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`slocate_create_append_log',`
+ gen_require(`
+ type locate_log_t;
+ ')
+
+ logging_search_logs($1)
+ create_files_pattern($1, locate_log_t, locate_log_t)
+ append_files_pattern($1, locate_log_t, locate_log_t)
+')
+
+########################################
+## <summary>
+## Read locate lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`locate_read_lib_files',`
+ gen_require(`
+ type locate_var_lib_t;
+ ')
+
+ read_files_pattern($1, locate_var_lib_t, locate_var_lib_t)
+ allow $1 locate_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
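Review bot: `locate_read_lib_files` does not carry the module prefix that `slocate_create_append_log` in the same file uses, so callers have to know two different prefixes for one module; since this is a new file, renaming it to `slocate_read_lib_files` before any caller depends on it would be cheap (unless a caller elsewhere in this commit already uses the unprefixed name, which the hunk does not show). The body also mixes a raw `allow $1 locate_var_lib_t:dir list_dir_perms;` with the read_files_pattern helper; `list_dirs_pattern($1, locate_var_lib_t, locate_var_lib_t)` would match the style of the surrounding interfaces.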
diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te
new file mode 100644
index 00000000..a225c02c
--- /dev/null
+++ b/policy/modules/contrib/slocate.te
@@ -0,0 +1,70 @@
+policy_module(slocate, 1.11.0)
+
+#################################
+#
+# Declarations
+#
+
+type locate_t;
+type locate_exec_t;
+init_system_domain(locate_t, locate_exec_t)
+
+type locate_log_t;
+logging_log_file(locate_log_t)
+
+type locate_var_lib_t;
+files_type(locate_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
+allow locate_t self:process { execmem execheap execstack signal };
+allow locate_t self:fifo_file rw_fifo_file_perms;
+allow locate_t self:unix_stream_socket create_socket_perms;
+
+manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
+manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
+
+kernel_read_system_state(locate_t)
+kernel_dontaudit_search_network_state(locate_t)
+kernel_dontaudit_search_sysctl(locate_t)
+
+corecmd_exec_bin(locate_t)
+
+dev_getattr_all_blk_files(locate_t)
+dev_getattr_all_chr_files(locate_t)
+
+files_list_all(locate_t)
+files_dontaudit_read_all_symlinks(locate_t)
+files_getattr_all_files(locate_t)
+files_getattr_all_pipes(locate_t)
+files_getattr_all_sockets(locate_t)
+files_read_etc_runtime_files(locate_t)
+files_read_etc_files(locate_t)
+
+fs_getattr_all_fs(locate_t)
+fs_getattr_all_files(locate_t)
+fs_getattr_all_pipes(locate_t)
+fs_getattr_all_symlinks(locate_t)
+fs_getattr_all_blk_files(locate_t)
+fs_getattr_all_chr_files(locate_t)
+fs_list_all(locate_t)
+fs_list_inotifyfs(locate_t)
+fs_read_noxattr_fs_symlinks(locate_t)
+
+# getpwnam
+auth_use_nsswitch(locate_t)
+
+miscfiles_read_localization(locate_t)
+
+ifdef(`enable_mls',`
+ # On MLS machines will not be allowed to getattr Anything but SystemLow
+ files_dontaudit_getattr_all_dirs(locate_t)
+')
+
+optional_policy(`
+ cron_system_entry(locate_t, locate_exec_t)
+')
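Review bot: `allow locate_t self:process { execmem execheap execstack signal };` grants all three executable-memory permissions to an updatedb domain without a comment, which is unusual for a file indexer and is the kind of rule that should be traceable to a concrete need. Either add a comment naming the cause (e.g. `# execmem/execheap/execstack: needed by <library or build> — confirm`) or drop the ones that do not produce denials on a current build. The wide getattr/list interfaces below are the expected footprint for updatedb and need no change.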
diff --git a/policy/modules/contrib/slrnpull.fc b/policy/modules/contrib/slrnpull.fc
new file mode 100644
index 00000000..1714ce0e
--- /dev/null
+++ b/policy/modules/contrib/slrnpull.fc
@@ -0,0 +1,10 @@
+#
+# /usr
+#
+
+/usr/bin/slrnpull -- gen_context(system_u:object_r:slrnpull_exec_t,s0)
+
+#
+# /var
+#
+/var/spool/slrnpull(/.*)? gen_context(system_u:object_r:slrnpull_spool_t,s0)
diff --git a/policy/modules/contrib/slrnpull.if b/policy/modules/contrib/slrnpull.if
new file mode 100644
index 00000000..d7e8289e
--- /dev/null
+++ b/policy/modules/contrib/slrnpull.if
@@ -0,0 +1,42 @@
+## <summary>Service for downloading news feeds the slrn newsreader.</summary>
+
+########################################
+## <summary>
+## Allow the domain to search slrnpull spools.
+## </summary>
+## <param name="pty_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`slrnpull_search_spool',`
+ gen_require(`
+ type slrnpull_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 slrnpull_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the domain to create, read,
+## write, and delete slrnpull spools.
+## </summary>
+## <param name="pty_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`slrnpull_manage_spool',`
+ gen_require(`
+ type slrnpull_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
+ manage_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
+ manage_lnk_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
+')
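Review bot: Both interfaces in this hunk document their single parameter as `<param name="pty_type">` while the summary says "Domain allowed access." and the body uses `$1` as a domain; the XML documentation is wrong for slrnpull_search_spool and slrnpull_manage_spool alike. Change both to `## <param name="domain">`. The rule bodies themselves are consistent with the other spool interfaces in the commit.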
diff --git a/policy/modules/contrib/slrnpull.te b/policy/modules/contrib/slrnpull.te
new file mode 100644
index 00000000..e5e72fd9
--- /dev/null
+++ b/policy/modules/contrib/slrnpull.te
@@ -0,0 +1,70 @@
+policy_module(slrnpull, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type slrnpull_t;
+type slrnpull_exec_t;
+init_daemon_domain(slrnpull_t, slrnpull_exec_t)
+
+type slrnpull_var_run_t;
+files_pid_file(slrnpull_var_run_t)
+
+type slrnpull_spool_t;
+files_type(slrnpull_spool_t)
+
+type slrnpull_log_t;
+logging_log_file(slrnpull_log_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit slrnpull_t self:capability sys_tty_config;
+allow slrnpull_t self:process signal_perms;
+
+allow slrnpull_t slrnpull_log_t:file manage_file_perms;
+logging_log_filetrans(slrnpull_t, slrnpull_log_t, file)
+
+manage_dirs_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
+manage_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
+manage_lnk_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
+files_search_spool(slrnpull_t)
+
+manage_files_pattern(slrnpull_t, slrnpull_var_run_t, slrnpull_var_run_t)
+files_pid_filetrans(slrnpull_t, slrnpull_var_run_t, file)
+
+kernel_list_proc(slrnpull_t)
+kernel_read_kernel_sysctls(slrnpull_t)
+kernel_read_proc_symlinks(slrnpull_t)
+
+dev_read_sysfs(slrnpull_t)
+
+domain_use_interactive_fds(slrnpull_t)
+
+files_read_etc_files(slrnpull_t)
+
+fs_getattr_all_fs(slrnpull_t)
+fs_search_auto_mountpoints(slrnpull_t)
+
+logging_send_syslog_msg(slrnpull_t)
+
+miscfiles_read_localization(slrnpull_t)
+
+userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
+userdom_dontaudit_search_user_home_dirs(slrnpull_t)
+
+optional_policy(`
+ cron_system_entry(slrnpull_t, slrnpull_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(slrnpull_t)
+')
+
+optional_policy(`
+ udev_read_db(slrnpull_t)
+')
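Review bot: `allow slrnpull_t slrnpull_log_t:file manage_file_perms;` is the only raw allow in the local-policy section; the spool and pid rules a few lines below use the *_pattern helpers. For consistency, and so the dir-side permissions are handled the same way as elsewhere, write `manage_files_pattern(slrnpull_t, slrnpull_log_t, slrnpull_log_t)` in its place. Whether slrnpull also needs a search on the log directory beyond what logging_log_filetrans provides is not visible here and should be confirmed.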
diff --git a/policy/modules/contrib/smartmon.fc b/policy/modules/contrib/smartmon.fc
new file mode 100644
index 00000000..268ae3d6
--- /dev/null
+++ b/policy/modules/contrib/smartmon.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
+
+#
+# /var
+#
+/var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
+
diff --git a/policy/modules/contrib/smartmon.if b/policy/modules/contrib/smartmon.if
new file mode 100644
index 00000000..adea9f92
--- /dev/null
+++ b/policy/modules/contrib/smartmon.if
@@ -0,0 +1,57 @@
+## <summary>Smart disk monitoring daemon policy</summary>
+
+#######################################
+## <summary>
+## Allow caller to read smartmon temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smartmon_read_tmp_files',`
+ gen_require(`
+ type fsdaemon_tmp_t;
+ ')
+
+ allow $1 fsdaemon_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an smartmon environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`smartmon_admin',`
+ gen_require(`
+ type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
+ type fsdaemon_initrc_exec_t;
+ ')
+
+ allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, fsdaemon_t)
+
+ init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 fsdaemon_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, fsdaemon_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, fsdaemon_var_run_t)
+')
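Review bot: smartmon_read_tmp_files grants read on fsdaemon_tmp_t files but never calls `files_search_tmp($1)`, unlike shorewall_read_tmp_files earlier in this commit, so a caller without its own /tmp search access cannot reach the file. Add `files_search_tmp($1)` before the allow line. In smartmon_admin, `getattr` in `{ ptrace signal_perms getattr }` is presumably already covered by ps_process_pattern on the next line and could be dropped for consistency with the other *_admin interfaces here.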
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
new file mode 100644
index 00000000..6b3322b7
--- /dev/null
+++ b/policy/modules/contrib/smartmon.te
@@ -0,0 +1,121 @@
+policy_module(smartmon, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Enable additional permissions needed to support
+## devices on 3ware controllers.
+## </p>
+## </desc>
+gen_tunable(smartmon_3ware, false)
+
+type fsdaemon_t;
+type fsdaemon_exec_t;
+init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
+
+type fsdaemon_initrc_exec_t;
+init_script_file(fsdaemon_initrc_exec_t)
+
+type fsdaemon_var_run_t;
+files_pid_file(fsdaemon_var_run_t)
+
+type fsdaemon_tmp_t;
+files_tmp_file(fsdaemon_tmp_t)
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin };
+dontaudit fsdaemon_t self:capability sys_tty_config;
+allow fsdaemon_t self:process { getcap setcap signal_perms };
+allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
+allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
+allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
+allow fsdaemon_t self:udp_socket create_socket_perms;
+allow fsdaemon_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
+manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
+files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir })
+
+manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t)
+files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file)
+
+kernel_read_kernel_sysctls(fsdaemon_t)
+kernel_read_software_raid_state(fsdaemon_t)
+kernel_read_system_state(fsdaemon_t)
+
+corecmd_exec_all_executables(fsdaemon_t)
+
+corenet_all_recvfrom_unlabeled(fsdaemon_t)
+corenet_all_recvfrom_netlabel(fsdaemon_t)
+corenet_udp_sendrecv_generic_if(fsdaemon_t)
+corenet_udp_sendrecv_generic_node(fsdaemon_t)
+corenet_udp_sendrecv_all_ports(fsdaemon_t)
+
+dev_read_sysfs(fsdaemon_t)
+dev_read_urand(fsdaemon_t)
+
+domain_use_interactive_fds(fsdaemon_t)
+
+files_exec_etc_files(fsdaemon_t)
+files_read_etc_runtime_files(fsdaemon_t)
+files_read_usr_files(fsdaemon_t)
+# for config
+files_read_etc_files(fsdaemon_t)
+
+fs_getattr_all_fs(fsdaemon_t)
+fs_search_auto_mountpoints(fsdaemon_t)
+
+mls_file_read_all_levels(fsdaemon_t)
+#mls_rangetrans_target(fsdaemon_t)
+
+storage_raw_read_fixed_disk(fsdaemon_t)
+storage_raw_write_fixed_disk(fsdaemon_t)
+storage_raw_read_removable_device(fsdaemon_t)
+
+term_dontaudit_search_ptys(fsdaemon_t)
+
+libs_exec_ld_so(fsdaemon_t)
+libs_exec_lib_files(fsdaemon_t)
+
+logging_send_syslog_msg(fsdaemon_t)
+
+miscfiles_read_localization(fsdaemon_t)
+
+seutil_sigchld_newrole(fsdaemon_t)
+
+sysnet_dns_name_resolve(fsdaemon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
+userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
+
+tunable_policy(`smartmon_3ware',`
+ allow fsdaemon_t self:process setfscreate;
+
+ storage_create_fixed_disk_dev(fsdaemon_t)
+ storage_delete_fixed_disk_dev(fsdaemon_t)
+ storage_dev_filetrans_fixed_disk(fsdaemon_t)
+
+ selinux_validate_context(fsdaemon_t)
+
+ seutil_read_file_contexts(fsdaemon_t)
+')
+
+optional_policy(`
+ mta_send_mail(fsdaemon_t)
+')
+
+optional_policy(`
+ udev_read_db(fsdaemon_t)
+')
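Review bot: `corecmd_exec_all_executables(fsdaemon_t)` together with sys_admin, sys_rawio and storage_raw_write_fixed_disk makes this a highly privileged domain, and nothing in the hunk says why a disk-health daemon must run every executable on the system; add a comment such as `# smartd.conf -M exec runs user-supplied notification scripts — confirm` or narrow it if only a few helpers are needed. The commented-out `#mls_rangetrans_target(fsdaemon_t)` is dead code that reads as an unfinished decision; either remove it or replace it with a comment stating why it is not applied. The `# for config` comment is placed after the lines it seems to describe; moving it above files_read_etc_files would be clearer.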
diff --git a/policy/modules/contrib/smokeping.fc b/policy/modules/contrib/smokeping.fc
new file mode 100644
index 00000000..9ff2d99d
--- /dev/null
+++ b/policy/modules/contrib/smokeping.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0)
+
+/usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
+
+/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0)
+
+/var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0)
+
+/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0)
diff --git a/policy/modules/contrib/smokeping.if b/policy/modules/contrib/smokeping.if
new file mode 100644
index 00000000..82652781
--- /dev/null
+++ b/policy/modules/contrib/smokeping.if
@@ -0,0 +1,167 @@
+## <summary>Smokeping network latency measurement.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run smokeping.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`smokeping_domtrans',`
+ gen_require(`
+ type smokeping_t, smokeping_exec_t;
+ ')
+
+ domtrans_pattern($1, smokeping_exec_t, smokeping_t)
+')
+
+########################################
+## <summary>
+## Execute smokeping server in the smokeping domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`smokeping_initrc_domtrans',`
+ gen_require(`
+ type smokeping_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, smokeping_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read smokeping PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_read_pid_files',`
+ gen_require(`
+ type smokeping_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 smokeping_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage smokeping PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_manage_pid_files',`
+ gen_require(`
+ type smokeping_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t)
+')
+
+########################################
+## <summary>
+## Get attributes of smokeping lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_getattr_lib_files',`
+ gen_require(`
+ type smokeping_var_lib_t;
+ ')
+
+ getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read smokeping lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_read_lib_files',`
+ gen_require(`
+ type smokeping_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage smokeping lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_manage_lib_files',`
+ gen_require(`
+ type smokeping_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## a smokeping environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`smokeping_admin',`
+ gen_require(`
+ type smokeping_t, smokeping_initrc_exec_t;
+ ')
+
+ allow $1 smokeping_t:process { ptrace signal_perms };
+ ps_process_pattern($1, smokeping_t)
+
+ smokeping_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 smokeping_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ smokeping_manage_pid_files($1)
+
+ smokeping_manage_lib_files($1)
+')
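Review bot: smokeping_admin grants the admin manage access through smokeping_manage_pid_files and smokeping_manage_lib_files, whereas shorewall_admin and smartmon_admin in this commit use admin_pattern, which in refpolicy also covers relabel; an administrator of this module therefore cannot relabel /var/lib/smokeping or /var/run/smokeping after a fix. For consistency consider `admin_pattern($1, smokeping_var_lib_t)` and `admin_pattern($1, smokeping_var_run_t)` with the two types added to the gen_require. Otherwise the interface set is complete and the parameter documentation matches the bodies.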
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
new file mode 100644
index 00000000..740994ac
--- /dev/null
+++ b/policy/modules/contrib/smokeping.te
@@ -0,0 +1,77 @@
+policy_module(smokeping, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type smokeping_t;
+type smokeping_exec_t;
+init_daemon_domain(smokeping_t, smokeping_exec_t)
+
+type smokeping_initrc_exec_t;
+init_script_file(smokeping_initrc_exec_t)
+
+type smokeping_var_run_t;
+files_pid_file(smokeping_var_run_t)
+
+type smokeping_var_lib_t;
+files_type(smokeping_var_lib_t)
+
+########################################
+#
+# smokeping local policy
+#
+
+dontaudit smokeping_t self:capability { dac_read_search dac_override };
+allow smokeping_t self:fifo_file rw_fifo_file_perms;
+allow smokeping_t self:udp_socket create_socket_perms;
+allow smokeping_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
+manage_files_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
+files_pid_filetrans(smokeping_t, smokeping_var_run_t, { file dir })
+
+manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } )
+
+corecmd_read_bin_symlinks(smokeping_t)
+
+dev_read_urand(smokeping_t)
+
+files_read_etc_files(smokeping_t)
+files_read_usr_files(smokeping_t)
+files_search_tmp(smokeping_t)
+
+auth_use_nsswitch(smokeping_t)
+auth_dontaudit_read_shadow(smokeping_t)
+
+logging_send_syslog_msg(smokeping_t)
+
+miscfiles_read_localization(smokeping_t)
+
+mta_send_mail(smokeping_t)
+
+netutils_domtrans_ping(smokeping_t)
+
+#######################################
+#
+# local policy for smokeping cgi scripts
+#
+
+optional_policy(`
+ apache_content_template(smokeping_cgi)
+
+ allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms;
+
+ manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+ manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+
+ getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
+
+ files_search_tmp(httpd_smokeping_cgi_script_t)
+ files_search_var_lib(httpd_smokeping_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
+')
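Review bot: `mta_send_mail(smokeping_t)` and `netutils_domtrans_ping(smokeping_t)` are called unconditionally, while the same mta interface is wrapped in optional_policy in smartmon.te in this commit; a build without the mta or netutils module would fail on this file. Wrap each as `optional_policy(\` mta_send_mail(smokeping_t) ')` and likewise for netutils_domtrans_ping. The CGI block gives the web-facing httpd_smokeping_cgi_script_t full manage rights on smokeping_var_lib_t; if the CGI only reads RRD data and writes graphs to a cache directory, a narrower type for the cache would limit what a compromised CGI can alter, though that needs confirming against the deployment. There is also a stray space in `{ file dir } )` on the files_var_lib_filetrans line.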
diff --git a/policy/modules/contrib/smoltclient.fc b/policy/modules/contrib/smoltclient.fc
new file mode 100644
index 00000000..47cc4405
--- /dev/null
+++ b/policy/modules/contrib/smoltclient.fc
@@ -0,0 +1,2 @@
+/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
+
diff --git a/policy/modules/contrib/smoltclient.if b/policy/modules/contrib/smoltclient.if
new file mode 100644
index 00000000..a54079b7
--- /dev/null
+++ b/policy/modules/contrib/smoltclient.if
@@ -0,0 +1 @@
+## <summary>The Fedora hardware profiler client</summary>
diff --git a/policy/modules/contrib/smoltclient.te b/policy/modules/contrib/smoltclient.te
new file mode 100644
index 00000000..bc00875d
--- /dev/null
+++ b/policy/modules/contrib/smoltclient.te
@@ -0,0 +1,68 @@
+policy_module(smoltclient, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type smoltclient_t;
+type smoltclient_exec_t;
+application_domain(smoltclient_t, smoltclient_exec_t)
+cron_system_entry(smoltclient_t, smoltclient_exec_t)
+
+type smoltclient_tmp_t;
+files_tmp_file(smoltclient_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow smoltclient_t self:process { setsched getsched };
+
+allow smoltclient_t self:fifo_file rw_fifo_file_perms;
+allow smoltclient_t self:tcp_socket create_socket_perms;
+allow smoltclient_t self:udp_socket create_socket_perms;
+
+can_exec(smoltclient_t, smoltclient_tmp_t)
+manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
+manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
+files_tmp_filetrans(smoltclient_t, smoltclient_tmp_t, { dir file })
+
+kernel_read_system_state(smoltclient_t)
+kernel_read_network_state(smoltclient_t)
+kernel_read_kernel_sysctls(smoltclient_t)
+
+corecmd_exec_bin(smoltclient_t)
+corecmd_exec_shell(smoltclient_t)
+
+corenet_tcp_connect_http_port(smoltclient_t)
+
+dev_read_sysfs(smoltclient_t)
+
+fs_getattr_all_fs(smoltclient_t)
+fs_getattr_all_dirs(smoltclient_t)
+fs_list_auto_mountpoints(smoltclient_t)
+
+files_getattr_generic_locks(smoltclient_t)
+files_read_etc_files(smoltclient_t)
+files_read_usr_files(smoltclient_t)
+
+auth_use_nsswitch(smoltclient_t)
+
+logging_send_syslog_msg(smoltclient_t)
+
+miscfiles_read_localization(smoltclient_t)
+
+optional_policy(`
+ dbus_system_bus_client(smoltclient_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(smoltclient_t)
+')
+
+optional_policy(`
+ rpm_exec(smoltclient_t)
+ rpm_read_db(smoltclient_t)
+')
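Review bot: `can_exec(smoltclient_t, smoltclient_tmp_t)` together with `manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)` lets the domain both write and execute files under its own tmp label, and nothing in the hunk says why a write-plus-execute tmp type is needed. The rest of the file reaches executables the conventional way (`corecmd_exec_bin`, `corecmd_exec_shell`), so this rule is the one a later maintainer will question first. Suggest a comment above it naming what gets executed, e.g. `# smolt runs helper scripts it unpacks in its tmp dir -- TODO confirm which`, or dropping `can_exec` if the client does not execute anything from /tmp.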
diff --git a/policy/modules/contrib/snmp.fc b/policy/modules/contrib/snmp.fc
new file mode 100644
index 00000000..623c8fad
--- /dev/null
+++ b/policy/modules/contrib/snmp.fc
@@ -0,0 +1,24 @@
+/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/snmp(trap)?d -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+
+/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+#
+# /var
+#
+/var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0)
+
+/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
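Review bot: `/var/net-snmp(/.*)` is missing the trailing `?` that every other directory spec in this file carries, so the pattern matches only entries beneath `/var/net-snmp` and never the directory itself, which keeps whatever label the generic `/var` rule gives it. The neighbouring `/var/lib/net-snmp(/.*)?` and `/var/agentx(/.*)?` show the intended form; change the line to `/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)`.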
diff --git a/policy/modules/contrib/snmp.if b/policy/modules/contrib/snmp.if
new file mode 100644
index 00000000..275f9fb5
--- /dev/null
+++ b/policy/modules/contrib/snmp.if
@@ -0,0 +1,147 @@
+## <summary>Simple network management protocol services</summary>
+
+########################################
+## <summary>
+## Connect to snmpd using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_stream_connect',`
+ gen_require(`
+ type snmpd_t, snmpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+')
+
+########################################
+## <summary>
+## Use snmp over a TCP connection. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic to SNMP (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_udp_chat',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Read snmpd libraries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_read_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+ read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+')
+
+########################################
+## <summary>
+## dontaudit Read snmpd libraries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`snmp_dontaudit_read_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+ dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
+ dontaudit $1 snmpd_var_lib_t:file read_file_perms;
+ dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+## dontaudit write snmpd libraries files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`snmp_dontaudit_write_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ dontaudit $1 snmpd_var_lib_t:file write;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an snmp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the snmp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`snmp_admin',`
+ gen_require(`
+ type snmpd_t, snmpd_log_t;
+ type snmpd_var_lib_t, snmpd_var_run_t;
+ type snmpd_initrc_exec_t;
+ ')
+
+ allow $1 snmpd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, snmpd_t)
+
+ init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 snmpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, snmpd_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, snmpd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, snmpd_var_run_t)
+')
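Review bot: `snmp_dontaudit_read_snmp_var_lib_files` has no blank line between the closing `')` of its `gen_require` block and the first `dontaudit` rule, unlike every other interface in this file, and its summary (like that of `snmp_read_snmp_var_lib_files`) says "libraries" although the rules cover `snmpd_var_lib_t`, i.e. files under /var/lib rather than shared libraries. Suggest inserting the blank line and rewording the two summaries to `Read snmpd /var/lib files.` and `Do not audit attempts to read snmpd /var/lib files.` so the generated interface documentation matches the rules.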
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
new file mode 100644
index 00000000..eb3c1d00
--- /dev/null
+++ b/policy/modules/contrib/snmp.te
@@ -0,0 +1,172 @@
+policy_module(snmp, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+type snmpd_t;
+type snmpd_exec_t;
+init_daemon_domain(snmpd_t, snmpd_exec_t)
+
+type snmpd_initrc_exec_t;
+init_script_file(snmpd_initrc_exec_t)
+
+type snmpd_log_t;
+logging_log_file(snmpd_log_t)
+
+type snmpd_var_run_t;
+files_pid_file(snmpd_var_run_t)
+
+type snmpd_var_lib_t;
+files_type(snmpd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
+dontaudit snmpd_t self:capability { sys_module sys_tty_config };
+allow snmpd_t self:process { signal_perms getsched setsched };
+allow snmpd_t self:fifo_file rw_fifo_file_perms;
+allow snmpd_t self:unix_dgram_socket create_socket_perms;
+allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
+allow snmpd_t self:tcp_socket create_stream_socket_perms;
+allow snmpd_t self:udp_socket connected_stream_socket_perms;
+
+allow snmpd_t snmpd_log_t:file manage_file_perms;
+logging_log_filetrans(snmpd_t, snmpd_log_t, file)
+
+manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
+files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
+files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file)
+
+manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
+files_pid_filetrans(snmpd_t, snmpd_var_run_t, file)
+
+kernel_read_device_sysctls(snmpd_t)
+kernel_read_kernel_sysctls(snmpd_t)
+kernel_read_fs_sysctls(snmpd_t)
+kernel_read_net_sysctls(snmpd_t)
+kernel_read_proc_symlinks(snmpd_t)
+kernel_read_system_state(snmpd_t)
+kernel_read_network_state(snmpd_t)
+
+corecmd_exec_bin(snmpd_t)
+corecmd_exec_shell(snmpd_t)
+
+corenet_all_recvfrom_unlabeled(snmpd_t)
+corenet_all_recvfrom_netlabel(snmpd_t)
+corenet_tcp_sendrecv_generic_if(snmpd_t)
+corenet_udp_sendrecv_generic_if(snmpd_t)
+corenet_tcp_sendrecv_generic_node(snmpd_t)
+corenet_udp_sendrecv_generic_node(snmpd_t)
+corenet_tcp_sendrecv_all_ports(snmpd_t)
+corenet_udp_sendrecv_all_ports(snmpd_t)
+corenet_tcp_bind_generic_node(snmpd_t)
+corenet_udp_bind_generic_node(snmpd_t)
+corenet_tcp_bind_snmp_port(snmpd_t)
+corenet_udp_bind_snmp_port(snmpd_t)
+corenet_sendrecv_snmp_server_packets(snmpd_t)
+corenet_tcp_connect_agentx_port(snmpd_t)
+corenet_tcp_bind_agentx_port(snmpd_t)
+corenet_udp_bind_agentx_port(snmpd_t)
+
+dev_list_sysfs(snmpd_t)
+dev_read_sysfs(snmpd_t)
+dev_read_urand(snmpd_t)
+dev_read_rand(snmpd_t)
+dev_getattr_usbfs_dirs(snmpd_t)
+
+domain_use_interactive_fds(snmpd_t)
+domain_signull_all_domains(snmpd_t)
+domain_read_all_domains_state(snmpd_t)
+domain_dontaudit_ptrace_all_domains(snmpd_t)
+domain_exec_all_entry_files(snmpd_t)
+
+files_read_etc_files(snmpd_t)
+files_read_usr_files(snmpd_t)
+files_read_etc_runtime_files(snmpd_t)
+files_search_home(snmpd_t)
+
+fs_getattr_all_dirs(snmpd_t)
+fs_getattr_all_fs(snmpd_t)
+fs_search_auto_mountpoints(snmpd_t)
+
+storage_dontaudit_read_fixed_disk(snmpd_t)
+storage_dontaudit_read_removable_device(snmpd_t)
+
+auth_use_nsswitch(snmpd_t)
+auth_read_all_dirs_except_auth_files(snmpd_t)
+
+init_read_utmp(snmpd_t)
+init_dontaudit_write_utmp(snmpd_t)
+
+logging_send_syslog_msg(snmpd_t)
+
+miscfiles_read_localization(snmpd_t)
+
+seutil_dontaudit_search_config(snmpd_t)
+
+sysnet_read_config(snmpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
+userdom_dontaudit_search_user_home_dirs(snmpd_t)
+
+ifdef(`distro_redhat', `
+ optional_policy(`
+ rpm_read_db(snmpd_t)
+ rpm_dontaudit_manage_db(snmpd_t)
+ ')
+')
+
+optional_policy(`
+ amanda_dontaudit_read_dumpdates(snmpd_t)
+')
+
+optional_policy(`
+ consoletype_exec(snmpd_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(snmpd_t)
+')
+
+optional_policy(`
+ mta_read_config(snmpd_t)
+ mta_search_queue(snmpd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(snmpd_t)
+')
+
+optional_policy(`
+ sendmail_read_log(snmpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(snmpd_t)
+')
+
+optional_policy(`
+ squid_read_config(snmpd_t)
+')
+
+optional_policy(`
+ udev_read_db(snmpd_t)
+')
+
+optional_policy(`
+ virt_stream_connect(snmpd_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(snmpd_t)
+ kernel_write_xen_state(snmpd_t)
+
+ xen_stream_connect(snmpd_t)
+ xen_stream_connect_xenstore(snmpd_t)
+')
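Review bot: `sys_tty_config` appears both in `allow snmpd_t self:capability { ... sys_nice sys_tty_config };` and in the next line `dontaudit snmpd_t self:capability { sys_module sys_tty_config };`; a dontaudit for a permission that is already allowed is dead (it only suppresses denial records, and an allowed permission produces none), so one of the two lines is stale. Either drop `sys_tty_config` from the allow set, as the other daemons in this series do (`dontaudit snort_t self:capability sys_tty_config;` in snort.te), or remove it from the dontaudit line. The remaining capability set (`chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice`) and `files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)` also carry no why-comments; `sys_ptrace` alongside `domain_read_all_domains_state(snmpd_t)` in particular deserves a one-line note naming the MIB or feature that needs it.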
diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc
new file mode 100644
index 00000000..7bedd2f8
--- /dev/null
+++ b/policy/modules/contrib/snort.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0)
+/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
+
+/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
+
+/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
+
+/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0)
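Review bot: in `/var/run/snort.* -- gen_context(...)` the `.` is an unescaped regex wildcard, so the spec matches any regular file whose name starts with `snort` (for example per-interface pid files such as `snort_eth0.pid`, if that is the intent). If only a dotted suffix was meant, as the `\.pid` form used elsewhere in this series suggests, it should read `/var/run/snort\..* -- gen_context(system_u:object_r:snort_var_run_t,s0)`; either way a short comment stating which filenames are expected would remove the ambiguity.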
diff --git a/policy/modules/contrib/snort.if b/policy/modules/contrib/snort.if
new file mode 100644
index 00000000..c117e8b5
--- /dev/null
+++ b/policy/modules/contrib/snort.if
@@ -0,0 +1,60 @@
+## <summary>Snort network intrusion detection system</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run snort.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`snort_domtrans',`
+ gen_require(`
+ type snort_t, snort_exec_t;
+ ')
+
+ domtrans_pattern($1, snort_exec_t, snort_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an snort environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the snort domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`snort_admin',`
+ gen_require(`
+ type snort_t, snort_var_run_t, snort_log_t;
+ type snort_etc_t, snort_initrc_exec_t;
+ ')
+
+ allow $1 snort_t:process { ptrace signal_perms };
+ ps_process_pattern($1, snort_t)
+
+ init_labeled_script_domtrans($1, snort_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 snort_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, snort_etc_t)
+ files_search_etc($1)
+
+ admin_pattern($1, snort_log_t)
+ logging_search_logs($1)
+
+ admin_pattern($1, snort_var_run_t)
+ files_search_pids($1)
+')
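Review bot: `snort_admin` never names `snort_tmp_t` in its `gen_require` block or in an `admin_pattern`, although snort.te in this same series declares it (`type snort_tmp_t;` / `files_tmp_file(snort_tmp_t)`), so the admin role cannot clean up snort's temporary files; `soundserver_admin` in soundserver.if has the same gap for `soundd_state_t` (the `/var/state/yiff` label). Suggest adding `type snort_tmp_t;` to the require block plus `admin_pattern($1, snort_tmp_t)` and `files_search_tmp($1)`, mirroring the tmp handling `soundserver_admin` already has, and the corresponding `admin_pattern($1, soundd_state_t)` in soundserver.if.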
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
new file mode 100644
index 00000000..179bc1b0
--- /dev/null
+++ b/policy/modules/contrib/snort.te
@@ -0,0 +1,117 @@
+policy_module(snort, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type snort_t;
+type snort_exec_t;
+init_daemon_domain(snort_t, snort_exec_t)
+
+type snort_etc_t;
+files_config_file(snort_etc_t)
+
+type snort_initrc_exec_t;
+init_script_file(snort_initrc_exec_t)
+
+type snort_log_t;
+logging_log_file(snort_log_t)
+
+type snort_tmp_t;
+files_tmp_file(snort_tmp_t)
+
+type snort_var_run_t;
+files_pid_file(snort_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
+dontaudit snort_t self:capability sys_tty_config;
+allow snort_t self:process signal_perms;
+allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow snort_t self:tcp_socket create_stream_socket_perms;
+allow snort_t self:udp_socket create_socket_perms;
+allow snort_t self:packet_socket create_socket_perms;
+allow snort_t self:socket create_socket_perms;
+# Snort IPS node. unverified.
+allow snort_t self:netlink_firewall_socket { bind create getattr };
+
+allow snort_t snort_etc_t:dir list_dir_perms;
+allow snort_t snort_etc_t:file read_file_perms;
+allow snort_t snort_etc_t:lnk_file { getattr read };
+
+manage_files_pattern(snort_t, snort_log_t, snort_log_t)
+create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
+logging_log_filetrans(snort_t, snort_log_t, { file dir })
+
+manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
+manage_files_pattern(snort_t, snort_tmp_t, snort_tmp_t)
+files_tmp_filetrans(snort_t, snort_tmp_t, { file dir })
+
+manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t)
+files_pid_filetrans(snort_t, snort_var_run_t, file)
+
+kernel_read_kernel_sysctls(snort_t)
+kernel_read_sysctl(snort_t)
+kernel_list_proc(snort_t)
+kernel_read_proc_symlinks(snort_t)
+kernel_request_load_module(snort_t)
+kernel_dontaudit_read_system_state(snort_t)
+kernel_read_network_state(snort_t)
+
+corenet_all_recvfrom_unlabeled(snort_t)
+corenet_all_recvfrom_netlabel(snort_t)
+corenet_tcp_sendrecv_generic_if(snort_t)
+corenet_udp_sendrecv_generic_if(snort_t)
+corenet_raw_sendrecv_generic_if(snort_t)
+corenet_tcp_sendrecv_generic_node(snort_t)
+corenet_udp_sendrecv_generic_node(snort_t)
+corenet_raw_sendrecv_generic_node(snort_t)
+corenet_tcp_sendrecv_all_ports(snort_t)
+corenet_udp_sendrecv_all_ports(snort_t)
+corenet_tcp_connect_prelude_port(snort_t)
+
+dev_read_sysfs(snort_t)
+dev_read_rand(snort_t)
+dev_read_urand(snort_t)
+dev_read_usbmon_dev(snort_t)
+# Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon
+# Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect?
+dev_rw_generic_usb_dev(snort_t)
+
+domain_use_interactive_fds(snort_t)
+
+files_read_etc_files(snort_t)
+files_dontaudit_read_etc_runtime_files(snort_t)
+
+fs_getattr_all_fs(snort_t)
+fs_search_auto_mountpoints(snort_t)
+
+init_read_utmp(snort_t)
+
+logging_send_syslog_msg(snort_t)
+
+miscfiles_read_localization(snort_t)
+
+sysnet_read_config(snort_t)
+# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
+sysnet_dns_name_resolve(snort_t)
+
+userdom_dontaudit_use_unpriv_user_fds(snort_t)
+userdom_dontaudit_search_user_home_dirs(snort_t)
+
+optional_policy(`
+ prelude_manage_spool(snort_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(snort_t)
+')
+
+optional_policy(`
+ udev_read_db(snort_t)
+')
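Review bot: `allow snort_t self:netlink_firewall_socket { bind create getattr };` is shipped under the comment `# Snort IPS node. unverified.`, i.e. an access rule whose need was never confirmed, with nothing that says how it would be verified or when it should be removed. An unconfirmed allow rule should be tied to the denial or bug that motivated it, or left out until one exists; at minimum replace the comment with `# TODO(unverified): netlink_firewall_socket for inline/IPS mode -- confirm against audit records before keeping`. `kernel_request_load_module(snort_t)` and the capability set `{ setgid setuid net_admin net_raw dac_override }` likewise lack the why-comments that `dev_rw_generic_usb_dev(snort_t)` in the same file already has.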
diff --git a/policy/modules/contrib/sosreport.fc b/policy/modules/contrib/sosreport.fc
new file mode 100644
index 00000000..a40478eb
--- /dev/null
+++ b/policy/modules/contrib/sosreport.fc
@@ -0,0 +1 @@
+/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
diff --git a/policy/modules/contrib/sosreport.if b/policy/modules/contrib/sosreport.if
new file mode 100644
index 00000000..94c01b54
--- /dev/null
+++ b/policy/modules/contrib/sosreport.if
@@ -0,0 +1,129 @@
+## <summary>sosreport - Generate debugging information for system</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run sosreport.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sosreport_domtrans',`
+ gen_require(`
+ type sosreport_t, sosreport_exec_t;
+ ')
+
+ domtrans_pattern($1, sosreport_exec_t, sosreport_t)
+')
+
+########################################
+## <summary>
+## Execute sosreport in the sosreport domain, and
+## allow the specified role the sosreport domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_run',`
+ gen_require(`
+ type sosreport_t;
+ ')
+
+ sosreport_domtrans($1)
+ role $2 types sosreport_t;
+')
+
+########################################
+## <summary>
+## Role access for sosreport
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`sosreport_role',`
+ gen_require(`
+ type sosreport_t;
+ ')
+
+ role $1 types sosreport_t;
+
+ sosreport_domtrans($2)
+
+ ps_process_pattern($2, sosreport_t)
+ allow $2 sosreport_t:process signal;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## sosreport tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_read_tmp_files',`
+ gen_require(`
+ type sosreport_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+')
+
+########################################
+## <summary>
+## Append sosreport tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_append_tmp_files',`
+ gen_require(`
+ type sosreport_tmp_t;
+ ')
+
+ append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+')
+
+########################################
+## <summary>
+## Delete sosreport tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_delete_tmp_files',`
+ gen_require(`
+ type sosreport_tmp_t;
+ ')
+
+ files_delete_tmp_dir_entry($1)
+ delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+')
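Review bot: `sosreport_append_tmp_files` grants `append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)` without `files_search_tmp($1)`, whereas `sosreport_read_tmp_files` directly above pairs its pattern with `files_search_tmp($1)`; unless every caller already searches /tmp on its own, the append permission cannot be reached through a `/tmp` path. The delete interface at least calls `files_delete_tmp_dir_entry($1)`, which may cover the search for that case (confirm); the append interface has nothing. Suggest adding `files_search_tmp($1)` before the append pattern, matching the read interface.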
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
new file mode 100644
index 00000000..ebaff2f4
--- /dev/null
+++ b/policy/modules/contrib/sosreport.te
@@ -0,0 +1,148 @@
+policy_module(sosreport, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type sosreport_t;
+type sosreport_exec_t;
+application_domain(sosreport_t, sosreport_exec_t)
+role system_r types sosreport_t;
+
+type sosreport_tmp_t;
+files_tmp_file(sosreport_tmp_t)
+
+type sosreport_tmpfs_t;
+files_tmpfs_file(sosreport_tmpfs_t)
+
+########################################
+#
+# sosreport local policy
+#
+
+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
+allow sosreport_t self:process { setsched signull };
+allow sosreport_t self:fifo_file rw_fifo_file_perms;
+allow sosreport_t self:tcp_socket create_stream_socket_perms;
+allow sosreport_t self:udp_socket create_socket_perms;
+allow sosreport_t self:unix_dgram_socket create_socket_perms;
+allow sosreport_t self:netlink_route_socket r_netlink_socket_perms;
+allow sosreport_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
+
+manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
+fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
+
+kernel_read_network_state(sosreport_t)
+kernel_read_all_sysctls(sosreport_t)
+kernel_read_software_raid_state(sosreport_t)
+kernel_search_debugfs(sosreport_t)
+kernel_read_messages(sosreport_t)
+
+corecmd_exec_all_executables(sosreport_t)
+
+dev_getattr_all_chr_files(sosreport_t)
+dev_getattr_all_blk_files(sosreport_t)
+dev_getattr_mtrr_dev(sosreport_t)
+dev_read_rand(sosreport_t)
+dev_read_urand(sosreport_t)
+dev_read_raw_memory(sosreport_t)
+dev_read_sysfs(sosreport_t)
+
+domain_getattr_all_domains(sosreport_t)
+domain_read_all_domains_state(sosreport_t)
+domain_getattr_all_sockets(sosreport_t)
+domain_getattr_all_pipes(sosreport_t)
+domain_signull_all_domains(sosreport_t)
+
+files_getattr_all_sockets(sosreport_t)
+files_exec_etc_files(sosreport_t)
+files_list_all(sosreport_t)
+files_read_config_files(sosreport_t)
+files_read_etc_files(sosreport_t)
+files_read_generic_tmp_files(sosreport_t)
+files_read_usr_files(sosreport_t)
+files_read_var_lib_files(sosreport_t)
+files_read_var_symlinks(sosreport_t)
+files_read_kernel_modules(sosreport_t)
+files_read_all_symlinks(sosreport_t)
+# for blkid.tab
+files_manage_etc_runtime_files(sosreport_t)
+files_etc_filetrans_etc_runtime(sosreport_t, file)
+
+fs_getattr_all_fs(sosreport_t)
+fs_list_inotifyfs(sosreport_t)
+
+# some config files do not have configfile attribute
+# sosreport needs to read various files on system
+auth_read_all_files_except_auth_files(sosreport_t)
+auth_use_nsswitch(sosreport_t)
+
+init_domtrans_script(sosreport_t)
+
+libs_domtrans_ldconfig(sosreport_t)
+
+logging_read_all_logs(sosreport_t)
+logging_send_syslog_msg(sosreport_t)
+
+miscfiles_read_localization(sosreport_t)
+
+# needed by modinfo
+modutils_read_module_deps(sosreport_t)
+
+sysnet_read_config(sosreport_t)
+
+optional_policy(`
+ abrt_manage_pid_files(sosreport_t)
+')
+
+optional_policy(`
+ cups_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+ dmesg_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ fstools_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(sosreport_t)
+
+ optional_policy(`
+ hal_dbus_chat(sosreport_t)
+ ')
+')
+
+optional_policy(`
+ lvm_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ mount_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ pulseaudio_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+ rpm_exec(sosreport_t)
+ rpm_dontaudit_manage_db(sosreport_t)
+ rpm_read_db(sosreport_t)
+')
+
+optional_policy(`
+ xserver_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+ unconfined_domain(sosreport_t)
+')
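Review bot: the closing `optional_policy(` / `unconfined_domain(sosreport_t)` block makes every preceding rule in the file moot whenever the unconfined module is loaded, so the effective confinement of `sosreport_t` differs between builds with and without that module, and nothing in the hunk says why that is acceptable. Given how much is already granted explicitly (`dev_read_raw_memory`, `sys_admin` and `sys_ptrace` in the capability set, `auth_read_all_files_except_auth_files`, `logging_read_all_logs`, `corecmd_exec_all_executables`), a reader will assume the explicit rules are the whole story. Suggest a comment above the block such as `# where the unconfined module exists sosreport is run unconfined; the rules above are the confined fallback -- TODO confirm this is intended`, and a matching sentence in the module description.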
diff --git a/policy/modules/contrib/soundserver.fc b/policy/modules/contrib/soundserver.fc
new file mode 100644
index 00000000..d89b2cb6
--- /dev/null
+++ b/policy/modules/contrib/soundserver.fc
@@ -0,0 +1,13 @@
+/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
+/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0)
+/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
+
+/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
+/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0)
+
+/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
+
+/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0)
+/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
+
+/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
diff --git a/policy/modules/contrib/soundserver.if b/policy/modules/contrib/soundserver.if
new file mode 100644
index 00000000..93fe7bf8
--- /dev/null
+++ b/policy/modules/contrib/soundserver.if
@@ -0,0 +1,57 @@
+## <summary>sound server for network audio server programs, nasd, yiff, etc</summary>
+
+########################################
+## <summary>
+## Connect to the sound server over a TCP socket (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`soundserver_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an soundd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the soundd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`soundserver_admin',`
+ gen_require(`
+ type soundd_t, soundd_etc_t;
+ type soundd_tmp_t, soundd_var_run_t;
+ type soundd_initrc_exec_t;
+ ')
+
+ allow $1 soundd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, soundd_t)
+
+ init_labeled_script_domtrans($1, soundd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 soundd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, soundd_etc_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, soundd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, soundd_var_run_t)
+')
diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te
new file mode 100644
index 00000000..3217605d
--- /dev/null
+++ b/policy/modules/contrib/soundserver.te
@@ -0,0 +1,114 @@
+policy_module(soundserver, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type soundd_t;
+type soundd_exec_t;
+init_daemon_domain(soundd_t, soundd_exec_t)
+
+type soundd_etc_t alias etc_soundd_t;
+files_config_file(soundd_etc_t)
+
+type soundd_initrc_exec_t;
+init_script_file(soundd_initrc_exec_t)
+
+type soundd_state_t;
+files_type(soundd_state_t)
+
+type soundd_tmp_t;
+files_tmp_file(soundd_tmp_t)
+
+# for yiff - probably need some rules for the client support too
+type soundd_tmpfs_t;
+files_tmpfs_file(soundd_tmpfs_t)
+
+type soundd_var_run_t;
+files_pid_file(soundd_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow soundd_t self:capability dac_override;
+dontaudit soundd_t self:capability sys_tty_config;
+allow soundd_t self:process { setpgid signal_perms };
+allow soundd_t self:tcp_socket create_stream_socket_perms;
+allow soundd_t self:udp_socket create_socket_perms;
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+# for yiff
+allow soundd_t self:shm create_shm_perms;
+
+read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
+read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
+
+manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
+manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
+
+manage_dirs_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t)
+manage_files_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t)
+files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir })
+
+manage_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+manage_lnk_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(soundd_t)
+kernel_list_proc(soundd_t)
+kernel_read_proc_symlinks(soundd_t)
+
+corenet_all_recvfrom_unlabeled(soundd_t)
+corenet_all_recvfrom_netlabel(soundd_t)
+corenet_tcp_sendrecv_generic_if(soundd_t)
+corenet_udp_sendrecv_generic_if(soundd_t)
+corenet_tcp_sendrecv_generic_node(soundd_t)
+corenet_udp_sendrecv_generic_node(soundd_t)
+corenet_tcp_sendrecv_all_ports(soundd_t)
+corenet_udp_sendrecv_all_ports(soundd_t)
+corenet_tcp_bind_generic_node(soundd_t)
+corenet_tcp_bind_soundd_port(soundd_t)
+corenet_sendrecv_soundd_server_packets(soundd_t)
+
+dev_read_sysfs(soundd_t)
+dev_read_sound(soundd_t)
+dev_write_sound(soundd_t)
+
+domain_use_interactive_fds(soundd_t)
+
+files_read_etc_files(soundd_t)
+files_read_etc_runtime_files(soundd_t)
+
+fs_getattr_all_fs(soundd_t)
+fs_search_auto_mountpoints(soundd_t)
+
+logging_send_syslog_msg(soundd_t)
+
+miscfiles_read_localization(soundd_t)
+
+sysnet_read_config(soundd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(soundd_t)
+userdom_dontaudit_search_user_home_dirs(soundd_t)
+
+optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(soundd_t)
+')
+
+optional_policy(`
+ udev_read_db(soundd_t)
+')
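Review bot: the second section banner, `# Declarations`, heading the `allow soundd_t self:capability dac_override;` rules is a copy-paste of the first banner; every other module in this series (snmp.te, snort.te, sosreport.te) labels that section `# Local policy`, so change the banner to `# Local policy`. The comment `# for yiff - probably need some rules for the client support too` on `soundd_tmpfs_t` is also an unresolved note shipped as documentation; either add the missing rules or rewrite it as an explicit `# TODO: yiff client support rules` so it can be found later.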
diff --git a/policy/modules/contrib/spamassassin.fc b/policy/modules/contrib/spamassassin.fc
new file mode 100644
index 00000000..6b3abf9e
--- /dev/null
+++ b/policy/modules/contrib/spamassassin.fc
@@ -0,0 +1,15 @@
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+
+/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
+/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+
+/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+
+/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
+
+/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+
+/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if
new file mode 100644
index 00000000..c954f319
--- /dev/null
+++ b/policy/modules/contrib/spamassassin.if
@@ -0,0 +1,227 @@
+## <summary>Filter used for removing unsolicited email.</summary>
+
+########################################
+## <summary>
+## Role access for spamassassin
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`spamassassin_role',`
+ gen_require(`
+ type spamc_t, spamc_exec_t, spamc_tmp_t;
+ type spamassassin_t, spamassassin_exec_t;
+ type spamassassin_home_t, spamassassin_tmp_t;
+ ')
+
+ role $1 types { spamc_t spamassassin_t };
+
+ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+ ps_process_pattern($2, spamassassin_t)
+
+ domtrans_pattern($2, spamc_exec_t, spamc_t)
+ ps_process_pattern($2, spamc_t)
+
+ manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+')
+
+########################################
+## <summary>
+## Execute the standalone spamassassin
+## program in the caller directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_exec',`
+ gen_require(`
+ type spamassassin_exec_t;
+ ')
+
+ can_exec($1, spamassassin_exec_t)
+
+')
+
+########################################
+## <summary>
+## Singnal the spam assassin daemon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_signal_spamd',`
+ gen_require(`
+ type spamd_t;
+ ')
+
+ allow $1 spamd_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute the spamassassin daemon
+## program in the caller directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_exec_spamd',`
+ gen_require(`
+ type spamd_exec_t;
+ ')
+
+ can_exec($1, spamd_exec_t)
+')
+
+########################################
+## <summary>
+## Execute spamassassin client in the spamassassin client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`spamassassin_domtrans_client',`
+ gen_require(`
+ type spamc_t, spamc_exec_t;
+ ')
+
+ domtrans_pattern($1, spamc_exec_t, spamc_t)
+')
+
+########################################
+## <summary>
+## Execute the spamassassin client
+## program in the caller directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_exec_client',`
+ gen_require(`
+ type spamc_exec_t;
+ ')
+
+ can_exec($1, spamc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute spamassassin standalone client in the user spamassassin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`spamassassin_domtrans_local_client',`
+ gen_require(`
+ type spamassassin_t, spamassassin_exec_t;
+ ')
+
+ domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
+')
+
+########################################
+## <summary>
+## read spamd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_read_lib_files',`
+ gen_require(`
+ type spamd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## spamd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_manage_lib_files',`
+ gen_require(`
+ type spamd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read temporary spamd file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_read_spamd_tmp_files',`
+ gen_require(`
+ type spamd_tmp_t;
+ ')
+
+ allow $1 spamd_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get attributes of temporary
+## spamd sockets/
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+ gen_require(`
+ type spamd_tmp_t;
+ ')
+
+ dontaudit $1 spamd_tmp_t:sock_file getattr;
+')
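Review bot: `spamassassin_role` requires `spamc_tmp_t` and `spamassassin_tmp_t` in its gen_require but never uses either type in the body, so the requirement only adds coupling for callers; trim it to `type spamc_t, spamc_exec_t;`, `type spamassassin_t, spamassassin_exec_t;` and `type spamassassin_home_t;`. `spamassassin_read_spamd_tmp_files` grants `read_file_perms` on spamd_tmp_t but, unlike the lib-file interfaces which call `files_search_var_lib($1)`, adds no `files_search_tmp($1)`, so callers must obtain /tmp search access elsewhere; either add it or say so in the summary. Two documentation typos: "Singnal the spam assassin daemon" should read `## Send a generic signal to the spamd daemon.`, and the dontaudit summary's trailing "sockets/" should be "sockets.". There is also a stray blank line before the closing `')` of `spamassassin_exec`.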
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
new file mode 100644
index 00000000..1bbf73bb
--- /dev/null
+++ b/policy/modules/contrib/spamassassin.te
@@ -0,0 +1,449 @@
+policy_module(spamassassin, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow user spamassassin clients to use the network.
+## </p>
+## </desc>
+gen_tunable(spamassassin_can_network, false)
+
+## <desc>
+## <p>
+## Allow spamd to read/write user home directories.
+## </p>
+## </desc>
+gen_tunable(spamd_enable_home_dirs, true)
+
+type spamassassin_t;
+type spamassassin_exec_t;
+typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
+typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
+userdom_user_application_domain(spamassassin_t, spamassassin_exec_t)
+
+type spamassassin_home_t;
+typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+userdom_user_home_content(spamassassin_home_t)
+
+type spamassassin_tmp_t;
+typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+userdom_user_tmp_file(spamassassin_tmp_t)
+
+type spamc_t;
+type spamc_exec_t;
+typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
+typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
+userdom_user_application_domain(spamc_t, spamc_exec_t)
+
+type spamc_tmp_t;
+typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+userdom_user_tmp_file(spamc_tmp_t)
+
+type spamd_t;
+type spamd_exec_t;
+init_daemon_domain(spamd_t, spamd_exec_t)
+
+type spamd_spool_t;
+files_type(spamd_spool_t)
+
+type spamd_tmp_t;
+files_tmp_file(spamd_tmp_t)
+
+# var/lib files
+type spamd_var_lib_t;
+files_type(spamd_var_lib_t)
+
+type spamd_var_run_t;
+files_pid_file(spamd_var_run_t)
+
+##############################
+#
+# Standalone program local policy
+#
+
+allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamassassin_t self:fd use;
+allow spamassassin_t self:fifo_file rw_fifo_file_perms;
+allow spamassassin_t self:sock_file read_sock_file_perms;
+allow spamassassin_t self:unix_dgram_socket create_socket_perms;
+allow spamassassin_t self:unix_stream_socket create_stream_socket_perms;
+allow spamassassin_t self:unix_dgram_socket sendto;
+allow spamassassin_t self:unix_stream_socket connectto;
+allow spamassassin_t self:shm create_shm_perms;
+allow spamassassin_t self:sem create_sem_perms;
+allow spamassassin_t self:msgq create_msgq_perms;
+allow spamassassin_t self:msg { send receive };
+
+manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
+manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
+files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir })
+
+manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(spamassassin_t)
+
+dev_read_urand(spamassassin_t)
+
+fs_search_auto_mountpoints(spamassassin_t)
+
+# this should probably be removed
+corecmd_list_bin(spamassassin_t)
+corecmd_read_bin_symlinks(spamassassin_t)
+corecmd_read_bin_files(spamassassin_t)
+corecmd_read_bin_pipes(spamassassin_t)
+corecmd_read_bin_sockets(spamassassin_t)
+
+domain_use_interactive_fds(spamassassin_t)
+
+files_read_etc_files(spamassassin_t)
+files_read_etc_runtime_files(spamassassin_t)
+files_list_home(spamassassin_t)
+files_read_usr_files(spamassassin_t)
+files_dontaudit_search_var(spamassassin_t)
+
+logging_send_syslog_msg(spamassassin_t)
+
+miscfiles_read_localization(spamassassin_t)
+
+# cjp: this could probably be removed
+seutil_read_config(spamassassin_t)
+
+sysnet_dns_name_resolve(spamassassin_t)
+
+# set tunable if you have spamassassin do DNS lookups
+tunable_policy(`spamassassin_can_network',`
+ allow spamassassin_t self:tcp_socket create_stream_socket_perms;
+ allow spamassassin_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(spamassassin_t)
+ corenet_all_recvfrom_netlabel(spamassassin_t)
+ corenet_tcp_sendrecv_generic_if(spamassassin_t)
+ corenet_udp_sendrecv_generic_if(spamassassin_t)
+ corenet_tcp_sendrecv_generic_node(spamassassin_t)
+ corenet_udp_sendrecv_generic_node(spamassassin_t)
+ corenet_tcp_sendrecv_all_ports(spamassassin_t)
+ corenet_udp_sendrecv_all_ports(spamassassin_t)
+ corenet_tcp_connect_all_ports(spamassassin_t)
+ corenet_sendrecv_all_client_packets(spamassassin_t)
+
+ sysnet_read_config(spamassassin_t)
+')
+
+tunable_policy(`spamd_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(spamd_t)
+ userdom_manage_user_home_content_files(spamd_t)
+ userdom_manage_user_home_content_symlinks(spamd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(spamassassin_t)
+ fs_manage_nfs_files(spamassassin_t)
+ fs_manage_nfs_symlinks(spamassassin_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(spamassassin_t)
+ fs_manage_cifs_files(spamassassin_t)
+ fs_manage_cifs_symlinks(spamassassin_t)
+')
+
+optional_policy(`
+ # Write pid file and socket in ~/.evolution/cache/tmp
+ evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
+')
+
+optional_policy(`
+ tunable_policy(`spamassassin_can_network && allow_ypbind',`
+ nis_use_ypbind_uncond(spamassassin_t)
+ ')
+')
+
+optional_policy(`
+ mta_read_config(spamassassin_t)
+ sendmail_stub(spamassassin_t)
+')
+
+########################################
+#
+# Client local policy
+#
+
+allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamc_t self:fd use;
+allow spamc_t self:fifo_file rw_fifo_file_perms;
+allow spamc_t self:sock_file read_sock_file_perms;
+allow spamc_t self:shm create_shm_perms;
+allow spamc_t self:sem create_sem_perms;
+allow spamc_t self:msgq create_msgq_perms;
+allow spamc_t self:msg { send receive };
+allow spamc_t self:unix_dgram_socket create_socket_perms;
+allow spamc_t self:unix_stream_socket create_stream_socket_perms;
+allow spamc_t self:unix_dgram_socket sendto;
+allow spamc_t self:unix_stream_socket connectto;
+allow spamc_t self:tcp_socket create_stream_socket_perms;
+allow spamc_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
+
+# Allow connecting to a local spamd
+allow spamc_t spamd_t:unix_stream_socket connectto;
+allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
+
+kernel_read_kernel_sysctls(spamc_t)
+
+corenet_all_recvfrom_unlabeled(spamc_t)
+corenet_all_recvfrom_netlabel(spamc_t)
+corenet_tcp_sendrecv_generic_if(spamc_t)
+corenet_udp_sendrecv_generic_if(spamc_t)
+corenet_tcp_sendrecv_generic_node(spamc_t)
+corenet_udp_sendrecv_generic_node(spamc_t)
+corenet_tcp_sendrecv_all_ports(spamc_t)
+corenet_udp_sendrecv_all_ports(spamc_t)
+corenet_tcp_connect_all_ports(spamc_t)
+corenet_sendrecv_all_client_packets(spamc_t)
+
+fs_search_auto_mountpoints(spamc_t)
+
+# cjp: these should probably be removed:
+corecmd_list_bin(spamc_t)
+corecmd_read_bin_symlinks(spamc_t)
+corecmd_read_bin_files(spamc_t)
+corecmd_read_bin_pipes(spamc_t)
+corecmd_read_bin_sockets(spamc_t)
+
+domain_use_interactive_fds(spamc_t)
+
+files_read_etc_files(spamc_t)
+files_read_etc_runtime_files(spamc_t)
+files_read_usr_files(spamc_t)
+files_dontaudit_search_var(spamc_t)
+# cjp: this may be removable:
+files_list_home(spamc_t)
+
+logging_send_syslog_msg(spamc_t)
+
+miscfiles_read_localization(spamc_t)
+
+# cjp: this should probably be removed:
+seutil_read_config(spamc_t)
+
+sysnet_read_config(spamc_t)
+
+optional_policy(`
+ # Allow connection to spamd socket above
+ evolution_stream_connect(spamc_t)
+')
+
+optional_policy(`
+ # Needed for pyzor/razor called from spamd
+ milter_manage_spamass_state(spamc_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(spamc_t)
+')
+
+optional_policy(`
+ nscd_socket_use(spamc_t)
+')
+
+optional_policy(`
+ mta_read_config(spamc_t)
+ sendmail_stub(spamc_t)
+')
+
+########################################
+#
+# Server local policy
+#
+
+# Spamassassin, when run as root and using per-user config files,
+# setuids to the user running spamc. Comment this if you are not
+# using this ability.
+
+allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+dontaudit spamd_t self:capability sys_tty_config;
+allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamd_t self:fd use;
+allow spamd_t self:fifo_file rw_fifo_file_perms;
+allow spamd_t self:sock_file read_sock_file_perms;
+allow spamd_t self:shm create_shm_perms;
+allow spamd_t self:sem create_sem_perms;
+allow spamd_t self:msgq create_msgq_perms;
+allow spamd_t self:msg { send receive };
+allow spamd_t self:unix_dgram_socket create_socket_perms;
+allow spamd_t self:unix_stream_socket create_stream_socket_perms;
+allow spamd_t self:unix_dgram_socket sendto;
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
+allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
+manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
+files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
+
+manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+
+# var/lib files for spamd
+allow spamd_t spamd_var_lib_t:dir list_dir_perms;
+read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+
+manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
+
+kernel_read_all_sysctls(spamd_t)
+kernel_read_system_state(spamd_t)
+
+corenet_all_recvfrom_unlabeled(spamd_t)
+corenet_all_recvfrom_netlabel(spamd_t)
+corenet_tcp_sendrecv_generic_if(spamd_t)
+corenet_udp_sendrecv_generic_if(spamd_t)
+corenet_tcp_sendrecv_generic_node(spamd_t)
+corenet_udp_sendrecv_generic_node(spamd_t)
+corenet_tcp_sendrecv_all_ports(spamd_t)
+corenet_udp_sendrecv_all_ports(spamd_t)
+corenet_tcp_bind_generic_node(spamd_t)
+corenet_tcp_bind_spamd_port(spamd_t)
+corenet_tcp_connect_razor_port(spamd_t)
+corenet_tcp_connect_smtp_port(spamd_t)
+corenet_sendrecv_razor_client_packets(spamd_t)
+corenet_sendrecv_spamd_server_packets(spamd_t)
+# spamassassin 3.1 needs this for its
+# DnsResolver.pm module which binds to
+# random ports >= 1024.
+corenet_udp_bind_generic_node(spamd_t)
+corenet_udp_bind_generic_port(spamd_t)
+corenet_udp_bind_imaze_port(spamd_t)
+corenet_dontaudit_udp_bind_all_ports(spamd_t)
+corenet_sendrecv_imaze_server_packets(spamd_t)
+corenet_sendrecv_generic_server_packets(spamd_t)
+
+dev_read_sysfs(spamd_t)
+dev_read_urand(spamd_t)
+
+fs_getattr_all_fs(spamd_t)
+fs_search_auto_mountpoints(spamd_t)
+
+auth_dontaudit_read_shadow(spamd_t)
+
+corecmd_exec_bin(spamd_t)
+
+domain_use_interactive_fds(spamd_t)
+
+files_read_usr_files(spamd_t)
+files_read_etc_files(spamd_t)
+files_read_etc_runtime_files(spamd_t)
+# /var/lib/spamassin
+files_read_var_lib_files(spamd_t)
+
+init_dontaudit_rw_utmp(spamd_t)
+
+logging_send_syslog_msg(spamd_t)
+
+miscfiles_read_localization(spamd_t)
+
+sysnet_read_config(spamd_t)
+sysnet_use_ldap(spamd_t)
+sysnet_dns_name_resolve(spamd_t)
+
+userdom_use_unpriv_users_fds(spamd_t)
+userdom_search_user_home_dirs(spamd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(spamd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(spamd_t)
+')
+
+optional_policy(`
+ amavis_manage_lib_files(spamd_t)
+')
+
+optional_policy(`
+ cron_system_entry(spamd_t, spamd_exec_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(spamd_t, spamd_exec_t)
+')
+
+optional_policy(`
+ dcc_domtrans_client(spamd_t)
+ dcc_stream_connect_dccifd(spamd_t)
+')
+
+optional_policy(`
+ milter_manage_spamass_state(spamd_t)
+')
+
+optional_policy(`
+ corenet_tcp_connect_mysqld_port(spamd_t)
+ corenet_sendrecv_mysqld_client_packets(spamd_t)
+
+ mysql_search_db(spamd_t)
+ mysql_stream_connect(spamd_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(spamd_t)
+')
+
+optional_policy(`
+ postfix_read_config(spamd_t)
+')
+
+optional_policy(`
+ corenet_tcp_connect_postgresql_port(spamd_t)
+ corenet_sendrecv_postgresql_client_packets(spamd_t)
+
+ postgresql_stream_connect(spamd_t)
+')
+
+optional_policy(`
+ pyzor_domtrans(spamd_t)
+ pyzor_signal(spamd_t)
+')
+
+optional_policy(`
+ razor_domtrans(spamd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(spamd_t)
+')
+
+optional_policy(`
+ sendmail_stub(spamd_t)
+ mta_read_config(spamd_t)
+')
+
+optional_policy(`
+ udev_read_db(spamd_t)
+')
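Review bot: The `spamd_enable_home_dirs` tunable defaults to true and, at `tunable_policy(`spamd_enable_home_dirs'`, grants spamd_t manage access to generic user home content dirs, files and symlinks, which is far broader than the ~/.spamassassin (spamassassin_home_t) management granted unconditionally a few lines above; the <desc> should state that, e.g. `Allow spamd to create, read, write and delete any file in user home directories, not only ~/.spamassassin.` Together with `setuid setgid dac_override` in the capability rule under "Server local policy" this gives one daemon write reach into every user's home, so the default of true deserves a comment justifying it. That rule's preceding comment says "Comment this if you are not using this ability", but the capability line is unconditional and nothing guards it; either drop that sentence or put the setuid/setgid pair under a tunable. The spamd_t rules at `manage_dirs_pattern(spamd_t, spamassassin_home_t, ...)` and the `spamd_enable_home_dirs` block also sit under the "Standalone program local policy" heading rather than "Server local policy", and `# /var/lib/spamassin` should read `# /var/lib/spamassassin`.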
diff --git a/policy/modules/contrib/speedtouch.fc b/policy/modules/contrib/speedtouch.fc
new file mode 100644
index 00000000..9760d154
--- /dev/null
+++ b/policy/modules/contrib/speedtouch.fc
@@ -0,0 +1,2 @@
+/usr/sbin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0)
+
diff --git a/policy/modules/contrib/speedtouch.if b/policy/modules/contrib/speedtouch.if
new file mode 100644
index 00000000..826e2db0
--- /dev/null
+++ b/policy/modules/contrib/speedtouch.if
@@ -0,0 +1 @@
+## <summary>Alcatel speedtouch USB ADSL modem</summary>
diff --git a/policy/modules/contrib/speedtouch.te b/policy/modules/contrib/speedtouch.te
new file mode 100644
index 00000000..ade10f5e
--- /dev/null
+++ b/policy/modules/contrib/speedtouch.te
@@ -0,0 +1,61 @@
+policy_module(speedtouch, 1.4.0)
+
+#######################################
+#
+# Rules for the speedmgmt_t domain.
+#
+
+type speedmgmt_t;
+type speedmgmt_exec_t;
+init_daemon_domain(speedmgmt_t, speedmgmt_exec_t)
+
+type speedmgmt_tmp_t;
+files_tmp_file(speedmgmt_tmp_t)
+
+type speedmgmt_var_run_t;
+files_pid_file(speedmgmt_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit speedmgmt_t self:capability sys_tty_config;
+allow speedmgmt_t self:process signal_perms;
+
+manage_dirs_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t)
+manage_files_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t)
+files_tmp_filetrans(speedmgmt_t, speedmgmt_tmp_t, { file dir })
+
+manage_files_pattern(speedmgmt_t, speedmgmt_var_run_t, speedmgmt_var_run_t)
+files_pid_filetrans(speedmgmt_t, speedmgmt_var_run_t, file)
+
+kernel_read_kernel_sysctls(speedmgmt_t)
+kernel_list_proc(speedmgmt_t)
+kernel_read_proc_symlinks(speedmgmt_t)
+
+dev_read_sysfs(speedmgmt_t)
+dev_read_usbfs(speedmgmt_t)
+
+domain_use_interactive_fds(speedmgmt_t)
+
+files_read_etc_files(speedmgmt_t)
+files_read_usr_files(speedmgmt_t)
+
+fs_getattr_all_fs(speedmgmt_t)
+fs_search_auto_mountpoints(speedmgmt_t)
+
+logging_send_syslog_msg(speedmgmt_t)
+
+miscfiles_read_localization(speedmgmt_t)
+
+userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
+userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(speedmgmt_t)
+')
+
+optional_policy(`
+ udev_read_db(speedmgmt_t)
+')
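Review bot: The first section heading `# Rules for the speedmgmt_t domain.` holds only type declarations while the rules follow under "Local policy"; the other modules in this commit (spamassassin.te, squid.te) label that section `# Declarations`, so using `# Declarations` here keeps the new modules consistent. The `#######################################` rule above it is also one `#` shorter than the other section rules in the file.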
diff --git a/policy/modules/contrib/squid.fc b/policy/modules/contrib/squid.fc
new file mode 100644
index 00000000..6cc4a90a
--- /dev/null
+++ b/policy/modules/contrib/squid.fc
@@ -0,0 +1,14 @@
+/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+
+/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
+/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+
+/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
+/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
new file mode 100644
index 00000000..d2496bd7
--- /dev/null
+++ b/policy/modules/contrib/squid.if
@@ -0,0 +1,233 @@
+## <summary>Squid caching http proxy server</summary>
+
+########################################
+## <summary>
+## Execute squid in the squid domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`squid_domtrans',`
+ gen_require(`
+ type squid_t, squid_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, squid_exec_t, squid_t)
+')
+
+########################################
+## <summary>
+## Execute squid
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_exec',`
+ gen_require(`
+ type squid_exec_t;
+ ')
+
+ can_exec($1, squid_exec_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to squid.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_signal',`
+ gen_require(`
+ type squid_t;
+ ')
+
+ allow $1 squid_t:process signal;
+')
+
+########################################
+## <summary>
+## Allow read and write squid
+## unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_rw_stream_sockets',`
+ gen_require(`
+ type squid_t;
+ ')
+
+ allow $1 squid_t:unix_stream_socket { getattr read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search squid cache dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_search_cache',`
+ gen_require(`
+ type squid_cache_t;
+ ')
+
+ dontaudit $1 squid_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read squid configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_read_config',`
+ gen_require(`
+ type squid_conf_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, squid_conf_t, squid_conf_t)
+')
+
+########################################
+## <summary>
+## Append squid logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_read_log',`
+ gen_require(`
+ type squid_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, squid_log_t, squid_log_t)
+')
+
+########################################
+## <summary>
+## Append squid logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_append_log',`
+ gen_require(`
+ type squid_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, squid_log_t, squid_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## squid logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_manage_logs',`
+ gen_require(`
+ type squid_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, squid_log_t, squid_log_t)
+')
+
+########################################
+## <summary>
+## Use squid services by connecting over TCP. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_use',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an squid environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the squid domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_admin',`
+ gen_require(`
+ type squid_t, squid_cache_t, squid_conf_t;
+ type squid_log_t, squid_var_run_t;
+ type squid_initrc_exec_t;
+ ')
+
+ allow $1 squid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, squid_t)
+
+ init_labeled_script_domtrans($1, squid_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 squid_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var($1)
+ admin_pattern($1, squid_cache_t)
+
+ files_list_etc($1)
+ admin_pattern($1, squid_conf_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, squid_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, squid_var_run_t)
+')
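Review bot: The summary of `squid_read_log` says "Append squid logs." although the interface grants `read_files_pattern` on squid_log_t; it appears pasted from `squid_append_log` below and should read `## Read squid logs.`. `squid_admin` grants `ptrace` on squid_t alongside signal_perms, which lets the admin domain inspect squid's process memory; that follows the usual refpolicy admin pattern, but a one-line comment such as `# ptrace: allow the admin role to debug/inspect squid` makes the grant deliberate rather than incidental. Lastly, "an squid environment" in the `squid_admin` summary should be "a squid environment".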
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
new file mode 100644
index 00000000..4b2230e7
--- /dev/null
+++ b/policy/modules/contrib/squid.te
@@ -0,0 +1,208 @@
+policy_module(squid, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow squid to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+## </p>
+## </desc>
+gen_tunable(squid_connect_any, false)
+
+## <desc>
+## <p>
+## Allow squid to run as a transparent proxy (TPROXY)
+## </p>
+## </desc>
+gen_tunable(squid_use_tproxy, false)
+
+type squid_t;
+type squid_exec_t;
+init_daemon_domain(squid_t, squid_exec_t)
+
+# type for /var/cache/squid
+type squid_cache_t;
+files_type(squid_cache_t)
+
+type squid_conf_t;
+files_type(squid_conf_t)
+
+type squid_initrc_exec_t;
+init_script_file(squid_initrc_exec_t)
+
+type squid_log_t;
+logging_log_file(squid_log_t)
+
+type squid_tmpfs_t;
+files_tmpfs_file(squid_tmpfs_t)
+
+type squid_var_run_t;
+files_pid_file(squid_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
+dontaudit squid_t self:capability sys_tty_config;
+allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+allow squid_t self:fifo_file rw_fifo_file_perms;
+allow squid_t self:sock_file read_sock_file_perms;
+allow squid_t self:fd use;
+allow squid_t self:shm create_shm_perms;
+allow squid_t self:sem create_sem_perms;
+allow squid_t self:msgq create_msgq_perms;
+allow squid_t self:msg { send receive };
+allow squid_t self:unix_stream_socket create_stream_socket_perms;
+allow squid_t self:unix_dgram_socket create_socket_perms;
+allow squid_t self:unix_dgram_socket sendto;
+allow squid_t self:unix_stream_socket connectto;
+allow squid_t self:tcp_socket create_stream_socket_perms;
+allow squid_t self:udp_socket create_socket_perms;
+
+# Grant permissions to create, access, and delete cache files.
+manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
+manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+
+allow squid_t squid_conf_t:dir list_dir_perms;
+read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
+read_lnk_files_pattern(squid_t, squid_conf_t, squid_conf_t)
+
+can_exec(squid_t, squid_exec_t)
+
+manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
+manage_files_pattern(squid_t, squid_log_t, squid_log_t)
+manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
+logging_log_filetrans(squid_t, squid_log_t, { file dir })
+
+#squid requires the following when run in diskd mode, the recommended setting
+manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
+
+manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
+files_pid_filetrans(squid_t, squid_var_run_t, file)
+
+kernel_read_kernel_sysctls(squid_t)
+kernel_read_system_state(squid_t)
+
+files_dontaudit_getattr_boot_dirs(squid_t)
+
+corenet_all_recvfrom_unlabeled(squid_t)
+corenet_all_recvfrom_netlabel(squid_t)
+corenet_tcp_sendrecv_generic_if(squid_t)
+corenet_udp_sendrecv_generic_if(squid_t)
+corenet_tcp_sendrecv_generic_node(squid_t)
+corenet_udp_sendrecv_generic_node(squid_t)
+corenet_tcp_sendrecv_all_ports(squid_t)
+corenet_udp_sendrecv_all_ports(squid_t)
+corenet_tcp_bind_generic_node(squid_t)
+corenet_udp_bind_generic_node(squid_t)
+corenet_tcp_bind_http_port(squid_t)
+corenet_tcp_bind_http_cache_port(squid_t)
+corenet_udp_bind_http_cache_port(squid_t)
+corenet_tcp_bind_ftp_port(squid_t)
+corenet_tcp_bind_gopher_port(squid_t)
+corenet_udp_bind_gopher_port(squid_t)
+corenet_tcp_bind_squid_port(squid_t)
+corenet_udp_bind_squid_port(squid_t)
+corenet_udp_bind_wccp_port(squid_t)
+corenet_tcp_connect_ftp_port(squid_t)
+corenet_tcp_connect_gopher_port(squid_t)
+corenet_tcp_connect_http_port(squid_t)
+corenet_tcp_connect_http_cache_port(squid_t)
+corenet_tcp_connect_pgpkeyserver_port(squid_t)
+corenet_sendrecv_ftp_client_packets(squid_t)
+corenet_sendrecv_gopher_client_packets(squid_t)
+corenet_sendrecv_http_client_packets(squid_t)
+corenet_sendrecv_http_server_packets(squid_t)
+corenet_sendrecv_http_cache_server_packets(squid_t)
+corenet_sendrecv_http_cache_client_packets(squid_t)
+corenet_sendrecv_pgpkeyserver_client_packets(squid_t)
+corenet_sendrecv_squid_client_packets(squid_t)
+corenet_sendrecv_squid_server_packets(squid_t)
+corenet_sendrecv_wccp_server_packets(squid_t)
+
+dev_read_sysfs(squid_t)
+dev_read_urand(squid_t)
+
+fs_getattr_all_fs(squid_t)
+fs_search_auto_mountpoints(squid_t)
+fs_list_inotifyfs(squid_t)
+
+selinux_dontaudit_getattr_dir(squid_t)
+
+term_dontaudit_getattr_pty_dirs(squid_t)
+
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+corecmd_exec_bin(squid_t)
+corecmd_exec_shell(squid_t)
+
+domain_use_interactive_fds(squid_t)
+
+files_read_etc_files(squid_t)
+files_read_etc_runtime_files(squid_t)
+files_read_usr_files(squid_t)
+files_search_spool(squid_t)
+files_dontaudit_getattr_tmp_dirs(squid_t)
+files_getattr_home_dir(squid_t)
+
+auth_use_nsswitch(squid_t)
+auth_domtrans_chk_passwd(squid_t)
+
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+libs_exec_lib_files(squid_t)
+
+logging_send_syslog_msg(squid_t)
+
+miscfiles_read_generic_certs(squid_t)
+miscfiles_read_localization(squid_t)
+
+userdom_use_unpriv_users_fds(squid_t)
+userdom_dontaudit_search_user_home_dirs(squid_t)
+
+tunable_policy(`squid_connect_any',`
+ corenet_tcp_connect_all_ports(squid_t)
+ corenet_tcp_bind_all_ports(squid_t)
+ corenet_sendrecv_all_packets(squid_t)
+')
+
+tunable_policy(`squid_use_tproxy',`
+ allow squid_t self:capability net_admin;
+ corenet_tcp_bind_netport_port(squid_t)
+')
+
+optional_policy(`
+ apache_content_template(squid)
+
+ allow httpd_squid_script_t self:tcp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+ corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+ corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
+
+ sysnet_dns_name_resolve(httpd_squid_script_t)
+
+ squid_read_config(httpd_squid_script_t)
+')
+
+optional_policy(`
+ cron_system_entry(squid_t, squid_exec_t)
+')
+
+optional_policy(`
+ samba_domtrans_winbind_helper(squid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(squid_t)
+')
+
+optional_policy(`
+ udev_read_db(squid_t)
+')
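Review bot: The `squid_connect_any` description says only that squid may connect to all ports, but the `tunable_policy(`squid_connect_any'` block also grants `corenet_tcp_bind_all_ports` and `corenet_sendrecv_all_packets`, so enabling it also lets squid listen on any port; the <desc> should say so, e.g. `Allow squid to connect to and bind to any port, not just HTTP, FTP, and Gopher ports.` The unconditional rule `allow squid_t self:capability { setgid kill setuid dac_override sys_resource };` carries no comment explaining why dac_override is needed for a daemon that already owns its cache, log and pid types; a why-comment, or dropping it if no longer needed, would help the next maintainer. `auth_domtrans_chk_passwd(squid_t)` likewise deserves a comment naming the use it supports (presumably password-based proxy authentication helpers), since it lets squid reach the password-checking helper domain.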
diff --git a/policy/modules/contrib/sssd.fc b/policy/modules/contrib/sssd.fc
new file mode 100644
index 00000000..4271815b
--- /dev/null
+++ b/policy/modules/contrib/sssd.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+
+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+
+/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
+/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
+/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
+
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
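Review bot: The pid-file pattern on the last line leaves the dot unescaped, so `/var/run/sssd.pid` is a regex in which `.` matches any character, unlike the `rc\.d/init\.d` pattern at the top of this same file. Write it as `/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)`. It is harmless in practice here, but file_contexts entries are regular expressions and the escaped form is the convention the rest of the file follows.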
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
new file mode 100644
index 00000000..941380a7
--- /dev/null
+++ b/policy/modules/contrib/sssd.if
@@ -0,0 +1,255 @@
+## <summary>System Security Services Daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run sssd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sssd_domtrans',`
+ gen_require(`
+ type sssd_t, sssd_exec_t;
+ ')
+
+ domtrans_pattern($1, sssd_exec_t, sssd_t)
+')
+
+########################################
+## <summary>
+## Execute sssd server in the sssd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sssd_initrc_domtrans',`
+ gen_require(`
+ type sssd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, sssd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read sssd public files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_read_public_files',`
+ gen_require(`
+ type sssd_public_t;
+ ')
+
+ sssd_search_lib($1)
+ read_files_pattern($1, sssd_public_t, sssd_public_t)
+')
+
+########################################
+## <summary>
+## Read sssd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_read_pid_files',`
+ gen_require(`
+ type sssd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 sssd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage sssd var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_manage_pids',`
+ gen_require(`
+ type sssd_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
+')
+
+########################################
+## <summary>
+## Search sssd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_search_lib',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ allow $1 sssd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search sssd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sssd_dontaudit_search_lib',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read sssd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_read_lib_files',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## sssd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_manage_lib_files',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## sssd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_dbus_chat',`
+ gen_require(`
+ type sssd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 sssd_t:dbus send_msg;
+ allow sssd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Connect to sssd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_stream_connect',`
+ gen_require(`
+ type sssd_t, sssd_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an sssd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the sssd domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sssd_admin',`
+ gen_require(`
+ type sssd_t, sssd_public_t;
+ type sssd_initrc_exec_t;
+ ')
+
+ allow $1 sssd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, sssd_t, sssd_t)
+
+ # Allow sssd_t to restart the apache service
+ sssd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 sssd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ sssd_manage_pids($1)
+
+ sssd_manage_lib_files($1)
+
+ admin_pattern($1, sssd_public_t)
+')
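Review bot: `sssd_stream_connect` grants `files_search_pids($1)`, but the socket it connects to is typed `sssd_var_lib_t`, which sssd.fc places under /var/lib/sss, so the caller gets search on /var/run and not on /var/lib and the connect is denied at directory traversal unless the domain already has that access from elsewhere. Replace it with `files_search_var_lib($1)`, or simply call `sssd_search_lib($1)`, which is defined in this same file and also covers the `sssd_var_lib_t` directory search. Separately, the comment in `sssd_admin` reading `# Allow sssd_t to restart the apache service` is a copy-paste leftover and should read `# Allow $1 to restart the sssd service`.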
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
new file mode 100644
index 00000000..8ffa2577
--- /dev/null
+++ b/policy/modules/contrib/sssd.te
@@ -0,0 +1,90 @@
+policy_module(sssd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type sssd_t;
+type sssd_exec_t;
+init_daemon_domain(sssd_t, sssd_exec_t)
+
+type sssd_initrc_exec_t;
+init_script_file(sssd_initrc_exec_t)
+
+type sssd_public_t;
+files_pid_file(sssd_public_t)
+
+type sssd_var_lib_t;
+files_type(sssd_var_lib_t)
+
+type sssd_var_log_t;
+logging_log_file(sssd_var_log_t)
+
+type sssd_var_run_t;
+files_pid_file(sssd_var_run_t)
+
+########################################
+#
+# sssd local policy
+#
+allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
+allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
+manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
+manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+
+manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+logging_log_filetrans(sssd_t, sssd_var_log_t, file)
+
+manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+
+kernel_read_system_state(sssd_t)
+
+corecmd_exec_bin(sssd_t)
+
+dev_read_urand(sssd_t)
+
+domain_read_all_domains_state(sssd_t)
+domain_obj_id_change_exemption(sssd_t)
+
+files_list_tmp(sssd_t)
+files_read_etc_files(sssd_t)
+files_read_usr_files(sssd_t)
+
+fs_list_inotifyfs(sssd_t)
+
+selinux_validate_context(sssd_t)
+
+seutil_read_file_contexts(sssd_t)
+
+mls_file_read_to_clearance(sssd_t)
+
+auth_use_nsswitch(sssd_t)
+auth_domtrans_chk_passwd(sssd_t)
+auth_domtrans_upd_passwd(sssd_t)
+
+init_read_utmp(sssd_t)
+
+logging_send_syslog_msg(sssd_t)
+logging_send_audit_msgs(sssd_t)
+
+miscfiles_read_localization(sssd_t)
+
+optional_policy(`
+ dbus_system_bus_client(sssd_t)
+ dbus_connect_system_bus(sssd_t)
+')
+
+optional_policy(`
+ kerberos_manage_host_rcache(sssd_t)
+')
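Review bot: `sssd_public_t` is declared with `files_pid_file` although sssd.fc places it under /var/lib/sss/pubconf, and nothing in this module transitions objects that sssd_t creates inside `sssd_var_lib_t` directories into it, so anything the daemon writes to pubconf at runtime will inherit `sssd_var_lib_t` and be unreadable through `sssd_read_public_files` until a relabel (this assumes the daemon rather than the package creates that directory — confirm). If the toolchain supports named file transitions, add `filetrans_pattern(sssd_t, sssd_var_lib_t, sssd_public_t, dir, "pubconf")` next to the other `sssd_var_lib_t` rules; otherwise declare it with `files_type(sssd_public_t)` to match `sssd_var_lib_t` and document that the init script must restorecon it. Either way the declaration should carry a one-line comment saying it is a /var/lib type readable by other domains, since `files_pid_file` suggests /var/run.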
diff --git a/policy/modules/contrib/stunnel.fc b/policy/modules/contrib/stunnel.fc
new file mode 100644
index 00000000..50e29aa8
--- /dev/null
+++ b/policy/modules/contrib/stunnel.fc
@@ -0,0 +1,7 @@
+/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0)
+
+/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
+
+/usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
+
+/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
diff --git a/policy/modules/contrib/stunnel.if b/policy/modules/contrib/stunnel.if
new file mode 100644
index 00000000..6073656f
--- /dev/null
+++ b/policy/modules/contrib/stunnel.if
@@ -0,0 +1,25 @@
+## <summary>SSL Tunneling Proxy</summary>
+
+########################################
+## <summary>
+## Define the specified domain as a stunnel inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the stunnel inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`stunnel_service_domain',`
+ gen_require(`
+ type stunnel_t;
+ ')
+
+ domtrans_pattern(stunnel_t,$2,$1)
+ allow $1 stunnel_t:tcp_socket rw_socket_perms;
+')
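Review bot: `stunnel_service_domain` sets up the transition from stunnel_t into `$1` but never declares `role system_r types $1;`, whereas `tcpd_wrapped_domain` in this same series does; stunnel_t runs in system_r (see stunnel.te), so a service type not otherwise authorised for that role fails the transition with an invalid context. Add `role system_r;` to the gen_require block and `role system_r types $1;` after the domtrans_pattern line. The missing spaces after the commas in `domtrans_pattern(stunnel_t,$2,$1)` also differ from the `domtrans_pattern($1, tcpd_exec_t, tcpd_t)` style used in the rest of the diff.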
diff --git a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te
new file mode 100644
index 00000000..f646c666
--- /dev/null
+++ b/policy/modules/contrib/stunnel.te
@@ -0,0 +1,123 @@
+policy_module(stunnel, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type stunnel_t;
+domain_type(stunnel_t)
+role system_r types stunnel_t;
+
+type stunnel_exec_t;
+domain_entry_file(stunnel_t, stunnel_exec_t)
+
+ifdef(`distro_gentoo',`
+ init_daemon_domain(stunnel_t, stunnel_exec_t)
+',`
+ inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
+')
+
+type stunnel_etc_t;
+files_config_file(stunnel_etc_t)
+
+type stunnel_tmp_t;
+files_tmp_file(stunnel_tmp_t)
+
+type stunnel_var_run_t;
+files_pid_file(stunnel_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow stunnel_t self:capability { setgid setuid sys_chroot };
+allow stunnel_t self:process signal_perms;
+allow stunnel_t self:fifo_file rw_fifo_file_perms;
+allow stunnel_t self:tcp_socket create_stream_socket_perms;
+allow stunnel_t self:udp_socket create_socket_perms;
+
+allow stunnel_t stunnel_etc_t:dir list_dir_perms;
+allow stunnel_t stunnel_etc_t:file read_file_perms;
+allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
+
+manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
+manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
+files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
+
+manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
+manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
+files_pid_filetrans(stunnel_t, stunnel_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(stunnel_t)
+kernel_read_system_state(stunnel_t)
+kernel_read_network_state(stunnel_t)
+
+corecmd_exec_bin(stunnel_t)
+
+corenet_all_recvfrom_unlabeled(stunnel_t)
+corenet_all_recvfrom_netlabel(stunnel_t)
+corenet_tcp_sendrecv_generic_if(stunnel_t)
+corenet_udp_sendrecv_generic_if(stunnel_t)
+corenet_tcp_sendrecv_generic_node(stunnel_t)
+corenet_udp_sendrecv_generic_node(stunnel_t)
+corenet_tcp_sendrecv_all_ports(stunnel_t)
+corenet_udp_sendrecv_all_ports(stunnel_t)
+corenet_tcp_bind_generic_node(stunnel_t)
+corenet_tcp_connect_all_ports(stunnel_t)
+
+fs_getattr_all_fs(stunnel_t)
+
+auth_use_nsswitch(stunnel_t)
+
+logging_send_syslog_msg(stunnel_t)
+
+miscfiles_read_localization(stunnel_t)
+
+sysnet_read_config(stunnel_t)
+
+ifdef(`distro_gentoo', `
+ dontaudit stunnel_t self:capability sys_tty_config;
+ allow stunnel_t self:udp_socket create_socket_perms;
+
+ dev_read_sysfs(stunnel_t)
+
+ fs_search_auto_mountpoints(stunnel_t)
+
+ domain_use_interactive_fds(stunnel_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
+ userdom_dontaudit_search_user_home_dirs(stunnel_t)
+
+ optional_policy(`
+ daemontools_service_domain(stunnel_t, stunnel_exec_t)
+ ')
+
+ optional_policy(`
+ seutil_sigchld_newrole(stunnel_t)
+ ')
+
+ optional_policy(`
+ udev_read_db(stunnel_t)
+ ')
+',`
+ allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+ dev_read_urand(stunnel_t)
+
+ files_read_etc_files(stunnel_t)
+ files_read_etc_runtime_files(stunnel_t)
+ files_search_home(stunnel_t)
+
+ optional_policy(`
+ kerberos_use(stunnel_t)
+ ')
+')
+
+# hack since this port has no interfaces since it doesnt
+# have net_contexts
+gen_require(`
+ type stunnel_port_t;
+')
+allow stunnel_t stunnel_port_t:tcp_socket name_bind;
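Review bot: `allow stunnel_t self:udp_socket create_socket_perms;` appears once unconditionally and again inside the `distro_gentoo` branch, so the second copy is dead and should be dropped. More important for least privilege, `corenet_tcp_connect_all_ports(stunnel_t)` is granted unconditionally, letting the tunnel endpoint open outbound connections to any port; squid in this same series gates the equivalent behind a `squid_connect_any` tunable, and an analogous `stunnel_connect_any` boolean (declared with `gen_tunable` and wrapping the connect rule in `tunable_policy`) would let the common fixed-backend deployment keep the default tight. The bare `gen_require` of `stunnel_port_t` at the bottom is explained by its comment, but that explanation belongs as a TODO so the bypass of the corenet interface layer is revisited when a port interface exists.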
diff --git a/policy/modules/contrib/sxid.fc b/policy/modules/contrib/sxid.fc
new file mode 100644
index 00000000..bc3797bc
--- /dev/null
+++ b/policy/modules/contrib/sxid.fc
@@ -0,0 +1,6 @@
+/usr/bin/sxid -- gen_context(system_u:object_r:sxid_exec_t,s0)
+/usr/sbin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0)
+
+/var/log/setuid.* -- gen_context(system_u:object_r:sxid_log_t,s0)
+/var/log/setuid\.today.* -- gen_context(system_u:object_r:sxid_log_t,s0)
+/var/log/sxid\.log.* -- gen_context(system_u:object_r:sxid_log_t,s0)
diff --git a/policy/modules/contrib/sxid.if b/policy/modules/contrib/sxid.if
new file mode 100644
index 00000000..dd8ac62e
--- /dev/null
+++ b/policy/modules/contrib/sxid.if
@@ -0,0 +1,22 @@
+## <summary>SUID/SGID program monitoring</summary>
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## sxid log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sxid_read_log',`
+ gen_require(`
+ type sxid_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 sxid_log_t:file read_file_perms;
+')
diff --git a/policy/modules/contrib/sxid.te b/policy/modules/contrib/sxid.te
new file mode 100644
index 00000000..045fb862
--- /dev/null
+++ b/policy/modules/contrib/sxid.te
@@ -0,0 +1,97 @@
+policy_module(sxid, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type sxid_t;
+type sxid_exec_t;
+application_domain(sxid_t, sxid_exec_t)
+
+type sxid_log_t;
+logging_log_file(sxid_log_t)
+
+type sxid_tmp_t;
+files_tmp_file(sxid_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sxid_t self:capability { dac_override dac_read_search fsetid };
+dontaudit sxid_t self:capability { setuid setgid sys_tty_config };
+allow sxid_t self:process signal_perms;
+allow sxid_t self:fifo_file rw_fifo_file_perms;
+allow sxid_t self:tcp_socket create_stream_socket_perms;
+allow sxid_t self:udp_socket create_socket_perms;
+
+allow sxid_t sxid_log_t:file manage_file_perms;
+logging_log_filetrans(sxid_t, sxid_log_t, file)
+
+manage_dirs_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t)
+manage_files_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t)
+files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir })
+
+kernel_read_system_state(sxid_t)
+kernel_read_kernel_sysctls(sxid_t)
+
+corecmd_exec_bin(sxid_t)
+corecmd_exec_shell(sxid_t)
+
+corenet_all_recvfrom_unlabeled(sxid_t)
+corenet_all_recvfrom_netlabel(sxid_t)
+corenet_tcp_sendrecv_generic_if(sxid_t)
+corenet_udp_sendrecv_generic_if(sxid_t)
+corenet_tcp_sendrecv_generic_node(sxid_t)
+corenet_udp_sendrecv_generic_node(sxid_t)
+corenet_tcp_sendrecv_all_ports(sxid_t)
+corenet_udp_sendrecv_all_ports(sxid_t)
+
+dev_read_sysfs(sxid_t)
+dev_getattr_all_blk_files(sxid_t)
+dev_getattr_all_chr_files(sxid_t)
+
+domain_use_interactive_fds(sxid_t)
+
+files_list_all(sxid_t)
+files_getattr_all_symlinks(sxid_t)
+files_getattr_all_pipes(sxid_t)
+files_getattr_all_sockets(sxid_t)
+
+fs_getattr_xattr_fs(sxid_t)
+fs_search_auto_mountpoints(sxid_t)
+fs_list_all(sxid_t)
+
+term_dontaudit_use_console(sxid_t)
+
+auth_read_all_files_except_auth_files(sxid_t)
+auth_dontaudit_getattr_shadow(sxid_t)
+
+init_use_fds(sxid_t)
+init_use_script_ptys(sxid_t)
+
+logging_send_syslog_msg(sxid_t)
+
+miscfiles_read_localization(sxid_t)
+
+mount_exec(sxid_t)
+
+sysnet_read_config(sxid_t)
+
+userdom_dontaudit_use_unpriv_user_fds(sxid_t)
+
+cron_system_entry(sxid_t, sxid_exec_t)
+
+optional_policy(`
+ mta_send_mail(sxid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(sxid_t)
+')
+
+optional_policy(`
+ udev_read_db(sxid_t)
+')
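Review bot: `cron_system_entry(sxid_t, sxid_exec_t)` is called outside an `optional_policy` block, unlike the same call in squid.te and sysstat.te in this series, which makes the sxid module fail to link whenever the cron module is absent. Wrap it in `optional_policy(` … `)` exactly like the `mta_send_mail` call that follows it. The full tcp/udp send/receive rules on all ports look broad for a setuid-file scanner; if they exist only for the mail notification, the `mta_send_mail` transition should cover that and they could be removed — confirm against the denials that motivated them.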
diff --git a/policy/modules/contrib/sysstat.fc b/policy/modules/contrib/sysstat.fc
new file mode 100644
index 00000000..08d999cf
--- /dev/null
+++ b/policy/modules/contrib/sysstat.fc
@@ -0,0 +1,8 @@
+
+/usr/lib(64)?/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib(64)?/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib(64)?/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+
+/var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
+/var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
+/var/log/sysstat(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
diff --git a/policy/modules/contrib/sysstat.if b/policy/modules/contrib/sysstat.if
new file mode 100644
index 00000000..7a23b3b8
--- /dev/null
+++ b/policy/modules/contrib/sysstat.if
@@ -0,0 +1,21 @@
+## <summary>Policy for sysstat. Reports on various system states</summary>
+
+########################################
+## <summary>
+## Manage sysstat logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysstat_manage_log',`
+ gen_require(`
+ type sysstat_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, sysstat_log_t, sysstat_log_t)
+')
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
new file mode 100644
index 00000000..52f0d6c2
--- /dev/null
+++ b/policy/modules/contrib/sysstat.te
@@ -0,0 +1,70 @@
+policy_module(sysstat, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type sysstat_t;
+type sysstat_exec_t;
+init_system_domain(sysstat_t, sysstat_exec_t)
+role system_r types sysstat_t;
+
+type sysstat_log_t;
+logging_log_file(sysstat_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };
+dontaudit sysstat_t self:capability sys_admin;
+allow sysstat_t self:fifo_file rw_fifo_file_perms;
+
+can_exec(sysstat_t, sysstat_exec_t)
+
+manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
+logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
+
+# get info from /proc
+kernel_read_system_state(sysstat_t)
+kernel_read_network_state(sysstat_t)
+kernel_read_kernel_sysctls(sysstat_t)
+kernel_read_fs_sysctls(sysstat_t)
+kernel_read_rpc_sysctls(sysstat_t)
+
+corecmd_exec_bin(sysstat_t)
+
+dev_read_urand(sysstat_t)
+dev_read_sysfs(sysstat_t)
+
+files_search_var(sysstat_t)
+# for mtab
+files_read_etc_runtime_files(sysstat_t)
+#for fstab
+files_read_etc_files(sysstat_t)
+
+fs_getattr_xattr_fs(sysstat_t)
+fs_list_inotifyfs(sysstat_t)
+
+term_use_console(sysstat_t)
+term_use_all_terms(sysstat_t)
+
+init_use_fds(sysstat_t)
+
+locallogin_use_fds(sysstat_t)
+
+miscfiles_read_localization(sysstat_t)
+
+userdom_dontaudit_list_user_home_dirs(sysstat_t)
+
+optional_policy(`
+ cron_system_entry(sysstat_t, sysstat_exec_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(sysstat_t)
+')
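Review bot: The three `manage_*_pattern` lines for `sysstat_log_t` mix `(sysstat_t,sysstat_log_t,sysstat_log_t)` and `(sysstat_t, sysstat_log_t, sysstat_log_t)` spacing; the rest of the series uses the spaced form, so change the first and third to `manage_dirs_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` and `manage_lnk_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)`. `logging_send_syslog_msg(sysstat_t)` is wrapped in `optional_policy` here while every other module in this diff calls it unconditionally, so the wrapper is inconsistent and, since logging is a base module, unnecessary. `term_use_all_terms` together with `term_use_console` for a cron-driven statistics collector looks broader than needed; if it is only to let the sa1/sa2 scripts print errors, the specific terminal type or a dontaudit would be tighter — worth checking against the denials that motivated it.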
diff --git a/policy/modules/contrib/tcpd.fc b/policy/modules/contrib/tcpd.fc
new file mode 100644
index 00000000..2e8d7a1d
--- /dev/null
+++ b/policy/modules/contrib/tcpd.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0)
diff --git a/policy/modules/contrib/tcpd.if b/policy/modules/contrib/tcpd.if
new file mode 100644
index 00000000..2075ebb5
--- /dev/null
+++ b/policy/modules/contrib/tcpd.if
@@ -0,0 +1,45 @@
+## <summary>Policy for TCP daemon.</summary>
+
+########################################
+## <summary>
+## Execute tcpd in the tcpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tcpd_domtrans',`
+ gen_require(`
+ type tcpd_t, tcpd_exec_t;
+ ')
+
+ domtrans_pattern($1, tcpd_exec_t, tcpd_t)
+')
+
+########################################
+## <summary>
+## Create a domain for services that
+## utilize tcp wrappers.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`tcpd_wrapped_domain',`
+ gen_require(`
+ type tcpd_t;
+ role system_r;
+ ')
+
+ domtrans_pattern(tcpd_t, $2, $1)
+ role system_r types $1;
+')
diff --git a/policy/modules/contrib/tcpd.te b/policy/modules/contrib/tcpd.te
new file mode 100644
index 00000000..7038b559
--- /dev/null
+++ b/policy/modules/contrib/tcpd.te
@@ -0,0 +1,50 @@
+policy_module(tcpd, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+type tcpd_t;
+type tcpd_exec_t;
+inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
+role system_r types tcpd_t;
+
+type tcpd_tmp_t;
+files_tmp_file(tcpd_tmp_t)
+
+########################################
+#
+# Local policy
+#
+allow tcpd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
+
+corenet_all_recvfrom_unlabeled(tcpd_t)
+corenet_all_recvfrom_netlabel(tcpd_t)
+corenet_tcp_sendrecv_generic_if(tcpd_t)
+corenet_tcp_sendrecv_generic_node(tcpd_t)
+corenet_tcp_sendrecv_all_ports(tcpd_t)
+
+fs_getattr_xattr_fs(tcpd_t)
+
+# Run other daemons in the inetd child domain.
+corecmd_search_bin(tcpd_t)
+
+files_read_etc_files(tcpd_t)
+# no good reason for files_dontaudit_search_var, probably nscd
+files_dontaudit_search_var(tcpd_t)
+
+logging_send_syslog_msg(tcpd_t)
+
+miscfiles_read_localization(tcpd_t)
+
+sysnet_read_config(tcpd_t)
+
+inetd_domtrans_child(tcpd_t)
+
+optional_policy(`
+ nis_use_ypbind(tcpd_t)
+')
diff --git a/policy/modules/contrib/tcsd.fc b/policy/modules/contrib/tcsd.fc
new file mode 100644
index 00000000..1a6527cd
--- /dev/null
+++ b/policy/modules/contrib/tcsd.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/tcsd -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
+/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
+/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/tcsd.if b/policy/modules/contrib/tcsd.if
new file mode 100644
index 00000000..595f5a7e
--- /dev/null
+++ b/policy/modules/contrib/tcsd.if
@@ -0,0 +1,150 @@
+## <summary>TSS Core Services (TCS) daemon (tcsd) policy</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run tcsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tcsd_domtrans',`
+ gen_require(`
+ type tcsd_t, tcsd_exec_t;
+ ')
+
+ domtrans_pattern($1, tcsd_exec_t, tcsd_t)
+')
+
+########################################
+## <summary>
+## Execute tcsd server in the tcsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`tcsd_initrc_domtrans',`
+ gen_require(`
+ type tcsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, tcsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search tcsd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tcsd_search_lib',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ allow $1 tcsd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Manage tcsd lib dirs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tcsd_manage_lib_dirs',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read tcsd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tcsd_read_lib_files',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## tcsd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tcsd_manage_lib_files',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an tcsd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tcsd_admin',`
+ gen_require(`
+ type tcsd_t;
+ type tcsd_initrc_exec_t;
+ type tcsd_var_lib_t;
+ ')
+
+ allow $1 tcsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tcsd_t)
+
+ tcsd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 tcsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, tcsd_var_lib_t)
+')
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
new file mode 100644
index 00000000..ee9f3c6e
--- /dev/null
+++ b/policy/modules/contrib/tcsd.te
@@ -0,0 +1,50 @@
+policy_module(tcsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tcsd_t;
+type tcsd_exec_t;
+domain_type(tcsd_t)
+init_daemon_domain(tcsd_t, tcsd_exec_t)
+
+type tcsd_initrc_exec_t;
+init_script_file(tcsd_initrc_exec_t)
+
+type tcsd_var_lib_t;
+files_type(tcsd_var_lib_t)
+
+########################################
+#
+# tcsd local policy
+#
+
+allow tcsd_t self:capability { dac_override setuid };
+allow tcsd_t self:process { signal sigkill };
+allow tcsd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
+manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
+files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir })
+
+# Accept connections on the TCS port over loopback.
+corenet_all_recvfrom_unlabeled(tcsd_t)
+corenet_tcp_bind_generic_node(tcsd_t)
+corenet_tcp_bind_tcs_port(tcsd_t)
+
+dev_read_urand(tcsd_t)
+# Access /dev/tpm0.
+dev_rw_tpm(tcsd_t)
+
+files_read_etc_files(tcsd_t)
+files_read_usr_files(tcsd_t)
+
+auth_use_nsswitch(tcsd_t)
+
+logging_send_syslog_msg(tcsd_t)
+
+miscfiles_read_localization(tcsd_t)
+
+sysnet_dns_name_resolve(tcsd_t)
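Review bot: The comment `# Accept connections on the TCS port over loopback.` does not match the rules under it: `corenet_tcp_bind_generic_node(tcsd_t)` permits binding on any node, not just loopback, so the TPM core-services socket can be exposed on every interface if tcsd's own configuration allows it. If this policy version still provides a loopback-node bind interface, use it here; otherwise reword the comment to `# Bind the TCS port; limiting it to loopback is left to tcsd's own configuration.` so nobody reads the policy as enforcing that restriction. `domain_type(tcsd_t)` also appears redundant with `init_daemon_domain(tcsd_t, tcsd_exec_t)` directly below it, which already marks the type as a domain — sssd.te in this same series omits it.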
diff --git a/policy/modules/contrib/telepathy.fc b/policy/modules/contrib/telepathy.fc
new file mode 100644
index 00000000..b07ee196
--- /dev/null
+++ b/policy/modules/contrib/telepathy.fc
@@ -0,0 +1,18 @@
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
+HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
+HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
+HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
+
+/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
+/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
+/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0)
+/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
+/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0)
+/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
+/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
new file mode 100644
index 00000000..6bf75ef9
--- /dev/null
+++ b/policy/modules/contrib/telepathy.if
@@ -0,0 +1,178 @@
+## <summary>Telepathy communications framework.</summary>
+
+#######################################
+## <summary>
+## Creates basic types for telepathy
+## domain
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+#
+template(`telepathy_domain_template',`
+ gen_require(`
+ attribute telepathy_domain;
+ attribute telepathy_executable;
+ ')
+
+ type telepathy_$1_t, telepathy_domain;
+ type telepathy_$1_exec_t, telepathy_executable;
+ userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+
+ type telepathy_$1_tmp_t;
+ userdom_user_tmp_file(telepathy_$1_tmp_t)
+')
+
+#######################################
+## <summary>
+## Role access for telepathy domains
+### that executes via dbus-session
+## </summary>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`telepathy_role', `
+ gen_require(`
+ attribute telepathy_domain;
+ type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
+ type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
+ type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
+ type telepathy_sofiasip_exec_t, telepathy_idle_exec_t;
+ type telepathy_logger_t, telepathy_logger_exec_t;
+ type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
+ type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
+ type telepathy_msn_exec_t;
+ ')
+
+ role $1 types telepathy_domain;
+
+ allow $2 telepathy_domain:process signal_perms;
+ ps_process_pattern($2, telepathy_domain)
+
+ telepathy_gabble_stream_connect($2)
+ telepathy_msn_stream_connect($2)
+ telepathy_salut_stream_connect($2)
+
+ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
+ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
+ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
+ dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t)
+ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t)
+ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t)
+ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
+ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
+ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
+')
+
+########################################
+## <summary>
+## Stream connect to Telepathy Gabble
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_gabble_stream_connect', `
+ gen_require(`
+ type telepathy_gabble_t, telepathy_gabble_tmp_t;
+ ')
+
+ stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Send DBus messages to and from
+## Telepathy Gabble.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_gabble_dbus_chat', `
+ gen_require(`
+ type telepathy_gabble_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 telepathy_gabble_t:dbus send_msg;
+ allow telepathy_gabble_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read telepathy mission control state.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## Prefix to be used.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_mission_control_read_state',`
+ gen_require(`
+ type telepathy_mission_control_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, telepathy_mission_control_t)
+')
+
+#######################################
+## <summary>
+## Stream connect to telepathy MSN managers
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_msn_stream_connect', `
+ gen_require(`
+ type telepathy_msn_t, telepathy_msn_tmp_t;
+ ')
+
+ stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Stream connect to Telepathy Salut
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_salut_stream_connect', `
+ gen_require(`
+ type telepathy_salut_t, telepathy_salut_tmp_t;
+ ')
+
+ stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
+ files_search_tmp($1)
+')
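Review bot: `telepathy_role` expands `$3` in every `dbus_session_domain(...)` call (L188525–L188533) but its header documents only two parameters, `user_role` and `user_domain`, so the third argument is undocumented and the generated interface docs will not mention it. Add a third param block, presumably the user prefix the per-user session bus types are built from: `## <param name="user_prefix"><summary>The prefix of the user domain (e.g. user, staff).</summary></param>` — confirm against `dbus_session_domain`'s own signature. Two smaller doc defects in the same file: `### that executes via dbus-session` (L188490) has three hashes, which drops that line from the XML summary, so it should read `## that executes via dbus-session`; and `telepathy_mission_control_read_state` documents a `role_prefix` parameter it never uses (only `$1` appears), so that param block should be removed.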
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
new file mode 100644
index 00000000..ad6a38d8
--- /dev/null
+++ b/policy/modules/contrib/telepathy.te
@@ -0,0 +1,380 @@
+policy_module(telepathy, 1.2.0)
+
+########################################
+#
+# Declarations.
+#
+
+## <desc>
+## <p>
+## Allow the Telepathy connection managers
+## to connect to any generic TCP port.
+## </p>
+## </desc>
+gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
+
+## <desc>
+## <p>
+## Allow the Telepathy connection managers
+## to connect to any network port.
+## </p>
+## </desc>
+gen_tunable(telepathy_connect_all_ports, false)
+
+attribute telepathy_domain;
+attribute telepathy_executable;
+
+telepathy_domain_template(gabble)
+
+type telepathy_gabble_cache_home_t;
+userdom_user_home_content(telepathy_gabble_cache_home_t)
+
+telepathy_domain_template(idle)
+telepathy_domain_template(logger)
+
+type telepathy_logger_cache_home_t;
+userdom_user_home_content(telepathy_logger_cache_home_t)
+
+type telepathy_logger_data_home_t;
+userdom_user_home_content(telepathy_logger_data_home_t)
+
+telepathy_domain_template(mission_control)
+
+type telepathy_mission_control_home_t;
+userdom_user_home_content(telepathy_mission_control_home_t)
+
+type telepathy_mission_control_cache_home_t;
+userdom_user_home_content(telepathy_mission_control_cache_home_t)
+
+telepathy_domain_template(msn)
+telepathy_domain_template(salut)
+telepathy_domain_template(sofiasip)
+telepathy_domain_template(stream_engine)
+telepathy_domain_template(sunshine)
+
+type telepathy_sunshine_home_t;
+userdom_user_home_content(telepathy_sunshine_home_t)
+
+#######################################
+#
+# Telepathy Gabble local policy.
+#
+
+allow telepathy_gabble_t self:tcp_socket create_stream_socket_perms;
+allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto };
+
+manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
+manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
+files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
+
+corenet_all_recvfrom_netlabel(telepathy_gabble_t)
+corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
+corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
+corenet_tcp_sendrecv_generic_node(telepathy_gabble_t)
+corenet_tcp_connect_http_port(telepathy_gabble_t)
+corenet_tcp_connect_jabber_client_port(telepathy_gabble_t)
+corenet_tcp_connect_vnc_port(telepathy_gabble_t)
+corenet_sendrecv_http_client_packets(telepathy_gabble_t)
+corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
+corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
+
+dev_read_rand(telepathy_gabble_t)
+
+files_read_config_files(telepathy_gabble_t)
+files_read_usr_files(telepathy_gabble_t)
+
+fs_getattr_all_fs(telepathy_gabble_t)
+
+miscfiles_read_all_certs(telepathy_gabble_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_gabble_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_gabble_t)
+ corenet_udp_sendrecv_all_ports(telepathy_gabble_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_gabble_t)
+ corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_gabble_t)
+ fs_manage_nfs_files(telepathy_gabble_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_gabble_t)
+ fs_manage_cifs_files(telepathy_gabble_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_gabble_t)
+')
+
+#######################################
+#
+# Telepathy Idle local policy.
+#
+
+corenet_all_recvfrom_netlabel(telepathy_idle_t)
+corenet_all_recvfrom_unlabeled(telepathy_idle_t)
+corenet_tcp_sendrecv_generic_if(telepathy_idle_t)
+corenet_tcp_sendrecv_generic_node(telepathy_idle_t)
+corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
+corenet_tcp_connect_ircd_port(telepathy_idle_t)
+corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
+
+dev_read_rand(telepathy_idle_t)
+
+files_read_etc_files(telepathy_idle_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_idle_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_idle_t)
+ corenet_udp_sendrecv_all_ports(telepathy_idle_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_idle_t)
+ corenet_sendrecv_generic_client_packets(telepathy_idle_t)
+')
+
+#######################################
+#
+# Telepathy Logger local policy.
+#
+
+allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
+
+manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
+
+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
+manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
+
+files_read_etc_files(telepathy_logger_t)
+files_read_usr_files(telepathy_logger_t)
+files_search_pids(telepathy_logger_t)
+
+fs_getattr_all_fs(telepathy_logger_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_logger_t)
+ fs_manage_nfs_files(telepathy_logger_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_logger_t)
+ fs_manage_cifs_files(telepathy_logger_t)
+')
+
+#######################################
+#
+# Telepathy Mission-Control local policy.
+#
+
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
+userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
+
+dev_read_rand(telepathy_mission_control_t)
+
+fs_getattr_all_fs(telepathy_mission_control_t)
+
+files_read_etc_files(telepathy_mission_control_t)
+files_read_usr_files(telepathy_mission_control_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_mission_control_t)
+ fs_manage_nfs_files(telepathy_mission_control_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_mission_control_t)
+ fs_manage_cifs_files(telepathy_mission_control_t)
+')
+
+#######################################
+#
+# Telepathy Butterfly and Haze local policy.
+#
+
+allow telepathy_msn_t self:process setsched;
+allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+
+manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+
+corenet_all_recvfrom_netlabel(telepathy_msn_t)
+corenet_all_recvfrom_unlabeled(telepathy_msn_t)
+corenet_tcp_sendrecv_generic_if(telepathy_msn_t)
+corenet_tcp_sendrecv_generic_node(telepathy_msn_t)
+corenet_tcp_bind_generic_node(telepathy_msn_t)
+corenet_tcp_connect_http_port(telepathy_msn_t)
+corenet_tcp_connect_mmcc_port(telepathy_msn_t)
+corenet_tcp_connect_msnp_port(telepathy_msn_t)
+corenet_tcp_connect_sip_port(telepathy_msn_t)
+corenet_sendrecv_http_client_packets(telepathy_msn_t)
+corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
+corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
+
+corecmd_exec_bin(telepathy_msn_t)
+corecmd_exec_shell(telepathy_msn_t)
+corecmd_read_bin_symlinks(telepathy_msn_t)
+
+files_read_etc_files(telepathy_msn_t)
+files_read_usr_files(telepathy_msn_t)
+
+libs_exec_ldconfig(telepathy_msn_t)
+
+logging_send_syslog_msg(telepathy_msn_t)
+
+miscfiles_read_all_certs(telepathy_msn_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_msn_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_msn_t)
+ corenet_udp_sendrecv_all_ports(telepathy_msn_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_msn_t)
+ corenet_sendrecv_generic_client_packets(telepathy_msn_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_msn_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(telepathy_msn_t)
+ ')
+')
+
+#######################################
+#
+# Telepathy Salut local policy.
+#
+
+allow telepathy_salut_t self:tcp_socket create_stream_socket_perms;
+
+manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t)
+files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
+
+corenet_all_recvfrom_netlabel(telepathy_salut_t)
+corenet_all_recvfrom_unlabeled(telepathy_salut_t)
+corenet_tcp_sendrecv_generic_if(telepathy_salut_t)
+corenet_tcp_sendrecv_generic_node(telepathy_salut_t)
+corenet_tcp_bind_generic_node(telepathy_salut_t)
+corenet_tcp_bind_presence_port(telepathy_salut_t)
+corenet_tcp_connect_presence_port(telepathy_salut_t)
+corenet_sendrecv_presence_server_packets(telepathy_salut_t)
+
+files_read_etc_files(telepathy_salut_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_salut_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_salut_t)
+ corenet_udp_sendrecv_all_ports(telepathy_salut_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_salut_t)
+ corenet_sendrecv_generic_client_packets(telepathy_salut_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_salut_t)
+
+ optional_policy(`
+ avahi_dbus_chat(telepathy_salut_t)
+ ')
+')
+
+#######################################
+#
+# Telepathy Sofiasip local policy.
+#
+
+allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen };
+allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms;
+
+corenet_all_recvfrom_netlabel(telepathy_sofiasip_t)
+corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t)
+corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
+corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
+corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
+corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t)
+corenet_tcp_bind_generic_node(telepathy_sofiasip_t)
+corenet_raw_bind_generic_node(telepathy_sofiasip_t)
+corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)
+corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)
+corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
+corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
+
+kernel_request_load_module(telepathy_sofiasip_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_sofiasip_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
+ corenet_udp_sendrecv_all_ports(telepathy_sofiasip_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_sofiasip_t)
+ corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
+')
+
+#######################################
+#
+# Telepathy Sunshine local policy.
+#
+
+manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file })
+userdom_search_user_home_dirs(telepathy_sunshine_t)
+
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
+
+corecmd_exec_bin(telepathy_sunshine_t)
+
+files_read_etc_files(telepathy_sunshine_t)
+files_read_usr_files(telepathy_sunshine_t)
+
+optional_policy(`
+ xserver_read_xdm_pid(telepathy_sunshine_t)
+ xserver_stream_connect(telepathy_sunshine_t)
+')
+
+#######################################
+#
+# telepathy domains common policy
+#
+
+allow telepathy_domain self:process { getsched signal sigkill };
+allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+allow telepathy_domain self:tcp_socket create_socket_perms;
+allow telepathy_domain self:udp_socket create_socket_perms;
+
+dev_read_urand(telepathy_domain)
+
+kernel_read_system_state(telepathy_domain)
+
+fs_search_auto_mountpoints(telepathy_domain)
+
+auth_use_nsswitch(telepathy_domain)
+
+miscfiles_read_localization(telepathy_domain)
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
+')
+
+optional_policy(`
+ xserver_rw_xdm_pipes(telepathy_domain)
+')
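Review bot: `telepathy_gabble_cache_home_t` (L188671) and `telepathy_mission_control_cache_home_t` (L188688) are declared and given file contexts in telepathy.fc, yet no rule in this module lets `telepathy_gabble_t` or `telepathy_mission_control_t` touch them, so with these labels in place the cache writes under `~/.cache/telepathy/gabble`, `~/.cache/wocky` and `~/.cache/.mc_connections` will be denied. Add, next to the other home-content rules, `manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)`, `manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)` and `manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)` (plus whatever search access to `~/.cache` those domains currently lack — I cannot see it granted here). Separately, the `telepathy_connect_all_ports` description says "connect to any network port" but the tunable body grants TCP connect plus TCP/UDP sendrecv on all ports, not UDP connect; the `<desc>` should say so, since that is what an admin turns on.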
diff --git a/policy/modules/contrib/telnet.fc b/policy/modules/contrib/telnet.fc
new file mode 100644
index 00000000..7405170a
--- /dev/null
+++ b/policy/modules/contrib/telnet.fc
@@ -0,0 +1,4 @@
+
+/usr/sbin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
+
+/usr/kerberos/sbin/telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
diff --git a/policy/modules/contrib/telnet.if b/policy/modules/contrib/telnet.if
new file mode 100644
index 00000000..58e7ec00
--- /dev/null
+++ b/policy/modules/contrib/telnet.if
@@ -0,0 +1 @@
+## <summary>Telnet daemon</summary>
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
new file mode 100644
index 00000000..6de3d82e
--- /dev/null
+++ b/policy/modules/contrib/telnet.te
@@ -0,0 +1,102 @@
+policy_module(telnet, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type telnetd_t;
+type telnetd_exec_t;
+inetd_service_domain(telnetd_t, telnetd_exec_t)
+role system_r types telnetd_t;
+
+type telnetd_devpts_t; #, userpty_type;
+term_login_pty(telnetd_devpts_t)
+
+type telnetd_tmp_t;
+files_tmp_file(telnetd_tmp_t)
+
+type telnetd_var_run_t;
+files_pid_file(telnetd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow telnetd_t self:process signal_perms;
+allow telnetd_t self:fifo_file rw_fifo_file_perms;
+allow telnetd_t self:tcp_socket connected_stream_socket_perms;
+allow telnetd_t self:udp_socket create_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow telnetd_t self:capability { setuid setgid };
+
+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(telnetd_t, telnetd_devpts_t)
+
+manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
+
+manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
+files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
+
+kernel_read_kernel_sysctls(telnetd_t)
+kernel_read_system_state(telnetd_t)
+kernel_read_network_state(telnetd_t)
+
+corenet_all_recvfrom_unlabeled(telnetd_t)
+corenet_all_recvfrom_netlabel(telnetd_t)
+corenet_tcp_sendrecv_generic_if(telnetd_t)
+corenet_udp_sendrecv_generic_if(telnetd_t)
+corenet_tcp_sendrecv_generic_node(telnetd_t)
+corenet_udp_sendrecv_generic_node(telnetd_t)
+corenet_tcp_sendrecv_all_ports(telnetd_t)
+corenet_udp_sendrecv_all_ports(telnetd_t)
+
+dev_read_urand(telnetd_t)
+
+domain_interactive_fd(telnetd_t)
+
+fs_getattr_xattr_fs(telnetd_t)
+
+auth_rw_login_records(telnetd_t)
+auth_use_nsswitch(telnetd_t)
+
+corecmd_search_bin(telnetd_t)
+
+files_read_usr_files(telnetd_t)
+files_read_etc_files(telnetd_t)
+files_read_etc_runtime_files(telnetd_t)
+# for identd; cjp: this should probably only be inetd_child rules?
+files_search_home(telnetd_t)
+
+init_rw_utmp(telnetd_t)
+
+logging_send_syslog_msg(telnetd_t)
+
+miscfiles_read_localization(telnetd_t)
+
+seutil_read_config(telnetd_t)
+
+userdom_search_user_home_dirs(telnetd_t)
+userdom_setattr_user_ptys(telnetd_t)
+
+optional_policy(`
+ kerberos_keytab_template(telnetd, telnetd_t)
+ kerberos_manage_host_rcache(telnetd_t)
+')
+
+optional_policy(`
+ remotelogin_domtrans(telnetd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(telnetd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(telnetd_t)
+')
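Review bot: The self capability rule is split across two statements (L189072 and L189079), which makes the full capability set of `telnetd_t` easy to misread; merge them into one line, `allow telnetd_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };`, and drop L189079. The dead `#, userpty_type;` fragment on the `telnetd_devpts_t` declaration (L189058) is also worth removing, or replacing with a comment stating why the attribute is not applied. The two `# for identd; cjp: ...` comments carry an open question as policy; either resolve it or reword it as a TODO so it is findable.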
diff --git a/policy/modules/contrib/tftp.fc b/policy/modules/contrib/tftp.fc
new file mode 100644
index 00000000..25eee439
--- /dev/null
+++ b/policy/modules/contrib/tftp.fc
@@ -0,0 +1,8 @@
+
+/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+
+/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
+
+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
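Review bot: The two `/tftpboot` entries (L189158–L189159) can be a single `/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)`, which is the form used for `/var/lib/tftpboot` on L189161 and avoids the directory being matched by a different rule than its contents. This is style only; the resulting labels are the same.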
diff --git a/policy/modules/contrib/tftp.if b/policy/modules/contrib/tftp.if
new file mode 100644
index 00000000..38bb3127
--- /dev/null
+++ b/policy/modules/contrib/tftp.if
@@ -0,0 +1,67 @@
+## <summary>Trivial file transfer protocol daemon</summary>
+
+########################################
+## <summary>
+## Read tftp content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tftp_read_content',`
+ gen_require(`
+ type tftpdir_t;
+ ')
+
+ read_files_pattern($1, tftpdir_t, tftpdir_t)
+')
+
+########################################
+## <summary>
+## Manage tftp /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tftp_manage_rw_content',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an tftp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tftp_admin',`
+ gen_require(`
+ type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
+ ')
+
+ allow $1 tftpd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, tftpd_t)
+
+ admin_pattern($1, tftpdir_rw_t)
+
+ admin_pattern($1, tftpdir_t)
+
+ files_list_pids($1)
+ admin_pattern($1, tftpd_var_run_t)
+')
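Review bot: `tftp_manage_rw_content` grants dir and file management on `tftpdir_rw_t` but not symlinks, while tftp.te gives `tftpd_t` itself `manage_lnk_files_pattern` on the same type (L189287), so a domain using this interface cannot clean up links the daemon created. Add `manage_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)` after L189205, or document why links are excluded. Typo in the `tftp_admin` summary: `an tftp environment` should read `a tftp environment`.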
diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te
new file mode 100644
index 00000000..d50c10d0
--- /dev/null
+++ b/policy/modules/contrib/tftp.te
@@ -0,0 +1,106 @@
+policy_module(tftp, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow tftp to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(tftp_anon_write, false)
+
+type tftpd_t;
+type tftpd_exec_t;
+init_daemon_domain(tftpd_t, tftpd_exec_t)
+
+type tftpd_var_run_t;
+files_pid_file(tftpd_var_run_t)
+
+type tftpdir_t;
+files_type(tftpdir_t)
+
+type tftpdir_rw_t;
+files_type(tftpdir_rw_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tftpd_t self:capability { setgid setuid sys_chroot };
+allow tftpd_t self:tcp_socket create_stream_socket_perms;
+allow tftpd_t self:udp_socket create_socket_perms;
+allow tftpd_t self:unix_dgram_socket create_socket_perms;
+allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit tftpd_t self:capability sys_tty_config;
+
+allow tftpd_t tftpdir_t:dir list_dir_perms;
+allow tftpd_t tftpdir_t:file read_file_perms;
+allow tftpd_t tftpdir_t:lnk_file { getattr read };
+
+manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+
+manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
+files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
+
+kernel_read_system_state(tftpd_t)
+kernel_read_kernel_sysctls(tftpd_t)
+
+corenet_all_recvfrom_unlabeled(tftpd_t)
+corenet_all_recvfrom_netlabel(tftpd_t)
+corenet_tcp_sendrecv_generic_if(tftpd_t)
+corenet_udp_sendrecv_generic_if(tftpd_t)
+corenet_tcp_sendrecv_generic_node(tftpd_t)
+corenet_udp_sendrecv_generic_node(tftpd_t)
+corenet_tcp_sendrecv_all_ports(tftpd_t)
+corenet_udp_sendrecv_all_ports(tftpd_t)
+corenet_tcp_bind_generic_node(tftpd_t)
+corenet_udp_bind_generic_node(tftpd_t)
+corenet_udp_bind_tftp_port(tftpd_t)
+corenet_sendrecv_tftp_server_packets(tftpd_t)
+
+dev_read_sysfs(tftpd_t)
+
+fs_getattr_all_fs(tftpd_t)
+fs_search_auto_mountpoints(tftpd_t)
+
+domain_use_interactive_fds(tftpd_t)
+
+files_read_etc_files(tftpd_t)
+files_read_etc_runtime_files(tftpd_t)
+files_read_var_files(tftpd_t)
+files_read_var_symlinks(tftpd_t)
+files_search_var(tftpd_t)
+
+auth_use_nsswitch(tftpd_t)
+
+logging_send_syslog_msg(tftpd_t)
+
+miscfiles_read_localization(tftpd_t)
+miscfiles_read_public_files(tftpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
+userdom_dontaudit_use_user_terminals(tftpd_t)
+userdom_dontaudit_search_user_home_dirs(tftpd_t)
+
+tunable_policy(`tftp_anon_write',`
+ miscfiles_manage_public_files(tftpd_t)
+')
+
+optional_policy(`
+ inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(tftpd_t)
+')
+
+optional_policy(`
+ udev_read_db(tftpd_t)
+')
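Review bot: Writes to `tftpdir_rw_t`, including symlink creation (L189285–L189287), are unconditional, while writes to public content are gated behind `tftp_anon_write` (L189332); since TFTP has no client authentication, anyone who can reach the port can create files and links under `/var/lib/tftpboot` regardless of the tunable, which is easy to miss when reading the tunable's description. If that asymmetry is intended, a comment above L189285 should say so, e.g. `# /var/lib/tftpboot is always writable by the daemon; tftp_anon_write only gates public_content_rw_t`; if not, the `manage_*` rules belong inside the tunable. Please also confirm `manage_lnk_files_pattern` is actually needed by atftpd/in.tftpd — a symlink-creating upload path in an unauthenticated service deserves a stated reason.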
diff --git a/policy/modules/contrib/tgtd.fc b/policy/modules/contrib/tgtd.fc
new file mode 100644
index 00000000..8294f6fc
--- /dev/null
+++ b/policy/modules/contrib/tgtd.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if
new file mode 100644
index 00000000..c2ed23a8
--- /dev/null
+++ b/policy/modules/contrib/tgtd.if
@@ -0,0 +1,46 @@
+## <summary>Linux Target Framework Daemon.</summary>
+## <desc>
+## <p>
+## Linux target framework (tgt) aims to simplify various
+## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
+## and maintenance. Our key goals are the clean integration into
+## the scsi-mid layer and implementing a great portion of tgt
+## in user space.
+## </p>
+## </desc>
+
+#####################################
+## <summary>
+## Allow read and write access to tgtd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tgtd_rw_semaphores',`
+ gen_require(`
+ type tgtd_t;
+ ')
+
+ allow $1 tgtd_t:sem rw_sem_perms;
+')
+
+######################################
+## <summary>
+## Manage tgtd sempaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tgtd_manage_semaphores',`
+ gen_require(`
+ type tgtd_t;
+ ')
+
+ allow $1 tgtd_t:sem create_sem_perms;
+')
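Review bot: Typo in the `tgtd_manage_semaphores` summary: `Manage tgtd sempaphores.` should read `Manage tgtd semaphores.`. The two interfaces are otherwise fine as written.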
diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te
new file mode 100644
index 00000000..80fe75ce
--- /dev/null
+++ b/policy/modules/contrib/tgtd.te
@@ -0,0 +1,66 @@
+policy_module(tgtd, 1.2.0)
+
+########################################
+#
+# TGTD personal declarations.
+#
+
+type tgtd_t;
+type tgtd_exec_t;
+init_daemon_domain(tgtd_t, tgtd_exec_t)
+
+type tgtd_initrc_exec_t;
+init_script_file(tgtd_initrc_exec_t)
+
+type tgtd_tmp_t;
+files_tmp_file(tgtd_tmp_t)
+
+type tgtd_tmpfs_t;
+files_tmpfs_file(tgtd_tmpfs_t)
+
+type tgtd_var_lib_t;
+files_type(tgtd_var_lib_t)
+
+########################################
+#
+# TGTD personal policy.
+#
+
+allow tgtd_t self:capability sys_resource;
+allow tgtd_t self:process { setrlimit signal };
+allow tgtd_t self:fifo_file rw_fifo_file_perms;
+allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow tgtd_t self:shm create_shm_perms;
+allow tgtd_t self:sem create_sem_perms;
+allow tgtd_t self:tcp_socket create_stream_socket_perms;
+allow tgtd_t self:udp_socket create_socket_perms;
+allow tgtd_t self:unix_dgram_socket create_socket_perms;
+
+manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
+files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file })
+
+manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
+fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
+
+manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
+
+kernel_read_fs_sysctls(tgtd_t)
+
+corenet_all_recvfrom_netlabel(tgtd_t)
+corenet_all_recvfrom_unlabeled(tgtd_t)
+corenet_tcp_sendrecv_generic_if(tgtd_t)
+corenet_tcp_sendrecv_generic_node(tgtd_t)
+corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+corenet_tcp_bind_generic_node(tgtd_t)
+corenet_tcp_bind_iscsi_port(tgtd_t)
+corenet_sendrecv_iscsi_server_packets(tgtd_t)
+
+files_read_etc_files(tgtd_t)
+
+storage_manage_fixed_disk(tgtd_t)
+
+logging_send_syslog_msg(tgtd_t)
+
+miscfiles_read_localization(tgtd_t)
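Review bot: `storage_manage_fixed_disk(tgtd_t)` (L189475) grants read/write on every fixed-disk device node on the host, and nothing in the file says why a network-facing daemon needs that breadth. Add a why-comment above it, e.g. `# tgtd serves block devices as SCSI targets and must open the backing disks read/write`, so the scope is understood as deliberate. Note also that `tgtd_initrc_exec_t` is declared and labeled but tgtd.if offers no admin interface that references it, so only a domain with generic init-script access can start or stop it; that may be intended, but confirm.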
diff --git a/policy/modules/contrib/thunderbird.fc b/policy/modules/contrib/thunderbird.fc
new file mode 100644
index 00000000..fb43a7b4
--- /dev/null
+++ b/policy/modules/contrib/thunderbird.fc
@@ -0,0 +1,6 @@
+#
+# /usr
+#
+/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0)
diff --git a/policy/modules/contrib/thunderbird.if b/policy/modules/contrib/thunderbird.if
new file mode 100644
index 00000000..a76e9f94
--- /dev/null
+++ b/policy/modules/contrib/thunderbird.if
@@ -0,0 +1,63 @@
+## <summary>Thunderbird email client</summary>
+
+########################################
+## <summary>
+## Role access for thunderbird
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`thunderbird_role',`
+ gen_require(`
+ type thunderbird_t, thunderbird_exec_t;
+ type thunderbird_home_t, thunderbird_tmpfs_t;
+ ')
+
+ role $1 types thunderbird_t;
+
+ domain_auto_trans($2, thunderbird_exec_t, thunderbird_t)
+ allow $2 thunderbird_t:fd use;
+ allow $2 thunderbird_t:shm { associate getattr };
+ allow $2 thunderbird_t:unix_stream_socket connectto;
+ allow thunderbird_t $2:fd use;
+ allow thunderbird_t $2:process sigchld;
+ allow thunderbird_t $2:unix_stream_socket connectto;
+
+ # allow ps to show thunderbird and allow the user to kill it
+ ps_process_pattern($2, thunderbird_t)
+ allow $2 thunderbird_t:process signal;
+
+ # Access ~/.thunderbird
+ manage_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ manage_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ manage_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ relabel_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ relabel_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ relabel_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+')
+
+########################################
+## <summary>
+## Run thunderbird in the user thunderbird domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`thunderbird_domtrans',`
+ gen_require(`
+ type thunderbird_t, thunderbird_exec_t;
+ ')
+
+ domtrans_pattern($1, thunderbird_exec_t, thunderbird_t)
+')
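Review bot: `thunderbird_role` uses the legacy `domain_auto_trans($2, thunderbird_exec_t, thunderbird_t)` (L189523) while `thunderbird_domtrans` in the same file uses `domtrans_pattern`; the two forms are not interchangeable in the extra rules they carry, and the module already has an interface for exactly this, so L189523 should be `thunderbird_domtrans($2)`. The `gen_require` on L189518 also pulls in `thunderbird_tmpfs_t`, which nothing in the body references, so it can be dropped. The comment on L189531 says "allow the user to kill it" but L189533 grants only `signal`; if SIGKILL is intended, use `signal_perms` (or add `sigkill`), otherwise reword the comment.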
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
new file mode 100644
index 00000000..bf37d98b
--- /dev/null
+++ b/policy/modules/contrib/thunderbird.te
@@ -0,0 +1,208 @@
+policy_module(thunderbird, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type thunderbird_t;
+type thunderbird_exec_t;
+typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t };
+typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t };
+userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)
+
+type thunderbird_home_t;
+typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
+typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
+userdom_user_home_content(thunderbird_home_t)
+
+type thunderbird_tmpfs_t;
+typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t };
+typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t };
+userdom_user_tmpfs_file(thunderbird_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow thunderbird_t self:capability sys_nice;
+allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };
+allow thunderbird_t self:fifo_file { ioctl read write getattr };
+allow thunderbird_t self:unix_dgram_socket { create connect };
+allow thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
+allow thunderbird_t self:tcp_socket create_socket_perms;
+allow thunderbird_t self:shm { read write create destroy unix_read unix_write };
+
+# Access ~/.thunderbird
+manage_dirs_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+userdom_search_user_home_dirs(thunderbird_t)
+
+manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Allow netstat
+kernel_read_network_state(thunderbird_t)
+kernel_read_net_sysctls(thunderbird_t)
+kernel_read_system_state(thunderbird_t)
+
+# Startup shellscript
+corecmd_exec_shell(thunderbird_t)
+
+corenet_all_recvfrom_unlabeled(thunderbird_t)
+corenet_all_recvfrom_netlabel(thunderbird_t)
+corenet_tcp_sendrecv_generic_if(thunderbird_t)
+corenet_tcp_sendrecv_generic_node(thunderbird_t)
+corenet_tcp_sendrecv_ipp_port(thunderbird_t)
+corenet_tcp_sendrecv_ldap_port(thunderbird_t)
+corenet_tcp_sendrecv_innd_port(thunderbird_t)
+corenet_tcp_sendrecv_smtp_port(thunderbird_t)
+corenet_tcp_sendrecv_pop_port(thunderbird_t)
+corenet_tcp_sendrecv_http_port(thunderbird_t)
+corenet_tcp_connect_ipp_port(thunderbird_t)
+corenet_tcp_connect_ldap_port(thunderbird_t)
+corenet_tcp_connect_innd_port(thunderbird_t)
+corenet_tcp_connect_smtp_port(thunderbird_t)
+corenet_tcp_connect_pop_port(thunderbird_t)
+corenet_tcp_connect_http_port(thunderbird_t)
+corenet_sendrecv_ipp_client_packets(thunderbird_t)
+corenet_sendrecv_ldap_client_packets(thunderbird_t)
+corenet_sendrecv_innd_client_packets(thunderbird_t)
+corenet_sendrecv_smtp_client_packets(thunderbird_t)
+corenet_sendrecv_pop_client_packets(thunderbird_t)
+corenet_sendrecv_http_client_packets(thunderbird_t)
+
+dev_read_urand(thunderbird_t)
+dev_dontaudit_search_sysfs(thunderbird_t)
+
+files_list_tmp(thunderbird_t)
+files_read_usr_files(thunderbird_t)
+files_read_etc_files(thunderbird_t)
+files_read_etc_runtime_files(thunderbird_t)
+files_read_var_files(thunderbird_t)
+files_read_var_symlinks(thunderbird_t)
+files_dontaudit_getattr_all_tmp_files(thunderbird_t)
+files_dontaudit_getattr_boot_dirs(thunderbird_t)
+files_dontaudit_getattr_lost_found_dirs(thunderbird_t)
+files_dontaudit_search_mnt(thunderbird_t)
+
+fs_getattr_xattr_fs(thunderbird_t)
+fs_list_inotifyfs(thunderbird_t)
+# Access ~/.thunderbird
+fs_search_auto_mountpoints(thunderbird_t)
+
+auth_use_nsswitch(thunderbird_t)
+
+miscfiles_read_fonts(thunderbird_t)
+miscfiles_read_localization(thunderbird_t)
+
+userdom_manage_user_tmp_dirs(thunderbird_t)
+userdom_read_user_tmp_files(thunderbird_t)
+userdom_manage_user_tmp_sockets(thunderbird_t)
+# .kde/....gtkrc
+userdom_read_user_home_content_files(thunderbird_t)
+
+xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
+xserver_read_xdm_tmp_files(thunderbird_t)
+xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
+
+# Access ~/.thunderbird
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(thunderbird_t)
+ fs_manage_nfs_files(thunderbird_t)
+ fs_manage_nfs_symlinks(thunderbird_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(thunderbird_t)
+ fs_manage_cifs_files(thunderbird_t)
+ fs_manage_cifs_symlinks(thunderbird_t)
+')
+
+tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+ files_list_home(thunderbird_t)
+
+ fs_list_auto_mountpoints(thunderbird_t)
+ fs_read_nfs_files(thunderbird_t)
+ fs_read_nfs_symlinks(thunderbird_t)
+',`
+ files_dontaudit_list_home(thunderbird_t)
+
+ fs_dontaudit_list_auto_mountpoints(thunderbird_t)
+ fs_dontaudit_list_nfs(thunderbird_t)
+ fs_dontaudit_read_nfs_files(thunderbird_t)
+')
+
+tunable_policy(`mail_read_content && use_samba_home_dirs',`
+ files_list_home(thunderbird_t)
+
+ fs_list_auto_mountpoints(thunderbird_t)
+ fs_read_cifs_files(thunderbird_t)
+ fs_read_cifs_symlinks(thunderbird_t)
+',`
+ files_dontaudit_list_home(thunderbird_t)
+
+ fs_dontaudit_list_auto_mountpoints(thunderbird_t)
+ fs_dontaudit_read_cifs_files(thunderbird_t)
+ fs_dontaudit_list_cifs(thunderbird_t)
+')
+
+tunable_policy(`mail_read_content',`
+ userdom_list_user_tmp(thunderbird_t)
+ userdom_read_user_tmp_files(thunderbird_t)
+ userdom_read_user_tmp_symlinks(thunderbird_t)
+ userdom_search_user_home_dirs(thunderbird_t)
+ userdom_read_user_home_content_files(thunderbird_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(thunderbird_t)
+ fs_read_removable_files(thunderbird_t)
+ fs_read_removable_symlinks(thunderbird_t)
+ ')
+',`
+ files_dontaudit_list_tmp(thunderbird_t)
+ files_dontaudit_list_home(thunderbird_t)
+
+ fs_dontaudit_list_removable(thunderbird_t)
+ fs_dontaudit_read_removable_files(thunderbird_t)
+
+ userdom_dontaudit_list_user_tmp(thunderbird_t)
+ userdom_dontaudit_read_user_tmp_files(thunderbird_t)
+ userdom_dontaudit_list_user_home_dirs(thunderbird_t)
+ userdom_dontaudit_read_user_home_content_files(thunderbird_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(thunderbird_t)
+ dbus_session_bus_client(thunderbird_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(thunderbird_t)
+ cups_dbus_chat(thunderbird_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(thunderbird_t)
+ gnome_domtrans_gconfd(thunderbird_t)
+ gnome_manage_config(thunderbird_t)
+')
+
+optional_policy(`
+ gpg_domtrans(thunderbird_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(thunderbird_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(thunderbird_t)
+ mozilla_domtrans(thunderbird_t)
+ mozilla_dbus_chat(thunderbird_t)
+')
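Review bot: The `mail_read_content` tunable does not restrict what its else-branch implies: `userdom_search_user_home_dirs(thunderbird_t)`, `userdom_read_user_tmp_files(thunderbird_t)` and `userdom_read_user_home_content_files(thunderbird_t)` are already granted unconditionally in the base policy above, so the same calls inside the tunable block are redundant and the `userdom_dontaudit_*` calls in the else branch never take effect because the access is allowed regardless of the boolean. Either drop the three unconditional calls or narrow the `# .kde/....gtkrc` need to a more specific interface, so that setting the boolean to false actually withholds user home content from the mail client. Separately, `execheap execmem execstack` on the self:process line disable W^X for the whole domain; if the shipped build runs without them, consider gating them behind a tunable following the file's existing `tunable_policy` pattern (a constructed name such as `thunderbird_execmem` would fit the naming here).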
diff --git a/policy/modules/contrib/timidity.fc b/policy/modules/contrib/timidity.fc
new file mode 100644
index 00000000..ed5eef38
--- /dev/null
+++ b/policy/modules/contrib/timidity.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/timidity -- gen_context(system_u:object_r:timidity_exec_t,s0)
diff --git a/policy/modules/contrib/timidity.if b/policy/modules/contrib/timidity.if
new file mode 100644
index 00000000..989b2409
--- /dev/null
+++ b/policy/modules/contrib/timidity.if
@@ -0,0 +1 @@
+## <summary>MIDI to WAV converter and player configured as a service</summary>
diff --git a/policy/modules/contrib/timidity.te b/policy/modules/contrib/timidity.te
new file mode 100644
index 00000000..67b5592f
--- /dev/null
+++ b/policy/modules/contrib/timidity.te
@@ -0,0 +1,85 @@
+policy_module(timidity, 1.9.0)
+
+# Note: You only need this policy if you want to run timidity as a server
+
+########################################
+#
+# Declarations
+#
+
+type timidity_t;
+type timidity_exec_t;
+init_daemon_domain(timidity_t, timidity_exec_t)
+application_domain(timidity_t, timidity_exec_t)
+
+type timidity_tmpfs_t;
+files_tmpfs_file(timidity_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow timidity_t self:capability { dac_override dac_read_search };
+dontaudit timidity_t self:capability sys_tty_config;
+allow timidity_t self:process { signal_perms getsched };
+allow timidity_t self:shm create_shm_perms;
+allow timidity_t self:unix_stream_socket create_stream_socket_perms;
+allow timidity_t self:tcp_socket create_stream_socket_perms;
+allow timidity_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+manage_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+manage_lnk_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+manage_fifo_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+manage_sock_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(timidity_t)
+# read /proc/cpuinfo
+kernel_read_system_state(timidity_t)
+
+corenet_all_recvfrom_unlabeled(timidity_t)
+corenet_all_recvfrom_netlabel(timidity_t)
+corenet_tcp_sendrecv_generic_if(timidity_t)
+corenet_udp_sendrecv_generic_if(timidity_t)
+corenet_tcp_sendrecv_generic_node(timidity_t)
+corenet_udp_sendrecv_generic_node(timidity_t)
+corenet_tcp_sendrecv_all_ports(timidity_t)
+corenet_udp_sendrecv_all_ports(timidity_t)
+
+dev_read_sysfs(timidity_t)
+dev_read_sound(timidity_t)
+dev_write_sound(timidity_t)
+
+fs_search_auto_mountpoints(timidity_t)
+
+domain_use_interactive_fds(timidity_t)
+
+files_search_tmp(timidity_t)
+# read /usr/share/alsa/alsa.conf
+files_read_usr_files(timidity_t)
+# read /etc/esd.conf
+files_read_etc_files(timidity_t)
+
+# read libartscbackend.la
+libs_read_lib_files(timidity_t)
+
+logging_send_syslog_msg(timidity_t)
+
+sysnet_read_config(timidity_t)
+
+userdom_dontaudit_use_unpriv_user_fds(timidity_t)
+
+# stupid timidity won't start if it can't search its current directory.
+# allow this so /etc/init.d/alsasound start works from /root
+# cjp: this should be fixed if possible so this rule can be removed.
+userdom_search_user_home_dirs(timidity_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(timidity_t)
+')
+
+optional_policy(`
+ udev_read_db(timidity_t)
+')
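Review bot: `dac_override` in the self:capability line carries no justification, whereas most other rules in this file do (`# read /proc/cpuinfo`, `# read /etc/esd.conf`); `dac_override` bypasses all DAC checks including write, so if the daemon only needs to traverse or read root-owned directories, `dac_read_search` alone should suffice. A one-line comment naming the path that triggers the denial would let a later reviewer drop it, e.g. `# TODO(review): confirm which path needs dac_override; dac_read_search may be enough`. The `userdom_search_user_home_dirs` workaround near the end already carries such a note and is the model to follow.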
diff --git a/policy/modules/contrib/tmpreaper.fc b/policy/modules/contrib/tmpreaper.fc
new file mode 100644
index 00000000..fcc10e89
--- /dev/null
+++ b/policy/modules/contrib/tmpreaper.fc
@@ -0,0 +1,7 @@
+ifdef(`distro_debian',`
+/etc/init\.d/mountall-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/etc/init\.d/mountnfs-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+')
+
+/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
diff --git a/policy/modules/contrib/tmpreaper.if b/policy/modules/contrib/tmpreaper.if
new file mode 100644
index 00000000..8dfbd809
--- /dev/null
+++ b/policy/modules/contrib/tmpreaper.if
@@ -0,0 +1,21 @@
+## <summary>Manage temporary directory sizes and file ages</summary>
+
+########################################
+## <summary>
+## Execute tmpreaper in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpreaper_exec',`
+ gen_require(`
+ type tmpreaper_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1, tmpreaper_exec_t)
+')
diff --git a/policy/modules/contrib/tmpreaper.te b/policy/modules/contrib/tmpreaper.te
new file mode 100644
index 00000000..0521d5af
--- /dev/null
+++ b/policy/modules/contrib/tmpreaper.te
@@ -0,0 +1,74 @@
+policy_module(tmpreaper, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type tmpreaper_t;
+type tmpreaper_exec_t;
+application_domain(tmpreaper_t, tmpreaper_exec_t)
+role system_r types tmpreaper_t;
+
+########################################
+#
+# Local Policy
+#
+
+allow tmpreaper_t self:process { fork sigchld };
+allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+
+dev_read_urand(tmpreaper_t)
+
+fs_getattr_xattr_fs(tmpreaper_t)
+
+files_read_etc_files(tmpreaper_t)
+files_read_var_lib_files(tmpreaper_t)
+files_purge_tmp(tmpreaper_t)
+# why does it need setattr?
+files_setattr_all_tmp_dirs(tmpreaper_t)
+files_getattr_all_dirs(tmpreaper_t)
+files_getattr_all_files(tmpreaper_t)
+
+mls_file_read_all_levels(tmpreaper_t)
+mls_file_write_all_levels(tmpreaper_t)
+
+logging_send_syslog_msg(tmpreaper_t)
+
+miscfiles_read_localization(tmpreaper_t)
+miscfiles_delete_man_pages(tmpreaper_t)
+
+cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
+
+ifdef(`distro_redhat',`
+ userdom_list_user_home_content(tmpreaper_t)
+ userdom_delete_user_home_content_dirs(tmpreaper_t)
+ userdom_delete_user_home_content_files(tmpreaper_t)
+ userdom_delete_user_home_content_symlinks(tmpreaper_t)
+')
+
+optional_policy(`
+ amavis_manage_spool_files(tmpreaper_t)
+')
+
+optional_policy(`
+ apache_list_cache(tmpreaper_t)
+ apache_delete_cache_files(tmpreaper_t)
+ apache_setattr_cache_dirs(tmpreaper_t)
+')
+
+optional_policy(`
+ kismet_manage_log(tmpreaper_t)
+')
+
+optional_policy(`
+ lpd_manage_spool(tmpreaper_t)
+')
+
+optional_policy(`
+ rpm_manage_cache(tmpreaper_t)
+')
+
+optional_policy(`
+ unconfined_domain(tmpreaper_t)
+')
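Review bot: The final `optional_policy(` block calls `unconfined_domain(tmpreaper_t)`, which, whenever the unconfined module is loaded, makes every scoped rule above it (tmp purge, per-application cache deletion, MLS read/write of all levels) moot by granting the domain unrestricted access. A tool whose job is deleting files is exactly where confinement pays off, so either drop that block or add a comment stating why tmpreaper must be unconfined on such systems. Less critically, `cron_system_entry(tmpreaper_t, tmpreaper_exec_t)` is called outside `optional_policy`, unlike the equivalent call in tripwire.te in this same commit, so this module hard-depends on the cron module being present. The unanswered `# why does it need setattr?` comment should be resolved or turned into an explicit TODO before merging.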
diff --git a/policy/modules/contrib/tor.fc b/policy/modules/contrib/tor.fc
new file mode 100644
index 00000000..e2e06b28
--- /dev/null
+++ b/policy/modules/contrib/tor.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
+/etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0)
+
+/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+
+/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+
+/var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0)
+
+/var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0)
diff --git a/policy/modules/contrib/tor.if b/policy/modules/contrib/tor.if
new file mode 100644
index 00000000..904f13e1
--- /dev/null
+++ b/policy/modules/contrib/tor.if
@@ -0,0 +1,64 @@
+## <summary>TOR, the onion router</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run TOR.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tor_domtrans',`
+ gen_require(`
+ type tor_t, tor_exec_t;
+ ')
+
+ domtrans_pattern($1, tor_exec_t, tor_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an tor environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the tor domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tor_admin',`
+ gen_require(`
+ type tor_t, tor_var_log_t, tor_etc_t;
+ type tor_var_lib_t, tor_var_run_t;
+ type tor_initrc_exec_t;
+ ')
+
+ allow $1 tor_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, tor_t)
+
+ init_labeled_script_domtrans($1, tor_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 tor_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, tor_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, tor_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, tor_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, tor_var_run_t)
+')
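Review bot: The summary of `tor_admin` reads `an tor environment`; it should be `a tor environment`. The interface also grants `ptrace` on tor_t to the admin domain; since the .te file notes that tor "uses crypto" and so holds key material in process memory, a comment should state that this is the intended admin pattern, or ptrace should be dropped if administration does not need it, e.g. `# ptrace lets the admin role attach to tor_t, which exposes the daemon's key material in memory`.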
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
new file mode 100644
index 00000000..c842cadf
--- /dev/null
+++ b/policy/modules/contrib/tor.te
@@ -0,0 +1,120 @@
+policy_module(tor, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow tor daemon to bind
+## tcp sockets to all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(tor_bind_all_unreserved_ports, false)
+
+type tor_t;
+type tor_exec_t;
+init_daemon_domain(tor_t, tor_exec_t)
+
+# etc/tor
+type tor_etc_t;
+files_config_file(tor_etc_t)
+
+type tor_initrc_exec_t;
+init_script_file(tor_initrc_exec_t)
+
+# var/lib/tor
+type tor_var_lib_t;
+files_type(tor_var_lib_t)
+
+# log files
+type tor_var_log_t;
+logging_log_file(tor_var_log_t)
+
+# pid files
+type tor_var_run_t;
+files_pid_file(tor_var_run_t)
+
+########################################
+#
+# tor local policy
+#
+
+allow tor_t self:capability { setgid setuid sys_tty_config };
+allow tor_t self:fifo_file rw_fifo_file_perms;
+allow tor_t self:unix_stream_socket create_stream_socket_perms;
+allow tor_t self:netlink_route_socket r_netlink_socket_perms;
+allow tor_t self:tcp_socket create_stream_socket_perms;
+
+# configuration files
+allow tor_t tor_etc_t:dir list_dir_perms;
+read_files_pattern(tor_t, tor_etc_t, tor_etc_t)
+read_lnk_files_pattern(tor_t, tor_etc_t, tor_etc_t)
+
+# var/lib/tor files
+manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+files_usr_filetrans(tor_t, tor_var_lib_t, file)
+files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file })
+files_var_lib_filetrans(tor_t, tor_var_lib_t, file)
+
+# log files
+allow tor_t tor_var_log_t:dir setattr;
+manage_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
+manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
+logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
+
+# pid file
+manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t)
+manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
+manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
+files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(tor_t)
+
+# networking basics
+corenet_all_recvfrom_unlabeled(tor_t)
+corenet_all_recvfrom_netlabel(tor_t)
+corenet_tcp_sendrecv_generic_if(tor_t)
+corenet_udp_sendrecv_generic_if(tor_t)
+corenet_tcp_sendrecv_generic_node(tor_t)
+corenet_udp_sendrecv_generic_node(tor_t)
+corenet_tcp_sendrecv_all_ports(tor_t)
+corenet_udp_sendrecv_dns_port(tor_t)
+corenet_tcp_sendrecv_all_reserved_ports(tor_t)
+corenet_tcp_bind_generic_node(tor_t)
+corenet_udp_bind_generic_node(tor_t)
+corenet_tcp_bind_tor_port(tor_t)
+corenet_udp_bind_dns_port(tor_t)
+corenet_sendrecv_tor_server_packets(tor_t)
+corenet_sendrecv_dns_server_packets(tor_t)
+# TOR will need to connect to various ports
+corenet_tcp_connect_all_ports(tor_t)
+corenet_sendrecv_all_client_packets(tor_t)
+# ... especially including port 80 and other privileged ports
+corenet_tcp_connect_all_reserved_ports(tor_t)
+
+# tor uses crypto and needs random
+dev_read_urand(tor_t)
+
+domain_use_interactive_fds(tor_t)
+
+files_read_etc_files(tor_t)
+files_read_etc_runtime_files(tor_t)
+files_read_usr_files(tor_t)
+
+auth_use_nsswitch(tor_t)
+
+logging_send_syslog_msg(tor_t)
+
+miscfiles_read_localization(tor_t)
+
+tunable_policy(`tor_bind_all_unreserved_ports', `
+ corenet_tcp_bind_all_unreserved_ports(tor_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(tor_t)
+')
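Review bot: `files_usr_filetrans(tor_t, tor_var_lib_t, file)` labels files the daemon creates directly under /usr as tor_var_lib_t, but nothing in tor.fc places tor state under /usr and no rule in this hunk grants tor_t write access to /usr directories, so the transition looks either dead or a leftover from a distribution-specific layout; the same question applies to `files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file })` at the /var top level, since the fc file only labels /var/lib/tor and /var/lib/tor-data. Add a comment naming the path that needs each transition, or drop them. If either is kept, narrowing it to the specific filename (where this policy base supports named transitions) would limit what ends up labelled tor_var_lib_t.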
diff --git a/policy/modules/contrib/transproxy.fc b/policy/modules/contrib/transproxy.fc
new file mode 100644
index 00000000..ce33f179
--- /dev/null
+++ b/policy/modules/contrib/transproxy.fc
@@ -0,0 +1,3 @@
+/usr/sbin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0)
+
+/var/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0)
diff --git a/policy/modules/contrib/transproxy.if b/policy/modules/contrib/transproxy.if
new file mode 100644
index 00000000..23323f9a
--- /dev/null
+++ b/policy/modules/contrib/transproxy.if
@@ -0,0 +1 @@
+## <summary>HTTP transperant proxy</summary>
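Review bot: The module summary reads `HTTP transperant proxy`; it should be `HTTP transparent proxy`, since this line is what the policy documentation tooling displays for the module. The file defines no interfaces, so this summary is its only content.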
diff --git a/policy/modules/contrib/transproxy.te b/policy/modules/contrib/transproxy.te
new file mode 100644
index 00000000..95cf0c07
--- /dev/null
+++ b/policy/modules/contrib/transproxy.te
@@ -0,0 +1,65 @@
+policy_module(transproxy, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type transproxy_t;
+type transproxy_exec_t;
+init_daemon_domain(transproxy_t, transproxy_exec_t)
+
+type transproxy_var_run_t;
+files_pid_file(transproxy_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow transproxy_t self:capability { setgid setuid };
+dontaudit transproxy_t self:capability sys_tty_config;
+allow transproxy_t self:process signal_perms;
+allow transproxy_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(transproxy_t, transproxy_var_run_t, transproxy_var_run_t)
+files_pid_filetrans(transproxy_t, transproxy_var_run_t, file)
+
+kernel_read_kernel_sysctls(transproxy_t)
+kernel_list_proc(transproxy_t)
+kernel_read_proc_symlinks(transproxy_t)
+
+corenet_all_recvfrom_unlabeled(transproxy_t)
+corenet_all_recvfrom_netlabel(transproxy_t)
+corenet_tcp_sendrecv_generic_if(transproxy_t)
+corenet_tcp_sendrecv_generic_node(transproxy_t)
+corenet_tcp_sendrecv_all_ports(transproxy_t)
+corenet_tcp_bind_generic_node(transproxy_t)
+corenet_tcp_bind_transproxy_port(transproxy_t)
+corenet_sendrecv_transproxy_server_packets(transproxy_t)
+
+dev_read_sysfs(transproxy_t)
+
+domain_use_interactive_fds(transproxy_t)
+
+files_read_etc_files(transproxy_t)
+
+fs_getattr_all_fs(transproxy_t)
+fs_search_auto_mountpoints(transproxy_t)
+
+logging_send_syslog_msg(transproxy_t)
+
+miscfiles_read_localization(transproxy_t)
+
+sysnet_read_config(transproxy_t)
+
+userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
+userdom_dontaudit_search_user_home_dirs(transproxy_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(transproxy_t)
+')
+
+optional_policy(`
+ udev_read_db(transproxy_t)
+')
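Review bot: No outbound-connect rule is granted to transproxy_t: the corenet block permits binding the transproxy port and send/recv on all ports, but no `corenet_tcp_connect_*` call appears, so a transparent HTTP proxy that forwards client requests to origin servers would be denied at the `name_connect` step. If tproxy does open upstream connections, `corenet_tcp_connect_http_port(transproxy_t)` together with `corenet_sendrecv_http_client_packets(transproxy_t)` is the narrowest addition; if it does not, a comment saying so would stop the next reviewer from asking. Confirm against an actual denial before widening to all ports.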
diff --git a/policy/modules/contrib/tripwire.fc b/policy/modules/contrib/tripwire.fc
new file mode 100644
index 00000000..962662fd
--- /dev/null
+++ b/policy/modules/contrib/tripwire.fc
@@ -0,0 +1,10 @@
+
+/etc/tripwire(/.*)? gen_context(system_u:object_r:tripwire_etc_t,s0)
+
+/usr/sbin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0)
+/usr/sbin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0)
+/usr/sbin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0)
+/usr/sbin/twprint -- gen_context(system_u:object_r:twprint_exec_t,s0)
+
+/var/lib/tripwire(/.*)? gen_context(system_u:object_r:tripwire_var_lib_t,s0)
+/var/lib/tripwire/report(/.*)? gen_context(system_u:object_r:tripwire_report_t,s0)
diff --git a/policy/modules/contrib/tripwire.if b/policy/modules/contrib/tripwire.if
new file mode 100644
index 00000000..27abd880
--- /dev/null
+++ b/policy/modules/contrib/tripwire.if
@@ -0,0 +1,190 @@
+## <summary>Tripwire file integrity checker.</summary>
+## <desc>
+## <p>
+## Tripwire file integrity checker.
+## </p>
+## <p>
+## NOTE: Tripwire creates temp file in its current working directory.
+## This policy does not allow write access to home directories, so
+## users will need to either cd to a directory where they have write
+## permission, or set the TEMPDIRECTORY variable in the tripwire config
+## file. The latter is preferable, as then the file_type_auto_trans
+## rules will kick in and label the files as private to tripwire.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute tripwire in the tripwire domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tripwire_domtrans_tripwire',`
+ gen_require(`
+ type tripwire_t, tripwire_exec_t;
+ ')
+
+ domtrans_pattern($1, tripwire_exec_t, tripwire_t)
+')
+
+########################################
+## <summary>
+## Execute tripwire in the tripwire domain, and
+## allow the specified role the tripwire domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tripwire_run_tripwire',`
+ gen_require(`
+ type tripwire_t;
+ ')
+
+ tripwire_domtrans_tripwire($1)
+ role $2 types tripwire_t;
+')
+
+########################################
+## <summary>
+## Execute twadmin in the twadmin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tripwire_domtrans_twadmin',`
+ gen_require(`
+ type twadmin_t, twadmin_exec_t;
+ ')
+
+ domtrans_pattern($1, twadmin_exec_t, twadmin_t)
+')
+
+########################################
+## <summary>
+## Execute twadmin in the twadmin domain, and
+## allow the specified role the twadmin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tripwire_run_twadmin',`
+ gen_require(`
+ type twadmin_t;
+ ')
+
+ tripwire_domtrans_twadmin($1)
+ role $2 types twadmin_t;
+')
+
+########################################
+## <summary>
+## Execute twprint in the twprint domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tripwire_domtrans_twprint',`
+ gen_require(`
+ type twprint_t, twprint_exec_t;
+ ')
+
+ domtrans_pattern($1, twprint_exec_t, twprint_t)
+')
+
+########################################
+## <summary>
+## Execute twprint in the twprint domain, and
+## allow the specified role the twprint domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tripwire_run_twprint',`
+ gen_require(`
+ type twprint_t;
+ ')
+
+ tripwire_domtrans_twprint($1)
+ role $2 types twprint_t;
+')
+
+########################################
+## <summary>
+## Execute siggen in the siggen domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tripwire_domtrans_siggen',`
+ gen_require(`
+ type siggen_t, siggen_exec_t;
+ ')
+
+ domtrans_pattern($1, siggen_exec_t, siggen_t)
+')
+
+########################################
+## <summary>
+## Execute siggen in the siggen domain, and
+## allow the specified role the siggen domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tripwire_run_siggen',`
+ gen_require(`
+ type siggen_t;
+ ')
+
+ tripwire_domtrans_siggen($1)
+ role $2 types siggen_t;
+')
diff --git a/policy/modules/contrib/tripwire.te b/policy/modules/contrib/tripwire.te
new file mode 100644
index 00000000..2ae8b62c
--- /dev/null
+++ b/policy/modules/contrib/tripwire.te
@@ -0,0 +1,146 @@
+policy_module(tripwire, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type siggen_t;
+type siggen_exec_t;
+application_domain(siggen_t, siggen_exec_t)
+
+type tripwire_t;
+type tripwire_exec_t;
+application_domain(tripwire_t, tripwire_exec_t)
+role system_r types tripwire_t;
+
+type tripwire_etc_t;
+files_config_file(tripwire_etc_t)
+
+type tripwire_report_t;
+files_type(tripwire_report_t)
+
+type tripwire_tmp_t;
+files_tmp_file(tripwire_tmp_t)
+
+type tripwire_var_lib_t;
+files_type(tripwire_var_lib_t)
+
+type twadmin_t;
+type twadmin_exec_t;
+application_domain(twadmin_t, twadmin_exec_t)
+
+type twprint_t;
+type twprint_exec_t;
+application_domain(twprint_t, twprint_exec_t)
+
+########################################
+#
+# Tripwire local policy
+#
+
+allow tripwire_t self:capability { setgid setuid dac_override };
+
+allow tripwire_t tripwire_etc_t:dir list_dir_perms;
+read_files_pattern(tripwire_t, tripwire_etc_t, tripwire_etc_t)
+read_lnk_files_pattern(tripwire_t, tripwire_etc_t, tripwire_etc_t)
+files_search_etc(tripwire_t)
+
+# Tripwire report files
+manage_dirs_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)
+manage_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)
+manage_lnk_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)
+
+manage_dirs_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+manage_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+manage_lnk_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+manage_fifo_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+manage_sock_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+files_tmp_filetrans(tripwire_t, tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(tripwire_t, tripwire_var_lib_t, tripwire_var_lib_t)
+files_var_lib_filetrans(tripwire_t, tripwire_var_lib_t, file)
+
+kernel_read_system_state(tripwire_t)
+kernel_read_network_state(tripwire_t)
+kernel_read_software_raid_state(tripwire_t)
+kernel_getattr_core_if(tripwire_t)
+kernel_getattr_message_if(tripwire_t)
+kernel_read_kernel_sysctls(tripwire_t)
+
+corecmd_exec_shell(tripwire_t)
+corecmd_exec_bin(tripwire_t)
+
+domain_use_interactive_fds(tripwire_t)
+
+files_read_all_files(tripwire_t)
+files_read_all_symlinks(tripwire_t)
+files_getattr_all_pipes(tripwire_t)
+files_getattr_all_sockets(tripwire_t)
+
+logging_send_syslog_msg(tripwire_t)
+
+userdom_use_user_terminals(tripwire_t)
+
+optional_policy(`
+ cron_system_entry(tripwire_t, tripwire_exec_t)
+')
+
+########################################
+#
+# Twadmin local policy
+#
+
+manage_dirs_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t)
+manage_files_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t)
+manage_lnk_files_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t)
+
+domain_use_interactive_fds(twadmin_t)
+
+logging_send_syslog_msg(twadmin_t)
+
+miscfiles_read_localization(twadmin_t)
+
+userdom_use_user_terminals(twadmin_t)
+
+########################################
+#
+# Twprint local policy
+#
+
+allow twprint_t tripwire_etc_t:dir list_dir_perms;
+read_files_pattern(twprint_t, tripwire_etc_t, tripwire_etc_t)
+read_lnk_files_pattern(twprint_t, tripwire_etc_t, tripwire_etc_t)
+
+allow twprint_t tripwire_report_t:dir list_dir_perms;
+read_files_pattern(twprint_t, tripwire_report_t, tripwire_report_t)
+read_lnk_files_pattern(twprint_t, tripwire_report_t, tripwire_report_t)
+
+allow twprint_t tripwire_var_lib_t:dir list_dir_perms;
+read_files_pattern(twprint_t, tripwire_var_lib_t, tripwire_var_lib_t)
+read_lnk_files_pattern(twprint_t, tripwire_var_lib_t, tripwire_var_lib_t)
+files_search_var_lib(twprint_t)
+
+domain_use_interactive_fds(twprint_t)
+
+logging_send_syslog_msg(twprint_t)
+
+miscfiles_read_localization(twprint_t)
+
+userdom_use_user_terminals(twprint_t)
+
+########################################
+#
+# Siggen local policy
+#
+
+domain_use_interactive_fds(siggen_t)
+
+# Need permission to read files
+files_read_all_files(siggen_t)
+
+logging_send_syslog_msg(siggen_t)
+
+miscfiles_read_localization(siggen_t)
+
+userdom_use_user_terminals(siggen_t)
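Review bot: twadmin_t and twprint_t are given access to tripwire_etc_t (manage and read respectively) without a `files_search_etc` call, while the tripwire_t block above does call `files_search_etc(tripwire_t)`; unless something outside this hunk grants /etc search to those two domains, they cannot traverse to /etc/tripwire and those rules are unreachable. Adding `files_search_etc(twadmin_t)` and `files_search_etc(twprint_t)` beside their tripwire_etc_t rules makes the three domains consistent. Also worth a comment: `dac_override` on tripwire_t is broader than the `files_read_all_files` it sits beside, and `dac_read_search` may be all an integrity scanner needs.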
diff --git a/policy/modules/contrib/tuned.fc b/policy/modules/contrib/tuned.fc
new file mode 100644
index 00000000..639c962c
--- /dev/null
+++ b/policy/modules/contrib/tuned.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
+
+/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+
+/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
+/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
+
+/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
diff --git a/policy/modules/contrib/tuned.if b/policy/modules/contrib/tuned.if
new file mode 100644
index 00000000..54b86059
--- /dev/null
+++ b/policy/modules/contrib/tuned.if
@@ -0,0 +1,129 @@
+## <summary>Dynamic adaptive system tuning daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run tuned.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tuned_domtrans',`
+ gen_require(`
+ type tuned_t, tuned_exec_t;
+ ')
+
+ domtrans_pattern($1, tuned_exec_t, tuned_t)
+')
+
+#######################################
+## <summary>
+## Execute tuned in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tuned_exec',`
+ gen_require(`
+ type tuned_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, tuned_exec_t)
+')
+
+######################################
+## <summary>
+## Read tuned PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tuned_read_pid_files',`
+ gen_require(`
+ type tuned_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
+')
+
+#######################################
+## <summary>
+## Manage tuned PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tuned_manage_pid_files',`
+ gen_require(`
+ type tuned_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute tuned server in the tuned domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tuned_initrc_domtrans',`
+ gen_require(`
+ type tuned_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, tuned_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an tuned environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tuned_admin',`
+ gen_require(`
+ type tuned_t, tuned_var_run_t;
+ type tuned_initrc_exec_t;
+ ')
+
+ allow $1 tuned_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tuned_t)
+
+ tuned_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 tuned_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, tuned_var_run_t)
+')
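Review bot: The summary on `tuned_initrc_domtrans` says it executes tuned in the tuned domain, but `init_labeled_script_domtrans` moves the caller into the init script domain through tuned_initrc_exec_t, so the doc should read `## Execute tuned init scripts in the init script domain.`. `tuned_admin` also manages only tuned_var_run_t; the log type labelled on /var/log/tuned in tuned.fc is not covered, unlike ulogd_admin later in this series, so add `type tuned_log_t;` to its gen_require and `logging_list_logs($1)` / `admin_pattern($1, tuned_log_t)` after the pid rules. Minor: "an tuned environment" should be "a tuned environment".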
diff --git a/policy/modules/contrib/tuned.te b/policy/modules/contrib/tuned.te
new file mode 100644
index 00000000..db9d2a59
--- /dev/null
+++ b/policy/modules/contrib/tuned.te
@@ -0,0 +1,64 @@
+policy_module(tuned, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type tuned_t;
+type tuned_exec_t;
+init_daemon_domain(tuned_t, tuned_exec_t)
+
+type tuned_initrc_exec_t;
+init_script_file(tuned_initrc_exec_t)
+
+type tuned_log_t;
+logging_log_file(tuned_log_t)
+
+type tuned_var_run_t;
+files_pid_file(tuned_var_run_t)
+
+########################################
+#
+# tuned local policy
+#
+
+dontaudit tuned_t self:capability { dac_override sys_tty_config };
+
+manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
+manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+logging_log_filetrans(tuned_t, tuned_log_t, file)
+
+manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
+files_pid_filetrans(tuned_t, tuned_var_run_t, file)
+
+corecmd_exec_shell(tuned_t)
+corecmd_exec_bin(tuned_t)
+
+kernel_read_system_state(tuned_t)
+kernel_read_network_state(tuned_t)
+
+dev_read_urand(tuned_t)
+dev_read_sysfs(tuned_t)
+# to allow cpu tuning
+dev_rw_netcontrol(tuned_t)
+
+files_read_etc_files(tuned_t)
+files_read_usr_files(tuned_t)
+files_dontaudit_search_home(tuned_t)
+
+logging_send_syslog_msg(tuned_t)
+
+miscfiles_read_localization(tuned_t)
+
+userdom_dontaudit_search_user_home_dirs(tuned_t)
+
+# to allow disk tuning
+optional_policy(`
+ fstools_domtrans(tuned_t)
+')
+
+# to allow network interface tuning
+optional_policy(`
+ sysnet_domtrans_ifconfig(tuned_t)
+')
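Review bot: `logging_log_filetrans(tuned_t, tuned_log_t, file)` only labels a plain file created in /var/log, while tuned.fc labels `/var/log/tuned(/.*)?` as a directory tree and the rules above grant manage on dirs, so a directory the daemon creates itself would come out as var_log_t until the next relabel. Use `logging_log_filetrans(tuned_t, tuned_log_t, { file dir })`. The comment `# to allow cpu tuning` above `dev_rw_netcontrol` also reads oddly next to that interface name; if, as I recall, netcontrol_device_t covers the PM-QoS nodes such as /dev/cpu_dma_latency, say so in the comment so it is not mistaken for network access.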
diff --git a/policy/modules/contrib/tvtime.fc b/policy/modules/contrib/tvtime.fc
new file mode 100644
index 00000000..8698a613
--- /dev/null
+++ b/policy/modules/contrib/tvtime.fc
@@ -0,0 +1,5 @@
+#
+# /usr
+#
+/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0)
+
diff --git a/policy/modules/contrib/tvtime.if b/policy/modules/contrib/tvtime.if
new file mode 100644
index 00000000..8d89f211
--- /dev/null
+++ b/policy/modules/contrib/tvtime.if
@@ -0,0 +1,40 @@
+## <summary> tvtime - a high quality television application </summary>
+
+########################################
+## <summary>
+## Role access for tvtime
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`tvtime_role',`
+ gen_require(`
+ type tvtime_t, tvtime_exec_t;
+ type tvtime_home_t, tvtime_tmpfs_t;
+ ')
+
+ role $1 types tvtime_t;
+
+ # Type transition
+ domtrans_pattern($2, tvtime_exec_t, tvtime_t)
+
+ # X access, Home files
+ manage_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
+ manage_files_pattern($2, tvtime_home_t, tvtime_home_t)
+ manage_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
+ relabel_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
+ relabel_files_pattern($2, tvtime_home_t, tvtime_home_t)
+ relabel_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, tvtime_t)
+ allow $2 tvtime_t:process signal_perms;
+')
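Review bot: `tvtime_tmpfs_t` is listed in the gen_require of `tvtime_role` but never used in the body, so the interface would refuse to load if that type were ever dropped, for no benefit; trim the require to `type tvtime_t, tvtime_exec_t, tvtime_home_t;`. The role also hands the user domain manage and relabel rights over tvtime_home_t, which is normal for per-user content but deserves a comment because the same type is what tvtime_t reads as its own configuration, e.g. `# the user owns ~/.tvtime; tvtime_t reads and writes the same files`.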
diff --git a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
new file mode 100644
index 00000000..531b1f12
--- /dev/null
+++ b/policy/modules/contrib/tvtime.te
@@ -0,0 +1,90 @@
+policy_module(tvtime, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type tvtime_t;
+type tvtime_exec_t;
+typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
+typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
+userdom_user_application_domain(tvtime_t, tvtime_exec_t)
+
+type tvtime_home_t alias tvtime_rw_t;
+typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
+typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
+userdom_user_home_content(tvtime_home_t)
+
+type tvtime_tmp_t;
+typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
+typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t };
+userdom_user_tmp_file(tvtime_tmp_t)
+
+type tvtime_tmpfs_t;
+typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
+typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t };
+userdom_user_tmpfs_file(tvtime_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tvtime_t self:capability { setuid sys_nice sys_resource };
+allow tvtime_t self:process setsched;
+allow tvtime_t self:unix_dgram_socket rw_socket_perms;
+allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
+
+# X access, Home files
+manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)
+
+manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir })
+
+manage_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_lnk_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_fifo_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_sock_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+fs_tmpfs_filetrans(tvtime_t, tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file })
+
+kernel_read_all_sysctls(tvtime_t)
+kernel_get_sysvipc_info(tvtime_t)
+
+dev_read_urand(tvtime_t)
+dev_read_realtime_clock(tvtime_t)
+dev_read_sound(tvtime_t)
+
+files_read_usr_files(tvtime_t)
+files_search_pids(tvtime_t)
+# Read /etc/tvtime
+files_read_etc_files(tvtime_t)
+
+# X access, Home files
+fs_search_auto_mountpoints(tvtime_t)
+
+miscfiles_read_localization(tvtime_t)
+miscfiles_read_fonts(tvtime_t)
+
+userdom_use_user_terminals(tvtime_t)
+userdom_read_user_home_content_files(tvtime_t)
+
+# X access, Home files
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(tvtime_t)
+ fs_manage_nfs_files(tvtime_t)
+ fs_manage_nfs_symlinks(tvtime_t)
+')
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(tvtime_t)
+ fs_manage_cifs_files(tvtime_t)
+ fs_manage_cifs_symlinks(tvtime_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
+')
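Review bot: `allow tvtime_t self:capability { setuid sys_nice sys_resource };` gives a user application domain setuid with no explanation, and that is the first line a later reviewer will question; add a why-comment such as `# tvtime is installed setuid root to raise its scheduling priority and then drops back to the invoking uid` if that matches the packaged binary, or justify it otherwise. `kernel_read_all_sysctls(tvtime_t)` is also broader than a viewer application seems to need; if only kernel sysctls are read, `kernel_read_kernel_sysctls` keeps the domain tighter. I also see no video capture device access in this hunk, only `dev_read_sound`, so either it is granted elsewhere or this policy was only exercised partially — worth confirming.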
diff --git a/policy/modules/contrib/tzdata.fc b/policy/modules/contrib/tzdata.fc
new file mode 100644
index 00000000..04b85488
--- /dev/null
+++ b/policy/modules/contrib/tzdata.fc
@@ -0,0 +1 @@
+/usr/sbin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0)
diff --git a/policy/modules/contrib/tzdata.if b/policy/modules/contrib/tzdata.if
new file mode 100644
index 00000000..01c6c864
--- /dev/null
+++ b/policy/modules/contrib/tzdata.if
@@ -0,0 +1,45 @@
+## <summary>Time zone updater</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run tzdata.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tzdata_domtrans',`
+ gen_require(`
+ type tzdata_t, tzdata_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, tzdata_exec_t, tzdata_t)
+')
+
+########################################
+## <summary>
+## Execute the tzdata program in the tzdata domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the tzdata domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tzdata_run',`
+ gen_require(`
+ type tzdata_t;
+ ')
+
+ tzdata_domtrans($1)
+ role $2 types tzdata_t;
+')
diff --git a/policy/modules/contrib/tzdata.te b/policy/modules/contrib/tzdata.te
new file mode 100644
index 00000000..d0f2a640
--- /dev/null
+++ b/policy/modules/contrib/tzdata.te
@@ -0,0 +1,36 @@
+policy_module(tzdata, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type tzdata_t;
+type tzdata_exec_t;
+init_daemon_domain(tzdata_t, tzdata_exec_t)
+application_domain(tzdata_t, tzdata_exec_t)
+
+########################################
+#
+# tzdata local policy
+#
+
+files_read_etc_files(tzdata_t)
+files_search_spool(tzdata_t)
+
+fs_getattr_xattr_fs(tzdata_t)
+
+term_dontaudit_list_ptys(tzdata_t)
+
+locallogin_dontaudit_use_fds(tzdata_t)
+
+miscfiles_read_localization(tzdata_t)
+miscfiles_manage_localization(tzdata_t)
+miscfiles_etc_filetrans_localization(tzdata_t)
+
+userdom_use_user_terminals(tzdata_t)
+
+# tzdata looks for /var/spool/postfix/etc/localtime.
+optional_policy(`
+ postfix_search_spool(tzdata_t)
+')
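Review bot: `miscfiles_read_localization(tzdata_t)` is redundant next to `miscfiles_manage_localization(tzdata_t)` on the following line, since manage already covers the read permissions on locale_t, and neither line explains why an updater needs manage rights over all localization content rather than a single file. Keep the manage line and comment it with what is actually written, e.g. `# rewrites /etc/localtime from the zoneinfo tree`. The domain is also declared with both `init_daemon_domain` and `application_domain`; a one-line comment on why it is both an init-started daemon and a role-runnable application (tzdata_run) would help the next maintainer.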
diff --git a/policy/modules/contrib/ucspitcp.fc b/policy/modules/contrib/ucspitcp.fc
new file mode 100644
index 00000000..667d0b5f
--- /dev/null
+++ b/policy/modules/contrib/ucspitcp.fc
@@ -0,0 +1,3 @@
+
+/usr/bin/rblsmtpd -- gen_context(system_u:object_r:rblsmtpd_exec_t,s0)
+/usr/bin/tcpserver -- gen_context(system_u:object_r:ucspitcp_exec_t,s0)
diff --git a/policy/modules/contrib/ucspitcp.if b/policy/modules/contrib/ucspitcp.if
new file mode 100644
index 00000000..c1feba4f
--- /dev/null
+++ b/policy/modules/contrib/ucspitcp.if
@@ -0,0 +1,38 @@
+## <summary>ucspitcp policy</summary>
+## <desc>
+## <p>
+## Policy for DJB's ucspi-tcpd
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Define a specified domain as a ucspitcp service.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`ucspitcp_service_domain', `
+ gen_require(`
+ type ucspitcp_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domain_auto_trans(ucspitcp_t, $2, $1)
+ allow $1 ucspitcp_t:fd use;
+ allow $1 ucspitcp_t:process sigchld;
+ allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
+')
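Review bot: `ucspitcp_service_domain` hand-rolls the transition with `domain_auto_trans(ucspitcp_t, $2, $1)` plus separate fd use and sigchld allows, while every other transition interface in this series (tuned, tzdata, ulogd) uses `domtrans_pattern`, which bundles those rules. Replacing the three lines with `domtrans_pattern(ucspitcp_t, $2, $1)` keeps the module consistent; note it additionally grants fifo_file rw between the two domains, which is the usual expectation for inherited stdio. The `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;` line is the one that actually carries the accepted client connection into the service and deserves a comment saying so.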
diff --git a/policy/modules/contrib/ucspitcp.te b/policy/modules/contrib/ucspitcp.te
new file mode 100644
index 00000000..a0794bf5
--- /dev/null
+++ b/policy/modules/contrib/ucspitcp.te
@@ -0,0 +1,93 @@
+policy_module(ucspitcp, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type rblsmtpd_t;
+type rblsmtpd_exec_t;
+init_system_domain(rblsmtpd_t, rblsmtpd_exec_t)
+role system_r types rblsmtpd_t;
+
+type ucspitcp_t;
+type ucspitcp_exec_t;
+init_system_domain(ucspitcp_t, ucspitcp_exec_t)
+role system_r types ucspitcp_t;
+
+########################################
+#
+# Local policy for rblsmtpd
+#
+
+ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
+
+corecmd_search_bin(rblsmtpd_t)
+
+corenet_all_recvfrom_unlabeled(rblsmtpd_t)
+corenet_all_recvfrom_netlabel(rblsmtpd_t)
+corenet_tcp_sendrecv_generic_if(rblsmtpd_t)
+corenet_udp_sendrecv_generic_if(rblsmtpd_t)
+corenet_tcp_sendrecv_generic_node(rblsmtpd_t)
+corenet_udp_sendrecv_generic_node(rblsmtpd_t)
+corenet_tcp_sendrecv_all_ports(rblsmtpd_t)
+corenet_udp_sendrecv_all_ports(rblsmtpd_t)
+corenet_tcp_bind_generic_node(rblsmtpd_t)
+corenet_udp_bind_generic_port(rblsmtpd_t)
+
+files_read_etc_files(rblsmtpd_t)
+files_search_var(rblsmtpd_t)
+
+optional_policy(`
+ daemontools_ipc_domain(rblsmtpd_t)
+')
+
+########################################
+#
+# Local policy for tcpserver
+#
+
+allow ucspitcp_t self:capability { setgid setuid };
+allow ucspitcp_t self:fifo_file rw_fifo_file_perms;
+allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
+allow ucspitcp_t self:udp_socket create_socket_perms;
+
+corecmd_search_bin(ucspitcp_t)
+
+# base networking:
+corenet_all_recvfrom_unlabeled(ucspitcp_t)
+corenet_all_recvfrom_netlabel(ucspitcp_t)
+corenet_tcp_sendrecv_generic_if(ucspitcp_t)
+corenet_udp_sendrecv_generic_if(ucspitcp_t)
+corenet_tcp_sendrecv_generic_node(ucspitcp_t)
+corenet_udp_sendrecv_generic_node(ucspitcp_t)
+corenet_tcp_sendrecv_all_ports(ucspitcp_t)
+corenet_udp_sendrecv_all_ports(ucspitcp_t)
+corenet_tcp_bind_generic_node(ucspitcp_t)
+corenet_udp_bind_generic_node(ucspitcp_t)
+
+# server ports:
+corenet_tcp_bind_ftp_port(ucspitcp_t)
+corenet_tcp_bind_ftp_data_port(ucspitcp_t)
+corenet_tcp_bind_http_port(ucspitcp_t)
+corenet_tcp_bind_smtp_port(ucspitcp_t)
+corenet_tcp_bind_dns_port(ucspitcp_t)
+corenet_udp_bind_dns_port(ucspitcp_t)
+corenet_udp_bind_generic_port(ucspitcp_t)
+
+# server packets:
+corenet_sendrecv_ftp_server_packets(ucspitcp_t)
+corenet_sendrecv_http_server_packets(ucspitcp_t)
+corenet_sendrecv_smtp_server_packets(ucspitcp_t)
+corenet_sendrecv_dns_server_packets(ucspitcp_t)
+corenet_sendrecv_generic_server_packets(ucspitcp_t)
+
+files_search_var(ucspitcp_t)
+files_read_etc_files(ucspitcp_t)
+
+sysnet_read_config(ucspitcp_t)
+
+optional_policy(`
+ daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
+ daemontools_read_svc(ucspitcp_t)
+')
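Review bot: rblsmtpd_t receives UDP send/recv and bind rules (`corenet_udp_sendrecv_*`, `corenet_udp_bind_generic_port`) but no `allow rblsmtpd_t self:udp_socket create_socket_perms;` appears in this hunk, so the lookups those rules are meant for would still be denied unless the socket permission comes from elsewhere. As far as I know the only UDP traffic rblsmtpd generates is RBL name resolution, so the tighter fix is `allow rblsmtpd_t self:udp_socket create_socket_perms;` plus `sysnet_dns_name_resolve(rblsmtpd_t)` in place of the all-ports sendrecv and generic-port bind. The `corenet_tcp_bind_generic_node(rblsmtpd_t)` line is likewise unexplained for a domain that only inherits its connection from tcpserver.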
diff --git a/policy/modules/contrib/ulogd.fc b/policy/modules/contrib/ulogd.fc
new file mode 100644
index 00000000..831b4a36
--- /dev/null
+++ b/policy/modules/contrib/ulogd.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
+/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)
+
+/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
+/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
+
+/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0)
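Review bot: `/etc/ulogd.conf` has an unescaped dot, so the regex also matches names like `/etc/ulogdXconf`; every other entry in this file and in the sibling .fc files escapes it (`rc\.d/init\.d`). Use `/etc/ulogd\.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)`. If the build does not rewrite /usr/lib for 64-bit hosts, `/usr/lib/ulogd(/.*)?` will also miss a /usr/lib64/ulogd plugin directory — worth checking.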
diff --git a/policy/modules/contrib/ulogd.if b/policy/modules/contrib/ulogd.if
new file mode 100644
index 00000000..d23be5ce
--- /dev/null
+++ b/policy/modules/contrib/ulogd.if
@@ -0,0 +1,142 @@
+## <summary>Iptables/netfilter userspace logging daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ulogd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ulogd_domtrans',`
+ gen_require(`
+ type ulogd_t, ulogd_exec_t;
+ ')
+
+ domtrans_pattern($1, ulogd_exec_t, ulogd_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## ulogd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_read_config',`
+ gen_require(`
+ type ulogd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, ulogd_etc_t, ulogd_etc_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read ulogd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_read_log',`
+ gen_require(`
+ type ulogd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 ulogd_var_log_t:dir list_dir_perms;
+ read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to search ulogd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ulogd_search_log',`
+ gen_require(`
+ type ulogd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 ulogd_var_log_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append to ulogd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_append_log',`
+ gen_require(`
+ type ulogd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 ulogd_var_log_t:dir list_dir_perms;
+ allow $1 ulogd_var_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ulogd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_admin',`
+ gen_require(`
+ type ulogd_t, ulogd_etc_t, ulogd_modules_t;
+ type ulogd_var_log_t, ulogd_initrc_exec_t;
+ ')
+
+ allow $1 ulogd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ulogd_t)
+
+ init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ulogd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, ulogd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ulogd_var_log_t)
+
+ files_list_usr($1)
+ admin_pattern($1, ulogd_modules_t)
+')
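Review bot: The role parameter of `ulogd_admin` is documented as "The role to be allowed to manage the syslog domain", a copy-paste from the logging module; it should read `## Role allowed access.` as in tuned_admin earlier in this series, and "an ulogd environment" should be "a ulogd environment". Separately, `ulogd_read_config` and `ulogd_read_log` carry `<rolecap/>` while `ulogd_search_log` and `ulogd_append_log` are inconsistent with each other on it; if the tag marks interfaces that a role may be granted, the set should be made consistent deliberately.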
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
new file mode 100644
index 00000000..3b953f57
--- /dev/null
+++ b/policy/modules/contrib/ulogd.te
@@ -0,0 +1,67 @@
+policy_module(ulogd, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type ulogd_t;
+type ulogd_exec_t;
+init_daemon_domain(ulogd_t, ulogd_exec_t)
+
+# config files
+type ulogd_etc_t;
+files_type(ulogd_etc_t)
+
+type ulogd_initrc_exec_t;
+init_script_file(ulogd_initrc_exec_t)
+
+# /usr/lib files
+type ulogd_modules_t;
+files_type(ulogd_modules_t)
+
+# log files
+type ulogd_var_log_t;
+logging_log_file(ulogd_var_log_t)
+
+########################################
+#
+# ulogd local policy
+#
+
+allow ulogd_t self:capability net_admin;
+allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+
+# config files
+read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
+
+# modules for ulogd
+list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+
+# log files
+manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
+
+files_read_etc_files(ulogd_t)
+files_read_usr_files(ulogd_t)
+
+miscfiles_read_localization(ulogd_t)
+
+optional_policy(`
+ allow ulogd_t self:tcp_socket create_stream_socket_perms;
+
+ mysql_stream_connect(ulogd_t)
+ mysql_tcp_connect(ulogd_t)
+
+ sysnet_dns_name_resolve(ulogd_t)
+')
+
+optional_policy(`
+ allow ulogd_t self:tcp_socket create_stream_socket_perms;
+
+ postgresql_stream_connect(ulogd_t)
+ postgresql_tcp_connect(ulogd_t)
+
+ sysnet_dns_name_resolve(ulogd_t)
+')
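Review bot: `allow ulogd_t self:capability net_admin;` is the most powerful grant in this domain and carries no justification; a why-comment such as `# nfnetlink (nflog) sockets require CAP_NET_ADMIN` documents why a logging daemon holds a capability that also allows reconfiguring the network stack. The two optional_policy blocks both repeat `allow ulogd_t self:tcp_socket create_stream_socket_perms;` and `sysnet_dns_name_resolve(ulogd_t)`; the duplication is harmless to the compiler, but a comment noting the lines are intentionally kept per-backend (hoisting them would grant TCP to installs with neither database) would stop the next reader from "fixing" it.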
diff --git a/policy/modules/contrib/uml.fc b/policy/modules/contrib/uml.fc
new file mode 100644
index 00000000..b8b9520c
--- /dev/null
+++ b/policy/modules/contrib/uml.fc
@@ -0,0 +1,14 @@
+#
+# HOME_DIR/
+#
+HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0)
+
+#
+# /usr
+#
+/usr/bin/uml_switch -- gen_context(system_u:object_r:uml_switch_exec_t,s0)
+
+#
+# /var
+#
+/var/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0)
diff --git a/policy/modules/contrib/uml.if b/policy/modules/contrib/uml.if
new file mode 100644
index 00000000..d2ab7cba
--- /dev/null
+++ b/policy/modules/contrib/uml.if
@@ -0,0 +1,99 @@
+## <summary>Policy for UML</summary>
+
+########################################
+## <summary>
+## Role access for uml
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`uml_role',`
+ gen_require(`
+ type uml_t, uml_exec_t;
+ type uml_ro_t, uml_rw_t, uml_tmp_t;
+ type uml_devpts_t, uml_tmpfs_t;
+ ')
+
+ role $1 types uml_t;
+
+ # Transition from the user domain to this domain.
+ domtrans_pattern($2, uml_exec_t, uml_t)
+
+ # for mconsole
+ allow $2 uml_t:unix_dgram_socket sendto;
+ allow uml_t $2:unix_dgram_socket sendto;
+
+ # allow ps, ptrace, signal
+ ps_process_pattern($2, uml_t)
+ allow $2 uml_t:process { ptrace signal_perms };
+
+ allow $2 uml_ro_t:dir list_dir_perms;
+ read_files_pattern($2, uml_ro_t, uml_ro_t)
+ read_lnk_files_pattern($2, uml_ro_t, uml_ro_t)
+
+ manage_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ manage_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ manage_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ manage_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ manage_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+
+ manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+ manage_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+ relabel_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+ relabel_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+
+ manage_dirs_pattern($2, uml_tmp_t, uml_tmp_t)
+ manage_files_pattern($2, uml_tmp_t, uml_tmp_t)
+ manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t)
+ manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t)
+')
+
+########################################
+## <summary>
+## Set attributes on uml utility socket files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uml_setattr_util_sockets',`
+ gen_require(`
+ type uml_switch_var_run_t;
+ ')
+
+ allow $1 uml_switch_var_run_t:sock_file setattr;
+')
+
+########################################
+## <summary>
+## Manage uml utility files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uml_manage_util_files',`
+ gen_require(`
+ type uml_switch_var_run_t;
+ ')
+
+ manage_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
+ manage_lnk_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
+')
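Review bot: The second manage/relabel block in `uml_role` (over `{ uml_ro_t uml_rw_t uml_exec_t }`) is a strict superset of the dir and file rules in the block directly above it, so the earlier `manage_dirs_pattern`, `manage_files_pattern`, `relabel_dirs_pattern` and `relabel_files_pattern` over `{ uml_ro_t uml_rw_t }` are dead; fold uml_exec_t into those four lines and delete the second block. Note what this grants: the user domain may write and relabel files to uml_exec_t, the entry point of uml_t, so uml_t provides no integrity boundary against its own user — reasonable for a user application, but worth a comment such as `# users build their own UML kernels; uml_exec_t is user-writable by design`. `uml_devpts_t` and `uml_tmpfs_t` are also required by this interface but never used.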
diff --git a/policy/modules/contrib/uml.te b/policy/modules/contrib/uml.te
new file mode 100644
index 00000000..ff094e52
--- /dev/null
+++ b/policy/modules/contrib/uml.te
@@ -0,0 +1,188 @@
+policy_module(uml, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type uml_t;
+type uml_exec_t;
+typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t };
+typealias uml_t alias { auditadm_uml_t secadm_uml_t };
+userdom_user_application_domain(uml_t, uml_exec_t)
+
+type uml_ro_t;
+typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
+typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
+userdom_user_home_content(uml_ro_t)
+
+type uml_rw_t;
+typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t };
+typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t };
+userdom_user_home_content(uml_rw_t)
+
+type uml_tmp_t;
+typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
+typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t };
+userdom_user_tmp_file(uml_tmp_t)
+
+type uml_tmpfs_t;
+typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
+typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t };
+userdom_user_tmpfs_file(uml_tmpfs_t)
+
+type uml_devpts_t;
+typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t };
+typealias uml_devpts_t alias { auditadm_uml_devpts_t secadm_uml_devpts_t };
+term_pty(uml_devpts_t)
+ubac_constrained(uml_devpts_t)
+
+type uml_switch_t;
+type uml_switch_exec_t;
+init_daemon_domain(uml_switch_t, uml_switch_exec_t)
+
+type uml_switch_var_run_t;
+files_pid_file(uml_switch_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow uml_t self:fifo_file rw_fifo_file_perms;
+allow uml_t self:process { signal_perms ptrace };
+allow uml_t self:unix_stream_socket create_stream_socket_perms;
+allow uml_t self:unix_dgram_socket create_socket_perms;
+# Use the network.
+allow uml_t self:tcp_socket create_stream_socket_perms;
+allow uml_t self:udp_socket create_socket_perms;
+allow uml_t self:tun_socket create;
+# for mconsole
+allow uml_t self:unix_dgram_socket sendto;
+
+# allow the UML thing to happen
+allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty(uml_t, uml_devpts_t)
+
+manage_dirs_pattern(uml_t, uml_tmp_t, uml_tmp_t)
+manage_files_pattern(uml_t, uml_tmp_t, uml_tmp_t)
+files_tmp_filetrans(uml_t, uml_tmp_t, { file dir })
+can_exec(uml_t, uml_tmp_t)
+
+manage_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_lnk_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_fifo_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_sock_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+fs_tmpfs_filetrans(uml_t, uml_tmpfs_t, { file lnk_file sock_file fifo_file })
+can_exec(uml_t, uml_tmpfs_t)
+
+# access config files
+allow uml_t { uml_ro_t uml_ro_t }:dir list_dir_perms;
+read_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t })
+read_lnk_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t })
+
+manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_lnk_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_fifo_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_sock_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+userdom_user_home_dir_filetrans(uml_t, uml_rw_t, { file lnk_file sock_file fifo_file })
+
+can_exec(uml_t, { uml_exec_t uml_exec_t })
+
+kernel_read_system_state(uml_t)
+# for SKAS - need something better
+kernel_write_proc_files(uml_t)
+
+# for xterm
+corecmd_exec_bin(uml_t)
+
+corenet_all_recvfrom_unlabeled(uml_t)
+corenet_all_recvfrom_netlabel(uml_t)
+corenet_tcp_sendrecv_generic_if(uml_t)
+corenet_udp_sendrecv_generic_if(uml_t)
+corenet_tcp_sendrecv_generic_node(uml_t)
+corenet_udp_sendrecv_generic_node(uml_t)
+corenet_tcp_sendrecv_all_ports(uml_t)
+corenet_udp_sendrecv_all_ports(uml_t)
+corenet_tcp_connect_all_ports(uml_t)
+corenet_sendrecv_all_client_packets(uml_t)
+corenet_rw_tun_tap_dev(uml_t)
+
+domain_use_interactive_fds(uml_t)
+
+# for xterm
+files_read_etc_files(uml_t)
+files_dontaudit_read_etc_runtime_files(uml_t)
+# putting uml data under /var is usual...
+files_search_var(uml_t)
+
+fs_getattr_xattr_fs(uml_t)
+
+init_read_utmp(uml_t)
+init_dontaudit_write_utmp(uml_t)
+
+# for xterm
+libs_exec_lib_files(uml_t)
+
+# Inherit and use descriptors from newrole.
+seutil_use_newrole_fds(uml_t)
+
+# Use the network.
+sysnet_read_config(uml_t)
+
+userdom_use_user_terminals(uml_t)
+userdom_attach_admin_tun_iface(uml_t)
+
+optional_policy(`
+ nis_use_ypbind(uml_t)
+')
+
+optional_policy(`
+ virt_attach_tun_iface(uml_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+dontaudit uml_switch_t self:capability sys_tty_config;
+allow uml_switch_t self:process signal_perms;
+allow uml_switch_t self:unix_dgram_socket create_socket_perms;
+allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t)
+manage_sock_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t)
+files_pid_filetrans(uml_switch_t, uml_switch_var_run_t, file)
+
+kernel_read_kernel_sysctls(uml_switch_t)
+kernel_list_proc(uml_switch_t)
+kernel_read_proc_symlinks(uml_switch_t)
+
+dev_read_sysfs(uml_switch_t)
+
+domain_use_interactive_fds(uml_switch_t)
+
+fs_getattr_all_fs(uml_switch_t)
+fs_search_auto_mountpoints(uml_switch_t)
+
+term_dontaudit_use_console(uml_switch_t)
+
+init_use_fds(uml_switch_t)
+init_use_script_ptys(uml_switch_t)
+
+logging_send_syslog_msg(uml_switch_t)
+
+miscfiles_read_localization(uml_switch_t)
+
+userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
+userdom_dontaudit_search_user_home_dirs(uml_switch_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(uml_switch_t)
+')
+
+optional_policy(`
+ udev_read_db(uml_switch_t)
+')
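Review bot: The type sets `{ uml_ro_t uml_ro_t }` in the three rules under `# access config files` and `{ uml_exec_t uml_exec_t }` in `can_exec` list the same type twice, which looks like a leftover from collapsing the per-role user_/sysadm_ aliases; write them as `allow uml_t uml_ro_t:dir list_dir_perms;`, `read_files_pattern(uml_t, uml_ro_t, uml_ro_t)` and `can_exec(uml_t, uml_exec_t)`. `kernel_write_proc_files(uml_t)` already carries a "need something better" comment; write access to proc_t for a user-launched domain merits a TODO naming the specific /proc file SKAS needs so it can be narrowed. The second `# Local policy` header should read `# uml_switch local policy` so the two domains' sections are distinguishable.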
diff --git a/policy/modules/contrib/updfstab.fc b/policy/modules/contrib/updfstab.fc
new file mode 100644
index 00000000..e534c88b
--- /dev/null
+++ b/policy/modules/contrib/updfstab.fc
@@ -0,0 +1,3 @@
+
+/usr/sbin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0)
+/usr/sbin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0)
diff --git a/policy/modules/contrib/updfstab.if b/policy/modules/contrib/updfstab.if
new file mode 100644
index 00000000..4d4b60e0
--- /dev/null
+++ b/policy/modules/contrib/updfstab.if
@@ -0,0 +1,21 @@
+## <summary>Red Hat utility to change /etc/fstab.</summary>
+
+########################################
+## <summary>
+## Execute updfstab in the updfstab domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`updfstab_domtrans',`
+ gen_require(`
+ type updfstab_t, updfstab_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, updfstab_exec_t, updfstab_t)
+')
diff --git a/policy/modules/contrib/updfstab.te b/policy/modules/contrib/updfstab.te
new file mode 100644
index 00000000..ef12ed52
--- /dev/null
+++ b/policy/modules/contrib/updfstab.te
@@ -0,0 +1,116 @@
+policy_module(updfstab, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type updfstab_t;
+type updfstab_exec_t;
+init_system_domain(updfstab_t, updfstab_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow updfstab_t self:capability dac_override;
+dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
+allow updfstab_t self:process signal_perms;
+allow updfstab_t self:fifo_file rw_fifo_file_perms;
+
+kernel_use_fds(updfstab_t)
+kernel_read_kernel_sysctls(updfstab_t)
+kernel_dontaudit_write_kernel_sysctl(updfstab_t)
+# for /proc/partitions
+kernel_read_system_state(updfstab_t)
+# cjp: why is this required
+kernel_change_ring_buffer_level(updfstab_t)
+
+dev_read_sysfs(updfstab_t)
+dev_manage_generic_symlinks(updfstab_t)
+
+fs_getattr_xattr_fs(updfstab_t)
+fs_getattr_tmpfs(updfstab_t)
+fs_getattr_tmpfs_dirs(updfstab_t)
+fs_search_auto_mountpoints(updfstab_t)
+
+selinux_get_fs_mount(updfstab_t)
+selinux_validate_context(updfstab_t)
+selinux_compute_access_vector(updfstab_t)
+selinux_compute_create_context(updfstab_t)
+selinux_compute_relabel_context(updfstab_t)
+selinux_compute_user_contexts(updfstab_t)
+
+storage_raw_read_fixed_disk(updfstab_t)
+storage_raw_write_fixed_disk(updfstab_t)
+storage_raw_read_removable_device(updfstab_t)
+storage_raw_write_removable_device(updfstab_t)
+storage_read_scsi_generic(updfstab_t)
+storage_write_scsi_generic(updfstab_t)
+
+term_dontaudit_use_console(updfstab_t)
+
+corecmd_exec_bin(updfstab_t)
+
+domain_use_interactive_fds(updfstab_t)
+
+files_manage_mnt_files(updfstab_t)
+files_manage_mnt_dirs(updfstab_t)
+files_manage_mnt_symlinks(updfstab_t)
+files_manage_etc_files(updfstab_t)
+files_dontaudit_search_home(updfstab_t)
+# for /etc/mtab
+files_read_etc_runtime_files(updfstab_t)
+
+init_use_fds(updfstab_t)
+init_use_script_ptys(updfstab_t)
+
+logging_send_syslog_msg(updfstab_t)
+logging_search_logs(updfstab_t)
+
+miscfiles_read_localization(updfstab_t)
+
+seutil_read_config(updfstab_t)
+seutil_read_default_contexts(updfstab_t)
+seutil_read_file_contexts(updfstab_t)
+
+userdom_dontaudit_search_user_home_content(updfstab_t)
+userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
+
+optional_policy(`
+ auth_domtrans_pam_console(updfstab_t)
+')
+
+optional_policy(`
+ init_dbus_chat_script(updfstab_t)
+
+ dbus_system_bus_client(updfstab_t)
+')
+
+optional_policy(`
+ fstools_getattr_swap_files(updfstab_t)
+')
+
+optional_policy(`
+ hal_stream_connect(updfstab_t)
+ hal_dbus_chat(updfstab_t)
+')
+
+optional_policy(`
+ modutils_read_module_config(updfstab_t)
+ modutils_exec_insmod(updfstab_t)
+ modutils_read_module_deps(updfstab_t)
+')
+
+optional_policy(`
+ nscd_socket_use(updfstab_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(updfstab_t)
+')
+
+optional_policy(`
+ udev_read_db(updfstab_t)
+')
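Review bot: `kernel_change_ring_buffer_level(updfstab_t)` is introduced under the comment `# cjp: why is this required`, so the commit ships a privilege its own author could not justify; either replace the comment with the observed need (the denial it resolves) or drop the call until one is found. The same scrutiny applies to `storage_raw_write_fixed_disk(updfstab_t)` and `storage_raw_write_removable_device(updfstab_t)`, which give a tool whose stated purpose is editing /etc/fstab write access to raw block devices, and to `files_manage_etc_files(updfstab_t)`, which covers every etc_t file rather than fstab alone. A one-line why-comment on each, in the style of the existing `# for /proc/partitions`, would let a later reviewer tell required from inherited.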
diff --git a/policy/modules/contrib/uptime.fc b/policy/modules/contrib/uptime.fc
new file mode 100644
index 00000000..e30d6fc0
--- /dev/null
+++ b/policy/modules/contrib/uptime.fc
@@ -0,0 +1,6 @@
+
+/etc/uptimed\.conf -- gen_context(system_u:object_r:uptimed_etc_t,s0)
+
+/usr/sbin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0)
+
+/var/spool/uptimed(/.*)? gen_context(system_u:object_r:uptimed_spool_t,s0)
diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
new file mode 100644
index 00000000..447abf76
--- /dev/null
+++ b/policy/modules/contrib/uptime.if
@@ -0,0 +1 @@
+## <summary>Uptime daemon</summary>
diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
new file mode 100644
index 00000000..c2cf97e2
--- /dev/null
+++ b/policy/modules/contrib/uptime.te
@@ -0,0 +1,73 @@
+policy_module(uptime, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type uptimed_t;
+type uptimed_exec_t;
+init_daemon_domain(uptimed_t, uptimed_exec_t)
+
+type uptimed_etc_t alias etc_uptimed_t;
+files_config_file(uptimed_etc_t)
+
+type uptimed_spool_t;
+files_type(uptimed_spool_t)
+
+type uptimed_var_run_t;
+files_pid_file(uptimed_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit uptimed_t self:capability sys_tty_config;
+allow uptimed_t self:process signal_perms;
+allow uptimed_t self:fifo_file write_file_perms;
+
+allow uptimed_t uptimed_etc_t:file read_file_perms;
+files_search_etc(uptimed_t)
+
+allow uptimed_t uptimed_spool_t:file manage_file_perms;
+
+manage_files_pattern(uptimed_t, uptimed_var_run_t, uptimed_var_run_t)
+files_pid_filetrans(uptimed_t, uptimed_var_run_t, file)
+
+manage_dirs_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t)
+manage_files_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t)
+files_spool_filetrans(uptimed_t, uptimed_spool_t, { dir file })
+
+kernel_read_system_state(uptimed_t)
+kernel_read_kernel_sysctls(uptimed_t)
+
+corecmd_exec_shell(uptimed_t)
+
+dev_read_sysfs(uptimed_t)
+
+domain_use_interactive_fds(uptimed_t)
+
+files_read_etc_runtime_files(uptimed_t)
+
+fs_getattr_all_fs(uptimed_t)
+fs_search_auto_mountpoints(uptimed_t)
+
+logging_send_syslog_msg(uptimed_t)
+
+miscfiles_read_localization(uptimed_t)
+
+userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
+userdom_dontaudit_search_user_home_dirs(uptimed_t)
+
+optional_policy(`
+ mta_send_mail(uptimed_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(uptimed_t)
+')
+
+optional_policy(`
+ udev_read_db(uptimed_t)
+')
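Review bot: `allow uptimed_t uptimed_spool_t:file manage_file_perms;` is made redundant by `manage_files_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t)` a few lines below, which grants the same file permissions plus the directory access; the bare allow can be dropped. On the self rules, `allow uptimed_t self:fifo_file write_file_perms;` applies the file permission set to a fifo where the rest of this commit uses the fifo-specific macro (uux_t gets `write_fifo_file_perms` in uucp.te), so `allow uptimed_t self:fifo_file write_fifo_file_perms;` would be consistent. `corecmd_exec_shell(uptimed_t)` is the one broad grant in an otherwise small daemon policy and carries no comment saying what the daemon shells out to.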
diff --git a/policy/modules/contrib/usbmodules.fc b/policy/modules/contrib/usbmodules.fc
new file mode 100644
index 00000000..a008efb5
--- /dev/null
+++ b/policy/modules/contrib/usbmodules.fc
@@ -0,0 +1,9 @@
+#
+# /sbin
+#
+/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
diff --git a/policy/modules/contrib/usbmodules.if b/policy/modules/contrib/usbmodules.if
new file mode 100644
index 00000000..b7eade34
--- /dev/null
+++ b/policy/modules/contrib/usbmodules.if
@@ -0,0 +1,46 @@
+## <summary>List kernel modules of USB devices</summary>
+
+########################################
+## <summary>
+## Execute usbmodules in the usbmodules domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usbmodules_domtrans',`
+ gen_require(`
+ type usbmodules_t, usbmodules_exec_t;
+ ')
+
+ domtrans_pattern($1, usbmodules_exec_t, usbmodules_t)
+')
+
+########################################
+## <summary>
+## Execute usbmodules in the usbmodules domain, and
+## allow the specified role the usbmodules domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usbmodules_run',`
+ gen_require(`
+ type usbmodules_t;
+ ')
+
+ usbmodules_domtrans($1)
+ role $2 types usbmodules_t;
+')
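Review bot: The summary of `usbmodules_run` promises "use the caller's terminal", but the body only calls `usbmodules_domtrans($1)` and adds `role $2 types usbmodules_t;`; terminal access actually comes from `userdom_use_user_terminals(usbmodules_t)` in usbmodules.te, so the summary should read `## Execute usbmodules in the usbmodules domain, and allow the specified role the usbmodules domain.`. Style-wise, this interface binds the role directly while `usernetctl_run` in the same commit goes through a role attribute (`roleattribute $2 usernetctl_roles;`), and usbmodules.te already hard-codes `role system_r types usbmodules_t;`; one convention for the two `_run` interfaces would help. `usbmodules_domtrans` also omits the `corecmd_search_bin($1)` that `updfstab_domtrans` and `uuidd_domtrans` call before `domtrans_pattern`, which matters if a caller cannot otherwise search bin directories.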
diff --git a/policy/modules/contrib/usbmodules.te b/policy/modules/contrib/usbmodules.te
new file mode 100644
index 00000000..74354da7
--- /dev/null
+++ b/policy/modules/contrib/usbmodules.te
@@ -0,0 +1,47 @@
+policy_module(usbmodules, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type usbmodules_t;
+type usbmodules_exec_t;
+init_system_domain(usbmodules_t, usbmodules_exec_t)
+role system_r types usbmodules_t;
+
+########################################
+#
+# Local policy
+#
+
+kernel_list_proc(usbmodules_t)
+
+files_list_kernel_modules(usbmodules_t)
+
+dev_list_usbfs(usbmodules_t)
+# allow usb device access
+dev_rw_usbfs(usbmodules_t)
+
+files_list_etc(usbmodules_t)
+# needs etc_t read access for the hotplug config, maybe should have a new type
+files_read_etc_files(usbmodules_t)
+
+term_read_console(usbmodules_t)
+term_write_console(usbmodules_t)
+
+init_use_fds(usbmodules_t)
+
+miscfiles_read_hwdata(usbmodules_t)
+
+modutils_read_module_deps(usbmodules_t)
+
+userdom_use_user_terminals(usbmodules_t)
+
+optional_policy(`
+ hotplug_read_config(usbmodules_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(usbmodules_t)
+')
diff --git a/policy/modules/contrib/usbmuxd.fc b/policy/modules/contrib/usbmuxd.fc
new file mode 100644
index 00000000..40b8b8d3
--- /dev/null
+++ b/policy/modules/contrib/usbmuxd.fc
@@ -0,0 +1,3 @@
+/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
diff --git a/policy/modules/contrib/usbmuxd.if b/policy/modules/contrib/usbmuxd.if
new file mode 100644
index 00000000..53792d33
--- /dev/null
+++ b/policy/modules/contrib/usbmuxd.if
@@ -0,0 +1,39 @@
+## <summary>USB multiplexing daemon for communicating with Apple iPod Touch and iPhone</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run usbmuxd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usbmuxd_domtrans',`
+ gen_require(`
+ type usbmuxd_t, usbmuxd_exec_t;
+ ')
+
+ domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t)
+')
+
+#####################################
+## <summary>
+## Connect to usbmuxd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usbmuxd_stream_connect',`
+ gen_require(`
+ type usbmuxd_t, usbmuxd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
+')
diff --git a/policy/modules/contrib/usbmuxd.te b/policy/modules/contrib/usbmuxd.te
new file mode 100644
index 00000000..4440aa68
--- /dev/null
+++ b/policy/modules/contrib/usbmuxd.te
@@ -0,0 +1,42 @@
+policy_module(usbmuxd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type usbmuxd_t;
+type usbmuxd_exec_t;
+application_domain(usbmuxd_t, usbmuxd_exec_t)
+role system_r types usbmuxd_t;
+
+type usbmuxd_var_run_t;
+files_pid_file(usbmuxd_var_run_t)
+
+########################################
+#
+# usbmuxd local policy
+#
+
+allow usbmuxd_t self:capability { kill setgid setuid };
+allow usbmuxd_t self:process { fork signal signull };
+allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
+
+kernel_read_kernel_sysctls(usbmuxd_t)
+kernel_read_system_state(usbmuxd_t)
+
+dev_read_sysfs(usbmuxd_t)
+dev_rw_generic_usb_dev(usbmuxd_t)
+
+files_read_etc_files(usbmuxd_t)
+
+miscfiles_read_localization(usbmuxd_t)
+
+auth_use_nsswitch(usbmuxd_t)
+
+logging_send_syslog_msg(usbmuxd_t)
diff --git a/policy/modules/contrib/userhelper.fc b/policy/modules/contrib/userhelper.fc
new file mode 100644
index 00000000..e70b0e8b
--- /dev/null
+++ b/policy/modules/contrib/userhelper.fc
@@ -0,0 +1,9 @@
+#
+# /etc
+#
+/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
diff --git a/policy/modules/contrib/userhelper.if b/policy/modules/contrib/userhelper.if
new file mode 100644
index 00000000..65baaac6
--- /dev/null
+++ b/policy/modules/contrib/userhelper.if
@@ -0,0 +1,257 @@
+## <summary>SELinux utility to run a shell with a new role</summary>
+
+#######################################
+## <summary>
+## The role template for the userhelper module.
+## </summary>
+## <param name="userrole_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The user role.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The user domain associated with the role.
+## </summary>
+## </param>
+#
+template(`userhelper_role_template',`
+ gen_require(`
+ attribute userhelper_type;
+ type userhelper_exec_t, userhelper_conf_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_userhelper_t, userhelper_type;
+ userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)
+ domain_role_change_exemption($1_userhelper_t)
+ domain_obj_id_change_exemption($1_userhelper_t)
+ domain_interactive_fd($1_userhelper_t)
+ domain_subj_id_change_exemption($1_userhelper_t)
+ role $2 types $1_userhelper_t;
+
+ ########################################
+ #
+ # Local policy
+ #
+ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
+ allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_userhelper_t self:process setexec;
+ allow $1_userhelper_t self:fd use;
+ allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
+ allow $1_userhelper_t self:shm create_shm_perms;
+ allow $1_userhelper_t self:sem create_sem_perms;
+ allow $1_userhelper_t self:msgq create_msgq_perms;
+ allow $1_userhelper_t self:msg { send receive };
+ allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
+ allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_userhelper_t self:unix_dgram_socket sendto;
+ allow $1_userhelper_t self:unix_stream_socket connectto;
+ allow $1_userhelper_t self:sock_file read_sock_file_perms;
+
+ #Transition to the derived domain.
+ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
+
+ allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
+ rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)
+
+ can_exec($1_userhelper_t, userhelper_exec_t)
+
+ dontaudit $3 $1_userhelper_t:process signal;
+
+ kernel_read_all_sysctls($1_userhelper_t)
+ kernel_getattr_debugfs($1_userhelper_t)
+ kernel_read_system_state($1_userhelper_t)
+
+ # Execute shells
+ corecmd_exec_shell($1_userhelper_t)
+ # By default, revert to the calling domain when a program is executed
+ corecmd_bin_domtrans($1_userhelper_t, $3)
+
+ # Inherit descriptors from the current session.
+ domain_use_interactive_fds($1_userhelper_t)
+ # for when the user types "exec userhelper" at the command line
+ domain_sigchld_interactive_fds($1_userhelper_t)
+
+ dev_read_urand($1_userhelper_t)
+ # Read /dev directories and any symbolic links.
+ dev_list_all_dev_nodes($1_userhelper_t)
+
+ files_list_var_lib($1_userhelper_t)
+ # Read the /etc/security/default_type file
+ files_read_etc_files($1_userhelper_t)
+ # Read /var.
+ files_read_var_files($1_userhelper_t)
+ files_read_var_symlinks($1_userhelper_t)
+ # for some PAM modules and for cwd
+ files_search_home($1_userhelper_t)
+
+ fs_search_auto_mountpoints($1_userhelper_t)
+ fs_read_nfs_files($1_userhelper_t)
+ fs_read_nfs_symlinks($1_userhelper_t)
+
+ # Allow $1_userhelper to obtain contexts to relabel TTYs
+ selinux_get_fs_mount($1_userhelper_t)
+ selinux_validate_context($1_userhelper_t)
+ selinux_compute_access_vector($1_userhelper_t)
+ selinux_compute_create_context($1_userhelper_t)
+ selinux_compute_relabel_context($1_userhelper_t)
+ selinux_compute_user_contexts($1_userhelper_t)
+
+ # Read the devpts root directory.
+ term_list_ptys($1_userhelper_t)
+ # Relabel terminals.
+ term_relabel_all_ttys($1_userhelper_t)
+ term_relabel_all_ptys($1_userhelper_t)
+ # Access terminals.
+ term_use_all_ttys($1_userhelper_t)
+ term_use_all_ptys($1_userhelper_t)
+
+ auth_domtrans_chk_passwd($1_userhelper_t)
+ auth_manage_pam_pid($1_userhelper_t)
+ auth_manage_var_auth($1_userhelper_t)
+ auth_search_pam_console_data($1_userhelper_t)
+
+ # Inherit descriptors from the current session.
+ init_use_fds($1_userhelper_t)
+ # Write to utmp.
+ init_manage_utmp($1_userhelper_t)
+ init_pid_filetrans_utmp($1_userhelper_t)
+
+ miscfiles_read_localization($1_userhelper_t)
+
+ seutil_read_config($1_userhelper_t)
+ seutil_read_default_contexts($1_userhelper_t)
+
+ # Allow $1_userhelper_t to transition to user domains.
+ userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
+ userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
+
+ ifdef(`distro_redhat',`
+ optional_policy(`
+ # Allow transitioning to rpm_t, for up2date
+ rpm_domtrans($1_userhelper_t)
+ ')
+ ')
+
+ optional_policy(`
+ logging_send_syslog_msg($1_userhelper_t)
+ ')
+
+ optional_policy(`
+ nis_use_ypbind($1_userhelper_t)
+ ')
+
+ optional_policy(`
+ nscd_socket_use($1_userhelper_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`! secure_mode',`
+ #if we are not in secure mode then we can transition to sysadm_t
+ sysadm_bin_spec_domtrans($1_userhelper_t)
+ sysadm_entry_spec_domtrans($1_userhelper_t)
+ ')
+ ')
+')
+
+########################################
+## <summary>
+## Search the userhelper configuration directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_search_config',`
+ gen_require(`
+ type userhelper_conf_t;
+ ')
+
+ allow $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## the userhelper configuration directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userhelper_dontaudit_search_config',`
+ gen_require(`
+ type userhelper_conf_t;
+ ')
+
+ dontaudit $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to use userhelper file descriptor.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_use_fd',`
+ gen_require(`
+ attribute userhelper_type;
+ ')
+
+ allow $1 userhelper_type:fd use;
+')
+
+########################################
+## <summary>
+## Allow domain to send sigchld to userhelper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_sigchld',`
+ gen_require(`
+ attribute userhelper_type;
+ ')
+
+ allow $1 userhelper_type:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute the userhelper program in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_exec',`
+ gen_require(`
+ type userhelper_exec_t;
+ ')
+
+ can_exec($1, userhelper_exec_t)
+')
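Review bot: `allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` excludes setexec and the very next line `allow $1_userhelper_t self:process setexec;` grants it back, so the exclusion list misleads; remove setexec from the negated set and keep the explicit grant with a comment on why it is needed, or keep the exclusion and drop the grant, whichever the transition code actually needs. More generally the negated set grants every process permission not named, including any added to the class later, which cuts against least privilege for a domain that also receives `term_relabel_all_ttys` and `domain_role_change_exemption`; the same `~{ ... }` form appears for usernetctl_t in usernetctl.te. The template is long enough that each optional_policy block would benefit from the kind of why-comment the `rpm_domtrans` block already has.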
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
new file mode 100644
index 00000000..f25ed61f
--- /dev/null
+++ b/policy/modules/contrib/userhelper.te
@@ -0,0 +1,14 @@
+policy_module(userhelper, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute userhelper_type;
+
+type userhelper_conf_t;
+files_type(userhelper_conf_t)
+
+type userhelper_exec_t;
+application_executable_file(userhelper_exec_t)
diff --git a/policy/modules/contrib/usernetctl.fc b/policy/modules/contrib/usernetctl.fc
new file mode 100644
index 00000000..aa07e1e4
--- /dev/null
+++ b/policy/modules/contrib/usernetctl.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0)
diff --git a/policy/modules/contrib/usernetctl.if b/policy/modules/contrib/usernetctl.if
new file mode 100644
index 00000000..d45c7151
--- /dev/null
+++ b/policy/modules/contrib/usernetctl.if
@@ -0,0 +1,45 @@
+## <summary>User network interface configuration helper</summary>
+
+########################################
+## <summary>
+## Execute usernetctl in the usernetctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usernetctl_domtrans',`
+ gen_require(`
+ type usernetctl_t, usernetctl_exec_t;
+ ')
+
+ domtrans_pattern($1, usernetctl_exec_t, usernetctl_t)
+')
+
+########################################
+## <summary>
+## Execute usernetctl in the usernetctl domain, and
+## allow the specified role the usernetctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usernetctl_run',`
+ gen_require(`
+ attribute_role usernetctl_roles;
+ ')
+
+ usernetctl_domtrans($1)
+ roleattribute $2 usernetctl_roles;
+')
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
new file mode 100644
index 00000000..19c70bb1
--- /dev/null
+++ b/policy/modules/contrib/usernetctl.te
@@ -0,0 +1,90 @@
+policy_module(usernetctl, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role usernetctl_roles;
+
+type usernetctl_t;
+type usernetctl_exec_t;
+application_domain(usernetctl_t, usernetctl_exec_t)
+domain_interactive_fd(usernetctl_t)
+role usernetctl_roles types usernetctl_t;
+
+########################################
+#
+# Local policy
+#
+
+allow usernetctl_t self:capability { setuid setgid dac_override };
+allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow usernetctl_t self:fd use;
+allow usernetctl_t self:fifo_file rw_fifo_file_perms;
+allow usernetctl_t self:shm create_shm_perms;
+allow usernetctl_t self:sem create_sem_perms;
+allow usernetctl_t self:msgq create_msgq_perms;
+allow usernetctl_t self:msg { send receive };
+allow usernetctl_t self:unix_dgram_socket create_socket_perms;
+allow usernetctl_t self:unix_stream_socket create_stream_socket_perms;
+allow usernetctl_t self:unix_dgram_socket sendto;
+allow usernetctl_t self:unix_stream_socket connectto;
+
+can_exec(usernetctl_t, usernetctl_exec_t)
+
+kernel_read_system_state(usernetctl_t)
+kernel_read_kernel_sysctls(usernetctl_t)
+
+corecmd_list_bin(usernetctl_t)
+corecmd_exec_bin(usernetctl_t)
+corecmd_exec_shell(usernetctl_t)
+
+domain_dontaudit_read_all_domains_state(usernetctl_t)
+
+files_read_etc_files(usernetctl_t)
+files_exec_etc_files(usernetctl_t)
+files_read_etc_runtime_files(usernetctl_t)
+files_list_pids(usernetctl_t)
+files_list_home(usernetctl_t)
+files_read_usr_files(usernetctl_t)
+
+fs_search_auto_mountpoints(usernetctl_t)
+
+auth_use_nsswitch(usernetctl_t)
+
+logging_send_syslog_msg(usernetctl_t)
+
+miscfiles_read_localization(usernetctl_t)
+
+seutil_read_config(usernetctl_t)
+
+sysnet_read_config(usernetctl_t)
+sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
+sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
+
+userdom_use_user_terminals(usernetctl_t)
+
+optional_policy(`
+ consoletype_run(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
+ hostname_exec(usernetctl_t)
+')
+
+optional_policy(`
+ iptables_run(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
+ modutils_run_insmod(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
+ nis_use_ypbind(usernetctl_t)
+')
+
+optional_policy(`
+ ppp_run(usernetctl_t, usernetctl_roles)
+')
diff --git a/policy/modules/contrib/uucp.fc b/policy/modules/contrib/uucp.fc
new file mode 100644
index 00000000..e1c0d8d8
--- /dev/null
+++ b/policy/modules/contrib/uucp.fc
@@ -0,0 +1,11 @@
+
+/usr/bin/uux -- gen_context(system_u:object_r:uux_exec_t,s0)
+
+/usr/sbin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0)
+
+/var/spool/uucp(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
+/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
+
+/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0)
+
+/var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0)
diff --git a/policy/modules/contrib/uucp.if b/policy/modules/contrib/uucp.if
new file mode 100644
index 00000000..ebc5414f
--- /dev/null
+++ b/policy/modules/contrib/uucp.if
@@ -0,0 +1,120 @@
+## <summary>Unix to Unix Copy</summary>
+
+########################################
+## <summary>
+## Execute the uucico program in the
+## uucpd_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uucp_domtrans',`
+ gen_require(`
+ type uucpd_t, uucpd_exec_t;
+ ')
+
+ domtrans_pattern($1, uucpd_exec_t, uucpd_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## to uucp log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uucp_append_log',`
+ gen_require(`
+ type uucpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 uucpd_log_t:dir list_dir_perms;
+ append_files_pattern($1, uucpd_log_t, uucpd_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete uucp spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uucp_manage_spool',`
+ gen_require(`
+ type uucpd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, uucpd_spool_t, uucpd_spool_t)
+ manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
+ manage_lnk_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
+')
+
+########################################
+## <summary>
+## Execute the master uux program in the
+## uux_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uucp_domtrans_uux',`
+ gen_require(`
+ type uux_t, uux_exec_t;
+ ')
+
+ domtrans_pattern($1, uux_exec_t, uux_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an uucp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`uucp_admin',`
+ gen_require(`
+ type uucpd_t, uucpd_tmp_t, uucpd_log_t;
+ type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t;
+ type uucpd_var_run_t;
+ ')
+
+ allow $1 uucpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, uucpd_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, uucpd_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, uucpd_spool_t)
+
+ admin_pattern($1, uucpd_ro_t)
+
+ admin_pattern($1, uucpd_rw_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, uucpd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, uucpd_var_run_t)
+')
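Review bot: `uucp_admin` requires and administers `uucpd_tmp_t`, `uucpd_log_t`, `uucpd_spool_t`, `uucpd_ro_t`, `uucpd_rw_t` and `uucpd_var_run_t` but not `uucpd_lock_t`, which uucp.te declares with `files_lock_file(uucpd_lock_t)` and uucp.fc labels under /var/lock/uucp, so an admin role could not clean stale lock files. Adding `type uucpd_lock_t;` to the gen_require and `files_search_locks($1)` followed by `admin_pattern($1, uucpd_lock_t)` would bring the interface in line with the other types. The interface also grants `allow $1 uucpd_t:process { ptrace signal_perms };` with no comment on why ptrace of the daemon is part of administration.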
diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te
new file mode 100644
index 00000000..d4349e90
--- /dev/null
+++ b/policy/modules/contrib/uucp.te
@@ -0,0 +1,149 @@
+policy_module(uucp, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+type uucpd_t;
+type uucpd_exec_t;
+inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
+
+type uucpd_lock_t;
+files_lock_file(uucpd_lock_t)
+
+type uucpd_tmp_t;
+files_tmp_file(uucpd_tmp_t)
+
+type uucpd_var_run_t;
+files_pid_file(uucpd_var_run_t)
+
+type uucpd_rw_t;
+files_type(uucpd_rw_t)
+
+type uucpd_ro_t;
+files_type(uucpd_ro_t)
+
+type uucpd_spool_t;
+files_type(uucpd_spool_t)
+
+type uucpd_log_t;
+logging_log_file(uucpd_log_t)
+
+type uux_t;
+type uux_exec_t;
+application_domain(uux_t, uux_exec_t)
+role system_r types uux_t;
+
+########################################
+#
+# UUCPd Local policy
+#
+allow uucpd_t self:capability { setuid setgid };
+allow uucpd_t self:process signal_perms;
+allow uucpd_t self:fifo_file rw_fifo_file_perms;
+allow uucpd_t self:tcp_socket connected_stream_socket_perms;
+allow uucpd_t self:udp_socket create_socket_perms;
+allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+allow uucpd_t uucpd_log_t:dir setattr;
+manage_files_pattern(uucpd_t, uucpd_log_t, uucpd_log_t)
+logging_log_filetrans(uucpd_t, uucpd_log_t, { file dir })
+
+allow uucpd_t uucpd_ro_t:dir list_dir_perms;
+read_files_pattern(uucpd_t, uucpd_ro_t, uucpd_ro_t)
+read_lnk_files_pattern(uucpd_t, uucpd_ro_t, uucpd_ro_t)
+
+manage_dirs_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
+manage_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
+manage_lnk_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
+
+uucp_manage_spool(uucpd_t)
+
+manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+files_search_locks(uucpd_t)
+
+manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
+manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
+files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
+
+manage_files_pattern(uucpd_t, uucpd_var_run_t, uucpd_var_run_t)
+files_pid_filetrans(uucpd_t, uucpd_var_run_t, file)
+
+kernel_read_kernel_sysctls(uucpd_t)
+kernel_read_system_state(uucpd_t)
+kernel_read_network_state(uucpd_t)
+
+corenet_all_recvfrom_unlabeled(uucpd_t)
+corenet_all_recvfrom_netlabel(uucpd_t)
+corenet_tcp_sendrecv_generic_if(uucpd_t)
+corenet_udp_sendrecv_generic_if(uucpd_t)
+corenet_tcp_sendrecv_generic_node(uucpd_t)
+corenet_udp_sendrecv_generic_node(uucpd_t)
+corenet_tcp_sendrecv_all_ports(uucpd_t)
+corenet_udp_sendrecv_all_ports(uucpd_t)
+corenet_tcp_connect_ssh_port(uucpd_t)
+
+dev_read_urand(uucpd_t)
+
+fs_getattr_xattr_fs(uucpd_t)
+
+corecmd_exec_bin(uucpd_t)
+corecmd_exec_shell(uucpd_t)
+
+files_read_etc_files(uucpd_t)
+files_search_home(uucpd_t)
+files_search_spool(uucpd_t)
+
+term_setattr_controlling_term(uucpd_t)
+
+auth_use_nsswitch(uucpd_t)
+
+logging_send_syslog_msg(uucpd_t)
+
+miscfiles_read_localization(uucpd_t)
+
+mta_send_mail(uucpd_t)
+
+optional_policy(`
+ cron_system_entry(uucpd_t, uucpd_exec_t)
+')
+
+optional_policy(`
+ kerberos_use(uucpd_t)
+')
+
+optional_policy(`
+ ssh_exec(uucpd_t)
+')
+
+########################################
+#
+# UUX Local policy
+#
+
+allow uux_t self:capability { setuid setgid };
+allow uux_t self:fifo_file write_fifo_file_perms;
+
+uucp_append_log(uux_t)
+uucp_manage_spool(uux_t)
+
+corecmd_exec_bin(uux_t)
+
+files_read_etc_files(uux_t)
+
+fs_rw_anon_inodefs_files(uux_t)
+
+logging_send_syslog_msg(uux_t)
+
+miscfiles_read_localization(uux_t)
+
+optional_policy(`
+ mta_send_mail(uux_t)
+ mta_read_queue(uux_t)
+ sendmail_dontaudit_rw_unix_stream_sockets(uux_t)
+')
+
+optional_policy(`
+ nscd_socket_use(uux_t)
+')
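Review bot: uucp.te calls the module's own interfaces, `uucp_manage_spool(uucpd_t)` and later `uucp_append_log(uux_t)` and `uucp_manage_spool(uux_t)`, instead of the underlying pattern macros; if the refpolicy convention of not using a module's own interfaces inside its .te applies to contrib modules, these should be expanded in place (for uucpd_t, `files_search_spool(uucpd_t)` already appears below, so only the three `manage_*_pattern` lines on uucpd_spool_t are needed). The network rules give uucpd_t `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` while the one outbound connect is scoped to the ssh port; a comment stating which peers and ports uucico actually uses would show whether the all-ports grants are required or inherited.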
diff --git a/policy/modules/contrib/uuidd.fc b/policy/modules/contrib/uuidd.fc
new file mode 100644
index 00000000..a7c93816
--- /dev/null
+++ b/policy/modules/contrib/uuidd.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
+
+/usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
+
+/var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0)
+
+/var/run/uuidd(/.*)? gen_context(system_u:object_r:uuidd_var_run_t,s0)
diff --git a/policy/modules/contrib/uuidd.if b/policy/modules/contrib/uuidd.if
new file mode 100644
index 00000000..5d43bd56
--- /dev/null
+++ b/policy/modules/contrib/uuidd.if
@@ -0,0 +1,190 @@
+## <summary>policy for uuidd</summary>
+
+########################################
+## <summary>
+## Transition to uuidd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uuidd_domtrans',`
+ gen_require(`
+ type uuidd_t, uuidd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, uuidd_exec_t, uuidd_t)
+')
+
+########################################
+## <summary>
+## Execute uuidd server in the uuidd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_initrc_domtrans',`
+ gen_require(`
+ type uuidd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, uuidd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search uuidd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_search_lib',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ allow $1 uuidd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read uuidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_read_lib_files',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage uuidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_manage_lib_files',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage uuidd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_manage_lib_dirs',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read uuidd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_read_pid_files',`
+ gen_require(`
+ type uuidd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 uuidd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to uuidd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_stream_connect_manager',`
+ gen_require(`
+ type uuidd_t, uuidd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an uuidd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`uuidd_admin',`
+ gen_require(`
+ type uuidd_t, uuidd_initrc_exec_t;
+ type uuidd_var_run_t, uuidd_var_lib_t;
+ ')
+
+ allow $1 uuidd_t:process signal_perms;
+ ps_process_pattern($1, uuidd_t)
+
+ uuidd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 uuidd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, uuidd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, uuidd_var_run_t)
+')
diff --git a/policy/modules/contrib/uuidd.te b/policy/modules/contrib/uuidd.te
new file mode 100644
index 00000000..04589dc0
--- /dev/null
+++ b/policy/modules/contrib/uuidd.te
@@ -0,0 +1,44 @@
+policy_module(uuidd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type uuidd_t;
+type uuidd_exec_t;
+init_daemon_domain(uuidd_t, uuidd_exec_t)
+
+type uuidd_initrc_exec_t;
+init_script_file(uuidd_initrc_exec_t)
+
+type uuidd_var_lib_t;
+files_type(uuidd_var_lib_t)
+
+type uuidd_var_run_t;
+files_pid_file(uuidd_var_run_t)
+
+########################################
+#
+# uuidd local policy
+#
+allow uuidd_t self:capability setuid;
+allow uuidd_t self:process signal;
+allow uuidd_t self:fifo_file rw_fifo_file_perms;
+allow uuidd_t self:unix_stream_socket create_stream_socket_perms;
+allow uuidd_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t)
+manage_files_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t)
+
+manage_dirs_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
+manage_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
+manage_sock_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
+
+dev_read_urand(uuidd_t)
+
+domain_use_interactive_fds(uuidd_t)
+
+files_read_etc_files(uuidd_t)
+
+miscfiles_read_localization(uuidd_t)
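Review bot: uuidd_t gets manage_dirs/manage_files/manage_sock_files on uuidd_var_run_t (L193320–L193322) but no files_pid_filetrans, so if the daemon creates /var/run/uuidd or its socket itself at runtime the object inherits the parent's var_run_t label instead of uuidd_var_run_t, and the stream_connect interface in uuidd.if (which keys on uuidd_var_run_t) then fails for clients until a relabel. The same applies to uuidd_var_lib_t. vdagent.te in this same commit shows the pattern; add `files_pid_filetrans(uuidd_t, uuidd_var_run_t, { dir file sock_file })` and `files_var_lib_filetrans(uuidd_t, uuidd_var_lib_t, { dir file })`.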
diff --git a/policy/modules/contrib/uwimap.fc b/policy/modules/contrib/uwimap.fc
new file mode 100644
index 00000000..43bdef0c
--- /dev/null
+++ b/policy/modules/contrib/uwimap.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0)
diff --git a/policy/modules/contrib/uwimap.if b/policy/modules/contrib/uwimap.if
new file mode 100644
index 00000000..83376844
--- /dev/null
+++ b/policy/modules/contrib/uwimap.if
@@ -0,0 +1,20 @@
+## <summary>University of Washington IMAP toolkit POP3 and IMAP mail server</summary>
+
+########################################
+## <summary>
+## Execute the UW IMAP/POP3 servers with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uwimap_domtrans',`
+ gen_require(`
+ type imapd_t, imapd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, imapd_exec_t, imapd_t)
+')
diff --git a/policy/modules/contrib/uwimap.te b/policy/modules/contrib/uwimap.te
new file mode 100644
index 00000000..46d98116
--- /dev/null
+++ b/policy/modules/contrib/uwimap.te
@@ -0,0 +1,98 @@
+policy_module(uwimap, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type imapd_t;
+type imapd_exec_t;
+init_daemon_domain(imapd_t, imapd_exec_t)
+
+type imapd_tmp_t;
+files_tmp_file(imapd_tmp_t)
+
+type imapd_var_run_t;
+files_pid_file(imapd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+dontaudit imapd_t self:capability sys_tty_config;
+allow imapd_t self:process signal_perms;
+allow imapd_t self:fifo_file rw_fifo_file_perms;
+allow imapd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
+manage_files_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
+files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
+
+manage_files_pattern(imapd_t, imapd_var_run_t, imapd_var_run_t)
+files_pid_filetrans(imapd_t, imapd_var_run_t, file)
+
+kernel_read_kernel_sysctls(imapd_t)
+kernel_list_proc(imapd_t)
+kernel_read_proc_symlinks(imapd_t)
+
+corenet_all_recvfrom_unlabeled(imapd_t)
+corenet_all_recvfrom_netlabel(imapd_t)
+corenet_tcp_sendrecv_generic_if(imapd_t)
+corenet_tcp_sendrecv_generic_node(imapd_t)
+corenet_tcp_sendrecv_all_ports(imapd_t)
+corenet_tcp_bind_generic_node(imapd_t)
+corenet_tcp_bind_pop_port(imapd_t)
+corenet_tcp_connect_all_ports(imapd_t)
+corenet_sendrecv_pop_server_packets(imapd_t)
+corenet_sendrecv_all_client_packets(imapd_t)
+
+dev_read_sysfs(imapd_t)
+#urandom, for ssl
+dev_read_rand(imapd_t)
+dev_read_urand(imapd_t)
+
+domain_use_interactive_fds(imapd_t)
+
+#read /etc/ for hostname nsswitch.conf
+files_read_etc_files(imapd_t)
+
+fs_getattr_all_fs(imapd_t)
+fs_search_auto_mountpoints(imapd_t)
+
+auth_domtrans_chk_passwd(imapd_t)
+
+logging_send_syslog_msg(imapd_t)
+
+miscfiles_read_localization(imapd_t)
+
+sysnet_read_config(imapd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(imapd_t)
+# cjp: this is excessive, should be limited to the
+# mail directories
+userdom_manage_user_home_content_dirs(imapd_t)
+userdom_manage_user_home_content_files(imapd_t)
+userdom_manage_user_home_content_symlinks(imapd_t)
+userdom_manage_user_home_content_pipes(imapd_t)
+userdom_manage_user_home_content_sockets(imapd_t)
+userdom_user_home_dir_filetrans_user_home_content(imapd_t, { dir file lnk_file fifo_file sock_file })
+
+mta_rw_spool(imapd_t)
+
+optional_policy(`
+ inetd_tcp_service_domain(imapd_t, imapd_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(imapd_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(imapd_t, imapd_exec_t)
+')
+
+optional_policy(`
+ udev_read_db(imapd_t)
+')
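Review bot: corenet_tcp_connect_all_ports and corenet_sendrecv_all_client_packets (L193417, L193419) give a network-facing mail daemon unconditional outbound access to every TCP port, the kind of broad grant this same commit gates behind a boolean for varnishd (varnishd_connect_any). Unless the server is known to need arbitrary outbound connections, narrow it to the ports it uses or wrap both lines in `tunable_policy(`imapd_connect_any',` … `')` with a documented default of false. Separately, the comment `#urandom, for ssl` at L193422 sits above dev_read_rand as well as dev_read_urand; a daemon blocking on /dev/random is rarely intended, so either drop dev_read_rand or extend the comment to say why both are required.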
diff --git a/policy/modules/contrib/varnishd.fc b/policy/modules/contrib/varnishd.fc
new file mode 100644
index 00000000..194d123c
--- /dev/null
+++ b/policy/modules/contrib/varnishd.fc
@@ -0,0 +1,18 @@
+/etc/rc\.d/init\.d/varnish -- gen_context(system_u:object_r:varnishd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/varnishlog -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/varnishncsa -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0)
+
+/etc/varnish(/.*)? gen_context(system_u:object_r:varnishd_etc_t,s0)
+
+/usr/bin/varnishlog -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
+/usr/bin/varnisncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
+
+/usr/sbin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0)
+
+/var/lib/varnish(/.*)? gen_context(system_u:object_r:varnishd_var_lib_t,s0)
+
+/var/log/varnish(/.*)? gen_context(system_u:object_r:varnishlog_log_t,s0)
+
+/var/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0)
+/var/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
+/var/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
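Review bot: The second /usr/bin entry is misspelled: `/usr/bin/varnisncsa` (L193482) is missing the `h`, so the real varnishncsa binary is never labeled varnishlog_exec_t and the varnishncsa init script labeled at L193477 would exec it without a transition into varnishlog_t, leaving the log writer in the init script's domain. Fix: `/usr/bin/varnishncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)`.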
diff --git a/policy/modules/contrib/varnishd.if b/policy/modules/contrib/varnishd.if
new file mode 100644
index 00000000..93975d6d
--- /dev/null
+++ b/policy/modules/contrib/varnishd.if
@@ -0,0 +1,216 @@
+## <summary>Varnishd http accelerator daemon</summary>
+
+#######################################
+## <summary>
+## Execute varnishd in the varnishd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`varnishd_domtrans',`
+ gen_require(`
+ type varnishd_t, varnishd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, varnishd_exec_t, varnishd_t)
+')
+
+#######################################
+## <summary>
+## Execute varnishd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_exec',`
+ gen_require(`
+ type varnishd_exec_t;
+ ')
+
+ can_exec($1, varnishd_exec_t)
+')
+
+######################################
+## <summary>
+## Read varnishd configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_read_config',`
+ gen_require(`
+ type varnishd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, varnishd_etc_t, varnishd_etc_t)
+')
+
+#####################################
+## <summary>
+## Read varnish lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_read_lib_files',`
+ gen_require(`
+ type varnishd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read varnish logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_read_log',`
+ gen_require(`
+ type varnishlog_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
+')
+
+######################################
+## <summary>
+## Append varnish logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_append_log',`
+ gen_require(`
+ type varnishlog_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
+')
+
+#####################################
+## <summary>
+## Manage varnish logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_manage_log',`
+ gen_require(`
+ type varnishlog_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to administrate
+## an varnishlog environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the varnishlog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`varnishd_admin_varnishlog',`
+ gen_require(`
+ type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
+ type varnishlog_var_run_t;
+ ')
+
+ allow $1 varnishlog_t:process { ptrace signal_perms };
+ ps_process_pattern($1, varnishlog_t)
+
+ init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 varnishlog_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_pids($1)
+ admin_pattern($1, varnishlog_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, varnishlog_log_t)
+')
+
+#######################################
+## <summary>
+## All of the rules required to administrate
+## an varnishd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the varnishd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`varnishd_admin',`
+ gen_require(`
+ type varnishd_t, varnishd_var_lib_t, varnishd_etc_t;
+ type varnishd_var_run_t, varnishd_tmp_t;
+ type varnishd_initrc_exec_t;
+ ')
+
+ allow $1 varnishd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, varnishd_t)
+
+ init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 varnishd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, varnishd_var_lib_t)
+
+ files_list_etc($1)
+ admin_pattern($1, varnishd_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, varnishd_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, varnishd_tmp_t)
+')
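Review bot: Both admin interfaces grant `ptrace` on the daemon domain (L193656, L193695), which lets the admin role read varnishd_t process memory — including whatever the cache holds — whereas the other admin interfaces added in this commit (uuidd_admin, vdagent_admin) grant only signal_perms. Unless there is a concrete ptrace use case, drop it for consistency: `allow $1 varnishd_t:process signal_perms;` and likewise for varnishlog_t. If it is intentional, a one-line comment on each rule saying why would stop the next cleanup from removing it.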
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
new file mode 100644
index 00000000..f9310f3a
--- /dev/null
+++ b/policy/modules/contrib/varnishd.te
@@ -0,0 +1,118 @@
+policy_module(varnishd, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow varnishd to connect to all ports,
+## not just HTTP.
+## </p>
+## </desc>
+gen_tunable(varnishd_connect_any, false)
+
+type varnishd_t;
+type varnishd_exec_t;
+init_daemon_domain(varnishd_t, varnishd_exec_t)
+
+type varnishd_initrc_exec_t;
+init_script_file(varnishd_initrc_exec_t)
+
+type varnishd_etc_t;
+files_type(varnishd_etc_t)
+
+type varnishd_tmp_t;
+files_tmp_file(varnishd_tmp_t)
+
+type varnishd_var_lib_t;
+files_type(varnishd_var_lib_t)
+
+type varnishd_var_run_t;
+files_pid_file(varnishd_var_run_t)
+
+type varnishlog_t;
+type varnishlog_exec_t;
+init_daemon_domain(varnishlog_t, varnishlog_exec_t)
+
+type varnishlog_initrc_exec_t;
+init_script_file(varnishlog_initrc_exec_t)
+
+type varnishlog_var_run_t;
+files_pid_file(varnishlog_var_run_t)
+
+type varnishlog_log_t;
+files_type(varnishlog_log_t)
+
+########################################
+#
+# varnishd local policy
+#
+
+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+dontaudit varnishd_t self:capability sys_tty_config;
+allow varnishd_t self:process signal;
+allow varnishd_t self:fifo_file rw_fifo_file_perms;
+allow varnishd_t self:tcp_socket create_stream_socket_perms;
+allow varnishd_t self:udp_socket create_socket_perms;
+
+read_files_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
+list_dirs_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
+
+manage_dirs_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
+manage_files_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
+files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir })
+
+exec_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
+manage_dirs_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
+manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
+files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file })
+
+manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
+files_pid_filetrans(varnishd_t, varnishd_var_run_t, file)
+
+kernel_read_system_state(varnishd_t)
+
+corecmd_exec_bin(varnishd_t)
+corecmd_exec_shell(varnishd_t)
+
+corenet_tcp_sendrecv_generic_if(varnishd_t)
+corenet_tcp_bind_generic_node(varnishd_t)
+corenet_tcp_bind_http_port(varnishd_t)
+corenet_tcp_bind_http_cache_port(varnishd_t)
+corenet_tcp_bind_varnishd_port(varnishd_t)
+corenet_tcp_connect_http_cache_port(varnishd_t)
+corenet_tcp_connect_http_port(varnishd_t)
+
+dev_read_urand(varnishd_t)
+
+fs_getattr_all_fs(varnishd_t)
+
+auth_use_nsswitch(varnishd_t)
+
+logging_send_syslog_msg(varnishd_t)
+
+miscfiles_read_localization(varnishd_t)
+
+sysnet_read_config(varnishd_t)
+
+tunable_policy(`varnishd_connect_any',`
+ corenet_tcp_connect_all_ports(varnishd_t)
+ corenet_tcp_bind_all_ports(varnishd_t)
+')
+
+#######################################
+#
+# varnishlog local policy
+#
+
+manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
+files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file)
+
+manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
+manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
+logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir })
+
+files_search_var_lib(varnishlog_t)
+read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t)
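Review bot: The tunable description at L193728–L193733 says varnishd_connect_any lets varnishd *connect* to all ports, but the tunable_policy block at L193820–L193823 also grants corenet_tcp_bind_all_ports, so enabling the boolean to reach an arbitrary backend silently also allows the daemon to listen on any port. Either drop the bind line or make the description honest: `## Allow varnishd to connect to and bind any TCP port, not just HTTP.` Separately, varnishlog_log_t is declared with files_type (L193766) rather than logging_log_file, unlike vdagent_log_t at L194118; if I recall the refpolicy interface correctly that leaves it without the logfile attribute, so generic log-handling interfaces won't cover /var/log/varnish — `logging_log_file(varnishlog_log_t)` fixes that.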
diff --git a/policy/modules/contrib/vbetool.fc b/policy/modules/contrib/vbetool.fc
new file mode 100644
index 00000000..d00970f1
--- /dev/null
+++ b/policy/modules/contrib/vbetool.fc
@@ -0,0 +1 @@
+/usr/sbin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0)
diff --git a/policy/modules/contrib/vbetool.if b/policy/modules/contrib/vbetool.if
new file mode 100644
index 00000000..f46ab176
--- /dev/null
+++ b/policy/modules/contrib/vbetool.if
@@ -0,0 +1,45 @@
+## <summary>run real-mode video BIOS code to alter hardware state</summary>
+
+########################################
+## <summary>
+## Execute vbetool application in the vbetool domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vbetool_domtrans',`
+ gen_require(`
+ type vbetool_t, vbetool_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vbetool_exec_t, vbetool_t)
+')
+
+########################################
+## <summary>
+## Execute vbetool in the vbetool domain, and
+## allow the specified role the vbetool domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`vbetool_run',`
+ gen_require(`
+ type vbetool_t;
+ ')
+
+ vbetool_domtrans($1)
+ role $2 types vbetool_t;
+')
diff --git a/policy/modules/contrib/vbetool.te b/policy/modules/contrib/vbetool.te
new file mode 100644
index 00000000..001c93c7
--- /dev/null
+++ b/policy/modules/contrib/vbetool.te
@@ -0,0 +1,51 @@
+policy_module(vbetool, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Ignore vbetool mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(vbetool_mmap_zero_ignore, false)
+
+type vbetool_t;
+type vbetool_exec_t;
+init_system_domain(vbetool_t, vbetool_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
+allow vbetool_t self:process execmem;
+
+dev_wx_raw_memory(vbetool_t)
+dev_read_raw_memory(vbetool_t)
+dev_rwx_zero(vbetool_t)
+dev_rw_sysfs(vbetool_t)
+dev_rw_xserver_misc(vbetool_t)
+dev_rw_mtrr(vbetool_t)
+
+domain_mmap_low(vbetool_t)
+
+mls_file_read_all_levels(vbetool_t)
+mls_file_write_all_levels(vbetool_t)
+
+term_use_unallocated_ttys(vbetool_t)
+
+miscfiles_read_localization(vbetool_t)
+
+tunable_policy(`vbetool_mmap_zero_ignore',`
+ dontaudit vbetool_t self:memprotect mmap_zero;
+')
+
+optional_policy(`
+ hal_rw_pid_files(vbetool_t)
+ hal_write_log(vbetool_t)
+ hal_dontaudit_append_lib_files(vbetool_t)
+')
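Review bot: The local policy grants sys_admin, write+execute on raw memory, the zero page, MTRRs and MLS read/write at all levels (L193926–L193939) with no explanation, which makes this the most privileged domain in the commit and invites a later "cleanup". A comment tying the grants to the purpose stated in vbetool.if would help, e.g. above L193926: `# vbetool executes real-mode video BIOS code: it needs /dev/mem, the low page and execmem; these cannot be narrowed.` Since vbetool_run in vbetool.if hands this domain to an arbitrary role, it is worth stating in that interface's summary that the role effectively gains raw memory access.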
diff --git a/policy/modules/contrib/vdagent.fc b/policy/modules/contrib/vdagent.fc
new file mode 100644
index 00000000..21c5f418
--- /dev/null
+++ b/policy/modules/contrib/vdagent.fc
@@ -0,0 +1,7 @@
+/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
+
+/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
+/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0)
+
+/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
+/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
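Review bot: The last entry has the escape on the wrong character: `/var/run/spice-vdagentd.\pid` escapes the `p` instead of the `.`, so the pattern contains an unescaped `.` (matches any character) and a `\p` sequence whose meaning depends on the regex engine. It probably still matches the intended file by accident, but it should read `/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)`.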
diff --git a/policy/modules/contrib/vdagent.if b/policy/modules/contrib/vdagent.if
new file mode 100644
index 00000000..e59a0745
--- /dev/null
+++ b/policy/modules/contrib/vdagent.if
@@ -0,0 +1,124 @@
+## <summary>policy for vdagent</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run vdagent.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_domtrans',`
+ gen_require(`
+ type vdagent_t, vdagent_exec_t;
+ ')
+
+ domtrans_pattern($1, vdagent_exec_t, vdagent_t)
+')
+
+#####################################
+## <summary>
+## Getattr on vdagent executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_getattr_exec_files',`
+ gen_require(`
+ type vdagent_exec_t;
+ ')
+
+ allow $1 vdagent_exec_t:file getattr;
+')
+
+#######################################
+## <summary>
+## Get the attributes of vdagent logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_getattr_log',`
+ gen_require(`
+ type vdagent_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 vdagent_log_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Read vdagent PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_read_pid_files',`
+ gen_require(`
+ type vdagent_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 vdagent_var_run_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+## Connect to vdagent over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_stream_connect',`
+ gen_require(`
+ type vdagent_var_run_t, vdagent_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an vdagent environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vdagent_admin',`
+ gen_require(`
+ type vdagent_t, vdagent_var_run_t;
+ ')
+
+ allow $1 vdagent_t:process signal_perms;
+ ps_process_pattern($1, vdagent_t)
+
+ files_search_pids($1)
+ admin_pattern($1, vdagent_var_run_t)
+')
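Review bot: vdagent_domtrans (L193985–L193991) omits `corecmd_search_bin($1)` before the domtrans_pattern call, unlike every other *_domtrans interface in this commit (uuidd, uwimap, varnishd, vbetool), so a caller without search on bin_t gets the transition rule but cannot reach /usr/sbin/spice-vdagentd. Add `corecmd_search_bin($1)` as the first line of the body. vhostmd_domtrans further down has the same omission.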
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
new file mode 100644
index 00000000..29e24e28
--- /dev/null
+++ b/policy/modules/contrib/vdagent.te
@@ -0,0 +1,51 @@
+policy_module(vdagent, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vdagent_t;
+type vdagent_exec_t;
+init_daemon_domain(vdagent_t, vdagent_exec_t)
+
+type vdagent_var_run_t;
+files_pid_file(vdagent_var_run_t)
+
+type vdagent_log_t;
+logging_log_file(vdagent_log_t)
+
+########################################
+#
+# vdagent local policy
+#
+
+dontaudit vdagent_t self:capability sys_admin;
+
+allow vdagent_t self:fifo_file rw_fifo_file_perms;
+allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
+manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
+manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
+files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+logging_log_filetrans(vdagent_t, vdagent_log_t, file)
+
+dev_rw_input_dev(vdagent_t)
+dev_read_sysfs(vdagent_t)
+dev_dontaudit_write_mtrr(vdagent_t)
+
+files_read_etc_files(vdagent_t)
+
+miscfiles_read_localization(vdagent_t)
+
+optional_policy(`
+ consolekit_dbus_chat(vdagent_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(vdagent_t)
+')
diff --git a/policy/modules/contrib/vde.fc b/policy/modules/contrib/vde.fc
new file mode 100644
index 00000000..ab984b06
--- /dev/null
+++ b/policy/modules/contrib/vde.fc
@@ -0,0 +1,5 @@
+/etc/init.d/vde -- gen_context(system_u:object_r:vde_initrc_exec_t,s0)
+/usr/bin/vde_switch -- gen_context(system_u:object_r:vde_exec_t,s0)
+/usr/sbin/vde_tunctl -- gen_context(system_u:object_r:vde_exec_t,s0)
+/var/run/vde\.ctl(/.*)? gen_context(system_u:object_r:vde_var_run_t,s0)
+/tmp/vde.[0-9-]* -s gen_context(system_u:object_r:vde_tmp_t,s0)
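Review bot: Two of the patterns leave `.` unescaped: `/etc/init.d/vde` and `/tmp/vde.[0-9-]*`, where the dot matches any character, while the other .fc files in this commit (and the /var/run/vde\.ctl entry on L194163) escape it. Harmless for labeling in practice but inconsistent; use `/etc/init\.d/vde` and `/tmp/vde\.[0-9-]*`.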
diff --git a/policy/modules/contrib/vde.if b/policy/modules/contrib/vde.if
new file mode 100644
index 00000000..c5c71b03
--- /dev/null
+++ b/policy/modules/contrib/vde.if
@@ -0,0 +1,65 @@
+## <summary>Virtual Distributed Ethernet switch service</summary>
+
+########################################
+## <summary>
+# The rules needed to manage the VDE switches
+## </summary>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the vde domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vde_role',`
+ gen_require(`
+ type vde_t, vde_tmp_t;
+ type vde_var_run_t;
+ type vde_initrc_exec_t, vde_exec_t;
+ ')
+
+ role $1 types vde_t;
+
+ allow $2 vde_t:process { ptrace signal_perms };
+ allow vde_t $2:process { sigchld signull };
+ allow vde_t $2:fd use;
+ allow vde_t $2:tun_socket { relabelfrom };
+ allow vde_t self:tun_socket { relabelfrom relabelto };
+ ps_process_pattern($2, vde_t)
+
+ domain_auto_trans($2, vde_exec_t, vde_t)
+')
+
+########################################
+## <summary>
+# Allow communication with the VDE service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vde_connect',`
+ gen_require(`
+ type vde_t, vde_var_run_t, vde_tmp_t;
+ ')
+
+ allow $1 vde_var_run_t:sock_file write_sock_file_perms;
+ allow $1 vde_t:unix_stream_socket { connectto };
+ allow $1 vde_t:unix_dgram_socket { sendto };
+ allow vde_t $1:unix_dgram_socket { sendto };
+
+ allow $1 vde_tmp_t:sock_file manage_sock_file_perms;
+ files_tmp_filetrans($1, vde_tmp_t, sock_file)
+
+ tunable_policy(`gentoo_try_dontaudit',`
+ dontaudit $1 vde_var_run_t:sock_file { setattr };
+ ')
+')
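Review bot: The summary text in both interfaces is on a `#` line instead of `##` (L194175, L194210), so the refpolicy doc generator sees an empty <summary> for vde_role and vde_connect; change them to `## The rules needed to manage the VDE switches` and `## Allow communication with the VDE service`. vde_connect also carries `<rolecap/>` (L194217) although it takes no role parameter. vde_role uses domain_auto_trans and hand-rolls the fd/sigchld rules that domtrans_pattern, used by every other interface in this commit, would supply. The gentoo_try_dontaudit tunable at L194232 looks Gentoo-specific; if this module is meant for upstream it will not resolve.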
diff --git a/policy/modules/contrib/vde.te b/policy/modules/contrib/vde.te
new file mode 100644
index 00000000..3b894916
--- /dev/null
+++ b/policy/modules/contrib/vde.te
@@ -0,0 +1,49 @@
+policy_module(vde, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type vde_t;
+type vde_exec_t;
+init_daemon_domain(vde_t, vde_exec_t)
+
+type vde_initrc_exec_t;
+init_script_file(vde_initrc_exec_t)
+
+type vde_var_lib_t;
+files_type(vde_var_lib_t)
+
+type vde_var_run_t;
+files_pid_file(vde_var_run_t)
+
+type vde_tmp_t;
+files_tmp_file(vde_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vde_t self:process { signal_perms getcap setcap };
+allow vde_t self:capability { chown net_admin dac_override fowner fsetid };
+
+allow vde_t vde_tmp_t:sock_file manage_sock_file_perms;
+allow vde_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow vde_t self:unix_dgram_socket create_socket_perms;
+files_tmp_filetrans(vde_t, vde_tmp_t, sock_file)
+
+manage_dirs_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+manage_files_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+manage_sock_files_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+files_pid_filetrans(vde_t, vde_var_run_t, { dir file sock_file unix_dgram_socket })
+
+files_read_etc_files(vde_t)
+
+domain_use_interactive_fds(vde_t)
+userdom_use_user_terminals(vde_t)
+miscfiles_read_localization(vde_t)
+corenet_rw_tun_tap_dev(vde_t)
+
+logging_send_syslog_msg(vde_t)
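Review bot: vde_var_lib_t is declared (L194256–L194257) but nothing in the local policy uses it and vde.fc has no /var/lib entry for it, so it is a dead type; either add the rules and labels or drop the declaration. The files_pid_filetrans at L194281 lists `unix_dgram_socket` among the classes; a type_transition on a socket class for objects created under /var/run has no effect that I can see (filesystem sockets are sock_file), so the list should be `{ dir file sock_file }`.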
diff --git a/policy/modules/contrib/vhostmd.fc b/policy/modules/contrib/vhostmd.fc
new file mode 100644
index 00000000..c1fb3292
--- /dev/null
+++ b/policy/modules/contrib/vhostmd.fc
@@ -0,0 +1,5 @@
+/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
+
+/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
+
+/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)
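Review bot: Both the init-script and pid entries use unescaped dots (`/etc/rc.d/init.d/vhostmd`, `/var/run/vhostmd.pid`), which match any character in the regex, whereas the other .fc files in this commit escape them. Use `/etc/rc\.d/init\.d/vhostmd` and `/var/run/vhostmd\.pid`.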
diff --git a/policy/modules/contrib/vhostmd.if b/policy/modules/contrib/vhostmd.if
new file mode 100644
index 00000000..1f872b5e
--- /dev/null
+++ b/policy/modules/contrib/vhostmd.if
@@ -0,0 +1,224 @@
+## <summary>Virtual host metrics daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run vhostmd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vhostmd_domtrans',`
+ gen_require(`
+ type vhostmd_t, vhostmd_exec_t;
+ ')
+
+ domtrans_pattern($1, vhostmd_exec_t, vhostmd_t)
+')
+
+########################################
+## <summary>
+## Execute vhostmd server in the vhostmd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vhostmd_initrc_domtrans',`
+ gen_require(`
+ type vhostmd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, vhostmd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Allow domain to read, vhostmd tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_read_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ allow $1 vhostmd_tmpfs_t:file read_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## vhostmd tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`vhostmd_dontaudit_read_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ dontaudit $1 vhostmd_tmpfs_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow domain to read and write vhostmd tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_rw_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete vhostmd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_manage_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Read vhostmd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_read_pid_files',`
+ gen_require(`
+ type vhostmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 vhostmd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage vhostmd var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_manage_pid_files',`
+ gen_require(`
+ type vhostmd_var_run_t;
+ ')
+
+ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to vhostmd over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_stream_connect',`
+ gen_require(`
+ type vhostmd_t, vhostmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t)
+')
+
+#######################################
+## <summary>
+## Dontaudit read and write to vhostmd
+## over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`vhostmd_dontaudit_rw_stream_connect',`
+ gen_require(`
+ type vhostmd_t;
+ ')
+
+ dontaudit $1 vhostmd_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an vhostmd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vhostmd_admin',`
+ gen_require(`
+ type vhostmd_t, vhostmd_initrc_exec_t;
+ ')
+
+ allow $1 vhostmd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, vhostmd_t)
+
+ vhostmd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 vhostmd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ vhostmd_manage_tmpfs_files($1)
+
+ vhostmd_manage_pid_files($1)
+
+')
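Review bot: `vhostmd_manage_pid_files` omits the `files_search_pids($1)` that `vhostmd_read_pid_files` and `virt_manage_pid_files` both carry, so a caller that cannot already search /var/run gets the manage rules but still fails on the directory lookup; add `files_search_pids($1)` before the `manage_files_pattern` line. The three tmpfs interfaces call `files_search_tmp($1)`, but vhostmd.te creates these files with `fs_tmpfs_filetrans`, i.e. on a tmpfs mount rather than under /tmp, so the search rule callers actually need looks to be `fs_search_tmpfs($1)` — worth confirming against where vhostmd writes its metrics file. `vhostmd_stream_connect` also assumes a socket labelled `vhostmd_var_run_t`, yet nothing in vhostmd.te lets the daemon create a sock_file under that type, so the interface is dead as written.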
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
new file mode 100644
index 00000000..32a3c135
--- /dev/null
+++ b/policy/modules/contrib/vhostmd.te
@@ -0,0 +1,76 @@
+policy_module(vhostmd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vhostmd_t;
+type vhostmd_exec_t;
+init_daemon_domain(vhostmd_t, vhostmd_exec_t)
+
+type vhostmd_initrc_exec_t;
+init_script_file(vhostmd_initrc_exec_t)
+
+type vhostmd_tmpfs_t;
+files_tmpfs_file(vhostmd_tmpfs_t)
+
+type vhostmd_var_run_t;
+files_pid_file(vhostmd_var_run_t)
+
+########################################
+#
+# vhostmd local policy
+#
+
+allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
+allow vhostmd_t self:process { setsched getsched };
+allow vhostmd_t self:fifo_file rw_file_perms;
+
+manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir })
+
+manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir })
+
+kernel_read_system_state(vhostmd_t)
+kernel_read_network_state(vhostmd_t)
+kernel_write_xen_state(vhostmd_t)
+
+corecmd_exec_bin(vhostmd_t)
+corecmd_exec_shell(vhostmd_t)
+
+corenet_tcp_connect_soundd_port(vhostmd_t)
+
+files_read_etc_files(vhostmd_t)
+files_read_usr_files(vhostmd_t)
+
+dev_read_sysfs(vhostmd_t)
+
+auth_use_nsswitch(vhostmd_t)
+
+logging_send_syslog_msg(vhostmd_t)
+
+miscfiles_read_localization(vhostmd_t)
+
+optional_policy(`
+ hostname_exec(vhostmd_t)
+')
+
+optional_policy(`
+ rpm_exec(vhostmd_t)
+ rpm_read_db(vhostmd_t)
+')
+
+optional_policy(`
+ virt_stream_connect(vhostmd_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(vhostmd_t)
+ xen_stream_connect(vhostmd_t)
+ xen_stream_connect_xenstore(vhostmd_t)
+ xen_stream_connect_xm(vhostmd_t)
+')
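Review bot: `corenet_tcp_connect_soundd_port(vhostmd_t)` is inert on its own: there is no `allow vhostmd_t self:tcp_socket ...` rule and no `corenet_tcp_sendrecv_generic_if/node` for the domain, so the daemon cannot create the socket the connect permission applies to (compare `allow virtd_t self:tcp_socket create_stream_socket_perms` in virt.te). Either add `allow vhostmd_t self:tcp_socket create_stream_socket_perms` plus the sendrecv interfaces, or drop the port rule if vhostmd makes no TCP connections; a comment saying which service that port is for would help either way. The `vhostmd_stream_connect` interface in vhostmd.if expects a sock_file labelled `vhostmd_var_run_t`, but this file only grants dirs and files and `files_pid_filetrans(..., { file dir })`, so one of the two is out of step. `dac_override` together with `corecmd_exec_shell` also deserves a justifying comment, since it lets whatever commands vhostmd runs bypass DAC on every file its SELinux rules reach.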
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
new file mode 100644
index 00000000..2124b6ad
--- /dev/null
+++ b/policy/modules/contrib/virt.fc
@@ -0,0 +1,29 @@
+HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+
+/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+
+/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
+
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+
+/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+
+/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
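Review bot: `/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)` labels a VDSM directory with libvirtd's runtime type, so every domain given `virt_manage_pid_files` or `virt_stream_connect` also gets that access to /var/vdsm, and vdsm's own state shares a type with libvirt's pid file and sockets. If vdsm needs covering here, a dedicated type (or at least a comment explaining why it shares `virt_var_run_t`) would keep the two separable; presumably this was added for the oVirt host agent — verify. Note also that `/var/lib/libvirt/qemu(/.*)?` gets `svirt_var_run_t`, a `files_pid_file` type from the template, although it lives under /var/lib rather than /var/run; a comment on why is worth adding.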
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
new file mode 100644
index 00000000..7c5d8d82
--- /dev/null
+++ b/policy/modules/contrib/virt.if
@@ -0,0 +1,518 @@
+## <summary>Libvirt virtualization API</summary>
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## qemu process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`virt_domain_template',`
+ gen_require(`
+ type virtd_t;
+ attribute virt_image_type;
+ attribute virt_domain;
+ ')
+
+ type $1_t, virt_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
+ role system_r types $1_t;
+
+ type $1_devpts_t;
+ term_pty($1_devpts_t)
+
+ type $1_tmp_t;
+ files_tmp_file($1_tmp_t)
+
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
+ type $1_image_t, virt_image_type;
+ files_type($1_image_t)
+ dev_node($1_image_t)
+
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+ term_create_pty($1_t, $1_devpts_t)
+
+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
+ manage_files_pattern($1_t, $1_image_t, $1_image_t)
+ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
+
+ stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain)
+ manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, { dir file })
+ stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
+
+ optional_policy(`
+ xserver_rw_shm($1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a virt image
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a virtual image
+## </summary>
+## </param>
+#
+interface(`virt_image',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ typeattribute $1 virt_image_type;
+ files_type($1)
+
+ # virt images can be assigned to blk devices
+ dev_node($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run virt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_domtrans',`
+ gen_require(`
+ type virtd_t, virtd_exec_t;
+ ')
+
+ domtrans_pattern($1, virtd_exec_t, virtd_t)
+')
+
+#######################################
+## <summary>
+## Connect to virt over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_stream_connect',`
+ gen_require(`
+ type virtd_t, virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
+')
+
+########################################
+## <summary>
+## Allow domain to attach to virt TUN devices
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_attach_tun_iface',`
+ gen_require(`
+ type virtd_t;
+ ')
+
+ allow $1 virtd_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
+## Read virt config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_config',`
+ gen_require(`
+ type virt_etc_t;
+ type virt_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, virt_etc_t, virt_etc_t)
+ read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+')
+
+########################################
+## <summary>
+## manage virt config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_config',`
+ gen_require(`
+ type virt_etc_t;
+ type virt_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, virt_etc_t, virt_etc_t)
+ manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_content',`
+ gen_require(`
+ type virt_content_t;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_content_t:dir list_dir_perms;
+ list_dirs_pattern($1, virt_content_t, virt_content_t)
+ read_files_pattern($1, virt_content_t, virt_content_t)
+ read_lnk_files_pattern($1, virt_content_t, virt_content_t)
+ read_blk_files_pattern($1, virt_content_t, virt_content_t)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read virt PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_pid_files',`
+ gen_require(`
+ type virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage virt pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_pid_files',`
+ gen_require(`
+ type virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+')
+
+########################################
+## <summary>
+## Search virt lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_search_lib',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ allow $1 virt_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read virt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## virt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read virt's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_read_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## virt log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_append_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ manage_dirs_pattern($1, virt_log_t, virt_log_t)
+ manage_files_pattern($1, virt_log_t, virt_log_t)
+ manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to read virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_images',`
+ gen_require(`
+ type virt_var_lib_t;
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ list_dirs_pattern($1, virt_image_type, virt_image_type)
+ read_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## svirt cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_svirt_cache',`
+ gen_require(`
+ type svirt_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t)
+ manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
+ manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_images',`
+ gen_require(`
+ type virt_var_lib_t;
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ manage_dirs_pattern($1, virt_image_type, virt_image_type)
+ manage_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files($1)
+ fs_manage_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an virt environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_admin',`
+ gen_require(`
+ type virtd_t, virtd_initrc_exec_t;
+ ')
+
+ allow $1 virtd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, virtd_t)
+
+ init_labeled_script_domtrans($1, virtd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 virtd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ virt_manage_pid_files($1)
+
+ virt_manage_lib_files($1)
+
+ virt_manage_log($1)
+')
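Review bot: The `virt_use_samba` branch of `virt_manage_images` calls `fs_manage_cifs_files($1)` twice and never grants directory access, while the parallel nfs branch has `fs_manage_nfs_dirs`/`fs_manage_nfs_files`; the first call should be `fs_manage_cifs_dirs($1)`, otherwise images on a CIFS share cannot be created or removed in their directory when the tunable is on. `virt_read_content` is documented as "Allow domain to manage virt image files" but only grants list/read on `virt_content_t`; the summary should read `Allow domain to read virt content (boot/iso) files`. `virt_attach_tun_iface` hands `relabelfrom` on virtd_t's tun_socket to any caller — a comment that it is intended for the qemu/svirt guest domains only would stop it being reused more widely.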
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
new file mode 100644
index 00000000..fadbd88a
--- /dev/null
+++ b/policy/modules/contrib/virt.te
@@ -0,0 +1,473 @@
+policy_module(virt, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow virt to use serial/parallell communication ports
+## </p>
+## </desc>
+gen_tunable(virt_use_comm, false)
+
+## <desc>
+## <p>
+## Allow virt to read fuse files
+## </p>
+## </desc>
+gen_tunable(virt_use_fusefs, false)
+
+## <desc>
+## <p>
+## Allow virt to manage nfs files
+## </p>
+## </desc>
+gen_tunable(virt_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow virt to manage cifs files
+## </p>
+## </desc>
+gen_tunable(virt_use_samba, false)
+
+## <desc>
+## <p>
+## Allow virt to manage device configuration, (pci)
+## </p>
+## </desc>
+gen_tunable(virt_use_sysfs, false)
+
+## <desc>
+## <p>
+## Allow virt to use usb devices
+## </p>
+## </desc>
+gen_tunable(virt_use_usb, true)
+
+virt_domain_template(svirt)
+role system_r types svirt_t;
+
+type svirt_cache_t;
+files_type(svirt_cache_t)
+
+attribute virt_domain;
+attribute virt_image_type;
+
+type virt_etc_t;
+files_config_file(virt_etc_t)
+
+type virt_etc_rw_t;
+files_type(virt_etc_rw_t)
+
+# virt Image files
+type virt_image_t; # customizable
+virt_image(virt_image_t)
+
+# virt Image files
+type virt_content_t; # customizable
+virt_image(virt_content_t)
+userdom_user_home_content(virt_content_t)
+
+type virt_log_t;
+logging_log_file(virt_log_t)
+
+type virt_tmp_t;
+files_tmp_file(virt_tmp_t)
+
+type virt_var_run_t;
+files_pid_file(virt_var_run_t)
+
+type virt_var_lib_t;
+files_type(virt_var_lib_t)
+
+type virtd_t;
+type virtd_exec_t;
+init_daemon_domain(virtd_t, virtd_exec_t)
+domain_obj_id_change_exemption(virtd_t)
+domain_subj_id_change_exemption(virtd_t)
+
+type virtd_initrc_exec_t;
+init_script_file(virtd_initrc_exec_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
+')
+
+########################################
+#
+# svirt local policy
+#
+
+allow svirt_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
+
+read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
+
+allow svirt_t svirt_image_t:dir search_dir_perms;
+manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
+manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
+fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
+
+list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_t, virt_content_t, virt_content_t)
+dontaudit svirt_t virt_content_t:file write_file_perms;
+dontaudit svirt_t virt_content_t:dir write;
+
+corenet_udp_sendrecv_generic_if(svirt_t)
+corenet_udp_sendrecv_generic_node(svirt_t)
+corenet_udp_sendrecv_all_ports(svirt_t)
+corenet_udp_bind_generic_node(svirt_t)
+corenet_udp_bind_all_ports(svirt_t)
+corenet_tcp_bind_all_ports(svirt_t)
+corenet_tcp_connect_all_ports(svirt_t)
+
+dev_list_sysfs(svirt_t)
+
+userdom_search_user_home_content(svirt_t)
+userdom_read_user_home_content_symlinks(svirt_t)
+userdom_read_all_users_state(svirt_t)
+
+tunable_policy(`virt_use_comm',`
+ term_use_unallocated_ttys(svirt_t)
+ dev_rw_printer(svirt_t)
+')
+
+tunable_policy(`virt_use_fusefs',`
+ fs_read_fusefs_files(svirt_t)
+ fs_read_fusefs_symlinks(svirt_t)
+')
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(svirt_t)
+ fs_manage_nfs_files(svirt_t)
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(svirt_t)
+ fs_manage_cifs_files(svirt_t)
+')
+
+tunable_policy(`virt_use_sysfs',`
+ dev_rw_sysfs(svirt_t)
+')
+
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(svirt_t)
+ fs_manage_dos_dirs(svirt_t)
+ fs_manage_dos_files(svirt_t)
+')
+
+optional_policy(`
+ xen_rw_image_files(svirt_t)
+')
+
+########################################
+#
+# virtd local policy
+#
+
+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
+
+allow virtd_t self:fifo_file rw_fifo_file_perms;
+allow virtd_t self:unix_stream_socket create_stream_socket_perms;
+allow virtd_t self:tcp_socket create_stream_socket_perms;
+allow virtd_t self:tun_socket create_socket_perms;
+allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
+manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
+
+manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
+manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
+
+allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+
+read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+
+manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+
+manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
+manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+allow virtd_t virt_image_type:file { relabelfrom relabelto };
+allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+
+manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
+manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
+logging_log_filetrans(virtd_t, virt_log_t, { file dir })
+
+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+can_exec(virtd_t, virt_tmp_t)
+
+manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
+
+manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+
+kernel_read_system_state(virtd_t)
+kernel_read_network_state(virtd_t)
+kernel_rw_net_sysctls(virtd_t)
+kernel_request_load_module(virtd_t)
+kernel_search_debugfs(virtd_t)
+
+corecmd_exec_bin(virtd_t)
+corecmd_exec_shell(virtd_t)
+
+corenet_all_recvfrom_unlabeled(virtd_t)
+corenet_all_recvfrom_netlabel(virtd_t)
+corenet_tcp_sendrecv_generic_if(virtd_t)
+corenet_tcp_sendrecv_generic_node(virtd_t)
+corenet_tcp_sendrecv_all_ports(virtd_t)
+corenet_tcp_bind_generic_node(virtd_t)
+corenet_tcp_bind_virt_port(virtd_t)
+corenet_tcp_bind_vnc_port(virtd_t)
+corenet_tcp_connect_vnc_port(virtd_t)
+corenet_tcp_connect_soundd_port(virtd_t)
+corenet_rw_tun_tap_dev(virtd_t)
+
+dev_rw_sysfs(virtd_t)
+dev_read_rand(virtd_t)
+dev_rw_kvm(virtd_t)
+dev_getattr_all_chr_files(virtd_t)
+dev_rw_mtrr(virtd_t)
+
+# Init script handling
+domain_use_interactive_fds(virtd_t)
+domain_read_all_domains_state(virtd_t)
+
+files_read_usr_files(virtd_t)
+files_read_etc_files(virtd_t)
+files_read_etc_runtime_files(virtd_t)
+files_search_all(virtd_t)
+files_read_kernel_modules(virtd_t)
+files_read_usr_src_files(virtd_t)
+files_manage_etc_files(virtd_t)
+
+fs_list_auto_mountpoints(virtd_t)
+fs_getattr_xattr_fs(virtd_t)
+fs_rw_anon_inodefs_files(virtd_t)
+fs_list_inotifyfs(virtd_t)
+fs_manage_cgroup_dirs(virtd_t)
+fs_rw_cgroup_files(virtd_t)
+
+mcs_process_set_categories(virtd_t)
+
+storage_manage_fixed_disk(virtd_t)
+storage_relabel_fixed_disk(virtd_t)
+storage_raw_write_removable_device(virtd_t)
+storage_raw_read_removable_device(virtd_t)
+
+term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
+term_use_ptmx(virtd_t)
+
+auth_use_nsswitch(virtd_t)
+
+miscfiles_read_localization(virtd_t)
+miscfiles_read_generic_certs(virtd_t)
+miscfiles_read_hwdata(virtd_t)
+
+modutils_read_module_deps(virtd_t)
+modutils_read_module_config(virtd_t)
+modutils_manage_module_config(virtd_t)
+
+logging_send_syslog_msg(virtd_t)
+
+seutil_read_config(virtd_t)
+seutil_read_default_contexts(virtd_t)
+
+sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
+
+userdom_getattr_all_users(virtd_t)
+userdom_list_user_home_content(virtd_t)
+userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virtd_t)
+ fs_manage_nfs_files(virtd_t)
+ fs_read_nfs_symlinks(virtd_t)
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_nfs_files(virtd_t)
+ fs_manage_cifs_files(virtd_t)
+ fs_read_cifs_symlinks(virtd_t)
+')
+
+optional_policy(`
+ brctl_domtrans(virtd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(virtd_t)
+
+ optional_policy(`
+ avahi_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(virtd_t)
+ ')
+')
+
+optional_policy(`
+ dnsmasq_domtrans(virtd_t)
+ dnsmasq_signal(virtd_t)
+ dnsmasq_kill(virtd_t)
+ dnsmasq_read_pid_files(virtd_t)
+ dnsmasq_signull(virtd_t)
+')
+
+optional_policy(`
+ iptables_domtrans(virtd_t)
+ iptables_initrc_domtrans(virtd_t)
+
+ # Manages /etc/sysconfig/system-config-firewall
+ iptables_manage_config(virtd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(virtd, virtd_t)
+')
+
+optional_policy(`
+ lvm_domtrans(virtd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(virtd_t)
+ policykit_domtrans_auth(virtd_t)
+ policykit_domtrans_resolve(virtd_t)
+ policykit_read_lib(virtd_t)
+')
+
+optional_policy(`
+ qemu_domtrans(virtd_t)
+ qemu_read_state(virtd_t)
+ qemu_signal(virtd_t)
+ qemu_kill(virtd_t)
+ qemu_setsched(virtd_t)
+')
+
+optional_policy(`
+ sasl_connect(virtd_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(virtd_t)
+ kernel_write_xen_state(virtd_t)
+
+ xen_stream_connect(virtd_t)
+ xen_stream_connect_xenstore(virtd_t)
+ xen_read_image_files(virtd_t)
+')
+
+optional_policy(`
+ udev_domtrans(virtd_t)
+ udev_read_db(virtd_t)
+')
+
+optional_policy(`
+ unconfined_domain(virtd_t)
+')
+
+########################################
+#
+# virtual domains common policy
+#
+
+allow virt_domain self:capability { dac_read_search dac_override kill };
+allow virt_domain self:process { execmem execstack signal getsched signull };
+allow virt_domain self:fifo_file rw_file_perms;
+allow virt_domain self:shm create_shm_perms;
+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+kernel_read_system_state(virt_domain)
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
+corenet_all_recvfrom_unlabeled(virt_domain)
+corenet_all_recvfrom_netlabel(virt_domain)
+corenet_tcp_sendrecv_generic_if(virt_domain)
+corenet_tcp_sendrecv_generic_node(virt_domain)
+corenet_tcp_sendrecv_all_ports(virt_domain)
+corenet_tcp_bind_generic_node(virt_domain)
+corenet_tcp_bind_vnc_port(virt_domain)
+corenet_rw_tun_tap_dev(virt_domain)
+corenet_tcp_bind_virt_migration_port(virt_domain)
+corenet_tcp_connect_virt_migration_port(virt_domain)
+
+dev_read_rand(virt_domain)
+dev_read_sound(virt_domain)
+dev_read_urand(virt_domain)
+dev_write_sound(virt_domain)
+dev_rw_ksm(virt_domain)
+dev_rw_kvm(virt_domain)
+dev_rw_qemu(virt_domain)
+
+domain_use_interactive_fds(virt_domain)
+
+files_read_etc_files(virt_domain)
+files_read_usr_files(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
+
+fs_getattr_tmpfs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
+fs_rw_tmpfs_files(virt_domain)
+
+term_use_all_terms(virt_domain)
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
+term_use_ptmx(virt_domain)
+
+auth_use_nsswitch(virt_domain)
+
+logging_send_syslog_msg(virt_domain)
+
+miscfiles_read_localization(virt_domain)
+
+optional_policy(`
+ ptchown_domtrans(virt_domain)
+')
+
+optional_policy(`
+ virt_read_config(virt_domain)
+ virt_read_lib_files(virt_domain)
+ virt_read_content(virt_domain)
+ virt_stream_connect(virt_domain)
+')
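Review bot: The `virt_use_samba` block for virtd_t contains `fs_manage_nfs_files(virtd_t)` in place of `fs_manage_cifs_dirs(virtd_t)`, so enabling the samba tunable silently grants NFS file access while CIFS directory creation stays denied; change that line to `fs_manage_cifs_dirs(virtd_t)` to match the svirt_t block above it. The `optional_policy(` `unconfined_domain(virtd_t)` `)` stanza makes libvirtd fully unconfined whenever the unconfined module is loaded, which turns everything else in this section into documentation rather than enforcement; if that is a transitional measure it needs a comment saying so, and it should be reconsidered given the capability set already includes sys_admin and sys_ptrace. svirt_t, the guest qemu domain, gets `corenet_tcp_connect_all_ports`, `corenet_tcp_bind_all_ports` and `corenet_udp_bind_all_ports`, which lets a compromised guest reach any service on the host network; a comment on why the per-port rules used for virt_domain (vnc, migration) are not enough would help. The first tunable description also misspells "parallell".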
diff --git a/policy/modules/contrib/vlock.fc b/policy/modules/contrib/vlock.fc
new file mode 100644
index 00000000..621d5fda
--- /dev/null
+++ b/policy/modules/contrib/vlock.fc
@@ -0,0 +1 @@
+/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
diff --git a/policy/modules/contrib/vlock.if b/policy/modules/contrib/vlock.if
new file mode 100644
index 00000000..c5eeea08
--- /dev/null
+++ b/policy/modules/contrib/vlock.if
@@ -0,0 +1,46 @@
+## <summary>Lock one or more sessions on the Linux console.</summary>
+
+#######################################
+## <summary>
+## Execute vlock in the vlock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vlock_domtrans',`
+ gen_require(`
+ type vlock_t, vlock_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vlock_exec_t, vlock_t)
+')
+
+########################################
+## <summary>
+## Execute vlock in the vlock domain, and
+## allow the specified role the vlock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed to access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vlock_run',`
+ gen_require(`
+ type vlock_t;
+ ')
+
+ vlock_domtrans($1)
+ role $2 types vlock_t;
+')
diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
new file mode 100644
index 00000000..25110934
--- /dev/null
+++ b/policy/modules/contrib/vlock.te
@@ -0,0 +1,53 @@
+policy_module(vlock, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type vlock_t;
+type vlock_exec_t;
+application_domain(vlock_t, vlock_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# --enable-pam is recommended when configuring vlock, making it
+# unnecessary to be a setuid program.
+dontaudit vlock_t self:capability { setuid setgid };
+allow vlock_t self:fd use;
+allow vlock_t self:fifo_file rw_fifo_file_perms;
+allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow vlock_t self:unix_dgram_socket { create connect };
+
+kernel_read_system_state(vlock_t)
+
+corecmd_list_bin(vlock_t)
+corecmd_read_bin_symlinks(vlock_t)
+
+# Must call this interface otherwise PAM session will fail
+# with message of "terminal=? res=failed"
+domain_use_interactive_fds(vlock_t)
+
+files_dontaudit_search_home(vlock_t)
+files_read_etc_files(vlock_t)
+
+# pam_tally2 module could be used by vlock for authentication,
+# /var/log/tallylog's SL is usually s0, while the caller's SL could
+# be higher than s0.
+mls_file_write_all_levels(vlock_t)
+
+selinux_dontaudit_getattr_fs(vlock_t)
+
+auth_domtrans_chk_passwd(vlock_t)
+
+init_dontaudit_rw_utmp(vlock_t)
+
+logging_send_syslog_msg(vlock_t)
+
+miscfiles_read_localization(vlock_t)
+
+userdom_dontaudit_search_user_home_dirs(vlock_t)
+userdom_use_user_terminals(vlock_t)
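Review bot: `mls_file_write_all_levels(vlock_t)` in the middle of this hunk is far broader than the comment above it justifies: the rationale is pam_tally2 writing /var/log/tallylog at s0, but the interface lifts the MLS write-down restriction for every file vlock_t is otherwise allowed to write, not just the tally log. If a narrower MLS override for that path exists in the kernel layer, prefer it; otherwise make the scope explicit in the comment, e.g. `# NOTE: this lifts the MLS write restriction for every file vlock_t may write, not only tallylog.` Since the rest of the domain only reads etc files and transitions to chkpwd, the practical exposure looks small, but the grant should be documented as the blanket override it is.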
diff --git a/policy/modules/contrib/vmware.fc b/policy/modules/contrib/vmware.fc
new file mode 100644
index 00000000..f647c7e1
--- /dev/null
+++ b/policy/modules/contrib/vmware.fc
@@ -0,0 +1,71 @@
+#
+# HOME_DIR/
+#
+HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
+HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_conf_t,s0)
+HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
+
+#
+# /etc
+#
+/etc/vmware.*(/.*)? gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+
+#
+# /usr
+#
+/usr/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-network -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+')
+
+/usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+
+/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+')
+
+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+
+/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
+/var/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0)
+/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --git a/policy/modules/contrib/vmware.if b/policy/modules/contrib/vmware.if
new file mode 100644
index 00000000..853f5754
--- /dev/null
+++ b/policy/modules/contrib/vmware.if
@@ -0,0 +1,104 @@
+## <summary>VMWare Workstation virtual machines</summary>
+
+########################################
+## <summary>
+## Role access for vmware
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`vmware_role',`
+ gen_require(`
+ type vmware_t, vmware_exec_t;
+ ')
+
+ role $1 types vmware_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, vmware_exec_t, vmware_t)
+
+ # allow ps to show vmware and allow the user to kill it
+ ps_process_pattern($2, vmware_t)
+ allow $2 vmware_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute vmware host executables
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_exec_host',`
+ gen_require(`
+ type vmware_host_exec_t;
+ ')
+
+ can_exec($1, vmware_host_exec_t)
+')
+
+########################################
+## <summary>
+## Read VMWare system configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_read_system_config',`
+ gen_require(`
+ type vmware_sys_conf_t;
+ ')
+
+ allow $1 vmware_sys_conf_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Append to VMWare system configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_append_system_config',`
+ gen_require(`
+ type vmware_sys_conf_t;
+ ')
+
+ allow $1 vmware_sys_conf_t:file append;
+')
+
+########################################
+## <summary>
+## Append to VMWare log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_append_log',`
+ gen_require(`
+ type vmware_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, vmware_log_t, vmware_log_t)
+')
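Review bot: `vmware_read_system_config` grants `vmware_sys_conf_t:file { getattr read }` as a raw allow, which omits `open` on the file and `search` on `vmware_sys_conf_t` directories (vmware.fc labels `/etc/vmware.*(/.*)?` with that type), so callers will be denied on the directory walk; `read_files_pattern($1, vmware_sys_conf_t, vmware_sys_conf_t)` plus `files_search_etc($1)` is the form vmware.te itself uses for the same type. Likewise `vmware_append_system_config` should use `append_files_pattern($1, vmware_sys_conf_t, vmware_sys_conf_t)` as `vmware_append_log` directly below it already does, so the two interfaces stay consistent.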
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
new file mode 100644
index 00000000..fed68080
--- /dev/null
+++ b/policy/modules/contrib/vmware.te
@@ -0,0 +1,282 @@
+policy_module(vmware, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+# VMWare user program
+type vmware_t;
+type vmware_exec_t;
+typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
+typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
+userdom_user_application_domain(vmware_t, vmware_exec_t)
+
+type vmware_conf_t;
+typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t };
+typealias vmware_conf_t alias { auditadm_vmware_conf_t secadm_vmware_conf_t };
+userdom_user_home_content(vmware_conf_t)
+
+type vmware_file_t;
+typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vmware_file_t };
+typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t };
+userdom_user_home_content(vmware_file_t)
+
+# VMWare host programs
+type vmware_host_t;
+type vmware_host_exec_t;
+init_daemon_domain(vmware_host_t, vmware_host_exec_t)
+
+type vmware_host_pid_t alias vmware_var_run_t;
+files_pid_file(vmware_host_pid_t)
+
+type vmware_host_tmp_t;
+userdom_user_tmp_file(vmware_host_tmp_t)
+
+type vmware_log_t;
+typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
+typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
+logging_log_file(vmware_log_t)
+ubac_constrained(vmware_log_t)
+
+type vmware_pid_t;
+typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t };
+typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t };
+files_pid_file(vmware_pid_t)
+ubac_constrained(vmware_pid_t)
+
+# Systemwide configuration files
+type vmware_sys_conf_t;
+files_type(vmware_sys_conf_t)
+
+type vmware_tmp_t;
+typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
+typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t };
+userdom_user_tmp_file(vmware_tmp_t)
+
+type vmware_tmpfs_t;
+typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
+typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t };
+userdom_user_tmpfs_file(vmware_tmpfs_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# VMWare host local policy
+#
+
+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
+dontaudit vmware_host_t self:capability sys_tty_config;
+allow vmware_host_t self:process { execstack execmem signal_perms };
+allow vmware_host_t self:fifo_file rw_fifo_file_perms;
+allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
+allow vmware_host_t self:rawip_socket create_socket_perms;
+allow vmware_host_t self:tcp_socket create_socket_perms;
+
+can_exec(vmware_host_t, vmware_host_exec_t)
+
+# cjp: the ro and rw files should be split up
+manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
+
+manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
+manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
+files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file })
+
+manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
+
+kernel_read_kernel_sysctls(vmware_host_t)
+kernel_read_system_state(vmware_host_t)
+kernel_read_network_state(vmware_host_t)
+
+corenet_all_recvfrom_unlabeled(vmware_host_t)
+corenet_all_recvfrom_netlabel(vmware_host_t)
+corenet_tcp_sendrecv_generic_if(vmware_host_t)
+corenet_udp_sendrecv_generic_if(vmware_host_t)
+corenet_raw_sendrecv_generic_if(vmware_host_t)
+corenet_tcp_sendrecv_generic_node(vmware_host_t)
+corenet_udp_sendrecv_generic_node(vmware_host_t)
+corenet_raw_sendrecv_generic_node(vmware_host_t)
+corenet_tcp_sendrecv_all_ports(vmware_host_t)
+corenet_udp_sendrecv_all_ports(vmware_host_t)
+corenet_raw_bind_generic_node(vmware_host_t)
+corenet_tcp_bind_generic_node(vmware_host_t)
+corenet_udp_bind_generic_node(vmware_host_t)
+corenet_tcp_connect_all_ports(vmware_host_t)
+corenet_sendrecv_all_client_packets(vmware_host_t)
+corenet_sendrecv_all_server_packets(vmware_host_t)
+
+corecmd_exec_bin(vmware_host_t)
+corecmd_exec_shell(vmware_host_t)
+
+dev_getattr_all_blk_files(vmware_host_t)
+dev_read_sysfs(vmware_host_t)
+dev_read_urand(vmware_host_t)
+dev_rw_vmware(vmware_host_t)
+
+domain_use_interactive_fds(vmware_host_t)
+domain_dontaudit_read_all_domains_state(vmware_host_t)
+
+files_list_tmp(vmware_host_t)
+files_read_etc_files(vmware_host_t)
+files_read_etc_runtime_files(vmware_host_t)
+files_read_usr_files(vmware_host_t)
+
+fs_getattr_all_fs(vmware_host_t)
+fs_search_auto_mountpoints(vmware_host_t)
+
+storage_getattr_fixed_disk_dev(vmware_host_t)
+
+term_dontaudit_use_console(vmware_host_t)
+
+init_use_fds(vmware_host_t)
+init_use_script_ptys(vmware_host_t)
+
+libs_exec_ld_so(vmware_host_t)
+
+logging_send_syslog_msg(vmware_host_t)
+
+miscfiles_read_localization(vmware_host_t)
+
+sysnet_dns_name_resolve(vmware_host_t)
+sysnet_domtrans_ifconfig(vmware_host_t)
+
+userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
+userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+
+netutils_domtrans_ping(vmware_host_t)
+
+optional_policy(`
+ hostname_exec(vmware_host_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(vmware_host_t)
+')
+
+optional_policy(`
+ samba_read_config(vmware_host_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(vmware_host_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(vmware_host_t)
+')
+
+optional_policy(`
+ udev_read_db(vmware_host_t)
+')
+
+optional_policy(`
+ xserver_read_tmp_files(vmware_host_t)
+ xserver_read_xdm_pid(vmware_host_t)
+')
+
+##############################
+#
+# VMWare guest local policy
+#
+
+allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+dontaudit vmware_t self:capability sys_tty_config;
+allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow vmware_t self:process { execmem execstack };
+allow vmware_t self:fd use;
+allow vmware_t self:fifo_file rw_fifo_file_perms;
+allow vmware_t self:unix_dgram_socket { create_socket_perms sendto };
+allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow vmware_t self:shm create_shm_perms;
+allow vmware_t self:sem create_sem_perms;
+allow vmware_t self:msgq create_msgq_perms;
+allow vmware_t self:msg { send receive };
+
+can_exec(vmware_t, vmware_exec_t)
+
+# User configuration files
+allow vmware_t vmware_conf_t:file manage_file_perms;
+
+# VMWare disks
+manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+
+allow vmware_t vmware_tmp_t:file execute;
+manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir })
+
+manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+# Read clobal configuration files
+allow vmware_t vmware_sys_conf_t:dir list_dir_perms;
+read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
+read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file })
+
+kernel_read_system_state(vmware_t)
+kernel_read_network_state(vmware_t)
+kernel_read_kernel_sysctls(vmware_t)
+
+# startup scripts
+corecmd_exec_bin(vmware_t)
+corecmd_exec_shell(vmware_t)
+
+dev_read_raw_memory(vmware_t)
+dev_write_raw_memory(vmware_t)
+dev_read_mouse(vmware_t)
+dev_write_sound(vmware_t)
+dev_read_realtime_clock(vmware_t)
+dev_rwx_vmware(vmware_t)
+dev_rw_usbfs(vmware_t)
+dev_search_sysfs(vmware_t)
+
+domain_use_interactive_fds(vmware_t)
+
+files_read_etc_files(vmware_t)
+files_read_etc_runtime_files(vmware_t)
+files_read_usr_files(vmware_t)
+files_list_home(vmware_t)
+
+fs_getattr_all_fs(vmware_t)
+fs_search_auto_mountpoints(vmware_t)
+
+storage_raw_read_removable_device(vmware_t)
+storage_raw_write_removable_device(vmware_t)
+
+# startup scripts run ldd
+libs_exec_ld_so(vmware_t)
+# Access X11 config files
+libs_read_lib_files(vmware_t)
+
+miscfiles_read_localization(vmware_t)
+
+userdom_use_user_terminals(vmware_t)
+userdom_list_user_home_dirs(vmware_t)
+# cjp: why?
+userdom_read_user_home_content_files(vmware_t)
+
+sysnet_dns_name_resolve(vmware_t)
+sysnet_read_config(vmware_t)
+
+xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
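Review bot: `vmware_t` is declared a user application domain, yet the guest section grants `sys_admin sys_rawio` on `allow vmware_t self:capability { ... }` together with `dev_read_raw_memory`/`dev_write_raw_memory` and `storage_raw_write_removable_device`; that combination gives any role with `vmware_role` access to kernel memory and raw devices, so the confinement is largely nominal and should be stated at the top of the guest section, e.g. `# NOTE: raw memory and sys_rawio access make vmware_t effectively a privileged domain; grant vmware_role only to trusted roles.` The pair `allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` followed by `allow vmware_t self:process { execmem execstack };` nets out to everything except ptrace, setcurrent, setexec, setfscreate, setrlimit and execheap; collapsing them into one rule would make the actual grant readable. Minor: `# Read clobal configuration files` should read `# Read global configuration files`, and the `# cjp: why?` left on `userdom_read_user_home_content_files(vmware_t)` should be resolved or explained rather than landing in a new file.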
diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
new file mode 100644
index 00000000..11533ccc
--- /dev/null
+++ b/policy/modules/contrib/vnstatd.fc
@@ -0,0 +1,7 @@
+/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+
+/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
+
+/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
+
+/var/run/vnstat\.pid gen_context(system_u:object_r:vnstatd_var_run_t,s0)
diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if
new file mode 100644
index 00000000..727fe953
--- /dev/null
+++ b/policy/modules/contrib/vnstatd.if
@@ -0,0 +1,143 @@
+## <summary>Console network traffic monitor.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run vnstat.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vnstatd_domtrans_vnstat',`
+ gen_require(`
+ type vnstat_t, vnstat_exec_t;
+ ')
+
+ domtrans_pattern($1, vnstat_exec_t, vnstat_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run vnstatd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vnstatd_domtrans',`
+ gen_require(`
+ type vnstatd_t, vnstatd_exec_t;
+ ')
+
+ domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
+')
+
+########################################
+## <summary>
+## Search vnstatd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_search_lib',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ allow $1 vnstatd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Manage vnstatd lib dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_manage_lib_dirs',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read vnstatd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_read_lib_files',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## vnstatd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_manage_lib_files',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an vnstatd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vnstatd_admin',`
+ gen_require(`
+ type vnstatd_t, vnstatd_var_lib_t;
+ ')
+
+ allow $1 vnstatd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, vnstatd_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, vnstatd_var_lib_t)
+')
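Review bot: `vnstatd_admin` documents a `role` parameter and carries `<rolecap/>`, but its body never references `$2`, so the role argument is silently ignored; vnstatd.te declares no init script type to give the role a transition for, so either drop the `<param name="role">` and `<rolecap/>` entries from the doc comment (callers passing two arguments still work) or add the rule the role is meant to receive. The interface also does not call `vnstatd_domtrans($1)`, which is presumably intentional for a daemon started by init, but a one-line comment saying so would save the next reader the question.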
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
new file mode 100644
index 00000000..8121937a
--- /dev/null
+++ b/policy/modules/contrib/vnstatd.te
@@ -0,0 +1,80 @@
+policy_module(vnstatd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vnstat_t;
+type vnstat_exec_t;
+application_domain(vnstat_t, vnstat_exec_t)
+
+type vnstatd_t;
+type vnstatd_exec_t;
+init_daemon_domain(vnstatd_t, vnstatd_exec_t)
+
+type vnstatd_var_lib_t;
+files_type(vnstatd_var_lib_t)
+
+type vnstatd_var_run_t;
+files_pid_file(vnstatd_var_run_t)
+
+########################################
+#
+# vnstatd local policy
+#
+
+allow vnstatd_t self:process signal;
+allow vnstatd_t self:fifo_file rw_fifo_file_perms;
+allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
+
+manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
+manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
+files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })
+
+kernel_read_network_state(vnstatd_t)
+kernel_read_system_state(vnstatd_t)
+
+domain_use_interactive_fds(vnstatd_t)
+
+files_read_etc_files(vnstatd_t)
+
+fs_getattr_xattr_fs(vnstatd_t)
+
+logging_send_syslog_msg(vnstatd_t)
+
+miscfiles_read_localization(vnstatd_t)
+
+optional_policy(`
+ cron_system_entry(vnstat_t, vnstat_exec_t)
+')
+
+########################################
+#
+# vnstat local policy
+#
+
+allow vnstat_t self:process signal;
+allow vnstat_t self:fifo_file rw_fifo_file_perms;
+allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
+
+kernel_read_network_state(vnstat_t)
+kernel_read_system_state(vnstat_t)
+
+domain_use_interactive_fds(vnstat_t)
+
+files_read_etc_files(vnstat_t)
+
+fs_getattr_xattr_fs(vnstat_t)
+
+logging_send_syslog_msg(vnstat_t)
+
+miscfiles_read_localization(vnstat_t)
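Review bot: The `optional_policy(` block calling `cron_system_entry(vnstat_t, vnstat_exec_t)` sits under the `# vnstatd local policy` header but applies to `vnstat_t`; moving it to the end of the `# vnstat local policy` section keeps each domain's rules together, which is how the neighbouring contrib modules are laid out. The two sections are otherwise near-identical copies, so a difference between them (only the daemon gets `manage_dirs_pattern` on `vnstatd_var_run_t`) is easy to miss; a comment on why the `vnstat` CLI needs full manage rights on `vnstatd_var_lib_t` rather than read access would help.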
diff --git a/policy/modules/contrib/vpn.fc b/policy/modules/contrib/vpn.fc
new file mode 100644
index 00000000..076dcc3e
--- /dev/null
+++ b/policy/modules/contrib/vpn.fc
@@ -0,0 +1,13 @@
+#
+# sbin
+#
+/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
diff --git a/policy/modules/contrib/vpn.if b/policy/modules/contrib/vpn.if
new file mode 100644
index 00000000..7b93e071
--- /dev/null
+++ b/policy/modules/contrib/vpn.if
@@ -0,0 +1,138 @@
+## <summary>Virtual Private Networking client</summary>
+
+########################################
+## <summary>
+## Execute VPN clients in the vpnc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vpn_domtrans',`
+ gen_require(`
+ type vpnc_t, vpnc_exec_t;
+ ')
+
+ domtrans_pattern($1, vpnc_exec_t, vpnc_t)
+')
+
+########################################
+## <summary>
+## Execute VPN clients in the vpnc domain, and
+## allow the specified role the vpnc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vpn_run',`
+ gen_require(`
+ attribute_role vpnc_roles;
+ ')
+
+ vpn_domtrans($1)
+ roleattribute $2 vpnc_roles;
+')
+
+########################################
+## <summary>
+## Send VPN clients the kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_kill',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send generic signals to VPN clients.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_signal',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:process signal;
+')
+
+########################################
+## <summary>
+## Send signull to VPN clients.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_signull',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:process signull;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## Vpnc over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_dbus_chat',`
+ gen_require(`
+ type vpnc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 vpnc_t:dbus send_msg;
+ allow vpnc_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Relabelfrom from vpnc socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_relabelfrom_tun_socket',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:tun_socket relabelfrom;
+')
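Review bot: The summary of `vpn_relabelfrom_tun_socket` reads `Relabelfrom from vpnc socket.`, which neither names the object class nor parses cleanly; `## Relabel from the vpnc tun socket.` matches the rule `allow $1 vpnc_t:tun_socket relabelfrom;`. The other interface summaries in this file already name the object they act on, so this brings it in line.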
diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te
new file mode 100644
index 00000000..83a80ba1
--- /dev/null
+++ b/policy/modules/contrib/vpn.te
@@ -0,0 +1,125 @@
+policy_module(vpn, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role vpnc_roles;
+roleattribute system_r vpnc_roles;
+
+type vpnc_t;
+type vpnc_exec_t;
+application_domain(vpnc_t, vpnc_exec_t)
+role vpnc_roles types vpnc_t;
+
+type vpnc_tmp_t;
+files_tmp_file(vpnc_tmp_t)
+
+type vpnc_var_run_t;
+files_pid_file(vpnc_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
+allow vpnc_t self:process { getsched signal };
+allow vpnc_t self:fifo_file rw_fifo_file_perms;
+allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow vpnc_t self:tcp_socket create_stream_socket_perms;
+allow vpnc_t self:udp_socket create_socket_perms;
+allow vpnc_t self:rawip_socket create_socket_perms;
+allow vpnc_t self:unix_dgram_socket create_socket_perms;
+allow vpnc_t self:unix_stream_socket create_socket_perms;
+allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
+# cjp: this needs to be fixed
+allow vpnc_t self:socket create_socket_perms;
+
+manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
+manage_files_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
+files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
+
+manage_dirs_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
+manage_files_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
+files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir})
+
+kernel_read_system_state(vpnc_t)
+kernel_read_network_state(vpnc_t)
+kernel_read_all_sysctls(vpnc_t)
+kernel_request_load_module(vpnc_t)
+kernel_rw_net_sysctls(vpnc_t)
+
+corenet_all_recvfrom_unlabeled(vpnc_t)
+corenet_all_recvfrom_netlabel(vpnc_t)
+corenet_tcp_sendrecv_generic_if(vpnc_t)
+corenet_udp_sendrecv_generic_if(vpnc_t)
+corenet_raw_sendrecv_generic_if(vpnc_t)
+corenet_tcp_sendrecv_generic_node(vpnc_t)
+corenet_udp_sendrecv_generic_node(vpnc_t)
+corenet_raw_sendrecv_generic_node(vpnc_t)
+corenet_tcp_sendrecv_all_ports(vpnc_t)
+corenet_udp_sendrecv_all_ports(vpnc_t)
+corenet_udp_bind_generic_node(vpnc_t)
+corenet_udp_bind_generic_port(vpnc_t)
+corenet_udp_bind_isakmp_port(vpnc_t)
+corenet_udp_bind_ipsecnat_port(vpnc_t)
+corenet_tcp_connect_all_ports(vpnc_t)
+corenet_sendrecv_all_client_packets(vpnc_t)
+corenet_sendrecv_isakmp_server_packets(vpnc_t)
+corenet_sendrecv_generic_server_packets(vpnc_t)
+corenet_rw_tun_tap_dev(vpnc_t)
+
+dev_read_rand(vpnc_t)
+dev_read_urand(vpnc_t)
+dev_read_sysfs(vpnc_t)
+
+domain_use_interactive_fds(vpnc_t)
+
+fs_getattr_xattr_fs(vpnc_t)
+fs_getattr_tmpfs(vpnc_t)
+
+term_use_all_ptys(vpnc_t)
+term_use_all_ttys(vpnc_t)
+
+corecmd_exec_all_executables(vpnc_t)
+
+files_exec_etc_files(vpnc_t)
+files_read_etc_runtime_files(vpnc_t)
+files_read_etc_files(vpnc_t)
+files_dontaudit_search_home(vpnc_t)
+
+auth_use_nsswitch(vpnc_t)
+
+libs_exec_ld_so(vpnc_t)
+libs_exec_lib_files(vpnc_t)
+
+locallogin_use_fds(vpnc_t)
+
+logging_send_syslog_msg(vpnc_t)
+logging_dontaudit_search_logs(vpnc_t)
+
+miscfiles_read_localization(vpnc_t)
+
+seutil_dontaudit_search_config(vpnc_t)
+seutil_use_newrole_fds(vpnc_t)
+
+sysnet_run_ifconfig(vpnc_t, vpnc_roles)
+sysnet_etc_filetrans_config(vpnc_t)
+sysnet_manage_config(vpnc_t)
+
+userdom_use_all_users_fds(vpnc_t)
+userdom_dontaudit_search_user_home_content(vpnc_t)
+
+optional_policy(`
+ dbus_system_bus_client(vpnc_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(vpnc_t)
+ ')
+')
+
+optional_policy(`
+ networkmanager_attach_tun_iface(vpnc_t)
+')
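Review bot: `allow vpnc_t self:socket create_socket_perms;` lands in a new file with the `# cjp: this needs to be fixed` marker still attached; the generic `socket` class is the fallback for address families without a dedicated class, so the comment should at least record what the rule was added for, e.g. `# generic socket class: fallback for an address family with no dedicated class; TODO identify it and use the specific class`. The rest of the domain is very broad (`net_admin`, `corecmd_exec_all_executables`, `files_exec_etc_files`, `libs_exec_lib_files`, `sysnet_manage_config`, `kernel_rw_net_sysctls`), which is plausible for a client that rewrites routing and resolver state, but a one-line rationale at the top of the local policy section would make that explicit. Nit: `files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir})` is missing the space before `}`.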
diff --git a/policy/modules/contrib/w3c.fc b/policy/modules/contrib/w3c.fc
new file mode 100644
index 00000000..a9cc9a85
--- /dev/null
+++ b/policy/modules/contrib/w3c.fc
@@ -0,0 +1,4 @@
+/usr/lib/cgi-bin/check gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
+
+/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
diff --git a/policy/modules/contrib/w3c.if b/policy/modules/contrib/w3c.if
new file mode 100644
index 00000000..8f678a9f
--- /dev/null
+++ b/policy/modules/contrib/w3c.if
@@ -0,0 +1 @@
+## <summary>W3C Markup Validator</summary>
diff --git a/policy/modules/contrib/w3c.te b/policy/modules/contrib/w3c.te
new file mode 100644
index 00000000..1174ad84
--- /dev/null
+++ b/policy/modules/contrib/w3c.te
@@ -0,0 +1,24 @@
+policy_module(w3c, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(w3c_validator)
+
+########################################
+#
+# Local policy
+#
+
+corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
+
+miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
+
+sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
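Review bot: The outbound grants at L196824–L196829 (connect/sendrecv on ftp, http and http_cache ports) plus DNS resolution at L196833 let a CGI script domain open connections to arbitrary remote hosts, and nothing in the module says why that is intended. Presumably the validator fetches the document at a URL supplied in the request — which is a server-side request surface by design — so the per-port restriction is what bounds it and that should be stated, e.g. `# the validator fetches user-supplied URLs; keep this limited to the http/ftp ports` above L196824. If the script does not need FTP fetches, the two ftp lines could be dropped to narrow it further.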
diff --git a/policy/modules/contrib/watchdog.fc b/policy/modules/contrib/watchdog.fc
new file mode 100644
index 00000000..7551c51b
--- /dev/null
+++ b/policy/modules/contrib/watchdog.fc
@@ -0,0 +1,5 @@
+/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
+
+/var/log/watchdog(/.*)? gen_context(system_u:object_r:watchdog_log_t,s0)
+
+/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
diff --git a/policy/modules/contrib/watchdog.if b/policy/modules/contrib/watchdog.if
new file mode 100644
index 00000000..f8acf10a
--- /dev/null
+++ b/policy/modules/contrib/watchdog.if
@@ -0,0 +1 @@
+## <summary>Software watchdog</summary>
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
new file mode 100644
index 00000000..b10bb053
--- /dev/null
+++ b/policy/modules/contrib/watchdog.te
@@ -0,0 +1,105 @@
+policy_module(watchdog, 1.7.0)
+
+#################################
+#
+# Rules for the watchdog_t domain.
+#
+
+type watchdog_t;
+type watchdog_exec_t;
+init_daemon_domain(watchdog_t, watchdog_exec_t)
+
+type watchdog_log_t;
+logging_log_file(watchdog_log_t)
+
+type watchdog_var_run_t;
+files_pid_file(watchdog_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
+dontaudit watchdog_t self:capability sys_tty_config;
+allow watchdog_t self:process { setsched signal_perms };
+allow watchdog_t self:fifo_file rw_fifo_file_perms;
+allow watchdog_t self:unix_stream_socket create_socket_perms;
+allow watchdog_t self:tcp_socket create_stream_socket_perms;
+allow watchdog_t self:udp_socket create_socket_perms;
+
+allow watchdog_t watchdog_log_t:file manage_file_perms;
+logging_log_filetrans(watchdog_t, watchdog_log_t, file)
+
+manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
+files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
+
+kernel_read_system_state(watchdog_t)
+kernel_read_kernel_sysctls(watchdog_t)
+kernel_unmount_proc(watchdog_t)
+
+# for orderly shutdown
+corecmd_exec_shell(watchdog_t)
+
+# cjp: why networking?
+corenet_all_recvfrom_unlabeled(watchdog_t)
+corenet_all_recvfrom_netlabel(watchdog_t)
+corenet_tcp_sendrecv_generic_if(watchdog_t)
+corenet_udp_sendrecv_generic_if(watchdog_t)
+corenet_tcp_sendrecv_generic_node(watchdog_t)
+corenet_udp_sendrecv_generic_node(watchdog_t)
+corenet_tcp_sendrecv_all_ports(watchdog_t)
+corenet_udp_sendrecv_all_ports(watchdog_t)
+corenet_tcp_connect_all_ports(watchdog_t)
+corenet_sendrecv_all_client_packets(watchdog_t)
+
+dev_read_sysfs(watchdog_t)
+dev_write_watchdog(watchdog_t)
+# do not care about saving the random seed
+dev_dontaudit_read_rand(watchdog_t)
+dev_dontaudit_read_urand(watchdog_t)
+
+domain_use_interactive_fds(watchdog_t)
+domain_getsession_all_domains(watchdog_t)
+domain_sigchld_all_domains(watchdog_t)
+domain_sigstop_all_domains(watchdog_t)
+domain_signull_all_domains(watchdog_t)
+domain_signal_all_domains(watchdog_t)
+domain_kill_all_domains(watchdog_t)
+
+files_read_etc_files(watchdog_t)
+# for updating mtab on umount
+files_manage_etc_runtime_files(watchdog_t)
+files_etc_filetrans_etc_runtime(watchdog_t, file)
+
+fs_unmount_xattr_fs(watchdog_t)
+fs_getattr_all_fs(watchdog_t)
+fs_search_auto_mountpoints(watchdog_t)
+
+# record the fact that we are going down
+auth_append_login_records(watchdog_t)
+
+logging_send_syslog_msg(watchdog_t)
+
+miscfiles_read_localization(watchdog_t)
+
+sysnet_read_config(watchdog_t)
+
+userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
+userdom_dontaudit_search_user_home_dirs(watchdog_t)
+
+optional_policy(`
+ mta_send_mail(watchdog_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(watchdog_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(watchdog_t)
+')
+
+optional_policy(`
+ udev_read_db(watchdog_t)
+')
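Review bot: The stale `# cjp: why networking?` at L196901 sits directly above the broadest network grant in the module — `corenet_tcp_connect_all_ports` and the `*_sendrecv_all_ports` lines at L196908–L196911 — and the question is never answered, so a reader cannot tell whether watchdog_t needs arbitrary outbound TCP or whether this was copied in. Either replace it with the actual use case (e.g. `# watchdog can be configured to test network reachability`, if that is confirmed to be the reason) or narrow the grant to the ports actually used. Separately, the section headers are swapped: L196877 says "Declarations" over the allow rules, while the type declarations sit under "Rules for the watchdog_t domain." at L196862; use `# Declarations` at L196862 and `# Local policy` at L196877 to match the other modules in this commit.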
diff --git a/policy/modules/contrib/webadm.fc b/policy/modules/contrib/webadm.fc
new file mode 100644
index 00000000..d46378a0
--- /dev/null
+++ b/policy/modules/contrib/webadm.fc
@@ -0,0 +1 @@
+# No webadm file contexts.
diff --git a/policy/modules/contrib/webadm.if b/policy/modules/contrib/webadm.if
new file mode 100644
index 00000000..cc34f8b4
--- /dev/null
+++ b/policy/modules/contrib/webadm.if
@@ -0,0 +1,50 @@
+## <summary>Web administrator role</summary>
+
+########################################
+## <summary>
+## Change to the web administrator role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`webadm_role_change',`
+ gen_require(`
+ role webadm_r;
+ ')
+
+ allow $1 webadm_r;
+')
+
+########################################
+## <summary>
+## Change from the web administrator role.
+## </summary>
+## <desc>
+## <p>
+## Change from the web administrator role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`webadm_role_change_to',`
+ gen_require(`
+ role webadm_r;
+ ')
+
+ allow webadm_r $1;
+')
diff --git a/policy/modules/contrib/webadm.te b/policy/modules/contrib/webadm.te
new file mode 100644
index 00000000..0ecc7862
--- /dev/null
+++ b/policy/modules/contrib/webadm.te
@@ -0,0 +1,55 @@
+policy_module(webadm, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow webadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(webadm_manage_user_files, false)
+
+## <desc>
+## <p>
+## Allow webadm to read files in users home directories
+## </p>
+## </desc>
+gen_tunable(webadm_read_user_files, false)
+
+role webadm_r;
+
+userdom_base_user_template(webadm)
+
+########################################
+#
+# webadmin local policy
+#
+
+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+files_dontaudit_search_all_dirs(webadm_t)
+files_manage_generic_locks(webadm_t)
+files_list_var(webadm_t)
+
+selinux_get_enforce_mode(webadm_t)
+seutil_domtrans_setfiles(webadm_t)
+
+logging_send_syslog_msg(webadm_t)
+
+userdom_dontaudit_search_user_home_dirs(webadm_t)
+
+apache_admin(webadm_t, webadm_r)
+
+tunable_policy(`webadm_manage_user_files',`
+ userdom_manage_user_home_content_files(webadm_t)
+ userdom_read_user_tmp_files(webadm_t)
+ userdom_write_user_tmp_files(webadm_t)
+')
+
+tunable_policy(`webadm_read_user_files',`
+ userdom_read_user_home_content_files(webadm_t)
+ userdom_read_user_tmp_files(webadm_t)
+')
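Review bot: The capability set at L197062 grants webadm_t `dac_override`, `dac_read_search` and `sys_ptrace` with no comment on which part of the web-admin workflow needs them; dac_override lets this role bypass file-mode checks on every type its TE rules reach, and sys_ptrace is only meaningful together with a `process:ptrace` allow that is not visible here, so it may be dead. If these are required by the tooling behind `apache_admin` (L197075), say so above the line, e.g. `# dac_override/dac_read_search: web content owned by other uids; sys_ptrace: TODO confirm still needed`, otherwise drop what is not needed. The two tunables at L197044 and L197051 also deserve a sentence in their `<desc>` that enabling them exposes all users' home and tmp files to the web admin, since that is the trade-off an administrator flips.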
diff --git a/policy/modules/contrib/webalizer.fc b/policy/modules/contrib/webalizer.fc
new file mode 100644
index 00000000..2f40f218
--- /dev/null
+++ b/policy/modules/contrib/webalizer.fc
@@ -0,0 +1,11 @@
+
+#
+# /usr
+#
+/usr/bin/awffull -- gen_context(system_u:object_r:webalizer_exec_t,s0)
+/usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0)
diff --git a/policy/modules/contrib/webalizer.if b/policy/modules/contrib/webalizer.if
new file mode 100644
index 00000000..3c78e7ca
--- /dev/null
+++ b/policy/modules/contrib/webalizer.if
@@ -0,0 +1,45 @@
+## <summary>Web server log analysis</summary>
+
+########################################
+## <summary>
+## Execute webalizer in the webalizer domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`webalizer_domtrans',`
+ gen_require(`
+ type webalizer_t, webalizer_exec_t;
+ ')
+
+ domtrans_pattern($1, webalizer_exec_t, webalizer_t)
+')
+
+########################################
+## <summary>
+## Execute webalizer in the webalizer domain, and
+## allow the specified role the webalizer domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`webalizer_run',`
+ gen_require(`
+ type webalizer_t;
+ ')
+
+ webalizer_domtrans($1)
+ role $2 types webalizer_t;
+')
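Review bot: `webalizer_domtrans` at L197122 omits the `corecmd_search_bin($1)` that the equivalent `wine_domtrans` in this same commit includes (L197434), even though webalizer.fc labels both entrypoints under /usr/bin (L197097–L197098); a caller that does not already have search on bin_t directories will be denied before it ever reaches the transition. Add `corecmd_search_bin($1)` before the `domtrans_pattern` line. `webalizer_run` inherits the fix through the call at L197152.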
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
new file mode 100644
index 00000000..32b4f76f
--- /dev/null
+++ b/policy/modules/contrib/webalizer.te
@@ -0,0 +1,109 @@
+policy_module(webalizer, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type webalizer_t;
+type webalizer_exec_t;
+application_domain(webalizer_t, webalizer_exec_t)
+role system_r types webalizer_t;
+
+type webalizer_etc_t;
+files_config_file(webalizer_etc_t)
+
+type webalizer_usage_t;
+files_type(webalizer_usage_t)
+
+type webalizer_tmp_t;
+files_tmp_file(webalizer_tmp_t)
+
+type webalizer_var_lib_t;
+files_type(webalizer_var_lib_t)
+
+type webalizer_write_t;
+files_type(webalizer_write_t)
+
+########################################
+#
+# Local policy
+#
+
+allow webalizer_t self:capability dac_override;
+allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow webalizer_t self:fd use;
+allow webalizer_t self:fifo_file rw_fifo_file_perms;
+allow webalizer_t self:sock_file read_sock_file_perms;
+allow webalizer_t self:shm create_shm_perms;
+allow webalizer_t self:sem create_sem_perms;
+allow webalizer_t self:msgq create_msgq_perms;
+allow webalizer_t self:msg { send receive };
+allow webalizer_t self:unix_dgram_socket create_socket_perms;
+allow webalizer_t self:unix_stream_socket create_stream_socket_perms;
+allow webalizer_t self:unix_dgram_socket sendto;
+allow webalizer_t self:unix_stream_socket connectto;
+allow webalizer_t self:tcp_socket connected_stream_socket_perms;
+allow webalizer_t self:udp_socket { connect connected_socket_perms };
+allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow webalizer_t webalizer_etc_t:file read_file_perms;
+
+manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
+manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
+files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
+
+manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t)
+files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)
+
+kernel_read_kernel_sysctls(webalizer_t)
+kernel_read_system_state(webalizer_t)
+
+corenet_all_recvfrom_unlabeled(webalizer_t)
+corenet_all_recvfrom_netlabel(webalizer_t)
+corenet_tcp_sendrecv_generic_if(webalizer_t)
+corenet_tcp_sendrecv_generic_node(webalizer_t)
+corenet_tcp_sendrecv_all_ports(webalizer_t)
+
+fs_search_auto_mountpoints(webalizer_t)
+fs_getattr_xattr_fs(webalizer_t)
+fs_rw_anon_inodefs_files(webalizer_t)
+
+files_read_etc_files(webalizer_t)
+files_read_etc_runtime_files(webalizer_t)
+
+logging_list_logs(webalizer_t)
+logging_send_syslog_msg(webalizer_t)
+
+miscfiles_read_localization(webalizer_t)
+miscfiles_read_public_files(webalizer_t)
+
+sysnet_dns_name_resolve(webalizer_t)
+sysnet_read_config(webalizer_t)
+
+userdom_use_user_terminals(webalizer_t)
+userdom_use_unpriv_users_fds(webalizer_t)
+userdom_dontaudit_search_user_home_content(webalizer_t)
+
+apache_read_log(webalizer_t)
+apache_manage_sys_content(webalizer_t)
+
+optional_policy(`
+ cron_system_entry(webalizer_t, webalizer_exec_t)
+')
+
+optional_policy(`
+ ftp_read_log(webalizer_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(webalizer_t)
+')
+
+optional_policy(`
+ nscd_socket_use(webalizer_t)
+')
+
+optional_policy(`
+ squid_read_log(webalizer_t)
+')
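Review bot: `webalizer_usage_t` (L197176) and `webalizer_write_t` (L197185) are declared but no rule in this module references them, webalizer.if exposes no interface over them, and webalizer.fc (L197097–L197103) labels nothing with them, so as committed they are dead types that can only ever be applied by hand. Either remove them or add a comment naming what is expected to carry each label (and the fc entry that applies it), e.g. `# webalizer_usage_t: generated report output, labelled by the webserver content policy — TODO confirm`. Unreferenced types also hide the fact that webalizer_t currently writes its reports via `apache_manage_sys_content` (L197249), which is a broader target than a dedicated output type would be.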
diff --git a/policy/modules/contrib/wine.fc b/policy/modules/contrib/wine.fc
new file mode 100644
index 00000000..9d24449f
--- /dev/null
+++ b/policy/modules/contrib/wine.fc
@@ -0,0 +1,21 @@
+HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --git a/policy/modules/contrib/wine.if b/policy/modules/contrib/wine.if
new file mode 100644
index 00000000..f9a73d04
--- /dev/null
+++ b/policy/modules/contrib/wine.if
@@ -0,0 +1,178 @@
+## <summary>Wine Is Not an Emulator. Run Windows programs in Linux.</summary>
+
+#######################################
+## <summary>
+## The per role template for the wine module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for wine applications.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`wine_role',`
+ gen_require(`
+ type wine_exec_t;
+ ')
+
+ role $1 types wine_t;
+
+ domain_auto_trans($2, wine_exec_t, wine_t)
+ allow wine_t $2:fd use;
+ allow wine_t $2:process { sigchld signull };
+ allow wine_t $2:unix_stream_socket connectto;
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, wine_t)
+ allow $2 wine_t:process signal_perms;
+
+ allow $2 wine_t:fd use;
+ allow $2 wine_t:shm { associate getattr };
+ allow $2 wine_t:shm { unix_read unix_write };
+ allow $2 wine_t:unix_stream_socket connectto;
+
+ # X access, Home files
+ manage_dirs_pattern($2, wine_home_t, wine_home_t)
+ manage_files_pattern($2, wine_home_t, wine_home_t)
+ manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
+ relabel_dirs_pattern($2, wine_home_t, wine_home_t)
+ relabel_files_pattern($2, wine_home_t, wine_home_t)
+ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
+')
+
+#######################################
+## <summary>
+## The role template for the wine module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for wine applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`wine_role_template',`
+ gen_require(`
+ type wine_exec_t;
+ ')
+
+ type $1_wine_t;
+ domain_type($1_wine_t)
+ domain_entry_file($1_wine_t, wine_exec_t)
+ ubac_constrained($1_wine_t)
+ role $2 types $1_wine_t;
+
+ allow $1_wine_t self:process { execmem execstack };
+ allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
+ domtrans_pattern($3, wine_exec_t, $1_wine_t)
+ corecmd_bin_domtrans($1_wine_t, $1_t)
+
+ userdom_unpriv_usertype($1, $1_wine_t)
+ userdom_manage_user_tmpfs_files($1_wine_t)
+
+ domain_mmap_low($1_wine_t)
+
+ tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')
+
+ optional_policy(`
+ xserver_role($1_r, $1_wine_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute the wine program in the wine domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`wine_domtrans',`
+ gen_require(`
+ type wine_t, wine_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wine_exec_t, wine_t)
+')
+
+########################################
+## <summary>
+## Execute wine in the wine domain, and
+## allow the specified role the wine domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`wine_run',`
+ gen_require(`
+ type wine_t;
+ ')
+
+ wine_domtrans($1)
+ role $2 types wine_t;
+')
+
+########################################
+## <summary>
+## Read and write wine Shared
+## memory segments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wine_rw_shm',`
+ gen_require(`
+ type wine_t;
+ ')
+
+ allow $1 wine_t:shm rw_shm_perms;
+')
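Review bot: The `wine_role` template (L197332) uses `wine_t` (L197337) and `wine_home_t` (L197354–L197359) but its `gen_require` at L197333 lists only `wine_exec_t`, and `wine_home_t` is not declared anywhere in wine.te (which declares `wine_t`, `wine_exec_t` and `wine_tmp_t` at L197501–L197507), so any policy that calls this template will fail to build. Either add `type wine_t, wine_home_t;` to the require and declare `wine_home_t` with `userdom_user_home_content(wine_home_t)` plus an fc entry in wine.te, or drop the home-directory rules from the template. `wine_role_template` has a related inconsistency: it takes the role as `$2` and the user domain as `$3`, yet L197403 uses `$1_t` and L197415 uses `$1_r`, which only works when the prefix happens to match the role/domain names; use `$3` and `$2` there.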
diff --git a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
new file mode 100644
index 00000000..7a175163
--- /dev/null
+++ b/policy/modules/contrib/wine.te
@@ -0,0 +1,62 @@
+policy_module(wine, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Ignore wine mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(wine_mmap_zero_ignore, false)
+
+type wine_t;
+type wine_exec_t;
+userdom_user_application_domain(wine_t, wine_exec_t)
+role system_r types wine_t;
+
+type wine_tmp_t;
+userdom_user_tmp_file(wine_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow wine_t self:process { execstack execmem execheap };
+allow wine_t self:fifo_file manage_fifo_file_perms;
+
+can_exec(wine_t, wine_exec_t)
+
+manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
+
+domain_mmap_low(wine_t)
+
+files_execmod_all_files(wine_t)
+
+userdom_use_user_terminals(wine_t)
+
+tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit wine_t self:memprotect mmap_zero;
+')
+
+optional_policy(`
+ hal_dbus_chat(wine_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(wine_t)
+')
+
+optional_policy(`
+ unconfined_domain(wine_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(wine_t)
+ xserver_rw_shm(wine_t)
+')
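Review bot: The `optional_policy` block at L197541–L197543 makes wine_t fully unconfined whenever the unconfined module is loaded, which silently renders every other rule in this file (including the tunable at L197529) irrelevant on such systems, and nothing in the module says so. Add a comment above it such as `# with the unconfined module present wine_t is effectively unconfined; the rules above only matter without it`. `domain_mmap_low` (L197523) and `files_execmod_all_files` (L197525) are the two grants that relax kernel/memory-protection mitigations (low-address mappings, text relocations on any file), so they too should carry a why-comment, e.g. `# presumably needed for legacy 16-bit/DOS support — confirm; weakens mmap_min_addr protection`.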
diff --git a/policy/modules/contrib/wireshark.fc b/policy/modules/contrib/wireshark.fc
new file mode 100644
index 00000000..96844ae7
--- /dev/null
+++ b/policy/modules/contrib/wireshark.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:wireshark_home_t,s0)
+
+/usr/bin/wireshark -- gen_context(system_u:object_r:wireshark_exec_t,s0)
diff --git a/policy/modules/contrib/wireshark.if b/policy/modules/contrib/wireshark.if
new file mode 100644
index 00000000..ea6ffe65
--- /dev/null
+++ b/policy/modules/contrib/wireshark.if
@@ -0,0 +1,55 @@
+## <summary>Wireshark packet capture tool.</summary>
+
+############################################################
+## <summary>
+## Role access for wireshark
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`wireshark_role',`
+ gen_require(`
+ type wireshark_t, wireshark_exec_t;
+ type wireshark_home_t, wireshark_tmp_t;
+ type wireshark_tmpfs_t;
+ ')
+
+ role $1 types wireshark_t;
+
+ domain_auto_trans($2, wireshark_exec_t, wireshark_t)
+ allow wireshark_t $2:fd use;
+ allow wireshark_t $2:process sigchld;
+
+ manage_dirs_pattern($2, wireshark_home_t, wireshark_home_t)
+ manage_files_pattern($2, wireshark_home_t, wireshark_home_t)
+ manage_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t)
+ relabel_dirs_pattern($2, wireshark_home_t, wireshark_home_t)
+ relabel_files_pattern($2, wireshark_home_t, wireshark_home_t)
+ relabel_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t)
+')
+
+########################################
+## <summary>
+## Run wireshark in wireshark domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`wireshark_domtrans',`
+ gen_require(`
+ type wireshark_t, wireshark_exec_t;
+ ')
+
+ domtrans_pattern($1, wireshark_exec_t, wireshark_t)
+')
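Review bot: The `gen_require` in `wireshark_role` (L197582–L197586) requires `wireshark_tmp_t` and `wireshark_tmpfs_t`, but the template body never references either, so the lines are dead and only add a hard dependency for callers; trim it to `type wireshark_t, wireshark_exec_t, wireshark_home_t;`. `wireshark_domtrans` (L197612) also lacks the `corecmd_search_bin($1)` that `wine_domtrans` in this commit carries (L197434) even though wireshark.fc labels the binary under /usr/bin (L197557); add it before the `domtrans_pattern` call.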
diff --git a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
new file mode 100644
index 00000000..fc0adf86
--- /dev/null
+++ b/policy/modules/contrib/wireshark.te
@@ -0,0 +1,122 @@
+policy_module(wireshark, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type wireshark_t;
+type wireshark_exec_t;
+typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t };
+typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
+userdom_user_application_domain(wireshark_t, wireshark_exec_t)
+
+type wireshark_home_t;
+typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
+typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };
+userdom_user_home_content(wireshark_home_t)
+
+type wireshark_tmp_t;
+typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t };
+typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t };
+userdom_user_tmp_file(wireshark_tmp_t)
+
+type wireshark_tmpfs_t;
+typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
+typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t };
+userdom_user_tmpfs_file(wireshark_tmpfs_t)
+
+##############################
+#
+# Local Policy
+#
+
+allow wireshark_t self:capability { net_admin net_raw setgid };
+allow wireshark_t self:process { signal getsched };
+allow wireshark_t self:fifo_file { getattr read write };
+allow wireshark_t self:shm destroy;
+allow wireshark_t self:shm create_shm_perms;
+allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write };
+allow wireshark_t self:tcp_socket create_socket_perms;
+allow wireshark_t self:udp_socket create_socket_perms;
+
+# Re-execute itself (why?)
+can_exec(wireshark_t, wireshark_exec_t)
+
+# /home/.wireshark
+manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir)
+
+# Store temporary files
+manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
+manage_files_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
+files_tmp_filetrans(wireshark_t, wireshark_tmp_t, { dir file })
+
+manage_dirs_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_lnk_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_sock_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_fifo_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(wireshark_t)
+kernel_read_system_state(wireshark_t)
+kernel_read_sysctl(wireshark_t)
+
+corecmd_exec_bin(wireshark_t)
+corecmd_search_bin(wireshark_t)
+
+corenet_tcp_connect_generic_port(wireshark_t)
+corenet_tcp_sendrecv_generic_if(wireshark_t)
+
+dev_read_rand(wireshark_t)
+dev_read_sysfs(wireshark_t)
+dev_read_urand(wireshark_t)
+
+files_read_etc_files(wireshark_t)
+files_read_usr_files(wireshark_t)
+
+fs_list_inotifyfs(wireshark_t)
+fs_search_auto_mountpoints(wireshark_t)
+
+libs_read_lib_files(wireshark_t)
+
+miscfiles_read_fonts(wireshark_t)
+miscfiles_read_localization(wireshark_t)
+
+seutil_use_newrole_fds(wireshark_t)
+
+sysnet_read_config(wireshark_t)
+
+userdom_manage_user_home_content_files(wireshark_t)
+userdom_use_user_ptys(wireshark_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(wireshark_t)
+ fs_manage_nfs_files(wireshark_t)
+ fs_manage_nfs_symlinks(wireshark_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(wireshark_t)
+ fs_manage_cifs_files(wireshark_t)
+ fs_manage_cifs_symlinks(wireshark_t)
+')
+
+optional_policy(`
+ nscd_socket_use(wireshark_t)
+')
+
+# Manual transition from userhelper
+optional_policy(`
+ userhelper_use_fd(wireshark_t)
+ userhelper_sigchld(wireshark_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(wireshark, wireshark_t, wireshark_tmpfs_t)
+ xserver_create_xdm_tmp_sockets(wireshark_t)
+')
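Review bot: `net_admin`, `net_raw` and `setgid` (L197658) together with `packet_socket` (L197664) are granted to the GUI domain itself, and `corecmd_exec_bin` (L197693) lets that domain run any bin_t program with those capabilities, while wireshark.fc labels only /usr/bin/wireshark (L197557); if the build in question delegates capture to a helper such as dumpcap (not visible here — confirm), that helper runs inside wireshark_t rather than in a separated capture domain, which defeats the privilege separation the tool is designed for. At minimum document this above L197658, e.g. `# capture capabilities live in the GUI domain; a separate capture-helper domain would contain the dissectors`, and consider labelling the helper separately. The stale `# Re-execute itself (why?)` at L197668 should be answered or removed, and `allow wireshark_t self:shm destroy;` at L197661 looks redundant if `create_shm_perms` on the next line already includes destroy.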
diff --git a/policy/modules/contrib/wm.fc b/policy/modules/contrib/wm.fc
new file mode 100644
index 00000000..c1d10a11
--- /dev/null
+++ b/policy/modules/contrib/wm.fc
@@ -0,0 +1,4 @@
+/usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
new file mode 100644
index 00000000..b3efef7b
--- /dev/null
+++ b/policy/modules/contrib/wm.if
@@ -0,0 +1,111 @@
+## <summary>X Window Managers</summary>
+
+#######################################
+## <summary>
+## The role template for the wm module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for window manager applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`wm_role_template',`
+ gen_require(`
+ type wm_exec_t;
+ class dbus send_msg;
+ ')
+
+ type $1_wm_t;
+ domain_type($1_wm_t)
+ domain_entry_file($1_wm_t, wm_exec_t)
+ role $2 types $1_wm_t;
+
+ allow $1_wm_t self:fifo_file rw_fifo_file_perms;
+ allow $1_wm_t self:process getsched;
+ allow $1_wm_t self:shm create_shm_perms;
+
+ allow $1_wm_t $3:unix_stream_socket connectto;
+ allow $3 $1_wm_t:unix_stream_socket connectto;
+ allow $3 $1_wm_t:process { signal sigchld signull };
+ allow $1_wm_t $3:process { signull sigkill };
+
+ allow $1_wm_t $3:dbus send_msg;
+ allow $3 $1_wm_t:dbus send_msg;
+
+ domtrans_pattern($3, wm_exec_t, $1_wm_t)
+
+ kernel_read_system_state($1_wm_t)
+
+ corecmd_bin_domtrans($1_wm_t, $3)
+ corecmd_shell_domtrans($1_wm_t, $3)
+
+ dev_read_urand($1_wm_t)
+
+ files_read_etc_files($1_wm_t)
+ files_read_usr_files($1_wm_t)
+
+ fs_getattr_tmpfs($1_wm_t)
+
+ mls_file_read_all_levels($1_wm_t)
+ mls_file_write_all_levels($1_wm_t)
+ mls_xwin_read_all_levels($1_wm_t)
+ mls_xwin_write_all_levels($1_wm_t)
+ mls_fd_use_all_levels($1_wm_t)
+
+ auth_use_nsswitch($1_wm_t)
+
+ application_signull($1_wm_t)
+
+ miscfiles_read_fonts($1_wm_t)
+ miscfiles_read_localization($1_wm_t)
+
+ optional_policy(`
+ dbus_system_bus_client($1_wm_t)
+ dbus_session_bus_client($1_wm_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_stream_connect($1_wm_t)
+ ')
+
+ optional_policy(`
+ xserver_role($2, $1_wm_t)
+ xserver_manage_core_devices($1_wm_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute the wm program in the wm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wm_exec',`
+ gen_require(`
+ type wm_exec_t;
+ ')
+
+ can_exec($1, wm_exec_t)
+')
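Review bot: `mls_file_read_all_levels` and `mls_file_write_all_levels` at L197829–L197830 give every derived window-manager domain an MLS override on files at all sensitivity levels, which is a far broader grant than the `mls_xwin_*` overrides beside them (those are what a window manager plausibly needs to manage windows across levels) and it carries no justification. If a concrete file access at another level is required, say which one in a comment above L197829; otherwise drop the two file overrides so an MLS configuration is not quietly bypassed by whatever the user runs as a window manager. Note also that L197810 lets `$1_wm_t` sigkill the user's own domain, which is worth a one-line comment on intent.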
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
new file mode 100644
index 00000000..19d447ed
--- /dev/null
+++ b/policy/modules/contrib/wm.te
@@ -0,0 +1,9 @@
+policy_module(wm, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type wm_exec_t;
+corecmd_executable_file(wm_exec_t)
diff --git a/policy/modules/contrib/xdg.fc b/policy/modules/contrib/xdg.fc
new file mode 100644
index 00000000..49a52d98
--- /dev/null
+++ b/policy/modules/contrib/xdg.fc
@@ -0,0 +1,8 @@
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0)
+HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)
+
+#
+# /run
+#
+/run/user/USER(/.*)? gen_context(system_u:object_r:xdg_runtime_home_t,s0)
diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
new file mode 100644
index 00000000..5bde948e
--- /dev/null
+++ b/policy/modules/contrib/xdg.if
@@ -0,0 +1,581 @@
+## <summary>Policy for xdg desktop standard</summary>
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_data_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_data_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_data_home_content',`
+ gen_require(`
+ attribute xdg_data_home_type;
+ ')
+
+ typeattribute $1 xdg_data_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_data_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`xdg_data_home_spec_filetrans',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_data_home_t, $2, $3)
+
+ userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_data_home_filetrans when named file transitions are supported
+# to support a filetrans from user_home_dir_t to xdg_data_home_t (~/.local)
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_cache_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_cache_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_cache_home_content',`
+ gen_require(`
+ attribute xdg_cache_home_type;
+ ')
+
+ typeattribute $1 xdg_cache_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_cache_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`xdg_cache_home_spec_filetrans',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_cache_home_t, $2, $3)
+
+ userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_cache_home_filetrans when named file transitions are supported
+# to support a filetrans from user_home_dir_t to xdg_cache_home_t (~/.cache)
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_config_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_config_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_config_home_content',`
+ gen_require(`
+ attribute xdg_config_home_type;
+ ')
+
+ typeattribute $1 xdg_config_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_config_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`xdg_config_home_spec_filetrans',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_config_home_t, $2, $3)
+
+ userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_config_home_filetrans when named file transitions are supported
+# to support a filetrans from user_home_dir_t to xdg_config_home_t (~/.config)
+
+#
+########################################
+## <summary>
+## Mark the selected type as an xdg_runtime_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_runtime_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_runtime_home_content',`
+ gen_require(`
+ attribute xdg_runtime_home_type;
+ ')
+
+ typeattribute $1 xdg_runtime_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_runtime_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`xdg_runtime_home_spec_filetrans',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_runtime_home_t, $2, $3)
+
+ files_search_pids($1)
+')
+
+# TODO Introduce xdg_runtime_home_filetrans (if applicable) when named file transitions are supported
+# to support a filetrans from whatever /run/user is to xdg_config_home_t
+
+########################################
+## <summary>
+## Read the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_cache_home_files',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ list_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_cache_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_cache_home_files',`
+ gen_require(`
+ attribute xdg_cache_home_type;
+ ')
+
+ read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_cache_home_content',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+
+########################################
+## <summary>
+## Manage the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_cache_home_content',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_config_home_files',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ list_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_config_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_config_home_files',`
+ gen_require(`
+ attribute xdg_config_home_type;
+ ')
+
+ read_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+
+########################################
+## <summary>
+## Manage the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_data_home_files',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ list_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_data_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_data_home_files',`
+ gen_require(`
+ attribute xdg_data_home_type;
+ ')
+
+ read_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Manage the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read the xdg runtime home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_runtime_home_files',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ read_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ list_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_runtime_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_runtime_home_files',`
+ gen_require(`
+ attribute xdg_runtime_home_type;
+ ')
+
+ read_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
+
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg runtime home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_runtime_home_content',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Manage the xdg runtime home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_runtime_home_content',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
+
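Review bot: `xdg_read_all_cache_home_files` (and its config, data and runtime counterparts) grants `read_files_pattern` on the attribute but, unlike the `_generic_` variants directly above each of them, omits `list_dirs_pattern`, so a caller can open files it already knows but is denied `dir read` when it enumerates e.g. `~/.cache`; add `list_dirs_pattern($1, xdg_cache_home_type, xdg_cache_home_type)` next to the read call, and the same for the other three attributes. The TODO comment following `xdg_runtime_home_spec_filetrans` says the missing transition would target `xdg_config_home_t`; it should read `xdg_runtime_home_t`. The relabel interfaces only grant relabelfrom/relabelto within the same type, which is the safe choice, but a one-line comment saying so would stop a later contributor from "fixing" it to the attribute.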
diff --git a/policy/modules/contrib/xdg.te b/policy/modules/contrib/xdg.te
new file mode 100644
index 00000000..f9088b4c
--- /dev/null
+++ b/policy/modules/contrib/xdg.te
@@ -0,0 +1,26 @@
+policy_module(xdg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute xdg_data_home_type;
+
+attribute xdg_config_home_type;
+
+attribute xdg_cache_home_type;
+
+attribute xdg_runtime_home_type;
+
+type xdg_data_home_t;
+xdg_data_home_content(xdg_data_home_t)
+
+type xdg_config_home_t;
+xdg_config_home_content(xdg_config_home_t)
+
+type xdg_cache_home_t;
+xdg_cache_home_content(xdg_cache_home_t)
+
+type xdg_runtime_home_t;
+xdg_runtime_home_content(xdg_runtime_home_t)
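Review bot: `xdg_runtime_home_content(xdg_runtime_home_t)` on the last line makes the `/run/user/<uid>` type user home content (the interface calls `userdom_user_home_content`), even though every runtime interface in xdg.if reaches it via `files_search_pids` rather than the home directory; any rule written against the user-home-content attribute therefore also covers session sockets and files under `/run/user`, while nothing here marks the type as /run content for domains that manage or clean `/run`. If that is deliberate, a comment such as `# lives under /run/user but is treated as user home content so user domains reach it through the same attribute` would save the next reader the question; if not, consider marking it as pid/runtime content as well. I cannot see the userdom interface in this diff, so the exact attribute it sets is inferred from its name.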
diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc
new file mode 100644
index 00000000..a865da76
--- /dev/null
+++ b/policy/modules/contrib/xen.fc
@@ -0,0 +1,43 @@
+/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
+
+/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0)
+
+/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
+/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
+/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
+
+/usr/lib(64)?/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+',`
+/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+')
+
+/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
+/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+
+/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
+/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+
+/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
+/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
+
+/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
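Review bot: Under `distro_debian` the qemu-dm device model is not relabeled: the `ifdef` branch versions the paths for xenconsoled, xend, xenstored and xm as `/usr/lib/xen-[^/]*/bin/...`, but `qemu-dm` is matched only at `/usr/lib(64)?/xen/bin/qemu-dm`, so on Debian the binary keeps whatever label its directory gets and the `xend_t` to `qemu_dm_t` transition that the `xend_run_qemu` tunable in xen.te sets up never fires (the exec is either denied or, if the directory is bin_t, runs inside `xend_t` itself). Add `/usr/lib/xen-[^/]*/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)` inside the Debian branch. Separately, labeling `/usr/bin/virsh` as `xm_exec_t` will conflict with a virt module that labels the same path with its own type; if both modules are built together only one spec can stay.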
diff --git a/policy/modules/contrib/xen.if b/policy/modules/contrib/xen.if
new file mode 100644
index 00000000..77d41b64
--- /dev/null
+++ b/policy/modules/contrib/xen.if
@@ -0,0 +1,238 @@
+## <summary>Xen hypervisor</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run xend.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xen_domtrans',`
+ gen_require(`
+ type xend_t, xend_exec_t;
+ ')
+
+ domtrans_pattern($1, xend_exec_t, xend_t)
+')
+
+########################################
+## <summary>
+## Inherit and use xen file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_use_fds',`
+ gen_require(`
+ type xend_t;
+ ')
+
+ allow $1 xend_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit
+## xen file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xen_dontaudit_use_fds',`
+ gen_require(`
+ type xend_t;
+ ')
+
+ dontaudit $1 xend_t:fd use;
+')
+
+########################################
+## <summary>
+## Read xend image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_read_image_files',`
+ gen_require(`
+ type xen_image_t, xend_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+
+ list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+ read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write
+## xend image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_rw_image_files',`
+ gen_require(`
+ type xen_image_t, xend_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 xend_var_lib_t:dir search_dir_perms;
+ rw_files_pattern($1, xen_image_t, xen_image_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## xend log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_append_log',`
+ gen_require(`
+ type xend_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, xend_var_log_t, xend_var_log_t)
+ dontaudit $1 xend_var_log_t:file write;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the
+## xend log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_manage_log',`
+ gen_require(`
+ type xend_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, xend_var_log_t, xend_var_log_t)
+ manage_files_pattern($1, xend_var_log_t, xend_var_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## Xen unix domain stream sockets. These
+## are leaked file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xen_dontaudit_rw_unix_stream_sockets',`
+ gen_require(`
+ type xend_t;
+ ')
+
+ dontaudit $1 xend_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Connect to xenstored over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_stream_connect_xenstore',`
+ gen_require(`
+ type xenstored_t, xenstored_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xenstored_t)
+')
+
+########################################
+## <summary>
+## Connect to xend over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_stream_connect',`
+ gen_require(`
+ type xend_t, xend_var_run_t, xend_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t)
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run xm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xen_domtrans_xm',`
+ gen_require(`
+ type xm_t, xm_exec_t;
+ ')
+
+ domtrans_pattern($1, xm_exec_t, xm_t)
+')
+
+########################################
+## <summary>
+## Connect to xm over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_stream_connect_xm',`
+ gen_require(`
+ type xm_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xm_t)
+')
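Review bot: `xen_stream_connect_xm` uses `xenstored_var_run_t` in its `stream_connect_pattern` but its `gen_require` declares only `type xm_t;`, so the interface fails to build in any module that does not already require that type; the require should read `type xm_t, xenstored_var_run_t;`. It also deserves a comment (or a rename) explaining why a connection to xm goes through xenstored's pid directory, since xen.te declares no run-time type for `xm_t` and this reads like a placeholder rather than the intended socket path. Earlier, `xen_read_image_files` lists `xend_var_lib_t` directories while `xen_rw_image_files` grants only `search_dir_perms`; if the read/write caller also needs to enumerate `/var/lib/xen/images`, the two should match.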
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
new file mode 100644
index 00000000..c4d18e89
--- /dev/null
+++ b/policy/modules/contrib/xen.te
@@ -0,0 +1,566 @@
+policy_module(xen, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow xend to run blktapctrl/tapdisk.
+## Not required if using dedicated logical volumes for disk images.
+## </p>
+## </desc>
+gen_tunable(xend_run_blktap, true)
+
+## <desc>
+## <p>
+## Allow xend to run qemu-dm.
+## Not required if using paravirt and no vfb.
+## </p>
+## </desc>
+gen_tunable(xend_run_qemu, true)
+
+## <desc>
+## <p>
+## Allow xen to manage nfs files
+## </p>
+## </desc>
+gen_tunable(xen_use_nfs, false)
+
+type blktap_t;
+type blktap_exec_t;
+domain_type(blktap_t)
+domain_entry_file(blktap_t, blktap_exec_t)
+role system_r types blktap_t;
+
+type blktap_var_run_t;
+files_pid_file(blktap_var_run_t)
+
+type evtchnd_t;
+type evtchnd_exec_t;
+init_daemon_domain(evtchnd_t, evtchnd_exec_t)
+
+# log files
+type evtchnd_var_log_t;
+logging_log_file(evtchnd_var_log_t)
+
+# pid files
+type evtchnd_var_run_t;
+files_pid_file(evtchnd_var_run_t)
+
+type qemu_dm_t;
+type qemu_dm_exec_t;
+domain_type(qemu_dm_t)
+domain_entry_file(qemu_dm_t, qemu_dm_exec_t)
+role system_r types qemu_dm_t;
+
+# console ptys
+type xen_devpts_t;
+term_pty(xen_devpts_t)
+files_type(xen_devpts_t)
+
+# Xen Image files
+type xen_image_t; # customizable
+files_type(xen_image_t)
+# xen_image_t can be assigned to blk devices
+dev_node(xen_image_t)
+
+type xenctl_t;
+files_type(xenctl_t)
+
+type xend_t;
+type xend_exec_t;
+domain_type(xend_t)
+init_daemon_domain(xend_t, xend_exec_t)
+
+# tmp files
+type xend_tmp_t;
+files_tmp_file(xend_tmp_t)
+
+# var/lib files
+type xend_var_lib_t;
+files_type(xend_var_lib_t)
+# for mounting an NFS store
+files_mountpoint(xend_var_lib_t)
+
+# log files
+type xend_var_log_t;
+logging_log_file(xend_var_log_t)
+
+# pid files
+type xend_var_run_t;
+files_pid_file(xend_var_run_t)
+files_mountpoint(xend_var_run_t)
+
+type xenstored_t;
+type xenstored_exec_t;
+init_daemon_domain(xenstored_t, xenstored_exec_t)
+
+type xenstored_tmp_t;
+files_tmp_file(xenstored_tmp_t)
+
+# var/lib files
+type xenstored_var_lib_t;
+files_type(xenstored_var_lib_t)
+files_mountpoint(xenstored_var_lib_t)
+
+# log files
+type xenstored_var_log_t;
+logging_log_file(xenstored_var_log_t)
+
+# pid files
+type xenstored_var_run_t;
+files_pid_file(xenstored_var_run_t)
+
+type xenconsoled_t;
+type xenconsoled_exec_t;
+init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
+
+# pid files
+type xenconsoled_var_run_t;
+files_pid_file(xenconsoled_var_run_t)
+
+type xm_t;
+type xm_exec_t;
+domain_type(xm_t)
+init_system_domain(xm_t, xm_exec_t)
+
+########################################
+#
+# blktap local policy
+#
+# Do we need to allow execution of blktap?
+tunable_policy(`xend_run_blktap',`
+ # If yes, transition to its own domain.
+ domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
+
+ allow blktap_t self:fifo_file { read write };
+
+ dev_read_sysfs(blktap_t)
+ dev_rw_xen(blktap_t)
+
+ files_read_etc_files(blktap_t)
+
+ logging_send_syslog_msg(blktap_t)
+
+ miscfiles_read_localization(blktap_t)
+
+ xen_stream_connect_xenstore(blktap_t)
+',`
+ # If no, then silently refuse to run it.
+ dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
+')
+
+#######################################
+#
+# evtchnd local policy
+#
+
+manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
+manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
+logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir })
+
+manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
+manage_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
+manage_sock_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
+files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
+
+########################################
+#
+# qemu-dm local policy
+#
+# Do we need to allow execution of qemu-dm?
+tunable_policy(`xend_run_qemu',`
+ allow qemu_dm_t self:capability sys_resource;
+ allow qemu_dm_t self:process setrlimit;
+ allow qemu_dm_t self:fifo_file { read write };
+ allow qemu_dm_t self:tcp_socket create_stream_socket_perms;
+
+ # If yes, transition to its own domain.
+ domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)
+
+ append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t)
+
+ rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t)
+
+ corenet_tcp_bind_generic_node(qemu_dm_t)
+ corenet_tcp_bind_vnc_port(qemu_dm_t)
+
+ dev_rw_xen(qemu_dm_t)
+
+ files_read_etc_files(qemu_dm_t)
+ files_read_usr_files(qemu_dm_t)
+
+ fs_manage_xenfs_dirs(qemu_dm_t)
+ fs_manage_xenfs_files(qemu_dm_t)
+
+ miscfiles_read_localization(qemu_dm_t)
+
+ xen_stream_connect_xenstore(qemu_dm_t)
+',`
+ # If no, then silently refuse to run it.
+ dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };
+')
+
+########################################
+#
+# xend local policy
+#
+
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
+dontaudit xend_t self:capability { sys_ptrace };
+allow xend_t self:process { signal sigkill };
+dontaudit xend_t self:process ptrace;
+# internal communication is often done using fifo and unix sockets.
+allow xend_t self:fifo_file rw_fifo_file_perms;
+allow xend_t self:unix_stream_socket create_stream_socket_perms;
+allow xend_t self:unix_dgram_socket create_socket_perms;
+allow xend_t self:netlink_route_socket r_netlink_socket_perms;
+allow xend_t self:tcp_socket create_stream_socket_perms;
+allow xend_t self:packet_socket create_socket_perms;
+
+allow xend_t xen_image_t:dir list_dir_perms;
+manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
+manage_files_pattern(xend_t, xen_image_t, xen_image_t)
+read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t)
+rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t)
+
+allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
+dev_filetrans(xend_t, xenctl_t, fifo_file)
+
+manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t)
+manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t)
+files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
+
+# pid file
+manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir })
+
+# log files
+manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir })
+
+# var/lib files for xend
+manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
+
+# transition to store
+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
+
+# manage xenstored pid file
+manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)
+
+# mount tmpfs on /var/lib/xenstored
+allow xend_t xenstored_var_lib_t:dir read;
+
+# transition to console
+domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
+
+kernel_read_kernel_sysctls(xend_t)
+kernel_read_system_state(xend_t)
+kernel_write_xen_state(xend_t)
+kernel_read_xen_state(xend_t)
+kernel_rw_net_sysctls(xend_t)
+kernel_read_network_state(xend_t)
+
+corecmd_exec_bin(xend_t)
+corecmd_exec_shell(xend_t)
+
+corenet_all_recvfrom_unlabeled(xend_t)
+corenet_all_recvfrom_netlabel(xend_t)
+corenet_tcp_sendrecv_generic_if(xend_t)
+corenet_tcp_sendrecv_generic_node(xend_t)
+corenet_tcp_sendrecv_all_ports(xend_t)
+corenet_tcp_bind_generic_node(xend_t)
+corenet_tcp_bind_xen_port(xend_t)
+corenet_tcp_bind_soundd_port(xend_t)
+corenet_tcp_bind_generic_port(xend_t)
+corenet_tcp_bind_vnc_port(xend_t)
+corenet_tcp_connect_xserver_port(xend_t)
+corenet_tcp_connect_xen_port(xend_t)
+corenet_sendrecv_xserver_client_packets(xend_t)
+corenet_sendrecv_xen_server_packets(xend_t)
+corenet_sendrecv_xen_client_packets(xend_t)
+corenet_sendrecv_soundd_server_packets(xend_t)
+corenet_rw_tun_tap_dev(xend_t)
+
+dev_read_urand(xend_t)
+dev_filetrans_xen(xend_t)
+dev_rw_sysfs(xend_t)
+dev_rw_xen(xend_t)
+
+domain_dontaudit_read_all_domains_state(xend_t)
+domain_dontaudit_ptrace_all_domains(xend_t)
+
+files_read_etc_files(xend_t)
+files_read_kernel_symbol_table(xend_t)
+files_read_kernel_img(xend_t)
+files_manage_etc_runtime_files(xend_t)
+files_etc_filetrans_etc_runtime(xend_t, file)
+files_read_usr_files(xend_t)
+files_read_default_symlinks(xend_t)
+
+term_getattr_all_ptys(xend_t)
+term_use_generic_ptys(xend_t)
+term_use_ptmx(xend_t)
+term_getattr_pty_fs(xend_t)
+
+init_stream_connect_script(xend_t)
+
+locallogin_dontaudit_use_fds(xend_t)
+
+logging_send_syslog_msg(xend_t)
+
+lvm_domtrans(xend_t)
+
+miscfiles_read_localization(xend_t)
+miscfiles_read_hwdata(xend_t)
+
+mount_domtrans(xend_t)
+
+sysnet_domtrans_dhcpc(xend_t)
+sysnet_signal_dhcpc(xend_t)
+sysnet_domtrans_ifconfig(xend_t)
+sysnet_dns_name_resolve(xend_t)
+sysnet_delete_dhcpc_pid(xend_t)
+sysnet_read_dhcpc_pid(xend_t)
+sysnet_rw_dhcp_config(xend_t)
+
+userdom_dontaudit_search_user_home_dirs(xend_t)
+
+xen_stream_connect_xenstore(xend_t)
+
+netutils_domtrans(xend_t)
+
+optional_policy(`
+ brctl_domtrans(xend_t)
+')
+
+optional_policy(`
+ consoletype_exec(xend_t)
+')
+
+########################################
+#
+# Xen console local policy
+#
+
+allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:process setrlimit;
+allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
+allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
+
+allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+
+# pid file
+manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
+manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
+files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(xenconsoled_t)
+kernel_write_xen_state(xenconsoled_t)
+kernel_read_xen_state(xenconsoled_t)
+
+dev_rw_xen(xenconsoled_t)
+dev_filetrans_xen(xenconsoled_t)
+dev_rw_sysfs(xenconsoled_t)
+
+domain_dontaudit_ptrace_all_domains(xenconsoled_t)
+
+files_read_etc_files(xenconsoled_t)
+files_read_usr_files(xenconsoled_t)
+
+fs_list_tmpfs(xenconsoled_t)
+fs_manage_xenfs_dirs(xenconsoled_t)
+fs_manage_xenfs_files(xenconsoled_t)
+
+term_create_pty(xenconsoled_t, xen_devpts_t)
+term_use_generic_ptys(xenconsoled_t)
+term_use_console(xenconsoled_t)
+
+init_use_fds(xenconsoled_t)
+init_use_script_ptys(xenconsoled_t)
+
+miscfiles_read_localization(xenconsoled_t)
+
+xen_manage_log(xenconsoled_t)
+xen_stream_connect_xenstore(xenconsoled_t)
+
+optional_policy(`
+ ptchown_domtrans(xenconsoled_t)
+')
+
+########################################
+#
+# Xen store local policy
+#
+
+allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
+allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
+allow xenstored_t self:unix_dgram_socket create_socket_perms;
+
+manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
+
+# pid file
+manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
+manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
+files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file })
+
+# log files
+manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir })
+
+# var/lib files for xenstored
+manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file })
+
+stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)
+
+kernel_write_xen_state(xenstored_t)
+kernel_read_xen_state(xenstored_t)
+
+dev_filetrans_xen(xenstored_t)
+dev_rw_xen(xenstored_t)
+dev_read_sysfs(xenstored_t)
+
+files_read_etc_files(xenstored_t)
+
+files_read_usr_files(xenstored_t)
+
+fs_manage_xenfs_files(xenstored_t)
+
+term_use_generic_ptys(xenstored_t)
+
+init_use_fds(xenstored_t)
+init_use_script_ptys(xenstored_t)
+
+logging_send_syslog_msg(xenstored_t)
+
+miscfiles_read_localization(xenstored_t)
+
+xen_append_log(xenstored_t)
+
+########################################
+#
+# xm local policy
+#
+
+allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
+allow xm_t self:process { getsched signal };
+
+# internal communication is often done using fifo and unix sockets.
+allow xm_t self:fifo_file rw_fifo_file_perms;
+allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow xm_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
+manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
+manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
+files_search_var_lib(xm_t)
+
+allow xm_t xen_image_t:dir rw_dir_perms;
+allow xm_t xen_image_t:file read_file_perms;
+allow xm_t xen_image_t:blk_file read_blk_file_perms;
+
+kernel_read_system_state(xm_t)
+kernel_read_kernel_sysctls(xm_t)
+kernel_read_sysctl(xm_t)
+kernel_read_xen_state(xm_t)
+kernel_write_xen_state(xm_t)
+
+corecmd_exec_bin(xm_t)
+corecmd_exec_shell(xm_t)
+
+corenet_tcp_sendrecv_generic_if(xm_t)
+corenet_tcp_sendrecv_generic_node(xm_t)
+corenet_tcp_connect_soundd_port(xm_t)
+
+dev_read_urand(xm_t)
+dev_read_sysfs(xm_t)
+
+files_read_etc_runtime_files(xm_t)
+files_read_usr_files(xm_t)
+files_list_mnt(xm_t)
+# Some common macros (you might be able to remove some)
+files_read_etc_files(xm_t)
+
+fs_getattr_all_fs(xm_t)
+fs_manage_xenfs_dirs(xm_t)
+fs_manage_xenfs_files(xm_t)
+
+term_use_all_terms(xm_t)
+
+init_stream_connect_script(xm_t)
+init_rw_script_stream_sockets(xm_t)
+init_use_fds(xm_t)
+
+miscfiles_read_localization(xm_t)
+
+sysnet_dns_name_resolve(xm_t)
+
+xen_append_log(xm_t)
+xen_stream_connect(xm_t)
+xen_stream_connect_xenstore(xm_t)
+
+optional_policy(`
+ dbus_system_bus_client(xm_t)
+
+ optional_policy(`
+ hal_dbus_chat(xm_t)
+ ')
+')
+
+optional_policy(`
+ virt_domtrans(xm_t)
+ virt_manage_images(xm_t)
+ virt_manage_config(xm_t)
+ virt_stream_connect(xm_t)
+')
+
+########################################
+#
+# SSH component local policy
+#
+optional_policy(`
+ ssh_basic_client_template(xm, xm_t, system_r)
+
+ kernel_read_xen_state(xm_ssh_t)
+ kernel_write_xen_state(xm_ssh_t)
+
+ files_search_tmp(xm_ssh_t)
+
+ fs_manage_xenfs_dirs(xm_ssh_t)
+ fs_manage_xenfs_files(xm_ssh_t)
+
+ #Should have a boolean wrapping these
+ fs_list_auto_mountpoints(xend_t)
+ files_search_mnt(xend_t)
+ fs_getattr_all_fs(xend_t)
+ fs_read_dos_files(xend_t)
+ fs_manage_xenfs_dirs(xend_t)
+ fs_manage_xenfs_files(xend_t)
+
+ tunable_policy(`xen_use_nfs',`
+ fs_manage_nfs_files(xend_t)
+ fs_read_nfs_symlinks(xend_t)
+ ')
+
+ optional_policy(`
+ unconfined_domain(xend_t)
+ ')
+')
diff --git a/policy/modules/contrib/xfs.fc b/policy/modules/contrib/xfs.fc
new file mode 100644
index 00000000..8e70038b
--- /dev/null
+++ b/policy/modules/contrib/xfs.fc
@@ -0,0 +1,8 @@
+
+/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:xfs_tmp_t,s0)
+
+/usr/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0)
+/usr/bin/xfstt -- gen_context(system_u:object_r:xfs_exec_t,s0)
+
+/usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0)
+/usr/X11R6/bin/xfs-xtt -- gen_context(system_u:object_r:xfs_exec_t,s0)
diff --git a/policy/modules/contrib/xfs.if b/policy/modules/contrib/xfs.if
new file mode 100644
index 00000000..aa6e5a8d
--- /dev/null
+++ b/policy/modules/contrib/xfs.if
@@ -0,0 +1,59 @@
+## <summary>X Windows Font Server </summary>
+
+########################################
+## <summary>
+## Read a X font server named socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xfs_read_sockets',`
+ gen_require(`
+ type xfs_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_sock_files_pattern($1, xfs_tmp_t, xfs_tmp_t)
+')
+
+########################################
+## <summary>
+## Connect to a X font server over
+## a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xfs_stream_connect',`
+ gen_require(`
+ type xfs_tmp_t, xfs_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, xfs_tmp_t, xfs_tmp_t, xfs_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute xfs
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xfs_exec',`
+ gen_require(`
+ type xfs_exec_t;
+ ')
+
+ can_exec($1, xfs_exec_t)
+')
diff --git a/policy/modules/contrib/xfs.te b/policy/modules/contrib/xfs.te
new file mode 100644
index 00000000..11c1b12b
--- /dev/null
+++ b/policy/modules/contrib/xfs.te
@@ -0,0 +1,87 @@
+policy_module(xfs, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type xfs_t;
+type xfs_exec_t;
+init_daemon_domain(xfs_t, xfs_exec_t)
+
+type xfs_tmp_t;
+files_tmp_file(xfs_tmp_t)
+
+type xfs_var_run_t;
+files_pid_file(xfs_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow xfs_t self:capability { dac_override setgid setuid };
+dontaudit xfs_t self:capability sys_tty_config;
+allow xfs_t self:process { signal_perms setpgid };
+allow xfs_t self:unix_stream_socket create_stream_socket_perms;
+allow xfs_t self:unix_dgram_socket create_socket_perms;
+allow xfs_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t)
+manage_sock_files_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t)
+files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir })
+
+manage_files_pattern(xfs_t, xfs_var_run_t, xfs_var_run_t)
+files_pid_filetrans(xfs_t, xfs_var_run_t, file)
+
+kernel_read_kernel_sysctls(xfs_t)
+kernel_read_system_state(xfs_t)
+
+corenet_all_recvfrom_unlabeled(xfs_t)
+corenet_all_recvfrom_netlabel(xfs_t)
+corenet_tcp_sendrecv_generic_if(xfs_t)
+corenet_tcp_sendrecv_generic_node(xfs_t)
+corenet_tcp_sendrecv_all_ports(xfs_t)
+corenet_tcp_bind_generic_node(xfs_t)
+corenet_tcp_bind_xfs_port(xfs_t)
+corenet_sendrecv_xfs_server_packets(xfs_t)
+
+corecmd_list_bin(xfs_t)
+
+dev_read_sysfs(xfs_t)
+dev_read_urand(xfs_t)
+dev_read_rand(xfs_t)
+
+fs_getattr_all_fs(xfs_t)
+fs_search_auto_mountpoints(xfs_t)
+
+domain_use_interactive_fds(xfs_t)
+
+files_read_etc_files(xfs_t)
+files_read_etc_runtime_files(xfs_t)
+files_read_usr_files(xfs_t)
+
+auth_use_nsswitch(xfs_t)
+
+logging_send_syslog_msg(xfs_t)
+
+miscfiles_read_localization(xfs_t)
+miscfiles_read_fonts(xfs_t)
+
+userdom_dontaudit_use_unpriv_user_fds(xfs_t)
+userdom_dontaudit_search_user_home_dirs(xfs_t)
+
+xfs_exec(xfs_t)
+
+ifdef(`distro_debian',`
+ # for /tmp/.font-unix/fs7100
+ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(xfs_t)
+')
+
+optional_policy(`
+ udev_read_db(xfs_t)
+')
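Review bot: `xfs_exec(xfs_t)` near the end of the local-policy section lets the font server execute its own binary in-domain with no transition, and nothing says why; a why-comment such as `# xfs re-executes its own binary in place (no transition) — confirm this is the reload/re-exec path` would stop the next maintainer from removing or widening it blindly. The same section grants `dac_override` alongside `setuid setgid`; if the daemon drops to its own uid after binding, the socket directory under /tmp/.font-unix and the pid file should be owned by that uid and `dac_override` may not be needed, which is worth confirming from an audit run rather than leaving a DAC bypass in permanently.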
diff --git a/policy/modules/contrib/xguest.fc b/policy/modules/contrib/xguest.fc
new file mode 100644
index 00000000..601a7b02
--- /dev/null
+++ b/policy/modules/contrib/xguest.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/contrib/xguest.if b/policy/modules/contrib/xguest.if
new file mode 100644
index 00000000..d2234e32
--- /dev/null
+++ b/policy/modules/contrib/xguest.if
@@ -0,0 +1,50 @@
+## <summary>Least privledge xwindows user role</summary>
+
+########################################
+## <summary>
+## Change to the xguest role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xguest_role_change',`
+ gen_require(`
+ role xguest_r;
+ ')
+
+ allow $1 xguest_r;
+')
+
+########################################
+## <summary>
+## Change from the xguest role.
+## </summary>
+## <desc>
+## <p>
+## Change from the xguest role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xguest_role_change_to',`
+ gen_require(`
+ role xguest_r;
+ ')
+
+ allow xguest_r $1;
+')
diff --git a/policy/modules/contrib/xguest.te b/policy/modules/contrib/xguest.te
new file mode 100644
index 00000000..e88b95f1
--- /dev/null
+++ b/policy/modules/contrib/xguest.te
@@ -0,0 +1,98 @@
+policy_module(xguest, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow xguest users to mount removable media
+## </p>
+## </desc>
+gen_tunable(xguest_mount_media, true)
+
+## <desc>
+## <p>
+## Allow xguest to configure Network Manager
+## </p>
+## </desc>
+gen_tunable(xguest_connect_network, true)
+
+## <desc>
+## <p>
+## Allow xguest to use blue tooth devices
+## </p>
+## </desc>
+gen_tunable(xguest_use_bluetooth, true)
+
+role xguest_r;
+
+userdom_restricted_xwindows_user_template(xguest)
+
+########################################
+#
+# Local policy
+#
+
+ifndef(`enable_mls',`
+ fs_exec_noxattr(xguest_t)
+
+ tunable_policy(`user_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ # Write floppies
+ storage_raw_read_removable_device(xguest_t)
+ storage_raw_write_removable_device(xguest_t)
+ ',`
+ storage_raw_read_removable_device(xguest_t)
+ ')
+')
+
+# Allow mounting of file systems
+optional_policy(`
+ tunable_policy(`xguest_mount_media',`
+ kernel_read_fs_sysctls(xguest_t)
+
+ files_dontaudit_getattr_boot_dirs(xguest_t)
+ files_search_mnt(xguest_t)
+
+ fs_manage_noxattr_fs_files(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_getattr_noxattr_fs(xguest_t)
+ fs_read_noxattr_fs_symlinks(xguest_t)
+
+ auth_list_pam_console_data(xguest_t)
+
+ init_read_utmp(xguest_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`xguest_use_bluetooth',`
+ bluetooth_dbus_chat(xguest_t)
+ ')
+')
+
+optional_policy(`
+ hal_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+ java_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ mozilla_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ tunable_policy(`xguest_connect_network',`
+ networkmanager_dbus_chat(xguest_t)
+ corenet_tcp_connect_pulseaudio_port(xguest_t)
+ corenet_tcp_connect_ipp_port(xguest_t)
+ ')
+')
+
+#gen_user(xguest_u,, xguest_r, s0, s0)
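Review bot: `fs_manage_noxattr_fs_dirs(xguest_t)` appears twice in the `xguest_mount_media` block; drop the second copy. More importantly for a role the interface file calls least privilege, all three tunables are declared with a default of `true`, so a stock build grants the guest mount, NetworkManager/IPP/PulseAudio and Bluetooth D-Bus access unless the site turns the booleans off; if that is intentional the `<desc>` text should say so (e.g. `Allow xguest users to mount removable media (enabled by default)`), otherwise `gen_tunable(xguest_mount_media, false)` and friends are the safer default. `hal_dbus_chat(xguest_t)` is also unconditional while the comparable Bluetooth and NetworkManager chat rules are gated by a boolean, which looks inconsistent.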
diff --git a/policy/modules/contrib/xprint.fc b/policy/modules/contrib/xprint.fc
new file mode 100644
index 00000000..6a857fff
--- /dev/null
+++ b/policy/modules/contrib/xprint.fc
@@ -0,0 +1 @@
+/usr/bin/Xprt -- gen_context(system_u:object_r:xprint_exec_t,s0)
diff --git a/policy/modules/contrib/xprint.if b/policy/modules/contrib/xprint.if
new file mode 100644
index 00000000..e69a82af
--- /dev/null
+++ b/policy/modules/contrib/xprint.if
@@ -0,0 +1 @@
+## <summary>X print server</summary>
diff --git a/policy/modules/contrib/xprint.te b/policy/modules/contrib/xprint.te
new file mode 100644
index 00000000..68d13e59
--- /dev/null
+++ b/policy/modules/contrib/xprint.te
@@ -0,0 +1,82 @@
+policy_module(xprint, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type xprint_t;
+type xprint_exec_t;
+init_daemon_domain(xprint_t, xprint_exec_t)
+
+type xprint_var_run_t;
+files_pid_file(xprint_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit xprint_t self:capability sys_tty_config;
+allow xprint_t self:process signal_perms;
+allow xprint_t self:fifo_file rw_file_perms;
+allow xprint_t self:tcp_socket create_stream_socket_perms;
+allow xprint_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(xprint_t, xprint_var_run_t, xprint_var_run_t)
+files_pid_filetrans(xprint_t, xprint_var_run_t, file)
+
+kernel_read_system_state(xprint_t)
+kernel_read_kernel_sysctls(xprint_t)
+
+corecmd_exec_bin(xprint_t)
+corecmd_exec_shell(xprint_t)
+
+corenet_all_recvfrom_unlabeled(xprint_t)
+corenet_all_recvfrom_netlabel(xprint_t)
+corenet_tcp_sendrecv_generic_if(xprint_t)
+corenet_udp_sendrecv_generic_if(xprint_t)
+corenet_tcp_sendrecv_generic_node(xprint_t)
+corenet_udp_sendrecv_generic_node(xprint_t)
+corenet_tcp_sendrecv_all_ports(xprint_t)
+corenet_udp_sendrecv_all_ports(xprint_t)
+
+dev_read_sysfs(xprint_t)
+dev_read_urand(xprint_t)
+
+domain_use_interactive_fds(xprint_t)
+
+files_read_etc_files(xprint_t)
+files_read_etc_runtime_files(xprint_t)
+files_read_usr_files(xprint_t)
+files_search_var_lib(xprint_t)
+files_search_tmp(xprint_t)
+
+fs_getattr_all_fs(xprint_t)
+fs_search_auto_mountpoints(xprint_t)
+
+logging_send_syslog_msg(xprint_t)
+
+miscfiles_read_fonts(xprint_t)
+miscfiles_read_localization(xprint_t)
+
+sysnet_read_config(xprint_t)
+
+userdom_dontaudit_use_unpriv_user_fds(xprint_t)
+userdom_dontaudit_search_user_home_dirs(xprint_t)
+
+optional_policy(`
+ cups_read_config(xprint_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(xprint_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(xprint_t)
+')
+
+optional_policy(`
+ udev_read_db(xprint_t)
+')
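Review bot: `allow xprint_t self:fifo_file rw_file_perms;` applies the generic file permission set to a fifo; the other modules in this series (xscreensaver, xen) use the dedicated set, so `allow xprint_t self:fifo_file rw_fifo_file_perms;` keeps the module consistent and makes the intent clearer. The module also grants `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` but no `corenet_*_bind_*` rule, so as written the domain cannot bind a listening socket; if Xprt is expected to accept X print clients over TCP that needs a bind rule for a specific port, and if not, a comment stating the server is local-only would prevent someone adding a generic one later.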
diff --git a/policy/modules/contrib/xscreensaver.fc b/policy/modules/contrib/xscreensaver.fc
new file mode 100644
index 00000000..29396daa
--- /dev/null
+++ b/policy/modules/contrib/xscreensaver.fc
@@ -0,0 +1 @@
+/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
diff --git a/policy/modules/contrib/xscreensaver.if b/policy/modules/contrib/xscreensaver.if
new file mode 100644
index 00000000..1067bd1f
--- /dev/null
+++ b/policy/modules/contrib/xscreensaver.if
@@ -0,0 +1,30 @@
+## <summary>X Screensaver</summary>
+
+########################################
+## <summary>
+## Role access for xscreensaver
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`xscreensaver_role',`
+ gen_require(`
+ type xscreensaver_t, xscreensaver_exec_t;
+ ')
+
+ role $1 types xscreensaver_t;
+
+ domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, xscreensaver_t)
+ allow $2 xscreensaver_t:process signal_perms;
+')
diff --git a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
new file mode 100644
index 00000000..1487a4e5
--- /dev/null
+++ b/policy/modules/contrib/xscreensaver.te
@@ -0,0 +1,42 @@
+policy_module(xscreensaver, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type xscreensaver_t;
+type xscreensaver_exec_t;
+userdom_user_application_domain(xscreensaver_t, xscreensaver_exec_t)
+
+type xscreensaver_tmpfs_t;
+userdom_user_tmpfs_file(xscreensaver_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
+allow xscreensaver_t self:process signal;
+
+kernel_read_system_state(xscreensaver_t)
+
+files_read_usr_files(xscreensaver_t)
+
+auth_use_nsswitch(xscreensaver_t)
+auth_domtrans_chk_passwd(xscreensaver_t)
+
+#/var/run/utmp
+init_read_utmp(xscreensaver_t)
+
+logging_send_audit_msgs(xscreensaver_t)
+logging_send_syslog_msg(xscreensaver_t)
+
+miscfiles_read_localization(xscreensaver_t)
+
+userdom_use_user_ptys(xscreensaver_t)
+#access to .icons and ~/.xscreensaver
+userdom_read_user_home_content_files(xscreensaver_t)
+
+xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
diff --git a/policy/modules/contrib/yam.fc b/policy/modules/contrib/yam.fc
new file mode 100644
index 00000000..4ec6edeb
--- /dev/null
+++ b/policy/modules/contrib/yam.fc
@@ -0,0 +1,6 @@
+/etc/yam\.conf -- gen_context(system_u:object_r:yam_etc_t,s0)
+
+/usr/bin/yam -- gen_context(system_u:object_r:yam_exec_t,s0)
+
+/var/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0)
+/var/www/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0)
diff --git a/policy/modules/contrib/yam.if b/policy/modules/contrib/yam.if
new file mode 100644
index 00000000..07015a25
--- /dev/null
+++ b/policy/modules/contrib/yam.if
@@ -0,0 +1,66 @@
+## <summary>Yum/Apt Mirroring</summary>
+
+########################################
+## <summary>
+## Execute yam in the yam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`yam_domtrans',`
+ gen_require(`
+ type yam_t, yam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, yam_exec_t, yam_t)
+')
+
+########################################
+## <summary>
+## Execute yam in the yam domain, and
+## allow the specified role the yam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`yam_run',`
+ gen_require(`
+ type yam_t;
+ ')
+
+ yam_domtrans($1)
+ role $2 types yam_t;
+')
+
+########################################
+## <summary>
+## Read yam content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`yam_read_content',`
+ gen_require(`
+ type yam_content_t;
+ ')
+
+ allow $1 yam_content_t:dir list_dir_perms;
+ read_files_pattern($1, yam_content_t, yam_content_t)
+ read_lnk_files_pattern($1, yam_content_t, yam_content_t)
+')
diff --git a/policy/modules/contrib/yam.te b/policy/modules/contrib/yam.te
new file mode 100644
index 00000000..223ad437
--- /dev/null
+++ b/policy/modules/contrib/yam.te
@@ -0,0 +1,124 @@
+policy_module(yam, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type yam_t alias yam_crond_t;
+type yam_exec_t;
+application_domain(yam_t, yam_exec_t)
+
+type yam_content_t;
+files_mountpoint(yam_content_t)
+
+type yam_etc_t;
+files_config_file(yam_etc_t)
+
+type yam_tmp_t;
+files_tmp_file(yam_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow yam_t self:capability { chown fowner fsetid dac_override };
+allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow yam_t self:process execmem;
+allow yam_t self:fd use;
+allow yam_t self:fifo_file rw_fifo_file_perms;
+allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow yam_t self:unix_dgram_socket { create_socket_perms sendto };
+allow yam_t self:shm create_shm_perms;
+allow yam_t self:sem create_sem_perms;
+allow yam_t self:msgq create_msgq_perms;
+allow yam_t self:msg { send receive };
+allow yam_t self:tcp_socket create_socket_perms;
+
+# Update the content being managed by yam.
+manage_dirs_pattern(yam_t, yam_content_t, yam_content_t)
+manage_files_pattern(yam_t, yam_content_t, yam_content_t)
+manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t)
+
+allow yam_t yam_etc_t:file read_file_perms;
+files_search_etc(yam_t)
+
+manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t)
+manage_dirs_pattern(yam_t, yam_tmp_t, yam_tmp_t)
+files_tmp_filetrans(yam_t, yam_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(yam_t)
+kernel_read_proc_symlinks(yam_t)
+# Python works fine without reading /proc/meminfo
+kernel_dontaudit_read_system_state(yam_t)
+
+corecmd_exec_shell(yam_t)
+corecmd_exec_bin(yam_t)
+
+# Rsync and lftp need to network. They also set files attributes to
+# match whats on the remote server.
+corenet_all_recvfrom_unlabeled(yam_t)
+corenet_all_recvfrom_netlabel(yam_t)
+corenet_tcp_sendrecv_generic_if(yam_t)
+corenet_tcp_sendrecv_generic_node(yam_t)
+corenet_tcp_sendrecv_all_ports(yam_t)
+corenet_tcp_connect_http_port(yam_t)
+corenet_tcp_connect_rsync_port(yam_t)
+corenet_sendrecv_http_client_packets(yam_t)
+corenet_sendrecv_rsync_client_packets(yam_t)
+
+# mktemp
+dev_read_urand(yam_t)
+
+files_read_etc_files(yam_t)
+files_read_etc_runtime_files(yam_t)
+# /usr/share/createrepo/genpkgmetadata.py:
+files_exec_usr_files(yam_t)
+# Programs invoked to build package lists need various permissions.
+# genpkglist creates tmp files in /var/cache/apt/genpkglist
+files_rw_var_files(yam_t)
+
+fs_search_auto_mountpoints(yam_t)
+# Content can also be on ISO image files.
+fs_read_iso9660_files(yam_t)
+
+logging_send_syslog_msg(yam_t)
+
+miscfiles_read_localization(yam_t)
+
+seutil_read_config(yam_t)
+
+sysnet_dns_name_resolve(yam_t)
+sysnet_read_config(yam_t)
+
+userdom_use_user_terminals(yam_t)
+userdom_use_unpriv_users_fds(yam_t)
+# Reading dotfiles...
+# cjp: ?
+userdom_search_user_home_dirs(yam_t)
+
+# The whole point of this program is to make updates available on a
+# local web server. Need to go through /var to get to /var/yam
+# Go through /var/www to get to /var/www/yam
+apache_search_sys_content(yam_t)
+
+optional_policy(`
+ cron_system_entry(yam_t, yam_exec_t)
+')
+
+optional_policy(`
+ mount_domtrans(yam_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(yam_t)
+')
+
+optional_policy(`
+ nscd_socket_use(yam_t)
+')
+
+optional_policy(`
+ rsync_exec(yam_t)
+')
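Review bot: the two process rules at the top of the local policy contradict each other: `allow yam_t self:process ~{ ... execmem ... };` excludes execmem and the very next line grants it, and the negated set also hands yam_t every process permission added to the policy in the future (anything not in the exclusion list). Replace both lines with a positive list of what the mirror job actually needs, e.g. `allow yam_t self:process { signal_perms getsched setsched getpgid setpgid getsession execmem };`, trimmed or extended from an audit run since the exact set is not visible here. `files_rw_var_files(yam_t)` is likewise broad for the stated purpose (genpkglist temp files under /var/cache/apt); a dedicated cache type or at least a comment acknowledging the over-grant would help.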
diff --git a/policy/modules/contrib/zabbix.fc b/policy/modules/contrib/zabbix.fc
new file mode 100644
index 00000000..aa5a5211
--- /dev/null
+++ b/policy/modules/contrib/zabbix.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
+
+/usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+
+/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
+
+/var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0)
diff --git a/policy/modules/contrib/zabbix.if b/policy/modules/contrib/zabbix.if
new file mode 100644
index 00000000..c9981d18
--- /dev/null
+++ b/policy/modules/contrib/zabbix.if
@@ -0,0 +1,158 @@
+## <summary>Distributed infrastructure monitoring</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run zabbix.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zabbix_domtrans',`
+ gen_require(`
+ type zabbix_t, zabbix_exec_t;
+ ')
+
+ domtrans_pattern($1, zabbix_exec_t, zabbix_t)
+')
+
+########################################
+## <summary>
+## Allow connectivity to the zabbix server
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zabbix_tcp_connect',`
+ gen_require(`
+ type zabbix_t;
+ ')
+
+ corenet_sendrecv_zabbix_agent_client_packets($1)
+ corenet_tcp_connect_zabbix_port($1)
+ corenet_tcp_recvfrom_labeled($1, zabbix_t)
+ corenet_tcp_sendrecv_zabbix_port($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read zabbix's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zabbix_read_log',`
+ gen_require(`
+ type zabbix_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, zabbix_log_t, zabbix_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## zabbix log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zabbix_append_log',`
+ gen_require(`
+ type zabbix_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, zabbix_log_t, zabbix_log_t)
+')
+
+########################################
+## <summary>
+## Read zabbix PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zabbix_read_pid_files',`
+ gen_require(`
+ type zabbix_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 zabbix_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow connectivity to a zabbix agent
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zabbix_agent_tcp_connect',`
+ gen_require(`
+ type zabbix_agent_t;
+ ')
+
+ corenet_sendrecv_zabbix_agent_client_packets($1)
+ corenet_tcp_connect_zabbix_agent_port($1)
+ corenet_tcp_recvfrom_labeled($1, zabbix_t)
+ corenet_tcp_sendrecv_zabbix_agent_port($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an zabbix environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the zabbix domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zabbix_admin',`
+ gen_require(`
+ type zabbix_t, zabbix_log_t, zabbix_var_run_t;
+ type zabbix_initrc_exec_t;
+ ')
+
+ allow $1 zabbix_t:process { ptrace signal_perms };
+ ps_process_pattern($1, zabbix_t)
+
+ init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 zabbix_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, zabbix_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, zabbix_var_run_t)
+')
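Review bot: `zabbix_agent_tcp_connect` requires `zabbix_agent_t` but then calls `corenet_tcp_recvfrom_labeled($1, zabbix_t)`, so the labeled-networking peer rule names the server domain rather than the agent the caller connects to, and `zabbix_t` is not even in that interface's gen_require; it should read `corenet_tcp_recvfrom_labeled($1, zabbix_agent_t)`. The mirror-image slip is in `zabbix_tcp_connect`, which targets the server port yet uses `corenet_sendrecv_zabbix_agent_client_packets($1)`; `corenet_sendrecv_zabbix_client_packets($1)` matches the port it connects to. `zabbix_admin` also covers only `zabbix_t`; the agent domain, `zabbix_agent_initrc_exec_t` and the agent's files are left outside the admin role.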
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
new file mode 100644
index 00000000..8c0bd708
--- /dev/null
+++ b/policy/modules/contrib/zabbix.te
@@ -0,0 +1,137 @@
+policy_module(zabbix, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type zabbix_t;
+type zabbix_exec_t;
+init_daemon_domain(zabbix_t, zabbix_exec_t)
+
+type zabbix_initrc_exec_t;
+init_script_file(zabbix_initrc_exec_t)
+
+type zabbix_agent_t;
+type zabbix_agent_exec_t;
+init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
+
+type zabbix_agent_initrc_exec_t;
+init_script_file(zabbix_agent_initrc_exec_t)
+
+# log files
+type zabbix_log_t;
+logging_log_file(zabbix_log_t)
+
+# shared memory
+type zabbix_tmpfs_t;
+files_tmpfs_file(zabbix_tmpfs_t)
+
+# pid files
+type zabbix_var_run_t;
+files_pid_file(zabbix_var_run_t)
+
+########################################
+#
+# zabbix local policy
+#
+
+allow zabbix_t self:capability { setuid setgid };
+allow zabbix_t self:fifo_file rw_file_perms;
+allow zabbix_t self:process { setsched getsched signal };
+allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
+allow zabbix_t self:sem create_sem_perms;
+allow zabbix_t self:shm create_shm_perms;
+allow zabbix_t self:tcp_socket create_stream_socket_perms;
+
+# log files
+allow zabbix_t zabbix_log_t:dir setattr;
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+logging_log_filetrans(zabbix_t, zabbix_log_t, file)
+
+# shared memory
+rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
+
+# pid file
+manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
+
+corenet_tcp_bind_generic_node(zabbix_t)
+corenet_tcp_bind_zabbix_port(zabbix_t)
+
+files_read_etc_files(zabbix_t)
+
+miscfiles_read_localization(zabbix_t)
+
+sysnet_dns_name_resolve(zabbix_t)
+
+zabbix_agent_tcp_connect(zabbix_t)
+
+optional_policy(`
+ mysql_stream_connect(zabbix_t)
+ mysql_tcp_connect(zabbix_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(zabbix_t)
+')
+
+########################################
+#
+# zabbix agent local policy
+#
+
+allow zabbix_agent_t self:capability { setuid setgid };
+allow zabbix_agent_t self:process { setsched getsched signal };
+allow zabbix_agent_t self:fifo_file rw_file_perms;
+allow zabbix_agent_t self:sem create_sem_perms;
+allow zabbix_agent_t self:shm create_shm_perms;
+allow zabbix_agent_t self:tcp_socket create_stream_socket_perms;
+allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
+
+# Logging access
+filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
+manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+
+# Shared Memory support
+rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+
+# PID file management
+manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+
+kernel_read_all_sysctls(zabbix_agent_t)
+kernel_read_system_state(zabbix_agent_t)
+
+corecmd_read_all_executables(zabbix_agent_t)
+
+corenet_tcp_bind_generic_node(zabbix_agent_t)
+corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
+corenet_tcp_connect_ssh_port(zabbix_agent_t)
+corenet_tcp_connect_zabbix_port(zabbix_agent_t)
+
+dev_getattr_all_blk_files(zabbix_agent_t)
+dev_getattr_all_chr_files(zabbix_agent_t)
+
+domain_search_all_domains_state(zabbix_agent_t)
+
+files_getattr_all_dirs(zabbix_agent_t)
+files_getattr_all_files(zabbix_agent_t)
+files_read_all_symlinks(zabbix_agent_t)
+files_read_etc_files(zabbix_agent_t)
+
+fs_getattr_all_fs(zabbix_agent_t)
+
+init_read_utmp(zabbix_agent_t)
+
+logging_search_logs(zabbix_agent_t)
+
+miscfiles_read_localization(zabbix_agent_t)
+
+sysnet_dns_name_resolve(zabbix_agent_t)
+
+# Network access to zabbix server
+zabbix_tcp_connect(zabbix_agent_t)
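Review bot: the agent and the server share `zabbix_var_run_t`, `zabbix_log_t` and `zabbix_tmpfs_t` (agent rules from the `# Logging access` comment onward), so `zabbix_agent_t` — the domain that talks to remote monitoring servers and can read all executables and sysctls and search every domain's /proc state — can overwrite the server's pid file, log and shared memory; separate `zabbix_agent_var_run_t`/`zabbix_agent_log_t` types with matching .fc entries would keep a compromised agent from tampering with the server. Separately, the agent's log rule `filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)` only covers creating files in a directory already labeled `zabbix_log_t`, whereas the server uses `logging_log_filetrans(zabbix_t, zabbix_log_t, file)` for files created directly under /var/log; the agent likely needs the same, `logging_log_filetrans(zabbix_agent_t, zabbix_log_t, file)`. `corenet_tcp_connect_ssh_port(zabbix_agent_t)` is also unexplained and deserves a why-comment, or removal if no agent check actually opens SSH connections.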
diff --git a/policy/modules/contrib/zarafa.fc b/policy/modules/contrib/zarafa.fc
new file mode 100644
index 00000000..3defaa1f
--- /dev/null
+++ b/policy/modules/contrib/zarafa.fc
@@ -0,0 +1,26 @@
+/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
+
+/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
+/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
+/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
+/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
+/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
+/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
+/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
+
+/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+
+/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
+/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
+/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
+/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
+/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
+/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+
+/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
+/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
+/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
+/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
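Review bot: The `/var/run/zarafa-indexer -- ...zarafa_indexer_var_run_t` entry restricts the label to regular files, yet zarafa.te's server policy uses `stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)`, which only works if a sock_file carries that type. If the indexer's runtime object at that path is its listening socket (I cannot confirm from the diff), a socket there would stay unlabeled and the connect rule would be inert; the spec would then need `-s`, as the `/var/run/zarafa -s` entry above already does for the server socket. If it really is a pid file, the stream_connect rule in zarafa.te is the part that needs a second look.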
diff --git a/policy/modules/contrib/zarafa.if b/policy/modules/contrib/zarafa.if
new file mode 100644
index 00000000..21ae6643
--- /dev/null
+++ b/policy/modules/contrib/zarafa.if
@@ -0,0 +1,120 @@
+## <summary>Zarafa collaboration platform.</summary>
+
+######################################
+## <summary>
+## Creates types and rules for a basic
+## zararfa init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`zarafa_domain_template',`
+ gen_require(`
+ attribute zarafa_domain;
+ ')
+
+ ##############################
+ #
+ # $1_t declarations
+ #
+
+ type zarafa_$1_t, zarafa_domain;
+ type zarafa_$1_exec_t;
+ init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t)
+
+ type zarafa_$1_log_t;
+ logging_log_file(zarafa_$1_log_t)
+
+ type zarafa_$1_var_run_t;
+ files_pid_file(zarafa_$1_var_run_t)
+
+ ##############################
+ #
+ # $1_t local policy
+ #
+
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
+ manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
+ files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
+
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
+ logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
+')
+
+######################################
+## <summary>
+## Allow the specified domain to search
+## zarafa configuration dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zarafa_search_config',`
+ gen_require(`
+ type zarafa_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 zarafa_etc_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run zarafa_deliver.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zarafa_domtrans_deliver',`
+ gen_require(`
+ type zarafa_deliver_t, zarafa_deliver_exec_t;
+ ')
+
+ domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run zarafa_server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zarafa_domtrans_server',`
+ gen_require(`
+ type zarafa_server_t, zarafa_server_exec_t;
+ ')
+
+ domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
+')
+
+#######################################
+## <summary>
+## Connect to zarafa-server unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zarafa_stream_connect_server',`
+ gen_require(`
+ type zarafa_server_t, zarafa_server_var_run_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+')
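Review bot: `zarafa_stream_connect_server` calls `files_search_var_lib($1)`, but zarafa.fc places the server socket at `/var/run/zarafa`, so the caller needs search on /var/run rather than /var/lib; the line should be `files_search_pids($1)`. Without it a domain granted this interface can still be denied the directory search on the way to the socket. The template summary also misspells the product name: `## zararfa init daemon domain.` should read `## zarafa init daemon domain.`.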
diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te
new file mode 100644
index 00000000..9fb47472
--- /dev/null
+++ b/policy/modules/contrib/zarafa.te
@@ -0,0 +1,161 @@
+policy_module(zarafa, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute zarafa_domain;
+
+zarafa_domain_template(deliver)
+
+type zarafa_deliver_tmp_t;
+files_tmp_file(zarafa_deliver_tmp_t)
+
+type zarafa_etc_t;
+files_config_file(zarafa_etc_t)
+
+zarafa_domain_template(gateway)
+zarafa_domain_template(ical)
+zarafa_domain_template(indexer)
+zarafa_domain_template(monitor)
+zarafa_domain_template(server)
+
+type zarafa_server_tmp_t;
+files_tmp_file(zarafa_server_tmp_t)
+
+type zarafa_share_t;
+files_type(zarafa_share_t)
+
+zarafa_domain_template(spooler)
+
+type zarafa_var_lib_t;
+files_tmp_file(zarafa_var_lib_t)
+
+########################################
+#
+# zarafa-deliver local policy
+#
+
+manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
+manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
+files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
+
+########################################
+#
+# zarafa_gateway local policy
+#
+
+allow zarafa_gateway_t self:capability { chown kill };
+allow zarafa_gateway_t self:process setrlimit;
+
+corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
+corenet_all_recvfrom_netlabel(zarafa_gateway_t)
+corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
+corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
+corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+corenet_tcp_bind_generic_node(zarafa_gateway_t)
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
+
+#######################################
+#
+# zarafa-ical local policy
+#
+
+allow zarafa_ical_t self:capability chown;
+
+corenet_all_recvfrom_unlabeled(zarafa_ical_t)
+corenet_all_recvfrom_netlabel(zarafa_ical_t)
+corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
+corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
+corenet_tcp_sendrecv_all_ports(zarafa_ical_t)
+corenet_tcp_bind_generic_node(zarafa_ical_t)
+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+
+######################################
+#
+# zarafa-monitor local policy
+#
+
+allow zarafa_monitor_t self:capability chown;
+
+########################################
+#
+# zarafa_server local policy
+#
+
+allow zarafa_server_t self:capability { chown kill net_bind_service };
+allow zarafa_server_t self:process setrlimit;
+
+manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
+manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
+files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
+
+manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir })
+
+stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
+
+corenet_all_recvfrom_unlabeled(zarafa_server_t)
+corenet_all_recvfrom_netlabel(zarafa_server_t)
+corenet_tcp_sendrecv_generic_if(zarafa_server_t)
+corenet_tcp_sendrecv_generic_node(zarafa_server_t)
+corenet_tcp_sendrecv_all_ports(zarafa_server_t)
+corenet_tcp_bind_generic_node(zarafa_server_t)
+corenet_tcp_bind_zarafa_port(zarafa_server_t)
+
+files_read_usr_files(zarafa_server_t)
+
+logging_send_syslog_msg(zarafa_server_t)
+logging_send_audit_msgs(zarafa_server_t)
+
+sysnet_dns_name_resolve(zarafa_server_t)
+
+optional_policy(`
+ kerberos_use(zarafa_server_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(zarafa_server_t)
+')
+
+########################################
+#
+# zarafa_spooler local policy
+#
+
+allow zarafa_spooler_t self:capability { chown kill };
+
+can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
+
+corenet_all_recvfrom_unlabeled(zarafa_spooler_t)
+corenet_all_recvfrom_netlabel(zarafa_spooler_t)
+corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
+corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
+corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
+corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+
+########################################
+#
+# zarafa domains local policy
+#
+
+# bad permission on /etc/zarafa
+allow zarafa_domain self:capability { dac_override setgid setuid };
+allow zarafa_domain self:process signal;
+allow zarafa_domain self:fifo_file rw_fifo_file_perms;
+allow zarafa_domain self:tcp_socket create_stream_socket_perms;
+allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
+
+stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+
+read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
+
+kernel_read_system_state(zarafa_domain)
+
+files_read_etc_files(zarafa_domain)
+
+auth_use_nsswitch(zarafa_domain)
+
+miscfiles_read_localization(zarafa_domain)
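Review bot: `zarafa_var_lib_t` is declared with `files_tmp_file(zarafa_var_lib_t)` in the Declarations section, although zarafa.fc applies it to `/var/lib/zarafa-.*` and the server uses `files_var_lib_filetrans` on it, so this is persistent state, not a tmp type. Declaring it as a tmp file gives it the generic tmp-file attribute, so every interface that acts on all tmp files (including cleanup and deletion ones) reaches the server's data; the declaration should be `files_type(zarafa_var_lib_t)`, matching `zarafa_share_t` above it. Separately, the `dac_override` granted to the whole `zarafa_domain` attribute is, per the `# bad permission on /etc/zarafa` comment, a workaround for file ownership; it bypasses DAC checks for every zarafa daemon and is worth a note naming the packaging fix that would let it be dropped.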
diff --git a/policy/modules/contrib/zebra.fc b/policy/modules/contrib/zebra.fc
new file mode 100644
index 00000000..e1b30b25
--- /dev/null
+++ b/policy/modules/contrib/zebra.fc
@@ -0,0 +1,22 @@
+/etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+
+/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
+/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+
+/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
+/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
+/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
+
+/var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+/var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
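Review bot: The `/usr/sbin/ospf.*` and `/usr/sbin/rip.*` entries are broader than the daemons they stand for and will label any binary whose name starts with those prefixes as `zebra_exec_t`, giving it zebra's domain (net_admin, net_raw, raw sockets) when started by init. The init-script entries at the top of the file already enumerate the intended programs, so the specs can be tightened to `/usr/sbin/ospf6?d -- gen_context(system_u:object_r:zebra_exec_t,s0)` and `/usr/sbin/rip(ng)?d -- gen_context(system_u:object_r:zebra_exec_t,s0)`.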
diff --git a/policy/modules/contrib/zebra.if b/policy/modules/contrib/zebra.if
new file mode 100644
index 00000000..6b876050
--- /dev/null
+++ b/policy/modules/contrib/zebra.if
@@ -0,0 +1,88 @@
+## <summary>Zebra border gateway protocol network routing service</summary>
+
+########################################
+## <summary>
+## Read the configuration files for zebra.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zebra_read_config',`
+ gen_require(`
+ type zebra_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 zebra_conf_t:dir list_dir_perms;
+ read_files_pattern($1, zebra_conf_t, zebra_conf_t)
+ read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
+')
+
+########################################
+## <summary>
+## Connect to zebra over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zebra_stream_connect',`
+ gen_require(`
+ type zebra_t, zebra_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 zebra_var_run_t:sock_file write;
+ allow $1 zebra_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an zebra environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the zebra domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zebra_admin',`
+ gen_require(`
+ type zebra_t, zebra_tmp_t, zebra_log_t;
+ type zebra_conf_t, zebra_var_run_t;
+ type zebra_initrc_exec_t;
+ ')
+
+ allow $1 zebra_t:process { ptrace signal_perms };
+ ps_process_pattern($1, zebra_t)
+
+ init_labeled_script_domtrans($1, zebra_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 zebra_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, zebra_conf_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, zebra_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, zebra_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, zebra_var_run_t)
+')
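Review bot: `zebra_stream_connect` hand-writes `allow $1 zebra_var_run_t:sock_file write;` and `allow $1 zebra_t:unix_stream_socket connectto;`, which grants no search on a `zebra_var_run_t` directory, yet zebra.fc labels `/var/run/quagga(/.*)?` with that type, so a socket placed there is unreachable with only `files_search_pids($1)`. Replacing the two allow lines with `stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)` covers the directory search and the full sock_file write permission set, and matches how zarafa.if's `zarafa_stream_connect_server` is written in this same commit. The `zebra_admin` summary should also read `## a zebra environment` rather than `## an zebra environment`.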
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
new file mode 100644
index 00000000..ade6c2cc
--- /dev/null
+++ b/policy/modules/contrib/zebra.te
@@ -0,0 +1,140 @@
+policy_module(zebra, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow zebra daemon to write it configuration files
+## </p>
+## </desc>
+#
+gen_tunable(allow_zebra_write_config, false)
+
+type zebra_t;
+type zebra_exec_t;
+init_daemon_domain(zebra_t, zebra_exec_t)
+
+type zebra_conf_t;
+files_type(zebra_conf_t)
+
+type zebra_initrc_exec_t;
+init_script_file(zebra_initrc_exec_t)
+
+type zebra_log_t;
+logging_log_file(zebra_log_t)
+
+type zebra_tmp_t;
+files_tmp_file(zebra_tmp_t)
+
+type zebra_var_run_t;
+files_pid_file(zebra_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow zebra_t self:capability { setgid setuid net_admin net_raw };
+dontaudit zebra_t self:capability sys_tty_config;
+allow zebra_t self:process { signal_perms getcap setcap };
+allow zebra_t self:file rw_file_perms;
+allow zebra_t self:unix_dgram_socket create_socket_perms;
+allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
+allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
+allow zebra_t self:udp_socket create_socket_perms;
+allow zebra_t self:rawip_socket create_socket_perms;
+
+allow zebra_t zebra_conf_t:dir list_dir_perms;
+read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+
+allow zebra_t zebra_log_t:dir setattr;
+manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
+
+# /tmp/.bgpd is such a bad idea!
+allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
+files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
+
+manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+files_pid_filetrans(zebra_t, zebra_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(zebra_t)
+kernel_read_network_state(zebra_t)
+kernel_read_kernel_sysctls(zebra_t)
+kernel_rw_net_sysctls(zebra_t)
+
+corenet_all_recvfrom_unlabeled(zebra_t)
+corenet_all_recvfrom_netlabel(zebra_t)
+corenet_tcp_sendrecv_generic_if(zebra_t)
+corenet_udp_sendrecv_generic_if(zebra_t)
+corenet_raw_sendrecv_generic_if(zebra_t)
+corenet_tcp_sendrecv_generic_node(zebra_t)
+corenet_udp_sendrecv_generic_node(zebra_t)
+corenet_raw_sendrecv_generic_node(zebra_t)
+corenet_tcp_sendrecv_all_ports(zebra_t)
+corenet_udp_sendrecv_all_ports(zebra_t)
+corenet_tcp_bind_generic_node(zebra_t)
+corenet_udp_bind_generic_node(zebra_t)
+corenet_tcp_bind_bgp_port(zebra_t)
+corenet_tcp_bind_zebra_port(zebra_t)
+corenet_udp_bind_router_port(zebra_t)
+corenet_tcp_connect_bgp_port(zebra_t)
+corenet_sendrecv_zebra_server_packets(zebra_t)
+corenet_sendrecv_router_server_packets(zebra_t)
+
+dev_associate_usbfs(zebra_var_run_t)
+dev_list_all_dev_nodes(zebra_t)
+dev_read_sysfs(zebra_t)
+dev_rw_zero(zebra_t)
+
+fs_getattr_all_fs(zebra_t)
+fs_search_auto_mountpoints(zebra_t)
+
+term_list_ptys(zebra_t)
+
+domain_use_interactive_fds(zebra_t)
+
+files_search_etc(zebra_t)
+files_read_etc_files(zebra_t)
+files_read_etc_runtime_files(zebra_t)
+
+logging_send_syslog_msg(zebra_t)
+
+miscfiles_read_localization(zebra_t)
+
+sysnet_read_config(zebra_t)
+
+userdom_dontaudit_use_unpriv_user_fds(zebra_t)
+userdom_dontaudit_search_user_home_dirs(zebra_t)
+
+tunable_policy(`allow_zebra_write_config',`
+ manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(zebra_t)
+')
+
+optional_policy(`
+ rpm_read_pipes(zebra_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(zebra_t)
+')
+
+optional_policy(`
+ udev_read_db(zebra_t)
+')
+
+optional_policy(`
+ unconfined_sigchld(zebra_t)
+')
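Review bot: The tunable description for `allow_zebra_write_config` reads `## Allow zebra daemon to write it configuration files`; it should be `## Allow zebra daemon to write its configuration files`, since this text is what policy documentation tools show administrators deciding whether to enable it. `dev_associate_usbfs(zebra_var_run_t)` in the Local policy section is the only rule in the file that touches a device filesystem and nothing nearby explains it; if it is needed, a why-comment such as `# runtime files may be created on a usbfs mount` (or whatever the actual reason is) would stop the next reviewer from removing it as a stray line.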
diff --git a/policy/modules/contrib/zosremote.fc b/policy/modules/contrib/zosremote.fc
new file mode 100644
index 00000000..d719d0b9
--- /dev/null
+++ b/policy/modules/contrib/zosremote.fc
@@ -0,0 +1 @@
+/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
diff --git a/policy/modules/contrib/zosremote.if b/policy/modules/contrib/zosremote.if
new file mode 100644
index 00000000..702e7680
--- /dev/null
+++ b/policy/modules/contrib/zosremote.if
@@ -0,0 +1,45 @@
+## <summary>policy for z/OS Remote-services Audit dispatcher plugin</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run audispd-zos-remote.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zosremote_domtrans',`
+ gen_require(`
+ type zos_remote_t, zos_remote_exec_t;
+ ')
+
+ domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
+')
+
+########################################
+## <summary>
+## Allow specified type and role to transition and
+## run in the zos_remote_t domain. Allow specified type
+## to use zos_remote_t terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`zosremote_run',`
+ gen_require(`
+ type zos_remote_t;
+ ')
+
+ zosremote_domtrans($1)
+ role $2 types zos_remote_t;
+')
diff --git a/policy/modules/contrib/zosremote.te b/policy/modules/contrib/zosremote.te
new file mode 100644
index 00000000..f9a06d2c
--- /dev/null
+++ b/policy/modules/contrib/zosremote.te
@@ -0,0 +1,28 @@
+policy_module(zosremote, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type zos_remote_t;
+type zos_remote_exec_t;
+init_system_domain(zos_remote_t, zos_remote_exec_t)
+logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
+
+########################################
+#
+# zos_remote local policy
+#
+
+allow zos_remote_t self:process signal;
+allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(zos_remote_t)
+
+auth_use_nsswitch(zos_remote_t)
+
+miscfiles_read_localization(zos_remote_t)
+
+logging_send_syslog_msg(zos_remote_t)
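Review bot: `allow zos_remote_t self:fifo_file rw_file_perms;` applies the regular-file permission set to the fifo_file class; the class-appropriate macro is `rw_fifo_file_perms`, which zarafa.te in this same commit already uses for its domains. The line should be `allow zos_remote_t self:fifo_file rw_fifo_file_perms;` so the granted permissions are exactly the ones defined for pipes rather than the file set cast onto another class.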
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
new file mode 100644
index 00000000..6eae5275
--- /dev/null
+++ b/policy/modules/kernel/corecommands.fc
@@ -0,0 +1,425 @@
+#
+# /bin
+#
+/bin -d gen_context(system_u:object_r:bin_t,s0)
+/bin/.* gen_context(system_u:object_r:bin_t,s0)
+/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
+/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+#
+# /dev
+#
+/dev/MAKEDEV -- gen_context(system_u:object_r:bin_t,s0)
+
+#
+# /emul
+#
+ifdef(`distro_redhat',`
+/emul/ia32-linux/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/emul/ia32-linux/sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/emul/ia32-linux/usr(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/emul/ia32-linux/usr(/.*)?/Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/emul/ia32-linux/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /etc
+#
+/etc/acpi/actions(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/commok -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/masterconnect -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/mastertimeout -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/ConsoleKit/run-seat\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/etc/cron.daily(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.hourly(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.weekly(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
+/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
+/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
+/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0)
+
+/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
+/etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
+/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/etc/PackageKit/events(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/etc/pki/tls/certs/make-dummy-cert -- gen_context(system_u:object_r:bin_t,s0)
+/etc/pki/tls/misc(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/pm/power\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/pm/sleep\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/etc/racoon/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/sysconfig/network-scripts/ifup.* gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/network-scripts/ifdown.* gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/network-scripts/net.* gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/network-scripts/init.* gen_context(system_u:object_r:bin_t,s0)
+
+/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/etc/wpa_supplicant/wpa_cli.sh -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0)
+/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_debian',`
+/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /lib
+#
+
+/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
+/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
+/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_gentoo',`
+/lib64/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/lib64/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/lib64/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/rc/bin/.* -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/rc/sbin/.* -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/rc/sh/.* -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
+/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
+/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
+/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
+/lib/rc/bin/.* -- gen_context(system_u:object_r:bin_t,s0)
+/lib/rc/sbin/.* -- gen_context(system_u:object_r:bin_t,s0)
+/lib/rc/sh/.* -- gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /sbin
+#
+/sbin -d gen_context(system_u:object_r:bin_t,s0)
+/sbin/.* gen_context(system_u:object_r:bin_t,s0)
+/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+#
+# /opt
+#
+/opt/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/opt/(.*/)?libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_gentoo',`
+/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
+/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /usr
+#
+/usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
+/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/courier-imap/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/misc/glibc/getconf/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/xfce4/panel/wrapper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/xfce4/session/balou-export-theme -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/xfce4/session/balou-install-theme -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/nspluginwrapper/i386/linux/npviewer.bin -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nspluginwrapper/i386/linux/npviewer.bin -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/nspluginwrapper/i386/linux/npviewer -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/lib/nspluginwrapper/i386/linux/npviewer -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/lib64/xulrunner-.*/plugin-container -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xulrunner-.*/plugin-container -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+/usr/share/ajaxterm/ajaxterm.py.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/build-1/mkdir.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/GNUstep/Makefiles/*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/GNUstep/Makefiles/mkinstalldirs -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_debian',`
+/usr/lib(64)?/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
+')
+
+ifdef(`distro_gentoo', `
+/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/.*-.*-linux-gnu/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+')
+
+ifdef(`distro_redhat', `
+/etc/gdm/XKeepsCrashing[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/rhn/rhn_applet/needed-packages\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-keyboard/system-config-keyboard -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-language/system-config-language -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-lvm/system-config-lvm\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-mouse/system-config-mouse -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-netboot/system-config-netboot\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-netboot/pxeos\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-netboot/pxeboot\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-printer/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-services/gui\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-users/system-config-users -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-logviewer/system-logviewer\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0)
+')
+
+ifdef(`distro_suse', `
+/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ssh/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /var
+#
+/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+
+/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
+/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
+')
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
new file mode 100644
index 00000000..9e9263a6
--- /dev/null
+++ b/policy/modules/kernel/corecommands.if
@@ -0,0 +1,1093 @@
+## <summary>
+## Core policy for shells, and generic programs
+## in /bin, /sbin, /usr/bin, and /usr/sbin.
+## </summary>
+## <required val="true">
+## Contains the base bin and sbin directory types
+## which need to be searched for the kernel to
+## run init.
+## </required>
+
+########################################
+## <summary>
+## Make the specified type usable for files
+## that are exectuables, such as binary programs.
+## This does not include shared libraries.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used for files.
+## </summary>
+## </param>
+#
+interface(`corecmd_executable_file',`
+ gen_require(`
+ attribute exec_type;
+ ')
+
+ typeattribute $1 exec_type;
+
+ files_type($1)
+')
+
+########################################
+## <summary>
+## Create a aliased type to generic bin files. (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Create a aliased type to generic bin files. (Deprecated)
+## </p>
+## <p>
+## This is added to support targeted policy. Its
+## use should be limited. It has no effect
+## on the strict policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Alias type for bin_t.
+## </summary>
+## </param>
+#
+interface(`corecmd_bin_alias',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Make general progams in bin an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which bin_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`corecmd_bin_entry_type',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ domain_entry_file($1, bin_t)
+')
+
+########################################
+## <summary>
+## Make general progams in sbin an entrypoint for
+## the specified domain. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which sbin programs are an entrypoint.
+## </summary>
+## </param>
+#
+interface(`corecmd_sbin_entry_type',`
+ corecmd_bin_entry_type($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_bin_entry_type() instead.')
+')
+
+########################################
+## <summary>
+## Make the shell an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which the shell is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`corecmd_shell_entry_type',`
+ gen_require(`
+ type shell_exec_t;
+ ')
+
+ domain_entry_file($1, shell_exec_t)
+')
+
+########################################
+## <summary>
+## Search the contents of bin directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_search_bin',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ search_dirs_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the contents of bin directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corecmd_dontaudit_search_bin',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ dontaudit $1 bin_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of bin directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_list_bin',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ list_dirs_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write bin directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corecmd_dontaudit_write_bin_dirs',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ dontaudit $1 bin_t:dir write;
+')
+
+########################################
+## <summary>
+## Get the attributes of files in bin directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_getattr_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ getattr_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of files in bin directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_dontaudit_getattr_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ dontaudit $1 bin_t:dir search_dir_perms;
+ dontaudit $1 bin_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Read files in bin directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_read_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ read_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write bin files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corecmd_dontaudit_write_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ dontaudit $1 bin_t:file write;
+')
+
+########################################
+## <summary>
+## Read symbolic links in bin directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_read_bin_symlinks',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Read pipes in bin directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_read_bin_pipes',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ read_fifo_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Read named sockets in bin directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_read_bin_sockets',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ read_sock_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Execute generic programs in bin directories,
+## in the caller domain.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to execute generic programs
+## in system bin directories (/bin, /sbin, /usr/bin,
+## /usr/sbin) a without domain transition.
+## </p>
+## <p>
+## Typically, this interface should be used when the domain
+## executes general system progams within the privileges
+## of the source domain. Some examples of these programs
+## are ls, cp, sed, python, and tar. This does not include
+## shells, such as bash.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corecmd_exec_shell()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_exec_bin',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ read_lnk_files_pattern($1, bin_t, bin_t)
+ list_dirs_pattern($1, bin_t, bin_t)
+ can_exec($1, bin_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete bin files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_manage_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ manage_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Relabel to and from the bin type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_relabel_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ relabel_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Mmap a bin file as executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_mmap_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ mmap_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Execute a file in a bin directory
+## in the specified domain but do not
+## do it automatically. This is an explicit
+## transition, requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+## <p>
+## Execute a file in a bin directory
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain. This is not suggested.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## <p>
+## This interface was added to handle
+## the userhelper policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`corecmd_bin_spec_domtrans',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ read_lnk_files_pattern($1, bin_t, bin_t)
+ domain_transition_pattern($1, bin_t, $2)
+')
+
+########################################
+## <summary>
+## Execute a file in a bin directory
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a file in a bin directory
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain. This is not suggested.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## <p>
+## This interface was added to handle
+## the ssh-agent policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`corecmd_bin_domtrans',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ corecmd_bin_spec_domtrans($1, $2)
+ type_transition $1 bin_t:process $2;
+')
+
+########################################
+## <summary>
+## Search the contents of sbin directories. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_search_sbin',`
+ corecmd_search_bin($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## sbin directories. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corecmd_dontaudit_search_sbin',`
+ corecmd_dontaudit_search_bin($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_search_bin() instead.')
+')
+
+########################################
+## <summary>
+## List the contents of sbin directories. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_list_sbin',`
+ corecmd_list_bin($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_list_bin() instead.')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write
+## sbin directories. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corecmd_dontaudit_write_sbin_dirs',`
+ corecmd_dontaudit_write_bin_dirs($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_write_bin_dirs() instead.')
+')
+
+########################################
+## <summary>
+## Get the attributes of sbin files. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_getattr_sbin_files',`
+ corecmd_getattr_bin_files($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_getattr_bin_files() instead.')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attibutes
+## of sbin files. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corecmd_dontaudit_getattr_sbin_files',`
+ corecmd_dontaudit_getattr_bin_files($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_getattr_bin_files() instead.')
+')
+
+########################################
+## <summary>
+## Read files in sbin directories. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_read_sbin_files',`
+ corecmd_read_bin_files($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_files() instead.')
+')
+
+########################################
+## <summary>
+## Read symbolic links in sbin directories. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_read_sbin_symlinks',`
+ corecmd_read_bin_symlinks($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_symlinks() instead.')
+')
+
+########################################
+## <summary>
+## Read named pipes in sbin directories. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_read_sbin_pipes',`
+ corecmd_read_bin_pipes($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_pipes() instead.')
+')
+
+########################################
+## <summary>
+## Read named sockets in sbin directories. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_read_sbin_sockets',`
+ corecmd_read_bin_sockets($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_sockets() instead.')
+')
+
+########################################
+## <summary>
+## Execute generic programs in sbin directories,
+## in the caller domain. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_exec_sbin',`
+ corecmd_exec_bin($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete sbin files. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`corecmd_manage_sbin_files',`
+ corecmd_manage_bin_files($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_manage_bin_files() instead.')
+')
+
+########################################
+## <summary>
+## Relabel to and from the sbin type. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`corecmd_relabel_sbin_files',`
+ corecmd_relabel_bin_files($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_relabel_bin_files() instead.')
+')
+
+########################################
+## <summary>
+## Mmap a sbin file as executable. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`corecmd_mmap_sbin_files',`
+ corecmd_mmap_bin_files($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_mmap_bin_files() instead.')
+')
+
+########################################
+## <summary>
+## Execute a file in a sbin directory
+## in the specified domain. (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Execute a file in a sbin directory
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain. This is not suggested. (Deprecated)
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## <p>
+## This interface was added to handle
+## the ssh-agent policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`corecmd_sbin_domtrans',`
+ corecmd_bin_domtrans($1, $2)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_bin_domtrans() instead.')
+')
+
+########################################
+## <summary>
+## Execute a file in a sbin directory
+## in the specified domain but do not
+## do it automatically. This is an explicit
+## transition, requiring the caller to use setexeccon(). (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Execute a file in a sbin directory
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain. This is not suggested. (Deprecated)
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## <p>
+## This interface was added to handle
+## the userhelper policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`corecmd_sbin_spec_domtrans',`
+ corecmd_bin_spec_domtrans($1, $2)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_bin_spec_domtrans() instead.')
+')
+
+########################################
+## <summary>
+## Check if a shell is executable (DAC-wise).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_check_exec_shell',`
+ gen_require(`
+ type bin_t, shell_exec_t;
+ ')
+
+ list_dirs_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, bin_t)
+ allow $1 shell_exec_t:file execute;
+')
+
+########################################
+## <summary>
+## Execute shells in the caller domain.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to execute shells without
+## a domain transition.
+## </p>
+## <p>
+## Typically, this interface should be used when the domain
+## executes shells within the privileges
+## of the source domain. Some examples of these programs
+## are bash, tcsh, and zsh.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corecmd_exec_bin()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_exec_shell',`
+ gen_require(`
+ type bin_t, shell_exec_t;
+ ')
+
+ list_dirs_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, bin_t)
+ can_exec($1, shell_exec_t)
+')
+
+########################################
+## <summary>
+## Execute ls in the caller domain. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_exec_ls',`
+ corecmd_exec_bin($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.')
+')
+
+########################################
+## <summary>
+## Execute a shell in the target domain. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <desc>
+## <p>
+## Execute a shell in the target domain. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the shell process.
+## </summary>
+## </param>
+#
+interface(`corecmd_shell_spec_domtrans',`
+ gen_require(`
+ type bin_t, shell_exec_t;
+ ')
+
+ list_dirs_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, bin_t)
+ domain_transition_pattern($1, shell_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Execute a shell in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a shell in the specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the shell process.
+## </summary>
+## </param>
+#
+interface(`corecmd_shell_domtrans',`
+ gen_require(`
+ type shell_exec_t;
+ ')
+
+ corecmd_shell_spec_domtrans($1, $2)
+ type_transition $1 shell_exec_t:process $2;
+')
+
+########################################
+## <summary>
+## Execute chroot in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_exec_chroot',`
+ gen_require(`
+ type chroot_exec_t;
+ ')
+
+ read_lnk_files_pattern($1, bin_t, bin_t)
+ can_exec($1, chroot_exec_t)
+ allow $1 self:capability sys_chroot;
+')
+
+########################################
+## <summary>
+## Get the attributes of all executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`corecmd_getattr_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir list_dir_perms;
+ getattr_files_pattern($1, bin_t, exec_type)
+')
+
+########################################
+## <summary>
+## Read all executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`corecmd_read_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ ')
+
+ read_files_pattern($1, exec_type, exec_type)
+')
+
+########################################
+## <summary>
+## Execute all executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`corecmd_exec_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ type bin_t;
+ ')
+
+ can_exec($1, exec_type)
+ list_dirs_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, exec_type)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute all executables.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corecmd_dontaudit_exec_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ ')
+
+ dontaudit $1 exec_type:file { execute execute_no_trans };
+')
+
+########################################
+## <summary>
+## Create, read, write, and all executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`corecmd_manage_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ type bin_t;
+ ')
+
+ manage_files_pattern($1, bin_t, exec_type)
+ manage_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Relabel to and from the bin type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`corecmd_relabel_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ type bin_t;
+ ')
+
+ relabel_files_pattern($1, bin_t, exec_type)
+')
+
+########################################
+## <summary>
+## Mmap all executables as executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_mmap_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ type bin_t;
+ ')
+
+ mmap_files_pattern($1, bin_t, exec_type)
+')
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
new file mode 100644
index 00000000..4fc5a9cb
--- /dev/null
+++ b/policy/modules/kernel/corecommands.te
@@ -0,0 +1,27 @@
+policy_module(corecommands, 1.16.0)
+
+########################################
+#
+# Declarations
+#
+
+#
+# Types with the exec_type attribute are executable files.
+#
+attribute exec_type;
+
+#
+# bin_t is the type of files in the system bin/sbin directories.
+#
+type bin_t alias { ls_exec_t sbin_t };
+corecmd_executable_file(bin_t)
+dev_associate(bin_t) #For /dev/MAKEDEV
+
+#
+# shell_exec_t is the type of user shells such as /bin/bash.
+#
+type shell_exec_t;
+corecmd_executable_file(shell_exec_t)
+
+type chroot_exec_t;
+corecmd_executable_file(chroot_exec_t)
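Review bot: chroot_exec_t is declared at the end of the hunk without the explanatory comment that bin_t and shell_exec_t get above it, so the one type in this module whose use carries a capability grant is the one left undocumented at its declaration. In the corecommands.if part of this commit, corecmd_exec_chroot() pairs `can_exec($1, chroot_exec_t)` with `allow $1 self:capability sys_chroot`, which is worth stating next to the type so nobody labels a broader set of binaries with it. Suggested comment above `type chroot_exec_t;`: `# chroot_exec_t is the type of the chroot program; corecmd_exec_chroot() grants the caller sys_chroot together with execute access, so apply it only to the real chroot binary.` The `#For /dev/MAKEDEV` remark on the dev_associate line could likewise say what is being permitted (presumably bin_t files residing on the device filesystem — confirm against the dev_associate definition in devices.if).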
diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc
new file mode 100644
index 00000000..f9b25c12
--- /dev/null
+++ b/policy/modules/kernel/corenetwork.fc
@@ -0,0 +1,10 @@
+
+/dev/ippp.* -c gen_context(system_u:object_r:ppp_device_t,s0)
+/dev/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/dev/pppox.* -c gen_context(system_u:object_r:ppp_device_t,s0)
+/dev/tap.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
+
+/dev/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
+
+/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
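Review bot: The open-ended `.*` suffix on `/dev/tap.*`, `/dev/ippp.*` and `/dev/pppox.*` matches any node whose name merely begins with that prefix, not just the numbered devices these lines are presumably meant to cover, so an unrelated similarly-named node (a `/dev/tape*` device, for example, if one exists and is not claimed by a more specific spec elsewhere) would be labeled as a tun/tap or ppp device and inherit whatever access those types receive. A numeric suffix expresses the intent exactly and avoids that accidental over-labeling, e.g. `/dev/tap[0-9]+ -c gen_context(system_u:object_r:tun_tap_device_t,s0)` and the same `[0-9]+` form for the ippp and pppox entries; the exact `/dev/ppp` line already gets this right. `/dev/net/.*` and `/lib/udev/devices/net/.*` deliberately cover a whole directory, which is fine if it only ever holds the tun node, but that assumption deserves a one-line comment here since anything later created under /dev/net would silently become tun_tap_device_t.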
diff --git a/policy/modules/kernel/corenetwork.if b/policy/modules/kernel/corenetwork.if
new file mode 100644
index 00000000..07c2bad0
--- /dev/null
+++ b/policy/modules/kernel/corenetwork.if
@@ -0,0 +1,78582 @@
+#
+# This is a generated file! Instead of modifying this file, the
+# corenetwork.if.in or corenetwork.if.m4 file should be modified.
+#
+## <summary>Policy controlling access to network objects</summary>
+## <required val="true">
+## Contains the initial SIDs for network objects.
+## </required>
+
+########################################
+## <summary>
+## Define type to be a network port type
+## </summary>
+## <desc>
+## <p>
+## Define type to be a network port type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for network ports.
+## </summary>
+## </param>
+#
+interface(`corenet_port',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ typeattribute $1 port_type;
+')
+
+########################################
+## <summary>
+## Define network type to be a reserved port (lt 1024)
+## </summary>
+## <desc>
+## <p>
+## Define network type to be a reserved port (lt 1024)
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for network ports.
+## </summary>
+## </param>
+#
+interface(`corenet_reserved_port',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ typeattribute $1 reserved_port_type;
+')
+
+########################################
+## <summary>
+## Define network type to be a rpc port ( 512 lt PORT lt 1024)
+## </summary>
+## <desc>
+## <p>
+## Define network type to be a rpc port ( 512 lt PORT lt 1024)
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for network ports.
+## </summary>
+## </param>
+#
+interface(`corenet_rpc_port',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ typeattribute $1 rpc_port_type;
+')
+
+########################################
+## <summary>
+## Define type to be a network node type
+## </summary>
+## <desc>
+## <p>
+## Define type to be a network node type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for network nodes.
+## </summary>
+## </param>
+#
+interface(`corenet_node',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ typeattribute $1 node_type;
+')
+
+########################################
+## <summary>
+## Define type to be a network packet type
+## </summary>
+## <desc>
+## <p>
+## Define type to be a network packet type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for a network packet.
+## </summary>
+## </param>
+#
+interface(`corenet_packet',`
+ gen_require(`
+ attribute packet_type;
+ ')
+
+ typeattribute $1 packet_type;
+')
+
+########################################
+## <summary>
+## Define type to be a network client packet type
+## </summary>
+## <desc>
+## <p>
+## Define type to be a network client packet type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for a network client packet.
+## </summary>
+## </param>
+#
+interface(`corenet_client_packet',`
+ gen_require(`
+ attribute packet_type, client_packet_type;
+ ')
+
+ typeattribute $1 client_packet_type, packet_type;
+')
+
+########################################
+## <summary>
+## Define type to be a network server packet type
+## </summary>
+## <desc>
+## <p>
+## Define type to be a network server packet type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for a network server packet.
+## </summary>
+## </param>
+#
+interface(`corenet_server_packet',`
+ gen_require(`
+ attribute packet_type, server_packet_type;
+ ')
+
+ typeattribute $1 server_packet_type, packet_type;
+')
+
+########################################
+## <summary>
+## Make the specified type usable
+## for labeled ipsec.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used for labeled ipsec.
+## </summary>
+## </param>
+#
+interface(`corenet_spd_type',`
+ gen_require(`
+ attribute ipsec_spd_type;
+ ')
+
+ typeattribute $1 ipsec_spd_type;
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on generic interfaces.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to send and receive TCP network
+## traffic on generic network interfaces.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_tcp_sendrecv_generic_node()</li>
+## <li>corenet_tcp_sendrecv_all_ports()</li>
+## <li>corenet_tcp_connect_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to connect to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:tcp_socket create_stream_socket_perms;
+## corenet_tcp_sendrecv_generic_if(myclient_t)
+## corenet_tcp_sendrecv_generic_node(myclient_t)
+## corenet_tcp_sendrecv_all_ports(myclient_t)
+## corenet_tcp_connect_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif { tcp_send tcp_recv egress ingress };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif { udp_send egress };
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to send UDP network traffic
+## on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_send_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ dontaudit $1 netif_t:netif { udp_send egress };
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif { udp_recv ingress };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP network
+## traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_receive_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ dontaudit $1 netif_t:netif { udp_recv ingress };
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on generic interfaces.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to send and receive UDP network
+## traffic on generic network interfaces.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_udp_sendrecv_generic_node()</li>
+## <li>corenet_udp_sendrecv_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to send to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:udp_socket create_socket_perms;
+## corenet_udp_sendrecv_generic_if(myclient_t)
+## corenet_udp_sendrecv_generic_node(myclient_t)
+## corenet_udp_sendrecv_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_generic_if',`
+ corenet_udp_send_generic_if($1)
+ corenet_udp_receive_generic_if($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive UDP network
+## traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_sendrecv_generic_if',`
+ corenet_dontaudit_udp_send_generic_if($1)
+ corenet_dontaudit_udp_receive_generic_if($1)
+')
+
+########################################
+## <summary>
+## Send raw IP packets on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_send_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif { rawip_send egress };
+')
+
+########################################
+## <summary>
+## Receive raw IP packets on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_receive_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif { rawip_recv ingress };
+')
+
+########################################
+## <summary>
+## Send and receive raw IP packets on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_sendrecv_generic_if',`
+ corenet_raw_send_generic_if($1)
+ corenet_raw_receive_generic_if($1)
+')
+
+########################################
+## <summary>
+## Allow outgoing network traffic on the generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## The peer label of the outgoing network traffic.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_out_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif egress;
+')
+
+########################################
+## <summary>
+## Allow incoming traffic on the generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## The peer label of the incoming network traffic.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_in_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif ingress;
+')
+
+########################################
+## <summary>
+## Allow incoming and outgoing network traffic on the generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## The peer label of the network traffic.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_inout_generic_if',`
+ corenet_in_generic_if($1)
+ corenet_out_generic_if($1)
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_all_if',`
+ gen_require(`
+ attribute netif_type;
+ ')
+
+ allow $1 netif_type:netif { tcp_send tcp_recv egress ingress };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_all_if',`
+ gen_require(`
+ attribute netif_type;
+ ')
+
+ allow $1 netif_type:netif { udp_send egress };
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_all_if',`
+ gen_require(`
+ attribute netif_type;
+ ')
+
+ allow $1 netif_type:netif { udp_recv ingress };
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_all_if',`
+ corenet_udp_send_all_if($1)
+ corenet_udp_receive_all_if($1)
+')
+
+########################################
+## <summary>
+## Send raw IP packets on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_send_all_if',`
+ gen_require(`
+ attribute netif_type;
+ ')
+
+ allow $1 netif_type:netif { rawip_send egress };
+')
+
+########################################
+## <summary>
+## Receive raw IP packets on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_receive_all_if',`
+ gen_require(`
+ attribute netif_type;
+ ')
+
+ allow $1 netif_type:netif { rawip_recv ingress };
+')
+
+########################################
+## <summary>
+## Send and receive raw IP packets on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_sendrecv_all_if',`
+ corenet_raw_send_all_if($1)
+ corenet_raw_receive_all_if($1)
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on generic nodes.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to send and receive TCP network
+## traffic to/from generic network nodes (hostnames/networks).
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_tcp_sendrecv_generic_if()</li>
+## <li>corenet_tcp_sendrecv_all_ports()</li>
+## <li>corenet_tcp_connect_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to connect to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:tcp_socket create_stream_socket_perms;
+## corenet_tcp_sendrecv_generic_if(myclient_t)
+## corenet_tcp_sendrecv_generic_node(myclient_t)
+## corenet_tcp_sendrecv_all_ports(myclient_t)
+## corenet_tcp_connect_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node { udp_send sendto };
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node { udp_recv recvfrom };
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on generic nodes.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to send and receive UDP network
+## traffic to/from generic network nodes (hostnames/networks).
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_udp_sendrecv_generic_if()</li>
+## <li>corenet_udp_sendrecv_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to send to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:udp_socket create_socket_perms;
+## corenet_udp_sendrecv_generic_if(myclient_t)
+## corenet_udp_sendrecv_generic_node(myclient_t)
+## corenet_udp_sendrecv_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_generic_node',`
+ corenet_udp_send_generic_node($1)
+ corenet_udp_receive_generic_node($1)
+')
+
+########################################
+## <summary>
+## Send raw IP packets on generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_send_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node { rawip_send sendto };
+')
+
+########################################
+## <summary>
+## Receive raw IP packets on generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_receive_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node { rawip_recv recvfrom };
+')
+
+########################################
+## <summary>
+## Send and receive raw IP packets on generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_sendrecv_generic_node',`
+ corenet_raw_send_generic_node($1)
+ corenet_raw_receive_generic_node($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to generic nodes.
+## </summary>
+## <desc>
+## <p>
+## Bind TCP sockets to generic nodes. This is
+## necessary for binding a socket so it
+## can be used for servers to listen
+## for incoming connections.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_udp_bind_generic_node()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="1"/>
+#
+interface(`corenet_tcp_bind_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:tcp_socket node_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to generic nodes.
+## </summary>
+## <desc>
+## <p>
+## Bind UDP sockets to generic nodes. This is
+## necessary for binding a socket so it
+## can be used for servers to listen
+## for incoming connections.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_tcp_bind_generic_node()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="1"/>
+#
+interface(`corenet_udp_bind_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:udp_socket node_bind;
+')
+
+########################################
+## <summary>
+## Bind raw sockets to genric nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+# rawip_socket node_bind does not make much sense.
+# cjp: vmware hits this too
+interface(`corenet_raw_bind_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:rawip_socket node_bind;
+')
+
+########################################
+## <summary>
+## Allow outgoing network traffic to generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## The peer label of the outgoing network traffic.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_out_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node sendto;
+')
+
+########################################
+## <summary>
+## Allow incoming network traffic from generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## The peer label of the incoming network traffic.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_in_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node recvfrom;
+')
+
+########################################
+## <summary>
+## Allow incoming and outgoing network traffic with generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## The peer label of the network traffic.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_inout_generic_node',`
+ corenet_in_generic_node($1)
+ corenet_out_generic_node($1)
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:node { tcp_send tcp_recv sendto recvfrom };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:node { udp_send sendto };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP network
+## traffic on any nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_send_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ dontaudit $1 node_type:node { udp_send sendto };
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:node { udp_recv recvfrom };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP
+## network traffic on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_receive_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ dontaudit $1 node_type:node { udp_recv recvfrom };
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_all_nodes',`
+ corenet_udp_send_all_nodes($1)
+ corenet_udp_receive_all_nodes($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive UDP
+## network traffic on any nodes nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_sendrecv_all_nodes',`
+ corenet_dontaudit_udp_send_all_nodes($1)
+ corenet_dontaudit_udp_receive_all_nodes($1)
+')
+
+########################################
+## <summary>
+## Send raw IP packets on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_send_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:node { rawip_send sendto };
+')
+
+########################################
+## <summary>
+## Receive raw IP packets on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_receive_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:node { rawip_recv recvfrom };
+')
+
+########################################
+## <summary>
+## Send and receive raw IP packets on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_sendrecv_all_nodes',`
+ corenet_raw_send_all_nodes($1)
+ corenet_raw_receive_all_nodes($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:tcp_socket node_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:udp_socket node_bind;
+')
+
+########################################
+## <summary>
+## Bind raw sockets to all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+# rawip_socket node_bind does not make much sense.
+# cjp: vmware hits this too
+interface(`corenet_raw_bind_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:rawip_socket node_bind;
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ allow $1 port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Do not audit send and receive TCP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ dontaudit $1 port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ allow $1 port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ allow $1 port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_generic_port',`
+ corenet_udp_send_generic_port($1)
+ corenet_udp_receive_generic_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_generic_port',`
+ gen_require(`
+ type port_t;
+ attribute defined_port_type;
+ ')
+
+ allow $1 port_t:tcp_socket name_bind;
+ dontaudit $1 defined_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Do not audit bind TCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ dontaudit $1 port_t:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_generic_port',`
+ gen_require(`
+ type port_t;
+ attribute defined_port_type;
+ ')
+
+ allow $1 port_t:udp_socket name_bind;
+ dontaudit $1 defined_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Connect TCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ allow $1 port_t:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on all ports.
+## </summary>
+## <desc>
+## <p>
+## Send and receive TCP network traffic on all ports.
+## Related interfaces:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_tcp_sendrecv_generic_if()</li>
+## <li>corenet_tcp_sendrecv_generic_node()</li>
+## <li>corenet_tcp_connect_all_ports()</li>
+## <li>corenet_tcp_bind_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to connect to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:tcp_socket create_stream_socket_perms;
+## corenet_tcp_sendrecv_generic_if(myclient_t)
+## corenet_tcp_sendrecv_generic_node(myclient_t)
+## corenet_tcp_sendrecv_all_ports(myclient_t)
+## corenet_tcp_connect_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on all ports.
+## </summary>
+## <desc>
+## <p>
+## Send and receive UDP network traffic on all ports.
+## Related interfaces:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_udp_sendrecv_generic_if()</li>
+## <li>corenet_udp_sendrecv_generic_node()</li>
+## <li>corenet_udp_bind_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to send to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:udp_socket create_socket_perms;
+## corenet_udp_sendrecv_generic_if(myclient_t)
+## corenet_udp_sendrecv_generic_node(myclient_t)
+## corenet_udp_sendrecv_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_all_ports',`
+ corenet_udp_send_all_ports($1)
+ corenet_udp_receive_all_ports($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Do not audit attepts to bind TCP sockets to any ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ dontaudit $1 port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Do not audit attepts to bind UDP sockets to any ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_bind_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ dontaudit $1 port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Connect TCP sockets to all ports.
+## </summary>
+## <desc>
+## <p>
+## Connect TCP sockets to all ports
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_tcp_sendrecv_generic_if()</li>
+## <li>corenet_tcp_sendrecv_generic_node()</li>
+## <li>corenet_tcp_sendrecv_all_ports()</li>
+## <li>corenet_tcp_bind_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to connect to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:tcp_socket create_stream_socket_perms;
+## corenet_tcp_sendrecv_generic_if(myclient_t)
+## corenet_tcp_sendrecv_generic_node(myclient_t)
+## corenet_tcp_sendrecv_all_ports(myclient_t)
+## corenet_tcp_connect_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="1"/>
+#
+interface(`corenet_tcp_connect_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to connect TCP sockets
+## to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ dontaudit $1 port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_reserved_port',`
+ corenet_udp_send_reserved_port($1)
+ corenet_udp_receive_reserved_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Connect TCP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_all_reserved_ports',`
+ corenet_udp_send_all_reserved_ports($1)
+ corenet_udp_receive_all_reserved_ports($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to bind TCP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ dontaudit $1 reserved_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to bind UDP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ dontaudit $1 reserved_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_unreserved_ports',`
+ gen_require(`
+ attribute unreserved_port_type;
+ ')
+
+ allow $1 unreserved_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_unreserved_ports',`
+ gen_require(`
+ attribute unreserved_port_type;
+ ')
+
+ allow $1 unreserved_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Connect TCP sockets to reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Connect TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_unreserved_ports',`
+ gen_require(`
+ attribute unreserved_port_type;
+ ')
+
+ allow $1 unreserved_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to connect TCP sockets
+## all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ dontaudit $1 reserved_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Connect TCP sockets to rpc ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ allow $1 rpc_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to connect TCP sockets
+## all rpc ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ dontaudit $1 rpc_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Read and write the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_rw_tun_tap_dev',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write the TUN/TAP
+## virtual network device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_rw_tun_tap_dev',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ dontaudit $1 tun_tap_device_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+## Getattr the point-to-point device.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_getattr_ppp_dev',`
+ gen_require(`
+ type ppp_device_t;
+ ')
+
+ allow $1 ppp_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Read and write the point-to-point device.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_rw_ppp_dev',`
+ gen_require(`
+ type ppp_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ppp_device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ allow $1 rpc_port_type:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to bind TCP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ dontaudit $1 rpc_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ allow $1 rpc_port_type:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to bind UDP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ dontaudit $1 rpc_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Send and receive messages on a
+## non-encrypted (no IPSEC) network
+## session.
+## </summary>
+## <desc>
+## <p>
+## Send and receive messages on a
+## non-encrypted (no IPSEC) network
+## session. (Deprecated)
+## </p>
+## <p>
+## The corenet_all_recvfrom_unlabeled() interface should be used instead
+## of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_non_ipsec_sendrecv',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.')
+ corenet_all_recvfrom_unlabeled($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## messages on a non-encrypted (no IPSEC) network
+## session.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to send and receive
+## messages on a non-encrypted (no IPSEC) network
+## session.
+## </p>
+## <p>
+## The corenet_dontaudit_all_recvfrom_unlabeled() interface should be
+## used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_non_ipsec_sendrecv',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.')
+ corenet_dontaudit_all_recvfrom_unlabeled($1)
+')
+
+########################################
+## <summary>
+## Receive TCP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.')
+ corenet_tcp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive TCP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:peer recv;
+ allow $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive TCP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_unlabeled',`
+ kernel_tcp_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive TCP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.')
+ corenet_dontaudit_tcp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive TCP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:peer recv;
+ dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
+ kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Receive UDP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.')
+ corenet_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive UDP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:peer recv;
+ allow $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive UDP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_unlabeled',`
+ kernel_udp_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.')
+ corenet_dontaudit_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:peer recv;
+ dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
+ kernel_dontaudit_udp_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Receive Raw IP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.')
+ corenet_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive Raw IP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:peer recv;
+ allow $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive Raw IP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_unlabeled',`
+ kernel_raw_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_raw_recvfrom_netlabel() instead.')
+ corenet_dontaudit_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:peer recv;
+ dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+ kernel_dontaudit_raw_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Receive packets from an unlabeled connection.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to receive packets from an
+## unlabeled connection. On machines that do not utilize
+## labeled networking, this will be required on all
+## networking domains. On machines tha do utilize
+## labeled networking, this will be required for any
+## networking domain that is allowed to receive
+## network traffic that does not have a label.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_all_recvfrom_unlabeled',`
+ kernel_tcp_recvfrom_unlabeled($1)
+ kernel_udp_recvfrom_unlabeled($1)
+ kernel_raw_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Receive packets from a NetLabel connection.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to receive NetLabel
+## network traffic, which utilizes the Commercial IP
+## Security Option (CIPSO) to set the MLS level
+## of the network packets. This is required for
+## all networking domains that receive NetLabel
+## network traffic.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_all_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:peer recv;
+ allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
+ kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+ kernel_dontaudit_udp_recvfrom_unlabeled($1)
+ kernel_dontaudit_raw_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:peer recv;
+ dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
+')
+
+########################################
+## <summary>
+## Rules for receiving labeled TCP packets.
+## </summary>
+## <desc>
+## <p>
+## Rules for receiving labeled TCP packets.
+## </p>
+## <p>
+## Due to the nature of TCP, this is bidirectional.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="peer_domain">
+## <summary>
+## Peer domain.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_labeled',`
+ allow { $1 $2 } self:association sendto;
+ allow $1 $2:{ association tcp_socket } recvfrom;
+ allow $2 $1:{ association tcp_socket } recvfrom;
+
+ allow $1 $2:peer recv;
+ allow $2 $1:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
+ corenet_tcp_recvfrom_netlabel($1)
+ corenet_tcp_recvfrom_netlabel($2)
+')
+
+########################################
+## <summary>
+## Rules for receiving labeled UDP packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="peer_domain">
+## <summary>
+## Peer domain.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_labeled',`
+ allow $2 self:association sendto;
+ allow $1 $2:{ association udp_socket } recvfrom;
+
+ allow $1 $2:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
+ corenet_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Rules for receiving labeled raw IP packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="peer_domain">
+## <summary>
+## Peer domain.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_labeled',`
+ allow $2 self:association sendto;
+ allow $1 $2:{ association rawip_socket } recvfrom;
+
+ allow $1 $2:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
+ corenet_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Rules for receiving labeled packets via TCP, UDP and raw IP.
+## </summary>
+## <desc>
+## <p>
+## Rules for receiving labeled packets via TCP, UDP and raw IP.
+## </p>
+## <p>
+## Due to the nature of TCP, the rules (for TCP
+## networking only) are bidirectional.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="peer_domain">
+## <summary>
+## Peer domain.
+## </summary>
+## </param>
+#
+interface(`corenet_all_recvfrom_labeled',`
+ corenet_tcp_recvfrom_labeled($1, $2)
+ corenet_udp_recvfrom_labeled($1, $2)
+ corenet_raw_recvfrom_labeled($1, $2)
+')
+
+########################################
+## <summary>
+## Make the specified type usable
+## for labeled ipsec.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used for labeled ipsec.
+## </summary>
+## </param>
+#
+interface(`corenet_setcontext_all_spds',`
+ gen_require(`
+ attribute ipsec_spd_type;
+ ')
+
+ allow $1 ipsec_spd_type:association setcontext;
+')
+
+########################################
+## <summary>
+## Send generic client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_send_generic_client_packets',`
+ gen_require(`
+ type client_packet_t;
+ ')
+
+ allow $1 client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive generic client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_receive_generic_client_packets',`
+ gen_require(`
+ type client_packet_t;
+ ')
+
+ allow $1 client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive generic client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sendrecv_generic_client_packets',`
+ corenet_send_generic_client_packets($1)
+ corenet_receive_generic_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to the generic client packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_generic_client_packets',`
+ gen_require(`
+ type client_packet_t;
+ ')
+
+ allow $1 client_packet_t:packet relabelto;
+')
+
+########################################
+## <summary>
+## Send generic server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_send_generic_server_packets',`
+ gen_require(`
+ type server_packet_t;
+ ')
+
+ allow $1 server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive generic server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_receive_generic_server_packets',`
+ gen_require(`
+ type server_packet_t;
+ ')
+
+ allow $1 server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive generic server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sendrecv_generic_server_packets',`
+ corenet_send_generic_server_packets($1)
+ corenet_receive_generic_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to the generic server packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_generic_server_packets',`
+ gen_require(`
+ type server_packet_t;
+ ')
+
+ allow $1 server_packet_t:packet relabelto;
+')
+
+########################################
+## <summary>
+## Send and receive unlabeled packets.
+## </summary>
+## <desc>
+## <p>
+## Send and receive unlabeled packets.
+## These packets do not match any netfilter
+## SECMARK rules.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sendrecv_unlabeled_packets',`
+ kernel_sendrecv_unlabeled_packets($1)
+')
+
+########################################
+## <summary>
+## Send all client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_send_all_client_packets',`
+ gen_require(`
+ attribute client_packet_type;
+ ')
+
+ allow $1 client_packet_type:packet send;
+')
+
+########################################
+## <summary>
+## Receive all client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_receive_all_client_packets',`
+ gen_require(`
+ attribute client_packet_type;
+ ')
+
+ allow $1 client_packet_type:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive all client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sendrecv_all_client_packets',`
+ corenet_send_all_client_packets($1)
+ corenet_receive_all_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to any client packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_all_client_packets',`
+ gen_require(`
+ attribute client_packet_type;
+ ')
+
+ allow $1 client_packet_type:packet relabelto;
+')
+
+########################################
+## <summary>
+## Send all server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_send_all_server_packets',`
+ gen_require(`
+ attribute server_packet_type;
+ ')
+
+ allow $1 server_packet_type:packet send;
+')
+
+########################################
+## <summary>
+## Receive all server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_receive_all_server_packets',`
+ gen_require(`
+ attribute server_packet_type;
+ ')
+
+ allow $1 server_packet_type:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive all server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sendrecv_all_server_packets',`
+ corenet_send_all_server_packets($1)
+ corenet_receive_all_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to any server packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_all_server_packets',`
+ gen_require(`
+ attribute server_packet_type;
+ ')
+
+ allow $1 server_packet_type:packet relabelto;
+')
+
+########################################
+## <summary>
+## Send all packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_send_all_packets',`
+ gen_require(`
+ attribute packet_type;
+ ')
+
+ allow $1 packet_type:packet send;
+')
+
+########################################
+## <summary>
+## Receive all packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_receive_all_packets',`
+ gen_require(`
+ attribute packet_type;
+ ')
+
+ allow $1 packet_type:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive all packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sendrecv_all_packets',`
+ corenet_send_all_packets($1)
+ corenet_receive_all_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to any packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_all_packets',`
+ gen_require(`
+ attribute packet_type;
+ ')
+
+ allow $1 packet_type:packet relabelto;
+')
+
+########################################
+## <summary>
+## Unconfined access to network objects.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_unconfined',`
+ gen_require(`
+ attribute corenet_unconfined_type;
+ ')
+
+ typeattribute $1 corenet_unconfined_type;
+')
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the afs_bos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_afs_bos_port',`
+ gen_require(`
+ type afs_bos_port_t;
+ ')
+
+ allow $1 afs_bos_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the afs_bos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_afs_bos_port',`
+ gen_require(`
+ type afs_bos_port_t;
+ ')
+
+ allow $1 afs_bos_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the afs_bos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_afs_bos_port',`
+ gen_require(`
+ type afs_bos_port_t;
+ ')
+
+ dontaudit $1 afs_bos_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the afs_bos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_afs_bos_port',`
+ gen_require(`
+ type afs_bos_port_t;
+ ')
+
+ allow $1 afs_bos_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the afs_bos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_afs_bos_port',`
+ gen_require(`
+ type afs_bos_port_t;
+ ')
+
+ dontaudit $1 afs_bos_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the afs_bos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_afs_bos_port',`
+ corenet_udp_send_afs_bos_port($1)
+ corenet_udp_receive_afs_bos_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the afs_bos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_afs_bos_port',`
+ corenet_dontaudit_udp_send_afs_bos_port($1)
+ corenet_dontaudit_udp_receive_afs_bos_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the afs_bos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_afs_bos_port',`
+ gen_require(`
+ type afs_bos_port_t;
+ ')
+
+ allow $1 afs_bos_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the afs_bos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_afs_bos_port',`
+ gen_require(`
+ type afs_bos_port_t;
+ ')
+
+ allow $1 afs_bos_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the afs_bos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_afs_bos_port',`
+ gen_require(`
+ type afs_bos_port_t;
+ ')
+
+ allow $1 afs_bos_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send afs_bos_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_afs_bos_client_packets',`
+ gen_require(`
+ type afs_bos_client_packet_t;
+ ')
+
+ allow $1 afs_bos_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send afs_bos_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_afs_bos_client_packets',`
+ gen_require(`
+ type afs_bos_client_packet_t;
+ ')
+
+ dontaudit $1 afs_bos_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive afs_bos_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_afs_bos_client_packets',`
+ gen_require(`
+ type afs_bos_client_packet_t;
+ ')
+
+ allow $1 afs_bos_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive afs_bos_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_afs_bos_client_packets',`
+ gen_require(`
+ type afs_bos_client_packet_t;
+ ')
+
+ dontaudit $1 afs_bos_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive afs_bos_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_afs_bos_client_packets',`
+ corenet_send_afs_bos_client_packets($1)
+ corenet_receive_afs_bos_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive afs_bos_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_afs_bos_client_packets',`
+ corenet_dontaudit_send_afs_bos_client_packets($1)
+ corenet_dontaudit_receive_afs_bos_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to afs_bos_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_afs_bos_client_packets',`
+ gen_require(`
+ type afs_bos_client_packet_t;
+ ')
+
+ allow $1 afs_bos_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send afs_bos_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_afs_bos_server_packets',`
+ gen_require(`
+ type afs_bos_server_packet_t;
+ ')
+
+ allow $1 afs_bos_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send afs_bos_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_afs_bos_server_packets',`
+ gen_require(`
+ type afs_bos_server_packet_t;
+ ')
+
+ dontaudit $1 afs_bos_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive afs_bos_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_afs_bos_server_packets',`
+ gen_require(`
+ type afs_bos_server_packet_t;
+ ')
+
+ allow $1 afs_bos_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive afs_bos_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_afs_bos_server_packets',`
+ gen_require(`
+ type afs_bos_server_packet_t;
+ ')
+
+ dontaudit $1 afs_bos_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive afs_bos_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_afs_bos_server_packets',`
+ corenet_send_afs_bos_server_packets($1)
+ corenet_receive_afs_bos_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive afs_bos_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_afs_bos_server_packets',`
+ corenet_dontaudit_send_afs_bos_server_packets($1)
+ corenet_dontaudit_receive_afs_bos_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to afs_bos_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_afs_bos_server_packets',`
+ gen_require(`
+ type afs_bos_server_packet_t;
+ ')
+
+ allow $1 afs_bos_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the afs_fs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_afs_fs_port',`
+ gen_require(`
+ type afs_fs_port_t;
+ ')
+
+ allow $1 afs_fs_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the afs_fs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_afs_fs_port',`
+ gen_require(`
+ type afs_fs_port_t;
+ ')
+
+ allow $1 afs_fs_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the afs_fs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_afs_fs_port',`
+ gen_require(`
+ type afs_fs_port_t;
+ ')
+
+ dontaudit $1 afs_fs_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the afs_fs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_afs_fs_port',`
+ gen_require(`
+ type afs_fs_port_t;
+ ')
+
+ allow $1 afs_fs_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the afs_fs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_afs_fs_port',`
+ gen_require(`
+ type afs_fs_port_t;
+ ')
+
+ dontaudit $1 afs_fs_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the afs_fs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_afs_fs_port',`
+ corenet_udp_send_afs_fs_port($1)
+ corenet_udp_receive_afs_fs_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the afs_fs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_afs_fs_port',`
+ corenet_dontaudit_udp_send_afs_fs_port($1)
+ corenet_dontaudit_udp_receive_afs_fs_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the afs_fs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_afs_fs_port',`
+ gen_require(`
+ type afs_fs_port_t;
+ ')
+
+ allow $1 afs_fs_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the afs_fs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_afs_fs_port',`
+ gen_require(`
+ type afs_fs_port_t;
+ ')
+
+ allow $1 afs_fs_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the afs_fs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_afs_fs_port',`
+ gen_require(`
+ type afs_fs_port_t;
+ ')
+
+ allow $1 afs_fs_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send afs_fs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_afs_fs_client_packets',`
+ gen_require(`
+ type afs_fs_client_packet_t;
+ ')
+
+ allow $1 afs_fs_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send afs_fs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_afs_fs_client_packets',`
+ gen_require(`
+ type afs_fs_client_packet_t;
+ ')
+
+ dontaudit $1 afs_fs_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive afs_fs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_afs_fs_client_packets',`
+ gen_require(`
+ type afs_fs_client_packet_t;
+ ')
+
+ allow $1 afs_fs_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive afs_fs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_afs_fs_client_packets',`
+ gen_require(`
+ type afs_fs_client_packet_t;
+ ')
+
+ dontaudit $1 afs_fs_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive afs_fs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_afs_fs_client_packets',`
+ corenet_send_afs_fs_client_packets($1)
+ corenet_receive_afs_fs_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive afs_fs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_afs_fs_client_packets',`
+ corenet_dontaudit_send_afs_fs_client_packets($1)
+ corenet_dontaudit_receive_afs_fs_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to afs_fs_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_afs_fs_client_packets',`
+ gen_require(`
+ type afs_fs_client_packet_t;
+ ')
+
+ allow $1 afs_fs_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send afs_fs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_afs_fs_server_packets',`
+ gen_require(`
+ type afs_fs_server_packet_t;
+ ')
+
+ allow $1 afs_fs_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send afs_fs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_afs_fs_server_packets',`
+ gen_require(`
+ type afs_fs_server_packet_t;
+ ')
+
+ dontaudit $1 afs_fs_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive afs_fs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_afs_fs_server_packets',`
+ gen_require(`
+ type afs_fs_server_packet_t;
+ ')
+
+ allow $1 afs_fs_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive afs_fs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_afs_fs_server_packets',`
+ gen_require(`
+ type afs_fs_server_packet_t;
+ ')
+
+ dontaudit $1 afs_fs_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive afs_fs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_afs_fs_server_packets',`
+ corenet_send_afs_fs_server_packets($1)
+ corenet_receive_afs_fs_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive afs_fs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_afs_fs_server_packets',`
+ corenet_dontaudit_send_afs_fs_server_packets($1)
+ corenet_dontaudit_receive_afs_fs_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to afs_fs_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_afs_fs_server_packets',`
+ gen_require(`
+ type afs_fs_server_packet_t;
+ ')
+
+ allow $1 afs_fs_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the afs_ka port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_afs_ka_port',`
+ gen_require(`
+ type afs_ka_port_t;
+ ')
+
+ allow $1 afs_ka_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the afs_ka port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_afs_ka_port',`
+ gen_require(`
+ type afs_ka_port_t;
+ ')
+
+ allow $1 afs_ka_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the afs_ka port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_afs_ka_port',`
+ gen_require(`
+ type afs_ka_port_t;
+ ')
+
+ dontaudit $1 afs_ka_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the afs_ka port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_afs_ka_port',`
+ gen_require(`
+ type afs_ka_port_t;
+ ')
+
+ allow $1 afs_ka_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the afs_ka port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_afs_ka_port',`
+ gen_require(`
+ type afs_ka_port_t;
+ ')
+
+ dontaudit $1 afs_ka_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the afs_ka port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_afs_ka_port',`
+ corenet_udp_send_afs_ka_port($1)
+ corenet_udp_receive_afs_ka_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the afs_ka port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_afs_ka_port',`
+ corenet_dontaudit_udp_send_afs_ka_port($1)
+ corenet_dontaudit_udp_receive_afs_ka_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the afs_ka port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_afs_ka_port',`
+ gen_require(`
+ type afs_ka_port_t;
+ ')
+
+ allow $1 afs_ka_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the afs_ka port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_afs_ka_port',`
+ gen_require(`
+ type afs_ka_port_t;
+ ')
+
+ allow $1 afs_ka_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the afs_ka port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_afs_ka_port',`
+ gen_require(`
+ type afs_ka_port_t;
+ ')
+
+ allow $1 afs_ka_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send afs_ka_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_afs_ka_client_packets',`
+ gen_require(`
+ type afs_ka_client_packet_t;
+ ')
+
+ allow $1 afs_ka_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send afs_ka_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_afs_ka_client_packets',`
+ gen_require(`
+ type afs_ka_client_packet_t;
+ ')
+
+ dontaudit $1 afs_ka_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive afs_ka_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_afs_ka_client_packets',`
+ gen_require(`
+ type afs_ka_client_packet_t;
+ ')
+
+ allow $1 afs_ka_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive afs_ka_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_afs_ka_client_packets',`
+ gen_require(`
+ type afs_ka_client_packet_t;
+ ')
+
+ dontaudit $1 afs_ka_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive afs_ka_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_afs_ka_client_packets',`
+ corenet_send_afs_ka_client_packets($1)
+ corenet_receive_afs_ka_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive afs_ka_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_afs_ka_client_packets',`
+ corenet_dontaudit_send_afs_ka_client_packets($1)
+ corenet_dontaudit_receive_afs_ka_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to afs_ka_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_afs_ka_client_packets',`
+ gen_require(`
+ type afs_ka_client_packet_t;
+ ')
+
+ allow $1 afs_ka_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send afs_ka_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_afs_ka_server_packets',`
+ gen_require(`
+ type afs_ka_server_packet_t;
+ ')
+
+ allow $1 afs_ka_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send afs_ka_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_afs_ka_server_packets',`
+ gen_require(`
+ type afs_ka_server_packet_t;
+ ')
+
+ dontaudit $1 afs_ka_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive afs_ka_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_afs_ka_server_packets',`
+ gen_require(`
+ type afs_ka_server_packet_t;
+ ')
+
+ allow $1 afs_ka_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive afs_ka_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_afs_ka_server_packets',`
+ gen_require(`
+ type afs_ka_server_packet_t;
+ ')
+
+ dontaudit $1 afs_ka_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive afs_ka_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_afs_ka_server_packets',`
+ corenet_send_afs_ka_server_packets($1)
+ corenet_receive_afs_ka_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive afs_ka_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_afs_ka_server_packets',`
+ corenet_dontaudit_send_afs_ka_server_packets($1)
+ corenet_dontaudit_receive_afs_ka_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to afs_ka_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_afs_ka_server_packets',`
+ gen_require(`
+ type afs_ka_server_packet_t;
+ ')
+
+ allow $1 afs_ka_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the afs_pt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_afs_pt_port',`
+ gen_require(`
+ type afs_pt_port_t;
+ ')
+
+ allow $1 afs_pt_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the afs_pt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_afs_pt_port',`
+ gen_require(`
+ type afs_pt_port_t;
+ ')
+
+ allow $1 afs_pt_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the afs_pt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_afs_pt_port',`
+ gen_require(`
+ type afs_pt_port_t;
+ ')
+
+ dontaudit $1 afs_pt_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the afs_pt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_afs_pt_port',`
+ gen_require(`
+ type afs_pt_port_t;
+ ')
+
+ allow $1 afs_pt_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the afs_pt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_afs_pt_port',`
+ gen_require(`
+ type afs_pt_port_t;
+ ')
+
+ dontaudit $1 afs_pt_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the afs_pt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_afs_pt_port',`
+ corenet_udp_send_afs_pt_port($1)
+ corenet_udp_receive_afs_pt_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the afs_pt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_afs_pt_port',`
+ corenet_dontaudit_udp_send_afs_pt_port($1)
+ corenet_dontaudit_udp_receive_afs_pt_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the afs_pt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_afs_pt_port',`
+ gen_require(`
+ type afs_pt_port_t;
+ ')
+
+ allow $1 afs_pt_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the afs_pt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_afs_pt_port',`
+ gen_require(`
+ type afs_pt_port_t;
+ ')
+
+ allow $1 afs_pt_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the afs_pt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_afs_pt_port',`
+ gen_require(`
+ type afs_pt_port_t;
+ ')
+
+ allow $1 afs_pt_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send afs_pt_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_afs_pt_client_packets',`
+ gen_require(`
+ type afs_pt_client_packet_t;
+ ')
+
+ allow $1 afs_pt_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send afs_pt_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_afs_pt_client_packets',`
+ gen_require(`
+ type afs_pt_client_packet_t;
+ ')
+
+ dontaudit $1 afs_pt_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive afs_pt_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_afs_pt_client_packets',`
+ gen_require(`
+ type afs_pt_client_packet_t;
+ ')
+
+ allow $1 afs_pt_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive afs_pt_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_afs_pt_client_packets',`
+ gen_require(`
+ type afs_pt_client_packet_t;
+ ')
+
+ dontaudit $1 afs_pt_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive afs_pt_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_afs_pt_client_packets',`
+ corenet_send_afs_pt_client_packets($1)
+ corenet_receive_afs_pt_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive afs_pt_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_afs_pt_client_packets',`
+ corenet_dontaudit_send_afs_pt_client_packets($1)
+ corenet_dontaudit_receive_afs_pt_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to afs_pt_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_afs_pt_client_packets',`
+ gen_require(`
+ type afs_pt_client_packet_t;
+ ')
+
+ allow $1 afs_pt_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send afs_pt_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_afs_pt_server_packets',`
+ gen_require(`
+ type afs_pt_server_packet_t;
+ ')
+
+ allow $1 afs_pt_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send afs_pt_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_afs_pt_server_packets',`
+ gen_require(`
+ type afs_pt_server_packet_t;
+ ')
+
+ dontaudit $1 afs_pt_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive afs_pt_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_afs_pt_server_packets',`
+ gen_require(`
+ type afs_pt_server_packet_t;
+ ')
+
+ allow $1 afs_pt_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive afs_pt_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_afs_pt_server_packets',`
+ gen_require(`
+ type afs_pt_server_packet_t;
+ ')
+
+ dontaudit $1 afs_pt_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive afs_pt_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_afs_pt_server_packets',`
+ corenet_send_afs_pt_server_packets($1)
+ corenet_receive_afs_pt_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive afs_pt_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_afs_pt_server_packets',`
+ corenet_dontaudit_send_afs_pt_server_packets($1)
+ corenet_dontaudit_receive_afs_pt_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to afs_pt_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_afs_pt_server_packets',`
+ gen_require(`
+ type afs_pt_server_packet_t;
+ ')
+
+ allow $1 afs_pt_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the afs_vl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_afs_vl_port',`
+ gen_require(`
+ type afs_vl_port_t;
+ ')
+
+ allow $1 afs_vl_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the afs_vl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_afs_vl_port',`
+ gen_require(`
+ type afs_vl_port_t;
+ ')
+
+ allow $1 afs_vl_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the afs_vl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_afs_vl_port',`
+ gen_require(`
+ type afs_vl_port_t;
+ ')
+
+ dontaudit $1 afs_vl_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the afs_vl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_afs_vl_port',`
+ gen_require(`
+ type afs_vl_port_t;
+ ')
+
+ allow $1 afs_vl_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the afs_vl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_afs_vl_port',`
+ gen_require(`
+ type afs_vl_port_t;
+ ')
+
+ dontaudit $1 afs_vl_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the afs_vl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_afs_vl_port',`
+ corenet_udp_send_afs_vl_port($1)
+ corenet_udp_receive_afs_vl_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the afs_vl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_afs_vl_port',`
+ corenet_dontaudit_udp_send_afs_vl_port($1)
+ corenet_dontaudit_udp_receive_afs_vl_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the afs_vl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_afs_vl_port',`
+ gen_require(`
+ type afs_vl_port_t;
+ ')
+
+ allow $1 afs_vl_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the afs_vl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_afs_vl_port',`
+ gen_require(`
+ type afs_vl_port_t;
+ ')
+
+ allow $1 afs_vl_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the afs_vl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_afs_vl_port',`
+ gen_require(`
+ type afs_vl_port_t;
+ ')
+
+ allow $1 afs_vl_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send afs_vl_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_afs_vl_client_packets',`
+ gen_require(`
+ type afs_vl_client_packet_t;
+ ')
+
+ allow $1 afs_vl_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send afs_vl_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_afs_vl_client_packets',`
+ gen_require(`
+ type afs_vl_client_packet_t;
+ ')
+
+ dontaudit $1 afs_vl_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive afs_vl_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_afs_vl_client_packets',`
+ gen_require(`
+ type afs_vl_client_packet_t;
+ ')
+
+ allow $1 afs_vl_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive afs_vl_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_afs_vl_client_packets',`
+ gen_require(`
+ type afs_vl_client_packet_t;
+ ')
+
+ dontaudit $1 afs_vl_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive afs_vl_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_afs_vl_client_packets',`
+ corenet_send_afs_vl_client_packets($1)
+ corenet_receive_afs_vl_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive afs_vl_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_afs_vl_client_packets',`
+ corenet_dontaudit_send_afs_vl_client_packets($1)
+ corenet_dontaudit_receive_afs_vl_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to afs_vl_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_afs_vl_client_packets',`
+ gen_require(`
+ type afs_vl_client_packet_t;
+ ')
+
+ allow $1 afs_vl_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send afs_vl_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_afs_vl_server_packets',`
+ gen_require(`
+ type afs_vl_server_packet_t;
+ ')
+
+ allow $1 afs_vl_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send afs_vl_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_afs_vl_server_packets',`
+ gen_require(`
+ type afs_vl_server_packet_t;
+ ')
+
+ dontaudit $1 afs_vl_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive afs_vl_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_afs_vl_server_packets',`
+ gen_require(`
+ type afs_vl_server_packet_t;
+ ')
+
+ allow $1 afs_vl_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive afs_vl_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_afs_vl_server_packets',`
+ gen_require(`
+ type afs_vl_server_packet_t;
+ ')
+
+ dontaudit $1 afs_vl_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive afs_vl_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_afs_vl_server_packets',`
+ corenet_send_afs_vl_server_packets($1)
+ corenet_receive_afs_vl_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive afs_vl_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_afs_vl_server_packets',`
+ corenet_dontaudit_send_afs_vl_server_packets($1)
+ corenet_dontaudit_receive_afs_vl_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to afs_vl_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_afs_vl_server_packets',`
+ gen_require(`
+ type afs_vl_server_packet_t;
+ ')
+
+ allow $1 afs_vl_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the agentx port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_agentx_port',`
+ gen_require(`
+ type agentx_port_t;
+ ')
+
+ allow $1 agentx_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the agentx port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_agentx_port',`
+ gen_require(`
+ type agentx_port_t;
+ ')
+
+ allow $1 agentx_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the agentx port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_agentx_port',`
+ gen_require(`
+ type agentx_port_t;
+ ')
+
+ dontaudit $1 agentx_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the agentx port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_agentx_port',`
+ gen_require(`
+ type agentx_port_t;
+ ')
+
+ allow $1 agentx_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the agentx port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_agentx_port',`
+ gen_require(`
+ type agentx_port_t;
+ ')
+
+ dontaudit $1 agentx_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the agentx port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_agentx_port',`
+ corenet_udp_send_agentx_port($1)
+ corenet_udp_receive_agentx_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the agentx port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_agentx_port',`
+ corenet_dontaudit_udp_send_agentx_port($1)
+ corenet_dontaudit_udp_receive_agentx_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the agentx port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_agentx_port',`
+ gen_require(`
+ type agentx_port_t;
+ ')
+
+ allow $1 agentx_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the agentx port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_agentx_port',`
+ gen_require(`
+ type agentx_port_t;
+ ')
+
+ allow $1 agentx_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the agentx port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_agentx_port',`
+ gen_require(`
+ type agentx_port_t;
+ ')
+
+ allow $1 agentx_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send agentx_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_agentx_client_packets',`
+ gen_require(`
+ type agentx_client_packet_t;
+ ')
+
+ allow $1 agentx_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send agentx_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_agentx_client_packets',`
+ gen_require(`
+ type agentx_client_packet_t;
+ ')
+
+ dontaudit $1 agentx_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive agentx_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_agentx_client_packets',`
+ gen_require(`
+ type agentx_client_packet_t;
+ ')
+
+ allow $1 agentx_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive agentx_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_agentx_client_packets',`
+ gen_require(`
+ type agentx_client_packet_t;
+ ')
+
+ dontaudit $1 agentx_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive agentx_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_agentx_client_packets',`
+ corenet_send_agentx_client_packets($1)
+ corenet_receive_agentx_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive agentx_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_agentx_client_packets',`
+ corenet_dontaudit_send_agentx_client_packets($1)
+ corenet_dontaudit_receive_agentx_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to agentx_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_agentx_client_packets',`
+ gen_require(`
+ type agentx_client_packet_t;
+ ')
+
+ allow $1 agentx_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send agentx_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_agentx_server_packets',`
+ gen_require(`
+ type agentx_server_packet_t;
+ ')
+
+ allow $1 agentx_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send agentx_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_agentx_server_packets',`
+ gen_require(`
+ type agentx_server_packet_t;
+ ')
+
+ dontaudit $1 agentx_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive agentx_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_agentx_server_packets',`
+ gen_require(`
+ type agentx_server_packet_t;
+ ')
+
+ allow $1 agentx_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive agentx_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_agentx_server_packets',`
+ gen_require(`
+ type agentx_server_packet_t;
+ ')
+
+ dontaudit $1 agentx_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive agentx_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_agentx_server_packets',`
+ corenet_send_agentx_server_packets($1)
+ corenet_receive_agentx_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive agentx_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_agentx_server_packets',`
+ corenet_dontaudit_send_agentx_server_packets($1)
+ corenet_dontaudit_receive_agentx_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to agentx_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_agentx_server_packets',`
+ gen_require(`
+ type agentx_server_packet_t;
+ ')
+
+ allow $1 agentx_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the amanda port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_amanda_port',`
+ gen_require(`
+ type amanda_port_t;
+ ')
+
+ allow $1 amanda_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the amanda port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_amanda_port',`
+ gen_require(`
+ type amanda_port_t;
+ ')
+
+ allow $1 amanda_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the amanda port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_amanda_port',`
+ gen_require(`
+ type amanda_port_t;
+ ')
+
+ dontaudit $1 amanda_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the amanda port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_amanda_port',`
+ gen_require(`
+ type amanda_port_t;
+ ')
+
+ allow $1 amanda_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the amanda port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_amanda_port',`
+ gen_require(`
+ type amanda_port_t;
+ ')
+
+ dontaudit $1 amanda_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the amanda port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_amanda_port',`
+ corenet_udp_send_amanda_port($1)
+ corenet_udp_receive_amanda_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the amanda port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_amanda_port',`
+ corenet_dontaudit_udp_send_amanda_port($1)
+ corenet_dontaudit_udp_receive_amanda_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the amanda port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_amanda_port',`
+ gen_require(`
+ type amanda_port_t;
+ ')
+
+ allow $1 amanda_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the amanda port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_amanda_port',`
+ gen_require(`
+ type amanda_port_t;
+ ')
+
+ allow $1 amanda_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the amanda port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_amanda_port',`
+ gen_require(`
+ type amanda_port_t;
+ ')
+
+ allow $1 amanda_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send amanda_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_amanda_client_packets',`
+ gen_require(`
+ type amanda_client_packet_t;
+ ')
+
+ allow $1 amanda_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send amanda_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_amanda_client_packets',`
+ gen_require(`
+ type amanda_client_packet_t;
+ ')
+
+ dontaudit $1 amanda_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive amanda_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_amanda_client_packets',`
+ gen_require(`
+ type amanda_client_packet_t;
+ ')
+
+ allow $1 amanda_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive amanda_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_amanda_client_packets',`
+ gen_require(`
+ type amanda_client_packet_t;
+ ')
+
+ dontaudit $1 amanda_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive amanda_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_amanda_client_packets',`
+ corenet_send_amanda_client_packets($1)
+ corenet_receive_amanda_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive amanda_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_amanda_client_packets',`
+ corenet_dontaudit_send_amanda_client_packets($1)
+ corenet_dontaudit_receive_amanda_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to amanda_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_amanda_client_packets',`
+ gen_require(`
+ type amanda_client_packet_t;
+ ')
+
+ allow $1 amanda_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send amanda_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_amanda_server_packets',`
+ gen_require(`
+ type amanda_server_packet_t;
+ ')
+
+ allow $1 amanda_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send amanda_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_amanda_server_packets',`
+ gen_require(`
+ type amanda_server_packet_t;
+ ')
+
+ dontaudit $1 amanda_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive amanda_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_amanda_server_packets',`
+ gen_require(`
+ type amanda_server_packet_t;
+ ')
+
+ allow $1 amanda_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive amanda_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_amanda_server_packets',`
+ gen_require(`
+ type amanda_server_packet_t;
+ ')
+
+ dontaudit $1 amanda_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive amanda_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_amanda_server_packets',`
+ corenet_send_amanda_server_packets($1)
+ corenet_receive_amanda_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive amanda_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_amanda_server_packets',`
+ corenet_dontaudit_send_amanda_server_packets($1)
+ corenet_dontaudit_receive_amanda_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to amanda_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_amanda_server_packets',`
+ gen_require(`
+ type amanda_server_packet_t;
+ ')
+
+ allow $1 amanda_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the amavisd_recv port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_amavisd_recv_port',`
+ gen_require(`
+ type amavisd_recv_port_t;
+ ')
+
+ allow $1 amavisd_recv_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the amavisd_recv port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_amavisd_recv_port',`
+ gen_require(`
+ type amavisd_recv_port_t;
+ ')
+
+ allow $1 amavisd_recv_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the amavisd_recv port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_amavisd_recv_port',`
+ gen_require(`
+ type amavisd_recv_port_t;
+ ')
+
+ dontaudit $1 amavisd_recv_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the amavisd_recv port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_amavisd_recv_port',`
+ gen_require(`
+ type amavisd_recv_port_t;
+ ')
+
+ allow $1 amavisd_recv_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the amavisd_recv port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_amavisd_recv_port',`
+ gen_require(`
+ type amavisd_recv_port_t;
+ ')
+
+ dontaudit $1 amavisd_recv_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the amavisd_recv port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_amavisd_recv_port',`
+ corenet_udp_send_amavisd_recv_port($1)
+ corenet_udp_receive_amavisd_recv_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the amavisd_recv port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_amavisd_recv_port',`
+ corenet_dontaudit_udp_send_amavisd_recv_port($1)
+ corenet_dontaudit_udp_receive_amavisd_recv_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the amavisd_recv port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_amavisd_recv_port',`
+ gen_require(`
+ type amavisd_recv_port_t;
+ ')
+
+ allow $1 amavisd_recv_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the amavisd_recv port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_amavisd_recv_port',`
+ gen_require(`
+ type amavisd_recv_port_t;
+ ')
+
+ allow $1 amavisd_recv_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the amavisd_recv port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_amavisd_recv_port',`
+ gen_require(`
+ type amavisd_recv_port_t;
+ ')
+
+ allow $1 amavisd_recv_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send amavisd_recv_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_amavisd_recv_client_packets',`
+ gen_require(`
+ type amavisd_recv_client_packet_t;
+ ')
+
+ allow $1 amavisd_recv_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send amavisd_recv_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_amavisd_recv_client_packets',`
+ gen_require(`
+ type amavisd_recv_client_packet_t;
+ ')
+
+ dontaudit $1 amavisd_recv_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive amavisd_recv_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_amavisd_recv_client_packets',`
+ gen_require(`
+ type amavisd_recv_client_packet_t;
+ ')
+
+ allow $1 amavisd_recv_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive amavisd_recv_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_amavisd_recv_client_packets',`
+ gen_require(`
+ type amavisd_recv_client_packet_t;
+ ')
+
+ dontaudit $1 amavisd_recv_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive amavisd_recv_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_amavisd_recv_client_packets',`
+ corenet_send_amavisd_recv_client_packets($1)
+ corenet_receive_amavisd_recv_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive amavisd_recv_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_amavisd_recv_client_packets',`
+ corenet_dontaudit_send_amavisd_recv_client_packets($1)
+ corenet_dontaudit_receive_amavisd_recv_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to amavisd_recv_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_amavisd_recv_client_packets',`
+ gen_require(`
+ type amavisd_recv_client_packet_t;
+ ')
+
+ allow $1 amavisd_recv_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send amavisd_recv_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_amavisd_recv_server_packets',`
+ gen_require(`
+ type amavisd_recv_server_packet_t;
+ ')
+
+ allow $1 amavisd_recv_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send amavisd_recv_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_amavisd_recv_server_packets',`
+ gen_require(`
+ type amavisd_recv_server_packet_t;
+ ')
+
+ dontaudit $1 amavisd_recv_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive amavisd_recv_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_amavisd_recv_server_packets',`
+ gen_require(`
+ type amavisd_recv_server_packet_t;
+ ')
+
+ allow $1 amavisd_recv_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive amavisd_recv_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_amavisd_recv_server_packets',`
+ gen_require(`
+ type amavisd_recv_server_packet_t;
+ ')
+
+ dontaudit $1 amavisd_recv_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive amavisd_recv_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_amavisd_recv_server_packets',`
+ corenet_send_amavisd_recv_server_packets($1)
+ corenet_receive_amavisd_recv_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive amavisd_recv_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_amavisd_recv_server_packets',`
+ corenet_dontaudit_send_amavisd_recv_server_packets($1)
+ corenet_dontaudit_receive_amavisd_recv_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to amavisd_recv_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_amavisd_recv_server_packets',`
+ gen_require(`
+ type amavisd_recv_server_packet_t;
+ ')
+
+ allow $1 amavisd_recv_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the amavisd_send port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_amavisd_send_port',`
+ gen_require(`
+ type amavisd_send_port_t;
+ ')
+
+ allow $1 amavisd_send_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the amavisd_send port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_amavisd_send_port',`
+ gen_require(`
+ type amavisd_send_port_t;
+ ')
+
+ allow $1 amavisd_send_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the amavisd_send port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_amavisd_send_port',`
+ gen_require(`
+ type amavisd_send_port_t;
+ ')
+
+ dontaudit $1 amavisd_send_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the amavisd_send port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_amavisd_send_port',`
+ gen_require(`
+ type amavisd_send_port_t;
+ ')
+
+ allow $1 amavisd_send_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the amavisd_send port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_amavisd_send_port',`
+ gen_require(`
+ type amavisd_send_port_t;
+ ')
+
+ dontaudit $1 amavisd_send_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the amavisd_send port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_amavisd_send_port',`
+ corenet_udp_send_amavisd_send_port($1)
+ corenet_udp_receive_amavisd_send_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the amavisd_send port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_amavisd_send_port',`
+ corenet_dontaudit_udp_send_amavisd_send_port($1)
+ corenet_dontaudit_udp_receive_amavisd_send_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the amavisd_send port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_amavisd_send_port',`
+ gen_require(`
+ type amavisd_send_port_t;
+ ')
+
+ allow $1 amavisd_send_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the amavisd_send port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_amavisd_send_port',`
+ gen_require(`
+ type amavisd_send_port_t;
+ ')
+
+ allow $1 amavisd_send_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the amavisd_send port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_amavisd_send_port',`
+ gen_require(`
+ type amavisd_send_port_t;
+ ')
+
+ allow $1 amavisd_send_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send amavisd_send_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_amavisd_send_client_packets',`
+ gen_require(`
+ type amavisd_send_client_packet_t;
+ ')
+
+ allow $1 amavisd_send_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send amavisd_send_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_amavisd_send_client_packets',`
+ gen_require(`
+ type amavisd_send_client_packet_t;
+ ')
+
+ dontaudit $1 amavisd_send_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive amavisd_send_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_amavisd_send_client_packets',`
+ gen_require(`
+ type amavisd_send_client_packet_t;
+ ')
+
+ allow $1 amavisd_send_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive amavisd_send_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_amavisd_send_client_packets',`
+ gen_require(`
+ type amavisd_send_client_packet_t;
+ ')
+
+ dontaudit $1 amavisd_send_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive amavisd_send_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_amavisd_send_client_packets',`
+ corenet_send_amavisd_send_client_packets($1)
+ corenet_receive_amavisd_send_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive amavisd_send_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_amavisd_send_client_packets',`
+ corenet_dontaudit_send_amavisd_send_client_packets($1)
+ corenet_dontaudit_receive_amavisd_send_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to amavisd_send_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_amavisd_send_client_packets',`
+ gen_require(`
+ type amavisd_send_client_packet_t;
+ ')
+
+ allow $1 amavisd_send_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send amavisd_send_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_amavisd_send_server_packets',`
+ gen_require(`
+ type amavisd_send_server_packet_t;
+ ')
+
+ allow $1 amavisd_send_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send amavisd_send_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_amavisd_send_server_packets',`
+ gen_require(`
+ type amavisd_send_server_packet_t;
+ ')
+
+ dontaudit $1 amavisd_send_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive amavisd_send_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_amavisd_send_server_packets',`
+ gen_require(`
+ type amavisd_send_server_packet_t;
+ ')
+
+ allow $1 amavisd_send_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive amavisd_send_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_amavisd_send_server_packets',`
+ gen_require(`
+ type amavisd_send_server_packet_t;
+ ')
+
+ dontaudit $1 amavisd_send_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive amavisd_send_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_amavisd_send_server_packets',`
+ corenet_send_amavisd_send_server_packets($1)
+ corenet_receive_amavisd_send_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive amavisd_send_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_amavisd_send_server_packets',`
+ corenet_dontaudit_send_amavisd_send_server_packets($1)
+ corenet_dontaudit_receive_amavisd_send_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to amavisd_send_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_amavisd_send_server_packets',`
+ gen_require(`
+ type amavisd_send_server_packet_t;
+ ')
+
+ allow $1 amavisd_send_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the amqp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_amqp_port',`
+ gen_require(`
+ type amqp_port_t;
+ ')
+
+ allow $1 amqp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the amqp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_amqp_port',`
+ gen_require(`
+ type amqp_port_t;
+ ')
+
+ allow $1 amqp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the amqp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_amqp_port',`
+ gen_require(`
+ type amqp_port_t;
+ ')
+
+ dontaudit $1 amqp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the amqp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_amqp_port',`
+ gen_require(`
+ type amqp_port_t;
+ ')
+
+ allow $1 amqp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the amqp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_amqp_port',`
+ gen_require(`
+ type amqp_port_t;
+ ')
+
+ dontaudit $1 amqp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the amqp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_amqp_port',`
+ corenet_udp_send_amqp_port($1)
+ corenet_udp_receive_amqp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the amqp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_amqp_port',`
+ corenet_dontaudit_udp_send_amqp_port($1)
+ corenet_dontaudit_udp_receive_amqp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the amqp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_amqp_port',`
+ gen_require(`
+ type amqp_port_t;
+ ')
+
+ allow $1 amqp_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the amqp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_amqp_port',`
+ gen_require(`
+ type amqp_port_t;
+ ')
+
+ allow $1 amqp_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the amqp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_amqp_port',`
+ gen_require(`
+ type amqp_port_t;
+ ')
+
+ allow $1 amqp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send amqp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_amqp_client_packets',`
+ gen_require(`
+ type amqp_client_packet_t;
+ ')
+
+ allow $1 amqp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send amqp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_amqp_client_packets',`
+ gen_require(`
+ type amqp_client_packet_t;
+ ')
+
+ dontaudit $1 amqp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive amqp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_amqp_client_packets',`
+ gen_require(`
+ type amqp_client_packet_t;
+ ')
+
+ allow $1 amqp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive amqp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_amqp_client_packets',`
+ gen_require(`
+ type amqp_client_packet_t;
+ ')
+
+ dontaudit $1 amqp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive amqp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_amqp_client_packets',`
+ corenet_send_amqp_client_packets($1)
+ corenet_receive_amqp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive amqp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_amqp_client_packets',`
+ corenet_dontaudit_send_amqp_client_packets($1)
+ corenet_dontaudit_receive_amqp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to amqp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_amqp_client_packets',`
+ gen_require(`
+ type amqp_client_packet_t;
+ ')
+
+ allow $1 amqp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send amqp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_amqp_server_packets',`
+ gen_require(`
+ type amqp_server_packet_t;
+ ')
+
+ allow $1 amqp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send amqp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_amqp_server_packets',`
+ gen_require(`
+ type amqp_server_packet_t;
+ ')
+
+ dontaudit $1 amqp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive amqp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_amqp_server_packets',`
+ gen_require(`
+ type amqp_server_packet_t;
+ ')
+
+ allow $1 amqp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive amqp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_amqp_server_packets',`
+ gen_require(`
+ type amqp_server_packet_t;
+ ')
+
+ dontaudit $1 amqp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive amqp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_amqp_server_packets',`
+ corenet_send_amqp_server_packets($1)
+ corenet_receive_amqp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive amqp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_amqp_server_packets',`
+ corenet_dontaudit_send_amqp_server_packets($1)
+ corenet_dontaudit_receive_amqp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to amqp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_amqp_server_packets',`
+ gen_require(`
+ type amqp_server_packet_t;
+ ')
+
+ allow $1 amqp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the aol port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_aol_port',`
+ gen_require(`
+ type aol_port_t;
+ ')
+
+ allow $1 aol_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the aol port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_aol_port',`
+ gen_require(`
+ type aol_port_t;
+ ')
+
+ allow $1 aol_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the aol port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_aol_port',`
+ gen_require(`
+ type aol_port_t;
+ ')
+
+ dontaudit $1 aol_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the aol port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_aol_port',`
+ gen_require(`
+ type aol_port_t;
+ ')
+
+ allow $1 aol_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the aol port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_aol_port',`
+ gen_require(`
+ type aol_port_t;
+ ')
+
+ dontaudit $1 aol_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the aol port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_aol_port',`
+ corenet_udp_send_aol_port($1)
+ corenet_udp_receive_aol_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the aol port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_aol_port',`
+ corenet_dontaudit_udp_send_aol_port($1)
+ corenet_dontaudit_udp_receive_aol_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the aol port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_aol_port',`
+ gen_require(`
+ type aol_port_t;
+ ')
+
+ allow $1 aol_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the aol port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_aol_port',`
+ gen_require(`
+ type aol_port_t;
+ ')
+
+ allow $1 aol_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the aol port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_aol_port',`
+ gen_require(`
+ type aol_port_t;
+ ')
+
+ allow $1 aol_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send aol_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_aol_client_packets',`
+ gen_require(`
+ type aol_client_packet_t;
+ ')
+
+ allow $1 aol_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send aol_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_aol_client_packets',`
+ gen_require(`
+ type aol_client_packet_t;
+ ')
+
+ dontaudit $1 aol_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive aol_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_aol_client_packets',`
+ gen_require(`
+ type aol_client_packet_t;
+ ')
+
+ allow $1 aol_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive aol_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_aol_client_packets',`
+ gen_require(`
+ type aol_client_packet_t;
+ ')
+
+ dontaudit $1 aol_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive aol_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_aol_client_packets',`
+ corenet_send_aol_client_packets($1)
+ corenet_receive_aol_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive aol_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_aol_client_packets',`
+ corenet_dontaudit_send_aol_client_packets($1)
+ corenet_dontaudit_receive_aol_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to aol_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_aol_client_packets',`
+ gen_require(`
+ type aol_client_packet_t;
+ ')
+
+ allow $1 aol_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send aol_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_aol_server_packets',`
+ gen_require(`
+ type aol_server_packet_t;
+ ')
+
+ allow $1 aol_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send aol_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_aol_server_packets',`
+ gen_require(`
+ type aol_server_packet_t;
+ ')
+
+ dontaudit $1 aol_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive aol_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_aol_server_packets',`
+ gen_require(`
+ type aol_server_packet_t;
+ ')
+
+ allow $1 aol_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive aol_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_aol_server_packets',`
+ gen_require(`
+ type aol_server_packet_t;
+ ')
+
+ dontaudit $1 aol_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive aol_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_aol_server_packets',`
+ corenet_send_aol_server_packets($1)
+ corenet_receive_aol_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive aol_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_aol_server_packets',`
+ corenet_dontaudit_send_aol_server_packets($1)
+ corenet_dontaudit_receive_aol_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to aol_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_aol_server_packets',`
+ gen_require(`
+ type aol_server_packet_t;
+ ')
+
+ allow $1 aol_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the apcupsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_apcupsd_port',`
+ gen_require(`
+ type apcupsd_port_t;
+ ')
+
+ allow $1 apcupsd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the apcupsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_apcupsd_port',`
+ gen_require(`
+ type apcupsd_port_t;
+ ')
+
+ allow $1 apcupsd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the apcupsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_apcupsd_port',`
+ gen_require(`
+ type apcupsd_port_t;
+ ')
+
+ dontaudit $1 apcupsd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the apcupsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_apcupsd_port',`
+ gen_require(`
+ type apcupsd_port_t;
+ ')
+
+ allow $1 apcupsd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the apcupsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_apcupsd_port',`
+ gen_require(`
+ type apcupsd_port_t;
+ ')
+
+ dontaudit $1 apcupsd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the apcupsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_apcupsd_port',`
+ corenet_udp_send_apcupsd_port($1)
+ corenet_udp_receive_apcupsd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the apcupsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_apcupsd_port',`
+ corenet_dontaudit_udp_send_apcupsd_port($1)
+ corenet_dontaudit_udp_receive_apcupsd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the apcupsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_apcupsd_port',`
+ gen_require(`
+ type apcupsd_port_t;
+ ')
+
+ allow $1 apcupsd_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the apcupsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_apcupsd_port',`
+ gen_require(`
+ type apcupsd_port_t;
+ ')
+
+ allow $1 apcupsd_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the apcupsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_apcupsd_port',`
+ gen_require(`
+ type apcupsd_port_t;
+ ')
+
+ allow $1 apcupsd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send apcupsd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_apcupsd_client_packets',`
+ gen_require(`
+ type apcupsd_client_packet_t;
+ ')
+
+ allow $1 apcupsd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send apcupsd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_apcupsd_client_packets',`
+ gen_require(`
+ type apcupsd_client_packet_t;
+ ')
+
+ dontaudit $1 apcupsd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive apcupsd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_apcupsd_client_packets',`
+ gen_require(`
+ type apcupsd_client_packet_t;
+ ')
+
+ allow $1 apcupsd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive apcupsd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_apcupsd_client_packets',`
+ gen_require(`
+ type apcupsd_client_packet_t;
+ ')
+
+ dontaudit $1 apcupsd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive apcupsd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_apcupsd_client_packets',`
+ corenet_send_apcupsd_client_packets($1)
+ corenet_receive_apcupsd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive apcupsd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_apcupsd_client_packets',`
+ corenet_dontaudit_send_apcupsd_client_packets($1)
+ corenet_dontaudit_receive_apcupsd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to apcupsd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_apcupsd_client_packets',`
+ gen_require(`
+ type apcupsd_client_packet_t;
+ ')
+
+ allow $1 apcupsd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send apcupsd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_apcupsd_server_packets',`
+ gen_require(`
+ type apcupsd_server_packet_t;
+ ')
+
+ allow $1 apcupsd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send apcupsd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_apcupsd_server_packets',`
+ gen_require(`
+ type apcupsd_server_packet_t;
+ ')
+
+ dontaudit $1 apcupsd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive apcupsd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_apcupsd_server_packets',`
+ gen_require(`
+ type apcupsd_server_packet_t;
+ ')
+
+ allow $1 apcupsd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive apcupsd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_apcupsd_server_packets',`
+ gen_require(`
+ type apcupsd_server_packet_t;
+ ')
+
+ dontaudit $1 apcupsd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive apcupsd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_apcupsd_server_packets',`
+ corenet_send_apcupsd_server_packets($1)
+ corenet_receive_apcupsd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive apcupsd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_apcupsd_server_packets',`
+ corenet_dontaudit_send_apcupsd_server_packets($1)
+ corenet_dontaudit_receive_apcupsd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to apcupsd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_apcupsd_server_packets',`
+ gen_require(`
+ type apcupsd_server_packet_t;
+ ')
+
+ allow $1 apcupsd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the asterisk port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_asterisk_port',`
+ gen_require(`
+ type asterisk_port_t;
+ ')
+
+ allow $1 asterisk_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the asterisk port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_asterisk_port',`
+ gen_require(`
+ type asterisk_port_t;
+ ')
+
+ allow $1 asterisk_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the asterisk port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_asterisk_port',`
+ gen_require(`
+ type asterisk_port_t;
+ ')
+
+ dontaudit $1 asterisk_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the asterisk port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_asterisk_port',`
+ gen_require(`
+ type asterisk_port_t;
+ ')
+
+ allow $1 asterisk_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the asterisk port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_asterisk_port',`
+ gen_require(`
+ type asterisk_port_t;
+ ')
+
+ dontaudit $1 asterisk_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the asterisk port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_asterisk_port',`
+ corenet_udp_send_asterisk_port($1)
+ corenet_udp_receive_asterisk_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the asterisk port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_asterisk_port',`
+ corenet_dontaudit_udp_send_asterisk_port($1)
+ corenet_dontaudit_udp_receive_asterisk_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the asterisk port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_asterisk_port',`
+ gen_require(`
+ type asterisk_port_t;
+ ')
+
+ allow $1 asterisk_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the asterisk port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_asterisk_port',`
+ gen_require(`
+ type asterisk_port_t;
+ ')
+
+ allow $1 asterisk_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the asterisk port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_asterisk_port',`
+ gen_require(`
+ type asterisk_port_t;
+ ')
+
+ allow $1 asterisk_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send asterisk_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_asterisk_client_packets',`
+ gen_require(`
+ type asterisk_client_packet_t;
+ ')
+
+ allow $1 asterisk_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send asterisk_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_asterisk_client_packets',`
+ gen_require(`
+ type asterisk_client_packet_t;
+ ')
+
+ dontaudit $1 asterisk_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive asterisk_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_asterisk_client_packets',`
+ gen_require(`
+ type asterisk_client_packet_t;
+ ')
+
+ allow $1 asterisk_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive asterisk_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_asterisk_client_packets',`
+ gen_require(`
+ type asterisk_client_packet_t;
+ ')
+
+ dontaudit $1 asterisk_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive asterisk_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_asterisk_client_packets',`
+ corenet_send_asterisk_client_packets($1)
+ corenet_receive_asterisk_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive asterisk_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_asterisk_client_packets',`
+ corenet_dontaudit_send_asterisk_client_packets($1)
+ corenet_dontaudit_receive_asterisk_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to asterisk_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_asterisk_client_packets',`
+ gen_require(`
+ type asterisk_client_packet_t;
+ ')
+
+ allow $1 asterisk_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send asterisk_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_asterisk_server_packets',`
+ gen_require(`
+ type asterisk_server_packet_t;
+ ')
+
+ allow $1 asterisk_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send asterisk_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_asterisk_server_packets',`
+ gen_require(`
+ type asterisk_server_packet_t;
+ ')
+
+ dontaudit $1 asterisk_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive asterisk_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_asterisk_server_packets',`
+ gen_require(`
+ type asterisk_server_packet_t;
+ ')
+
+ allow $1 asterisk_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive asterisk_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_asterisk_server_packets',`
+ gen_require(`
+ type asterisk_server_packet_t;
+ ')
+
+ dontaudit $1 asterisk_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive asterisk_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_asterisk_server_packets',`
+ corenet_send_asterisk_server_packets($1)
+ corenet_receive_asterisk_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive asterisk_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_asterisk_server_packets',`
+ corenet_dontaudit_send_asterisk_server_packets($1)
+ corenet_dontaudit_receive_asterisk_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to asterisk_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_asterisk_server_packets',`
+ gen_require(`
+ type asterisk_server_packet_t;
+ ')
+
+ allow $1 asterisk_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the audit port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_audit_port',`
+ gen_require(`
+ type audit_port_t;
+ ')
+
+ allow $1 audit_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the audit port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_audit_port',`
+ gen_require(`
+ type audit_port_t;
+ ')
+
+ allow $1 audit_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the audit port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_audit_port',`
+ gen_require(`
+ type audit_port_t;
+ ')
+
+ dontaudit $1 audit_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the audit port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_audit_port',`
+ gen_require(`
+ type audit_port_t;
+ ')
+
+ allow $1 audit_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the audit port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_audit_port',`
+ gen_require(`
+ type audit_port_t;
+ ')
+
+ dontaudit $1 audit_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the audit port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_audit_port',`
+ corenet_udp_send_audit_port($1)
+ corenet_udp_receive_audit_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the audit port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_audit_port',`
+ corenet_dontaudit_udp_send_audit_port($1)
+ corenet_dontaudit_udp_receive_audit_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the audit port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_audit_port',`
+ gen_require(`
+ type audit_port_t;
+ ')
+
+ allow $1 audit_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the audit port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_audit_port',`
+ gen_require(`
+ type audit_port_t;
+ ')
+
+ allow $1 audit_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the audit port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_audit_port',`
+ gen_require(`
+ type audit_port_t;
+ ')
+
+ allow $1 audit_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send audit_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_audit_client_packets',`
+ gen_require(`
+ type audit_client_packet_t;
+ ')
+
+ allow $1 audit_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send audit_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_audit_client_packets',`
+ gen_require(`
+ type audit_client_packet_t;
+ ')
+
+ dontaudit $1 audit_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive audit_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_audit_client_packets',`
+ gen_require(`
+ type audit_client_packet_t;
+ ')
+
+ allow $1 audit_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive audit_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_audit_client_packets',`
+ gen_require(`
+ type audit_client_packet_t;
+ ')
+
+ dontaudit $1 audit_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive audit_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_audit_client_packets',`
+ corenet_send_audit_client_packets($1)
+ corenet_receive_audit_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive audit_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_audit_client_packets',`
+ corenet_dontaudit_send_audit_client_packets($1)
+ corenet_dontaudit_receive_audit_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to audit_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_audit_client_packets',`
+ gen_require(`
+ type audit_client_packet_t;
+ ')
+
+ allow $1 audit_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send audit_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_audit_server_packets',`
+ gen_require(`
+ type audit_server_packet_t;
+ ')
+
+ allow $1 audit_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send audit_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_audit_server_packets',`
+ gen_require(`
+ type audit_server_packet_t;
+ ')
+
+ dontaudit $1 audit_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive audit_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_audit_server_packets',`
+ gen_require(`
+ type audit_server_packet_t;
+ ')
+
+ allow $1 audit_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive audit_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_audit_server_packets',`
+ gen_require(`
+ type audit_server_packet_t;
+ ')
+
+ dontaudit $1 audit_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive audit_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_audit_server_packets',`
+ corenet_send_audit_server_packets($1)
+ corenet_receive_audit_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive audit_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_audit_server_packets',`
+ corenet_dontaudit_send_audit_server_packets($1)
+ corenet_dontaudit_receive_audit_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to audit_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_audit_server_packets',`
+ gen_require(`
+ type audit_server_packet_t;
+ ')
+
+ allow $1 audit_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the auth port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_auth_port',`
+ gen_require(`
+ type auth_port_t;
+ ')
+
+ allow $1 auth_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the auth port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_auth_port',`
+ gen_require(`
+ type auth_port_t;
+ ')
+
+ allow $1 auth_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the auth port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_auth_port',`
+ gen_require(`
+ type auth_port_t;
+ ')
+
+ dontaudit $1 auth_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the auth port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_auth_port',`
+ gen_require(`
+ type auth_port_t;
+ ')
+
+ allow $1 auth_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the auth port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_auth_port',`
+ gen_require(`
+ type auth_port_t;
+ ')
+
+ dontaudit $1 auth_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the auth port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_auth_port',`
+ corenet_udp_send_auth_port($1)
+ corenet_udp_receive_auth_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the auth port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_auth_port',`
+ corenet_dontaudit_udp_send_auth_port($1)
+ corenet_dontaudit_udp_receive_auth_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the auth port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_auth_port',`
+ gen_require(`
+ type auth_port_t;
+ ')
+
+ allow $1 auth_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the auth port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_auth_port',`
+ gen_require(`
+ type auth_port_t;
+ ')
+
+ allow $1 auth_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the auth port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_auth_port',`
+ gen_require(`
+ type auth_port_t;
+ ')
+
+ allow $1 auth_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send auth_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_auth_client_packets',`
+ gen_require(`
+ type auth_client_packet_t;
+ ')
+
+ allow $1 auth_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send auth_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_auth_client_packets',`
+ gen_require(`
+ type auth_client_packet_t;
+ ')
+
+ dontaudit $1 auth_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive auth_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_auth_client_packets',`
+ gen_require(`
+ type auth_client_packet_t;
+ ')
+
+ allow $1 auth_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive auth_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_auth_client_packets',`
+ gen_require(`
+ type auth_client_packet_t;
+ ')
+
+ dontaudit $1 auth_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive auth_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_auth_client_packets',`
+ corenet_send_auth_client_packets($1)
+ corenet_receive_auth_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive auth_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_auth_client_packets',`
+ corenet_dontaudit_send_auth_client_packets($1)
+ corenet_dontaudit_receive_auth_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to auth_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_auth_client_packets',`
+ gen_require(`
+ type auth_client_packet_t;
+ ')
+
+ allow $1 auth_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send auth_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_auth_server_packets',`
+ gen_require(`
+ type auth_server_packet_t;
+ ')
+
+ allow $1 auth_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send auth_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_auth_server_packets',`
+ gen_require(`
+ type auth_server_packet_t;
+ ')
+
+ dontaudit $1 auth_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive auth_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_auth_server_packets',`
+ gen_require(`
+ type auth_server_packet_t;
+ ')
+
+ allow $1 auth_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive auth_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_auth_server_packets',`
+ gen_require(`
+ type auth_server_packet_t;
+ ')
+
+ dontaudit $1 auth_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive auth_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_auth_server_packets',`
+ corenet_send_auth_server_packets($1)
+ corenet_receive_auth_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive auth_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_auth_server_packets',`
+ corenet_dontaudit_send_auth_server_packets($1)
+ corenet_dontaudit_receive_auth_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to auth_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_auth_server_packets',`
+ gen_require(`
+ type auth_server_packet_t;
+ ')
+
+ allow $1 auth_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the bgp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_bgp_port',`
+ gen_require(`
+ type bgp_port_t;
+ ')
+
+ allow $1 bgp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the bgp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_bgp_port',`
+ gen_require(`
+ type bgp_port_t;
+ ')
+
+ allow $1 bgp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the bgp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_bgp_port',`
+ gen_require(`
+ type bgp_port_t;
+ ')
+
+ dontaudit $1 bgp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the bgp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_bgp_port',`
+ gen_require(`
+ type bgp_port_t;
+ ')
+
+ allow $1 bgp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the bgp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_bgp_port',`
+ gen_require(`
+ type bgp_port_t;
+ ')
+
+ dontaudit $1 bgp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the bgp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_bgp_port',`
+ corenet_udp_send_bgp_port($1)
+ corenet_udp_receive_bgp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the bgp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_bgp_port',`
+ corenet_dontaudit_udp_send_bgp_port($1)
+ corenet_dontaudit_udp_receive_bgp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the bgp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_bgp_port',`
+ gen_require(`
+ type bgp_port_t;
+ ')
+
+ allow $1 bgp_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the bgp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_bgp_port',`
+ gen_require(`
+ type bgp_port_t;
+ ')
+
+ allow $1 bgp_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the bgp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_bgp_port',`
+ gen_require(`
+ type bgp_port_t;
+ ')
+
+ allow $1 bgp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send bgp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_bgp_client_packets',`
+ gen_require(`
+ type bgp_client_packet_t;
+ ')
+
+ allow $1 bgp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send bgp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_bgp_client_packets',`
+ gen_require(`
+ type bgp_client_packet_t;
+ ')
+
+ dontaudit $1 bgp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive bgp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_bgp_client_packets',`
+ gen_require(`
+ type bgp_client_packet_t;
+ ')
+
+ allow $1 bgp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive bgp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_bgp_client_packets',`
+ gen_require(`
+ type bgp_client_packet_t;
+ ')
+
+ dontaudit $1 bgp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive bgp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_bgp_client_packets',`
+ corenet_send_bgp_client_packets($1)
+ corenet_receive_bgp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive bgp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_bgp_client_packets',`
+ corenet_dontaudit_send_bgp_client_packets($1)
+ corenet_dontaudit_receive_bgp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to bgp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_bgp_client_packets',`
+ gen_require(`
+ type bgp_client_packet_t;
+ ')
+
+ allow $1 bgp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send bgp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_bgp_server_packets',`
+ gen_require(`
+ type bgp_server_packet_t;
+ ')
+
+ allow $1 bgp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send bgp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_bgp_server_packets',`
+ gen_require(`
+ type bgp_server_packet_t;
+ ')
+
+ dontaudit $1 bgp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive bgp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_bgp_server_packets',`
+ gen_require(`
+ type bgp_server_packet_t;
+ ')
+
+ allow $1 bgp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive bgp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_bgp_server_packets',`
+ gen_require(`
+ type bgp_server_packet_t;
+ ')
+
+ dontaudit $1 bgp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive bgp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_bgp_server_packets',`
+ corenet_send_bgp_server_packets($1)
+ corenet_receive_bgp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive bgp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_bgp_server_packets',`
+ corenet_dontaudit_send_bgp_server_packets($1)
+ corenet_dontaudit_receive_bgp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to bgp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_bgp_server_packets',`
+ gen_require(`
+ type bgp_server_packet_t;
+ ')
+
+ allow $1 bgp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the boinc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_boinc_port',`
+ gen_require(`
+ type boinc_port_t;
+ ')
+
+ allow $1 boinc_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the boinc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_boinc_port',`
+ gen_require(`
+ type boinc_port_t;
+ ')
+
+ allow $1 boinc_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the boinc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_boinc_port',`
+ gen_require(`
+ type boinc_port_t;
+ ')
+
+ dontaudit $1 boinc_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the boinc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_boinc_port',`
+ gen_require(`
+ type boinc_port_t;
+ ')
+
+ allow $1 boinc_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the boinc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_boinc_port',`
+ gen_require(`
+ type boinc_port_t;
+ ')
+
+ dontaudit $1 boinc_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the boinc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_boinc_port',`
+ corenet_udp_send_boinc_port($1)
+ corenet_udp_receive_boinc_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the boinc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_boinc_port',`
+ corenet_dontaudit_udp_send_boinc_port($1)
+ corenet_dontaudit_udp_receive_boinc_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the boinc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_boinc_port',`
+ gen_require(`
+ type boinc_port_t;
+ ')
+
+ allow $1 boinc_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the boinc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_boinc_port',`
+ gen_require(`
+ type boinc_port_t;
+ ')
+
+ allow $1 boinc_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the boinc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_boinc_port',`
+ gen_require(`
+ type boinc_port_t;
+ ')
+
+ allow $1 boinc_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send boinc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_boinc_client_packets',`
+ gen_require(`
+ type boinc_client_packet_t;
+ ')
+
+ allow $1 boinc_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send boinc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_boinc_client_packets',`
+ gen_require(`
+ type boinc_client_packet_t;
+ ')
+
+ dontaudit $1 boinc_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive boinc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_boinc_client_packets',`
+ gen_require(`
+ type boinc_client_packet_t;
+ ')
+
+ allow $1 boinc_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive boinc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_boinc_client_packets',`
+ gen_require(`
+ type boinc_client_packet_t;
+ ')
+
+ dontaudit $1 boinc_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive boinc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_boinc_client_packets',`
+ corenet_send_boinc_client_packets($1)
+ corenet_receive_boinc_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive boinc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_boinc_client_packets',`
+ corenet_dontaudit_send_boinc_client_packets($1)
+ corenet_dontaudit_receive_boinc_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to boinc_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_boinc_client_packets',`
+ gen_require(`
+ type boinc_client_packet_t;
+ ')
+
+ allow $1 boinc_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send boinc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_boinc_server_packets',`
+ gen_require(`
+ type boinc_server_packet_t;
+ ')
+
+ allow $1 boinc_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send boinc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_boinc_server_packets',`
+ gen_require(`
+ type boinc_server_packet_t;
+ ')
+
+ dontaudit $1 boinc_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive boinc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_boinc_server_packets',`
+ gen_require(`
+ type boinc_server_packet_t;
+ ')
+
+ allow $1 boinc_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive boinc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_boinc_server_packets',`
+ gen_require(`
+ type boinc_server_packet_t;
+ ')
+
+ dontaudit $1 boinc_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive boinc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_boinc_server_packets',`
+ corenet_send_boinc_server_packets($1)
+ corenet_receive_boinc_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive boinc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_boinc_server_packets',`
+ corenet_dontaudit_send_boinc_server_packets($1)
+ corenet_dontaudit_receive_boinc_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to boinc_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_boinc_server_packets',`
+ gen_require(`
+ type boinc_server_packet_t;
+ ')
+
+ allow $1 boinc_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the biff port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_biff_port',`
+ gen_require(`
+ type biff_port_t;
+ ')
+
+ allow $1 biff_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the biff port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_biff_port',`
+ gen_require(`
+ type biff_port_t;
+ ')
+
+ allow $1 biff_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the biff port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_biff_port',`
+ gen_require(`
+ type biff_port_t;
+ ')
+
+ dontaudit $1 biff_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the biff port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_biff_port',`
+ gen_require(`
+ type biff_port_t;
+ ')
+
+ allow $1 biff_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the biff port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_biff_port',`
+ gen_require(`
+ type biff_port_t;
+ ')
+
+ dontaudit $1 biff_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the biff port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_biff_port',`
+ corenet_udp_send_biff_port($1)
+ corenet_udp_receive_biff_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the biff port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_biff_port',`
+ corenet_dontaudit_udp_send_biff_port($1)
+ corenet_dontaudit_udp_receive_biff_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the biff port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_biff_port',`
+ gen_require(`
+ type biff_port_t;
+ ')
+
+ allow $1 biff_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the biff port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_biff_port',`
+ gen_require(`
+ type biff_port_t;
+ ')
+
+ allow $1 biff_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the biff port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_biff_port',`
+ gen_require(`
+ type biff_port_t;
+ ')
+
+ allow $1 biff_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send biff_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_biff_client_packets',`
+ gen_require(`
+ type biff_client_packet_t;
+ ')
+
+ allow $1 biff_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send biff_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_biff_client_packets',`
+ gen_require(`
+ type biff_client_packet_t;
+ ')
+
+ dontaudit $1 biff_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive biff_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_biff_client_packets',`
+ gen_require(`
+ type biff_client_packet_t;
+ ')
+
+ allow $1 biff_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive biff_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_biff_client_packets',`
+ gen_require(`
+ type biff_client_packet_t;
+ ')
+
+ dontaudit $1 biff_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive biff_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_biff_client_packets',`
+ corenet_send_biff_client_packets($1)
+ corenet_receive_biff_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive biff_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_biff_client_packets',`
+ corenet_dontaudit_send_biff_client_packets($1)
+ corenet_dontaudit_receive_biff_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to biff_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_biff_client_packets',`
+ gen_require(`
+ type biff_client_packet_t;
+ ')
+
+ allow $1 biff_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send biff_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_biff_server_packets',`
+ gen_require(`
+ type biff_server_packet_t;
+ ')
+
+ allow $1 biff_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send biff_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_biff_server_packets',`
+ gen_require(`
+ type biff_server_packet_t;
+ ')
+
+ dontaudit $1 biff_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive biff_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_biff_server_packets',`
+ gen_require(`
+ type biff_server_packet_t;
+ ')
+
+ allow $1 biff_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive biff_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_biff_server_packets',`
+ gen_require(`
+ type biff_server_packet_t;
+ ')
+
+ dontaudit $1 biff_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive biff_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_biff_server_packets',`
+ corenet_send_biff_server_packets($1)
+ corenet_receive_biff_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive biff_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_biff_server_packets',`
+ corenet_dontaudit_send_biff_server_packets($1)
+ corenet_dontaudit_receive_biff_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to biff_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_biff_server_packets',`
+ gen_require(`
+ type biff_server_packet_t;
+ ')
+
+ allow $1 biff_server_packet_t:packet relabelto;
+')
+
+ # no defined portcon
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the certmaster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_certmaster_port',`
+ gen_require(`
+ type certmaster_port_t;
+ ')
+
+ allow $1 certmaster_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the certmaster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_certmaster_port',`
+ gen_require(`
+ type certmaster_port_t;
+ ')
+
+ allow $1 certmaster_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the certmaster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_certmaster_port',`
+ gen_require(`
+ type certmaster_port_t;
+ ')
+
+ dontaudit $1 certmaster_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the certmaster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_certmaster_port',`
+ gen_require(`
+ type certmaster_port_t;
+ ')
+
+ allow $1 certmaster_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the certmaster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_certmaster_port',`
+ gen_require(`
+ type certmaster_port_t;
+ ')
+
+ dontaudit $1 certmaster_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the certmaster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_certmaster_port',`
+ corenet_udp_send_certmaster_port($1)
+ corenet_udp_receive_certmaster_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the certmaster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_certmaster_port',`
+ corenet_dontaudit_udp_send_certmaster_port($1)
+ corenet_dontaudit_udp_receive_certmaster_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the certmaster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_certmaster_port',`
+ gen_require(`
+ type certmaster_port_t;
+ ')
+
+ allow $1 certmaster_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the certmaster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_certmaster_port',`
+ gen_require(`
+ type certmaster_port_t;
+ ')
+
+ allow $1 certmaster_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the certmaster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_certmaster_port',`
+ gen_require(`
+ type certmaster_port_t;
+ ')
+
+ allow $1 certmaster_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send certmaster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_certmaster_client_packets',`
+ gen_require(`
+ type certmaster_client_packet_t;
+ ')
+
+ allow $1 certmaster_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send certmaster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_certmaster_client_packets',`
+ gen_require(`
+ type certmaster_client_packet_t;
+ ')
+
+ dontaudit $1 certmaster_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive certmaster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_certmaster_client_packets',`
+ gen_require(`
+ type certmaster_client_packet_t;
+ ')
+
+ allow $1 certmaster_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive certmaster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_certmaster_client_packets',`
+ gen_require(`
+ type certmaster_client_packet_t;
+ ')
+
+ dontaudit $1 certmaster_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive certmaster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_certmaster_client_packets',`
+ corenet_send_certmaster_client_packets($1)
+ corenet_receive_certmaster_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive certmaster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_certmaster_client_packets',`
+ corenet_dontaudit_send_certmaster_client_packets($1)
+ corenet_dontaudit_receive_certmaster_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to certmaster_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_certmaster_client_packets',`
+ gen_require(`
+ type certmaster_client_packet_t;
+ ')
+
+ allow $1 certmaster_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send certmaster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_certmaster_server_packets',`
+ gen_require(`
+ type certmaster_server_packet_t;
+ ')
+
+ allow $1 certmaster_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send certmaster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_certmaster_server_packets',`
+ gen_require(`
+ type certmaster_server_packet_t;
+ ')
+
+ dontaudit $1 certmaster_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive certmaster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_certmaster_server_packets',`
+ gen_require(`
+ type certmaster_server_packet_t;
+ ')
+
+ allow $1 certmaster_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive certmaster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_certmaster_server_packets',`
+ gen_require(`
+ type certmaster_server_packet_t;
+ ')
+
+ dontaudit $1 certmaster_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive certmaster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_certmaster_server_packets',`
+ corenet_send_certmaster_server_packets($1)
+ corenet_receive_certmaster_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive certmaster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_certmaster_server_packets',`
+ corenet_dontaudit_send_certmaster_server_packets($1)
+ corenet_dontaudit_receive_certmaster_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to certmaster_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_certmaster_server_packets',`
+ gen_require(`
+ type certmaster_server_packet_t;
+ ')
+
+ allow $1 certmaster_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the chronyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_chronyd_port',`
+ gen_require(`
+ type chronyd_port_t;
+ ')
+
+ allow $1 chronyd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the chronyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_chronyd_port',`
+ gen_require(`
+ type chronyd_port_t;
+ ')
+
+ allow $1 chronyd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the chronyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_chronyd_port',`
+ gen_require(`
+ type chronyd_port_t;
+ ')
+
+ dontaudit $1 chronyd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the chronyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_chronyd_port',`
+ gen_require(`
+ type chronyd_port_t;
+ ')
+
+ allow $1 chronyd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the chronyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_chronyd_port',`
+ gen_require(`
+ type chronyd_port_t;
+ ')
+
+ dontaudit $1 chronyd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the chronyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_chronyd_port',`
+ corenet_udp_send_chronyd_port($1)
+ corenet_udp_receive_chronyd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the chronyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_chronyd_port',`
+ corenet_dontaudit_udp_send_chronyd_port($1)
+ corenet_dontaudit_udp_receive_chronyd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the chronyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_chronyd_port',`
+ gen_require(`
+ type chronyd_port_t;
+ ')
+
+ allow $1 chronyd_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the chronyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_chronyd_port',`
+ gen_require(`
+ type chronyd_port_t;
+ ')
+
+ allow $1 chronyd_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the chronyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_chronyd_port',`
+ gen_require(`
+ type chronyd_port_t;
+ ')
+
+ allow $1 chronyd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send chronyd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_chronyd_client_packets',`
+ gen_require(`
+ type chronyd_client_packet_t;
+ ')
+
+ allow $1 chronyd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send chronyd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_chronyd_client_packets',`
+ gen_require(`
+ type chronyd_client_packet_t;
+ ')
+
+ dontaudit $1 chronyd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive chronyd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_chronyd_client_packets',`
+ gen_require(`
+ type chronyd_client_packet_t;
+ ')
+
+ allow $1 chronyd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive chronyd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_chronyd_client_packets',`
+ gen_require(`
+ type chronyd_client_packet_t;
+ ')
+
+ dontaudit $1 chronyd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive chronyd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_chronyd_client_packets',`
+ corenet_send_chronyd_client_packets($1)
+ corenet_receive_chronyd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive chronyd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_chronyd_client_packets',`
+ corenet_dontaudit_send_chronyd_client_packets($1)
+ corenet_dontaudit_receive_chronyd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to chronyd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_chronyd_client_packets',`
+ gen_require(`
+ type chronyd_client_packet_t;
+ ')
+
+ allow $1 chronyd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send chronyd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_chronyd_server_packets',`
+ gen_require(`
+ type chronyd_server_packet_t;
+ ')
+
+ allow $1 chronyd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send chronyd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_chronyd_server_packets',`
+ gen_require(`
+ type chronyd_server_packet_t;
+ ')
+
+ dontaudit $1 chronyd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive chronyd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_chronyd_server_packets',`
+ gen_require(`
+ type chronyd_server_packet_t;
+ ')
+
+ allow $1 chronyd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive chronyd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_chronyd_server_packets',`
+ gen_require(`
+ type chronyd_server_packet_t;
+ ')
+
+ dontaudit $1 chronyd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive chronyd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_chronyd_server_packets',`
+ corenet_send_chronyd_server_packets($1)
+ corenet_receive_chronyd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive chronyd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_chronyd_server_packets',`
+ corenet_dontaudit_send_chronyd_server_packets($1)
+ corenet_dontaudit_receive_chronyd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to chronyd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_chronyd_server_packets',`
+ gen_require(`
+ type chronyd_server_packet_t;
+ ')
+
+ allow $1 chronyd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the clamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_clamd_port',`
+ gen_require(`
+ type clamd_port_t;
+ ')
+
+ allow $1 clamd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the clamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_clamd_port',`
+ gen_require(`
+ type clamd_port_t;
+ ')
+
+ allow $1 clamd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the clamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_clamd_port',`
+ gen_require(`
+ type clamd_port_t;
+ ')
+
+ dontaudit $1 clamd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the clamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_clamd_port',`
+ gen_require(`
+ type clamd_port_t;
+ ')
+
+ allow $1 clamd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the clamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_clamd_port',`
+ gen_require(`
+ type clamd_port_t;
+ ')
+
+ dontaudit $1 clamd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the clamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_clamd_port',`
+ corenet_udp_send_clamd_port($1)
+ corenet_udp_receive_clamd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the clamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_clamd_port',`
+ corenet_dontaudit_udp_send_clamd_port($1)
+ corenet_dontaudit_udp_receive_clamd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the clamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_clamd_port',`
+ gen_require(`
+ type clamd_port_t;
+ ')
+
+ allow $1 clamd_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the clamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_clamd_port',`
+ gen_require(`
+ type clamd_port_t;
+ ')
+
+ allow $1 clamd_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the clamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_clamd_port',`
+ gen_require(`
+ type clamd_port_t;
+ ')
+
+ allow $1 clamd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send clamd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_clamd_client_packets',`
+ gen_require(`
+ type clamd_client_packet_t;
+ ')
+
+ allow $1 clamd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send clamd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_clamd_client_packets',`
+ gen_require(`
+ type clamd_client_packet_t;
+ ')
+
+ dontaudit $1 clamd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive clamd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_clamd_client_packets',`
+ gen_require(`
+ type clamd_client_packet_t;
+ ')
+
+ allow $1 clamd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive clamd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_clamd_client_packets',`
+ gen_require(`
+ type clamd_client_packet_t;
+ ')
+
+ dontaudit $1 clamd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive clamd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_clamd_client_packets',`
+ corenet_send_clamd_client_packets($1)
+ corenet_receive_clamd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive clamd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_clamd_client_packets',`
+ corenet_dontaudit_send_clamd_client_packets($1)
+ corenet_dontaudit_receive_clamd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to clamd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_clamd_client_packets',`
+ gen_require(`
+ type clamd_client_packet_t;
+ ')
+
+ allow $1 clamd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send clamd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_clamd_server_packets',`
+ gen_require(`
+ type clamd_server_packet_t;
+ ')
+
+ allow $1 clamd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send clamd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_clamd_server_packets',`
+ gen_require(`
+ type clamd_server_packet_t;
+ ')
+
+ dontaudit $1 clamd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive clamd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_clamd_server_packets',`
+ gen_require(`
+ type clamd_server_packet_t;
+ ')
+
+ allow $1 clamd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive clamd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_clamd_server_packets',`
+ gen_require(`
+ type clamd_server_packet_t;
+ ')
+
+ dontaudit $1 clamd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive clamd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_clamd_server_packets',`
+ corenet_send_clamd_server_packets($1)
+ corenet_receive_clamd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive clamd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_clamd_server_packets',`
+ corenet_dontaudit_send_clamd_server_packets($1)
+ corenet_dontaudit_receive_clamd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to clamd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_clamd_server_packets',`
+ gen_require(`
+ type clamd_server_packet_t;
+ ')
+
+ allow $1 clamd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the clockspeed port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_clockspeed_port',`
+ gen_require(`
+ type clockspeed_port_t;
+ ')
+
+ allow $1 clockspeed_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the clockspeed port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_clockspeed_port',`
+ gen_require(`
+ type clockspeed_port_t;
+ ')
+
+ allow $1 clockspeed_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the clockspeed port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_clockspeed_port',`
+ gen_require(`
+ type clockspeed_port_t;
+ ')
+
+ dontaudit $1 clockspeed_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the clockspeed port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_clockspeed_port',`
+ gen_require(`
+ type clockspeed_port_t;
+ ')
+
+ allow $1 clockspeed_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the clockspeed port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_clockspeed_port',`
+ gen_require(`
+ type clockspeed_port_t;
+ ')
+
+ dontaudit $1 clockspeed_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the clockspeed port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_clockspeed_port',`
+ corenet_udp_send_clockspeed_port($1)
+ corenet_udp_receive_clockspeed_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the clockspeed port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_clockspeed_port',`
+ corenet_dontaudit_udp_send_clockspeed_port($1)
+ corenet_dontaudit_udp_receive_clockspeed_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the clockspeed port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_clockspeed_port',`
+ gen_require(`
+ type clockspeed_port_t;
+ ')
+
+ allow $1 clockspeed_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the clockspeed port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_clockspeed_port',`
+ gen_require(`
+ type clockspeed_port_t;
+ ')
+
+ allow $1 clockspeed_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the clockspeed port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_clockspeed_port',`
+ gen_require(`
+ type clockspeed_port_t;
+ ')
+
+ allow $1 clockspeed_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send clockspeed_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_clockspeed_client_packets',`
+ gen_require(`
+ type clockspeed_client_packet_t;
+ ')
+
+ allow $1 clockspeed_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send clockspeed_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_clockspeed_client_packets',`
+ gen_require(`
+ type clockspeed_client_packet_t;
+ ')
+
+ dontaudit $1 clockspeed_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive clockspeed_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_clockspeed_client_packets',`
+ gen_require(`
+ type clockspeed_client_packet_t;
+ ')
+
+ allow $1 clockspeed_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive clockspeed_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_clockspeed_client_packets',`
+ gen_require(`
+ type clockspeed_client_packet_t;
+ ')
+
+ dontaudit $1 clockspeed_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive clockspeed_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_clockspeed_client_packets',`
+ corenet_send_clockspeed_client_packets($1)
+ corenet_receive_clockspeed_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive clockspeed_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_clockspeed_client_packets',`
+ corenet_dontaudit_send_clockspeed_client_packets($1)
+ corenet_dontaudit_receive_clockspeed_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to clockspeed_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_clockspeed_client_packets',`
+ gen_require(`
+ type clockspeed_client_packet_t;
+ ')
+
+ allow $1 clockspeed_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send clockspeed_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_clockspeed_server_packets',`
+ gen_require(`
+ type clockspeed_server_packet_t;
+ ')
+
+ allow $1 clockspeed_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send clockspeed_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_clockspeed_server_packets',`
+ gen_require(`
+ type clockspeed_server_packet_t;
+ ')
+
+ dontaudit $1 clockspeed_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive clockspeed_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_clockspeed_server_packets',`
+ gen_require(`
+ type clockspeed_server_packet_t;
+ ')
+
+ allow $1 clockspeed_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive clockspeed_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_clockspeed_server_packets',`
+ gen_require(`
+ type clockspeed_server_packet_t;
+ ')
+
+ dontaudit $1 clockspeed_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive clockspeed_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_clockspeed_server_packets',`
+ corenet_send_clockspeed_server_packets($1)
+ corenet_receive_clockspeed_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive clockspeed_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_clockspeed_server_packets',`
+ corenet_dontaudit_send_clockspeed_server_packets($1)
+ corenet_dontaudit_receive_clockspeed_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to clockspeed_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_clockspeed_server_packets',`
+ gen_require(`
+ type clockspeed_server_packet_t;
+ ')
+
+ allow $1 clockspeed_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the cluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_cluster_port',`
+ gen_require(`
+ type cluster_port_t;
+ ')
+
+ allow $1 cluster_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the cluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_cluster_port',`
+ gen_require(`
+ type cluster_port_t;
+ ')
+
+ allow $1 cluster_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the cluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_cluster_port',`
+ gen_require(`
+ type cluster_port_t;
+ ')
+
+ dontaudit $1 cluster_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the cluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_cluster_port',`
+ gen_require(`
+ type cluster_port_t;
+ ')
+
+ allow $1 cluster_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the cluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_cluster_port',`
+ gen_require(`
+ type cluster_port_t;
+ ')
+
+ dontaudit $1 cluster_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the cluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_cluster_port',`
+ corenet_udp_send_cluster_port($1)
+ corenet_udp_receive_cluster_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the cluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_cluster_port',`
+ corenet_dontaudit_udp_send_cluster_port($1)
+ corenet_dontaudit_udp_receive_cluster_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the cluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_cluster_port',`
+ gen_require(`
+ type cluster_port_t;
+ ')
+
+ allow $1 cluster_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the cluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_cluster_port',`
+ gen_require(`
+ type cluster_port_t;
+ ')
+
+ allow $1 cluster_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the cluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_cluster_port',`
+ gen_require(`
+ type cluster_port_t;
+ ')
+
+ allow $1 cluster_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send cluster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_cluster_client_packets',`
+ gen_require(`
+ type cluster_client_packet_t;
+ ')
+
+ allow $1 cluster_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send cluster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_cluster_client_packets',`
+ gen_require(`
+ type cluster_client_packet_t;
+ ')
+
+ dontaudit $1 cluster_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive cluster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_cluster_client_packets',`
+ gen_require(`
+ type cluster_client_packet_t;
+ ')
+
+ allow $1 cluster_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive cluster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_cluster_client_packets',`
+ gen_require(`
+ type cluster_client_packet_t;
+ ')
+
+ dontaudit $1 cluster_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive cluster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_cluster_client_packets',`
+ corenet_send_cluster_client_packets($1)
+ corenet_receive_cluster_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive cluster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_cluster_client_packets',`
+ corenet_dontaudit_send_cluster_client_packets($1)
+ corenet_dontaudit_receive_cluster_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to cluster_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_cluster_client_packets',`
+ gen_require(`
+ type cluster_client_packet_t;
+ ')
+
+ allow $1 cluster_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send cluster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_cluster_server_packets',`
+ gen_require(`
+ type cluster_server_packet_t;
+ ')
+
+ allow $1 cluster_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send cluster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_cluster_server_packets',`
+ gen_require(`
+ type cluster_server_packet_t;
+ ')
+
+ dontaudit $1 cluster_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive cluster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_cluster_server_packets',`
+ gen_require(`
+ type cluster_server_packet_t;
+ ')
+
+ allow $1 cluster_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive cluster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_cluster_server_packets',`
+ gen_require(`
+ type cluster_server_packet_t;
+ ')
+
+ dontaudit $1 cluster_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive cluster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_cluster_server_packets',`
+ corenet_send_cluster_server_packets($1)
+ corenet_receive_cluster_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive cluster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_cluster_server_packets',`
+ corenet_dontaudit_send_cluster_server_packets($1)
+ corenet_dontaudit_receive_cluster_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to cluster_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_cluster_server_packets',`
+ gen_require(`
+ type cluster_server_packet_t;
+ ')
+
+ allow $1 cluster_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the cobbler port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_cobbler_port',`
+ gen_require(`
+ type cobbler_port_t;
+ ')
+
+ allow $1 cobbler_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the cobbler port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_cobbler_port',`
+ gen_require(`
+ type cobbler_port_t;
+ ')
+
+ allow $1 cobbler_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the cobbler port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_cobbler_port',`
+ gen_require(`
+ type cobbler_port_t;
+ ')
+
+ dontaudit $1 cobbler_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the cobbler port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_cobbler_port',`
+ gen_require(`
+ type cobbler_port_t;
+ ')
+
+ allow $1 cobbler_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the cobbler port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_cobbler_port',`
+ gen_require(`
+ type cobbler_port_t;
+ ')
+
+ dontaudit $1 cobbler_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the cobbler port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_cobbler_port',`
+ corenet_udp_send_cobbler_port($1)
+ corenet_udp_receive_cobbler_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the cobbler port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_cobbler_port',`
+ corenet_dontaudit_udp_send_cobbler_port($1)
+ corenet_dontaudit_udp_receive_cobbler_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the cobbler port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_cobbler_port',`
+ gen_require(`
+ type cobbler_port_t;
+ ')
+
+ allow $1 cobbler_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the cobbler port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_cobbler_port',`
+ gen_require(`
+ type cobbler_port_t;
+ ')
+
+ allow $1 cobbler_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the cobbler port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_cobbler_port',`
+ gen_require(`
+ type cobbler_port_t;
+ ')
+
+ allow $1 cobbler_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send cobbler_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_cobbler_client_packets',`
+ gen_require(`
+ type cobbler_client_packet_t;
+ ')
+
+ allow $1 cobbler_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send cobbler_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_cobbler_client_packets',`
+ gen_require(`
+ type cobbler_client_packet_t;
+ ')
+
+ dontaudit $1 cobbler_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive cobbler_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_cobbler_client_packets',`
+ gen_require(`
+ type cobbler_client_packet_t;
+ ')
+
+ allow $1 cobbler_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive cobbler_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_cobbler_client_packets',`
+ gen_require(`
+ type cobbler_client_packet_t;
+ ')
+
+ dontaudit $1 cobbler_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive cobbler_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_cobbler_client_packets',`
+ corenet_send_cobbler_client_packets($1)
+ corenet_receive_cobbler_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive cobbler_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_cobbler_client_packets',`
+ corenet_dontaudit_send_cobbler_client_packets($1)
+ corenet_dontaudit_receive_cobbler_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to cobbler_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_cobbler_client_packets',`
+ gen_require(`
+ type cobbler_client_packet_t;
+ ')
+
+ allow $1 cobbler_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send cobbler_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_cobbler_server_packets',`
+ gen_require(`
+ type cobbler_server_packet_t;
+ ')
+
+ allow $1 cobbler_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send cobbler_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_cobbler_server_packets',`
+ gen_require(`
+ type cobbler_server_packet_t;
+ ')
+
+ dontaudit $1 cobbler_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive cobbler_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_cobbler_server_packets',`
+ gen_require(`
+ type cobbler_server_packet_t;
+ ')
+
+ allow $1 cobbler_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive cobbler_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_cobbler_server_packets',`
+ gen_require(`
+ type cobbler_server_packet_t;
+ ')
+
+ dontaudit $1 cobbler_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive cobbler_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_cobbler_server_packets',`
+ corenet_send_cobbler_server_packets($1)
+ corenet_receive_cobbler_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive cobbler_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_cobbler_server_packets',`
+ corenet_dontaudit_send_cobbler_server_packets($1)
+ corenet_dontaudit_receive_cobbler_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to cobbler_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_cobbler_server_packets',`
+ gen_require(`
+ type cobbler_server_packet_t;
+ ')
+
+ allow $1 cobbler_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the comsat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_comsat_port',`
+ gen_require(`
+ type comsat_port_t;
+ ')
+
+ allow $1 comsat_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the comsat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_comsat_port',`
+ gen_require(`
+ type comsat_port_t;
+ ')
+
+ allow $1 comsat_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the comsat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_comsat_port',`
+ gen_require(`
+ type comsat_port_t;
+ ')
+
+ dontaudit $1 comsat_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the comsat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_comsat_port',`
+ gen_require(`
+ type comsat_port_t;
+ ')
+
+ allow $1 comsat_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the comsat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_comsat_port',`
+ gen_require(`
+ type comsat_port_t;
+ ')
+
+ dontaudit $1 comsat_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the comsat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_comsat_port',`
+ corenet_udp_send_comsat_port($1)
+ corenet_udp_receive_comsat_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the comsat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_comsat_port',`
+ corenet_dontaudit_udp_send_comsat_port($1)
+ corenet_dontaudit_udp_receive_comsat_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the comsat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_comsat_port',`
+ gen_require(`
+ type comsat_port_t;
+ ')
+
+ allow $1 comsat_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the comsat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_comsat_port',`
+ gen_require(`
+ type comsat_port_t;
+ ')
+
+ allow $1 comsat_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the comsat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_comsat_port',`
+ gen_require(`
+ type comsat_port_t;
+ ')
+
+ allow $1 comsat_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send comsat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_comsat_client_packets',`
+ gen_require(`
+ type comsat_client_packet_t;
+ ')
+
+ allow $1 comsat_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send comsat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_comsat_client_packets',`
+ gen_require(`
+ type comsat_client_packet_t;
+ ')
+
+ dontaudit $1 comsat_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive comsat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_comsat_client_packets',`
+ gen_require(`
+ type comsat_client_packet_t;
+ ')
+
+ allow $1 comsat_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive comsat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_comsat_client_packets',`
+ gen_require(`
+ type comsat_client_packet_t;
+ ')
+
+ dontaudit $1 comsat_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive comsat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_comsat_client_packets',`
+ corenet_send_comsat_client_packets($1)
+ corenet_receive_comsat_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive comsat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_comsat_client_packets',`
+ corenet_dontaudit_send_comsat_client_packets($1)
+ corenet_dontaudit_receive_comsat_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to comsat_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_comsat_client_packets',`
+ gen_require(`
+ type comsat_client_packet_t;
+ ')
+
+ allow $1 comsat_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send comsat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_comsat_server_packets',`
+ gen_require(`
+ type comsat_server_packet_t;
+ ')
+
+ allow $1 comsat_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send comsat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_comsat_server_packets',`
+ gen_require(`
+ type comsat_server_packet_t;
+ ')
+
+ dontaudit $1 comsat_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive comsat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_comsat_server_packets',`
+ gen_require(`
+ type comsat_server_packet_t;
+ ')
+
+ allow $1 comsat_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive comsat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_comsat_server_packets',`
+ gen_require(`
+ type comsat_server_packet_t;
+ ')
+
+ dontaudit $1 comsat_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive comsat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_comsat_server_packets',`
+ corenet_send_comsat_server_packets($1)
+ corenet_receive_comsat_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive comsat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_comsat_server_packets',`
+ corenet_dontaudit_send_comsat_server_packets($1)
+ corenet_dontaudit_receive_comsat_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to comsat_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_comsat_server_packets',`
+ gen_require(`
+ type comsat_server_packet_t;
+ ')
+
+ allow $1 comsat_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the cvs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_cvs_port',`
+ gen_require(`
+ type cvs_port_t;
+ ')
+
+ allow $1 cvs_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the cvs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_cvs_port',`
+ gen_require(`
+ type cvs_port_t;
+ ')
+
+ allow $1 cvs_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the cvs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_cvs_port',`
+ gen_require(`
+ type cvs_port_t;
+ ')
+
+ dontaudit $1 cvs_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the cvs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_cvs_port',`
+ gen_require(`
+ type cvs_port_t;
+ ')
+
+ allow $1 cvs_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the cvs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_cvs_port',`
+ gen_require(`
+ type cvs_port_t;
+ ')
+
+ dontaudit $1 cvs_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the cvs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_cvs_port',`
+ corenet_udp_send_cvs_port($1)
+ corenet_udp_receive_cvs_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the cvs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_cvs_port',`
+ corenet_dontaudit_udp_send_cvs_port($1)
+ corenet_dontaudit_udp_receive_cvs_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the cvs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_cvs_port',`
+ gen_require(`
+ type cvs_port_t;
+ ')
+
+ allow $1 cvs_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the cvs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_cvs_port',`
+ gen_require(`
+ type cvs_port_t;
+ ')
+
+ allow $1 cvs_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the cvs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_cvs_port',`
+ gen_require(`
+ type cvs_port_t;
+ ')
+
+ allow $1 cvs_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send cvs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_cvs_client_packets',`
+ gen_require(`
+ type cvs_client_packet_t;
+ ')
+
+ allow $1 cvs_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send cvs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_cvs_client_packets',`
+ gen_require(`
+ type cvs_client_packet_t;
+ ')
+
+ dontaudit $1 cvs_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive cvs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_cvs_client_packets',`
+ gen_require(`
+ type cvs_client_packet_t;
+ ')
+
+ allow $1 cvs_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive cvs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_cvs_client_packets',`
+ gen_require(`
+ type cvs_client_packet_t;
+ ')
+
+ dontaudit $1 cvs_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive cvs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_cvs_client_packets',`
+ corenet_send_cvs_client_packets($1)
+ corenet_receive_cvs_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive cvs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_cvs_client_packets',`
+ corenet_dontaudit_send_cvs_client_packets($1)
+ corenet_dontaudit_receive_cvs_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to cvs_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_cvs_client_packets',`
+ gen_require(`
+ type cvs_client_packet_t;
+ ')
+
+ allow $1 cvs_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send cvs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_cvs_server_packets',`
+ gen_require(`
+ type cvs_server_packet_t;
+ ')
+
+ allow $1 cvs_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send cvs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_cvs_server_packets',`
+ gen_require(`
+ type cvs_server_packet_t;
+ ')
+
+ dontaudit $1 cvs_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive cvs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_cvs_server_packets',`
+ gen_require(`
+ type cvs_server_packet_t;
+ ')
+
+ allow $1 cvs_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive cvs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_cvs_server_packets',`
+ gen_require(`
+ type cvs_server_packet_t;
+ ')
+
+ dontaudit $1 cvs_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive cvs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_cvs_server_packets',`
+ corenet_send_cvs_server_packets($1)
+ corenet_receive_cvs_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive cvs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_cvs_server_packets',`
+ corenet_dontaudit_send_cvs_server_packets($1)
+ corenet_dontaudit_receive_cvs_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to cvs_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_cvs_server_packets',`
+ gen_require(`
+ type cvs_server_packet_t;
+ ')
+
+ allow $1 cvs_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the cyphesis port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_cyphesis_port',`
+ gen_require(`
+ type cyphesis_port_t;
+ ')
+
+ allow $1 cyphesis_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the cyphesis port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_cyphesis_port',`
+ gen_require(`
+ type cyphesis_port_t;
+ ')
+
+ allow $1 cyphesis_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the cyphesis port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_cyphesis_port',`
+ gen_require(`
+ type cyphesis_port_t;
+ ')
+
+ dontaudit $1 cyphesis_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the cyphesis port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_cyphesis_port',`
+ gen_require(`
+ type cyphesis_port_t;
+ ')
+
+ allow $1 cyphesis_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the cyphesis port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_cyphesis_port',`
+ gen_require(`
+ type cyphesis_port_t;
+ ')
+
+ dontaudit $1 cyphesis_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the cyphesis port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_cyphesis_port',`
+ corenet_udp_send_cyphesis_port($1)
+ corenet_udp_receive_cyphesis_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the cyphesis port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_cyphesis_port',`
+ corenet_dontaudit_udp_send_cyphesis_port($1)
+ corenet_dontaudit_udp_receive_cyphesis_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the cyphesis port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_cyphesis_port',`
+ gen_require(`
+ type cyphesis_port_t;
+ ')
+
+ allow $1 cyphesis_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the cyphesis port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_cyphesis_port',`
+ gen_require(`
+ type cyphesis_port_t;
+ ')
+
+ allow $1 cyphesis_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the cyphesis port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_cyphesis_port',`
+ gen_require(`
+ type cyphesis_port_t;
+ ')
+
+ allow $1 cyphesis_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send cyphesis_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_cyphesis_client_packets',`
+ gen_require(`
+ type cyphesis_client_packet_t;
+ ')
+
+ allow $1 cyphesis_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send cyphesis_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_cyphesis_client_packets',`
+ gen_require(`
+ type cyphesis_client_packet_t;
+ ')
+
+ dontaudit $1 cyphesis_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive cyphesis_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_cyphesis_client_packets',`
+ gen_require(`
+ type cyphesis_client_packet_t;
+ ')
+
+ allow $1 cyphesis_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive cyphesis_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_cyphesis_client_packets',`
+ gen_require(`
+ type cyphesis_client_packet_t;
+ ')
+
+ dontaudit $1 cyphesis_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive cyphesis_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_cyphesis_client_packets',`
+ corenet_send_cyphesis_client_packets($1)
+ corenet_receive_cyphesis_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive cyphesis_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_cyphesis_client_packets',`
+ corenet_dontaudit_send_cyphesis_client_packets($1)
+ corenet_dontaudit_receive_cyphesis_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to cyphesis_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_cyphesis_client_packets',`
+ gen_require(`
+ type cyphesis_client_packet_t;
+ ')
+
+ allow $1 cyphesis_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send cyphesis_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_cyphesis_server_packets',`
+ gen_require(`
+ type cyphesis_server_packet_t;
+ ')
+
+ allow $1 cyphesis_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send cyphesis_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_cyphesis_server_packets',`
+ gen_require(`
+ type cyphesis_server_packet_t;
+ ')
+
+ dontaudit $1 cyphesis_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive cyphesis_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_cyphesis_server_packets',`
+ gen_require(`
+ type cyphesis_server_packet_t;
+ ')
+
+ allow $1 cyphesis_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive cyphesis_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_cyphesis_server_packets',`
+ gen_require(`
+ type cyphesis_server_packet_t;
+ ')
+
+ dontaudit $1 cyphesis_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive cyphesis_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_cyphesis_server_packets',`
+ corenet_send_cyphesis_server_packets($1)
+ corenet_receive_cyphesis_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive cyphesis_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_cyphesis_server_packets',`
+ corenet_dontaudit_send_cyphesis_server_packets($1)
+ corenet_dontaudit_receive_cyphesis_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to cyphesis_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_cyphesis_server_packets',`
+ gen_require(`
+ type cyphesis_server_packet_t;
+ ')
+
+ allow $1 cyphesis_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the daap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_daap_port',`
+ gen_require(`
+ type daap_port_t;
+ ')
+
+ allow $1 daap_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the daap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_daap_port',`
+ gen_require(`
+ type daap_port_t;
+ ')
+
+ allow $1 daap_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the daap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_daap_port',`
+ gen_require(`
+ type daap_port_t;
+ ')
+
+ dontaudit $1 daap_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the daap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_daap_port',`
+ gen_require(`
+ type daap_port_t;
+ ')
+
+ allow $1 daap_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the daap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_daap_port',`
+ gen_require(`
+ type daap_port_t;
+ ')
+
+ dontaudit $1 daap_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the daap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_daap_port',`
+ corenet_udp_send_daap_port($1)
+ corenet_udp_receive_daap_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the daap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_daap_port',`
+ corenet_dontaudit_udp_send_daap_port($1)
+ corenet_dontaudit_udp_receive_daap_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the daap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_daap_port',`
+ gen_require(`
+ type daap_port_t;
+ ')
+
+ allow $1 daap_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the daap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_daap_port',`
+ gen_require(`
+ type daap_port_t;
+ ')
+
+ allow $1 daap_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the daap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_daap_port',`
+ gen_require(`
+ type daap_port_t;
+ ')
+
+ allow $1 daap_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send daap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_daap_client_packets',`
+ gen_require(`
+ type daap_client_packet_t;
+ ')
+
+ allow $1 daap_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send daap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_daap_client_packets',`
+ gen_require(`
+ type daap_client_packet_t;
+ ')
+
+ dontaudit $1 daap_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive daap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_daap_client_packets',`
+ gen_require(`
+ type daap_client_packet_t;
+ ')
+
+ allow $1 daap_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive daap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_daap_client_packets',`
+ gen_require(`
+ type daap_client_packet_t;
+ ')
+
+ dontaudit $1 daap_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive daap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_daap_client_packets',`
+ corenet_send_daap_client_packets($1)
+ corenet_receive_daap_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive daap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_daap_client_packets',`
+ corenet_dontaudit_send_daap_client_packets($1)
+ corenet_dontaudit_receive_daap_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to daap_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_daap_client_packets',`
+ gen_require(`
+ type daap_client_packet_t;
+ ')
+
+ allow $1 daap_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send daap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_daap_server_packets',`
+ gen_require(`
+ type daap_server_packet_t;
+ ')
+
+ allow $1 daap_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send daap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_daap_server_packets',`
+ gen_require(`
+ type daap_server_packet_t;
+ ')
+
+ dontaudit $1 daap_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive daap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_daap_server_packets',`
+ gen_require(`
+ type daap_server_packet_t;
+ ')
+
+ allow $1 daap_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive daap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_daap_server_packets',`
+ gen_require(`
+ type daap_server_packet_t;
+ ')
+
+ dontaudit $1 daap_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive daap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_daap_server_packets',`
+ corenet_send_daap_server_packets($1)
+ corenet_receive_daap_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive daap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_daap_server_packets',`
+ corenet_dontaudit_send_daap_server_packets($1)
+ corenet_dontaudit_receive_daap_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to daap_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_daap_server_packets',`
+ gen_require(`
+ type daap_server_packet_t;
+ ')
+
+ allow $1 daap_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the dbskkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_dbskkd_port',`
+ gen_require(`
+ type dbskkd_port_t;
+ ')
+
+ allow $1 dbskkd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the dbskkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_dbskkd_port',`
+ gen_require(`
+ type dbskkd_port_t;
+ ')
+
+ allow $1 dbskkd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the dbskkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_dbskkd_port',`
+ gen_require(`
+ type dbskkd_port_t;
+ ')
+
+ dontaudit $1 dbskkd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the dbskkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_dbskkd_port',`
+ gen_require(`
+ type dbskkd_port_t;
+ ')
+
+ allow $1 dbskkd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the dbskkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_dbskkd_port',`
+ gen_require(`
+ type dbskkd_port_t;
+ ')
+
+ dontaudit $1 dbskkd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the dbskkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_dbskkd_port',`
+ corenet_udp_send_dbskkd_port($1)
+ corenet_udp_receive_dbskkd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the dbskkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_dbskkd_port',`
+ corenet_dontaudit_udp_send_dbskkd_port($1)
+ corenet_dontaudit_udp_receive_dbskkd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the dbskkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_dbskkd_port',`
+ gen_require(`
+ type dbskkd_port_t;
+ ')
+
+ allow $1 dbskkd_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the dbskkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_dbskkd_port',`
+ gen_require(`
+ type dbskkd_port_t;
+ ')
+
+ allow $1 dbskkd_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the dbskkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_dbskkd_port',`
+ gen_require(`
+ type dbskkd_port_t;
+ ')
+
+ allow $1 dbskkd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send dbskkd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_dbskkd_client_packets',`
+ gen_require(`
+ type dbskkd_client_packet_t;
+ ')
+
+ allow $1 dbskkd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send dbskkd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_dbskkd_client_packets',`
+ gen_require(`
+ type dbskkd_client_packet_t;
+ ')
+
+ dontaudit $1 dbskkd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive dbskkd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_dbskkd_client_packets',`
+ gen_require(`
+ type dbskkd_client_packet_t;
+ ')
+
+ allow $1 dbskkd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive dbskkd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_dbskkd_client_packets',`
+ gen_require(`
+ type dbskkd_client_packet_t;
+ ')
+
+ dontaudit $1 dbskkd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive dbskkd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_dbskkd_client_packets',`
+ corenet_send_dbskkd_client_packets($1)
+ corenet_receive_dbskkd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive dbskkd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_dbskkd_client_packets',`
+ corenet_dontaudit_send_dbskkd_client_packets($1)
+ corenet_dontaudit_receive_dbskkd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to dbskkd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_dbskkd_client_packets',`
+ gen_require(`
+ type dbskkd_client_packet_t;
+ ')
+
+ allow $1 dbskkd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send dbskkd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_dbskkd_server_packets',`
+ gen_require(`
+ type dbskkd_server_packet_t;
+ ')
+
+ allow $1 dbskkd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send dbskkd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_dbskkd_server_packets',`
+ gen_require(`
+ type dbskkd_server_packet_t;
+ ')
+
+ dontaudit $1 dbskkd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive dbskkd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_dbskkd_server_packets',`
+ gen_require(`
+ type dbskkd_server_packet_t;
+ ')
+
+ allow $1 dbskkd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive dbskkd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_dbskkd_server_packets',`
+ gen_require(`
+ type dbskkd_server_packet_t;
+ ')
+
+ dontaudit $1 dbskkd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive dbskkd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_dbskkd_server_packets',`
+ corenet_send_dbskkd_server_packets($1)
+ corenet_receive_dbskkd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive dbskkd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_dbskkd_server_packets',`
+ corenet_dontaudit_send_dbskkd_server_packets($1)
+ corenet_dontaudit_receive_dbskkd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to dbskkd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_dbskkd_server_packets',`
+ gen_require(`
+ type dbskkd_server_packet_t;
+ ')
+
+ allow $1 dbskkd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the dcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_dcc_port',`
+ gen_require(`
+ type dcc_port_t;
+ ')
+
+ allow $1 dcc_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the dcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_dcc_port',`
+ gen_require(`
+ type dcc_port_t;
+ ')
+
+ allow $1 dcc_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the dcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_dcc_port',`
+ gen_require(`
+ type dcc_port_t;
+ ')
+
+ dontaudit $1 dcc_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the dcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_dcc_port',`
+ gen_require(`
+ type dcc_port_t;
+ ')
+
+ allow $1 dcc_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the dcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_dcc_port',`
+ gen_require(`
+ type dcc_port_t;
+ ')
+
+ dontaudit $1 dcc_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the dcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_dcc_port',`
+ corenet_udp_send_dcc_port($1)
+ corenet_udp_receive_dcc_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the dcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_dcc_port',`
+ corenet_dontaudit_udp_send_dcc_port($1)
+ corenet_dontaudit_udp_receive_dcc_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the dcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_dcc_port',`
+ gen_require(`
+ type dcc_port_t;
+ ')
+
+ allow $1 dcc_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the dcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_dcc_port',`
+ gen_require(`
+ type dcc_port_t;
+ ')
+
+ allow $1 dcc_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the dcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_dcc_port',`
+ gen_require(`
+ type dcc_port_t;
+ ')
+
+ allow $1 dcc_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send dcc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_dcc_client_packets',`
+ gen_require(`
+ type dcc_client_packet_t;
+ ')
+
+ allow $1 dcc_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send dcc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_dcc_client_packets',`
+ gen_require(`
+ type dcc_client_packet_t;
+ ')
+
+ dontaudit $1 dcc_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive dcc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_dcc_client_packets',`
+ gen_require(`
+ type dcc_client_packet_t;
+ ')
+
+ allow $1 dcc_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive dcc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_dcc_client_packets',`
+ gen_require(`
+ type dcc_client_packet_t;
+ ')
+
+ dontaudit $1 dcc_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive dcc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_dcc_client_packets',`
+ corenet_send_dcc_client_packets($1)
+ corenet_receive_dcc_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive dcc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_dcc_client_packets',`
+ corenet_dontaudit_send_dcc_client_packets($1)
+ corenet_dontaudit_receive_dcc_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to dcc_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_dcc_client_packets',`
+ gen_require(`
+ type dcc_client_packet_t;
+ ')
+
+ allow $1 dcc_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send dcc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_dcc_server_packets',`
+ gen_require(`
+ type dcc_server_packet_t;
+ ')
+
+ allow $1 dcc_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send dcc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_dcc_server_packets',`
+ gen_require(`
+ type dcc_server_packet_t;
+ ')
+
+ dontaudit $1 dcc_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive dcc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_dcc_server_packets',`
+ gen_require(`
+ type dcc_server_packet_t;
+ ')
+
+ allow $1 dcc_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive dcc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_dcc_server_packets',`
+ gen_require(`
+ type dcc_server_packet_t;
+ ')
+
+ dontaudit $1 dcc_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive dcc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_dcc_server_packets',`
+ corenet_send_dcc_server_packets($1)
+ corenet_receive_dcc_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive dcc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_dcc_server_packets',`
+ corenet_dontaudit_send_dcc_server_packets($1)
+ corenet_dontaudit_receive_dcc_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to dcc_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_dcc_server_packets',`
+ gen_require(`
+ type dcc_server_packet_t;
+ ')
+
+ allow $1 dcc_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the dccm port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_dccm_port',`
+ gen_require(`
+ type dccm_port_t;
+ ')
+
+ allow $1 dccm_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the dccm port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_dccm_port',`
+ gen_require(`
+ type dccm_port_t;
+ ')
+
+ allow $1 dccm_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the dccm port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_dccm_port',`
+ gen_require(`
+ type dccm_port_t;
+ ')
+
+ dontaudit $1 dccm_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the dccm port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_dccm_port',`
+ gen_require(`
+ type dccm_port_t;
+ ')
+
+ allow $1 dccm_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the dccm port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_dccm_port',`
+ gen_require(`
+ type dccm_port_t;
+ ')
+
+ dontaudit $1 dccm_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the dccm port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_dccm_port',`
+ corenet_udp_send_dccm_port($1)
+ corenet_udp_receive_dccm_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the dccm port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_dccm_port',`
+ corenet_dontaudit_udp_send_dccm_port($1)
+ corenet_dontaudit_udp_receive_dccm_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the dccm port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_dccm_port',`
+ gen_require(`
+ type dccm_port_t;
+ ')
+
+ allow $1 dccm_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the dccm port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_dccm_port',`
+ gen_require(`
+ type dccm_port_t;
+ ')
+
+ allow $1 dccm_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the dccm port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_dccm_port',`
+ gen_require(`
+ type dccm_port_t;
+ ')
+
+ allow $1 dccm_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send dccm_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_dccm_client_packets',`
+ gen_require(`
+ type dccm_client_packet_t;
+ ')
+
+ allow $1 dccm_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send dccm_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_dccm_client_packets',`
+ gen_require(`
+ type dccm_client_packet_t;
+ ')
+
+ dontaudit $1 dccm_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive dccm_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_dccm_client_packets',`
+ gen_require(`
+ type dccm_client_packet_t;
+ ')
+
+ allow $1 dccm_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive dccm_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_dccm_client_packets',`
+ gen_require(`
+ type dccm_client_packet_t;
+ ')
+
+ dontaudit $1 dccm_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive dccm_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_dccm_client_packets',`
+ corenet_send_dccm_client_packets($1)
+ corenet_receive_dccm_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive dccm_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_dccm_client_packets',`
+ corenet_dontaudit_send_dccm_client_packets($1)
+ corenet_dontaudit_receive_dccm_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to dccm_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_dccm_client_packets',`
+ gen_require(`
+ type dccm_client_packet_t;
+ ')
+
+ allow $1 dccm_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send dccm_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_dccm_server_packets',`
+ gen_require(`
+ type dccm_server_packet_t;
+ ')
+
+ allow $1 dccm_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send dccm_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_dccm_server_packets',`
+ gen_require(`
+ type dccm_server_packet_t;
+ ')
+
+ dontaudit $1 dccm_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive dccm_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_dccm_server_packets',`
+ gen_require(`
+ type dccm_server_packet_t;
+ ')
+
+ allow $1 dccm_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive dccm_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_dccm_server_packets',`
+ gen_require(`
+ type dccm_server_packet_t;
+ ')
+
+ dontaudit $1 dccm_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive dccm_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_dccm_server_packets',`
+ corenet_send_dccm_server_packets($1)
+ corenet_receive_dccm_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive dccm_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_dccm_server_packets',`
+ corenet_dontaudit_send_dccm_server_packets($1)
+ corenet_dontaudit_receive_dccm_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to dccm_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_dccm_server_packets',`
+ gen_require(`
+ type dccm_server_packet_t;
+ ')
+
+ allow $1 dccm_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the dhcpc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_dhcpc_port',`
+ gen_require(`
+ type dhcpc_port_t;
+ ')
+
+ allow $1 dhcpc_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the dhcpc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_dhcpc_port',`
+ gen_require(`
+ type dhcpc_port_t;
+ ')
+
+ allow $1 dhcpc_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the dhcpc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_dhcpc_port',`
+ gen_require(`
+ type dhcpc_port_t;
+ ')
+
+ dontaudit $1 dhcpc_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the dhcpc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_dhcpc_port',`
+ gen_require(`
+ type dhcpc_port_t;
+ ')
+
+ allow $1 dhcpc_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the dhcpc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_dhcpc_port',`
+ gen_require(`
+ type dhcpc_port_t;
+ ')
+
+ dontaudit $1 dhcpc_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the dhcpc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_dhcpc_port',`
+ corenet_udp_send_dhcpc_port($1)
+ corenet_udp_receive_dhcpc_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the dhcpc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_dhcpc_port',`
+ corenet_dontaudit_udp_send_dhcpc_port($1)
+ corenet_dontaudit_udp_receive_dhcpc_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the dhcpc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_dhcpc_port',`
+ gen_require(`
+ type dhcpc_port_t;
+ ')
+
+ allow $1 dhcpc_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the dhcpc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_dhcpc_port',`
+ gen_require(`
+ type dhcpc_port_t;
+ ')
+
+ allow $1 dhcpc_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the dhcpc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_dhcpc_port',`
+ gen_require(`
+ type dhcpc_port_t;
+ ')
+
+ allow $1 dhcpc_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send dhcpc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_dhcpc_client_packets',`
+ gen_require(`
+ type dhcpc_client_packet_t;
+ ')
+
+ allow $1 dhcpc_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send dhcpc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_dhcpc_client_packets',`
+ gen_require(`
+ type dhcpc_client_packet_t;
+ ')
+
+ dontaudit $1 dhcpc_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive dhcpc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_dhcpc_client_packets',`
+ gen_require(`
+ type dhcpc_client_packet_t;
+ ')
+
+ allow $1 dhcpc_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive dhcpc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_dhcpc_client_packets',`
+ gen_require(`
+ type dhcpc_client_packet_t;
+ ')
+
+ dontaudit $1 dhcpc_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive dhcpc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_dhcpc_client_packets',`
+ corenet_send_dhcpc_client_packets($1)
+ corenet_receive_dhcpc_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive dhcpc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_dhcpc_client_packets',`
+ corenet_dontaudit_send_dhcpc_client_packets($1)
+ corenet_dontaudit_receive_dhcpc_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to dhcpc_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_dhcpc_client_packets',`
+ gen_require(`
+ type dhcpc_client_packet_t;
+ ')
+
+ allow $1 dhcpc_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send dhcpc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_dhcpc_server_packets',`
+ gen_require(`
+ type dhcpc_server_packet_t;
+ ')
+
+ allow $1 dhcpc_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send dhcpc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_dhcpc_server_packets',`
+ gen_require(`
+ type dhcpc_server_packet_t;
+ ')
+
+ dontaudit $1 dhcpc_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive dhcpc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_dhcpc_server_packets',`
+ gen_require(`
+ type dhcpc_server_packet_t;
+ ')
+
+ allow $1 dhcpc_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive dhcpc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_dhcpc_server_packets',`
+ gen_require(`
+ type dhcpc_server_packet_t;
+ ')
+
+ dontaudit $1 dhcpc_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive dhcpc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_dhcpc_server_packets',`
+ corenet_send_dhcpc_server_packets($1)
+ corenet_receive_dhcpc_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive dhcpc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_dhcpc_server_packets',`
+ corenet_dontaudit_send_dhcpc_server_packets($1)
+ corenet_dontaudit_receive_dhcpc_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to dhcpc_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_dhcpc_server_packets',`
+ gen_require(`
+ type dhcpc_server_packet_t;
+ ')
+
+ allow $1 dhcpc_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the dhcpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_dhcpd_port',`
+ gen_require(`
+ type dhcpd_port_t;
+ ')
+
+ allow $1 dhcpd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the dhcpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_dhcpd_port',`
+ gen_require(`
+ type dhcpd_port_t;
+ ')
+
+ allow $1 dhcpd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the dhcpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_dhcpd_port',`
+ gen_require(`
+ type dhcpd_port_t;
+ ')
+
+ dontaudit $1 dhcpd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the dhcpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_dhcpd_port',`
+ gen_require(`
+ type dhcpd_port_t;
+ ')
+
+ allow $1 dhcpd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the dhcpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_dhcpd_port',`
+ gen_require(`
+ type dhcpd_port_t;
+ ')
+
+ dontaudit $1 dhcpd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the dhcpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_dhcpd_port',`
+ corenet_udp_send_dhcpd_port($1)
+ corenet_udp_receive_dhcpd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the dhcpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_dhcpd_port',`
+ corenet_dontaudit_udp_send_dhcpd_port($1)
+ corenet_dontaudit_udp_receive_dhcpd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the dhcpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_dhcpd_port',`
+ gen_require(`
+ type dhcpd_port_t;
+ ')
+
+ allow $1 dhcpd_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the dhcpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_dhcpd_port',`
+ gen_require(`
+ type dhcpd_port_t;
+ ')
+
+ allow $1 dhcpd_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the dhcpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_dhcpd_port',`
+ gen_require(`
+ type dhcpd_port_t;
+ ')
+
+ allow $1 dhcpd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send dhcpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_dhcpd_client_packets',`
+ gen_require(`
+ type dhcpd_client_packet_t;
+ ')
+
+ allow $1 dhcpd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send dhcpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_dhcpd_client_packets',`
+ gen_require(`
+ type dhcpd_client_packet_t;
+ ')
+
+ dontaudit $1 dhcpd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive dhcpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_dhcpd_client_packets',`
+ gen_require(`
+ type dhcpd_client_packet_t;
+ ')
+
+ allow $1 dhcpd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive dhcpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_dhcpd_client_packets',`
+ gen_require(`
+ type dhcpd_client_packet_t;
+ ')
+
+ dontaudit $1 dhcpd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive dhcpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_dhcpd_client_packets',`
+ corenet_send_dhcpd_client_packets($1)
+ corenet_receive_dhcpd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive dhcpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_dhcpd_client_packets',`
+ corenet_dontaudit_send_dhcpd_client_packets($1)
+ corenet_dontaudit_receive_dhcpd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to dhcpd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_dhcpd_client_packets',`
+ gen_require(`
+ type dhcpd_client_packet_t;
+ ')
+
+ allow $1 dhcpd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send dhcpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_dhcpd_server_packets',`
+ gen_require(`
+ type dhcpd_server_packet_t;
+ ')
+
+ allow $1 dhcpd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send dhcpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_dhcpd_server_packets',`
+ gen_require(`
+ type dhcpd_server_packet_t;
+ ')
+
+ dontaudit $1 dhcpd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive dhcpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_dhcpd_server_packets',`
+ gen_require(`
+ type dhcpd_server_packet_t;
+ ')
+
+ allow $1 dhcpd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive dhcpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_dhcpd_server_packets',`
+ gen_require(`
+ type dhcpd_server_packet_t;
+ ')
+
+ dontaudit $1 dhcpd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive dhcpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_dhcpd_server_packets',`
+ corenet_send_dhcpd_server_packets($1)
+ corenet_receive_dhcpd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive dhcpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_dhcpd_server_packets',`
+ corenet_dontaudit_send_dhcpd_server_packets($1)
+ corenet_dontaudit_receive_dhcpd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to dhcpd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_dhcpd_server_packets',`
+ gen_require(`
+ type dhcpd_server_packet_t;
+ ')
+
+ allow $1 dhcpd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the dict port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_dict_port',`
+ gen_require(`
+ type dict_port_t;
+ ')
+
+ allow $1 dict_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the dict port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_dict_port',`
+ gen_require(`
+ type dict_port_t;
+ ')
+
+ allow $1 dict_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the dict port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_dict_port',`
+ gen_require(`
+ type dict_port_t;
+ ')
+
+ dontaudit $1 dict_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the dict port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_dict_port',`
+ gen_require(`
+ type dict_port_t;
+ ')
+
+ allow $1 dict_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the dict port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_dict_port',`
+ gen_require(`
+ type dict_port_t;
+ ')
+
+ dontaudit $1 dict_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the dict port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_dict_port',`
+ corenet_udp_send_dict_port($1)
+ corenet_udp_receive_dict_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the dict port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_dict_port',`
+ corenet_dontaudit_udp_send_dict_port($1)
+ corenet_dontaudit_udp_receive_dict_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the dict port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_dict_port',`
+ gen_require(`
+ type dict_port_t;
+ ')
+
+ allow $1 dict_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the dict port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_dict_port',`
+ gen_require(`
+ type dict_port_t;
+ ')
+
+ allow $1 dict_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the dict port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_dict_port',`
+ gen_require(`
+ type dict_port_t;
+ ')
+
+ allow $1 dict_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send dict_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_dict_client_packets',`
+ gen_require(`
+ type dict_client_packet_t;
+ ')
+
+ allow $1 dict_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send dict_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_dict_client_packets',`
+ gen_require(`
+ type dict_client_packet_t;
+ ')
+
+ dontaudit $1 dict_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive dict_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_dict_client_packets',`
+ gen_require(`
+ type dict_client_packet_t;
+ ')
+
+ allow $1 dict_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive dict_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_dict_client_packets',`
+ gen_require(`
+ type dict_client_packet_t;
+ ')
+
+ dontaudit $1 dict_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive dict_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_dict_client_packets',`
+ corenet_send_dict_client_packets($1)
+ corenet_receive_dict_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive dict_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_dict_client_packets',`
+ corenet_dontaudit_send_dict_client_packets($1)
+ corenet_dontaudit_receive_dict_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to dict_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_dict_client_packets',`
+ gen_require(`
+ type dict_client_packet_t;
+ ')
+
+ allow $1 dict_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send dict_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_dict_server_packets',`
+ gen_require(`
+ type dict_server_packet_t;
+ ')
+
+ allow $1 dict_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send dict_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_dict_server_packets',`
+ gen_require(`
+ type dict_server_packet_t;
+ ')
+
+ dontaudit $1 dict_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive dict_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_dict_server_packets',`
+ gen_require(`
+ type dict_server_packet_t;
+ ')
+
+ allow $1 dict_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive dict_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_dict_server_packets',`
+ gen_require(`
+ type dict_server_packet_t;
+ ')
+
+ dontaudit $1 dict_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive dict_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_dict_server_packets',`
+ corenet_send_dict_server_packets($1)
+ corenet_receive_dict_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive dict_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_dict_server_packets',`
+ corenet_dontaudit_send_dict_server_packets($1)
+ corenet_dontaudit_receive_dict_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to dict_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_dict_server_packets',`
+ gen_require(`
+ type dict_server_packet_t;
+ ')
+
+ allow $1 dict_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the distccd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_distccd_port',`
+ gen_require(`
+ type distccd_port_t;
+ ')
+
+ allow $1 distccd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the distccd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_distccd_port',`
+ gen_require(`
+ type distccd_port_t;
+ ')
+
+ allow $1 distccd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the distccd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_distccd_port',`
+ gen_require(`
+ type distccd_port_t;
+ ')
+
+ dontaudit $1 distccd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the distccd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_distccd_port',`
+ gen_require(`
+ type distccd_port_t;
+ ')
+
+ allow $1 distccd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the distccd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_distccd_port',`
+ gen_require(`
+ type distccd_port_t;
+ ')
+
+ dontaudit $1 distccd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the distccd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_distccd_port',`
+ corenet_udp_send_distccd_port($1)
+ corenet_udp_receive_distccd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the distccd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_distccd_port',`
+ corenet_dontaudit_udp_send_distccd_port($1)
+ corenet_dontaudit_udp_receive_distccd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the distccd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_distccd_port',`
+ gen_require(`
+ type distccd_port_t;
+ ')
+
+ allow $1 distccd_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the distccd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_distccd_port',`
+ gen_require(`
+ type distccd_port_t;
+ ')
+
+ allow $1 distccd_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the distccd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_distccd_port',`
+ gen_require(`
+ type distccd_port_t;
+ ')
+
+ allow $1 distccd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send distccd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_distccd_client_packets',`
+ gen_require(`
+ type distccd_client_packet_t;
+ ')
+
+ allow $1 distccd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send distccd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_distccd_client_packets',`
+ gen_require(`
+ type distccd_client_packet_t;
+ ')
+
+ dontaudit $1 distccd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive distccd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_distccd_client_packets',`
+ gen_require(`
+ type distccd_client_packet_t;
+ ')
+
+ allow $1 distccd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive distccd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_distccd_client_packets',`
+ gen_require(`
+ type distccd_client_packet_t;
+ ')
+
+ dontaudit $1 distccd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive distccd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_distccd_client_packets',`
+ corenet_send_distccd_client_packets($1)
+ corenet_receive_distccd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive distccd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_distccd_client_packets',`
+ corenet_dontaudit_send_distccd_client_packets($1)
+ corenet_dontaudit_receive_distccd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to distccd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_distccd_client_packets',`
+ gen_require(`
+ type distccd_client_packet_t;
+ ')
+
+ allow $1 distccd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send distccd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_distccd_server_packets',`
+ gen_require(`
+ type distccd_server_packet_t;
+ ')
+
+ allow $1 distccd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send distccd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_distccd_server_packets',`
+ gen_require(`
+ type distccd_server_packet_t;
+ ')
+
+ dontaudit $1 distccd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive distccd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_distccd_server_packets',`
+ gen_require(`
+ type distccd_server_packet_t;
+ ')
+
+ allow $1 distccd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive distccd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_distccd_server_packets',`
+ gen_require(`
+ type distccd_server_packet_t;
+ ')
+
+ dontaudit $1 distccd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive distccd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_distccd_server_packets',`
+ corenet_send_distccd_server_packets($1)
+ corenet_receive_distccd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive distccd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_distccd_server_packets',`
+ corenet_dontaudit_send_distccd_server_packets($1)
+ corenet_dontaudit_receive_distccd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to distccd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_distccd_server_packets',`
+ gen_require(`
+ type distccd_server_packet_t;
+ ')
+
+ allow $1 distccd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the dns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_dns_port',`
+ gen_require(`
+ type dns_port_t;
+ ')
+
+ allow $1 dns_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the dns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_dns_port',`
+ gen_require(`
+ type dns_port_t;
+ ')
+
+ allow $1 dns_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the dns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_dns_port',`
+ gen_require(`
+ type dns_port_t;
+ ')
+
+ dontaudit $1 dns_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the dns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_dns_port',`
+ gen_require(`
+ type dns_port_t;
+ ')
+
+ allow $1 dns_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the dns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_dns_port',`
+ gen_require(`
+ type dns_port_t;
+ ')
+
+ dontaudit $1 dns_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the dns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_dns_port',`
+ corenet_udp_send_dns_port($1)
+ corenet_udp_receive_dns_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the dns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_dns_port',`
+ corenet_dontaudit_udp_send_dns_port($1)
+ corenet_dontaudit_udp_receive_dns_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the dns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_dns_port',`
+ gen_require(`
+ type dns_port_t;
+ ')
+
+ allow $1 dns_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the dns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_dns_port',`
+ gen_require(`
+ type dns_port_t;
+ ')
+
+ allow $1 dns_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the dns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_dns_port',`
+ gen_require(`
+ type dns_port_t;
+ ')
+
+ allow $1 dns_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send dns_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_dns_client_packets',`
+ gen_require(`
+ type dns_client_packet_t;
+ ')
+
+ allow $1 dns_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send dns_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_dns_client_packets',`
+ gen_require(`
+ type dns_client_packet_t;
+ ')
+
+ dontaudit $1 dns_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive dns_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_dns_client_packets',`
+ gen_require(`
+ type dns_client_packet_t;
+ ')
+
+ allow $1 dns_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive dns_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_dns_client_packets',`
+ gen_require(`
+ type dns_client_packet_t;
+ ')
+
+ dontaudit $1 dns_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive dns_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_dns_client_packets',`
+ corenet_send_dns_client_packets($1)
+ corenet_receive_dns_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive dns_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_dns_client_packets',`
+ corenet_dontaudit_send_dns_client_packets($1)
+ corenet_dontaudit_receive_dns_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to dns_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_dns_client_packets',`
+ gen_require(`
+ type dns_client_packet_t;
+ ')
+
+ allow $1 dns_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send dns_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_dns_server_packets',`
+ gen_require(`
+ type dns_server_packet_t;
+ ')
+
+ allow $1 dns_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send dns_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_dns_server_packets',`
+ gen_require(`
+ type dns_server_packet_t;
+ ')
+
+ dontaudit $1 dns_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive dns_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_dns_server_packets',`
+ gen_require(`
+ type dns_server_packet_t;
+ ')
+
+ allow $1 dns_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive dns_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_dns_server_packets',`
+ gen_require(`
+ type dns_server_packet_t;
+ ')
+
+ dontaudit $1 dns_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive dns_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_dns_server_packets',`
+ corenet_send_dns_server_packets($1)
+ corenet_receive_dns_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive dns_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_dns_server_packets',`
+ corenet_dontaudit_send_dns_server_packets($1)
+ corenet_dontaudit_receive_dns_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to dns_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_dns_server_packets',`
+ gen_require(`
+ type dns_server_packet_t;
+ ')
+
+ allow $1 dns_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the epmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_epmap_port',`
+ gen_require(`
+ type epmap_port_t;
+ ')
+
+ allow $1 epmap_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the epmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_epmap_port',`
+ gen_require(`
+ type epmap_port_t;
+ ')
+
+ allow $1 epmap_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the epmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_epmap_port',`
+ gen_require(`
+ type epmap_port_t;
+ ')
+
+ dontaudit $1 epmap_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the epmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_epmap_port',`
+ gen_require(`
+ type epmap_port_t;
+ ')
+
+ allow $1 epmap_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the epmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_epmap_port',`
+ gen_require(`
+ type epmap_port_t;
+ ')
+
+ dontaudit $1 epmap_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the epmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_epmap_port',`
+ corenet_udp_send_epmap_port($1)
+ corenet_udp_receive_epmap_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the epmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_epmap_port',`
+ corenet_dontaudit_udp_send_epmap_port($1)
+ corenet_dontaudit_udp_receive_epmap_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the epmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_epmap_port',`
+ gen_require(`
+ type epmap_port_t;
+ ')
+
+ allow $1 epmap_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the epmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_epmap_port',`
+ gen_require(`
+ type epmap_port_t;
+ ')
+
+ allow $1 epmap_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the epmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_epmap_port',`
+ gen_require(`
+ type epmap_port_t;
+ ')
+
+ allow $1 epmap_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send epmap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_epmap_client_packets',`
+ gen_require(`
+ type epmap_client_packet_t;
+ ')
+
+ allow $1 epmap_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send epmap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_epmap_client_packets',`
+ gen_require(`
+ type epmap_client_packet_t;
+ ')
+
+ dontaudit $1 epmap_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive epmap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_epmap_client_packets',`
+ gen_require(`
+ type epmap_client_packet_t;
+ ')
+
+ allow $1 epmap_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive epmap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_epmap_client_packets',`
+ gen_require(`
+ type epmap_client_packet_t;
+ ')
+
+ dontaudit $1 epmap_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive epmap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_epmap_client_packets',`
+ corenet_send_epmap_client_packets($1)
+ corenet_receive_epmap_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive epmap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_epmap_client_packets',`
+ corenet_dontaudit_send_epmap_client_packets($1)
+ corenet_dontaudit_receive_epmap_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to epmap_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_epmap_client_packets',`
+ gen_require(`
+ type epmap_client_packet_t;
+ ')
+
+ allow $1 epmap_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send epmap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_epmap_server_packets',`
+ gen_require(`
+ type epmap_server_packet_t;
+ ')
+
+ allow $1 epmap_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send epmap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_epmap_server_packets',`
+ gen_require(`
+ type epmap_server_packet_t;
+ ')
+
+ dontaudit $1 epmap_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive epmap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_epmap_server_packets',`
+ gen_require(`
+ type epmap_server_packet_t;
+ ')
+
+ allow $1 epmap_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive epmap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_epmap_server_packets',`
+ gen_require(`
+ type epmap_server_packet_t;
+ ')
+
+ dontaudit $1 epmap_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive epmap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_epmap_server_packets',`
+ corenet_send_epmap_server_packets($1)
+ corenet_receive_epmap_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive epmap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_epmap_server_packets',`
+ corenet_dontaudit_send_epmap_server_packets($1)
+ corenet_dontaudit_receive_epmap_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to epmap_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_epmap_server_packets',`
+ gen_require(`
+ type epmap_server_packet_t;
+ ')
+
+ allow $1 epmap_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the fingerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_fingerd_port',`
+ gen_require(`
+ type fingerd_port_t;
+ ')
+
+ allow $1 fingerd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the fingerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_fingerd_port',`
+ gen_require(`
+ type fingerd_port_t;
+ ')
+
+ allow $1 fingerd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the fingerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_fingerd_port',`
+ gen_require(`
+ type fingerd_port_t;
+ ')
+
+ dontaudit $1 fingerd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the fingerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_fingerd_port',`
+ gen_require(`
+ type fingerd_port_t;
+ ')
+
+ allow $1 fingerd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the fingerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_fingerd_port',`
+ gen_require(`
+ type fingerd_port_t;
+ ')
+
+ dontaudit $1 fingerd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the fingerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_fingerd_port',`
+ corenet_udp_send_fingerd_port($1)
+ corenet_udp_receive_fingerd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the fingerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_fingerd_port',`
+ corenet_dontaudit_udp_send_fingerd_port($1)
+ corenet_dontaudit_udp_receive_fingerd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the fingerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_fingerd_port',`
+ gen_require(`
+ type fingerd_port_t;
+ ')
+
+ allow $1 fingerd_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the fingerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_fingerd_port',`
+ gen_require(`
+ type fingerd_port_t;
+ ')
+
+ allow $1 fingerd_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the fingerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_fingerd_port',`
+ gen_require(`
+ type fingerd_port_t;
+ ')
+
+ allow $1 fingerd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send fingerd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_fingerd_client_packets',`
+ gen_require(`
+ type fingerd_client_packet_t;
+ ')
+
+ allow $1 fingerd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send fingerd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_fingerd_client_packets',`
+ gen_require(`
+ type fingerd_client_packet_t;
+ ')
+
+ dontaudit $1 fingerd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive fingerd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_fingerd_client_packets',`
+ gen_require(`
+ type fingerd_client_packet_t;
+ ')
+
+ allow $1 fingerd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive fingerd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_fingerd_client_packets',`
+ gen_require(`
+ type fingerd_client_packet_t;
+ ')
+
+ dontaudit $1 fingerd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive fingerd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_fingerd_client_packets',`
+ corenet_send_fingerd_client_packets($1)
+ corenet_receive_fingerd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive fingerd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_fingerd_client_packets',`
+ corenet_dontaudit_send_fingerd_client_packets($1)
+ corenet_dontaudit_receive_fingerd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to fingerd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_fingerd_client_packets',`
+ gen_require(`
+ type fingerd_client_packet_t;
+ ')
+
+ allow $1 fingerd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send fingerd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_fingerd_server_packets',`
+ gen_require(`
+ type fingerd_server_packet_t;
+ ')
+
+ allow $1 fingerd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send fingerd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_fingerd_server_packets',`
+ gen_require(`
+ type fingerd_server_packet_t;
+ ')
+
+ dontaudit $1 fingerd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive fingerd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_fingerd_server_packets',`
+ gen_require(`
+ type fingerd_server_packet_t;
+ ')
+
+ allow $1 fingerd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive fingerd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_fingerd_server_packets',`
+ gen_require(`
+ type fingerd_server_packet_t;
+ ')
+
+ dontaudit $1 fingerd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive fingerd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_fingerd_server_packets',`
+ corenet_send_fingerd_server_packets($1)
+ corenet_receive_fingerd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive fingerd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_fingerd_server_packets',`
+ corenet_dontaudit_send_fingerd_server_packets($1)
+ corenet_dontaudit_receive_fingerd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to fingerd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_fingerd_server_packets',`
+ gen_require(`
+ type fingerd_server_packet_t;
+ ')
+
+ allow $1 fingerd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ftp_port',`
+ gen_require(`
+ type ftp_port_t;
+ ')
+
+ allow $1 ftp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ftp_port',`
+ gen_require(`
+ type ftp_port_t;
+ ')
+
+ allow $1 ftp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ftp_port',`
+ gen_require(`
+ type ftp_port_t;
+ ')
+
+ dontaudit $1 ftp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ftp_port',`
+ gen_require(`
+ type ftp_port_t;
+ ')
+
+ allow $1 ftp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ftp_port',`
+ gen_require(`
+ type ftp_port_t;
+ ')
+
+ dontaudit $1 ftp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ftp_port',`
+ corenet_udp_send_ftp_port($1)
+ corenet_udp_receive_ftp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ftp_port',`
+ corenet_dontaudit_udp_send_ftp_port($1)
+ corenet_dontaudit_udp_receive_ftp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ftp_port',`
+ gen_require(`
+ type ftp_port_t;
+ ')
+
+ allow $1 ftp_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ftp_port',`
+ gen_require(`
+ type ftp_port_t;
+ ')
+
+ allow $1 ftp_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ftp_port',`
+ gen_require(`
+ type ftp_port_t;
+ ')
+
+ allow $1 ftp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ftp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ftp_client_packets',`
+ gen_require(`
+ type ftp_client_packet_t;
+ ')
+
+ allow $1 ftp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ftp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ftp_client_packets',`
+ gen_require(`
+ type ftp_client_packet_t;
+ ')
+
+ dontaudit $1 ftp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ftp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ftp_client_packets',`
+ gen_require(`
+ type ftp_client_packet_t;
+ ')
+
+ allow $1 ftp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ftp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ftp_client_packets',`
+ gen_require(`
+ type ftp_client_packet_t;
+ ')
+
+ dontaudit $1 ftp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ftp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ftp_client_packets',`
+ corenet_send_ftp_client_packets($1)
+ corenet_receive_ftp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ftp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ftp_client_packets',`
+ corenet_dontaudit_send_ftp_client_packets($1)
+ corenet_dontaudit_receive_ftp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ftp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ftp_client_packets',`
+ gen_require(`
+ type ftp_client_packet_t;
+ ')
+
+ allow $1 ftp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ftp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ftp_server_packets',`
+ gen_require(`
+ type ftp_server_packet_t;
+ ')
+
+ allow $1 ftp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ftp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ftp_server_packets',`
+ gen_require(`
+ type ftp_server_packet_t;
+ ')
+
+ dontaudit $1 ftp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ftp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ftp_server_packets',`
+ gen_require(`
+ type ftp_server_packet_t;
+ ')
+
+ allow $1 ftp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ftp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ftp_server_packets',`
+ gen_require(`
+ type ftp_server_packet_t;
+ ')
+
+ dontaudit $1 ftp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ftp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ftp_server_packets',`
+ corenet_send_ftp_server_packets($1)
+ corenet_receive_ftp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ftp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ftp_server_packets',`
+ corenet_dontaudit_send_ftp_server_packets($1)
+ corenet_dontaudit_receive_ftp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ftp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ftp_server_packets',`
+ gen_require(`
+ type ftp_server_packet_t;
+ ')
+
+ allow $1 ftp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ftp_data port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ftp_data_port',`
+ gen_require(`
+ type ftp_data_port_t;
+ ')
+
+ allow $1 ftp_data_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ftp_data port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ftp_data_port',`
+ gen_require(`
+ type ftp_data_port_t;
+ ')
+
+ allow $1 ftp_data_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ftp_data port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ftp_data_port',`
+ gen_require(`
+ type ftp_data_port_t;
+ ')
+
+ dontaudit $1 ftp_data_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ftp_data port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ftp_data_port',`
+ gen_require(`
+ type ftp_data_port_t;
+ ')
+
+ allow $1 ftp_data_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ftp_data port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ftp_data_port',`
+ gen_require(`
+ type ftp_data_port_t;
+ ')
+
+ dontaudit $1 ftp_data_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ftp_data port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ftp_data_port',`
+ corenet_udp_send_ftp_data_port($1)
+ corenet_udp_receive_ftp_data_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ftp_data port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ftp_data_port',`
+ corenet_dontaudit_udp_send_ftp_data_port($1)
+ corenet_dontaudit_udp_receive_ftp_data_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ftp_data port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ftp_data_port',`
+ gen_require(`
+ type ftp_data_port_t;
+ ')
+
+ allow $1 ftp_data_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ftp_data port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ftp_data_port',`
+ gen_require(`
+ type ftp_data_port_t;
+ ')
+
+ allow $1 ftp_data_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ftp_data port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ftp_data_port',`
+ gen_require(`
+ type ftp_data_port_t;
+ ')
+
+ allow $1 ftp_data_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ftp_data_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ftp_data_client_packets',`
+ gen_require(`
+ type ftp_data_client_packet_t;
+ ')
+
+ allow $1 ftp_data_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ftp_data_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ftp_data_client_packets',`
+ gen_require(`
+ type ftp_data_client_packet_t;
+ ')
+
+ dontaudit $1 ftp_data_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ftp_data_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ftp_data_client_packets',`
+ gen_require(`
+ type ftp_data_client_packet_t;
+ ')
+
+ allow $1 ftp_data_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ftp_data_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ftp_data_client_packets',`
+ gen_require(`
+ type ftp_data_client_packet_t;
+ ')
+
+ dontaudit $1 ftp_data_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ftp_data_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ftp_data_client_packets',`
+ corenet_send_ftp_data_client_packets($1)
+ corenet_receive_ftp_data_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ftp_data_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ftp_data_client_packets',`
+ corenet_dontaudit_send_ftp_data_client_packets($1)
+ corenet_dontaudit_receive_ftp_data_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ftp_data_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ftp_data_client_packets',`
+ gen_require(`
+ type ftp_data_client_packet_t;
+ ')
+
+ allow $1 ftp_data_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ftp_data_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ftp_data_server_packets',`
+ gen_require(`
+ type ftp_data_server_packet_t;
+ ')
+
+ allow $1 ftp_data_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ftp_data_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ftp_data_server_packets',`
+ gen_require(`
+ type ftp_data_server_packet_t;
+ ')
+
+ dontaudit $1 ftp_data_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ftp_data_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ftp_data_server_packets',`
+ gen_require(`
+ type ftp_data_server_packet_t;
+ ')
+
+ allow $1 ftp_data_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ftp_data_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ftp_data_server_packets',`
+ gen_require(`
+ type ftp_data_server_packet_t;
+ ')
+
+ dontaudit $1 ftp_data_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ftp_data_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ftp_data_server_packets',`
+ corenet_send_ftp_data_server_packets($1)
+ corenet_receive_ftp_data_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ftp_data_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ftp_data_server_packets',`
+ corenet_dontaudit_send_ftp_data_server_packets($1)
+ corenet_dontaudit_receive_ftp_data_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ftp_data_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ftp_data_server_packets',`
+ gen_require(`
+ type ftp_data_server_packet_t;
+ ')
+
+ allow $1 ftp_data_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the gatekeeper port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_gatekeeper_port',`
+ gen_require(`
+ type gatekeeper_port_t;
+ ')
+
+ allow $1 gatekeeper_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the gatekeeper port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_gatekeeper_port',`
+ gen_require(`
+ type gatekeeper_port_t;
+ ')
+
+ allow $1 gatekeeper_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the gatekeeper port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_gatekeeper_port',`
+ gen_require(`
+ type gatekeeper_port_t;
+ ')
+
+ dontaudit $1 gatekeeper_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the gatekeeper port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_gatekeeper_port',`
+ gen_require(`
+ type gatekeeper_port_t;
+ ')
+
+ allow $1 gatekeeper_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the gatekeeper port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_gatekeeper_port',`
+ gen_require(`
+ type gatekeeper_port_t;
+ ')
+
+ dontaudit $1 gatekeeper_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the gatekeeper port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_gatekeeper_port',`
+ corenet_udp_send_gatekeeper_port($1)
+ corenet_udp_receive_gatekeeper_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the gatekeeper port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_gatekeeper_port',`
+ corenet_dontaudit_udp_send_gatekeeper_port($1)
+ corenet_dontaudit_udp_receive_gatekeeper_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the gatekeeper port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_gatekeeper_port',`
+ gen_require(`
+ type gatekeeper_port_t;
+ ')
+
+ allow $1 gatekeeper_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the gatekeeper port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_gatekeeper_port',`
+ gen_require(`
+ type gatekeeper_port_t;
+ ')
+
+ allow $1 gatekeeper_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the gatekeeper port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_gatekeeper_port',`
+ gen_require(`
+ type gatekeeper_port_t;
+ ')
+
+ allow $1 gatekeeper_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send gatekeeper_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_gatekeeper_client_packets',`
+ gen_require(`
+ type gatekeeper_client_packet_t;
+ ')
+
+ allow $1 gatekeeper_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send gatekeeper_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_gatekeeper_client_packets',`
+ gen_require(`
+ type gatekeeper_client_packet_t;
+ ')
+
+ dontaudit $1 gatekeeper_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive gatekeeper_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_gatekeeper_client_packets',`
+ gen_require(`
+ type gatekeeper_client_packet_t;
+ ')
+
+ allow $1 gatekeeper_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive gatekeeper_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_gatekeeper_client_packets',`
+ gen_require(`
+ type gatekeeper_client_packet_t;
+ ')
+
+ dontaudit $1 gatekeeper_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive gatekeeper_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_gatekeeper_client_packets',`
+ corenet_send_gatekeeper_client_packets($1)
+ corenet_receive_gatekeeper_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive gatekeeper_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_gatekeeper_client_packets',`
+ corenet_dontaudit_send_gatekeeper_client_packets($1)
+ corenet_dontaudit_receive_gatekeeper_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to gatekeeper_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_gatekeeper_client_packets',`
+ gen_require(`
+ type gatekeeper_client_packet_t;
+ ')
+
+ allow $1 gatekeeper_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send gatekeeper_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_gatekeeper_server_packets',`
+ gen_require(`
+ type gatekeeper_server_packet_t;
+ ')
+
+ allow $1 gatekeeper_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send gatekeeper_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_gatekeeper_server_packets',`
+ gen_require(`
+ type gatekeeper_server_packet_t;
+ ')
+
+ dontaudit $1 gatekeeper_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive gatekeeper_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_gatekeeper_server_packets',`
+ gen_require(`
+ type gatekeeper_server_packet_t;
+ ')
+
+ allow $1 gatekeeper_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive gatekeeper_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_gatekeeper_server_packets',`
+ gen_require(`
+ type gatekeeper_server_packet_t;
+ ')
+
+ dontaudit $1 gatekeeper_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive gatekeeper_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_gatekeeper_server_packets',`
+ corenet_send_gatekeeper_server_packets($1)
+ corenet_receive_gatekeeper_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive gatekeeper_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_gatekeeper_server_packets',`
+ corenet_dontaudit_send_gatekeeper_server_packets($1)
+ corenet_dontaudit_receive_gatekeeper_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to gatekeeper_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_gatekeeper_server_packets',`
+ gen_require(`
+ type gatekeeper_server_packet_t;
+ ')
+
+ allow $1 gatekeeper_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the giftd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_giftd_port',`
+ gen_require(`
+ type giftd_port_t;
+ ')
+
+ allow $1 giftd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the giftd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_giftd_port',`
+ gen_require(`
+ type giftd_port_t;
+ ')
+
+ allow $1 giftd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the giftd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_giftd_port',`
+ gen_require(`
+ type giftd_port_t;
+ ')
+
+ dontaudit $1 giftd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the giftd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_giftd_port',`
+ gen_require(`
+ type giftd_port_t;
+ ')
+
+ allow $1 giftd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the giftd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_giftd_port',`
+ gen_require(`
+ type giftd_port_t;
+ ')
+
+ dontaudit $1 giftd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the giftd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_giftd_port',`
+ corenet_udp_send_giftd_port($1)
+ corenet_udp_receive_giftd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the giftd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_giftd_port',`
+ corenet_dontaudit_udp_send_giftd_port($1)
+ corenet_dontaudit_udp_receive_giftd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the giftd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_giftd_port',`
+ gen_require(`
+ type giftd_port_t;
+ ')
+
+ allow $1 giftd_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the giftd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_giftd_port',`
+ gen_require(`
+ type giftd_port_t;
+ ')
+
+ allow $1 giftd_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the giftd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_giftd_port',`
+ gen_require(`
+ type giftd_port_t;
+ ')
+
+ allow $1 giftd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send giftd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_giftd_client_packets',`
+ gen_require(`
+ type giftd_client_packet_t;
+ ')
+
+ allow $1 giftd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send giftd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_giftd_client_packets',`
+ gen_require(`
+ type giftd_client_packet_t;
+ ')
+
+ dontaudit $1 giftd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive giftd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_giftd_client_packets',`
+ gen_require(`
+ type giftd_client_packet_t;
+ ')
+
+ allow $1 giftd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive giftd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_giftd_client_packets',`
+ gen_require(`
+ type giftd_client_packet_t;
+ ')
+
+ dontaudit $1 giftd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive giftd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_giftd_client_packets',`
+ corenet_send_giftd_client_packets($1)
+ corenet_receive_giftd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive giftd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_giftd_client_packets',`
+ corenet_dontaudit_send_giftd_client_packets($1)
+ corenet_dontaudit_receive_giftd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to giftd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_giftd_client_packets',`
+ gen_require(`
+ type giftd_client_packet_t;
+ ')
+
+ allow $1 giftd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send giftd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_giftd_server_packets',`
+ gen_require(`
+ type giftd_server_packet_t;
+ ')
+
+ allow $1 giftd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send giftd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_giftd_server_packets',`
+ gen_require(`
+ type giftd_server_packet_t;
+ ')
+
+ dontaudit $1 giftd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive giftd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_giftd_server_packets',`
+ gen_require(`
+ type giftd_server_packet_t;
+ ')
+
+ allow $1 giftd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive giftd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_giftd_server_packets',`
+ gen_require(`
+ type giftd_server_packet_t;
+ ')
+
+ dontaudit $1 giftd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive giftd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_giftd_server_packets',`
+ corenet_send_giftd_server_packets($1)
+ corenet_receive_giftd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive giftd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_giftd_server_packets',`
+ corenet_dontaudit_send_giftd_server_packets($1)
+ corenet_dontaudit_receive_giftd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to giftd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_giftd_server_packets',`
+ gen_require(`
+ type giftd_server_packet_t;
+ ')
+
+ allow $1 giftd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the git port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_git_port',`
+ gen_require(`
+ type git_port_t;
+ ')
+
+ allow $1 git_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the git port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_git_port',`
+ gen_require(`
+ type git_port_t;
+ ')
+
+ allow $1 git_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the git port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_git_port',`
+ gen_require(`
+ type git_port_t;
+ ')
+
+ dontaudit $1 git_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the git port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_git_port',`
+ gen_require(`
+ type git_port_t;
+ ')
+
+ allow $1 git_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the git port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_git_port',`
+ gen_require(`
+ type git_port_t;
+ ')
+
+ dontaudit $1 git_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the git port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_git_port',`
+ corenet_udp_send_git_port($1)
+ corenet_udp_receive_git_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the git port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_git_port',`
+ corenet_dontaudit_udp_send_git_port($1)
+ corenet_dontaudit_udp_receive_git_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the git port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_git_port',`
+ gen_require(`
+ type git_port_t;
+ ')
+
+ allow $1 git_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the git port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_git_port',`
+ gen_require(`
+ type git_port_t;
+ ')
+
+ allow $1 git_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the git port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_git_port',`
+ gen_require(`
+ type git_port_t;
+ ')
+
+ allow $1 git_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send git_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_git_client_packets',`
+ gen_require(`
+ type git_client_packet_t;
+ ')
+
+ allow $1 git_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send git_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_git_client_packets',`
+ gen_require(`
+ type git_client_packet_t;
+ ')
+
+ dontaudit $1 git_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive git_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_git_client_packets',`
+ gen_require(`
+ type git_client_packet_t;
+ ')
+
+ allow $1 git_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive git_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_git_client_packets',`
+ gen_require(`
+ type git_client_packet_t;
+ ')
+
+ dontaudit $1 git_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive git_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_git_client_packets',`
+ corenet_send_git_client_packets($1)
+ corenet_receive_git_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive git_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_git_client_packets',`
+ corenet_dontaudit_send_git_client_packets($1)
+ corenet_dontaudit_receive_git_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to git_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_git_client_packets',`
+ gen_require(`
+ type git_client_packet_t;
+ ')
+
+ allow $1 git_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send git_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_git_server_packets',`
+ gen_require(`
+ type git_server_packet_t;
+ ')
+
+ allow $1 git_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send git_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_git_server_packets',`
+ gen_require(`
+ type git_server_packet_t;
+ ')
+
+ dontaudit $1 git_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive git_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_git_server_packets',`
+ gen_require(`
+ type git_server_packet_t;
+ ')
+
+ allow $1 git_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive git_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_git_server_packets',`
+ gen_require(`
+ type git_server_packet_t;
+ ')
+
+ dontaudit $1 git_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive git_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_git_server_packets',`
+ corenet_send_git_server_packets($1)
+ corenet_receive_git_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive git_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_git_server_packets',`
+ corenet_dontaudit_send_git_server_packets($1)
+ corenet_dontaudit_receive_git_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to git_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_git_server_packets',`
+ gen_require(`
+ type git_server_packet_t;
+ ')
+
+ allow $1 git_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the glance_registry port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_glance_registry_port',`
+ gen_require(`
+ type glance_registry_port_t;
+ ')
+
+ allow $1 glance_registry_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the glance_registry port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_glance_registry_port',`
+ gen_require(`
+ type glance_registry_port_t;
+ ')
+
+ allow $1 glance_registry_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the glance_registry port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_glance_registry_port',`
+ gen_require(`
+ type glance_registry_port_t;
+ ')
+
+ dontaudit $1 glance_registry_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the glance_registry port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_glance_registry_port',`
+ gen_require(`
+ type glance_registry_port_t;
+ ')
+
+ allow $1 glance_registry_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the glance_registry port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_glance_registry_port',`
+ gen_require(`
+ type glance_registry_port_t;
+ ')
+
+ dontaudit $1 glance_registry_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the glance_registry port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_glance_registry_port',`
+ corenet_udp_send_glance_registry_port($1)
+ corenet_udp_receive_glance_registry_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the glance_registry port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_glance_registry_port',`
+ corenet_dontaudit_udp_send_glance_registry_port($1)
+ corenet_dontaudit_udp_receive_glance_registry_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the glance_registry port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_glance_registry_port',`
+ gen_require(`
+ type glance_registry_port_t;
+ ')
+
+ allow $1 glance_registry_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the glance_registry port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_glance_registry_port',`
+ gen_require(`
+ type glance_registry_port_t;
+ ')
+
+ allow $1 glance_registry_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the glance_registry port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_glance_registry_port',`
+ gen_require(`
+ type glance_registry_port_t;
+ ')
+
+ allow $1 glance_registry_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send glance_registry_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_glance_registry_client_packets',`
+ gen_require(`
+ type glance_registry_client_packet_t;
+ ')
+
+ allow $1 glance_registry_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send glance_registry_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_glance_registry_client_packets',`
+ gen_require(`
+ type glance_registry_client_packet_t;
+ ')
+
+ dontaudit $1 glance_registry_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive glance_registry_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_glance_registry_client_packets',`
+ gen_require(`
+ type glance_registry_client_packet_t;
+ ')
+
+ allow $1 glance_registry_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive glance_registry_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_glance_registry_client_packets',`
+ gen_require(`
+ type glance_registry_client_packet_t;
+ ')
+
+ dontaudit $1 glance_registry_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive glance_registry_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_glance_registry_client_packets',`
+ corenet_send_glance_registry_client_packets($1)
+ corenet_receive_glance_registry_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive glance_registry_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_glance_registry_client_packets',`
+ corenet_dontaudit_send_glance_registry_client_packets($1)
+ corenet_dontaudit_receive_glance_registry_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to glance_registry_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_glance_registry_client_packets',`
+ gen_require(`
+ type glance_registry_client_packet_t;
+ ')
+
+ allow $1 glance_registry_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send glance_registry_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_glance_registry_server_packets',`
+ gen_require(`
+ type glance_registry_server_packet_t;
+ ')
+
+ allow $1 glance_registry_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send glance_registry_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_glance_registry_server_packets',`
+ gen_require(`
+ type glance_registry_server_packet_t;
+ ')
+
+ dontaudit $1 glance_registry_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive glance_registry_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_glance_registry_server_packets',`
+ gen_require(`
+ type glance_registry_server_packet_t;
+ ')
+
+ allow $1 glance_registry_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive glance_registry_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_glance_registry_server_packets',`
+ gen_require(`
+ type glance_registry_server_packet_t;
+ ')
+
+ dontaudit $1 glance_registry_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive glance_registry_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_glance_registry_server_packets',`
+ corenet_send_glance_registry_server_packets($1)
+ corenet_receive_glance_registry_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive glance_registry_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_glance_registry_server_packets',`
+ corenet_dontaudit_send_glance_registry_server_packets($1)
+ corenet_dontaudit_receive_glance_registry_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to glance_registry_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_glance_registry_server_packets',`
+ gen_require(`
+ type glance_registry_server_packet_t;
+ ')
+
+ allow $1 glance_registry_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the gopher port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_gopher_port',`
+ gen_require(`
+ type gopher_port_t;
+ ')
+
+ allow $1 gopher_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the gopher port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_gopher_port',`
+ gen_require(`
+ type gopher_port_t;
+ ')
+
+ allow $1 gopher_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the gopher port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_gopher_port',`
+ gen_require(`
+ type gopher_port_t;
+ ')
+
+ dontaudit $1 gopher_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the gopher port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_gopher_port',`
+ gen_require(`
+ type gopher_port_t;
+ ')
+
+ allow $1 gopher_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the gopher port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_gopher_port',`
+ gen_require(`
+ type gopher_port_t;
+ ')
+
+ dontaudit $1 gopher_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the gopher port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_gopher_port',`
+ corenet_udp_send_gopher_port($1)
+ corenet_udp_receive_gopher_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the gopher port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_gopher_port',`
+ corenet_dontaudit_udp_send_gopher_port($1)
+ corenet_dontaudit_udp_receive_gopher_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the gopher port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_gopher_port',`
+ gen_require(`
+ type gopher_port_t;
+ ')
+
+ allow $1 gopher_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the gopher port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_gopher_port',`
+ gen_require(`
+ type gopher_port_t;
+ ')
+
+ allow $1 gopher_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the gopher port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_gopher_port',`
+ gen_require(`
+ type gopher_port_t;
+ ')
+
+ allow $1 gopher_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send gopher_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_gopher_client_packets',`
+ gen_require(`
+ type gopher_client_packet_t;
+ ')
+
+ allow $1 gopher_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send gopher_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_gopher_client_packets',`
+ gen_require(`
+ type gopher_client_packet_t;
+ ')
+
+ dontaudit $1 gopher_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive gopher_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_gopher_client_packets',`
+ gen_require(`
+ type gopher_client_packet_t;
+ ')
+
+ allow $1 gopher_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive gopher_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_gopher_client_packets',`
+ gen_require(`
+ type gopher_client_packet_t;
+ ')
+
+ dontaudit $1 gopher_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive gopher_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_gopher_client_packets',`
+ corenet_send_gopher_client_packets($1)
+ corenet_receive_gopher_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive gopher_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_gopher_client_packets',`
+ corenet_dontaudit_send_gopher_client_packets($1)
+ corenet_dontaudit_receive_gopher_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to gopher_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_gopher_client_packets',`
+ gen_require(`
+ type gopher_client_packet_t;
+ ')
+
+ allow $1 gopher_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send gopher_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_gopher_server_packets',`
+ gen_require(`
+ type gopher_server_packet_t;
+ ')
+
+ allow $1 gopher_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send gopher_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_gopher_server_packets',`
+ gen_require(`
+ type gopher_server_packet_t;
+ ')
+
+ dontaudit $1 gopher_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive gopher_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_gopher_server_packets',`
+ gen_require(`
+ type gopher_server_packet_t;
+ ')
+
+ allow $1 gopher_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive gopher_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_gopher_server_packets',`
+ gen_require(`
+ type gopher_server_packet_t;
+ ')
+
+ dontaudit $1 gopher_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive gopher_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_gopher_server_packets',`
+ corenet_send_gopher_server_packets($1)
+ corenet_receive_gopher_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive gopher_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_gopher_server_packets',`
+ corenet_dontaudit_send_gopher_server_packets($1)
+ corenet_dontaudit_receive_gopher_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to gopher_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_gopher_server_packets',`
+ gen_require(`
+ type gopher_server_packet_t;
+ ')
+
+ allow $1 gopher_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the gpsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_gpsd_port',`
+ gen_require(`
+ type gpsd_port_t;
+ ')
+
+ allow $1 gpsd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the gpsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_gpsd_port',`
+ gen_require(`
+ type gpsd_port_t;
+ ')
+
+ allow $1 gpsd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the gpsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_gpsd_port',`
+ gen_require(`
+ type gpsd_port_t;
+ ')
+
+ dontaudit $1 gpsd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the gpsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_gpsd_port',`
+ gen_require(`
+ type gpsd_port_t;
+ ')
+
+ allow $1 gpsd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the gpsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_gpsd_port',`
+ gen_require(`
+ type gpsd_port_t;
+ ')
+
+ dontaudit $1 gpsd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the gpsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_gpsd_port',`
+ corenet_udp_send_gpsd_port($1)
+ corenet_udp_receive_gpsd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the gpsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_gpsd_port',`
+ corenet_dontaudit_udp_send_gpsd_port($1)
+ corenet_dontaudit_udp_receive_gpsd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the gpsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_gpsd_port',`
+ gen_require(`
+ type gpsd_port_t;
+ ')
+
+ allow $1 gpsd_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the gpsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_gpsd_port',`
+ gen_require(`
+ type gpsd_port_t;
+ ')
+
+ allow $1 gpsd_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the gpsd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_gpsd_port',`
+ gen_require(`
+ type gpsd_port_t;
+ ')
+
+ allow $1 gpsd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send gpsd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_gpsd_client_packets',`
+ gen_require(`
+ type gpsd_client_packet_t;
+ ')
+
+ allow $1 gpsd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send gpsd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_gpsd_client_packets',`
+ gen_require(`
+ type gpsd_client_packet_t;
+ ')
+
+ dontaudit $1 gpsd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive gpsd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_gpsd_client_packets',`
+ gen_require(`
+ type gpsd_client_packet_t;
+ ')
+
+ allow $1 gpsd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive gpsd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_gpsd_client_packets',`
+ gen_require(`
+ type gpsd_client_packet_t;
+ ')
+
+ dontaudit $1 gpsd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive gpsd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_gpsd_client_packets',`
+ corenet_send_gpsd_client_packets($1)
+ corenet_receive_gpsd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive gpsd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_gpsd_client_packets',`
+ corenet_dontaudit_send_gpsd_client_packets($1)
+ corenet_dontaudit_receive_gpsd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to gpsd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_gpsd_client_packets',`
+ gen_require(`
+ type gpsd_client_packet_t;
+ ')
+
+ allow $1 gpsd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send gpsd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_gpsd_server_packets',`
+ gen_require(`
+ type gpsd_server_packet_t;
+ ')
+
+ allow $1 gpsd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send gpsd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_gpsd_server_packets',`
+ gen_require(`
+ type gpsd_server_packet_t;
+ ')
+
+ dontaudit $1 gpsd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive gpsd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_gpsd_server_packets',`
+ gen_require(`
+ type gpsd_server_packet_t;
+ ')
+
+ allow $1 gpsd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive gpsd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_gpsd_server_packets',`
+ gen_require(`
+ type gpsd_server_packet_t;
+ ')
+
+ dontaudit $1 gpsd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive gpsd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_gpsd_server_packets',`
+ corenet_send_gpsd_server_packets($1)
+ corenet_receive_gpsd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive gpsd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_gpsd_server_packets',`
+ corenet_dontaudit_send_gpsd_server_packets($1)
+ corenet_dontaudit_receive_gpsd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to gpsd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_gpsd_server_packets',`
+ gen_require(`
+ type gpsd_server_packet_t;
+ ')
+
+ allow $1 gpsd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the hadoop_datanode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_hadoop_datanode_port',`
+ gen_require(`
+ type hadoop_datanode_port_t;
+ ')
+
+ allow $1 hadoop_datanode_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the hadoop_datanode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_hadoop_datanode_port',`
+ gen_require(`
+ type hadoop_datanode_port_t;
+ ')
+
+ allow $1 hadoop_datanode_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the hadoop_datanode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_hadoop_datanode_port',`
+ gen_require(`
+ type hadoop_datanode_port_t;
+ ')
+
+ dontaudit $1 hadoop_datanode_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the hadoop_datanode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_hadoop_datanode_port',`
+ gen_require(`
+ type hadoop_datanode_port_t;
+ ')
+
+ allow $1 hadoop_datanode_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the hadoop_datanode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_hadoop_datanode_port',`
+ gen_require(`
+ type hadoop_datanode_port_t;
+ ')
+
+ dontaudit $1 hadoop_datanode_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the hadoop_datanode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_hadoop_datanode_port',`
+ corenet_udp_send_hadoop_datanode_port($1)
+ corenet_udp_receive_hadoop_datanode_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the hadoop_datanode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_hadoop_datanode_port',`
+ corenet_dontaudit_udp_send_hadoop_datanode_port($1)
+ corenet_dontaudit_udp_receive_hadoop_datanode_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the hadoop_datanode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_hadoop_datanode_port',`
+ gen_require(`
+ type hadoop_datanode_port_t;
+ ')
+
+ allow $1 hadoop_datanode_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the hadoop_datanode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_hadoop_datanode_port',`
+ gen_require(`
+ type hadoop_datanode_port_t;
+ ')
+
+ allow $1 hadoop_datanode_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the hadoop_datanode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_hadoop_datanode_port',`
+ gen_require(`
+ type hadoop_datanode_port_t;
+ ')
+
+ allow $1 hadoop_datanode_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send hadoop_datanode_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_hadoop_datanode_client_packets',`
+ gen_require(`
+ type hadoop_datanode_client_packet_t;
+ ')
+
+ allow $1 hadoop_datanode_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send hadoop_datanode_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_hadoop_datanode_client_packets',`
+ gen_require(`
+ type hadoop_datanode_client_packet_t;
+ ')
+
+ dontaudit $1 hadoop_datanode_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive hadoop_datanode_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_hadoop_datanode_client_packets',`
+ gen_require(`
+ type hadoop_datanode_client_packet_t;
+ ')
+
+ allow $1 hadoop_datanode_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive hadoop_datanode_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_hadoop_datanode_client_packets',`
+ gen_require(`
+ type hadoop_datanode_client_packet_t;
+ ')
+
+ dontaudit $1 hadoop_datanode_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive hadoop_datanode_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_hadoop_datanode_client_packets',`
+ corenet_send_hadoop_datanode_client_packets($1)
+ corenet_receive_hadoop_datanode_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive hadoop_datanode_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_hadoop_datanode_client_packets',`
+ corenet_dontaudit_send_hadoop_datanode_client_packets($1)
+ corenet_dontaudit_receive_hadoop_datanode_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to hadoop_datanode_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_hadoop_datanode_client_packets',`
+ gen_require(`
+ type hadoop_datanode_client_packet_t;
+ ')
+
+ allow $1 hadoop_datanode_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send hadoop_datanode_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_hadoop_datanode_server_packets',`
+ gen_require(`
+ type hadoop_datanode_server_packet_t;
+ ')
+
+ allow $1 hadoop_datanode_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send hadoop_datanode_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_hadoop_datanode_server_packets',`
+ gen_require(`
+ type hadoop_datanode_server_packet_t;
+ ')
+
+ dontaudit $1 hadoop_datanode_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive hadoop_datanode_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_hadoop_datanode_server_packets',`
+ gen_require(`
+ type hadoop_datanode_server_packet_t;
+ ')
+
+ allow $1 hadoop_datanode_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive hadoop_datanode_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_hadoop_datanode_server_packets',`
+ gen_require(`
+ type hadoop_datanode_server_packet_t;
+ ')
+
+ dontaudit $1 hadoop_datanode_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive hadoop_datanode_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_hadoop_datanode_server_packets',`
+ corenet_send_hadoop_datanode_server_packets($1)
+ corenet_receive_hadoop_datanode_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive hadoop_datanode_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_hadoop_datanode_server_packets',`
+ corenet_dontaudit_send_hadoop_datanode_server_packets($1)
+ corenet_dontaudit_receive_hadoop_datanode_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to hadoop_datanode_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_hadoop_datanode_server_packets',`
+ gen_require(`
+ type hadoop_datanode_server_packet_t;
+ ')
+
+ allow $1 hadoop_datanode_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the hadoop_namenode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_hadoop_namenode_port',`
+ gen_require(`
+ type hadoop_namenode_port_t;
+ ')
+
+ allow $1 hadoop_namenode_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the hadoop_namenode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_hadoop_namenode_port',`
+ gen_require(`
+ type hadoop_namenode_port_t;
+ ')
+
+ allow $1 hadoop_namenode_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the hadoop_namenode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_hadoop_namenode_port',`
+ gen_require(`
+ type hadoop_namenode_port_t;
+ ')
+
+ dontaudit $1 hadoop_namenode_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the hadoop_namenode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_hadoop_namenode_port',`
+ gen_require(`
+ type hadoop_namenode_port_t;
+ ')
+
+ allow $1 hadoop_namenode_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the hadoop_namenode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_hadoop_namenode_port',`
+ gen_require(`
+ type hadoop_namenode_port_t;
+ ')
+
+ dontaudit $1 hadoop_namenode_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the hadoop_namenode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_hadoop_namenode_port',`
+ corenet_udp_send_hadoop_namenode_port($1)
+ corenet_udp_receive_hadoop_namenode_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the hadoop_namenode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_hadoop_namenode_port',`
+ corenet_dontaudit_udp_send_hadoop_namenode_port($1)
+ corenet_dontaudit_udp_receive_hadoop_namenode_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the hadoop_namenode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_hadoop_namenode_port',`
+ gen_require(`
+ type hadoop_namenode_port_t;
+ ')
+
+ allow $1 hadoop_namenode_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the hadoop_namenode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_hadoop_namenode_port',`
+ gen_require(`
+ type hadoop_namenode_port_t;
+ ')
+
+ allow $1 hadoop_namenode_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the hadoop_namenode port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_hadoop_namenode_port',`
+ gen_require(`
+ type hadoop_namenode_port_t;
+ ')
+
+ allow $1 hadoop_namenode_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send hadoop_namenode_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_hadoop_namenode_client_packets',`
+ gen_require(`
+ type hadoop_namenode_client_packet_t;
+ ')
+
+ allow $1 hadoop_namenode_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send hadoop_namenode_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_hadoop_namenode_client_packets',`
+ gen_require(`
+ type hadoop_namenode_client_packet_t;
+ ')
+
+ dontaudit $1 hadoop_namenode_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive hadoop_namenode_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_hadoop_namenode_client_packets',`
+ gen_require(`
+ type hadoop_namenode_client_packet_t;
+ ')
+
+ allow $1 hadoop_namenode_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive hadoop_namenode_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_hadoop_namenode_client_packets',`
+ gen_require(`
+ type hadoop_namenode_client_packet_t;
+ ')
+
+ dontaudit $1 hadoop_namenode_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive hadoop_namenode_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_hadoop_namenode_client_packets',`
+ corenet_send_hadoop_namenode_client_packets($1)
+ corenet_receive_hadoop_namenode_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive hadoop_namenode_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_hadoop_namenode_client_packets',`
+ corenet_dontaudit_send_hadoop_namenode_client_packets($1)
+ corenet_dontaudit_receive_hadoop_namenode_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to hadoop_namenode_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_hadoop_namenode_client_packets',`
+ gen_require(`
+ type hadoop_namenode_client_packet_t;
+ ')
+
+ allow $1 hadoop_namenode_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send hadoop_namenode_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_hadoop_namenode_server_packets',`
+ gen_require(`
+ type hadoop_namenode_server_packet_t;
+ ')
+
+ allow $1 hadoop_namenode_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send hadoop_namenode_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_hadoop_namenode_server_packets',`
+ gen_require(`
+ type hadoop_namenode_server_packet_t;
+ ')
+
+ dontaudit $1 hadoop_namenode_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive hadoop_namenode_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_hadoop_namenode_server_packets',`
+ gen_require(`
+ type hadoop_namenode_server_packet_t;
+ ')
+
+ allow $1 hadoop_namenode_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive hadoop_namenode_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_hadoop_namenode_server_packets',`
+ gen_require(`
+ type hadoop_namenode_server_packet_t;
+ ')
+
+ dontaudit $1 hadoop_namenode_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive hadoop_namenode_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_hadoop_namenode_server_packets',`
+ corenet_send_hadoop_namenode_server_packets($1)
+ corenet_receive_hadoop_namenode_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive hadoop_namenode_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_hadoop_namenode_server_packets',`
+ corenet_dontaudit_send_hadoop_namenode_server_packets($1)
+ corenet_dontaudit_receive_hadoop_namenode_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to hadoop_namenode_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_hadoop_namenode_server_packets',`
+ gen_require(`
+ type hadoop_namenode_server_packet_t;
+ ')
+
+ allow $1 hadoop_namenode_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the hddtemp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_hddtemp_port',`
+ gen_require(`
+ type hddtemp_port_t;
+ ')
+
+ allow $1 hddtemp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the hddtemp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_hddtemp_port',`
+ gen_require(`
+ type hddtemp_port_t;
+ ')
+
+ allow $1 hddtemp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the hddtemp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_hddtemp_port',`
+ gen_require(`
+ type hddtemp_port_t;
+ ')
+
+ dontaudit $1 hddtemp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the hddtemp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_hddtemp_port',`
+ gen_require(`
+ type hddtemp_port_t;
+ ')
+
+ allow $1 hddtemp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the hddtemp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_hddtemp_port',`
+ gen_require(`
+ type hddtemp_port_t;
+ ')
+
+ dontaudit $1 hddtemp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the hddtemp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_hddtemp_port',`
+ corenet_udp_send_hddtemp_port($1)
+ corenet_udp_receive_hddtemp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the hddtemp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_hddtemp_port',`
+ corenet_dontaudit_udp_send_hddtemp_port($1)
+ corenet_dontaudit_udp_receive_hddtemp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the hddtemp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_hddtemp_port',`
+ gen_require(`
+ type hddtemp_port_t;
+ ')
+
+ allow $1 hddtemp_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the hddtemp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_hddtemp_port',`
+ gen_require(`
+ type hddtemp_port_t;
+ ')
+
+ allow $1 hddtemp_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the hddtemp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_hddtemp_port',`
+ gen_require(`
+ type hddtemp_port_t;
+ ')
+
+ allow $1 hddtemp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send hddtemp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_hddtemp_client_packets',`
+ gen_require(`
+ type hddtemp_client_packet_t;
+ ')
+
+ allow $1 hddtemp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send hddtemp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_hddtemp_client_packets',`
+ gen_require(`
+ type hddtemp_client_packet_t;
+ ')
+
+ dontaudit $1 hddtemp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive hddtemp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_hddtemp_client_packets',`
+ gen_require(`
+ type hddtemp_client_packet_t;
+ ')
+
+ allow $1 hddtemp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive hddtemp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_hddtemp_client_packets',`
+ gen_require(`
+ type hddtemp_client_packet_t;
+ ')
+
+ dontaudit $1 hddtemp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive hddtemp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_hddtemp_client_packets',`
+ corenet_send_hddtemp_client_packets($1)
+ corenet_receive_hddtemp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive hddtemp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_hddtemp_client_packets',`
+ corenet_dontaudit_send_hddtemp_client_packets($1)
+ corenet_dontaudit_receive_hddtemp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to hddtemp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_hddtemp_client_packets',`
+ gen_require(`
+ type hddtemp_client_packet_t;
+ ')
+
+ allow $1 hddtemp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send hddtemp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_hddtemp_server_packets',`
+ gen_require(`
+ type hddtemp_server_packet_t;
+ ')
+
+ allow $1 hddtemp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send hddtemp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_hddtemp_server_packets',`
+ gen_require(`
+ type hddtemp_server_packet_t;
+ ')
+
+ dontaudit $1 hddtemp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive hddtemp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_hddtemp_server_packets',`
+ gen_require(`
+ type hddtemp_server_packet_t;
+ ')
+
+ allow $1 hddtemp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive hddtemp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_hddtemp_server_packets',`
+ gen_require(`
+ type hddtemp_server_packet_t;
+ ')
+
+ dontaudit $1 hddtemp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive hddtemp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_hddtemp_server_packets',`
+ corenet_send_hddtemp_server_packets($1)
+ corenet_receive_hddtemp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive hddtemp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_hddtemp_server_packets',`
+ corenet_dontaudit_send_hddtemp_server_packets($1)
+ corenet_dontaudit_receive_hddtemp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to hddtemp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_hddtemp_server_packets',`
+ gen_require(`
+ type hddtemp_server_packet_t;
+ ')
+
+ allow $1 hddtemp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the howl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_howl_port',`
+ gen_require(`
+ type howl_port_t;
+ ')
+
+ allow $1 howl_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the howl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_howl_port',`
+ gen_require(`
+ type howl_port_t;
+ ')
+
+ allow $1 howl_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the howl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_howl_port',`
+ gen_require(`
+ type howl_port_t;
+ ')
+
+ dontaudit $1 howl_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the howl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_howl_port',`
+ gen_require(`
+ type howl_port_t;
+ ')
+
+ allow $1 howl_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the howl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_howl_port',`
+ gen_require(`
+ type howl_port_t;
+ ')
+
+ dontaudit $1 howl_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the howl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_howl_port',`
+ corenet_udp_send_howl_port($1)
+ corenet_udp_receive_howl_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the howl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_howl_port',`
+ corenet_dontaudit_udp_send_howl_port($1)
+ corenet_dontaudit_udp_receive_howl_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the howl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_howl_port',`
+ gen_require(`
+ type howl_port_t;
+ ')
+
+ allow $1 howl_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the howl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_howl_port',`
+ gen_require(`
+ type howl_port_t;
+ ')
+
+ allow $1 howl_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the howl port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_howl_port',`
+ gen_require(`
+ type howl_port_t;
+ ')
+
+ allow $1 howl_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send howl_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_howl_client_packets',`
+ gen_require(`
+ type howl_client_packet_t;
+ ')
+
+ allow $1 howl_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send howl_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_howl_client_packets',`
+ gen_require(`
+ type howl_client_packet_t;
+ ')
+
+ dontaudit $1 howl_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive howl_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_howl_client_packets',`
+ gen_require(`
+ type howl_client_packet_t;
+ ')
+
+ allow $1 howl_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive howl_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_howl_client_packets',`
+ gen_require(`
+ type howl_client_packet_t;
+ ')
+
+ dontaudit $1 howl_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive howl_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_howl_client_packets',`
+ corenet_send_howl_client_packets($1)
+ corenet_receive_howl_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive howl_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_howl_client_packets',`
+ corenet_dontaudit_send_howl_client_packets($1)
+ corenet_dontaudit_receive_howl_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to howl_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_howl_client_packets',`
+ gen_require(`
+ type howl_client_packet_t;
+ ')
+
+ allow $1 howl_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send howl_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_howl_server_packets',`
+ gen_require(`
+ type howl_server_packet_t;
+ ')
+
+ allow $1 howl_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send howl_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_howl_server_packets',`
+ gen_require(`
+ type howl_server_packet_t;
+ ')
+
+ dontaudit $1 howl_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive howl_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_howl_server_packets',`
+ gen_require(`
+ type howl_server_packet_t;
+ ')
+
+ allow $1 howl_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive howl_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_howl_server_packets',`
+ gen_require(`
+ type howl_server_packet_t;
+ ')
+
+ dontaudit $1 howl_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive howl_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_howl_server_packets',`
+ corenet_send_howl_server_packets($1)
+ corenet_receive_howl_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive howl_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_howl_server_packets',`
+ corenet_dontaudit_send_howl_server_packets($1)
+ corenet_dontaudit_receive_howl_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to howl_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_howl_server_packets',`
+ gen_require(`
+ type howl_server_packet_t;
+ ')
+
+ allow $1 howl_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the hplip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_hplip_port',`
+ gen_require(`
+ type hplip_port_t;
+ ')
+
+ allow $1 hplip_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the hplip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_hplip_port',`
+ gen_require(`
+ type hplip_port_t;
+ ')
+
+ allow $1 hplip_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the hplip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_hplip_port',`
+ gen_require(`
+ type hplip_port_t;
+ ')
+
+ dontaudit $1 hplip_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the hplip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_hplip_port',`
+ gen_require(`
+ type hplip_port_t;
+ ')
+
+ allow $1 hplip_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the hplip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_hplip_port',`
+ gen_require(`
+ type hplip_port_t;
+ ')
+
+ dontaudit $1 hplip_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the hplip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_hplip_port',`
+ corenet_udp_send_hplip_port($1)
+ corenet_udp_receive_hplip_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the hplip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_hplip_port',`
+ corenet_dontaudit_udp_send_hplip_port($1)
+ corenet_dontaudit_udp_receive_hplip_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the hplip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_hplip_port',`
+ gen_require(`
+ type hplip_port_t;
+ ')
+
+ allow $1 hplip_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the hplip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_hplip_port',`
+ gen_require(`
+ type hplip_port_t;
+ ')
+
+ allow $1 hplip_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the hplip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_hplip_port',`
+ gen_require(`
+ type hplip_port_t;
+ ')
+
+ allow $1 hplip_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send hplip_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_hplip_client_packets',`
+ gen_require(`
+ type hplip_client_packet_t;
+ ')
+
+ allow $1 hplip_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send hplip_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_hplip_client_packets',`
+ gen_require(`
+ type hplip_client_packet_t;
+ ')
+
+ dontaudit $1 hplip_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive hplip_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_hplip_client_packets',`
+ gen_require(`
+ type hplip_client_packet_t;
+ ')
+
+ allow $1 hplip_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive hplip_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_hplip_client_packets',`
+ gen_require(`
+ type hplip_client_packet_t;
+ ')
+
+ dontaudit $1 hplip_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive hplip_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_hplip_client_packets',`
+ corenet_send_hplip_client_packets($1)
+ corenet_receive_hplip_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive hplip_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_hplip_client_packets',`
+ corenet_dontaudit_send_hplip_client_packets($1)
+ corenet_dontaudit_receive_hplip_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to hplip_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_hplip_client_packets',`
+ gen_require(`
+ type hplip_client_packet_t;
+ ')
+
+ allow $1 hplip_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send hplip_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_hplip_server_packets',`
+ gen_require(`
+ type hplip_server_packet_t;
+ ')
+
+ allow $1 hplip_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send hplip_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_hplip_server_packets',`
+ gen_require(`
+ type hplip_server_packet_t;
+ ')
+
+ dontaudit $1 hplip_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive hplip_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_hplip_server_packets',`
+ gen_require(`
+ type hplip_server_packet_t;
+ ')
+
+ allow $1 hplip_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive hplip_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_hplip_server_packets',`
+ gen_require(`
+ type hplip_server_packet_t;
+ ')
+
+ dontaudit $1 hplip_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive hplip_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_hplip_server_packets',`
+ corenet_send_hplip_server_packets($1)
+ corenet_receive_hplip_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive hplip_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_hplip_server_packets',`
+ corenet_dontaudit_send_hplip_server_packets($1)
+ corenet_dontaudit_receive_hplip_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to hplip_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_hplip_server_packets',`
+ gen_require(`
+ type hplip_server_packet_t;
+ ')
+
+ allow $1 hplip_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_http_port',`
+ gen_require(`
+ type http_port_t;
+ ')
+
+ allow $1 http_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_http_port',`
+ gen_require(`
+ type http_port_t;
+ ')
+
+ allow $1 http_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_http_port',`
+ gen_require(`
+ type http_port_t;
+ ')
+
+ dontaudit $1 http_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_http_port',`
+ gen_require(`
+ type http_port_t;
+ ')
+
+ allow $1 http_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_http_port',`
+ gen_require(`
+ type http_port_t;
+ ')
+
+ dontaudit $1 http_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_http_port',`
+ corenet_udp_send_http_port($1)
+ corenet_udp_receive_http_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_http_port',`
+ corenet_dontaudit_udp_send_http_port($1)
+ corenet_dontaudit_udp_receive_http_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_http_port',`
+ gen_require(`
+ type http_port_t;
+ ')
+
+ allow $1 http_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_http_port',`
+ gen_require(`
+ type http_port_t;
+ ')
+
+ allow $1 http_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_http_port',`
+ gen_require(`
+ type http_port_t;
+ ')
+
+ allow $1 http_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send http_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_http_client_packets',`
+ gen_require(`
+ type http_client_packet_t;
+ ')
+
+ allow $1 http_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send http_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_http_client_packets',`
+ gen_require(`
+ type http_client_packet_t;
+ ')
+
+ dontaudit $1 http_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive http_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_http_client_packets',`
+ gen_require(`
+ type http_client_packet_t;
+ ')
+
+ allow $1 http_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive http_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_http_client_packets',`
+ gen_require(`
+ type http_client_packet_t;
+ ')
+
+ dontaudit $1 http_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive http_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_http_client_packets',`
+ corenet_send_http_client_packets($1)
+ corenet_receive_http_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive http_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_http_client_packets',`
+ corenet_dontaudit_send_http_client_packets($1)
+ corenet_dontaudit_receive_http_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to http_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_http_client_packets',`
+ gen_require(`
+ type http_client_packet_t;
+ ')
+
+ allow $1 http_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send http_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_http_server_packets',`
+ gen_require(`
+ type http_server_packet_t;
+ ')
+
+ allow $1 http_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send http_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_http_server_packets',`
+ gen_require(`
+ type http_server_packet_t;
+ ')
+
+ dontaudit $1 http_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive http_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_http_server_packets',`
+ gen_require(`
+ type http_server_packet_t;
+ ')
+
+ allow $1 http_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive http_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_http_server_packets',`
+ gen_require(`
+ type http_server_packet_t;
+ ')
+
+ dontaudit $1 http_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive http_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_http_server_packets',`
+ corenet_send_http_server_packets($1)
+ corenet_receive_http_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive http_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_http_server_packets',`
+ corenet_dontaudit_send_http_server_packets($1)
+ corenet_dontaudit_receive_http_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to http_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_http_server_packets',`
+ gen_require(`
+ type http_server_packet_t;
+ ')
+
+ allow $1 http_server_packet_t:packet relabelto;
+')
+
+ #8443 is mod_nss default port
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the http_cache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_http_cache_port',`
+ gen_require(`
+ type http_cache_port_t;
+ ')
+
+ allow $1 http_cache_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the http_cache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_http_cache_port',`
+ gen_require(`
+ type http_cache_port_t;
+ ')
+
+ allow $1 http_cache_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the http_cache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_http_cache_port',`
+ gen_require(`
+ type http_cache_port_t;
+ ')
+
+ dontaudit $1 http_cache_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the http_cache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_http_cache_port',`
+ gen_require(`
+ type http_cache_port_t;
+ ')
+
+ allow $1 http_cache_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the http_cache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_http_cache_port',`
+ gen_require(`
+ type http_cache_port_t;
+ ')
+
+ dontaudit $1 http_cache_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the http_cache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_http_cache_port',`
+ corenet_udp_send_http_cache_port($1)
+ corenet_udp_receive_http_cache_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the http_cache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_http_cache_port',`
+ corenet_dontaudit_udp_send_http_cache_port($1)
+ corenet_dontaudit_udp_receive_http_cache_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the http_cache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_http_cache_port',`
+ gen_require(`
+ type http_cache_port_t;
+ ')
+
+ allow $1 http_cache_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the http_cache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_http_cache_port',`
+ gen_require(`
+ type http_cache_port_t;
+ ')
+
+ allow $1 http_cache_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the http_cache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_http_cache_port',`
+ gen_require(`
+ type http_cache_port_t;
+ ')
+
+ allow $1 http_cache_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send http_cache_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_http_cache_client_packets',`
+ gen_require(`
+ type http_cache_client_packet_t;
+ ')
+
+ allow $1 http_cache_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send http_cache_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_http_cache_client_packets',`
+ gen_require(`
+ type http_cache_client_packet_t;
+ ')
+
+ dontaudit $1 http_cache_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive http_cache_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_http_cache_client_packets',`
+ gen_require(`
+ type http_cache_client_packet_t;
+ ')
+
+ allow $1 http_cache_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive http_cache_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_http_cache_client_packets',`
+ gen_require(`
+ type http_cache_client_packet_t;
+ ')
+
+ dontaudit $1 http_cache_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive http_cache_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_http_cache_client_packets',`
+ corenet_send_http_cache_client_packets($1)
+ corenet_receive_http_cache_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive http_cache_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_http_cache_client_packets',`
+ corenet_dontaudit_send_http_cache_client_packets($1)
+ corenet_dontaudit_receive_http_cache_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to http_cache_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_http_cache_client_packets',`
+ gen_require(`
+ type http_cache_client_packet_t;
+ ')
+
+ allow $1 http_cache_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send http_cache_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_http_cache_server_packets',`
+ gen_require(`
+ type http_cache_server_packet_t;
+ ')
+
+ allow $1 http_cache_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send http_cache_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_http_cache_server_packets',`
+ gen_require(`
+ type http_cache_server_packet_t;
+ ')
+
+ dontaudit $1 http_cache_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive http_cache_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_http_cache_server_packets',`
+ gen_require(`
+ type http_cache_server_packet_t;
+ ')
+
+ allow $1 http_cache_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive http_cache_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_http_cache_server_packets',`
+ gen_require(`
+ type http_cache_server_packet_t;
+ ')
+
+ dontaudit $1 http_cache_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive http_cache_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_http_cache_server_packets',`
+ corenet_send_http_cache_server_packets($1)
+ corenet_receive_http_cache_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive http_cache_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_http_cache_server_packets',`
+ corenet_dontaudit_send_http_cache_server_packets($1)
+ corenet_dontaudit_receive_http_cache_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to http_cache_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_http_cache_server_packets',`
+ gen_require(`
+ type http_cache_server_packet_t;
+ ')
+
+ allow $1 http_cache_server_packet_t:packet relabelto;
+')
+
+ # 8118 is for privoxy
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the i18n_input port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_i18n_input_port',`
+ gen_require(`
+ type i18n_input_port_t;
+ ')
+
+ allow $1 i18n_input_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the i18n_input port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_i18n_input_port',`
+ gen_require(`
+ type i18n_input_port_t;
+ ')
+
+ allow $1 i18n_input_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the i18n_input port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_i18n_input_port',`
+ gen_require(`
+ type i18n_input_port_t;
+ ')
+
+ dontaudit $1 i18n_input_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the i18n_input port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_i18n_input_port',`
+ gen_require(`
+ type i18n_input_port_t;
+ ')
+
+ allow $1 i18n_input_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the i18n_input port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_i18n_input_port',`
+ gen_require(`
+ type i18n_input_port_t;
+ ')
+
+ dontaudit $1 i18n_input_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the i18n_input port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_i18n_input_port',`
+ corenet_udp_send_i18n_input_port($1)
+ corenet_udp_receive_i18n_input_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the i18n_input port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_i18n_input_port',`
+ corenet_dontaudit_udp_send_i18n_input_port($1)
+ corenet_dontaudit_udp_receive_i18n_input_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the i18n_input port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_i18n_input_port',`
+ gen_require(`
+ type i18n_input_port_t;
+ ')
+
+ allow $1 i18n_input_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the i18n_input port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_i18n_input_port',`
+ gen_require(`
+ type i18n_input_port_t;
+ ')
+
+ allow $1 i18n_input_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the i18n_input port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_i18n_input_port',`
+ gen_require(`
+ type i18n_input_port_t;
+ ')
+
+ allow $1 i18n_input_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send i18n_input_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_i18n_input_client_packets',`
+ gen_require(`
+ type i18n_input_client_packet_t;
+ ')
+
+ allow $1 i18n_input_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send i18n_input_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_i18n_input_client_packets',`
+ gen_require(`
+ type i18n_input_client_packet_t;
+ ')
+
+ dontaudit $1 i18n_input_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive i18n_input_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_i18n_input_client_packets',`
+ gen_require(`
+ type i18n_input_client_packet_t;
+ ')
+
+ allow $1 i18n_input_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive i18n_input_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_i18n_input_client_packets',`
+ gen_require(`
+ type i18n_input_client_packet_t;
+ ')
+
+ dontaudit $1 i18n_input_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive i18n_input_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_i18n_input_client_packets',`
+ corenet_send_i18n_input_client_packets($1)
+ corenet_receive_i18n_input_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive i18n_input_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_i18n_input_client_packets',`
+ corenet_dontaudit_send_i18n_input_client_packets($1)
+ corenet_dontaudit_receive_i18n_input_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to i18n_input_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_i18n_input_client_packets',`
+ gen_require(`
+ type i18n_input_client_packet_t;
+ ')
+
+ allow $1 i18n_input_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send i18n_input_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_i18n_input_server_packets',`
+ gen_require(`
+ type i18n_input_server_packet_t;
+ ')
+
+ allow $1 i18n_input_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send i18n_input_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_i18n_input_server_packets',`
+ gen_require(`
+ type i18n_input_server_packet_t;
+ ')
+
+ dontaudit $1 i18n_input_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive i18n_input_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_i18n_input_server_packets',`
+ gen_require(`
+ type i18n_input_server_packet_t;
+ ')
+
+ allow $1 i18n_input_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive i18n_input_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_i18n_input_server_packets',`
+ gen_require(`
+ type i18n_input_server_packet_t;
+ ')
+
+ dontaudit $1 i18n_input_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive i18n_input_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_i18n_input_server_packets',`
+ corenet_send_i18n_input_server_packets($1)
+ corenet_receive_i18n_input_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive i18n_input_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_i18n_input_server_packets',`
+ corenet_dontaudit_send_i18n_input_server_packets($1)
+ corenet_dontaudit_receive_i18n_input_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to i18n_input_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_i18n_input_server_packets',`
+ gen_require(`
+ type i18n_input_server_packet_t;
+ ')
+
+ allow $1 i18n_input_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the imaze port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_imaze_port',`
+ gen_require(`
+ type imaze_port_t;
+ ')
+
+ allow $1 imaze_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the imaze port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_imaze_port',`
+ gen_require(`
+ type imaze_port_t;
+ ')
+
+ allow $1 imaze_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the imaze port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_imaze_port',`
+ gen_require(`
+ type imaze_port_t;
+ ')
+
+ dontaudit $1 imaze_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the imaze port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_imaze_port',`
+ gen_require(`
+ type imaze_port_t;
+ ')
+
+ allow $1 imaze_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the imaze port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_imaze_port',`
+ gen_require(`
+ type imaze_port_t;
+ ')
+
+ dontaudit $1 imaze_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the imaze port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_imaze_port',`
+ corenet_udp_send_imaze_port($1)
+ corenet_udp_receive_imaze_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the imaze port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_imaze_port',`
+ corenet_dontaudit_udp_send_imaze_port($1)
+ corenet_dontaudit_udp_receive_imaze_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the imaze port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_imaze_port',`
+ gen_require(`
+ type imaze_port_t;
+ ')
+
+ allow $1 imaze_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the imaze port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_imaze_port',`
+ gen_require(`
+ type imaze_port_t;
+ ')
+
+ allow $1 imaze_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the imaze port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_imaze_port',`
+ gen_require(`
+ type imaze_port_t;
+ ')
+
+ allow $1 imaze_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send imaze_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_imaze_client_packets',`
+ gen_require(`
+ type imaze_client_packet_t;
+ ')
+
+ allow $1 imaze_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send imaze_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_imaze_client_packets',`
+ gen_require(`
+ type imaze_client_packet_t;
+ ')
+
+ dontaudit $1 imaze_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive imaze_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_imaze_client_packets',`
+ gen_require(`
+ type imaze_client_packet_t;
+ ')
+
+ allow $1 imaze_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive imaze_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_imaze_client_packets',`
+ gen_require(`
+ type imaze_client_packet_t;
+ ')
+
+ dontaudit $1 imaze_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive imaze_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_imaze_client_packets',`
+ corenet_send_imaze_client_packets($1)
+ corenet_receive_imaze_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive imaze_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_imaze_client_packets',`
+ corenet_dontaudit_send_imaze_client_packets($1)
+ corenet_dontaudit_receive_imaze_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to imaze_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_imaze_client_packets',`
+ gen_require(`
+ type imaze_client_packet_t;
+ ')
+
+ allow $1 imaze_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send imaze_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_imaze_server_packets',`
+ gen_require(`
+ type imaze_server_packet_t;
+ ')
+
+ allow $1 imaze_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send imaze_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_imaze_server_packets',`
+ gen_require(`
+ type imaze_server_packet_t;
+ ')
+
+ dontaudit $1 imaze_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive imaze_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_imaze_server_packets',`
+ gen_require(`
+ type imaze_server_packet_t;
+ ')
+
+ allow $1 imaze_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive imaze_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_imaze_server_packets',`
+ gen_require(`
+ type imaze_server_packet_t;
+ ')
+
+ dontaudit $1 imaze_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive imaze_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_imaze_server_packets',`
+ corenet_send_imaze_server_packets($1)
+ corenet_receive_imaze_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive imaze_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_imaze_server_packets',`
+ corenet_dontaudit_send_imaze_server_packets($1)
+ corenet_dontaudit_receive_imaze_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to imaze_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_imaze_server_packets',`
+ gen_require(`
+ type imaze_server_packet_t;
+ ')
+
+ allow $1 imaze_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the inetd_child port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_inetd_child_port',`
+ gen_require(`
+ type inetd_child_port_t;
+ ')
+
+ allow $1 inetd_child_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the inetd_child port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_inetd_child_port',`
+ gen_require(`
+ type inetd_child_port_t;
+ ')
+
+ allow $1 inetd_child_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the inetd_child port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_inetd_child_port',`
+ gen_require(`
+ type inetd_child_port_t;
+ ')
+
+ dontaudit $1 inetd_child_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the inetd_child port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_inetd_child_port',`
+ gen_require(`
+ type inetd_child_port_t;
+ ')
+
+ allow $1 inetd_child_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the inetd_child port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_inetd_child_port',`
+ gen_require(`
+ type inetd_child_port_t;
+ ')
+
+ dontaudit $1 inetd_child_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the inetd_child port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_inetd_child_port',`
+ corenet_udp_send_inetd_child_port($1)
+ corenet_udp_receive_inetd_child_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the inetd_child port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_inetd_child_port',`
+ corenet_dontaudit_udp_send_inetd_child_port($1)
+ corenet_dontaudit_udp_receive_inetd_child_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the inetd_child port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_inetd_child_port',`
+ gen_require(`
+ type inetd_child_port_t;
+ ')
+
+ allow $1 inetd_child_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the inetd_child port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_inetd_child_port',`
+ gen_require(`
+ type inetd_child_port_t;
+ ')
+
+ allow $1 inetd_child_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the inetd_child port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_inetd_child_port',`
+ gen_require(`
+ type inetd_child_port_t;
+ ')
+
+ allow $1 inetd_child_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send inetd_child_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_inetd_child_client_packets',`
+ gen_require(`
+ type inetd_child_client_packet_t;
+ ')
+
+ allow $1 inetd_child_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send inetd_child_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_inetd_child_client_packets',`
+ gen_require(`
+ type inetd_child_client_packet_t;
+ ')
+
+ dontaudit $1 inetd_child_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive inetd_child_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_inetd_child_client_packets',`
+ gen_require(`
+ type inetd_child_client_packet_t;
+ ')
+
+ allow $1 inetd_child_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive inetd_child_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_inetd_child_client_packets',`
+ gen_require(`
+ type inetd_child_client_packet_t;
+ ')
+
+ dontaudit $1 inetd_child_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive inetd_child_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_inetd_child_client_packets',`
+ corenet_send_inetd_child_client_packets($1)
+ corenet_receive_inetd_child_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive inetd_child_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_inetd_child_client_packets',`
+ corenet_dontaudit_send_inetd_child_client_packets($1)
+ corenet_dontaudit_receive_inetd_child_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to inetd_child_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_inetd_child_client_packets',`
+ gen_require(`
+ type inetd_child_client_packet_t;
+ ')
+
+ allow $1 inetd_child_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send inetd_child_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_inetd_child_server_packets',`
+ gen_require(`
+ type inetd_child_server_packet_t;
+ ')
+
+ allow $1 inetd_child_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send inetd_child_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_inetd_child_server_packets',`
+ gen_require(`
+ type inetd_child_server_packet_t;
+ ')
+
+ dontaudit $1 inetd_child_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive inetd_child_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_inetd_child_server_packets',`
+ gen_require(`
+ type inetd_child_server_packet_t;
+ ')
+
+ allow $1 inetd_child_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive inetd_child_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_inetd_child_server_packets',`
+ gen_require(`
+ type inetd_child_server_packet_t;
+ ')
+
+ dontaudit $1 inetd_child_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive inetd_child_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_inetd_child_server_packets',`
+ corenet_send_inetd_child_server_packets($1)
+ corenet_receive_inetd_child_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive inetd_child_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_inetd_child_server_packets',`
+ corenet_dontaudit_send_inetd_child_server_packets($1)
+ corenet_dontaudit_receive_inetd_child_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to inetd_child_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_inetd_child_server_packets',`
+ gen_require(`
+ type inetd_child_server_packet_t;
+ ')
+
+ allow $1 inetd_child_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the innd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_innd_port',`
+ gen_require(`
+ type innd_port_t;
+ ')
+
+ allow $1 innd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the innd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_innd_port',`
+ gen_require(`
+ type innd_port_t;
+ ')
+
+ allow $1 innd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the innd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_innd_port',`
+ gen_require(`
+ type innd_port_t;
+ ')
+
+ dontaudit $1 innd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the innd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_innd_port',`
+ gen_require(`
+ type innd_port_t;
+ ')
+
+ allow $1 innd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the innd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_innd_port',`
+ gen_require(`
+ type innd_port_t;
+ ')
+
+ dontaudit $1 innd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the innd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_innd_port',`
+ corenet_udp_send_innd_port($1)
+ corenet_udp_receive_innd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the innd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_innd_port',`
+ corenet_dontaudit_udp_send_innd_port($1)
+ corenet_dontaudit_udp_receive_innd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the innd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_innd_port',`
+ gen_require(`
+ type innd_port_t;
+ ')
+
+ allow $1 innd_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the innd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_innd_port',`
+ gen_require(`
+ type innd_port_t;
+ ')
+
+ allow $1 innd_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the innd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_innd_port',`
+ gen_require(`
+ type innd_port_t;
+ ')
+
+ allow $1 innd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send innd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_innd_client_packets',`
+ gen_require(`
+ type innd_client_packet_t;
+ ')
+
+ allow $1 innd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send innd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_innd_client_packets',`
+ gen_require(`
+ type innd_client_packet_t;
+ ')
+
+ dontaudit $1 innd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive innd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_innd_client_packets',`
+ gen_require(`
+ type innd_client_packet_t;
+ ')
+
+ allow $1 innd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive innd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_innd_client_packets',`
+ gen_require(`
+ type innd_client_packet_t;
+ ')
+
+ dontaudit $1 innd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive innd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_innd_client_packets',`
+ corenet_send_innd_client_packets($1)
+ corenet_receive_innd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive innd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_innd_client_packets',`
+ corenet_dontaudit_send_innd_client_packets($1)
+ corenet_dontaudit_receive_innd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to innd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_innd_client_packets',`
+ gen_require(`
+ type innd_client_packet_t;
+ ')
+
+ allow $1 innd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send innd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_innd_server_packets',`
+ gen_require(`
+ type innd_server_packet_t;
+ ')
+
+ allow $1 innd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send innd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_innd_server_packets',`
+ gen_require(`
+ type innd_server_packet_t;
+ ')
+
+ dontaudit $1 innd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive innd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_innd_server_packets',`
+ gen_require(`
+ type innd_server_packet_t;
+ ')
+
+ allow $1 innd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive innd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_innd_server_packets',`
+ gen_require(`
+ type innd_server_packet_t;
+ ')
+
+ dontaudit $1 innd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive innd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_innd_server_packets',`
+ corenet_send_innd_server_packets($1)
+ corenet_receive_innd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive innd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_innd_server_packets',`
+ corenet_dontaudit_send_innd_server_packets($1)
+ corenet_dontaudit_receive_innd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to innd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_innd_server_packets',`
+ gen_require(`
+ type innd_server_packet_t;
+ ')
+
+ allow $1 innd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ipmi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ipmi_port',`
+ gen_require(`
+ type ipmi_port_t;
+ ')
+
+ allow $1 ipmi_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ipmi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ipmi_port',`
+ gen_require(`
+ type ipmi_port_t;
+ ')
+
+ allow $1 ipmi_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ipmi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ipmi_port',`
+ gen_require(`
+ type ipmi_port_t;
+ ')
+
+ dontaudit $1 ipmi_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ipmi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ipmi_port',`
+ gen_require(`
+ type ipmi_port_t;
+ ')
+
+ allow $1 ipmi_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ipmi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ipmi_port',`
+ gen_require(`
+ type ipmi_port_t;
+ ')
+
+ dontaudit $1 ipmi_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ipmi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ipmi_port',`
+ corenet_udp_send_ipmi_port($1)
+ corenet_udp_receive_ipmi_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ipmi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ipmi_port',`
+ corenet_dontaudit_udp_send_ipmi_port($1)
+ corenet_dontaudit_udp_receive_ipmi_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ipmi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ipmi_port',`
+ gen_require(`
+ type ipmi_port_t;
+ ')
+
+ allow $1 ipmi_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ipmi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ipmi_port',`
+ gen_require(`
+ type ipmi_port_t;
+ ')
+
+ allow $1 ipmi_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ipmi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ipmi_port',`
+ gen_require(`
+ type ipmi_port_t;
+ ')
+
+ allow $1 ipmi_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ipmi_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ipmi_client_packets',`
+ gen_require(`
+ type ipmi_client_packet_t;
+ ')
+
+ allow $1 ipmi_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ipmi_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ipmi_client_packets',`
+ gen_require(`
+ type ipmi_client_packet_t;
+ ')
+
+ dontaudit $1 ipmi_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ipmi_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ipmi_client_packets',`
+ gen_require(`
+ type ipmi_client_packet_t;
+ ')
+
+ allow $1 ipmi_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ipmi_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ipmi_client_packets',`
+ gen_require(`
+ type ipmi_client_packet_t;
+ ')
+
+ dontaudit $1 ipmi_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ipmi_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ipmi_client_packets',`
+ corenet_send_ipmi_client_packets($1)
+ corenet_receive_ipmi_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ipmi_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ipmi_client_packets',`
+ corenet_dontaudit_send_ipmi_client_packets($1)
+ corenet_dontaudit_receive_ipmi_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ipmi_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ipmi_client_packets',`
+ gen_require(`
+ type ipmi_client_packet_t;
+ ')
+
+ allow $1 ipmi_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ipmi_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ipmi_server_packets',`
+ gen_require(`
+ type ipmi_server_packet_t;
+ ')
+
+ allow $1 ipmi_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ipmi_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ipmi_server_packets',`
+ gen_require(`
+ type ipmi_server_packet_t;
+ ')
+
+ dontaudit $1 ipmi_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ipmi_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ipmi_server_packets',`
+ gen_require(`
+ type ipmi_server_packet_t;
+ ')
+
+ allow $1 ipmi_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ipmi_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ipmi_server_packets',`
+ gen_require(`
+ type ipmi_server_packet_t;
+ ')
+
+ dontaudit $1 ipmi_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ipmi_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ipmi_server_packets',`
+ corenet_send_ipmi_server_packets($1)
+ corenet_receive_ipmi_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ipmi_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ipmi_server_packets',`
+ corenet_dontaudit_send_ipmi_server_packets($1)
+ corenet_dontaudit_receive_ipmi_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ipmi_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ipmi_server_packets',`
+ gen_require(`
+ type ipmi_server_packet_t;
+ ')
+
+ allow $1 ipmi_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ipp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ipp_port',`
+ gen_require(`
+ type ipp_port_t;
+ ')
+
+ allow $1 ipp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ipp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ipp_port',`
+ gen_require(`
+ type ipp_port_t;
+ ')
+
+ allow $1 ipp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ipp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ipp_port',`
+ gen_require(`
+ type ipp_port_t;
+ ')
+
+ dontaudit $1 ipp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ipp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ipp_port',`
+ gen_require(`
+ type ipp_port_t;
+ ')
+
+ allow $1 ipp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ipp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ipp_port',`
+ gen_require(`
+ type ipp_port_t;
+ ')
+
+ dontaudit $1 ipp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ipp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ipp_port',`
+ corenet_udp_send_ipp_port($1)
+ corenet_udp_receive_ipp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ipp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ipp_port',`
+ corenet_dontaudit_udp_send_ipp_port($1)
+ corenet_dontaudit_udp_receive_ipp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ipp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ipp_port',`
+ gen_require(`
+ type ipp_port_t;
+ ')
+
+ allow $1 ipp_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ipp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ipp_port',`
+ gen_require(`
+ type ipp_port_t;
+ ')
+
+ allow $1 ipp_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ipp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ipp_port',`
+ gen_require(`
+ type ipp_port_t;
+ ')
+
+ allow $1 ipp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ipp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ipp_client_packets',`
+ gen_require(`
+ type ipp_client_packet_t;
+ ')
+
+ allow $1 ipp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ipp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ipp_client_packets',`
+ gen_require(`
+ type ipp_client_packet_t;
+ ')
+
+ dontaudit $1 ipp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ipp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ipp_client_packets',`
+ gen_require(`
+ type ipp_client_packet_t;
+ ')
+
+ allow $1 ipp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ipp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ipp_client_packets',`
+ gen_require(`
+ type ipp_client_packet_t;
+ ')
+
+ dontaudit $1 ipp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ipp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ipp_client_packets',`
+ corenet_send_ipp_client_packets($1)
+ corenet_receive_ipp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ipp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ipp_client_packets',`
+ corenet_dontaudit_send_ipp_client_packets($1)
+ corenet_dontaudit_receive_ipp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ipp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ipp_client_packets',`
+ gen_require(`
+ type ipp_client_packet_t;
+ ')
+
+ allow $1 ipp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ipp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ipp_server_packets',`
+ gen_require(`
+ type ipp_server_packet_t;
+ ')
+
+ allow $1 ipp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ipp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ipp_server_packets',`
+ gen_require(`
+ type ipp_server_packet_t;
+ ')
+
+ dontaudit $1 ipp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ipp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ipp_server_packets',`
+ gen_require(`
+ type ipp_server_packet_t;
+ ')
+
+ allow $1 ipp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ipp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ipp_server_packets',`
+ gen_require(`
+ type ipp_server_packet_t;
+ ')
+
+ dontaudit $1 ipp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ipp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ipp_server_packets',`
+ corenet_send_ipp_server_packets($1)
+ corenet_receive_ipp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ipp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ipp_server_packets',`
+ corenet_dontaudit_send_ipp_server_packets($1)
+ corenet_dontaudit_receive_ipp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ipp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ipp_server_packets',`
+ gen_require(`
+ type ipp_server_packet_t;
+ ')
+
+ allow $1 ipp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ipsecnat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ipsecnat_port',`
+ gen_require(`
+ type ipsecnat_port_t;
+ ')
+
+ allow $1 ipsecnat_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ipsecnat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ipsecnat_port',`
+ gen_require(`
+ type ipsecnat_port_t;
+ ')
+
+ allow $1 ipsecnat_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ipsecnat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ipsecnat_port',`
+ gen_require(`
+ type ipsecnat_port_t;
+ ')
+
+ dontaudit $1 ipsecnat_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ipsecnat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ipsecnat_port',`
+ gen_require(`
+ type ipsecnat_port_t;
+ ')
+
+ allow $1 ipsecnat_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ipsecnat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ipsecnat_port',`
+ gen_require(`
+ type ipsecnat_port_t;
+ ')
+
+ dontaudit $1 ipsecnat_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ipsecnat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ipsecnat_port',`
+ corenet_udp_send_ipsecnat_port($1)
+ corenet_udp_receive_ipsecnat_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ipsecnat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ipsecnat_port',`
+ corenet_dontaudit_udp_send_ipsecnat_port($1)
+ corenet_dontaudit_udp_receive_ipsecnat_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ipsecnat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ipsecnat_port',`
+ gen_require(`
+ type ipsecnat_port_t;
+ ')
+
+ allow $1 ipsecnat_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ipsecnat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ipsecnat_port',`
+ gen_require(`
+ type ipsecnat_port_t;
+ ')
+
+ allow $1 ipsecnat_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ipsecnat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ipsecnat_port',`
+ gen_require(`
+ type ipsecnat_port_t;
+ ')
+
+ allow $1 ipsecnat_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ipsecnat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ipsecnat_client_packets',`
+ gen_require(`
+ type ipsecnat_client_packet_t;
+ ')
+
+ allow $1 ipsecnat_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ipsecnat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ipsecnat_client_packets',`
+ gen_require(`
+ type ipsecnat_client_packet_t;
+ ')
+
+ dontaudit $1 ipsecnat_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ipsecnat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ipsecnat_client_packets',`
+ gen_require(`
+ type ipsecnat_client_packet_t;
+ ')
+
+ allow $1 ipsecnat_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ipsecnat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ipsecnat_client_packets',`
+ gen_require(`
+ type ipsecnat_client_packet_t;
+ ')
+
+ dontaudit $1 ipsecnat_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ipsecnat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ipsecnat_client_packets',`
+ corenet_send_ipsecnat_client_packets($1)
+ corenet_receive_ipsecnat_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ipsecnat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ipsecnat_client_packets',`
+ corenet_dontaudit_send_ipsecnat_client_packets($1)
+ corenet_dontaudit_receive_ipsecnat_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ipsecnat_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ipsecnat_client_packets',`
+ gen_require(`
+ type ipsecnat_client_packet_t;
+ ')
+
+ allow $1 ipsecnat_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ipsecnat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ipsecnat_server_packets',`
+ gen_require(`
+ type ipsecnat_server_packet_t;
+ ')
+
+ allow $1 ipsecnat_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ipsecnat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ipsecnat_server_packets',`
+ gen_require(`
+ type ipsecnat_server_packet_t;
+ ')
+
+ dontaudit $1 ipsecnat_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ipsecnat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ipsecnat_server_packets',`
+ gen_require(`
+ type ipsecnat_server_packet_t;
+ ')
+
+ allow $1 ipsecnat_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ipsecnat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ipsecnat_server_packets',`
+ gen_require(`
+ type ipsecnat_server_packet_t;
+ ')
+
+ dontaudit $1 ipsecnat_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ipsecnat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ipsecnat_server_packets',`
+ corenet_send_ipsecnat_server_packets($1)
+ corenet_receive_ipsecnat_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ipsecnat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ipsecnat_server_packets',`
+ corenet_dontaudit_send_ipsecnat_server_packets($1)
+ corenet_dontaudit_receive_ipsecnat_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ipsecnat_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ipsecnat_server_packets',`
+ gen_require(`
+ type ipsecnat_server_packet_t;
+ ')
+
+ allow $1 ipsecnat_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ircd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ircd_port',`
+ gen_require(`
+ type ircd_port_t;
+ ')
+
+ allow $1 ircd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ircd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ircd_port',`
+ gen_require(`
+ type ircd_port_t;
+ ')
+
+ allow $1 ircd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ircd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ircd_port',`
+ gen_require(`
+ type ircd_port_t;
+ ')
+
+ dontaudit $1 ircd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ircd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ircd_port',`
+ gen_require(`
+ type ircd_port_t;
+ ')
+
+ allow $1 ircd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ircd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ircd_port',`
+ gen_require(`
+ type ircd_port_t;
+ ')
+
+ dontaudit $1 ircd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ircd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ircd_port',`
+ corenet_udp_send_ircd_port($1)
+ corenet_udp_receive_ircd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ircd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ircd_port',`
+ corenet_dontaudit_udp_send_ircd_port($1)
+ corenet_dontaudit_udp_receive_ircd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ircd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ircd_port',`
+ gen_require(`
+ type ircd_port_t;
+ ')
+
+ allow $1 ircd_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ircd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ircd_port',`
+ gen_require(`
+ type ircd_port_t;
+ ')
+
+ allow $1 ircd_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ircd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ircd_port',`
+ gen_require(`
+ type ircd_port_t;
+ ')
+
+ allow $1 ircd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ircd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ircd_client_packets',`
+ gen_require(`
+ type ircd_client_packet_t;
+ ')
+
+ allow $1 ircd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ircd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ircd_client_packets',`
+ gen_require(`
+ type ircd_client_packet_t;
+ ')
+
+ dontaudit $1 ircd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ircd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ircd_client_packets',`
+ gen_require(`
+ type ircd_client_packet_t;
+ ')
+
+ allow $1 ircd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ircd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ircd_client_packets',`
+ gen_require(`
+ type ircd_client_packet_t;
+ ')
+
+ dontaudit $1 ircd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ircd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ircd_client_packets',`
+ corenet_send_ircd_client_packets($1)
+ corenet_receive_ircd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ircd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ircd_client_packets',`
+ corenet_dontaudit_send_ircd_client_packets($1)
+ corenet_dontaudit_receive_ircd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ircd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ircd_client_packets',`
+ gen_require(`
+ type ircd_client_packet_t;
+ ')
+
+ allow $1 ircd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ircd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ircd_server_packets',`
+ gen_require(`
+ type ircd_server_packet_t;
+ ')
+
+ allow $1 ircd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ircd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ircd_server_packets',`
+ gen_require(`
+ type ircd_server_packet_t;
+ ')
+
+ dontaudit $1 ircd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ircd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ircd_server_packets',`
+ gen_require(`
+ type ircd_server_packet_t;
+ ')
+
+ allow $1 ircd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ircd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ircd_server_packets',`
+ gen_require(`
+ type ircd_server_packet_t;
+ ')
+
+ dontaudit $1 ircd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ircd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ircd_server_packets',`
+ corenet_send_ircd_server_packets($1)
+ corenet_receive_ircd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ircd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ircd_server_packets',`
+ corenet_dontaudit_send_ircd_server_packets($1)
+ corenet_dontaudit_receive_ircd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ircd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ircd_server_packets',`
+ gen_require(`
+ type ircd_server_packet_t;
+ ')
+
+ allow $1 ircd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the isakmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_isakmp_port',`
+ gen_require(`
+ type isakmp_port_t;
+ ')
+
+ allow $1 isakmp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the isakmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_isakmp_port',`
+ gen_require(`
+ type isakmp_port_t;
+ ')
+
+ allow $1 isakmp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the isakmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_isakmp_port',`
+ gen_require(`
+ type isakmp_port_t;
+ ')
+
+ dontaudit $1 isakmp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the isakmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_isakmp_port',`
+ gen_require(`
+ type isakmp_port_t;
+ ')
+
+ allow $1 isakmp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the isakmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_isakmp_port',`
+ gen_require(`
+ type isakmp_port_t;
+ ')
+
+ dontaudit $1 isakmp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the isakmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_isakmp_port',`
+ corenet_udp_send_isakmp_port($1)
+ corenet_udp_receive_isakmp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the isakmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_isakmp_port',`
+ corenet_dontaudit_udp_send_isakmp_port($1)
+ corenet_dontaudit_udp_receive_isakmp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the isakmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_isakmp_port',`
+ gen_require(`
+ type isakmp_port_t;
+ ')
+
+ allow $1 isakmp_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the isakmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_isakmp_port',`
+ gen_require(`
+ type isakmp_port_t;
+ ')
+
+ allow $1 isakmp_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the isakmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_isakmp_port',`
+ gen_require(`
+ type isakmp_port_t;
+ ')
+
+ allow $1 isakmp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send isakmp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_isakmp_client_packets',`
+ gen_require(`
+ type isakmp_client_packet_t;
+ ')
+
+ allow $1 isakmp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send isakmp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_isakmp_client_packets',`
+ gen_require(`
+ type isakmp_client_packet_t;
+ ')
+
+ dontaudit $1 isakmp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive isakmp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_isakmp_client_packets',`
+ gen_require(`
+ type isakmp_client_packet_t;
+ ')
+
+ allow $1 isakmp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive isakmp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_isakmp_client_packets',`
+ gen_require(`
+ type isakmp_client_packet_t;
+ ')
+
+ dontaudit $1 isakmp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive isakmp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_isakmp_client_packets',`
+ corenet_send_isakmp_client_packets($1)
+ corenet_receive_isakmp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive isakmp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_isakmp_client_packets',`
+ corenet_dontaudit_send_isakmp_client_packets($1)
+ corenet_dontaudit_receive_isakmp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to isakmp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_isakmp_client_packets',`
+ gen_require(`
+ type isakmp_client_packet_t;
+ ')
+
+ allow $1 isakmp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send isakmp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_isakmp_server_packets',`
+ gen_require(`
+ type isakmp_server_packet_t;
+ ')
+
+ allow $1 isakmp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send isakmp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_isakmp_server_packets',`
+ gen_require(`
+ type isakmp_server_packet_t;
+ ')
+
+ dontaudit $1 isakmp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive isakmp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_isakmp_server_packets',`
+ gen_require(`
+ type isakmp_server_packet_t;
+ ')
+
+ allow $1 isakmp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive isakmp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_isakmp_server_packets',`
+ gen_require(`
+ type isakmp_server_packet_t;
+ ')
+
+ dontaudit $1 isakmp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive isakmp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_isakmp_server_packets',`
+ corenet_send_isakmp_server_packets($1)
+ corenet_receive_isakmp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive isakmp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_isakmp_server_packets',`
+ corenet_dontaudit_send_isakmp_server_packets($1)
+ corenet_dontaudit_receive_isakmp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to isakmp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_isakmp_server_packets',`
+ gen_require(`
+ type isakmp_server_packet_t;
+ ')
+
+ allow $1 isakmp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the iscsi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_iscsi_port',`
+ gen_require(`
+ type iscsi_port_t;
+ ')
+
+ allow $1 iscsi_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the iscsi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_iscsi_port',`
+ gen_require(`
+ type iscsi_port_t;
+ ')
+
+ allow $1 iscsi_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the iscsi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_iscsi_port',`
+ gen_require(`
+ type iscsi_port_t;
+ ')
+
+ dontaudit $1 iscsi_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the iscsi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_iscsi_port',`
+ gen_require(`
+ type iscsi_port_t;
+ ')
+
+ allow $1 iscsi_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the iscsi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_iscsi_port',`
+ gen_require(`
+ type iscsi_port_t;
+ ')
+
+ dontaudit $1 iscsi_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the iscsi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_iscsi_port',`
+ corenet_udp_send_iscsi_port($1)
+ corenet_udp_receive_iscsi_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the iscsi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_iscsi_port',`
+ corenet_dontaudit_udp_send_iscsi_port($1)
+ corenet_dontaudit_udp_receive_iscsi_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the iscsi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_iscsi_port',`
+ gen_require(`
+ type iscsi_port_t;
+ ')
+
+ allow $1 iscsi_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the iscsi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_iscsi_port',`
+ gen_require(`
+ type iscsi_port_t;
+ ')
+
+ allow $1 iscsi_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the iscsi port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_iscsi_port',`
+ gen_require(`
+ type iscsi_port_t;
+ ')
+
+ allow $1 iscsi_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send iscsi_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_iscsi_client_packets',`
+ gen_require(`
+ type iscsi_client_packet_t;
+ ')
+
+ allow $1 iscsi_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send iscsi_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_iscsi_client_packets',`
+ gen_require(`
+ type iscsi_client_packet_t;
+ ')
+
+ dontaudit $1 iscsi_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive iscsi_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_iscsi_client_packets',`
+ gen_require(`
+ type iscsi_client_packet_t;
+ ')
+
+ allow $1 iscsi_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive iscsi_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_iscsi_client_packets',`
+ gen_require(`
+ type iscsi_client_packet_t;
+ ')
+
+ dontaudit $1 iscsi_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive iscsi_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_iscsi_client_packets',`
+ corenet_send_iscsi_client_packets($1)
+ corenet_receive_iscsi_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive iscsi_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_iscsi_client_packets',`
+ corenet_dontaudit_send_iscsi_client_packets($1)
+ corenet_dontaudit_receive_iscsi_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to iscsi_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_iscsi_client_packets',`
+ gen_require(`
+ type iscsi_client_packet_t;
+ ')
+
+ allow $1 iscsi_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send iscsi_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_iscsi_server_packets',`
+ gen_require(`
+ type iscsi_server_packet_t;
+ ')
+
+ allow $1 iscsi_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send iscsi_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_iscsi_server_packets',`
+ gen_require(`
+ type iscsi_server_packet_t;
+ ')
+
+ dontaudit $1 iscsi_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive iscsi_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_iscsi_server_packets',`
+ gen_require(`
+ type iscsi_server_packet_t;
+ ')
+
+ allow $1 iscsi_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive iscsi_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_iscsi_server_packets',`
+ gen_require(`
+ type iscsi_server_packet_t;
+ ')
+
+ dontaudit $1 iscsi_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive iscsi_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_iscsi_server_packets',`
+ corenet_send_iscsi_server_packets($1)
+ corenet_receive_iscsi_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive iscsi_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_iscsi_server_packets',`
+ corenet_dontaudit_send_iscsi_server_packets($1)
+ corenet_dontaudit_receive_iscsi_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to iscsi_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_iscsi_server_packets',`
+ gen_require(`
+ type iscsi_server_packet_t;
+ ')
+
+ allow $1 iscsi_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the isns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_isns_port',`
+ gen_require(`
+ type isns_port_t;
+ ')
+
+ allow $1 isns_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the isns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_isns_port',`
+ gen_require(`
+ type isns_port_t;
+ ')
+
+ allow $1 isns_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the isns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_isns_port',`
+ gen_require(`
+ type isns_port_t;
+ ')
+
+ dontaudit $1 isns_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the isns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_isns_port',`
+ gen_require(`
+ type isns_port_t;
+ ')
+
+ allow $1 isns_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the isns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_isns_port',`
+ gen_require(`
+ type isns_port_t;
+ ')
+
+ dontaudit $1 isns_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the isns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_isns_port',`
+ corenet_udp_send_isns_port($1)
+ corenet_udp_receive_isns_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the isns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_isns_port',`
+ corenet_dontaudit_udp_send_isns_port($1)
+ corenet_dontaudit_udp_receive_isns_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the isns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_isns_port',`
+ gen_require(`
+ type isns_port_t;
+ ')
+
+ allow $1 isns_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the isns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_isns_port',`
+ gen_require(`
+ type isns_port_t;
+ ')
+
+ allow $1 isns_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the isns port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_isns_port',`
+ gen_require(`
+ type isns_port_t;
+ ')
+
+ allow $1 isns_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send isns_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_isns_client_packets',`
+ gen_require(`
+ type isns_client_packet_t;
+ ')
+
+ allow $1 isns_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send isns_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_isns_client_packets',`
+ gen_require(`
+ type isns_client_packet_t;
+ ')
+
+ dontaudit $1 isns_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive isns_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_isns_client_packets',`
+ gen_require(`
+ type isns_client_packet_t;
+ ')
+
+ allow $1 isns_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive isns_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_isns_client_packets',`
+ gen_require(`
+ type isns_client_packet_t;
+ ')
+
+ dontaudit $1 isns_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive isns_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_isns_client_packets',`
+ corenet_send_isns_client_packets($1)
+ corenet_receive_isns_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive isns_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_isns_client_packets',`
+ corenet_dontaudit_send_isns_client_packets($1)
+ corenet_dontaudit_receive_isns_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to isns_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_isns_client_packets',`
+ gen_require(`
+ type isns_client_packet_t;
+ ')
+
+ allow $1 isns_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send isns_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_isns_server_packets',`
+ gen_require(`
+ type isns_server_packet_t;
+ ')
+
+ allow $1 isns_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send isns_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_isns_server_packets',`
+ gen_require(`
+ type isns_server_packet_t;
+ ')
+
+ dontaudit $1 isns_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive isns_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_isns_server_packets',`
+ gen_require(`
+ type isns_server_packet_t;
+ ')
+
+ allow $1 isns_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive isns_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_isns_server_packets',`
+ gen_require(`
+ type isns_server_packet_t;
+ ')
+
+ dontaudit $1 isns_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive isns_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_isns_server_packets',`
+ corenet_send_isns_server_packets($1)
+ corenet_receive_isns_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive isns_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_isns_server_packets',`
+ corenet_dontaudit_send_isns_server_packets($1)
+ corenet_dontaudit_receive_isns_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to isns_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_isns_server_packets',`
+ gen_require(`
+ type isns_server_packet_t;
+ ')
+
+ allow $1 isns_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the jabber_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_jabber_client_port',`
+ gen_require(`
+ type jabber_client_port_t;
+ ')
+
+ allow $1 jabber_client_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the jabber_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_jabber_client_port',`
+ gen_require(`
+ type jabber_client_port_t;
+ ')
+
+ allow $1 jabber_client_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the jabber_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_jabber_client_port',`
+ gen_require(`
+ type jabber_client_port_t;
+ ')
+
+ dontaudit $1 jabber_client_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the jabber_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_jabber_client_port',`
+ gen_require(`
+ type jabber_client_port_t;
+ ')
+
+ allow $1 jabber_client_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the jabber_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_jabber_client_port',`
+ gen_require(`
+ type jabber_client_port_t;
+ ')
+
+ dontaudit $1 jabber_client_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the jabber_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_jabber_client_port',`
+ corenet_udp_send_jabber_client_port($1)
+ corenet_udp_receive_jabber_client_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the jabber_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_jabber_client_port',`
+ corenet_dontaudit_udp_send_jabber_client_port($1)
+ corenet_dontaudit_udp_receive_jabber_client_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the jabber_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_jabber_client_port',`
+ gen_require(`
+ type jabber_client_port_t;
+ ')
+
+ allow $1 jabber_client_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the jabber_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_jabber_client_port',`
+ gen_require(`
+ type jabber_client_port_t;
+ ')
+
+ allow $1 jabber_client_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the jabber_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_jabber_client_port',`
+ gen_require(`
+ type jabber_client_port_t;
+ ')
+
+ allow $1 jabber_client_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send jabber_client_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_jabber_client_client_packets',`
+ gen_require(`
+ type jabber_client_client_packet_t;
+ ')
+
+ allow $1 jabber_client_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send jabber_client_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_jabber_client_client_packets',`
+ gen_require(`
+ type jabber_client_client_packet_t;
+ ')
+
+ dontaudit $1 jabber_client_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive jabber_client_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_jabber_client_client_packets',`
+ gen_require(`
+ type jabber_client_client_packet_t;
+ ')
+
+ allow $1 jabber_client_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive jabber_client_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_jabber_client_client_packets',`
+ gen_require(`
+ type jabber_client_client_packet_t;
+ ')
+
+ dontaudit $1 jabber_client_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive jabber_client_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_jabber_client_client_packets',`
+ corenet_send_jabber_client_client_packets($1)
+ corenet_receive_jabber_client_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive jabber_client_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_jabber_client_client_packets',`
+ corenet_dontaudit_send_jabber_client_client_packets($1)
+ corenet_dontaudit_receive_jabber_client_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to jabber_client_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_jabber_client_client_packets',`
+ gen_require(`
+ type jabber_client_client_packet_t;
+ ')
+
+ allow $1 jabber_client_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send jabber_client_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_jabber_client_server_packets',`
+ gen_require(`
+ type jabber_client_server_packet_t;
+ ')
+
+ allow $1 jabber_client_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send jabber_client_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_jabber_client_server_packets',`
+ gen_require(`
+ type jabber_client_server_packet_t;
+ ')
+
+ dontaudit $1 jabber_client_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive jabber_client_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_jabber_client_server_packets',`
+ gen_require(`
+ type jabber_client_server_packet_t;
+ ')
+
+ allow $1 jabber_client_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive jabber_client_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_jabber_client_server_packets',`
+ gen_require(`
+ type jabber_client_server_packet_t;
+ ')
+
+ dontaudit $1 jabber_client_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive jabber_client_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_jabber_client_server_packets',`
+ corenet_send_jabber_client_server_packets($1)
+ corenet_receive_jabber_client_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive jabber_client_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_jabber_client_server_packets',`
+ corenet_dontaudit_send_jabber_client_server_packets($1)
+ corenet_dontaudit_receive_jabber_client_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to jabber_client_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_jabber_client_server_packets',`
+ gen_require(`
+ type jabber_client_server_packet_t;
+ ')
+
+ allow $1 jabber_client_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the jabber_interserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_jabber_interserver_port',`
+ gen_require(`
+ type jabber_interserver_port_t;
+ ')
+
+ allow $1 jabber_interserver_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the jabber_interserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_jabber_interserver_port',`
+ gen_require(`
+ type jabber_interserver_port_t;
+ ')
+
+ allow $1 jabber_interserver_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the jabber_interserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_jabber_interserver_port',`
+ gen_require(`
+ type jabber_interserver_port_t;
+ ')
+
+ dontaudit $1 jabber_interserver_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the jabber_interserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_jabber_interserver_port',`
+ gen_require(`
+ type jabber_interserver_port_t;
+ ')
+
+ allow $1 jabber_interserver_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the jabber_interserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_jabber_interserver_port',`
+ gen_require(`
+ type jabber_interserver_port_t;
+ ')
+
+ dontaudit $1 jabber_interserver_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the jabber_interserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_jabber_interserver_port',`
+ corenet_udp_send_jabber_interserver_port($1)
+ corenet_udp_receive_jabber_interserver_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the jabber_interserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_jabber_interserver_port',`
+ corenet_dontaudit_udp_send_jabber_interserver_port($1)
+ corenet_dontaudit_udp_receive_jabber_interserver_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the jabber_interserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_jabber_interserver_port',`
+ gen_require(`
+ type jabber_interserver_port_t;
+ ')
+
+ allow $1 jabber_interserver_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the jabber_interserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_jabber_interserver_port',`
+ gen_require(`
+ type jabber_interserver_port_t;
+ ')
+
+ allow $1 jabber_interserver_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the jabber_interserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_jabber_interserver_port',`
+ gen_require(`
+ type jabber_interserver_port_t;
+ ')
+
+ allow $1 jabber_interserver_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send jabber_interserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_jabber_interserver_client_packets',`
+ gen_require(`
+ type jabber_interserver_client_packet_t;
+ ')
+
+ allow $1 jabber_interserver_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send jabber_interserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_jabber_interserver_client_packets',`
+ gen_require(`
+ type jabber_interserver_client_packet_t;
+ ')
+
+ dontaudit $1 jabber_interserver_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive jabber_interserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_jabber_interserver_client_packets',`
+ gen_require(`
+ type jabber_interserver_client_packet_t;
+ ')
+
+ allow $1 jabber_interserver_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive jabber_interserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_jabber_interserver_client_packets',`
+ gen_require(`
+ type jabber_interserver_client_packet_t;
+ ')
+
+ dontaudit $1 jabber_interserver_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive jabber_interserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_jabber_interserver_client_packets',`
+ corenet_send_jabber_interserver_client_packets($1)
+ corenet_receive_jabber_interserver_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive jabber_interserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_jabber_interserver_client_packets',`
+ corenet_dontaudit_send_jabber_interserver_client_packets($1)
+ corenet_dontaudit_receive_jabber_interserver_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to jabber_interserver_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_jabber_interserver_client_packets',`
+ gen_require(`
+ type jabber_interserver_client_packet_t;
+ ')
+
+ allow $1 jabber_interserver_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send jabber_interserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_jabber_interserver_server_packets',`
+ gen_require(`
+ type jabber_interserver_server_packet_t;
+ ')
+
+ allow $1 jabber_interserver_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send jabber_interserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_jabber_interserver_server_packets',`
+ gen_require(`
+ type jabber_interserver_server_packet_t;
+ ')
+
+ dontaudit $1 jabber_interserver_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive jabber_interserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_jabber_interserver_server_packets',`
+ gen_require(`
+ type jabber_interserver_server_packet_t;
+ ')
+
+ allow $1 jabber_interserver_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive jabber_interserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_jabber_interserver_server_packets',`
+ gen_require(`
+ type jabber_interserver_server_packet_t;
+ ')
+
+ dontaudit $1 jabber_interserver_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive jabber_interserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_jabber_interserver_server_packets',`
+ corenet_send_jabber_interserver_server_packets($1)
+ corenet_receive_jabber_interserver_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive jabber_interserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_jabber_interserver_server_packets',`
+ corenet_dontaudit_send_jabber_interserver_server_packets($1)
+ corenet_dontaudit_receive_jabber_interserver_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to jabber_interserver_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_jabber_interserver_server_packets',`
+ gen_require(`
+ type jabber_interserver_server_packet_t;
+ ')
+
+ allow $1 jabber_interserver_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the kerberos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_kerberos_port',`
+ gen_require(`
+ type kerberos_port_t;
+ ')
+
+ allow $1 kerberos_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the kerberos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_kerberos_port',`
+ gen_require(`
+ type kerberos_port_t;
+ ')
+
+ allow $1 kerberos_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the kerberos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_kerberos_port',`
+ gen_require(`
+ type kerberos_port_t;
+ ')
+
+ dontaudit $1 kerberos_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the kerberos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_kerberos_port',`
+ gen_require(`
+ type kerberos_port_t;
+ ')
+
+ allow $1 kerberos_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the kerberos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_kerberos_port',`
+ gen_require(`
+ type kerberos_port_t;
+ ')
+
+ dontaudit $1 kerberos_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the kerberos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_kerberos_port',`
+ corenet_udp_send_kerberos_port($1)
+ corenet_udp_receive_kerberos_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the kerberos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_kerberos_port',`
+ corenet_dontaudit_udp_send_kerberos_port($1)
+ corenet_dontaudit_udp_receive_kerberos_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the kerberos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_kerberos_port',`
+ gen_require(`
+ type kerberos_port_t;
+ ')
+
+ allow $1 kerberos_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the kerberos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_kerberos_port',`
+ gen_require(`
+ type kerberos_port_t;
+ ')
+
+ allow $1 kerberos_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the kerberos port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_kerberos_port',`
+ gen_require(`
+ type kerberos_port_t;
+ ')
+
+ allow $1 kerberos_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send kerberos_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_kerberos_client_packets',`
+ gen_require(`
+ type kerberos_client_packet_t;
+ ')
+
+ allow $1 kerberos_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send kerberos_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_kerberos_client_packets',`
+ gen_require(`
+ type kerberos_client_packet_t;
+ ')
+
+ dontaudit $1 kerberos_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive kerberos_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_kerberos_client_packets',`
+ gen_require(`
+ type kerberos_client_packet_t;
+ ')
+
+ allow $1 kerberos_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive kerberos_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_kerberos_client_packets',`
+ gen_require(`
+ type kerberos_client_packet_t;
+ ')
+
+ dontaudit $1 kerberos_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive kerberos_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_kerberos_client_packets',`
+ corenet_send_kerberos_client_packets($1)
+ corenet_receive_kerberos_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive kerberos_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_kerberos_client_packets',`
+ corenet_dontaudit_send_kerberos_client_packets($1)
+ corenet_dontaudit_receive_kerberos_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to kerberos_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_kerberos_client_packets',`
+ gen_require(`
+ type kerberos_client_packet_t;
+ ')
+
+ allow $1 kerberos_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send kerberos_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_kerberos_server_packets',`
+ gen_require(`
+ type kerberos_server_packet_t;
+ ')
+
+ allow $1 kerberos_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send kerberos_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_kerberos_server_packets',`
+ gen_require(`
+ type kerberos_server_packet_t;
+ ')
+
+ dontaudit $1 kerberos_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive kerberos_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_kerberos_server_packets',`
+ gen_require(`
+ type kerberos_server_packet_t;
+ ')
+
+ allow $1 kerberos_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive kerberos_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_kerberos_server_packets',`
+ gen_require(`
+ type kerberos_server_packet_t;
+ ')
+
+ dontaudit $1 kerberos_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive kerberos_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_kerberos_server_packets',`
+ corenet_send_kerberos_server_packets($1)
+ corenet_receive_kerberos_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive kerberos_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_kerberos_server_packets',`
+ corenet_dontaudit_send_kerberos_server_packets($1)
+ corenet_dontaudit_receive_kerberos_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to kerberos_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_kerberos_server_packets',`
+ gen_require(`
+ type kerberos_server_packet_t;
+ ')
+
+ allow $1 kerberos_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the kerberos_admin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_kerberos_admin_port',`
+ gen_require(`
+ type kerberos_admin_port_t;
+ ')
+
+ allow $1 kerberos_admin_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the kerberos_admin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_kerberos_admin_port',`
+ gen_require(`
+ type kerberos_admin_port_t;
+ ')
+
+ allow $1 kerberos_admin_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the kerberos_admin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_kerberos_admin_port',`
+ gen_require(`
+ type kerberos_admin_port_t;
+ ')
+
+ dontaudit $1 kerberos_admin_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the kerberos_admin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_kerberos_admin_port',`
+ gen_require(`
+ type kerberos_admin_port_t;
+ ')
+
+ allow $1 kerberos_admin_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the kerberos_admin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_kerberos_admin_port',`
+ gen_require(`
+ type kerberos_admin_port_t;
+ ')
+
+ dontaudit $1 kerberos_admin_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the kerberos_admin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_kerberos_admin_port',`
+ corenet_udp_send_kerberos_admin_port($1)
+ corenet_udp_receive_kerberos_admin_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the kerberos_admin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_kerberos_admin_port',`
+ corenet_dontaudit_udp_send_kerberos_admin_port($1)
+ corenet_dontaudit_udp_receive_kerberos_admin_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the kerberos_admin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_kerberos_admin_port',`
+ gen_require(`
+ type kerberos_admin_port_t;
+ ')
+
+ allow $1 kerberos_admin_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the kerberos_admin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_kerberos_admin_port',`
+ gen_require(`
+ type kerberos_admin_port_t;
+ ')
+
+ allow $1 kerberos_admin_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the kerberos_admin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_kerberos_admin_port',`
+ gen_require(`
+ type kerberos_admin_port_t;
+ ')
+
+ allow $1 kerberos_admin_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send kerberos_admin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_kerberos_admin_client_packets',`
+ gen_require(`
+ type kerberos_admin_client_packet_t;
+ ')
+
+ allow $1 kerberos_admin_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send kerberos_admin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_kerberos_admin_client_packets',`
+ gen_require(`
+ type kerberos_admin_client_packet_t;
+ ')
+
+ dontaudit $1 kerberos_admin_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive kerberos_admin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_kerberos_admin_client_packets',`
+ gen_require(`
+ type kerberos_admin_client_packet_t;
+ ')
+
+ allow $1 kerberos_admin_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive kerberos_admin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_kerberos_admin_client_packets',`
+ gen_require(`
+ type kerberos_admin_client_packet_t;
+ ')
+
+ dontaudit $1 kerberos_admin_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive kerberos_admin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_kerberos_admin_client_packets',`
+ corenet_send_kerberos_admin_client_packets($1)
+ corenet_receive_kerberos_admin_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive kerberos_admin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_kerberos_admin_client_packets',`
+ corenet_dontaudit_send_kerberos_admin_client_packets($1)
+ corenet_dontaudit_receive_kerberos_admin_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to kerberos_admin_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_kerberos_admin_client_packets',`
+ gen_require(`
+ type kerberos_admin_client_packet_t;
+ ')
+
+ allow $1 kerberos_admin_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send kerberos_admin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_kerberos_admin_server_packets',`
+ gen_require(`
+ type kerberos_admin_server_packet_t;
+ ')
+
+ allow $1 kerberos_admin_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send kerberos_admin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_kerberos_admin_server_packets',`
+ gen_require(`
+ type kerberos_admin_server_packet_t;
+ ')
+
+ dontaudit $1 kerberos_admin_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive kerberos_admin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_kerberos_admin_server_packets',`
+ gen_require(`
+ type kerberos_admin_server_packet_t;
+ ')
+
+ allow $1 kerberos_admin_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive kerberos_admin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_kerberos_admin_server_packets',`
+ gen_require(`
+ type kerberos_admin_server_packet_t;
+ ')
+
+ dontaudit $1 kerberos_admin_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive kerberos_admin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_kerberos_admin_server_packets',`
+ corenet_send_kerberos_admin_server_packets($1)
+ corenet_receive_kerberos_admin_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive kerberos_admin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_kerberos_admin_server_packets',`
+ corenet_dontaudit_send_kerberos_admin_server_packets($1)
+ corenet_dontaudit_receive_kerberos_admin_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to kerberos_admin_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_kerberos_admin_server_packets',`
+ gen_require(`
+ type kerberos_admin_server_packet_t;
+ ')
+
+ allow $1 kerberos_admin_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the kerberos_master port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_kerberos_master_port',`
+ gen_require(`
+ type kerberos_master_port_t;
+ ')
+
+ allow $1 kerberos_master_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the kerberos_master port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_kerberos_master_port',`
+ gen_require(`
+ type kerberos_master_port_t;
+ ')
+
+ allow $1 kerberos_master_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the kerberos_master port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_kerberos_master_port',`
+ gen_require(`
+ type kerberos_master_port_t;
+ ')
+
+ dontaudit $1 kerberos_master_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the kerberos_master port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_kerberos_master_port',`
+ gen_require(`
+ type kerberos_master_port_t;
+ ')
+
+ allow $1 kerberos_master_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the kerberos_master port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_kerberos_master_port',`
+ gen_require(`
+ type kerberos_master_port_t;
+ ')
+
+ dontaudit $1 kerberos_master_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the kerberos_master port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_kerberos_master_port',`
+ corenet_udp_send_kerberos_master_port($1)
+ corenet_udp_receive_kerberos_master_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the kerberos_master port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_kerberos_master_port',`
+ corenet_dontaudit_udp_send_kerberos_master_port($1)
+ corenet_dontaudit_udp_receive_kerberos_master_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the kerberos_master port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_kerberos_master_port',`
+ gen_require(`
+ type kerberos_master_port_t;
+ ')
+
+ allow $1 kerberos_master_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the kerberos_master port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_kerberos_master_port',`
+ gen_require(`
+ type kerberos_master_port_t;
+ ')
+
+ allow $1 kerberos_master_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the kerberos_master port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_kerberos_master_port',`
+ gen_require(`
+ type kerberos_master_port_t;
+ ')
+
+ allow $1 kerberos_master_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send kerberos_master_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_kerberos_master_client_packets',`
+ gen_require(`
+ type kerberos_master_client_packet_t;
+ ')
+
+ allow $1 kerberos_master_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send kerberos_master_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_kerberos_master_client_packets',`
+ gen_require(`
+ type kerberos_master_client_packet_t;
+ ')
+
+ dontaudit $1 kerberos_master_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive kerberos_master_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_kerberos_master_client_packets',`
+ gen_require(`
+ type kerberos_master_client_packet_t;
+ ')
+
+ allow $1 kerberos_master_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive kerberos_master_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_kerberos_master_client_packets',`
+ gen_require(`
+ type kerberos_master_client_packet_t;
+ ')
+
+ dontaudit $1 kerberos_master_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive kerberos_master_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_kerberos_master_client_packets',`
+ corenet_send_kerberos_master_client_packets($1)
+ corenet_receive_kerberos_master_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive kerberos_master_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_kerberos_master_client_packets',`
+ corenet_dontaudit_send_kerberos_master_client_packets($1)
+ corenet_dontaudit_receive_kerberos_master_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to kerberos_master_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_kerberos_master_client_packets',`
+ gen_require(`
+ type kerberos_master_client_packet_t;
+ ')
+
+ allow $1 kerberos_master_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send kerberos_master_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_kerberos_master_server_packets',`
+ gen_require(`
+ type kerberos_master_server_packet_t;
+ ')
+
+ allow $1 kerberos_master_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send kerberos_master_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_kerberos_master_server_packets',`
+ gen_require(`
+ type kerberos_master_server_packet_t;
+ ')
+
+ dontaudit $1 kerberos_master_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive kerberos_master_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_kerberos_master_server_packets',`
+ gen_require(`
+ type kerberos_master_server_packet_t;
+ ')
+
+ allow $1 kerberos_master_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive kerberos_master_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_kerberos_master_server_packets',`
+ gen_require(`
+ type kerberos_master_server_packet_t;
+ ')
+
+ dontaudit $1 kerberos_master_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive kerberos_master_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_kerberos_master_server_packets',`
+ corenet_send_kerberos_master_server_packets($1)
+ corenet_receive_kerberos_master_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive kerberos_master_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_kerberos_master_server_packets',`
+ corenet_dontaudit_send_kerberos_master_server_packets($1)
+ corenet_dontaudit_receive_kerberos_master_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to kerberos_master_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_kerberos_master_server_packets',`
+ gen_require(`
+ type kerberos_master_server_packet_t;
+ ')
+
+ allow $1 kerberos_master_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the kismet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_kismet_port',`
+ gen_require(`
+ type kismet_port_t;
+ ')
+
+ allow $1 kismet_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the kismet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_kismet_port',`
+ gen_require(`
+ type kismet_port_t;
+ ')
+
+ allow $1 kismet_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the kismet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_kismet_port',`
+ gen_require(`
+ type kismet_port_t;
+ ')
+
+ dontaudit $1 kismet_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the kismet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_kismet_port',`
+ gen_require(`
+ type kismet_port_t;
+ ')
+
+ allow $1 kismet_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the kismet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_kismet_port',`
+ gen_require(`
+ type kismet_port_t;
+ ')
+
+ dontaudit $1 kismet_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the kismet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_kismet_port',`
+ corenet_udp_send_kismet_port($1)
+ corenet_udp_receive_kismet_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the kismet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_kismet_port',`
+ corenet_dontaudit_udp_send_kismet_port($1)
+ corenet_dontaudit_udp_receive_kismet_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the kismet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_kismet_port',`
+ gen_require(`
+ type kismet_port_t;
+ ')
+
+ allow $1 kismet_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the kismet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_kismet_port',`
+ gen_require(`
+ type kismet_port_t;
+ ')
+
+ allow $1 kismet_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the kismet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_kismet_port',`
+ gen_require(`
+ type kismet_port_t;
+ ')
+
+ allow $1 kismet_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send kismet_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_kismet_client_packets',`
+ gen_require(`
+ type kismet_client_packet_t;
+ ')
+
+ allow $1 kismet_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send kismet_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_kismet_client_packets',`
+ gen_require(`
+ type kismet_client_packet_t;
+ ')
+
+ dontaudit $1 kismet_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive kismet_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_kismet_client_packets',`
+ gen_require(`
+ type kismet_client_packet_t;
+ ')
+
+ allow $1 kismet_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive kismet_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_kismet_client_packets',`
+ gen_require(`
+ type kismet_client_packet_t;
+ ')
+
+ dontaudit $1 kismet_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive kismet_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_kismet_client_packets',`
+ corenet_send_kismet_client_packets($1)
+ corenet_receive_kismet_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive kismet_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_kismet_client_packets',`
+ corenet_dontaudit_send_kismet_client_packets($1)
+ corenet_dontaudit_receive_kismet_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to kismet_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_kismet_client_packets',`
+ gen_require(`
+ type kismet_client_packet_t;
+ ')
+
+ allow $1 kismet_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send kismet_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_kismet_server_packets',`
+ gen_require(`
+ type kismet_server_packet_t;
+ ')
+
+ allow $1 kismet_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send kismet_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_kismet_server_packets',`
+ gen_require(`
+ type kismet_server_packet_t;
+ ')
+
+ dontaudit $1 kismet_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive kismet_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_kismet_server_packets',`
+ gen_require(`
+ type kismet_server_packet_t;
+ ')
+
+ allow $1 kismet_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive kismet_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_kismet_server_packets',`
+ gen_require(`
+ type kismet_server_packet_t;
+ ')
+
+ dontaudit $1 kismet_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive kismet_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_kismet_server_packets',`
+ corenet_send_kismet_server_packets($1)
+ corenet_receive_kismet_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive kismet_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_kismet_server_packets',`
+ corenet_dontaudit_send_kismet_server_packets($1)
+ corenet_dontaudit_receive_kismet_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to kismet_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_kismet_server_packets',`
+ gen_require(`
+ type kismet_server_packet_t;
+ ')
+
+ allow $1 kismet_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the kprop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_kprop_port',`
+ gen_require(`
+ type kprop_port_t;
+ ')
+
+ allow $1 kprop_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the kprop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_kprop_port',`
+ gen_require(`
+ type kprop_port_t;
+ ')
+
+ allow $1 kprop_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the kprop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_kprop_port',`
+ gen_require(`
+ type kprop_port_t;
+ ')
+
+ dontaudit $1 kprop_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the kprop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_kprop_port',`
+ gen_require(`
+ type kprop_port_t;
+ ')
+
+ allow $1 kprop_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the kprop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_kprop_port',`
+ gen_require(`
+ type kprop_port_t;
+ ')
+
+ dontaudit $1 kprop_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the kprop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_kprop_port',`
+ corenet_udp_send_kprop_port($1)
+ corenet_udp_receive_kprop_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the kprop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_kprop_port',`
+ corenet_dontaudit_udp_send_kprop_port($1)
+ corenet_dontaudit_udp_receive_kprop_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the kprop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_kprop_port',`
+ gen_require(`
+ type kprop_port_t;
+ ')
+
+ allow $1 kprop_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the kprop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_kprop_port',`
+ gen_require(`
+ type kprop_port_t;
+ ')
+
+ allow $1 kprop_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the kprop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_kprop_port',`
+ gen_require(`
+ type kprop_port_t;
+ ')
+
+ allow $1 kprop_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send kprop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_kprop_client_packets',`
+ gen_require(`
+ type kprop_client_packet_t;
+ ')
+
+ allow $1 kprop_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send kprop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_kprop_client_packets',`
+ gen_require(`
+ type kprop_client_packet_t;
+ ')
+
+ dontaudit $1 kprop_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive kprop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_kprop_client_packets',`
+ gen_require(`
+ type kprop_client_packet_t;
+ ')
+
+ allow $1 kprop_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive kprop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_kprop_client_packets',`
+ gen_require(`
+ type kprop_client_packet_t;
+ ')
+
+ dontaudit $1 kprop_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive kprop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_kprop_client_packets',`
+ corenet_send_kprop_client_packets($1)
+ corenet_receive_kprop_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive kprop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_kprop_client_packets',`
+ corenet_dontaudit_send_kprop_client_packets($1)
+ corenet_dontaudit_receive_kprop_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to kprop_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_kprop_client_packets',`
+ gen_require(`
+ type kprop_client_packet_t;
+ ')
+
+ allow $1 kprop_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send kprop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_kprop_server_packets',`
+ gen_require(`
+ type kprop_server_packet_t;
+ ')
+
+ allow $1 kprop_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send kprop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_kprop_server_packets',`
+ gen_require(`
+ type kprop_server_packet_t;
+ ')
+
+ dontaudit $1 kprop_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive kprop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_kprop_server_packets',`
+ gen_require(`
+ type kprop_server_packet_t;
+ ')
+
+ allow $1 kprop_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive kprop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_kprop_server_packets',`
+ gen_require(`
+ type kprop_server_packet_t;
+ ')
+
+ dontaudit $1 kprop_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive kprop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_kprop_server_packets',`
+ corenet_send_kprop_server_packets($1)
+ corenet_receive_kprop_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive kprop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_kprop_server_packets',`
+ corenet_dontaudit_send_kprop_server_packets($1)
+ corenet_dontaudit_receive_kprop_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to kprop_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_kprop_server_packets',`
+ gen_require(`
+ type kprop_server_packet_t;
+ ')
+
+ allow $1 kprop_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ktalkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ktalkd_port',`
+ gen_require(`
+ type ktalkd_port_t;
+ ')
+
+ allow $1 ktalkd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ktalkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ktalkd_port',`
+ gen_require(`
+ type ktalkd_port_t;
+ ')
+
+ allow $1 ktalkd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ktalkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ktalkd_port',`
+ gen_require(`
+ type ktalkd_port_t;
+ ')
+
+ dontaudit $1 ktalkd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ktalkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ktalkd_port',`
+ gen_require(`
+ type ktalkd_port_t;
+ ')
+
+ allow $1 ktalkd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ktalkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ktalkd_port',`
+ gen_require(`
+ type ktalkd_port_t;
+ ')
+
+ dontaudit $1 ktalkd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ktalkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ktalkd_port',`
+ corenet_udp_send_ktalkd_port($1)
+ corenet_udp_receive_ktalkd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ktalkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ktalkd_port',`
+ corenet_dontaudit_udp_send_ktalkd_port($1)
+ corenet_dontaudit_udp_receive_ktalkd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ktalkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ktalkd_port',`
+ gen_require(`
+ type ktalkd_port_t;
+ ')
+
+ allow $1 ktalkd_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ktalkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ktalkd_port',`
+ gen_require(`
+ type ktalkd_port_t;
+ ')
+
+ allow $1 ktalkd_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ktalkd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ktalkd_port',`
+ gen_require(`
+ type ktalkd_port_t;
+ ')
+
+ allow $1 ktalkd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ktalkd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ktalkd_client_packets',`
+ gen_require(`
+ type ktalkd_client_packet_t;
+ ')
+
+ allow $1 ktalkd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ktalkd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ktalkd_client_packets',`
+ gen_require(`
+ type ktalkd_client_packet_t;
+ ')
+
+ dontaudit $1 ktalkd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ktalkd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ktalkd_client_packets',`
+ gen_require(`
+ type ktalkd_client_packet_t;
+ ')
+
+ allow $1 ktalkd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ktalkd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ktalkd_client_packets',`
+ gen_require(`
+ type ktalkd_client_packet_t;
+ ')
+
+ dontaudit $1 ktalkd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ktalkd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ktalkd_client_packets',`
+ corenet_send_ktalkd_client_packets($1)
+ corenet_receive_ktalkd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ktalkd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ktalkd_client_packets',`
+ corenet_dontaudit_send_ktalkd_client_packets($1)
+ corenet_dontaudit_receive_ktalkd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ktalkd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ktalkd_client_packets',`
+ gen_require(`
+ type ktalkd_client_packet_t;
+ ')
+
+ allow $1 ktalkd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ktalkd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ktalkd_server_packets',`
+ gen_require(`
+ type ktalkd_server_packet_t;
+ ')
+
+ allow $1 ktalkd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ktalkd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ktalkd_server_packets',`
+ gen_require(`
+ type ktalkd_server_packet_t;
+ ')
+
+ dontaudit $1 ktalkd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ktalkd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ktalkd_server_packets',`
+ gen_require(`
+ type ktalkd_server_packet_t;
+ ')
+
+ allow $1 ktalkd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ktalkd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ktalkd_server_packets',`
+ gen_require(`
+ type ktalkd_server_packet_t;
+ ')
+
+ dontaudit $1 ktalkd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ktalkd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ktalkd_server_packets',`
+ corenet_send_ktalkd_server_packets($1)
+ corenet_receive_ktalkd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ktalkd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ktalkd_server_packets',`
+ corenet_dontaudit_send_ktalkd_server_packets($1)
+ corenet_dontaudit_receive_ktalkd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ktalkd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ktalkd_server_packets',`
+ gen_require(`
+ type ktalkd_server_packet_t;
+ ')
+
+ allow $1 ktalkd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ldap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ldap_port',`
+ gen_require(`
+ type ldap_port_t;
+ ')
+
+ allow $1 ldap_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ldap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ldap_port',`
+ gen_require(`
+ type ldap_port_t;
+ ')
+
+ allow $1 ldap_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ldap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ldap_port',`
+ gen_require(`
+ type ldap_port_t;
+ ')
+
+ dontaudit $1 ldap_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ldap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ldap_port',`
+ gen_require(`
+ type ldap_port_t;
+ ')
+
+ allow $1 ldap_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ldap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ldap_port',`
+ gen_require(`
+ type ldap_port_t;
+ ')
+
+ dontaudit $1 ldap_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ldap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ldap_port',`
+ corenet_udp_send_ldap_port($1)
+ corenet_udp_receive_ldap_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ldap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ldap_port',`
+ corenet_dontaudit_udp_send_ldap_port($1)
+ corenet_dontaudit_udp_receive_ldap_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ldap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ldap_port',`
+ gen_require(`
+ type ldap_port_t;
+ ')
+
+ allow $1 ldap_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ldap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ldap_port',`
+ gen_require(`
+ type ldap_port_t;
+ ')
+
+ allow $1 ldap_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ldap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ldap_port',`
+ gen_require(`
+ type ldap_port_t;
+ ')
+
+ allow $1 ldap_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ldap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ldap_client_packets',`
+ gen_require(`
+ type ldap_client_packet_t;
+ ')
+
+ allow $1 ldap_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ldap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ldap_client_packets',`
+ gen_require(`
+ type ldap_client_packet_t;
+ ')
+
+ dontaudit $1 ldap_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ldap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ldap_client_packets',`
+ gen_require(`
+ type ldap_client_packet_t;
+ ')
+
+ allow $1 ldap_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ldap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ldap_client_packets',`
+ gen_require(`
+ type ldap_client_packet_t;
+ ')
+
+ dontaudit $1 ldap_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ldap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ldap_client_packets',`
+ corenet_send_ldap_client_packets($1)
+ corenet_receive_ldap_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ldap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ldap_client_packets',`
+ corenet_dontaudit_send_ldap_client_packets($1)
+ corenet_dontaudit_receive_ldap_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ldap_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ldap_client_packets',`
+ gen_require(`
+ type ldap_client_packet_t;
+ ')
+
+ allow $1 ldap_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ldap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ldap_server_packets',`
+ gen_require(`
+ type ldap_server_packet_t;
+ ')
+
+ allow $1 ldap_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ldap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ldap_server_packets',`
+ gen_require(`
+ type ldap_server_packet_t;
+ ')
+
+ dontaudit $1 ldap_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ldap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ldap_server_packets',`
+ gen_require(`
+ type ldap_server_packet_t;
+ ')
+
+ allow $1 ldap_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ldap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ldap_server_packets',`
+ gen_require(`
+ type ldap_server_packet_t;
+ ')
+
+ dontaudit $1 ldap_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ldap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ldap_server_packets',`
+ corenet_send_ldap_server_packets($1)
+ corenet_receive_ldap_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ldap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ldap_server_packets',`
+ corenet_dontaudit_send_ldap_server_packets($1)
+ corenet_dontaudit_receive_ldap_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ldap_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ldap_server_packets',`
+ gen_require(`
+ type ldap_server_packet_t;
+ ')
+
+ allow $1 ldap_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the lirc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_lirc_port',`
+ gen_require(`
+ type lirc_port_t;
+ ')
+
+ allow $1 lirc_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the lirc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_lirc_port',`
+ gen_require(`
+ type lirc_port_t;
+ ')
+
+ allow $1 lirc_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the lirc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_lirc_port',`
+ gen_require(`
+ type lirc_port_t;
+ ')
+
+ dontaudit $1 lirc_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the lirc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_lirc_port',`
+ gen_require(`
+ type lirc_port_t;
+ ')
+
+ allow $1 lirc_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the lirc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_lirc_port',`
+ gen_require(`
+ type lirc_port_t;
+ ')
+
+ dontaudit $1 lirc_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the lirc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_lirc_port',`
+ corenet_udp_send_lirc_port($1)
+ corenet_udp_receive_lirc_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the lirc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_lirc_port',`
+ corenet_dontaudit_udp_send_lirc_port($1)
+ corenet_dontaudit_udp_receive_lirc_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the lirc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_lirc_port',`
+ gen_require(`
+ type lirc_port_t;
+ ')
+
+ allow $1 lirc_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the lirc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_lirc_port',`
+ gen_require(`
+ type lirc_port_t;
+ ')
+
+ allow $1 lirc_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the lirc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_lirc_port',`
+ gen_require(`
+ type lirc_port_t;
+ ')
+
+ allow $1 lirc_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send lirc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_lirc_client_packets',`
+ gen_require(`
+ type lirc_client_packet_t;
+ ')
+
+ allow $1 lirc_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send lirc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_lirc_client_packets',`
+ gen_require(`
+ type lirc_client_packet_t;
+ ')
+
+ dontaudit $1 lirc_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive lirc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_lirc_client_packets',`
+ gen_require(`
+ type lirc_client_packet_t;
+ ')
+
+ allow $1 lirc_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive lirc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_lirc_client_packets',`
+ gen_require(`
+ type lirc_client_packet_t;
+ ')
+
+ dontaudit $1 lirc_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive lirc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_lirc_client_packets',`
+ corenet_send_lirc_client_packets($1)
+ corenet_receive_lirc_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive lirc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_lirc_client_packets',`
+ corenet_dontaudit_send_lirc_client_packets($1)
+ corenet_dontaudit_receive_lirc_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to lirc_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_lirc_client_packets',`
+ gen_require(`
+ type lirc_client_packet_t;
+ ')
+
+ allow $1 lirc_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send lirc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_lirc_server_packets',`
+ gen_require(`
+ type lirc_server_packet_t;
+ ')
+
+ allow $1 lirc_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send lirc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_lirc_server_packets',`
+ gen_require(`
+ type lirc_server_packet_t;
+ ')
+
+ dontaudit $1 lirc_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive lirc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_lirc_server_packets',`
+ gen_require(`
+ type lirc_server_packet_t;
+ ')
+
+ allow $1 lirc_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive lirc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_lirc_server_packets',`
+ gen_require(`
+ type lirc_server_packet_t;
+ ')
+
+ dontaudit $1 lirc_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive lirc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_lirc_server_packets',`
+ corenet_send_lirc_server_packets($1)
+ corenet_receive_lirc_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive lirc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_lirc_server_packets',`
+ corenet_dontaudit_send_lirc_server_packets($1)
+ corenet_dontaudit_receive_lirc_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to lirc_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_lirc_server_packets',`
+ gen_require(`
+ type lirc_server_packet_t;
+ ')
+
+ allow $1 lirc_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the lmtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_lmtp_port',`
+ gen_require(`
+ type lmtp_port_t;
+ ')
+
+ allow $1 lmtp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the lmtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_lmtp_port',`
+ gen_require(`
+ type lmtp_port_t;
+ ')
+
+ allow $1 lmtp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the lmtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_lmtp_port',`
+ gen_require(`
+ type lmtp_port_t;
+ ')
+
+ dontaudit $1 lmtp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the lmtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_lmtp_port',`
+ gen_require(`
+ type lmtp_port_t;
+ ')
+
+ allow $1 lmtp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the lmtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_lmtp_port',`
+ gen_require(`
+ type lmtp_port_t;
+ ')
+
+ dontaudit $1 lmtp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the lmtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_lmtp_port',`
+ corenet_udp_send_lmtp_port($1)
+ corenet_udp_receive_lmtp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the lmtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_lmtp_port',`
+ corenet_dontaudit_udp_send_lmtp_port($1)
+ corenet_dontaudit_udp_receive_lmtp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the lmtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_lmtp_port',`
+ gen_require(`
+ type lmtp_port_t;
+ ')
+
+ allow $1 lmtp_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the lmtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_lmtp_port',`
+ gen_require(`
+ type lmtp_port_t;
+ ')
+
+ allow $1 lmtp_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the lmtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_lmtp_port',`
+ gen_require(`
+ type lmtp_port_t;
+ ')
+
+ allow $1 lmtp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send lmtp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_lmtp_client_packets',`
+ gen_require(`
+ type lmtp_client_packet_t;
+ ')
+
+ allow $1 lmtp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send lmtp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_lmtp_client_packets',`
+ gen_require(`
+ type lmtp_client_packet_t;
+ ')
+
+ dontaudit $1 lmtp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive lmtp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_lmtp_client_packets',`
+ gen_require(`
+ type lmtp_client_packet_t;
+ ')
+
+ allow $1 lmtp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive lmtp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_lmtp_client_packets',`
+ gen_require(`
+ type lmtp_client_packet_t;
+ ')
+
+ dontaudit $1 lmtp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive lmtp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_lmtp_client_packets',`
+ corenet_send_lmtp_client_packets($1)
+ corenet_receive_lmtp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive lmtp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_lmtp_client_packets',`
+ corenet_dontaudit_send_lmtp_client_packets($1)
+ corenet_dontaudit_receive_lmtp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to lmtp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_lmtp_client_packets',`
+ gen_require(`
+ type lmtp_client_packet_t;
+ ')
+
+ allow $1 lmtp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send lmtp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_lmtp_server_packets',`
+ gen_require(`
+ type lmtp_server_packet_t;
+ ')
+
+ allow $1 lmtp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send lmtp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_lmtp_server_packets',`
+ gen_require(`
+ type lmtp_server_packet_t;
+ ')
+
+ dontaudit $1 lmtp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive lmtp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_lmtp_server_packets',`
+ gen_require(`
+ type lmtp_server_packet_t;
+ ')
+
+ allow $1 lmtp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive lmtp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_lmtp_server_packets',`
+ gen_require(`
+ type lmtp_server_packet_t;
+ ')
+
+ dontaudit $1 lmtp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive lmtp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_lmtp_server_packets',`
+ corenet_send_lmtp_server_packets($1)
+ corenet_receive_lmtp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive lmtp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_lmtp_server_packets',`
+ corenet_dontaudit_send_lmtp_server_packets($1)
+ corenet_dontaudit_receive_lmtp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to lmtp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_lmtp_server_packets',`
+ gen_require(`
+ type lmtp_server_packet_t;
+ ')
+
+ allow $1 lmtp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the lrrd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_lrrd_port',`
+ gen_require(`
+ type lrrd_port_t;
+ ')
+
+ allow $1 lrrd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the lrrd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_lrrd_port',`
+ gen_require(`
+ type lrrd_port_t;
+ ')
+
+ allow $1 lrrd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the lrrd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_lrrd_port',`
+ gen_require(`
+ type lrrd_port_t;
+ ')
+
+ dontaudit $1 lrrd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the lrrd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_lrrd_port',`
+ gen_require(`
+ type lrrd_port_t;
+ ')
+
+ allow $1 lrrd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the lrrd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_lrrd_port',`
+ gen_require(`
+ type lrrd_port_t;
+ ')
+
+ dontaudit $1 lrrd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the lrrd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_lrrd_port',`
+ corenet_udp_send_lrrd_port($1)
+ corenet_udp_receive_lrrd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the lrrd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_lrrd_port',`
+ corenet_dontaudit_udp_send_lrrd_port($1)
+ corenet_dontaudit_udp_receive_lrrd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the lrrd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_lrrd_port',`
+ gen_require(`
+ type lrrd_port_t;
+ ')
+
+ allow $1 lrrd_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the lrrd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_lrrd_port',`
+ gen_require(`
+ type lrrd_port_t;
+ ')
+
+ allow $1 lrrd_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the lrrd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_lrrd_port',`
+ gen_require(`
+ type lrrd_port_t;
+ ')
+
+ allow $1 lrrd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send lrrd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_lrrd_client_packets',`
+ gen_require(`
+ type lrrd_client_packet_t;
+ ')
+
+ allow $1 lrrd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send lrrd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_lrrd_client_packets',`
+ gen_require(`
+ type lrrd_client_packet_t;
+ ')
+
+ dontaudit $1 lrrd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive lrrd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_lrrd_client_packets',`
+ gen_require(`
+ type lrrd_client_packet_t;
+ ')
+
+ allow $1 lrrd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive lrrd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_lrrd_client_packets',`
+ gen_require(`
+ type lrrd_client_packet_t;
+ ')
+
+ dontaudit $1 lrrd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive lrrd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_lrrd_client_packets',`
+ corenet_send_lrrd_client_packets($1)
+ corenet_receive_lrrd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive lrrd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_lrrd_client_packets',`
+ corenet_dontaudit_send_lrrd_client_packets($1)
+ corenet_dontaudit_receive_lrrd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to lrrd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_lrrd_client_packets',`
+ gen_require(`
+ type lrrd_client_packet_t;
+ ')
+
+ allow $1 lrrd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send lrrd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_lrrd_server_packets',`
+ gen_require(`
+ type lrrd_server_packet_t;
+ ')
+
+ allow $1 lrrd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send lrrd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_lrrd_server_packets',`
+ gen_require(`
+ type lrrd_server_packet_t;
+ ')
+
+ dontaudit $1 lrrd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive lrrd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_lrrd_server_packets',`
+ gen_require(`
+ type lrrd_server_packet_t;
+ ')
+
+ allow $1 lrrd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive lrrd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_lrrd_server_packets',`
+ gen_require(`
+ type lrrd_server_packet_t;
+ ')
+
+ dontaudit $1 lrrd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive lrrd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_lrrd_server_packets',`
+ corenet_send_lrrd_server_packets($1)
+ corenet_receive_lrrd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive lrrd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_lrrd_server_packets',`
+ corenet_dontaudit_send_lrrd_server_packets($1)
+ corenet_dontaudit_receive_lrrd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to lrrd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_lrrd_server_packets',`
+ gen_require(`
+ type lrrd_server_packet_t;
+ ')
+
+ allow $1 lrrd_server_packet_t:packet relabelto;
+')
+
+ # no defined portcon
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the mail port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_mail_port',`
+ gen_require(`
+ type mail_port_t;
+ ')
+
+ allow $1 mail_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the mail port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_mail_port',`
+ gen_require(`
+ type mail_port_t;
+ ')
+
+ allow $1 mail_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the mail port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_mail_port',`
+ gen_require(`
+ type mail_port_t;
+ ')
+
+ dontaudit $1 mail_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the mail port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_mail_port',`
+ gen_require(`
+ type mail_port_t;
+ ')
+
+ allow $1 mail_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the mail port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_mail_port',`
+ gen_require(`
+ type mail_port_t;
+ ')
+
+ dontaudit $1 mail_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the mail port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_mail_port',`
+ corenet_udp_send_mail_port($1)
+ corenet_udp_receive_mail_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the mail port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_mail_port',`
+ corenet_dontaudit_udp_send_mail_port($1)
+ corenet_dontaudit_udp_receive_mail_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the mail port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_mail_port',`
+ gen_require(`
+ type mail_port_t;
+ ')
+
+ allow $1 mail_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the mail port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_mail_port',`
+ gen_require(`
+ type mail_port_t;
+ ')
+
+ allow $1 mail_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the mail port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_mail_port',`
+ gen_require(`
+ type mail_port_t;
+ ')
+
+ allow $1 mail_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send mail_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_mail_client_packets',`
+ gen_require(`
+ type mail_client_packet_t;
+ ')
+
+ allow $1 mail_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send mail_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_mail_client_packets',`
+ gen_require(`
+ type mail_client_packet_t;
+ ')
+
+ dontaudit $1 mail_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive mail_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_mail_client_packets',`
+ gen_require(`
+ type mail_client_packet_t;
+ ')
+
+ allow $1 mail_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive mail_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_mail_client_packets',`
+ gen_require(`
+ type mail_client_packet_t;
+ ')
+
+ dontaudit $1 mail_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive mail_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_mail_client_packets',`
+ corenet_send_mail_client_packets($1)
+ corenet_receive_mail_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive mail_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_mail_client_packets',`
+ corenet_dontaudit_send_mail_client_packets($1)
+ corenet_dontaudit_receive_mail_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to mail_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_mail_client_packets',`
+ gen_require(`
+ type mail_client_packet_t;
+ ')
+
+ allow $1 mail_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send mail_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_mail_server_packets',`
+ gen_require(`
+ type mail_server_packet_t;
+ ')
+
+ allow $1 mail_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send mail_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_mail_server_packets',`
+ gen_require(`
+ type mail_server_packet_t;
+ ')
+
+ dontaudit $1 mail_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive mail_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_mail_server_packets',`
+ gen_require(`
+ type mail_server_packet_t;
+ ')
+
+ allow $1 mail_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive mail_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_mail_server_packets',`
+ gen_require(`
+ type mail_server_packet_t;
+ ')
+
+ dontaudit $1 mail_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive mail_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_mail_server_packets',`
+ corenet_send_mail_server_packets($1)
+ corenet_receive_mail_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive mail_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_mail_server_packets',`
+ corenet_dontaudit_send_mail_server_packets($1)
+ corenet_dontaudit_receive_mail_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to mail_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_mail_server_packets',`
+ gen_require(`
+ type mail_server_packet_t;
+ ')
+
+ allow $1 mail_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the matahari port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_matahari_port',`
+ gen_require(`
+ type matahari_port_t;
+ ')
+
+ allow $1 matahari_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the matahari port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_matahari_port',`
+ gen_require(`
+ type matahari_port_t;
+ ')
+
+ allow $1 matahari_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the matahari port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_matahari_port',`
+ gen_require(`
+ type matahari_port_t;
+ ')
+
+ dontaudit $1 matahari_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the matahari port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_matahari_port',`
+ gen_require(`
+ type matahari_port_t;
+ ')
+
+ allow $1 matahari_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the matahari port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_matahari_port',`
+ gen_require(`
+ type matahari_port_t;
+ ')
+
+ dontaudit $1 matahari_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the matahari port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_matahari_port',`
+ corenet_udp_send_matahari_port($1)
+ corenet_udp_receive_matahari_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the matahari port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_matahari_port',`
+ corenet_dontaudit_udp_send_matahari_port($1)
+ corenet_dontaudit_udp_receive_matahari_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the matahari port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_matahari_port',`
+ gen_require(`
+ type matahari_port_t;
+ ')
+
+ allow $1 matahari_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the matahari port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_matahari_port',`
+ gen_require(`
+ type matahari_port_t;
+ ')
+
+ allow $1 matahari_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the matahari port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_matahari_port',`
+ gen_require(`
+ type matahari_port_t;
+ ')
+
+ allow $1 matahari_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send matahari_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_matahari_client_packets',`
+ gen_require(`
+ type matahari_client_packet_t;
+ ')
+
+ allow $1 matahari_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send matahari_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_matahari_client_packets',`
+ gen_require(`
+ type matahari_client_packet_t;
+ ')
+
+ dontaudit $1 matahari_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive matahari_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_matahari_client_packets',`
+ gen_require(`
+ type matahari_client_packet_t;
+ ')
+
+ allow $1 matahari_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive matahari_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_matahari_client_packets',`
+ gen_require(`
+ type matahari_client_packet_t;
+ ')
+
+ dontaudit $1 matahari_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive matahari_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_matahari_client_packets',`
+ corenet_send_matahari_client_packets($1)
+ corenet_receive_matahari_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive matahari_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_matahari_client_packets',`
+ corenet_dontaudit_send_matahari_client_packets($1)
+ corenet_dontaudit_receive_matahari_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to matahari_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_matahari_client_packets',`
+ gen_require(`
+ type matahari_client_packet_t;
+ ')
+
+ allow $1 matahari_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send matahari_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_matahari_server_packets',`
+ gen_require(`
+ type matahari_server_packet_t;
+ ')
+
+ allow $1 matahari_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send matahari_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_matahari_server_packets',`
+ gen_require(`
+ type matahari_server_packet_t;
+ ')
+
+ dontaudit $1 matahari_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive matahari_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_matahari_server_packets',`
+ gen_require(`
+ type matahari_server_packet_t;
+ ')
+
+ allow $1 matahari_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive matahari_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_matahari_server_packets',`
+ gen_require(`
+ type matahari_server_packet_t;
+ ')
+
+ dontaudit $1 matahari_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive matahari_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_matahari_server_packets',`
+ corenet_send_matahari_server_packets($1)
+ corenet_receive_matahari_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive matahari_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_matahari_server_packets',`
+ corenet_dontaudit_send_matahari_server_packets($1)
+ corenet_dontaudit_receive_matahari_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to matahari_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_matahari_server_packets',`
+ gen_require(`
+ type matahari_server_packet_t;
+ ')
+
+ allow $1 matahari_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the memcache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_memcache_port',`
+ gen_require(`
+ type memcache_port_t;
+ ')
+
+ allow $1 memcache_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the memcache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_memcache_port',`
+ gen_require(`
+ type memcache_port_t;
+ ')
+
+ allow $1 memcache_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the memcache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_memcache_port',`
+ gen_require(`
+ type memcache_port_t;
+ ')
+
+ dontaudit $1 memcache_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the memcache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_memcache_port',`
+ gen_require(`
+ type memcache_port_t;
+ ')
+
+ allow $1 memcache_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the memcache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_memcache_port',`
+ gen_require(`
+ type memcache_port_t;
+ ')
+
+ dontaudit $1 memcache_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the memcache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_memcache_port',`
+ corenet_udp_send_memcache_port($1)
+ corenet_udp_receive_memcache_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the memcache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_memcache_port',`
+ corenet_dontaudit_udp_send_memcache_port($1)
+ corenet_dontaudit_udp_receive_memcache_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the memcache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_memcache_port',`
+ gen_require(`
+ type memcache_port_t;
+ ')
+
+ allow $1 memcache_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the memcache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_memcache_port',`
+ gen_require(`
+ type memcache_port_t;
+ ')
+
+ allow $1 memcache_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the memcache port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_memcache_port',`
+ gen_require(`
+ type memcache_port_t;
+ ')
+
+ allow $1 memcache_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send memcache_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_memcache_client_packets',`
+ gen_require(`
+ type memcache_client_packet_t;
+ ')
+
+ allow $1 memcache_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send memcache_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_memcache_client_packets',`
+ gen_require(`
+ type memcache_client_packet_t;
+ ')
+
+ dontaudit $1 memcache_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive memcache_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_memcache_client_packets',`
+ gen_require(`
+ type memcache_client_packet_t;
+ ')
+
+ allow $1 memcache_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive memcache_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_memcache_client_packets',`
+ gen_require(`
+ type memcache_client_packet_t;
+ ')
+
+ dontaudit $1 memcache_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive memcache_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_memcache_client_packets',`
+ corenet_send_memcache_client_packets($1)
+ corenet_receive_memcache_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive memcache_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_memcache_client_packets',`
+ corenet_dontaudit_send_memcache_client_packets($1)
+ corenet_dontaudit_receive_memcache_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to memcache_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_memcache_client_packets',`
+ gen_require(`
+ type memcache_client_packet_t;
+ ')
+
+ allow $1 memcache_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send memcache_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_memcache_server_packets',`
+ gen_require(`
+ type memcache_server_packet_t;
+ ')
+
+ allow $1 memcache_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send memcache_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_memcache_server_packets',`
+ gen_require(`
+ type memcache_server_packet_t;
+ ')
+
+ dontaudit $1 memcache_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive memcache_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_memcache_server_packets',`
+ gen_require(`
+ type memcache_server_packet_t;
+ ')
+
+ allow $1 memcache_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive memcache_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_memcache_server_packets',`
+ gen_require(`
+ type memcache_server_packet_t;
+ ')
+
+ dontaudit $1 memcache_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive memcache_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_memcache_server_packets',`
+ corenet_send_memcache_server_packets($1)
+ corenet_receive_memcache_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive memcache_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_memcache_server_packets',`
+ corenet_dontaudit_send_memcache_server_packets($1)
+ corenet_dontaudit_receive_memcache_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to memcache_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_memcache_server_packets',`
+ gen_require(`
+ type memcache_server_packet_t;
+ ')
+
+ allow $1 memcache_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the milter port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_milter_port',`
+ gen_require(`
+ type milter_port_t;
+ ')
+
+ allow $1 milter_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the milter port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_milter_port',`
+ gen_require(`
+ type milter_port_t;
+ ')
+
+ allow $1 milter_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the milter port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_milter_port',`
+ gen_require(`
+ type milter_port_t;
+ ')
+
+ dontaudit $1 milter_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the milter port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_milter_port',`
+ gen_require(`
+ type milter_port_t;
+ ')
+
+ allow $1 milter_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the milter port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_milter_port',`
+ gen_require(`
+ type milter_port_t;
+ ')
+
+ dontaudit $1 milter_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the milter port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_milter_port',`
+ corenet_udp_send_milter_port($1)
+ corenet_udp_receive_milter_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the milter port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_milter_port',`
+ corenet_dontaudit_udp_send_milter_port($1)
+ corenet_dontaudit_udp_receive_milter_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the milter port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_milter_port',`
+ gen_require(`
+ type milter_port_t;
+ ')
+
+ allow $1 milter_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the milter port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_milter_port',`
+ gen_require(`
+ type milter_port_t;
+ ')
+
+ allow $1 milter_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the milter port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_milter_port',`
+ gen_require(`
+ type milter_port_t;
+ ')
+
+ allow $1 milter_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send milter_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_milter_client_packets',`
+ gen_require(`
+ type milter_client_packet_t;
+ ')
+
+ allow $1 milter_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send milter_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_milter_client_packets',`
+ gen_require(`
+ type milter_client_packet_t;
+ ')
+
+ dontaudit $1 milter_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive milter_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_milter_client_packets',`
+ gen_require(`
+ type milter_client_packet_t;
+ ')
+
+ allow $1 milter_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive milter_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_milter_client_packets',`
+ gen_require(`
+ type milter_client_packet_t;
+ ')
+
+ dontaudit $1 milter_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive milter_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_milter_client_packets',`
+ corenet_send_milter_client_packets($1)
+ corenet_receive_milter_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive milter_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_milter_client_packets',`
+ corenet_dontaudit_send_milter_client_packets($1)
+ corenet_dontaudit_receive_milter_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to milter_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_milter_client_packets',`
+ gen_require(`
+ type milter_client_packet_t;
+ ')
+
+ allow $1 milter_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send milter_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_milter_server_packets',`
+ gen_require(`
+ type milter_server_packet_t;
+ ')
+
+ allow $1 milter_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send milter_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_milter_server_packets',`
+ gen_require(`
+ type milter_server_packet_t;
+ ')
+
+ dontaudit $1 milter_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive milter_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_milter_server_packets',`
+ gen_require(`
+ type milter_server_packet_t;
+ ')
+
+ allow $1 milter_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive milter_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_milter_server_packets',`
+ gen_require(`
+ type milter_server_packet_t;
+ ')
+
+ dontaudit $1 milter_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive milter_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_milter_server_packets',`
+ corenet_send_milter_server_packets($1)
+ corenet_receive_milter_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive milter_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_milter_server_packets',`
+ corenet_dontaudit_send_milter_server_packets($1)
+ corenet_dontaudit_receive_milter_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to milter_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_milter_server_packets',`
+ gen_require(`
+ type milter_server_packet_t;
+ ')
+
+ allow $1 milter_server_packet_t:packet relabelto;
+')
+
+ # no defined portcon
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the mmcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_mmcc_port',`
+ gen_require(`
+ type mmcc_port_t;
+ ')
+
+ allow $1 mmcc_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the mmcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_mmcc_port',`
+ gen_require(`
+ type mmcc_port_t;
+ ')
+
+ allow $1 mmcc_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the mmcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_mmcc_port',`
+ gen_require(`
+ type mmcc_port_t;
+ ')
+
+ dontaudit $1 mmcc_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the mmcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_mmcc_port',`
+ gen_require(`
+ type mmcc_port_t;
+ ')
+
+ allow $1 mmcc_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the mmcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_mmcc_port',`
+ gen_require(`
+ type mmcc_port_t;
+ ')
+
+ dontaudit $1 mmcc_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the mmcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_mmcc_port',`
+ corenet_udp_send_mmcc_port($1)
+ corenet_udp_receive_mmcc_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the mmcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_mmcc_port',`
+ corenet_dontaudit_udp_send_mmcc_port($1)
+ corenet_dontaudit_udp_receive_mmcc_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the mmcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_mmcc_port',`
+ gen_require(`
+ type mmcc_port_t;
+ ')
+
+ allow $1 mmcc_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the mmcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_mmcc_port',`
+ gen_require(`
+ type mmcc_port_t;
+ ')
+
+ allow $1 mmcc_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the mmcc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_mmcc_port',`
+ gen_require(`
+ type mmcc_port_t;
+ ')
+
+ allow $1 mmcc_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send mmcc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_mmcc_client_packets',`
+ gen_require(`
+ type mmcc_client_packet_t;
+ ')
+
+ allow $1 mmcc_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send mmcc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_mmcc_client_packets',`
+ gen_require(`
+ type mmcc_client_packet_t;
+ ')
+
+ dontaudit $1 mmcc_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive mmcc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_mmcc_client_packets',`
+ gen_require(`
+ type mmcc_client_packet_t;
+ ')
+
+ allow $1 mmcc_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive mmcc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_mmcc_client_packets',`
+ gen_require(`
+ type mmcc_client_packet_t;
+ ')
+
+ dontaudit $1 mmcc_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive mmcc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_mmcc_client_packets',`
+ corenet_send_mmcc_client_packets($1)
+ corenet_receive_mmcc_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive mmcc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_mmcc_client_packets',`
+ corenet_dontaudit_send_mmcc_client_packets($1)
+ corenet_dontaudit_receive_mmcc_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to mmcc_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_mmcc_client_packets',`
+ gen_require(`
+ type mmcc_client_packet_t;
+ ')
+
+ allow $1 mmcc_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send mmcc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_mmcc_server_packets',`
+ gen_require(`
+ type mmcc_server_packet_t;
+ ')
+
+ allow $1 mmcc_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send mmcc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_mmcc_server_packets',`
+ gen_require(`
+ type mmcc_server_packet_t;
+ ')
+
+ dontaudit $1 mmcc_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive mmcc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_mmcc_server_packets',`
+ gen_require(`
+ type mmcc_server_packet_t;
+ ')
+
+ allow $1 mmcc_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive mmcc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_mmcc_server_packets',`
+ gen_require(`
+ type mmcc_server_packet_t;
+ ')
+
+ dontaudit $1 mmcc_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive mmcc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_mmcc_server_packets',`
+ corenet_send_mmcc_server_packets($1)
+ corenet_receive_mmcc_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive mmcc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_mmcc_server_packets',`
+ corenet_dontaudit_send_mmcc_server_packets($1)
+ corenet_dontaudit_receive_mmcc_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to mmcc_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_mmcc_server_packets',`
+ gen_require(`
+ type mmcc_server_packet_t;
+ ')
+
+ allow $1 mmcc_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the monopd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_monopd_port',`
+ gen_require(`
+ type monopd_port_t;
+ ')
+
+ allow $1 monopd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the monopd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_monopd_port',`
+ gen_require(`
+ type monopd_port_t;
+ ')
+
+ allow $1 monopd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the monopd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_monopd_port',`
+ gen_require(`
+ type monopd_port_t;
+ ')
+
+ dontaudit $1 monopd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the monopd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_monopd_port',`
+ gen_require(`
+ type monopd_port_t;
+ ')
+
+ allow $1 monopd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the monopd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_monopd_port',`
+ gen_require(`
+ type monopd_port_t;
+ ')
+
+ dontaudit $1 monopd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the monopd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_monopd_port',`
+ corenet_udp_send_monopd_port($1)
+ corenet_udp_receive_monopd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the monopd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_monopd_port',`
+ corenet_dontaudit_udp_send_monopd_port($1)
+ corenet_dontaudit_udp_receive_monopd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the monopd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_monopd_port',`
+ gen_require(`
+ type monopd_port_t;
+ ')
+
+ allow $1 monopd_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the monopd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_monopd_port',`
+ gen_require(`
+ type monopd_port_t;
+ ')
+
+ allow $1 monopd_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the monopd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_monopd_port',`
+ gen_require(`
+ type monopd_port_t;
+ ')
+
+ allow $1 monopd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send monopd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_monopd_client_packets',`
+ gen_require(`
+ type monopd_client_packet_t;
+ ')
+
+ allow $1 monopd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send monopd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_monopd_client_packets',`
+ gen_require(`
+ type monopd_client_packet_t;
+ ')
+
+ dontaudit $1 monopd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive monopd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_monopd_client_packets',`
+ gen_require(`
+ type monopd_client_packet_t;
+ ')
+
+ allow $1 monopd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive monopd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_monopd_client_packets',`
+ gen_require(`
+ type monopd_client_packet_t;
+ ')
+
+ dontaudit $1 monopd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive monopd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_monopd_client_packets',`
+ corenet_send_monopd_client_packets($1)
+ corenet_receive_monopd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive monopd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_monopd_client_packets',`
+ corenet_dontaudit_send_monopd_client_packets($1)
+ corenet_dontaudit_receive_monopd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to monopd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_monopd_client_packets',`
+ gen_require(`
+ type monopd_client_packet_t;
+ ')
+
+ allow $1 monopd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send monopd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_monopd_server_packets',`
+ gen_require(`
+ type monopd_server_packet_t;
+ ')
+
+ allow $1 monopd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send monopd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_monopd_server_packets',`
+ gen_require(`
+ type monopd_server_packet_t;
+ ')
+
+ dontaudit $1 monopd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive monopd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_monopd_server_packets',`
+ gen_require(`
+ type monopd_server_packet_t;
+ ')
+
+ allow $1 monopd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive monopd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_monopd_server_packets',`
+ gen_require(`
+ type monopd_server_packet_t;
+ ')
+
+ dontaudit $1 monopd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive monopd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_monopd_server_packets',`
+ corenet_send_monopd_server_packets($1)
+ corenet_receive_monopd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive monopd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_monopd_server_packets',`
+ corenet_dontaudit_send_monopd_server_packets($1)
+ corenet_dontaudit_receive_monopd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to monopd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_monopd_server_packets',`
+ gen_require(`
+ type monopd_server_packet_t;
+ ')
+
+ allow $1 monopd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the mpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_mpd_port',`
+ gen_require(`
+ type mpd_port_t;
+ ')
+
+ allow $1 mpd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the mpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_mpd_port',`
+ gen_require(`
+ type mpd_port_t;
+ ')
+
+ allow $1 mpd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the mpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_mpd_port',`
+ gen_require(`
+ type mpd_port_t;
+ ')
+
+ dontaudit $1 mpd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the mpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_mpd_port',`
+ gen_require(`
+ type mpd_port_t;
+ ')
+
+ allow $1 mpd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the mpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_mpd_port',`
+ gen_require(`
+ type mpd_port_t;
+ ')
+
+ dontaudit $1 mpd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the mpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_mpd_port',`
+ corenet_udp_send_mpd_port($1)
+ corenet_udp_receive_mpd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the mpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_mpd_port',`
+ corenet_dontaudit_udp_send_mpd_port($1)
+ corenet_dontaudit_udp_receive_mpd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the mpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_mpd_port',`
+ gen_require(`
+ type mpd_port_t;
+ ')
+
+ allow $1 mpd_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the mpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_mpd_port',`
+ gen_require(`
+ type mpd_port_t;
+ ')
+
+ allow $1 mpd_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the mpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_mpd_port',`
+ gen_require(`
+ type mpd_port_t;
+ ')
+
+ allow $1 mpd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send mpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_mpd_client_packets',`
+ gen_require(`
+ type mpd_client_packet_t;
+ ')
+
+ allow $1 mpd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send mpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_mpd_client_packets',`
+ gen_require(`
+ type mpd_client_packet_t;
+ ')
+
+ dontaudit $1 mpd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive mpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_mpd_client_packets',`
+ gen_require(`
+ type mpd_client_packet_t;
+ ')
+
+ allow $1 mpd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive mpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_mpd_client_packets',`
+ gen_require(`
+ type mpd_client_packet_t;
+ ')
+
+ dontaudit $1 mpd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive mpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_mpd_client_packets',`
+ corenet_send_mpd_client_packets($1)
+ corenet_receive_mpd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive mpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_mpd_client_packets',`
+ corenet_dontaudit_send_mpd_client_packets($1)
+ corenet_dontaudit_receive_mpd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to mpd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_mpd_client_packets',`
+ gen_require(`
+ type mpd_client_packet_t;
+ ')
+
+ allow $1 mpd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send mpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_mpd_server_packets',`
+ gen_require(`
+ type mpd_server_packet_t;
+ ')
+
+ allow $1 mpd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send mpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_mpd_server_packets',`
+ gen_require(`
+ type mpd_server_packet_t;
+ ')
+
+ dontaudit $1 mpd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive mpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_mpd_server_packets',`
+ gen_require(`
+ type mpd_server_packet_t;
+ ')
+
+ allow $1 mpd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive mpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_mpd_server_packets',`
+ gen_require(`
+ type mpd_server_packet_t;
+ ')
+
+ dontaudit $1 mpd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive mpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_mpd_server_packets',`
+ corenet_send_mpd_server_packets($1)
+ corenet_receive_mpd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive mpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_mpd_server_packets',`
+ corenet_dontaudit_send_mpd_server_packets($1)
+ corenet_dontaudit_receive_mpd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to mpd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_mpd_server_packets',`
+ gen_require(`
+ type mpd_server_packet_t;
+ ')
+
+ allow $1 mpd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the msnp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_msnp_port',`
+ gen_require(`
+ type msnp_port_t;
+ ')
+
+ allow $1 msnp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the msnp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_msnp_port',`
+ gen_require(`
+ type msnp_port_t;
+ ')
+
+ allow $1 msnp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the msnp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_msnp_port',`
+ gen_require(`
+ type msnp_port_t;
+ ')
+
+ dontaudit $1 msnp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the msnp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_msnp_port',`
+ gen_require(`
+ type msnp_port_t;
+ ')
+
+ allow $1 msnp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the msnp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_msnp_port',`
+ gen_require(`
+ type msnp_port_t;
+ ')
+
+ dontaudit $1 msnp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the msnp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_msnp_port',`
+ corenet_udp_send_msnp_port($1)
+ corenet_udp_receive_msnp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the msnp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_msnp_port',`
+ corenet_dontaudit_udp_send_msnp_port($1)
+ corenet_dontaudit_udp_receive_msnp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the msnp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_msnp_port',`
+ gen_require(`
+ type msnp_port_t;
+ ')
+
+ allow $1 msnp_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the msnp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_msnp_port',`
+ gen_require(`
+ type msnp_port_t;
+ ')
+
+ allow $1 msnp_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the msnp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_msnp_port',`
+ gen_require(`
+ type msnp_port_t;
+ ')
+
+ allow $1 msnp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send msnp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_msnp_client_packets',`
+ gen_require(`
+ type msnp_client_packet_t;
+ ')
+
+ allow $1 msnp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send msnp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_msnp_client_packets',`
+ gen_require(`
+ type msnp_client_packet_t;
+ ')
+
+ dontaudit $1 msnp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive msnp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_msnp_client_packets',`
+ gen_require(`
+ type msnp_client_packet_t;
+ ')
+
+ allow $1 msnp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive msnp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_msnp_client_packets',`
+ gen_require(`
+ type msnp_client_packet_t;
+ ')
+
+ dontaudit $1 msnp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive msnp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_msnp_client_packets',`
+ corenet_send_msnp_client_packets($1)
+ corenet_receive_msnp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive msnp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_msnp_client_packets',`
+ corenet_dontaudit_send_msnp_client_packets($1)
+ corenet_dontaudit_receive_msnp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to msnp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_msnp_client_packets',`
+ gen_require(`
+ type msnp_client_packet_t;
+ ')
+
+ allow $1 msnp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send msnp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_msnp_server_packets',`
+ gen_require(`
+ type msnp_server_packet_t;
+ ')
+
+ allow $1 msnp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send msnp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_msnp_server_packets',`
+ gen_require(`
+ type msnp_server_packet_t;
+ ')
+
+ dontaudit $1 msnp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive msnp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_msnp_server_packets',`
+ gen_require(`
+ type msnp_server_packet_t;
+ ')
+
+ allow $1 msnp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive msnp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_msnp_server_packets',`
+ gen_require(`
+ type msnp_server_packet_t;
+ ')
+
+ dontaudit $1 msnp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive msnp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_msnp_server_packets',`
+ corenet_send_msnp_server_packets($1)
+ corenet_receive_msnp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive msnp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_msnp_server_packets',`
+ corenet_dontaudit_send_msnp_server_packets($1)
+ corenet_dontaudit_receive_msnp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to msnp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_msnp_server_packets',`
+ gen_require(`
+ type msnp_server_packet_t;
+ ')
+
+ allow $1 msnp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the mssql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_mssql_port',`
+ gen_require(`
+ type mssql_port_t;
+ ')
+
+ allow $1 mssql_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the mssql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_mssql_port',`
+ gen_require(`
+ type mssql_port_t;
+ ')
+
+ allow $1 mssql_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the mssql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_mssql_port',`
+ gen_require(`
+ type mssql_port_t;
+ ')
+
+ dontaudit $1 mssql_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the mssql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_mssql_port',`
+ gen_require(`
+ type mssql_port_t;
+ ')
+
+ allow $1 mssql_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the mssql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_mssql_port',`
+ gen_require(`
+ type mssql_port_t;
+ ')
+
+ dontaudit $1 mssql_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the mssql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_mssql_port',`
+ corenet_udp_send_mssql_port($1)
+ corenet_udp_receive_mssql_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the mssql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_mssql_port',`
+ corenet_dontaudit_udp_send_mssql_port($1)
+ corenet_dontaudit_udp_receive_mssql_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the mssql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_mssql_port',`
+ gen_require(`
+ type mssql_port_t;
+ ')
+
+ allow $1 mssql_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the mssql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_mssql_port',`
+ gen_require(`
+ type mssql_port_t;
+ ')
+
+ allow $1 mssql_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the mssql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_mssql_port',`
+ gen_require(`
+ type mssql_port_t;
+ ')
+
+ allow $1 mssql_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send mssql_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_mssql_client_packets',`
+ gen_require(`
+ type mssql_client_packet_t;
+ ')
+
+ allow $1 mssql_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send mssql_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_mssql_client_packets',`
+ gen_require(`
+ type mssql_client_packet_t;
+ ')
+
+ dontaudit $1 mssql_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive mssql_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_mssql_client_packets',`
+ gen_require(`
+ type mssql_client_packet_t;
+ ')
+
+ allow $1 mssql_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive mssql_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_mssql_client_packets',`
+ gen_require(`
+ type mssql_client_packet_t;
+ ')
+
+ dontaudit $1 mssql_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive mssql_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_mssql_client_packets',`
+ corenet_send_mssql_client_packets($1)
+ corenet_receive_mssql_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive mssql_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_mssql_client_packets',`
+ corenet_dontaudit_send_mssql_client_packets($1)
+ corenet_dontaudit_receive_mssql_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to mssql_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_mssql_client_packets',`
+ gen_require(`
+ type mssql_client_packet_t;
+ ')
+
+ allow $1 mssql_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send mssql_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_mssql_server_packets',`
+ gen_require(`
+ type mssql_server_packet_t;
+ ')
+
+ allow $1 mssql_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send mssql_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_mssql_server_packets',`
+ gen_require(`
+ type mssql_server_packet_t;
+ ')
+
+ dontaudit $1 mssql_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive mssql_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_mssql_server_packets',`
+ gen_require(`
+ type mssql_server_packet_t;
+ ')
+
+ allow $1 mssql_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive mssql_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_mssql_server_packets',`
+ gen_require(`
+ type mssql_server_packet_t;
+ ')
+
+ dontaudit $1 mssql_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive mssql_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_mssql_server_packets',`
+ corenet_send_mssql_server_packets($1)
+ corenet_receive_mssql_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive mssql_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_mssql_server_packets',`
+ corenet_dontaudit_send_mssql_server_packets($1)
+ corenet_dontaudit_receive_mssql_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to mssql_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_mssql_server_packets',`
+ gen_require(`
+ type mssql_server_packet_t;
+ ')
+
+ allow $1 mssql_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the munin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_munin_port',`
+ gen_require(`
+ type munin_port_t;
+ ')
+
+ allow $1 munin_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the munin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_munin_port',`
+ gen_require(`
+ type munin_port_t;
+ ')
+
+ allow $1 munin_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the munin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_munin_port',`
+ gen_require(`
+ type munin_port_t;
+ ')
+
+ dontaudit $1 munin_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the munin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_munin_port',`
+ gen_require(`
+ type munin_port_t;
+ ')
+
+ allow $1 munin_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the munin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_munin_port',`
+ gen_require(`
+ type munin_port_t;
+ ')
+
+ dontaudit $1 munin_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the munin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_munin_port',`
+ corenet_udp_send_munin_port($1)
+ corenet_udp_receive_munin_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the munin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_munin_port',`
+ corenet_dontaudit_udp_send_munin_port($1)
+ corenet_dontaudit_udp_receive_munin_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the munin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_munin_port',`
+ gen_require(`
+ type munin_port_t;
+ ')
+
+ allow $1 munin_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the munin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_munin_port',`
+ gen_require(`
+ type munin_port_t;
+ ')
+
+ allow $1 munin_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the munin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_munin_port',`
+ gen_require(`
+ type munin_port_t;
+ ')
+
+ allow $1 munin_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send munin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_munin_client_packets',`
+ gen_require(`
+ type munin_client_packet_t;
+ ')
+
+ allow $1 munin_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send munin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_munin_client_packets',`
+ gen_require(`
+ type munin_client_packet_t;
+ ')
+
+ dontaudit $1 munin_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive munin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_munin_client_packets',`
+ gen_require(`
+ type munin_client_packet_t;
+ ')
+
+ allow $1 munin_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive munin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_munin_client_packets',`
+ gen_require(`
+ type munin_client_packet_t;
+ ')
+
+ dontaudit $1 munin_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive munin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_munin_client_packets',`
+ corenet_send_munin_client_packets($1)
+ corenet_receive_munin_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive munin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_munin_client_packets',`
+ corenet_dontaudit_send_munin_client_packets($1)
+ corenet_dontaudit_receive_munin_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to munin_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_munin_client_packets',`
+ gen_require(`
+ type munin_client_packet_t;
+ ')
+
+ allow $1 munin_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send munin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_munin_server_packets',`
+ gen_require(`
+ type munin_server_packet_t;
+ ')
+
+ allow $1 munin_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send munin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_munin_server_packets',`
+ gen_require(`
+ type munin_server_packet_t;
+ ')
+
+ dontaudit $1 munin_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive munin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_munin_server_packets',`
+ gen_require(`
+ type munin_server_packet_t;
+ ')
+
+ allow $1 munin_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive munin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_munin_server_packets',`
+ gen_require(`
+ type munin_server_packet_t;
+ ')
+
+ dontaudit $1 munin_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive munin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_munin_server_packets',`
+ corenet_send_munin_server_packets($1)
+ corenet_receive_munin_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive munin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_munin_server_packets',`
+ corenet_dontaudit_send_munin_server_packets($1)
+ corenet_dontaudit_receive_munin_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to munin_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_munin_server_packets',`
+ gen_require(`
+ type munin_server_packet_t;
+ ')
+
+ allow $1 munin_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the mysqld port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_mysqld_port',`
+ gen_require(`
+ type mysqld_port_t;
+ ')
+
+ allow $1 mysqld_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the mysqld port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_mysqld_port',`
+ gen_require(`
+ type mysqld_port_t;
+ ')
+
+ allow $1 mysqld_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the mysqld port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_mysqld_port',`
+ gen_require(`
+ type mysqld_port_t;
+ ')
+
+ dontaudit $1 mysqld_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the mysqld port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_mysqld_port',`
+ gen_require(`
+ type mysqld_port_t;
+ ')
+
+ allow $1 mysqld_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the mysqld port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_mysqld_port',`
+ gen_require(`
+ type mysqld_port_t;
+ ')
+
+ dontaudit $1 mysqld_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the mysqld port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_mysqld_port',`
+ corenet_udp_send_mysqld_port($1)
+ corenet_udp_receive_mysqld_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the mysqld port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_mysqld_port',`
+ corenet_dontaudit_udp_send_mysqld_port($1)
+ corenet_dontaudit_udp_receive_mysqld_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the mysqld port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_mysqld_port',`
+ gen_require(`
+ type mysqld_port_t;
+ ')
+
+ allow $1 mysqld_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the mysqld port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_mysqld_port',`
+ gen_require(`
+ type mysqld_port_t;
+ ')
+
+ allow $1 mysqld_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the mysqld port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_mysqld_port',`
+ gen_require(`
+ type mysqld_port_t;
+ ')
+
+ allow $1 mysqld_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send mysqld_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_mysqld_client_packets',`
+ gen_require(`
+ type mysqld_client_packet_t;
+ ')
+
+ allow $1 mysqld_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send mysqld_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_mysqld_client_packets',`
+ gen_require(`
+ type mysqld_client_packet_t;
+ ')
+
+ dontaudit $1 mysqld_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive mysqld_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_mysqld_client_packets',`
+ gen_require(`
+ type mysqld_client_packet_t;
+ ')
+
+ allow $1 mysqld_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive mysqld_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_mysqld_client_packets',`
+ gen_require(`
+ type mysqld_client_packet_t;
+ ')
+
+ dontaudit $1 mysqld_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive mysqld_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_mysqld_client_packets',`
+ corenet_send_mysqld_client_packets($1)
+ corenet_receive_mysqld_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive mysqld_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_mysqld_client_packets',`
+ corenet_dontaudit_send_mysqld_client_packets($1)
+ corenet_dontaudit_receive_mysqld_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to mysqld_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_mysqld_client_packets',`
+ gen_require(`
+ type mysqld_client_packet_t;
+ ')
+
+ allow $1 mysqld_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send mysqld_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_mysqld_server_packets',`
+ gen_require(`
+ type mysqld_server_packet_t;
+ ')
+
+ allow $1 mysqld_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send mysqld_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_mysqld_server_packets',`
+ gen_require(`
+ type mysqld_server_packet_t;
+ ')
+
+ dontaudit $1 mysqld_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive mysqld_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_mysqld_server_packets',`
+ gen_require(`
+ type mysqld_server_packet_t;
+ ')
+
+ allow $1 mysqld_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive mysqld_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_mysqld_server_packets',`
+ gen_require(`
+ type mysqld_server_packet_t;
+ ')
+
+ dontaudit $1 mysqld_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive mysqld_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_mysqld_server_packets',`
+ corenet_send_mysqld_server_packets($1)
+ corenet_receive_mysqld_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive mysqld_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_mysqld_server_packets',`
+ corenet_dontaudit_send_mysqld_server_packets($1)
+ corenet_dontaudit_receive_mysqld_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to mysqld_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_mysqld_server_packets',`
+ gen_require(`
+ type mysqld_server_packet_t;
+ ')
+
+ allow $1 mysqld_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the mysqlmanagerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_mysqlmanagerd_port',`
+ gen_require(`
+ type mysqlmanagerd_port_t;
+ ')
+
+ allow $1 mysqlmanagerd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the mysqlmanagerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_mysqlmanagerd_port',`
+ gen_require(`
+ type mysqlmanagerd_port_t;
+ ')
+
+ allow $1 mysqlmanagerd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the mysqlmanagerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_mysqlmanagerd_port',`
+ gen_require(`
+ type mysqlmanagerd_port_t;
+ ')
+
+ dontaudit $1 mysqlmanagerd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the mysqlmanagerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_mysqlmanagerd_port',`
+ gen_require(`
+ type mysqlmanagerd_port_t;
+ ')
+
+ allow $1 mysqlmanagerd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the mysqlmanagerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_mysqlmanagerd_port',`
+ gen_require(`
+ type mysqlmanagerd_port_t;
+ ')
+
+ dontaudit $1 mysqlmanagerd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the mysqlmanagerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_mysqlmanagerd_port',`
+ corenet_udp_send_mysqlmanagerd_port($1)
+ corenet_udp_receive_mysqlmanagerd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the mysqlmanagerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_mysqlmanagerd_port',`
+ corenet_dontaudit_udp_send_mysqlmanagerd_port($1)
+ corenet_dontaudit_udp_receive_mysqlmanagerd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the mysqlmanagerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_mysqlmanagerd_port',`
+ gen_require(`
+ type mysqlmanagerd_port_t;
+ ')
+
+ allow $1 mysqlmanagerd_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the mysqlmanagerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_mysqlmanagerd_port',`
+ gen_require(`
+ type mysqlmanagerd_port_t;
+ ')
+
+ allow $1 mysqlmanagerd_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the mysqlmanagerd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_mysqlmanagerd_port',`
+ gen_require(`
+ type mysqlmanagerd_port_t;
+ ')
+
+ allow $1 mysqlmanagerd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send mysqlmanagerd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_mysqlmanagerd_client_packets',`
+ gen_require(`
+ type mysqlmanagerd_client_packet_t;
+ ')
+
+ allow $1 mysqlmanagerd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send mysqlmanagerd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_mysqlmanagerd_client_packets',`
+ gen_require(`
+ type mysqlmanagerd_client_packet_t;
+ ')
+
+ dontaudit $1 mysqlmanagerd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive mysqlmanagerd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_mysqlmanagerd_client_packets',`
+ gen_require(`
+ type mysqlmanagerd_client_packet_t;
+ ')
+
+ allow $1 mysqlmanagerd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive mysqlmanagerd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_mysqlmanagerd_client_packets',`
+ gen_require(`
+ type mysqlmanagerd_client_packet_t;
+ ')
+
+ dontaudit $1 mysqlmanagerd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive mysqlmanagerd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_mysqlmanagerd_client_packets',`
+ corenet_send_mysqlmanagerd_client_packets($1)
+ corenet_receive_mysqlmanagerd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive mysqlmanagerd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_mysqlmanagerd_client_packets',`
+ corenet_dontaudit_send_mysqlmanagerd_client_packets($1)
+ corenet_dontaudit_receive_mysqlmanagerd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to mysqlmanagerd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_mysqlmanagerd_client_packets',`
+ gen_require(`
+ type mysqlmanagerd_client_packet_t;
+ ')
+
+ allow $1 mysqlmanagerd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send mysqlmanagerd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_mysqlmanagerd_server_packets',`
+ gen_require(`
+ type mysqlmanagerd_server_packet_t;
+ ')
+
+ allow $1 mysqlmanagerd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send mysqlmanagerd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_mysqlmanagerd_server_packets',`
+ gen_require(`
+ type mysqlmanagerd_server_packet_t;
+ ')
+
+ dontaudit $1 mysqlmanagerd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive mysqlmanagerd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_mysqlmanagerd_server_packets',`
+ gen_require(`
+ type mysqlmanagerd_server_packet_t;
+ ')
+
+ allow $1 mysqlmanagerd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive mysqlmanagerd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_mysqlmanagerd_server_packets',`
+ gen_require(`
+ type mysqlmanagerd_server_packet_t;
+ ')
+
+ dontaudit $1 mysqlmanagerd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive mysqlmanagerd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_mysqlmanagerd_server_packets',`
+ corenet_send_mysqlmanagerd_server_packets($1)
+ corenet_receive_mysqlmanagerd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive mysqlmanagerd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_mysqlmanagerd_server_packets',`
+ corenet_dontaudit_send_mysqlmanagerd_server_packets($1)
+ corenet_dontaudit_receive_mysqlmanagerd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to mysqlmanagerd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_mysqlmanagerd_server_packets',`
+ gen_require(`
+ type mysqlmanagerd_server_packet_t;
+ ')
+
+ allow $1 mysqlmanagerd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the nessus port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_nessus_port',`
+ gen_require(`
+ type nessus_port_t;
+ ')
+
+ allow $1 nessus_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the nessus port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_nessus_port',`
+ gen_require(`
+ type nessus_port_t;
+ ')
+
+ allow $1 nessus_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the nessus port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_nessus_port',`
+ gen_require(`
+ type nessus_port_t;
+ ')
+
+ dontaudit $1 nessus_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the nessus port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_nessus_port',`
+ gen_require(`
+ type nessus_port_t;
+ ')
+
+ allow $1 nessus_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the nessus port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_nessus_port',`
+ gen_require(`
+ type nessus_port_t;
+ ')
+
+ dontaudit $1 nessus_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the nessus port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_nessus_port',`
+ corenet_udp_send_nessus_port($1)
+ corenet_udp_receive_nessus_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the nessus port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_nessus_port',`
+ corenet_dontaudit_udp_send_nessus_port($1)
+ corenet_dontaudit_udp_receive_nessus_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the nessus port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_nessus_port',`
+ gen_require(`
+ type nessus_port_t;
+ ')
+
+ allow $1 nessus_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the nessus port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_nessus_port',`
+ gen_require(`
+ type nessus_port_t;
+ ')
+
+ allow $1 nessus_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the nessus port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_nessus_port',`
+ gen_require(`
+ type nessus_port_t;
+ ')
+
+ allow $1 nessus_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send nessus_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_nessus_client_packets',`
+ gen_require(`
+ type nessus_client_packet_t;
+ ')
+
+ allow $1 nessus_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send nessus_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_nessus_client_packets',`
+ gen_require(`
+ type nessus_client_packet_t;
+ ')
+
+ dontaudit $1 nessus_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive nessus_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_nessus_client_packets',`
+ gen_require(`
+ type nessus_client_packet_t;
+ ')
+
+ allow $1 nessus_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive nessus_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_nessus_client_packets',`
+ gen_require(`
+ type nessus_client_packet_t;
+ ')
+
+ dontaudit $1 nessus_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive nessus_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_nessus_client_packets',`
+ corenet_send_nessus_client_packets($1)
+ corenet_receive_nessus_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive nessus_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_nessus_client_packets',`
+ corenet_dontaudit_send_nessus_client_packets($1)
+ corenet_dontaudit_receive_nessus_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to nessus_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_nessus_client_packets',`
+ gen_require(`
+ type nessus_client_packet_t;
+ ')
+
+ allow $1 nessus_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send nessus_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_nessus_server_packets',`
+ gen_require(`
+ type nessus_server_packet_t;
+ ')
+
+ allow $1 nessus_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send nessus_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_nessus_server_packets',`
+ gen_require(`
+ type nessus_server_packet_t;
+ ')
+
+ dontaudit $1 nessus_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive nessus_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_nessus_server_packets',`
+ gen_require(`
+ type nessus_server_packet_t;
+ ')
+
+ allow $1 nessus_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive nessus_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_nessus_server_packets',`
+ gen_require(`
+ type nessus_server_packet_t;
+ ')
+
+ dontaudit $1 nessus_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive nessus_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_nessus_server_packets',`
+ corenet_send_nessus_server_packets($1)
+ corenet_receive_nessus_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive nessus_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_nessus_server_packets',`
+ corenet_dontaudit_send_nessus_server_packets($1)
+ corenet_dontaudit_receive_nessus_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to nessus_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_nessus_server_packets',`
+ gen_require(`
+ type nessus_server_packet_t;
+ ')
+
+ allow $1 nessus_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the netport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_netport_port',`
+ gen_require(`
+ type netport_port_t;
+ ')
+
+ allow $1 netport_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the netport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_netport_port',`
+ gen_require(`
+ type netport_port_t;
+ ')
+
+ allow $1 netport_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the netport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_netport_port',`
+ gen_require(`
+ type netport_port_t;
+ ')
+
+ dontaudit $1 netport_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the netport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_netport_port',`
+ gen_require(`
+ type netport_port_t;
+ ')
+
+ allow $1 netport_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the netport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_netport_port',`
+ gen_require(`
+ type netport_port_t;
+ ')
+
+ dontaudit $1 netport_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the netport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_netport_port',`
+ corenet_udp_send_netport_port($1)
+ corenet_udp_receive_netport_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the netport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_netport_port',`
+ corenet_dontaudit_udp_send_netport_port($1)
+ corenet_dontaudit_udp_receive_netport_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the netport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_netport_port',`
+ gen_require(`
+ type netport_port_t;
+ ')
+
+ allow $1 netport_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the netport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_netport_port',`
+ gen_require(`
+ type netport_port_t;
+ ')
+
+ allow $1 netport_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the netport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_netport_port',`
+ gen_require(`
+ type netport_port_t;
+ ')
+
+ allow $1 netport_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send netport_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_netport_client_packets',`
+ gen_require(`
+ type netport_client_packet_t;
+ ')
+
+ allow $1 netport_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send netport_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_netport_client_packets',`
+ gen_require(`
+ type netport_client_packet_t;
+ ')
+
+ dontaudit $1 netport_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive netport_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_netport_client_packets',`
+ gen_require(`
+ type netport_client_packet_t;
+ ')
+
+ allow $1 netport_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive netport_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_netport_client_packets',`
+ gen_require(`
+ type netport_client_packet_t;
+ ')
+
+ dontaudit $1 netport_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive netport_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_netport_client_packets',`
+ corenet_send_netport_client_packets($1)
+ corenet_receive_netport_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive netport_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_netport_client_packets',`
+ corenet_dontaudit_send_netport_client_packets($1)
+ corenet_dontaudit_receive_netport_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to netport_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_netport_client_packets',`
+ gen_require(`
+ type netport_client_packet_t;
+ ')
+
+ allow $1 netport_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send netport_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_netport_server_packets',`
+ gen_require(`
+ type netport_server_packet_t;
+ ')
+
+ allow $1 netport_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send netport_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_netport_server_packets',`
+ gen_require(`
+ type netport_server_packet_t;
+ ')
+
+ dontaudit $1 netport_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive netport_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_netport_server_packets',`
+ gen_require(`
+ type netport_server_packet_t;
+ ')
+
+ allow $1 netport_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive netport_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_netport_server_packets',`
+ gen_require(`
+ type netport_server_packet_t;
+ ')
+
+ dontaudit $1 netport_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive netport_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_netport_server_packets',`
+ corenet_send_netport_server_packets($1)
+ corenet_receive_netport_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive netport_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_netport_server_packets',`
+ corenet_dontaudit_send_netport_server_packets($1)
+ corenet_dontaudit_receive_netport_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to netport_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_netport_server_packets',`
+ gen_require(`
+ type netport_server_packet_t;
+ ')
+
+ allow $1 netport_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the netsupport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_netsupport_port',`
+ gen_require(`
+ type netsupport_port_t;
+ ')
+
+ allow $1 netsupport_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the netsupport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_netsupport_port',`
+ gen_require(`
+ type netsupport_port_t;
+ ')
+
+ allow $1 netsupport_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the netsupport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_netsupport_port',`
+ gen_require(`
+ type netsupport_port_t;
+ ')
+
+ dontaudit $1 netsupport_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the netsupport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_netsupport_port',`
+ gen_require(`
+ type netsupport_port_t;
+ ')
+
+ allow $1 netsupport_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the netsupport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_netsupport_port',`
+ gen_require(`
+ type netsupport_port_t;
+ ')
+
+ dontaudit $1 netsupport_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the netsupport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_netsupport_port',`
+ corenet_udp_send_netsupport_port($1)
+ corenet_udp_receive_netsupport_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the netsupport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_netsupport_port',`
+ corenet_dontaudit_udp_send_netsupport_port($1)
+ corenet_dontaudit_udp_receive_netsupport_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the netsupport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_netsupport_port',`
+ gen_require(`
+ type netsupport_port_t;
+ ')
+
+ allow $1 netsupport_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the netsupport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_netsupport_port',`
+ gen_require(`
+ type netsupport_port_t;
+ ')
+
+ allow $1 netsupport_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the netsupport port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_netsupport_port',`
+ gen_require(`
+ type netsupport_port_t;
+ ')
+
+ allow $1 netsupport_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send netsupport_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_netsupport_client_packets',`
+ gen_require(`
+ type netsupport_client_packet_t;
+ ')
+
+ allow $1 netsupport_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send netsupport_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_netsupport_client_packets',`
+ gen_require(`
+ type netsupport_client_packet_t;
+ ')
+
+ dontaudit $1 netsupport_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive netsupport_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_netsupport_client_packets',`
+ gen_require(`
+ type netsupport_client_packet_t;
+ ')
+
+ allow $1 netsupport_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive netsupport_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_netsupport_client_packets',`
+ gen_require(`
+ type netsupport_client_packet_t;
+ ')
+
+ dontaudit $1 netsupport_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive netsupport_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_netsupport_client_packets',`
+ corenet_send_netsupport_client_packets($1)
+ corenet_receive_netsupport_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive netsupport_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_netsupport_client_packets',`
+ corenet_dontaudit_send_netsupport_client_packets($1)
+ corenet_dontaudit_receive_netsupport_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to netsupport_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_netsupport_client_packets',`
+ gen_require(`
+ type netsupport_client_packet_t;
+ ')
+
+ allow $1 netsupport_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send netsupport_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_netsupport_server_packets',`
+ gen_require(`
+ type netsupport_server_packet_t;
+ ')
+
+ allow $1 netsupport_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send netsupport_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_netsupport_server_packets',`
+ gen_require(`
+ type netsupport_server_packet_t;
+ ')
+
+ dontaudit $1 netsupport_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive netsupport_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_netsupport_server_packets',`
+ gen_require(`
+ type netsupport_server_packet_t;
+ ')
+
+ allow $1 netsupport_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive netsupport_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_netsupport_server_packets',`
+ gen_require(`
+ type netsupport_server_packet_t;
+ ')
+
+ dontaudit $1 netsupport_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive netsupport_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_netsupport_server_packets',`
+ corenet_send_netsupport_server_packets($1)
+ corenet_receive_netsupport_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive netsupport_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_netsupport_server_packets',`
+ corenet_dontaudit_send_netsupport_server_packets($1)
+ corenet_dontaudit_receive_netsupport_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to netsupport_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_netsupport_server_packets',`
+ gen_require(`
+ type netsupport_server_packet_t;
+ ')
+
+ allow $1 netsupport_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the nmbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_nmbd_port',`
+ gen_require(`
+ type nmbd_port_t;
+ ')
+
+ allow $1 nmbd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the nmbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_nmbd_port',`
+ gen_require(`
+ type nmbd_port_t;
+ ')
+
+ allow $1 nmbd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the nmbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_nmbd_port',`
+ gen_require(`
+ type nmbd_port_t;
+ ')
+
+ dontaudit $1 nmbd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the nmbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_nmbd_port',`
+ gen_require(`
+ type nmbd_port_t;
+ ')
+
+ allow $1 nmbd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the nmbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_nmbd_port',`
+ gen_require(`
+ type nmbd_port_t;
+ ')
+
+ dontaudit $1 nmbd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the nmbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_nmbd_port',`
+ corenet_udp_send_nmbd_port($1)
+ corenet_udp_receive_nmbd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the nmbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_nmbd_port',`
+ corenet_dontaudit_udp_send_nmbd_port($1)
+ corenet_dontaudit_udp_receive_nmbd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the nmbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_nmbd_port',`
+ gen_require(`
+ type nmbd_port_t;
+ ')
+
+ allow $1 nmbd_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the nmbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_nmbd_port',`
+ gen_require(`
+ type nmbd_port_t;
+ ')
+
+ allow $1 nmbd_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the nmbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_nmbd_port',`
+ gen_require(`
+ type nmbd_port_t;
+ ')
+
+ allow $1 nmbd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send nmbd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_nmbd_client_packets',`
+ gen_require(`
+ type nmbd_client_packet_t;
+ ')
+
+ allow $1 nmbd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send nmbd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_nmbd_client_packets',`
+ gen_require(`
+ type nmbd_client_packet_t;
+ ')
+
+ dontaudit $1 nmbd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive nmbd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_nmbd_client_packets',`
+ gen_require(`
+ type nmbd_client_packet_t;
+ ')
+
+ allow $1 nmbd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive nmbd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_nmbd_client_packets',`
+ gen_require(`
+ type nmbd_client_packet_t;
+ ')
+
+ dontaudit $1 nmbd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive nmbd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_nmbd_client_packets',`
+ corenet_send_nmbd_client_packets($1)
+ corenet_receive_nmbd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive nmbd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_nmbd_client_packets',`
+ corenet_dontaudit_send_nmbd_client_packets($1)
+ corenet_dontaudit_receive_nmbd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to nmbd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_nmbd_client_packets',`
+ gen_require(`
+ type nmbd_client_packet_t;
+ ')
+
+ allow $1 nmbd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send nmbd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_nmbd_server_packets',`
+ gen_require(`
+ type nmbd_server_packet_t;
+ ')
+
+ allow $1 nmbd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send nmbd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_nmbd_server_packets',`
+ gen_require(`
+ type nmbd_server_packet_t;
+ ')
+
+ dontaudit $1 nmbd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive nmbd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_nmbd_server_packets',`
+ gen_require(`
+ type nmbd_server_packet_t;
+ ')
+
+ allow $1 nmbd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive nmbd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_nmbd_server_packets',`
+ gen_require(`
+ type nmbd_server_packet_t;
+ ')
+
+ dontaudit $1 nmbd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive nmbd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_nmbd_server_packets',`
+ corenet_send_nmbd_server_packets($1)
+ corenet_receive_nmbd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive nmbd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_nmbd_server_packets',`
+ corenet_dontaudit_send_nmbd_server_packets($1)
+ corenet_dontaudit_receive_nmbd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to nmbd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_nmbd_server_packets',`
+ gen_require(`
+ type nmbd_server_packet_t;
+ ')
+
+ allow $1 nmbd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ntop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ntop_port',`
+ gen_require(`
+ type ntop_port_t;
+ ')
+
+ allow $1 ntop_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ntop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ntop_port',`
+ gen_require(`
+ type ntop_port_t;
+ ')
+
+ allow $1 ntop_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ntop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ntop_port',`
+ gen_require(`
+ type ntop_port_t;
+ ')
+
+ dontaudit $1 ntop_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ntop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ntop_port',`
+ gen_require(`
+ type ntop_port_t;
+ ')
+
+ allow $1 ntop_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ntop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ntop_port',`
+ gen_require(`
+ type ntop_port_t;
+ ')
+
+ dontaudit $1 ntop_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ntop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ntop_port',`
+ corenet_udp_send_ntop_port($1)
+ corenet_udp_receive_ntop_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ntop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ntop_port',`
+ corenet_dontaudit_udp_send_ntop_port($1)
+ corenet_dontaudit_udp_receive_ntop_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ntop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ntop_port',`
+ gen_require(`
+ type ntop_port_t;
+ ')
+
+ allow $1 ntop_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ntop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ntop_port',`
+ gen_require(`
+ type ntop_port_t;
+ ')
+
+ allow $1 ntop_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ntop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ntop_port',`
+ gen_require(`
+ type ntop_port_t;
+ ')
+
+ allow $1 ntop_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ntop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ntop_client_packets',`
+ gen_require(`
+ type ntop_client_packet_t;
+ ')
+
+ allow $1 ntop_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ntop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ntop_client_packets',`
+ gen_require(`
+ type ntop_client_packet_t;
+ ')
+
+ dontaudit $1 ntop_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ntop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ntop_client_packets',`
+ gen_require(`
+ type ntop_client_packet_t;
+ ')
+
+ allow $1 ntop_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ntop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ntop_client_packets',`
+ gen_require(`
+ type ntop_client_packet_t;
+ ')
+
+ dontaudit $1 ntop_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ntop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ntop_client_packets',`
+ corenet_send_ntop_client_packets($1)
+ corenet_receive_ntop_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ntop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ntop_client_packets',`
+ corenet_dontaudit_send_ntop_client_packets($1)
+ corenet_dontaudit_receive_ntop_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ntop_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ntop_client_packets',`
+ gen_require(`
+ type ntop_client_packet_t;
+ ')
+
+ allow $1 ntop_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ntop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ntop_server_packets',`
+ gen_require(`
+ type ntop_server_packet_t;
+ ')
+
+ allow $1 ntop_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ntop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ntop_server_packets',`
+ gen_require(`
+ type ntop_server_packet_t;
+ ')
+
+ dontaudit $1 ntop_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ntop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ntop_server_packets',`
+ gen_require(`
+ type ntop_server_packet_t;
+ ')
+
+ allow $1 ntop_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ntop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ntop_server_packets',`
+ gen_require(`
+ type ntop_server_packet_t;
+ ')
+
+ dontaudit $1 ntop_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ntop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ntop_server_packets',`
+ corenet_send_ntop_server_packets($1)
+ corenet_receive_ntop_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ntop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ntop_server_packets',`
+ corenet_dontaudit_send_ntop_server_packets($1)
+ corenet_dontaudit_receive_ntop_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ntop_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ntop_server_packets',`
+ gen_require(`
+ type ntop_server_packet_t;
+ ')
+
+ allow $1 ntop_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ntp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ntp_port',`
+ gen_require(`
+ type ntp_port_t;
+ ')
+
+ allow $1 ntp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ntp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ntp_port',`
+ gen_require(`
+ type ntp_port_t;
+ ')
+
+ allow $1 ntp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ntp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ntp_port',`
+ gen_require(`
+ type ntp_port_t;
+ ')
+
+ dontaudit $1 ntp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ntp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ntp_port',`
+ gen_require(`
+ type ntp_port_t;
+ ')
+
+ allow $1 ntp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ntp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ntp_port',`
+ gen_require(`
+ type ntp_port_t;
+ ')
+
+ dontaudit $1 ntp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ntp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ntp_port',`
+ corenet_udp_send_ntp_port($1)
+ corenet_udp_receive_ntp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ntp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ntp_port',`
+ corenet_dontaudit_udp_send_ntp_port($1)
+ corenet_dontaudit_udp_receive_ntp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ntp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ntp_port',`
+ gen_require(`
+ type ntp_port_t;
+ ')
+
+ allow $1 ntp_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ntp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ntp_port',`
+ gen_require(`
+ type ntp_port_t;
+ ')
+
+ allow $1 ntp_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ntp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ntp_port',`
+ gen_require(`
+ type ntp_port_t;
+ ')
+
+ allow $1 ntp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ntp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ntp_client_packets',`
+ gen_require(`
+ type ntp_client_packet_t;
+ ')
+
+ allow $1 ntp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ntp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ntp_client_packets',`
+ gen_require(`
+ type ntp_client_packet_t;
+ ')
+
+ dontaudit $1 ntp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ntp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ntp_client_packets',`
+ gen_require(`
+ type ntp_client_packet_t;
+ ')
+
+ allow $1 ntp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ntp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ntp_client_packets',`
+ gen_require(`
+ type ntp_client_packet_t;
+ ')
+
+ dontaudit $1 ntp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ntp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ntp_client_packets',`
+ corenet_send_ntp_client_packets($1)
+ corenet_receive_ntp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ntp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ntp_client_packets',`
+ corenet_dontaudit_send_ntp_client_packets($1)
+ corenet_dontaudit_receive_ntp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ntp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ntp_client_packets',`
+ gen_require(`
+ type ntp_client_packet_t;
+ ')
+
+ allow $1 ntp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ntp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ntp_server_packets',`
+ gen_require(`
+ type ntp_server_packet_t;
+ ')
+
+ allow $1 ntp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ntp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ntp_server_packets',`
+ gen_require(`
+ type ntp_server_packet_t;
+ ')
+
+ dontaudit $1 ntp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ntp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ntp_server_packets',`
+ gen_require(`
+ type ntp_server_packet_t;
+ ')
+
+ allow $1 ntp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ntp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ntp_server_packets',`
+ gen_require(`
+ type ntp_server_packet_t;
+ ')
+
+ dontaudit $1 ntp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ntp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ntp_server_packets',`
+ corenet_send_ntp_server_packets($1)
+ corenet_receive_ntp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ntp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ntp_server_packets',`
+ corenet_dontaudit_send_ntp_server_packets($1)
+ corenet_dontaudit_receive_ntp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ntp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ntp_server_packets',`
+ gen_require(`
+ type ntp_server_packet_t;
+ ')
+
+ allow $1 ntp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the oracledb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_oracledb_port',`
+ gen_require(`
+ type oracledb_port_t;
+ ')
+
+ allow $1 oracledb_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the oracledb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_oracledb_port',`
+ gen_require(`
+ type oracledb_port_t;
+ ')
+
+ allow $1 oracledb_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the oracledb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_oracledb_port',`
+ gen_require(`
+ type oracledb_port_t;
+ ')
+
+ dontaudit $1 oracledb_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the oracledb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_oracledb_port',`
+ gen_require(`
+ type oracledb_port_t;
+ ')
+
+ allow $1 oracledb_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the oracledb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_oracledb_port',`
+ gen_require(`
+ type oracledb_port_t;
+ ')
+
+ dontaudit $1 oracledb_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the oracledb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_oracledb_port',`
+ corenet_udp_send_oracledb_port($1)
+ corenet_udp_receive_oracledb_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the oracledb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_oracledb_port',`
+ corenet_dontaudit_udp_send_oracledb_port($1)
+ corenet_dontaudit_udp_receive_oracledb_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the oracledb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_oracledb_port',`
+ gen_require(`
+ type oracledb_port_t;
+ ')
+
+ allow $1 oracledb_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the oracledb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_oracledb_port',`
+ gen_require(`
+ type oracledb_port_t;
+ ')
+
+ allow $1 oracledb_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the oracledb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_oracledb_port',`
+ gen_require(`
+ type oracledb_port_t;
+ ')
+
+ allow $1 oracledb_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send oracledb_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_oracledb_client_packets',`
+ gen_require(`
+ type oracledb_client_packet_t;
+ ')
+
+ allow $1 oracledb_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send oracledb_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_oracledb_client_packets',`
+ gen_require(`
+ type oracledb_client_packet_t;
+ ')
+
+ dontaudit $1 oracledb_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive oracledb_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_oracledb_client_packets',`
+ gen_require(`
+ type oracledb_client_packet_t;
+ ')
+
+ allow $1 oracledb_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive oracledb_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_oracledb_client_packets',`
+ gen_require(`
+ type oracledb_client_packet_t;
+ ')
+
+ dontaudit $1 oracledb_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive oracledb_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_oracledb_client_packets',`
+ corenet_send_oracledb_client_packets($1)
+ corenet_receive_oracledb_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive oracledb_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_oracledb_client_packets',`
+ corenet_dontaudit_send_oracledb_client_packets($1)
+ corenet_dontaudit_receive_oracledb_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to oracledb_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_oracledb_client_packets',`
+ gen_require(`
+ type oracledb_client_packet_t;
+ ')
+
+ allow $1 oracledb_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send oracledb_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_oracledb_server_packets',`
+ gen_require(`
+ type oracledb_server_packet_t;
+ ')
+
+ allow $1 oracledb_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send oracledb_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_oracledb_server_packets',`
+ gen_require(`
+ type oracledb_server_packet_t;
+ ')
+
+ dontaudit $1 oracledb_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive oracledb_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_oracledb_server_packets',`
+ gen_require(`
+ type oracledb_server_packet_t;
+ ')
+
+ allow $1 oracledb_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive oracledb_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_oracledb_server_packets',`
+ gen_require(`
+ type oracledb_server_packet_t;
+ ')
+
+ dontaudit $1 oracledb_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive oracledb_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_oracledb_server_packets',`
+ corenet_send_oracledb_server_packets($1)
+ corenet_receive_oracledb_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive oracledb_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_oracledb_server_packets',`
+ corenet_dontaudit_send_oracledb_server_packets($1)
+ corenet_dontaudit_receive_oracledb_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to oracledb_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_oracledb_server_packets',`
+ gen_require(`
+ type oracledb_server_packet_t;
+ ')
+
+ allow $1 oracledb_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ocsp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ocsp_port',`
+ gen_require(`
+ type ocsp_port_t;
+ ')
+
+ allow $1 ocsp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ocsp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ocsp_port',`
+ gen_require(`
+ type ocsp_port_t;
+ ')
+
+ allow $1 ocsp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ocsp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ocsp_port',`
+ gen_require(`
+ type ocsp_port_t;
+ ')
+
+ dontaudit $1 ocsp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ocsp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ocsp_port',`
+ gen_require(`
+ type ocsp_port_t;
+ ')
+
+ allow $1 ocsp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ocsp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ocsp_port',`
+ gen_require(`
+ type ocsp_port_t;
+ ')
+
+ dontaudit $1 ocsp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ocsp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ocsp_port',`
+ corenet_udp_send_ocsp_port($1)
+ corenet_udp_receive_ocsp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ocsp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ocsp_port',`
+ corenet_dontaudit_udp_send_ocsp_port($1)
+ corenet_dontaudit_udp_receive_ocsp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ocsp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ocsp_port',`
+ gen_require(`
+ type ocsp_port_t;
+ ')
+
+ allow $1 ocsp_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ocsp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ocsp_port',`
+ gen_require(`
+ type ocsp_port_t;
+ ')
+
+ allow $1 ocsp_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ocsp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ocsp_port',`
+ gen_require(`
+ type ocsp_port_t;
+ ')
+
+ allow $1 ocsp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ocsp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ocsp_client_packets',`
+ gen_require(`
+ type ocsp_client_packet_t;
+ ')
+
+ allow $1 ocsp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ocsp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ocsp_client_packets',`
+ gen_require(`
+ type ocsp_client_packet_t;
+ ')
+
+ dontaudit $1 ocsp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ocsp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ocsp_client_packets',`
+ gen_require(`
+ type ocsp_client_packet_t;
+ ')
+
+ allow $1 ocsp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ocsp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ocsp_client_packets',`
+ gen_require(`
+ type ocsp_client_packet_t;
+ ')
+
+ dontaudit $1 ocsp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ocsp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ocsp_client_packets',`
+ corenet_send_ocsp_client_packets($1)
+ corenet_receive_ocsp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ocsp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ocsp_client_packets',`
+ corenet_dontaudit_send_ocsp_client_packets($1)
+ corenet_dontaudit_receive_ocsp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ocsp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ocsp_client_packets',`
+ gen_require(`
+ type ocsp_client_packet_t;
+ ')
+
+ allow $1 ocsp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ocsp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ocsp_server_packets',`
+ gen_require(`
+ type ocsp_server_packet_t;
+ ')
+
+ allow $1 ocsp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ocsp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ocsp_server_packets',`
+ gen_require(`
+ type ocsp_server_packet_t;
+ ')
+
+ dontaudit $1 ocsp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ocsp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ocsp_server_packets',`
+ gen_require(`
+ type ocsp_server_packet_t;
+ ')
+
+ allow $1 ocsp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ocsp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ocsp_server_packets',`
+ gen_require(`
+ type ocsp_server_packet_t;
+ ')
+
+ dontaudit $1 ocsp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ocsp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ocsp_server_packets',`
+ corenet_send_ocsp_server_packets($1)
+ corenet_receive_ocsp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ocsp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ocsp_server_packets',`
+ corenet_dontaudit_send_ocsp_server_packets($1)
+ corenet_dontaudit_receive_ocsp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ocsp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ocsp_server_packets',`
+ gen_require(`
+ type ocsp_server_packet_t;
+ ')
+
+ allow $1 ocsp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the openvpn port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_openvpn_port',`
+ gen_require(`
+ type openvpn_port_t;
+ ')
+
+ allow $1 openvpn_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the openvpn port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_openvpn_port',`
+ gen_require(`
+ type openvpn_port_t;
+ ')
+
+ allow $1 openvpn_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the openvpn port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_openvpn_port',`
+ gen_require(`
+ type openvpn_port_t;
+ ')
+
+ dontaudit $1 openvpn_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the openvpn port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_openvpn_port',`
+ gen_require(`
+ type openvpn_port_t;
+ ')
+
+ allow $1 openvpn_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the openvpn port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_openvpn_port',`
+ gen_require(`
+ type openvpn_port_t;
+ ')
+
+ dontaudit $1 openvpn_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the openvpn port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_openvpn_port',`
+ corenet_udp_send_openvpn_port($1)
+ corenet_udp_receive_openvpn_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the openvpn port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_openvpn_port',`
+ corenet_dontaudit_udp_send_openvpn_port($1)
+ corenet_dontaudit_udp_receive_openvpn_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the openvpn port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_openvpn_port',`
+ gen_require(`
+ type openvpn_port_t;
+ ')
+
+ allow $1 openvpn_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the openvpn port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_openvpn_port',`
+ gen_require(`
+ type openvpn_port_t;
+ ')
+
+ allow $1 openvpn_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the openvpn port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_openvpn_port',`
+ gen_require(`
+ type openvpn_port_t;
+ ')
+
+ allow $1 openvpn_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send openvpn_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_openvpn_client_packets',`
+ gen_require(`
+ type openvpn_client_packet_t;
+ ')
+
+ allow $1 openvpn_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send openvpn_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_openvpn_client_packets',`
+ gen_require(`
+ type openvpn_client_packet_t;
+ ')
+
+ dontaudit $1 openvpn_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive openvpn_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_openvpn_client_packets',`
+ gen_require(`
+ type openvpn_client_packet_t;
+ ')
+
+ allow $1 openvpn_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive openvpn_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_openvpn_client_packets',`
+ gen_require(`
+ type openvpn_client_packet_t;
+ ')
+
+ dontaudit $1 openvpn_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive openvpn_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_openvpn_client_packets',`
+ corenet_send_openvpn_client_packets($1)
+ corenet_receive_openvpn_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive openvpn_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_openvpn_client_packets',`
+ corenet_dontaudit_send_openvpn_client_packets($1)
+ corenet_dontaudit_receive_openvpn_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to openvpn_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_openvpn_client_packets',`
+ gen_require(`
+ type openvpn_client_packet_t;
+ ')
+
+ allow $1 openvpn_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send openvpn_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_openvpn_server_packets',`
+ gen_require(`
+ type openvpn_server_packet_t;
+ ')
+
+ allow $1 openvpn_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send openvpn_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_openvpn_server_packets',`
+ gen_require(`
+ type openvpn_server_packet_t;
+ ')
+
+ dontaudit $1 openvpn_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive openvpn_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_openvpn_server_packets',`
+ gen_require(`
+ type openvpn_server_packet_t;
+ ')
+
+ allow $1 openvpn_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive openvpn_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_openvpn_server_packets',`
+ gen_require(`
+ type openvpn_server_packet_t;
+ ')
+
+ dontaudit $1 openvpn_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive openvpn_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_openvpn_server_packets',`
+ corenet_send_openvpn_server_packets($1)
+ corenet_receive_openvpn_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive openvpn_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_openvpn_server_packets',`
+ corenet_dontaudit_send_openvpn_server_packets($1)
+ corenet_dontaudit_receive_openvpn_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to openvpn_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_openvpn_server_packets',`
+ gen_require(`
+ type openvpn_server_packet_t;
+ ')
+
+ allow $1 openvpn_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the pegasus_http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_pegasus_http_port',`
+ gen_require(`
+ type pegasus_http_port_t;
+ ')
+
+ allow $1 pegasus_http_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the pegasus_http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_pegasus_http_port',`
+ gen_require(`
+ type pegasus_http_port_t;
+ ')
+
+ allow $1 pegasus_http_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the pegasus_http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_pegasus_http_port',`
+ gen_require(`
+ type pegasus_http_port_t;
+ ')
+
+ dontaudit $1 pegasus_http_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the pegasus_http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_pegasus_http_port',`
+ gen_require(`
+ type pegasus_http_port_t;
+ ')
+
+ allow $1 pegasus_http_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the pegasus_http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_pegasus_http_port',`
+ gen_require(`
+ type pegasus_http_port_t;
+ ')
+
+ dontaudit $1 pegasus_http_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the pegasus_http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_pegasus_http_port',`
+ corenet_udp_send_pegasus_http_port($1)
+ corenet_udp_receive_pegasus_http_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the pegasus_http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_pegasus_http_port',`
+ corenet_dontaudit_udp_send_pegasus_http_port($1)
+ corenet_dontaudit_udp_receive_pegasus_http_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the pegasus_http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_pegasus_http_port',`
+ gen_require(`
+ type pegasus_http_port_t;
+ ')
+
+ allow $1 pegasus_http_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the pegasus_http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_pegasus_http_port',`
+ gen_require(`
+ type pegasus_http_port_t;
+ ')
+
+ allow $1 pegasus_http_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the pegasus_http port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_pegasus_http_port',`
+ gen_require(`
+ type pegasus_http_port_t;
+ ')
+
+ allow $1 pegasus_http_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send pegasus_http_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pegasus_http_client_packets',`
+ gen_require(`
+ type pegasus_http_client_packet_t;
+ ')
+
+ allow $1 pegasus_http_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pegasus_http_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pegasus_http_client_packets',`
+ gen_require(`
+ type pegasus_http_client_packet_t;
+ ')
+
+ dontaudit $1 pegasus_http_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pegasus_http_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pegasus_http_client_packets',`
+ gen_require(`
+ type pegasus_http_client_packet_t;
+ ')
+
+ allow $1 pegasus_http_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pegasus_http_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pegasus_http_client_packets',`
+ gen_require(`
+ type pegasus_http_client_packet_t;
+ ')
+
+ dontaudit $1 pegasus_http_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pegasus_http_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pegasus_http_client_packets',`
+ corenet_send_pegasus_http_client_packets($1)
+ corenet_receive_pegasus_http_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pegasus_http_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pegasus_http_client_packets',`
+ corenet_dontaudit_send_pegasus_http_client_packets($1)
+ corenet_dontaudit_receive_pegasus_http_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pegasus_http_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pegasus_http_client_packets',`
+ gen_require(`
+ type pegasus_http_client_packet_t;
+ ')
+
+ allow $1 pegasus_http_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send pegasus_http_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pegasus_http_server_packets',`
+ gen_require(`
+ type pegasus_http_server_packet_t;
+ ')
+
+ allow $1 pegasus_http_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pegasus_http_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pegasus_http_server_packets',`
+ gen_require(`
+ type pegasus_http_server_packet_t;
+ ')
+
+ dontaudit $1 pegasus_http_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pegasus_http_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pegasus_http_server_packets',`
+ gen_require(`
+ type pegasus_http_server_packet_t;
+ ')
+
+ allow $1 pegasus_http_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pegasus_http_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pegasus_http_server_packets',`
+ gen_require(`
+ type pegasus_http_server_packet_t;
+ ')
+
+ dontaudit $1 pegasus_http_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pegasus_http_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pegasus_http_server_packets',`
+ corenet_send_pegasus_http_server_packets($1)
+ corenet_receive_pegasus_http_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pegasus_http_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pegasus_http_server_packets',`
+ corenet_dontaudit_send_pegasus_http_server_packets($1)
+ corenet_dontaudit_receive_pegasus_http_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pegasus_http_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pegasus_http_server_packets',`
+ gen_require(`
+ type pegasus_http_server_packet_t;
+ ')
+
+ allow $1 pegasus_http_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the pegasus_https port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_pegasus_https_port',`
+ gen_require(`
+ type pegasus_https_port_t;
+ ')
+
+ allow $1 pegasus_https_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the pegasus_https port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_pegasus_https_port',`
+ gen_require(`
+ type pegasus_https_port_t;
+ ')
+
+ allow $1 pegasus_https_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the pegasus_https port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_pegasus_https_port',`
+ gen_require(`
+ type pegasus_https_port_t;
+ ')
+
+ dontaudit $1 pegasus_https_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the pegasus_https port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_pegasus_https_port',`
+ gen_require(`
+ type pegasus_https_port_t;
+ ')
+
+ allow $1 pegasus_https_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the pegasus_https port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_pegasus_https_port',`
+ gen_require(`
+ type pegasus_https_port_t;
+ ')
+
+ dontaudit $1 pegasus_https_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the pegasus_https port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_pegasus_https_port',`
+ corenet_udp_send_pegasus_https_port($1)
+ corenet_udp_receive_pegasus_https_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the pegasus_https port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_pegasus_https_port',`
+ corenet_dontaudit_udp_send_pegasus_https_port($1)
+ corenet_dontaudit_udp_receive_pegasus_https_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the pegasus_https port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_pegasus_https_port',`
+ gen_require(`
+ type pegasus_https_port_t;
+ ')
+
+ allow $1 pegasus_https_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the pegasus_https port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_pegasus_https_port',`
+ gen_require(`
+ type pegasus_https_port_t;
+ ')
+
+ allow $1 pegasus_https_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the pegasus_https port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_pegasus_https_port',`
+ gen_require(`
+ type pegasus_https_port_t;
+ ')
+
+ allow $1 pegasus_https_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send pegasus_https_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pegasus_https_client_packets',`
+ gen_require(`
+ type pegasus_https_client_packet_t;
+ ')
+
+ allow $1 pegasus_https_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pegasus_https_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pegasus_https_client_packets',`
+ gen_require(`
+ type pegasus_https_client_packet_t;
+ ')
+
+ dontaudit $1 pegasus_https_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pegasus_https_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pegasus_https_client_packets',`
+ gen_require(`
+ type pegasus_https_client_packet_t;
+ ')
+
+ allow $1 pegasus_https_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pegasus_https_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pegasus_https_client_packets',`
+ gen_require(`
+ type pegasus_https_client_packet_t;
+ ')
+
+ dontaudit $1 pegasus_https_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pegasus_https_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pegasus_https_client_packets',`
+ corenet_send_pegasus_https_client_packets($1)
+ corenet_receive_pegasus_https_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pegasus_https_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pegasus_https_client_packets',`
+ corenet_dontaudit_send_pegasus_https_client_packets($1)
+ corenet_dontaudit_receive_pegasus_https_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pegasus_https_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pegasus_https_client_packets',`
+ gen_require(`
+ type pegasus_https_client_packet_t;
+ ')
+
+ allow $1 pegasus_https_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send pegasus_https_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pegasus_https_server_packets',`
+ gen_require(`
+ type pegasus_https_server_packet_t;
+ ')
+
+ allow $1 pegasus_https_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pegasus_https_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pegasus_https_server_packets',`
+ gen_require(`
+ type pegasus_https_server_packet_t;
+ ')
+
+ dontaudit $1 pegasus_https_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pegasus_https_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pegasus_https_server_packets',`
+ gen_require(`
+ type pegasus_https_server_packet_t;
+ ')
+
+ allow $1 pegasus_https_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pegasus_https_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pegasus_https_server_packets',`
+ gen_require(`
+ type pegasus_https_server_packet_t;
+ ')
+
+ dontaudit $1 pegasus_https_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pegasus_https_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pegasus_https_server_packets',`
+ corenet_send_pegasus_https_server_packets($1)
+ corenet_receive_pegasus_https_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pegasus_https_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pegasus_https_server_packets',`
+ corenet_dontaudit_send_pegasus_https_server_packets($1)
+ corenet_dontaudit_receive_pegasus_https_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pegasus_https_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pegasus_https_server_packets',`
+ gen_require(`
+ type pegasus_https_server_packet_t;
+ ')
+
+ allow $1 pegasus_https_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the pgpkeyserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_pgpkeyserver_port',`
+ gen_require(`
+ type pgpkeyserver_port_t;
+ ')
+
+ allow $1 pgpkeyserver_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the pgpkeyserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_pgpkeyserver_port',`
+ gen_require(`
+ type pgpkeyserver_port_t;
+ ')
+
+ allow $1 pgpkeyserver_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the pgpkeyserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_pgpkeyserver_port',`
+ gen_require(`
+ type pgpkeyserver_port_t;
+ ')
+
+ dontaudit $1 pgpkeyserver_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the pgpkeyserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_pgpkeyserver_port',`
+ gen_require(`
+ type pgpkeyserver_port_t;
+ ')
+
+ allow $1 pgpkeyserver_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the pgpkeyserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_pgpkeyserver_port',`
+ gen_require(`
+ type pgpkeyserver_port_t;
+ ')
+
+ dontaudit $1 pgpkeyserver_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the pgpkeyserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_pgpkeyserver_port',`
+ corenet_udp_send_pgpkeyserver_port($1)
+ corenet_udp_receive_pgpkeyserver_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the pgpkeyserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_pgpkeyserver_port',`
+ corenet_dontaudit_udp_send_pgpkeyserver_port($1)
+ corenet_dontaudit_udp_receive_pgpkeyserver_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the pgpkeyserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_pgpkeyserver_port',`
+ gen_require(`
+ type pgpkeyserver_port_t;
+ ')
+
+ allow $1 pgpkeyserver_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the pgpkeyserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_pgpkeyserver_port',`
+ gen_require(`
+ type pgpkeyserver_port_t;
+ ')
+
+ allow $1 pgpkeyserver_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the pgpkeyserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_pgpkeyserver_port',`
+ gen_require(`
+ type pgpkeyserver_port_t;
+ ')
+
+ allow $1 pgpkeyserver_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send pgpkeyserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pgpkeyserver_client_packets',`
+ gen_require(`
+ type pgpkeyserver_client_packet_t;
+ ')
+
+ allow $1 pgpkeyserver_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pgpkeyserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pgpkeyserver_client_packets',`
+ gen_require(`
+ type pgpkeyserver_client_packet_t;
+ ')
+
+ dontaudit $1 pgpkeyserver_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pgpkeyserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pgpkeyserver_client_packets',`
+ gen_require(`
+ type pgpkeyserver_client_packet_t;
+ ')
+
+ allow $1 pgpkeyserver_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pgpkeyserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pgpkeyserver_client_packets',`
+ gen_require(`
+ type pgpkeyserver_client_packet_t;
+ ')
+
+ dontaudit $1 pgpkeyserver_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pgpkeyserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pgpkeyserver_client_packets',`
+ corenet_send_pgpkeyserver_client_packets($1)
+ corenet_receive_pgpkeyserver_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pgpkeyserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pgpkeyserver_client_packets',`
+ corenet_dontaudit_send_pgpkeyserver_client_packets($1)
+ corenet_dontaudit_receive_pgpkeyserver_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pgpkeyserver_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pgpkeyserver_client_packets',`
+ gen_require(`
+ type pgpkeyserver_client_packet_t;
+ ')
+
+ allow $1 pgpkeyserver_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send pgpkeyserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pgpkeyserver_server_packets',`
+ gen_require(`
+ type pgpkeyserver_server_packet_t;
+ ')
+
+ allow $1 pgpkeyserver_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pgpkeyserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pgpkeyserver_server_packets',`
+ gen_require(`
+ type pgpkeyserver_server_packet_t;
+ ')
+
+ dontaudit $1 pgpkeyserver_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pgpkeyserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pgpkeyserver_server_packets',`
+ gen_require(`
+ type pgpkeyserver_server_packet_t;
+ ')
+
+ allow $1 pgpkeyserver_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pgpkeyserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pgpkeyserver_server_packets',`
+ gen_require(`
+ type pgpkeyserver_server_packet_t;
+ ')
+
+ dontaudit $1 pgpkeyserver_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pgpkeyserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pgpkeyserver_server_packets',`
+ corenet_send_pgpkeyserver_server_packets($1)
+ corenet_receive_pgpkeyserver_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pgpkeyserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pgpkeyserver_server_packets',`
+ corenet_dontaudit_send_pgpkeyserver_server_packets($1)
+ corenet_dontaudit_receive_pgpkeyserver_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pgpkeyserver_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pgpkeyserver_server_packets',`
+ gen_require(`
+ type pgpkeyserver_server_packet_t;
+ ')
+
+ allow $1 pgpkeyserver_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the pingd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_pingd_port',`
+ gen_require(`
+ type pingd_port_t;
+ ')
+
+ allow $1 pingd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the pingd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_pingd_port',`
+ gen_require(`
+ type pingd_port_t;
+ ')
+
+ allow $1 pingd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the pingd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_pingd_port',`
+ gen_require(`
+ type pingd_port_t;
+ ')
+
+ dontaudit $1 pingd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the pingd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_pingd_port',`
+ gen_require(`
+ type pingd_port_t;
+ ')
+
+ allow $1 pingd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the pingd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_pingd_port',`
+ gen_require(`
+ type pingd_port_t;
+ ')
+
+ dontaudit $1 pingd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the pingd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_pingd_port',`
+ corenet_udp_send_pingd_port($1)
+ corenet_udp_receive_pingd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the pingd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_pingd_port',`
+ corenet_dontaudit_udp_send_pingd_port($1)
+ corenet_dontaudit_udp_receive_pingd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the pingd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_pingd_port',`
+ gen_require(`
+ type pingd_port_t;
+ ')
+
+ allow $1 pingd_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the pingd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_pingd_port',`
+ gen_require(`
+ type pingd_port_t;
+ ')
+
+ allow $1 pingd_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the pingd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_pingd_port',`
+ gen_require(`
+ type pingd_port_t;
+ ')
+
+ allow $1 pingd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send pingd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pingd_client_packets',`
+ gen_require(`
+ type pingd_client_packet_t;
+ ')
+
+ allow $1 pingd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pingd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pingd_client_packets',`
+ gen_require(`
+ type pingd_client_packet_t;
+ ')
+
+ dontaudit $1 pingd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pingd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pingd_client_packets',`
+ gen_require(`
+ type pingd_client_packet_t;
+ ')
+
+ allow $1 pingd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pingd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pingd_client_packets',`
+ gen_require(`
+ type pingd_client_packet_t;
+ ')
+
+ dontaudit $1 pingd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pingd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pingd_client_packets',`
+ corenet_send_pingd_client_packets($1)
+ corenet_receive_pingd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pingd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pingd_client_packets',`
+ corenet_dontaudit_send_pingd_client_packets($1)
+ corenet_dontaudit_receive_pingd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pingd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pingd_client_packets',`
+ gen_require(`
+ type pingd_client_packet_t;
+ ')
+
+ allow $1 pingd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send pingd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pingd_server_packets',`
+ gen_require(`
+ type pingd_server_packet_t;
+ ')
+
+ allow $1 pingd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pingd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pingd_server_packets',`
+ gen_require(`
+ type pingd_server_packet_t;
+ ')
+
+ dontaudit $1 pingd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pingd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pingd_server_packets',`
+ gen_require(`
+ type pingd_server_packet_t;
+ ')
+
+ allow $1 pingd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pingd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pingd_server_packets',`
+ gen_require(`
+ type pingd_server_packet_t;
+ ')
+
+ dontaudit $1 pingd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pingd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pingd_server_packets',`
+ corenet_send_pingd_server_packets($1)
+ corenet_receive_pingd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pingd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pingd_server_packets',`
+ corenet_dontaudit_send_pingd_server_packets($1)
+ corenet_dontaudit_receive_pingd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pingd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pingd_server_packets',`
+ gen_require(`
+ type pingd_server_packet_t;
+ ')
+
+ allow $1 pingd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the pop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_pop_port',`
+ gen_require(`
+ type pop_port_t;
+ ')
+
+ allow $1 pop_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the pop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_pop_port',`
+ gen_require(`
+ type pop_port_t;
+ ')
+
+ allow $1 pop_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the pop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_pop_port',`
+ gen_require(`
+ type pop_port_t;
+ ')
+
+ dontaudit $1 pop_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the pop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_pop_port',`
+ gen_require(`
+ type pop_port_t;
+ ')
+
+ allow $1 pop_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the pop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_pop_port',`
+ gen_require(`
+ type pop_port_t;
+ ')
+
+ dontaudit $1 pop_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the pop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_pop_port',`
+ corenet_udp_send_pop_port($1)
+ corenet_udp_receive_pop_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the pop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_pop_port',`
+ corenet_dontaudit_udp_send_pop_port($1)
+ corenet_dontaudit_udp_receive_pop_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the pop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_pop_port',`
+ gen_require(`
+ type pop_port_t;
+ ')
+
+ allow $1 pop_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the pop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_pop_port',`
+ gen_require(`
+ type pop_port_t;
+ ')
+
+ allow $1 pop_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the pop port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_pop_port',`
+ gen_require(`
+ type pop_port_t;
+ ')
+
+ allow $1 pop_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send pop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pop_client_packets',`
+ gen_require(`
+ type pop_client_packet_t;
+ ')
+
+ allow $1 pop_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pop_client_packets',`
+ gen_require(`
+ type pop_client_packet_t;
+ ')
+
+ dontaudit $1 pop_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pop_client_packets',`
+ gen_require(`
+ type pop_client_packet_t;
+ ')
+
+ allow $1 pop_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pop_client_packets',`
+ gen_require(`
+ type pop_client_packet_t;
+ ')
+
+ dontaudit $1 pop_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pop_client_packets',`
+ corenet_send_pop_client_packets($1)
+ corenet_receive_pop_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pop_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pop_client_packets',`
+ corenet_dontaudit_send_pop_client_packets($1)
+ corenet_dontaudit_receive_pop_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pop_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pop_client_packets',`
+ gen_require(`
+ type pop_client_packet_t;
+ ')
+
+ allow $1 pop_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send pop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pop_server_packets',`
+ gen_require(`
+ type pop_server_packet_t;
+ ')
+
+ allow $1 pop_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pop_server_packets',`
+ gen_require(`
+ type pop_server_packet_t;
+ ')
+
+ dontaudit $1 pop_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pop_server_packets',`
+ gen_require(`
+ type pop_server_packet_t;
+ ')
+
+ allow $1 pop_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pop_server_packets',`
+ gen_require(`
+ type pop_server_packet_t;
+ ')
+
+ dontaudit $1 pop_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pop_server_packets',`
+ corenet_send_pop_server_packets($1)
+ corenet_receive_pop_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pop_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pop_server_packets',`
+ corenet_dontaudit_send_pop_server_packets($1)
+ corenet_dontaudit_receive_pop_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pop_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pop_server_packets',`
+ gen_require(`
+ type pop_server_packet_t;
+ ')
+
+ allow $1 pop_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the portmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_portmap_port',`
+ gen_require(`
+ type portmap_port_t;
+ ')
+
+ allow $1 portmap_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the portmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_portmap_port',`
+ gen_require(`
+ type portmap_port_t;
+ ')
+
+ allow $1 portmap_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the portmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_portmap_port',`
+ gen_require(`
+ type portmap_port_t;
+ ')
+
+ dontaudit $1 portmap_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the portmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_portmap_port',`
+ gen_require(`
+ type portmap_port_t;
+ ')
+
+ allow $1 portmap_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the portmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_portmap_port',`
+ gen_require(`
+ type portmap_port_t;
+ ')
+
+ dontaudit $1 portmap_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the portmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_portmap_port',`
+ corenet_udp_send_portmap_port($1)
+ corenet_udp_receive_portmap_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the portmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_portmap_port',`
+ corenet_dontaudit_udp_send_portmap_port($1)
+ corenet_dontaudit_udp_receive_portmap_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the portmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_portmap_port',`
+ gen_require(`
+ type portmap_port_t;
+ ')
+
+ allow $1 portmap_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the portmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_portmap_port',`
+ gen_require(`
+ type portmap_port_t;
+ ')
+
+ allow $1 portmap_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the portmap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_portmap_port',`
+ gen_require(`
+ type portmap_port_t;
+ ')
+
+ allow $1 portmap_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send portmap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_portmap_client_packets',`
+ gen_require(`
+ type portmap_client_packet_t;
+ ')
+
+ allow $1 portmap_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send portmap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_portmap_client_packets',`
+ gen_require(`
+ type portmap_client_packet_t;
+ ')
+
+ dontaudit $1 portmap_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive portmap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_portmap_client_packets',`
+ gen_require(`
+ type portmap_client_packet_t;
+ ')
+
+ allow $1 portmap_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive portmap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_portmap_client_packets',`
+ gen_require(`
+ type portmap_client_packet_t;
+ ')
+
+ dontaudit $1 portmap_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive portmap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_portmap_client_packets',`
+ corenet_send_portmap_client_packets($1)
+ corenet_receive_portmap_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive portmap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_portmap_client_packets',`
+ corenet_dontaudit_send_portmap_client_packets($1)
+ corenet_dontaudit_receive_portmap_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to portmap_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_portmap_client_packets',`
+ gen_require(`
+ type portmap_client_packet_t;
+ ')
+
+ allow $1 portmap_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send portmap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_portmap_server_packets',`
+ gen_require(`
+ type portmap_server_packet_t;
+ ')
+
+ allow $1 portmap_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send portmap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_portmap_server_packets',`
+ gen_require(`
+ type portmap_server_packet_t;
+ ')
+
+ dontaudit $1 portmap_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive portmap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_portmap_server_packets',`
+ gen_require(`
+ type portmap_server_packet_t;
+ ')
+
+ allow $1 portmap_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive portmap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_portmap_server_packets',`
+ gen_require(`
+ type portmap_server_packet_t;
+ ')
+
+ dontaudit $1 portmap_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive portmap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_portmap_server_packets',`
+ corenet_send_portmap_server_packets($1)
+ corenet_receive_portmap_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive portmap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_portmap_server_packets',`
+ corenet_dontaudit_send_portmap_server_packets($1)
+ corenet_dontaudit_receive_portmap_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to portmap_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_portmap_server_packets',`
+ gen_require(`
+ type portmap_server_packet_t;
+ ')
+
+ allow $1 portmap_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the postfix_policyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_postfix_policyd_port',`
+ gen_require(`
+ type postfix_policyd_port_t;
+ ')
+
+ allow $1 postfix_policyd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the postfix_policyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_postfix_policyd_port',`
+ gen_require(`
+ type postfix_policyd_port_t;
+ ')
+
+ allow $1 postfix_policyd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the postfix_policyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_postfix_policyd_port',`
+ gen_require(`
+ type postfix_policyd_port_t;
+ ')
+
+ dontaudit $1 postfix_policyd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the postfix_policyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_postfix_policyd_port',`
+ gen_require(`
+ type postfix_policyd_port_t;
+ ')
+
+ allow $1 postfix_policyd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the postfix_policyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_postfix_policyd_port',`
+ gen_require(`
+ type postfix_policyd_port_t;
+ ')
+
+ dontaudit $1 postfix_policyd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the postfix_policyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_postfix_policyd_port',`
+ corenet_udp_send_postfix_policyd_port($1)
+ corenet_udp_receive_postfix_policyd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the postfix_policyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_postfix_policyd_port',`
+ corenet_dontaudit_udp_send_postfix_policyd_port($1)
+ corenet_dontaudit_udp_receive_postfix_policyd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the postfix_policyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_postfix_policyd_port',`
+ gen_require(`
+ type postfix_policyd_port_t;
+ ')
+
+ allow $1 postfix_policyd_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the postfix_policyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_postfix_policyd_port',`
+ gen_require(`
+ type postfix_policyd_port_t;
+ ')
+
+ allow $1 postfix_policyd_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the postfix_policyd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_postfix_policyd_port',`
+ gen_require(`
+ type postfix_policyd_port_t;
+ ')
+
+ allow $1 postfix_policyd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send postfix_policyd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_postfix_policyd_client_packets',`
+ gen_require(`
+ type postfix_policyd_client_packet_t;
+ ')
+
+ allow $1 postfix_policyd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send postfix_policyd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_postfix_policyd_client_packets',`
+ gen_require(`
+ type postfix_policyd_client_packet_t;
+ ')
+
+ dontaudit $1 postfix_policyd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive postfix_policyd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_postfix_policyd_client_packets',`
+ gen_require(`
+ type postfix_policyd_client_packet_t;
+ ')
+
+ allow $1 postfix_policyd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive postfix_policyd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_postfix_policyd_client_packets',`
+ gen_require(`
+ type postfix_policyd_client_packet_t;
+ ')
+
+ dontaudit $1 postfix_policyd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive postfix_policyd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_postfix_policyd_client_packets',`
+ corenet_send_postfix_policyd_client_packets($1)
+ corenet_receive_postfix_policyd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive postfix_policyd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_postfix_policyd_client_packets',`
+ corenet_dontaudit_send_postfix_policyd_client_packets($1)
+ corenet_dontaudit_receive_postfix_policyd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to postfix_policyd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_postfix_policyd_client_packets',`
+ gen_require(`
+ type postfix_policyd_client_packet_t;
+ ')
+
+ allow $1 postfix_policyd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send postfix_policyd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_postfix_policyd_server_packets',`
+ gen_require(`
+ type postfix_policyd_server_packet_t;
+ ')
+
+ allow $1 postfix_policyd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send postfix_policyd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_postfix_policyd_server_packets',`
+ gen_require(`
+ type postfix_policyd_server_packet_t;
+ ')
+
+ dontaudit $1 postfix_policyd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive postfix_policyd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_postfix_policyd_server_packets',`
+ gen_require(`
+ type postfix_policyd_server_packet_t;
+ ')
+
+ allow $1 postfix_policyd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive postfix_policyd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_postfix_policyd_server_packets',`
+ gen_require(`
+ type postfix_policyd_server_packet_t;
+ ')
+
+ dontaudit $1 postfix_policyd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive postfix_policyd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_postfix_policyd_server_packets',`
+ corenet_send_postfix_policyd_server_packets($1)
+ corenet_receive_postfix_policyd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive postfix_policyd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_postfix_policyd_server_packets',`
+ corenet_dontaudit_send_postfix_policyd_server_packets($1)
+ corenet_dontaudit_receive_postfix_policyd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to postfix_policyd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_postfix_policyd_server_packets',`
+ gen_require(`
+ type postfix_policyd_server_packet_t;
+ ')
+
+ allow $1 postfix_policyd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the postgresql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_postgresql_port',`
+ gen_require(`
+ type postgresql_port_t;
+ ')
+
+ allow $1 postgresql_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the postgresql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_postgresql_port',`
+ gen_require(`
+ type postgresql_port_t;
+ ')
+
+ allow $1 postgresql_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the postgresql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_postgresql_port',`
+ gen_require(`
+ type postgresql_port_t;
+ ')
+
+ dontaudit $1 postgresql_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the postgresql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_postgresql_port',`
+ gen_require(`
+ type postgresql_port_t;
+ ')
+
+ allow $1 postgresql_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the postgresql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_postgresql_port',`
+ gen_require(`
+ type postgresql_port_t;
+ ')
+
+ dontaudit $1 postgresql_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the postgresql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_postgresql_port',`
+ corenet_udp_send_postgresql_port($1)
+ corenet_udp_receive_postgresql_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the postgresql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_postgresql_port',`
+ corenet_dontaudit_udp_send_postgresql_port($1)
+ corenet_dontaudit_udp_receive_postgresql_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the postgresql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_postgresql_port',`
+ gen_require(`
+ type postgresql_port_t;
+ ')
+
+ allow $1 postgresql_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the postgresql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_postgresql_port',`
+ gen_require(`
+ type postgresql_port_t;
+ ')
+
+ allow $1 postgresql_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the postgresql port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_postgresql_port',`
+ gen_require(`
+ type postgresql_port_t;
+ ')
+
+ allow $1 postgresql_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send postgresql_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_postgresql_client_packets',`
+ gen_require(`
+ type postgresql_client_packet_t;
+ ')
+
+ allow $1 postgresql_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send postgresql_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_postgresql_client_packets',`
+ gen_require(`
+ type postgresql_client_packet_t;
+ ')
+
+ dontaudit $1 postgresql_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive postgresql_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_postgresql_client_packets',`
+ gen_require(`
+ type postgresql_client_packet_t;
+ ')
+
+ allow $1 postgresql_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive postgresql_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_postgresql_client_packets',`
+ gen_require(`
+ type postgresql_client_packet_t;
+ ')
+
+ dontaudit $1 postgresql_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive postgresql_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_postgresql_client_packets',`
+ corenet_send_postgresql_client_packets($1)
+ corenet_receive_postgresql_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive postgresql_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_postgresql_client_packets',`
+ corenet_dontaudit_send_postgresql_client_packets($1)
+ corenet_dontaudit_receive_postgresql_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to postgresql_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_postgresql_client_packets',`
+ gen_require(`
+ type postgresql_client_packet_t;
+ ')
+
+ allow $1 postgresql_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send postgresql_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_postgresql_server_packets',`
+ gen_require(`
+ type postgresql_server_packet_t;
+ ')
+
+ allow $1 postgresql_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send postgresql_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_postgresql_server_packets',`
+ gen_require(`
+ type postgresql_server_packet_t;
+ ')
+
+ dontaudit $1 postgresql_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive postgresql_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_postgresql_server_packets',`
+ gen_require(`
+ type postgresql_server_packet_t;
+ ')
+
+ allow $1 postgresql_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive postgresql_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_postgresql_server_packets',`
+ gen_require(`
+ type postgresql_server_packet_t;
+ ')
+
+ dontaudit $1 postgresql_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive postgresql_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_postgresql_server_packets',`
+ corenet_send_postgresql_server_packets($1)
+ corenet_receive_postgresql_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive postgresql_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_postgresql_server_packets',`
+ corenet_dontaudit_send_postgresql_server_packets($1)
+ corenet_dontaudit_receive_postgresql_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to postgresql_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_postgresql_server_packets',`
+ gen_require(`
+ type postgresql_server_packet_t;
+ ')
+
+ allow $1 postgresql_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the postgrey port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_postgrey_port',`
+ gen_require(`
+ type postgrey_port_t;
+ ')
+
+ allow $1 postgrey_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the postgrey port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_postgrey_port',`
+ gen_require(`
+ type postgrey_port_t;
+ ')
+
+ allow $1 postgrey_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the postgrey port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_postgrey_port',`
+ gen_require(`
+ type postgrey_port_t;
+ ')
+
+ dontaudit $1 postgrey_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the postgrey port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_postgrey_port',`
+ gen_require(`
+ type postgrey_port_t;
+ ')
+
+ allow $1 postgrey_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the postgrey port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_postgrey_port',`
+ gen_require(`
+ type postgrey_port_t;
+ ')
+
+ dontaudit $1 postgrey_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the postgrey port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_postgrey_port',`
+ corenet_udp_send_postgrey_port($1)
+ corenet_udp_receive_postgrey_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the postgrey port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_postgrey_port',`
+ corenet_dontaudit_udp_send_postgrey_port($1)
+ corenet_dontaudit_udp_receive_postgrey_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the postgrey port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_postgrey_port',`
+ gen_require(`
+ type postgrey_port_t;
+ ')
+
+ allow $1 postgrey_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the postgrey port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_postgrey_port',`
+ gen_require(`
+ type postgrey_port_t;
+ ')
+
+ allow $1 postgrey_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the postgrey port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_postgrey_port',`
+ gen_require(`
+ type postgrey_port_t;
+ ')
+
+ allow $1 postgrey_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send postgrey_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_postgrey_client_packets',`
+ gen_require(`
+ type postgrey_client_packet_t;
+ ')
+
+ allow $1 postgrey_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send postgrey_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_postgrey_client_packets',`
+ gen_require(`
+ type postgrey_client_packet_t;
+ ')
+
+ dontaudit $1 postgrey_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive postgrey_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_postgrey_client_packets',`
+ gen_require(`
+ type postgrey_client_packet_t;
+ ')
+
+ allow $1 postgrey_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive postgrey_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_postgrey_client_packets',`
+ gen_require(`
+ type postgrey_client_packet_t;
+ ')
+
+ dontaudit $1 postgrey_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive postgrey_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_postgrey_client_packets',`
+ corenet_send_postgrey_client_packets($1)
+ corenet_receive_postgrey_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive postgrey_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_postgrey_client_packets',`
+ corenet_dontaudit_send_postgrey_client_packets($1)
+ corenet_dontaudit_receive_postgrey_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to postgrey_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_postgrey_client_packets',`
+ gen_require(`
+ type postgrey_client_packet_t;
+ ')
+
+ allow $1 postgrey_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send postgrey_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_postgrey_server_packets',`
+ gen_require(`
+ type postgrey_server_packet_t;
+ ')
+
+ allow $1 postgrey_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send postgrey_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_postgrey_server_packets',`
+ gen_require(`
+ type postgrey_server_packet_t;
+ ')
+
+ dontaudit $1 postgrey_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive postgrey_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_postgrey_server_packets',`
+ gen_require(`
+ type postgrey_server_packet_t;
+ ')
+
+ allow $1 postgrey_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive postgrey_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_postgrey_server_packets',`
+ gen_require(`
+ type postgrey_server_packet_t;
+ ')
+
+ dontaudit $1 postgrey_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive postgrey_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_postgrey_server_packets',`
+ corenet_send_postgrey_server_packets($1)
+ corenet_receive_postgrey_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive postgrey_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_postgrey_server_packets',`
+ corenet_dontaudit_send_postgrey_server_packets($1)
+ corenet_dontaudit_receive_postgrey_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to postgrey_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_postgrey_server_packets',`
+ gen_require(`
+ type postgrey_server_packet_t;
+ ')
+
+ allow $1 postgrey_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the prelude port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_prelude_port',`
+ gen_require(`
+ type prelude_port_t;
+ ')
+
+ allow $1 prelude_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the prelude port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_prelude_port',`
+ gen_require(`
+ type prelude_port_t;
+ ')
+
+ allow $1 prelude_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the prelude port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_prelude_port',`
+ gen_require(`
+ type prelude_port_t;
+ ')
+
+ dontaudit $1 prelude_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the prelude port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_prelude_port',`
+ gen_require(`
+ type prelude_port_t;
+ ')
+
+ allow $1 prelude_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the prelude port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_prelude_port',`
+ gen_require(`
+ type prelude_port_t;
+ ')
+
+ dontaudit $1 prelude_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the prelude port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_prelude_port',`
+ corenet_udp_send_prelude_port($1)
+ corenet_udp_receive_prelude_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the prelude port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_prelude_port',`
+ corenet_dontaudit_udp_send_prelude_port($1)
+ corenet_dontaudit_udp_receive_prelude_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the prelude port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_prelude_port',`
+ gen_require(`
+ type prelude_port_t;
+ ')
+
+ allow $1 prelude_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the prelude port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_prelude_port',`
+ gen_require(`
+ type prelude_port_t;
+ ')
+
+ allow $1 prelude_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the prelude port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_prelude_port',`
+ gen_require(`
+ type prelude_port_t;
+ ')
+
+ allow $1 prelude_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send prelude_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_prelude_client_packets',`
+ gen_require(`
+ type prelude_client_packet_t;
+ ')
+
+ allow $1 prelude_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send prelude_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_prelude_client_packets',`
+ gen_require(`
+ type prelude_client_packet_t;
+ ')
+
+ dontaudit $1 prelude_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive prelude_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_prelude_client_packets',`
+ gen_require(`
+ type prelude_client_packet_t;
+ ')
+
+ allow $1 prelude_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive prelude_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_prelude_client_packets',`
+ gen_require(`
+ type prelude_client_packet_t;
+ ')
+
+ dontaudit $1 prelude_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive prelude_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_prelude_client_packets',`
+ corenet_send_prelude_client_packets($1)
+ corenet_receive_prelude_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive prelude_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_prelude_client_packets',`
+ corenet_dontaudit_send_prelude_client_packets($1)
+ corenet_dontaudit_receive_prelude_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to prelude_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_prelude_client_packets',`
+ gen_require(`
+ type prelude_client_packet_t;
+ ')
+
+ allow $1 prelude_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send prelude_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_prelude_server_packets',`
+ gen_require(`
+ type prelude_server_packet_t;
+ ')
+
+ allow $1 prelude_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send prelude_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_prelude_server_packets',`
+ gen_require(`
+ type prelude_server_packet_t;
+ ')
+
+ dontaudit $1 prelude_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive prelude_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_prelude_server_packets',`
+ gen_require(`
+ type prelude_server_packet_t;
+ ')
+
+ allow $1 prelude_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive prelude_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_prelude_server_packets',`
+ gen_require(`
+ type prelude_server_packet_t;
+ ')
+
+ dontaudit $1 prelude_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive prelude_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_prelude_server_packets',`
+ corenet_send_prelude_server_packets($1)
+ corenet_receive_prelude_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive prelude_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_prelude_server_packets',`
+ corenet_dontaudit_send_prelude_server_packets($1)
+ corenet_dontaudit_receive_prelude_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to prelude_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_prelude_server_packets',`
+ gen_require(`
+ type prelude_server_packet_t;
+ ')
+
+ allow $1 prelude_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the presence port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_presence_port',`
+ gen_require(`
+ type presence_port_t;
+ ')
+
+ allow $1 presence_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the presence port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_presence_port',`
+ gen_require(`
+ type presence_port_t;
+ ')
+
+ allow $1 presence_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the presence port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_presence_port',`
+ gen_require(`
+ type presence_port_t;
+ ')
+
+ dontaudit $1 presence_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the presence port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_presence_port',`
+ gen_require(`
+ type presence_port_t;
+ ')
+
+ allow $1 presence_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the presence port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_presence_port',`
+ gen_require(`
+ type presence_port_t;
+ ')
+
+ dontaudit $1 presence_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the presence port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_presence_port',`
+ corenet_udp_send_presence_port($1)
+ corenet_udp_receive_presence_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the presence port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_presence_port',`
+ corenet_dontaudit_udp_send_presence_port($1)
+ corenet_dontaudit_udp_receive_presence_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the presence port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_presence_port',`
+ gen_require(`
+ type presence_port_t;
+ ')
+
+ allow $1 presence_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the presence port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_presence_port',`
+ gen_require(`
+ type presence_port_t;
+ ')
+
+ allow $1 presence_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the presence port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_presence_port',`
+ gen_require(`
+ type presence_port_t;
+ ')
+
+ allow $1 presence_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send presence_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_presence_client_packets',`
+ gen_require(`
+ type presence_client_packet_t;
+ ')
+
+ allow $1 presence_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send presence_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_presence_client_packets',`
+ gen_require(`
+ type presence_client_packet_t;
+ ')
+
+ dontaudit $1 presence_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive presence_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_presence_client_packets',`
+ gen_require(`
+ type presence_client_packet_t;
+ ')
+
+ allow $1 presence_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive presence_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_presence_client_packets',`
+ gen_require(`
+ type presence_client_packet_t;
+ ')
+
+ dontaudit $1 presence_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive presence_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_presence_client_packets',`
+ corenet_send_presence_client_packets($1)
+ corenet_receive_presence_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive presence_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_presence_client_packets',`
+ corenet_dontaudit_send_presence_client_packets($1)
+ corenet_dontaudit_receive_presence_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to presence_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_presence_client_packets',`
+ gen_require(`
+ type presence_client_packet_t;
+ ')
+
+ allow $1 presence_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send presence_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_presence_server_packets',`
+ gen_require(`
+ type presence_server_packet_t;
+ ')
+
+ allow $1 presence_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send presence_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_presence_server_packets',`
+ gen_require(`
+ type presence_server_packet_t;
+ ')
+
+ dontaudit $1 presence_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive presence_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_presence_server_packets',`
+ gen_require(`
+ type presence_server_packet_t;
+ ')
+
+ allow $1 presence_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive presence_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_presence_server_packets',`
+ gen_require(`
+ type presence_server_packet_t;
+ ')
+
+ dontaudit $1 presence_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive presence_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_presence_server_packets',`
+ corenet_send_presence_server_packets($1)
+ corenet_receive_presence_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive presence_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_presence_server_packets',`
+ corenet_dontaudit_send_presence_server_packets($1)
+ corenet_dontaudit_receive_presence_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to presence_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_presence_server_packets',`
+ gen_require(`
+ type presence_server_packet_t;
+ ')
+
+ allow $1 presence_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the printer port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_printer_port',`
+ gen_require(`
+ type printer_port_t;
+ ')
+
+ allow $1 printer_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the printer port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_printer_port',`
+ gen_require(`
+ type printer_port_t;
+ ')
+
+ allow $1 printer_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the printer port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_printer_port',`
+ gen_require(`
+ type printer_port_t;
+ ')
+
+ dontaudit $1 printer_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the printer port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_printer_port',`
+ gen_require(`
+ type printer_port_t;
+ ')
+
+ allow $1 printer_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the printer port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_printer_port',`
+ gen_require(`
+ type printer_port_t;
+ ')
+
+ dontaudit $1 printer_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the printer port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_printer_port',`
+ corenet_udp_send_printer_port($1)
+ corenet_udp_receive_printer_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the printer port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_printer_port',`
+ corenet_dontaudit_udp_send_printer_port($1)
+ corenet_dontaudit_udp_receive_printer_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the printer port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_printer_port',`
+ gen_require(`
+ type printer_port_t;
+ ')
+
+ allow $1 printer_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the printer port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_printer_port',`
+ gen_require(`
+ type printer_port_t;
+ ')
+
+ allow $1 printer_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the printer port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_printer_port',`
+ gen_require(`
+ type printer_port_t;
+ ')
+
+ allow $1 printer_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send printer_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_printer_client_packets',`
+ gen_require(`
+ type printer_client_packet_t;
+ ')
+
+ allow $1 printer_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send printer_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_printer_client_packets',`
+ gen_require(`
+ type printer_client_packet_t;
+ ')
+
+ dontaudit $1 printer_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive printer_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_printer_client_packets',`
+ gen_require(`
+ type printer_client_packet_t;
+ ')
+
+ allow $1 printer_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive printer_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_printer_client_packets',`
+ gen_require(`
+ type printer_client_packet_t;
+ ')
+
+ dontaudit $1 printer_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive printer_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_printer_client_packets',`
+ corenet_send_printer_client_packets($1)
+ corenet_receive_printer_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive printer_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_printer_client_packets',`
+ corenet_dontaudit_send_printer_client_packets($1)
+ corenet_dontaudit_receive_printer_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to printer_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_printer_client_packets',`
+ gen_require(`
+ type printer_client_packet_t;
+ ')
+
+ allow $1 printer_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send printer_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_printer_server_packets',`
+ gen_require(`
+ type printer_server_packet_t;
+ ')
+
+ allow $1 printer_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send printer_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_printer_server_packets',`
+ gen_require(`
+ type printer_server_packet_t;
+ ')
+
+ dontaudit $1 printer_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive printer_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_printer_server_packets',`
+ gen_require(`
+ type printer_server_packet_t;
+ ')
+
+ allow $1 printer_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive printer_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_printer_server_packets',`
+ gen_require(`
+ type printer_server_packet_t;
+ ')
+
+ dontaudit $1 printer_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive printer_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_printer_server_packets',`
+ corenet_send_printer_server_packets($1)
+ corenet_receive_printer_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive printer_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_printer_server_packets',`
+ corenet_dontaudit_send_printer_server_packets($1)
+ corenet_dontaudit_receive_printer_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to printer_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_printer_server_packets',`
+ gen_require(`
+ type printer_server_packet_t;
+ ')
+
+ allow $1 printer_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ptal port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ptal_port',`
+ gen_require(`
+ type ptal_port_t;
+ ')
+
+ allow $1 ptal_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ptal port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ptal_port',`
+ gen_require(`
+ type ptal_port_t;
+ ')
+
+ allow $1 ptal_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ptal port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ptal_port',`
+ gen_require(`
+ type ptal_port_t;
+ ')
+
+ dontaudit $1 ptal_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ptal port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ptal_port',`
+ gen_require(`
+ type ptal_port_t;
+ ')
+
+ allow $1 ptal_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ptal port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ptal_port',`
+ gen_require(`
+ type ptal_port_t;
+ ')
+
+ dontaudit $1 ptal_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ptal port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ptal_port',`
+ corenet_udp_send_ptal_port($1)
+ corenet_udp_receive_ptal_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ptal port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ptal_port',`
+ corenet_dontaudit_udp_send_ptal_port($1)
+ corenet_dontaudit_udp_receive_ptal_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ptal port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ptal_port',`
+ gen_require(`
+ type ptal_port_t;
+ ')
+
+ allow $1 ptal_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ptal port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ptal_port',`
+ gen_require(`
+ type ptal_port_t;
+ ')
+
+ allow $1 ptal_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ptal port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ptal_port',`
+ gen_require(`
+ type ptal_port_t;
+ ')
+
+ allow $1 ptal_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ptal_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ptal_client_packets',`
+ gen_require(`
+ type ptal_client_packet_t;
+ ')
+
+ allow $1 ptal_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ptal_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ptal_client_packets',`
+ gen_require(`
+ type ptal_client_packet_t;
+ ')
+
+ dontaudit $1 ptal_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ptal_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ptal_client_packets',`
+ gen_require(`
+ type ptal_client_packet_t;
+ ')
+
+ allow $1 ptal_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ptal_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ptal_client_packets',`
+ gen_require(`
+ type ptal_client_packet_t;
+ ')
+
+ dontaudit $1 ptal_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ptal_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ptal_client_packets',`
+ corenet_send_ptal_client_packets($1)
+ corenet_receive_ptal_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ptal_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ptal_client_packets',`
+ corenet_dontaudit_send_ptal_client_packets($1)
+ corenet_dontaudit_receive_ptal_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ptal_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ptal_client_packets',`
+ gen_require(`
+ type ptal_client_packet_t;
+ ')
+
+ allow $1 ptal_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ptal_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ptal_server_packets',`
+ gen_require(`
+ type ptal_server_packet_t;
+ ')
+
+ allow $1 ptal_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ptal_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ptal_server_packets',`
+ gen_require(`
+ type ptal_server_packet_t;
+ ')
+
+ dontaudit $1 ptal_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ptal_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ptal_server_packets',`
+ gen_require(`
+ type ptal_server_packet_t;
+ ')
+
+ allow $1 ptal_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ptal_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ptal_server_packets',`
+ gen_require(`
+ type ptal_server_packet_t;
+ ')
+
+ dontaudit $1 ptal_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ptal_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ptal_server_packets',`
+ corenet_send_ptal_server_packets($1)
+ corenet_receive_ptal_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ptal_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ptal_server_packets',`
+ corenet_dontaudit_send_ptal_server_packets($1)
+ corenet_dontaudit_receive_ptal_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ptal_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ptal_server_packets',`
+ gen_require(`
+ type ptal_server_packet_t;
+ ')
+
+ allow $1 ptal_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the pulseaudio port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_pulseaudio_port',`
+ gen_require(`
+ type pulseaudio_port_t;
+ ')
+
+ allow $1 pulseaudio_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the pulseaudio port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_pulseaudio_port',`
+ gen_require(`
+ type pulseaudio_port_t;
+ ')
+
+ allow $1 pulseaudio_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the pulseaudio port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_pulseaudio_port',`
+ gen_require(`
+ type pulseaudio_port_t;
+ ')
+
+ dontaudit $1 pulseaudio_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the pulseaudio port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_pulseaudio_port',`
+ gen_require(`
+ type pulseaudio_port_t;
+ ')
+
+ allow $1 pulseaudio_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the pulseaudio port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_pulseaudio_port',`
+ gen_require(`
+ type pulseaudio_port_t;
+ ')
+
+ dontaudit $1 pulseaudio_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the pulseaudio port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_pulseaudio_port',`
+ corenet_udp_send_pulseaudio_port($1)
+ corenet_udp_receive_pulseaudio_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the pulseaudio port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_pulseaudio_port',`
+ corenet_dontaudit_udp_send_pulseaudio_port($1)
+ corenet_dontaudit_udp_receive_pulseaudio_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the pulseaudio port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_pulseaudio_port',`
+ gen_require(`
+ type pulseaudio_port_t;
+ ')
+
+ allow $1 pulseaudio_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the pulseaudio port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_pulseaudio_port',`
+ gen_require(`
+ type pulseaudio_port_t;
+ ')
+
+ allow $1 pulseaudio_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the pulseaudio port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_pulseaudio_port',`
+ gen_require(`
+ type pulseaudio_port_t;
+ ')
+
+ allow $1 pulseaudio_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send pulseaudio_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pulseaudio_client_packets',`
+ gen_require(`
+ type pulseaudio_client_packet_t;
+ ')
+
+ allow $1 pulseaudio_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pulseaudio_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pulseaudio_client_packets',`
+ gen_require(`
+ type pulseaudio_client_packet_t;
+ ')
+
+ dontaudit $1 pulseaudio_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pulseaudio_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pulseaudio_client_packets',`
+ gen_require(`
+ type pulseaudio_client_packet_t;
+ ')
+
+ allow $1 pulseaudio_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pulseaudio_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pulseaudio_client_packets',`
+ gen_require(`
+ type pulseaudio_client_packet_t;
+ ')
+
+ dontaudit $1 pulseaudio_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pulseaudio_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pulseaudio_client_packets',`
+ corenet_send_pulseaudio_client_packets($1)
+ corenet_receive_pulseaudio_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pulseaudio_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pulseaudio_client_packets',`
+ corenet_dontaudit_send_pulseaudio_client_packets($1)
+ corenet_dontaudit_receive_pulseaudio_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pulseaudio_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pulseaudio_client_packets',`
+ gen_require(`
+ type pulseaudio_client_packet_t;
+ ')
+
+ allow $1 pulseaudio_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send pulseaudio_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pulseaudio_server_packets',`
+ gen_require(`
+ type pulseaudio_server_packet_t;
+ ')
+
+ allow $1 pulseaudio_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pulseaudio_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pulseaudio_server_packets',`
+ gen_require(`
+ type pulseaudio_server_packet_t;
+ ')
+
+ dontaudit $1 pulseaudio_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pulseaudio_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pulseaudio_server_packets',`
+ gen_require(`
+ type pulseaudio_server_packet_t;
+ ')
+
+ allow $1 pulseaudio_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pulseaudio_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pulseaudio_server_packets',`
+ gen_require(`
+ type pulseaudio_server_packet_t;
+ ')
+
+ dontaudit $1 pulseaudio_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pulseaudio_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pulseaudio_server_packets',`
+ corenet_send_pulseaudio_server_packets($1)
+ corenet_receive_pulseaudio_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pulseaudio_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pulseaudio_server_packets',`
+ corenet_dontaudit_send_pulseaudio_server_packets($1)
+ corenet_dontaudit_receive_pulseaudio_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pulseaudio_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pulseaudio_server_packets',`
+ gen_require(`
+ type pulseaudio_server_packet_t;
+ ')
+
+ allow $1 pulseaudio_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the puppet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_puppet_port',`
+ gen_require(`
+ type puppet_port_t;
+ ')
+
+ allow $1 puppet_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the puppet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_puppet_port',`
+ gen_require(`
+ type puppet_port_t;
+ ')
+
+ allow $1 puppet_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the puppet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_puppet_port',`
+ gen_require(`
+ type puppet_port_t;
+ ')
+
+ dontaudit $1 puppet_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the puppet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_puppet_port',`
+ gen_require(`
+ type puppet_port_t;
+ ')
+
+ allow $1 puppet_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the puppet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_puppet_port',`
+ gen_require(`
+ type puppet_port_t;
+ ')
+
+ dontaudit $1 puppet_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the puppet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_puppet_port',`
+ corenet_udp_send_puppet_port($1)
+ corenet_udp_receive_puppet_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the puppet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_puppet_port',`
+ corenet_dontaudit_udp_send_puppet_port($1)
+ corenet_dontaudit_udp_receive_puppet_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the puppet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_puppet_port',`
+ gen_require(`
+ type puppet_port_t;
+ ')
+
+ allow $1 puppet_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the puppet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_puppet_port',`
+ gen_require(`
+ type puppet_port_t;
+ ')
+
+ allow $1 puppet_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the puppet port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_puppet_port',`
+ gen_require(`
+ type puppet_port_t;
+ ')
+
+ allow $1 puppet_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send puppet_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_puppet_client_packets',`
+ gen_require(`
+ type puppet_client_packet_t;
+ ')
+
+ allow $1 puppet_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send puppet_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_puppet_client_packets',`
+ gen_require(`
+ type puppet_client_packet_t;
+ ')
+
+ dontaudit $1 puppet_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive puppet_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_puppet_client_packets',`
+ gen_require(`
+ type puppet_client_packet_t;
+ ')
+
+ allow $1 puppet_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive puppet_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_puppet_client_packets',`
+ gen_require(`
+ type puppet_client_packet_t;
+ ')
+
+ dontaudit $1 puppet_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive puppet_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_puppet_client_packets',`
+ corenet_send_puppet_client_packets($1)
+ corenet_receive_puppet_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive puppet_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_puppet_client_packets',`
+ corenet_dontaudit_send_puppet_client_packets($1)
+ corenet_dontaudit_receive_puppet_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to puppet_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_puppet_client_packets',`
+ gen_require(`
+ type puppet_client_packet_t;
+ ')
+
+ allow $1 puppet_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send puppet_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_puppet_server_packets',`
+ gen_require(`
+ type puppet_server_packet_t;
+ ')
+
+ allow $1 puppet_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send puppet_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_puppet_server_packets',`
+ gen_require(`
+ type puppet_server_packet_t;
+ ')
+
+ dontaudit $1 puppet_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive puppet_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_puppet_server_packets',`
+ gen_require(`
+ type puppet_server_packet_t;
+ ')
+
+ allow $1 puppet_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive puppet_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_puppet_server_packets',`
+ gen_require(`
+ type puppet_server_packet_t;
+ ')
+
+ dontaudit $1 puppet_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive puppet_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_puppet_server_packets',`
+ corenet_send_puppet_server_packets($1)
+ corenet_receive_puppet_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive puppet_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_puppet_server_packets',`
+ corenet_dontaudit_send_puppet_server_packets($1)
+ corenet_dontaudit_receive_puppet_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to puppet_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_puppet_server_packets',`
+ gen_require(`
+ type puppet_server_packet_t;
+ ')
+
+ allow $1 puppet_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the pxe port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_pxe_port',`
+ gen_require(`
+ type pxe_port_t;
+ ')
+
+ allow $1 pxe_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the pxe port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_pxe_port',`
+ gen_require(`
+ type pxe_port_t;
+ ')
+
+ allow $1 pxe_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the pxe port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_pxe_port',`
+ gen_require(`
+ type pxe_port_t;
+ ')
+
+ dontaudit $1 pxe_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the pxe port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_pxe_port',`
+ gen_require(`
+ type pxe_port_t;
+ ')
+
+ allow $1 pxe_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the pxe port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_pxe_port',`
+ gen_require(`
+ type pxe_port_t;
+ ')
+
+ dontaudit $1 pxe_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the pxe port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_pxe_port',`
+ corenet_udp_send_pxe_port($1)
+ corenet_udp_receive_pxe_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the pxe port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_pxe_port',`
+ corenet_dontaudit_udp_send_pxe_port($1)
+ corenet_dontaudit_udp_receive_pxe_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the pxe port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_pxe_port',`
+ gen_require(`
+ type pxe_port_t;
+ ')
+
+ allow $1 pxe_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the pxe port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_pxe_port',`
+ gen_require(`
+ type pxe_port_t;
+ ')
+
+ allow $1 pxe_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the pxe port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_pxe_port',`
+ gen_require(`
+ type pxe_port_t;
+ ')
+
+ allow $1 pxe_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send pxe_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pxe_client_packets',`
+ gen_require(`
+ type pxe_client_packet_t;
+ ')
+
+ allow $1 pxe_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pxe_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pxe_client_packets',`
+ gen_require(`
+ type pxe_client_packet_t;
+ ')
+
+ dontaudit $1 pxe_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pxe_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pxe_client_packets',`
+ gen_require(`
+ type pxe_client_packet_t;
+ ')
+
+ allow $1 pxe_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pxe_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pxe_client_packets',`
+ gen_require(`
+ type pxe_client_packet_t;
+ ')
+
+ dontaudit $1 pxe_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pxe_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pxe_client_packets',`
+ corenet_send_pxe_client_packets($1)
+ corenet_receive_pxe_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pxe_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pxe_client_packets',`
+ corenet_dontaudit_send_pxe_client_packets($1)
+ corenet_dontaudit_receive_pxe_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pxe_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pxe_client_packets',`
+ gen_require(`
+ type pxe_client_packet_t;
+ ')
+
+ allow $1 pxe_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send pxe_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pxe_server_packets',`
+ gen_require(`
+ type pxe_server_packet_t;
+ ')
+
+ allow $1 pxe_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pxe_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pxe_server_packets',`
+ gen_require(`
+ type pxe_server_packet_t;
+ ')
+
+ dontaudit $1 pxe_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pxe_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pxe_server_packets',`
+ gen_require(`
+ type pxe_server_packet_t;
+ ')
+
+ allow $1 pxe_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pxe_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pxe_server_packets',`
+ gen_require(`
+ type pxe_server_packet_t;
+ ')
+
+ dontaudit $1 pxe_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pxe_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pxe_server_packets',`
+ corenet_send_pxe_server_packets($1)
+ corenet_receive_pxe_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pxe_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pxe_server_packets',`
+ corenet_dontaudit_send_pxe_server_packets($1)
+ corenet_dontaudit_receive_pxe_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pxe_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pxe_server_packets',`
+ gen_require(`
+ type pxe_server_packet_t;
+ ')
+
+ allow $1 pxe_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the pyzor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_pyzor_port',`
+ gen_require(`
+ type pyzor_port_t;
+ ')
+
+ allow $1 pyzor_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the pyzor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_pyzor_port',`
+ gen_require(`
+ type pyzor_port_t;
+ ')
+
+ allow $1 pyzor_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the pyzor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_pyzor_port',`
+ gen_require(`
+ type pyzor_port_t;
+ ')
+
+ dontaudit $1 pyzor_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the pyzor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_pyzor_port',`
+ gen_require(`
+ type pyzor_port_t;
+ ')
+
+ allow $1 pyzor_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the pyzor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_pyzor_port',`
+ gen_require(`
+ type pyzor_port_t;
+ ')
+
+ dontaudit $1 pyzor_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the pyzor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_pyzor_port',`
+ corenet_udp_send_pyzor_port($1)
+ corenet_udp_receive_pyzor_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the pyzor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_pyzor_port',`
+ corenet_dontaudit_udp_send_pyzor_port($1)
+ corenet_dontaudit_udp_receive_pyzor_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the pyzor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_pyzor_port',`
+ gen_require(`
+ type pyzor_port_t;
+ ')
+
+ allow $1 pyzor_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the pyzor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_pyzor_port',`
+ gen_require(`
+ type pyzor_port_t;
+ ')
+
+ allow $1 pyzor_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the pyzor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_pyzor_port',`
+ gen_require(`
+ type pyzor_port_t;
+ ')
+
+ allow $1 pyzor_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send pyzor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pyzor_client_packets',`
+ gen_require(`
+ type pyzor_client_packet_t;
+ ')
+
+ allow $1 pyzor_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pyzor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pyzor_client_packets',`
+ gen_require(`
+ type pyzor_client_packet_t;
+ ')
+
+ dontaudit $1 pyzor_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pyzor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pyzor_client_packets',`
+ gen_require(`
+ type pyzor_client_packet_t;
+ ')
+
+ allow $1 pyzor_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pyzor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pyzor_client_packets',`
+ gen_require(`
+ type pyzor_client_packet_t;
+ ')
+
+ dontaudit $1 pyzor_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pyzor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pyzor_client_packets',`
+ corenet_send_pyzor_client_packets($1)
+ corenet_receive_pyzor_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pyzor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pyzor_client_packets',`
+ corenet_dontaudit_send_pyzor_client_packets($1)
+ corenet_dontaudit_receive_pyzor_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pyzor_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pyzor_client_packets',`
+ gen_require(`
+ type pyzor_client_packet_t;
+ ')
+
+ allow $1 pyzor_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send pyzor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_pyzor_server_packets',`
+ gen_require(`
+ type pyzor_server_packet_t;
+ ')
+
+ allow $1 pyzor_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send pyzor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_pyzor_server_packets',`
+ gen_require(`
+ type pyzor_server_packet_t;
+ ')
+
+ dontaudit $1 pyzor_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive pyzor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_pyzor_server_packets',`
+ gen_require(`
+ type pyzor_server_packet_t;
+ ')
+
+ allow $1 pyzor_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive pyzor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_pyzor_server_packets',`
+ gen_require(`
+ type pyzor_server_packet_t;
+ ')
+
+ dontaudit $1 pyzor_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive pyzor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_pyzor_server_packets',`
+ corenet_send_pyzor_server_packets($1)
+ corenet_receive_pyzor_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive pyzor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_pyzor_server_packets',`
+ corenet_dontaudit_send_pyzor_server_packets($1)
+ corenet_dontaudit_receive_pyzor_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to pyzor_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_pyzor_server_packets',`
+ gen_require(`
+ type pyzor_server_packet_t;
+ ')
+
+ allow $1 pyzor_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the radacct port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_radacct_port',`
+ gen_require(`
+ type radacct_port_t;
+ ')
+
+ allow $1 radacct_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the radacct port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_radacct_port',`
+ gen_require(`
+ type radacct_port_t;
+ ')
+
+ allow $1 radacct_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the radacct port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_radacct_port',`
+ gen_require(`
+ type radacct_port_t;
+ ')
+
+ dontaudit $1 radacct_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the radacct port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_radacct_port',`
+ gen_require(`
+ type radacct_port_t;
+ ')
+
+ allow $1 radacct_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the radacct port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_radacct_port',`
+ gen_require(`
+ type radacct_port_t;
+ ')
+
+ dontaudit $1 radacct_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the radacct port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_radacct_port',`
+ corenet_udp_send_radacct_port($1)
+ corenet_udp_receive_radacct_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the radacct port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_radacct_port',`
+ corenet_dontaudit_udp_send_radacct_port($1)
+ corenet_dontaudit_udp_receive_radacct_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the radacct port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_radacct_port',`
+ gen_require(`
+ type radacct_port_t;
+ ')
+
+ allow $1 radacct_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the radacct port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_radacct_port',`
+ gen_require(`
+ type radacct_port_t;
+ ')
+
+ allow $1 radacct_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the radacct port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_radacct_port',`
+ gen_require(`
+ type radacct_port_t;
+ ')
+
+ allow $1 radacct_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send radacct_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_radacct_client_packets',`
+ gen_require(`
+ type radacct_client_packet_t;
+ ')
+
+ allow $1 radacct_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send radacct_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_radacct_client_packets',`
+ gen_require(`
+ type radacct_client_packet_t;
+ ')
+
+ dontaudit $1 radacct_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive radacct_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_radacct_client_packets',`
+ gen_require(`
+ type radacct_client_packet_t;
+ ')
+
+ allow $1 radacct_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive radacct_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_radacct_client_packets',`
+ gen_require(`
+ type radacct_client_packet_t;
+ ')
+
+ dontaudit $1 radacct_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive radacct_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_radacct_client_packets',`
+ corenet_send_radacct_client_packets($1)
+ corenet_receive_radacct_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive radacct_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_radacct_client_packets',`
+ corenet_dontaudit_send_radacct_client_packets($1)
+ corenet_dontaudit_receive_radacct_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to radacct_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_radacct_client_packets',`
+ gen_require(`
+ type radacct_client_packet_t;
+ ')
+
+ allow $1 radacct_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send radacct_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_radacct_server_packets',`
+ gen_require(`
+ type radacct_server_packet_t;
+ ')
+
+ allow $1 radacct_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send radacct_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_radacct_server_packets',`
+ gen_require(`
+ type radacct_server_packet_t;
+ ')
+
+ dontaudit $1 radacct_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive radacct_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_radacct_server_packets',`
+ gen_require(`
+ type radacct_server_packet_t;
+ ')
+
+ allow $1 radacct_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive radacct_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_radacct_server_packets',`
+ gen_require(`
+ type radacct_server_packet_t;
+ ')
+
+ dontaudit $1 radacct_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive radacct_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_radacct_server_packets',`
+ corenet_send_radacct_server_packets($1)
+ corenet_receive_radacct_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive radacct_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_radacct_server_packets',`
+ corenet_dontaudit_send_radacct_server_packets($1)
+ corenet_dontaudit_receive_radacct_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to radacct_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_radacct_server_packets',`
+ gen_require(`
+ type radacct_server_packet_t;
+ ')
+
+ allow $1 radacct_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the radius port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_radius_port',`
+ gen_require(`
+ type radius_port_t;
+ ')
+
+ allow $1 radius_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the radius port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_radius_port',`
+ gen_require(`
+ type radius_port_t;
+ ')
+
+ allow $1 radius_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the radius port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_radius_port',`
+ gen_require(`
+ type radius_port_t;
+ ')
+
+ dontaudit $1 radius_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the radius port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_radius_port',`
+ gen_require(`
+ type radius_port_t;
+ ')
+
+ allow $1 radius_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the radius port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_radius_port',`
+ gen_require(`
+ type radius_port_t;
+ ')
+
+ dontaudit $1 radius_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the radius port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_radius_port',`
+ corenet_udp_send_radius_port($1)
+ corenet_udp_receive_radius_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the radius port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_radius_port',`
+ corenet_dontaudit_udp_send_radius_port($1)
+ corenet_dontaudit_udp_receive_radius_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the radius port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_radius_port',`
+ gen_require(`
+ type radius_port_t;
+ ')
+
+ allow $1 radius_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the radius port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_radius_port',`
+ gen_require(`
+ type radius_port_t;
+ ')
+
+ allow $1 radius_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the radius port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_radius_port',`
+ gen_require(`
+ type radius_port_t;
+ ')
+
+ allow $1 radius_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send radius_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_radius_client_packets',`
+ gen_require(`
+ type radius_client_packet_t;
+ ')
+
+ allow $1 radius_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send radius_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_radius_client_packets',`
+ gen_require(`
+ type radius_client_packet_t;
+ ')
+
+ dontaudit $1 radius_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive radius_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_radius_client_packets',`
+ gen_require(`
+ type radius_client_packet_t;
+ ')
+
+ allow $1 radius_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive radius_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_radius_client_packets',`
+ gen_require(`
+ type radius_client_packet_t;
+ ')
+
+ dontaudit $1 radius_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive radius_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_radius_client_packets',`
+ corenet_send_radius_client_packets($1)
+ corenet_receive_radius_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive radius_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_radius_client_packets',`
+ corenet_dontaudit_send_radius_client_packets($1)
+ corenet_dontaudit_receive_radius_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to radius_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_radius_client_packets',`
+ gen_require(`
+ type radius_client_packet_t;
+ ')
+
+ allow $1 radius_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send radius_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_radius_server_packets',`
+ gen_require(`
+ type radius_server_packet_t;
+ ')
+
+ allow $1 radius_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send radius_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_radius_server_packets',`
+ gen_require(`
+ type radius_server_packet_t;
+ ')
+
+ dontaudit $1 radius_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive radius_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_radius_server_packets',`
+ gen_require(`
+ type radius_server_packet_t;
+ ')
+
+ allow $1 radius_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive radius_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_radius_server_packets',`
+ gen_require(`
+ type radius_server_packet_t;
+ ')
+
+ dontaudit $1 radius_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive radius_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_radius_server_packets',`
+ corenet_send_radius_server_packets($1)
+ corenet_receive_radius_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive radius_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_radius_server_packets',`
+ corenet_dontaudit_send_radius_server_packets($1)
+ corenet_dontaudit_receive_radius_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to radius_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_radius_server_packets',`
+ gen_require(`
+ type radius_server_packet_t;
+ ')
+
+ allow $1 radius_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the radsec port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_radsec_port',`
+ gen_require(`
+ type radsec_port_t;
+ ')
+
+ allow $1 radsec_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the radsec port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_radsec_port',`
+ gen_require(`
+ type radsec_port_t;
+ ')
+
+ allow $1 radsec_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the radsec port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_radsec_port',`
+ gen_require(`
+ type radsec_port_t;
+ ')
+
+ dontaudit $1 radsec_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the radsec port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_radsec_port',`
+ gen_require(`
+ type radsec_port_t;
+ ')
+
+ allow $1 radsec_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the radsec port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_radsec_port',`
+ gen_require(`
+ type radsec_port_t;
+ ')
+
+ dontaudit $1 radsec_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the radsec port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_radsec_port',`
+ corenet_udp_send_radsec_port($1)
+ corenet_udp_receive_radsec_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the radsec port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_radsec_port',`
+ corenet_dontaudit_udp_send_radsec_port($1)
+ corenet_dontaudit_udp_receive_radsec_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the radsec port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_radsec_port',`
+ gen_require(`
+ type radsec_port_t;
+ ')
+
+ allow $1 radsec_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the radsec port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_radsec_port',`
+ gen_require(`
+ type radsec_port_t;
+ ')
+
+ allow $1 radsec_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the radsec port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_radsec_port',`
+ gen_require(`
+ type radsec_port_t;
+ ')
+
+ allow $1 radsec_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send radsec_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_radsec_client_packets',`
+ gen_require(`
+ type radsec_client_packet_t;
+ ')
+
+ allow $1 radsec_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send radsec_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_radsec_client_packets',`
+ gen_require(`
+ type radsec_client_packet_t;
+ ')
+
+ dontaudit $1 radsec_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive radsec_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_radsec_client_packets',`
+ gen_require(`
+ type radsec_client_packet_t;
+ ')
+
+ allow $1 radsec_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive radsec_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_radsec_client_packets',`
+ gen_require(`
+ type radsec_client_packet_t;
+ ')
+
+ dontaudit $1 radsec_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive radsec_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_radsec_client_packets',`
+ corenet_send_radsec_client_packets($1)
+ corenet_receive_radsec_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive radsec_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_radsec_client_packets',`
+ corenet_dontaudit_send_radsec_client_packets($1)
+ corenet_dontaudit_receive_radsec_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to radsec_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_radsec_client_packets',`
+ gen_require(`
+ type radsec_client_packet_t;
+ ')
+
+ allow $1 radsec_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send radsec_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_radsec_server_packets',`
+ gen_require(`
+ type radsec_server_packet_t;
+ ')
+
+ allow $1 radsec_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send radsec_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_radsec_server_packets',`
+ gen_require(`
+ type radsec_server_packet_t;
+ ')
+
+ dontaudit $1 radsec_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive radsec_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_radsec_server_packets',`
+ gen_require(`
+ type radsec_server_packet_t;
+ ')
+
+ allow $1 radsec_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive radsec_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_radsec_server_packets',`
+ gen_require(`
+ type radsec_server_packet_t;
+ ')
+
+ dontaudit $1 radsec_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive radsec_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_radsec_server_packets',`
+ corenet_send_radsec_server_packets($1)
+ corenet_receive_radsec_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive radsec_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_radsec_server_packets',`
+ corenet_dontaudit_send_radsec_server_packets($1)
+ corenet_dontaudit_receive_radsec_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to radsec_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_radsec_server_packets',`
+ gen_require(`
+ type radsec_server_packet_t;
+ ')
+
+ allow $1 radsec_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the razor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_razor_port',`
+ gen_require(`
+ type razor_port_t;
+ ')
+
+ allow $1 razor_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the razor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_razor_port',`
+ gen_require(`
+ type razor_port_t;
+ ')
+
+ allow $1 razor_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the razor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_razor_port',`
+ gen_require(`
+ type razor_port_t;
+ ')
+
+ dontaudit $1 razor_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the razor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_razor_port',`
+ gen_require(`
+ type razor_port_t;
+ ')
+
+ allow $1 razor_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the razor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_razor_port',`
+ gen_require(`
+ type razor_port_t;
+ ')
+
+ dontaudit $1 razor_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the razor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_razor_port',`
+ corenet_udp_send_razor_port($1)
+ corenet_udp_receive_razor_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the razor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_razor_port',`
+ corenet_dontaudit_udp_send_razor_port($1)
+ corenet_dontaudit_udp_receive_razor_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the razor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_razor_port',`
+ gen_require(`
+ type razor_port_t;
+ ')
+
+ allow $1 razor_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the razor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_razor_port',`
+ gen_require(`
+ type razor_port_t;
+ ')
+
+ allow $1 razor_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the razor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_razor_port',`
+ gen_require(`
+ type razor_port_t;
+ ')
+
+ allow $1 razor_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send razor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_razor_client_packets',`
+ gen_require(`
+ type razor_client_packet_t;
+ ')
+
+ allow $1 razor_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send razor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_razor_client_packets',`
+ gen_require(`
+ type razor_client_packet_t;
+ ')
+
+ dontaudit $1 razor_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive razor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_razor_client_packets',`
+ gen_require(`
+ type razor_client_packet_t;
+ ')
+
+ allow $1 razor_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive razor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_razor_client_packets',`
+ gen_require(`
+ type razor_client_packet_t;
+ ')
+
+ dontaudit $1 razor_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive razor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_razor_client_packets',`
+ corenet_send_razor_client_packets($1)
+ corenet_receive_razor_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive razor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_razor_client_packets',`
+ corenet_dontaudit_send_razor_client_packets($1)
+ corenet_dontaudit_receive_razor_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to razor_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_razor_client_packets',`
+ gen_require(`
+ type razor_client_packet_t;
+ ')
+
+ allow $1 razor_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send razor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_razor_server_packets',`
+ gen_require(`
+ type razor_server_packet_t;
+ ')
+
+ allow $1 razor_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send razor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_razor_server_packets',`
+ gen_require(`
+ type razor_server_packet_t;
+ ')
+
+ dontaudit $1 razor_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive razor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_razor_server_packets',`
+ gen_require(`
+ type razor_server_packet_t;
+ ')
+
+ allow $1 razor_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive razor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_razor_server_packets',`
+ gen_require(`
+ type razor_server_packet_t;
+ ')
+
+ dontaudit $1 razor_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive razor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_razor_server_packets',`
+ corenet_send_razor_server_packets($1)
+ corenet_receive_razor_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive razor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_razor_server_packets',`
+ corenet_dontaudit_send_razor_server_packets($1)
+ corenet_dontaudit_receive_razor_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to razor_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_razor_server_packets',`
+ gen_require(`
+ type razor_server_packet_t;
+ ')
+
+ allow $1 razor_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the repository port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_repository_port',`
+ gen_require(`
+ type repository_port_t;
+ ')
+
+ allow $1 repository_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the repository port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_repository_port',`
+ gen_require(`
+ type repository_port_t;
+ ')
+
+ allow $1 repository_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the repository port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_repository_port',`
+ gen_require(`
+ type repository_port_t;
+ ')
+
+ dontaudit $1 repository_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the repository port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_repository_port',`
+ gen_require(`
+ type repository_port_t;
+ ')
+
+ allow $1 repository_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the repository port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_repository_port',`
+ gen_require(`
+ type repository_port_t;
+ ')
+
+ dontaudit $1 repository_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the repository port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_repository_port',`
+ corenet_udp_send_repository_port($1)
+ corenet_udp_receive_repository_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the repository port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_repository_port',`
+ corenet_dontaudit_udp_send_repository_port($1)
+ corenet_dontaudit_udp_receive_repository_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the repository port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_repository_port',`
+ gen_require(`
+ type repository_port_t;
+ ')
+
+ allow $1 repository_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the repository port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_repository_port',`
+ gen_require(`
+ type repository_port_t;
+ ')
+
+ allow $1 repository_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the repository port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_repository_port',`
+ gen_require(`
+ type repository_port_t;
+ ')
+
+ allow $1 repository_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send repository_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_repository_client_packets',`
+ gen_require(`
+ type repository_client_packet_t;
+ ')
+
+ allow $1 repository_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send repository_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_repository_client_packets',`
+ gen_require(`
+ type repository_client_packet_t;
+ ')
+
+ dontaudit $1 repository_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive repository_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_repository_client_packets',`
+ gen_require(`
+ type repository_client_packet_t;
+ ')
+
+ allow $1 repository_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive repository_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_repository_client_packets',`
+ gen_require(`
+ type repository_client_packet_t;
+ ')
+
+ dontaudit $1 repository_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive repository_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_repository_client_packets',`
+ corenet_send_repository_client_packets($1)
+ corenet_receive_repository_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive repository_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_repository_client_packets',`
+ corenet_dontaudit_send_repository_client_packets($1)
+ corenet_dontaudit_receive_repository_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to repository_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_repository_client_packets',`
+ gen_require(`
+ type repository_client_packet_t;
+ ')
+
+ allow $1 repository_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send repository_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_repository_server_packets',`
+ gen_require(`
+ type repository_server_packet_t;
+ ')
+
+ allow $1 repository_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send repository_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_repository_server_packets',`
+ gen_require(`
+ type repository_server_packet_t;
+ ')
+
+ dontaudit $1 repository_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive repository_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_repository_server_packets',`
+ gen_require(`
+ type repository_server_packet_t;
+ ')
+
+ allow $1 repository_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive repository_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_repository_server_packets',`
+ gen_require(`
+ type repository_server_packet_t;
+ ')
+
+ dontaudit $1 repository_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive repository_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_repository_server_packets',`
+ corenet_send_repository_server_packets($1)
+ corenet_receive_repository_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive repository_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_repository_server_packets',`
+ corenet_dontaudit_send_repository_server_packets($1)
+ corenet_dontaudit_receive_repository_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to repository_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_repository_server_packets',`
+ gen_require(`
+ type repository_server_packet_t;
+ ')
+
+ allow $1 repository_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ricci port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ricci_port',`
+ gen_require(`
+ type ricci_port_t;
+ ')
+
+ allow $1 ricci_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ricci port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ricci_port',`
+ gen_require(`
+ type ricci_port_t;
+ ')
+
+ allow $1 ricci_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ricci port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ricci_port',`
+ gen_require(`
+ type ricci_port_t;
+ ')
+
+ dontaudit $1 ricci_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ricci port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ricci_port',`
+ gen_require(`
+ type ricci_port_t;
+ ')
+
+ allow $1 ricci_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ricci port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ricci_port',`
+ gen_require(`
+ type ricci_port_t;
+ ')
+
+ dontaudit $1 ricci_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ricci port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ricci_port',`
+ corenet_udp_send_ricci_port($1)
+ corenet_udp_receive_ricci_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ricci port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ricci_port',`
+ corenet_dontaudit_udp_send_ricci_port($1)
+ corenet_dontaudit_udp_receive_ricci_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ricci port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ricci_port',`
+ gen_require(`
+ type ricci_port_t;
+ ')
+
+ allow $1 ricci_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ricci port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ricci_port',`
+ gen_require(`
+ type ricci_port_t;
+ ')
+
+ allow $1 ricci_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ricci port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ricci_port',`
+ gen_require(`
+ type ricci_port_t;
+ ')
+
+ allow $1 ricci_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ricci_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ricci_client_packets',`
+ gen_require(`
+ type ricci_client_packet_t;
+ ')
+
+ allow $1 ricci_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ricci_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ricci_client_packets',`
+ gen_require(`
+ type ricci_client_packet_t;
+ ')
+
+ dontaudit $1 ricci_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ricci_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ricci_client_packets',`
+ gen_require(`
+ type ricci_client_packet_t;
+ ')
+
+ allow $1 ricci_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ricci_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ricci_client_packets',`
+ gen_require(`
+ type ricci_client_packet_t;
+ ')
+
+ dontaudit $1 ricci_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ricci_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ricci_client_packets',`
+ corenet_send_ricci_client_packets($1)
+ corenet_receive_ricci_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ricci_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ricci_client_packets',`
+ corenet_dontaudit_send_ricci_client_packets($1)
+ corenet_dontaudit_receive_ricci_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ricci_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ricci_client_packets',`
+ gen_require(`
+ type ricci_client_packet_t;
+ ')
+
+ allow $1 ricci_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ricci_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ricci_server_packets',`
+ gen_require(`
+ type ricci_server_packet_t;
+ ')
+
+ allow $1 ricci_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ricci_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ricci_server_packets',`
+ gen_require(`
+ type ricci_server_packet_t;
+ ')
+
+ dontaudit $1 ricci_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ricci_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ricci_server_packets',`
+ gen_require(`
+ type ricci_server_packet_t;
+ ')
+
+ allow $1 ricci_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ricci_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ricci_server_packets',`
+ gen_require(`
+ type ricci_server_packet_t;
+ ')
+
+ dontaudit $1 ricci_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ricci_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ricci_server_packets',`
+ corenet_send_ricci_server_packets($1)
+ corenet_receive_ricci_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ricci_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ricci_server_packets',`
+ corenet_dontaudit_send_ricci_server_packets($1)
+ corenet_dontaudit_receive_ricci_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ricci_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ricci_server_packets',`
+ gen_require(`
+ type ricci_server_packet_t;
+ ')
+
+ allow $1 ricci_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ricci_modcluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ricci_modcluster_port',`
+ gen_require(`
+ type ricci_modcluster_port_t;
+ ')
+
+ allow $1 ricci_modcluster_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ricci_modcluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ricci_modcluster_port',`
+ gen_require(`
+ type ricci_modcluster_port_t;
+ ')
+
+ allow $1 ricci_modcluster_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ricci_modcluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ricci_modcluster_port',`
+ gen_require(`
+ type ricci_modcluster_port_t;
+ ')
+
+ dontaudit $1 ricci_modcluster_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ricci_modcluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ricci_modcluster_port',`
+ gen_require(`
+ type ricci_modcluster_port_t;
+ ')
+
+ allow $1 ricci_modcluster_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ricci_modcluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ricci_modcluster_port',`
+ gen_require(`
+ type ricci_modcluster_port_t;
+ ')
+
+ dontaudit $1 ricci_modcluster_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ricci_modcluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ricci_modcluster_port',`
+ corenet_udp_send_ricci_modcluster_port($1)
+ corenet_udp_receive_ricci_modcluster_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ricci_modcluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ricci_modcluster_port',`
+ corenet_dontaudit_udp_send_ricci_modcluster_port($1)
+ corenet_dontaudit_udp_receive_ricci_modcluster_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ricci_modcluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ricci_modcluster_port',`
+ gen_require(`
+ type ricci_modcluster_port_t;
+ ')
+
+ allow $1 ricci_modcluster_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ricci_modcluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ricci_modcluster_port',`
+ gen_require(`
+ type ricci_modcluster_port_t;
+ ')
+
+ allow $1 ricci_modcluster_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ricci_modcluster port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ricci_modcluster_port',`
+ gen_require(`
+ type ricci_modcluster_port_t;
+ ')
+
+ allow $1 ricci_modcluster_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ricci_modcluster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ricci_modcluster_client_packets',`
+ gen_require(`
+ type ricci_modcluster_client_packet_t;
+ ')
+
+ allow $1 ricci_modcluster_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ricci_modcluster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ricci_modcluster_client_packets',`
+ gen_require(`
+ type ricci_modcluster_client_packet_t;
+ ')
+
+ dontaudit $1 ricci_modcluster_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ricci_modcluster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ricci_modcluster_client_packets',`
+ gen_require(`
+ type ricci_modcluster_client_packet_t;
+ ')
+
+ allow $1 ricci_modcluster_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ricci_modcluster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ricci_modcluster_client_packets',`
+ gen_require(`
+ type ricci_modcluster_client_packet_t;
+ ')
+
+ dontaudit $1 ricci_modcluster_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ricci_modcluster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ricci_modcluster_client_packets',`
+ corenet_send_ricci_modcluster_client_packets($1)
+ corenet_receive_ricci_modcluster_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ricci_modcluster_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ricci_modcluster_client_packets',`
+ corenet_dontaudit_send_ricci_modcluster_client_packets($1)
+ corenet_dontaudit_receive_ricci_modcluster_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ricci_modcluster_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ricci_modcluster_client_packets',`
+ gen_require(`
+ type ricci_modcluster_client_packet_t;
+ ')
+
+ allow $1 ricci_modcluster_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ricci_modcluster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ricci_modcluster_server_packets',`
+ gen_require(`
+ type ricci_modcluster_server_packet_t;
+ ')
+
+ allow $1 ricci_modcluster_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ricci_modcluster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ricci_modcluster_server_packets',`
+ gen_require(`
+ type ricci_modcluster_server_packet_t;
+ ')
+
+ dontaudit $1 ricci_modcluster_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ricci_modcluster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ricci_modcluster_server_packets',`
+ gen_require(`
+ type ricci_modcluster_server_packet_t;
+ ')
+
+ allow $1 ricci_modcluster_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ricci_modcluster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ricci_modcluster_server_packets',`
+ gen_require(`
+ type ricci_modcluster_server_packet_t;
+ ')
+
+ dontaudit $1 ricci_modcluster_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ricci_modcluster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ricci_modcluster_server_packets',`
+ corenet_send_ricci_modcluster_server_packets($1)
+ corenet_receive_ricci_modcluster_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ricci_modcluster_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ricci_modcluster_server_packets',`
+ corenet_dontaudit_send_ricci_modcluster_server_packets($1)
+ corenet_dontaudit_receive_ricci_modcluster_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ricci_modcluster_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ricci_modcluster_server_packets',`
+ gen_require(`
+ type ricci_modcluster_server_packet_t;
+ ')
+
+ allow $1 ricci_modcluster_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the rlogind port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_rlogind_port',`
+ gen_require(`
+ type rlogind_port_t;
+ ')
+
+ allow $1 rlogind_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the rlogind port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_rlogind_port',`
+ gen_require(`
+ type rlogind_port_t;
+ ')
+
+ allow $1 rlogind_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the rlogind port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_rlogind_port',`
+ gen_require(`
+ type rlogind_port_t;
+ ')
+
+ dontaudit $1 rlogind_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the rlogind port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_rlogind_port',`
+ gen_require(`
+ type rlogind_port_t;
+ ')
+
+ allow $1 rlogind_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the rlogind port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_rlogind_port',`
+ gen_require(`
+ type rlogind_port_t;
+ ')
+
+ dontaudit $1 rlogind_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the rlogind port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_rlogind_port',`
+ corenet_udp_send_rlogind_port($1)
+ corenet_udp_receive_rlogind_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the rlogind port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_rlogind_port',`
+ corenet_dontaudit_udp_send_rlogind_port($1)
+ corenet_dontaudit_udp_receive_rlogind_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the rlogind port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rlogind_port',`
+ gen_require(`
+ type rlogind_port_t;
+ ')
+
+ allow $1 rlogind_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the rlogind port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_rlogind_port',`
+ gen_require(`
+ type rlogind_port_t;
+ ')
+
+ allow $1 rlogind_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the rlogind port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_rlogind_port',`
+ gen_require(`
+ type rlogind_port_t;
+ ')
+
+ allow $1 rlogind_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send rlogind_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_rlogind_client_packets',`
+ gen_require(`
+ type rlogind_client_packet_t;
+ ')
+
+ allow $1 rlogind_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send rlogind_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_rlogind_client_packets',`
+ gen_require(`
+ type rlogind_client_packet_t;
+ ')
+
+ dontaudit $1 rlogind_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive rlogind_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_rlogind_client_packets',`
+ gen_require(`
+ type rlogind_client_packet_t;
+ ')
+
+ allow $1 rlogind_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive rlogind_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_rlogind_client_packets',`
+ gen_require(`
+ type rlogind_client_packet_t;
+ ')
+
+ dontaudit $1 rlogind_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive rlogind_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_rlogind_client_packets',`
+ corenet_send_rlogind_client_packets($1)
+ corenet_receive_rlogind_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive rlogind_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_rlogind_client_packets',`
+ corenet_dontaudit_send_rlogind_client_packets($1)
+ corenet_dontaudit_receive_rlogind_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to rlogind_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_rlogind_client_packets',`
+ gen_require(`
+ type rlogind_client_packet_t;
+ ')
+
+ allow $1 rlogind_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send rlogind_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_rlogind_server_packets',`
+ gen_require(`
+ type rlogind_server_packet_t;
+ ')
+
+ allow $1 rlogind_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send rlogind_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_rlogind_server_packets',`
+ gen_require(`
+ type rlogind_server_packet_t;
+ ')
+
+ dontaudit $1 rlogind_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive rlogind_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_rlogind_server_packets',`
+ gen_require(`
+ type rlogind_server_packet_t;
+ ')
+
+ allow $1 rlogind_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive rlogind_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_rlogind_server_packets',`
+ gen_require(`
+ type rlogind_server_packet_t;
+ ')
+
+ dontaudit $1 rlogind_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive rlogind_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_rlogind_server_packets',`
+ corenet_send_rlogind_server_packets($1)
+ corenet_receive_rlogind_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive rlogind_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_rlogind_server_packets',`
+ corenet_dontaudit_send_rlogind_server_packets($1)
+ corenet_dontaudit_receive_rlogind_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to rlogind_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_rlogind_server_packets',`
+ gen_require(`
+ type rlogind_server_packet_t;
+ ')
+
+ allow $1 rlogind_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the rndc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_rndc_port',`
+ gen_require(`
+ type rndc_port_t;
+ ')
+
+ allow $1 rndc_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the rndc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_rndc_port',`
+ gen_require(`
+ type rndc_port_t;
+ ')
+
+ allow $1 rndc_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the rndc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_rndc_port',`
+ gen_require(`
+ type rndc_port_t;
+ ')
+
+ dontaudit $1 rndc_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the rndc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_rndc_port',`
+ gen_require(`
+ type rndc_port_t;
+ ')
+
+ allow $1 rndc_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the rndc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_rndc_port',`
+ gen_require(`
+ type rndc_port_t;
+ ')
+
+ dontaudit $1 rndc_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the rndc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_rndc_port',`
+ corenet_udp_send_rndc_port($1)
+ corenet_udp_receive_rndc_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the rndc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_rndc_port',`
+ corenet_dontaudit_udp_send_rndc_port($1)
+ corenet_dontaudit_udp_receive_rndc_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the rndc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rndc_port',`
+ gen_require(`
+ type rndc_port_t;
+ ')
+
+ allow $1 rndc_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the rndc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_rndc_port',`
+ gen_require(`
+ type rndc_port_t;
+ ')
+
+ allow $1 rndc_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the rndc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_rndc_port',`
+ gen_require(`
+ type rndc_port_t;
+ ')
+
+ allow $1 rndc_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send rndc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_rndc_client_packets',`
+ gen_require(`
+ type rndc_client_packet_t;
+ ')
+
+ allow $1 rndc_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send rndc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_rndc_client_packets',`
+ gen_require(`
+ type rndc_client_packet_t;
+ ')
+
+ dontaudit $1 rndc_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive rndc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_rndc_client_packets',`
+ gen_require(`
+ type rndc_client_packet_t;
+ ')
+
+ allow $1 rndc_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive rndc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_rndc_client_packets',`
+ gen_require(`
+ type rndc_client_packet_t;
+ ')
+
+ dontaudit $1 rndc_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive rndc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_rndc_client_packets',`
+ corenet_send_rndc_client_packets($1)
+ corenet_receive_rndc_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive rndc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_rndc_client_packets',`
+ corenet_dontaudit_send_rndc_client_packets($1)
+ corenet_dontaudit_receive_rndc_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to rndc_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_rndc_client_packets',`
+ gen_require(`
+ type rndc_client_packet_t;
+ ')
+
+ allow $1 rndc_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send rndc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_rndc_server_packets',`
+ gen_require(`
+ type rndc_server_packet_t;
+ ')
+
+ allow $1 rndc_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send rndc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_rndc_server_packets',`
+ gen_require(`
+ type rndc_server_packet_t;
+ ')
+
+ dontaudit $1 rndc_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive rndc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_rndc_server_packets',`
+ gen_require(`
+ type rndc_server_packet_t;
+ ')
+
+ allow $1 rndc_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive rndc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_rndc_server_packets',`
+ gen_require(`
+ type rndc_server_packet_t;
+ ')
+
+ dontaudit $1 rndc_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive rndc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_rndc_server_packets',`
+ corenet_send_rndc_server_packets($1)
+ corenet_receive_rndc_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive rndc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_rndc_server_packets',`
+ corenet_dontaudit_send_rndc_server_packets($1)
+ corenet_dontaudit_receive_rndc_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to rndc_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_rndc_server_packets',`
+ gen_require(`
+ type rndc_server_packet_t;
+ ')
+
+ allow $1 rndc_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the router port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_router_port',`
+ gen_require(`
+ type router_port_t;
+ ')
+
+ allow $1 router_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the router port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_router_port',`
+ gen_require(`
+ type router_port_t;
+ ')
+
+ allow $1 router_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the router port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_router_port',`
+ gen_require(`
+ type router_port_t;
+ ')
+
+ dontaudit $1 router_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the router port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_router_port',`
+ gen_require(`
+ type router_port_t;
+ ')
+
+ allow $1 router_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the router port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_router_port',`
+ gen_require(`
+ type router_port_t;
+ ')
+
+ dontaudit $1 router_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the router port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_router_port',`
+ corenet_udp_send_router_port($1)
+ corenet_udp_receive_router_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the router port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_router_port',`
+ corenet_dontaudit_udp_send_router_port($1)
+ corenet_dontaudit_udp_receive_router_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the router port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_router_port',`
+ gen_require(`
+ type router_port_t;
+ ')
+
+ allow $1 router_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the router port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_router_port',`
+ gen_require(`
+ type router_port_t;
+ ')
+
+ allow $1 router_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the router port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_router_port',`
+ gen_require(`
+ type router_port_t;
+ ')
+
+ allow $1 router_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send router_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_router_client_packets',`
+ gen_require(`
+ type router_client_packet_t;
+ ')
+
+ allow $1 router_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send router_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_router_client_packets',`
+ gen_require(`
+ type router_client_packet_t;
+ ')
+
+ dontaudit $1 router_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive router_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_router_client_packets',`
+ gen_require(`
+ type router_client_packet_t;
+ ')
+
+ allow $1 router_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive router_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_router_client_packets',`
+ gen_require(`
+ type router_client_packet_t;
+ ')
+
+ dontaudit $1 router_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive router_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_router_client_packets',`
+ corenet_send_router_client_packets($1)
+ corenet_receive_router_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive router_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_router_client_packets',`
+ corenet_dontaudit_send_router_client_packets($1)
+ corenet_dontaudit_receive_router_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to router_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_router_client_packets',`
+ gen_require(`
+ type router_client_packet_t;
+ ')
+
+ allow $1 router_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send router_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_router_server_packets',`
+ gen_require(`
+ type router_server_packet_t;
+ ')
+
+ allow $1 router_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send router_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_router_server_packets',`
+ gen_require(`
+ type router_server_packet_t;
+ ')
+
+ dontaudit $1 router_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive router_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_router_server_packets',`
+ gen_require(`
+ type router_server_packet_t;
+ ')
+
+ allow $1 router_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive router_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_router_server_packets',`
+ gen_require(`
+ type router_server_packet_t;
+ ')
+
+ dontaudit $1 router_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive router_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_router_server_packets',`
+ corenet_send_router_server_packets($1)
+ corenet_receive_router_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive router_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_router_server_packets',`
+ corenet_dontaudit_send_router_server_packets($1)
+ corenet_dontaudit_receive_router_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to router_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_router_server_packets',`
+ gen_require(`
+ type router_server_packet_t;
+ ')
+
+ allow $1 router_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the rsh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_rsh_port',`
+ gen_require(`
+ type rsh_port_t;
+ ')
+
+ allow $1 rsh_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the rsh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_rsh_port',`
+ gen_require(`
+ type rsh_port_t;
+ ')
+
+ allow $1 rsh_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the rsh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_rsh_port',`
+ gen_require(`
+ type rsh_port_t;
+ ')
+
+ dontaudit $1 rsh_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the rsh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_rsh_port',`
+ gen_require(`
+ type rsh_port_t;
+ ')
+
+ allow $1 rsh_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the rsh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_rsh_port',`
+ gen_require(`
+ type rsh_port_t;
+ ')
+
+ dontaudit $1 rsh_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the rsh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_rsh_port',`
+ corenet_udp_send_rsh_port($1)
+ corenet_udp_receive_rsh_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the rsh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_rsh_port',`
+ corenet_dontaudit_udp_send_rsh_port($1)
+ corenet_dontaudit_udp_receive_rsh_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the rsh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rsh_port',`
+ gen_require(`
+ type rsh_port_t;
+ ')
+
+ allow $1 rsh_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the rsh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_rsh_port',`
+ gen_require(`
+ type rsh_port_t;
+ ')
+
+ allow $1 rsh_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the rsh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_rsh_port',`
+ gen_require(`
+ type rsh_port_t;
+ ')
+
+ allow $1 rsh_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send rsh_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_rsh_client_packets',`
+ gen_require(`
+ type rsh_client_packet_t;
+ ')
+
+ allow $1 rsh_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send rsh_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_rsh_client_packets',`
+ gen_require(`
+ type rsh_client_packet_t;
+ ')
+
+ dontaudit $1 rsh_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive rsh_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_rsh_client_packets',`
+ gen_require(`
+ type rsh_client_packet_t;
+ ')
+
+ allow $1 rsh_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive rsh_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_rsh_client_packets',`
+ gen_require(`
+ type rsh_client_packet_t;
+ ')
+
+ dontaudit $1 rsh_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive rsh_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_rsh_client_packets',`
+ corenet_send_rsh_client_packets($1)
+ corenet_receive_rsh_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive rsh_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_rsh_client_packets',`
+ corenet_dontaudit_send_rsh_client_packets($1)
+ corenet_dontaudit_receive_rsh_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to rsh_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_rsh_client_packets',`
+ gen_require(`
+ type rsh_client_packet_t;
+ ')
+
+ allow $1 rsh_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send rsh_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_rsh_server_packets',`
+ gen_require(`
+ type rsh_server_packet_t;
+ ')
+
+ allow $1 rsh_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send rsh_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_rsh_server_packets',`
+ gen_require(`
+ type rsh_server_packet_t;
+ ')
+
+ dontaudit $1 rsh_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive rsh_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_rsh_server_packets',`
+ gen_require(`
+ type rsh_server_packet_t;
+ ')
+
+ allow $1 rsh_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive rsh_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_rsh_server_packets',`
+ gen_require(`
+ type rsh_server_packet_t;
+ ')
+
+ dontaudit $1 rsh_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive rsh_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_rsh_server_packets',`
+ corenet_send_rsh_server_packets($1)
+ corenet_receive_rsh_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive rsh_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_rsh_server_packets',`
+ corenet_dontaudit_send_rsh_server_packets($1)
+ corenet_dontaudit_receive_rsh_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to rsh_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_rsh_server_packets',`
+ gen_require(`
+ type rsh_server_packet_t;
+ ')
+
+ allow $1 rsh_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the rsync port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_rsync_port',`
+ gen_require(`
+ type rsync_port_t;
+ ')
+
+ allow $1 rsync_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the rsync port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_rsync_port',`
+ gen_require(`
+ type rsync_port_t;
+ ')
+
+ allow $1 rsync_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the rsync port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_rsync_port',`
+ gen_require(`
+ type rsync_port_t;
+ ')
+
+ dontaudit $1 rsync_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the rsync port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_rsync_port',`
+ gen_require(`
+ type rsync_port_t;
+ ')
+
+ allow $1 rsync_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the rsync port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_rsync_port',`
+ gen_require(`
+ type rsync_port_t;
+ ')
+
+ dontaudit $1 rsync_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the rsync port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_rsync_port',`
+ corenet_udp_send_rsync_port($1)
+ corenet_udp_receive_rsync_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the rsync port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_rsync_port',`
+ corenet_dontaudit_udp_send_rsync_port($1)
+ corenet_dontaudit_udp_receive_rsync_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the rsync port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rsync_port',`
+ gen_require(`
+ type rsync_port_t;
+ ')
+
+ allow $1 rsync_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the rsync port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_rsync_port',`
+ gen_require(`
+ type rsync_port_t;
+ ')
+
+ allow $1 rsync_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the rsync port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_rsync_port',`
+ gen_require(`
+ type rsync_port_t;
+ ')
+
+ allow $1 rsync_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send rsync_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_rsync_client_packets',`
+ gen_require(`
+ type rsync_client_packet_t;
+ ')
+
+ allow $1 rsync_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send rsync_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_rsync_client_packets',`
+ gen_require(`
+ type rsync_client_packet_t;
+ ')
+
+ dontaudit $1 rsync_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive rsync_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_rsync_client_packets',`
+ gen_require(`
+ type rsync_client_packet_t;
+ ')
+
+ allow $1 rsync_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive rsync_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_rsync_client_packets',`
+ gen_require(`
+ type rsync_client_packet_t;
+ ')
+
+ dontaudit $1 rsync_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive rsync_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_rsync_client_packets',`
+ corenet_send_rsync_client_packets($1)
+ corenet_receive_rsync_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive rsync_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_rsync_client_packets',`
+ corenet_dontaudit_send_rsync_client_packets($1)
+ corenet_dontaudit_receive_rsync_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to rsync_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_rsync_client_packets',`
+ gen_require(`
+ type rsync_client_packet_t;
+ ')
+
+ allow $1 rsync_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send rsync_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_rsync_server_packets',`
+ gen_require(`
+ type rsync_server_packet_t;
+ ')
+
+ allow $1 rsync_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send rsync_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_rsync_server_packets',`
+ gen_require(`
+ type rsync_server_packet_t;
+ ')
+
+ dontaudit $1 rsync_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive rsync_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_rsync_server_packets',`
+ gen_require(`
+ type rsync_server_packet_t;
+ ')
+
+ allow $1 rsync_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive rsync_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_rsync_server_packets',`
+ gen_require(`
+ type rsync_server_packet_t;
+ ')
+
+ dontaudit $1 rsync_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive rsync_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_rsync_server_packets',`
+ corenet_send_rsync_server_packets($1)
+ corenet_receive_rsync_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive rsync_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_rsync_server_packets',`
+ corenet_dontaudit_send_rsync_server_packets($1)
+ corenet_dontaudit_receive_rsync_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to rsync_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_rsync_server_packets',`
+ gen_require(`
+ type rsync_server_packet_t;
+ ')
+
+ allow $1 rsync_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the rwho port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_rwho_port',`
+ gen_require(`
+ type rwho_port_t;
+ ')
+
+ allow $1 rwho_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the rwho port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_rwho_port',`
+ gen_require(`
+ type rwho_port_t;
+ ')
+
+ allow $1 rwho_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the rwho port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_rwho_port',`
+ gen_require(`
+ type rwho_port_t;
+ ')
+
+ dontaudit $1 rwho_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the rwho port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_rwho_port',`
+ gen_require(`
+ type rwho_port_t;
+ ')
+
+ allow $1 rwho_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the rwho port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_rwho_port',`
+ gen_require(`
+ type rwho_port_t;
+ ')
+
+ dontaudit $1 rwho_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the rwho port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_rwho_port',`
+ corenet_udp_send_rwho_port($1)
+ corenet_udp_receive_rwho_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the rwho port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_rwho_port',`
+ corenet_dontaudit_udp_send_rwho_port($1)
+ corenet_dontaudit_udp_receive_rwho_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the rwho port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rwho_port',`
+ gen_require(`
+ type rwho_port_t;
+ ')
+
+ allow $1 rwho_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the rwho port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_rwho_port',`
+ gen_require(`
+ type rwho_port_t;
+ ')
+
+ allow $1 rwho_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the rwho port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_rwho_port',`
+ gen_require(`
+ type rwho_port_t;
+ ')
+
+ allow $1 rwho_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send rwho_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_rwho_client_packets',`
+ gen_require(`
+ type rwho_client_packet_t;
+ ')
+
+ allow $1 rwho_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send rwho_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_rwho_client_packets',`
+ gen_require(`
+ type rwho_client_packet_t;
+ ')
+
+ dontaudit $1 rwho_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive rwho_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_rwho_client_packets',`
+ gen_require(`
+ type rwho_client_packet_t;
+ ')
+
+ allow $1 rwho_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive rwho_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_rwho_client_packets',`
+ gen_require(`
+ type rwho_client_packet_t;
+ ')
+
+ dontaudit $1 rwho_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive rwho_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_rwho_client_packets',`
+ corenet_send_rwho_client_packets($1)
+ corenet_receive_rwho_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive rwho_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_rwho_client_packets',`
+ corenet_dontaudit_send_rwho_client_packets($1)
+ corenet_dontaudit_receive_rwho_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to rwho_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_rwho_client_packets',`
+ gen_require(`
+ type rwho_client_packet_t;
+ ')
+
+ allow $1 rwho_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send rwho_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_rwho_server_packets',`
+ gen_require(`
+ type rwho_server_packet_t;
+ ')
+
+ allow $1 rwho_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send rwho_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_rwho_server_packets',`
+ gen_require(`
+ type rwho_server_packet_t;
+ ')
+
+ dontaudit $1 rwho_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive rwho_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_rwho_server_packets',`
+ gen_require(`
+ type rwho_server_packet_t;
+ ')
+
+ allow $1 rwho_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive rwho_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_rwho_server_packets',`
+ gen_require(`
+ type rwho_server_packet_t;
+ ')
+
+ dontaudit $1 rwho_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive rwho_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_rwho_server_packets',`
+ corenet_send_rwho_server_packets($1)
+ corenet_receive_rwho_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive rwho_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_rwho_server_packets',`
+ corenet_dontaudit_send_rwho_server_packets($1)
+ corenet_dontaudit_receive_rwho_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to rwho_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_rwho_server_packets',`
+ gen_require(`
+ type rwho_server_packet_t;
+ ')
+
+ allow $1 rwho_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the sap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_sap_port',`
+ gen_require(`
+ type sap_port_t;
+ ')
+
+ allow $1 sap_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the sap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_sap_port',`
+ gen_require(`
+ type sap_port_t;
+ ')
+
+ allow $1 sap_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the sap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_sap_port',`
+ gen_require(`
+ type sap_port_t;
+ ')
+
+ dontaudit $1 sap_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the sap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_sap_port',`
+ gen_require(`
+ type sap_port_t;
+ ')
+
+ allow $1 sap_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the sap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_sap_port',`
+ gen_require(`
+ type sap_port_t;
+ ')
+
+ dontaudit $1 sap_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the sap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_sap_port',`
+ corenet_udp_send_sap_port($1)
+ corenet_udp_receive_sap_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the sap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_sap_port',`
+ corenet_dontaudit_udp_send_sap_port($1)
+ corenet_dontaudit_udp_receive_sap_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the sap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_sap_port',`
+ gen_require(`
+ type sap_port_t;
+ ')
+
+ allow $1 sap_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the sap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_sap_port',`
+ gen_require(`
+ type sap_port_t;
+ ')
+
+ allow $1 sap_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the sap port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_sap_port',`
+ gen_require(`
+ type sap_port_t;
+ ')
+
+ allow $1 sap_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send sap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_sap_client_packets',`
+ gen_require(`
+ type sap_client_packet_t;
+ ')
+
+ allow $1 sap_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send sap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_sap_client_packets',`
+ gen_require(`
+ type sap_client_packet_t;
+ ')
+
+ dontaudit $1 sap_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive sap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_sap_client_packets',`
+ gen_require(`
+ type sap_client_packet_t;
+ ')
+
+ allow $1 sap_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive sap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_sap_client_packets',`
+ gen_require(`
+ type sap_client_packet_t;
+ ')
+
+ dontaudit $1 sap_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive sap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_sap_client_packets',`
+ corenet_send_sap_client_packets($1)
+ corenet_receive_sap_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive sap_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_sap_client_packets',`
+ corenet_dontaudit_send_sap_client_packets($1)
+ corenet_dontaudit_receive_sap_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to sap_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_sap_client_packets',`
+ gen_require(`
+ type sap_client_packet_t;
+ ')
+
+ allow $1 sap_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send sap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_sap_server_packets',`
+ gen_require(`
+ type sap_server_packet_t;
+ ')
+
+ allow $1 sap_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send sap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_sap_server_packets',`
+ gen_require(`
+ type sap_server_packet_t;
+ ')
+
+ dontaudit $1 sap_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive sap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_sap_server_packets',`
+ gen_require(`
+ type sap_server_packet_t;
+ ')
+
+ allow $1 sap_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive sap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_sap_server_packets',`
+ gen_require(`
+ type sap_server_packet_t;
+ ')
+
+ dontaudit $1 sap_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive sap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_sap_server_packets',`
+ corenet_send_sap_server_packets($1)
+ corenet_receive_sap_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive sap_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_sap_server_packets',`
+ corenet_dontaudit_send_sap_server_packets($1)
+ corenet_dontaudit_receive_sap_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to sap_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_sap_server_packets',`
+ gen_require(`
+ type sap_server_packet_t;
+ ')
+
+ allow $1 sap_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the sieve port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_sieve_port',`
+ gen_require(`
+ type sieve_port_t;
+ ')
+
+ allow $1 sieve_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the sieve port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_sieve_port',`
+ gen_require(`
+ type sieve_port_t;
+ ')
+
+ allow $1 sieve_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the sieve port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_sieve_port',`
+ gen_require(`
+ type sieve_port_t;
+ ')
+
+ dontaudit $1 sieve_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the sieve port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_sieve_port',`
+ gen_require(`
+ type sieve_port_t;
+ ')
+
+ allow $1 sieve_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the sieve port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_sieve_port',`
+ gen_require(`
+ type sieve_port_t;
+ ')
+
+ dontaudit $1 sieve_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the sieve port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_sieve_port',`
+ corenet_udp_send_sieve_port($1)
+ corenet_udp_receive_sieve_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the sieve port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_sieve_port',`
+ corenet_dontaudit_udp_send_sieve_port($1)
+ corenet_dontaudit_udp_receive_sieve_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the sieve port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_sieve_port',`
+ gen_require(`
+ type sieve_port_t;
+ ')
+
+ allow $1 sieve_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the sieve port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_sieve_port',`
+ gen_require(`
+ type sieve_port_t;
+ ')
+
+ allow $1 sieve_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the sieve port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_sieve_port',`
+ gen_require(`
+ type sieve_port_t;
+ ')
+
+ allow $1 sieve_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send sieve_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_sieve_client_packets',`
+ gen_require(`
+ type sieve_client_packet_t;
+ ')
+
+ allow $1 sieve_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send sieve_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_sieve_client_packets',`
+ gen_require(`
+ type sieve_client_packet_t;
+ ')
+
+ dontaudit $1 sieve_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive sieve_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_sieve_client_packets',`
+ gen_require(`
+ type sieve_client_packet_t;
+ ')
+
+ allow $1 sieve_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive sieve_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_sieve_client_packets',`
+ gen_require(`
+ type sieve_client_packet_t;
+ ')
+
+ dontaudit $1 sieve_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive sieve_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_sieve_client_packets',`
+ corenet_send_sieve_client_packets($1)
+ corenet_receive_sieve_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive sieve_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_sieve_client_packets',`
+ corenet_dontaudit_send_sieve_client_packets($1)
+ corenet_dontaudit_receive_sieve_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to sieve_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_sieve_client_packets',`
+ gen_require(`
+ type sieve_client_packet_t;
+ ')
+
+ allow $1 sieve_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send sieve_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_sieve_server_packets',`
+ gen_require(`
+ type sieve_server_packet_t;
+ ')
+
+ allow $1 sieve_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send sieve_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_sieve_server_packets',`
+ gen_require(`
+ type sieve_server_packet_t;
+ ')
+
+ dontaudit $1 sieve_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive sieve_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_sieve_server_packets',`
+ gen_require(`
+ type sieve_server_packet_t;
+ ')
+
+ allow $1 sieve_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive sieve_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_sieve_server_packets',`
+ gen_require(`
+ type sieve_server_packet_t;
+ ')
+
+ dontaudit $1 sieve_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive sieve_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_sieve_server_packets',`
+ corenet_send_sieve_server_packets($1)
+ corenet_receive_sieve_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive sieve_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_sieve_server_packets',`
+ corenet_dontaudit_send_sieve_server_packets($1)
+ corenet_dontaudit_receive_sieve_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to sieve_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_sieve_server_packets',`
+ gen_require(`
+ type sieve_server_packet_t;
+ ')
+
+ allow $1 sieve_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the sip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_sip_port',`
+ gen_require(`
+ type sip_port_t;
+ ')
+
+ allow $1 sip_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the sip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_sip_port',`
+ gen_require(`
+ type sip_port_t;
+ ')
+
+ allow $1 sip_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the sip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_sip_port',`
+ gen_require(`
+ type sip_port_t;
+ ')
+
+ dontaudit $1 sip_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the sip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_sip_port',`
+ gen_require(`
+ type sip_port_t;
+ ')
+
+ allow $1 sip_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the sip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_sip_port',`
+ gen_require(`
+ type sip_port_t;
+ ')
+
+ dontaudit $1 sip_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the sip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_sip_port',`
+ corenet_udp_send_sip_port($1)
+ corenet_udp_receive_sip_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the sip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_sip_port',`
+ corenet_dontaudit_udp_send_sip_port($1)
+ corenet_dontaudit_udp_receive_sip_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the sip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_sip_port',`
+ gen_require(`
+ type sip_port_t;
+ ')
+
+ allow $1 sip_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the sip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_sip_port',`
+ gen_require(`
+ type sip_port_t;
+ ')
+
+ allow $1 sip_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the sip port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_sip_port',`
+ gen_require(`
+ type sip_port_t;
+ ')
+
+ allow $1 sip_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send sip_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_sip_client_packets',`
+ gen_require(`
+ type sip_client_packet_t;
+ ')
+
+ allow $1 sip_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send sip_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_sip_client_packets',`
+ gen_require(`
+ type sip_client_packet_t;
+ ')
+
+ dontaudit $1 sip_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive sip_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_sip_client_packets',`
+ gen_require(`
+ type sip_client_packet_t;
+ ')
+
+ allow $1 sip_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive sip_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_sip_client_packets',`
+ gen_require(`
+ type sip_client_packet_t;
+ ')
+
+ dontaudit $1 sip_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive sip_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_sip_client_packets',`
+ corenet_send_sip_client_packets($1)
+ corenet_receive_sip_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive sip_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_sip_client_packets',`
+ corenet_dontaudit_send_sip_client_packets($1)
+ corenet_dontaudit_receive_sip_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to sip_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_sip_client_packets',`
+ gen_require(`
+ type sip_client_packet_t;
+ ')
+
+ allow $1 sip_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send sip_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_sip_server_packets',`
+ gen_require(`
+ type sip_server_packet_t;
+ ')
+
+ allow $1 sip_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send sip_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_sip_server_packets',`
+ gen_require(`
+ type sip_server_packet_t;
+ ')
+
+ dontaudit $1 sip_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive sip_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_sip_server_packets',`
+ gen_require(`
+ type sip_server_packet_t;
+ ')
+
+ allow $1 sip_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive sip_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_sip_server_packets',`
+ gen_require(`
+ type sip_server_packet_t;
+ ')
+
+ dontaudit $1 sip_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive sip_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_sip_server_packets',`
+ corenet_send_sip_server_packets($1)
+ corenet_receive_sip_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive sip_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_sip_server_packets',`
+ corenet_dontaudit_send_sip_server_packets($1)
+ corenet_dontaudit_receive_sip_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to sip_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_sip_server_packets',`
+ gen_require(`
+ type sip_server_packet_t;
+ ')
+
+ allow $1 sip_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the sixxsconfig port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_sixxsconfig_port',`
+ gen_require(`
+ type sixxsconfig_port_t;
+ ')
+
+ allow $1 sixxsconfig_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the sixxsconfig port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_sixxsconfig_port',`
+ gen_require(`
+ type sixxsconfig_port_t;
+ ')
+
+ allow $1 sixxsconfig_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the sixxsconfig port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_sixxsconfig_port',`
+ gen_require(`
+ type sixxsconfig_port_t;
+ ')
+
+ dontaudit $1 sixxsconfig_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the sixxsconfig port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_sixxsconfig_port',`
+ gen_require(`
+ type sixxsconfig_port_t;
+ ')
+
+ allow $1 sixxsconfig_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the sixxsconfig port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_sixxsconfig_port',`
+ gen_require(`
+ type sixxsconfig_port_t;
+ ')
+
+ dontaudit $1 sixxsconfig_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the sixxsconfig port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_sixxsconfig_port',`
+ corenet_udp_send_sixxsconfig_port($1)
+ corenet_udp_receive_sixxsconfig_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the sixxsconfig port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_sixxsconfig_port',`
+ corenet_dontaudit_udp_send_sixxsconfig_port($1)
+ corenet_dontaudit_udp_receive_sixxsconfig_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the sixxsconfig port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_sixxsconfig_port',`
+ gen_require(`
+ type sixxsconfig_port_t;
+ ')
+
+ allow $1 sixxsconfig_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the sixxsconfig port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_sixxsconfig_port',`
+ gen_require(`
+ type sixxsconfig_port_t;
+ ')
+
+ allow $1 sixxsconfig_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the sixxsconfig port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_sixxsconfig_port',`
+ gen_require(`
+ type sixxsconfig_port_t;
+ ')
+
+ allow $1 sixxsconfig_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send sixxsconfig_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_sixxsconfig_client_packets',`
+ gen_require(`
+ type sixxsconfig_client_packet_t;
+ ')
+
+ allow $1 sixxsconfig_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send sixxsconfig_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_sixxsconfig_client_packets',`
+ gen_require(`
+ type sixxsconfig_client_packet_t;
+ ')
+
+ dontaudit $1 sixxsconfig_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive sixxsconfig_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_sixxsconfig_client_packets',`
+ gen_require(`
+ type sixxsconfig_client_packet_t;
+ ')
+
+ allow $1 sixxsconfig_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive sixxsconfig_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_sixxsconfig_client_packets',`
+ gen_require(`
+ type sixxsconfig_client_packet_t;
+ ')
+
+ dontaudit $1 sixxsconfig_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive sixxsconfig_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_sixxsconfig_client_packets',`
+ corenet_send_sixxsconfig_client_packets($1)
+ corenet_receive_sixxsconfig_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive sixxsconfig_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_sixxsconfig_client_packets',`
+ corenet_dontaudit_send_sixxsconfig_client_packets($1)
+ corenet_dontaudit_receive_sixxsconfig_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to sixxsconfig_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_sixxsconfig_client_packets',`
+ gen_require(`
+ type sixxsconfig_client_packet_t;
+ ')
+
+ allow $1 sixxsconfig_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send sixxsconfig_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_sixxsconfig_server_packets',`
+ gen_require(`
+ type sixxsconfig_server_packet_t;
+ ')
+
+ allow $1 sixxsconfig_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send sixxsconfig_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_sixxsconfig_server_packets',`
+ gen_require(`
+ type sixxsconfig_server_packet_t;
+ ')
+
+ dontaudit $1 sixxsconfig_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive sixxsconfig_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_sixxsconfig_server_packets',`
+ gen_require(`
+ type sixxsconfig_server_packet_t;
+ ')
+
+ allow $1 sixxsconfig_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive sixxsconfig_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_sixxsconfig_server_packets',`
+ gen_require(`
+ type sixxsconfig_server_packet_t;
+ ')
+
+ dontaudit $1 sixxsconfig_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive sixxsconfig_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_sixxsconfig_server_packets',`
+ corenet_send_sixxsconfig_server_packets($1)
+ corenet_receive_sixxsconfig_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive sixxsconfig_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_sixxsconfig_server_packets',`
+ corenet_dontaudit_send_sixxsconfig_server_packets($1)
+ corenet_dontaudit_receive_sixxsconfig_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to sixxsconfig_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_sixxsconfig_server_packets',`
+ gen_require(`
+ type sixxsconfig_server_packet_t;
+ ')
+
+ allow $1 sixxsconfig_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the smbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_smbd_port',`
+ gen_require(`
+ type smbd_port_t;
+ ')
+
+ allow $1 smbd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the smbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_smbd_port',`
+ gen_require(`
+ type smbd_port_t;
+ ')
+
+ allow $1 smbd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the smbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_smbd_port',`
+ gen_require(`
+ type smbd_port_t;
+ ')
+
+ dontaudit $1 smbd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the smbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_smbd_port',`
+ gen_require(`
+ type smbd_port_t;
+ ')
+
+ allow $1 smbd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the smbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_smbd_port',`
+ gen_require(`
+ type smbd_port_t;
+ ')
+
+ dontaudit $1 smbd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the smbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_smbd_port',`
+ corenet_udp_send_smbd_port($1)
+ corenet_udp_receive_smbd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the smbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_smbd_port',`
+ corenet_dontaudit_udp_send_smbd_port($1)
+ corenet_dontaudit_udp_receive_smbd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the smbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_smbd_port',`
+ gen_require(`
+ type smbd_port_t;
+ ')
+
+ allow $1 smbd_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the smbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_smbd_port',`
+ gen_require(`
+ type smbd_port_t;
+ ')
+
+ allow $1 smbd_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the smbd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_smbd_port',`
+ gen_require(`
+ type smbd_port_t;
+ ')
+
+ allow $1 smbd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send smbd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_smbd_client_packets',`
+ gen_require(`
+ type smbd_client_packet_t;
+ ')
+
+ allow $1 smbd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send smbd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_smbd_client_packets',`
+ gen_require(`
+ type smbd_client_packet_t;
+ ')
+
+ dontaudit $1 smbd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive smbd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_smbd_client_packets',`
+ gen_require(`
+ type smbd_client_packet_t;
+ ')
+
+ allow $1 smbd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive smbd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_smbd_client_packets',`
+ gen_require(`
+ type smbd_client_packet_t;
+ ')
+
+ dontaudit $1 smbd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive smbd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_smbd_client_packets',`
+ corenet_send_smbd_client_packets($1)
+ corenet_receive_smbd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive smbd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_smbd_client_packets',`
+ corenet_dontaudit_send_smbd_client_packets($1)
+ corenet_dontaudit_receive_smbd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to smbd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_smbd_client_packets',`
+ gen_require(`
+ type smbd_client_packet_t;
+ ')
+
+ allow $1 smbd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send smbd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_smbd_server_packets',`
+ gen_require(`
+ type smbd_server_packet_t;
+ ')
+
+ allow $1 smbd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send smbd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_smbd_server_packets',`
+ gen_require(`
+ type smbd_server_packet_t;
+ ')
+
+ dontaudit $1 smbd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive smbd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_smbd_server_packets',`
+ gen_require(`
+ type smbd_server_packet_t;
+ ')
+
+ allow $1 smbd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive smbd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_smbd_server_packets',`
+ gen_require(`
+ type smbd_server_packet_t;
+ ')
+
+ dontaudit $1 smbd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive smbd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_smbd_server_packets',`
+ corenet_send_smbd_server_packets($1)
+ corenet_receive_smbd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive smbd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_smbd_server_packets',`
+ corenet_dontaudit_send_smbd_server_packets($1)
+ corenet_dontaudit_receive_smbd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to smbd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_smbd_server_packets',`
+ gen_require(`
+ type smbd_server_packet_t;
+ ')
+
+ allow $1 smbd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the smtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_smtp_port',`
+ gen_require(`
+ type smtp_port_t;
+ ')
+
+ allow $1 smtp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the smtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_smtp_port',`
+ gen_require(`
+ type smtp_port_t;
+ ')
+
+ allow $1 smtp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the smtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_smtp_port',`
+ gen_require(`
+ type smtp_port_t;
+ ')
+
+ dontaudit $1 smtp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the smtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_smtp_port',`
+ gen_require(`
+ type smtp_port_t;
+ ')
+
+ allow $1 smtp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the smtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_smtp_port',`
+ gen_require(`
+ type smtp_port_t;
+ ')
+
+ dontaudit $1 smtp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the smtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_smtp_port',`
+ corenet_udp_send_smtp_port($1)
+ corenet_udp_receive_smtp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the smtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_smtp_port',`
+ corenet_dontaudit_udp_send_smtp_port($1)
+ corenet_dontaudit_udp_receive_smtp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the smtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_smtp_port',`
+ gen_require(`
+ type smtp_port_t;
+ ')
+
+ allow $1 smtp_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the smtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_smtp_port',`
+ gen_require(`
+ type smtp_port_t;
+ ')
+
+ allow $1 smtp_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the smtp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_smtp_port',`
+ gen_require(`
+ type smtp_port_t;
+ ')
+
+ allow $1 smtp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send smtp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_smtp_client_packets',`
+ gen_require(`
+ type smtp_client_packet_t;
+ ')
+
+ allow $1 smtp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send smtp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_smtp_client_packets',`
+ gen_require(`
+ type smtp_client_packet_t;
+ ')
+
+ dontaudit $1 smtp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive smtp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_smtp_client_packets',`
+ gen_require(`
+ type smtp_client_packet_t;
+ ')
+
+ allow $1 smtp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive smtp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_smtp_client_packets',`
+ gen_require(`
+ type smtp_client_packet_t;
+ ')
+
+ dontaudit $1 smtp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive smtp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_smtp_client_packets',`
+ corenet_send_smtp_client_packets($1)
+ corenet_receive_smtp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive smtp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_smtp_client_packets',`
+ corenet_dontaudit_send_smtp_client_packets($1)
+ corenet_dontaudit_receive_smtp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to smtp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_smtp_client_packets',`
+ gen_require(`
+ type smtp_client_packet_t;
+ ')
+
+ allow $1 smtp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send smtp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_smtp_server_packets',`
+ gen_require(`
+ type smtp_server_packet_t;
+ ')
+
+ allow $1 smtp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send smtp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_smtp_server_packets',`
+ gen_require(`
+ type smtp_server_packet_t;
+ ')
+
+ dontaudit $1 smtp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive smtp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_smtp_server_packets',`
+ gen_require(`
+ type smtp_server_packet_t;
+ ')
+
+ allow $1 smtp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive smtp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_smtp_server_packets',`
+ gen_require(`
+ type smtp_server_packet_t;
+ ')
+
+ dontaudit $1 smtp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive smtp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_smtp_server_packets',`
+ corenet_send_smtp_server_packets($1)
+ corenet_receive_smtp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive smtp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_smtp_server_packets',`
+ corenet_dontaudit_send_smtp_server_packets($1)
+ corenet_dontaudit_receive_smtp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to smtp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_smtp_server_packets',`
+ gen_require(`
+ type smtp_server_packet_t;
+ ')
+
+ allow $1 smtp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the snmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_snmp_port',`
+ gen_require(`
+ type snmp_port_t;
+ ')
+
+ allow $1 snmp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the snmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_snmp_port',`
+ gen_require(`
+ type snmp_port_t;
+ ')
+
+ allow $1 snmp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the snmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_snmp_port',`
+ gen_require(`
+ type snmp_port_t;
+ ')
+
+ dontaudit $1 snmp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the snmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_snmp_port',`
+ gen_require(`
+ type snmp_port_t;
+ ')
+
+ allow $1 snmp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the snmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_snmp_port',`
+ gen_require(`
+ type snmp_port_t;
+ ')
+
+ dontaudit $1 snmp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the snmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_snmp_port',`
+ corenet_udp_send_snmp_port($1)
+ corenet_udp_receive_snmp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the snmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_snmp_port',`
+ corenet_dontaudit_udp_send_snmp_port($1)
+ corenet_dontaudit_udp_receive_snmp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the snmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_snmp_port',`
+ gen_require(`
+ type snmp_port_t;
+ ')
+
+ allow $1 snmp_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the snmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_snmp_port',`
+ gen_require(`
+ type snmp_port_t;
+ ')
+
+ allow $1 snmp_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the snmp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_snmp_port',`
+ gen_require(`
+ type snmp_port_t;
+ ')
+
+ allow $1 snmp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send snmp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_snmp_client_packets',`
+ gen_require(`
+ type snmp_client_packet_t;
+ ')
+
+ allow $1 snmp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send snmp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_snmp_client_packets',`
+ gen_require(`
+ type snmp_client_packet_t;
+ ')
+
+ dontaudit $1 snmp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive snmp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_snmp_client_packets',`
+ gen_require(`
+ type snmp_client_packet_t;
+ ')
+
+ allow $1 snmp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive snmp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_snmp_client_packets',`
+ gen_require(`
+ type snmp_client_packet_t;
+ ')
+
+ dontaudit $1 snmp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive snmp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_snmp_client_packets',`
+ corenet_send_snmp_client_packets($1)
+ corenet_receive_snmp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive snmp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_snmp_client_packets',`
+ corenet_dontaudit_send_snmp_client_packets($1)
+ corenet_dontaudit_receive_snmp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to snmp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_snmp_client_packets',`
+ gen_require(`
+ type snmp_client_packet_t;
+ ')
+
+ allow $1 snmp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send snmp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_snmp_server_packets',`
+ gen_require(`
+ type snmp_server_packet_t;
+ ')
+
+ allow $1 snmp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send snmp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_snmp_server_packets',`
+ gen_require(`
+ type snmp_server_packet_t;
+ ')
+
+ dontaudit $1 snmp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive snmp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_snmp_server_packets',`
+ gen_require(`
+ type snmp_server_packet_t;
+ ')
+
+ allow $1 snmp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive snmp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_snmp_server_packets',`
+ gen_require(`
+ type snmp_server_packet_t;
+ ')
+
+ dontaudit $1 snmp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive snmp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_snmp_server_packets',`
+ corenet_send_snmp_server_packets($1)
+ corenet_receive_snmp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive snmp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_snmp_server_packets',`
+ corenet_dontaudit_send_snmp_server_packets($1)
+ corenet_dontaudit_receive_snmp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to snmp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_snmp_server_packets',`
+ gen_require(`
+ type snmp_server_packet_t;
+ ')
+
+ allow $1 snmp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the socks port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_socks_port',`
+ gen_require(`
+ type socks_port_t;
+ ')
+
+ allow $1 socks_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the socks port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_socks_port',`
+ gen_require(`
+ type socks_port_t;
+ ')
+
+ allow $1 socks_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the socks port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_socks_port',`
+ gen_require(`
+ type socks_port_t;
+ ')
+
+ dontaudit $1 socks_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the socks port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_socks_port',`
+ gen_require(`
+ type socks_port_t;
+ ')
+
+ allow $1 socks_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the socks port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_socks_port',`
+ gen_require(`
+ type socks_port_t;
+ ')
+
+ dontaudit $1 socks_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the socks port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_socks_port',`
+ corenet_udp_send_socks_port($1)
+ corenet_udp_receive_socks_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the socks port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_socks_port',`
+ corenet_dontaudit_udp_send_socks_port($1)
+ corenet_dontaudit_udp_receive_socks_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the socks port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_socks_port',`
+ gen_require(`
+ type socks_port_t;
+ ')
+
+ allow $1 socks_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the socks port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_socks_port',`
+ gen_require(`
+ type socks_port_t;
+ ')
+
+ allow $1 socks_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the socks port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_socks_port',`
+ gen_require(`
+ type socks_port_t;
+ ')
+
+ allow $1 socks_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send socks_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_socks_client_packets',`
+ gen_require(`
+ type socks_client_packet_t;
+ ')
+
+ allow $1 socks_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send socks_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_socks_client_packets',`
+ gen_require(`
+ type socks_client_packet_t;
+ ')
+
+ dontaudit $1 socks_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive socks_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_socks_client_packets',`
+ gen_require(`
+ type socks_client_packet_t;
+ ')
+
+ allow $1 socks_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive socks_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_socks_client_packets',`
+ gen_require(`
+ type socks_client_packet_t;
+ ')
+
+ dontaudit $1 socks_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive socks_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_socks_client_packets',`
+ corenet_send_socks_client_packets($1)
+ corenet_receive_socks_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive socks_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_socks_client_packets',`
+ corenet_dontaudit_send_socks_client_packets($1)
+ corenet_dontaudit_receive_socks_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to socks_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_socks_client_packets',`
+ gen_require(`
+ type socks_client_packet_t;
+ ')
+
+ allow $1 socks_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send socks_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_socks_server_packets',`
+ gen_require(`
+ type socks_server_packet_t;
+ ')
+
+ allow $1 socks_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send socks_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_socks_server_packets',`
+ gen_require(`
+ type socks_server_packet_t;
+ ')
+
+ dontaudit $1 socks_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive socks_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_socks_server_packets',`
+ gen_require(`
+ type socks_server_packet_t;
+ ')
+
+ allow $1 socks_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive socks_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_socks_server_packets',`
+ gen_require(`
+ type socks_server_packet_t;
+ ')
+
+ dontaudit $1 socks_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive socks_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_socks_server_packets',`
+ corenet_send_socks_server_packets($1)
+ corenet_receive_socks_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive socks_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_socks_server_packets',`
+ corenet_dontaudit_send_socks_server_packets($1)
+ corenet_dontaudit_receive_socks_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to socks_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_socks_server_packets',`
+ gen_require(`
+ type socks_server_packet_t;
+ ')
+
+ allow $1 socks_server_packet_t:packet relabelto;
+')
+
+ # no defined portcon
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the soundd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_soundd_port',`
+ gen_require(`
+ type soundd_port_t;
+ ')
+
+ allow $1 soundd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the soundd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_soundd_port',`
+ gen_require(`
+ type soundd_port_t;
+ ')
+
+ allow $1 soundd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the soundd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_soundd_port',`
+ gen_require(`
+ type soundd_port_t;
+ ')
+
+ dontaudit $1 soundd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the soundd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_soundd_port',`
+ gen_require(`
+ type soundd_port_t;
+ ')
+
+ allow $1 soundd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the soundd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_soundd_port',`
+ gen_require(`
+ type soundd_port_t;
+ ')
+
+ dontaudit $1 soundd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the soundd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_soundd_port',`
+ corenet_udp_send_soundd_port($1)
+ corenet_udp_receive_soundd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the soundd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_soundd_port',`
+ corenet_dontaudit_udp_send_soundd_port($1)
+ corenet_dontaudit_udp_receive_soundd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the soundd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_soundd_port',`
+ gen_require(`
+ type soundd_port_t;
+ ')
+
+ allow $1 soundd_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the soundd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_soundd_port',`
+ gen_require(`
+ type soundd_port_t;
+ ')
+
+ allow $1 soundd_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the soundd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_soundd_port',`
+ gen_require(`
+ type soundd_port_t;
+ ')
+
+ allow $1 soundd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send soundd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_soundd_client_packets',`
+ gen_require(`
+ type soundd_client_packet_t;
+ ')
+
+ allow $1 soundd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send soundd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_soundd_client_packets',`
+ gen_require(`
+ type soundd_client_packet_t;
+ ')
+
+ dontaudit $1 soundd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive soundd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_soundd_client_packets',`
+ gen_require(`
+ type soundd_client_packet_t;
+ ')
+
+ allow $1 soundd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive soundd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_soundd_client_packets',`
+ gen_require(`
+ type soundd_client_packet_t;
+ ')
+
+ dontaudit $1 soundd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive soundd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_soundd_client_packets',`
+ corenet_send_soundd_client_packets($1)
+ corenet_receive_soundd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive soundd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_soundd_client_packets',`
+ corenet_dontaudit_send_soundd_client_packets($1)
+ corenet_dontaudit_receive_soundd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to soundd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_soundd_client_packets',`
+ gen_require(`
+ type soundd_client_packet_t;
+ ')
+
+ allow $1 soundd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send soundd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_soundd_server_packets',`
+ gen_require(`
+ type soundd_server_packet_t;
+ ')
+
+ allow $1 soundd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send soundd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_soundd_server_packets',`
+ gen_require(`
+ type soundd_server_packet_t;
+ ')
+
+ dontaudit $1 soundd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive soundd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_soundd_server_packets',`
+ gen_require(`
+ type soundd_server_packet_t;
+ ')
+
+ allow $1 soundd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive soundd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_soundd_server_packets',`
+ gen_require(`
+ type soundd_server_packet_t;
+ ')
+
+ dontaudit $1 soundd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive soundd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_soundd_server_packets',`
+ corenet_send_soundd_server_packets($1)
+ corenet_receive_soundd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive soundd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_soundd_server_packets',`
+ corenet_dontaudit_send_soundd_server_packets($1)
+ corenet_dontaudit_receive_soundd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to soundd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_soundd_server_packets',`
+ gen_require(`
+ type soundd_server_packet_t;
+ ')
+
+ allow $1 soundd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the spamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_spamd_port',`
+ gen_require(`
+ type spamd_port_t;
+ ')
+
+ allow $1 spamd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the spamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_spamd_port',`
+ gen_require(`
+ type spamd_port_t;
+ ')
+
+ allow $1 spamd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the spamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_spamd_port',`
+ gen_require(`
+ type spamd_port_t;
+ ')
+
+ dontaudit $1 spamd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the spamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_spamd_port',`
+ gen_require(`
+ type spamd_port_t;
+ ')
+
+ allow $1 spamd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the spamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_spamd_port',`
+ gen_require(`
+ type spamd_port_t;
+ ')
+
+ dontaudit $1 spamd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the spamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_spamd_port',`
+ corenet_udp_send_spamd_port($1)
+ corenet_udp_receive_spamd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the spamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_spamd_port',`
+ corenet_dontaudit_udp_send_spamd_port($1)
+ corenet_dontaudit_udp_receive_spamd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the spamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_spamd_port',`
+ gen_require(`
+ type spamd_port_t;
+ ')
+
+ allow $1 spamd_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the spamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_spamd_port',`
+ gen_require(`
+ type spamd_port_t;
+ ')
+
+ allow $1 spamd_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the spamd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_spamd_port',`
+ gen_require(`
+ type spamd_port_t;
+ ')
+
+ allow $1 spamd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send spamd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_spamd_client_packets',`
+ gen_require(`
+ type spamd_client_packet_t;
+ ')
+
+ allow $1 spamd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send spamd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_spamd_client_packets',`
+ gen_require(`
+ type spamd_client_packet_t;
+ ')
+
+ dontaudit $1 spamd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive spamd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_spamd_client_packets',`
+ gen_require(`
+ type spamd_client_packet_t;
+ ')
+
+ allow $1 spamd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive spamd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_spamd_client_packets',`
+ gen_require(`
+ type spamd_client_packet_t;
+ ')
+
+ dontaudit $1 spamd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive spamd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_spamd_client_packets',`
+ corenet_send_spamd_client_packets($1)
+ corenet_receive_spamd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive spamd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_spamd_client_packets',`
+ corenet_dontaudit_send_spamd_client_packets($1)
+ corenet_dontaudit_receive_spamd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to spamd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_spamd_client_packets',`
+ gen_require(`
+ type spamd_client_packet_t;
+ ')
+
+ allow $1 spamd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send spamd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_spamd_server_packets',`
+ gen_require(`
+ type spamd_server_packet_t;
+ ')
+
+ allow $1 spamd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send spamd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_spamd_server_packets',`
+ gen_require(`
+ type spamd_server_packet_t;
+ ')
+
+ dontaudit $1 spamd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive spamd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_spamd_server_packets',`
+ gen_require(`
+ type spamd_server_packet_t;
+ ')
+
+ allow $1 spamd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive spamd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_spamd_server_packets',`
+ gen_require(`
+ type spamd_server_packet_t;
+ ')
+
+ dontaudit $1 spamd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive spamd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_spamd_server_packets',`
+ corenet_send_spamd_server_packets($1)
+ corenet_receive_spamd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive spamd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_spamd_server_packets',`
+ corenet_dontaudit_send_spamd_server_packets($1)
+ corenet_dontaudit_receive_spamd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to spamd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_spamd_server_packets',`
+ gen_require(`
+ type spamd_server_packet_t;
+ ')
+
+ allow $1 spamd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the speech port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_speech_port',`
+ gen_require(`
+ type speech_port_t;
+ ')
+
+ allow $1 speech_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the speech port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_speech_port',`
+ gen_require(`
+ type speech_port_t;
+ ')
+
+ allow $1 speech_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the speech port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_speech_port',`
+ gen_require(`
+ type speech_port_t;
+ ')
+
+ dontaudit $1 speech_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the speech port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_speech_port',`
+ gen_require(`
+ type speech_port_t;
+ ')
+
+ allow $1 speech_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the speech port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_speech_port',`
+ gen_require(`
+ type speech_port_t;
+ ')
+
+ dontaudit $1 speech_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the speech port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_speech_port',`
+ corenet_udp_send_speech_port($1)
+ corenet_udp_receive_speech_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the speech port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_speech_port',`
+ corenet_dontaudit_udp_send_speech_port($1)
+ corenet_dontaudit_udp_receive_speech_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the speech port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_speech_port',`
+ gen_require(`
+ type speech_port_t;
+ ')
+
+ allow $1 speech_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the speech port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_speech_port',`
+ gen_require(`
+ type speech_port_t;
+ ')
+
+ allow $1 speech_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the speech port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_speech_port',`
+ gen_require(`
+ type speech_port_t;
+ ')
+
+ allow $1 speech_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send speech_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_speech_client_packets',`
+ gen_require(`
+ type speech_client_packet_t;
+ ')
+
+ allow $1 speech_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send speech_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_speech_client_packets',`
+ gen_require(`
+ type speech_client_packet_t;
+ ')
+
+ dontaudit $1 speech_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive speech_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_speech_client_packets',`
+ gen_require(`
+ type speech_client_packet_t;
+ ')
+
+ allow $1 speech_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive speech_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_speech_client_packets',`
+ gen_require(`
+ type speech_client_packet_t;
+ ')
+
+ dontaudit $1 speech_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive speech_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_speech_client_packets',`
+ corenet_send_speech_client_packets($1)
+ corenet_receive_speech_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive speech_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_speech_client_packets',`
+ corenet_dontaudit_send_speech_client_packets($1)
+ corenet_dontaudit_receive_speech_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to speech_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_speech_client_packets',`
+ gen_require(`
+ type speech_client_packet_t;
+ ')
+
+ allow $1 speech_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send speech_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_speech_server_packets',`
+ gen_require(`
+ type speech_server_packet_t;
+ ')
+
+ allow $1 speech_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send speech_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_speech_server_packets',`
+ gen_require(`
+ type speech_server_packet_t;
+ ')
+
+ dontaudit $1 speech_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive speech_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_speech_server_packets',`
+ gen_require(`
+ type speech_server_packet_t;
+ ')
+
+ allow $1 speech_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive speech_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_speech_server_packets',`
+ gen_require(`
+ type speech_server_packet_t;
+ ')
+
+ dontaudit $1 speech_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive speech_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_speech_server_packets',`
+ corenet_send_speech_server_packets($1)
+ corenet_receive_speech_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive speech_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_speech_server_packets',`
+ corenet_dontaudit_send_speech_server_packets($1)
+ corenet_dontaudit_receive_speech_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to speech_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_speech_server_packets',`
+ gen_require(`
+ type speech_server_packet_t;
+ ')
+
+ allow $1 speech_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the squid port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_squid_port',`
+ gen_require(`
+ type squid_port_t;
+ ')
+
+ allow $1 squid_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the squid port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_squid_port',`
+ gen_require(`
+ type squid_port_t;
+ ')
+
+ allow $1 squid_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the squid port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_squid_port',`
+ gen_require(`
+ type squid_port_t;
+ ')
+
+ dontaudit $1 squid_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the squid port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_squid_port',`
+ gen_require(`
+ type squid_port_t;
+ ')
+
+ allow $1 squid_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the squid port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_squid_port',`
+ gen_require(`
+ type squid_port_t;
+ ')
+
+ dontaudit $1 squid_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the squid port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_squid_port',`
+ corenet_udp_send_squid_port($1)
+ corenet_udp_receive_squid_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the squid port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_squid_port',`
+ corenet_dontaudit_udp_send_squid_port($1)
+ corenet_dontaudit_udp_receive_squid_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the squid port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_squid_port',`
+ gen_require(`
+ type squid_port_t;
+ ')
+
+ allow $1 squid_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the squid port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_squid_port',`
+ gen_require(`
+ type squid_port_t;
+ ')
+
+ allow $1 squid_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the squid port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_squid_port',`
+ gen_require(`
+ type squid_port_t;
+ ')
+
+ allow $1 squid_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send squid_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_squid_client_packets',`
+ gen_require(`
+ type squid_client_packet_t;
+ ')
+
+ allow $1 squid_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send squid_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_squid_client_packets',`
+ gen_require(`
+ type squid_client_packet_t;
+ ')
+
+ dontaudit $1 squid_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive squid_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_squid_client_packets',`
+ gen_require(`
+ type squid_client_packet_t;
+ ')
+
+ allow $1 squid_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive squid_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_squid_client_packets',`
+ gen_require(`
+ type squid_client_packet_t;
+ ')
+
+ dontaudit $1 squid_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive squid_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_squid_client_packets',`
+ corenet_send_squid_client_packets($1)
+ corenet_receive_squid_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive squid_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_squid_client_packets',`
+ corenet_dontaudit_send_squid_client_packets($1)
+ corenet_dontaudit_receive_squid_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to squid_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_squid_client_packets',`
+ gen_require(`
+ type squid_client_packet_t;
+ ')
+
+ allow $1 squid_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send squid_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_squid_server_packets',`
+ gen_require(`
+ type squid_server_packet_t;
+ ')
+
+ allow $1 squid_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send squid_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_squid_server_packets',`
+ gen_require(`
+ type squid_server_packet_t;
+ ')
+
+ dontaudit $1 squid_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive squid_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_squid_server_packets',`
+ gen_require(`
+ type squid_server_packet_t;
+ ')
+
+ allow $1 squid_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive squid_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_squid_server_packets',`
+ gen_require(`
+ type squid_server_packet_t;
+ ')
+
+ dontaudit $1 squid_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive squid_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_squid_server_packets',`
+ corenet_send_squid_server_packets($1)
+ corenet_receive_squid_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive squid_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_squid_server_packets',`
+ corenet_dontaudit_send_squid_server_packets($1)
+ corenet_dontaudit_receive_squid_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to squid_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_squid_server_packets',`
+ gen_require(`
+ type squid_server_packet_t;
+ ')
+
+ allow $1 squid_server_packet_t:packet relabelto;
+')
+
+ # snmp and htcp
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ssh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ssh_port',`
+ gen_require(`
+ type ssh_port_t;
+ ')
+
+ allow $1 ssh_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ssh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ssh_port',`
+ gen_require(`
+ type ssh_port_t;
+ ')
+
+ allow $1 ssh_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ssh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ssh_port',`
+ gen_require(`
+ type ssh_port_t;
+ ')
+
+ dontaudit $1 ssh_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ssh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ssh_port',`
+ gen_require(`
+ type ssh_port_t;
+ ')
+
+ allow $1 ssh_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ssh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ssh_port',`
+ gen_require(`
+ type ssh_port_t;
+ ')
+
+ dontaudit $1 ssh_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ssh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ssh_port',`
+ corenet_udp_send_ssh_port($1)
+ corenet_udp_receive_ssh_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ssh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ssh_port',`
+ corenet_dontaudit_udp_send_ssh_port($1)
+ corenet_dontaudit_udp_receive_ssh_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ssh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ssh_port',`
+ gen_require(`
+ type ssh_port_t;
+ ')
+
+ allow $1 ssh_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ssh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ssh_port',`
+ gen_require(`
+ type ssh_port_t;
+ ')
+
+ allow $1 ssh_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ssh port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ssh_port',`
+ gen_require(`
+ type ssh_port_t;
+ ')
+
+ allow $1 ssh_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ssh_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ssh_client_packets',`
+ gen_require(`
+ type ssh_client_packet_t;
+ ')
+
+ allow $1 ssh_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ssh_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ssh_client_packets',`
+ gen_require(`
+ type ssh_client_packet_t;
+ ')
+
+ dontaudit $1 ssh_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ssh_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ssh_client_packets',`
+ gen_require(`
+ type ssh_client_packet_t;
+ ')
+
+ allow $1 ssh_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ssh_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ssh_client_packets',`
+ gen_require(`
+ type ssh_client_packet_t;
+ ')
+
+ dontaudit $1 ssh_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ssh_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ssh_client_packets',`
+ corenet_send_ssh_client_packets($1)
+ corenet_receive_ssh_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ssh_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ssh_client_packets',`
+ corenet_dontaudit_send_ssh_client_packets($1)
+ corenet_dontaudit_receive_ssh_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ssh_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ssh_client_packets',`
+ gen_require(`
+ type ssh_client_packet_t;
+ ')
+
+ allow $1 ssh_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ssh_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ssh_server_packets',`
+ gen_require(`
+ type ssh_server_packet_t;
+ ')
+
+ allow $1 ssh_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ssh_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ssh_server_packets',`
+ gen_require(`
+ type ssh_server_packet_t;
+ ')
+
+ dontaudit $1 ssh_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ssh_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ssh_server_packets',`
+ gen_require(`
+ type ssh_server_packet_t;
+ ')
+
+ allow $1 ssh_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ssh_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ssh_server_packets',`
+ gen_require(`
+ type ssh_server_packet_t;
+ ')
+
+ dontaudit $1 ssh_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ssh_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ssh_server_packets',`
+ corenet_send_ssh_server_packets($1)
+ corenet_receive_ssh_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ssh_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ssh_server_packets',`
+ corenet_dontaudit_send_ssh_server_packets($1)
+ corenet_dontaudit_receive_ssh_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ssh_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ssh_server_packets',`
+ gen_require(`
+ type ssh_server_packet_t;
+ ')
+
+ allow $1 ssh_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the stunnel port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_stunnel_port',`
+ gen_require(`
+ type stunnel_port_t;
+ ')
+
+ allow $1 stunnel_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the stunnel port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_stunnel_port',`
+ gen_require(`
+ type stunnel_port_t;
+ ')
+
+ allow $1 stunnel_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the stunnel port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_stunnel_port',`
+ gen_require(`
+ type stunnel_port_t;
+ ')
+
+ dontaudit $1 stunnel_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the stunnel port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_stunnel_port',`
+ gen_require(`
+ type stunnel_port_t;
+ ')
+
+ allow $1 stunnel_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the stunnel port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_stunnel_port',`
+ gen_require(`
+ type stunnel_port_t;
+ ')
+
+ dontaudit $1 stunnel_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the stunnel port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_stunnel_port',`
+ corenet_udp_send_stunnel_port($1)
+ corenet_udp_receive_stunnel_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the stunnel port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_stunnel_port',`
+ corenet_dontaudit_udp_send_stunnel_port($1)
+ corenet_dontaudit_udp_receive_stunnel_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the stunnel port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_stunnel_port',`
+ gen_require(`
+ type stunnel_port_t;
+ ')
+
+ allow $1 stunnel_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the stunnel port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_stunnel_port',`
+ gen_require(`
+ type stunnel_port_t;
+ ')
+
+ allow $1 stunnel_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the stunnel port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_stunnel_port',`
+ gen_require(`
+ type stunnel_port_t;
+ ')
+
+ allow $1 stunnel_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send stunnel_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_stunnel_client_packets',`
+ gen_require(`
+ type stunnel_client_packet_t;
+ ')
+
+ allow $1 stunnel_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send stunnel_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_stunnel_client_packets',`
+ gen_require(`
+ type stunnel_client_packet_t;
+ ')
+
+ dontaudit $1 stunnel_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive stunnel_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_stunnel_client_packets',`
+ gen_require(`
+ type stunnel_client_packet_t;
+ ')
+
+ allow $1 stunnel_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive stunnel_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_stunnel_client_packets',`
+ gen_require(`
+ type stunnel_client_packet_t;
+ ')
+
+ dontaudit $1 stunnel_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive stunnel_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_stunnel_client_packets',`
+ corenet_send_stunnel_client_packets($1)
+ corenet_receive_stunnel_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive stunnel_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_stunnel_client_packets',`
+ corenet_dontaudit_send_stunnel_client_packets($1)
+ corenet_dontaudit_receive_stunnel_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to stunnel_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_stunnel_client_packets',`
+ gen_require(`
+ type stunnel_client_packet_t;
+ ')
+
+ allow $1 stunnel_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send stunnel_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_stunnel_server_packets',`
+ gen_require(`
+ type stunnel_server_packet_t;
+ ')
+
+ allow $1 stunnel_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send stunnel_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_stunnel_server_packets',`
+ gen_require(`
+ type stunnel_server_packet_t;
+ ')
+
+ dontaudit $1 stunnel_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive stunnel_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_stunnel_server_packets',`
+ gen_require(`
+ type stunnel_server_packet_t;
+ ')
+
+ allow $1 stunnel_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive stunnel_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_stunnel_server_packets',`
+ gen_require(`
+ type stunnel_server_packet_t;
+ ')
+
+ dontaudit $1 stunnel_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive stunnel_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_stunnel_server_packets',`
+ corenet_send_stunnel_server_packets($1)
+ corenet_receive_stunnel_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive stunnel_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_stunnel_server_packets',`
+ corenet_dontaudit_send_stunnel_server_packets($1)
+ corenet_dontaudit_receive_stunnel_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to stunnel_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_stunnel_server_packets',`
+ gen_require(`
+ type stunnel_server_packet_t;
+ ')
+
+ allow $1 stunnel_server_packet_t:packet relabelto;
+')
+
+ # no defined portcon
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the swat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_swat_port',`
+ gen_require(`
+ type swat_port_t;
+ ')
+
+ allow $1 swat_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the swat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_swat_port',`
+ gen_require(`
+ type swat_port_t;
+ ')
+
+ allow $1 swat_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the swat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_swat_port',`
+ gen_require(`
+ type swat_port_t;
+ ')
+
+ dontaudit $1 swat_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the swat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_swat_port',`
+ gen_require(`
+ type swat_port_t;
+ ')
+
+ allow $1 swat_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the swat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_swat_port',`
+ gen_require(`
+ type swat_port_t;
+ ')
+
+ dontaudit $1 swat_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the swat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_swat_port',`
+ corenet_udp_send_swat_port($1)
+ corenet_udp_receive_swat_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the swat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_swat_port',`
+ corenet_dontaudit_udp_send_swat_port($1)
+ corenet_dontaudit_udp_receive_swat_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the swat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_swat_port',`
+ gen_require(`
+ type swat_port_t;
+ ')
+
+ allow $1 swat_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the swat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_swat_port',`
+ gen_require(`
+ type swat_port_t;
+ ')
+
+ allow $1 swat_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the swat port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_swat_port',`
+ gen_require(`
+ type swat_port_t;
+ ')
+
+ allow $1 swat_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send swat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_swat_client_packets',`
+ gen_require(`
+ type swat_client_packet_t;
+ ')
+
+ allow $1 swat_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send swat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_swat_client_packets',`
+ gen_require(`
+ type swat_client_packet_t;
+ ')
+
+ dontaudit $1 swat_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive swat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_swat_client_packets',`
+ gen_require(`
+ type swat_client_packet_t;
+ ')
+
+ allow $1 swat_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive swat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_swat_client_packets',`
+ gen_require(`
+ type swat_client_packet_t;
+ ')
+
+ dontaudit $1 swat_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive swat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_swat_client_packets',`
+ corenet_send_swat_client_packets($1)
+ corenet_receive_swat_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive swat_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_swat_client_packets',`
+ corenet_dontaudit_send_swat_client_packets($1)
+ corenet_dontaudit_receive_swat_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to swat_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_swat_client_packets',`
+ gen_require(`
+ type swat_client_packet_t;
+ ')
+
+ allow $1 swat_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send swat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_swat_server_packets',`
+ gen_require(`
+ type swat_server_packet_t;
+ ')
+
+ allow $1 swat_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send swat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_swat_server_packets',`
+ gen_require(`
+ type swat_server_packet_t;
+ ')
+
+ dontaudit $1 swat_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive swat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_swat_server_packets',`
+ gen_require(`
+ type swat_server_packet_t;
+ ')
+
+ allow $1 swat_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive swat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_swat_server_packets',`
+ gen_require(`
+ type swat_server_packet_t;
+ ')
+
+ dontaudit $1 swat_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive swat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_swat_server_packets',`
+ corenet_send_swat_server_packets($1)
+ corenet_receive_swat_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive swat_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_swat_server_packets',`
+ corenet_dontaudit_send_swat_server_packets($1)
+ corenet_dontaudit_receive_swat_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to swat_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_swat_server_packets',`
+ gen_require(`
+ type swat_server_packet_t;
+ ')
+
+ allow $1 swat_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the syslogd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_syslogd_port',`
+ gen_require(`
+ type syslogd_port_t;
+ ')
+
+ allow $1 syslogd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the syslogd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_syslogd_port',`
+ gen_require(`
+ type syslogd_port_t;
+ ')
+
+ allow $1 syslogd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the syslogd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_syslogd_port',`
+ gen_require(`
+ type syslogd_port_t;
+ ')
+
+ dontaudit $1 syslogd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the syslogd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_syslogd_port',`
+ gen_require(`
+ type syslogd_port_t;
+ ')
+
+ allow $1 syslogd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the syslogd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_syslogd_port',`
+ gen_require(`
+ type syslogd_port_t;
+ ')
+
+ dontaudit $1 syslogd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the syslogd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_syslogd_port',`
+ corenet_udp_send_syslogd_port($1)
+ corenet_udp_receive_syslogd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the syslogd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_syslogd_port',`
+ corenet_dontaudit_udp_send_syslogd_port($1)
+ corenet_dontaudit_udp_receive_syslogd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the syslogd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_syslogd_port',`
+ gen_require(`
+ type syslogd_port_t;
+ ')
+
+ allow $1 syslogd_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the syslogd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_syslogd_port',`
+ gen_require(`
+ type syslogd_port_t;
+ ')
+
+ allow $1 syslogd_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the syslogd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_syslogd_port',`
+ gen_require(`
+ type syslogd_port_t;
+ ')
+
+ allow $1 syslogd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send syslogd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_syslogd_client_packets',`
+ gen_require(`
+ type syslogd_client_packet_t;
+ ')
+
+ allow $1 syslogd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send syslogd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_syslogd_client_packets',`
+ gen_require(`
+ type syslogd_client_packet_t;
+ ')
+
+ dontaudit $1 syslogd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive syslogd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_syslogd_client_packets',`
+ gen_require(`
+ type syslogd_client_packet_t;
+ ')
+
+ allow $1 syslogd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive syslogd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_syslogd_client_packets',`
+ gen_require(`
+ type syslogd_client_packet_t;
+ ')
+
+ dontaudit $1 syslogd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive syslogd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_syslogd_client_packets',`
+ corenet_send_syslogd_client_packets($1)
+ corenet_receive_syslogd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive syslogd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_syslogd_client_packets',`
+ corenet_dontaudit_send_syslogd_client_packets($1)
+ corenet_dontaudit_receive_syslogd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to syslogd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_syslogd_client_packets',`
+ gen_require(`
+ type syslogd_client_packet_t;
+ ')
+
+ allow $1 syslogd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send syslogd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_syslogd_server_packets',`
+ gen_require(`
+ type syslogd_server_packet_t;
+ ')
+
+ allow $1 syslogd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send syslogd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_syslogd_server_packets',`
+ gen_require(`
+ type syslogd_server_packet_t;
+ ')
+
+ dontaudit $1 syslogd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive syslogd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_syslogd_server_packets',`
+ gen_require(`
+ type syslogd_server_packet_t;
+ ')
+
+ allow $1 syslogd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive syslogd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_syslogd_server_packets',`
+ gen_require(`
+ type syslogd_server_packet_t;
+ ')
+
+ dontaudit $1 syslogd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive syslogd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_syslogd_server_packets',`
+ corenet_send_syslogd_server_packets($1)
+ corenet_receive_syslogd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive syslogd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_syslogd_server_packets',`
+ corenet_dontaudit_send_syslogd_server_packets($1)
+ corenet_dontaudit_receive_syslogd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to syslogd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_syslogd_server_packets',`
+ gen_require(`
+ type syslogd_server_packet_t;
+ ')
+
+ allow $1 syslogd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the tcs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_tcs_port',`
+ gen_require(`
+ type tcs_port_t;
+ ')
+
+ allow $1 tcs_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the tcs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_tcs_port',`
+ gen_require(`
+ type tcs_port_t;
+ ')
+
+ allow $1 tcs_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the tcs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_tcs_port',`
+ gen_require(`
+ type tcs_port_t;
+ ')
+
+ dontaudit $1 tcs_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the tcs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_tcs_port',`
+ gen_require(`
+ type tcs_port_t;
+ ')
+
+ allow $1 tcs_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the tcs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_tcs_port',`
+ gen_require(`
+ type tcs_port_t;
+ ')
+
+ dontaudit $1 tcs_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the tcs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_tcs_port',`
+ corenet_udp_send_tcs_port($1)
+ corenet_udp_receive_tcs_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the tcs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_tcs_port',`
+ corenet_dontaudit_udp_send_tcs_port($1)
+ corenet_dontaudit_udp_receive_tcs_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the tcs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_tcs_port',`
+ gen_require(`
+ type tcs_port_t;
+ ')
+
+ allow $1 tcs_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the tcs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_tcs_port',`
+ gen_require(`
+ type tcs_port_t;
+ ')
+
+ allow $1 tcs_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the tcs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_tcs_port',`
+ gen_require(`
+ type tcs_port_t;
+ ')
+
+ allow $1 tcs_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send tcs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_tcs_client_packets',`
+ gen_require(`
+ type tcs_client_packet_t;
+ ')
+
+ allow $1 tcs_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send tcs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_tcs_client_packets',`
+ gen_require(`
+ type tcs_client_packet_t;
+ ')
+
+ dontaudit $1 tcs_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive tcs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_tcs_client_packets',`
+ gen_require(`
+ type tcs_client_packet_t;
+ ')
+
+ allow $1 tcs_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive tcs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_tcs_client_packets',`
+ gen_require(`
+ type tcs_client_packet_t;
+ ')
+
+ dontaudit $1 tcs_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive tcs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_tcs_client_packets',`
+ corenet_send_tcs_client_packets($1)
+ corenet_receive_tcs_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive tcs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_tcs_client_packets',`
+ corenet_dontaudit_send_tcs_client_packets($1)
+ corenet_dontaudit_receive_tcs_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to tcs_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_tcs_client_packets',`
+ gen_require(`
+ type tcs_client_packet_t;
+ ')
+
+ allow $1 tcs_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send tcs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_tcs_server_packets',`
+ gen_require(`
+ type tcs_server_packet_t;
+ ')
+
+ allow $1 tcs_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send tcs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_tcs_server_packets',`
+ gen_require(`
+ type tcs_server_packet_t;
+ ')
+
+ dontaudit $1 tcs_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive tcs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_tcs_server_packets',`
+ gen_require(`
+ type tcs_server_packet_t;
+ ')
+
+ allow $1 tcs_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive tcs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_tcs_server_packets',`
+ gen_require(`
+ type tcs_server_packet_t;
+ ')
+
+ dontaudit $1 tcs_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive tcs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_tcs_server_packets',`
+ corenet_send_tcs_server_packets($1)
+ corenet_receive_tcs_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive tcs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_tcs_server_packets',`
+ corenet_dontaudit_send_tcs_server_packets($1)
+ corenet_dontaudit_receive_tcs_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to tcs_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_tcs_server_packets',`
+ gen_require(`
+ type tcs_server_packet_t;
+ ')
+
+ allow $1 tcs_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the telnetd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_telnetd_port',`
+ gen_require(`
+ type telnetd_port_t;
+ ')
+
+ allow $1 telnetd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the telnetd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_telnetd_port',`
+ gen_require(`
+ type telnetd_port_t;
+ ')
+
+ allow $1 telnetd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the telnetd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_telnetd_port',`
+ gen_require(`
+ type telnetd_port_t;
+ ')
+
+ dontaudit $1 telnetd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the telnetd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_telnetd_port',`
+ gen_require(`
+ type telnetd_port_t;
+ ')
+
+ allow $1 telnetd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the telnetd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_telnetd_port',`
+ gen_require(`
+ type telnetd_port_t;
+ ')
+
+ dontaudit $1 telnetd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the telnetd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_telnetd_port',`
+ corenet_udp_send_telnetd_port($1)
+ corenet_udp_receive_telnetd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the telnetd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_telnetd_port',`
+ corenet_dontaudit_udp_send_telnetd_port($1)
+ corenet_dontaudit_udp_receive_telnetd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the telnetd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_telnetd_port',`
+ gen_require(`
+ type telnetd_port_t;
+ ')
+
+ allow $1 telnetd_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the telnetd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_telnetd_port',`
+ gen_require(`
+ type telnetd_port_t;
+ ')
+
+ allow $1 telnetd_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the telnetd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_telnetd_port',`
+ gen_require(`
+ type telnetd_port_t;
+ ')
+
+ allow $1 telnetd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send telnetd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_telnetd_client_packets',`
+ gen_require(`
+ type telnetd_client_packet_t;
+ ')
+
+ allow $1 telnetd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send telnetd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_telnetd_client_packets',`
+ gen_require(`
+ type telnetd_client_packet_t;
+ ')
+
+ dontaudit $1 telnetd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive telnetd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_telnetd_client_packets',`
+ gen_require(`
+ type telnetd_client_packet_t;
+ ')
+
+ allow $1 telnetd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive telnetd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_telnetd_client_packets',`
+ gen_require(`
+ type telnetd_client_packet_t;
+ ')
+
+ dontaudit $1 telnetd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive telnetd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_telnetd_client_packets',`
+ corenet_send_telnetd_client_packets($1)
+ corenet_receive_telnetd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive telnetd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_telnetd_client_packets',`
+ corenet_dontaudit_send_telnetd_client_packets($1)
+ corenet_dontaudit_receive_telnetd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to telnetd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_telnetd_client_packets',`
+ gen_require(`
+ type telnetd_client_packet_t;
+ ')
+
+ allow $1 telnetd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send telnetd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_telnetd_server_packets',`
+ gen_require(`
+ type telnetd_server_packet_t;
+ ')
+
+ allow $1 telnetd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send telnetd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_telnetd_server_packets',`
+ gen_require(`
+ type telnetd_server_packet_t;
+ ')
+
+ dontaudit $1 telnetd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive telnetd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_telnetd_server_packets',`
+ gen_require(`
+ type telnetd_server_packet_t;
+ ')
+
+ allow $1 telnetd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive telnetd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_telnetd_server_packets',`
+ gen_require(`
+ type telnetd_server_packet_t;
+ ')
+
+ dontaudit $1 telnetd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive telnetd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_telnetd_server_packets',`
+ corenet_send_telnetd_server_packets($1)
+ corenet_receive_telnetd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive telnetd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_telnetd_server_packets',`
+ corenet_dontaudit_send_telnetd_server_packets($1)
+ corenet_dontaudit_receive_telnetd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to telnetd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_telnetd_server_packets',`
+ gen_require(`
+ type telnetd_server_packet_t;
+ ')
+
+ allow $1 telnetd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the tftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_tftp_port',`
+ gen_require(`
+ type tftp_port_t;
+ ')
+
+ allow $1 tftp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the tftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_tftp_port',`
+ gen_require(`
+ type tftp_port_t;
+ ')
+
+ allow $1 tftp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the tftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_tftp_port',`
+ gen_require(`
+ type tftp_port_t;
+ ')
+
+ dontaudit $1 tftp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the tftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_tftp_port',`
+ gen_require(`
+ type tftp_port_t;
+ ')
+
+ allow $1 tftp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the tftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_tftp_port',`
+ gen_require(`
+ type tftp_port_t;
+ ')
+
+ dontaudit $1 tftp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the tftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_tftp_port',`
+ corenet_udp_send_tftp_port($1)
+ corenet_udp_receive_tftp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the tftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_tftp_port',`
+ corenet_dontaudit_udp_send_tftp_port($1)
+ corenet_dontaudit_udp_receive_tftp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the tftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_tftp_port',`
+ gen_require(`
+ type tftp_port_t;
+ ')
+
+ allow $1 tftp_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the tftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_tftp_port',`
+ gen_require(`
+ type tftp_port_t;
+ ')
+
+ allow $1 tftp_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the tftp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_tftp_port',`
+ gen_require(`
+ type tftp_port_t;
+ ')
+
+ allow $1 tftp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send tftp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_tftp_client_packets',`
+ gen_require(`
+ type tftp_client_packet_t;
+ ')
+
+ allow $1 tftp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send tftp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_tftp_client_packets',`
+ gen_require(`
+ type tftp_client_packet_t;
+ ')
+
+ dontaudit $1 tftp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive tftp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_tftp_client_packets',`
+ gen_require(`
+ type tftp_client_packet_t;
+ ')
+
+ allow $1 tftp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive tftp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_tftp_client_packets',`
+ gen_require(`
+ type tftp_client_packet_t;
+ ')
+
+ dontaudit $1 tftp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive tftp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_tftp_client_packets',`
+ corenet_send_tftp_client_packets($1)
+ corenet_receive_tftp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive tftp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_tftp_client_packets',`
+ corenet_dontaudit_send_tftp_client_packets($1)
+ corenet_dontaudit_receive_tftp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to tftp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_tftp_client_packets',`
+ gen_require(`
+ type tftp_client_packet_t;
+ ')
+
+ allow $1 tftp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send tftp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_tftp_server_packets',`
+ gen_require(`
+ type tftp_server_packet_t;
+ ')
+
+ allow $1 tftp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send tftp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_tftp_server_packets',`
+ gen_require(`
+ type tftp_server_packet_t;
+ ')
+
+ dontaudit $1 tftp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive tftp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_tftp_server_packets',`
+ gen_require(`
+ type tftp_server_packet_t;
+ ')
+
+ allow $1 tftp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive tftp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_tftp_server_packets',`
+ gen_require(`
+ type tftp_server_packet_t;
+ ')
+
+ dontaudit $1 tftp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive tftp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_tftp_server_packets',`
+ corenet_send_tftp_server_packets($1)
+ corenet_receive_tftp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive tftp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_tftp_server_packets',`
+ corenet_dontaudit_send_tftp_server_packets($1)
+ corenet_dontaudit_receive_tftp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to tftp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_tftp_server_packets',`
+ gen_require(`
+ type tftp_server_packet_t;
+ ')
+
+ allow $1 tftp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the tor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_tor_port',`
+ gen_require(`
+ type tor_port_t;
+ ')
+
+ allow $1 tor_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the tor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_tor_port',`
+ gen_require(`
+ type tor_port_t;
+ ')
+
+ allow $1 tor_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the tor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_tor_port',`
+ gen_require(`
+ type tor_port_t;
+ ')
+
+ dontaudit $1 tor_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the tor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_tor_port',`
+ gen_require(`
+ type tor_port_t;
+ ')
+
+ allow $1 tor_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the tor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_tor_port',`
+ gen_require(`
+ type tor_port_t;
+ ')
+
+ dontaudit $1 tor_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the tor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_tor_port',`
+ corenet_udp_send_tor_port($1)
+ corenet_udp_receive_tor_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the tor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_tor_port',`
+ corenet_dontaudit_udp_send_tor_port($1)
+ corenet_dontaudit_udp_receive_tor_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the tor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_tor_port',`
+ gen_require(`
+ type tor_port_t;
+ ')
+
+ allow $1 tor_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the tor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_tor_port',`
+ gen_require(`
+ type tor_port_t;
+ ')
+
+ allow $1 tor_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the tor port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_tor_port',`
+ gen_require(`
+ type tor_port_t;
+ ')
+
+ allow $1 tor_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send tor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_tor_client_packets',`
+ gen_require(`
+ type tor_client_packet_t;
+ ')
+
+ allow $1 tor_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send tor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_tor_client_packets',`
+ gen_require(`
+ type tor_client_packet_t;
+ ')
+
+ dontaudit $1 tor_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive tor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_tor_client_packets',`
+ gen_require(`
+ type tor_client_packet_t;
+ ')
+
+ allow $1 tor_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive tor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_tor_client_packets',`
+ gen_require(`
+ type tor_client_packet_t;
+ ')
+
+ dontaudit $1 tor_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive tor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_tor_client_packets',`
+ corenet_send_tor_client_packets($1)
+ corenet_receive_tor_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive tor_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_tor_client_packets',`
+ corenet_dontaudit_send_tor_client_packets($1)
+ corenet_dontaudit_receive_tor_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to tor_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_tor_client_packets',`
+ gen_require(`
+ type tor_client_packet_t;
+ ')
+
+ allow $1 tor_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send tor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_tor_server_packets',`
+ gen_require(`
+ type tor_server_packet_t;
+ ')
+
+ allow $1 tor_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send tor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_tor_server_packets',`
+ gen_require(`
+ type tor_server_packet_t;
+ ')
+
+ dontaudit $1 tor_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive tor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_tor_server_packets',`
+ gen_require(`
+ type tor_server_packet_t;
+ ')
+
+ allow $1 tor_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive tor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_tor_server_packets',`
+ gen_require(`
+ type tor_server_packet_t;
+ ')
+
+ dontaudit $1 tor_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive tor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_tor_server_packets',`
+ corenet_send_tor_server_packets($1)
+ corenet_receive_tor_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive tor_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_tor_server_packets',`
+ corenet_dontaudit_send_tor_server_packets($1)
+ corenet_dontaudit_receive_tor_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to tor_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_tor_server_packets',`
+ gen_require(`
+ type tor_server_packet_t;
+ ')
+
+ allow $1 tor_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the traceroute port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_traceroute_port',`
+ gen_require(`
+ type traceroute_port_t;
+ ')
+
+ allow $1 traceroute_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the traceroute port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_traceroute_port',`
+ gen_require(`
+ type traceroute_port_t;
+ ')
+
+ allow $1 traceroute_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the traceroute port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_traceroute_port',`
+ gen_require(`
+ type traceroute_port_t;
+ ')
+
+ dontaudit $1 traceroute_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the traceroute port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_traceroute_port',`
+ gen_require(`
+ type traceroute_port_t;
+ ')
+
+ allow $1 traceroute_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the traceroute port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_traceroute_port',`
+ gen_require(`
+ type traceroute_port_t;
+ ')
+
+ dontaudit $1 traceroute_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the traceroute port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_traceroute_port',`
+ corenet_udp_send_traceroute_port($1)
+ corenet_udp_receive_traceroute_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the traceroute port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_traceroute_port',`
+ corenet_dontaudit_udp_send_traceroute_port($1)
+ corenet_dontaudit_udp_receive_traceroute_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the traceroute port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_traceroute_port',`
+ gen_require(`
+ type traceroute_port_t;
+ ')
+
+ allow $1 traceroute_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the traceroute port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_traceroute_port',`
+ gen_require(`
+ type traceroute_port_t;
+ ')
+
+ allow $1 traceroute_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the traceroute port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_traceroute_port',`
+ gen_require(`
+ type traceroute_port_t;
+ ')
+
+ allow $1 traceroute_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send traceroute_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_traceroute_client_packets',`
+ gen_require(`
+ type traceroute_client_packet_t;
+ ')
+
+ allow $1 traceroute_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send traceroute_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_traceroute_client_packets',`
+ gen_require(`
+ type traceroute_client_packet_t;
+ ')
+
+ dontaudit $1 traceroute_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive traceroute_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_traceroute_client_packets',`
+ gen_require(`
+ type traceroute_client_packet_t;
+ ')
+
+ allow $1 traceroute_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive traceroute_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_traceroute_client_packets',`
+ gen_require(`
+ type traceroute_client_packet_t;
+ ')
+
+ dontaudit $1 traceroute_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive traceroute_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_traceroute_client_packets',`
+ corenet_send_traceroute_client_packets($1)
+ corenet_receive_traceroute_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive traceroute_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_traceroute_client_packets',`
+ corenet_dontaudit_send_traceroute_client_packets($1)
+ corenet_dontaudit_receive_traceroute_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to traceroute_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_traceroute_client_packets',`
+ gen_require(`
+ type traceroute_client_packet_t;
+ ')
+
+ allow $1 traceroute_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send traceroute_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_traceroute_server_packets',`
+ gen_require(`
+ type traceroute_server_packet_t;
+ ')
+
+ allow $1 traceroute_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send traceroute_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_traceroute_server_packets',`
+ gen_require(`
+ type traceroute_server_packet_t;
+ ')
+
+ dontaudit $1 traceroute_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive traceroute_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_traceroute_server_packets',`
+ gen_require(`
+ type traceroute_server_packet_t;
+ ')
+
+ allow $1 traceroute_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive traceroute_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_traceroute_server_packets',`
+ gen_require(`
+ type traceroute_server_packet_t;
+ ')
+
+ dontaudit $1 traceroute_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive traceroute_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_traceroute_server_packets',`
+ corenet_send_traceroute_server_packets($1)
+ corenet_receive_traceroute_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive traceroute_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_traceroute_server_packets',`
+ corenet_dontaudit_send_traceroute_server_packets($1)
+ corenet_dontaudit_receive_traceroute_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to traceroute_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_traceroute_server_packets',`
+ gen_require(`
+ type traceroute_server_packet_t;
+ ')
+
+ allow $1 traceroute_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the transproxy port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_transproxy_port',`
+ gen_require(`
+ type transproxy_port_t;
+ ')
+
+ allow $1 transproxy_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the transproxy port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_transproxy_port',`
+ gen_require(`
+ type transproxy_port_t;
+ ')
+
+ allow $1 transproxy_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the transproxy port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_transproxy_port',`
+ gen_require(`
+ type transproxy_port_t;
+ ')
+
+ dontaudit $1 transproxy_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the transproxy port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_transproxy_port',`
+ gen_require(`
+ type transproxy_port_t;
+ ')
+
+ allow $1 transproxy_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the transproxy port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_transproxy_port',`
+ gen_require(`
+ type transproxy_port_t;
+ ')
+
+ dontaudit $1 transproxy_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the transproxy port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_transproxy_port',`
+ corenet_udp_send_transproxy_port($1)
+ corenet_udp_receive_transproxy_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the transproxy port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_transproxy_port',`
+ corenet_dontaudit_udp_send_transproxy_port($1)
+ corenet_dontaudit_udp_receive_transproxy_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the transproxy port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_transproxy_port',`
+ gen_require(`
+ type transproxy_port_t;
+ ')
+
+ allow $1 transproxy_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the transproxy port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_transproxy_port',`
+ gen_require(`
+ type transproxy_port_t;
+ ')
+
+ allow $1 transproxy_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the transproxy port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_transproxy_port',`
+ gen_require(`
+ type transproxy_port_t;
+ ')
+
+ allow $1 transproxy_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send transproxy_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_transproxy_client_packets',`
+ gen_require(`
+ type transproxy_client_packet_t;
+ ')
+
+ allow $1 transproxy_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send transproxy_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_transproxy_client_packets',`
+ gen_require(`
+ type transproxy_client_packet_t;
+ ')
+
+ dontaudit $1 transproxy_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive transproxy_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_transproxy_client_packets',`
+ gen_require(`
+ type transproxy_client_packet_t;
+ ')
+
+ allow $1 transproxy_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive transproxy_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_transproxy_client_packets',`
+ gen_require(`
+ type transproxy_client_packet_t;
+ ')
+
+ dontaudit $1 transproxy_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive transproxy_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_transproxy_client_packets',`
+ corenet_send_transproxy_client_packets($1)
+ corenet_receive_transproxy_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive transproxy_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_transproxy_client_packets',`
+ corenet_dontaudit_send_transproxy_client_packets($1)
+ corenet_dontaudit_receive_transproxy_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to transproxy_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_transproxy_client_packets',`
+ gen_require(`
+ type transproxy_client_packet_t;
+ ')
+
+ allow $1 transproxy_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send transproxy_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_transproxy_server_packets',`
+ gen_require(`
+ type transproxy_server_packet_t;
+ ')
+
+ allow $1 transproxy_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send transproxy_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_transproxy_server_packets',`
+ gen_require(`
+ type transproxy_server_packet_t;
+ ')
+
+ dontaudit $1 transproxy_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive transproxy_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_transproxy_server_packets',`
+ gen_require(`
+ type transproxy_server_packet_t;
+ ')
+
+ allow $1 transproxy_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive transproxy_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_transproxy_server_packets',`
+ gen_require(`
+ type transproxy_server_packet_t;
+ ')
+
+ dontaudit $1 transproxy_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive transproxy_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_transproxy_server_packets',`
+ corenet_send_transproxy_server_packets($1)
+ corenet_receive_transproxy_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive transproxy_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_transproxy_server_packets',`
+ corenet_dontaudit_send_transproxy_server_packets($1)
+ corenet_dontaudit_receive_transproxy_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to transproxy_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_transproxy_server_packets',`
+ gen_require(`
+ type transproxy_server_packet_t;
+ ')
+
+ allow $1 transproxy_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the ups port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_ups_port',`
+ gen_require(`
+ type ups_port_t;
+ ')
+
+ allow $1 ups_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the ups port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_ups_port',`
+ gen_require(`
+ type ups_port_t;
+ ')
+
+ allow $1 ups_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the ups port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_ups_port',`
+ gen_require(`
+ type ups_port_t;
+ ')
+
+ dontaudit $1 ups_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the ups port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_ups_port',`
+ gen_require(`
+ type ups_port_t;
+ ')
+
+ allow $1 ups_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the ups port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_ups_port',`
+ gen_require(`
+ type ups_port_t;
+ ')
+
+ dontaudit $1 ups_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the ups port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_ups_port',`
+ corenet_udp_send_ups_port($1)
+ corenet_udp_receive_ups_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the ups port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_ups_port',`
+ corenet_dontaudit_udp_send_ups_port($1)
+ corenet_dontaudit_udp_receive_ups_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the ups port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_ups_port',`
+ gen_require(`
+ type ups_port_t;
+ ')
+
+ allow $1 ups_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the ups port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_ups_port',`
+ gen_require(`
+ type ups_port_t;
+ ')
+
+ allow $1 ups_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the ups port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_ups_port',`
+ gen_require(`
+ type ups_port_t;
+ ')
+
+ allow $1 ups_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send ups_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ups_client_packets',`
+ gen_require(`
+ type ups_client_packet_t;
+ ')
+
+ allow $1 ups_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ups_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ups_client_packets',`
+ gen_require(`
+ type ups_client_packet_t;
+ ')
+
+ dontaudit $1 ups_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ups_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ups_client_packets',`
+ gen_require(`
+ type ups_client_packet_t;
+ ')
+
+ allow $1 ups_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ups_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ups_client_packets',`
+ gen_require(`
+ type ups_client_packet_t;
+ ')
+
+ dontaudit $1 ups_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ups_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ups_client_packets',`
+ corenet_send_ups_client_packets($1)
+ corenet_receive_ups_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ups_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ups_client_packets',`
+ corenet_dontaudit_send_ups_client_packets($1)
+ corenet_dontaudit_receive_ups_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ups_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ups_client_packets',`
+ gen_require(`
+ type ups_client_packet_t;
+ ')
+
+ allow $1 ups_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send ups_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_ups_server_packets',`
+ gen_require(`
+ type ups_server_packet_t;
+ ')
+
+ allow $1 ups_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send ups_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_ups_server_packets',`
+ gen_require(`
+ type ups_server_packet_t;
+ ')
+
+ dontaudit $1 ups_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive ups_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_ups_server_packets',`
+ gen_require(`
+ type ups_server_packet_t;
+ ')
+
+ allow $1 ups_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive ups_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_ups_server_packets',`
+ gen_require(`
+ type ups_server_packet_t;
+ ')
+
+ dontaudit $1 ups_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive ups_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_ups_server_packets',`
+ corenet_send_ups_server_packets($1)
+ corenet_receive_ups_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive ups_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_ups_server_packets',`
+ corenet_dontaudit_send_ups_server_packets($1)
+ corenet_dontaudit_receive_ups_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to ups_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_ups_server_packets',`
+ gen_require(`
+ type ups_server_packet_t;
+ ')
+
+ allow $1 ups_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the utcpserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_utcpserver_port',`
+ gen_require(`
+ type utcpserver_port_t;
+ ')
+
+ allow $1 utcpserver_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the utcpserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_utcpserver_port',`
+ gen_require(`
+ type utcpserver_port_t;
+ ')
+
+ allow $1 utcpserver_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the utcpserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_utcpserver_port',`
+ gen_require(`
+ type utcpserver_port_t;
+ ')
+
+ dontaudit $1 utcpserver_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the utcpserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_utcpserver_port',`
+ gen_require(`
+ type utcpserver_port_t;
+ ')
+
+ allow $1 utcpserver_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the utcpserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_utcpserver_port',`
+ gen_require(`
+ type utcpserver_port_t;
+ ')
+
+ dontaudit $1 utcpserver_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the utcpserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_utcpserver_port',`
+ corenet_udp_send_utcpserver_port($1)
+ corenet_udp_receive_utcpserver_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the utcpserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_utcpserver_port',`
+ corenet_dontaudit_udp_send_utcpserver_port($1)
+ corenet_dontaudit_udp_receive_utcpserver_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the utcpserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_utcpserver_port',`
+ gen_require(`
+ type utcpserver_port_t;
+ ')
+
+ allow $1 utcpserver_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the utcpserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_utcpserver_port',`
+ gen_require(`
+ type utcpserver_port_t;
+ ')
+
+ allow $1 utcpserver_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the utcpserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_utcpserver_port',`
+ gen_require(`
+ type utcpserver_port_t;
+ ')
+
+ allow $1 utcpserver_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send utcpserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_utcpserver_client_packets',`
+ gen_require(`
+ type utcpserver_client_packet_t;
+ ')
+
+ allow $1 utcpserver_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send utcpserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_utcpserver_client_packets',`
+ gen_require(`
+ type utcpserver_client_packet_t;
+ ')
+
+ dontaudit $1 utcpserver_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive utcpserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_utcpserver_client_packets',`
+ gen_require(`
+ type utcpserver_client_packet_t;
+ ')
+
+ allow $1 utcpserver_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive utcpserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_utcpserver_client_packets',`
+ gen_require(`
+ type utcpserver_client_packet_t;
+ ')
+
+ dontaudit $1 utcpserver_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive utcpserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_utcpserver_client_packets',`
+ corenet_send_utcpserver_client_packets($1)
+ corenet_receive_utcpserver_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive utcpserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_utcpserver_client_packets',`
+ corenet_dontaudit_send_utcpserver_client_packets($1)
+ corenet_dontaudit_receive_utcpserver_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to utcpserver_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_utcpserver_client_packets',`
+ gen_require(`
+ type utcpserver_client_packet_t;
+ ')
+
+ allow $1 utcpserver_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send utcpserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_utcpserver_server_packets',`
+ gen_require(`
+ type utcpserver_server_packet_t;
+ ')
+
+ allow $1 utcpserver_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send utcpserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_utcpserver_server_packets',`
+ gen_require(`
+ type utcpserver_server_packet_t;
+ ')
+
+ dontaudit $1 utcpserver_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive utcpserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_utcpserver_server_packets',`
+ gen_require(`
+ type utcpserver_server_packet_t;
+ ')
+
+ allow $1 utcpserver_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive utcpserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_utcpserver_server_packets',`
+ gen_require(`
+ type utcpserver_server_packet_t;
+ ')
+
+ dontaudit $1 utcpserver_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive utcpserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_utcpserver_server_packets',`
+ corenet_send_utcpserver_server_packets($1)
+ corenet_receive_utcpserver_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive utcpserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_utcpserver_server_packets',`
+ corenet_dontaudit_send_utcpserver_server_packets($1)
+ corenet_dontaudit_receive_utcpserver_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to utcpserver_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_utcpserver_server_packets',`
+ gen_require(`
+ type utcpserver_server_packet_t;
+ ')
+
+ allow $1 utcpserver_server_packet_t:packet relabelto;
+')
+
+ # no defined portcon
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the uucpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_uucpd_port',`
+ gen_require(`
+ type uucpd_port_t;
+ ')
+
+ allow $1 uucpd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the uucpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_uucpd_port',`
+ gen_require(`
+ type uucpd_port_t;
+ ')
+
+ allow $1 uucpd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the uucpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_uucpd_port',`
+ gen_require(`
+ type uucpd_port_t;
+ ')
+
+ dontaudit $1 uucpd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the uucpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_uucpd_port',`
+ gen_require(`
+ type uucpd_port_t;
+ ')
+
+ allow $1 uucpd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the uucpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_uucpd_port',`
+ gen_require(`
+ type uucpd_port_t;
+ ')
+
+ dontaudit $1 uucpd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the uucpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_uucpd_port',`
+ corenet_udp_send_uucpd_port($1)
+ corenet_udp_receive_uucpd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the uucpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_uucpd_port',`
+ corenet_dontaudit_udp_send_uucpd_port($1)
+ corenet_dontaudit_udp_receive_uucpd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the uucpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_uucpd_port',`
+ gen_require(`
+ type uucpd_port_t;
+ ')
+
+ allow $1 uucpd_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the uucpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_uucpd_port',`
+ gen_require(`
+ type uucpd_port_t;
+ ')
+
+ allow $1 uucpd_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the uucpd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_uucpd_port',`
+ gen_require(`
+ type uucpd_port_t;
+ ')
+
+ allow $1 uucpd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send uucpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_uucpd_client_packets',`
+ gen_require(`
+ type uucpd_client_packet_t;
+ ')
+
+ allow $1 uucpd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send uucpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_uucpd_client_packets',`
+ gen_require(`
+ type uucpd_client_packet_t;
+ ')
+
+ dontaudit $1 uucpd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive uucpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_uucpd_client_packets',`
+ gen_require(`
+ type uucpd_client_packet_t;
+ ')
+
+ allow $1 uucpd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive uucpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_uucpd_client_packets',`
+ gen_require(`
+ type uucpd_client_packet_t;
+ ')
+
+ dontaudit $1 uucpd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive uucpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_uucpd_client_packets',`
+ corenet_send_uucpd_client_packets($1)
+ corenet_receive_uucpd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive uucpd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_uucpd_client_packets',`
+ corenet_dontaudit_send_uucpd_client_packets($1)
+ corenet_dontaudit_receive_uucpd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to uucpd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_uucpd_client_packets',`
+ gen_require(`
+ type uucpd_client_packet_t;
+ ')
+
+ allow $1 uucpd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send uucpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_uucpd_server_packets',`
+ gen_require(`
+ type uucpd_server_packet_t;
+ ')
+
+ allow $1 uucpd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send uucpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_uucpd_server_packets',`
+ gen_require(`
+ type uucpd_server_packet_t;
+ ')
+
+ dontaudit $1 uucpd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive uucpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_uucpd_server_packets',`
+ gen_require(`
+ type uucpd_server_packet_t;
+ ')
+
+ allow $1 uucpd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive uucpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_uucpd_server_packets',`
+ gen_require(`
+ type uucpd_server_packet_t;
+ ')
+
+ dontaudit $1 uucpd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive uucpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_uucpd_server_packets',`
+ corenet_send_uucpd_server_packets($1)
+ corenet_receive_uucpd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive uucpd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_uucpd_server_packets',`
+ corenet_dontaudit_send_uucpd_server_packets($1)
+ corenet_dontaudit_receive_uucpd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to uucpd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_uucpd_server_packets',`
+ gen_require(`
+ type uucpd_server_packet_t;
+ ')
+
+ allow $1 uucpd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the varnishd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_varnishd_port',`
+ gen_require(`
+ type varnishd_port_t;
+ ')
+
+ allow $1 varnishd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the varnishd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_varnishd_port',`
+ gen_require(`
+ type varnishd_port_t;
+ ')
+
+ allow $1 varnishd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the varnishd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_varnishd_port',`
+ gen_require(`
+ type varnishd_port_t;
+ ')
+
+ dontaudit $1 varnishd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the varnishd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_varnishd_port',`
+ gen_require(`
+ type varnishd_port_t;
+ ')
+
+ allow $1 varnishd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the varnishd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_varnishd_port',`
+ gen_require(`
+ type varnishd_port_t;
+ ')
+
+ dontaudit $1 varnishd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the varnishd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_varnishd_port',`
+ corenet_udp_send_varnishd_port($1)
+ corenet_udp_receive_varnishd_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the varnishd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_varnishd_port',`
+ corenet_dontaudit_udp_send_varnishd_port($1)
+ corenet_dontaudit_udp_receive_varnishd_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the varnishd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_varnishd_port',`
+ gen_require(`
+ type varnishd_port_t;
+ ')
+
+ allow $1 varnishd_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the varnishd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_varnishd_port',`
+ gen_require(`
+ type varnishd_port_t;
+ ')
+
+ allow $1 varnishd_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the varnishd port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_varnishd_port',`
+ gen_require(`
+ type varnishd_port_t;
+ ')
+
+ allow $1 varnishd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send varnishd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_varnishd_client_packets',`
+ gen_require(`
+ type varnishd_client_packet_t;
+ ')
+
+ allow $1 varnishd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send varnishd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_varnishd_client_packets',`
+ gen_require(`
+ type varnishd_client_packet_t;
+ ')
+
+ dontaudit $1 varnishd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive varnishd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_varnishd_client_packets',`
+ gen_require(`
+ type varnishd_client_packet_t;
+ ')
+
+ allow $1 varnishd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive varnishd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_varnishd_client_packets',`
+ gen_require(`
+ type varnishd_client_packet_t;
+ ')
+
+ dontaudit $1 varnishd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive varnishd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_varnishd_client_packets',`
+ corenet_send_varnishd_client_packets($1)
+ corenet_receive_varnishd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive varnishd_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_varnishd_client_packets',`
+ corenet_dontaudit_send_varnishd_client_packets($1)
+ corenet_dontaudit_receive_varnishd_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to varnishd_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_varnishd_client_packets',`
+ gen_require(`
+ type varnishd_client_packet_t;
+ ')
+
+ allow $1 varnishd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send varnishd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_varnishd_server_packets',`
+ gen_require(`
+ type varnishd_server_packet_t;
+ ')
+
+ allow $1 varnishd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send varnishd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_varnishd_server_packets',`
+ gen_require(`
+ type varnishd_server_packet_t;
+ ')
+
+ dontaudit $1 varnishd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive varnishd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_varnishd_server_packets',`
+ gen_require(`
+ type varnishd_server_packet_t;
+ ')
+
+ allow $1 varnishd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive varnishd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_varnishd_server_packets',`
+ gen_require(`
+ type varnishd_server_packet_t;
+ ')
+
+ dontaudit $1 varnishd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive varnishd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_varnishd_server_packets',`
+ corenet_send_varnishd_server_packets($1)
+ corenet_receive_varnishd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive varnishd_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_varnishd_server_packets',`
+ corenet_dontaudit_send_varnishd_server_packets($1)
+ corenet_dontaudit_receive_varnishd_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to varnishd_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_varnishd_server_packets',`
+ gen_require(`
+ type varnishd_server_packet_t;
+ ')
+
+ allow $1 varnishd_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the virt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_virt_port',`
+ gen_require(`
+ type virt_port_t;
+ ')
+
+ allow $1 virt_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the virt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_virt_port',`
+ gen_require(`
+ type virt_port_t;
+ ')
+
+ allow $1 virt_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the virt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_virt_port',`
+ gen_require(`
+ type virt_port_t;
+ ')
+
+ dontaudit $1 virt_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the virt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_virt_port',`
+ gen_require(`
+ type virt_port_t;
+ ')
+
+ allow $1 virt_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the virt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_virt_port',`
+ gen_require(`
+ type virt_port_t;
+ ')
+
+ dontaudit $1 virt_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the virt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_virt_port',`
+ corenet_udp_send_virt_port($1)
+ corenet_udp_receive_virt_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the virt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_virt_port',`
+ corenet_dontaudit_udp_send_virt_port($1)
+ corenet_dontaudit_udp_receive_virt_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the virt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_virt_port',`
+ gen_require(`
+ type virt_port_t;
+ ')
+
+ allow $1 virt_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the virt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_virt_port',`
+ gen_require(`
+ type virt_port_t;
+ ')
+
+ allow $1 virt_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the virt port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_virt_port',`
+ gen_require(`
+ type virt_port_t;
+ ')
+
+ allow $1 virt_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send virt_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_virt_client_packets',`
+ gen_require(`
+ type virt_client_packet_t;
+ ')
+
+ allow $1 virt_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send virt_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_virt_client_packets',`
+ gen_require(`
+ type virt_client_packet_t;
+ ')
+
+ dontaudit $1 virt_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive virt_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_virt_client_packets',`
+ gen_require(`
+ type virt_client_packet_t;
+ ')
+
+ allow $1 virt_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive virt_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_virt_client_packets',`
+ gen_require(`
+ type virt_client_packet_t;
+ ')
+
+ dontaudit $1 virt_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive virt_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_virt_client_packets',`
+ corenet_send_virt_client_packets($1)
+ corenet_receive_virt_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive virt_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_virt_client_packets',`
+ corenet_dontaudit_send_virt_client_packets($1)
+ corenet_dontaudit_receive_virt_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to virt_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_virt_client_packets',`
+ gen_require(`
+ type virt_client_packet_t;
+ ')
+
+ allow $1 virt_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send virt_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_virt_server_packets',`
+ gen_require(`
+ type virt_server_packet_t;
+ ')
+
+ allow $1 virt_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send virt_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_virt_server_packets',`
+ gen_require(`
+ type virt_server_packet_t;
+ ')
+
+ dontaudit $1 virt_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive virt_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_virt_server_packets',`
+ gen_require(`
+ type virt_server_packet_t;
+ ')
+
+ allow $1 virt_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive virt_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_virt_server_packets',`
+ gen_require(`
+ type virt_server_packet_t;
+ ')
+
+ dontaudit $1 virt_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive virt_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_virt_server_packets',`
+ corenet_send_virt_server_packets($1)
+ corenet_receive_virt_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive virt_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_virt_server_packets',`
+ corenet_dontaudit_send_virt_server_packets($1)
+ corenet_dontaudit_receive_virt_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to virt_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_virt_server_packets',`
+ gen_require(`
+ type virt_server_packet_t;
+ ')
+
+ allow $1 virt_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the virt_migration port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_virt_migration_port',`
+ gen_require(`
+ type virt_migration_port_t;
+ ')
+
+ allow $1 virt_migration_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the virt_migration port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_virt_migration_port',`
+ gen_require(`
+ type virt_migration_port_t;
+ ')
+
+ allow $1 virt_migration_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the virt_migration port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_virt_migration_port',`
+ gen_require(`
+ type virt_migration_port_t;
+ ')
+
+ dontaudit $1 virt_migration_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the virt_migration port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_virt_migration_port',`
+ gen_require(`
+ type virt_migration_port_t;
+ ')
+
+ allow $1 virt_migration_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the virt_migration port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_virt_migration_port',`
+ gen_require(`
+ type virt_migration_port_t;
+ ')
+
+ dontaudit $1 virt_migration_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the virt_migration port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_virt_migration_port',`
+ corenet_udp_send_virt_migration_port($1)
+ corenet_udp_receive_virt_migration_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the virt_migration port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_virt_migration_port',`
+ corenet_dontaudit_udp_send_virt_migration_port($1)
+ corenet_dontaudit_udp_receive_virt_migration_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the virt_migration port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_virt_migration_port',`
+ gen_require(`
+ type virt_migration_port_t;
+ ')
+
+ allow $1 virt_migration_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the virt_migration port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_virt_migration_port',`
+ gen_require(`
+ type virt_migration_port_t;
+ ')
+
+ allow $1 virt_migration_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the virt_migration port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_virt_migration_port',`
+ gen_require(`
+ type virt_migration_port_t;
+ ')
+
+ allow $1 virt_migration_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send virt_migration_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_virt_migration_client_packets',`
+ gen_require(`
+ type virt_migration_client_packet_t;
+ ')
+
+ allow $1 virt_migration_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send virt_migration_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_virt_migration_client_packets',`
+ gen_require(`
+ type virt_migration_client_packet_t;
+ ')
+
+ dontaudit $1 virt_migration_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive virt_migration_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_virt_migration_client_packets',`
+ gen_require(`
+ type virt_migration_client_packet_t;
+ ')
+
+ allow $1 virt_migration_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive virt_migration_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_virt_migration_client_packets',`
+ gen_require(`
+ type virt_migration_client_packet_t;
+ ')
+
+ dontaudit $1 virt_migration_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive virt_migration_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_virt_migration_client_packets',`
+ corenet_send_virt_migration_client_packets($1)
+ corenet_receive_virt_migration_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive virt_migration_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_virt_migration_client_packets',`
+ corenet_dontaudit_send_virt_migration_client_packets($1)
+ corenet_dontaudit_receive_virt_migration_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to virt_migration_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_virt_migration_client_packets',`
+ gen_require(`
+ type virt_migration_client_packet_t;
+ ')
+
+ allow $1 virt_migration_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send virt_migration_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_virt_migration_server_packets',`
+ gen_require(`
+ type virt_migration_server_packet_t;
+ ')
+
+ allow $1 virt_migration_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send virt_migration_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_virt_migration_server_packets',`
+ gen_require(`
+ type virt_migration_server_packet_t;
+ ')
+
+ dontaudit $1 virt_migration_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive virt_migration_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_virt_migration_server_packets',`
+ gen_require(`
+ type virt_migration_server_packet_t;
+ ')
+
+ allow $1 virt_migration_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive virt_migration_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_virt_migration_server_packets',`
+ gen_require(`
+ type virt_migration_server_packet_t;
+ ')
+
+ dontaudit $1 virt_migration_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive virt_migration_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_virt_migration_server_packets',`
+ corenet_send_virt_migration_server_packets($1)
+ corenet_receive_virt_migration_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive virt_migration_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_virt_migration_server_packets',`
+ corenet_dontaudit_send_virt_migration_server_packets($1)
+ corenet_dontaudit_receive_virt_migration_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to virt_migration_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_virt_migration_server_packets',`
+ gen_require(`
+ type virt_migration_server_packet_t;
+ ')
+
+ allow $1 virt_migration_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the vnc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_vnc_port',`
+ gen_require(`
+ type vnc_port_t;
+ ')
+
+ allow $1 vnc_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the vnc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_vnc_port',`
+ gen_require(`
+ type vnc_port_t;
+ ')
+
+ allow $1 vnc_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the vnc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_vnc_port',`
+ gen_require(`
+ type vnc_port_t;
+ ')
+
+ dontaudit $1 vnc_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the vnc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_vnc_port',`
+ gen_require(`
+ type vnc_port_t;
+ ')
+
+ allow $1 vnc_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the vnc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_vnc_port',`
+ gen_require(`
+ type vnc_port_t;
+ ')
+
+ dontaudit $1 vnc_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the vnc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_vnc_port',`
+ corenet_udp_send_vnc_port($1)
+ corenet_udp_receive_vnc_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the vnc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_vnc_port',`
+ corenet_dontaudit_udp_send_vnc_port($1)
+ corenet_dontaudit_udp_receive_vnc_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the vnc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_vnc_port',`
+ gen_require(`
+ type vnc_port_t;
+ ')
+
+ allow $1 vnc_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the vnc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_vnc_port',`
+ gen_require(`
+ type vnc_port_t;
+ ')
+
+ allow $1 vnc_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the vnc port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_vnc_port',`
+ gen_require(`
+ type vnc_port_t;
+ ')
+
+ allow $1 vnc_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send vnc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_vnc_client_packets',`
+ gen_require(`
+ type vnc_client_packet_t;
+ ')
+
+ allow $1 vnc_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send vnc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_vnc_client_packets',`
+ gen_require(`
+ type vnc_client_packet_t;
+ ')
+
+ dontaudit $1 vnc_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive vnc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_vnc_client_packets',`
+ gen_require(`
+ type vnc_client_packet_t;
+ ')
+
+ allow $1 vnc_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive vnc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_vnc_client_packets',`
+ gen_require(`
+ type vnc_client_packet_t;
+ ')
+
+ dontaudit $1 vnc_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive vnc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_vnc_client_packets',`
+ corenet_send_vnc_client_packets($1)
+ corenet_receive_vnc_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive vnc_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_vnc_client_packets',`
+ corenet_dontaudit_send_vnc_client_packets($1)
+ corenet_dontaudit_receive_vnc_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to vnc_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_vnc_client_packets',`
+ gen_require(`
+ type vnc_client_packet_t;
+ ')
+
+ allow $1 vnc_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send vnc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_vnc_server_packets',`
+ gen_require(`
+ type vnc_server_packet_t;
+ ')
+
+ allow $1 vnc_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send vnc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_vnc_server_packets',`
+ gen_require(`
+ type vnc_server_packet_t;
+ ')
+
+ dontaudit $1 vnc_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive vnc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_vnc_server_packets',`
+ gen_require(`
+ type vnc_server_packet_t;
+ ')
+
+ allow $1 vnc_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive vnc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_vnc_server_packets',`
+ gen_require(`
+ type vnc_server_packet_t;
+ ')
+
+ dontaudit $1 vnc_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive vnc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_vnc_server_packets',`
+ corenet_send_vnc_server_packets($1)
+ corenet_receive_vnc_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive vnc_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_vnc_server_packets',`
+ corenet_dontaudit_send_vnc_server_packets($1)
+ corenet_dontaudit_receive_vnc_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to vnc_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_vnc_server_packets',`
+ gen_require(`
+ type vnc_server_packet_t;
+ ')
+
+ allow $1 vnc_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the wccp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_wccp_port',`
+ gen_require(`
+ type wccp_port_t;
+ ')
+
+ allow $1 wccp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the wccp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_wccp_port',`
+ gen_require(`
+ type wccp_port_t;
+ ')
+
+ allow $1 wccp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the wccp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_wccp_port',`
+ gen_require(`
+ type wccp_port_t;
+ ')
+
+ dontaudit $1 wccp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the wccp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_wccp_port',`
+ gen_require(`
+ type wccp_port_t;
+ ')
+
+ allow $1 wccp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the wccp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_wccp_port',`
+ gen_require(`
+ type wccp_port_t;
+ ')
+
+ dontaudit $1 wccp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the wccp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_wccp_port',`
+ corenet_udp_send_wccp_port($1)
+ corenet_udp_receive_wccp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the wccp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_wccp_port',`
+ corenet_dontaudit_udp_send_wccp_port($1)
+ corenet_dontaudit_udp_receive_wccp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the wccp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_wccp_port',`
+ gen_require(`
+ type wccp_port_t;
+ ')
+
+ allow $1 wccp_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the wccp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_wccp_port',`
+ gen_require(`
+ type wccp_port_t;
+ ')
+
+ allow $1 wccp_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the wccp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_wccp_port',`
+ gen_require(`
+ type wccp_port_t;
+ ')
+
+ allow $1 wccp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send wccp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_wccp_client_packets',`
+ gen_require(`
+ type wccp_client_packet_t;
+ ')
+
+ allow $1 wccp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send wccp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_wccp_client_packets',`
+ gen_require(`
+ type wccp_client_packet_t;
+ ')
+
+ dontaudit $1 wccp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive wccp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_wccp_client_packets',`
+ gen_require(`
+ type wccp_client_packet_t;
+ ')
+
+ allow $1 wccp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive wccp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_wccp_client_packets',`
+ gen_require(`
+ type wccp_client_packet_t;
+ ')
+
+ dontaudit $1 wccp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive wccp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_wccp_client_packets',`
+ corenet_send_wccp_client_packets($1)
+ corenet_receive_wccp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive wccp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_wccp_client_packets',`
+ corenet_dontaudit_send_wccp_client_packets($1)
+ corenet_dontaudit_receive_wccp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to wccp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_wccp_client_packets',`
+ gen_require(`
+ type wccp_client_packet_t;
+ ')
+
+ allow $1 wccp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send wccp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_wccp_server_packets',`
+ gen_require(`
+ type wccp_server_packet_t;
+ ')
+
+ allow $1 wccp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send wccp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_wccp_server_packets',`
+ gen_require(`
+ type wccp_server_packet_t;
+ ')
+
+ dontaudit $1 wccp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive wccp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_wccp_server_packets',`
+ gen_require(`
+ type wccp_server_packet_t;
+ ')
+
+ allow $1 wccp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive wccp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_wccp_server_packets',`
+ gen_require(`
+ type wccp_server_packet_t;
+ ')
+
+ dontaudit $1 wccp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive wccp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_wccp_server_packets',`
+ corenet_send_wccp_server_packets($1)
+ corenet_receive_wccp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive wccp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_wccp_server_packets',`
+ corenet_dontaudit_send_wccp_server_packets($1)
+ corenet_dontaudit_receive_wccp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to wccp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_wccp_server_packets',`
+ gen_require(`
+ type wccp_server_packet_t;
+ ')
+
+ allow $1 wccp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the whois port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_whois_port',`
+ gen_require(`
+ type whois_port_t;
+ ')
+
+ allow $1 whois_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the whois port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_whois_port',`
+ gen_require(`
+ type whois_port_t;
+ ')
+
+ allow $1 whois_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the whois port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_whois_port',`
+ gen_require(`
+ type whois_port_t;
+ ')
+
+ dontaudit $1 whois_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the whois port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_whois_port',`
+ gen_require(`
+ type whois_port_t;
+ ')
+
+ allow $1 whois_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the whois port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_whois_port',`
+ gen_require(`
+ type whois_port_t;
+ ')
+
+ dontaudit $1 whois_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the whois port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_whois_port',`
+ corenet_udp_send_whois_port($1)
+ corenet_udp_receive_whois_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the whois port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_whois_port',`
+ corenet_dontaudit_udp_send_whois_port($1)
+ corenet_dontaudit_udp_receive_whois_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the whois port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_whois_port',`
+ gen_require(`
+ type whois_port_t;
+ ')
+
+ allow $1 whois_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the whois port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_whois_port',`
+ gen_require(`
+ type whois_port_t;
+ ')
+
+ allow $1 whois_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the whois port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_whois_port',`
+ gen_require(`
+ type whois_port_t;
+ ')
+
+ allow $1 whois_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send whois_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_whois_client_packets',`
+ gen_require(`
+ type whois_client_packet_t;
+ ')
+
+ allow $1 whois_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send whois_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_whois_client_packets',`
+ gen_require(`
+ type whois_client_packet_t;
+ ')
+
+ dontaudit $1 whois_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive whois_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_whois_client_packets',`
+ gen_require(`
+ type whois_client_packet_t;
+ ')
+
+ allow $1 whois_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive whois_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_whois_client_packets',`
+ gen_require(`
+ type whois_client_packet_t;
+ ')
+
+ dontaudit $1 whois_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive whois_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_whois_client_packets',`
+ corenet_send_whois_client_packets($1)
+ corenet_receive_whois_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive whois_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_whois_client_packets',`
+ corenet_dontaudit_send_whois_client_packets($1)
+ corenet_dontaudit_receive_whois_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to whois_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_whois_client_packets',`
+ gen_require(`
+ type whois_client_packet_t;
+ ')
+
+ allow $1 whois_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send whois_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_whois_server_packets',`
+ gen_require(`
+ type whois_server_packet_t;
+ ')
+
+ allow $1 whois_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send whois_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_whois_server_packets',`
+ gen_require(`
+ type whois_server_packet_t;
+ ')
+
+ dontaudit $1 whois_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive whois_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_whois_server_packets',`
+ gen_require(`
+ type whois_server_packet_t;
+ ')
+
+ allow $1 whois_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive whois_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_whois_server_packets',`
+ gen_require(`
+ type whois_server_packet_t;
+ ')
+
+ dontaudit $1 whois_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive whois_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_whois_server_packets',`
+ corenet_send_whois_server_packets($1)
+ corenet_receive_whois_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive whois_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_whois_server_packets',`
+ corenet_dontaudit_send_whois_server_packets($1)
+ corenet_dontaudit_receive_whois_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to whois_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_whois_server_packets',`
+ gen_require(`
+ type whois_server_packet_t;
+ ')
+
+ allow $1 whois_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the xdmcp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_xdmcp_port',`
+ gen_require(`
+ type xdmcp_port_t;
+ ')
+
+ allow $1 xdmcp_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the xdmcp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_xdmcp_port',`
+ gen_require(`
+ type xdmcp_port_t;
+ ')
+
+ allow $1 xdmcp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the xdmcp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_xdmcp_port',`
+ gen_require(`
+ type xdmcp_port_t;
+ ')
+
+ dontaudit $1 xdmcp_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the xdmcp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_xdmcp_port',`
+ gen_require(`
+ type xdmcp_port_t;
+ ')
+
+ allow $1 xdmcp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the xdmcp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_xdmcp_port',`
+ gen_require(`
+ type xdmcp_port_t;
+ ')
+
+ dontaudit $1 xdmcp_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the xdmcp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_xdmcp_port',`
+ corenet_udp_send_xdmcp_port($1)
+ corenet_udp_receive_xdmcp_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the xdmcp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_xdmcp_port',`
+ corenet_dontaudit_udp_send_xdmcp_port($1)
+ corenet_dontaudit_udp_receive_xdmcp_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the xdmcp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_xdmcp_port',`
+ gen_require(`
+ type xdmcp_port_t;
+ ')
+
+ allow $1 xdmcp_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the xdmcp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_xdmcp_port',`
+ gen_require(`
+ type xdmcp_port_t;
+ ')
+
+ allow $1 xdmcp_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the xdmcp port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_xdmcp_port',`
+ gen_require(`
+ type xdmcp_port_t;
+ ')
+
+ allow $1 xdmcp_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send xdmcp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_xdmcp_client_packets',`
+ gen_require(`
+ type xdmcp_client_packet_t;
+ ')
+
+ allow $1 xdmcp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send xdmcp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_xdmcp_client_packets',`
+ gen_require(`
+ type xdmcp_client_packet_t;
+ ')
+
+ dontaudit $1 xdmcp_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive xdmcp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_xdmcp_client_packets',`
+ gen_require(`
+ type xdmcp_client_packet_t;
+ ')
+
+ allow $1 xdmcp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive xdmcp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_xdmcp_client_packets',`
+ gen_require(`
+ type xdmcp_client_packet_t;
+ ')
+
+ dontaudit $1 xdmcp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive xdmcp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_xdmcp_client_packets',`
+ corenet_send_xdmcp_client_packets($1)
+ corenet_receive_xdmcp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive xdmcp_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_xdmcp_client_packets',`
+ corenet_dontaudit_send_xdmcp_client_packets($1)
+ corenet_dontaudit_receive_xdmcp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to xdmcp_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_xdmcp_client_packets',`
+ gen_require(`
+ type xdmcp_client_packet_t;
+ ')
+
+ allow $1 xdmcp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send xdmcp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_xdmcp_server_packets',`
+ gen_require(`
+ type xdmcp_server_packet_t;
+ ')
+
+ allow $1 xdmcp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send xdmcp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_xdmcp_server_packets',`
+ gen_require(`
+ type xdmcp_server_packet_t;
+ ')
+
+ dontaudit $1 xdmcp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive xdmcp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_xdmcp_server_packets',`
+ gen_require(`
+ type xdmcp_server_packet_t;
+ ')
+
+ allow $1 xdmcp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive xdmcp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_xdmcp_server_packets',`
+ gen_require(`
+ type xdmcp_server_packet_t;
+ ')
+
+ dontaudit $1 xdmcp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive xdmcp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_xdmcp_server_packets',`
+ corenet_send_xdmcp_server_packets($1)
+ corenet_receive_xdmcp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive xdmcp_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_xdmcp_server_packets',`
+ corenet_dontaudit_send_xdmcp_server_packets($1)
+ corenet_dontaudit_receive_xdmcp_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to xdmcp_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_xdmcp_server_packets',`
+ gen_require(`
+ type xdmcp_server_packet_t;
+ ')
+
+ allow $1 xdmcp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the xen port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_xen_port',`
+ gen_require(`
+ type xen_port_t;
+ ')
+
+ allow $1 xen_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the xen port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_xen_port',`
+ gen_require(`
+ type xen_port_t;
+ ')
+
+ allow $1 xen_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the xen port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_xen_port',`
+ gen_require(`
+ type xen_port_t;
+ ')
+
+ dontaudit $1 xen_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the xen port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_xen_port',`
+ gen_require(`
+ type xen_port_t;
+ ')
+
+ allow $1 xen_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the xen port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_xen_port',`
+ gen_require(`
+ type xen_port_t;
+ ')
+
+ dontaudit $1 xen_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the xen port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_xen_port',`
+ corenet_udp_send_xen_port($1)
+ corenet_udp_receive_xen_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the xen port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_xen_port',`
+ corenet_dontaudit_udp_send_xen_port($1)
+ corenet_dontaudit_udp_receive_xen_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the xen port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_xen_port',`
+ gen_require(`
+ type xen_port_t;
+ ')
+
+ allow $1 xen_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the xen port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_xen_port',`
+ gen_require(`
+ type xen_port_t;
+ ')
+
+ allow $1 xen_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the xen port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_xen_port',`
+ gen_require(`
+ type xen_port_t;
+ ')
+
+ allow $1 xen_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send xen_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_xen_client_packets',`
+ gen_require(`
+ type xen_client_packet_t;
+ ')
+
+ allow $1 xen_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send xen_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_xen_client_packets',`
+ gen_require(`
+ type xen_client_packet_t;
+ ')
+
+ dontaudit $1 xen_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive xen_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_xen_client_packets',`
+ gen_require(`
+ type xen_client_packet_t;
+ ')
+
+ allow $1 xen_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive xen_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_xen_client_packets',`
+ gen_require(`
+ type xen_client_packet_t;
+ ')
+
+ dontaudit $1 xen_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive xen_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_xen_client_packets',`
+ corenet_send_xen_client_packets($1)
+ corenet_receive_xen_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive xen_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_xen_client_packets',`
+ corenet_dontaudit_send_xen_client_packets($1)
+ corenet_dontaudit_receive_xen_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to xen_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_xen_client_packets',`
+ gen_require(`
+ type xen_client_packet_t;
+ ')
+
+ allow $1 xen_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send xen_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_xen_server_packets',`
+ gen_require(`
+ type xen_server_packet_t;
+ ')
+
+ allow $1 xen_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send xen_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_xen_server_packets',`
+ gen_require(`
+ type xen_server_packet_t;
+ ')
+
+ dontaudit $1 xen_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive xen_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_xen_server_packets',`
+ gen_require(`
+ type xen_server_packet_t;
+ ')
+
+ allow $1 xen_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive xen_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_xen_server_packets',`
+ gen_require(`
+ type xen_server_packet_t;
+ ')
+
+ dontaudit $1 xen_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive xen_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_xen_server_packets',`
+ corenet_send_xen_server_packets($1)
+ corenet_receive_xen_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive xen_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_xen_server_packets',`
+ corenet_dontaudit_send_xen_server_packets($1)
+ corenet_dontaudit_receive_xen_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to xen_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_xen_server_packets',`
+ gen_require(`
+ type xen_server_packet_t;
+ ')
+
+ allow $1 xen_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the xfs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_xfs_port',`
+ gen_require(`
+ type xfs_port_t;
+ ')
+
+ allow $1 xfs_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the xfs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_xfs_port',`
+ gen_require(`
+ type xfs_port_t;
+ ')
+
+ allow $1 xfs_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the xfs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_xfs_port',`
+ gen_require(`
+ type xfs_port_t;
+ ')
+
+ dontaudit $1 xfs_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the xfs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_xfs_port',`
+ gen_require(`
+ type xfs_port_t;
+ ')
+
+ allow $1 xfs_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the xfs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_xfs_port',`
+ gen_require(`
+ type xfs_port_t;
+ ')
+
+ dontaudit $1 xfs_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the xfs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_xfs_port',`
+ corenet_udp_send_xfs_port($1)
+ corenet_udp_receive_xfs_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the xfs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_xfs_port',`
+ corenet_dontaudit_udp_send_xfs_port($1)
+ corenet_dontaudit_udp_receive_xfs_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the xfs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_xfs_port',`
+ gen_require(`
+ type xfs_port_t;
+ ')
+
+ allow $1 xfs_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the xfs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_xfs_port',`
+ gen_require(`
+ type xfs_port_t;
+ ')
+
+ allow $1 xfs_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the xfs port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_xfs_port',`
+ gen_require(`
+ type xfs_port_t;
+ ')
+
+ allow $1 xfs_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send xfs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_xfs_client_packets',`
+ gen_require(`
+ type xfs_client_packet_t;
+ ')
+
+ allow $1 xfs_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send xfs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_xfs_client_packets',`
+ gen_require(`
+ type xfs_client_packet_t;
+ ')
+
+ dontaudit $1 xfs_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive xfs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_xfs_client_packets',`
+ gen_require(`
+ type xfs_client_packet_t;
+ ')
+
+ allow $1 xfs_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive xfs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_xfs_client_packets',`
+ gen_require(`
+ type xfs_client_packet_t;
+ ')
+
+ dontaudit $1 xfs_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive xfs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_xfs_client_packets',`
+ corenet_send_xfs_client_packets($1)
+ corenet_receive_xfs_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive xfs_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_xfs_client_packets',`
+ corenet_dontaudit_send_xfs_client_packets($1)
+ corenet_dontaudit_receive_xfs_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to xfs_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_xfs_client_packets',`
+ gen_require(`
+ type xfs_client_packet_t;
+ ')
+
+ allow $1 xfs_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send xfs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_xfs_server_packets',`
+ gen_require(`
+ type xfs_server_packet_t;
+ ')
+
+ allow $1 xfs_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send xfs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_xfs_server_packets',`
+ gen_require(`
+ type xfs_server_packet_t;
+ ')
+
+ dontaudit $1 xfs_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive xfs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_xfs_server_packets',`
+ gen_require(`
+ type xfs_server_packet_t;
+ ')
+
+ allow $1 xfs_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive xfs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_xfs_server_packets',`
+ gen_require(`
+ type xfs_server_packet_t;
+ ')
+
+ dontaudit $1 xfs_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive xfs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_xfs_server_packets',`
+ corenet_send_xfs_server_packets($1)
+ corenet_receive_xfs_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive xfs_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_xfs_server_packets',`
+ corenet_dontaudit_send_xfs_server_packets($1)
+ corenet_dontaudit_receive_xfs_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to xfs_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_xfs_server_packets',`
+ gen_require(`
+ type xfs_server_packet_t;
+ ')
+
+ allow $1 xfs_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the xserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_xserver_port',`
+ gen_require(`
+ type xserver_port_t;
+ ')
+
+ allow $1 xserver_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the xserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_xserver_port',`
+ gen_require(`
+ type xserver_port_t;
+ ')
+
+ allow $1 xserver_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the xserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_xserver_port',`
+ gen_require(`
+ type xserver_port_t;
+ ')
+
+ dontaudit $1 xserver_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the xserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_xserver_port',`
+ gen_require(`
+ type xserver_port_t;
+ ')
+
+ allow $1 xserver_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the xserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_xserver_port',`
+ gen_require(`
+ type xserver_port_t;
+ ')
+
+ dontaudit $1 xserver_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the xserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_xserver_port',`
+ corenet_udp_send_xserver_port($1)
+ corenet_udp_receive_xserver_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the xserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_xserver_port',`
+ corenet_dontaudit_udp_send_xserver_port($1)
+ corenet_dontaudit_udp_receive_xserver_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the xserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_xserver_port',`
+ gen_require(`
+ type xserver_port_t;
+ ')
+
+ allow $1 xserver_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the xserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_xserver_port',`
+ gen_require(`
+ type xserver_port_t;
+ ')
+
+ allow $1 xserver_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the xserver port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_xserver_port',`
+ gen_require(`
+ type xserver_port_t;
+ ')
+
+ allow $1 xserver_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send xserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_xserver_client_packets',`
+ gen_require(`
+ type xserver_client_packet_t;
+ ')
+
+ allow $1 xserver_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send xserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_xserver_client_packets',`
+ gen_require(`
+ type xserver_client_packet_t;
+ ')
+
+ dontaudit $1 xserver_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive xserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_xserver_client_packets',`
+ gen_require(`
+ type xserver_client_packet_t;
+ ')
+
+ allow $1 xserver_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive xserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_xserver_client_packets',`
+ gen_require(`
+ type xserver_client_packet_t;
+ ')
+
+ dontaudit $1 xserver_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive xserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_xserver_client_packets',`
+ corenet_send_xserver_client_packets($1)
+ corenet_receive_xserver_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive xserver_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_xserver_client_packets',`
+ corenet_dontaudit_send_xserver_client_packets($1)
+ corenet_dontaudit_receive_xserver_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to xserver_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_xserver_client_packets',`
+ gen_require(`
+ type xserver_client_packet_t;
+ ')
+
+ allow $1 xserver_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send xserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_xserver_server_packets',`
+ gen_require(`
+ type xserver_server_packet_t;
+ ')
+
+ allow $1 xserver_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send xserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_xserver_server_packets',`
+ gen_require(`
+ type xserver_server_packet_t;
+ ')
+
+ dontaudit $1 xserver_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive xserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_xserver_server_packets',`
+ gen_require(`
+ type xserver_server_packet_t;
+ ')
+
+ allow $1 xserver_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive xserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_xserver_server_packets',`
+ gen_require(`
+ type xserver_server_packet_t;
+ ')
+
+ dontaudit $1 xserver_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive xserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_xserver_server_packets',`
+ corenet_send_xserver_server_packets($1)
+ corenet_receive_xserver_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive xserver_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_xserver_server_packets',`
+ corenet_dontaudit_send_xserver_server_packets($1)
+ corenet_dontaudit_receive_xserver_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to xserver_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_xserver_server_packets',`
+ gen_require(`
+ type xserver_server_packet_t;
+ ')
+
+ allow $1 xserver_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the zarafa port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_zarafa_port',`
+ gen_require(`
+ type zarafa_port_t;
+ ')
+
+ allow $1 zarafa_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the zarafa port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_zarafa_port',`
+ gen_require(`
+ type zarafa_port_t;
+ ')
+
+ allow $1 zarafa_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the zarafa port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_zarafa_port',`
+ gen_require(`
+ type zarafa_port_t;
+ ')
+
+ dontaudit $1 zarafa_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the zarafa port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_zarafa_port',`
+ gen_require(`
+ type zarafa_port_t;
+ ')
+
+ allow $1 zarafa_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the zarafa port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_zarafa_port',`
+ gen_require(`
+ type zarafa_port_t;
+ ')
+
+ dontaudit $1 zarafa_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the zarafa port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_zarafa_port',`
+ corenet_udp_send_zarafa_port($1)
+ corenet_udp_receive_zarafa_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the zarafa port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_zarafa_port',`
+ corenet_dontaudit_udp_send_zarafa_port($1)
+ corenet_dontaudit_udp_receive_zarafa_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the zarafa port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_zarafa_port',`
+ gen_require(`
+ type zarafa_port_t;
+ ')
+
+ allow $1 zarafa_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the zarafa port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_zarafa_port',`
+ gen_require(`
+ type zarafa_port_t;
+ ')
+
+ allow $1 zarafa_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the zarafa port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_zarafa_port',`
+ gen_require(`
+ type zarafa_port_t;
+ ')
+
+ allow $1 zarafa_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send zarafa_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zarafa_client_packets',`
+ gen_require(`
+ type zarafa_client_packet_t;
+ ')
+
+ allow $1 zarafa_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zarafa_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zarafa_client_packets',`
+ gen_require(`
+ type zarafa_client_packet_t;
+ ')
+
+ dontaudit $1 zarafa_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zarafa_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zarafa_client_packets',`
+ gen_require(`
+ type zarafa_client_packet_t;
+ ')
+
+ allow $1 zarafa_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zarafa_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zarafa_client_packets',`
+ gen_require(`
+ type zarafa_client_packet_t;
+ ')
+
+ dontaudit $1 zarafa_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zarafa_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zarafa_client_packets',`
+ corenet_send_zarafa_client_packets($1)
+ corenet_receive_zarafa_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zarafa_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zarafa_client_packets',`
+ corenet_dontaudit_send_zarafa_client_packets($1)
+ corenet_dontaudit_receive_zarafa_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zarafa_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zarafa_client_packets',`
+ gen_require(`
+ type zarafa_client_packet_t;
+ ')
+
+ allow $1 zarafa_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send zarafa_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zarafa_server_packets',`
+ gen_require(`
+ type zarafa_server_packet_t;
+ ')
+
+ allow $1 zarafa_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zarafa_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zarafa_server_packets',`
+ gen_require(`
+ type zarafa_server_packet_t;
+ ')
+
+ dontaudit $1 zarafa_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zarafa_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zarafa_server_packets',`
+ gen_require(`
+ type zarafa_server_packet_t;
+ ')
+
+ allow $1 zarafa_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zarafa_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zarafa_server_packets',`
+ gen_require(`
+ type zarafa_server_packet_t;
+ ')
+
+ dontaudit $1 zarafa_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zarafa_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zarafa_server_packets',`
+ corenet_send_zarafa_server_packets($1)
+ corenet_receive_zarafa_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zarafa_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zarafa_server_packets',`
+ corenet_dontaudit_send_zarafa_server_packets($1)
+ corenet_dontaudit_receive_zarafa_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zarafa_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zarafa_server_packets',`
+ gen_require(`
+ type zarafa_server_packet_t;
+ ')
+
+ allow $1 zarafa_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the zabbix port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_zabbix_port',`
+ gen_require(`
+ type zabbix_port_t;
+ ')
+
+ allow $1 zabbix_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the zabbix port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_zabbix_port',`
+ gen_require(`
+ type zabbix_port_t;
+ ')
+
+ allow $1 zabbix_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the zabbix port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_zabbix_port',`
+ gen_require(`
+ type zabbix_port_t;
+ ')
+
+ dontaudit $1 zabbix_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the zabbix port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_zabbix_port',`
+ gen_require(`
+ type zabbix_port_t;
+ ')
+
+ allow $1 zabbix_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the zabbix port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_zabbix_port',`
+ gen_require(`
+ type zabbix_port_t;
+ ')
+
+ dontaudit $1 zabbix_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the zabbix port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_zabbix_port',`
+ corenet_udp_send_zabbix_port($1)
+ corenet_udp_receive_zabbix_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the zabbix port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_zabbix_port',`
+ corenet_dontaudit_udp_send_zabbix_port($1)
+ corenet_dontaudit_udp_receive_zabbix_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the zabbix port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_zabbix_port',`
+ gen_require(`
+ type zabbix_port_t;
+ ')
+
+ allow $1 zabbix_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the zabbix port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_zabbix_port',`
+ gen_require(`
+ type zabbix_port_t;
+ ')
+
+ allow $1 zabbix_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the zabbix port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_zabbix_port',`
+ gen_require(`
+ type zabbix_port_t;
+ ')
+
+ allow $1 zabbix_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send zabbix_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zabbix_client_packets',`
+ gen_require(`
+ type zabbix_client_packet_t;
+ ')
+
+ allow $1 zabbix_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zabbix_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zabbix_client_packets',`
+ gen_require(`
+ type zabbix_client_packet_t;
+ ')
+
+ dontaudit $1 zabbix_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zabbix_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zabbix_client_packets',`
+ gen_require(`
+ type zabbix_client_packet_t;
+ ')
+
+ allow $1 zabbix_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zabbix_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zabbix_client_packets',`
+ gen_require(`
+ type zabbix_client_packet_t;
+ ')
+
+ dontaudit $1 zabbix_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zabbix_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zabbix_client_packets',`
+ corenet_send_zabbix_client_packets($1)
+ corenet_receive_zabbix_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zabbix_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zabbix_client_packets',`
+ corenet_dontaudit_send_zabbix_client_packets($1)
+ corenet_dontaudit_receive_zabbix_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zabbix_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zabbix_client_packets',`
+ gen_require(`
+ type zabbix_client_packet_t;
+ ')
+
+ allow $1 zabbix_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send zabbix_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zabbix_server_packets',`
+ gen_require(`
+ type zabbix_server_packet_t;
+ ')
+
+ allow $1 zabbix_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zabbix_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zabbix_server_packets',`
+ gen_require(`
+ type zabbix_server_packet_t;
+ ')
+
+ dontaudit $1 zabbix_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zabbix_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zabbix_server_packets',`
+ gen_require(`
+ type zabbix_server_packet_t;
+ ')
+
+ allow $1 zabbix_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zabbix_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zabbix_server_packets',`
+ gen_require(`
+ type zabbix_server_packet_t;
+ ')
+
+ dontaudit $1 zabbix_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zabbix_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zabbix_server_packets',`
+ corenet_send_zabbix_server_packets($1)
+ corenet_receive_zabbix_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zabbix_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zabbix_server_packets',`
+ corenet_dontaudit_send_zabbix_server_packets($1)
+ corenet_dontaudit_receive_zabbix_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zabbix_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zabbix_server_packets',`
+ gen_require(`
+ type zabbix_server_packet_t;
+ ')
+
+ allow $1 zabbix_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the zabbix_agent port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_zabbix_agent_port',`
+ gen_require(`
+ type zabbix_agent_port_t;
+ ')
+
+ allow $1 zabbix_agent_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the zabbix_agent port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_zabbix_agent_port',`
+ gen_require(`
+ type zabbix_agent_port_t;
+ ')
+
+ allow $1 zabbix_agent_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the zabbix_agent port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_zabbix_agent_port',`
+ gen_require(`
+ type zabbix_agent_port_t;
+ ')
+
+ dontaudit $1 zabbix_agent_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the zabbix_agent port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_zabbix_agent_port',`
+ gen_require(`
+ type zabbix_agent_port_t;
+ ')
+
+ allow $1 zabbix_agent_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the zabbix_agent port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_zabbix_agent_port',`
+ gen_require(`
+ type zabbix_agent_port_t;
+ ')
+
+ dontaudit $1 zabbix_agent_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the zabbix_agent port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_zabbix_agent_port',`
+ corenet_udp_send_zabbix_agent_port($1)
+ corenet_udp_receive_zabbix_agent_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the zabbix_agent port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_zabbix_agent_port',`
+ corenet_dontaudit_udp_send_zabbix_agent_port($1)
+ corenet_dontaudit_udp_receive_zabbix_agent_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the zabbix_agent port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_zabbix_agent_port',`
+ gen_require(`
+ type zabbix_agent_port_t;
+ ')
+
+ allow $1 zabbix_agent_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the zabbix_agent port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_zabbix_agent_port',`
+ gen_require(`
+ type zabbix_agent_port_t;
+ ')
+
+ allow $1 zabbix_agent_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the zabbix_agent port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_zabbix_agent_port',`
+ gen_require(`
+ type zabbix_agent_port_t;
+ ')
+
+ allow $1 zabbix_agent_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send zabbix_agent_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zabbix_agent_client_packets',`
+ gen_require(`
+ type zabbix_agent_client_packet_t;
+ ')
+
+ allow $1 zabbix_agent_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zabbix_agent_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zabbix_agent_client_packets',`
+ gen_require(`
+ type zabbix_agent_client_packet_t;
+ ')
+
+ dontaudit $1 zabbix_agent_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zabbix_agent_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zabbix_agent_client_packets',`
+ gen_require(`
+ type zabbix_agent_client_packet_t;
+ ')
+
+ allow $1 zabbix_agent_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zabbix_agent_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zabbix_agent_client_packets',`
+ gen_require(`
+ type zabbix_agent_client_packet_t;
+ ')
+
+ dontaudit $1 zabbix_agent_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zabbix_agent_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zabbix_agent_client_packets',`
+ corenet_send_zabbix_agent_client_packets($1)
+ corenet_receive_zabbix_agent_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zabbix_agent_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zabbix_agent_client_packets',`
+ corenet_dontaudit_send_zabbix_agent_client_packets($1)
+ corenet_dontaudit_receive_zabbix_agent_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zabbix_agent_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zabbix_agent_client_packets',`
+ gen_require(`
+ type zabbix_agent_client_packet_t;
+ ')
+
+ allow $1 zabbix_agent_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send zabbix_agent_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zabbix_agent_server_packets',`
+ gen_require(`
+ type zabbix_agent_server_packet_t;
+ ')
+
+ allow $1 zabbix_agent_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zabbix_agent_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zabbix_agent_server_packets',`
+ gen_require(`
+ type zabbix_agent_server_packet_t;
+ ')
+
+ dontaudit $1 zabbix_agent_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zabbix_agent_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zabbix_agent_server_packets',`
+ gen_require(`
+ type zabbix_agent_server_packet_t;
+ ')
+
+ allow $1 zabbix_agent_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zabbix_agent_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zabbix_agent_server_packets',`
+ gen_require(`
+ type zabbix_agent_server_packet_t;
+ ')
+
+ dontaudit $1 zabbix_agent_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zabbix_agent_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zabbix_agent_server_packets',`
+ corenet_send_zabbix_agent_server_packets($1)
+ corenet_receive_zabbix_agent_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zabbix_agent_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zabbix_agent_server_packets',`
+ corenet_dontaudit_send_zabbix_agent_server_packets($1)
+ corenet_dontaudit_receive_zabbix_agent_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zabbix_agent_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zabbix_agent_server_packets',`
+ gen_require(`
+ type zabbix_agent_server_packet_t;
+ ')
+
+ allow $1 zabbix_agent_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the zookeeper_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_zookeeper_client_port',`
+ gen_require(`
+ type zookeeper_client_port_t;
+ ')
+
+ allow $1 zookeeper_client_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the zookeeper_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_zookeeper_client_port',`
+ gen_require(`
+ type zookeeper_client_port_t;
+ ')
+
+ allow $1 zookeeper_client_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the zookeeper_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_zookeeper_client_port',`
+ gen_require(`
+ type zookeeper_client_port_t;
+ ')
+
+ dontaudit $1 zookeeper_client_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the zookeeper_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_zookeeper_client_port',`
+ gen_require(`
+ type zookeeper_client_port_t;
+ ')
+
+ allow $1 zookeeper_client_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the zookeeper_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_zookeeper_client_port',`
+ gen_require(`
+ type zookeeper_client_port_t;
+ ')
+
+ dontaudit $1 zookeeper_client_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the zookeeper_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_zookeeper_client_port',`
+ corenet_udp_send_zookeeper_client_port($1)
+ corenet_udp_receive_zookeeper_client_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the zookeeper_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_zookeeper_client_port',`
+ corenet_dontaudit_udp_send_zookeeper_client_port($1)
+ corenet_dontaudit_udp_receive_zookeeper_client_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the zookeeper_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_zookeeper_client_port',`
+ gen_require(`
+ type zookeeper_client_port_t;
+ ')
+
+ allow $1 zookeeper_client_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the zookeeper_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_zookeeper_client_port',`
+ gen_require(`
+ type zookeeper_client_port_t;
+ ')
+
+ allow $1 zookeeper_client_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the zookeeper_client port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_zookeeper_client_port',`
+ gen_require(`
+ type zookeeper_client_port_t;
+ ')
+
+ allow $1 zookeeper_client_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send zookeeper_client_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zookeeper_client_client_packets',`
+ gen_require(`
+ type zookeeper_client_client_packet_t;
+ ')
+
+ allow $1 zookeeper_client_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zookeeper_client_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zookeeper_client_client_packets',`
+ gen_require(`
+ type zookeeper_client_client_packet_t;
+ ')
+
+ dontaudit $1 zookeeper_client_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zookeeper_client_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zookeeper_client_client_packets',`
+ gen_require(`
+ type zookeeper_client_client_packet_t;
+ ')
+
+ allow $1 zookeeper_client_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zookeeper_client_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zookeeper_client_client_packets',`
+ gen_require(`
+ type zookeeper_client_client_packet_t;
+ ')
+
+ dontaudit $1 zookeeper_client_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zookeeper_client_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zookeeper_client_client_packets',`
+ corenet_send_zookeeper_client_client_packets($1)
+ corenet_receive_zookeeper_client_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zookeeper_client_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zookeeper_client_client_packets',`
+ corenet_dontaudit_send_zookeeper_client_client_packets($1)
+ corenet_dontaudit_receive_zookeeper_client_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zookeeper_client_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zookeeper_client_client_packets',`
+ gen_require(`
+ type zookeeper_client_client_packet_t;
+ ')
+
+ allow $1 zookeeper_client_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send zookeeper_client_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zookeeper_client_server_packets',`
+ gen_require(`
+ type zookeeper_client_server_packet_t;
+ ')
+
+ allow $1 zookeeper_client_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zookeeper_client_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zookeeper_client_server_packets',`
+ gen_require(`
+ type zookeeper_client_server_packet_t;
+ ')
+
+ dontaudit $1 zookeeper_client_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zookeeper_client_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zookeeper_client_server_packets',`
+ gen_require(`
+ type zookeeper_client_server_packet_t;
+ ')
+
+ allow $1 zookeeper_client_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zookeeper_client_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zookeeper_client_server_packets',`
+ gen_require(`
+ type zookeeper_client_server_packet_t;
+ ')
+
+ dontaudit $1 zookeeper_client_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zookeeper_client_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zookeeper_client_server_packets',`
+ corenet_send_zookeeper_client_server_packets($1)
+ corenet_receive_zookeeper_client_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zookeeper_client_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zookeeper_client_server_packets',`
+ corenet_dontaudit_send_zookeeper_client_server_packets($1)
+ corenet_dontaudit_receive_zookeeper_client_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zookeeper_client_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zookeeper_client_server_packets',`
+ gen_require(`
+ type zookeeper_client_server_packet_t;
+ ')
+
+ allow $1 zookeeper_client_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the zookeeper_election port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_zookeeper_election_port',`
+ gen_require(`
+ type zookeeper_election_port_t;
+ ')
+
+ allow $1 zookeeper_election_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the zookeeper_election port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_zookeeper_election_port',`
+ gen_require(`
+ type zookeeper_election_port_t;
+ ')
+
+ allow $1 zookeeper_election_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the zookeeper_election port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_zookeeper_election_port',`
+ gen_require(`
+ type zookeeper_election_port_t;
+ ')
+
+ dontaudit $1 zookeeper_election_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the zookeeper_election port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_zookeeper_election_port',`
+ gen_require(`
+ type zookeeper_election_port_t;
+ ')
+
+ allow $1 zookeeper_election_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the zookeeper_election port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_zookeeper_election_port',`
+ gen_require(`
+ type zookeeper_election_port_t;
+ ')
+
+ dontaudit $1 zookeeper_election_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the zookeeper_election port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_zookeeper_election_port',`
+ corenet_udp_send_zookeeper_election_port($1)
+ corenet_udp_receive_zookeeper_election_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the zookeeper_election port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_zookeeper_election_port',`
+ corenet_dontaudit_udp_send_zookeeper_election_port($1)
+ corenet_dontaudit_udp_receive_zookeeper_election_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the zookeeper_election port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_zookeeper_election_port',`
+ gen_require(`
+ type zookeeper_election_port_t;
+ ')
+
+ allow $1 zookeeper_election_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the zookeeper_election port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_zookeeper_election_port',`
+ gen_require(`
+ type zookeeper_election_port_t;
+ ')
+
+ allow $1 zookeeper_election_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the zookeeper_election port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_zookeeper_election_port',`
+ gen_require(`
+ type zookeeper_election_port_t;
+ ')
+
+ allow $1 zookeeper_election_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send zookeeper_election_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zookeeper_election_client_packets',`
+ gen_require(`
+ type zookeeper_election_client_packet_t;
+ ')
+
+ allow $1 zookeeper_election_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zookeeper_election_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zookeeper_election_client_packets',`
+ gen_require(`
+ type zookeeper_election_client_packet_t;
+ ')
+
+ dontaudit $1 zookeeper_election_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zookeeper_election_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zookeeper_election_client_packets',`
+ gen_require(`
+ type zookeeper_election_client_packet_t;
+ ')
+
+ allow $1 zookeeper_election_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zookeeper_election_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zookeeper_election_client_packets',`
+ gen_require(`
+ type zookeeper_election_client_packet_t;
+ ')
+
+ dontaudit $1 zookeeper_election_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zookeeper_election_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zookeeper_election_client_packets',`
+ corenet_send_zookeeper_election_client_packets($1)
+ corenet_receive_zookeeper_election_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zookeeper_election_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zookeeper_election_client_packets',`
+ corenet_dontaudit_send_zookeeper_election_client_packets($1)
+ corenet_dontaudit_receive_zookeeper_election_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zookeeper_election_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zookeeper_election_client_packets',`
+ gen_require(`
+ type zookeeper_election_client_packet_t;
+ ')
+
+ allow $1 zookeeper_election_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send zookeeper_election_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zookeeper_election_server_packets',`
+ gen_require(`
+ type zookeeper_election_server_packet_t;
+ ')
+
+ allow $1 zookeeper_election_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zookeeper_election_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zookeeper_election_server_packets',`
+ gen_require(`
+ type zookeeper_election_server_packet_t;
+ ')
+
+ dontaudit $1 zookeeper_election_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zookeeper_election_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zookeeper_election_server_packets',`
+ gen_require(`
+ type zookeeper_election_server_packet_t;
+ ')
+
+ allow $1 zookeeper_election_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zookeeper_election_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zookeeper_election_server_packets',`
+ gen_require(`
+ type zookeeper_election_server_packet_t;
+ ')
+
+ dontaudit $1 zookeeper_election_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zookeeper_election_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zookeeper_election_server_packets',`
+ corenet_send_zookeeper_election_server_packets($1)
+ corenet_receive_zookeeper_election_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zookeeper_election_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zookeeper_election_server_packets',`
+ corenet_dontaudit_send_zookeeper_election_server_packets($1)
+ corenet_dontaudit_receive_zookeeper_election_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zookeeper_election_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zookeeper_election_server_packets',`
+ gen_require(`
+ type zookeeper_election_server_packet_t;
+ ')
+
+ allow $1 zookeeper_election_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the zookeeper_leader port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_zookeeper_leader_port',`
+ gen_require(`
+ type zookeeper_leader_port_t;
+ ')
+
+ allow $1 zookeeper_leader_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the zookeeper_leader port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_zookeeper_leader_port',`
+ gen_require(`
+ type zookeeper_leader_port_t;
+ ')
+
+ allow $1 zookeeper_leader_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the zookeeper_leader port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_zookeeper_leader_port',`
+ gen_require(`
+ type zookeeper_leader_port_t;
+ ')
+
+ dontaudit $1 zookeeper_leader_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the zookeeper_leader port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_zookeeper_leader_port',`
+ gen_require(`
+ type zookeeper_leader_port_t;
+ ')
+
+ allow $1 zookeeper_leader_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the zookeeper_leader port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_zookeeper_leader_port',`
+ gen_require(`
+ type zookeeper_leader_port_t;
+ ')
+
+ dontaudit $1 zookeeper_leader_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the zookeeper_leader port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_zookeeper_leader_port',`
+ corenet_udp_send_zookeeper_leader_port($1)
+ corenet_udp_receive_zookeeper_leader_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the zookeeper_leader port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_zookeeper_leader_port',`
+ corenet_dontaudit_udp_send_zookeeper_leader_port($1)
+ corenet_dontaudit_udp_receive_zookeeper_leader_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the zookeeper_leader port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_zookeeper_leader_port',`
+ gen_require(`
+ type zookeeper_leader_port_t;
+ ')
+
+ allow $1 zookeeper_leader_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the zookeeper_leader port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_zookeeper_leader_port',`
+ gen_require(`
+ type zookeeper_leader_port_t;
+ ')
+
+ allow $1 zookeeper_leader_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the zookeeper_leader port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_zookeeper_leader_port',`
+ gen_require(`
+ type zookeeper_leader_port_t;
+ ')
+
+ allow $1 zookeeper_leader_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send zookeeper_leader_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zookeeper_leader_client_packets',`
+ gen_require(`
+ type zookeeper_leader_client_packet_t;
+ ')
+
+ allow $1 zookeeper_leader_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zookeeper_leader_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zookeeper_leader_client_packets',`
+ gen_require(`
+ type zookeeper_leader_client_packet_t;
+ ')
+
+ dontaudit $1 zookeeper_leader_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zookeeper_leader_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zookeeper_leader_client_packets',`
+ gen_require(`
+ type zookeeper_leader_client_packet_t;
+ ')
+
+ allow $1 zookeeper_leader_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zookeeper_leader_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zookeeper_leader_client_packets',`
+ gen_require(`
+ type zookeeper_leader_client_packet_t;
+ ')
+
+ dontaudit $1 zookeeper_leader_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zookeeper_leader_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zookeeper_leader_client_packets',`
+ corenet_send_zookeeper_leader_client_packets($1)
+ corenet_receive_zookeeper_leader_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zookeeper_leader_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zookeeper_leader_client_packets',`
+ corenet_dontaudit_send_zookeeper_leader_client_packets($1)
+ corenet_dontaudit_receive_zookeeper_leader_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zookeeper_leader_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zookeeper_leader_client_packets',`
+ gen_require(`
+ type zookeeper_leader_client_packet_t;
+ ')
+
+ allow $1 zookeeper_leader_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send zookeeper_leader_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zookeeper_leader_server_packets',`
+ gen_require(`
+ type zookeeper_leader_server_packet_t;
+ ')
+
+ allow $1 zookeeper_leader_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zookeeper_leader_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zookeeper_leader_server_packets',`
+ gen_require(`
+ type zookeeper_leader_server_packet_t;
+ ')
+
+ dontaudit $1 zookeeper_leader_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zookeeper_leader_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zookeeper_leader_server_packets',`
+ gen_require(`
+ type zookeeper_leader_server_packet_t;
+ ')
+
+ allow $1 zookeeper_leader_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zookeeper_leader_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zookeeper_leader_server_packets',`
+ gen_require(`
+ type zookeeper_leader_server_packet_t;
+ ')
+
+ dontaudit $1 zookeeper_leader_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zookeeper_leader_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zookeeper_leader_server_packets',`
+ corenet_send_zookeeper_leader_server_packets($1)
+ corenet_receive_zookeeper_leader_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zookeeper_leader_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zookeeper_leader_server_packets',`
+ corenet_dontaudit_send_zookeeper_leader_server_packets($1)
+ corenet_dontaudit_receive_zookeeper_leader_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zookeeper_leader_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zookeeper_leader_server_packets',`
+ gen_require(`
+ type zookeeper_leader_server_packet_t;
+ ')
+
+ allow $1 zookeeper_leader_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the zebra port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_zebra_port',`
+ gen_require(`
+ type zebra_port_t;
+ ')
+
+ allow $1 zebra_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the zebra port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_zebra_port',`
+ gen_require(`
+ type zebra_port_t;
+ ')
+
+ allow $1 zebra_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the zebra port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_zebra_port',`
+ gen_require(`
+ type zebra_port_t;
+ ')
+
+ dontaudit $1 zebra_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the zebra port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_zebra_port',`
+ gen_require(`
+ type zebra_port_t;
+ ')
+
+ allow $1 zebra_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the zebra port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_zebra_port',`
+ gen_require(`
+ type zebra_port_t;
+ ')
+
+ dontaudit $1 zebra_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the zebra port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_zebra_port',`
+ corenet_udp_send_zebra_port($1)
+ corenet_udp_receive_zebra_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the zebra port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_zebra_port',`
+ corenet_dontaudit_udp_send_zebra_port($1)
+ corenet_dontaudit_udp_receive_zebra_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the zebra port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_zebra_port',`
+ gen_require(`
+ type zebra_port_t;
+ ')
+
+ allow $1 zebra_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the zebra port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_zebra_port',`
+ gen_require(`
+ type zebra_port_t;
+ ')
+
+ allow $1 zebra_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the zebra port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_zebra_port',`
+ gen_require(`
+ type zebra_port_t;
+ ')
+
+ allow $1 zebra_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send zebra_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zebra_client_packets',`
+ gen_require(`
+ type zebra_client_packet_t;
+ ')
+
+ allow $1 zebra_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zebra_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zebra_client_packets',`
+ gen_require(`
+ type zebra_client_packet_t;
+ ')
+
+ dontaudit $1 zebra_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zebra_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zebra_client_packets',`
+ gen_require(`
+ type zebra_client_packet_t;
+ ')
+
+ allow $1 zebra_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zebra_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zebra_client_packets',`
+ gen_require(`
+ type zebra_client_packet_t;
+ ')
+
+ dontaudit $1 zebra_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zebra_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zebra_client_packets',`
+ corenet_send_zebra_client_packets($1)
+ corenet_receive_zebra_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zebra_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zebra_client_packets',`
+ corenet_dontaudit_send_zebra_client_packets($1)
+ corenet_dontaudit_receive_zebra_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zebra_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zebra_client_packets',`
+ gen_require(`
+ type zebra_client_packet_t;
+ ')
+
+ allow $1 zebra_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send zebra_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zebra_server_packets',`
+ gen_require(`
+ type zebra_server_packet_t;
+ ')
+
+ allow $1 zebra_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zebra_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zebra_server_packets',`
+ gen_require(`
+ type zebra_server_packet_t;
+ ')
+
+ dontaudit $1 zebra_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zebra_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zebra_server_packets',`
+ gen_require(`
+ type zebra_server_packet_t;
+ ')
+
+ allow $1 zebra_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zebra_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zebra_server_packets',`
+ gen_require(`
+ type zebra_server_packet_t;
+ ')
+
+ dontaudit $1 zebra_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zebra_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zebra_server_packets',`
+ corenet_send_zebra_server_packets($1)
+ corenet_receive_zebra_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zebra_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zebra_server_packets',`
+ corenet_dontaudit_send_zebra_server_packets($1)
+ corenet_dontaudit_receive_zebra_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zebra_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zebra_server_packets',`
+ gen_require(`
+ type zebra_server_packet_t;
+ ')
+
+ allow $1 zebra_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP traffic on the zope port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_zope_port',`
+ gen_require(`
+ type zope_port_t;
+ ')
+
+ allow $1 zope_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the zope port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_zope_port',`
+ gen_require(`
+ type zope_port_t;
+ ')
+
+ allow $1 zope_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the zope port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_zope_port',`
+ gen_require(`
+ type zope_port_t;
+ ')
+
+ dontaudit $1 zope_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the zope port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_zope_port',`
+ gen_require(`
+ type zope_port_t;
+ ')
+
+ allow $1 zope_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the zope port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_zope_port',`
+ gen_require(`
+ type zope_port_t;
+ ')
+
+ dontaudit $1 zope_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the zope port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_zope_port',`
+ corenet_udp_send_zope_port($1)
+ corenet_udp_receive_zope_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the zope port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_zope_port',`
+ corenet_dontaudit_udp_send_zope_port($1)
+ corenet_dontaudit_udp_receive_zope_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the zope port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_zope_port',`
+ gen_require(`
+ type zope_port_t;
+ ')
+
+ allow $1 zope_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the zope port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_zope_port',`
+ gen_require(`
+ type zope_port_t;
+ ')
+
+ allow $1 zope_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the zope port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_zope_port',`
+ gen_require(`
+ type zope_port_t;
+ ')
+
+ allow $1 zope_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send zope_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zope_client_packets',`
+ gen_require(`
+ type zope_client_packet_t;
+ ')
+
+ allow $1 zope_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zope_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zope_client_packets',`
+ gen_require(`
+ type zope_client_packet_t;
+ ')
+
+ dontaudit $1 zope_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zope_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zope_client_packets',`
+ gen_require(`
+ type zope_client_packet_t;
+ ')
+
+ allow $1 zope_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zope_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zope_client_packets',`
+ gen_require(`
+ type zope_client_packet_t;
+ ')
+
+ dontaudit $1 zope_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zope_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zope_client_packets',`
+ corenet_send_zope_client_packets($1)
+ corenet_receive_zope_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zope_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zope_client_packets',`
+ corenet_dontaudit_send_zope_client_packets($1)
+ corenet_dontaudit_receive_zope_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zope_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zope_client_packets',`
+ gen_require(`
+ type zope_client_packet_t;
+ ')
+
+ allow $1 zope_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send zope_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_zope_server_packets',`
+ gen_require(`
+ type zope_server_packet_t;
+ ')
+
+ allow $1 zope_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send zope_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_zope_server_packets',`
+ gen_require(`
+ type zope_server_packet_t;
+ ')
+
+ dontaudit $1 zope_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive zope_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_zope_server_packets',`
+ gen_require(`
+ type zope_server_packet_t;
+ ')
+
+ allow $1 zope_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive zope_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_zope_server_packets',`
+ gen_require(`
+ type zope_server_packet_t;
+ ')
+
+ dontaudit $1 zope_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive zope_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_zope_server_packets',`
+ corenet_send_zope_server_packets($1)
+ corenet_receive_zope_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive zope_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_zope_server_packets',`
+ corenet_dontaudit_send_zope_server_packets($1)
+ corenet_dontaudit_receive_zope_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to zope_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_zope_server_packets',`
+ gen_require(`
+ type zope_server_packet_t;
+ ')
+
+ allow $1 zope_server_packet_t:packet relabelto;
+')
+
+
+
+
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on the lo interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_lo_if',`
+ gen_require(`
+ type lo_netif_t;
+ ')
+
+ allow $1 lo_netif_t:netif { tcp_send tcp_recv egress ingress };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on the lo interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_lo_if',`
+ gen_require(`
+ type lo_netif_t;
+ ')
+
+ allow $1 lo_netif_t:netif { udp_send egress };
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on the lo interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_lo_if',`
+ gen_require(`
+ type lo_netif_t;
+ ')
+
+ allow $1 lo_netif_t:netif { udp_recv ingress };
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on the lo interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_lo_if',`
+ corenet_udp_send_lo_if($1)
+ corenet_udp_receive_lo_if($1)
+')
+
+########################################
+## <summary>
+## Send raw IP packets on the lo interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_raw_send_lo_if',`
+ gen_require(`
+ type lo_netif_t;
+ ')
+
+ allow $1 lo_netif_t:netif { rawip_send egress };
+')
+
+########################################
+## <summary>
+## Receive raw IP packets on the lo interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_raw_receive_lo_if',`
+ gen_require(`
+ type lo_netif_t;
+ ')
+
+ allow $1 lo_netif_t:netif { rawip_recv ingress };
+')
+
+########################################
+## <summary>
+## Send and receive raw IP packets on the lo interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_raw_sendrecv_lo_if',`
+ corenet_raw_send_lo_if($1)
+ corenet_raw_receive_lo_if($1)
+')
+
+
+
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
new file mode 100644
index 00000000..07126bdc
--- /dev/null
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -0,0 +1,3136 @@
+## <summary>Policy controlling access to network objects</summary>
+## <required val="true">
+## Contains the initial SIDs for network objects.
+## </required>
+
+########################################
+## <summary>
+## Define type to be a network port type
+## </summary>
+## <desc>
+## <p>
+## Define type to be a network port type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for network ports.
+## </summary>
+## </param>
+#
+interface(`corenet_port',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ typeattribute $1 port_type;
+')
+
+########################################
+## <summary>
+## Define network type to be a reserved port (lt 1024)
+## </summary>
+## <desc>
+## <p>
+## Define network type to be a reserved port (lt 1024)
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for network ports.
+## </summary>
+## </param>
+#
+interface(`corenet_reserved_port',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ typeattribute $1 reserved_port_type;
+')
+
+########################################
+## <summary>
+## Define network type to be a rpc port ( 512 lt PORT lt 1024)
+## </summary>
+## <desc>
+## <p>
+## Define network type to be a rpc port ( 512 lt PORT lt 1024)
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for network ports.
+## </summary>
+## </param>
+#
+interface(`corenet_rpc_port',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ typeattribute $1 rpc_port_type;
+')
+
+########################################
+## <summary>
+## Define type to be a network node type
+## </summary>
+## <desc>
+## <p>
+## Define type to be a network node type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for network nodes.
+## </summary>
+## </param>
+#
+interface(`corenet_node',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ typeattribute $1 node_type;
+')
+
+########################################
+## <summary>
+## Define type to be a network packet type
+## </summary>
+## <desc>
+## <p>
+## Define type to be a network packet type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for a network packet.
+## </summary>
+## </param>
+#
+interface(`corenet_packet',`
+ gen_require(`
+ attribute packet_type;
+ ')
+
+ typeattribute $1 packet_type;
+')
+
+########################################
+## <summary>
+## Define type to be a network client packet type
+## </summary>
+## <desc>
+## <p>
+## Define type to be a network client packet type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for a network client packet.
+## </summary>
+## </param>
+#
+interface(`corenet_client_packet',`
+ gen_require(`
+ attribute packet_type, client_packet_type;
+ ')
+
+ typeattribute $1 client_packet_type, packet_type;
+')
+
+########################################
+## <summary>
+## Define type to be a network server packet type
+## </summary>
+## <desc>
+## <p>
+## Define type to be a network server packet type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for a network server packet.
+## </summary>
+## </param>
+#
+interface(`corenet_server_packet',`
+ gen_require(`
+ attribute packet_type, server_packet_type;
+ ')
+
+ typeattribute $1 server_packet_type, packet_type;
+')
+
+########################################
+## <summary>
+## Make the specified type usable
+## for labeled ipsec.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used for labeled ipsec.
+## </summary>
+## </param>
+#
+interface(`corenet_spd_type',`
+ gen_require(`
+ attribute ipsec_spd_type;
+ ')
+
+ typeattribute $1 ipsec_spd_type;
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on generic interfaces.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to send and receive TCP network
+## traffic on generic network interfaces.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_tcp_sendrecv_generic_node()</li>
+## <li>corenet_tcp_sendrecv_all_ports()</li>
+## <li>corenet_tcp_connect_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to connect to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:tcp_socket create_stream_socket_perms;
+## corenet_tcp_sendrecv_generic_if(myclient_t)
+## corenet_tcp_sendrecv_generic_node(myclient_t)
+## corenet_tcp_sendrecv_all_ports(myclient_t)
+## corenet_tcp_connect_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif { tcp_send tcp_recv egress ingress };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif { udp_send egress };
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to send UDP network traffic
+## on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_send_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ dontaudit $1 netif_t:netif { udp_send egress };
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif { udp_recv ingress };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP network
+## traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_receive_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ dontaudit $1 netif_t:netif { udp_recv ingress };
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on generic interfaces.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to send and receive UDP network
+## traffic on generic network interfaces.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_udp_sendrecv_generic_node()</li>
+## <li>corenet_udp_sendrecv_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to send to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:udp_socket create_socket_perms;
+## corenet_udp_sendrecv_generic_if(myclient_t)
+## corenet_udp_sendrecv_generic_node(myclient_t)
+## corenet_udp_sendrecv_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_generic_if',`
+ corenet_udp_send_generic_if($1)
+ corenet_udp_receive_generic_if($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive UDP network
+## traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_sendrecv_generic_if',`
+ corenet_dontaudit_udp_send_generic_if($1)
+ corenet_dontaudit_udp_receive_generic_if($1)
+')
+
+########################################
+## <summary>
+## Send raw IP packets on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_send_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif { rawip_send egress };
+')
+
+########################################
+## <summary>
+## Receive raw IP packets on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_receive_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif { rawip_recv ingress };
+')
+
+########################################
+## <summary>
+## Send and receive raw IP packets on generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_sendrecv_generic_if',`
+ corenet_raw_send_generic_if($1)
+ corenet_raw_receive_generic_if($1)
+')
+
+########################################
+## <summary>
+## Allow outgoing network traffic on the generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## The peer label of the outgoing network traffic.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_out_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif egress;
+')
+
+########################################
+## <summary>
+## Allow incoming traffic on the generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## The peer label of the incoming network traffic.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_in_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif ingress;
+')
+
+########################################
+## <summary>
+## Allow incoming and outgoing network traffic on the generic interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## The peer label of the network traffic.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_inout_generic_if',`
+ corenet_in_generic_if($1)
+ corenet_out_generic_if($1)
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_all_if',`
+ gen_require(`
+ attribute netif_type;
+ ')
+
+ allow $1 netif_type:netif { tcp_send tcp_recv egress ingress };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_all_if',`
+ gen_require(`
+ attribute netif_type;
+ ')
+
+ allow $1 netif_type:netif { udp_send egress };
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_all_if',`
+ gen_require(`
+ attribute netif_type;
+ ')
+
+ allow $1 netif_type:netif { udp_recv ingress };
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_all_if',`
+ corenet_udp_send_all_if($1)
+ corenet_udp_receive_all_if($1)
+')
+
+########################################
+## <summary>
+## Send raw IP packets on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_send_all_if',`
+ gen_require(`
+ attribute netif_type;
+ ')
+
+ allow $1 netif_type:netif { rawip_send egress };
+')
+
+########################################
+## <summary>
+## Receive raw IP packets on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_receive_all_if',`
+ gen_require(`
+ attribute netif_type;
+ ')
+
+ allow $1 netif_type:netif { rawip_recv ingress };
+')
+
+########################################
+## <summary>
+## Send and receive raw IP packets on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_sendrecv_all_if',`
+ corenet_raw_send_all_if($1)
+ corenet_raw_receive_all_if($1)
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on generic nodes.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to send and receive TCP network
+## traffic to/from generic network nodes (hostnames/networks).
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_tcp_sendrecv_generic_if()</li>
+## <li>corenet_tcp_sendrecv_all_ports()</li>
+## <li>corenet_tcp_connect_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to connect to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:tcp_socket create_stream_socket_perms;
+## corenet_tcp_sendrecv_generic_if(myclient_t)
+## corenet_tcp_sendrecv_generic_node(myclient_t)
+## corenet_tcp_sendrecv_all_ports(myclient_t)
+## corenet_tcp_connect_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node { udp_send sendto };
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node { udp_recv recvfrom };
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on generic nodes.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to send and receive UDP network
+## traffic to/from generic network nodes (hostnames/networks).
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_udp_sendrecv_generic_if()</li>
+## <li>corenet_udp_sendrecv_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to send to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:udp_socket create_socket_perms;
+## corenet_udp_sendrecv_generic_if(myclient_t)
+## corenet_udp_sendrecv_generic_node(myclient_t)
+## corenet_udp_sendrecv_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_generic_node',`
+ corenet_udp_send_generic_node($1)
+ corenet_udp_receive_generic_node($1)
+')
+
+########################################
+## <summary>
+## Send raw IP packets on generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_send_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node { rawip_send sendto };
+')
+
+########################################
+## <summary>
+## Receive raw IP packets on generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_receive_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node { rawip_recv recvfrom };
+')
+
+########################################
+## <summary>
+## Send and receive raw IP packets on generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_sendrecv_generic_node',`
+ corenet_raw_send_generic_node($1)
+ corenet_raw_receive_generic_node($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to generic nodes.
+## </summary>
+## <desc>
+## <p>
+## Bind TCP sockets to generic nodes. This is
+## necessary for binding a socket so it
+## can be used for servers to listen
+## for incoming connections.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_udp_bind_generic_node()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="1"/>
+#
+interface(`corenet_tcp_bind_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:tcp_socket node_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to generic nodes.
+## </summary>
+## <desc>
+## <p>
+## Bind UDP sockets to generic nodes. This is
+## necessary for binding a socket so it
+## can be used for servers to listen
+## for incoming connections.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_tcp_bind_generic_node()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="1"/>
+#
+interface(`corenet_udp_bind_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:udp_socket node_bind;
+')
+
+########################################
+## <summary>
+## Bind raw sockets to genric nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+# rawip_socket node_bind does not make much sense.
+# cjp: vmware hits this too
+interface(`corenet_raw_bind_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:rawip_socket node_bind;
+')
+
+########################################
+## <summary>
+## Allow outgoing network traffic to generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## The peer label of the outgoing network traffic.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_out_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node sendto;
+')
+
+########################################
+## <summary>
+## Allow incoming network traffic from generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## The peer label of the incoming network traffic.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_in_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node recvfrom;
+')
+
+########################################
+## <summary>
+## Allow incoming and outgoing network traffic with generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## The peer label of the network traffic.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_inout_generic_node',`
+ corenet_in_generic_node($1)
+ corenet_out_generic_node($1)
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:node { tcp_send tcp_recv sendto recvfrom };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:node { udp_send sendto };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP network
+## traffic on any nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_send_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ dontaudit $1 node_type:node { udp_send sendto };
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:node { udp_recv recvfrom };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP
+## network traffic on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_receive_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ dontaudit $1 node_type:node { udp_recv recvfrom };
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_all_nodes',`
+ corenet_udp_send_all_nodes($1)
+ corenet_udp_receive_all_nodes($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive UDP
+## network traffic on any nodes nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_sendrecv_all_nodes',`
+ corenet_dontaudit_udp_send_all_nodes($1)
+ corenet_dontaudit_udp_receive_all_nodes($1)
+')
+
+########################################
+## <summary>
+## Send raw IP packets on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_send_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:node { rawip_send sendto };
+')
+
+########################################
+## <summary>
+## Receive raw IP packets on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_receive_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:node { rawip_recv recvfrom };
+')
+
+########################################
+## <summary>
+## Send and receive raw IP packets on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_sendrecv_all_nodes',`
+ corenet_raw_send_all_nodes($1)
+ corenet_raw_receive_all_nodes($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:tcp_socket node_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:udp_socket node_bind;
+')
+
+########################################
+## <summary>
+## Bind raw sockets to all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+# rawip_socket node_bind does not make much sense.
+# cjp: vmware hits this too
+interface(`corenet_raw_bind_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:rawip_socket node_bind;
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ allow $1 port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Do not audit send and receive TCP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ dontaudit $1 port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ allow $1 port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ allow $1 port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_generic_port',`
+ corenet_udp_send_generic_port($1)
+ corenet_udp_receive_generic_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_generic_port',`
+ gen_require(`
+ type port_t;
+ attribute defined_port_type;
+ ')
+
+ allow $1 port_t:tcp_socket name_bind;
+ dontaudit $1 defined_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Do not audit bind TCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ dontaudit $1 port_t:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_generic_port',`
+ gen_require(`
+ type port_t;
+ attribute defined_port_type;
+ ')
+
+ allow $1 port_t:udp_socket name_bind;
+ dontaudit $1 defined_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Connect TCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ allow $1 port_t:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on all ports.
+## </summary>
+## <desc>
+## <p>
+## Send and receive TCP network traffic on all ports.
+## Related interfaces:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_tcp_sendrecv_generic_if()</li>
+## <li>corenet_tcp_sendrecv_generic_node()</li>
+## <li>corenet_tcp_connect_all_ports()</li>
+## <li>corenet_tcp_bind_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to connect to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:tcp_socket create_stream_socket_perms;
+## corenet_tcp_sendrecv_generic_if(myclient_t)
+## corenet_tcp_sendrecv_generic_node(myclient_t)
+## corenet_tcp_sendrecv_all_ports(myclient_t)
+## corenet_tcp_connect_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on all ports.
+## </summary>
+## <desc>
+## <p>
+## Send and receive UDP network traffic on all ports.
+## Related interfaces:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_udp_sendrecv_generic_if()</li>
+## <li>corenet_udp_sendrecv_generic_node()</li>
+## <li>corenet_udp_bind_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to send to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:udp_socket create_socket_perms;
+## corenet_udp_sendrecv_generic_if(myclient_t)
+## corenet_udp_sendrecv_generic_node(myclient_t)
+## corenet_udp_sendrecv_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_all_ports',`
+ corenet_udp_send_all_ports($1)
+ corenet_udp_receive_all_ports($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Do not audit attepts to bind TCP sockets to any ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ dontaudit $1 port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Do not audit attepts to bind UDP sockets to any ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_bind_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ dontaudit $1 port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Connect TCP sockets to all ports.
+## </summary>
+## <desc>
+## <p>
+## Connect TCP sockets to all ports
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_tcp_sendrecv_generic_if()</li>
+## <li>corenet_tcp_sendrecv_generic_node()</li>
+## <li>corenet_tcp_sendrecv_all_ports()</li>
+## <li>corenet_tcp_bind_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to connect to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:tcp_socket create_stream_socket_perms;
+## corenet_tcp_sendrecv_generic_if(myclient_t)
+## corenet_tcp_sendrecv_generic_node(myclient_t)
+## corenet_tcp_sendrecv_all_ports(myclient_t)
+## corenet_tcp_connect_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="1"/>
+#
+interface(`corenet_tcp_connect_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to connect TCP sockets
+## to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ dontaudit $1 port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_reserved_port',`
+ corenet_udp_send_reserved_port($1)
+ corenet_udp_receive_reserved_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Connect TCP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_receive_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_all_reserved_ports',`
+ corenet_udp_send_all_reserved_ports($1)
+ corenet_udp_receive_all_reserved_ports($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to bind TCP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ dontaudit $1 reserved_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to bind UDP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ dontaudit $1 reserved_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_unreserved_ports',`
+ gen_require(`
+ attribute unreserved_port_type;
+ ')
+
+ allow $1 unreserved_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_unreserved_ports',`
+ gen_require(`
+ attribute unreserved_port_type;
+ ')
+
+ allow $1 unreserved_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Connect TCP sockets to reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Connect TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_unreserved_ports',`
+ gen_require(`
+ attribute unreserved_port_type;
+ ')
+
+ allow $1 unreserved_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to connect TCP sockets
+## all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ dontaudit $1 reserved_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Connect TCP sockets to rpc ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ allow $1 rpc_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to connect TCP sockets
+## all rpc ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ dontaudit $1 rpc_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Read and write the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_rw_tun_tap_dev',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write the TUN/TAP
+## virtual network device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_rw_tun_tap_dev',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ dontaudit $1 tun_tap_device_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+## Getattr the point-to-point device.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_getattr_ppp_dev',`
+ gen_require(`
+ type ppp_device_t;
+ ')
+
+ allow $1 ppp_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Read and write the point-to-point device.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_rw_ppp_dev',`
+ gen_require(`
+ type ppp_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ppp_device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ allow $1 rpc_port_type:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to bind TCP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ dontaudit $1 rpc_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ allow $1 rpc_port_type:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to bind UDP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ dontaudit $1 rpc_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Send and receive messages on a
+## non-encrypted (no IPSEC) network
+## session.
+## </summary>
+## <desc>
+## <p>
+## Send and receive messages on a
+## non-encrypted (no IPSEC) network
+## session. (Deprecated)
+## </p>
+## <p>
+## The corenet_all_recvfrom_unlabeled() interface should be used instead
+## of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_non_ipsec_sendrecv',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.')
+ corenet_all_recvfrom_unlabeled($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## messages on a non-encrypted (no IPSEC) network
+## session.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to send and receive
+## messages on a non-encrypted (no IPSEC) network
+## session.
+## </p>
+## <p>
+## The corenet_dontaudit_all_recvfrom_unlabeled() interface should be
+## used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_non_ipsec_sendrecv',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.')
+ corenet_dontaudit_all_recvfrom_unlabeled($1)
+')
+
+########################################
+## <summary>
+## Receive TCP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.')
+ corenet_tcp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive TCP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:peer recv;
+ allow $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive TCP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_unlabeled',`
+ kernel_tcp_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive TCP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.')
+ corenet_dontaudit_tcp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive TCP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:peer recv;
+ dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
+ kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Receive UDP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.')
+ corenet_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive UDP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:peer recv;
+ allow $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive UDP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_unlabeled',`
+ kernel_udp_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.')
+ corenet_dontaudit_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:peer recv;
+ dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
+ kernel_dontaudit_udp_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Receive Raw IP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.')
+ corenet_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive Raw IP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:peer recv;
+ allow $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive Raw IP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_unlabeled',`
+ kernel_raw_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_raw_recvfrom_netlabel() instead.')
+ corenet_dontaudit_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:peer recv;
+ dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+ kernel_dontaudit_raw_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Receive packets from an unlabeled connection.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to receive packets from an
+## unlabeled connection. On machines that do not utilize
+## labeled networking, this will be required on all
+## networking domains. On machines tha do utilize
+## labeled networking, this will be required for any
+## networking domain that is allowed to receive
+## network traffic that does not have a label.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_all_recvfrom_unlabeled',`
+ kernel_tcp_recvfrom_unlabeled($1)
+ kernel_udp_recvfrom_unlabeled($1)
+ kernel_raw_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Receive packets from a NetLabel connection.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to receive NetLabel
+## network traffic, which utilizes the Commercial IP
+## Security Option (CIPSO) to set the MLS level
+## of the network packets. This is required for
+## all networking domains that receive NetLabel
+## network traffic.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_all_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:peer recv;
+ allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
+ kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+ kernel_dontaudit_udp_recvfrom_unlabeled($1)
+ kernel_dontaudit_raw_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:peer recv;
+ dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
+')
+
+########################################
+## <summary>
+## Rules for receiving labeled TCP packets.
+## </summary>
+## <desc>
+## <p>
+## Rules for receiving labeled TCP packets.
+## </p>
+## <p>
+## Due to the nature of TCP, this is bidirectional.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="peer_domain">
+## <summary>
+## Peer domain.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_labeled',`
+ allow { $1 $2 } self:association sendto;
+ allow $1 $2:{ association tcp_socket } recvfrom;
+ allow $2 $1:{ association tcp_socket } recvfrom;
+
+ allow $1 $2:peer recv;
+ allow $2 $1:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
+ corenet_tcp_recvfrom_netlabel($1)
+ corenet_tcp_recvfrom_netlabel($2)
+')
+
+########################################
+## <summary>
+## Rules for receiving labeled UDP packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="peer_domain">
+## <summary>
+## Peer domain.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_labeled',`
+ allow $2 self:association sendto;
+ allow $1 $2:{ association udp_socket } recvfrom;
+
+ allow $1 $2:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
+ corenet_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Rules for receiving labeled raw IP packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="peer_domain">
+## <summary>
+## Peer domain.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_labeled',`
+ allow $2 self:association sendto;
+ allow $1 $2:{ association rawip_socket } recvfrom;
+
+ allow $1 $2:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
+ corenet_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Rules for receiving labeled packets via TCP, UDP and raw IP.
+## </summary>
+## <desc>
+## <p>
+## Rules for receiving labeled packets via TCP, UDP and raw IP.
+## </p>
+## <p>
+## Due to the nature of TCP, the rules (for TCP
+## networking only) are bidirectional.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="peer_domain">
+## <summary>
+## Peer domain.
+## </summary>
+## </param>
+#
+interface(`corenet_all_recvfrom_labeled',`
+ corenet_tcp_recvfrom_labeled($1, $2)
+ corenet_udp_recvfrom_labeled($1, $2)
+ corenet_raw_recvfrom_labeled($1, $2)
+')
+
+########################################
+## <summary>
+## Make the specified type usable
+## for labeled ipsec.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used for labeled ipsec.
+## </summary>
+## </param>
+#
+interface(`corenet_setcontext_all_spds',`
+ gen_require(`
+ attribute ipsec_spd_type;
+ ')
+
+ allow $1 ipsec_spd_type:association setcontext;
+')
+
+########################################
+## <summary>
+## Send generic client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_send_generic_client_packets',`
+ gen_require(`
+ type client_packet_t;
+ ')
+
+ allow $1 client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive generic client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_receive_generic_client_packets',`
+ gen_require(`
+ type client_packet_t;
+ ')
+
+ allow $1 client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive generic client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sendrecv_generic_client_packets',`
+ corenet_send_generic_client_packets($1)
+ corenet_receive_generic_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to the generic client packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_generic_client_packets',`
+ gen_require(`
+ type client_packet_t;
+ ')
+
+ allow $1 client_packet_t:packet relabelto;
+')
+
+########################################
+## <summary>
+## Send generic server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_send_generic_server_packets',`
+ gen_require(`
+ type server_packet_t;
+ ')
+
+ allow $1 server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive generic server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_receive_generic_server_packets',`
+ gen_require(`
+ type server_packet_t;
+ ')
+
+ allow $1 server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive generic server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sendrecv_generic_server_packets',`
+ corenet_send_generic_server_packets($1)
+ corenet_receive_generic_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to the generic server packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_generic_server_packets',`
+ gen_require(`
+ type server_packet_t;
+ ')
+
+ allow $1 server_packet_t:packet relabelto;
+')
+
+########################################
+## <summary>
+## Send and receive unlabeled packets.
+## </summary>
+## <desc>
+## <p>
+## Send and receive unlabeled packets.
+## These packets do not match any netfilter
+## SECMARK rules.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sendrecv_unlabeled_packets',`
+ kernel_sendrecv_unlabeled_packets($1)
+')
+
+########################################
+## <summary>
+## Send all client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_send_all_client_packets',`
+ gen_require(`
+ attribute client_packet_type;
+ ')
+
+ allow $1 client_packet_type:packet send;
+')
+
+########################################
+## <summary>
+## Receive all client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_receive_all_client_packets',`
+ gen_require(`
+ attribute client_packet_type;
+ ')
+
+ allow $1 client_packet_type:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive all client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sendrecv_all_client_packets',`
+ corenet_send_all_client_packets($1)
+ corenet_receive_all_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to any client packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_all_client_packets',`
+ gen_require(`
+ attribute client_packet_type;
+ ')
+
+ allow $1 client_packet_type:packet relabelto;
+')
+
+########################################
+## <summary>
+## Send all server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_send_all_server_packets',`
+ gen_require(`
+ attribute server_packet_type;
+ ')
+
+ allow $1 server_packet_type:packet send;
+')
+
+########################################
+## <summary>
+## Receive all server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_receive_all_server_packets',`
+ gen_require(`
+ attribute server_packet_type;
+ ')
+
+ allow $1 server_packet_type:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive all server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sendrecv_all_server_packets',`
+ corenet_send_all_server_packets($1)
+ corenet_receive_all_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to any server packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_all_server_packets',`
+ gen_require(`
+ attribute server_packet_type;
+ ')
+
+ allow $1 server_packet_type:packet relabelto;
+')
+
+########################################
+## <summary>
+## Send all packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_send_all_packets',`
+ gen_require(`
+ attribute packet_type;
+ ')
+
+ allow $1 packet_type:packet send;
+')
+
+########################################
+## <summary>
+## Receive all packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_receive_all_packets',`
+ gen_require(`
+ attribute packet_type;
+ ')
+
+ allow $1 packet_type:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive all packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sendrecv_all_packets',`
+ corenet_send_all_packets($1)
+ corenet_receive_all_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to any packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_all_packets',`
+ gen_require(`
+ attribute packet_type;
+ ')
+
+ allow $1 packet_type:packet relabelto;
+')
+
+########################################
+## <summary>
+## Unconfined access to network objects.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_unconfined',`
+ gen_require(`
+ attribute corenet_unconfined_type;
+ ')
+
+ typeattribute $1 corenet_unconfined_type;
+')
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
new file mode 100644
index 00000000..8e0f9cd1
--- /dev/null
+++ b/policy/modules/kernel/corenetwork.if.m4
@@ -0,0 +1,853 @@
+#
+# shiftn(num,list...)
+#
+# shift the list num times
+#
+define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+
+########################################
+#
+# Network Interface generated macros
+#
+########################################
+
+define(`create_netif_interfaces',``
+########################################
+## <summary>
+## Send and receive TCP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:netif { tcp_send tcp_recv egress ingress };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:netif { udp_send egress };
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:netif { udp_recv ingress };
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_$1_if',`
+ corenet_udp_send_$1_if(dollarsone)
+ corenet_udp_receive_$1_if(dollarsone)
+')
+
+########################################
+## <summary>
+## Send raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_raw_send_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:netif { rawip_send egress };
+')
+
+########################################
+## <summary>
+## Receive raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_raw_receive_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:netif { rawip_recv ingress };
+')
+
+########################################
+## <summary>
+## Send and receive raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_raw_sendrecv_$1_if',`
+ corenet_raw_send_$1_if(dollarsone)
+ corenet_raw_receive_$1_if(dollarsone)
+')
+'') dnl end create_netif_interfaces
+
+# create confined network interfaces controlled by the network_enabled boolean
+# do not call this macro for loop back
+define(`create_netif_interfaces_controlled',``
+########################################
+## <summary>
+## Send and receive TCP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ if (network_enabled) {
+ allow dollarsone $1_$2:netif { tcp_send tcp_recv egress ingress };
+ }
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ if (network_enabled) {
+ allow dollarsone $1_$2:netif { udp_send egress };
+ }
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ if (network_enabled) {
+ allow dollarsone $1_$2:netif { udp_recv ingress };
+ }
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_$1_if',`
+ corenet_udp_send_$1_if(dollarsone)
+ corenet_udp_receive_$1_if(dollarsone)
+')
+
+########################################
+## <summary>
+## Send raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_raw_send_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ if (network_enabled) {
+ allow dollarsone $1_$2:netif { rawip_send egress };
+ }
+')
+
+########################################
+## <summary>
+## Receive raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_raw_receive_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ if (network_enabled) {
+ allow dollarsone $1_$2:netif { rawip_recv ingress };
+ }
+')
+
+########################################
+## <summary>
+## Send and receive raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_raw_sendrecv_$1_if',`
+ corenet_raw_send_$1_if(dollarsone)
+ corenet_raw_receive_$1_if(dollarsone)
+')
+'') dnl end create_netif_interfaces_controlled
+
+########################################
+#
+# Network node generated macros
+#
+########################################
+
+define(`create_node_interfaces',``
+########################################
+## <summary>
+## Send and receive TCP traffic on the $1 node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_$1_node',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:node { tcp_send tcp_recv sendto recvfrom };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the $1 node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_$1_node',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:node { udp_send sendto };
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the $1 node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_$1_node',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:node { udp_recv recvfrom };
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the $1 node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_$1_node',`
+ corenet_udp_send_$1_node(dollarsone)
+ corenet_udp_receive_$1_node(dollarsone)
+')
+
+########################################
+## <summary>
+## Send raw IP packets on the $1 node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_raw_send_$1_node',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:node { rawip_send sendto };
+')
+
+########################################
+## <summary>
+## Receive raw IP packets on the $1 node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_raw_receive_$1_node',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:node { rawip_recv recvfrom };
+')
+
+########################################
+## <summary>
+## Send and receive raw IP packets on the $1 node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_raw_sendrecv_$1_node',`
+ corenet_raw_send_$1_node(dollarsone)
+ corenet_raw_receive_$1_node(dollarsone)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to node $1.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_$1_node',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:tcp_socket node_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the $1 node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_$1_node',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:udp_socket node_bind;
+')
+'') dnl end create_node_interfaces
+
+########################################
+#
+# Network port generated macros
+#
+########################################
+
+define(`create_port_interfaces',``
+########################################
+## <summary>
+## Send and receive TCP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_$1_port',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_$1_port',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_$1_port',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ dontaudit dollarsone $1_$2:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_$1_port',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_$1_port',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ dontaudit dollarsone $1_$2:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_$1_port',`
+ corenet_udp_send_$1_port(dollarsone)
+ corenet_udp_receive_$1_port(dollarsone)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_$1_port',`
+ corenet_dontaudit_udp_send_$1_port(dollarsone)
+ corenet_dontaudit_udp_receive_$1_port(dollarsone)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the $1 port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_$1_port',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:tcp_socket name_bind;
+ $4
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the $1 port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_$1_port',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:udp_socket name_bind;
+ $4
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the $1 port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_$1_port',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:tcp_socket name_connect;
+')
+'') dnl end create_port_interfaces
+
+define(`create_packet_interfaces',``
+########################################
+## <summary>
+## Send $1 packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_$1_packets',`
+ gen_require(`
+ type $1_packet_t;
+ ')
+
+ allow dollarsone $1_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send $1 packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_$1_packets',`
+ gen_require(`
+ type $1_packet_t;
+ ')
+
+ dontaudit dollarsone $1_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive $1 packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_$1_packets',`
+ gen_require(`
+ type $1_packet_t;
+ ')
+
+ allow dollarsone $1_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive $1 packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_$1_packets',`
+ gen_require(`
+ type $1_packet_t;
+ ')
+
+ dontaudit dollarsone $1_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive $1 packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_$1_packets',`
+ corenet_send_$1_packets(dollarsone)
+ corenet_receive_$1_packets(dollarsone)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive $1 packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_$1_packets',`
+ corenet_dontaudit_send_$1_packets(dollarsone)
+ corenet_dontaudit_receive_$1_packets(dollarsone)
+')
+
+########################################
+## <summary>
+## Relabel packets to $1 the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_$1_packets',`
+ gen_require(`
+ type $1_packet_t;
+ ')
+
+ allow dollarsone $1_packet_t:packet relabelto;
+')
+'') dnl end create_port_interfaces
+
+#
+# create_netif_*_interfaces(linux_interfacename)
+#
+define(`create_netif_type_interfaces',`
+create_netif_interfaces($1,netif_t,type)
+')
+define(`create_netif_type_interfaces_controlled',`
+create_netif_interfaces_controlled($1,netif_t,type)
+')
+define(`create_netif_attrib_interfaces',`
+create_netif_interfaces($1,netif,attribute)
+')
+define(`create_netif_attrib_interfaces_controlled',`
+create_netif_interfaces_controlled($1,netif,attribute)
+')
+
+#
+# network_interface(linux_interfacename,mls_sensitivity)
+#
+define(`network_interface',`
+create_netif_type_interfaces($1)
+')
+
+define(`network_interface_controlled',`
+create_netif_type_interfaces_controlled($1)
+')
+
+#
+# create_node_*_interfaces(node_name)
+#
+define(`create_node_type_interfaces',`
+create_node_interfaces($1,node_t,type)
+')
+define(`create_node_attrib_interfaces',`
+create_node_interfaces($1,node,attribute)
+')
+
+#
+# network_node(node_name,mls_sensitivity,address,netmask)
+#
+define(`network_node',`
+create_node_type_interfaces($1)
+')
+
+# These next three macros have formatting, and should not me indented
+define(`determine_reserved_capability',`dnl
+ifelse($2,`',`',`dnl
+ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl
+determine_reserved_capability(shiftn(3,$*))dnl
+')dnl end inner ifelse
+')dnl end outer ifelse
+') dnl end determine reserved capability
+
+#
+# create_port_*_interfaces(port_name, protocol,portnum,mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
+# (these wrap create_port_interfaces to handle attributes and types)
+define(`create_port_type_interfaces',`create_port_interfaces($1,port_t,type,determine_reserved_capability(shift($*)))')
+define(`create_port_attrib_interfaces',`create_port_interfaces($1,port,attribute,determine_reserved_capability(shift($*)))')
+
+#
+# network_port(port_name,protocol portnum mls_sensitivity [,protocol,portnum,mls_sensitivity[,...]])
+#
+define(`network_port',`
+create_port_type_interfaces($*)
+create_packet_interfaces($1_client)
+create_packet_interfaces($1_server)
+')
+
+#
+# network_packet(packet_name)
+#
+define(`network_packet',`
+create_packet_interfaces($1_client)
+create_packet_interfaces($1_server)
+')
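Review bot: The `<infoflow>` annotation on `corenet_raw_receive_$1_node` in `create_node_interfaces` is tagged `type="write"` although the rule it documents grants `rawip_recv recvfrom`, the receive direction; every other receive interface in this file (`corenet_udp_receive_$1_node`, `corenet_raw_receive_$1_if`) is tagged `read`, so the line should be `## <infoflow type="read" weight="10"/>`. These annotations are what information-flow tooling reads for the generated interfaces, so an inverted direction on the raw-IP receive path would presumably mis-weight flow queries for every node type this macro is instantiated for. Two smaller documentation slips in the same hunk: the parameter of `corenet_dontaudit_receive_$1_packets` reads `Domain allowed access.` where its dontaudit siblings say `Domain to not audit.`, the relabel summary should read `Relabel packets to the $1 packet type.`, and the closing comment of `create_packet_interfaces` says `dnl end create_port_interfaces`. It would also be worth stating in the `corenet_tcp_bind_$1_port` and `corenet_udp_bind_$1_port` summaries that, through `determine_reserved_capability`, a port number below 1024 additionally grants the caller `self:capability net_bind_service`, since that DAC privilege widening is not visible from the interface name or its `name_bind` rule.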
diff --git a/policy/modules/kernel/corenetwork.te b/policy/modules/kernel/corenetwork.te
new file mode 100644
index 00000000..46fb5114
--- /dev/null
+++ b/policy/modules/kernel/corenetwork.te
@@ -0,0 +1,1537 @@
+#
+# This is a generated file! Instead of modifying this file, the
+# corenetwork.te.in or corenetwork.te.m4 file should be modified.
+#
+policy_module(corenetwork, 1.17.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute client_packet_type;
+# This is an optimization for { port_type -port_t }
+attribute defined_port_type;
+attribute ipsec_spd_type;
+attribute netif_type;
+attribute node_type;
+attribute packet_type;
+attribute port_type;
+attribute reserved_port_type;
+attribute rpc_port_type;
+attribute server_packet_type;
+# This is an optimization for { port_type -reserved_port_type }
+attribute unreserved_port_type;
+
+attribute corenet_unconfined_type;
+
+type ppp_device_t;
+dev_node(ppp_device_t)
+
+#
+# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
+#
+type tun_tap_device_t;
+dev_node(tun_tap_device_t)
+
+########################################
+#
+# Ports and packets
+#
+
+#
+# client_packet_t is the default type of IPv4 and IPv6 client packets.
+#
+type client_packet_t, packet_type, client_packet_type;
+
+#
+# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network
+# connections using NetLabel which do not carry full SELinux contexts.
+#
+type netlabel_peer_t;
+sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
+
+#
+# port_t is the default type of INET port numbers.
+#
+type port_t, port_type;
+sid port gen_context(system_u:object_r:port_t,s0)
+
+#
+# unreserved_port_t is the default type of INET port numbers above 1023
+#
+type unreserved_port_t, port_type, unreserved_port_type;
+
+#
+# reserved_port_t is the type of INET port numbers below 1024.
+#
+type reserved_port_t, port_type, reserved_port_type;
+
+#
+# hi_reserved_port_t is the type of INET port numbers between 512-1023.
+#
+type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+
+#
+# server_packet_t is the default type of IPv4 and IPv6 server packets.
+#
+type server_packet_t, packet_type, server_packet_type;
+
+
+type afs_bos_port_t, port_type, defined_port_type;
+type afs_bos_client_packet_t, packet_type, client_packet_type;
+type afs_bos_server_packet_t, packet_type, server_packet_type;
+typeattribute afs_bos_port_t unreserved_port_type;
+portcon udp 7007 gen_context(system_u:object_r:afs_bos_port_t,s0)
+
+
+type afs_fs_port_t, port_type, defined_port_type;
+type afs_fs_client_packet_t, packet_type, client_packet_type;
+type afs_fs_server_packet_t, packet_type, server_packet_type;
+typeattribute afs_fs_port_t unreserved_port_type;
+portcon tcp 2040 gen_context(system_u:object_r:afs_fs_port_t,s0)
+portcon udp 7000 gen_context(system_u:object_r:afs_fs_port_t,s0)
+portcon udp 7005 gen_context(system_u:object_r:afs_fs_port_t,s0)
+
+
+type afs_ka_port_t, port_type, defined_port_type;
+type afs_ka_client_packet_t, packet_type, client_packet_type;
+type afs_ka_server_packet_t, packet_type, server_packet_type;
+typeattribute afs_ka_port_t unreserved_port_type;
+portcon udp 7004 gen_context(system_u:object_r:afs_ka_port_t,s0)
+
+
+type afs_pt_port_t, port_type, defined_port_type;
+type afs_pt_client_packet_t, packet_type, client_packet_type;
+type afs_pt_server_packet_t, packet_type, server_packet_type;
+typeattribute afs_pt_port_t unreserved_port_type;
+portcon udp 7002 gen_context(system_u:object_r:afs_pt_port_t,s0)
+
+
+type afs_vl_port_t, port_type, defined_port_type;
+type afs_vl_client_packet_t, packet_type, client_packet_type;
+type afs_vl_server_packet_t, packet_type, server_packet_type;
+typeattribute afs_vl_port_t unreserved_port_type;
+portcon udp 7003 gen_context(system_u:object_r:afs_vl_port_t,s0)
+
+
+type agentx_port_t, port_type, defined_port_type;
+type agentx_client_packet_t, packet_type, client_packet_type;
+type agentx_server_packet_t, packet_type, server_packet_type;
+typeattribute agentx_port_t reserved_port_type;
+typeattribute agentx_port_t rpc_port_type;
+portcon udp 705 gen_context(system_u:object_r:agentx_port_t,s0)
+portcon tcp 705 gen_context(system_u:object_r:agentx_port_t,s0)
+
+
+type amanda_port_t, port_type, defined_port_type;
+type amanda_client_packet_t, packet_type, client_packet_type;
+type amanda_server_packet_t, packet_type, server_packet_type;
+typeattribute amanda_port_t unreserved_port_type;
+portcon udp 10080-10082 gen_context(system_u:object_r:amanda_port_t,s0)
+portcon tcp 10080-10083 gen_context(system_u:object_r:amanda_port_t,s0)
+
+
+type amavisd_recv_port_t, port_type, defined_port_type;
+type amavisd_recv_client_packet_t, packet_type, client_packet_type;
+type amavisd_recv_server_packet_t, packet_type, server_packet_type;
+typeattribute amavisd_recv_port_t unreserved_port_type;
+portcon tcp 10024 gen_context(system_u:object_r:amavisd_recv_port_t,s0)
+
+
+type amavisd_send_port_t, port_type, defined_port_type;
+type amavisd_send_client_packet_t, packet_type, client_packet_type;
+type amavisd_send_server_packet_t, packet_type, server_packet_type;
+typeattribute amavisd_send_port_t unreserved_port_type;
+portcon tcp 10025 gen_context(system_u:object_r:amavisd_send_port_t,s0)
+
+
+type amqp_port_t, port_type, defined_port_type;
+type amqp_client_packet_t, packet_type, client_packet_type;
+type amqp_server_packet_t, packet_type, server_packet_type;
+typeattribute amqp_port_t unreserved_port_type;
+portcon udp 5671-5672 gen_context(system_u:object_r:amqp_port_t,s0)
+portcon tcp 5671-5672 gen_context(system_u:object_r:amqp_port_t,s0)
+
+
+type aol_port_t, port_type, defined_port_type;
+type aol_client_packet_t, packet_type, client_packet_type;
+type aol_server_packet_t, packet_type, server_packet_type;
+typeattribute aol_port_t unreserved_port_type;
+portcon udp 5190-5193 gen_context(system_u:object_r:aol_port_t,s0)
+portcon tcp 5190-5193 gen_context(system_u:object_r:aol_port_t,s0)
+
+
+type apcupsd_port_t, port_type, defined_port_type;
+type apcupsd_client_packet_t, packet_type, client_packet_type;
+type apcupsd_server_packet_t, packet_type, server_packet_type;
+typeattribute apcupsd_port_t unreserved_port_type;
+portcon tcp 3551 gen_context(system_u:object_r:apcupsd_port_t,s0)
+portcon udp 3551 gen_context(system_u:object_r:apcupsd_port_t,s0)
+
+
+type asterisk_port_t, port_type, defined_port_type;
+type asterisk_client_packet_t, packet_type, client_packet_type;
+type asterisk_server_packet_t, packet_type, server_packet_type;
+typeattribute asterisk_port_t unreserved_port_type;
+portcon tcp 1720 gen_context(system_u:object_r:asterisk_port_t,s0)
+portcon udp 2427 gen_context(system_u:object_r:asterisk_port_t,s0)
+portcon udp 2727 gen_context(system_u:object_r:asterisk_port_t,s0)
+portcon udp 4569 gen_context(system_u:object_r:asterisk_port_t,s0)
+
+
+type audit_port_t, port_type, defined_port_type;
+type audit_client_packet_t, packet_type, client_packet_type;
+type audit_server_packet_t, packet_type, server_packet_type;
+typeattribute audit_port_t reserved_port_type;
+portcon tcp 60 gen_context(system_u:object_r:audit_port_t,s0)
+
+
+type auth_port_t, port_type, defined_port_type;
+type auth_client_packet_t, packet_type, client_packet_type;
+type auth_server_packet_t, packet_type, server_packet_type;
+typeattribute auth_port_t reserved_port_type;
+portcon tcp 113 gen_context(system_u:object_r:auth_port_t,s0)
+
+
+type bgp_port_t, port_type, defined_port_type;
+type bgp_client_packet_t, packet_type, client_packet_type;
+type bgp_server_packet_t, packet_type, server_packet_type;
+typeattribute bgp_port_t reserved_port_type;
+portcon tcp 179 gen_context(system_u:object_r:bgp_port_t,s0)
+portcon udp 179 gen_context(system_u:object_r:bgp_port_t,s0)
+portcon tcp 2605 gen_context(system_u:object_r:bgp_port_t,s0)
+portcon udp 2605 gen_context(system_u:object_r:bgp_port_t,s0)
+
+
+type boinc_port_t, port_type, defined_port_type;
+type boinc_client_packet_t, packet_type, client_packet_type;
+type boinc_server_packet_t, packet_type, server_packet_type;
+typeattribute boinc_port_t unreserved_port_type;
+portcon tcp 31416 gen_context(system_u:object_r:boinc_port_t,s0)
+
+
+type biff_port_t, port_type, defined_port_type;
+type biff_client_packet_t, packet_type, client_packet_type;
+type biff_server_packet_t, packet_type, server_packet_type;
+ # no defined portcon
+
+type certmaster_port_t, port_type, defined_port_type;
+type certmaster_client_packet_t, packet_type, client_packet_type;
+type certmaster_server_packet_t, packet_type, server_packet_type;
+typeattribute certmaster_port_t unreserved_port_type;
+portcon tcp 51235 gen_context(system_u:object_r:certmaster_port_t,s0)
+
+
+type chronyd_port_t, port_type, defined_port_type;
+type chronyd_client_packet_t, packet_type, client_packet_type;
+type chronyd_server_packet_t, packet_type, server_packet_type;
+typeattribute chronyd_port_t reserved_port_type;
+portcon udp 323 gen_context(system_u:object_r:chronyd_port_t,s0)
+
+
+type clamd_port_t, port_type, defined_port_type;
+type clamd_client_packet_t, packet_type, client_packet_type;
+type clamd_server_packet_t, packet_type, server_packet_type;
+typeattribute clamd_port_t unreserved_port_type;
+portcon tcp 3310 gen_context(system_u:object_r:clamd_port_t,s0)
+
+
+type clockspeed_port_t, port_type, defined_port_type;
+type clockspeed_client_packet_t, packet_type, client_packet_type;
+type clockspeed_server_packet_t, packet_type, server_packet_type;
+typeattribute clockspeed_port_t unreserved_port_type;
+portcon udp 4041 gen_context(system_u:object_r:clockspeed_port_t,s0)
+
+
+type cluster_port_t, port_type, defined_port_type;
+type cluster_client_packet_t, packet_type, client_packet_type;
+type cluster_server_packet_t, packet_type, server_packet_type;
+typeattribute cluster_port_t unreserved_port_type;
+portcon tcp 5149 gen_context(system_u:object_r:cluster_port_t,s0)
+portcon udp 5149 gen_context(system_u:object_r:cluster_port_t,s0)
+portcon tcp 40040 gen_context(system_u:object_r:cluster_port_t,s0)
+portcon tcp 50006-50008 gen_context(system_u:object_r:cluster_port_t,s0)
+portcon udp 50006-50008 gen_context(system_u:object_r:cluster_port_t,s0)
+
+
+type cobbler_port_t, port_type, defined_port_type;
+type cobbler_client_packet_t, packet_type, client_packet_type;
+type cobbler_server_packet_t, packet_type, server_packet_type;
+typeattribute cobbler_port_t unreserved_port_type;
+portcon tcp 25151 gen_context(system_u:object_r:cobbler_port_t,s0)
+
+
+type comsat_port_t, port_type, defined_port_type;
+type comsat_client_packet_t, packet_type, client_packet_type;
+type comsat_server_packet_t, packet_type, server_packet_type;
+typeattribute comsat_port_t reserved_port_type;
+typeattribute comsat_port_t rpc_port_type;
+portcon udp 512 gen_context(system_u:object_r:comsat_port_t,s0)
+
+
+type cvs_port_t, port_type, defined_port_type;
+type cvs_client_packet_t, packet_type, client_packet_type;
+type cvs_server_packet_t, packet_type, server_packet_type;
+typeattribute cvs_port_t unreserved_port_type;
+portcon tcp 2401 gen_context(system_u:object_r:cvs_port_t,s0)
+portcon udp 2401 gen_context(system_u:object_r:cvs_port_t,s0)
+
+
+type cyphesis_port_t, port_type, defined_port_type;
+type cyphesis_client_packet_t, packet_type, client_packet_type;
+type cyphesis_server_packet_t, packet_type, server_packet_type;
+typeattribute cyphesis_port_t unreserved_port_type;
+portcon tcp 6767 gen_context(system_u:object_r:cyphesis_port_t,s0)
+portcon tcp 6769 gen_context(system_u:object_r:cyphesis_port_t,s0)
+portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t,s0)
+portcon udp 32771 gen_context(system_u:object_r:cyphesis_port_t,s0)
+
+
+type daap_port_t, port_type, defined_port_type;
+type daap_client_packet_t, packet_type, client_packet_type;
+type daap_server_packet_t, packet_type, server_packet_type;
+typeattribute daap_port_t unreserved_port_type;
+portcon tcp 3689 gen_context(system_u:object_r:daap_port_t,s0)
+portcon udp 3689 gen_context(system_u:object_r:daap_port_t,s0)
+
+
+type dbskkd_port_t, port_type, defined_port_type;
+type dbskkd_client_packet_t, packet_type, client_packet_type;
+type dbskkd_server_packet_t, packet_type, server_packet_type;
+typeattribute dbskkd_port_t unreserved_port_type;
+portcon tcp 1178 gen_context(system_u:object_r:dbskkd_port_t,s0)
+
+
+type dcc_port_t, port_type, defined_port_type;
+type dcc_client_packet_t, packet_type, client_packet_type;
+type dcc_server_packet_t, packet_type, server_packet_type;
+typeattribute dcc_port_t unreserved_port_type;
+portcon udp 6276 gen_context(system_u:object_r:dcc_port_t,s0)
+portcon udp 6277 gen_context(system_u:object_r:dcc_port_t,s0)
+
+
+type dccm_port_t, port_type, defined_port_type;
+type dccm_client_packet_t, packet_type, client_packet_type;
+type dccm_server_packet_t, packet_type, server_packet_type;
+typeattribute dccm_port_t unreserved_port_type;
+portcon tcp 5679 gen_context(system_u:object_r:dccm_port_t,s0)
+portcon udp 5679 gen_context(system_u:object_r:dccm_port_t,s0)
+
+
+type dhcpc_port_t, port_type, defined_port_type;
+type dhcpc_client_packet_t, packet_type, client_packet_type;
+type dhcpc_server_packet_t, packet_type, server_packet_type;
+typeattribute dhcpc_port_t reserved_port_type;
+typeattribute dhcpc_port_t rpc_port_type;
+portcon udp 68 gen_context(system_u:object_r:dhcpc_port_t,s0)
+portcon tcp 68 gen_context(system_u:object_r:dhcpc_port_t,s0)
+portcon udp 546 gen_context(system_u:object_r:dhcpc_port_t,s0)
+portcon tcp 546 gen_context(system_u:object_r:dhcpc_port_t,s0)
+
+
+type dhcpd_port_t, port_type, defined_port_type;
+type dhcpd_client_packet_t, packet_type, client_packet_type;
+type dhcpd_server_packet_t, packet_type, server_packet_type;
+typeattribute dhcpd_port_t reserved_port_type;
+typeattribute dhcpd_port_t rpc_port_type;
+portcon udp 67 gen_context(system_u:object_r:dhcpd_port_t,s0)
+portcon udp 547 gen_context(system_u:object_r:dhcpd_port_t,s0)
+portcon tcp 547 gen_context(system_u:object_r:dhcpd_port_t,s0)
+portcon udp 548 gen_context(system_u:object_r:dhcpd_port_t,s0)
+portcon tcp 548 gen_context(system_u:object_r:dhcpd_port_t,s0)
+portcon tcp 647 gen_context(system_u:object_r:dhcpd_port_t,s0)
+portcon udp 647 gen_context(system_u:object_r:dhcpd_port_t,s0)
+portcon tcp 847 gen_context(system_u:object_r:dhcpd_port_t,s0)
+portcon udp 847 gen_context(system_u:object_r:dhcpd_port_t,s0)
+portcon tcp 7911 gen_context(system_u:object_r:dhcpd_port_t,s0)
+
+
+type dict_port_t, port_type, defined_port_type;
+type dict_client_packet_t, packet_type, client_packet_type;
+type dict_server_packet_t, packet_type, server_packet_type;
+typeattribute dict_port_t unreserved_port_type;
+portcon tcp 2628 gen_context(system_u:object_r:dict_port_t,s0)
+
+
+type distccd_port_t, port_type, defined_port_type;
+type distccd_client_packet_t, packet_type, client_packet_type;
+type distccd_server_packet_t, packet_type, server_packet_type;
+typeattribute distccd_port_t unreserved_port_type;
+portcon tcp 3632 gen_context(system_u:object_r:distccd_port_t,s0)
+
+
+type dns_port_t, port_type, defined_port_type;
+type dns_client_packet_t, packet_type, client_packet_type;
+type dns_server_packet_t, packet_type, server_packet_type;
+typeattribute dns_port_t reserved_port_type;
+portcon udp 53 gen_context(system_u:object_r:dns_port_t,s0)
+portcon tcp 53 gen_context(system_u:object_r:dns_port_t,s0)
+
+
+type epmap_port_t, port_type, defined_port_type;
+type epmap_client_packet_t, packet_type, client_packet_type;
+type epmap_server_packet_t, packet_type, server_packet_type;
+typeattribute epmap_port_t reserved_port_type;
+portcon tcp 135 gen_context(system_u:object_r:epmap_port_t,s0)
+portcon udp 135 gen_context(system_u:object_r:epmap_port_t,s0)
+
+
+type fingerd_port_t, port_type, defined_port_type;
+type fingerd_client_packet_t, packet_type, client_packet_type;
+type fingerd_server_packet_t, packet_type, server_packet_type;
+typeattribute fingerd_port_t reserved_port_type;
+portcon tcp 79 gen_context(system_u:object_r:fingerd_port_t,s0)
+
+
+type ftp_port_t, port_type, defined_port_type;
+type ftp_client_packet_t, packet_type, client_packet_type;
+type ftp_server_packet_t, packet_type, server_packet_type;
+typeattribute ftp_port_t reserved_port_type;
+typeattribute ftp_port_t rpc_port_type;
+portcon tcp 21 gen_context(system_u:object_r:ftp_port_t,s0)
+portcon tcp 990 gen_context(system_u:object_r:ftp_port_t,s0)
+portcon udp 990 gen_context(system_u:object_r:ftp_port_t,s0)
+
+
+type ftp_data_port_t, port_type, defined_port_type;
+type ftp_data_client_packet_t, packet_type, client_packet_type;
+type ftp_data_server_packet_t, packet_type, server_packet_type;
+typeattribute ftp_data_port_t reserved_port_type;
+portcon tcp 20 gen_context(system_u:object_r:ftp_data_port_t,s0)
+
+
+type gatekeeper_port_t, port_type, defined_port_type;
+type gatekeeper_client_packet_t, packet_type, client_packet_type;
+type gatekeeper_server_packet_t, packet_type, server_packet_type;
+typeattribute gatekeeper_port_t unreserved_port_type;
+portcon udp 1718 gen_context(system_u:object_r:gatekeeper_port_t,s0)
+portcon udp 1719 gen_context(system_u:object_r:gatekeeper_port_t,s0)
+portcon tcp 1721 gen_context(system_u:object_r:gatekeeper_port_t,s0)
+portcon tcp 7000 gen_context(system_u:object_r:gatekeeper_port_t,s0)
+
+
+type giftd_port_t, port_type, defined_port_type;
+type giftd_client_packet_t, packet_type, client_packet_type;
+type giftd_server_packet_t, packet_type, server_packet_type;
+typeattribute giftd_port_t unreserved_port_type;
+portcon tcp 1213 gen_context(system_u:object_r:giftd_port_t,s0)
+
+
+type git_port_t, port_type, defined_port_type;
+type git_client_packet_t, packet_type, client_packet_type;
+type git_server_packet_t, packet_type, server_packet_type;
+typeattribute git_port_t unreserved_port_type;
+portcon tcp 9418 gen_context(system_u:object_r:git_port_t,s0)
+portcon udp 9418 gen_context(system_u:object_r:git_port_t,s0)
+
+
+type glance_registry_port_t, port_type, defined_port_type;
+type glance_registry_client_packet_t, packet_type, client_packet_type;
+type glance_registry_server_packet_t, packet_type, server_packet_type;
+typeattribute glance_registry_port_t unreserved_port_type;
+portcon tcp 9191 gen_context(system_u:object_r:glance_registry_port_t,s0)
+portcon udp 9191 gen_context(system_u:object_r:glance_registry_port_t,s0)
+
+
+type gopher_port_t, port_type, defined_port_type;
+type gopher_client_packet_t, packet_type, client_packet_type;
+type gopher_server_packet_t, packet_type, server_packet_type;
+typeattribute gopher_port_t reserved_port_type;
+portcon tcp 70 gen_context(system_u:object_r:gopher_port_t,s0)
+portcon udp 70 gen_context(system_u:object_r:gopher_port_t,s0)
+
+
+type gpsd_port_t, port_type, defined_port_type;
+type gpsd_client_packet_t, packet_type, client_packet_type;
+type gpsd_server_packet_t, packet_type, server_packet_type;
+typeattribute gpsd_port_t unreserved_port_type;
+portcon tcp 2947 gen_context(system_u:object_r:gpsd_port_t,s0)
+
+
+type hadoop_datanode_port_t, port_type, defined_port_type;
+type hadoop_datanode_client_packet_t, packet_type, client_packet_type;
+type hadoop_datanode_server_packet_t, packet_type, server_packet_type;
+typeattribute hadoop_datanode_port_t unreserved_port_type;
+portcon tcp 50010 gen_context(system_u:object_r:hadoop_datanode_port_t,s0)
+
+
+type hadoop_namenode_port_t, port_type, defined_port_type;
+type hadoop_namenode_client_packet_t, packet_type, client_packet_type;
+type hadoop_namenode_server_packet_t, packet_type, server_packet_type;
+typeattribute hadoop_namenode_port_t unreserved_port_type;
+portcon tcp 8020 gen_context(system_u:object_r:hadoop_namenode_port_t,s0)
+
+
+type hddtemp_port_t, port_type, defined_port_type;
+type hddtemp_client_packet_t, packet_type, client_packet_type;
+type hddtemp_server_packet_t, packet_type, server_packet_type;
+typeattribute hddtemp_port_t unreserved_port_type;
+portcon tcp 7634 gen_context(system_u:object_r:hddtemp_port_t,s0)
+
+
+type howl_port_t, port_type, defined_port_type;
+type howl_client_packet_t, packet_type, client_packet_type;
+type howl_server_packet_t, packet_type, server_packet_type;
+typeattribute howl_port_t unreserved_port_type;
+portcon tcp 5335 gen_context(system_u:object_r:howl_port_t,s0)
+portcon udp 5353 gen_context(system_u:object_r:howl_port_t,s0)
+
+
+type hplip_port_t, port_type, defined_port_type;
+type hplip_client_packet_t, packet_type, client_packet_type;
+type hplip_server_packet_t, packet_type, server_packet_type;
+typeattribute hplip_port_t unreserved_port_type;
+portcon tcp 1782 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 2207 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 2208 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 8290 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 50000 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 50002 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 8292 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 9100 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 9101 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 9102 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 9220 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 9221 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 9222 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 9280 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 9281 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 9282 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 9290 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 9291 gen_context(system_u:object_r:hplip_port_t,s0)
+portcon tcp 9292 gen_context(system_u:object_r:hplip_port_t,s0)
+
+
+type http_port_t, port_type, defined_port_type;
+type http_client_packet_t, packet_type, client_packet_type;
+type http_server_packet_t, packet_type, server_packet_type;
+typeattribute http_port_t reserved_port_type;
+portcon tcp 80 gen_context(system_u:object_r:http_port_t,s0)
+portcon tcp 443 gen_context(system_u:object_r:http_port_t,s0)
+portcon tcp 488 gen_context(system_u:object_r:http_port_t,s0)
+portcon tcp 8008 gen_context(system_u:object_r:http_port_t,s0)
+portcon tcp 8009 gen_context(system_u:object_r:http_port_t,s0)
+portcon tcp 8443 gen_context(system_u:object_r:http_port_t,s0)
+ #8443 is mod_nss default port
+
+type http_cache_port_t, port_type, defined_port_type;
+type http_cache_client_packet_t, packet_type, client_packet_type;
+type http_cache_server_packet_t, packet_type, server_packet_type;
+typeattribute http_cache_port_t unreserved_port_type;
+portcon tcp 3128 gen_context(system_u:object_r:http_cache_port_t,s0)
+portcon udp 3130 gen_context(system_u:object_r:http_cache_port_t,s0)
+portcon tcp 8080 gen_context(system_u:object_r:http_cache_port_t,s0)
+portcon tcp 8118 gen_context(system_u:object_r:http_cache_port_t,s0)
+portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t,s0)
+ # 8118 is for privoxy
+
+type i18n_input_port_t, port_type, defined_port_type;
+type i18n_input_client_packet_t, packet_type, client_packet_type;
+type i18n_input_server_packet_t, packet_type, server_packet_type;
+typeattribute i18n_input_port_t unreserved_port_type;
+portcon tcp 9010 gen_context(system_u:object_r:i18n_input_port_t,s0)
+
+
+type imaze_port_t, port_type, defined_port_type;
+type imaze_client_packet_t, packet_type, client_packet_type;
+type imaze_server_packet_t, packet_type, server_packet_type;
+typeattribute imaze_port_t unreserved_port_type;
+portcon tcp 5323 gen_context(system_u:object_r:imaze_port_t,s0)
+portcon udp 5323 gen_context(system_u:object_r:imaze_port_t,s0)
+
+
+type inetd_child_port_t, port_type, defined_port_type;
+type inetd_child_client_packet_t, packet_type, client_packet_type;
+type inetd_child_server_packet_t, packet_type, server_packet_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t rpc_port_type;
+portcon tcp 1 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon udp 1 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon tcp 7 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon udp 7 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon tcp 9 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon udp 9 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon tcp 13 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon udp 13 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon tcp 19 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon udp 19 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon tcp 37 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon udp 37 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon tcp 512 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon tcp 543 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon tcp 544 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon tcp 891 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon udp 891 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon tcp 892 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon udp 892 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon tcp 2105 gen_context(system_u:object_r:inetd_child_port_t,s0)
+portcon tcp 5666 gen_context(system_u:object_r:inetd_child_port_t,s0)
+
+
+type innd_port_t, port_type, defined_port_type;
+type innd_client_packet_t, packet_type, client_packet_type;
+type innd_server_packet_t, packet_type, server_packet_type;
+typeattribute innd_port_t reserved_port_type;
+portcon tcp 119 gen_context(system_u:object_r:innd_port_t,s0)
+
+
+type ipmi_port_t, port_type, defined_port_type;
+type ipmi_client_packet_t, packet_type, client_packet_type;
+type ipmi_server_packet_t, packet_type, server_packet_type;
+typeattribute ipmi_port_t reserved_port_type;
+typeattribute ipmi_port_t rpc_port_type;
+portcon udp 623 gen_context(system_u:object_r:ipmi_port_t,s0)
+portcon udp 664 gen_context(system_u:object_r:ipmi_port_t,s0)
+
+
+type ipp_port_t, port_type, defined_port_type;
+type ipp_client_packet_t, packet_type, client_packet_type;
+type ipp_server_packet_t, packet_type, server_packet_type;
+typeattribute ipp_port_t reserved_port_type;
+typeattribute ipp_port_t rpc_port_type;
+portcon tcp 631 gen_context(system_u:object_r:ipp_port_t,s0)
+portcon udp 631 gen_context(system_u:object_r:ipp_port_t,s0)
+portcon tcp 8610-8614 gen_context(system_u:object_r:ipp_port_t,s0)
+portcon udp 8610-8614 gen_context(system_u:object_r:ipp_port_t,s0)
+
+
+type ipsecnat_port_t, port_type, defined_port_type;
+type ipsecnat_client_packet_t, packet_type, client_packet_type;
+type ipsecnat_server_packet_t, packet_type, server_packet_type;
+typeattribute ipsecnat_port_t unreserved_port_type;
+portcon tcp 4500 gen_context(system_u:object_r:ipsecnat_port_t,s0)
+portcon udp 4500 gen_context(system_u:object_r:ipsecnat_port_t,s0)
+
+
+type ircd_port_t, port_type, defined_port_type;
+type ircd_client_packet_t, packet_type, client_packet_type;
+type ircd_server_packet_t, packet_type, server_packet_type;
+typeattribute ircd_port_t unreserved_port_type;
+portcon tcp 6667 gen_context(system_u:object_r:ircd_port_t,s0)
+
+
+type isakmp_port_t, port_type, defined_port_type;
+type isakmp_client_packet_t, packet_type, client_packet_type;
+type isakmp_server_packet_t, packet_type, server_packet_type;
+typeattribute isakmp_port_t reserved_port_type;
+portcon udp 500 gen_context(system_u:object_r:isakmp_port_t,s0)
+
+
+type iscsi_port_t, port_type, defined_port_type;
+type iscsi_client_packet_t, packet_type, client_packet_type;
+type iscsi_server_packet_t, packet_type, server_packet_type;
+typeattribute iscsi_port_t unreserved_port_type;
+portcon tcp 3260 gen_context(system_u:object_r:iscsi_port_t,s0)
+
+
+type isns_port_t, port_type, defined_port_type;
+type isns_client_packet_t, packet_type, client_packet_type;
+type isns_server_packet_t, packet_type, server_packet_type;
+typeattribute isns_port_t unreserved_port_type;
+portcon tcp 3205 gen_context(system_u:object_r:isns_port_t,s0)
+portcon udp 3205 gen_context(system_u:object_r:isns_port_t,s0)
+
+
+type jabber_client_port_t, port_type, defined_port_type;
+type jabber_client_client_packet_t, packet_type, client_packet_type;
+type jabber_client_server_packet_t, packet_type, server_packet_type;
+typeattribute jabber_client_port_t unreserved_port_type;
+portcon tcp 5222 gen_context(system_u:object_r:jabber_client_port_t,s0)
+portcon tcp 5223 gen_context(system_u:object_r:jabber_client_port_t,s0)
+
+
+type jabber_interserver_port_t, port_type, defined_port_type;
+type jabber_interserver_client_packet_t, packet_type, client_packet_type;
+type jabber_interserver_server_packet_t, packet_type, server_packet_type;
+typeattribute jabber_interserver_port_t unreserved_port_type;
+portcon tcp 5269 gen_context(system_u:object_r:jabber_interserver_port_t,s0)
+
+
+type kerberos_port_t, port_type, defined_port_type;
+type kerberos_client_packet_t, packet_type, client_packet_type;
+type kerberos_server_packet_t, packet_type, server_packet_type;
+typeattribute kerberos_port_t reserved_port_type;
+typeattribute kerberos_port_t rpc_port_type;
+portcon tcp 88 gen_context(system_u:object_r:kerberos_port_t,s0)
+portcon udp 88 gen_context(system_u:object_r:kerberos_port_t,s0)
+portcon tcp 750 gen_context(system_u:object_r:kerberos_port_t,s0)
+portcon udp 750 gen_context(system_u:object_r:kerberos_port_t,s0)
+
+
+type kerberos_admin_port_t, port_type, defined_port_type;
+type kerberos_admin_client_packet_t, packet_type, client_packet_type;
+type kerberos_admin_server_packet_t, packet_type, server_packet_type;
+typeattribute kerberos_admin_port_t reserved_port_type;
+typeattribute kerberos_admin_port_t rpc_port_type;
+portcon tcp 464 gen_context(system_u:object_r:kerberos_admin_port_t,s0)
+portcon udp 464 gen_context(system_u:object_r:kerberos_admin_port_t,s0)
+portcon tcp 749 gen_context(system_u:object_r:kerberos_admin_port_t,s0)
+
+
+type kerberos_master_port_t, port_type, defined_port_type;
+type kerberos_master_client_packet_t, packet_type, client_packet_type;
+type kerberos_master_server_packet_t, packet_type, server_packet_type;
+typeattribute kerberos_master_port_t unreserved_port_type;
+portcon tcp 4444 gen_context(system_u:object_r:kerberos_master_port_t,s0)
+portcon udp 4444 gen_context(system_u:object_r:kerberos_master_port_t,s0)
+
+
+type kismet_port_t, port_type, defined_port_type;
+type kismet_client_packet_t, packet_type, client_packet_type;
+type kismet_server_packet_t, packet_type, server_packet_type;
+typeattribute kismet_port_t unreserved_port_type;
+portcon tcp 2501 gen_context(system_u:object_r:kismet_port_t,s0)
+
+
+type kprop_port_t, port_type, defined_port_type;
+type kprop_client_packet_t, packet_type, client_packet_type;
+type kprop_server_packet_t, packet_type, server_packet_type;
+typeattribute kprop_port_t reserved_port_type;
+typeattribute kprop_port_t rpc_port_type;
+portcon tcp 754 gen_context(system_u:object_r:kprop_port_t,s0)
+
+
+type ktalkd_port_t, port_type, defined_port_type;
+type ktalkd_client_packet_t, packet_type, client_packet_type;
+type ktalkd_server_packet_t, packet_type, server_packet_type;
+typeattribute ktalkd_port_t reserved_port_type;
+typeattribute ktalkd_port_t rpc_port_type;
+portcon udp 517 gen_context(system_u:object_r:ktalkd_port_t,s0)
+portcon udp 518 gen_context(system_u:object_r:ktalkd_port_t,s0)
+
+
+type ldap_port_t, port_type, defined_port_type;
+type ldap_client_packet_t, packet_type, client_packet_type;
+type ldap_server_packet_t, packet_type, server_packet_type;
+typeattribute ldap_port_t reserved_port_type;
+typeattribute ldap_port_t rpc_port_type;
+portcon tcp 389 gen_context(system_u:object_r:ldap_port_t,s0)
+portcon udp 389 gen_context(system_u:object_r:ldap_port_t,s0)
+portcon tcp 636 gen_context(system_u:object_r:ldap_port_t,s0)
+portcon udp 636 gen_context(system_u:object_r:ldap_port_t,s0)
+portcon tcp 3268 gen_context(system_u:object_r:ldap_port_t,s0)
+
+
+type lirc_port_t, port_type, defined_port_type;
+type lirc_client_packet_t, packet_type, client_packet_type;
+type lirc_server_packet_t, packet_type, server_packet_type;
+typeattribute lirc_port_t unreserved_port_type;
+portcon tcp 8765 gen_context(system_u:object_r:lirc_port_t,s0)
+
+
+type lmtp_port_t, port_type, defined_port_type;
+type lmtp_client_packet_t, packet_type, client_packet_type;
+type lmtp_server_packet_t, packet_type, server_packet_type;
+typeattribute lmtp_port_t reserved_port_type;
+portcon tcp 24 gen_context(system_u:object_r:lmtp_port_t,s0)
+portcon udp 24 gen_context(system_u:object_r:lmtp_port_t,s0)
+
+
+type lrrd_port_t, port_type, defined_port_type;
+type lrrd_client_packet_t, packet_type, client_packet_type;
+type lrrd_server_packet_t, packet_type, server_packet_type;
+ # no defined portcon
+
+type mail_port_t, port_type, defined_port_type;
+type mail_client_packet_t, packet_type, client_packet_type;
+type mail_server_packet_t, packet_type, server_packet_type;
+typeattribute mail_port_t unreserved_port_type;
+portcon tcp 2000 gen_context(system_u:object_r:mail_port_t,s0)
+portcon tcp 3905 gen_context(system_u:object_r:mail_port_t,s0)
+
+
+type matahari_port_t, port_type, defined_port_type;
+type matahari_client_packet_t, packet_type, client_packet_type;
+type matahari_server_packet_t, packet_type, server_packet_type;
+typeattribute matahari_port_t unreserved_port_type;
+portcon tcp 49000 gen_context(system_u:object_r:matahari_port_t,s0)
+portcon udp 49000 gen_context(system_u:object_r:matahari_port_t,s0)
+
+
+type memcache_port_t, port_type, defined_port_type;
+type memcache_client_packet_t, packet_type, client_packet_type;
+type memcache_server_packet_t, packet_type, server_packet_type;
+typeattribute memcache_port_t unreserved_port_type;
+portcon tcp 11211 gen_context(system_u:object_r:memcache_port_t,s0)
+portcon udp 11211 gen_context(system_u:object_r:memcache_port_t,s0)
+
+
+type milter_port_t, port_type, defined_port_type;
+type milter_client_packet_t, packet_type, client_packet_type;
+type milter_server_packet_t, packet_type, server_packet_type;
+ # no defined portcon
+
+type mmcc_port_t, port_type, defined_port_type;
+type mmcc_client_packet_t, packet_type, client_packet_type;
+type mmcc_server_packet_t, packet_type, server_packet_type;
+typeattribute mmcc_port_t unreserved_port_type;
+portcon tcp 5050 gen_context(system_u:object_r:mmcc_port_t,s0)
+portcon udp 5050 gen_context(system_u:object_r:mmcc_port_t,s0)
+
+
+type monopd_port_t, port_type, defined_port_type;
+type monopd_client_packet_t, packet_type, client_packet_type;
+type monopd_server_packet_t, packet_type, server_packet_type;
+typeattribute monopd_port_t unreserved_port_type;
+portcon tcp 1234 gen_context(system_u:object_r:monopd_port_t,s0)
+
+
+type mpd_port_t, port_type, defined_port_type;
+type mpd_client_packet_t, packet_type, client_packet_type;
+type mpd_server_packet_t, packet_type, server_packet_type;
+typeattribute mpd_port_t unreserved_port_type;
+portcon tcp 6600 gen_context(system_u:object_r:mpd_port_t,s0)
+
+
+type msnp_port_t, port_type, defined_port_type;
+type msnp_client_packet_t, packet_type, client_packet_type;
+type msnp_server_packet_t, packet_type, server_packet_type;
+typeattribute msnp_port_t unreserved_port_type;
+portcon tcp 1863 gen_context(system_u:object_r:msnp_port_t,s0)
+portcon udp 1863 gen_context(system_u:object_r:msnp_port_t,s0)
+
+
+type mssql_port_t, port_type, defined_port_type;
+type mssql_client_packet_t, packet_type, client_packet_type;
+type mssql_server_packet_t, packet_type, server_packet_type;
+typeattribute mssql_port_t unreserved_port_type;
+portcon tcp 1433-1434 gen_context(system_u:object_r:mssql_port_t,s0)
+portcon udp 1433-1434 gen_context(system_u:object_r:mssql_port_t,s0)
+
+
+type munin_port_t, port_type, defined_port_type;
+type munin_client_packet_t, packet_type, client_packet_type;
+type munin_server_packet_t, packet_type, server_packet_type;
+typeattribute munin_port_t unreserved_port_type;
+portcon tcp 4949 gen_context(system_u:object_r:munin_port_t,s0)
+portcon udp 4949 gen_context(system_u:object_r:munin_port_t,s0)
+
+
+type mysqld_port_t, port_type, defined_port_type;
+type mysqld_client_packet_t, packet_type, client_packet_type;
+type mysqld_server_packet_t, packet_type, server_packet_type;
+typeattribute mysqld_port_t unreserved_port_type;
+portcon tcp 1186 gen_context(system_u:object_r:mysqld_port_t,s0)
+portcon tcp 3306 gen_context(system_u:object_r:mysqld_port_t,s0)
+portcon tcp 63132-63164 gen_context(system_u:object_r:mysqld_port_t,s0)
+
+
+type mysqlmanagerd_port_t, port_type, defined_port_type;
+type mysqlmanagerd_client_packet_t, packet_type, client_packet_type;
+type mysqlmanagerd_server_packet_t, packet_type, server_packet_type;
+typeattribute mysqlmanagerd_port_t unreserved_port_type;
+portcon tcp 2273 gen_context(system_u:object_r:mysqlmanagerd_port_t,s0)
+
+
+type nessus_port_t, port_type, defined_port_type;
+type nessus_client_packet_t, packet_type, client_packet_type;
+type nessus_server_packet_t, packet_type, server_packet_type;
+typeattribute nessus_port_t unreserved_port_type;
+portcon tcp 1241 gen_context(system_u:object_r:nessus_port_t,s0)
+
+
+type netport_port_t, port_type, defined_port_type;
+type netport_client_packet_t, packet_type, client_packet_type;
+type netport_server_packet_t, packet_type, server_packet_type;
+typeattribute netport_port_t unreserved_port_type;
+portcon tcp 3129 gen_context(system_u:object_r:netport_port_t,s0)
+portcon udp 3129 gen_context(system_u:object_r:netport_port_t,s0)
+
+
+type netsupport_port_t, port_type, defined_port_type;
+type netsupport_client_packet_t, packet_type, client_packet_type;
+type netsupport_server_packet_t, packet_type, server_packet_type;
+typeattribute netsupport_port_t unreserved_port_type;
+portcon tcp 5404 gen_context(system_u:object_r:netsupport_port_t,s0)
+portcon udp 5404 gen_context(system_u:object_r:netsupport_port_t,s0)
+portcon tcp 5405 gen_context(system_u:object_r:netsupport_port_t,s0)
+portcon udp 5405 gen_context(system_u:object_r:netsupport_port_t,s0)
+
+
+type nmbd_port_t, port_type, defined_port_type;
+type nmbd_client_packet_t, packet_type, client_packet_type;
+type nmbd_server_packet_t, packet_type, server_packet_type;
+typeattribute nmbd_port_t reserved_port_type;
+portcon udp 137 gen_context(system_u:object_r:nmbd_port_t,s0)
+portcon udp 138 gen_context(system_u:object_r:nmbd_port_t,s0)
+
+
+type ntop_port_t, port_type, defined_port_type;
+type ntop_client_packet_t, packet_type, client_packet_type;
+type ntop_server_packet_t, packet_type, server_packet_type;
+typeattribute ntop_port_t unreserved_port_type;
+portcon tcp 3000-3001 gen_context(system_u:object_r:ntop_port_t,s0)
+portcon udp 3000-3001 gen_context(system_u:object_r:ntop_port_t,s0)
+
+
+type ntp_port_t, port_type, defined_port_type;
+type ntp_client_packet_t, packet_type, client_packet_type;
+type ntp_server_packet_t, packet_type, server_packet_type;
+typeattribute ntp_port_t reserved_port_type;
+portcon udp 123 gen_context(system_u:object_r:ntp_port_t,s0)
+
+
+type oracledb_port_t, port_type, defined_port_type;
+type oracledb_client_packet_t, packet_type, client_packet_type;
+type oracledb_server_packet_t, packet_type, server_packet_type;
+typeattribute oracledb_port_t unreserved_port_type;
+portcon tcp 1521 gen_context(system_u:object_r:oracledb_port_t,s0)
+portcon udp 1521 gen_context(system_u:object_r:oracledb_port_t,s0)
+portcon tcp 2483 gen_context(system_u:object_r:oracledb_port_t,s0)
+portcon udp 2483 gen_context(system_u:object_r:oracledb_port_t,s0)
+portcon tcp 2484 gen_context(system_u:object_r:oracledb_port_t,s0)
+portcon udp 2484 gen_context(system_u:object_r:oracledb_port_t,s0)
+
+
+type ocsp_port_t, port_type, defined_port_type;
+type ocsp_client_packet_t, packet_type, client_packet_type;
+type ocsp_server_packet_t, packet_type, server_packet_type;
+typeattribute ocsp_port_t unreserved_port_type;
+portcon tcp 9080 gen_context(system_u:object_r:ocsp_port_t,s0)
+
+
+type openvpn_port_t, port_type, defined_port_type;
+type openvpn_client_packet_t, packet_type, client_packet_type;
+type openvpn_server_packet_t, packet_type, server_packet_type;
+typeattribute openvpn_port_t unreserved_port_type;
+portcon tcp 1194 gen_context(system_u:object_r:openvpn_port_t,s0)
+portcon udp 1194 gen_context(system_u:object_r:openvpn_port_t,s0)
+
+
+type pegasus_http_port_t, port_type, defined_port_type;
+type pegasus_http_client_packet_t, packet_type, client_packet_type;
+type pegasus_http_server_packet_t, packet_type, server_packet_type;
+typeattribute pegasus_http_port_t unreserved_port_type;
+portcon tcp 5988 gen_context(system_u:object_r:pegasus_http_port_t,s0)
+
+
+type pegasus_https_port_t, port_type, defined_port_type;
+type pegasus_https_client_packet_t, packet_type, client_packet_type;
+type pegasus_https_server_packet_t, packet_type, server_packet_type;
+typeattribute pegasus_https_port_t unreserved_port_type;
+portcon tcp 5989 gen_context(system_u:object_r:pegasus_https_port_t,s0)
+
+
+type pgpkeyserver_port_t, port_type, defined_port_type;
+type pgpkeyserver_client_packet_t, packet_type, client_packet_type;
+type pgpkeyserver_server_packet_t, packet_type, server_packet_type;
+typeattribute pgpkeyserver_port_t unreserved_port_type;
+portcon udp 11371 gen_context(system_u:object_r:pgpkeyserver_port_t,s0)
+portcon tcp 11371 gen_context(system_u:object_r:pgpkeyserver_port_t,s0)
+
+
+type pingd_port_t, port_type, defined_port_type;
+type pingd_client_packet_t, packet_type, client_packet_type;
+type pingd_server_packet_t, packet_type, server_packet_type;
+typeattribute pingd_port_t unreserved_port_type;
+portcon tcp 9125 gen_context(system_u:object_r:pingd_port_t,s0)
+
+
+type pop_port_t, port_type, defined_port_type;
+type pop_client_packet_t, packet_type, client_packet_type;
+type pop_server_packet_t, packet_type, server_packet_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute pop_port_t rpc_port_type;
+portcon tcp 106 gen_context(system_u:object_r:pop_port_t,s0)
+portcon tcp 109 gen_context(system_u:object_r:pop_port_t,s0)
+portcon tcp 110 gen_context(system_u:object_r:pop_port_t,s0)
+portcon tcp 143 gen_context(system_u:object_r:pop_port_t,s0)
+portcon tcp 220 gen_context(system_u:object_r:pop_port_t,s0)
+portcon tcp 993 gen_context(system_u:object_r:pop_port_t,s0)
+portcon tcp 995 gen_context(system_u:object_r:pop_port_t,s0)
+portcon tcp 1109 gen_context(system_u:object_r:pop_port_t,s0)
+
+
+type portmap_port_t, port_type, defined_port_type;
+type portmap_client_packet_t, packet_type, client_packet_type;
+type portmap_server_packet_t, packet_type, server_packet_type;
+typeattribute portmap_port_t reserved_port_type;
+portcon udp 111 gen_context(system_u:object_r:portmap_port_t,s0)
+portcon tcp 111 gen_context(system_u:object_r:portmap_port_t,s0)
+
+
+type postfix_policyd_port_t, port_type, defined_port_type;
+type postfix_policyd_client_packet_t, packet_type, client_packet_type;
+type postfix_policyd_server_packet_t, packet_type, server_packet_type;
+typeattribute postfix_policyd_port_t unreserved_port_type;
+portcon tcp 10031 gen_context(system_u:object_r:postfix_policyd_port_t,s0)
+
+
+type postgresql_port_t, port_type, defined_port_type;
+type postgresql_client_packet_t, packet_type, client_packet_type;
+type postgresql_server_packet_t, packet_type, server_packet_type;
+typeattribute postgresql_port_t unreserved_port_type;
+portcon tcp 5432 gen_context(system_u:object_r:postgresql_port_t,s0)
+
+
+type postgrey_port_t, port_type, defined_port_type;
+type postgrey_client_packet_t, packet_type, client_packet_type;
+type postgrey_server_packet_t, packet_type, server_packet_type;
+typeattribute postgrey_port_t unreserved_port_type;
+portcon tcp 60000 gen_context(system_u:object_r:postgrey_port_t,s0)
+
+
+type prelude_port_t, port_type, defined_port_type;
+type prelude_client_packet_t, packet_type, client_packet_type;
+type prelude_server_packet_t, packet_type, server_packet_type;
+typeattribute prelude_port_t unreserved_port_type;
+portcon tcp 4690 gen_context(system_u:object_r:prelude_port_t,s0)
+portcon udp 4690 gen_context(system_u:object_r:prelude_port_t,s0)
+
+
+type presence_port_t, port_type, defined_port_type;
+type presence_client_packet_t, packet_type, client_packet_type;
+type presence_server_packet_t, packet_type, server_packet_type;
+typeattribute presence_port_t unreserved_port_type;
+portcon tcp 5298-5299 gen_context(system_u:object_r:presence_port_t,s0)
+portcon udp 5298-5299 gen_context(system_u:object_r:presence_port_t,s0)
+
+
+type printer_port_t, port_type, defined_port_type;
+type printer_client_packet_t, packet_type, client_packet_type;
+type printer_server_packet_t, packet_type, server_packet_type;
+typeattribute printer_port_t reserved_port_type;
+typeattribute printer_port_t rpc_port_type;
+portcon tcp 515 gen_context(system_u:object_r:printer_port_t,s0)
+
+
+type ptal_port_t, port_type, defined_port_type;
+type ptal_client_packet_t, packet_type, client_packet_type;
+type ptal_server_packet_t, packet_type, server_packet_type;
+typeattribute ptal_port_t unreserved_port_type;
+portcon tcp 5703 gen_context(system_u:object_r:ptal_port_t,s0)
+
+
+type pulseaudio_port_t, port_type, defined_port_type;
+type pulseaudio_client_packet_t, packet_type, client_packet_type;
+type pulseaudio_server_packet_t, packet_type, server_packet_type;
+typeattribute pulseaudio_port_t unreserved_port_type;
+portcon tcp 4713 gen_context(system_u:object_r:pulseaudio_port_t,s0)
+
+
+type puppet_port_t, port_type, defined_port_type;
+type puppet_client_packet_t, packet_type, client_packet_type;
+type puppet_server_packet_t, packet_type, server_packet_type;
+typeattribute puppet_port_t unreserved_port_type;
+portcon tcp 8140 gen_context(system_u:object_r:puppet_port_t,s0)
+
+
+type pxe_port_t, port_type, defined_port_type;
+type pxe_client_packet_t, packet_type, client_packet_type;
+type pxe_server_packet_t, packet_type, server_packet_type;
+typeattribute pxe_port_t unreserved_port_type;
+portcon udp 4011 gen_context(system_u:object_r:pxe_port_t,s0)
+
+
+type pyzor_port_t, port_type, defined_port_type;
+type pyzor_client_packet_t, packet_type, client_packet_type;
+type pyzor_server_packet_t, packet_type, server_packet_type;
+typeattribute pyzor_port_t unreserved_port_type;
+portcon udp 24441 gen_context(system_u:object_r:pyzor_port_t,s0)
+
+
+type radacct_port_t, port_type, defined_port_type;
+type radacct_client_packet_t, packet_type, client_packet_type;
+type radacct_server_packet_t, packet_type, server_packet_type;
+typeattribute radacct_port_t unreserved_port_type;
+portcon udp 1646 gen_context(system_u:object_r:radacct_port_t,s0)
+portcon udp 1813 gen_context(system_u:object_r:radacct_port_t,s0)
+
+
+type radius_port_t, port_type, defined_port_type;
+type radius_client_packet_t, packet_type, client_packet_type;
+type radius_server_packet_t, packet_type, server_packet_type;
+typeattribute radius_port_t unreserved_port_type;
+portcon udp 1645 gen_context(system_u:object_r:radius_port_t,s0)
+portcon udp 1812 gen_context(system_u:object_r:radius_port_t,s0)
+
+
+type radsec_port_t, port_type, defined_port_type;
+type radsec_client_packet_t, packet_type, client_packet_type;
+type radsec_server_packet_t, packet_type, server_packet_type;
+typeattribute radsec_port_t unreserved_port_type;
+portcon tcp 2083 gen_context(system_u:object_r:radsec_port_t,s0)
+
+
+type razor_port_t, port_type, defined_port_type;
+type razor_client_packet_t, packet_type, client_packet_type;
+type razor_server_packet_t, packet_type, server_packet_type;
+typeattribute razor_port_t unreserved_port_type;
+portcon tcp 2703 gen_context(system_u:object_r:razor_port_t,s0)
+
+
+type repository_port_t, port_type, defined_port_type;
+type repository_client_packet_t, packet_type, client_packet_type;
+type repository_server_packet_t, packet_type, server_packet_type;
+typeattribute repository_port_t unreserved_port_type;
+portcon tcp 6363 gen_context(system_u:object_r:repository_port_t,s0)
+
+
+type ricci_port_t, port_type, defined_port_type;
+type ricci_client_packet_t, packet_type, client_packet_type;
+type ricci_server_packet_t, packet_type, server_packet_type;
+typeattribute ricci_port_t unreserved_port_type;
+portcon tcp 11111 gen_context(system_u:object_r:ricci_port_t,s0)
+portcon udp 11111 gen_context(system_u:object_r:ricci_port_t,s0)
+
+
+type ricci_modcluster_port_t, port_type, defined_port_type;
+type ricci_modcluster_client_packet_t, packet_type, client_packet_type;
+type ricci_modcluster_server_packet_t, packet_type, server_packet_type;
+typeattribute ricci_modcluster_port_t unreserved_port_type;
+portcon tcp 16851 gen_context(system_u:object_r:ricci_modcluster_port_t,s0)
+portcon udp 16851 gen_context(system_u:object_r:ricci_modcluster_port_t,s0)
+
+
+type rlogind_port_t, port_type, defined_port_type;
+type rlogind_client_packet_t, packet_type, client_packet_type;
+type rlogind_server_packet_t, packet_type, server_packet_type;
+typeattribute rlogind_port_t reserved_port_type;
+typeattribute rlogind_port_t rpc_port_type;
+portcon tcp 513 gen_context(system_u:object_r:rlogind_port_t,s0)
+
+
+type rndc_port_t, port_type, defined_port_type;
+type rndc_client_packet_t, packet_type, client_packet_type;
+type rndc_server_packet_t, packet_type, server_packet_type;
+typeattribute rndc_port_t reserved_port_type;
+typeattribute rndc_port_t rpc_port_type;
+portcon tcp 953 gen_context(system_u:object_r:rndc_port_t,s0)
+
+
+type router_port_t, port_type, defined_port_type;
+type router_client_packet_t, packet_type, client_packet_type;
+type router_server_packet_t, packet_type, server_packet_type;
+typeattribute router_port_t reserved_port_type;
+typeattribute router_port_t rpc_port_type;
+portcon udp 520 gen_context(system_u:object_r:router_port_t,s0)
+portcon udp 521 gen_context(system_u:object_r:router_port_t,s0)
+portcon tcp 521 gen_context(system_u:object_r:router_port_t,s0)
+
+
+type rsh_port_t, port_type, defined_port_type;
+type rsh_client_packet_t, packet_type, client_packet_type;
+type rsh_server_packet_t, packet_type, server_packet_type;
+typeattribute rsh_port_t reserved_port_type;
+typeattribute rsh_port_t rpc_port_type;
+portcon tcp 514 gen_context(system_u:object_r:rsh_port_t,s0)
+
+
+type rsync_port_t, port_type, defined_port_type;
+type rsync_client_packet_t, packet_type, client_packet_type;
+type rsync_server_packet_t, packet_type, server_packet_type;
+typeattribute rsync_port_t reserved_port_type;
+typeattribute rsync_port_t rpc_port_type;
+portcon tcp 873 gen_context(system_u:object_r:rsync_port_t,s0)
+portcon udp 873 gen_context(system_u:object_r:rsync_port_t,s0)
+
+
+type rwho_port_t, port_type, defined_port_type;
+type rwho_client_packet_t, packet_type, client_packet_type;
+type rwho_server_packet_t, packet_type, server_packet_type;
+typeattribute rwho_port_t reserved_port_type;
+typeattribute rwho_port_t rpc_port_type;
+portcon udp 513 gen_context(system_u:object_r:rwho_port_t,s0)
+
+
+type sap_port_t, port_type, defined_port_type;
+type sap_client_packet_t, packet_type, client_packet_type;
+type sap_server_packet_t, packet_type, server_packet_type;
+typeattribute sap_port_t unreserved_port_type;
+portcon tcp 9875 gen_context(system_u:object_r:sap_port_t,s0)
+portcon udp 9875 gen_context(system_u:object_r:sap_port_t,s0)
+
+
+type sieve_port_t, port_type, defined_port_type;
+type sieve_client_packet_t, packet_type, client_packet_type;
+type sieve_server_packet_t, packet_type, server_packet_type;
+typeattribute sieve_port_t unreserved_port_type;
+portcon tcp 4190 gen_context(system_u:object_r:sieve_port_t,s0)
+
+
+type sip_port_t, port_type, defined_port_type;
+type sip_client_packet_t, packet_type, client_packet_type;
+type sip_server_packet_t, packet_type, server_packet_type;
+typeattribute sip_port_t unreserved_port_type;
+portcon tcp 5060 gen_context(system_u:object_r:sip_port_t,s0)
+portcon udp 5060 gen_context(system_u:object_r:sip_port_t,s0)
+portcon tcp 5061 gen_context(system_u:object_r:sip_port_t,s0)
+portcon udp 5061 gen_context(system_u:object_r:sip_port_t,s0)
+
+
+type sixxsconfig_port_t, port_type, defined_port_type;
+type sixxsconfig_client_packet_t, packet_type, client_packet_type;
+type sixxsconfig_server_packet_t, packet_type, server_packet_type;
+typeattribute sixxsconfig_port_t unreserved_port_type;
+portcon tcp 3874 gen_context(system_u:object_r:sixxsconfig_port_t,s0)
+portcon udp 3874 gen_context(system_u:object_r:sixxsconfig_port_t,s0)
+
+
+type smbd_port_t, port_type, defined_port_type;
+type smbd_client_packet_t, packet_type, client_packet_type;
+type smbd_server_packet_t, packet_type, server_packet_type;
+typeattribute smbd_port_t reserved_port_type;
+portcon tcp 137-139 gen_context(system_u:object_r:smbd_port_t,s0)
+portcon tcp 445 gen_context(system_u:object_r:smbd_port_t,s0)
+
+
+type smtp_port_t, port_type, defined_port_type;
+type smtp_client_packet_t, packet_type, client_packet_type;
+type smtp_server_packet_t, packet_type, server_packet_type;
+typeattribute smtp_port_t reserved_port_type;
+typeattribute smtp_port_t rpc_port_type;
+portcon tcp 25 gen_context(system_u:object_r:smtp_port_t,s0)
+portcon tcp 465 gen_context(system_u:object_r:smtp_port_t,s0)
+portcon tcp 587 gen_context(system_u:object_r:smtp_port_t,s0)
+
+
+type snmp_port_t, port_type, defined_port_type;
+type snmp_client_packet_t, packet_type, client_packet_type;
+type snmp_server_packet_t, packet_type, server_packet_type;
+typeattribute snmp_port_t reserved_port_type;
+portcon udp 161 gen_context(system_u:object_r:snmp_port_t,s0)
+portcon udp 162 gen_context(system_u:object_r:snmp_port_t,s0)
+portcon tcp 199 gen_context(system_u:object_r:snmp_port_t,s0)
+portcon tcp 1161 gen_context(system_u:object_r:snmp_port_t,s0)
+
+
+type socks_port_t, port_type, defined_port_type;
+type socks_client_packet_t, packet_type, client_packet_type;
+type socks_server_packet_t, packet_type, server_packet_type;
+ # no defined portcon
+
+type soundd_port_t, port_type, defined_port_type;
+type soundd_client_packet_t, packet_type, client_packet_type;
+type soundd_server_packet_t, packet_type, server_packet_type;
+typeattribute soundd_port_t unreserved_port_type;
+portcon tcp 8000 gen_context(system_u:object_r:soundd_port_t,s0)
+portcon tcp 9433 gen_context(system_u:object_r:soundd_port_t,s0)
+portcon tcp 16001 gen_context(system_u:object_r:soundd_port_t,s0)
+
+
+type spamd_port_t, port_type, defined_port_type;
+type spamd_client_packet_t, packet_type, client_packet_type;
+type spamd_server_packet_t, packet_type, server_packet_type;
+typeattribute spamd_port_t reserved_port_type;
+typeattribute spamd_port_t rpc_port_type;
+portcon tcp 783 gen_context(system_u:object_r:spamd_port_t,s0)
+
+
+type speech_port_t, port_type, defined_port_type;
+type speech_client_packet_t, packet_type, client_packet_type;
+type speech_server_packet_t, packet_type, server_packet_type;
+typeattribute speech_port_t unreserved_port_type;
+portcon tcp 8036 gen_context(system_u:object_r:speech_port_t,s0)
+
+
+type squid_port_t, port_type, defined_port_type;
+type squid_client_packet_t, packet_type, client_packet_type;
+type squid_server_packet_t, packet_type, server_packet_type;
+typeattribute squid_port_t unreserved_port_type;
+portcon udp 3401 gen_context(system_u:object_r:squid_port_t,s0)
+portcon tcp 3401 gen_context(system_u:object_r:squid_port_t,s0)
+portcon udp 4827 gen_context(system_u:object_r:squid_port_t,s0)
+portcon tcp 4827 gen_context(system_u:object_r:squid_port_t,s0)
+ # snmp and htcp
+
+type ssh_port_t, port_type, defined_port_type;
+type ssh_client_packet_t, packet_type, client_packet_type;
+type ssh_server_packet_t, packet_type, server_packet_type;
+typeattribute ssh_port_t reserved_port_type;
+portcon tcp 22 gen_context(system_u:object_r:ssh_port_t,s0)
+
+
+type stunnel_port_t, port_type, defined_port_type;
+type stunnel_client_packet_t, packet_type, client_packet_type;
+type stunnel_server_packet_t, packet_type, server_packet_type;
+ # no defined portcon
+
+type swat_port_t, port_type, defined_port_type;
+type swat_client_packet_t, packet_type, client_packet_type;
+type swat_server_packet_t, packet_type, server_packet_type;
+typeattribute swat_port_t reserved_port_type;
+typeattribute swat_port_t rpc_port_type;
+portcon tcp 901 gen_context(system_u:object_r:swat_port_t,s0)
+
+
+type syslogd_port_t, port_type, defined_port_type;
+type syslogd_client_packet_t, packet_type, client_packet_type;
+type syslogd_server_packet_t, packet_type, server_packet_type;
+typeattribute syslogd_port_t reserved_port_type;
+typeattribute syslogd_port_t rpc_port_type;
+portcon udp 514 gen_context(system_u:object_r:syslogd_port_t,s0)
+
+
+type tcs_port_t, port_type, defined_port_type;
+type tcs_client_packet_t, packet_type, client_packet_type;
+type tcs_server_packet_t, packet_type, server_packet_type;
+typeattribute tcs_port_t unreserved_port_type;
+portcon tcp 30003 gen_context(system_u:object_r:tcs_port_t,s0)
+
+
+type telnetd_port_t, port_type, defined_port_type;
+type telnetd_client_packet_t, packet_type, client_packet_type;
+type telnetd_server_packet_t, packet_type, server_packet_type;
+typeattribute telnetd_port_t reserved_port_type;
+portcon tcp 23 gen_context(system_u:object_r:telnetd_port_t,s0)
+
+
+type tftp_port_t, port_type, defined_port_type;
+type tftp_client_packet_t, packet_type, client_packet_type;
+type tftp_server_packet_t, packet_type, server_packet_type;
+typeattribute tftp_port_t reserved_port_type;
+portcon udp 69 gen_context(system_u:object_r:tftp_port_t,s0)
+
+
+type tor_port_t, port_type, defined_port_type;
+type tor_client_packet_t, packet_type, client_packet_type;
+type tor_server_packet_t, packet_type, server_packet_type;
+typeattribute tor_port_t unreserved_port_type;
+portcon tcp 6969 gen_context(system_u:object_r:tor_port_t,s0)
+portcon tcp 9001 gen_context(system_u:object_r:tor_port_t,s0)
+portcon tcp 9030 gen_context(system_u:object_r:tor_port_t,s0)
+portcon tcp 9050 gen_context(system_u:object_r:tor_port_t,s0)
+portcon tcp 9051 gen_context(system_u:object_r:tor_port_t,s0)
+
+
+type traceroute_port_t, port_type, defined_port_type;
+type traceroute_client_packet_t, packet_type, client_packet_type;
+type traceroute_server_packet_t, packet_type, server_packet_type;
+typeattribute traceroute_port_t unreserved_port_type;
+portcon udp 64000-64010 gen_context(system_u:object_r:traceroute_port_t,s0)
+
+
+type transproxy_port_t, port_type, defined_port_type;
+type transproxy_client_packet_t, packet_type, client_packet_type;
+type transproxy_server_packet_t, packet_type, server_packet_type;
+typeattribute transproxy_port_t unreserved_port_type;
+portcon tcp 8081 gen_context(system_u:object_r:transproxy_port_t,s0)
+
+
+type ups_port_t, port_type, defined_port_type;
+type ups_client_packet_t, packet_type, client_packet_type;
+type ups_server_packet_t, packet_type, server_packet_type;
+typeattribute ups_port_t unreserved_port_type;
+portcon tcp 3493 gen_context(system_u:object_r:ups_port_t,s0)
+
+
+type utcpserver_port_t, port_type, defined_port_type;
+type utcpserver_client_packet_t, packet_type, client_packet_type;
+type utcpserver_server_packet_t, packet_type, server_packet_type;
+ # no defined portcon
+
+type uucpd_port_t, port_type, defined_port_type;
+type uucpd_client_packet_t, packet_type, client_packet_type;
+type uucpd_server_packet_t, packet_type, server_packet_type;
+typeattribute uucpd_port_t reserved_port_type;
+typeattribute uucpd_port_t rpc_port_type;
+portcon tcp 540 gen_context(system_u:object_r:uucpd_port_t,s0)
+
+
+type varnishd_port_t, port_type, defined_port_type;
+type varnishd_client_packet_t, packet_type, client_packet_type;
+type varnishd_server_packet_t, packet_type, server_packet_type;
+typeattribute varnishd_port_t unreserved_port_type;
+portcon tcp 6081-6082 gen_context(system_u:object_r:varnishd_port_t,s0)
+
+
+type virt_port_t, port_type, defined_port_type;
+type virt_client_packet_t, packet_type, client_packet_type;
+type virt_server_packet_t, packet_type, server_packet_type;
+typeattribute virt_port_t unreserved_port_type;
+portcon tcp 16509 gen_context(system_u:object_r:virt_port_t,s0)
+portcon udp 16509 gen_context(system_u:object_r:virt_port_t,s0)
+portcon tcp 16514 gen_context(system_u:object_r:virt_port_t,s0)
+portcon udp 16514 gen_context(system_u:object_r:virt_port_t,s0)
+
+
+type virt_migration_port_t, port_type, defined_port_type;
+type virt_migration_client_packet_t, packet_type, client_packet_type;
+type virt_migration_server_packet_t, packet_type, server_packet_type;
+typeattribute virt_migration_port_t unreserved_port_type;
+portcon tcp 49152-49216 gen_context(system_u:object_r:virt_migration_port_t,s0)
+
+
+type vnc_port_t, port_type, defined_port_type;
+type vnc_client_packet_t, packet_type, client_packet_type;
+type vnc_server_packet_t, packet_type, server_packet_type;
+typeattribute vnc_port_t unreserved_port_type;
+portcon tcp 5900 gen_context(system_u:object_r:vnc_port_t,s0)
+
+
+type wccp_port_t, port_type, defined_port_type;
+type wccp_client_packet_t, packet_type, client_packet_type;
+type wccp_server_packet_t, packet_type, server_packet_type;
+typeattribute wccp_port_t unreserved_port_type;
+portcon udp 2048 gen_context(system_u:object_r:wccp_port_t,s0)
+
+
+type whois_port_t, port_type, defined_port_type;
+type whois_client_packet_t, packet_type, client_packet_type;
+type whois_server_packet_t, packet_type, server_packet_type;
+typeattribute whois_port_t reserved_port_type;
+portcon tcp 43 gen_context(system_u:object_r:whois_port_t,s0)
+portcon udp 43 gen_context(system_u:object_r:whois_port_t,s0)
+portcon tcp 4321 gen_context(system_u:object_r:whois_port_t,s0 )
+portcon udp 4321 gen_context(system_u:object_r:whois_port_t,s0 )
+
+
+type xdmcp_port_t, port_type, defined_port_type;
+type xdmcp_client_packet_t, packet_type, client_packet_type;
+type xdmcp_server_packet_t, packet_type, server_packet_type;
+typeattribute xdmcp_port_t reserved_port_type;
+portcon udp 177 gen_context(system_u:object_r:xdmcp_port_t,s0)
+portcon tcp 177 gen_context(system_u:object_r:xdmcp_port_t,s0)
+
+
+type xen_port_t, port_type, defined_port_type;
+type xen_client_packet_t, packet_type, client_packet_type;
+type xen_server_packet_t, packet_type, server_packet_type;
+typeattribute xen_port_t unreserved_port_type;
+portcon tcp 8002 gen_context(system_u:object_r:xen_port_t,s0)
+
+
+type xfs_port_t, port_type, defined_port_type;
+type xfs_client_packet_t, packet_type, client_packet_type;
+type xfs_server_packet_t, packet_type, server_packet_type;
+typeattribute xfs_port_t unreserved_port_type;
+portcon tcp 7100 gen_context(system_u:object_r:xfs_port_t,s0)
+
+
+type xserver_port_t, port_type, defined_port_type;
+type xserver_client_packet_t, packet_type, client_packet_type;
+type xserver_server_packet_t, packet_type, server_packet_type;
+typeattribute xserver_port_t unreserved_port_type;
+portcon tcp 6000-6020 gen_context(system_u:object_r:xserver_port_t,s0)
+
+
+type zarafa_port_t, port_type, defined_port_type;
+type zarafa_client_packet_t, packet_type, client_packet_type;
+type zarafa_server_packet_t, packet_type, server_packet_type;
+typeattribute zarafa_port_t reserved_port_type;
+portcon tcp 236 gen_context(system_u:object_r:zarafa_port_t,s0)
+portcon tcp 237 gen_context(system_u:object_r:zarafa_port_t,s0)
+
+
+type zabbix_port_t, port_type, defined_port_type;
+type zabbix_client_packet_t, packet_type, client_packet_type;
+type zabbix_server_packet_t, packet_type, server_packet_type;
+typeattribute zabbix_port_t unreserved_port_type;
+portcon tcp 10051 gen_context(system_u:object_r:zabbix_port_t,s0)
+
+
+type zabbix_agent_port_t, port_type, defined_port_type;
+type zabbix_agent_client_packet_t, packet_type, client_packet_type;
+type zabbix_agent_server_packet_t, packet_type, server_packet_type;
+typeattribute zabbix_agent_port_t unreserved_port_type;
+portcon tcp 10050 gen_context(system_u:object_r:zabbix_agent_port_t,s0)
+
+
+type zookeeper_client_port_t, port_type, defined_port_type;
+type zookeeper_client_client_packet_t, packet_type, client_packet_type;
+type zookeeper_client_server_packet_t, packet_type, server_packet_type;
+typeattribute zookeeper_client_port_t unreserved_port_type;
+portcon tcp 2181 gen_context(system_u:object_r:zookeeper_client_port_t,s0)
+
+
+type zookeeper_election_port_t, port_type, defined_port_type;
+type zookeeper_election_client_packet_t, packet_type, client_packet_type;
+type zookeeper_election_server_packet_t, packet_type, server_packet_type;
+typeattribute zookeeper_election_port_t unreserved_port_type;
+portcon tcp 3888 gen_context(system_u:object_r:zookeeper_election_port_t,s0)
+
+
+type zookeeper_leader_port_t, port_type, defined_port_type;
+type zookeeper_leader_client_packet_t, packet_type, client_packet_type;
+type zookeeper_leader_server_packet_t, packet_type, server_packet_type;
+typeattribute zookeeper_leader_port_t unreserved_port_type;
+portcon tcp 2888 gen_context(system_u:object_r:zookeeper_leader_port_t,s0)
+
+
+type zebra_port_t, port_type, defined_port_type;
+type zebra_client_packet_t, packet_type, client_packet_type;
+type zebra_server_packet_t, packet_type, server_packet_type;
+typeattribute zebra_port_t unreserved_port_type;
+portcon tcp 2600-2604 gen_context(system_u:object_r:zebra_port_t,s0)
+portcon tcp 2606 gen_context(system_u:object_r:zebra_port_t,s0)
+portcon udp 2600-2604 gen_context(system_u:object_r:zebra_port_t,s0)
+portcon udp 2606 gen_context(system_u:object_r:zebra_port_t,s0)
+
+
+type zope_port_t, port_type, defined_port_type;
+type zope_client_packet_t, packet_type, client_packet_type;
+type zope_server_packet_t, packet_type, server_packet_type;
+typeattribute zope_port_t unreserved_port_type;
+portcon tcp 8021 gen_context(system_u:object_r:zope_port_t,s0)
+
+
+# Defaults for reserved ports. Earlier portcon entries take precedence;
+# these entries just cover any remaining reserved ports not otherwise declared.
+
+portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+
+########################################
+#
+# Network nodes
+#
+
+#
+# node_t is the default type of network nodes.
+# The node_*_t types are used for specific network
+# nodes in net_contexts or net_contexts.mls.
+#
+type node_t, node_type;
+typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t };
+sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
+
+# network_node examples:
+#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
+#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
+
+########################################
+#
+# Network Interfaces
+#
+
+#
+# netif_t is the default type of network interfaces.
+#
+type netif_t, netif_type;
+sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+
+ifdef(`enable_mls',`
+
+
+gen_require(`type unlabeled_t;')
+type lo_netif_t alias netif_lo_t, netif_type;
+netifcon lo gen_context(system_u:object_r:lo_netif_t,s0 - mls_systemhigh) gen_context(system_u:object_r:unlabeled_t,s0 - mls_systemhigh)
+
+
+
+',`
+
+typealias netif_t alias { lo_netif_t netif_lo_t };
+
+')
+
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow corenet_unconfined_type node_type:node *;
+allow corenet_unconfined_type netif_type:netif *;
+allow corenet_unconfined_type packet_type:packet *;
+allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
+allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
+
+# Bind to any network address.
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
new file mode 100644
index 00000000..e50dfedc
--- /dev/null
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -0,0 +1,305 @@
+policy_module(corenetwork, 1.17.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute client_packet_type;
+# This is an optimization for { port_type -port_t }
+attribute defined_port_type;
+attribute ipsec_spd_type;
+attribute netif_type;
+attribute node_type;
+attribute packet_type;
+attribute port_type;
+attribute reserved_port_type;
+attribute rpc_port_type;
+attribute server_packet_type;
+# This is an optimization for { port_type -reserved_port_type }
+attribute unreserved_port_type;
+
+attribute corenet_unconfined_type;
+
+type ppp_device_t;
+dev_node(ppp_device_t)
+
+#
+# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
+#
+type tun_tap_device_t;
+dev_node(tun_tap_device_t)
+
+########################################
+#
+# Ports and packets
+#
+
+#
+# client_packet_t is the default type of IPv4 and IPv6 client packets.
+#
+type client_packet_t, packet_type, client_packet_type;
+
+#
+# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network
+# connections using NetLabel which do not carry full SELinux contexts.
+#
+type netlabel_peer_t;
+sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
+
+#
+# port_t is the default type of INET port numbers.
+#
+type port_t, port_type;
+sid port gen_context(system_u:object_r:port_t,s0)
+
+#
+# unreserved_port_t is the default type of INET port numbers above 1023
+#
+type unreserved_port_t, port_type, unreserved_port_type;
+
+#
+# reserved_port_t is the type of INET port numbers below 1024.
+#
+type reserved_port_t, port_type, reserved_port_type;
+
+#
+# hi_reserved_port_t is the type of INET port numbers between 512-1023.
+#
+type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+
+#
+# server_packet_t is the default type of IPv4 and IPv6 server packets.
+#
+type server_packet_t, packet_type, server_packet_type;
+
+network_port(afs_bos, udp,7007,s0)
+network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
+network_port(afs_ka, udp,7004,s0)
+network_port(afs_pt, udp,7002,s0)
+network_port(afs_vl, udp,7003,s0)
+network_port(agentx, udp,705,s0, tcp,705,s0)
+network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+network_port(amavisd_recv, tcp,10024,s0)
+network_port(amavisd_send, tcp,10025,s0)
+network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
+network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
+network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
+network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
+network_port(audit, tcp,60,s0)
+network_port(auth, tcp,113,s0)
+network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+network_port(boinc, tcp,31416,s0)
+network_port(biff) # no defined portcon
+network_port(certmaster, tcp,51235,s0)
+network_port(chronyd, udp,323,s0)
+network_port(clamd, tcp,3310,s0)
+network_port(clockspeed, udp,4041,s0)
+network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
+network_port(cobbler, tcp,25151,s0)
+network_port(comsat, udp,512,s0)
+network_port(cvs, tcp,2401,s0, udp,2401,s0)
+network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
+network_port(daap, tcp,3689,s0, udp,3689,s0)
+network_port(dbskkd, tcp,1178,s0)
+network_port(dcc, udp,6276,s0, udp,6277,s0)
+network_port(dccm, tcp,5679,s0, udp,5679,s0)
+network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
+network_port(dict, tcp,2628,s0)
+network_port(distccd, tcp,3632,s0)
+network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(epmap, tcp,135,s0, udp,135,s0)
+network_port(fingerd, tcp,79,s0)
+network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
+network_port(ftp_data, tcp,20,s0)
+network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
+network_port(giftd, tcp,1213,s0)
+network_port(git, tcp,9418,s0, udp,9418,s0)
+network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
+network_port(gopher, tcp,70,s0, udp,70,s0)
+network_port(gpsd, tcp,2947,s0)
+network_port(hadoop_datanode, tcp,50010,s0)
+network_port(hadoop_namenode, tcp,8020,s0)
+network_port(hddtemp, tcp,7634,s0)
+network_port(howl, tcp,5335,s0, udp,5353,s0)
+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
+network_port(i18n_input, tcp,9010,s0)
+network_port(imaze, tcp,5323,s0, udp,5323,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(innd, tcp,119,s0)
+network_port(ipmi, udp,623,s0, udp,664,s0)
+network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
+network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
+network_port(ircd, tcp,6667,s0)
+network_port(isakmp, udp,500,s0)
+network_port(iscsi, tcp,3260,s0)
+network_port(isns, tcp,3205,s0, udp,3205,s0)
+network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
+network_port(jabber_interserver, tcp,5269,s0)
+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
+network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
+network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+network_port(kismet, tcp,2501,s0)
+network_port(kprop, tcp,754,s0)
+network_port(ktalkd, udp,517,s0, udp,518,s0)
+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
+network_port(lirc, tcp,8765,s0)
+network_port(lmtp, tcp,24,s0, udp,24,s0)
+network_port(lrrd) # no defined portcon
+network_port(mail, tcp,2000,s0, tcp,3905,s0)
+network_port(matahari, tcp,49000,s0, udp,49000,s0)
+network_port(memcache, tcp,11211,s0, udp,11211,s0)
+network_port(milter) # no defined portcon
+network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(monopd, tcp,1234,s0)
+network_port(mpd, tcp,6600,s0)
+network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
+network_port(munin, tcp,4949,s0, udp,4949,s0)
+network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
+network_port(mysqlmanagerd, tcp,2273,s0)
+network_port(nessus, tcp,1241,s0)
+network_port(netport, tcp,3129,s0, udp,3129,s0)
+network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+network_port(nmbd, udp,137,s0, udp,138,s0)
+network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
+network_port(ntp, udp,123,s0)
+network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
+network_port(ocsp, tcp,9080,s0)
+network_port(openvpn, tcp,1194,s0, udp,1194,s0)
+network_port(pegasus_http, tcp,5988,s0)
+network_port(pegasus_https, tcp,5989,s0)
+network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
+network_port(pingd, tcp,9125,s0)
+network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
+network_port(portmap, udp,111,s0, tcp,111,s0)
+network_port(postfix_policyd, tcp,10031,s0)
+network_port(postgresql, tcp,5432,s0)
+network_port(postgrey, tcp,60000,s0)
+network_port(prelude, tcp,4690,s0, udp,4690,s0)
+network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
+network_port(printer, tcp,515,s0)
+network_port(ptal, tcp,5703,s0)
+network_port(pulseaudio, tcp,4713,s0)
+network_port(puppet, tcp, 8140, s0)
+network_port(pxe, udp,4011,s0)
+network_port(pyzor, udp,24441,s0)
+network_port(radacct, udp,1646,s0, udp,1813,s0)
+network_port(radius, udp,1645,s0, udp,1812,s0)
+network_port(radsec, tcp,2083,s0)
+network_port(razor, tcp,2703,s0)
+network_port(repository, tcp, 6363, s0)
+network_port(ricci, tcp,11111,s0, udp,11111,s0)
+network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
+network_port(rlogind, tcp,513,s0)
+network_port(rndc, tcp,953,s0)
+network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
+network_port(rsh, tcp,514,s0)
+network_port(rsync, tcp,873,s0, udp,873,s0)
+network_port(rwho, udp,513,s0)
+network_port(sap, tcp,9875,s0, udp,9875,s0)
+network_port(sieve, tcp,4190,s0)
+network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
+network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
+network_port(smbd, tcp,137-139,s0, tcp,445,s0)
+network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
+network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
+network_port(socks) # no defined portcon
+network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
+network_port(spamd, tcp,783,s0)
+network_port(speech, tcp,8036,s0)
+network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+network_port(ssh, tcp,22,s0)
+network_port(stunnel) # no defined portcon
+network_port(swat, tcp,901,s0)
+network_port(syslogd, udp,514,s0)
+network_port(tcs, tcp, 30003, s0)
+network_port(telnetd, tcp,23,s0)
+network_port(tftp, udp,69,s0)
+network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
+network_port(traceroute, udp,64000-64010,s0)
+network_port(transproxy, tcp,8081,s0)
+network_port(ups, tcp,3493,s0)
+network_port(utcpserver) # no defined portcon
+network_port(uucpd, tcp,540,s0)
+network_port(varnishd, tcp,6081-6082,s0)
+network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
+network_port(virt_migration, tcp,49152-49216,s0)
+network_port(vnc, tcp,5900,s0)
+network_port(wccp, udp,2048,s0)
+network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
+network_port(xdmcp, udp,177,s0, tcp,177,s0)
+network_port(xen, tcp,8002,s0)
+network_port(xfs, tcp,7100,s0)
+network_port(xserver, tcp,6000-6020,s0)
+network_port(zarafa, tcp,236,s0, tcp,237,s0)
+network_port(zabbix, tcp,10051,s0)
+network_port(zabbix_agent, tcp,10050,s0)
+network_port(zookeeper_client, tcp,2181,s0)
+network_port(zookeeper_election, tcp,3888,s0)
+network_port(zookeeper_leader, tcp,2888,s0)
+network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
+network_port(zope, tcp,8021,s0)
+
+# Defaults for reserved ports. Earlier portcon entries take precedence;
+# these entries just cover any remaining reserved ports not otherwise declared.
+
+portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+
+########################################
+#
+# Network nodes
+#
+
+#
+# node_t is the default type of network nodes.
+# The node_*_t types are used for specific network
+# nodes in net_contexts or net_contexts.mls.
+#
+type node_t, node_type;
+typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t };
+sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
+
+# network_node examples:
+#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
+#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
+
+########################################
+#
+# Network Interfaces
+#
+
+#
+# netif_t is the default type of network interfaces.
+#
+type netif_t, netif_type;
+sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+
+build_option(`enable_mls',`
+network_interface(lo, lo, s0 - mls_systemhigh)
+',`
+typealias netif_t alias { lo_netif_t netif_lo_t };
+')
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow corenet_unconfined_type node_type:node *;
+allow corenet_unconfined_type netif_type:netif *;
+allow corenet_unconfined_type packet_type:packet *;
+allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
+allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
+
+# Bind to any network address.
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
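Review bot: Several network_port argument lists use inconsistent whitespace between the protocol, port and sensitivity fields (`tcp, 546,s0` on the dhcpc line, `tcp, 1161, s0` on snmp, `udp, 4321, s0 )` on whois), while the rest of the list uses the compact `proto,port,sens` form. If I read m4's argument handling correctly, leading whitespace in an unquoted argument is stripped but trailing whitespace is kept, so the whois entry in particular hands `s0 ` (with a trailing space) to gen_context; that is probably harmless to checkpolicy, but it makes the generated corenetwork.te entries differ from their neighbours for no reason. Normalizing these lines, e.g. `network_port(whois, tcp,43,s0, udp,43,s0, tcp,4321,s0, udp,4321,s0)`, keeps the template and the generated output uniform and makes a grep for a port number reliable.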
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
new file mode 100644
index 00000000..3f6e1688
--- /dev/null
+++ b/policy/modules/kernel/corenetwork.te.m4
@@ -0,0 +1,113 @@
+#
+# shiftn(num,list...)
+#
+# shift the list num times
+#
+define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+
+#
+# range_start(num)
+#
+# return the low port in a range.
+#
+# range_start(600) returns "600"
+# range_start(1200-1600) returns "1200"
+#
+define(`range_start',`ifelse(-1,index(`$1', `-'),$1,substr($1,0,index(`$1', `-')))')
+
+#
+# build_option(option_name,true,[false])
+#
+# makes an ifdef. hacky quoting changes because with
+# regular quoting, the macros in $2 and $3 will not be expanded
+#
+define(`build_option',`dnl
+changequote([,])dnl
+[ifdef(`$1',`]
+changequote(`,')dnl
+$2
+changequote([,])dnl
+[',`]
+changequote(`,')dnl
+$3
+changequote([,])dnl
+[')]
+changequote(`,')dnl
+')
+
+define(`declare_netifs',`dnl
+netifcon $2 gen_context(system_u:object_r:$1,$3) gen_context(system_u:object_r:unlabeled_t,$3)
+ifelse(`$4',`',`',`declare_netifs($1,shiftn(3,$*))')dnl
+')
+
+#
+# network_interface(if_name,linux_interface,mls_sensitivity)
+#
+define(`network_interface',`
+gen_require(``type unlabeled_t;'')
+type $1_netif_t alias netif_$1_t, netif_type;
+declare_netifs($1_netif_t,shift($*))
+')
+
+define(`network_interface_controlled',`
+ifdef(`__network_enabled_declared__',`',`
+## <desc>
+## <p>
+## Enable network traffic on all controlled interfaces.
+## </p>
+## </desc>
+gen_bool(network_enabled, true)
+define(`__network_enabled_declared__')
+')
+gen_require(``type unlabeled_t;'')
+type $1_netif_t alias netif_$1_t, netif_type;
+declare_netifs($1_netif_t,shift($*))
+')
+
+define(`declare_nodes',`dnl
+nodecon $3 $4 gen_context(system_u:object_r:$1,$2)
+ifelse(`$5',`',`',`declare_nodes($1,shiftn(4,$*))')dnl
+')
+
+#
+# network_node(node_name,mls_sensitivity,address,netmask[, mls_sensitivity,address,netmask, [...]])
+#
+define(`network_node',`
+type $1_node_t alias node_$1_t, node_type;
+declare_nodes($1_node_t,shift($*))
+')
+
+define(`declare_portcons',`dnl
+portcon $2 $3 gen_context(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_portcons($1,shiftn(4,$*))')dnl
+')
+
+define(`add_port_attribute',`dnl
+ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;')
+')
+
+# bindresvport in glibc starts searching for reserved ports at 512
+define(`add_rpc_attribute',`dnl
+ifelse(eval(range_start($3) >= 512 && range_start($3) < 1024),1,`typeattribute $1 rpc_port_type;
+',`ifelse(`$5',`',`',`add_rpc_attribute($1,shiftn(4,$*))')')dnl
+')
+
+#
+# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
+#
+define(`network_port',`
+type $1_port_t, port_type, defined_port_type;
+type $1_client_packet_t, packet_type, client_packet_type;
+type $1_server_packet_t, packet_type, server_packet_type;
+ifelse(`$2',`',`',`add_port_attribute($1_port_t,$3)')dnl
+ifelse(`$2',`',`',`add_rpc_attribute($1_port_t,shift($*))')dnl
+ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl
+')
+
+#
+# network_packet(packet_name)
+#
+define(`network_packet',`
+type $1_client_packet_t, packet_type, client_packet_type;
+type $1_server_packet_t, packet_type, server_packet_type;
+')
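Review bot: The comment above `network_port` should say that only the first port specification decides the reserved/unreserved attribute: `add_port_attribute($1_port_t,$3)` passes just the first port number, and `add_port_attribute` compares `range_start` of that value with 1024, so a type whose ports straddle 1024 (snmp in corenetwork.te.in declares 161 and then 1161) gets `reserved_port_type` and never `unreserved_port_type`, and a single range crossing 1023 is classified by its low end. That is the conservative outcome, but a reader of the generated policy will not see why a port above 1023 is missing from the unreserved attribute. I would add `# Attribute is chosen from the FIRST port spec only (range_start of its port); list the lowest port first and expect mixed types to be treated as reserved.` above `add_port_attribute`. The same low-end rule applies to `add_rpc_attribute`, which the existing bindresvport comment does not mention.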
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
new file mode 100644
index 00000000..02b7ac18
--- /dev/null
+++ b/policy/modules/kernel/devices.fc
@@ -0,0 +1,206 @@
+
+/dev -d gen_context(system_u:object_r:device_t,s0)
+/dev/.* gen_context(system_u:object_r:device_t,s0)
+
+/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0)
+/dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/amixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0)
+/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
+/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
+/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
+/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/etherd/.+ -c gen_context(system_u:object_r:lvm_control_t,s0)
+/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
+/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
+/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
+/dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
+/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
+/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
+/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
+/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
+/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/ksm -c gen_context(system_u:object_r:ksm_device_t,s0)
+/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
+/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
+/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/misc/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
+/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
+/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0)
+/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
+/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
+/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
+/dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
+/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
+/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
+/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
+/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/rfkill -c gen_context(system_u:object_r:wireless_device_t,s0)
+/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/smu -c gen_context(system_u:object_r:power_device_t,s0)
+/dev/srnd[0-7] -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0)
+/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
+/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0)
+/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
+/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0)
+ifdef(`distro_suse', `
+/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
+')
+/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
+/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
+/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
+/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
+/dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
+/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
+
+/dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+
+/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
+
+/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0)
+
+/dev/biometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0)
+
+/dev/dri/.+ -c gen_context(system_u:object_r:dri_device_t,s0)
+
+/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+
+/dev/input/.* -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/input/m.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0)
+
+/dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
+
+/dev/mfpports/.* -c gen_context(system_u:object_r:printer_device_t,s0)
+
+/dev/mqueue(/.*)? <<none>>
+
+/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+
+/dev/pts(/.*)? <<none>>
+
+/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+
+/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
+
+/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+
+/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/gntalloc -c gen_context(system_u:object_r:xen_device_t,s0)
+
+ifdef(`distro_debian',`
+# this is a static /dev dir "backup mount"
+# if you want to disable udev, you'll have to boot permissive and relabel!
+/dev/\.static -d gen_context(system_u:object_r:device_t,s0)
+/dev/\.static/dev -d gen_context(system_u:object_r:device_t,s0)
+/dev/\.static/dev/(.*)? <<none>>
+')
+
+/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)
+
+# used by init scripts to initally populate udev /dev
+/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
+/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
+
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
+
+ifdef(`distro_redhat',`
+# originally from named.fc
+/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
+/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
+/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
+/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
+')
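Review bot: A few entries label a node with a type whose name does not match the device and carry no explanation: `/dev/btrfs-control` and `/dev/etherd/.+` get `lvm_control_t`, `/dev/snapshot` gets `apm_bios_t`, and `/dev/full` gets `null_device_t`. These are presumably deliberate reuses of an existing type, but a one-line comment such as `# btrfs-control and etherd are block-device control nodes; reuse the LVM control type` would stop the next reader from treating them as typos and relabelling them. The comment on the `/lib/udev/devices` entry also has a typo, `initally` for `initially`.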
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
new file mode 100644
index 00000000..b657ae9c
--- /dev/null
+++ b/policy/modules/kernel/devices.if
@@ -0,0 +1,4822 @@
+## <summary>
+## Device nodes and interfaces for many basic system devices.
+## </summary>
+## <desc>
+## <p>
+## This module creates the device node concept and provides
+## the policy for many of the device files. Notable exceptions are
+## the mass storage and terminal devices that are covered by other
+## modules.
+## </p>
+## <p>
+## This module creates the concept of a device node. That is a
+## char or block device file, usually in /dev. All types that
+## are used to label device nodes should use the dev_node macro.
+## </p>
+## <p>
+## Additionally, this module controls access to three things:
+## <ul>
+## <li>the device directories containing device nodes</li>
+## <li>device nodes as a group</li>
+## <li>individual access to specific device nodes covered by
+## this module.</li>
+## </ul>
+## </p>
+## </desc>
+## <required val="true">
+## Depended on by other required modules.
+## </required>
+
+########################################
+## <summary>
+## Make the specified type usable for device
+## nodes in a filesystem.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable for device nodes
+## in a filesystem. Types used for device nodes that
+## do not use this interface, or an interface that
+## calls this one, will have unexpected behaviors
+## while the system is running.
+## </p>
+## <p>
+## Example:
+## </p>
+## <p>
+## type mydev_t;
+## dev_node(mydev_t)
+## allow mydomain_t mydev_t:chr_file read_chr_file_perms;
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>term_tty()</li>
+## <li>term_pty()</li>
+## </ul>
+## </desc>
+## <param name="type">
+## <summary>
+## Type to be used for device nodes.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`dev_node',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ typeattribute $1 device_node;
+')
+
+########################################
+## <summary>
+## Associate the specified file type with device filesystem.
+## </summary>
+## <param name="file_type">
+## <summary>
+## The type of the file to be associated.
+## </summary>
+## </param>
+#
+interface(`dev_associate',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:filesystem associate;
+ fs_associate_tmpfs($1) #For backwards compatibility
+')
+
+########################################
+## <summary>
+## Get attributes of device filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_fs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Mount a filesystem on /dev
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allow access.
+## </summary>
+## </param>
+#
+interface(`dev_mounton',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir mounton;
+')
+
+########################################
+## <summary>
+## Allow full relabeling (to and from) of all device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_relabel_all_dev_nodes',`
+ gen_require(`
+ attribute device_node;
+ type device_t;
+ ')
+
+ relabelfrom_dirs_pattern($1, device_t, device_node)
+ relabelfrom_files_pattern($1, device_t, device_node)
+ relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
+ relabelfrom_fifo_files_pattern($1, device_t, device_node)
+ relabelfrom_sock_files_pattern($1, device_t, device_node)
+ relabel_blk_files_pattern($1, device_t, { device_t device_node })
+ relabel_chr_files_pattern($1, device_t, { device_t device_node })
+')
+
+########################################
+## <summary>
+## List all of the device nodes in a device directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_list_all_dev_nodes',`
+ gen_require(`
+ type device_t;
+ ')
+
+ list_dirs_pattern($1, device_t, device_t)
+ read_lnk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of /dev directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ setattr_dirs_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to list all device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_list_all_dev_nodes',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Add entries to directories in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_add_entry_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir add_entry_dir_perms;
+')
+
+########################################
+## <summary>
+## Add entries to directories in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_remove_entry_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir del_entry_dir_perms;
+')
+
+########################################
+## <summary>
+## Create a directory in the device directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir list_dir_perms;
+ create_dirs_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Delete a directory in the device directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ delete_dirs_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Manage of directories in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ manage_dirs_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Allow full relabeling (to and from) of directories in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_generic_dev_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ relabel_dirs_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## dontaudit getattr generic files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_generic_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:file getattr;
+')
+
+########################################
+## <summary>
+## Read generic files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_read_generic_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ read_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Read and write generic files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_generic_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ rw_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Delete generic files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_generic_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ delete_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Create a file in the device directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_generic_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ manage_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Dontaudit getattr on generic pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_generic_pipes',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Write generic socket files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_write_generic_sockets',`
+ gen_require(`
+ type device_t;
+ ')
+
+ write_sock_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Allow getattr on generic block devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ getattr_blk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Dontaudit getattr on generic block devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:blk_file getattr;
+')
+
+########################################
+## <summary>
+## Dontaudit setattr on generic block devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
+## Create generic block device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ create_blk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Delete generic block device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ delete_blk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Allow getattr for generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Dontaudit getattr for generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Dontaudit setattr for generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Read generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write generic block device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:blk_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to read/write generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Create generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ create_chr_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Delete generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ delete_chr_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Relabel from generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabelfrom_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file relabelfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the attributes
+## of symbolic links in device directories (/dev).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:lnk_file setattr;
+')
+
+########################################
+## <summary>
+## Read symbolic links in device directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Create symbolic links in device directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+ create_lnk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Delete symbolic links in device directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+ delete_lnk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Create, delete, read, and write symbolic links in device directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+ manage_lnk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Relabel symbolic links in device directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+ relabel_lnk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Create, delete, read, and write device nodes in device directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_all_dev_nodes',`
+ gen_require(`
+ attribute device_node, memory_raw_read, memory_raw_write;
+ type device_t;
+ ')
+
+ manage_dirs_pattern($1, device_t, device_t)
+ manage_sock_files_pattern($1, device_t, device_t)
+ manage_lnk_files_pattern($1, device_t, device_t)
+ manage_chr_files_pattern($1, device_t, { device_t device_node })
+ manage_blk_files_pattern($1, device_t, { device_t device_node })
+ relabel_dirs_pattern($1, device_t, device_t)
+ relabel_chr_files_pattern($1, device_t, { device_t device_node })
+ relabel_blk_files_pattern($1, device_t, { device_t device_node })
+
+ # these next rules are to satisfy assertions broken by the above lines.
+ # the permissions hopefully can be cut back a lot
+ storage_raw_read_fixed_disk($1)
+ storage_raw_write_fixed_disk($1)
+ storage_read_scsi_generic($1)
+ storage_write_scsi_generic($1)
+
+ typeattribute $1 memory_raw_read;
+ typeattribute $1 memory_raw_write;
+')
+
+########################################
+## <summary>
+## Dontaudit getattr for generic device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_generic_dev_nodes',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
+')
+
+########################################
+## <summary>
+## Create, delete, read, and write block device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ manage_blk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Create, delete, read, and write character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ manage_chr_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## Create, read, and write device nodes. The node
+## will be transitioned to the type provided.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file">
+## <summary>
+## Type to which the created node will be transitioned.
+## </summary>
+## </param>
+## <param name="objectclass(es)">
+## <summary>
+## Object class(es) (single or set including {}) for which this
+## the transition will occur.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans',`
+ gen_require(`
+ type device_t;
+ ')
+
+ filetrans_pattern($1, device_t, $2, $3)
+
+ dev_associate($2)
+ files_associate_tmp($2)
+')
+
+########################################
+## <summary>
+## Create, read, and write device nodes. The node
+## will be transitioned to the type provided. This is
+## a temporary interface until devtmpfs functionality
+## fixed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="objectclass(es)">
+## <summary>
+## Object class(es) (single or set including {}) for which this
+## the transition will occur.
+## </summary>
+## </param>
+#
+interface(`dev_tmpfs_filetrans_dev',`
+ gen_require(`
+ type device_t;
+ ')
+
+ fs_tmpfs_filetrans($1, device_t, $2)
+')
+
+########################################
+## <summary>
+## Getattr on all block file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_getattr_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ type device_t;
+ ')
+
+ getattr_blk_files_pattern($1, device_t, device_node)
+')
+
+########################################
+## <summary>
+## Dontaudit getattr on all block file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ type device_t;
+ ')
+
+ dontaudit $1 { device_t device_node }:blk_file getattr;
+')
+
+########################################
+## <summary>
+## Getattr on all character file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_getattr_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, device_node)
+')
+
+########################################
+## <summary>
+## Dontaudit getattr on all character file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ type device_t;
+ ')
+
+ dontaudit $1 { device_t device_node }:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Setattr on all block file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_setattr_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ setattr_blk_files_pattern($1, device_t, device_node)
+')
+
+########################################
+## <summary>
+## Setattr on all character file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_setattr_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, device_node)
+')
+
+########################################
+## <summary>
+## Dontaudit read on all block file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:blk_file { getattr read };
+')
+
+########################################
+## <summary>
+## Dontaudit write on all block file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:blk_file write;
+')
+
+########################################
+## <summary>
+## Dontaudit read on all character file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:chr_file { getattr read };
+')
+
+########################################
+## <summary>
+## Dontaudit write on all character file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:chr_file write;
+')
+
+########################################
+## <summary>
+## Create all block device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ create_blk_files_pattern($1, device_t, device_node)
+')
+
+########################################
+## <summary>
+## Create all character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ create_chr_files_pattern($1, device_t, device_node)
+')
+
+########################################
+## <summary>
+## Delete all block device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ delete_blk_files_pattern($1, device_t, device_node)
+')
+
+########################################
+## <summary>
+## Delete all character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ delete_chr_files_pattern($1, device_t, device_node)
+')
+
+########################################
+## <summary>
+## Rename all block device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rename_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ rename_blk_files_pattern($1, device_t, device_node)
+')
+
+########################################
+## <summary>
+## Rename all character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rename_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ rename_chr_files_pattern($1, device_t, device_node)
+')
+
+########################################
+## <summary>
+## Read, write, create, and delete all block device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ manage_blk_files_pattern($1, device_t, device_node)
+
+ # these next rules are to satisfy assertions broken by the above lines.
+ storage_raw_read_fixed_disk($1)
+ storage_raw_write_fixed_disk($1)
+ storage_read_scsi_generic($1)
+ storage_write_scsi_generic($1)
+')
+
+########################################
+## <summary>
+## Read, write, create, and delete all character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_all_chr_files',`
+ gen_require(`
+ attribute device_node, memory_raw_read, memory_raw_write;
+ ')
+
+ manage_chr_files_pattern($1, device_t, device_node)
+
+ typeattribute $1 memory_raw_read, memory_raw_write;
+')
+
+########################################
+## <summary>
+## Getattr the agp devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_agp_dev',`
+ gen_require(`
+ type device_t, agp_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, agp_device_t)
+')
+
+########################################
+## <summary>
+## Read and write the agp devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_agp',`
+ gen_require(`
+ type device_t, agp_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, agp_device_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the apm bios device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_apm_bios_dev',`
+ gen_require(`
+ type device_t, apm_bios_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, apm_bios_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of
+## the apm bios device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_apm_bios_dev',`
+ gen_require(`
+ type apm_bios_t;
+ ')
+
+ dontaudit $1 apm_bios_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of the apm bios device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_apm_bios_dev',`
+ gen_require(`
+ type device_t, apm_bios_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, apm_bios_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the attributes of
+## the apm bios device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_apm_bios_dev',`
+ gen_require(`
+ type apm_bios_t;
+ ')
+
+ dontaudit $1 apm_bios_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Read and write the apm bios.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_apm_bios',`
+ gen_require(`
+ type device_t, apm_bios_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, apm_bios_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the autofs device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_autofs_dev',`
+ gen_require(`
+ type device_t, autofs_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of
+## the autofs device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_autofs_dev',`
+ gen_require(`
+ type autofs_device_t;
+ ')
+
+ dontaudit $1 autofs_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of the autofs device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_autofs_dev',`
+ gen_require(`
+ type device_t, autofs_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the attributes of
+## the autofs device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_autofs_dev',`
+ gen_require(`
+ type autofs_device_t;
+ ')
+
+ dontaudit $1 autofs_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Read and write the autofs device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_autofs',`
+ gen_require(`
+ type device_t, autofs_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+## <summary>
+## Relabel the autofs device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_autofs_dev',`
+ gen_require(`
+ type autofs_device_t;
+ ')
+
+ allow $1 autofs_device_t:chr_file relabel_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write the PCMCIA card manager device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_cardmgr',`
+ gen_require(`
+ type cardmgr_dev_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, cardmgr_dev_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write the PCMCIA card manager device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_cardmgr',`
+ gen_require(`
+ type cardmgr_dev_t;
+ ')
+
+ dontaudit $1 cardmgr_dev_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## the PCMCIA card manager device
+## with the correct type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_cardmgr_dev',`
+ gen_require(`
+ type device_t, cardmgr_dev_t;
+ ')
+
+ create_chr_files_pattern($1, device_t, cardmgr_dev_t)
+ create_blk_files_pattern($1, device_t, cardmgr_dev_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## the PCMCIA card manager device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_cardmgr_dev',`
+ gen_require(`
+ type device_t, cardmgr_dev_t;
+ ')
+
+ manage_chr_files_pattern($1, device_t, cardmgr_dev_t)
+ manage_blk_files_pattern($1, device_t, cardmgr_dev_t)
+')
+
+########################################
+## <summary>
+## Automatic type transition to the type
+## for PCMCIA card manager device nodes when
+## created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_cardmgr',`
+ gen_require(`
+ type device_t, cardmgr_dev_t;
+ ')
+
+ filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file })
+')
+
+########################################
+## <summary>
+## Get the attributes of the CPU
+## microcode and id interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_cpu_dev',`
+ gen_require(`
+ type device_t, cpu_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, cpu_device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the CPU
+## microcode and id interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_cpu_dev',`
+ gen_require(`
+ type device_t, cpu_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, cpu_device_t)
+')
+
+########################################
+## <summary>
+## Read the CPU identity.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_cpuid',`
+ gen_require(`
+ type device_t, cpu_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, cpu_device_t)
+')
+
+########################################
+## <summary>
+## Read and write the the CPU microcode device. This
+## is required to load CPU microcode.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_cpu_microcode',`
+ gen_require(`
+ type device_t, cpu_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, cpu_device_t)
+')
+
+########################################
+## <summary>
+## Read the kernel crash device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_crash',`
+ gen_require(`
+ type device_t, crash_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, crash_device_t)
+')
+
+########################################
+## <summary>
+## Read and write the the hardware SSL accelerator.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_crypto',`
+ gen_require(`
+ type device_t, crypt_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, crypt_device_t)
+')
+
+#######################################
+## <summary>
+## Set the attributes of the dlm control devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_dlm_control',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
+')
+
+#######################################
+## <summary>
+## Read and write the the dlm control device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_dlm_control',`
+ gen_require(`
+ type device_t, dlm_control_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, dlm_control_device_t)
+')
+
+########################################
+## <summary>
+## getattr the dri devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_dri_dev',`
+ gen_require(`
+ type device_t, dri_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, dri_device_t)
+')
+
+########################################
+## <summary>
+## Setattr the dri devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_dri_dev',`
+ gen_require(`
+ type device_t, dri_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, dri_device_t)
+')
+
+########################################
+## <summary>
+## Read and write the dri devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_dri',`
+ gen_require(`
+ type device_t, dri_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, dri_device_t)
+')
+
+########################################
+## <summary>
+## Dontaudit read and write on the dri devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_dri',`
+ gen_require(`
+ type dri_device_t;
+ ')
+
+ dontaudit $1 dri_device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the dri devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_dri_dev',`
+ gen_require(`
+ type device_t, dri_device_t;
+ ')
+
+ manage_chr_files_pattern($1, device_t, dri_device_t)
+')
+
+########################################
+## <summary>
+## Automatic type transition to the type
+## for DRI device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_dri',`
+ gen_require(`
+ type device_t, dri_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, dri_device_t, chr_file)
+')
+
+########################################
+## <summary>
+## Get the attributes of the event devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_input_dev',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ allow $1 device_t:dir list_dir_perms;
+ allow $1 event_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of the event devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_input_dev',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ allow $1 device_t:dir list_dir_perms;
+ allow $1 event_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Read input event devices (/dev/input).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_input',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, event_device_t)
+')
+
+########################################
+## <summary>
+## Read input event devices (/dev/input).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_input_dev',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, event_device_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the framebuffer device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_framebuffer_dev',`
+ gen_require(`
+ type device_t, framebuf_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, framebuf_device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the framebuffer device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_framebuffer_dev',`
+ gen_require(`
+ type device_t, framebuf_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, framebuf_device_t)
+')
+
+########################################
+## <summary>
+## Dot not audit attempts to set the attributes
+## of the framebuffer device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_framebuffer_dev',`
+ gen_require(`
+ type framebuf_device_t;
+ ')
+
+ dontaudit $1 framebuf_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Read the framebuffer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_framebuffer',`
+ gen_require(`
+ type framebuf_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, framebuf_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read the framebuffer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_framebuffer',`
+ gen_require(`
+ type framebuf_device_t;
+ ')
+
+ dontaudit $1 framebuf_device_t:chr_file { getattr read };
+')
+
+########################################
+## <summary>
+## Write the framebuffer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_framebuffer',`
+ gen_require(`
+ type device_t, framebuf_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, framebuf_device_t)
+')
+
+########################################
+## <summary>
+## Read and write the framebuffer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_framebuffer',`
+ gen_require(`
+ type device_t, framebuf_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, framebuf_device_t)
+')
+
+########################################
+## <summary>
+## Read the kernel messages
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_kmsg',`
+ gen_require(`
+ type device_t, kmsg_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read the kernel messages
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_kmsg',`
+ gen_require(`
+ type kmsg_device_t;
+ ')
+
+ dontaudit $1 kmsg_device_t:chr_file read;
+')
+
+########################################
+## <summary>
+## Write to the kernel messages device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_kmsg',`
+ gen_require(`
+ type device_t, kmsg_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_ksm_dev',`
+ gen_require(`
+ type device_t, ksm_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_ksm_dev',`
+ gen_require(`
+ type device_t, ksm_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+## Read the ksm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_ksm',`
+ gen_require(`
+ type device_t, ksm_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+## Read and write to ksm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_ksm',`
+ gen_require(`
+ type device_t, ksm_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the kvm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_kvm_dev',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the kvm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_kvm_dev',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+## <summary>
+## Read the kvm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_kvm',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+## <summary>
+## Read and write to kvm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_kvm',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+######################################
+## <summary>
+## Read the lirc device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_lirc',`
+ gen_require(`
+ type device_t, lirc_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+## Read and write the lirc device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_lirc',`
+ gen_require(`
+ type device_t, lirc_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+## Automatic type transition to the type
+## for lirc device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_lirc',`
+ gen_require(`
+ type device_t, lirc_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file)
+')
+
+########################################
+## <summary>
+## Get the attributes of the lvm comtrol device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_lvm_control',`
+ gen_require(`
+ type device_t, lvm_control_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, lvm_control_t)
+')
+
+########################################
+## <summary>
+## Read the lvm comtrol device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_lvm_control',`
+ gen_require(`
+ type device_t, lvm_control_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, lvm_control_t)
+')
+
+########################################
+## <summary>
+## Read and write the lvm control device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_lvm_control',`
+ gen_require(`
+ type device_t, lvm_control_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, lvm_control_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write lvm control device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_lvm_control',`
+ gen_require(`
+ type lvm_control_t;
+ ')
+
+ dontaudit $1 lvm_control_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Delete the lvm control device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_lvm_control_dev',`
+ gen_require(`
+ type device_t, lvm_control_t;
+ ')
+
+ delete_chr_files_pattern($1, device_t, lvm_control_t)
+')
+
+########################################
+## <summary>
+## dontaudit getattr raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_memory_dev',`
+ gen_require(`
+ type memory_device_t;
+ ')
+
+ dontaudit $1 memory_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Read raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_raw_memory',`
+ gen_require(`
+ type device_t, memory_device_t;
+ attribute memory_raw_read;
+ ')
+
+ read_chr_files_pattern($1, device_t, memory_device_t)
+
+ allow $1 self:capability sys_rawio;
+ typeattribute $1 memory_raw_read;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read raw memory devices
+## (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_raw_memory',`
+ gen_require(`
+ type memory_device_t;
+ ')
+
+ dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Write raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_raw_memory',`
+ gen_require(`
+ type device_t, memory_device_t;
+ attribute memory_raw_write;
+ ')
+
+ write_chr_files_pattern($1, device_t, memory_device_t)
+
+ allow $1 self:capability sys_rawio;
+ typeattribute $1 memory_raw_write;
+')
+
+########################################
+## <summary>
+## Read and execute raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rx_raw_memory',`
+ gen_require(`
+ type device_t, memory_device_t;
+ ')
+
+ dev_read_raw_memory($1)
+ allow $1 memory_device_t:chr_file execute;
+')
+
+########################################
+## <summary>
+## Write and execute raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_wx_raw_memory',`
+ gen_require(`
+ type device_t, memory_device_t;
+ ')
+
+ dev_write_raw_memory($1)
+ allow $1 memory_device_t:chr_file execute;
+')
+
+########################################
+## <summary>
+## Get the attributes of miscellaneous devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_misc_dev',`
+ gen_require(`
+ type device_t, misc_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, misc_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of miscellaneous devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_misc_dev',`
+ gen_require(`
+ type misc_device_t;
+ ')
+
+ dontaudit $1 misc_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of miscellaneous devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_misc_dev',`
+ gen_require(`
+ type device_t, misc_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, misc_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the attributes
+## of miscellaneous devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_misc_dev',`
+ gen_require(`
+ type misc_device_t;
+ ')
+
+ dontaudit $1 misc_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Read miscellaneous devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_misc',`
+ gen_require(`
+ type device_t, misc_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, misc_device_t)
+')
+
+########################################
+## <summary>
+## Write miscellaneous devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_misc',`
+ gen_require(`
+ type device_t, misc_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, misc_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write miscellaneous devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_misc',`
+ gen_require(`
+ type misc_device_t;
+ ')
+
+ dontaudit $1 misc_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of the modem devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_modem_dev',`
+ gen_require(`
+ type device_t, modem_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, modem_device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the modem devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_modem_dev',`
+ gen_require(`
+ type device_t, modem_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, modem_device_t)
+')
+
+########################################
+## <summary>
+## Read the modem devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_modem',`
+ gen_require(`
+ type device_t, modem_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, modem_device_t)
+')
+
+########################################
+## <summary>
+## Read and write to modem devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_modem',`
+ gen_require(`
+ type device_t, modem_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, modem_device_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the mouse devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_mouse_dev',`
+ gen_require(`
+ type device_t, mouse_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, mouse_device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the mouse devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_mouse_dev',`
+ gen_require(`
+ type device_t, mouse_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, mouse_device_t)
+')
+
+########################################
+## <summary>
+## Read the mouse devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_mouse',`
+ gen_require(`
+ type device_t, mouse_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, mouse_device_t)
+')
+
+########################################
+## <summary>
+## Read and write to mouse devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_mouse',`
+ gen_require(`
+ type device_t, mouse_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, mouse_device_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the memory type range
+## registers (MTRR) device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_mtrr_dev',`
+ gen_require(`
+ type device_t, mtrr_device_t;
+ ')
+
+ getattr_files_pattern($1, device_t, mtrr_device_t)
+ getattr_chr_files_pattern($1, device_t, mtrr_device_t)
+')
+
+########################################
+## <summary>
+## Read the memory type range
+## registers (MTRR). (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Read the memory type range
+## registers (MTRR). This interface has
+## been deprecated, dev_rw_mtrr() should be
+## used instead.
+## </p>
+## <p>
+## The MTRR device ioctls can be used for
+## reading and writing; thus, read access to the
+## device cannot be separated from write access.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_mtrr',`
+ refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
+ dev_rw_mtrr($1)
+')
+
+########################################
+## <summary>
+## Write the memory type range
+## registers (MTRR). (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Write the memory type range
+## registers (MTRR). This interface has
+## been deprecated, dev_rw_mtrr() should be
+## used instead.
+## </p>
+## <p>
+## The MTRR device ioctls can be used for
+## reading and writing; thus, write access to the
+## device cannot be separated from read access.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_mtrr',`
+ refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
+ dev_rw_mtrr($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write the memory type
+## range registers (MTRR).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_mtrr',`
+ gen_require(`
+ type mtrr_device_t;
+ ')
+
+ dontaudit $1 mtrr_device_t:file write;
+ dontaudit $1 mtrr_device_t:chr_file write;
+')
+
+########################################
+## <summary>
+## Read and write the memory type range registers (MTRR).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_mtrr',`
+ gen_require(`
+ type device_t, mtrr_device_t;
+ ')
+
+ rw_files_pattern($1, device_t, mtrr_device_t)
+ rw_chr_files_pattern($1, device_t, mtrr_device_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the network control device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_netcontrol_dev',`
+ gen_require(`
+ type device_t, netcontrol_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
+## Read the network control identity.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_netcontrol',`
+ gen_require(`
+ type device_t, netcontrol_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
+## Read and write the the network control device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_netcontrol',`
+ gen_require(`
+ type device_t, netcontrol_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the null device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_null_dev',`
+ gen_require(`
+ type device_t, null_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the null device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_null_dev',`
+ gen_require(`
+ type device_t, null_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+## <summary>
+## Delete the null device (/dev/null).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_null',`
+ gen_require(`
+ type device_t, null_device_t;
+ ')
+
+ delete_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+## <summary>
+## Read and write to the null device (/dev/null).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_null',`
+ gen_require(`
+ type device_t, null_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+## <summary>
+## Create the null device (/dev/null).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_null_dev',`
+ gen_require(`
+ type device_t, null_device_t;
+ ')
+
+ create_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of the BIOS non-volatile RAM device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_nvram_dev',`
+ gen_require(`
+ type nvram_device_t;
+ ')
+
+ dontaudit $1 nvram_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Read and write BIOS non-volatile RAM.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_nvram',`
+ gen_require(`
+ type nvram_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, nvram_device_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the printer device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_printer_dev',`
+ gen_require(`
+ type device_t, printer_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, printer_device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the printer device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_printer_dev',`
+ gen_require(`
+ type device_t, printer_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, printer_device_t)
+')
+
+########################################
+## <summary>
+## Append the printer device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for lpd/checkpc_t
+interface(`dev_append_printer',`
+ gen_require(`
+ type device_t, printer_device_t;
+ ')
+
+ append_chr_files_pattern($1, device_t, printer_device_t)
+')
+
+########################################
+## <summary>
+## Read and write the printer device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_printer',`
+ gen_require(`
+ type device_t, printer_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, printer_device_t)
+')
+
+########################################
+## <summary>
+## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_printk',`
+ gen_require(`
+ type device_t, printk_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, printk_device_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the QEMU
+## microcode and id interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_qemu_dev',`
+ gen_require(`
+ type device_t, qemu_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the QEMU
+## microcode and id interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_qemu_dev',`
+ gen_require(`
+ type device_t, qemu_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
+## Read the QEMU device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_qemu',`
+ gen_require(`
+ type device_t, qemu_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
+## Read and write the the QEMU device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_qemu',`
+ gen_require(`
+ type device_t, qemu_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
+## Read from random number generator
+## devices (e.g., /dev/random).
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read from random number
+## generator devices (e.g., /dev/random). Typically this is
+## used in situations when a cryptographically secure random
+## number is needed.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>dev_read_urand()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`dev_read_rand',`
+ gen_require(`
+ type device_t, random_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, random_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read from random
+## number generator devices (e.g., /dev/random)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_rand',`
+ gen_require(`
+ type random_device_t;
+ ')
+
+ dontaudit $1 random_device_t:chr_file { getattr read };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append to random
+## number generator devices (e.g., /dev/random)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_append_rand',`
+ gen_require(`
+ type random_device_t;
+ ')
+
+ dontaudit $1 random_device_t:chr_file append_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Write to the random device (e.g., /dev/random). This adds
+## entropy used to generate the random data read from the
+## random device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_rand',`
+ gen_require(`
+ type device_t, random_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, random_device_t)
+')
+
+########################################
+## <summary>
+## Read the realtime clock (/dev/rtc).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_realtime_clock',`
+ gen_require(`
+ type device_t, clock_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, clock_device_t)
+')
+
+########################################
+## <summary>
+## Set the realtime clock (/dev/rtc).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_realtime_clock',`
+ gen_require(`
+ type device_t, clock_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, clock_device_t)
+
+ allow $1 clock_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Read and set the realtime clock (/dev/rtc).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_realtime_clock',`
+ dev_read_realtime_clock($1)
+ dev_write_realtime_clock($1)
+')
+
+########################################
+## <summary>
+## Get the attributes of the scanner device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_scanner_dev',`
+ gen_require(`
+ type device_t, scanner_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, scanner_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of
+## the scanner device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_scanner_dev',`
+ gen_require(`
+ type scanner_device_t;
+ ')
+
+ dontaudit $1 scanner_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of the scanner device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_scanner_dev',`
+ gen_require(`
+ type device_t, scanner_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, scanner_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the attributes of
+## the scanner device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_scanner_dev',`
+ gen_require(`
+ type scanner_device_t;
+ ')
+
+ dontaudit $1 scanner_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Read and write the scanner device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_scanner',`
+ gen_require(`
+ type device_t, scanner_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, scanner_device_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the sound devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_sound_dev',`
+ gen_require(`
+ type device_t, sound_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, sound_device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the sound devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_sound_dev',`
+ gen_require(`
+ type device_t, sound_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, sound_device_t)
+')
+
+########################################
+## <summary>
+## Read the sound devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_sound',`
+ gen_require(`
+ type device_t, sound_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, sound_device_t)
+')
+
+########################################
+## <summary>
+## Write the sound devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_sound',`
+ gen_require(`
+ type device_t, sound_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, sound_device_t)
+')
+
+########################################
+## <summary>
+## Read the sound mixer devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_sound_mixer',`
+ gen_require(`
+ type device_t, sound_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, sound_device_t)
+')
+
+########################################
+## <summary>
+## Write the sound mixer devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_sound_mixer',`
+ gen_require(`
+ type device_t, sound_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, sound_device_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the the power management device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_power_mgmt_dev',`
+ gen_require(`
+ type device_t, power_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, power_device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the the power management device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_power_mgmt_dev',`
+ gen_require(`
+ type device_t, power_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, power_device_t)
+')
+
+########################################
+## <summary>
+## Read and write the the power management device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_power_management',`
+ gen_require(`
+ type device_t, power_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, power_device_t)
+')
+
+########################################
+## <summary>
+## Getattr on smartcard devices
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_smartcard_dev',`
+ gen_require(`
+ type smartcard_device_t;
+ ')
+
+ allow $1 smartcard_device_t:chr_file getattr;
+
+')
+
+########################################
+## <summary>
+## dontaudit getattr on smartcard devices
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_smartcard_dev',`
+ gen_require(`
+ type smartcard_device_t;
+ ')
+
+ dontaudit $1 smartcard_device_t:chr_file getattr;
+
+')
+
+########################################
+## <summary>
+## Read and write smartcard devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_smartcard',`
+ gen_require(`
+ type device_t, smartcard_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, smartcard_device_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete smartcard devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_smartcard',`
+ gen_require(`
+ type device_t, smartcard_device_t;
+ ')
+
+ manage_chr_files_pattern($1, device_t, smartcard_device_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Do not audit getting the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access from
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Associate a file to a sysfs filesystem.
+## </summary>
+## <param name="file_type">
+## <summary>
+## The type of the file to be associated to sysfs.
+## </summary>
+## </param>
+#
+interface(`dev_associate_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+## Get the attributes of sysfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:dir getattr_dir_perms;
+')
+
+########################################
+## <summary>
+## Search the sysfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_search_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ search_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search sysfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_search_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of the sysfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_list_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ list_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+## Write in a sysfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for cpuspeed
+interface(`dev_write_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:dir write;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write in a sysfs directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:dir write;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete sysfs
+## directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ manage_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+## Read hardware state information.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read the contents of
+## the sysfs filesystem. This filesystem contains
+## information, parameters, and other settings on the
+## hardware installed on the system.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`dev_read_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ read_files_pattern($1, sysfs_t, sysfs_t)
+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+
+ list_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+## Allow caller to modify hardware state information.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ rw_files_pattern($1, sysfs_t, sysfs_t)
+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+
+ list_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+## Read and write the TPM device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_tpm',`
+ gen_require(`
+ type device_t, tpm_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, tpm_device_t)
+')
+
+########################################
+## <summary>
+## Read from pseudo random number generator devices (e.g., /dev/urandom).
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read from pseudo random number
+## generator devices (e.g., /dev/urandom). Typically this is
+## used in situations when a cryptographically secure random
+## number is not necessarily needed. One example is the Stack
+## Smashing Protector (SSP, formerly known as ProPolice) support
+## that may be compiled into programs.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>dev_read_rand()</li>
+## </ul>
+## <p>
+## Related tunable:
+## </p>
+## <ul>
+## <li>global_ssp</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`dev_read_urand',`
+ gen_require(`
+ type device_t, urandom_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, urandom_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read from pseudo
+## random devices (e.g., /dev/urandom)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_urand',`
+ gen_require(`
+ type urandom_device_t;
+ ')
+
+ dontaudit $1 urandom_device_t:chr_file { getattr read };
+')
+
+########################################
+## <summary>
+## Write to the pseudo random device (e.g., /dev/urandom). This
+## sets the random number generator seed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_urand',`
+ gen_require(`
+ type device_t, urandom_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, urandom_device_t)
+')
+
+########################################
+## <summary>
+## Getattr generic the USB devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_generic_usb_dev',`
+ gen_require(`
+ type usb_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, usb_device_t)
+')
+
+########################################
+## <summary>
+## Setattr generic the USB devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_generic_usb_dev',`
+ gen_require(`
+ type usb_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, usb_device_t)
+')
+
+########################################
+## <summary>
+## Read generic the USB devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_generic_usb_dev',`
+ gen_require(`
+ type usb_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, usb_device_t)
+')
+
+########################################
+## <summary>
+## Read and write generic the USB devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_generic_usb_dev',`
+ gen_require(`
+ type device_t, usb_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, usb_device_t)
+')
+
+########################################
+## <summary>
+## Read USB monitor devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_usbmon_dev',`
+ gen_require(`
+ type device_t, usbmon_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, usbmon_device_t)
+')
+
+########################################
+## <summary>
+## Write USB monitor devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_usbmon_dev',`
+ gen_require(`
+ type device_t, usbmon_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, usbmon_device_t)
+')
+
+########################################
+## <summary>
+## Mount a usbfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_usbfs',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ allow $1 usbfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Associate a file to a usbfs filesystem.
+## </summary>
+## <param name="file_type">
+## <summary>
+## The type of the file to be associated to usbfs.
+## </summary>
+## </param>
+#
+interface(`dev_associate_usbfs',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ allow $1 usbfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+## Get the attributes of a directory in the usb filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_usbfs_dirs',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ allow $1 usbfs_t:dir getattr_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of a directory in the usb filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_usbfs_dirs',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ dontaudit $1 usbfs_t:dir getattr_dir_perms;
+')
+
+########################################
+## <summary>
+## Search the directory containing USB hardware information.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_search_usbfs',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ search_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+## <summary>
+## Allow caller to get a list of usb hardware.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_list_usbfs',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+ getattr_files_pattern($1, usbfs_t, usbfs_t)
+
+ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of usbfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_usbfs_files',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ setattr_files_pattern($1, usbfs_t, usbfs_t)
+ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+## <summary>
+## Read USB hardware information using
+## the usbfs filesystem interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_usbfs',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ read_files_pattern($1, usbfs_t, usbfs_t)
+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+## <summary>
+## Allow caller to modify usb hardware configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_usbfs',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ list_dirs_pattern($1, usbfs_t, usbfs_t)
+ rw_files_pattern($1, usbfs_t, usbfs_t)
+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of video4linux devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_video_dev',`
+ gen_require(`
+ type device_t, v4l_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, v4l_device_t)
+')
+
+######################################
+## <summary>
+## Read and write userio device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_userio_dev',`
+ gen_require(`
+ type device_t, userio_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, userio_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of video4linux device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_video_dev',`
+ gen_require(`
+ type v4l_device_t;
+ ')
+
+ dontaudit $1 v4l_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of video4linux device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_video_dev',`
+ gen_require(`
+ type device_t, v4l_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, v4l_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the attributes
+## of video4linux device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_video_dev',`
+ gen_require(`
+ type v4l_device_t;
+ ')
+
+ dontaudit $1 v4l_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Read the video4linux devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_video_dev',`
+ gen_require(`
+ type device_t, v4l_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, v4l_device_t)
+')
+
+########################################
+## <summary>
+## Write the video4linux devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_video_dev',`
+ gen_require(`
+ type device_t, v4l_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, v4l_device_t)
+')
+
+########################################
+## <summary>
+## Allow read/write the vhost net device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_vhost',`
+ gen_require(`
+ type device_t, vhost_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, vhost_device_t)
+')
+
+########################################
+## <summary>
+## Read and write VMWare devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_vmware',`
+ gen_require(`
+ type device_t, vmware_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, vmware_device_t)
+')
+
+########################################
+## <summary>
+## Read, write, and mmap VMWare devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rwx_vmware',`
+ gen_require(`
+ type device_t, vmware_device_t;
+ ')
+
+ dev_rw_vmware($1)
+ allow $1 vmware_device_t:chr_file execute;
+')
+
+########################################
+## <summary>
+## Read from watchdog devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_watchdog',`
+ gen_require(`
+ type device_t, watchdog_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, watchdog_device_t)
+')
+
+########################################
+## <summary>
+## Write to watchdog devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_watchdog',`
+ gen_require(`
+ type device_t, watchdog_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, watchdog_device_t)
+')
+
+########################################
+## <summary>
+## Read and write the the wireless device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_wireless',`
+ gen_require(`
+ type device_t, wireless_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, wireless_device_t)
+')
+
+########################################
+## <summary>
+## Read and write Xen devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_xen',`
+ gen_require(`
+ type device_t, xen_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, xen_device_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete Xen devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_xen',`
+ gen_require(`
+ type device_t, xen_device_t;
+ ')
+
+ manage_chr_files_pattern($1, device_t, xen_device_t)
+')
+
+########################################
+## <summary>
+## Automatic type transition to the type
+## for xen device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_xen',`
+ gen_require(`
+ type device_t, xen_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, xen_device_t, chr_file)
+')
+
+########################################
+## <summary>
+## Get the attributes of X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_xserver_misc_dev',`
+ gen_require(`
+ type device_t, xserver_misc_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_xserver_misc_dev',`
+ gen_require(`
+ type device_t, xserver_misc_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
+')
+
+########################################
+## <summary>
+## Read and write X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_xserver_misc',`
+ gen_require(`
+ type device_t, xserver_misc_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, xserver_misc_device_t)
+')
+
+########################################
+## <summary>
+## Read and write to the zero device (/dev/zero).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_zero',`
+ gen_require(`
+ type device_t, zero_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, zero_device_t)
+')
+
+########################################
+## <summary>
+## Read, write, and execute the zero device (/dev/zero).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rwx_zero',`
+ gen_require(`
+ type zero_device_t;
+ ')
+
+ dev_rw_zero($1)
+ allow $1 zero_device_t:chr_file execute;
+')
+
+########################################
+## <summary>
+## Execmod the zero device (/dev/zero).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_execmod_zero',`
+ gen_require(`
+ type zero_device_t;
+ ')
+
+ dev_rw_zero($1)
+ allow $1 zero_device_t:chr_file execmod;
+')
+
+########################################
+## <summary>
+## Create the zero device (/dev/zero).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_zero_dev',`
+ gen_require(`
+ type device_t, zero_device_t;
+ ')
+
+ create_chr_files_pattern($1, device_t, zero_device_t)
+')
+
+########################################
+## <summary>
+## Unconfined access to devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_unconfined',`
+ gen_require(`
+ attribute devices_unconfined_type;
+ ')
+
+ typeattribute $1 devices_unconfined_type;
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
new file mode 100644
index 00000000..82be0882
--- /dev/null
+++ b/policy/modules/kernel/devices.te
@@ -0,0 +1,314 @@
+policy_module(devices, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute device_node;
+attribute memory_raw_read;
+attribute memory_raw_write;
+attribute devices_unconfined_type;
+
+#
+# device_t is the type of /dev.
+#
+type device_t;
+fs_associate_tmpfs(device_t)
+files_type(device_t)
+files_mountpoint(device_t)
+files_associate_tmp(device_t)
+fs_type(device_t)
+fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
+
+#
+# Type for /dev/agpgart
+#
+type agp_device_t;
+dev_node(agp_device_t)
+
+#
+# Type for /dev/apm_bios
+#
+type apm_bios_t;
+dev_node(apm_bios_t)
+
+#
+# Type for /dev/autofs
+#
+type autofs_device_t;
+dev_node(autofs_device_t)
+
+type cardmgr_dev_t;
+dev_node(cardmgr_dev_t)
+files_tmp_file(cardmgr_dev_t)
+
+#
+# clock_device_t is the type of
+# /dev/rtc.
+#
+type clock_device_t;
+dev_node(clock_device_t)
+
+#
+# cpu control devices /dev/cpu/0/*
+#
+type cpu_device_t;
+dev_node(cpu_device_t)
+
+#
+# Type for /dev/crash
+#
+type crash_device_t;
+dev_node(crash_device_t)
+
+# for the IBM zSeries z90crypt hardware ssl accelorator
+type crypt_device_t;
+dev_node(crypt_device_t)
+
+#
+# dlm_misc_device_t is the type of /dev/misc/dlm.*
+#
+type dlm_control_device_t;
+dev_node(dlm_control_device_t)
+
+type dri_device_t;
+dev_node(dri_device_t)
+
+type event_device_t;
+dev_node(event_device_t)
+
+#
+# Type for framebuffer /dev/fb/*
+#
+type framebuf_device_t;
+dev_node(framebuf_device_t)
+
+#
+# Type for /dev/ipmi/0
+#
+type ipmi_device_t;
+dev_node(ipmi_device_t)
+
+#
+# Type for /dev/kmsg
+#
+type kmsg_device_t;
+dev_node(kmsg_device_t)
+
+#
+# ksm_device_t is the type of /dev/ksm
+#
+type ksm_device_t;
+dev_node(ksm_device_t)
+
+#
+# kvm_device_t is the type of
+# /dev/kvm
+#
+type kvm_device_t;
+dev_node(kvm_device_t)
+
+#
+# Type for /dev/lirc
+#
+type lirc_device_t;
+dev_node(lirc_device_t)
+
+#
+# Type for /dev/mapper/control
+#
+type lvm_control_t;
+dev_node(lvm_control_t)
+
+#
+# memory_device_t is the type of /dev/kmem,
+# /dev/mem and /dev/port.
+#
+type memory_device_t;
+dev_node(memory_device_t)
+
+neverallow ~{ memory_raw_read devices_unconfined_type } memory_device_t:{ chr_file blk_file } read;
+neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_file blk_file } { append write };
+
+type misc_device_t;
+dev_node(misc_device_t)
+
+#
+# A general type for modem devices.
+#
+type modem_device_t;
+dev_node(modem_device_t)
+
+#
+# A more general type for mouse devices.
+#
+type mouse_device_t;
+dev_node(mouse_device_t)
+
+#
+# Type for /dev/cpu/mtrr and /proc/mtrr
+#
+type mtrr_device_t;
+dev_node(mtrr_device_t)
+genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
+
+#
+# network control devices
+#
+type netcontrol_device_t;
+dev_node(netcontrol_device_t)
+
+#
+# null_device_t is the type of /dev/null.
+#
+type null_device_t;
+dev_node(null_device_t)
+mls_trusted_object(null_device_t)
+sid devnull gen_context(system_u:object_r:null_device_t,s0)
+
+#
+# Type for /dev/nvram
+#
+type nvram_device_t;
+dev_node(nvram_device_t)
+
+#
+# Type for /dev/pmu
+#
+type power_device_t;
+dev_node(power_device_t)
+
+type printer_device_t;
+dev_node(printer_device_t)
+mls_file_write_within_range(printer_device_t)
+
+#
+# qemu control devices
+#
+type qemu_device_t;
+dev_node(qemu_device_t)
+
+#
+# random_device_t is the type of /dev/random
+#
+type random_device_t;
+dev_node(random_device_t)
+
+type scanner_device_t;
+dev_node(scanner_device_t)
+
+#
+# Type for smartcards
+#
+type smartcard_device_t;
+dev_node(smartcard_device_t)
+
+#
+# Type for sound devices and mixers
+#
+type sound_device_t;
+dev_node(sound_device_t)
+
+#
+# sysfs_t is the type for the /sys pseudofs
+#
+type sysfs_t;
+files_mountpoint(sysfs_t)
+fs_type(sysfs_t)
+genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
+
+#
+# Type for /dev/tpm
+#
+type tpm_device_t;
+dev_node(tpm_device_t)
+
+#
+# urandom_device_t is the type of /dev/urandom
+#
+type urandom_device_t;
+dev_node(urandom_device_t)
+
+#
+# usbfs_t is the type for the /proc/bus/usb pseudofs
+#
+type usbfs_t alias usbdevfs_t;
+files_mountpoint(usbfs_t)
+fs_noxattr_type(usbfs_t)
+genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
+genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
+
+#
+# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
+#
+type usb_device_t;
+dev_node(usb_device_t)
+
+#
+# usb_device_t is the type for /dev/usbmon
+#
+type usbmon_device_t;
+dev_node(usbmon_device_t)
+
+#
+# userio_device_t is the type for /dev/uio[0-9]+
+#
+type userio_device_t;
+dev_node(userio_device_t)
+
+type v4l_device_t;
+dev_node(v4l_device_t)
+
+#
+# vhost_device_t is the type for /dev/vhost-net
+#
+type vhost_device_t;
+dev_node(vhost_device_t)
+
+# Type for vmware devices.
+type vmware_device_t;
+dev_node(vmware_device_t)
+
+type watchdog_device_t;
+dev_node(watchdog_device_t)
+
+#
+# wireless control devices
+#
+type wireless_device_t;
+dev_node(wireless_device_t)
+
+type xen_device_t;
+dev_node(xen_device_t)
+
+type xserver_misc_device_t;
+dev_node(xserver_misc_device_t)
+
+#
+# zero_device_t is the type of /dev/zero.
+#
+type zero_device_t;
+dev_node(zero_device_t)
+mls_trusted_object(zero_device_t)
+
+########################################
+#
+# Rules for all device nodes
+#
+
+allow device_node device_t:filesystem associate;
+
+fs_associate(device_node)
+fs_associate_tmpfs(device_node)
+
+files_associate_tmp(device_node)
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow devices_unconfined_type self:capability sys_rawio;
+allow devices_unconfined_type device_node:{ blk_file chr_file } *;
+allow devices_unconfined_type mtrr_device_t:file *;
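Review bot: The comment above `type usbmon_device_t;` reads `# usb_device_t is the type for /dev/usbmon`, naming the neighbouring type rather than the one declared; it should be `# usbmon_device_t is the type for /dev/usbmon`. The same mismatch appears at the dlm declaration, where the comment describes `dlm_misc_device_t` but the type declared is `dlm_control_device_t`, and the z90crypt comment spells `accelorator` for `accelerator`. Separately, the closing unconfined block grants `device_node:{ blk_file chr_file } *` while the two `neverallow` rules on memory_device_t explicitly exempt `devices_unconfined_type`, so any domain given this attribute is outside the raw-memory restriction that the rest of the policy enforces; a one-line comment such as `# exempt from the memory_device_t neverallows above: assign only to fully unconfined domains` would make the scope of dev_unconfined() clear to readers of this file.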
diff --git a/policy/modules/kernel/domain.fc b/policy/modules/kernel/domain.fc
new file mode 100644
index 00000000..7be4ddf7
--- /dev/null
+++ b/policy/modules/kernel/domain.fc
@@ -0,0 +1 @@
+# This module currently does not have any file contexts.
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
new file mode 100644
index 00000000..6a1e4d15
--- /dev/null
+++ b/policy/modules/kernel/domain.if
@@ -0,0 +1,1533 @@
+## <summary>Core policy for domains.</summary>
+## <required val="true">
+## Contains the concept of a domain.
+## </required>
+
+########################################
+## <summary>
+## Make the specified type usable as a basic domain.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable as a basic domain.
+## </p>
+## <p>
+## This is primarily used for kernel threads;
+## generally the domain_type() interface is
+## more appropriate for userland processes.
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type to be used as a basic domain type.
+## </summary>
+## </param>
+#
+interface(`domain_base_type',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ typeattribute $1 domain;
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a domain.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable as a domain. This,
+## or an interface that calls this interface, must be
+## used on all types that are used as domains.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>application_domain()</li>
+## <li>init_daemon_domain()</li>
+## <li>init_domaion()</li>
+## <li>init_ranged_daemon_domain()</li>
+## <li>init_ranged_domain()</li>
+## <li>init_ranged_system_domain()</li>
+## <li>init_script_domain()</li>
+## <li>init_system_domain()</li>
+## </ul>
+## <p>
+## Example:
+## </p>
+## <p>
+## type mydomain_t;
+## domain_type(mydomain_t)
+## type myfile_t;
+## files_type(myfile_t)
+## allow mydomain_t myfile_t:file read_file_perms;
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type to be used as a domain type.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`domain_type',`
+ # start with basic domain
+ domain_base_type($1)
+
+ ifdef(`distro_redhat',`
+ optional_policy(`
+ unconfined_use_fds($1)
+ ')
+ ')
+
+ # send init a sigchld and signull
+ optional_policy(`
+ init_sigchld($1)
+ init_signull($1)
+ ')
+
+ # these seem questionable:
+
+ optional_policy(`
+ rpm_use_fds($1)
+ rpm_read_pipes($1)
+ ')
+
+ optional_policy(`
+ selinux_dontaudit_getattr_fs($1)
+ selinux_dontaudit_read_fs($1)
+ ')
+
+ optional_policy(`
+ seutil_dontaudit_read_config($1)
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified type usable as
+## an entry point for the domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be entered.
+## </summary>
+## </param>
+## <param name="type">
+## <summary>
+## Type of program used for entering
+## the domain.
+## </summary>
+## </param>
+#
+interface(`domain_entry_file',`
+ gen_require(`
+ attribute entry_type;
+ ')
+
+ allow $1 $2:file entrypoint;
+ allow $1 $2:file { mmap_file_perms ioctl lock };
+
+ typeattribute $2 entry_type;
+
+ corecmd_executable_file($2)
+')
+
+########################################
+## <summary>
+## Make the file descriptors of the specified
+## domain for interactive use (widely inheritable)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_interactive_fd',`
+ gen_require(`
+ attribute privfd;
+ ')
+
+ typeattribute $1 privfd;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to perform
+## dynamic transitions.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to perform
+## dynamic transitions.
+## </p>
+## <p>
+## This violates process tranquility, and it
+## is strongly suggested that this not be used.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_dyntrans_type',`
+ gen_require(`
+ attribute set_curr_context;
+ ')
+
+ typeattribute $1 set_curr_context;
+')
+
+########################################
+## <summary>
+## Makes caller and execption to the constraint
+## preventing changing to the system user
+## identity and system role.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_system_change_exemption',`
+ gen_require(`
+ attribute can_system_change;
+ ')
+
+ typeattribute $1 can_system_change;
+')
+
+########################################
+## <summary>
+## Makes caller an exception to the constraint preventing
+## changing of user identity.
+## </summary>
+## <param name="domain">
+## <summary>
+## The process type to make an exception to the constraint.
+## </summary>
+## </param>
+#
+interface(`domain_subj_id_change_exemption',`
+ gen_require(`
+ attribute can_change_process_identity;
+ ')
+
+ typeattribute $1 can_change_process_identity;
+')
+
+########################################
+## <summary>
+## Makes caller an exception to the constraint preventing
+## changing of role.
+## </summary>
+## <param name="domain">
+## <summary>
+## The process type to make an exception to the constraint.
+## </summary>
+## </param>
+#
+interface(`domain_role_change_exemption',`
+ gen_require(`
+ attribute can_change_process_role;
+ ')
+
+ typeattribute $1 can_change_process_role;
+')
+
+########################################
+## <summary>
+## Makes caller an exception to the constraint preventing
+## changing the user identity in object contexts.
+## </summary>
+## <param name="domain">
+## <summary>
+## The process type to make an exception to the constraint.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_obj_id_change_exemption',`
+ gen_require(`
+ attribute can_change_object_identity;
+ ')
+
+ typeattribute $1 can_change_object_identity;
+')
+
+########################################
+## <summary>
+## Make the specified domain the target of
+## the user domain exception of the
+## SELinux role and identity change
+## constraints.
+## </summary>
+## <desc>
+## <p>
+## Make the specified domain the target of
+## the user domain exception of the
+## SELinux role and identity change
+## constraints.
+## </p>
+## <p>
+## This interface is needed to decouple
+## the user domains from the base module.
+## It should not be used other than on
+## user domains.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+#
+interface(`domain_user_exemption_target',`
+ gen_require(`
+ attribute process_user_target;
+ ')
+
+ typeattribute $1 process_user_target;
+')
+
+########################################
+## <summary>
+## Make the specified domain the source of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </summary>
+## <desc>
+## <p>
+## Make the specified domain the source of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </p>
+## <p>
+## This interface is needed to decouple
+## the cron domains from the base module.
+## It should not be used other than on
+## cron domains.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+#
+interface(`domain_cron_exemption_source',`
+ gen_require(`
+ attribute cron_source_domain;
+ ')
+
+ typeattribute $1 cron_source_domain;
+')
+
+########################################
+## <summary>
+## Make the specified domain the target of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </summary>
+## <desc>
+## <p>
+## Make the specified domain the target of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </p>
+## <p>
+## This interface is needed to decouple
+## the cron domains from the base module.
+## It should not be used other than on
+## user cron jobs.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+#
+interface(`domain_cron_exemption_target',`
+ gen_require(`
+ attribute cron_job_domain;
+ ')
+
+ typeattribute $1 cron_job_domain;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from
+## domains with interactive programs.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to inherit and use file
+## descriptors from domains with interactive programs.
+## This does not allow access to the objects being referenced
+## by the file descriptors.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="1"/>
+#
+interface(`domain_use_interactive_fds',`
+ gen_require(`
+ attribute privfd;
+ ')
+
+ allow $1 privfd:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit file
+## descriptors from domains with interactive
+## programs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_use_interactive_fds',`
+ gen_require(`
+ attribute privfd;
+ ')
+
+ dontaudit $1 privfd:fd use;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to domains whose file
+## discriptors are widely inheritable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: this was added because of newrole
+interface(`domain_sigchld_interactive_fds',`
+ gen_require(`
+ attribute privfd;
+ ')
+
+ allow $1 privfd:process sigchld;
+')
+
+########################################
+## <summary>
+## Set the nice level of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_setpriority_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process setsched;
+')
+
+########################################
+## <summary>
+## Send general signals to all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_signal_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process signal;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send general
+## signals to all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_dontaudit_signal_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:process signal;
+')
+
+########################################
+## <summary>
+## Send a null signal to all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_signull_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process signull;
+')
+
+########################################
+## <summary>
+## Send a stop signal to all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_sigstop_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process sigstop;
+')
+
+########################################
+## <summary>
+## Send a child terminated signal to all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_sigchld_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process sigchld;
+')
+
+########################################
+## <summary>
+## Send a kill signal to all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_kill_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process sigkill;
+ allow $1 self:capability kill;
+')
+
+########################################
+## <summary>
+## Search the process state directory (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_search_all_domains_state',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 domain:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the process
+## state directory (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_search_all_domains_state',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_read_all_domains_state',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 domain:dir list_dir_perms;
+ read_files_pattern($1, domain, domain)
+ read_lnk_files_pattern($1, domain, domain)
+')
+
+########################################
+## <summary>
+## Get the attributes of all domains of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_getattr_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:process getattr;
+')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid) of all confined domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_read_confined_domains_state',`
+ gen_require(`
+ attribute domain, unconfined_domain_type;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 { domain -unconfined_domain_type }:dir list_dir_perms;
+ read_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
+ read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
+
+ dontaudit $1 unconfined_domain_type:dir search_dir_perms;
+ dontaudit $1 unconfined_domain_type:file read_file_perms;
+ dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of all confined domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_getattr_confined_domains',`
+ gen_require(`
+ attribute domain, unconfined_domain_type;
+ ')
+
+ allow $1 { domain -unconfined_domain_type }:process getattr;
+')
+
+########################################
+## <summary>
+## Ptrace all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_ptrace_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process ptrace;
+ allow domain $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to ptrace all domains.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to ptrace all domains.
+## </p>
+## <p>
+## Generally this needs to be suppressed because procps tries to access
+## /proc/pid/environ and this now triggers a ptrace check in recent kernels
+## (2.4 and 2.6).
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_ptrace_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:process ptrace;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to ptrace confined domains.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to ptrace confined domains.
+## </p>
+## <p>
+## Generally this needs to be suppressed because procps tries to access
+## /proc/pid/environ and this now triggers a ptrace check in recent kernels
+## (2.4 and 2.6).
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_ptrace_confined_domains',`
+ gen_require(`
+ attribute domain, unconfined_domain_type;
+ ')
+
+ dontaudit $1 { domain -unconfined_domain_type }:process ptrace;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read the process
+## state (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_read_all_domains_state',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:dir list_dir_perms;
+ dontaudit $1 domain:lnk_file read_lnk_file_perms;
+ dontaudit $1 domain:file read_file_perms;
+
+ # cjp: these should be removed:
+ dontaudit $1 domain:sock_file read_sock_file_perms;
+ dontaudit $1 domain:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read the process state
+## directories of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_list_all_domains_state',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the session ID of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_getsession_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process getsession;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## session ID of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_getsession_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:process getsession;
+')
+
+########################################
+## <summary>
+## Get the process group ID of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_getpgid_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process getpgid;
+')
+
+########################################
+## <summary>
+## Get the scheduler information of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_getsched_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process getsched;
+')
+
+########################################
+## <summary>
+## Get the capability information of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_getcap_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process getcap;
+')
+
+########################################
+## <summary>
+## Get the attributes of all domains
+## sockets, for all socket types.
+## </summary>
+## <desc>
+## <p>
+## Get the attributes of all domains
+## sockets, for all socket types.
+## </p>
+## <p>
+## This is commonly used for domains
+## that can use lsof on all domains.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_getattr_all_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:socket_class_set getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all domains sockets, for all socket types.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to get the attributes
+## of all domains sockets, for all socket types.
+## </p>
+## <p>
+## This interface was added for PCMCIA cardmgr
+## and is probably excessive.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:socket_class_set getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all domains TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_tcp_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:tcp_socket getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all domains UDP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_udp_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:udp_socket getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## all domains UDP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_rw_all_udp_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:udp_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get attribues of
+## all domains IPSEC key management sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_key_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:key_socket getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get attribues of
+## all domains packet sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_packet_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:packet_socket getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get attribues of
+## all domains raw sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_raw_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:rawip_socket getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## all domains key sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_rw_all_key_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:key_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all domains unix datagram sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_dgram_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:unix_dgram_socket getattr;
+')
+
+########################################
+## <summary>
+## Get the attributes
+## of all domains unix datagram sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_getattr_all_stream_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:unix_stream_socket getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all domains unix datagram sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_stream_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:unix_stream_socket getattr;
+')
+
+########################################
+## <summary>
+## Get the attributes of all domains
+## unnamed pipes.
+## </summary>
+## <desc>
+## <p>
+## Get the attributes of all domains
+## unnamed pipes.
+## </p>
+## <p>
+## This is commonly used for domains
+## that can use lsof on all domains.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_getattr_all_pipes',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all domains unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_pipes',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Allow specified type to set context of all
+## domains IPSEC associations.
+## </summary>
+## <param name="type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_ipsec_setcontext_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:association setcontext;
+')
+
+########################################
+## <summary>
+## Get the attributes of entry point
+## files for all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_getattr_all_entry_files',`
+ gen_require(`
+ attribute entry_type;
+ ')
+
+ allow $1 entry_type:lnk_file read_lnk_file_perms;
+ allow $1 entry_type:file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all entry point files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_entry_files',`
+ gen_require(`
+ attribute entry_type;
+ ')
+
+ dontaudit $1 entry_type:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Read the entry point files for all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_read_all_entry_files',`
+ gen_require(`
+ attribute entry_type;
+ ')
+
+ allow $1 entry_type:lnk_file read_lnk_file_perms;
+ allow $1 entry_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute the entry point files for all
+## domains in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_exec_all_entry_files',`
+ gen_require(`
+ attribute entry_type;
+ ')
+
+ can_exec($1, entry_type)
+')
+
+########################################
+## <summary>
+## dontaudit checking for execute on all entry point files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_exec_all_entry_files',`
+ gen_require(`
+ attribute entry_type;
+ ')
+
+ dontaudit $1 entry_type:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete all
+## entrypoint files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`domain_manage_all_entry_files',`
+ gen_require(`
+ attribute entry_type;
+ ')
+
+ allow $1 entry_type:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel to and from all entry point
+## file types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`domain_relabel_all_entry_files',`
+ gen_require(`
+ attribute entry_type;
+ ')
+
+ allow $1 entry_type:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Mmap all entry point files as executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`domain_mmap_all_entry_files',`
+ gen_require(`
+ attribute entry_type;
+ ')
+
+ allow $1 entry_type:file mmap_file_perms;
+')
+
+########################################
+## <summary>
+## Execute an entry_type in the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+# cjp: added for userhelper
+interface(`domain_entry_file_spec_domtrans',`
+ gen_require(`
+ attribute entry_type;
+ ')
+
+ domain_transition_pattern($1, entry_type, $2)
+')
+
+########################################
+## <summary>
+## Ability to mmap a low area of the address
+## space conditionally, as configured by
+## /proc/sys/kernel/mmap_min_addr.
+## Preventing such mappings helps protect against
+## exploiting null deref bugs in the kernel.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_mmap_low',`
+ gen_require(`
+ attribute mmap_low_domain_type;
+ bool mmap_low_allowed;
+ ')
+
+ typeattribute $1 mmap_low_domain_type;
+
+ if ( mmap_low_allowed ) {
+ allow $1 self:memprotect mmap_zero;
+ }
+')
+
+########################################
+## <summary>
+## Ability to mmap a low area of the address
+## space unconditionally, as configured
+## by /proc/sys/kernel/mmap_min_addr.
+## Preventing such mappings helps protect against
+## exploiting null deref bugs in the kernel.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_mmap_low_uncond',`
+ gen_require(`
+ attribute mmap_low_domain_type;
+ ')
+
+ typeattribute $1 mmap_low_domain_type;
+
+ allow $1 self:memprotect mmap_zero;
+')
+
+########################################
+## <summary>
+## Allow specified type to receive labeled
+## networking packets from all domains, over
+## all protocols (TCP, UDP, etc)
+## </summary>
+## <param name="type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_all_recvfrom_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ corenet_all_recvfrom_labeled($1, domain)
+')
+
+########################################
+## <summary>
+## Send generic signals to the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_unconfined_signal',`
+ gen_require(`
+ attribute unconfined_domain_type;
+ ')
+
+ allow $1 unconfined_domain_type:process signal;
+')
+
+########################################
+## <summary>
+## Unconfined access to domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_unconfined',`
+ gen_require(`
+ attribute set_curr_context;
+ attribute can_change_object_identity;
+ attribute unconfined_domain_type;
+ attribute process_uncond_exempt;
+ ')
+
+ typeattribute $1 unconfined_domain_type;
+
+ # pass constraints
+ typeattribute $1 can_change_object_identity;
+ typeattribute $1 set_curr_context;
+ typeattribute $1 process_uncond_exempt;
+')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
new file mode 100644
index 00000000..cf04cb50
--- /dev/null
+++ b/policy/modules/kernel/domain.te
@@ -0,0 +1,170 @@
+policy_module(domain, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Control the ability to mmap a low area of the address space,
+## as configured by /proc/sys/kernel/mmap_min_addr.
+## </p>
+## </desc>
+gen_tunable(mmap_low_allowed, false)
+
+# Mark process types as domains
+attribute domain;
+
+# Transitions only allowed from domains to other domains
+neverallow domain ~domain:process { transition dyntransition };
+
+# Domains that are unconfined
+attribute unconfined_domain_type;
+
+# Domains that can mmap low memory.
+attribute mmap_low_domain_type;
+neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
+
+# Domains that can set their current context
+# (perform dynamic transitions)
+attribute set_curr_context;
+
+# enabling setcurrent breaks process tranquility. If you do not
+# know what this means or do not understand the implications of a
+# dynamic transition, you should not be using it!!!
+neverallow { domain -set_curr_context } self:process setcurrent;
+
+# entrypoint executables
+attribute entry_type;
+
+# widely-inheritable file descriptors
+attribute privfd;
+
+#
+# constraint related attributes
+#
+
+# [1] types that can change SELinux identity on transition
+attribute can_change_process_identity;
+
+# [2] types that can change SELinux role on transition
+attribute can_change_process_role;
+
+# [3] types that can change the SELinux identity on a filesystem
+# object or a socket object on a create or relabel
+attribute can_change_object_identity;
+
+# [3] types that can change to system_u:system_r
+attribute can_system_change;
+
+# [4] types that have attribute 1 can change the SELinux
+# identity only if the target domain has this attribute.
+# Types that have attribute 2 can change the SELinux role
+# only if the target domain has this attribute.
+attribute process_user_target;
+
+# For cron jobs
+# [5] types used for cron daemons
+attribute cron_source_domain;
+# [6] types used for cron jobs
+attribute cron_job_domain;
+
+# [7] types that are unconditionally exempt from
+# SELinux identity and role change constraints
+attribute process_uncond_exempt; # add userhelperdomain to this one
+
+neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
+neverallow ~{ domain unlabeled_t } *:process *;
+
+########################################
+#
+# Rules applied to all domains
+#
+
+# read /proc/(pid|self) entries
+allow domain self:dir list_dir_perms;
+allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
+allow domain self:file rw_file_perms;
+kernel_read_proc_symlinks(domain)
+# Every domain gets the key ring, so we should default
+# to no one allowed to look at it; afs kernel support creates
+# a keyring
+kernel_dontaudit_search_key(domain)
+kernel_dontaudit_link_key(domain)
+
+# create child processes in the domain
+allow domain self:process { fork sigchld };
+
+# Use trusted objects in /dev
+dev_rw_null(domain)
+dev_rw_zero(domain)
+term_use_controlling_term(domain)
+
+# list the root directory
+files_list_root(domain)
+
+ifdef(`hide_broken_symptoms',`
+ # This check is in the general socket
+ # listen code, before protocol-specific
+ # listen function is called, so bad calls
+ # to listen on UDP sockets should be silenced
+ dontaudit domain self:udp_socket listen;
+')
+
+tunable_policy(`global_ssp',`
+ # enable reading of urandom for all domains:
+ # this should be enabled when all programs
+ # are compiled with ProPolice/SSP
+ # stack smashing protection.
+ dev_read_urand(domain)
+')
+
+optional_policy(`
+ libs_use_ld_so(domain)
+ libs_use_shared_libs(domain)
+')
+
+optional_policy(`
+ setrans_translate_context(domain)
+')
+
+# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
+optional_policy(`
+ xserver_dontaudit_use_xdm_fds(domain)
+ xserver_dontaudit_rw_xdm_pipes(domain)
+')
+
+########################################
+#
+# Unconfined access to this module
+#
+
+# unconfined access also allows constraints, but this
+# is handled in the interface as typeattribute cannot
+# be used on an attribute.
+
+# Use/sendto/connectto sockets created by any domain.
+allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+
+# Use descriptors and pipes created by any domain.
+allow unconfined_domain_type domain:fd use;
+allow unconfined_domain_type domain:fifo_file rw_file_perms;
+
+# Act upon any other process.
+allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
+
+# Create/access any System V IPC objects.
+allow unconfined_domain_type domain:{ sem msgq shm } *;
+allow unconfined_domain_type domain:msg { send receive };
+
+# For /proc/pid
+allow unconfined_domain_type domain:dir list_dir_perms;
+allow unconfined_domain_type domain:file rw_file_perms;
+allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+
+# act on all domains keys
+allow unconfined_domain_type domain:key *;
+
+# receive from all domains over labeled networking
+domain_all_recvfrom_all_domains(unconfined_domain_type)
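Review bot: The constraint-attribute index comments in the Declarations section duplicate `[3]`: `can_change_object_identity` and `can_system_change` are both labelled `[3]`, yet the `[4]` comment on `process_user_target` refers back to "attribute 1" and "attribute 2" by number, so the numbering that readers and the constraints file rely on is ambiguous from that point on. Renumber the second one, e.g. `# [4] types that can change to system_u:system_r`, and shift the following indices (or, if the numbers mirror an external constraints file, state which index the duplicate really is). Separately, `attribute process_uncond_exempt; # add userhelperdomain to this one` reads as a leftover TODO rather than documentation of an attribute that bypasses the identity/role change constraints outright; a comment stating the intended audience, e.g. `# [7] unconditionally exempt from identity/role constraints; intended only for userhelper-style domains`, would make the scope of the exemption explicit to anyone adding types to it.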
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
new file mode 100644
index 00000000..94496b05
--- /dev/null
+++ b/policy/modules/kernel/files.fc
@@ -0,0 +1,265 @@
+
+#
+# /
+#
+/.* gen_context(system_u:object_r:default_t,s0)
+/ -d gen_context(system_u:object_r:root_t,s0)
+/\.journal <<none>>
+/afs -d gen_context(system_u:object_r:mnt_t,s0)
+/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0)
+/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0)
+
+ifdef(`distro_redhat',`
+/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/\.suspended -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/fastboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/forcefsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+ifdef(`distro_suse',`
+/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+#
+# /boot
+#
+/boot -d gen_context(system_u:object_r:boot_t,s0)
+/boot/.* gen_context(system_u:object_r:boot_t,s0)
+/boot/\.journal <<none>>
+/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
+/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+/boot/lost\+found/.* <<none>>
+/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
+
+#
+# /emul
+#
+/emul -d gen_context(system_u:object_r:usr_t,s0)
+/emul/.* gen_context(system_u:object_r:usr_t,s0)
+
+#
+# /etc
+#
+/etc -d gen_context(system_u:object_r:etc_t,s0)
+/etc/.* gen_context(system_u:object_r:etc_t,s0)
+/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/cmtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
+/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
+
+/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+/etc/network/ifstate -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+ifdef(`distro_gentoo', `
+/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/env\.d(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+ifdef(`distro_redhat',`
+/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0)
+')
+
+ifdef(`distro_suse',`
+/etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+#
+# HOME_ROOT
+# expanded by genhomedircon
+#
+HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
+HOME_ROOT -l gen_context(system_u:object_r:home_root_t,s0)
+HOME_ROOT/\.journal <<none>>
+HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+HOME_ROOT/lost\+found/.* <<none>>
+
+#
+# /initrd
+#
+# initrd mount point, only used during boot
+/initrd -d gen_context(system_u:object_r:root_t,s0)
+
+#
+# /lib(64)?
+#
+/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
+/lib64/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
+
+ifdef(`distro_debian',`
+# on Debian /lib/init/rw is a tmpfs used like /var/run but
+# before /var is mounted
+/lib/init/rw(/.*)? gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+')
+
+#
+# /lost+found
+#
+/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+/lost\+found/.* <<none>>
+
+#
+# /media
+#
+# Mount points; do not relabel subdirectories, since
+# we don't want to change any removable media by default.
+/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
+/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
+/media/[^/]*/.* <<none>>
+/media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
+
+#
+# /misc
+#
+/misc -d gen_context(system_u:object_r:mnt_t,s0)
+
+#
+# /mnt
+#
+/mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
+/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
+/mnt/[^/]*/.* <<none>>
+
+#
+# /net
+#
+/net -d gen_context(system_u:object_r:mnt_t,s0)
+
+#
+# /opt
+#
+/opt -d gen_context(system_u:object_r:usr_t,s0)
+/opt/.* gen_context(system_u:object_r:usr_t,s0)
+
+/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
+
+#
+# /proc
+#
+/proc -d <<none>>
+/proc/.* <<none>>
+
+#
+# /run
+#
+/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+/run/.* gen_context(system_u:object_r:var_run_t,s0)
+/run/.*\.*pid <<none>>
+/run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+
+#
+# /selinux
+#
+/selinux -d <<none>>
+/selinux/.* <<none>>
+
+#
+# /srv
+#
+/srv -d gen_context(system_u:object_r:var_t,s0)
+/srv/.* gen_context(system_u:object_r:var_t,s0)
+
+#
+# /tmp
+#
+/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/tmp/.* <<none>>
+/tmp/\.journal <<none>>
+
+/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+/tmp/lost\+found/.* <<none>>
+
+#
+# /usr
+#
+/usr -d gen_context(system_u:object_r:usr_t,s0)
+/usr/.* gen_context(system_u:object_r:usr_t,s0)
+/usr/\.journal <<none>>
+
+/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+/usr/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+/usr/local/\.journal <<none>>
+
+/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+/usr/local/lost\+found/.* <<none>>
+
+/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+/usr/lost\+found/.* <<none>>
+
+/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
+
+/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/usr/tmp/.* <<none>>
+
+ifndef(`distro_redhat',`
+/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+
+/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
+')
+
+#
+# /var
+#
+/var -d gen_context(system_u:object_r:var_t,s0)
+/var/.* gen_context(system_u:object_r:var_t,s0)
+/var/\.journal <<none>>
+
+/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
+
+/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
+
+/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
+
+/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+
+/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+/var/lost\+found/.* <<none>>
+
+/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+/var/run -l gen_context(system_u:object_r:var_run_t,s0)
+/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
+/var/run/.*\.*pid <<none>>
+
+/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
+/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/var/tmp -l gen_context(system_u:object_r:tmp_t,s0)
+/var/tmp/.* <<none>>
+/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+/var/tmp/lost\+found/.* <<none>>
+/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
+
+ifdef(`distro_debian',`
+/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+')
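Review bot: The entry `/run/.*\.*pid <<none>>` (and its twin `/var/run/.*\.*pid <<none>>`) does not match only `.pid` files: `\.*` is zero or more literal dots, so the regex reduces to `/run/.*pid` and withholds a context from any path under /run whose name merely ends in `pid`. If the intent is presumably PID files only, the escape should be `\.pid`, i.e. `/run/.*\.pid <<none>>` and `/var/run/.*\.pid <<none>>`; if the looser match is deliberate, a one-line comment above each entry saying so would stop the next reader from "fixing" it.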
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
new file mode 100644
index 00000000..adeec85f
--- /dev/null
+++ b/policy/modules/kernel/files.if
@@ -0,0 +1,6223 @@
+## <summary>
+## Basic filesystem types and interfaces.
+## </summary>
+## <desc>
+## <p>
+## This module contains basic filesystem types and interfaces. This
+## includes:
+## <ul>
+## <li>The concept of different file types including basic
+## files, mount points, tmp files, etc.</li>
+## <li>Access to groups of files and all files.</li>
+## <li>Types and interfaces for the basic filesystem layout
+## (/, /etc, /tmp, /usr, etc.).</li>
+## </ul>
+## </p>
+## </desc>
+## <required val="true">
+## Contains the concept of a file.
+## Comains the file initial SID.
+## </required>
+
+########################################
+## <summary>
+## Make the specified type usable for files
+## in a filesystem.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable for files
+## in a filesystem. Types used for files that
+## do not use this interface, or an interface that
+## calls this one, will have unexpected behaviors
+## while the system is running. If the type is used
+## for device nodes (character or block files), then
+## the dev_node() interface is more appropriate.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>application_domain()</li>
+## <li>application_executable_file()</li>
+## <li>corecmd_executable_file()</li>
+## <li>init_daemon_domain()</li>
+## <li>init_domaion()</li>
+## <li>init_ranged_daemon_domain()</li>
+## <li>init_ranged_domain()</li>
+## <li>init_ranged_system_domain()</li>
+## <li>init_script_file()</li>
+## <li>init_script_domain()</li>
+## <li>init_system_domain()</li>
+## <li>files_config_files()</li>
+## <li>files_lock_file()</li>
+## <li>files_mountpoint()</li>
+## <li>files_pid_file()</li>
+## <li>files_security_file()</li>
+## <li>files_security_mountpoint()</li>
+## <li>files_tmp_file()</li>
+## <li>files_tmpfs_file()</li>
+## <li>logging_log_file()</li>
+## <li>userdom_user_home_content()</li>
+## </ul>
+## <p>
+## Example:
+## </p>
+## <p>
+## type myfile_t;
+## files_type(myfile_t)
+## allow mydomain_t myfile_t:file read_file_perms;
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type to be used for files.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`files_type',`
+ gen_require(`
+ attribute file_type, non_security_file_type;
+ ')
+
+ typeattribute $1 file_type, non_security_file_type;
+')
+
+########################################
+## <summary>
+## Make the specified type a file that
+## should not be dontaudited from
+## browsing from user domains.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Type of the file to be used as a
+## member directory.
+## </summary>
+## </param>
+#
+interface(`files_security_file',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ typeattribute $1 file_type, security_file_type;
+')
+
+########################################
+## <summary>
+## Make the specified type usable for
+## lock files.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used for lock files.
+## </summary>
+## </param>
+#
+interface(`files_lock_file',`
+ gen_require(`
+ attribute lockfile;
+ ')
+
+ files_type($1)
+ typeattribute $1 lockfile;
+')
+
+########################################
+## <summary>
+## Make the specified type usable for
+## filesystem mount points.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used for mount points.
+## </summary>
+## </param>
+#
+interface(`files_mountpoint',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ files_type($1)
+ typeattribute $1 mountpoint;
+')
+
+########################################
+## <summary>
+## Make the specified type usable for
+## security file filesystem mount points.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used for mount points.
+## </summary>
+## </param>
+#
+interface(`files_security_mountpoint',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ files_security_file($1)
+ typeattribute $1 mountpoint;
+')
+
+########################################
+## <summary>
+## Make the specified type usable for
+## runtime process ID files.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable for runtime process ID files,
+## typically found in /var/run.
+## This will also make the type usable for files, making
+## calls to files_type() redundant. Failure to use this interface
+## for a PID file type may result in problems with starting
+## or stopping services.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>files_pid_filetrans()</li>
+## </ul>
+## <p>
+## Example usage with a domain that can create and
+## write its PID file with a private PID file type in the
+## /var/run directory:
+## </p>
+## <p>
+## type mypidfile_t;
+## files_pid_file(mypidfile_t)
+## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+## files_pid_filetrans(mydomain_t, mypidfile_t, file)
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type to be used for PID files.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`files_pid_file',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ files_type($1)
+ typeattribute $1 pidfile;
+')
+
+########################################
+## <summary>
+## Make the specified type a
+## configuration file.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable for configuration files.
+## This will also make the type usable for files, making
+## calls to files_type() redundant. Failure to use this interface
+## for a temporary file may result in problems with
+## configuration management tools.
+## </p>
+## <p>
+## Example usage with a domain that can read
+## its configuration file /etc:
+## </p>
+## <p>
+## type myconffile_t;
+## files_config_file(myconffile_t)
+## allow mydomain_t myconffile_t:file read_file_perms;
+## files_search_etc(mydomain_t)
+## </p>
+## </desc>
+## <param name="file_type">
+## <summary>
+## Type to be used as a configuration file.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`files_config_file',`
+ gen_require(`
+ attribute configfile;
+ ')
+ files_type($1)
+ typeattribute $1 configfile;
+')
+
+########################################
+## <summary>
+## Make the specified type a
+## polyinstantiated directory.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Type of the file to be used as a
+## polyinstantiated directory.
+## </summary>
+## </param>
+#
+interface(`files_poly',`
+ gen_require(`
+ attribute polydir;
+ ')
+
+ files_type($1)
+ typeattribute $1 polydir;
+')
+
+########################################
+## <summary>
+## Make the specified type a parent
+## of a polyinstantiated directory.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Type of the file to be used as a
+## parent directory.
+## </summary>
+## </param>
+#
+interface(`files_poly_parent',`
+ gen_require(`
+ attribute polyparent;
+ ')
+
+ files_type($1)
+ typeattribute $1 polyparent;
+')
+
+########################################
+## <summary>
+## Make the specified type a
+## polyinstantiation member directory.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Type of the file to be used as a
+## member directory.
+## </summary>
+## </param>
+#
+interface(`files_poly_member',`
+ gen_require(`
+ attribute polymember;
+ ')
+
+ files_type($1)
+ typeattribute $1 polymember;
+')
+
+########################################
+## <summary>
+## Make the domain use the specified
+## type of polyinstantiated directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain using the polyinstantiated
+## directory.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Type of the file to be used as a
+## member directory.
+## </summary>
+## </param>
+#
+interface(`files_poly_member_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ type_member $1 tmp_t:dir $2;
+')
+
+########################################
+## <summary>
+## Make the specified type a file
+## used for temporary files.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable for temporary files.
+## This will also make the type usable for files, making
+## calls to files_type() redundant. Failure to use this interface
+## for a temporary file may result in problems with
+## purging temporary files.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>files_tmp_filetrans()</li>
+## </ul>
+## <p>
+## Example usage with a domain that can create and
+## write its temporary file in the system temporary file
+## directories (/tmp or /var/tmp):
+## </p>
+## <p>
+## type mytmpfile_t;
+## files_tmp_file(mytmpfile_t)
+## allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms };
+## files_tmp_filetrans(mydomain_t, mytmpfile_t, file)
+## </p>
+## </desc>
+## <param name="file_type">
+## <summary>
+## Type of the file to be used as a
+## temporary file.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`files_tmp_file',`
+ gen_require(`
+ attribute tmpfile;
+ type tmp_t;
+ ')
+
+ files_type($1)
+ files_poly_member($1)
+ typeattribute $1 tmpfile;
+')
+
+########################################
+## <summary>
+## Transform the type into a file, for use on a
+## virtual memory filesystem (tmpfs).
+## </summary>
+## <param name="type">
+## <summary>
+## The type to be transformed.
+## </summary>
+## </param>
+#
+interface(`files_tmpfs_file',`
+ gen_require(`
+ attribute tmpfsfile;
+ ')
+
+ files_type($1)
+ typeattribute $1 tmpfsfile;
+')
+
+########################################
+## <summary>
+## Get the attributes of all directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_all_dirs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ getattr_dirs_pattern($1, file_type, file_type)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_dirs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:dir getattr;
+')
+
+########################################
+## <summary>
+## List all non-security directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_non_security',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ list_dirs_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list all
+## non-security directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_list_non_security',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ dontaudit $1 non_security_file_type:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Mount a filesystem on all non-security
+## directories and files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_non_security',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ allow $1 non_security_file_type:dir mounton;
+ allow $1 non_security_file_type:file mounton;
+')
+
+########################################
+## <summary>
+## Allow attempts to modify any directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_write_non_security_dirs',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ allow $1 non_security_file_type:dir write;
+')
+
+########################################
+## <summary>
+## Allow attempts to manage non-security directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_non_security_dirs',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ allow $1 non_security_file_type:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of all files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ getattr_files_pattern($1, file_type, file_type)
+ getattr_lnk_files_pattern($1, file_type, file_type)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of non security files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ dontaudit $1 non_security_file_type:file getattr;
+')
+
+########################################
+## <summary>
+## Read all files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir list_dir_perms;
+ read_files_pattern($1, file_type, file_type)
+
+ optional_policy(`
+ auth_read_shadow($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allow shared library text relocations in all files.
+## </summary>
+## <desc>
+## <p>
+## Allow shared library text relocations in all files.
+## </p>
+## <p>
+## This is added to support WINE policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_execmod_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:file execmod;
+')
+
+########################################
+## <summary>
+## Read all non-security files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_read_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ read_files_pattern($1, non_security_file_type, non_security_file_type)
+ read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
+## Read all directories on the filesystem, except
+## the listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+#
+interface(`files_read_all_dirs_except',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 { file_type $2 }:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read all files on the filesystem, except
+## the listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+#
+interface(`files_read_all_files_except',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ read_files_pattern($1, { file_type $2 }, { file_type $2 })
+')
+
+########################################
+## <summary>
+## Read all symbolic links on the filesystem, except
+## the listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+#
+interface(`files_read_all_symlinks_except',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+')
+
+########################################
+## <summary>
+## Get the attributes of all symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_all_symlinks',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ getattr_lnk_files_pattern($1, file_type, file_type)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_symlinks',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read all symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_all_symlinks',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:lnk_file read;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of non security symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_symlinks',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ dontaudit $1 non_security_file_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of non security block devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_blk_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ dontaudit $1 non_security_file_type:blk_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of non security character devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_chr_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ dontaudit $1 non_security_file_type:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Read all symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_read_all_symlinks',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir list_dir_perms;
+ read_lnk_files_pattern($1, file_type, file_type)
+')
+
+########################################
+## <summary>
+## Get the attributes of all named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_all_pipes',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir list_dir_perms;
+ getattr_fifo_files_pattern($1, file_type, file_type)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_pipes',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of non security named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_pipes',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ dontaudit $1 non_security_file_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Get the attributes of all named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_all_sockets',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir list_dir_perms;
+ getattr_sock_files_pattern($1, file_type, file_type)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_sockets',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:sock_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of non security named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_sockets',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ dontaudit $1 non_security_file_type:sock_file getattr;
+')
+
+########################################
+## <summary>
+## Read all block nodes with file types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_all_blk_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ read_blk_files_pattern($1, file_type, file_type)
+')
+
+########################################
+## <summary>
+## Read all character nodes with file types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_all_chr_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ read_chr_files_pattern($1, file_type, file_type)
+')
+
+########################################
+## <summary>
+## Relabel all files on the filesystem, except
+## the listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 { file_type $2 }:dir list_dir_perms;
+ relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+ # this is only relabelfrom since there should be no
+ # device nodes with file types.
+ relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
+')
+
+########################################
+## <summary>
+## rw all files on the filesystem, except
+## the listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_rw_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ rw_files_pattern($1, { file_type $2 }, { file_type $2 })
+')
+
+########################################
+## <summary>
+## Manage all files on the filesystem, except
+## the listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
+ manage_files_pattern($1, { file_type $2 }, { file_type $2 })
+ manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
+ manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+
+ # satisfy the assertions:
+ seutil_create_bin_policy($1)
+ files_manage_kernel_modules($1)
+')
+
+########################################
+## <summary>
+## Search the contents of all directories on
+## extended attribute filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_all',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of all directories on
+## extended attribute filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_all',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the
+## contents of any directories on extended
+## attribute filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_all_dirs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of all filesystems
+## with the type of a file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# dwalsh: This interface is to allow quotacheck to work on a
+# a filesystem mounted with the --context switch
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957
+#
+interface(`files_getattr_all_file_type_fs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Relabel a filesystem to the type of a file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelto_all_file_type_fs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:filesystem relabelto;
+')
+
+########################################
+## <summary>
+## Relabel a filesystem to the type of a file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_file_type_fs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:filesystem { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+## Mount all filesystems with the type of a file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mount_all_file_type_fs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:filesystem mount;
+')
+
+########################################
+## <summary>
+## Unmount all filesystems with the type of a file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_unmount_all_file_type_fs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:filesystem unmount;
+')
+
+#############################################
+## <summary>
+## Manage all configuration directories on filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`files_manage_config_dirs',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ manage_dirs_pattern($1, configfile, configfile)
+')
+
+#########################################
+## <summary>
+## Relabel configuration directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`files_relabel_config_dirs',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ relabel_dirs_pattern($1, configfile, configfile)
+')
+
+########################################
+## <summary>
+## Read config files in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_config_files',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ allow $1 configfile:dir list_dir_perms;
+ read_files_pattern($1, configfile, configfile)
+ read_lnk_files_pattern($1, configfile, configfile)
+')
+
+###########################################
+## <summary>
+## Manage all configuration files on filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`files_manage_config_files',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ manage_files_pattern($1, configfile, configfile)
+')
+
+#######################################
+## <summary>
+## Relabel configuration files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`files_relabel_config_files',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ relabel_files_pattern($1, configfile, configfile)
+')
+
+########################################
+## <summary>
+## Mount a filesystem on all mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir { search_dir_perms mounton };
+ allow $1 mountpoint:file { getattr mounton };
+')
+
+########################################
+## <summary>
+## Get the attributes of all mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of all mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir setattr;
+')
+
+########################################
+## <summary>
+## Search all mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit searching of all mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ dontaudit $1 mountpoint:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit listing of all mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_list_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ dontaudit $1 mountpoint:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit write attempts on mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to ignore write attempts from
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ dontaudit $1 mountpoint:dir write;
+')
+
+########################################
+## <summary>
+## Do not audit setattr attempts on mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to ignore setattr attempts from
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_setattr_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ dontaudit $1 mountpoint:dir setattr;
+')
+
+########################################
+## <summary>
+## List the contents of the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_root',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir list_dir_perms;
+ allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write to / dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_root_dirs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ dontaudit $1 root_t:dir write;
+')
+
+###################
+## <summary>
+## Do not audit attempts to write
+## files in the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_rw_root_dir',`
+ gen_require(`
+ type root_t;
+ ')
+
+ dontaudit $1 root_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Create an object in the root directory, with a private
+## type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`files_root_filetrans',`
+ gen_require(`
+ type root_t;
+ ')
+
+ filetrans_pattern($1, root_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read files in
+## the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ dontaudit $1 root_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## files in the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_rw_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ dontaudit $1 root_t:file { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## character device nodes in the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_rw_root_chr_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ dontaudit $1 root_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+## Delete files in the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:file unlink;
+')
+
+########################################
+## <summary>
+## Remove entries from the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_dir_entry',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Unmount a rootfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_unmount_rootfs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get attributes of the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_boot_dirs',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get attributes
+## of the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_boot_dirs',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ dontaudit $1 boot_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Search the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_boot',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_boot',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ dontaudit $1 boot_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_boot',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to list the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_list_boot',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ dontaudit $1 boot_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create directories in /boot
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_boot_dirs',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir { create rw_dir_perms };
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## directories in /boot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_boot_dirs',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Create a private type object in boot
+## with an automatic type transition
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`files_boot_filetrans',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ filetrans_pattern($1, boot_t, $2, $3)
+')
+
+########################################
+## <summary>
+## read files in the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_read_boot_files',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ read_files_pattern($1, boot_t, boot_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files
+## in the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_boot_files',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ manage_files_pattern($1, boot_t, boot_t)
+')
+
+########################################
+## <summary>
+## Relabel from files in the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelfrom_boot_files',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ relabelfrom_files_pattern($1, boot_t, boot_t)
+')
+
+######################################
+## <summary>
+## Read symbolic links in the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_boot_symlinks',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ read_lnk_files_pattern($1, boot_t, boot_t)
+')
+
+########################################
+## <summary>
+## Read and write symbolic links
+## in the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_boot_symlinks',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir list_dir_perms;
+ rw_lnk_files_pattern($1, boot_t, boot_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic links
+## in the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_boot_symlinks',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ manage_lnk_files_pattern($1, boot_t, boot_t)
+')
+
+########################################
+## <summary>
+## Read kernel files in the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_kernel_img',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir list_dir_perms;
+ read_files_pattern($1, boot_t, boot_t)
+ read_lnk_files_pattern($1, boot_t, boot_t)
+')
+
+########################################
+## <summary>
+## Install a kernel into the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_create_kernel_img',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:file { create_file_perms rw_file_perms };
+ manage_lnk_files_pattern($1, boot_t, boot_t)
+')
+
+########################################
+## <summary>
+## Delete a kernel from /boot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_delete_kernel',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ delete_files_pattern($1, boot_t, boot_t)
+')
+
+########################################
+## <summary>
+## Getattr of directories with the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_default_dirs',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of
+## directories with the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_default_dirs',`
+ gen_require(`
+ type default_t;
+ ')
+
+ dontaudit $1 default_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Search the contents of directories with the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_default',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List contents of directories with the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_default',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list contents of
+## directories with the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_list_default',`
+ gen_require(`
+ type default_t;
+ ')
+
+ dontaudit $1 default_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete directories with
+## the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_default_dirs',`
+ gen_require(`
+ type default_t;
+ ')
+
+ manage_dirs_pattern($1, default_t, default_t)
+')
+
+########################################
+## <summary>
+## Mount a filesystem on a directory with the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_default',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:dir { search_dir_perms mounton };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of
+## files with the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_default_files',`
+ gen_require(`
+ type default_t;
+ ')
+
+ dontaudit $1 default_t:file getattr;
+')
+
+########################################
+## <summary>
+## Read files with the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_default_files',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read files
+## with the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_default_files',`
+ gen_require(`
+ type default_t;
+ ')
+
+ dontaudit $1 default_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files with
+## the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_default_files',`
+ gen_require(`
+ type default_t;
+ ')
+
+ manage_files_pattern($1, default_t, default_t)
+')
+
+########################################
+## <summary>
+## Read symbolic links with the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_default_symlinks',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read sockets with the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_default_sockets',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Read named pipes with the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_default_pipes',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Search the contents of /etc directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_etc',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Set the attributes of the /etc directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir setattr;
+')
+
+########################################
+## <summary>
+## List the contents of /etc directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_etc',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write to /etc dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ dontaudit $1 etc_t:dir write;
+')
+
+########################################
+## <summary>
+## Add and remove entries from /etc directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir rw_dir_perms;
+')
+
+##########################################
+## <summary>
+## Manage generic directories in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+##
+#
+interface(`files_manage_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ manage_dirs_pattern($1, etc_t, etc_t)
+')
+
+########################################
+## <summary>
+## Read generic files in /etc.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read generic
+## files in /etc. These files are typically
+## general system configuration files that do
+## not have more specific SELinux types. Some
+## examples of these files are:
+## </p>
+## <ul>
+## <li>/etc/fstab</li>
+## <li>/etc/passwd</li>
+## <li>/etc/services</li>
+## <li>/etc/shells</li>
+## </ul>
+## <p>
+## This interface does not include access to /etc/shadow.
+## </p>
+## <p>
+## Generally, it is safe for many domains to have
+## this access. However, since this interface provides
+## access to the /etc/passwd file, caution must be
+## exercised, as user account names can be leaked
+## through this access.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>auth_read_shadow()</li>
+## <li>files_read_etc_runtime_files()</li>
+## <li>seutil_read_config()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`files_read_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, etc_t)
+ read_lnk_files_pattern($1, etc_t, etc_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write generic files in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ dontaudit $1 etc_t:file write;
+')
+
+########################################
+## <summary>
+## Read and write generic files in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_rw_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir list_dir_perms;
+ rw_files_pattern($1, etc_t, etc_t)
+ read_lnk_files_pattern($1, etc_t, etc_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete generic
+## files in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ manage_files_pattern($1, etc_t, etc_t)
+ read_lnk_files_pattern($1, etc_t, etc_t)
+')
+
+########################################
+## <summary>
+## Delete system configuration files in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ delete_files_pattern($1, etc_t, etc_t)
+')
+
+########################################
+## <summary>
+## Execute generic files in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, etc_t, etc_t)
+ exec_files_pattern($1, etc_t, etc_t)
+')
+
+#######################################
+## <summary>
+## Relabel from and to generic files in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir list_dir_perms;
+ relabel_files_pattern($1, etc_t, etc_t)
+')
+
+########################################
+## <summary>
+## Read symbolic links in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_etc_symlinks',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ read_lnk_files_pattern($1, etc_t, etc_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic links in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_etc_symlinks',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ manage_lnk_files_pattern($1, etc_t, etc_t)
+')
+
+########################################
+## <summary>
+## Create objects in /etc with a private
+## type using a type_transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Object classes to be created.
+## </summary>
+## </param>
+#
+interface(`files_etc_filetrans',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ filetrans_pattern($1, etc_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create a boot flag.
+## </summary>
+## <desc>
+## <p>
+## Create a boot flag, such as
+## /.autorelabel and /.autofsck.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_create_boot_flag',`
+ gen_require(`
+ type root_t, etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:file manage_file_perms;
+ filetrans_pattern($1, root_t, etc_runtime_t, file)
+')
+
+########################################
+## <summary>
+## Delete a boot flag.
+## </summary>
+## <desc>
+## <p>
+## Delete a boot flag, such as
+## /.autorelabel and /.autofsck.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_delete_boot_flag',`
+ gen_require(`
+ type root_t, etc_runtime_t;
+ ')
+
+ delete_files_pattern($1, root_t, etc_runtime_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the attributes of the etc_runtime files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_setattr_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ dontaudit $1 etc_runtime_t:file setattr;
+')
+
+########################################
+## <summary>
+## Read files in /etc that are dynamically
+## created on boot, such as mtab.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read dynamically created
+## configuration files in /etc. These files are typically
+## general system configuration files that do
+## not have more specific SELinux types. Some
+## examples of these files are:
+## </p>
+## <ul>
+## <li>/etc/motd</li>
+## <li>/etc/mtab</li>
+## <li>/etc/nologin</li>
+## </ul>
+## <p>
+## This interface does not include access to /etc/shadow.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10" />
+## <rolecap/>
+#
+interface(`files_read_etc_runtime_files',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ ')
+
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, etc_runtime_t)
+ read_lnk_files_pattern($1, etc_t, etc_runtime_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read files
+## in /etc that are dynamically
+## created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ dontaudit $1 etc_runtime_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Read and write files in /etc that are dynamically
+## created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_rw_etc_runtime_files',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ ')
+
+ allow $1 etc_t:dir list_dir_perms;
+ rw_files_pattern($1, etc_t, etc_runtime_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files in
+## /etc that are dynamically created on boot,
+## such as mtab.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_etc_runtime_files',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ ')
+
+ manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic links in
+## /etc that are dynamically created on boot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_etc_runtime_lnk_files',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ ')
+
+ manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
+')
+
+########################################
+## <summary>
+## Create, etc runtime objects with an automatic
+## type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The class of the object being created.
+## </summary>
+## </param>
+#
+interface(`files_etc_filetrans_etc_runtime',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ ')
+
+ filetrans_pattern($1, etc_t, etc_runtime_t, $2)
+')
+
+########################################
+## <summary>
+## Getattr of directories on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ ')
+
+ allow $1 file_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search directories on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ ')
+
+ dontaudit $1 file_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of directories on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ ')
+
+ allow $1 file_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write directories on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ ')
+
+ allow $1 file_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Delete directories on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ ')
+
+ delete_dirs_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete directories
+## on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ ')
+
+ allow $1 file_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Mount a filesystem on a directory on new filesystems
+## that has not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ ')
+
+ allow $1 file_t:dir { search_dir_perms mounton };
+')
+
+########################################
+## <summary>
+## Read files on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_isid_type_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+ allow $1 file_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Delete files on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_isid_type_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+ delete_files_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
+## Delete symbolic links on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_isid_type_symlinks',`
+ gen_require(`
+ type file_t;
+ ')
+
+ delete_lnk_files_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
+## Delete named pipes on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_isid_type_fifo_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+ delete_fifo_files_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
+## Delete named sockets on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_isid_type_sock_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+ delete_sock_files_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
+## Delete block files on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_isid_type_blk_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+ delete_blk_files_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write to character
+## files that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_isid_chr_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+ dontaudit $1 file_t:chr_file write;
+')
+
+########################################
+## <summary>
+## Delete chr files on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_isid_type_chr_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+ delete_chr_files_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files
+## on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_isid_type_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+ allow $1 file_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic links
+## on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_isid_type_symlinks',`
+ gen_require(`
+ type file_t;
+ ')
+
+ allow $1 file_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write block device nodes on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_isid_type_blk_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+ allow $1 file_t:blk_file rw_blk_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete block device nodes
+## on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_isid_type_blk_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+ allow $1 file_t:blk_file manage_blk_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete character device nodes
+## on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_isid_type_chr_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+ allow $1 file_t:chr_file manage_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of the home directories root
+## (/home).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_home_dir',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir getattr;
+ allow $1 home_root_t:lnk_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of the home directories root
+## (/home).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_home_dir',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ dontaudit $1 home_root_t:dir getattr;
+ dontaudit $1 home_root_t:lnk_file getattr;
+')
+
+########################################
+## <summary>
+## Search home directories root (/home).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir search_dir_perms;
+ allow $1 home_root_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## home directories root (/home).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ dontaudit $1 home_root_t:dir search_dir_perms;
+ dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list
+## home directories root (/home).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_list_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ dontaudit $1 home_root_t:dir list_dir_perms;
+ dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Get listing of home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir list_dir_perms;
+ allow $1 home_root_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel to user home root (/home).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelto_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir relabelto;
+')
+
+########################################
+## <summary>
+## Create objects in /home.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="home_type">
+## <summary>
+## The private type.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The class of the object being created.
+## </summary>
+## </param>
+#
+interface(`files_home_filetrans',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ filetrans_pattern($1, home_root_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Get the attributes of lost+found directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_lost_found_dirs',`
+ gen_require(`
+ type lost_found_t;
+ ')
+
+ allow $1 lost_found_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of
+## lost+found directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_lost_found_dirs',`
+ gen_require(`
+ type lost_found_t;
+ ')
+
+ dontaudit $1 lost_found_t:dir getattr;
+')
+
+#######################################
+## <summary>
+## List the contents of lost+found directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_lost_found',`
+ gen_require(`
+ type lost_found_t;
+ ')
+
+ allow $1 lost_found_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete objects in
+## lost+found directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_lost_found',`
+ gen_require(`
+ type lost_found_t;
+ ')
+
+ manage_dirs_pattern($1, lost_found_t, lost_found_t)
+ manage_files_pattern($1, lost_found_t, lost_found_t)
+ manage_lnk_files_pattern($1, lost_found_t, lost_found_t)
+ manage_fifo_files_pattern($1, lost_found_t, lost_found_t)
+ manage_sock_files_pattern($1, lost_found_t, lost_found_t)
+')
+
+########################################
+## <summary>
+## Search the contents of /mnt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_mnt',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ allow $1 mnt_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search /mnt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_mnt',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ dontaudit $1 mnt_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of /mnt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_mnt',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ allow $1 mnt_t:dir list_dir_perms;
+')
+
+######################################
+## <summary>
+## Do not audit attempts to list the contents of /mnt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_list_mnt',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ dontaudit $1 mnt_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Mount a filesystem on /mnt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_mnt',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ allow $1 mnt_t:dir { search_dir_perms mounton };
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete directories in /mnt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_mnt_dirs',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ allow $1 mnt_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files in /mnt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_mnt_files',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ manage_files_pattern($1, mnt_t, mnt_t)
+')
+
+########################################
+## <summary>
+## read files in /mnt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_mnt_files',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ read_files_pattern($1, mnt_t, mnt_t)
+')
+
+######################################
+## <summary>
+## Read symbolic links in /mnt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_mnt_symlinks',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ read_lnk_files_pattern($1, mnt_t, mnt_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic links in /mnt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_mnt_symlinks',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ manage_lnk_files_pattern($1, mnt_t, mnt_t)
+')
+
+########################################
+## <summary>
+## Search the contents of the kernel module directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:dir search_dir_perms;
+ read_lnk_files_pattern($1, modules_object_t, modules_object_t)
+')
+
+########################################
+## <summary>
+## List the contents of the kernel module directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of kernel module files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ getattr_files_pattern($1, modules_object_t, modules_object_t)
+')
+
+########################################
+## <summary>
+## Read kernel module files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:dir list_dir_perms;
+ read_files_pattern($1, modules_object_t, modules_object_t)
+ read_lnk_files_pattern($1, modules_object_t, modules_object_t)
+')
+
+########################################
+## <summary>
+## Write kernel module files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_write_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:dir list_dir_perms;
+ write_files_pattern($1, modules_object_t, modules_object_t)
+')
+
+########################################
+## <summary>
+## Delete kernel module files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ delete_files_pattern($1, modules_object_t, modules_object_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## kernel module files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ manage_files_pattern($1, modules_object_t, modules_object_t)
+')
+
+########################################
+## <summary>
+## Relabel from and to kernel module files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ relabel_files_pattern($1, modules_object_t, modules_object_t)
+ allow $1 modules_object_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create objects in the kernel module directories
+## with a private type via an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`files_kernel_modules_filetrans',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ filetrans_pattern($1, modules_object_t, $2, $3)
+')
+
+########################################
+## <summary>
+## List world-readable directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_list_world_readable',`
+ gen_require(`
+ type readable_t;
+ ')
+
+ allow $1 readable_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read world-readable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_read_world_readable_files',`
+ gen_require(`
+ type readable_t;
+ ')
+
+ allow $1 readable_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read world-readable symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_read_world_readable_symlinks',`
+ gen_require(`
+ type readable_t;
+ ')
+
+ allow $1 readable_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read world-readable named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_world_readable_pipes',`
+ gen_require(`
+ type readable_t;
+ ')
+
+ allow $1 readable_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read world-readable sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_world_readable_sockets',`
+ gen_require(`
+ type readable_t;
+ ')
+
+ allow $1 readable_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## temporary directory (/tmp).
+## </summary>
+## <param name="file_type">
+## <summary>
+## Type of the file to associate.
+## </summary>
+## </param>
+#
+interface(`files_associate_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:filesystem associate;
+')
+
+########################################
+## <summary>
+## Get the attributes of the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_tmp_dirs',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_tmp_dirs',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ dontaudit $1 tmp_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Search the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ dontaudit $1 tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit listing of the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_list_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ dontaudit $1 tmp_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Remove entries from the tmp directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_tmp_dir_entry',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir del_entry_dir_perms;
+')
+
+########################################
+## <summary>
+## Read files in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_generic_tmp_files',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ read_files_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+## <summary>
+## Manage temporary directories in /tmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_generic_tmp_dirs',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ manage_dirs_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+## <summary>
+## Manage temporary files and directories in /tmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_generic_tmp_files',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ manage_files_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+## <summary>
+## Read symbolic links in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_generic_tmp_symlinks',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+## <summary>
+## Read and write generic named sockets in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_generic_tmp_sockets',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ rw_sock_files_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of all tmp directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ allow $1 tmpfile:dir { search_dir_perms setattr };
+')
+
+########################################
+## <summary>
+## List all tmp directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_all_tmp',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ allow $1 tmpfile:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Relabel to and from all temporary
+## directory types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
+ type var_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ relabel_dirs_pattern($1, tmpfile, tmpfile)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ dontaudit $1 tmpfile:file getattr;
+')
+
+########################################
+## <summary>
+## Allow attempts to get the attributes
+## of all tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ allow $1 tmpfile:file getattr;
+')
+
+########################################
+## <summary>
+## Relabel to and from all temporary
+## file types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ type var_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ relabel_files_pattern($1, tmpfile, tmpfile)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all tmp sock_file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ dontaudit $1 tmpfile:sock_file getattr;
+')
+
+########################################
+## <summary>
+## Read all tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ read_files_pattern($1, tmpfile, tmpfile)
+')
+
+########################################
+## <summary>
+## Create an object in the tmp directories, with a private
+## type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`files_tmp_filetrans',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ filetrans_pattern($1, tmp_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Delete the contents of /tmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_purge_tmp',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ allow $1 tmpfile:dir list_dir_perms;
+ delete_dirs_pattern($1, tmpfile, tmpfile)
+ delete_files_pattern($1, tmpfile, tmpfile)
+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
+ delete_sock_files_pattern($1, tmpfile, tmpfile)
+')
+
+########################################
+## <summary>
+## Set the attributes of the /usr directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Search the content of /usr.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_usr',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of generic
+## directories in /usr.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_usr',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit write of /usr dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ dontaudit $1 usr_t:dir write;
+')
+
+########################################
+## <summary>
+## Add and remove entries from /usr directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to add and remove
+## entries from /usr directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_rw_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ dontaudit $1 usr_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Delete generic directories in /usr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ delete_dirs_pattern($1, usr_t, usr_t)
+')
+
+########################################
+## <summary>
+## Delete generic files in /usr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ delete_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of files in /usr.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ getattr_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+## <summary>
+## Read generic files in /usr.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read generic
+## files in /usr. These files are various program
+## files that do not have more specific SELinux types.
+## Some examples of these files are:
+## </p>
+## <ul>
+## <li>/usr/include/*</li>
+## <li>/usr/share/doc/*</li>
+## <li>/usr/share/info/*</li>
+## </ul>
+## <p>
+## Generally, it is safe for many domains to have
+## this access.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`files_read_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:dir list_dir_perms;
+ read_files_pattern($1, usr_t, usr_t)
+ read_lnk_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+## <summary>
+## Execute generic programs in /usr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:dir list_dir_perms;
+ exec_files_pattern($1, usr_t, usr_t)
+ read_lnk_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+## <summary>
+## dontaudit write of /usr files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ dontaudit $1 usr_t:file write;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files in the /usr directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ manage_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+## <summary>
+## Relabel a file to the type used in /usr.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelto_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ relabelto_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+## <summary>
+## Relabel a file from the type used in /usr.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelfrom_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ relabelfrom_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+## <summary>
+## Read symbolic links in /usr.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_usr_symlinks',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ read_lnk_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+## <summary>
+## Create objects in the /usr directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+#
+interface(`files_usr_filetrans',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ filetrans_pattern($1, usr_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search /usr/src.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_src',`
+ gen_require(`
+ type src_t;
+ ')
+
+ dontaudit $1 src_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of files in /usr/src.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_usr_src_files',`
+ gen_require(`
+ type usr_t, src_t;
+ ')
+
+ getattr_files_pattern($1, src_t, src_t)
+
+ # /usr/src/linux symlink:
+ read_lnk_files_pattern($1, usr_t, src_t)
+')
+
+########################################
+## <summary>
+## Read files in /usr/src.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_usr_src_files',`
+ gen_require(`
+ type usr_t, src_t;
+ ')
+
+ allow $1 usr_t:dir search_dir_perms;
+ read_files_pattern($1, { usr_t src_t }, src_t)
+ read_lnk_files_pattern($1, { usr_t src_t }, src_t)
+ allow $1 src_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Execute programs in /usr/src in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_usr_src_files',`
+ gen_require(`
+ type usr_t, src_t;
+ ')
+
+ list_dirs_pattern($1, usr_t, src_t)
+ exec_files_pattern($1, src_t, src_t)
+ read_lnk_files_pattern($1, src_t, src_t)
+')
+
+########################################
+## <summary>
+## Install a system.map into the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_kernel_symbol_table',`
+ gen_require(`
+ type boot_t, system_map_t;
+ ')
+
+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
+ allow $1 system_map_t:file { create_file_perms rw_file_perms };
+')
+
+########################################
+## <summary>
+## Read system.map in the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_kernel_symbol_table',`
+ gen_require(`
+ type boot_t, system_map_t;
+ ')
+
+ allow $1 boot_t:dir list_dir_perms;
+ read_files_pattern($1, boot_t, system_map_t)
+')
+
+########################################
+## <summary>
+## Delete a system.map in the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_kernel_symbol_table',`
+ gen_require(`
+ type boot_t, system_map_t;
+ ')
+
+ allow $1 boot_t:dir list_dir_perms;
+ delete_files_pattern($1, boot_t, system_map_t)
+')
+
+########################################
+## <summary>
+## Search the contents of /var.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_var',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write to /var.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_var_dirs',`
+ gen_require(`
+ type var_t;
+ ')
+
+ dontaudit $1 var_t:dir write;
+')
+
+########################################
+## <summary>
+## Allow attempts to write to /var.dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_write_var_dirs',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir write;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## the contents of /var.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_var',`
+ gen_require(`
+ type var_t;
+ ')
+
+ dontaudit $1 var_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of /var.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_var',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete directories
+## in the /var directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_var_dirs',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Read files in the /var directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+
+ read_files_pattern($1, var_t, var_t)
+')
+
+########################################
+## <summary>
+## Append files in the /var directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_append_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+
+ append_files_pattern($1, var_t, var_t)
+')
+
+########################################
+## <summary>
+## Read and write files in the /var directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+
+ rw_files_pattern($1, var_t, var_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## files in the /var directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_rw_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+
+ dontaudit $1 var_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files in the /var directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+
+ manage_files_pattern($1, var_t, var_t)
+')
+
+########################################
+## <summary>
+## Read symbolic links in the /var directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_var_symlinks',`
+ gen_require(`
+ type var_t;
+ ')
+
+ read_lnk_files_pattern($1, var_t, var_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic
+## links in the /var directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_var_symlinks',`
+ gen_require(`
+ type var_t;
+ ')
+
+ manage_lnk_files_pattern($1, var_t, var_t)
+')
+
+########################################
+## <summary>
+## Create objects in the /var directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+#
+interface(`files_var_filetrans',`
+ gen_require(`
+ type var_t;
+ ')
+
+ filetrans_pattern($1, var_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Get the attributes of the /var/lib directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_var_lib_dirs',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ getattr_dirs_pattern($1, var_t, var_lib_t)
+')
+
+########################################
+## <summary>
+## Search the /var/lib directory.
+## </summary>
+## <desc>
+## <p>
+## Search the /var/lib directory. This is
+## necessary to access files or directories under
+## /var/lib that have a private type. For example, a
+## domain accessing a private library file in the
+## /var/lib directory:
+## </p>
+## <p>
+## allow mydomain_t mylibfile_t:file read_file_perms;
+## files_search_var_lib(mydomain_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_search_var_lib',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ search_dirs_pattern($1, var_t, var_lib_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the
+## contents of /var/lib.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_dontaudit_search_var_lib',`
+ gen_require(`
+ type var_lib_t;
+ ')
+
+ dontaudit $1 var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of the /var/lib directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_var_lib',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ list_dirs_pattern($1, var_t, var_lib_t)
+')
+
+###########################################
+## <summary>
+## Read-write /var/lib directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_var_lib_dirs',`
+ gen_require(`
+ type var_lib_t;
+ ')
+
+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
+')
+
+########################################
+## <summary>
+## Create objects in the /var/lib directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+#
+interface(`files_var_lib_filetrans',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ filetrans_pattern($1, var_lib_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read generic files in /var/lib.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_var_lib_files',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+')
+
+########################################
+## <summary>
+## Read generic symbolic links in /var/lib
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_var_lib_symlinks',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+')
+
+# cjp: the next two interfaces really need to be fixed
+# in some way. They really neeed their own types.
+
+########################################
+## <summary>
+## Create, read, write, and delete the
+## pseudorandom number generator seed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_urandom_seed',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ manage_files_pattern($1, var_lib_t, var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage mount tables
+## necessary for rpcd, nfsd, etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_mounttab',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ manage_files_pattern($1, var_lib_t, var_lib_t)
+')
+
+########################################
+## <summary>
+## Search the locks directory (/var/lock).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the
+## locks directory (/var/lock).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_locks',`
+ gen_require(`
+ type var_lock_t;
+ ')
+
+ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 var_lock_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List generic lock directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
+## Add and remove entries in the /var/lock
+## directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_lock_dirs',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ rw_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
+## Relabel to and from all lock directory types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_lock_dirs',`
+ gen_require(`
+ attribute lockfile;
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ relabel_dirs_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
+## Get the attributes of generic lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_generic_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ allow $1 var_lock_t:dir list_dir_perms;
+ getattr_files_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
+## Delete generic lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_generic_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ delete_files_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete generic
+## lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_generic_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ manage_files_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
+## Delete all lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_delete_all_locks',`
+ gen_require(`
+ attribute lockfile;
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ delete_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
+## Read all lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_all_locks',`
+ gen_require(`
+ attribute lockfile;
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ allow $1 lockfile:dir list_dir_perms;
+ read_files_pattern($1, lockfile, lockfile)
+ read_lnk_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
+## manage all lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_all_locks',`
+ gen_require(`
+ attribute lockfile;
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ manage_dirs_pattern($1, lockfile, lockfile)
+ manage_files_pattern($1, lockfile, lockfile)
+ manage_lnk_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
+## Create an object in the locks directory, with a private
+## type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`files_lock_filetrans',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ filetrans_pattern($1, var_lock_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_pid_dirs',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 var_run_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_pid_dirs',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Search the contents of runtime process
+## ID directories (/var/run).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_pids',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_run_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_pids',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of the runtime process
+## ID directories (/var/run).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_pids',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, var_t, var_run_t)
+')
+
+########################################
+## <summary>
+## Read generic process ID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_generic_pids',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, var_t, var_run_t)
+ read_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+## Write named generic process ID pipes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_write_generic_pid_pipes',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Create an object in the process ID directory, with a private type.
+## </summary>
+## <desc>
+## <p>
+## Create an object in the process ID directory (e.g., /var/run)
+## with a private type. Typically this is used for creating
+## private PID files in /var/run with the private type instead
+## of the general PID file type. To accomplish this goal,
+## either the program must be SELinux-aware, or use this interface.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>files_pid_file()</li>
+## </ul>
+## <p>
+## Example usage with a domain that can create and
+## write its PID file with a private PID file type in the
+## /var/run directory:
+## </p>
+## <p>
+## type mypidfile_t;
+## files_pid_file(mypidfile_t)
+## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+## files_pid_filetrans(mydomain_t, mypidfile_t, file)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`files_pid_filetrans',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ filetrans_pattern($1, var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read and write generic process ID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_generic_pids',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, var_t, var_run_t)
+ rw_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of
+## daemon runtime data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ type var_run_t;
+ ')
+
+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 pidfile:file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write to daemon runtime data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 pidfile:file write;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to ioctl daemon runtime data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_ioctl_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ type var_run_t;
+ ')
+
+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 pidfile:file ioctl;
+')
+
+########################################
+## <summary>
+## Read all process ID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_read_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, var_t, pidfile)
+ read_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+## Mount filesystems on all polyinstantiation
+## member directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_all_poly_members',`
+ gen_require(`
+ attribute polymember;
+ ')
+
+ allow $1 polymember:dir mounton;
+')
+
+########################################
+## <summary>
+## Create PID directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_pid_dirs',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ create_dirs_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+## Delete all process IDs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_delete_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+ delete_fifo_files_pattern($1, pidfile, pidfile)
+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+')
+
+########################################
+## <summary>
+## Delete all process ID directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+## Search the contents of generic spool
+## directories (/var/spool).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
+ search_dirs_pattern($1, var_t, var_spool_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search generic
+## spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_spool',`
+ gen_require(`
+ type var_spool_t;
+ ')
+
+ dontaudit $1 var_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of generic spool
+## (/var/spool) directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
+ list_dirs_pattern($1, var_t, var_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete generic
+## spool directories (/var/spool).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_generic_spool_dirs',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
+## Read generic spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_generic_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
+ list_dirs_pattern($1, var_t, var_spool_t)
+ read_files_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete generic
+## spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_generic_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ manage_files_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
+## Create objects in the spool directory
+## with a private type with a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file">
+## <summary>
+## Type to which the created node will be transitioned.
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Object class(es) (single or set including {}) for which this
+## the transition will occur.
+## </summary>
+## </param>
+#
+interface(`files_spool_filetrans',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ filetrans_pattern($1, var_spool_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Allow access to manage all polyinstantiated
+## directories on the system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_polyinstantiate_all',`
+ gen_require(`
+ attribute polydir, polymember, polyparent;
+ type poly_t;
+ ')
+
+ # Need to give access to /selinux/member
+ selinux_compute_member($1)
+
+ # Need sys_admin capability for mounting
+ allow $1 self:capability { chown fsetid sys_admin fowner };
+
+ # Need to give access to the directories to be polyinstantiated
+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+
+ # Need to give access to the polyinstantiated subdirectories
+ allow $1 polymember:dir search_dir_perms;
+
+ # Need to give access to parent directories where original
+ # is remounted for polyinstantiation aware programs (like gdm)
+ allow $1 polyparent:dir { getattr mounton };
+
+ # Need to give permission to create directories where applicable
+ allow $1 self:process setfscreate;
+ allow $1 polymember: dir { create setattr relabelto };
+ allow $1 polydir: dir { write add_name open };
+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+
+ # Default type for mountpoints
+ allow $1 poly_t:dir { create mounton };
+ fs_unmount_xattr_fs($1)
+
+ fs_mount_tmpfs($1)
+ fs_unmount_tmpfs($1)
+
+ ifdef(`distro_redhat',`
+ # namespace.init
+ files_search_tmp($1)
+ files_search_home($1)
+ corecmd_exec_bin($1)
+ seutil_domtrans_setfiles($1)
+ ')
+')
+
+########################################
+## <summary>
+## Unconfined access to files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_unconfined',`
+ gen_require(`
+ attribute files_unconfined_type;
+ ')
+
+ typeattribute $1 files_unconfined_type;
+')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
new file mode 100644
index 00000000..4dcef63d
--- /dev/null
+++ b/policy/modules/kernel/files.te
@@ -0,0 +1,228 @@
+policy_module(files, 1.16.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute file_type;
+attribute files_unconfined_type;
+attribute lockfile;
+attribute mountpoint;
+attribute pidfile;
+attribute configfile;
+
+# For labeling types that are to be polyinstantiated
+attribute polydir;
+
+# And for labeling the parent directories of those polyinstantiated directories
+# This is necessary for remounting the original in the parent to give
+# security aware apps access
+attribute polyparent;
+
+# And labeling for the member directories
+attribute polymember;
+
+# sensitive security files whose accesses should
+# not be dontaudited for uses
+attribute security_file_type;
+# and its opposite
+attribute non_security_file_type;
+
+attribute tmpfile;
+attribute tmpfsfile;
+
+# this attribute is not currently used and will be removed in the future.
+# unfortunately, this attribute can not be removed yet because it may cause
+# some policies to fail to link if it is still required.
+attribute usercanread;
+
+#
+# boot_t is the type for files in /boot
+#
+type boot_t;
+files_mountpoint(boot_t)
+
+# default_t is the default type for files that do not
+# match any specification in the file_contexts configuration
+# other than the generic /.* specification.
+type default_t;
+files_mountpoint(default_t)
+
+#
+# etc_t is the type of the system etc directories.
+#
+type etc_t, configfile;
+files_type(etc_t)
+# compatibility aliases for removed types:
+typealias etc_t alias automount_etc_t;
+typealias etc_t alias snmpd_etc_t;
+
+#
+# etc_runtime_t is the type of various
+# files in /etc that are automatically
+# generated during initialization.
+#
+type etc_runtime_t;
+files_type(etc_runtime_t)
+#Temporarily in policy until FC5 dissappears
+typealias etc_runtime_t alias firstboot_rw_t;
+
+#
+# file_t is the default type of a file that has not yet been
+# assigned an extended attribute (EA) value (when using a filesystem
+# that supports EAs).
+#
+type file_t;
+files_mountpoint(file_t)
+kernel_rootfs_mountpoint(file_t)
+sid file gen_context(system_u:object_r:file_t,s0)
+
+#
+# home_root_t is the type for the directory where user home directories
+# are created
+#
+type home_root_t;
+files_mountpoint(home_root_t)
+files_poly_parent(home_root_t)
+
+#
+# lost_found_t is the type for the lost+found directories.
+#
+type lost_found_t;
+files_type(lost_found_t)
+
+#
+# mnt_t is the type for mount points such as /mnt/cdrom
+#
+type mnt_t;
+files_mountpoint(mnt_t)
+
+#
+# modules_object_t is the type for kernel modules
+#
+type modules_object_t;
+files_type(modules_object_t)
+
+type no_access_t;
+files_type(no_access_t)
+
+type poly_t;
+files_type(poly_t)
+
+type readable_t;
+files_type(readable_t)
+
+#
+# root_t is the type for rootfs and the root directory.
+#
+type root_t;
+files_mountpoint(root_t)
+files_poly_parent(root_t)
+kernel_rootfs_mountpoint(root_t)
+genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+
+#
+# src_t is the type of files in the system src directories.
+#
+type src_t;
+files_mountpoint(src_t)
+
+#
+# system_map_t is for the system.map files in /boot
+#
+type system_map_t;
+files_type(system_map_t)
+genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
+
+#
+# tmp_t is the type of the temporary directories
+#
+type tmp_t;
+files_tmp_file(tmp_t)
+files_mountpoint(tmp_t)
+files_poly(tmp_t)
+files_poly_parent(tmp_t)
+
+#
+# usr_t is the type for /usr.
+#
+type usr_t;
+files_mountpoint(usr_t)
+
+#
+# var_t is the type of /var
+#
+type var_t;
+files_mountpoint(var_t)
+
+#
+# var_lib_t is the type of /var/lib
+#
+type var_lib_t;
+files_mountpoint(var_lib_t)
+
+#
+# var_lock_t is tye type of /var/lock
+#
+type var_lock_t;
+files_lock_file(var_lock_t)
+
+#
+# var_run_t is the type of /var/run, usually
+# used for pid and other runtime files.
+#
+type var_run_t;
+files_pid_file(var_run_t)
+files_mountpoint(var_run_t)
+
+#
+# var_spool_t is the type of /var/spool
+#
+type var_spool_t;
+files_tmp_file(var_spool_t)
+
+########################################
+#
+# Rules for all file types
+#
+
+allow file_type self:filesystem associate;
+
+fs_associate(file_type)
+fs_associate_noxattr(file_type)
+fs_associate_tmpfs(file_type)
+fs_associate_ramfs(file_type)
+fs_associate_hugetlbfs(file_type)
+
+########################################
+#
+# Rules for all tmp file types
+#
+
+allow file_type tmp_t:filesystem associate;
+
+fs_associate_tmpfs(tmpfile)
+
+########################################
+#
+# Rules for all tmpfs file types
+#
+
+fs_associate_tmpfs(tmpfsfile)
+
+########################################
+#
+# Unconfined access to this module
+#
+
+# Create/access any file in a labeled filesystem;
+allow files_unconfined_type file_type:{ file chr_file } ~execmod;
+allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+
+# Mount/unmount any filesystem with the context= option.
+allow files_unconfined_type file_type:filesystem *;
+
+tunable_policy(`allow_execmod',`
+ allow files_unconfined_type file_type:file execmod;
+')
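Review bot: `no_access_t`, `poly_t` and `readable_t` are the only types in the Declarations section declared without the purpose comment their siblings carry, so a reader cannot tell from this file what is meant to be labeled `readable_t` as opposed to `no_access_t`; a one-line header in the same `# <type> is the type for ...` style, with the intent supplied by the author, would close that gap. Two existing comments also need attention: the `var_lock_t` header reads `tye type`, and the `firstboot_rw_t` alias is still described as `Temporarily in policy until FC5 dissappears`, which no longer tells a maintainer when the alias can be dropped. Separately, `var_run_t` is declared here and reaches other modules only through a `gen_require`, yet `files_dontaudit_write_all_pids` in the companion files.if hunk references `var_run_t` while requiring only `attribute pidfile;`, unlike the adjacent `files_dontaudit_getattr_all_pids` and `files_dontaudit_ioctl_all_pids`; if the require block is what makes the type visible to a calling module, that interface will fail to build when used outside this module, and adding `type var_run_t;` to its `gen_require` would fix it.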
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
new file mode 100644
index 00000000..cda5588e
--- /dev/null
+++ b/policy/modules/kernel/filesystem.fc
@@ -0,0 +1,16 @@
+/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+/cgroup/.* <<none>>
+
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)? <<none>>
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/dev/shm/.* <<none>>
+
+/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/lib/udev/devices/hugepages/.* <<none>>
+/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/lib/udev/devices/shm/.* <<none>>
+
+# for systemd systems:
+/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+/sys/fs/cgroup/.* <<none>>
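Review bot: The `/dev/hugepages(/.*)?` entry on the fifth line also matches the `/dev/hugepages` directory itself, so it overlaps the `-d gen_context(system_u:object_r:hugetlbfs_t,s0)` entry directly above it, whereas every other pair in this file uses `/.*`, which excludes the directory. If the later matching specification takes precedence, as I understand file_contexts matching to work, the directory would be treated as `<<none>>` and left alone by restorecon instead of receiving `hugetlbfs_t`. Changing the line to `/dev/hugepages/.* <<none>>` makes it consistent with the `/dev/shm` and `/lib/udev/devices/hugepages` pairs.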
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
new file mode 100644
index 00000000..97fcdac2
--- /dev/null
+++ b/policy/modules/kernel/filesystem.if
@@ -0,0 +1,4868 @@
+## <summary>Policy for filesystems.</summary>
+## <required val="true">
+## Contains the initial SID for the filesystems.
+## </required>
+
+########################################
+## <summary>
+## Transform specified type into a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_type',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ typeattribute $1 filesystem_type;
+')
+
+########################################
+## <summary>
+## Transform specified type into a filesystem
+## type which does not have extended attribute
+## support.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_noxattr_type',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ fs_type($1)
+
+ typeattribute $1 noxattrfs;
+')
+
+########################################
+## <summary>
+## Associate the specified file type to persistent
+## filesystems with extended attributes. This
+## allows a file of this type to be created on
+## a filesystem such as ext3, JFS, and XFS.
+## </summary>
+## <param name="file_type">
+## <summary>
+## The type of the to be associated.
+## </summary>
+## </param>
+#
+interface(`fs_associate',`
+ gen_require(`
+ type fs_t;
+ ')
+
+ allow $1 fs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+## Associate the specified file type to
+## filesystems which lack extended attributes
+## support. This allows a file of this type
+## to be created on a filesystem such as
+## FAT32, and NFS.
+## </summary>
+## <param name="file_type">
+## <summary>
+## The type of the to be associated.
+## </summary>
+## </param>
+#
+interface(`fs_associate_noxattr',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ allow $1 noxattrfs:filesystem associate;
+')
+
+########################################
+## <summary>
+## Execute files on a filesystem that does
+## not support extended attributes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_exec_noxattr',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ can_exec($1, noxattrfs)
+')
+
+########################################
+## <summary>
+## Mount a persistent filesystem which
+## has extended attributes, such as
+## ext3, JFS, or XFS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_xattr_fs',`
+ gen_require(`
+ type fs_t;
+ ')
+
+ allow $1 fs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Remount a persistent filesystem which
+## has extended attributes, such as
+## ext3, JFS, or XFS. This allows
+## some mount options to be changed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_xattr_fs',`
+ gen_require(`
+ type fs_t;
+ ')
+
+ allow $1 fs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount a persistent filesystem which
+## has extended attributes, such as
+## ext3, JFS, or XFS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_xattr_fs',`
+ gen_require(`
+ type fs_t;
+ ')
+
+ allow $1 fs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get the attributes of persistent
+## filesystems which have extended
+## attributes, such as ext3, JFS, or XFS.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to
+## get the attributes of a persistent
+## filesystems which have extended
+## attributes, such as ext3, JFS, or XFS.
+## Example attributes:
+## </p>
+## <ul>
+## <li>Type of the file system (e.g., ext3)</li>
+## <li>Size of the file system</li>
+## <li>Available space on the file system</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+## <rolecap/>
+#
+interface(`fs_getattr_xattr_fs',`
+ gen_require(`
+ type fs_t;
+ ')
+
+ allow $1 fs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to
+## get the attributes of a persistent
+## filesystem which has extended
+## attributes, such as ext3, JFS, or XFS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_xattr_fs',`
+ gen_require(`
+ type fs_t;
+ ')
+
+ dontaudit $1 fs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Allow changing of the label of a
+## filesystem with extended attributes
+## using the context= mount option.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabelfrom_xattr_fs',`
+ gen_require(`
+ type fs_t;
+ ')
+
+ allow $1 fs_t:filesystem relabelfrom;
+')
+
+########################################
+## <summary>
+## Get the filesystem quotas of a filesystem
+## with extended attributes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_get_xattr_fs_quotas',`
+ gen_require(`
+ type fs_t;
+ ')
+
+ allow $1 fs_t:filesystem quotaget;
+')
+
+########################################
+## <summary>
+## Set the filesystem quotas of a filesystem
+## with extended attributes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_set_xattr_fs_quotas',`
+ gen_require(`
+ type fs_t;
+ ')
+
+ allow $1 fs_t:filesystem quotamod;
+')
+
+########################################
+## <summary>
+## Read files on anon_inodefs file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_anon_inodefs_files',`
+ gen_require(`
+ type anon_inodefs_t;
+
+ ')
+
+ read_files_pattern($1, anon_inodefs_t, anon_inodefs_t)
+')
+
+########################################
+## <summary>
+## Read and write files on anon_inodefs
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_anon_inodefs_files',`
+ gen_require(`
+ type anon_inodefs_t;
+
+ ')
+
+ rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write files on
+## anon_inodefs file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_anon_inodefs_files',`
+ gen_require(`
+ type anon_inodefs_t;
+
+ ')
+
+ dontaudit $1 anon_inodefs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Mount an automount pseudo filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_autofs',`
+ gen_require(`
+ type autofs_t;
+ ')
+
+ allow $1 autofs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Remount an automount pseudo filesystem
+## This allows some mount options to be changed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_autofs',`
+ gen_require(`
+ type autofs_t;
+ ')
+
+ allow $1 autofs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount an automount pseudo filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_autofs',`
+ gen_require(`
+ type autofs_t;
+ ')
+
+ allow $1 autofs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get the attributes of an automount
+## pseudo filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_autofs',`
+ gen_require(`
+ type autofs_t;
+ ')
+
+ allow $1 autofs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Search automount filesystem to use automatically
+## mounted filesystems.
+## </summary>
+## <desc>
+## Allow the specified domain to search mount points
+## that have filesystems that are mounted by
+## the automount service. Generally this will
+## be required for any domain that accesses objects
+## on these filesystems.
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`fs_search_auto_mountpoints',`
+ gen_require(`
+ type autofs_t;
+ ')
+
+ allow $1 autofs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read directories of automatically
+## mounted filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_list_auto_mountpoints',`
+ gen_require(`
+ type autofs_t;
+ ')
+
+ allow $1 autofs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list directories of automatically
+## mounted filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_auto_mountpoints',`
+ gen_require(`
+ type autofs_t;
+ ')
+
+ dontaudit $1 autofs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic links
+## on an autofs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_autofs_symlinks',`
+ gen_require(`
+ type autofs_t;
+ ')
+
+ manage_lnk_files_pattern($1, autofs_t, autofs_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of directories on
+## binfmt_misc filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_binfmt_misc_dirs',`
+ gen_require(`
+ type binfmt_misc_fs_t;
+ ')
+
+ allow $1 binfmt_misc_fs_t:dir getattr;
+
+')
+
+########################################
+## <summary>
+## Register an interpreter for new binary
+## file types, using the kernel binfmt_misc
+## support.
+## </summary>
+## <desc>
+## <p>
+## Register an interpreter for new binary
+## file types, using the kernel binfmt_misc
+## support.
+## </p>
+## <p>
+## A common use for this is to
+## register a JVM as an interpreter for
+## Java byte code. Registered binaries
+## can be directly executed on a command line
+## without specifying the interpreter.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_register_binary_executable_type',`
+ gen_require(`
+ type binfmt_misc_fs_t;
+ ')
+
+ rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
+')
+
+########################################
+## <summary>
+## Mount cgroup filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_cgroup', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Remount cgroup filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_cgroup', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount cgroup filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_cgroup', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get attributes of cgroup filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_cgroup',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Search cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ search_dirs_pattern($1, cgroup_t, cgroup_t)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
+## list cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ list_dirs_pattern($1, cgroup_t, cgroup_t)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
+## Delete cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_delete_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
+## Manage cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ manage_dirs_pattern($1, cgroup_t, cgroup_t)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
+## Read cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ read_files_pattern($1, cgroup_t, cgroup_t)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
+## Write cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_write_cgroup_files', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ write_files_pattern($1, cgroup_t, cgroup_t)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
+## Read and write cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ rw_files_pattern($1, cgroup_t, cgroup_t)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to open,
+## get attributes, read and write
+## cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ dontaudit $1 cgroup_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Manage cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ manage_files_pattern($1, cgroup_t, cgroup_t)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
+## Mount on cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mounton_cgroup', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir mounton;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Mount a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_cifs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Remount a CIFS or SMB network filesystem.
+## This allows some mount options to be changed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_cifs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_cifs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get the attributes of a CIFS or
+## SMB network filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_getattr_cifs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Search directories on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_cifs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of directories on a
+## CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_cifs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list the contents
+## of directories on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_cifs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Mounton a CIFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mounton_cifs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:dir mounton;
+')
+
+########################################
+## <summary>
+## Read files on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_read_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:dir list_dir_perms;
+ read_files_pattern($1, cifs_t, cifs_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of filesystems that
+## do not have extended attribute support.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_getattr_noxattr_fs',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ allow $1 noxattrfs:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Read all noxattrfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_noxattr_fs',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ allow $1 noxattrfs:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list all
+## noxattrfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_noxattr_fs',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ dontaudit $1 noxattrfs:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete all noxattrfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_noxattr_fs_dirs',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ allow $1 noxattrfs:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Read all noxattrfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_noxattr_fs_files',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ read_files_pattern($1, noxattrfs, noxattrfs)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read all
+## noxattrfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_read_noxattr_fs_files',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ dontaudit $1 noxattrfs:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Dont audit attempts to write to noxattrfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_write_noxattr_fs_files',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ dontaudit $1 noxattrfs:file write;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete all noxattrfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_noxattr_fs_files',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ manage_files_pattern($1, noxattrfs, noxattrfs)
+')
+
+########################################
+## <summary>
+## Read all noxattrfs symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_noxattr_fs_symlinks',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ read_lnk_files_pattern($1, noxattrfs, noxattrfs)
+')
+
+########################################
+## <summary>
+## Relabel all objets from filesystems that
+## do not support extended attributes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabelfrom_noxattr_fs',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ allow $1 noxattrfs:dir list_dir_perms;
+ relabelfrom_dirs_pattern($1, noxattrfs, noxattrfs)
+ relabelfrom_files_pattern($1, noxattrfs, noxattrfs)
+ relabelfrom_lnk_files_pattern($1, noxattrfs, noxattrfs)
+ relabelfrom_fifo_files_pattern($1, noxattrfs, noxattrfs)
+ relabelfrom_sock_files_pattern($1, noxattrfs, noxattrfs)
+ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
+ relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## files on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_read_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Append files
+## on a CIFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_append_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ append_files_pattern($1, cifs_t, cifs_t)
+')
+
+########################################
+## <summary>
+## dontaudit Append files
+## on a CIFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_dontaudit_append_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or
+## write files on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read symbolic links on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_cifs_symlinks',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, cifs_t, cifs_t)
+')
+
+########################################
+## <summary>
+## Read named pipes
+## on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_cifs_named_pipes',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ read_fifo_files_pattern($1, cifs_t, cifs_t)
+')
+
+########################################
+## <summary>
+## Read named pipes
+## on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_cifs_named_sockets',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ read_sock_files_pattern($1, cifs_t, cifs_t)
+')
+
+########################################
+## <summary>
+## Execute files on a CIFS or SMB
+## network filesystem, in the caller
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_exec_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:dir list_dir_perms;
+ exec_files_pattern($1, cifs_t, cifs_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete directories
+## on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_cifs_dirs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_cifs_dirs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files
+## on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ manage_files_pattern($1, cifs_t, cifs_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, and delete files
+## on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic links
+## on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_cifs_symlinks',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ manage_lnk_files_pattern($1, cifs_t, cifs_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete named pipes
+## on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_cifs_named_pipes',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ manage_fifo_files_pattern($1, cifs_t, cifs_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete named sockets
+## on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_cifs_named_sockets',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ manage_sock_files_pattern($1, cifs_t, cifs_t)
+')
+
+########################################
+## <summary>
+## Execute a file on a CIFS or SMB filesystem
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a file on a CIFS or SMB filesystem
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain. This is not suggested.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## <p>
+## This interface was added to handle
+## home directories on CIFS/SMB filesystems,
+## in particular used by the ssh-agent policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`fs_cifs_domtrans',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:dir search_dir_perms;
+ domain_auto_transition_pattern($1, cifs_t, $2)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete dirs
+## on a configfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_configfs_dirs',`
+ gen_require(`
+ type configfs_t;
+ ')
+
+ manage_dirs_pattern($1, configfs_t, configfs_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete files
+## on a configfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_configfs_files',`
+ gen_require(`
+ type configfs_t;
+ ')
+
+ manage_files_pattern($1, configfs_t, configfs_t)
+')
+
+########################################
+## <summary>
+## Mount a DOS filesystem, such as
+## FAT32 or NTFS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_dos_fs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Remount a DOS filesystem, such as
+## FAT32 or NTFS. This allows
+## some mount options to be changed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_dos_fs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount a DOS filesystem, such as
+## FAT32 or NTFS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_dos_fs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get the attributes of a DOS
+## filesystem, such as FAT32 or NTFS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_getattr_dos_fs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Allow changing of the label of a
+## DOS filesystem using the context= mount option.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabelfrom_dos_fs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:filesystem relabelfrom;
+')
+
+########################################
+## <summary>
+## Search dosfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_dos',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List dirs DOS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_dos',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ list_dirs_pattern($1, dosfs_t, dosfs_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete dirs
+## on a DOS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_dos_dirs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ manage_dirs_pattern($1, dosfs_t, dosfs_t)
+')
+
+########################################
+## <summary>
+## Read files on a DOS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_dos_files',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ read_files_pattern($1, dosfs_t, dosfs_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files
+## on a DOS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_dos_files',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ manage_files_pattern($1, dosfs_t, dosfs_t)
+')
+
+########################################
+## <summary>
+## Read eventpollfs files.
+## </summary>
+## <desc>
+## <p>
+## Read eventpollfs files
+## </p>
+## <p>
+## This interface has been deprecated, and will
+## be removed in the future.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# eventpollfs was changed to task SID 20060628
+interface(`fs_read_eventpollfs',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Mount a FUSE filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Unmount a FUSE filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Mounton a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mounton_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:dir mounton;
+')
+
+########################################
+## <summary>
+## Search directories
+## on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_search_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list the contents
+## of directories on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ dontaudit $1 fusefs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_fusefs_dirs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_fusefs_dirs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ dontaudit $1 fusefs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Read, a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_read_fusefs_files',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ read_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+## <summary>
+## Execute files on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_exec_fusefs_files',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ exec_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_fusefs_files',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ manage_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_fusefs_files',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ dontaudit $1 fusefs_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read symbolic links on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_fusefs_symlinks',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of an hugetlbfs
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_hugetlbfs',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ allow $1 hugetlbfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## List hugetlbfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_hugetlbfs',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ allow $1 hugetlbfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage hugetlbfs dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_hugetlbfs_dirs',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+')
+
+########################################
+## <summary>
+## Read and write hugetlbfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_hugetlbfs_files',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+')
+
+########################################
+## <summary>
+## Allow the type to associate to hugetlbfs filesystems.
+## </summary>
+## <param name="type">
+## <summary>
+## The type of the object to be associated.
+## </summary>
+## </param>
+#
+interface(`fs_associate_hugetlbfs',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ allow $1 hugetlbfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+## Search inotifyfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_inotifyfs',`
+ gen_require(`
+ type inotifyfs_t;
+ ')
+
+ allow $1 inotifyfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List inotifyfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_inotifyfs',`
+ gen_require(`
+ type inotifyfs_t;
+ ')
+
+ allow $1 inotifyfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Dontaudit List inotifyfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_inotifyfs',`
+ gen_require(`
+ type inotifyfs_t;
+ ')
+
+ dontaudit $1 inotifyfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create an object in a hugetlbfs filesystem, with a private
+## type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`fs_hugetlbfs_filetrans',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ allow $2 hugetlbfs_t:filesystem associate;
+ filetrans_pattern($1, hugetlbfs_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Mount an iso9660 filesystem, which
+## is usually used on CDs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_iso9660_fs',`
+ gen_require(`
+ type iso9660_t;
+ ')
+
+ allow $1 iso9660_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Remount an iso9660 filesystem, which
+## is usually used on CDs. This allows
+## some mount options to be changed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_iso9660_fs',`
+ gen_require(`
+ type iso9660_t;
+ ')
+
+ allow $1 iso9660_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount an iso9660 filesystem, which
+## is usually used on CDs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_iso9660_fs',`
+ gen_require(`
+ type iso9660_t;
+ ')
+
+ allow $1 iso9660_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get the attributes of an iso9660
+## filesystem, which is usually used on CDs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_getattr_iso9660_fs',`
+ gen_require(`
+ type iso9660_t;
+ ')
+
+ allow $1 iso9660_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_iso9660_files',`
+ gen_require(`
+ type iso9660_t;
+ ')
+
+ allow $1 iso9660_t:dir list_dir_perms;
+ allow $1 iso9660_t:file getattr;
+')
+
+########################################
+## <summary>
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_iso9660_files',`
+ gen_require(`
+ type iso9660_t;
+ ')
+
+ allow $1 iso9660_t:dir list_dir_perms;
+ read_files_pattern($1, iso9660_t, iso9660_t)
+ read_lnk_files_pattern($1, iso9660_t, iso9660_t)
+')
+
+########################################
+## <summary>
+## Mount a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_nfs',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Remount a NFS filesystem. This allows
+## some mount options to be changed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_nfs',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_nfs',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get the attributes of a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_getattr_nfs',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Search directories on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_nfs',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_nfs',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list the contents
+## of directories on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_nfs',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Mounton a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mounton_nfs',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir mounton;
+')
+
+########################################
+## <summary>
+## Read files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_read_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir list_dir_perms;
+ read_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_read_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_write_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir list_dir_perms;
+ write_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
+## Execute files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_exec_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir list_dir_perms;
+ exec_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
+## Append files
+## on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_append_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ append_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
+## dontaudit Append files
+## on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_dontaudit_append_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or
+## write files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read symbolic links on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_nfs_symlinks',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
+## Dontaudit read symbolic links on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_read_nfs_symlinks',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:lnk_file read_lnk_file_perms;
+')
+
+#########################################
+## <summary>
+## Read named sockets on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_nfs_named_sockets',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ read_sock_files_pattern($1, nfs_t, nfs_t)
+')
+
+#########################################
+## <summary>
+## Read named pipes on a NFS network filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_read_nfs_named_pipes',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ read_fifo_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
+## Read directories of RPC file system pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_rpc_dirs',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
+ allow $1 rpc_pipefs_t:dir getattr;
+
+')
+
+########################################
+## <summary>
+## Search directories of RPC file system pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_rpc',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
+ allow $1 rpc_pipefs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Search removable storage directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_removable',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ allow $1 removable_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list removable storage directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_removable',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ dontaudit $1 removable_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read removable storage files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_removable_files',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ read_files_pattern($1, removable_t, removable_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read removable storage files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_read_removable_files',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ dontaudit $1 removable_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write removable storage files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_write_removable_files',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ dontaudit $1 removable_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Read removable storage symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_removable_symlinks',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ read_lnk_files_pattern($1, removable_t, removable_t)
+')
+
+######################################
+## <summary>
+## Read block nodes on removable filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_removable_blk_files',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ allow $1 removable_t:dir list_dir_perms;
+ read_blk_files_pattern($1, removable_t, removable_t)
+')
+
+########################################
+## <summary>
+## Read and write block nodes on removable filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_removable_blk_files',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ allow $1 removable_t:dir list_dir_perms;
+ rw_blk_files_pattern($1, removable_t, removable_t)
+')
+
+########################################
+## <summary>
+## Read directories of RPC file system pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_rpc',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
+ allow $1 rpc_pipefs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read files of RPC file system pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_rpc_files',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
+ read_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t)
+')
+
+########################################
+## <summary>
+## Read symbolic links of RPC file system pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_rpc_symlinks',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
+ read_lnk_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t)
+')
+
+########################################
+## <summary>
+## Read sockets of RPC file system pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_rpc_sockets',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
+ allow $1 rpc_pipefs_t:sock_file read;
+')
+
+########################################
+## <summary>
+## Read and write sockets of RPC file system pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_rpc_sockets',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
+ allow $1 rpc_pipefs_t:sock_file { read write };
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete directories
+## on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_nfs_dirs',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_nfs_dirs',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files
+## on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ manage_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:file manage_file_perms;
+')
+
+#########################################
+## <summary>
+## Create, read, write, and delete symbolic links
+## on a NFS network filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_nfs_symlinks',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ manage_lnk_files_pattern($1, nfs_t, nfs_t)
+')
+
+#########################################
+## <summary>
+## Create, read, write, and delete named pipes
+## on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_nfs_named_pipes',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ manage_fifo_files_pattern($1, nfs_t, nfs_t)
+')
+
+#########################################
+## <summary>
+## Create, read, write, and delete named sockets
+## on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_nfs_named_sockets',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ manage_sock_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
+## Execute a file on a NFS filesystem
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a file on a NFS filesystem
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on a NFS filesystem in the specified
+## domain. This is not suggested.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## <p>
+## This interface was added to handle
+## home directories on NFS filesystems,
+## in particular used by the ssh-agent policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`fs_nfs_domtrans',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir search_dir_perms;
+ domain_auto_transition_pattern($1, nfs_t, $2)
+')
+
+########################################
+## <summary>
+## Mount a NFS server pseudo filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+ allow $1 nfsd_fs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Mount a NFS server pseudo filesystem.
+## This allows some mount options to be changed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+ allow $1 nfsd_fs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount a NFS server pseudo filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+ allow $1 nfsd_fs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get the attributes of a NFS server
+## pseudo filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+ allow $1 nfsd_fs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Search NFS server directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+ allow $1 nfsd_fs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List NFS server directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+ allow $1 nfsd_fs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Getattr files on an nfsd filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_nfsd_files',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+')
+
+########################################
+## <summary>
+## Read and write NFS server files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+ rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+')
+
+########################################
+## <summary>
+## Allow the type to associate to ramfs filesystems.
+## </summary>
+## <param name="type">
+## <summary>
+## The type of the object to be associated.
+## </summary>
+## </param>
+#
+interface(`fs_associate_ramfs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+## Mount a RAM filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_ramfs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Remount a RAM filesystem. This allows
+## some mount options to be changed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_ramfs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount a RAM filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_ramfs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get the attributes of a RAM filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_ramfs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Search directories on a ramfs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_ramfs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Dontaudit Search directories on a ramfs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_search_ramfs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ dontaudit $1 ramfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## directories on a ramfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_ramfs_dirs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Dontaudit read on a ramfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_read_ramfs_files',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ dontaudit $1 ramfs_t:file read;
+')
+
+########################################
+## <summary>
+## Dontaudit read on a ramfs fifo_files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_read_ramfs_pipes',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ dontaudit $1 ramfs_t:fifo_file read;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## files on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_ramfs_files',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ manage_files_pattern($1, ramfs_t, ramfs_t)
+')
+
+########################################
+## <summary>
+## Write to named pipe on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_write_ramfs_pipes',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ write_fifo_files_pattern($1, ramfs_t, ramfs_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write to named
+## pipes on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_write_ramfs_pipes',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ dontaudit $1 ramfs_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Read and write a named pipe on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_ramfs_pipes',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ rw_fifo_files_pattern($1, ramfs_t, ramfs_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## named pipes on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_ramfs_pipes',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ manage_fifo_files_pattern($1, ramfs_t, ramfs_t)
+')
+
+########################################
+## <summary>
+## Write to named socket on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_write_ramfs_sockets',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ write_sock_files_pattern($1, ramfs_t, ramfs_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## named sockets on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_ramfs_sockets',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ manage_sock_files_pattern($1, ramfs_t, ramfs_t)
+')
+
+########################################
+## <summary>
+## Mount a ROM filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_romfs',`
+ gen_require(`
+ type romfs_t;
+ ')
+
+ allow $1 romfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Remount a ROM filesystem. This allows
+## some mount options to be changed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_romfs',`
+ gen_require(`
+ type romfs_t;
+ ')
+
+ allow $1 romfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount a ROM filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_romfs',`
+ gen_require(`
+ type romfs_t;
+ ')
+
+ allow $1 romfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get the attributes of a ROM
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_romfs',`
+ gen_require(`
+ type romfs_t;
+ ')
+
+ allow $1 romfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Mount a RPC pipe filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_rpc_pipefs',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
+ allow $1 rpc_pipefs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Remount a RPC pipe filesystem. This
+## allows some mount option to be changed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_rpc_pipefs',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
+ allow $1 rpc_pipefs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount a RPC pipe filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_rpc_pipefs',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
+ allow $1 rpc_pipefs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get the attributes of a RPC pipe
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_rpc_pipefs',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
+ allow $1 rpc_pipefs_t:filesystem getattr;
+')
+
+#########################################
+## <summary>
+## Read and write RPC pipe filesystem named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_rpc_named_pipes',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
+ allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Mount a tmpfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Remount a tmpfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount a tmpfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get the attributes of a tmpfs
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_getattr_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Allow the type to associate to tmpfs filesystems.
+## </summary>
+## <param name="type">
+## <summary>
+## The type of the object to be associated.
+## </summary>
+## </param>
+#
+interface(`fs_associate_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+## Get the attributes of tmpfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of tmpfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of tmpfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_setattr_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Search tmpfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of generic tmpfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list the
+## contents of generic tmpfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## tmpfs directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write
+## tmpfs directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_write_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:dir write;
+')
+
+########################################
+## <summary>
+## Create an object in a tmpfs filesystem, with a private
+## type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`fs_tmpfs_filetrans',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $2 tmpfs_t:filesystem associate;
+ filetrans_pattern($1, tmpfs_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to getattr
+## generic tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## generic tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## auto moutpoints.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_auto_mountpoints',`
+ gen_require(`
+ type autofs_t;
+ ')
+
+ allow $1 autofs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Read generic tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ read_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write generic tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ rw_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read tmpfs link files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_tmpfs_symlinks',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write character nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_tmpfs_chr_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir list_dir_perms;
+ rw_chr_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+## dontaudit Read and write character nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:dir list_dir_perms;
+ dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel character nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_chr_file',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir list_dir_perms;
+ relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write block nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_tmpfs_blk_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir list_dir_perms;
+ rw_blk_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+## Relabel block nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_blk_file',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir list_dir_perms;
+ relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write, create and delete generic
+## files on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ manage_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write, create and delete symbolic
+## links on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_tmpfs_symlinks',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ manage_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write, create and delete socket
+## files on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_tmpfs_sockets',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ manage_sock_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write, create and delete character
+## nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_tmpfs_chr_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ manage_chr_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write, create and delete block nodes
+## on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_tmpfs_blk_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ manage_blk_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+## Mount a XENFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_xenfs',`
+ gen_require(`
+ type xenfs_t;
+ ')
+
+ allow $1 xenfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Search the XENFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_xenfs',`
+ gen_require(`
+ type xenfs_t;
+ ')
+
+ allow $1 xenfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete directories
+## on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_xenfs_dirs',`
+ gen_require(`
+ type xenfs_t;
+ ')
+
+ allow $1 xenfs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_xenfs_dirs',`
+ gen_require(`
+ type xenfs_t;
+ ')
+
+ dontaudit $1 xenfs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files
+## on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_xenfs_files',`
+ gen_require(`
+ type xenfs_t;
+ ')
+
+ manage_files_pattern($1, xenfs_t, xenfs_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_xenfs_files',`
+ gen_require(`
+ type xenfs_t;
+ ')
+
+ dontaudit $1 xenfs_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Mount all filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_all_fs',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:filesystem mount;
+')
+
+########################################
+## <summary>
+## Remount all filesystems. This
+## allows some mount options to be changed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_all_fs',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount all filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_all_fs',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get the attributes of all filesystems.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to
+## et the attributes of all filesystems.
+## Example attributes:
+## </p>
+## <ul>
+## <li>Type of the file system (e.g., ext3)</li>
+## <li>Size of the file system</li>
+## <li>Available space on the file system</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+## <rolecap/>
+#
+interface(`fs_getattr_all_fs',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:filesystem getattr;
+ files_getattr_all_file_type_fs($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## all filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_fs',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ dontaudit $1 filesystem_type:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Get the quotas of all filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_get_all_fs_quotas',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:filesystem quotaget;
+')
+
+########################################
+## <summary>
+## Set the quotas of all filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_set_all_quotas',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:filesystem quotamod;
+')
+
+########################################
+## <summary>
+## Relabelfrom all filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabelfrom_all_fs',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:filesystem relabelfrom;
+')
+
+########################################
+## <summary>
+## Get the attributes of all directories
+## with a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_all_dirs',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:dir getattr;
+')
+
+########################################
+## <summary>
+## Search all directories with a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_all',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List all directories with a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_all',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of all files with
+## a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_all_files',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ getattr_files_pattern($1, filesystem_type, filesystem_type)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all files with a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_files',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ dontaudit $1 filesystem_type:file getattr;
+')
+
+########################################
+## <summary>
+## Get the attributes of all symbolic links with
+## a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_all_symlinks',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ getattr_lnk_files_pattern($1, filesystem_type, filesystem_type)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all symbolic links with a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_symlinks',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ dontaudit $1 filesystem_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+## Get the attributes of all named pipes with
+## a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_all_pipes',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ getattr_fifo_files_pattern($1, filesystem_type, filesystem_type)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all named pipes with a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_pipes',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ dontaudit $1 filesystem_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Get the attributes of all named sockets with
+## a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_all_sockets',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ getattr_sock_files_pattern($1, filesystem_type, filesystem_type)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all named sockets with a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_sockets',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ dontaudit $1 filesystem_type:sock_file getattr;
+')
+
+########################################
+## <summary>
+## Get the attributes of all block device nodes with
+## a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_all_blk_files',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ getattr_blk_files_pattern($1, filesystem_type, filesystem_type)
+')
+
+########################################
+## <summary>
+## Get the attributes of all character device nodes with
+## a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_all_chr_files',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ getattr_chr_files_pattern($1, filesystem_type, filesystem_type)
+')
+
+########################################
+## <summary>
+## Unconfined access to filesystems
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unconfined',`
+ gen_require(`
+ attribute filesystem_unconfined_type;
+ ')
+
+ typeattribute $1 filesystem_unconfined_type;
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
new file mode 100644
index 00000000..abd970d0
--- /dev/null
+++ b/policy/modules/kernel/filesystem.te
@@ -0,0 +1,302 @@
+policy_module(filesystem, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute filesystem_type;
+attribute filesystem_unconfined_type;
+attribute noxattrfs;
+
+##############################
+#
+# fs_t is the default type for persistent
+# filesystems with extended attributes
+#
+type fs_t;
+fs_type(fs_t)
+sid fs gen_context(system_u:object_r:fs_t,s0)
+
+# Use xattrs for the following filesystem types.
+# Requires that a security xattr handler exist for the filesystem.
+fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
+
+# Use the allocating task SID to label inodes in the following filesystem
+# types, and label the filesystem itself with the specified context.
+# This is appropriate for pseudo filesystems that represent objects
+# like pipes and sockets, so that these objects are labeled with the same
+# type as the creating task.
+fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
+fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
+
+##############################
+#
+# Non-persistent/pseudo filesystems
+#
+
+type anon_inodefs_t;
+fs_type(anon_inodefs_t)
+files_mountpoint(anon_inodefs_t)
+genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
+
+type bdev_t;
+fs_type(bdev_t)
+genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
+
+type binfmt_misc_fs_t;
+fs_type(binfmt_misc_fs_t)
+files_mountpoint(binfmt_misc_fs_t)
+genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
+
+type capifs_t;
+fs_type(capifs_t)
+files_mountpoint(capifs_t)
+genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
+
+type cgroup_t;
+fs_type(cgroup_t)
+files_type(cgroup_t)
+files_mountpoint(cgroup_t)
+dev_associate_sysfs(cgroup_t) # only for systemd systems
+genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+
+type configfs_t;
+fs_type(configfs_t)
+genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
+
+type cpusetfs_t;
+fs_type(cpusetfs_t)
+allow cpusetfs_t self:filesystem associate;
+genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
+
+type ecryptfs_t;
+fs_noxattr_type(ecryptfs_t)
+files_mountpoint(ecryptfs_t)
+genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
+
+type futexfs_t;
+fs_type(futexfs_t)
+genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
+
+type hugetlbfs_t;
+fs_type(hugetlbfs_t)
+files_mountpoint(hugetlbfs_t)
+fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
+
+type ibmasmfs_t;
+fs_type(ibmasmfs_t)
+allow ibmasmfs_t self:filesystem associate;
+genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
+
+type infinibandeventfs_t;
+fs_type(infinibandeventfs_t)
+allow infinibandeventfs_t self:filesystem associate;
+genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
+
+type inotifyfs_t;
+fs_type(inotifyfs_t)
+genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
+
+type mvfs_t;
+fs_noxattr_type(mvfs_t)
+allow mvfs_t self:filesystem associate;
+genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+
+type nfsd_fs_t;
+fs_type(nfsd_fs_t)
+genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
+
+type oprofilefs_t;
+fs_type(oprofilefs_t)
+genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
+
+type ramfs_t;
+fs_type(ramfs_t)
+files_mountpoint(ramfs_t)
+genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
+
+type romfs_t;
+fs_type(romfs_t)
+genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)
+genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)
+
+type rpc_pipefs_t;
+fs_type(rpc_pipefs_t)
+genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
+files_mountpoint(rpc_pipefs_t)
+
+type spufs_t;
+fs_type(spufs_t)
+genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
+files_mountpoint(spufs_t)
+
+type squash_t;
+fs_type(squash_t)
+genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+files_mountpoint(squash_t)
+
+type sysv_t;
+fs_noxattr_type(sysv_t)
+files_mountpoint(sysv_t)
+genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
+genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)
+
+type vmblock_t;
+fs_noxattr_type(vmblock_t)
+files_mountpoint(vmblock_t)
+genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
+genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0)
+genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0)
+
+type vxfs_t;
+fs_noxattr_type(vxfs_t)
+files_mountpoint(vxfs_t)
+genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
+
+#
+# tmpfs_t is the type for tmpfs filesystems
+#
+type tmpfs_t;
+fs_type(tmpfs_t)
+files_type(tmpfs_t)
+files_mountpoint(tmpfs_t)
+files_poly_parent(tmpfs_t)
+
+# Use a transition SID based on the allocating task SID and the
+# filesystem SID to label inodes in the following filesystem types,
+# and label the filesystem itself with the specified context.
+# This is appropriate for pseudo filesystems like devpts and tmpfs
+# where we want to label objects with a derived type.
+fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
+fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
+fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
+
+allow tmpfs_t noxattrfs:filesystem associate;
+
+type xenfs_t;
+fs_noxattr_type(xenfs_t)
+files_mountpoint(xenfs_t)
+genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
+
+##############################
+#
+# Filesystems without extended attribute support
+#
+
+type autofs_t;
+fs_noxattr_type(autofs_t)
+files_mountpoint(autofs_t)
+genfscon autofs / gen_context(system_u:object_r:autofs_t,s0)
+genfscon automount / gen_context(system_u:object_r:autofs_t,s0)
+
+#
+# cifs_t is the type for filesystems and their
+# files shared from Windows servers
+#
+type cifs_t alias sambafs_t;
+fs_noxattr_type(cifs_t)
+files_mountpoint(cifs_t)
+genfscon cifs / gen_context(system_u:object_r:cifs_t,s0)
+genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)
+
+#
+# dosfs_t is the type for fat and vfat
+# filesystems and their files.
+#
+type dosfs_t;
+fs_noxattr_type(dosfs_t)
+files_mountpoint(dosfs_t)
+allow dosfs_t fs_t:filesystem associate;
+genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
+genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
+genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0)
+genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
+genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
+genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
+genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
+
+type fusefs_t;
+fs_noxattr_type(fusefs_t)
+files_mountpoint(fusefs_t)
+allow fusefs_t self:filesystem associate;
+allow fusefs_t fs_t:filesystem associate;
+genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
+genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0)
+
+#
+# iso9660_t is the type for CD filesystems
+# and their files.
+#
+type iso9660_t;
+fs_noxattr_type(iso9660_t)
+files_mountpoint(iso9660_t)
+genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
+genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+
+#
+# removable_t is the default type of all removable media
+#
+type removable_t;
+allow removable_t noxattrfs:filesystem associate;
+fs_noxattr_type(removable_t)
+files_mountpoint(removable_t)
+
+#
+# nfs_t is the default type for NFS file systems
+# and their files.
+#
+type nfs_t;
+fs_noxattr_type(nfs_t)
+files_mountpoint(nfs_t)
+genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
+genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon coda / gen_context(system_u:object_r:nfs_t,s0)
+genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
+genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
+
+########################################
+#
+# Rules for all filesystem types
+#
+
+allow filesystem_type self:filesystem associate;
+
+########################################
+#
+# Rules for filesystems without xattr support
+#
+
+# Allow me to mv from one noxattrfs to another nfs_t to dosfs_t for example
+fs_associate_noxattr(noxattrfs)
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow filesystem_unconfined_type filesystem_type:filesystem *;
+
+# Create/access other files. fs_type is to pick up various
+# pseudo filesystem types that are applied to both the filesystem
+# and its files.
+allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
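Review bot: The two unconfined rules closing this hunk (`allow filesystem_unconfined_type filesystem_type:filesystem *;` and the `{ dir file lnk_file sock_file fifo_file chr_file blk_file } *` rule) use the `*` permission set, which resolves to every permission currently defined for those classes and to any permission added to the access-vector definitions later, so the attribute's reach widens silently with policy or kernel updates and nothing in the file records that this is intended. A comment such as `# "*" grants every permission in these classes, including ones added in later access-vector definitions; re-check when the classes change.` above the first of them would make the trade-off explicit. The preceding comment also says `fs_type is to pick up ...` while the rule targets the `filesystem_type` attribute — presumably `fs_type()` is the interface that assigns it — so wording it as `# ... the filesystem_type attribute (set by fs_type()) also covers pseudo filesystem types ...` would remove the ambiguity. Separately, the `rpc_pipefs_t`, `spufs_t` and `squash_t` blocks place `files_mountpoint()` after `genfscon`, unlike every other block in the file; moving it before `genfscon` keeps the declaration order uniform.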
diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
new file mode 100644
index 00000000..7be4ddf7
--- /dev/null
+++ b/policy/modules/kernel/kernel.fc
@@ -0,0 +1 @@
+# This module currently does not have any file contexts.
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
new file mode 100644
index 00000000..4bf45cb7
--- /dev/null
+++ b/policy/modules/kernel/kernel.if
@@ -0,0 +1,2960 @@
+## <summary>
+## Policy for kernel threads, proc filesystem,
+## and unlabeled processes and objects.
+## </summary>
+## <required val="true">
+## This module has initial SIDs.
+## </required>
+
+########################################
+## <summary>
+## Allows to start userland processes
+## by transitioning to the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The process type entered by kernel.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The executable type for the entrypoint.
+## </summary>
+## </param>
+#
+interface(`kernel_domtrans_to',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ domtrans_pattern(kernel_t, $2, $1)
+')
+
+########################################
+## <summary>
+## Allows to start userland processes
+## by transitioning to the specified domain,
+## with a range transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## The process type entered by kernel.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The executable type for the entrypoint.
+## </summary>
+## </param>
+## <param name="range">
+## <summary>
+## Range for the domain.
+## </summary>
+## </param>
+#
+interface(`kernel_ranged_domtrans_to',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ kernel_domtrans_to($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition kernel_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition kernel_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allows the kernel to mount filesystems on
+## the specified directory type.
+## </summary>
+## <param name="directory_type">
+## <summary>
+## The type of the directory to use as a mountpoint.
+## </summary>
+## </param>
+#
+interface(`kernel_rootfs_mountpoint',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow kernel_t $1:dir mounton;
+')
+
+########################################
+## <summary>
+## Set the process group of kernel threads.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_setpgid',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:process setpgid;
+')
+
+########################################
+## <summary>
+## Set the priority of kernel threads.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_setsched',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:process setsched;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to kernel threads.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_sigchld',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send a kill signal to kernel threads.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_kill',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send a generic signal to kernel threads.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_signal',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:process signal;
+')
+
+########################################
+## <summary>
+## Allows the kernel to share state information with
+## the caller.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process with which to share state information.
+## </summary>
+## </param>
+#
+interface(`kernel_share_state',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow kernel_t $1:process share;
+')
+
+########################################
+## <summary>
+## Permits caller to use kernel file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_use_fds',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## kernel file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_use_fds',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ dontaudit $1 kernel_t:fd use;
+')
+
+########################################
+## <summary>
+## Read and write kernel unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_pipes',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Read and write kernel unix datagram sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_unix_dgram_sockets',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:unix_dgram_socket { read write ioctl };
+')
+
+########################################
+## <summary>
+## Send messages to kernel unix datagram sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_dgram_send',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+## Receive messages from kernel TCP sockets. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_tcp_recvfrom',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to the kernel. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_udp_send',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Receive messages from kernel UDP sockets. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_udp_recvfrom',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Allows caller to load kernel modules
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_load_module',`
+ gen_require(`
+ attribute can_load_kernmodule;
+ ')
+
+ typeattribute $1 can_load_kernmodule;
+')
+
+########################################
+## <summary>
+## Allow search the kernel key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_search_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:key search;
+')
+
+########################################
+## <summary>
+## dontaudit search the kernel key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_search_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ dontaudit $1 kernel_t:key search;
+')
+
+########################################
+## <summary>
+## Allow link to the kernel key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_link_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:key link;
+')
+
+########################################
+## <summary>
+## dontaudit link to the kernel key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_link_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ dontaudit $1 kernel_t:key link;
+')
+
+########################################
+## <summary>
+## Allows caller to read the ring buffer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_ring_buffer',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 self:capability2 syslog;
+ allow $1 kernel_t:system syslog_read;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read the ring buffer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_read_ring_buffer',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ dontaudit $1 kernel_t:system syslog_read;
+')
+
+########################################
+## <summary>
+## Change the level of kernel messages logged to the console.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_change_ring_buffer_level',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 self:capability2 syslog;
+ allow $1 kernel_t:system syslog_console;
+
+ ifdef(`distro_rhel4',`
+ allow $1 self:capability sys_admin;
+ ')
+
+ ifdef(`distro_rhel5',`
+ allow $1 self:capability sys_admin;
+ ')
+')
+
+########################################
+## <summary>
+## Allows the caller to clear the ring buffer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_clear_ring_buffer',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 self:capability2 syslog;
+ allow $1 kernel_t:system syslog_mod;
+
+ ifdef(`distro_rhel4',`
+ allow $1 self:capability sys_admin;
+ ')
+
+ ifdef(`distro_rhel5',`
+ allow $1 self:capability sys_admin;
+ ')
+')
+
+########################################
+## <summary>
+## Allows caller to request the kernel to load a module
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to request that the kernel
+## load a kernel module. An example of this is the
+## auto-loading of network drivers when doing an
+## ioctl() on a network interface.
+## </p>
+## <p>
+## In the specific case of a module loading request
+## on a network interface, the domain will also
+## need the net_admin capability.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_request_load_module',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:system module_request;
+')
+
+########################################
+## <summary>
+## Do not audit requests to the kernel to load a module.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_request_load_module',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ dontaudit $1 kernel_t:system module_request;
+')
+
+########################################
+## <summary>
+## Get information on all System V IPC objects.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_get_sysvipc_info',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:system ipc_info;
+')
+
+########################################
+## <summary>
+## Get the attributes of a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_getattr_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ allow $1 debugfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Mount a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ allow $1 debugfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Unmount a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_unmount_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ allow $1 debugfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Remount a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_remount_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ allow $1 debugfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Search the contents of a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_search_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ search_dirs_pattern($1, debugfs_t, debugfs_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_search_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ dontaudit $1 debugfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read information from the debugging filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_read_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ read_files_pattern($1, debugfs_t, debugfs_t)
+ read_lnk_files_pattern($1, debugfs_t, debugfs_t)
+ list_dirs_pattern($1, debugfs_t, debugfs_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write kernel debugging filesystem dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_debugfs_dirs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ dontaudit $1 debugfs_t:dir write;
+')
+
+########################################
+## <summary>
+## Manage information from the debugging filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_manage_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ manage_files_pattern($1, debugfs_t, debugfs_t)
+ read_lnk_files_pattern($1, debugfs_t, debugfs_t)
+ list_dirs_pattern($1, debugfs_t, debugfs_t)
+')
+
+########################################
+## <summary>
+## Mount a kernel VM filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_kvmfs',`
+ gen_require(`
+ type kvmfs_t;
+ ')
+
+ allow $1 kvmfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Unmount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_unmount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get the attributes of the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_getattr_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the
+## attributes of directories in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_setattr_proc_dirs',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ dontaudit $1 proc_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Search directories in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_search_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ search_dirs_pattern($1, proc_t, proc_t)
+')
+
+########################################
+## <summary>
+## List the contents of directories in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_list_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ list_dirs_pattern($1, proc_t, proc_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list the
+## contents of directories in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_list_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ dontaudit $1 proc_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write the
+## directories in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_proc_dirs',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ dontaudit $1 proc_t:dir write;
+')
+
+########################################
+## <summary>
+## Get the attributes of files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_getattr_proc_files',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ getattr_files_pattern($1, proc_t, proc_t)
+')
+
+########################################
+## <summary>
+## Read generic symbolic links in /proc.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read (follow) generic
+## symbolic links (symlinks) in the proc filesystem (/proc).
+## This interface does not include access to the targets of
+## these links. An example symlink is /proc/self.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`kernel_read_proc_symlinks',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ read_lnk_files_pattern($1, proc_t, proc_t)
+')
+
+########################################
+## <summary>
+## Allows caller to read system state information in /proc.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read general system
+## state information from the proc filesystem (/proc).
+## </p>
+## <p>
+## Generally it should be safe to allow this access. Some
+## example files that can be read based on this interface:
+## </p>
+## <ul>
+## <li>/proc/cpuinfo</li>
+## <li>/proc/meminfo</li>
+## <li>/proc/uptime</li>
+## </ul>
+## <p>
+## This does not allow access to sysctl entries (/proc/sys/*)
+## nor process state information (/proc/pid).
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+## <rolecap/>
+#
+interface(`kernel_read_system_state',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ read_files_pattern($1, proc_t, proc_t)
+ read_lnk_files_pattern($1, proc_t, proc_t)
+
+ list_dirs_pattern($1, proc_t, proc_t)
+')
+
+########################################
+## <summary>
+## Write to generic proc entries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+# cjp: this should probably go away. any
+# file thats writable in proc should really
+# have its own label.
+#
+interface(`kernel_write_proc_files',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ write_files_pattern($1, proc_t, proc_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts by caller to
+## read system state information in proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_read_system_state',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ dontaudit $1 proc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts by caller to
+## read system state information in proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_read_proc_symlinks',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ dontaudit $1 proc_t:lnk_file read;
+')
+
+#######################################
+## <summary>
+## Allow caller to read and write state information for AFS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_afs_state',`
+ gen_require(`
+ type proc_t, proc_afs_t;
+ ')
+
+ list_dirs_pattern($1, proc_t, proc_t)
+ rw_files_pattern($1, proc_afs_t, proc_afs_t)
+')
+
+#######################################
+## <summary>
+## Allow caller to read the state information for software raid.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_software_raid_state',`
+ gen_require(`
+ type proc_t, proc_mdstat_t;
+ ')
+
+ read_files_pattern($1, proc_t, proc_mdstat_t)
+
+ list_dirs_pattern($1, proc_t, proc_t)
+')
+
+#######################################
+## <summary>
+## Allow caller to read and set the state information for software raid.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_software_raid_state',`
+ gen_require(`
+ type proc_t, proc_mdstat_t;
+ ')
+
+ rw_files_pattern($1, proc_t, proc_mdstat_t)
+
+ list_dirs_pattern($1, proc_t, proc_t)
+')
+
+########################################
+## <summary>
+## Allows caller to get attribues of core kernel interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_getattr_core_if',`
+ gen_require(`
+ type proc_t, proc_kcore_t;
+ ')
+
+ getattr_files_pattern($1, proc_t, proc_kcore_t)
+
+ list_dirs_pattern($1, proc_t, proc_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of
+## core kernel interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_core_if',`
+ gen_require(`
+ type proc_kcore_t;
+ ')
+
+ dontaudit $1 proc_kcore_t:file getattr;
+')
+
+########################################
+## <summary>
+## Allows caller to read the core kernel interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_read_core_if',`
+ gen_require(`
+ type proc_t, proc_kcore_t;
+ attribute can_dump_kernel;
+ ')
+
+ allow $1 self:capability sys_rawio;
+ read_files_pattern($1, proc_t, proc_kcore_t)
+ list_dirs_pattern($1, proc_t, proc_t)
+
+ typeattribute $1 can_dump_kernel;
+')
+
+########################################
+## <summary>
+## Allow caller to read kernel messages
+## using the /proc/kmsg interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_read_messages',`
+ gen_require(`
+ attribute can_receive_kernel_messages;
+ type proc_kmsg_t, proc_t;
+ ')
+
+ read_files_pattern($1, proc_t, proc_kmsg_t)
+
+ typeattribute $1 can_receive_kernel_messages;
+')
+
+########################################
+## <summary>
+## Allow caller to get the attributes of kernel message
+## interface (/proc/kmsg).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_getattr_message_if',`
+ gen_require(`
+ type proc_kmsg_t, proc_t;
+ ')
+
+ getattr_files_pattern($1, proc_t, proc_kmsg_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts by caller to get the attributes of kernel
+## message interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_message_if',`
+ gen_require(`
+ type proc_kmsg_t, proc_t;
+ ')
+
+ dontaudit $1 proc_kmsg_t:file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the network
+## state directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+##
+#
+interface(`kernel_dontaudit_search_network_state',`
+ gen_require(`
+ type proc_net_t;
+ ')
+
+ dontaudit $1 proc_net_t:dir search;
+')
+
+########################################
+## <summary>
+## Allow searching of network state directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`kernel_search_network_state',`
+ gen_require(`
+ type proc_net_t;
+ ')
+
+ search_dirs_pattern($1, proc_t, proc_net_t)
+')
+
+########################################
+## <summary>
+## Read the network state information.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read the networking
+## state information. This includes several pieces
+## of networking information, such as network interface
+## names, netfilter (iptables) statistics, protocol
+## information, routes, and remote procedure call (RPC)
+## information.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+## <rolecap/>
+#
+interface(`kernel_read_network_state',`
+ gen_require(`
+ type proc_t, proc_net_t;
+ ')
+
+ read_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
+ read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
+
+ list_dirs_pattern($1, proc_t, proc_net_t)
+')
+
+########################################
+## <summary>
+## Allow caller to read the network state symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_read_network_state_symlinks',`
+ gen_require(`
+ type proc_t, proc_net_t;
+ ')
+
+ read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
+
+ list_dirs_pattern($1, proc_t, proc_net_t)
+')
+
+########################################
+## <summary>
+## Allow searching of xen state directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`kernel_search_xen_state',`
+ gen_require(`
+ type proc_t, proc_xen_t;
+ ')
+
+ search_dirs_pattern($1, proc_t, proc_xen_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the xen
+## state directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+##
+#
+interface(`kernel_dontaudit_search_xen_state',`
+ gen_require(`
+ type proc_xen_t;
+ ')
+
+ dontaudit $1 proc_xen_t:dir search;
+')
+
+########################################
+## <summary>
+## Allow caller to read the xen state information.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`kernel_read_xen_state',`
+ gen_require(`
+ type proc_t, proc_xen_t;
+ ')
+
+ read_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
+ read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
+
+ list_dirs_pattern($1, proc_t, proc_xen_t)
+')
+
+########################################
+## <summary>
+## Allow caller to read the xen state symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`kernel_read_xen_state_symlinks',`
+ gen_require(`
+ type proc_t, proc_xen_t;
+ ')
+
+ read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
+
+ list_dirs_pattern($1, proc_t, proc_xen_t)
+')
+
+########################################
+## <summary>
+## Allow caller to write xen state information.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`kernel_write_xen_state',`
+ gen_require(`
+ type proc_t, proc_xen_t;
+ ')
+
+ write_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
+')
+
+########################################
+## <summary>
+## Allow attempts to list all proc directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_list_all_proc',`
+ gen_require(`
+ attribute proc_type;
+ ')
+
+ allow $1 proc_type:dir list_dir_perms;
+ allow $1 proc_type:file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list all proc directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_list_all_proc',`
+ gen_require(`
+ attribute proc_type;
+ ')
+
+ dontaudit $1 proc_type:dir list_dir_perms;
+ dontaudit $1 proc_type:file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts by caller to search
+## the base directory of sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+##
+#
+interface(`kernel_dontaudit_search_sysctl',`
+ gen_require(`
+ type sysctl_t;
+ ')
+
+ dontaudit $1 sysctl_t:dir search;
+')
+
+########################################
+## <summary>
+## Allow access to read sysctl directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`kernel_read_sysctl',`
+ gen_require(`
+ type sysctl_t, proc_t;
+ ')
+
+ list_dirs_pattern($1, proc_t, sysctl_t)
+ read_files_pattern($1, sysctl_t, sysctl_t)
+')
+
+########################################
+## <summary>
+## Allow caller to read the device sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_device_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_dev_t;
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t)
+')
+
+########################################
+## <summary>
+## Read and write device sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_device_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_dev_t;
+ ')
+
+ rw_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t)
+')
+
+########################################
+## <summary>
+## Allow caller to search virtual memory sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_search_vm_sysctl',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_vm_t;
+ ')
+
+ search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
+')
+
+########################################
+## <summary>
+## Allow caller to read virtual memory sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_vm_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_vm_t;
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
+')
+
+########################################
+## <summary>
+## Read and write virtual memory sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_vm_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_vm_t;
+ ')
+
+ rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
+
+ # hal needs this
+ allow $1 sysctl_vm_t:dir write;
+')
+
+########################################
+## <summary>
+## Search network sysctl directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_search_network_sysctl',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_net_t;
+ ')
+
+ search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts by caller to search network sysctl directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_search_network_sysctl',`
+ gen_require(`
+ type sysctl_net_t;
+ ')
+
+ dontaudit $1 sysctl_net_t:dir search;
+')
+
+########################################
+## <summary>
+## Allow caller to read network sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_net_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_net_t;
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+')
+
+########################################
+## <summary>
+## Allow caller to modiry contents of sysctl network files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_net_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_net_t;
+ ')
+
+ rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+')
+
+########################################
+## <summary>
+## Allow caller to read unix domain
+## socket sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_unix_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+')
+
+########################################
+## <summary>
+## Read and write unix domain
+## socket sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_unix_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
+ ')
+
+ rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+')
+
+########################################
+## <summary>
+## Read the hotplug sysctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_hotplug_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+')
+
+########################################
+## <summary>
+## Read and write the hotplug sysctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_hotplug_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+ ')
+
+ rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+')
+
+########################################
+## <summary>
+## Read the modprobe sysctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_modprobe_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+')
+
+########################################
+## <summary>
+## Read and write the modprobe sysctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_modprobe_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+ ')
+
+ rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search generic kernel sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_search_kernel_sysctl',`
+ gen_require(`
+ type sysctl_kernel_t;
+ ')
+
+ dontaudit $1 sysctl_kernel_t:dir search;
+')
+
+########################################
+## <summary>
+## Read generic crypto sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_read_crypto_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_crypto_t;
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t)
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t)
+')
+
+########################################
+## <summary>
+## Read general kernel sysctls.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read general
+## kernel sysctl settings. These settings are typically
+## read using the sysctl program. The settings
+## that are included by this interface are prefixed
+## with "kernel.", for example, kernel.sysrq.
+## </p>
+## <p>
+## This does not include access to the hotplug
+## handler setting (kernel.hotplug)
+## nor the module installer handler setting
+## (kernel.modprobe).
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>kernel_rw_kernel_sysctl()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`kernel_read_kernel_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t;
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write generic kernel sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_kernel_sysctl',`
+ gen_require(`
+ type sysctl_kernel_t;
+ ')
+
+ dontaudit $1 sysctl_kernel_t:file write;
+')
+
+########################################
+## <summary>
+## Read and write generic kernel sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_kernel_sysctl',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t;
+ ')
+
+ rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+')
+
+########################################
+## <summary>
+## Read filesystem sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_fs_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_fs_t;
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
+')
+
+########################################
+## <summary>
+## Read and write fileystem sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_fs_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_fs_t;
+ ')
+
+ rw_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
+')
+
+########################################
+## <summary>
+## Read IRQ sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_irq_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_irq_t;
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t)
+
+ list_dirs_pattern($1, proc_t, sysctl_irq_t)
+')
+
+########################################
+## <summary>
+## Read and write IRQ sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_irq_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_irq_t;
+ ')
+
+ rw_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t)
+
+ list_dirs_pattern($1, proc_t, sysctl_irq_t)
+')
+
+########################################
+## <summary>
+## Read RPC sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_rpc_sysctls',`
+ gen_require(`
+ type proc_t, proc_net_t, sysctl_rpc_t;
+ ')
+
+ read_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
+
+ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
+')
+
+########################################
+## <summary>
+## Read and write RPC sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_rpc_sysctls',`
+ gen_require(`
+ type proc_t, proc_net_t, sysctl_rpc_t;
+ ')
+
+ rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
+
+ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list all sysctl directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_list_all_sysctls',`
+ gen_require(`
+ attribute sysctl_type;
+ ')
+
+ dontaudit $1 sysctl_type:dir list_dir_perms;
+ dontaudit $1 sysctl_type:file getattr;
+')
+
+########################################
+## <summary>
+## Allow caller to read all sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_all_sysctls',`
+ gen_require(`
+ attribute sysctl_type;
+ type proc_t, proc_net_t;
+ ')
+
+ # proc_net_t for /proc/net/rpc sysctls
+ read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
+
+ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type)
+')
+
+########################################
+## <summary>
+## Read and write all sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_all_sysctls',`
+ gen_require(`
+ attribute sysctl_type;
+ type proc_t, proc_net_t;
+ ')
+
+ # proc_net_t for /proc/net/rpc sysctls
+ rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
+
+ allow $1 sysctl_type:dir list_dir_perms;
+ # why is setattr needed?
+ allow $1 sysctl_type:file setattr;
+')
+
+########################################
+## <summary>
+## Send a kill signal to unlabeled processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_kill_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Mount a kernel unlabeled filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Unmount a kernel unlabeled filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_unmount_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Send general signals to unlabeled processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_signal_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:process signal;
+')
+
+########################################
+## <summary>
+## Send a null signal to unlabeled processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_signull_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:process signull;
+')
+
+########################################
+## <summary>
+## Send a stop signal to unlabeled processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_sigstop_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:process sigstop;
+')
+
+########################################
+## <summary>
+## Send a child terminated signal to unlabeled processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_sigchld_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:process sigchld;
+')
+
+########################################
+## <summary>
+## List unlabeled directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_list_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid) of all unlabeled_t.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_read_unlabeled_state',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir list_dir_perms;
+ read_files_pattern($1, unlabeled_t, unlabeled_t)
+ read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list unlabeled directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_list_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write unlabeled directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_dirs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write unlabeled files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts by caller to get the
+## attributes of an unlabeled file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts by caller to
+## read an unlabeled file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_read_unlabeled_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Do not audit attempts by caller to get the
+## attributes of unlabeled symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_symlinks',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:lnk_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts by caller to get the
+## attributes of unlabeled named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_pipes',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts by caller to get the
+## attributes of unlabeled named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_sockets',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:sock_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts by caller to get attributes for
+## unlabeled block devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:blk_file getattr;
+')
+
+########################################
+## <summary>
+## Read and write unlabeled block device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_blk_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:blk_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts by caller to get attributes for
+## unlabeled character devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Allow caller to relabel unlabeled directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_dirs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir { list_dir_perms relabelfrom };
+')
+
+########################################
+## <summary>
+## Allow caller to relabel unlabeled files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ kernel_list_unlabeled($1)
+ allow $1 unlabeled_t:file { getattr relabelfrom };
+')
+
+########################################
+## <summary>
+## Allow caller to relabel unlabeled symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_symlinks',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ kernel_list_unlabeled($1)
+ allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
+')
+
+########################################
+## <summary>
+## Allow caller to relabel unlabeled named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_pipes',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ kernel_list_unlabeled($1)
+ allow $1 unlabeled_t:fifo_file { getattr relabelfrom };
+')
+
+########################################
+## <summary>
+## Allow caller to relabel unlabeled named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_sockets',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ kernel_list_unlabeled($1)
+ allow $1 unlabeled_t:sock_file { getattr relabelfrom };
+')
+
+########################################
+## <summary>
+## Send and receive messages from an
+## unlabeled IPSEC association.
+## </summary>
+## <desc>
+## <p>
+## Send and receive messages from an
+## unlabeled IPSEC association. Network
+## connections that are not protected
+## by IPSEC have use an unlabeled
+## assocation.
+## </p>
+## <p>
+## The corenetwork interface
+## corenet_non_ipsec_sendrecv() should
+## be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_sendrecv_unlabeled_association',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:association { sendto recvfrom };
+
+ # temporary hack until labeling on packets is supported
+ allow $1 unlabeled_t:packet { send recv };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive messages
+## from an unlabeled IPSEC association.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to send and receive messages
+## from an unlabeled IPSEC association. Network
+## connections that are not protected
+## by IPSEC have use an unlabeled
+## assocation.
+## </p>
+## <p>
+## The corenetwork interface
+## corenet_dontaudit_non_ipsec_sendrecv() should
+## be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:association { sendto recvfrom };
+')
+
+########################################
+## <summary>
+## Receive TCP packets from an unlabeled connection.
+## </summary>
+## <desc>
+## <p>
+## Receive TCP packets from an unlabeled connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_tcp_recv_unlabeled() should
+## be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_tcp_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
+## should be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_tcp_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive UDP packets from an unlabeled connection.
+## </summary>
+## <desc>
+## <p>
+## Receive UDP packets from an unlabeled connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_udp_recv_unlabeled() should
+## be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_udp_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP packets from an unlabeled
+## connection.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to receive UDP packets from an unlabeled
+## connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_dontaudit_udp_recv_unlabeled()
+## should be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_udp_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive Raw IP packets from an unlabeled connection.
+## </summary>
+## <desc>
+## <p>
+## Receive Raw IP packets from an unlabeled connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_raw_recv_unlabeled() should
+## be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_raw_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
+## should be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_raw_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Send and receive unlabeled packets.
+## </summary>
+## <desc>
+## <p>
+## Send and receive unlabeled packets.
+## These packets do not match any netfilter
+## SECMARK rules.
+## </p>
+## <p>
+## The corenetwork interface
+## corenet_sendrecv_unlabeled_packets() should
+## be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_sendrecv_unlabeled_packets',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:packet { send recv };
+')
+
+########################################
+## <summary>
+## Receive packets from an unlabeled peer.
+## </summary>
+## <desc>
+## <p>
+## Receive packets from an unlabeled peer, these packets do not have any
+## peer labeling information present.
+## </p>
+## <p>
+## The corenetwork interface corenet_recvfrom_unlabeled_peer() should
+## be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_recvfrom_unlabeled_peer',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:peer recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive packets from an unlabeled peer.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to receive packets from an unlabeled peer,
+## these packets do not have any peer labeling information present.
+## </p>
+## <p>
+## The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled()
+## should be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_recvfrom_unlabeled_peer',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:peer recv;
+')
+
+########################################
+## <summary>
+## Relabel from unlabeled database objects.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_database',`
+ gen_require(`
+ type unlabeled_t;
+ class db_database { setattr relabelfrom };
+ class db_schema { setattr relabelfrom };
+ class db_table { setattr relabelfrom };
+ class db_sequence { setattr relabelfrom };
+ class db_view { setattr relabelfrom };
+ class db_procedure { setattr relabelfrom };
+ class db_language { setattr relabelfrom };
+ class db_column { setattr relabelfrom };
+ class db_tuple { update relabelfrom };
+ class db_blob { setattr relabelfrom };
+ ')
+
+ allow $1 unlabeled_t:db_database { setattr relabelfrom };
+ allow $1 unlabeled_t:db_schema { setattr relabelfrom };
+ allow $1 unlabeled_t:db_table { setattr relabelfrom };
+ allow $1 unlabeled_t:db_sequence { setattr relabelfrom };
+ allow $1 unlabeled_t:db_view { setattr relabelfrom };
+ allow $1 unlabeled_t:db_procedure { setattr relabelfrom };
+ allow $1 unlabeled_t:db_language { setattr relabelfrom };
+ allow $1 unlabeled_t:db_column { setattr relabelfrom };
+ allow $1 unlabeled_t:db_tuple { update relabelfrom };
+ allow $1 unlabeled_t:db_blob { setattr relabelfrom };
+')
+
+########################################
+## <summary>
+## Unconfined access to kernel module resources.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_unconfined',`
+ gen_require(`
+ attribute kern_unconfined;
+ ')
+
+ typeattribute $1 kern_unconfined;
+ kernel_load_module($1)
+')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
new file mode 100644
index 00000000..a394a98e
--- /dev/null
+++ b/policy/modules/kernel/kernel.te
@@ -0,0 +1,413 @@
+policy_module(kernel, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Disable kernel module loading.
+## </p>
+## </desc>
+gen_bool(secure_mode_insmod, false)
+
+# assertion related attributes
+attribute can_load_kernmodule;
+attribute can_receive_kernel_messages;
+attribute can_dump_kernel;
+
+neverallow ~can_load_kernmodule self:capability sys_module;
+
+# domains with unconfined access to kernel resources
+attribute kern_unconfined;
+
+# regular entries in proc
+attribute proc_type;
+
+# sysctls
+attribute sysctl_type;
+
+role system_r;
+role sysadm_r;
+role staff_r;
+role user_r;
+
+# here until order dependence is fixed:
+role unconfined_r;
+
+ifdef(`enable_mls',`
+ role secadm_r;
+ role auditadm_r;
+')
+
+#
+# kernel_t is the domain of kernel threads.
+# It is also the target type when checking permissions in the system class.
+#
+type kernel_t, can_load_kernmodule;
+domain_base_type(kernel_t)
+mls_rangetrans_source(kernel_t)
+role system_r types kernel_t;
+sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
+
+#
+# DebugFS
+#
+
+type debugfs_t;
+files_mountpoint(debugfs_t)
+fs_type(debugfs_t)
+allow debugfs_t self:filesystem associate;
+genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
+
+#
+# kvmFS
+#
+
+type kvmfs_t;
+fs_type(kvmfs_t)
+genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0)
+
+#
+# Procfs types
+#
+
+type proc_t, proc_type;
+files_mountpoint(proc_t)
+fs_type(proc_t)
+genfscon proc / gen_context(system_u:object_r:proc_t,s0)
+genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
+
+type proc_afs_t, proc_type;
+genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0)
+
+# kernel message interface
+type proc_kmsg_t, proc_type;
+genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
+neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
+
+# /proc kcore: inaccessible
+type proc_kcore_t, proc_type;
+neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
+genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
+
+type proc_mdstat_t, proc_type;
+genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
+
+type proc_net_t, proc_type;
+genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
+
+type proc_xen_t, proc_type;
+files_mountpoint(proc_xen_t)
+genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
+
+#
+# Sysctl types
+#
+
+# /proc/sys directory, base directory of sysctls
+type sysctl_t, sysctl_type;
+files_mountpoint(sysctl_t)
+sid sysctl gen_context(system_u:object_r:sysctl_t,s0)
+genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)
+
+# /proc/irq directory and files
+type sysctl_irq_t, sysctl_type;
+genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
+
+# /proc/net/rpc directory and files
+type sysctl_rpc_t, sysctl_type;
+genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
+
+# /proc/sys/crypto directory and files
+type sysctl_crypto_t, sysctl_type;
+genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0)
+
+# /proc/sys/fs directory and files
+type sysctl_fs_t, sysctl_type;
+files_mountpoint(sysctl_fs_t)
+genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
+
+# /proc/sys/kernel directory and files
+type sysctl_kernel_t, sysctl_type;
+genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
+
+# /proc/sys/kernel/modprobe file
+type sysctl_modprobe_t, sysctl_type;
+genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
+
+# /proc/sys/kernel/hotplug file
+type sysctl_hotplug_t, sysctl_type;
+genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0)
+
+# /proc/sys/net directory and files
+type sysctl_net_t, sysctl_type;
+genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
+
+# /proc/sys/net/unix directory and files
+type sysctl_net_unix_t, sysctl_type;
+genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
+
+# /proc/sys/vm directory and files
+type sysctl_vm_t, sysctl_type;
+genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
+
+# /proc/sys/dev directory and files
+type sysctl_dev_t, sysctl_type;
+genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+
+#
+# unlabeled_t is the type of unlabeled objects.
+# Objects that have no known labeling information or that
+# have labels that are no longer valid are treated as having this type.
+#
+type unlabeled_t;
+fs_associate(unlabeled_t)
+sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+
+# These initial sids are no longer used, and can be removed:
+sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
+sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid init gen_context(system_u:object_r:unlabeled_t,s0)
+sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0)
+sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+
+########################################
+#
+# kernel local policy
+#
+
+allow kernel_t self:capability ~sys_module;
+allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow kernel_t self:shm create_shm_perms;
+allow kernel_t self:sem create_sem_perms;
+allow kernel_t self:msg { send receive };
+allow kernel_t self:msgq create_msgq_perms;
+allow kernel_t self:unix_dgram_socket create_socket_perms;
+allow kernel_t self:unix_stream_socket create_stream_socket_perms;
+allow kernel_t self:unix_dgram_socket sendto;
+allow kernel_t self:unix_stream_socket connectto;
+allow kernel_t self:fifo_file rw_fifo_file_perms;
+allow kernel_t self:sock_file read_sock_file_perms;
+allow kernel_t self:fd use;
+
+allow kernel_t debugfs_t:dir search_dir_perms;
+
+allow kernel_t proc_t:dir list_dir_perms;
+allow kernel_t proc_t:file read_file_perms;
+allow kernel_t proc_t:lnk_file read_lnk_file_perms;
+
+allow kernel_t proc_net_t:dir list_dir_perms;
+allow kernel_t proc_net_t:file read_file_perms;
+
+allow kernel_t proc_mdstat_t:file read_file_perms;
+
+allow kernel_t proc_kcore_t:file getattr;
+
+allow kernel_t proc_kmsg_t:file getattr;
+
+allow kernel_t sysctl_kernel_t:dir list_dir_perms;
+allow kernel_t sysctl_kernel_t:file read_file_perms;
+allow kernel_t sysctl_t:dir list_dir_perms;
+
+# Other possible mount points for the root fs are in files
+allow kernel_t unlabeled_t:dir mounton;
+dontaudit kernel_t unlabeled_t:dir search;
+# Kernel-generated traffic e.g., TCP resets on
+# connections with invalidated labels:
+allow kernel_t unlabeled_t:packet send;
+
+# Allow unlabeled network traffic
+allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+corenet_in_generic_if(unlabeled_t)
+corenet_in_generic_node(unlabeled_t)
+
+corenet_all_recvfrom_unlabeled(kernel_t)
+corenet_all_recvfrom_netlabel(kernel_t)
+# Kernel-generated traffic e.g., ICMP replies:
+corenet_raw_sendrecv_all_if(kernel_t)
+corenet_raw_sendrecv_all_nodes(kernel_t)
+corenet_raw_send_generic_if(kernel_t)
+# Kernel-generated traffic e.g., TCP resets:
+corenet_tcp_sendrecv_all_if(kernel_t)
+corenet_tcp_sendrecv_all_nodes(kernel_t)
+corenet_raw_send_generic_node(kernel_t)
+corenet_send_all_packets(kernel_t)
+
+dev_read_sysfs(kernel_t)
+dev_search_usbfs(kernel_t)
+# devtmpfs handling:
+dev_create_generic_dirs(kernel_t)
+dev_delete_generic_dirs(kernel_t)
+dev_create_generic_blk_files(kernel_t)
+dev_delete_generic_blk_files(kernel_t)
+dev_create_generic_chr_files(kernel_t)
+dev_delete_generic_chr_files(kernel_t)
+dev_mounton(kernel_t)
+
+# Mount root file system. Used when loading a policy
+# from initrd, then mounting the root filesystem
+fs_mount_all_fs(kernel_t)
+fs_unmount_all_fs(kernel_t)
+
+selinux_load_policy(kernel_t)
+
+term_use_console(kernel_t)
+
+corecmd_exec_shell(kernel_t)
+corecmd_list_bin(kernel_t)
+# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
+corecmd_exec_bin(kernel_t)
+
+domain_signal_all_domains(kernel_t)
+domain_search_all_domains_state(kernel_t)
+
+files_list_root(kernel_t)
+files_list_etc(kernel_t)
+files_list_home(kernel_t)
+files_read_usr_files(kernel_t)
+
+mcs_process_set_categories(kernel_t)
+
+mls_process_read_up(kernel_t)
+mls_process_write_down(kernel_t)
+mls_file_write_all_levels(kernel_t)
+mls_file_read_all_levels(kernel_t)
+
+ifdef(`distro_redhat',`
+ # Bugzilla 222337
+ fs_rw_tmpfs_chr_files(kernel_t)
+')
+
+optional_policy(`
+ hotplug_search_config(kernel_t)
+')
+
+optional_policy(`
+ init_sigchld(kernel_t)
+')
+
+optional_policy(`
+ libs_use_ld_so(kernel_t)
+ libs_use_shared_libs(kernel_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(kernel_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(kernel_t)
+')
+
+optional_policy(`
+ # nfs kernel server needs kernel UDP access. It is less risky and painful
+ # to just give it everything.
+ allow kernel_t self:tcp_socket create_stream_socket_perms;
+ allow kernel_t self:udp_socket create_socket_perms;
+
+ # nfs kernel server needs kernel UDP access. It is less risky and painful
+ # to just give it everything.
+ corenet_udp_sendrecv_generic_if(kernel_t)
+ corenet_udp_sendrecv_generic_node(kernel_t)
+ corenet_udp_sendrecv_all_ports(kernel_t)
+ corenet_udp_bind_generic_node(kernel_t)
+ corenet_sendrecv_portmap_client_packets(kernel_t)
+ corenet_sendrecv_generic_server_packets(kernel_t)
+
+ fs_getattr_xattr_fs(kernel_t)
+
+ auth_dontaudit_getattr_shadow(kernel_t)
+
+ sysnet_read_config(kernel_t)
+
+ rpc_manage_nfs_ro_content(kernel_t)
+ rpc_manage_nfs_rw_content(kernel_t)
+ rpc_tcp_rw_nfs_sockets(kernel_t)
+ rpc_udp_rw_nfs_sockets(kernel_t)
+
+ tunable_policy(`nfs_export_all_ro',`
+ fs_getattr_noxattr_fs(kernel_t)
+ fs_list_noxattr_fs(kernel_t)
+ fs_read_noxattr_fs_files(kernel_t)
+ fs_read_noxattr_fs_symlinks(kernel_t)
+
+ auth_read_all_dirs_except_auth_files(kernel_t)
+ auth_read_all_files_except_auth_files(kernel_t)
+ auth_read_all_symlinks_except_auth_files(kernel_t)
+ ')
+
+ tunable_policy(`nfs_export_all_rw',`
+ fs_getattr_noxattr_fs(kernel_t)
+ fs_list_noxattr_fs(kernel_t)
+ fs_read_noxattr_fs_files(kernel_t)
+ fs_read_noxattr_fs_symlinks(kernel_t)
+
+ auth_manage_all_files_except_auth_files(kernel_t)
+ ')
+')
+
+optional_policy(`
+ seutil_read_config(kernel_t)
+ seutil_read_bin_policy(kernel_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(kernel_t)
+')
+
+########################################
+#
+# Unlabeled process local policy
+#
+
+optional_policy(`
+ # If you load a new policy that removes active domains, processes can
+ # get stuck if you do not allow unlabeled processes to signal init.
+ # If you load an incompatible policy, you should probably reboot,
+ # since you may have compromised system security.
+ init_sigchld(unlabeled_t)
+')
+
+########################################
+#
+# Kernel module loading policy
+#
+
+if( ! secure_mode_insmod ) {
+ allow can_load_kernmodule self:capability sys_module;
+
+ # load_module() calls stop_machine() which
+ # calls sched_setscheduler()
+ allow can_load_kernmodule self:capability sys_nice;
+ kernel_setsched(can_load_kernmodule)
+}
+
+########################################
+#
+# Rules for unconfined acccess to this module
+#
+
+allow kern_unconfined proc_type:{ dir file lnk_file } *;
+
+allow kern_unconfined sysctl_type:{ dir file } *;
+
+allow kern_unconfined kernel_t:system *;
+
+allow kern_unconfined unlabeled_t:dir_file_class_set *;
+allow kern_unconfined unlabeled_t:filesystem *;
+allow kern_unconfined unlabeled_t:association *;
+allow kern_unconfined unlabeled_t:packet *;
+allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
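Review bot: The comment at the top of the nfs optional_policy block is repeated verbatim a few lines below it (`# nfs kernel server needs kernel UDP access. It is less risky and painful` / `# to just give it everything.` appears twice), and the first copy sits above rules that grant tcp_socket as well as udp_socket; I would drop the second copy and widen the first to `# nfs kernel server needs kernel TCP and UDP sockets. It is less risky and painful to just give it everything.` There is also a typo in the last section heading, `# Rules for unconfined acccess to this module` → `access`. The block of initial SIDs introduced by `# These initial sids are no longer used, and can be removed:` is still added by this commit; if they have to stay for compatibility with the loaded policy format, the comment should say that rather than invite removal.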
diff --git a/policy/modules/kernel/mcs.fc b/policy/modules/kernel/mcs.fc
new file mode 100644
index 00000000..fa8a4b15
--- /dev/null
+++ b/policy/modules/kernel/mcs.fc
@@ -0,0 +1 @@
+# no MCS file contexts
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
new file mode 100644
index 00000000..f52faaf3
--- /dev/null
+++ b/policy/modules/kernel/mcs.if
@@ -0,0 +1,104 @@
+## <summary>Multicategory security policy</summary>
+## <required val="true">
+## Contains attributes used in MCS policy.
+## </required>
+
+########################################
+## <summary>
+## This domain is allowed to read files and directories
+## regardless of their MCS category set.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mcs_file_read_all',`
+ gen_require(`
+ attribute mcsreadall;
+ ')
+
+ typeattribute $1 mcsreadall;
+')
+
+########################################
+## <summary>
+## This domain is allowed to write files and directories
+## regardless of their MCS category set.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mcs_file_write_all',`
+ gen_require(`
+ attribute mcswriteall;
+ ')
+
+ typeattribute $1 mcswriteall;
+')
+
+########################################
+## <summary>
+## This domain is allowed to sigkill and sigstop
+## all domains regardless of their MCS category set.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mcs_killall',`
+ gen_require(`
+ attribute mcskillall;
+ ')
+
+ typeattribute $1 mcskillall;
+')
+
+########################################
+## <summary>
+## This domain is allowed to ptrace
+## all domains regardless of their MCS
+## category set.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+#
+interface(`mcs_ptrace_all',`
+ gen_require(`
+ attribute mcsptraceall;
+ ')
+
+ typeattribute $1 mcsptraceall;
+')
+
+########################################
+## <summary>
+## Make specified domain MCS trusted
+## for setting any category set for
+## the processes it executes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+#
+interface(`mcs_process_set_categories',`
+ gen_require(`
+ attribute mcssetcats;
+ ')
+
+ typeattribute $1 mcssetcats;
+')
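Review bot: The module header here has only a one-line `<summary>` and the `<required>` block, whereas the mls.if header in the same commit also carries a `<desc>` paragraph; the generated interface documentation for mcs will be noticeably thinner. I would add a short `<desc><p>…</p></desc>` after the summary stating that each interface exempts the given domain from the MCS category checks by assigning it one of the mcs attributes. Separately, mcs_ptrace_all and mcs_process_set_categories are the only interfaces in this file without `<rolecap/>`; if that is deliberate, a one-line comment above each saying so would stop a later contributor from "fixing" the inconsistency.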
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
new file mode 100644
index 00000000..0e5b6611
--- /dev/null
+++ b/policy/modules/kernel/mcs.te
@@ -0,0 +1,12 @@
+policy_module(mcs, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mcskillall;
+attribute mcsptraceall;
+attribute mcssetcats;
+attribute mcswriteall;
+attribute mcsreadall;
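Review bot: The five attributes are declared without any comment and nothing in this module uses them, so a reader has to infer from mcs.if that they are the exemption attributes assigned by the mcs_* interfaces and presumably consumed by MCS constraints defined outside this module. I would add `# MCS exemption attributes: assigned by the mcs.if interfaces, referenced by the MCS constraints (not in this module)` above the block, and order the declarations alphabetically (mcsreadall currently follows mcswriteall).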
diff --git a/policy/modules/kernel/metadata.xml b/policy/modules/kernel/metadata.xml
new file mode 100644
index 00000000..d1da3a2f
--- /dev/null
+++ b/policy/modules/kernel/metadata.xml
@@ -0,0 +1 @@
+<summary>Policy modules for kernel resources.</summary>
diff --git a/policy/modules/kernel/mls.fc b/policy/modules/kernel/mls.fc
new file mode 100644
index 00000000..13df19ec
--- /dev/null
+++ b/policy/modules/kernel/mls.fc
@@ -0,0 +1 @@
+# No MLS file contexts.
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
new file mode 100644
index 00000000..d178478d
--- /dev/null
+++ b/policy/modules/kernel/mls.if
@@ -0,0 +1,984 @@
+## <summary>Multilevel security policy</summary>
+## <desc>
+## <p>
+## This module contains interfaces for handling multilevel
+## security. The interfaces allow the specified subjects
+## and objects to be allowed certain privileges in the
+## MLS rules.
+## </p>
+## </desc>
+## <required val="true">
+## Contains attributes used in MLS policy.
+## </required>
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from files up to its clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_read_to_clearance',`
+ gen_require(`
+ attribute mlsfilereadtoclr;
+ ')
+
+ typeattribute $1 mlsfilereadtoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from files at all levels. (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Make specified domain MLS trusted
+## for reading from files at all levels.
+## </p>
+## <p>
+## This interface has been deprecated, please use
+## mls_file_read_all_levels() instead.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_file_read_up',`
+ refpolicywarn(`$0($*) has been deprecated, please use mls_file_read_all_levels() instead.')
+ mls_file_read_all_levels($1)
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from files at all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_read_all_levels',`
+ gen_require(`
+ attribute mlsfileread;
+ ')
+
+ typeattribute $1 mlsfileread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for write to files up to its clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_write_to_clearance',`
+ gen_require(`
+ attribute mlsfilewritetoclr;
+ ')
+
+ typeattribute $1 mlsfilewritetoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to files at all levels. (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Make specified domain MLS trusted
+## for writing to files at all levels.
+## </p>
+## <p>
+## This interface has been deprecated, please use
+## mls_file_write_all_levels() instead.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_file_write_down',`
+ refpolicywarn(`$0($*) has been deprecated, please use mls_file_write_all_levels() instead.')
+ mls_file_write_all_levels($1)
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to files at all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_write_all_levels',`
+ gen_require(`
+ attribute mlsfilewrite;
+ ')
+
+ typeattribute $1 mlsfilewrite;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for raising the level of files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_upgrade',`
+ gen_require(`
+ attribute mlsfileupgrade;
+ ')
+
+ typeattribute $1 mlsfileupgrade;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for lowering the level of files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_downgrade',`
+ gen_require(`
+ attribute mlsfiledowngrade;
+ ')
+
+ typeattribute $1 mlsfiledowngrade;
+')
+
+########################################
+## <summary>
+## Make specified domain trusted to
+## be written to within its MLS range.
+## The subject's MLS range must be a
+## proper subset of the object's MLS range.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_write_within_range',`
+ gen_require(`
+ attribute mlsfilewriteinrange;
+ ')
+
+ typeattribute $1 mlsfilewriteinrange;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from sockets at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_socket_read_all_levels',`
+ gen_require(`
+ attribute mlsnetread;
+ ')
+
+ typeattribute $1 mlsnetread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from sockets at any level
+## that is dominated by the process clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_socket_read_to_clearance',`
+ gen_require(`
+ attribute mlsnetreadtoclr;
+ ')
+
+ typeattribute $1 mlsnetreadtoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to sockets up to
+## its clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_socket_write_to_clearance',`
+ gen_require(`
+ attribute mlsnetwritetoclr;
+ ')
+
+ typeattribute $1 mlsnetwritetoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to sockets at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_socket_write_all_levels',`
+ gen_require(`
+ attribute mlsnetwrite;
+ ')
+
+ typeattribute $1 mlsnetwrite;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for receiving network data from
+## network interfaces or hosts at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_net_receive_all_levels',`
+ gen_require(`
+ attribute mlsnetrecvall;
+ ')
+
+ typeattribute $1 mlsnetrecvall;
+')
+
+########################################
+## <summary>
+## Make specified domain trusted to
+## write to network objects within its MLS range.
+## The subject's MLS range must be a
+## proper subset of the object's MLS range.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_net_write_within_range',`
+ gen_require(`
+ attribute mlsnetwriteranged;
+ ')
+
+ typeattribute $1 mlsnetwriteranged;
+')
+
+########################################
+## <summary>
+## Make specified domain trusted to
+## write inbound packets regardless of the
+## network's or node's MLS range.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_net_inbound_all_levels',`
+ gen_require(`
+ attribute mlsnetinbound;
+ ')
+
+ typeattribute $1 mlsnetinbound;
+')
+
+########################################
+## <summary>
+## Make specified domain trusted to
+## write outbound packets regardless of the
+## network's or node's MLS range.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_net_outbound_all_levels',`
+ gen_require(`
+ attribute mlsnetoutbound;
+ ')
+
+ typeattribute $1 mlsnetoutbound;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from System V IPC objects
+## up to its clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_sysvipc_read_to_clearance',`
+ gen_require(`
+ attribute mlsipcreadtoclr;
+ ')
+
+ typeattribute $1 mlsipcreadtoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from System V IPC objects
+## at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_sysvipc_read_all_levels',`
+ gen_require(`
+ attribute mlsipcread;
+ ')
+
+ typeattribute $1 mlsipcread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to System V IPC objects
+## up to its clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_sysvipc_write_to_clearance',`
+ gen_require(`
+ attribute mlsipcwritetoclr;
+ ')
+
+ typeattribute $1 mlsipcwritetoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to System V IPC objects
+## at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_sysvipc_write_all_levels',`
+ gen_require(`
+ attribute mlsipcwrite;
+ ')
+
+ typeattribute $1 mlsipcwrite;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to do a MLS
+## range transition that changes
+## the current level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_rangetrans_source',`
+ gen_require(`
+ attribute privrangetrans;
+ ')
+
+ typeattribute $1 privrangetrans;
+')
+
+########################################
+## <summary>
+## Make specified domain a target domain
+## for MLS range transitions that change
+## the current level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_rangetrans_target',`
+ gen_require(`
+ attribute mlsrangetrans;
+ ')
+
+ typeattribute $1 mlsrangetrans;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from processes up to
+## its clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_process_read_to_clearance',`
+ gen_require(`
+ attribute mlsprocreadtoclr;
+ ')
+
+ typeattribute $1 mlsprocreadtoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from processes at all levels. (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Make specified domain MLS trusted
+## for reading from processes at all levels.
+## </p>
+## <p>
+## This interface has been deprecated, please use
+## mls_process_read_all_levels() instead.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_process_read_up',`
+# refpolicywarn(`$0($*) has been deprecated, please use mls_process_read_all_levels() instead.')
+ mls_process_read_all_levels($1)
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from processes at all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_process_read_all_levels',`
+ gen_require(`
+ attribute mlsprocread;
+ ')
+
+ typeattribute $1 mlsprocread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to processes up to
+## its clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_process_write_to_clearance',`
+ gen_require(`
+ attribute mlsprocwritetoclr;
+ ')
+
+ typeattribute $1 mlsprocwritetoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to processes at all levels. (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Make specified domain MLS trusted
+## for writing to processes at all levels.
+## </p>
+## <p>
+## This interface has been deprecated, please use
+## mls_process_write_all_levels() instead.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_process_write_down',`
+# refpolicywarn(`$0($*) has been deprecated, please use mls_process_write_all_levels() instead.')
+ mls_process_write_all_levels($1)
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to processes at all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_process_write_all_levels',`
+ gen_require(`
+ attribute mlsprocwrite;
+ ')
+
+ typeattribute $1 mlsprocwrite;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for setting the level of processes
+## it executes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_process_set_level',`
+ gen_require(`
+ attribute mlsprocsetsl;
+ ')
+
+ typeattribute $1 mlsprocsetsl;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from X objects up to its clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_xwin_read_to_clearance',`
+ gen_require(`
+ attribute mlsxwinreadtoclr;
+ ')
+
+ typeattribute $1 mlsxwinreadtoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from X objects at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_xwin_read_all_levels',`
+ gen_require(`
+ attribute mlsxwinread;
+ ')
+
+ typeattribute $1 mlsxwinread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for write to X objects up to its clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_xwin_write_to_clearance',`
+ gen_require(`
+ attribute mlsxwinwritetoclr;
+ ')
+
+ typeattribute $1 mlsxwinwritetoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to X objects at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_xwin_write_all_levels',`
+ gen_require(`
+ attribute mlsxwinwrite;
+ ')
+
+ typeattribute $1 mlsxwinwrite;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from X colormaps at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_colormap_read_all_levels',`
+ gen_require(`
+ attribute mlsxwinreadcolormap;
+ ')
+
+ typeattribute $1 mlsxwinreadcolormap;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to X colormaps at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_colormap_write_all_levels',`
+ gen_require(`
+ attribute mlsxwinwritecolormap;
+ ')
+
+ typeattribute $1 mlsxwinwritecolormap;
+')
+
+########################################
+## <summary>
+## Make specified object MLS trusted.
+## </summary>
+## <desc>
+## <p>
+## Make specified object MLS trusted. This
+## allows all levels to read and write the
+## object.
+## </p>
+## <p>
+## This currently only applies to filesystem
+## objects, for example, files and directories.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the object.
+## </summary>
+## </param>
+#
+interface(`mls_trusted_object',`
+ gen_require(`
+ attribute mlstrustedobject;
+ ')
+
+ typeattribute $1 mlstrustedobject;
+')
+
+########################################
+## <summary>
+## Make the specified domain trusted
+## to inherit and use file descriptors
+## from all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_fd_use_all_levels',`
+ gen_require(`
+ attribute mlsfduse;
+ ')
+
+ typeattribute $1 mlsfduse;
+')
+
+########################################
+## <summary>
+## Make the file descriptors from the
+## specifed domain inheritable by
+## all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_fd_share_all_levels',`
+ gen_require(`
+ attribute mlsfdshare;
+ ')
+
+ typeattribute $1 mlsfdshare;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for translating contexts at all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_context_translate_all_levels',`
+ gen_require(`
+ attribute mlstranslate;
+ ')
+
+ typeattribute $1 mlstranslate;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from databases at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_db_read_all_levels',`
+ gen_require(`
+ attribute mlsdbread;
+ ')
+
+ typeattribute $1 mlsdbread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to databases at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_db_write_all_levels',`
+ gen_require(`
+ attribute mlsdbwrite;
+ ')
+
+ typeattribute $1 mlsdbwrite;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for raising the level of databases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_db_upgrade',`
+ gen_require(`
+ attribute mlsdbupgrade;
+ ')
+
+ typeattribute $1 mlsdbupgrade;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for lowering the level of databases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_db_downgrade',`
+ gen_require(`
+ attribute mlsdbdowngrade;
+ ')
+
+ typeattribute $1 mlsdbdowngrade;
+')
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for sending dbus messages to
+## all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_dbus_send_all_levels',`
+ gen_require(`
+ attribute mlsdbussend;
+ ')
+
+ typeattribute $1 mlsdbussend;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for receiving dbus messages from
+## all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_dbus_recv_all_levels',`
+ gen_require(`
+ attribute mlsdbusrecv;
+ ')
+
+ typeattribute $1 mlsdbusrecv;
+')
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
new file mode 100644
index 00000000..8c7bd90d
--- /dev/null
+++ b/policy/modules/kernel/mls.te
@@ -0,0 +1,69 @@
+policy_module(mls, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mlsfileread;
+attribute mlsfilereadtoclr;
+attribute mlsfilewrite;
+attribute mlsfilewritetoclr;
+attribute mlsfilewriteinrange;
+attribute mlsfileupgrade;
+attribute mlsfiledowngrade;
+
+attribute mlsnetread;
+attribute mlsnetreadtoclr;
+attribute mlsnetwrite;
+attribute mlsnetwritetoclr;
+attribute mlsnetwriteranged;
+attribute mlsnetupgrade;
+attribute mlsnetdowngrade;
+attribute mlsnetrecvall;
+attribute mlsnetinbound;
+attribute mlsnetoutbound;
+
+attribute mlsipcread;
+attribute mlsipcreadtoclr;
+attribute mlsipcwrite;
+attribute mlsipcwritetoclr;
+
+attribute mlsprocread;
+attribute mlsprocreadtoclr;
+attribute mlsprocwrite;
+attribute mlsprocwritetoclr;
+attribute mlsprocsetsl;
+
+attribute mlsxwinread;
+attribute mlsxwinreadtoclr;
+attribute mlsxwinwrite;
+attribute mlsxwinwritetoclr;
+attribute mlsxwinreadproperty;
+attribute mlsxwinwriteproperty;
+attribute mlsxwinreadselection;
+attribute mlsxwinwriteselection;
+attribute mlsxwinreadcolormap;
+attribute mlsxwinwritecolormap;
+attribute mlsxwinwritexinput;
+
+attribute mlsdbread;
+attribute mlsdbreadtoclr;
+attribute mlsdbwrite;
+attribute mlsdbwritetoclr;
+attribute mlsdbwriteinrange;
+attribute mlsdbupgrade;
+attribute mlsdbdowngrade;
+
+attribute mlstrustedobject;
+
+attribute privrangetrans;
+attribute mlsrangetrans;
+
+attribute mlsfduse;
+attribute mlsfdshare;
+
+attribute mlstranslate;
+
+attribute mlsdbusrecv;
+attribute mlsdbussend;
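Review bot: Several attributes declared in this file have no interface in the visible part of mls.if that ever assigns a domain to them: mlsdbreadtoclr, mlsdbwritetoclr and mlsdbwriteinrange sit next to mlsdbread/mlsdbwrite, yet mls.if only offers mls_db_read_all_levels, mls_db_write_all_levels, mls_db_upgrade and mls_db_downgrade for the db group, and the same appears to hold for mlsxwinreadproperty, mlsxwinwriteproperty, mlsxwinreadselection, mlsxwinwriteselection and mlsxwinwritexinput. These attributes only acquire meaning through the MLS constraints, which are not part of this diff, so a reader of mls.te cannot tell whether the missing interfaces are intentional or an oversight. Suggest a comment above the declarations such as `# These attributes are referenced by the MLS constraints (policy/mls); not every attribute has a corresponding interface in mls.if, so check the constraints before adding or removing one.` If the unused ones are in fact dead, removing them would shrink the trusted-attribute surface an auditor has to reason about.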
diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
new file mode 100644
index 00000000..7be4ddf7
--- /dev/null
+++ b/policy/modules/kernel/selinux.fc
@@ -0,0 +1 @@
+# This module currently does not have any file contexts.
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
new file mode 100644
index 00000000..ced3220d
--- /dev/null
+++ b/policy/modules/kernel/selinux.if
@@ -0,0 +1,712 @@
+## <summary>
+## Policy for kernel security interface, in particular, selinuxfs.
+## </summary>
+## <required val="true">
+## Contains the policy for the kernel SELinux security interface.
+## </required>
+
+########################################
+## <summary>
+## Make the specified type used for labeling SELinux Booleans.
+## This interface is only usable in the base module.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type used for labeling SELinux Booleans.
+## </p>
+## <p>
+## This makes use of genfscon statements, which are only
+## available in the base module. Thus any module which calls this
+## interface must be included in the base module.
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type used for labeling a Boolean.
+## </summary>
+## </param>
+## <param name="boolean">
+## <summary>
+## Name of the Boolean.
+## </summary>
+## </param>
+#
+interface(`selinux_labeled_boolean',`
+ gen_require(`
+ attribute boolean_type;
+ ')
+
+ typeattribute $1 boolean_type;
+
+ # because of this statement, any module which
+ # calls this interface must be in the base module:
+ genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+')
+
+########################################
+## <summary>
+## Get the mountpoint of the selinuxfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_get_fs_mount',`
+ gen_require(`
+ type security_t;
+ ')
+
+ # starting in libselinux 2.0.5, init_selinuxmnt() will
+ # attempt to short circuit by checking if SELINUXMNT
+ # (/selinux) is already a selinuxfs
+ allow $1 security_t:filesystem getattr;
+
+ # Same for /sys/fs/selinux
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
+
+ # read /proc/filesystems to see if selinuxfs is supported
+ # then read /proc/self/mount to see where selinuxfs is mounted
+ kernel_read_system_state($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the mountpoint
+## of the selinuxfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`selinux_dontaudit_get_fs_mount',`
+ gen_require(`
+ type security_t;
+ ')
+
+ # starting in libselinux 2.0.5, init_selinuxmnt() will
+ # attempt to short circuit by checking if SELINUXMNT
+ # (/selinux) is already a selinuxfs
+ dontaudit $1 security_t:filesystem getattr;
+
+ # Same for /sys/fs/selinux
+ dev_dontaudit_getattr_sysfs_fs($1)
+ dev_dontaudit_search_sysfs($1)
+
+ # read /proc/filesystems to see if selinuxfs is supported
+ # then read /proc/self/mount to see where selinuxfs is mounted
+ kernel_dontaudit_read_system_state($1)
+')
+
+########################################
+## <summary>
+## Mount the selinuxfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_mount_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Remount the selinuxfs filesystem.
+## This allows some mount options to be changed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_remount_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount the selinuxfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_unmount_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Get the attributes of the selinuxfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_getattr_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:filesystem getattr;
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of the selinuxfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`selinux_dontaudit_getattr_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dontaudit $1 security_t:filesystem getattr;
+
+ dev_dontaudit_getattr_sysfs_fs($1)
+ dev_dontaudit_search_sysfs($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of the selinuxfs directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`selinux_dontaudit_getattr_dir',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dontaudit $1 security_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Search selinuxfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_search_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search selinuxfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`selinux_dontaudit_search_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dontaudit $1 security_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## generic selinuxfs entries
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`selinux_dontaudit_read_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dontaudit $1 security_t:dir search_dir_perms;
+ dontaudit $1 security_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allows the caller to get the mode of policy enforcement
+## (enforcing or permissive mode).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_get_enforce_mode',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow caller to set the mode of policy enforcement
+## (enforcing or permissive mode).
+## </summary>
+## <desc>
+## <p>
+## Allow caller to set the mode of policy enforcement
+## (enforcing or permissive mode).
+## </p>
+## <p>
+## Since this is a security event, this action is
+## always audited.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_set_enforce_mode',`
+ gen_require(`
+ type security_t;
+ attribute can_setenforce;
+ bool secure_mode_policyload;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ typeattribute $1 can_setenforce;
+
+ if(!secure_mode_policyload) {
+ allow $1 security_t:security setenforce;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow $1 security_t:security setenforce;
+ ')
+ }
+')
+
+########################################
+## <summary>
+## Allow caller to load the policy into the kernel.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_load_policy',`
+ gen_require(`
+ type security_t;
+ attribute can_load_policy;
+ bool secure_mode_policyload;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ typeattribute $1 can_load_policy;
+
+ if(!secure_mode_policyload) {
+ allow $1 security_t:security load_policy;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow $1 security_t:security load_policy;
+ ')
+ }
+')
+
+########################################
+## <summary>
+## Allow caller to read the policy from the kernel.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_read_policy',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file read_file_perms;
+ allow $1 security_t:security read_policy;
+')
+
+########################################
+## <summary>
+## Allow caller to set the state of Booleans to
+## enable or disable conditional portions of the policy. (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Allow caller to set the state of Booleans to
+## enable or disable conditional portions of the policy.
+## </p>
+## <p>
+## Since this is a security event, this action is
+## always audited.
+## </p>
+## <p>
+## This interface has been deprecated. Please use
+## selinux_set_generic_booleans() or selinux_set_all_booleans()
+## instead.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_set_boolean',`
+ refpolicywarn(`$0($*) has been deprecated, use selinux_set_generic_booleans() instead.')
+ selinux_set_generic_booleans($1)
+')
+
+########################################
+## <summary>
+## Allow caller to set the state of generic Booleans to
+## enable or disable conditional portions of the policy.
+## </summary>
+## <desc>
+## <p>
+## Allow caller to set the state of generic Booleans to
+## enable or disable conditional portions of the policy.
+## </p>
+## <p>
+## Since this is a security event, this action is
+## always audited.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_set_generic_booleans',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+
+ allow $1 security_t:security setbool;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow $1 security_t:security setbool;
+ ')
+')
+
+########################################
+## <summary>
+## Allow caller to set the state of all Booleans to
+## enable or disable conditional portions of the policy.
+## </summary>
+## <desc>
+## <p>
+## Allow caller to set the state of all Booleans to
+## enable or disable conditional portions of the policy.
+## </p>
+## <p>
+## Since this is a security event, this action is
+## always audited.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_set_all_booleans',`
+ gen_require(`
+ type security_t, secure_mode_policyload_t;
+ attribute boolean_type;
+ bool secure_mode_policyload;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
+ allow $1 secure_mode_policyload_t:file read_file_perms;
+
+ allow $1 security_t:security setbool;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow $1 security_t:security setbool;
+ ')
+
+ if(!secure_mode_policyload) {
+ allow $1 secure_mode_policyload_t:file write_file_perms;
+ }
+')
+
+########################################
+## <summary>
+## Allow caller to set SELinux access vector cache parameters.
+## </summary>
+## <desc>
+## <p>
+## Allow caller to set SELinux access vector cache parameters.
+## The allows the domain to set performance related parameters
+## of the AVC, such as cache threshold.
+## </p>
+## <p>
+## Since this is a security event, this action is
+## always audited.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_set_parameters',`
+ gen_require(`
+ type security_t;
+ attribute can_setsecparam;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security setsecparam;
+ auditallow $1 security_t:security setsecparam;
+ typeattribute $1 can_setsecparam;
+')
+
+########################################
+## <summary>
+## Allows caller to validate security contexts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_validate_context',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security check_context;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to validate security contexts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_dontaudit_validate_context',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dontaudit $1 security_t:dir list_dir_perms;
+ dontaudit $1 security_t:file rw_file_perms;
+ dontaudit $1 security_t:security check_context;
+')
+
+########################################
+## <summary>
+## Allows caller to compute an access vector.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_compute_access_vector',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_av;
+')
+
+########################################
+## <summary>
+## Calculate the default type for object creation.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_compute_create_context',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_create;
+')
+
+########################################
+## <summary>
+## Allows caller to compute polyinstatntiated
+## directory members.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_compute_member',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_member;
+')
+
+########################################
+## <summary>
+## Calculate the context for relabeling objects.
+## </summary>
+## <desc>
+## <p>
+## Calculate the context for relabeling objects.
+## This is determined by using the type_change
+## rules in the policy, and is generally used
+## for determining the context for relabeling
+## a terminal when a user logs in.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_compute_relabel_context',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_relabel;
+')
+
+########################################
+## <summary>
+## Allows caller to compute possible contexts for a user.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_compute_user_contexts',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_user;
+')
+
+########################################
+## <summary>
+## Unconfined access to the SELinux kernel security server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_unconfined',`
+ gen_require(`
+ attribute selinux_unconfined_type;
+ ')
+
+ typeattribute $1 selinux_unconfined_type;
+')
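Review bot: The `<desc>` blocks of selinux_set_enforce_mode, selinux_set_generic_booleans and selinux_set_all_booleans claim the action "is always audited", but the only `auditallow` in those interfaces is inside `ifdef(\`distro_rhel4\`,...)`, so on every other build the policy itself forces no audit record and the claim rests on the kernel's own audit events for enforce, policy load and boolean changes, which the page does not state. selinux_set_parameters, by contrast, carries an unconditional `auditallow $1 security_t:security setsecparam;`, so the four interfaces are inconsistent about where the audit trail comes from. Suggest replacing `# needed for systems without audit support` with `# the kernel emits its own audit event for this operation; the auditallow is only needed on distros whose kernel lacks that support` and rewording the description to "this action is audited by the kernel" so a reviewer is not misled into expecting a policy-level auditallow. Minor: the comment in selinux_get_fs_mount says `/proc/self/mount`; the file libselinux reads is `/proc/self/mounts`.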
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
new file mode 100644
index 00000000..9c0628d9
--- /dev/null
+++ b/policy/modules/kernel/selinux.te
@@ -0,0 +1,70 @@
+policy_module(selinux, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Boolean to determine whether the system permits loading policy, setting
+## enforcing mode, and changing boolean values. Set this to true and you
+## have to reboot to set it back.
+## </p>
+## </desc>
+gen_bool(secure_mode_policyload,false)
+
+attribute boolean_type;
+attribute can_load_policy;
+attribute can_setenforce;
+attribute can_setsecparam;
+attribute selinux_unconfined_type;
+
+type secure_mode_policyload_t;
+selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
+
+#
+# security_t is the target type when checking
+# the permissions in the security class. It is also
+# applied to selinuxfs inodes.
+#
+type security_t, boolean_type;
+fs_type(security_t)
+files_mountpoint(security_t)
+mls_trusted_object(security_t)
+sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
+genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
+genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
+
+neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
+neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
+neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
+
+########################################
+#
+# Unconfined access to this module
+#
+
+# use SELinuxfs
+allow selinux_unconfined_type security_t:dir list_dir_perms;
+allow selinux_unconfined_type security_t:file rw_file_perms;
+allow selinux_unconfined_type boolean_type:file read_file_perms;
+allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
+
+# Access the security API.
+allow selinux_unconfined_type security_t:security ~{ load_policy setenforce };
+
+ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow selinux_unconfined_type security_t:security setbool;
+')
+
+if(!secure_mode_policyload) {
+ allow selinux_unconfined_type security_t:security { load_policy setenforce };
+ allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
+ ')
+}
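Review bot: The comment introducing security_t says the type "is also applied to selinuxfs inodes", but the two genfscon lines directly below it also label securityfs with security_t, so the comment should read `# applied to selinuxfs and securityfs inodes.` to avoid the securityfs entry reading as an oversight. The one-way nature of secure_mode_policyload is recorded only in the boolean's description block; the code that actually enforces it is the `if(!secure_mode_policyload)` block at the bottom, which is the only place write access to secure_mode_policyload_t is granted (the general boolean write rule above explicitly subtracts it). A one-line comment on that block, e.g. `# once set, write access to the boolean's own file is gone, so it can only be cleared by reboot`, would tie the code to the description.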
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
new file mode 100644
index 00000000..5d19e5ba
--- /dev/null
+++ b/policy/modules/kernel/storage.fc
@@ -0,0 +1,83 @@
+/dev/\.tmp-block.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/n?(raw)?[qr]ft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0)
+/dev/n?[hs]t[0-9].* -c gen_context(system_u:object_r:tape_device_t,s0)
+/dev/n?z?qft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0)
+/dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0)
+/dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0)
+/dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0)
+/dev/[shmxv]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
+/dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/etherd/.+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0)
+/dev/hwcdrom -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
+/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/(raw/)?rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ifdef(`distro_redhat', `
+/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+')
+/dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/sg[0-9]+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
+/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
+/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
+/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
+/dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+
+/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+/dev/device-mapper -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
+
+/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
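Review bot: `/dev/ub[a-z][^/]+` is the only removable_device_t entry in this hunk labelled at mls_systemhigh; every other removable_device_t line uses s0, and mls_systemhigh is otherwise used only for fixed_disk_device_t. If that is deliberate for USB block devices it deserves a comment, otherwise the line should read `/dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)`. The `/dev/vd[^/]*` entry near the end of the main block is already matched by `/dev/[shmxv]d[^/]*` with the same context, so it is redundant and can be dropped (note that `/dev/xvd[^/]*` is not covered by that pattern and should stay).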
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
new file mode 100644
index 00000000..1700ef27
--- /dev/null
+++ b/policy/modules/kernel/storage.if
@@ -0,0 +1,810 @@
+## <summary>Policy controlling access to storage devices</summary>
+
+########################################
+## <summary>
+## Allow the caller to get the attributes of fixed disk
+## device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_getattr_fixed_disk_dev',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts made by the caller to get
+## the attributes of fixed disk device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_getattr_fixed_disk_dev',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ dontaudit $1 fixed_disk_device_t:blk_file getattr;
+ dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
+')
+
+########################################
+## <summary>
+## Allow the caller to set the attributes of fixed disk
+## device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_setattr_fixed_disk_dev',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts made by the caller to set
+## the attributes of fixed disk device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_setattr_fixed_disk_dev',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ dontaudit $1 fixed_disk_device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
+## Allow the caller to directly read from a fixed disk.
+## This is extremly dangerous as it can bypass the
+## SELinux protections for filesystem objects, and
+## should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_raw_read_fixed_disk',`
+ gen_require(`
+ attribute fixed_disk_raw_read;
+ type fixed_disk_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+ typeattribute $1 fixed_disk_raw_read;
+')
+
+########################################
+## <summary>
+## Do not audit attempts made by the caller to read
+## fixed disk device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_read_fixed_disk',`
+ gen_require(`
+ type fixed_disk_device_t;
+
+ ')
+
+ dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the caller to directly write to a fixed disk.
+## This is extremly dangerous as it can bypass the
+## SELinux protections for filesystem objects, and
+## should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_raw_write_fixed_disk',`
+ gen_require(`
+ attribute fixed_disk_raw_write;
+ type fixed_disk_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file write_chr_file_perms;
+ typeattribute $1 fixed_disk_raw_write;
+')
+
+########################################
+## <summary>
+## Do not audit attempts made by the caller to write
+## fixed disk device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_write_fixed_disk',`
+ gen_require(`
+ type fixed_disk_device_t;
+
+ ')
+
+ dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the caller to directly read and write to a fixed disk.
+## This is extremly dangerous as it can bypass the
+## SELinux protections for filesystem objects, and
+## should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_raw_rw_fixed_disk',`
+ storage_raw_read_fixed_disk($1)
+ storage_raw_write_fixed_disk($1)
+')
+
+########################################
+## <summary>
+## Allow the caller to create fixed disk device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_create_fixed_disk_dev',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ allow $1 self:capability mknod;
+ allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
+ dev_add_entry_generic_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow the caller to create fixed disk device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_delete_fixed_disk_dev',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ allow $1 fixed_disk_device_t:blk_file delete_blk_file_perms;
+ dev_remove_entry_generic_dirs($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete fixed disk device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_manage_fixed_disk',`
+ gen_require(`
+ attribute fixed_disk_raw_read, fixed_disk_raw_write;
+ type fixed_disk_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 self:capability mknod;
+ allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms;
+ typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
+')
+
+########################################
+## <summary>
+## Create block devices in /dev with the fixed disk type
+## via an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_dev_filetrans_fixed_disk',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ dev_filetrans($1, fixed_disk_device_t, blk_file)
+')
+
+########################################
+## <summary>
+## Create block devices in on a tmpfs filesystem with the
+## fixed disk type via an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_tmpfs_filetrans_fixed_disk',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file)
+')
+
+########################################
+## <summary>
+## Relabel fixed disk device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_relabel_fixed_disk',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
+')
+
+########################################
+## <summary>
+## Enable a fixed disk device as swap space
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_swapon_fixed_disk',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file { getattr swapon };
+')
+
+########################################
+## <summary>
+## Allow the caller to get the attributes
+## of device nodes of fuse devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_getattr_fuse_dev',`
+ gen_require(`
+ type fuse_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 fuse_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## read or write fuse device interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_rw_fuse',`
+ gen_require(`
+ type fuse_device_t;
+ ')
+
+ allow $1 fuse_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## fuse device interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_rw_fuse',`
+ gen_require(`
+ type fuse_device_t;
+ ')
+
+ dontaudit $1 fuse_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the caller to get the attributes of
+## the generic SCSI interface device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_getattr_scsi_generic_dev',`
+ gen_require(`
+ type scsi_generic_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 scsi_generic_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Allow the caller to set the attributes of
+## the generic SCSI interface device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_setattr_scsi_generic_dev',`
+ gen_require(`
+ type scsi_generic_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 scsi_generic_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Allow the caller to directly read, in a
+## generic fashion, from any SCSI device.
+## This is extremly dangerous as it can bypass the
+## SELinux protections for filesystem objects, and
+## should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_read_scsi_generic',`
+ gen_require(`
+ attribute scsi_generic_read;
+ type scsi_generic_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 scsi_generic_device_t:chr_file read_chr_file_perms;
+ typeattribute $1 scsi_generic_read;
+')
+
+########################################
+## <summary>
+## Allow the caller to directly write, in a
+## generic fashion, from any SCSI device.
+## This is extremly dangerous as it can bypass the
+## SELinux protections for filesystem objects, and
+## should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_write_scsi_generic',`
+ gen_require(`
+ attribute scsi_generic_write;
+ type scsi_generic_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 scsi_generic_device_t:chr_file write_chr_file_perms;
+ typeattribute $1 scsi_generic_write;
+')
+
+########################################
+## <summary>
+## Set attributes of the device nodes
+## for the SCSI generic inerface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_setattr_scsi_generic_dev_dev',`
+ gen_require(`
+ type scsi_generic_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 scsi_generic_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## SCSI generic device interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_rw_scsi_generic',`
+ gen_require(`
+ type scsi_generic_device_t;
+ ')
+
+ dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the caller to get the attributes of removable
+## devices device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_getattr_removable_dev',`
+ gen_require(`
+ type removable_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 removable_device_t:blk_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts made by the caller to get
+## the attributes of removable devices device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_getattr_removable_dev',`
+ gen_require(`
+ type removable_device_t;
+ ')
+
+ dontaudit $1 removable_device_t:blk_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts made by the caller to read
+## removable devices device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_read_removable_device',`
+ gen_require(`
+ type removable_device_t;
+
+ ')
+
+ dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts made by the caller to write
+## removable devices device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_write_removable_device',`
+ gen_require(`
+ type removable_device_t;
+ ')
+
+ dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the caller to set the attributes of removable
+## devices device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_setattr_removable_dev',`
+ gen_require(`
+ type removable_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 removable_device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts made by the caller to set
+## the attributes of removable devices device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_setattr_removable_dev',`
+ gen_require(`
+ type removable_device_t;
+ ')
+
+ dontaudit $1 removable_device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
+## Allow the caller to directly read from
+## a removable device.
+## This is extremly dangerous as it can bypass the
+## SELinux protections for filesystem objects, and
+## should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_raw_read_removable_device',`
+ gen_require(`
+ type removable_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 removable_device_t:blk_file read_blk_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to directly read removable devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_raw_read_removable_device',`
+ gen_require(`
+ type removable_device_t;
+ ')
+
+ dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the caller to directly write to
+## a removable device.
+## This is extremly dangerous as it can bypass the
+## SELinux protections for filesystem objects, and
+## should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_raw_write_removable_device',`
+ gen_require(`
+ type removable_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 removable_device_t:blk_file write_blk_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to directly write removable devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_raw_write_removable_device',`
+ gen_require(`
+ type removable_device_t;
+ ')
+
+ dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the caller to directly read
+## a tape device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_read_tape',`
+ gen_require(`
+ type tape_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tape_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the caller to directly read
+## a tape device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_write_tape',`
+ gen_require(`
+ type tape_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tape_device_t:chr_file write_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the caller to get the attributes
+## of device nodes of tape devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_getattr_tape_dev',`
+ gen_require(`
+ type tape_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tape_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Allow the caller to set the attributes
+## of device nodes of tape devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_setattr_tape_dev',`
+ gen_require(`
+ type tape_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tape_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Unconfined access to storage devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_unconfined',`
+ gen_require(`
+ attribute storage_unconfined_type;
+ ')
+
+ typeattribute $1 storage_unconfined_type;
+')
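Review bot: The summary on `storage_delete_fixed_disk_dev` is copied from the create interface and says "Allow the caller to create fixed disk device nodes."; it should read `## Allow the caller to delete fixed disk device nodes.`. The same copy-paste problem affects `storage_write_tape`, whose summary says "directly read a tape device" and should say `## Allow the caller to directly write to a tape device.`. `storage_setattr_scsi_generic_dev_dev` is a byte-identical duplicate of `storage_setattr_scsi_generic_dev` under a doubled suffix (its summary also misspells "inerface"); one of the two should go, or the duplicate should be documented as a compatibility alias. `storage_dontaudit_write_fixed_disk` covers only blk_file, while `storage_dontaudit_read_fixed_disk` and `storage_raw_write_fixed_disk` both cover chr_file as well; if that asymmetry is not intended, `dontaudit $1 fixed_disk_device_t:chr_file write_chr_file_perms;` should be added next to the existing blk_file line.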
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
new file mode 100644
index 00000000..bb1554d4
--- /dev/null
+++ b/policy/modules/kernel/storage.te
@@ -0,0 +1,59 @@
+policy_module(storage, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute fixed_disk_raw_read;
+attribute fixed_disk_raw_write;
+attribute scsi_generic_read;
+attribute scsi_generic_write;
+attribute storage_unconfined_type;
+
+#
+# fixed_disk_device_t is the type of
+# /dev/hd* and /dev/sd*.
+#
+type fixed_disk_device_t;
+dev_node(fixed_disk_device_t)
+
+neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
+neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
+
+#
+# fuse_device_t is the type of /dev/fuse
+#
+type fuse_device_t;
+dev_node(fuse_device_t)
+
+#
+# scsi_generic_device_t is the type of /dev/sg*
+# it gives access to ALL SCSI devices (both fixed and removable)
+#
+type scsi_generic_device_t;
+dev_node(scsi_generic_device_t)
+
+neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read;
+neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write };
+
+#
+# removable_device_t is the type of
+# /dev/scd* and /dev/fd*.
+#
+type removable_device_t;
+dev_node(removable_device_t)
+
+#
+# tape_device_t is the type of
+#
+type tape_device_t;
+dev_node(tape_device_t)
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
+allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;
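Review bot: The comment introducing tape_device_t is truncated: `# tape_device_t is the type of` names no device, unlike every other declaration block in the hunk. Based on storage.fc in this commit it should read something like `# tape_device_t is the type of /dev/st*, /dev/nst* and other tape device nodes.`. The fixed_disk_device_t comment is also narrower than what storage.fc labels (loop, dm-, md, mapper and others get the same type), so `# fixed_disk_device_t is the type of /dev/hd*, /dev/sd* and other non-removable block devices (see storage.fc).` would be more accurate. One further observation, hedged: storage_unconfined_type is exempted from the chr_file neverallows on fixed_disk_device_t but the unconfined block only grants it `blk_file *` on that type, so chr_file nodes such as /dev/rawctl are apparently not reachable by unconfined storage domains — presumably intended, but worth a comment if so.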
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
new file mode 100644
index 00000000..7d45d15a
--- /dev/null
+++ b/policy/modules/kernel/terminal.fc
@@ -0,0 +1,43 @@
+
+/dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/[pt]ty[a-ep-z][0-9a-f] -c gen_context(system_u:object_r:bsdpty_device_t,s0)
+/dev/adb.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/capi.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/console -c gen_context(system_u:object_r:console_device_t,s0)
+/dev/cu.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/hpilo/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/i2c[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
+/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
+/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
+/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+
+/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
+
+/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
+
+/dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+
+/dev/usb/tty.* -c gen_context(system_u:object_r:usbtty_device_t,s0)
+
+/dev/vcc?/.* -c gen_context(system_u:object_r:tty_device_t,s0)
+
+/dev/vcs[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+
+/dev/xvc[0-9]* -c gen_context(system_u:object_r:tty_device_t,s0)
+
+ifdef(`distro_gentoo',`
+/dev/tts/[0-9]* -c gen_context(system_u:object_r:tty_device_t,s0)
+
+# used by init scripts to initally populate udev /dev
+/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
+')
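Review bot: `/dev/xvc[0-9]*` at the end of the unconditional block is already matched by `/dev/xvc[^/]*` earlier in the same hunk with the same context, so the second entry is redundant and should be removed, or commented if the narrower pattern is kept for a reason. Inside the distro_gentoo block, `/dev/tts/[0-9]*` duplicates the unconditional `/dev/tts/[^/]*` entry in the same way. The empty first line of the file can also be dropped.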
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
new file mode 100644
index 00000000..01dd2f1f
--- /dev/null
+++ b/policy/modules/kernel/terminal.if
@@ -0,0 +1,1495 @@
+## <summary>Policy for terminals.</summary>
+## <required val="true">
+## Depended on by other required modules.
+## </required>
+
+########################################
+## <summary>
+## Transform specified type into a pty type.
+## </summary>
+## <param name="pty_type">
+## <summary>
+## An object type that will applied to a pty.
+## </summary>
+## </param>
+#
+interface(`term_pty',`
+ gen_require(`
+ attribute ptynode;
+ type devpts_t;
+ ')
+
+ dev_node($1)
+ allow $1 devpts_t:filesystem associate;
+ typeattribute $1 ptynode;
+')
+
+########################################
+## <summary>
+## Transform specified type into an user
+## pty type. This allows it to be relabeled via
+## type change by login programs such as ssh.
+## </summary>
+## <param name="userdomain">
+## <summary>
+## The type of the user domain associated with
+## this pty.
+## </summary>
+## </param>
+## <param name="object_type">
+## <summary>
+## An object type that will applied to a pty.
+## </summary>
+## </param>
+#
+interface(`term_user_pty',`
+ gen_require(`
+ attribute server_ptynode;
+ ')
+
+ term_pty($2)
+ type_change $1 server_ptynode:chr_file $2;
+')
+
+########################################
+## <summary>
+## Transform specified type into a pty type
+## used by login programs, such as sshd.
+## </summary>
+## <param name="pty_type">
+## <summary>
+## An object type that will applied to a pty.
+## </summary>
+## </param>
+#
+interface(`term_login_pty',`
+ gen_require(`
+ attribute server_ptynode;
+ ')
+
+ term_pty($1)
+ typeattribute $1 server_ptynode;
+')
+
+########################################
+## <summary>
+## Transform specified type into a tty type.
+## </summary>
+## <param name="tty_type">
+## <summary>
+## An object type that will applied to a tty.
+## </summary>
+## </param>
+#
+interface(`term_tty',`
+ gen_require(`
+ attribute ttynode, serial_device;
+ type tty_device_t;
+ ')
+
+ typeattribute $1 ttynode, serial_device;
+
+ dev_node($1)
+')
+
+########################################
+## <summary>
+## Transform specified type into a user tty type.
+## </summary>
+## <param name="domain">
+## <summary>
+## User domain that is related to this tty.
+## </summary>
+## </param>
+## <param name="tty_type">
+## <summary>
+## An object type that will applied to a tty.
+## </summary>
+## </param>
+#
+interface(`term_user_tty',`
+ gen_require(`
+ attribute ttynode;
+ type console_device_t;
+ type tty_device_t;
+ ')
+
+ term_tty($2)
+
+ type_change $1 tty_device_t:chr_file $2;
+
+ # Debian login is from shadow utils and does not allow resetting the perms.
+ # have to fix this!
+ ifdef(`distro_debian',`
+ type_change $1 ttynode:chr_file $2;
+ ')
+
+ tunable_policy(`console_login',`
+ # When user logs in from /dev/console, relabel it
+ # to user tty type as well.
+ type_change $1 console_device_t:chr_file $2;
+ ')
+')
+
+########################################
+## <summary>
+## Create a pty in the /dev/pts directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process creating the pty.
+## </summary>
+## </param>
+## <param name="pty_type">
+## <summary>
+## The type of the pty.
+## </summary>
+## </param>
+#
+interface(`term_create_pty',`
+ gen_require(`
+ type bsdpty_device_t, devpts_t, ptmx_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ptmx_t:chr_file rw_file_perms;
+
+ allow $1 devpts_t:dir list_dir_perms;
+ allow $1 devpts_t:filesystem getattr;
+ dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
+ type_transition $1 devpts_t:chr_file $2;
+')
+
+########################################
+## <summary>
+## Write the console, all
+## ttys and all ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_write_all_terms',`
+ gen_require(`
+ attribute ttynode, ptynode;
+ type console_device_t, devpts_t, tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir list_dir_perms;
+ allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file write_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write the console, all
+## ttys and all ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_terms',`
+ gen_require(`
+ attribute ttynode, ptynode;
+ type console_device_t, devpts_t, tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir list_dir_perms;
+ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Write to the console.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_write_console',`
+ gen_require(`
+ type console_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 console_device_t:chr_file write_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Read from the console.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_read_console',`
+ gen_require(`
+ type console_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 console_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read from the console.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_dontaudit_read_console',`
+ gen_require(`
+ type console_device_t;
+ ')
+
+ dontaudit $1 console_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Read from and write to the console.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_console',`
+ gen_require(`
+ type console_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 console_device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attemtps to read from
+## or write to the console.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_use_console',`
+ gen_require(`
+ type console_device_t;
+ ')
+
+ dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Set the attributes of the console
+## device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_setattr_console',`
+ gen_require(`
+ type console_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 console_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Relabel from and to the console type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_console',`
+ gen_require(`
+ type console_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 console_device_t:chr_file relabel_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Create the console device (/dev/console).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_create_console_dev',`
+ gen_require(`
+ type console_device_t;
+ ')
+
+ dev_add_entry_generic_dirs($1)
+ allow $1 console_device_t:chr_file create;
+ allow $1 self:capability mknod;
+')
+
+########################################
+## <summary>
+## Get the attributes of a pty filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_getattr_pty_fs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of the /dev/pts directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_getattr_pty_dirs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dontaudit $1 devpts_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Search the contents of the /dev/pts directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_search_ptys',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the
+## contents of the /dev/pts directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_search_ptys',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dev_dontaudit_list_all_dev_nodes($1)
+ dontaudit $1 devpts_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read the /dev/pts directory to
+## list all ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_list_ptys',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read the
+## /dev/pts directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_list_ptys',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dontaudit $1 devpts_t:dir { getattr search read };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, or delete the /dev/pts directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_manage_pty_dirs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dontaudit $1 devpts_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of generic pty devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_getattr_generic_ptys',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dontaudit $1 devpts_t:chr_file getattr;
+')
+########################################
+## <summary>
+## ioctl of generic pty devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for ppp
+interface(`term_ioctl_generic_ptys',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir search;
+ allow $1 devpts_t:chr_file ioctl;
+')
+
+########################################
+## <summary>
+## Allow setting the attributes of
+## generic pty devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# dwalsh: added for rhgb
+interface(`term_setattr_generic_ptys',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Dontaudit setting the attributes of
+## generic pty devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+# dwalsh: added for rhgb
+interface(`term_dontaudit_setattr_generic_ptys',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dontaudit $1 devpts_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Read and write the generic pty
+## type. This is generally only used in
+## the targeted policy.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_use_generic_ptys',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir list_dir_perms;
+ allow $1 devpts_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+## Dot not audit attempts to read and
+## write the generic pty type. This is
+## generally only used in the targeted policy.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_use_generic_ptys',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+')
+
+#######################################
+## <summary>
+## Set the attributes of the tty device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_setattr_controlling_term',`
+ gen_require(`
+ type devtty_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devtty_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Read and write the controlling
+## terminal (/dev/tty).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_use_controlling_term',`
+ gen_require(`
+ type devtty_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devtty_t:chr_file { rw_term_perms lock append };
+')
+
+#######################################
+## <summary>
+## Get the attributes of the pty multiplexor (/dev/ptmx).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_getattr_ptmx',`
+ gen_require(`
+ type ptmx_t;
+ ')
+
+ allow $1 ptmx_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get attributes
+## on the pty multiplexor (/dev/ptmx).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_getattr_ptmx',`
+ gen_require(`
+ type ptmx_t;
+ ')
+
+ dontaudit $1 ptmx_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Read and write the pty multiplexor (/dev/ptmx).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_use_ptmx',`
+ gen_require(`
+ type ptmx_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ptmx_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write the pty multiplexor (/dev/ptmx).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_use_ptmx',`
+ gen_require(`
+ type ptmx_t;
+ ')
+
+ dontaudit $1 ptmx_t:chr_file { getattr read write };
+')
+
+########################################
+## <summary>
+## Get the attributes of all
+## pty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_getattr_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir list_dir_perms;
+ allow $1 ptynode:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of any pty
+## device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_getattr_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ ')
+
+ dontaudit $1 ptynode:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of all
+## pty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_setattr_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir list_dir_perms;
+ allow $1 ptynode:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Relabel to all ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabelto_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ ')
+
+ allow $1 ptynode:chr_file relabelto;
+')
+
+########################################
+## <summary>
+## Write to all ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_write_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ptynode:chr_file write_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write all ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir list_dir_perms;
+ allow $1 ptynode:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write any ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_use_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ ')
+
+ dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+## Relabel from and to all pty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ relabel_chr_files_pattern($1, devpts_t, ptynode)
+')
+
+########################################
+## <summary>
+## Get the attributes of all user
+## pty device nodes. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_getattr_all_user_ptys',`
+ refpolicywarn(`$0 has been deprecated, use term_getattr_all_ptys() instead.')
+ term_getattr_all_ptys($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of any user pty
+## device nodes. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_getattr_all_user_ptys',`
+ refpolicywarn(`$0 has been deprecated, use term_dontaudit_getattr_all_ptys() instead.')
+ term_dontaudit_getattr_all_ptys($1)
+')
+
+########################################
+## <summary>
+## Set the attributes of all user
+## pty device nodes. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_setattr_all_user_ptys',`
+ refpolicywarn(`$0 has been deprecated, use term_setattr_all_ptys() instead.')
+ term_setattr_all_ptys($1)
+')
+
+########################################
+## <summary>
+## Relabel to all user ptys. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabelto_all_user_ptys',`
+ refpolicywarn(`$0 has been deprecated, use term_relabelto_all_ptys() instead.')
+ term_relabelto_all_ptys($1)
+')
+
+########################################
+## <summary>
+## Write to all user ptys. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_write_all_user_ptys',`
+ refpolicywarn(`$0 has been deprecated, use term_write_all_ptys() instead.')
+ term_write_all_ptys($1)
+')
+
+########################################
+## <summary>
+## Read and write all user ptys. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_user_ptys',`
+ refpolicywarn(`$0 has been deprecated, use term_use_all_ptys() instead.')
+ term_use_all_ptys($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read any
+## user ptys. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_use_all_user_ptys',`
+ refpolicywarn(`$0 has been deprecated, use term_dontaudit_use_all_ptys() instead.')
+ term_dontaudit_use_all_ptys($1)
+')
+
+########################################
+## <summary>
+## Relabel from and to all user
+## user pty device nodes. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_all_user_ptys',`
+ refpolicywarn(`$0 has been deprecated, use term_relabel_all_ptys() instead.')
+ term_relabel_all_ptys($1)
+')
+
+########################################
+## <summary>
+## Get the attributes of all unallocated
+## tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_getattr_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tty_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_getattr_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dontaudit $1 tty_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of all unallocated
+## tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_setattr_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tty_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the attributes
+## of unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_setattr_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dontaudit $1 tty_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to ioctl
+## unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_ioctl_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dontaudit $1 tty_device_t:chr_file ioctl;
+')
+
+########################################
+## <summary>
+## Relabel from and to the unallocated
+## tty type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tty_device_t:chr_file relabel_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel from all user tty types to
+## the unallocated tty type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_reset_tty_labels',`
+ gen_require(`
+ attribute ttynode;
+ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file relabelfrom;
+ allow $1 tty_device_t:chr_file relabelto;
+')
+
+########################################
+## <summary>
+## Append to unallocated ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_append_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tty_device_t:chr_file append_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Write to unallocated ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_write_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tty_device_t:chr_file write_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write unallocated ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tty_device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or
+## write unallocated ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_use_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of all tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_getattr_all_ttys',`
+ gen_require(`
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of any tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_getattr_all_ttys',`
+ gen_require(`
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ dontaudit $1 ttynode:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of all tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_setattr_all_ttys',`
+ gen_require(`
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Relabel from and to all tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_all_ttys',`
+ gen_require(`
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file relabel_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Write to all ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_write_all_ttys',`
+ gen_require(`
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file write_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write all ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_ttys',`
+ gen_require(`
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## any ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_use_all_ttys',`
+ gen_require(`
+ attribute ttynode;
+ ')
+
+ dontaudit $1 ttynode:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of all user tty
+## device nodes. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_getattr_all_user_ttys',`
+ refpolicywarn(`$0() is deprecated, use term_getattr_all_ttys() instead.')
+ term_getattr_all_ttys($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of any user tty
+## device nodes. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_getattr_all_user_ttys',`
+ refpolicywarn(`$0() is deprecated, use term_dontaudit_getattr_all_ttys() instead.')
+ term_dontaudit_getattr_all_ttys($1)
+')
+
+########################################
+## <summary>
+## Set the attributes of all user tty
+## device nodes. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_setattr_all_user_ttys',`
+ refpolicywarn(`$0() is deprecated, use term_setattr_all_ttys() instead.')
+ term_setattr_all_ttys($1)
+')
+
+########################################
+## <summary>
+## Relabel from and to all user
+## user tty device nodes. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_all_user_ttys',`
+ refpolicywarn(`$0() is deprecated, use term_relabel_all_ttys() instead.')
+ term_relabel_all_ttys($1)
+')
+
+########################################
+## <summary>
+## Write to all user ttys. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_write_all_user_ttys',`
+ refpolicywarn(`$0() is deprecated, use term_write_all_ttys() instead.')
+ term_write_all_ttys($1)
+')
+
+########################################
+## <summary>
+## Read and write all user to all user ttys. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_user_ttys',`
+ refpolicywarn(`$0() is deprecated, use term_use_all_ttys() instead.')
+ term_use_all_ttys($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## any user ttys. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_use_all_user_ttys',`
+ refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
+ term_dontaudit_use_all_ttys($1)
+')
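Review bot: `term_dontaudit_getattr_all_ttys` calls `dev_list_all_dev_nodes($1)`, which is an allow interface, so a dontaudit interface silently grants its caller the ability to list /dev; the sibling `term_dontaudit_search_ptys` correctly uses the dontaudit variant for the same purpose, and this body should do likewise: `dev_dontaudit_list_all_dev_nodes($1)`. The `<param>` summary of `term_getattr_ptmx` reads "Domain to not audit." although the body is an allow rule, while the deprecated wrappers `term_dontaudit_getattr_all_user_ptys` and `term_dontaudit_use_all_user_ttys` have the opposite mismatch ("Domain allowed access." on dontaudit interfaces); these should read "Domain allowed access." and "Domain to not audit." respectively. The `gen_require` block of `term_tty` lists `type tty_device_t`, which the body never references. Minor: "attemtps" in `term_dontaudit_use_console` and "Dot not audit" in `term_dontaudit_use_generic_ptys` are typos in the generated interface documentation, and the deprecation messages alternate between "`$0 has been deprecated`" and "`$0() is deprecated`" for no apparent reason.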
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
new file mode 100644
index 00000000..9d646592
--- /dev/null
+++ b/policy/modules/kernel/terminal.te
@@ -0,0 +1,58 @@
+policy_module(terminal, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+attribute ttynode;
+attribute ptynode;
+attribute server_ptynode;
+attribute serial_device;
+
+#
+# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
+type bsdpty_device_t;
+dev_node(bsdpty_device_t)
+
+#
+# console_device_t is the type of /dev/console.
+#
+type console_device_t;
+dev_node(console_device_t)
+
+#
+# devpts_t is the type of the devpts file system and
+# the type of the root directory of the file system.
+#
+type devpts_t;
+files_mountpoint(devpts_t)
+fs_associate_tmpfs(devpts_t)
+fs_type(devpts_t)
+fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
+
+#
+# devtty_t is the type of /dev/tty.
+#
+type devtty_t;
+dev_node(devtty_t)
+mls_trusted_object(devtty_t)
+
+#
+# ptmx_t is the type for /dev/ptmx.
+#
+type ptmx_t;
+dev_node(ptmx_t)
+mls_trusted_object(ptmx_t)
+allow ptmx_t devpts_t:filesystem associate;
+
+#
+# tty_device_t is the type of /dev/*tty*
+#
+type tty_device_t, serial_device;
+dev_node(tty_device_t)
+
+#
+# usbtty_device_t is the type of /dev/usr/tty*
+#
+type usbtty_device_t, serial_device;
+dev_node(usbtty_device_t)
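Review bot: The header comment `# usbtty_device_t is the type of /dev/usr/tty*` does not match the type's name; USB serial nodes conventionally sit under /dev/usb/, so this reads as a typo for `/dev/usb/tty*` — terminal.fc is not in this view, so confirm against it before changing the comment. The two `mls_trusted_object()` calls on devtty_t and ptmx_t are the security-relevant lines in this file and carry no explanation; they exempt those nodes from MLS constraints, and a reader should not have to infer why. I would put `# shared by processes at every level; exempt from MLS constraints` above each. The three `attribute` declarations (ttynode, ptynode, server_ptynode) are never assigned in this file; a one-line note that they are presumably populated via the term_* interfaces in terminal.if (outside this view) would help the next reader.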
diff --git a/policy/modules/kernel/ubac.fc b/policy/modules/kernel/ubac.fc
new file mode 100644
index 00000000..778366f8
--- /dev/null
+++ b/policy/modules/kernel/ubac.fc
@@ -0,0 +1 @@
+# no UBAC file contexts
diff --git a/policy/modules/kernel/ubac.if b/policy/modules/kernel/ubac.if
new file mode 100644
index 00000000..464f759e
--- /dev/null
+++ b/policy/modules/kernel/ubac.if
@@ -0,0 +1,197 @@
+## <summary>User-based access control policy</summary>
+## <required val="true">
+## Contains attributes used in UBAC policy.
+## </required>
+
+########################################
+## <summary>
+## Constrain by user-based access control (UBAC).
+## </summary>
+## <desc>
+## <p>
+## Constrain the specified type by user-based
+## access control (UBAC). Typically, these are
+## user processes or user files that need to be
+## differentiated by SELinux user. Normally this
+## does not include administrative or privileged
+## programs. For the UBAC rules to be enforced,
+## both the subject (source) type and the object
+## (target) types must be UBAC constrained.
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type to be constrained by UBAC.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`ubac_constrained',`
+ gen_require(`
+ attribute ubac_constrained_type;
+ ')
+
+ typeattribute $1 ubac_constrained_type;
+')
+
+########################################
+## <summary>
+## Exempt user-based access control for files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be exempted.
+## </summary>
+## </param>
+#
+interface(`ubac_file_exempt',`
+ gen_require(`
+ attribute ubacfile;
+ ')
+
+ typeattribute $1 ubacfile;
+')
+
+########################################
+## <summary>
+## Exempt user-based access control for processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be exempted.
+## </summary>
+## </param>
+#
+interface(`ubac_process_exempt',`
+ gen_require(`
+ attribute ubacproc;
+ ')
+
+ typeattribute $1 ubacproc;
+')
+
+########################################
+## <summary>
+## Exempt user-based access control for file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be exempted.
+## </summary>
+## </param>
+#
+interface(`ubac_fd_exempt',`
+ gen_require(`
+ attribute ubacfd;
+ ')
+
+ typeattribute $1 ubacfd;
+')
+
+########################################
+## <summary>
+## Exempt user-based access control for sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be exempted.
+## </summary>
+## </param>
+#
+interface(`ubac_socket_exempt',`
+ gen_require(`
+ attribute ubacsock;
+ ')
+
+ typeattribute $1 ubacsock;
+')
+
+########################################
+## <summary>
+## Exempt user-based access control for SysV IPC.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be exempted.
+## </summary>
+## </param>
+#
+interface(`ubac_sysvipc_exempt',`
+ gen_require(`
+ attribute ubacipc;
+ ')
+
+ typeattribute $1 ubacipc;
+')
+
+########################################
+## <summary>
+## Exempt user-based access control for X Windows.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be exempted.
+## </summary>
+## </param>
+#
+interface(`ubac_xwin_exempt',`
+ gen_require(`
+ attribute ubacxwin;
+ ')
+
+ typeattribute $1 ubacxwin;
+')
+
+########################################
+## <summary>
+## Exempt user-based access control for dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be exempted.
+## </summary>
+## </param>
+#
+interface(`ubac_dbus_exempt',`
+ gen_require(`
+ attribute ubacdbus;
+ ')
+
+ typeattribute $1 ubacdbus;
+')
+
+########################################
+## <summary>
+## Exempt user-based access control for keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be exempted.
+## </summary>
+## </param>
+#
+interface(`ubac_key_exempt',`
+ gen_require(`
+ attribute ubackey;
+ ')
+
+ typeattribute $1 ubackey;
+')
+
+########################################
+## <summary>
+## Exempt user-based access control for databases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be exempted.
+## </summary>
+## </param>
+#
+interface(`ubac_db_exempt',`
+ gen_require(`
+ attribute ubacdb;
+ ')
+
+ typeattribute $1 ubacdb;
+')
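Review bot: The nine `ubac_*_exempt` interfaces each document only "Domain to be exempted" and never say what being exempt means or that it is a privilege-widening change. The `ubac_constrained` desc at the top of the file explains that both subject and object types must be constrained for a UBAC rule to apply; the exempt attributes (ubacfile, ubacproc, ...) are presumably the escape hatch in the constraints file, which is outside this view. Add a `<desc>` to each, e.g. for ubac_file_exempt: "The domain may access files of any SELinux user regardless of UBAC; use only for trusted administrative or system domains." The module summary could carry the same warning so the exemptions are not picked up by ordinary user domains.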
diff --git a/policy/modules/kernel/ubac.te b/policy/modules/kernel/ubac.te
new file mode 100644
index 00000000..0a57c412
--- /dev/null
+++ b/policy/modules/kernel/ubac.te
@@ -0,0 +1,19 @@
+policy_module(ubac, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute ubac_constrained_type;
+
+attribute ubacfile;
+attribute ubacproc;
+attribute ubacsock;
+attribute ubacfd;
+attribute ubacipc;
+attribute ubacxwin;
+attribute ubacdbus;
+attribute ubackey;
+attribute ubacdb;
+
diff --git a/policy/modules/roles/auditadm.fc b/policy/modules/roles/auditadm.fc
new file mode 100644
index 00000000..601a7b02
--- /dev/null
+++ b/policy/modules/roles/auditadm.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/auditadm.if b/policy/modules/roles/auditadm.if
new file mode 100644
index 00000000..d320022b
--- /dev/null
+++ b/policy/modules/roles/auditadm.if
@@ -0,0 +1,50 @@
+## <summary>Audit administrator role</summary>
+
+########################################
+## <summary>
+## Change to the audit administrator role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`auditadm_role_change',`
+ gen_require(`
+ role auditadm_r;
+ ')
+
+ allow $1 auditadm_r;
+')
+
+########################################
+## <summary>
+## Change from the audit administrator role.
+## </summary>
+## <desc>
+## <p>
+## Change from the audit administrator role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`auditadm_role_change_to',`
+ gen_require(`
+ role auditadm_r;
+ ')
+
+ allow auditadm_r $1;
+')
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
new file mode 100644
index 00000000..834a065d
--- /dev/null
+++ b/policy/modules/roles/auditadm.te
@@ -0,0 +1,65 @@
+policy_module(auditadm, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+role auditadm_r;
+role system_r;
+userdom_unpriv_user_template(auditadm)
+
+########################################
+#
+# Local policy
+#
+
+allow auditadm_t self:capability { dac_read_search dac_override };
+
+kernel_read_ring_buffer(auditadm_t)
+
+corecmd_exec_shell(auditadm_t)
+
+domain_kill_all_domains(auditadm_t)
+
+logging_send_syslog_msg(auditadm_t)
+logging_read_generic_logs(auditadm_t)
+logging_manage_audit_log(auditadm_t)
+logging_manage_audit_config(auditadm_t)
+logging_run_auditctl(auditadm_t, auditadm_r)
+logging_run_auditd(auditadm_t, auditadm_r)
+
+seutil_run_runinit(auditadm_t, auditadm_r)
+seutil_read_bin_policy(auditadm_t)
+
+optional_policy(`
+ consoletype_exec(auditadm_t)
+')
+
+optional_policy(`
+ dmesg_exec(auditadm_t)
+')
+
+optional_policy(`
+ screen_role_template(auditadm, auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ secadm_role_change(auditadm_r)
+')
+
+optional_policy(`
+ su_role_template(auditadm, auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ sudo_role_template(auditadm, auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ sysadm_role_change(auditadm_r)
+')
+
+optional_policy(`
+ vlock_run(auditadm_t, auditadm_r)
+')
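Review bot: `allow auditadm_t self:capability { dac_read_search dac_override };` grants the audit administrator full DAC bypass with no comment on why dac_read_search alone is insufficient; dac_override also permits writing files the role does not own, which is more than reading and managing audit logs needs. `domain_kill_all_domains(auditadm_t)` likewise lets this role signal every domain on the system and deserves a why-comment, e.g. `# allow terminating any process when auditing must be stopped — confirm still required`. `role system_r;` is declared in the Declarations section but nothing in this hunk references system_r; if one of the `logging_run_*` interfaces needs it, say so in a comment, otherwise drop the declaration.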
diff --git a/policy/modules/roles/logadm.fc b/policy/modules/roles/logadm.fc
new file mode 100644
index 00000000..601a7b02
--- /dev/null
+++ b/policy/modules/roles/logadm.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/logadm.if b/policy/modules/roles/logadm.if
new file mode 100644
index 00000000..c9740e5f
--- /dev/null
+++ b/policy/modules/roles/logadm.if
@@ -0,0 +1,50 @@
+## <summary>Log administrator role</summary>
+
+########################################
+## <summary>
+## Change to the log administrator role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logadm_role_change',`
+ gen_require(`
+ role logadm_r;
+ ')
+
+ allow $1 logadm_r;
+')
+
+########################################
+## <summary>
+## Change from the log administrator role.
+## </summary>
+## <desc>
+## <p>
+## Change from the log administrator role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logadm_role_change_to',`
+ gen_require(`
+ role logadm_r;
+ ')
+
+ allow logadm_r $1;
+')
diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
new file mode 100644
index 00000000..3a45a3ef
--- /dev/null
+++ b/policy/modules/roles/logadm.te
@@ -0,0 +1,19 @@
+policy_module(logadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role logadm_r;
+
+userdom_base_user_template(logadm)
+
+########################################
+#
+# logadmin local policy
+#
+
+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+logging_admin(logadm_t, logadm_r)
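Review bot: `allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };` gives a log administrator sys_ptrace with no justification; together with SELinux process ptrace permissions that capability enables inspection of other processes and their /proc entries, which managing logs does not obviously require. kill and sys_nice are also unexplained. Either narrow the set or add a why-comment per capability, e.g. `# sys_ptrace: read /proc/<pid> of daemons owned by other users for log tools — confirm still needed`. The section header `# logadmin local policy` should also read `# logadm local policy` to match the module name.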
diff --git a/policy/modules/roles/metadata.xml b/policy/modules/roles/metadata.xml
new file mode 100644
index 00000000..ba002e80
--- /dev/null
+++ b/policy/modules/roles/metadata.xml
@@ -0,0 +1 @@
+<summary>Policy modules for user roles.</summary>
diff --git a/policy/modules/roles/secadm.fc b/policy/modules/roles/secadm.fc
new file mode 100644
index 00000000..601a7b02
--- /dev/null
+++ b/policy/modules/roles/secadm.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/secadm.if b/policy/modules/roles/secadm.if
new file mode 100644
index 00000000..bb6a5feb
--- /dev/null
+++ b/policy/modules/roles/secadm.if
@@ -0,0 +1,51 @@
+## <summary>Security administrator role</summary>
+
+########################################
+## <summary>
+## Change to the security administrator role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`secadm_role_change',`
+ gen_require(`
+ role secadm_r;
+ ')
+
+ allow $1 secadm_r;
+')
+
+########################################
+## <summary>
+## Change from the security administrator role.
+## </summary>
+## <desc>
+## <p>
+## Change from the security administrator role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`secadm_role_change_to_template',`
+ gen_require(`
+ role secadm_r;
+ ')
+
+ allow secadm_r $1;
+')
+
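Review bot: The second interface is named `secadm_role_change_to_template` while every sibling role module in this commit uses the `<role>_role_change_to` name (auditadm, logadm, staff, sysadm, unprivuser), and nothing about it is a template — it declares no types and only emits `allow secadm_r $1;`. Rename it to `secadm_role_change_to` so callers can rely on the convention. If third-party callers must keep working, keep the old name as a thin wrapper that calls the new one and emits `refpolicywarn()`, the pattern terminal.if in this same commit uses for its deprecated interfaces.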
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
new file mode 100644
index 00000000..89ddeaa3
--- /dev/null
+++ b/policy/modules/roles/secadm.te
@@ -0,0 +1,76 @@
+policy_module(secadm, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+role secadm_r;
+
+userdom_unpriv_user_template(secadm)
+userdom_security_admin_template(secadm_t, secadm_r)
+
+########################################
+#
+# Local policy
+#
+
+allow secadm_t self:capability { dac_read_search dac_override };
+
+corecmd_exec_shell(secadm_t)
+
+dev_relabel_all_dev_nodes(secadm_t)
+
+domain_obj_id_change_exemption(secadm_t)
+
+mls_process_read_up(secadm_t)
+mls_file_read_all_levels(secadm_t)
+mls_file_write_all_levels(secadm_t)
+mls_file_upgrade(secadm_t)
+mls_file_downgrade(secadm_t)
+
+auth_role(secadm_r, secadm_t)
+auth_relabel_all_files_except_auth_files(secadm_t)
+auth_relabel_shadow(secadm_t)
+
+init_exec(secadm_t)
+
+logging_read_audit_log(secadm_t)
+logging_read_generic_logs(secadm_t)
+logging_read_audit_config(secadm_t)
+
+optional_policy(`
+ aide_run(secadm_t, secadm_r)
+')
+
+optional_policy(`
+ auditadm_role_change(secadm_r)
+')
+
+optional_policy(`
+ dmesg_exec(secadm_t)
+')
+
+optional_policy(`
+ netlabel_run_mgmt(secadm_t, secadm_r)
+')
+
+optional_policy(`
+ screen_role_template(secadm, secadm_r, secadm_t)
+')
+
+optional_policy(`
+ su_role_template(secadm, secadm_r, secadm_t)
+')
+
+optional_policy(`
+ sudo_role_template(secadm, secadm_r, secadm_t)
+')
+
+optional_policy(`
+ sysadm_role_change(secadm_r)
+')
+
+optional_policy(`
+ vlock_run(secadm_t, secadm_r)
+')
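Review bot: This role can change into sysadm_r via `sysadm_role_change(secadm_r)` at the end of the file, while sysadm.te in the same commit grants the reverse direction, so the security-admin / system-admin separation that secadm exists for is only as strong as the newrole/sudo authentication between them; if that is intentional, say so with a comment on that optional_policy block. The grants `mls_file_write_all_levels(secadm_t)`, `mls_file_downgrade(secadm_t)` and `auth_relabel_shadow(secadm_t)` are the most sensitive lines in this file and carry no explanation either. A one-line why-comment on each (e.g. `# relabel and regrade files across levels`) would let a reviewer verify intent rather than guess.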
diff --git a/policy/modules/roles/staff.fc b/policy/modules/roles/staff.fc
new file mode 100644
index 00000000..601a7b02
--- /dev/null
+++ b/policy/modules/roles/staff.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
new file mode 100644
index 00000000..234a940f
--- /dev/null
+++ b/policy/modules/roles/staff.if
@@ -0,0 +1,50 @@
+## <summary>Administrator's unprivileged user role</summary>
+
+########################################
+## <summary>
+## Change to the staff role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`staff_role_change',`
+ gen_require(`
+ role staff_r;
+ ')
+
+ allow $1 staff_r;
+')
+
+########################################
+## <summary>
+## Change from the staff role.
+## </summary>
+## <desc>
+## <p>
+## Change from the staff role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`staff_role_change_to',`
+ gen_require(`
+ role staff_r;
+ ')
+
+ allow staff_r $1;
+')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
new file mode 100644
index 00000000..b625c18d
--- /dev/null
+++ b/policy/modules/roles/staff.te
@@ -0,0 +1,198 @@
+policy_module(staff, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+role staff_r;
+
+userdom_unpriv_user_template(staff)
+
+########################################
+#
+# Local policy
+#
+
+optional_policy(`
+ apache_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ auditadm_role_change(staff_r)
+')
+
+optional_policy(`
+ dbadm_role_change(staff_r)
+')
+
+optional_policy(`
+ git_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ postgresql_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ secadm_role_change(staff_r)
+')
+
+optional_policy(`
+ ssh_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+ sudo_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+ sysadm_role_change(staff_r)
+ userdom_dontaudit_use_user_terminals(staff_t)
+')
+
+optional_policy(`
+ vlock_run(staff_t, staff_r)
+')
+
+optional_policy(`
+ xserver_role(staff_r, staff_t)
+')
+
+ifndef(`distro_redhat',`
+ optional_policy(`
+ auth_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ bluetooth_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ cdrecord_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ cron_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ dbus_role_template(staff, staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ evolution_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ games_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ gift_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ gnome_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ gorg_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ gpg_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ irc_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ java_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ links_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ lockdev_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ lpd_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ mozilla_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ mplayer_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ mta_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ mutt_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ pan_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ pyzor_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ razor_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ rssh_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ skype_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ screen_role_template(staff, staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ spamassassin_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ su_role_template(staff, staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ thunderbird_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ tvtime_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ uml_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ userhelper_role_template(staff, staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ vmware_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ wireshark_role(staff_r, staff_t)
+ ')
+')
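Review bot: `userdom_dontaudit_use_user_terminals(staff_t)` sits inside the `optional_policy` block with `sysadm_role_change(staff_r)` but has no stated connection to it; it is a userdomain interface, so it silently disappears whenever the sysadm module is not loaded. If the dontaudit is meant to quiet terminal denials from staff sessions started out of a sysadm session, add `# silence tty denials when a sysadm session drops to staff_r` above it; otherwise move it outside the block. The `auth_role(staff_r, staff_t)` entry under `ifndef(distro_redhat)` is the security-relevant one in that long list and would benefit from a comment on why Red Hat builds exclude it (the interface itself is outside this view).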
diff --git a/policy/modules/roles/sysadm.fc b/policy/modules/roles/sysadm.fc
new file mode 100644
index 00000000..601a7b02
--- /dev/null
+++ b/policy/modules/roles/sysadm.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
new file mode 100644
index 00000000..ff924307
--- /dev/null
+++ b/policy/modules/roles/sysadm.if
@@ -0,0 +1,238 @@
+## <summary>General system administration role</summary>
+
+########################################
+## <summary>
+## Change to the system administrator role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysadm_role_change',`
+ gen_require(`
+ role sysadm_r;
+ ')
+
+ allow $1 sysadm_r;
+')
+
+########################################
+## <summary>
+## Change from the system administrator role.
+## </summary>
+## <desc>
+## <p>
+## Change from the system administrator role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysadm_role_change_to',`
+ gen_require(`
+ role sysadm_r;
+ ')
+
+ allow sysadm_r $1;
+')
+
+########################################
+## <summary>
+## Execute a shell in the sysadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_shell_domtrans',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ corecmd_shell_domtrans($1, sysadm_t)
+ allow sysadm_t $1:fd use;
+ allow sysadm_t $1:fifo_file rw_file_perms;
+ allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute a generic bin program in the sysadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_bin_spec_domtrans',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ corecmd_bin_spec_domtrans($1, sysadm_t)
+ allow sysadm_t $1:fd use;
+ allow sysadm_t $1:fifo_file rw_file_perms;
+ allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute all entrypoint files in the sysadm domain. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_entry_spec_domtrans',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ domain_entry_file_spec_domtrans($1, sysadm_t)
+ allow sysadm_t $1:fd use;
+ allow sysadm_t $1:fifo_file rw_file_perms;
+ allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Allow sysadm to execute all entrypoint files in
+## a specified domain. This is an explicit transition,
+## requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+## <p>
+## Allow sysadm to execute all entrypoint files in
+## a specified domain. This is an explicit transition,
+## requiring the caller to use setexeccon().
+## </p>
+## <p>
+## This is a interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_entry_spec_domtrans_to',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ domain_entry_file_spec_domtrans(sysadm_t, $1)
+ allow $1 sysadm_t:fd use;
+ allow $1 sysadm_t:fifo_file rw_file_perms;
+ allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Allow sysadm to execute a generic bin program in
+## a specified domain. This is an explicit transition,
+## requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+## <p>
+## Allow sysadm to execute a generic bin program in
+## a specified domain.
+## </p>
+## <p>
+## This is a interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to execute in.
+## </summary>
+## </param>
+#
+interface(`sysadm_bin_spec_domtrans_to',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ corecmd_bin_spec_domtrans(sysadm_t, $1)
+ allow $1 sysadm_t:fd use;
+ allow $1 sysadm_t:fifo_file rw_file_perms;
+ allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to sysadm users.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_sigchld',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Inherit and use sysadm file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_use_fds',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ allow $1 sysadm_t:fd use;
+')
+
+########################################
+## <summary>
+## Read and write sysadm user unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_rw_pipes',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
+')
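Review bot: `sysadm_shell_domtrans`, `sysadm_bin_spec_domtrans` and `sysadm_entry_spec_domtrans` hand the calling domain a transition into sysadm_t yet document only "Domain allowed access"; since sysadm_t is the most privileged confined domain in this commit, each should carry a `<desc>` stating that the caller must itself be trusted and that the role authorization is separately required (these interfaces grant no role). As a style point, the fifo rules in those three interfaces and in the two `_to` variants use `fifo_file rw_file_perms`, whereas `sysadm_rw_pipes` uses `rw_fifo_file_perms`. Use the fifo-specific macro consistently, e.g. `allow sysadm_t $1:fifo_file rw_fifo_file_perms;`, so the permission sets cannot drift if the object-class macros are changed.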
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
new file mode 100644
index 00000000..317e327b
--- /dev/null
+++ b/policy/modules/roles/sysadm.te
@@ -0,0 +1,509 @@
+policy_module(sysadm, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow sysadm to debug or ptrace all processes.
+## </p>
+## </desc>
+gen_tunable(allow_ptrace, false)
+
+role sysadm_r;
+
+userdom_admin_user_template(sysadm)
+
+ifndef(`enable_mls',`
+ userdom_security_admin_template(sysadm_t, sysadm_r)
+')
+
+########################################
+#
+# Local policy
+#
+
+corecmd_exec_shell(sysadm_t)
+
+mls_process_read_up(sysadm_t)
+
+ubac_process_exempt(sysadm_t)
+ubac_file_exempt(sysadm_t)
+ubac_fd_exempt(sysadm_t)
+
+init_exec(sysadm_t)
+
+# Add/remove user home directories
+userdom_manage_user_home_dirs(sysadm_t)
+userdom_home_filetrans_user_home_dir(sysadm_t)
+
+ifdef(`direct_sysadm_daemon',`
+ optional_policy(`
+ init_run_daemon(sysadm_t, sysadm_r)
+ ')
+',`
+ ifdef(`distro_gentoo',`
+ optional_policy(`
+ seutil_init_script_run_runinit(sysadm_t, sysadm_r)
+ ')
+ ')
+')
+
+ifdef(`distro_gentoo',`
+ init_exec_rc(sysadm_t)
+')
+
+ifndef(`enable_mls',`
+ logging_manage_audit_log(sysadm_t)
+ logging_manage_audit_config(sysadm_t)
+ logging_run_auditctl(sysadm_t, sysadm_r)
+')
+
+tunable_policy(`allow_ptrace',`
+ domain_ptrace_all_domains(sysadm_t)
+')
+
+optional_policy(`
+ amanda_run_recover(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ apache_run_helper(sysadm_t, sysadm_r)
+ #apache_run_all_scripts(sysadm_t, sysadm_r)
+ #apache_domtrans_sys_script(sysadm_t)
+ apache_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ # cjp: why is this not apm_run_client
+ apm_domtrans_client(sysadm_t)
+')
+
+optional_policy(`
+ apt_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ asterisk_stream_connect(sysadm_t)
+')
+
+optional_policy(`
+ auditadm_role_change(sysadm_r)
+')
+
+optional_policy(`
+ bacula_run_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ backup_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bind_run_ndc(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bootloader_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ certwatch_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ clock_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ clockspeed_run_cli(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ consoletype_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cvs_exec(sysadm_t)
+')
+
+optional_policy(`
+ dcc_run_cdcc(sysadm_t, sysadm_r)
+ dcc_run_client(sysadm_t, sysadm_r)
+ dcc_run_dbclean(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ddcprobe_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dmesg_exec(sysadm_t)
+')
+
+optional_policy(`
+ dmidecode_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dpkg_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dracut_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ firstboot_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ fstools_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ git_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ hostname_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ hadoop_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ # allow system administrator to use the ipsec script to look
+ # at things (e.g., ipsec auto --status)
+ # probably should create an ipsec_admin role for this kind of thing
+ ipsec_exec_mgmt(sysadm_t)
+ ipsec_stream_connect(sysadm_t)
+ # for lsof
+ ipsec_getattr_key_sockets(sysadm_t)
+')
+
+optional_policy(`
+ iptables_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kudzu_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ libs_run_ldconfig(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lockdev_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ logrotate_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lpd_run_checkpc(sysadm_t, sysadm_r)
+ lpd_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ lvm_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ modutils_run_depmod(sysadm_t, sysadm_r)
+ modutils_run_insmod(sysadm_t, sysadm_r)
+ modutils_run_update_mods(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ mount_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ mozilla_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ mplayer_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ mta_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ munin_stream_connect(sysadm_t)
+')
+
+optional_policy(`
+ mutt_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(sysadm_t)
+')
+
+optional_policy(`
+ networkmanager_run_wpa_cli(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ netutils_run(sysadm_t, sysadm_r)
+ netutils_run_ping(sysadm_t, sysadm_r)
+ netutils_run_traceroute(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nginx_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ntp_stub()
+ corenet_udp_bind_ntp_port(sysadm_t)
+')
+
+optional_policy(`
+ oav_run_update(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pcmcia_run_cardctl(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ portage_run(sysadm_t, sysadm_r)
+ portage_run_fetch(sysadm_t, sysadm_r)
+ portage_run_gcc_config(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ portmap_run_helper(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pyzor_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ qemu_read_state(sysadm_t)
+ qemu_signal(sysadm_t)
+ qemu_kill(sysadm_t)
+ qemu_setsched(sysadm_t)
+ qemu_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ quota_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ raid_run_mdadm(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ razor_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ rpc_domtrans_nfsd(sysadm_t)
+')
+
+optional_policy(`
+ rpm_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rssh_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ rsync_exec(sysadm_t)
+')
+
+optional_policy(`
+ samba_run_net(sysadm_t, sysadm_r)
+ samba_run_winbind_helper(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ samhain_admin(sysadm_t)
+')
+
+optional_policy(`
+ screen_role_template(sysadm, sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ secadm_role_change(sysadm_r)
+')
+
+optional_policy(`
+ seutil_run_setfiles(sysadm_t, sysadm_r)
+ seutil_run_runinit(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ spamassassin_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ ssh_role_template(sysadm, sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ staff_role_change(sysadm_r)
+')
+
+optional_policy(`
+ su_role_template(sysadm, sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ sudo_role_template(sysadm, sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ sysnet_run_ifconfig(sysadm_t, sysadm_r)
+ sysnet_run_dhcpc(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ thunderbird_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ tripwire_run_siggen(sysadm_t, sysadm_r)
+ tripwire_run_tripwire(sysadm_t, sysadm_r)
+ tripwire_run_twadmin(sysadm_t, sysadm_r)
+ tripwire_run_twprint(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tvtime_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ tzdata_domtrans(sysadm_t)
+')
+
+optional_policy(`
+ uml_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(sysadm_t)
+')
+
+optional_policy(`
+ unprivuser_role_change(sysadm_r)
+')
+
+optional_policy(`
+ usbmodules_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ usermanage_run_admin_passwd(sysadm_t, sysadm_r)
+ usermanage_run_groupadd(sysadm_t, sysadm_r)
+ usermanage_run_useradd(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ vde_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ virt_stream_connect(sysadm_t)
+')
+
+optional_policy(`
+ vmware_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ vpn_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ webalizer_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ wireshark_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ vlock_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ xserver_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ yam_run(sysadm_t, sysadm_r)
+')
+
+ifndef(`distro_redhat',`
+ optional_policy(`
+ auth_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ bluetooth_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ cdrecord_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ cron_admin_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ evolution_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ games_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ gift_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ gnome_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ gorg_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ gpg_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ irc_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ java_role(sysadm_r, sysadm_t)
+ ')
+')
+
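Review bot: `unconfined_domtrans(sysadm_t)` inside the optional_policy near the end of the file gives sysadm_t a domain transition into the unconfined domain whenever the unconfined module is loaded, which effectively removes confinement from this role on such builds, and the line has no comment. This is a larger grant than the tunable-gated `domain_ptrace_all_domains(sysadm_t)` earlier in the file, which at least defaults off; consider gating it the same way or documenting the decision with `# sysadm becomes unconfined when the unconfined module is present — intentional`. The three `ubac_*_exempt(sysadm_t)` calls likewise exempt the role from user-based separation without a why-comment, though that is expected for an administrator. The `_domtrans` naming convention (compare `sysadm_shell_domtrans` in sysadm.if) implies an automatic transition; unconfined.if is not in view, so confirm whether it is automatic or explicit.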
diff --git a/policy/modules/roles/unprivuser.fc b/policy/modules/roles/unprivuser.fc
new file mode 100644
index 00000000..601a7b02
--- /dev/null
+++ b/policy/modules/roles/unprivuser.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
new file mode 100644
index 00000000..38355964
--- /dev/null
+++ b/policy/modules/roles/unprivuser.if
@@ -0,0 +1,50 @@
+## <summary>Generic unprivileged user role</summary>
+
+########################################
+## <summary>
+## Change to the generic user role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`unprivuser_role_change',`
+ gen_require(`
+ role user_r;
+ ')
+
+ allow $1 user_r;
+')
+
+########################################
+## <summary>
+## Change from the generic user role.
+## </summary>
+## <desc>
+## <p>
+## Change from the generic user role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`unprivuser_role_change_to',`
+ gen_require(`
+ role user_r;
+ ')
+
+ allow user_r $1;
+')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
new file mode 100644
index 00000000..59428ec9
--- /dev/null
+++ b/policy/modules/roles/unprivuser.te
@@ -0,0 +1,183 @@
+policy_module(unprivuser, 2.3.0)
+
+# this module should be named user, but that is
+# a compile error since user is a keyword.
+
+########################################
+#
+# Declarations
+#
+
+role user_r;
+
+userdom_unpriv_user_template(user)
+
+optional_policy(`
+ apache_role(user_r, user_t)
+')
+
+optional_policy(`
+ git_role(user_r, user_t)
+')
+
+optional_policy(`
+ screen_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
+ vlock_run(user_t, user_r)
+')
+
+optional_policy(`
+ xserver_role(user_r, user_t)
+')
+
+ifndef(`distro_redhat',`
+ optional_policy(`
+ auth_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ bluetooth_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ cdrecord_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ cron_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ dbus_role_template(user, user_r, user_t)
+ ')
+
+ optional_policy(`
+ evolution_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ games_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ gift_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ gnome_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ gorg_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ gpg_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ hadoop_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ irc_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ java_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ links_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ lockdev_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ lpd_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ mozilla_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ mplayer_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ mta_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ mutt_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ pan_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ postgresql_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ pyzor_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ razor_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ rssh_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ skype_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ spamassassin_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ ssh_role_template(user, user_r, user_t)
+ ')
+
+ optional_policy(`
+ su_role_template(user, user_r, user_t)
+ ')
+
+ optional_policy(`
+ sudo_role_template(user, user_r, user_t)
+ ')
+
+ optional_policy(`
+ thunderbird_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ tvtime_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ uml_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ userhelper_role_template(user, user_r, user_t)
+ ')
+
+ optional_policy(`
+ vmware_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+ wireshark_role(user_r, user_t)
+ ')
+')
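Review bot: The `ifndef(`distro_redhat',` block starting at L316038 excludes roughly thirty role bindings (auth, cron, dbus, gnome, ssh, su, sudo, ...) on Red Hat builds with no comment saying why, and the same undocumented block appears in the sysadm hunk above at L315881. A maintainer cannot tell whether these are intentionally provided by distro-specific policy or simply untested there, so the exclusion should carry a one-line rationale, e.g. `# distro_redhat: these role interfaces are not applied here -- <reason TODO: document>`. The module's own header at L316006 already documents the naming quirk, so the file is otherwise clear.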
diff --git a/policy/modules/services/metadata.xml b/policy/modules/services/metadata.xml
new file mode 100644
index 00000000..4e6ec175
--- /dev/null
+++ b/policy/modules/services/metadata.xml
@@ -0,0 +1,4 @@
+<summary>
+ Policy modules for system services, like cron, and network services,
+ like sshd.
+</summary>
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
new file mode 100644
index 00000000..d51676ad
--- /dev/null
+++ b/policy/modules/services/postgresql.fc
@@ -0,0 +1,55 @@
+#
+# /etc
+#
+/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
+ifdef(`distro_gentoo',`
+/etc/postgresql-.*(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
+')
+/etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+/etc/sysconfig/pgsql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+/usr/lib(64)?/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+/usr/lib(64)?/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+ifdef(`distro_debian', `
+/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+')
+
+ifdef(`distro_redhat', `
+/usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/usr/lib(64)?/postgresql-.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+')
+
+#
+# /var
+#
+/var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+
+/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
+
+/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
+
+/var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
+
+ifdef(`distro_redhat', `
+/var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+')
+
+/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
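Review bot: The last entry, `/var/run/postmaster.*`, leaves the dot unescaped, while every other literal dot in this file is escaped (`pgstartup\.log` at L316242, `postgres\.log.*` at L316247, `sepostgresql\.log.*` at L316249). Because the dot is immediately followed by `*` the pattern still matches the intended `postmaster.pid`-style names, so the result is the same, but the inconsistency invites a later copy that drops the `*` and silently matches the wrong paths; writing it as `/var/run/postmaster\..* gen_context(system_u:object_r:postgresql_var_run_t,s0)` makes the intent explicit.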
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
new file mode 100644
index 00000000..5e19ee70
--- /dev/null
+++ b/policy/modules/services/postgresql.if
@@ -0,0 +1,566 @@
+## <summary>PostgreSQL relational database</summary>
+
+#######################################
+## <summary>
+## Role access for SE-PostgreSQL.
+## </summary>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`postgresql_role',`
+ gen_require(`
+ class db_database all_db_database_perms;
+ class db_schema all_db_schema_perms;
+ class db_table all_db_table_perms;
+ class db_sequence all_db_sequence_perms;
+ class db_view all_db_view_perms;
+ class db_procedure all_db_procedure_perms;
+ class db_language all_db_language_perms;
+ class db_column all_db_column_perms;
+ class db_tuple all_db_tuple_perms;
+ class db_blob all_db_blob_perms;
+
+ attribute sepgsql_client_type, sepgsql_database_type;
+ attribute sepgsql_schema_type, sepgsql_sysobj_table_type;
+
+ type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
+ type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
+ type user_sepgsql_schema_t, user_sepgsql_seq_t;
+ type user_sepgsql_sysobj_t, user_sepgsql_table_t;
+ type user_sepgsql_view_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ typeattribute $2 sepgsql_client_type;
+ role $1 types sepgsql_trusted_proc_t;
+
+ ##############################
+ #
+ # Client local policy
+ #
+
+ tunable_policy(`sepgsql_enable_users_ddl',`
+ allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
+ allow $2 user_sepgsql_table_t:db_table { create drop setattr };
+ allow $2 user_sepgsql_table_t:db_column { create drop setattr };
+ allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+ allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
+ allow $2 user_sepgsql_view_t:db_view { create drop setattr };
+ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+ ')
+
+ allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
+ type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
+
+ allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
+ allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
+ allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
+ type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; # deprecated
+ type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t;
+
+ allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
+ type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
+
+ allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
+ type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
+
+ allow $2 user_sepgsql_view_t:db_view { getattr expand };
+ type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t;
+
+ allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
+ type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t; # deprecated
+ type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
+
+ allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+ type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
+
+ allow $2 sepgsql_trusted_proc_t:process transition;
+ type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL loadable shared library module
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_loadable_module',`
+ gen_require(`
+ attribute sepgsql_module_type;
+ ')
+
+ typeattribute $1 sepgsql_module_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL database object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_database_object',`
+ gen_require(`
+ attribute sepgsql_database_type;
+ ')
+
+ typeattribute $1 sepgsql_database_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL schema object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a schema object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_schema_object',`
+ gen_require(`
+ attribute sepgsql_schema_type;
+ ')
+
+ typeattribute $1 sepgsql_schema_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL table/column/tuple object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a table/column/tuple object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_table_object',`
+ gen_require(`
+ attribute sepgsql_table_type;
+ ')
+
+ typeattribute $1 sepgsql_table_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL system table/column/tuple object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a table/column/tuple object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_system_table_object',`
+ gen_require(`
+ attribute sepgsql_table_type, sepgsql_sysobj_table_type;
+ ')
+
+ typeattribute $1 sepgsql_table_type;
+ typeattribute $1 sepgsql_sysobj_table_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL sequence type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a sequence type.
+## </summary>
+## </param>
+#
+interface(`postgresql_sequence_object',`
+ gen_require(`
+ attribute sepgsql_sequence_type;
+ ')
+
+ typeattribute $1 sepgsql_sequence_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL view object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a view object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_view_object',`
+ gen_require(`
+ attribute sepgsql_view_type;
+ ')
+
+ typeattribute $1 sepgsql_view_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL procedure object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_procedure_object',`
+ gen_require(`
+ attribute sepgsql_procedure_type;
+ ')
+
+ typeattribute $1 sepgsql_procedure_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL procedural language object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a procedural language object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_language_object',`
+ gen_require(`
+ attribute sepgsql_language_type;
+ ')
+
+ typeattribute $1 sepgsql_language_type;
+')
+
+########################################
+## <summary>
+## Marks as a SE-PostgreSQL binary large object type
+## </summary>
+## <param name="type">
+## <summary>
+## Type marked as a database binary large object type.
+## </summary>
+## </param>
+#
+interface(`postgresql_blob_object',`
+ gen_require(`
+ attribute sepgsql_blob_type;
+ ')
+
+ typeattribute $1 sepgsql_blob_type;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to search postgresql's database directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgresql_search_db',`
+ gen_require(`
+ type postgresql_db_t;
+ ')
+
+ allow $1 postgresql_db_t:dir search;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage postgresql's database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+interface(`postgresql_manage_db',`
+ gen_require(`
+ type postgresql_db_t;
+ ')
+
+ allow $1 postgresql_db_t:dir rw_dir_perms;
+ allow $1 postgresql_db_t:file rw_file_perms;
+ allow $1 postgresql_db_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+## Execute postgresql in the postgresql domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postgresql_domtrans',`
+ gen_require(`
+ type postgresql_t, postgresql_exec_t;
+ ')
+
+ domtrans_pattern($1, postgresql_exec_t, postgresql_t)
+')
+
+######################################
+## <summary>
+## Allow domain to signal postgresql
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgresql_signal',`
+ gen_require(`
+ type postgresql_t;
+ ')
+ allow $1 postgresql_t:process signal;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read postgresql's etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_read_config',`
+ gen_require(`
+ type postgresql_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 postgresql_etc_t:dir list_dir_perms;
+ allow $1 postgresql_etc_t:file read_file_perms;
+ allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to postgresql with a tcp socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgresql_tcp_connect',`
+ gen_require(`
+ type postgresql_t;
+ ')
+
+ corenet_tcp_recvfrom_labeled($1, postgresql_t)
+ corenet_tcp_sendrecv_postgresql_port($1)
+ corenet_tcp_connect_postgresql_port($1)
+ corenet_sendrecv_postgresql_client_packets($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to postgresql with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_stream_connect',`
+ gen_require(`
+ type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 postgresql_t:unix_stream_socket connectto;
+ allow $1 postgresql_var_run_t:sock_file write;
+ # Some versions of postgresql put the sock file in /tmp
+ allow $1 postgresql_tmp_t:sock_file write;
+')
+
+########################################
+## <summary>
+## Allow the specified domain unprivileged accesses to unifined database objects
+## managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgresql_unpriv_client',`
+ gen_require(`
+ class db_database all_db_database_perms;
+ class db_schema all_db_schema_perms;
+ class db_table all_db_table_perms;
+ class db_sequence all_db_sequence_perms;
+ class db_view all_db_view_perms;
+ class db_procedure all_db_procedure_perms;
+ class db_language all_db_language_perms;
+ class db_column all_db_column_perms;
+ class db_tuple all_db_tuple_perms;
+ class db_blob all_db_blob_perms;
+
+ attribute sepgsql_client_type;
+ attribute sepgsql_database_type, sepgsql_schema_type;
+ attribute sepgsql_sysobj_table_type;
+
+ type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
+ type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
+ type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t;
+ type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
+ type unpriv_sepgsql_view_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ typeattribute $1 sepgsql_client_type;
+
+ ########################################
+ #
+ # Client local policy
+ #
+
+ type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+ allow $1 sepgsql_trusted_proc_t:process transition;
+
+ tunable_policy(`sepgsql_enable_users_ddl',`
+ allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
+ allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+ allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
+ allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+ allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr };
+ allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr };
+ allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+ ')
+ allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
+ type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
+
+ allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
+ allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
+ allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
+ type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t; # deprecated
+ type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t;
+
+ allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value };
+ type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t;
+
+ allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
+ type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
+
+ allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
+ type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
+
+ allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
+ type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; # deprecated
+ type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t;
+
+ allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+ type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
+')
+
+########################################
+## <summary>
+## Allow the specified domain unconfined accesses to any database objects
+## managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgresql_unconfined',`
+ gen_require(`
+ attribute sepgsql_unconfined_type;
+ ')
+
+ typeattribute $1 sepgsql_unconfined_type;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an postgresql environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the postgresql domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_admin',`
+ gen_require(`
+ attribute sepgsql_admin_type;
+ attribute sepgsql_client_type;
+
+ type postgresql_t, postgresql_var_run_t;
+ type postgresql_tmp_t, postgresql_db_t;
+ type postgresql_etc_t, postgresql_log_t;
+ type postgresql_initrc_exec_t;
+ ')
+
+ typeattribute $1 sepgsql_admin_type;
+ role $2 types postgresql_t;
+
+ allow $1 postgresql_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postgresql_t)
+
+ init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 postgresql_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, postgresql_var_run_t)
+
+ admin_pattern($1, postgresql_db_t)
+
+ admin_pattern($1, postgresql_etc_t)
+
+ admin_pattern($1, postgresql_log_t)
+
+ admin_pattern($1, postgresql_tmp_t)
+
+ postgresql_tcp_connect($1)
+ postgresql_stream_connect($1)
+')
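Review bot: `postgresql_unpriv_client` grants `set_value` on `db_sequence` unconditionally at L316743, whereas the otherwise parallel `postgresql_role` only grants `set_value` inside the `sepgsql_enable_users_ddl` tunable block (L316322) and leaves the unconditional rule at `{ getattr get_value next_value }` (L316339); an unprivileged client should not be able to reset sequence values when users' DDL is disabled, so L316743 should become `allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value };` with `set_value` moved into the tunable rule at L316730. In the same interface L316734 omits `search` from the `db_schema` perms that `postgresql_role` grants at L316327; this may be deliberate, but it deserves a comment either way. Two smaller points: `postgresql_manage_db` at L316564 is the only interface in the file whose XML doc block is not closed by the conventional `#` line, and the summary at L316677 reads "unifined" and ends with a comma instead of a period.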
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
new file mode 100644
index 00000000..4d71f89e
--- /dev/null
+++ b/policy/modules/services/postgresql.te
@@ -0,0 +1,540 @@
+policy_module(postgresql, 1.14.0)
+
+gen_require(`
+ class db_database all_db_database_perms;
+ class db_table all_db_table_perms;
+ class db_procedure all_db_procedure_perms;
+ class db_column all_db_column_perms;
+ class db_tuple all_db_tuple_perms;
+ class db_blob all_db_blob_perms;
+ class db_schema all_db_schema_perms;
+ class db_view all_db_view_perms;
+ class db_sequence all_db_sequence_perms;
+ class db_language all_db_language_perms;
+')
+
+#################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow unprived users to execute DDL statement
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_users_ddl, true)
+
+## <desc>
+## <p>
+## Allow database admins to execute DML statement
+## </p>
+## </desc>
+gen_tunable(sepgsql_unconfined_dbadm, true)
+
+type postgresql_t;
+type postgresql_exec_t;
+init_daemon_domain(postgresql_t, postgresql_exec_t)
+
+type postgresql_db_t;
+files_type(postgresql_db_t)
+
+type postgresql_etc_t;
+files_config_file(postgresql_etc_t)
+
+type postgresql_initrc_exec_t;
+init_script_file(postgresql_initrc_exec_t)
+
+type postgresql_lock_t;
+files_lock_file(postgresql_lock_t)
+
+type postgresql_log_t;
+logging_log_file(postgresql_log_t)
+
+type postgresql_tmp_t;
+files_tmp_file(postgresql_tmp_t)
+
+type postgresql_var_run_t;
+files_pid_file(postgresql_var_run_t)
+
+# database clients attribute
+attribute sepgsql_admin_type;
+attribute sepgsql_client_type;
+attribute sepgsql_unconfined_type;
+
+# database objects attribute
+attribute sepgsql_database_type;
+attribute sepgsql_schema_type;
+attribute sepgsql_table_type;
+attribute sepgsql_sysobj_table_type;
+attribute sepgsql_sequence_type;
+attribute sepgsql_view_type;
+attribute sepgsql_procedure_type;
+attribute sepgsql_language_type;
+attribute sepgsql_blob_type;
+attribute sepgsql_module_type;
+
+# database object types
+type sepgsql_blob_t;
+postgresql_blob_object(sepgsql_blob_t)
+
+type sepgsql_db_t;
+postgresql_database_object(sepgsql_db_t)
+
+type sepgsql_fixed_table_t;
+postgresql_table_object(sepgsql_fixed_table_t)
+
+type sepgsql_lang_t;
+postgresql_language_object(sepgsql_lang_t)
+
+type sepgsql_priv_lang_t;
+postgresql_language_object(sepgsql_priv_lang_t)
+
+type sepgsql_proc_exec_t;
+typealias sepgsql_proc_exec_t alias sepgsql_proc_t;
+postgresql_procedure_object(sepgsql_proc_exec_t)
+
+type sepgsql_ro_blob_t;
+postgresql_blob_object(sepgsql_ro_blob_t)
+
+type sepgsql_ro_table_t;
+postgresql_table_object(sepgsql_ro_table_t)
+
+type sepgsql_safe_lang_t;
+postgresql_language_object(sepgsql_safe_lang_t)
+
+type sepgsql_schema_t;
+postgresql_schema_object(sepgsql_schema_t)
+
+type sepgsql_secret_blob_t;
+postgresql_blob_object(sepgsql_secret_blob_t)
+
+type sepgsql_secret_table_t;
+postgresql_table_object(sepgsql_secret_table_t)
+
+type sepgsql_seq_t;
+postgresql_sequence_object(sepgsql_seq_t)
+
+type sepgsql_sysobj_t;
+postgresql_system_table_object(sepgsql_sysobj_t)
+
+type sepgsql_table_t;
+postgresql_table_object(sepgsql_table_t)
+
+type sepgsql_trusted_proc_exec_t;
+postgresql_procedure_object(sepgsql_trusted_proc_exec_t)
+
+type sepgsql_view_t;
+postgresql_view_object(sepgsql_view_t)
+
+# Trusted Procedure Domain
+type sepgsql_trusted_proc_t;
+domain_type(sepgsql_trusted_proc_t)
+postgresql_unconfined(sepgsql_trusted_proc_t)
+role system_r types sepgsql_trusted_proc_t;
+
+# Types for unprivileged client
+type unpriv_sepgsql_blob_t;
+postgresql_blob_object(unpriv_sepgsql_blob_t)
+
+type unpriv_sepgsql_proc_exec_t;
+postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)
+
+type unpriv_sepgsql_schema_t;
+postgresql_schema_object(unpriv_sepgsql_schema_t)
+
+type unpriv_sepgsql_seq_t;
+postgresql_sequence_object(unpriv_sepgsql_seq_t)
+
+type unpriv_sepgsql_sysobj_t;
+postgresql_system_table_object(unpriv_sepgsql_sysobj_t)
+
+type unpriv_sepgsql_table_t;
+postgresql_table_object(unpriv_sepgsql_table_t)
+
+type unpriv_sepgsql_view_t;
+postgresql_view_object(unpriv_sepgsql_view_t)
+
+# Types for UBAC
+type user_sepgsql_blob_t;
+typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
+typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t };
+postgresql_blob_object(user_sepgsql_blob_t)
+
+type user_sepgsql_proc_exec_t;
+typealias user_sepgsql_proc_exec_t alias { staff_sepgsql_proc_exec_t sysadm_sepgsql_proc_exec_t };
+typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t };
+postgresql_procedure_object(user_sepgsql_proc_exec_t)
+
+type user_sepgsql_schema_t;
+typealias user_sepgsql_schema_t alias { staff_sepgsql_schema_t sysadm_sepgsql_schema_t };
+typealias user_sepgsql_schema_t alias { auditadm_sepgsql_schema_t secadm_sepgsql_schema_t };
+postgresql_schema_object(user_sepgsql_schema_t)
+
+type user_sepgsql_seq_t;
+typealias user_sepgsql_seq_t alias { staff_sepgsql_seq_t sysadm_sepgsql_seq_t };
+typealias user_sepgsql_seq_t alias { auditadm_sepgsql_seq_t secadm_sepgsql_seq_t };
+postgresql_sequence_object(user_sepgsql_seq_t)
+
+type user_sepgsql_sysobj_t;
+typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t };
+typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t };
+postgresql_system_table_object(user_sepgsql_sysobj_t)
+
+type user_sepgsql_table_t;
+typealias user_sepgsql_table_t alias { staff_sepgsql_table_t sysadm_sepgsql_table_t };
+typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t };
+postgresql_table_object(user_sepgsql_table_t)
+
+type user_sepgsql_view_t;
+typealias user_sepgsql_view_t alias { staff_sepgsql_view_t sysadm_sepgsql_view_t };
+typealias user_sepgsql_view_t alias { auditadm_sepgsql_view_t secadm_sepgsql_view_t };
+postgresql_view_object(user_sepgsql_view_t)
+
+########################################
+#
+# postgresql Local policy
+#
+allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
+dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
+allow postgresql_t self:process signal_perms;
+allow postgresql_t self:fifo_file rw_fifo_file_perms;
+allow postgresql_t self:file { getattr read };
+allow postgresql_t self:sem create_sem_perms;
+allow postgresql_t self:shm create_shm_perms;
+allow postgresql_t self:tcp_socket create_stream_socket_perms;
+allow postgresql_t self:udp_socket create_stream_socket_perms;
+allow postgresql_t self:unix_dgram_socket create_socket_perms;
+allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+allow postgresql_t self:netlink_selinux_socket create_socket_perms;
+
+allow postgresql_t sepgsql_database_type:db_database *;
+type_transition postgresql_t postgresql_t:db_database sepgsql_db_t; # deprecated
+
+allow postgresql_t sepgsql_module_type:db_database install_module;
+# Database/Loadable module
+allow sepgsql_database_type sepgsql_module_type:db_database load_module;
+
+allow postgresql_t sepgsql_schema_type:db_schema *;
+type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_schema_t;
+
+allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
+type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t; # deprecated
+type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t;
+
+allow postgresql_t sepgsql_sequence_type:db_sequence *;
+type_transition postgresql_t sepgsql_schema_type:db_sequence sepgsql_seq_t;
+
+allow postgresql_t sepgsql_view_type:db_view *;
+type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t;
+
+allow postgresql_t sepgsql_procedure_type:db_procedure *;
+type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated
+type_transition postgresql_t sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;
+
+allow postgresql_t sepgsql_blob_type:db_blob *;
+type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
+
+manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
+
+allow postgresql_t postgresql_etc_t:dir list_dir_perms;
+read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
+read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
+
+allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
+can_exec(postgresql_t, postgresql_exec_t )
+
+allow postgresql_t postgresql_lock_t:file manage_file_perms;
+files_lock_filetrans(postgresql_t, postgresql_lock_t, file)
+
+manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
+logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
+
+manage_dirs_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+manage_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
+manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
+manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
+files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(postgresql_t)
+kernel_read_system_state(postgresql_t)
+kernel_list_proc(postgresql_t)
+kernel_read_all_sysctls(postgresql_t)
+kernel_read_proc_symlinks(postgresql_t)
+
+corenet_all_recvfrom_unlabeled(postgresql_t)
+corenet_all_recvfrom_netlabel(postgresql_t)
+corenet_tcp_sendrecv_generic_if(postgresql_t)
+corenet_udp_sendrecv_generic_if(postgresql_t)
+corenet_tcp_sendrecv_generic_node(postgresql_t)
+corenet_udp_sendrecv_generic_node(postgresql_t)
+corenet_tcp_sendrecv_all_ports(postgresql_t)
+corenet_udp_sendrecv_all_ports(postgresql_t)
+corenet_udp_bind_generic_node(postgresql_t)
+corenet_tcp_bind_generic_node(postgresql_t)
+corenet_tcp_bind_postgresql_port(postgresql_t)
+corenet_tcp_connect_auth_port(postgresql_t)
+corenet_tcp_connect_postgresql_port(postgresql_t)
+corenet_sendrecv_postgresql_server_packets(postgresql_t)
+corenet_sendrecv_auth_client_packets(postgresql_t)
+
+dev_read_sysfs(postgresql_t)
+dev_read_urand(postgresql_t)
+
+fs_getattr_all_fs(postgresql_t)
+fs_search_auto_mountpoints(postgresql_t)
+fs_rw_hugetlbfs_files(postgresql_t)
+
+selinux_get_enforce_mode(postgresql_t)
+selinux_validate_context(postgresql_t)
+selinux_compute_access_vector(postgresql_t)
+selinux_compute_create_context(postgresql_t)
+selinux_compute_relabel_context(postgresql_t)
+
+term_use_controlling_term(postgresql_t)
+
+corecmd_exec_bin(postgresql_t)
+corecmd_exec_shell(postgresql_t)
+
+domain_dontaudit_list_all_domains_state(postgresql_t)
+domain_use_interactive_fds(postgresql_t)
+
+files_dontaudit_search_home(postgresql_t)
+files_manage_etc_files(postgresql_t)
+files_search_etc(postgresql_t)
+files_read_etc_runtime_files(postgresql_t)
+files_read_usr_files(postgresql_t)
+
+auth_use_pam(postgresql_t)
+
+init_read_utmp(postgresql_t)
+
+logging_send_syslog_msg(postgresql_t)
+logging_send_audit_msgs(postgresql_t)
+
+miscfiles_read_localization(postgresql_t)
+
+seutil_libselinux_linked(postgresql_t)
+seutil_read_default_contexts(postgresql_t)
+
+userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
+userdom_dontaudit_search_user_home_dirs(postgresql_t)
+userdom_dontaudit_use_user_terminals(postgresql_t)
+
+optional_policy(`
+ mta_getattr_spool(postgresql_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow postgresql_t self:process execmem;
+')
+
+optional_policy(`
+ consoletype_exec(postgresql_t)
+')
+
+optional_policy(`
+ cron_search_spool(postgresql_t)
+ cron_system_entry(postgresql_t, postgresql_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(postgresql_t)
+')
+
+optional_policy(`
+ ipsec_match_default_spd(postgresql_t)
+')
+
+optional_policy(`
+ kerberos_use(postgresql_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(postgresql_t)
+')
+
+optional_policy(`
+ udev_read_db(postgresql_t)
+')
+
+########################################
+#
+# Rules common to all clients
+#
+
+allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
+type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;
+
+allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search };
+
+allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock };
+allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };
+
+allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete lock };
+allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert };
+allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete };
+
+allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select lock };
+allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };
+
+allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
+allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;
+
+allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select lock };
+allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
+
+allow sepgsql_client_type sepgsql_seq_t:db_sequence { getattr get_value next_value };
+
+allow sepgsql_client_type sepgsql_view_t:db_view { getattr expand };
+
+allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install };
+allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };
+
+allow sepgsql_client_type sepgsql_lang_t:db_language { getattr };
+allow sepgsql_client_type sepgsql_safe_lang_t:db_language { getattr execute };
+
+# Only DBA can implement SQL procedures using `unsafe' procedural languages.
+# The `unsafe' one provides a capability to access internal data structure,
+# so we don't allow user-defined function being implemented using `unsafe' one.
+allow sepgsql_proc_exec_t sepgsql_lang_t:db_language { implement };
+allow sepgsql_procedure_type sepgsql_safe_lang_t:db_language { implement };
+
+allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
+allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
+allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
+
+# The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs.
+# If a client tries to SELECT a table including violated tuples, these are filtered from
+# the result set as if not exist, but its access denied longs can be recorded within log files.
+# In generally, the number of tuples are much larger than the number of columns, tables and so on.
+# So, it makes a flood of logs when many tuples are violated.
+#
+# The default policy does not prevent anything for sepgsql_client_type sepgsql_unconfined_type,
+# so we don't need "dontaudit" rules in Type-Enforcement. However, MLS/MCS can prevent them
+# to access classified tuples and can make a audit record.
+#
+# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
+dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
+
+# Note that permission of creation/deletion are eventually controlled by
+# create or drop permission of individual objects within shared schemas.
+# So, it just allows to create/drop user specific types.
+tunable_policy(`sepgsql_enable_users_ddl',`
+ allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
+')
+
+########################################
+#
+# Rules common to administrator clients
+#
+
+allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access };
+type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t; # deprecated
+
+allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name };
+type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_schema_t;
+
+allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock };
+allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
+allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
+
+type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated
+type_transition sepgsql_admin_type sepgsql_schema_type:db_table sepgsql_table_t;
+
+allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value };
+
+type_transition sepgsql_admin_type sepgsql_schema_type:db_sequence sepgsql_seq_t;
+
+allow sepgsql_admin_type sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand };
+
+type_transition sepgsql_admin_type sepgsql_schema_type:db_view sepgsql_view_t;
+
+allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };
+allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
+
+type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated
+type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;
+
+allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute };
+
+type_transition sepgsql_admin_type sepgsql_database_type:db_language sepgsql_lang_t;
+
+allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };
+
+type_transition sepgsql_admin_type sepgsql_database_type:db_blob sepgsql_blob_t;
+
+allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+
+kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
+
+tunable_policy(`sepgsql_unconfined_dbadm',`
+ allow sepgsql_admin_type sepgsql_database_type:db_database *;
+
+ allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
+
+ allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *;
+ allow sepgsql_admin_type sepgsql_sequence_type:db_sequence *;
+ allow sepgsql_admin_type sepgsql_view_type:db_view *;
+
+ allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
+ allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
+ allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };
+
+ allow sepgsql_admin_type sepgsql_language_type:db_language ~implement;
+
+ allow sepgsql_admin_type sepgsql_blob_type:db_blob *;
+')
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
+type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t; # deprecated
+
+allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *;
+type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t;
+
+type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated
+type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated
+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table sepgsql_table_t;
+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_sequence sepgsql_seq_t;
+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view sepgsql_view_t;
+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;
+type_transition sepgsql_unconfined_type sepgsql_database_type:db_language sepgsql_lang_t;
+type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
+
+allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
+allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence *;
+allow sepgsql_unconfined_type sepgsql_view_type:db_view *;
+
+# unconfined domain is not allowed to invoke user defined procedure directly.
+# They have to confirm and relabel it at first.
+allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *;
+allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
+allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };
+
+allow sepgsql_unconfined_type sepgsql_language_type:db_language ~implement;
+
+allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+
+allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
+
+kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
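Review bot: sys_tty_config and sys_admin are both granted in the capability allow at the top of the local-policy section and then dontaudited on the very next line; a dontaudit has no effect on a permission that is already allowed, so one of the two lines does not reflect the intent. sys_admin is a broad capability for a database daemon and nothing in the hunk says why it is needed — if it is not, `allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice };` with the dontaudit kept is the narrower reading; if it is, drop the dontaudit and add a comment naming the operation that requires it. Two smaller least-privilege points in the same section: `allow postgresql_t self:udp_socket create_socket_perms;` is the usual macro for a datagram socket (the unix_dgram_socket line just below uses it, as does the ssh server template later in this commit), and `files_manage_etc_files(postgresql_t)` gives the daemon write access to every generic etc_t file while its own postgresql_etc_t configuration is read-only, which looks inverted unless a specific /etc file genuinely has to be written.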
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
new file mode 100644
index 00000000..078bcd7d
--- /dev/null
+++ b/policy/modules/services/ssh.fc
@@ -0,0 +1,16 @@
+HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+
+/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+
+/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
+/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
+/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+
+/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+
+/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+
+/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
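Review bot: Only the RSA and DSA host private keys (plus the legacy ssh_host_key) are labelled sshd_key_t, so a host key under another name — for example the `/etc/ssh/ssh_host_ecdsa_key` and `/etc/ssh/ssh_host_ed25519_key` files newer OpenSSH releases generate — would take the generic /etc label on relabel and lose the key-specific protection this type provides. A pattern such as `/etc/ssh/ssh_host_[^/]*_key -- gen_context(system_u:object_r:sshd_key_t,s0)` would cover present and future key names in one line; file-context regexes are anchored, so the matching `.pub` files keep their default label as they do today. Also worth confirming: only `sshd\.init\.pid` is given sshd_var_run_t, whereas the server's default pid file name is sshd.pid, so a relabel of /var/run would leave that file at the generic label (runtime creation is covered by the pid filetrans in the server template, so this only matters for restorecon).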
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
new file mode 100644
index 00000000..fe0c6827
--- /dev/null
+++ b/policy/modules/services/ssh.if
@@ -0,0 +1,756 @@
+## <summary>Secure shell client and server policy.</summary>
+
+#######################################
+## <summary>
+## Basic SSH client template.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for ssh client sessions. A derived
+## type is also created to protect the user ssh keys.
+## </p>
+## <p>
+## This template was added for NX.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`ssh_basic_client_template',`
+
+ gen_require(`
+ attribute ssh_server;
+ type ssh_exec_t, sshd_key_t, sshd_tmp_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_ssh_t;
+ application_domain($1_ssh_t, ssh_exec_t)
+ role $3 types $1_ssh_t;
+
+ type $1_ssh_home_t;
+ files_type($1_ssh_home_t)
+ typealias $1_ssh_home_t alias $1_home_ssh_t;
+
+ ##############################
+ #
+ # Client local policy
+ #
+
+ allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
+ allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_ssh_t self:fd use;
+ allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
+ allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow $1_ssh_t self:shm create_shm_perms;
+ allow $1_ssh_t self:sem create_sem_perms;
+ allow $1_ssh_t self:msgq create_msgq_perms;
+ allow $1_ssh_t self:msg { send receive };
+ allow $1_ssh_t self:tcp_socket create_stream_socket_perms;
+
+ # for rsync
+ allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
+ allow $1_ssh_t $2:unix_stream_socket connectto;
+
+ # Read the ssh key file.
+ allow $1_ssh_t sshd_key_t:file read_file_perms;
+
+ # Access the ssh temporary files.
+ allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms;
+ allow $1_ssh_t sshd_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
+
+ # Transition from the domain to the derived domain.
+ domtrans_pattern($2, ssh_exec_t, $1_ssh_t)
+
+ # inheriting stream sockets is needed for "ssh host command" as no pty
+ # is allocated
+ # cjp: should probably fix target to be an attribute for ssh servers
+ # or "regular" (not special like sshd_extern_t) servers
+ allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
+
+ # allow ps to show ssh
+ ps_process_pattern($2, $1_ssh_t)
+
+ # user can manage the keys and config
+ manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
+ manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
+ manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
+
+ # ssh client can manage the keys and config
+ manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
+ read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
+
+ # ssh servers can read the user keys and config
+ allow ssh_server $1_ssh_home_t:dir list_dir_perms;
+ read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
+ read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
+
+ kernel_read_kernel_sysctls($1_ssh_t)
+ kernel_read_system_state($1_ssh_t)
+
+ corenet_all_recvfrom_unlabeled($1_ssh_t)
+ corenet_all_recvfrom_netlabel($1_ssh_t)
+ corenet_tcp_sendrecv_generic_if($1_ssh_t)
+ corenet_tcp_sendrecv_generic_node($1_ssh_t)
+ corenet_tcp_sendrecv_all_ports($1_ssh_t)
+ corenet_tcp_connect_ssh_port($1_ssh_t)
+ corenet_sendrecv_ssh_client_packets($1_ssh_t)
+
+ dev_read_urand($1_ssh_t)
+
+ fs_getattr_all_fs($1_ssh_t)
+ fs_search_auto_mountpoints($1_ssh_t)
+
+ # run helper programs - needed eg for x11-ssh-askpass
+ corecmd_exec_shell($1_ssh_t)
+ corecmd_exec_bin($1_ssh_t)
+
+ domain_use_interactive_fds($1_ssh_t)
+
+ files_list_home($1_ssh_t)
+ files_read_usr_files($1_ssh_t)
+ files_read_etc_runtime_files($1_ssh_t)
+ files_read_etc_files($1_ssh_t)
+ files_read_var_files($1_ssh_t)
+
+ auth_use_nsswitch($1_ssh_t)
+
+ logging_send_syslog_msg($1_ssh_t)
+ logging_read_generic_logs($1_ssh_t)
+
+ miscfiles_read_localization($1_ssh_t)
+
+ seutil_read_config($1_ssh_t)
+
+ optional_policy(`
+ kerberos_use($1_ssh_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The template to define a ssh server.
+## </summary>
+## <desc>
+## <p>
+## This template creates a domains to be used for
+## creating a ssh server. This is typically done
+## to have multiple ssh servers of different sensitivities,
+## such as for an internal network-facing ssh server, and
+## a external network-facing ssh server.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the server domain (e.g., sshd
+## is the prefix for sshd_t).
+## </summary>
+## </param>
+#
+template(`ssh_server_template', `
+ type $1_t, ssh_server;
+ auth_login_pgm_domain($1_t)
+
+ type $1_devpts_t;
+ term_login_pty($1_devpts_t)
+
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+ # ssh agent connections:
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:shm create_shm_perms;
+
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
+ term_create_pty($1_t, $1_devpts_t)
+
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
+
+ allow $1_t $1_var_run_t:file manage_file_perms;
+ files_pid_filetrans($1_t, $1_var_run_t, file)
+
+ can_exec($1_t, sshd_exec_t)
+
+ # Access key files
+ allow $1_t sshd_key_t:file read_file_perms;
+
+ kernel_read_kernel_sysctls($1_t)
+ kernel_read_network_state($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_udp_sendrecv_generic_if($1_t)
+ corenet_raw_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_generic_node($1_t)
+ corenet_udp_sendrecv_generic_node($1_t)
+ corenet_raw_sendrecv_generic_node($1_t)
+ corenet_udp_sendrecv_all_ports($1_t)
+ corenet_tcp_sendrecv_all_ports($1_t)
+ corenet_tcp_bind_generic_node($1_t)
+ corenet_udp_bind_generic_node($1_t)
+ corenet_tcp_bind_ssh_port($1_t)
+ corenet_tcp_connect_all_ports($1_t)
+ corenet_sendrecv_ssh_server_packets($1_t)
+
+ fs_dontaudit_getattr_all_fs($1_t)
+
+ auth_rw_login_records($1_t)
+ auth_rw_faillog($1_t)
+
+ corecmd_read_bin_symlinks($1_t)
+ corecmd_getattr_bin_files($1_t)
+ # for sshd subsystems, such as sftp-server.
+ corecmd_getattr_bin_files($1_t)
+
+ domain_interactive_fd($1_t)
+
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+ files_read_usr_files($1_t)
+
+ logging_search_logs($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ userdom_create_all_users_keys($1_t)
+ userdom_dontaudit_relabelfrom_user_ptys($1_t)
+ userdom_search_user_home_dirs($1_t)
+
+ # Allow checking users mail at login
+ optional_policy(`
+ mta_getattr_spool($1_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files($1_t)
+ fs_read_nfs_symlinks($1_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files($1_t)
+ ')
+
+ optional_policy(`
+ kerberos_use($1_t)
+ kerberos_manage_host_rcache($1_t)
+ ')
+
+ optional_policy(`
+ files_read_var_lib_symlinks($1_t)
+ nx_spec_domtrans_server($1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for ssh
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+template(`ssh_role_template',`
+ gen_require(`
+ attribute ssh_server, ssh_agent_type;
+
+ type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
+ type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
+ type ssh_agent_tmp_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ role $2 types ssh_t;
+
+ type $1_ssh_agent_t, ssh_agent_type;
+ userdom_user_application_domain($1_ssh_agent_t, ssh_agent_exec_t)
+ domain_interactive_fd($1_ssh_agent_t)
+ role $2 types $1_ssh_agent_t;
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ # Transition from the domain to the derived domain.
+ domtrans_pattern($3, ssh_exec_t, ssh_t)
+
+ # inheriting stream sockets is needed for "ssh host command" as no pty
+ # is allocated
+ allow $3 ssh_server:unix_stream_socket rw_stream_socket_perms;
+
+ # allow ps to show ssh
+ ps_process_pattern($3, ssh_t)
+ allow $3 ssh_t:process signal;
+
+ # for rsync
+ allow ssh_t $3:unix_stream_socket rw_socket_perms;
+ allow ssh_t $3:unix_stream_socket connectto;
+
+ # user can manage the keys and config
+ manage_files_pattern($3, ssh_home_t, ssh_home_t)
+ manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
+ manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
+ userdom_search_user_home_dirs($1_t)
+
+ ##############################
+ #
+ # SSH agent local policy
+ #
+
+ allow $1_ssh_agent_t self:process setrlimit;
+ allow $1_ssh_agent_t self:capability setgid;
+
+ allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
+
+ allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+ manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
+ manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
+ files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file })
+
+ # for ssh-add
+ stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
+
+ # Allow the user shell to signal the ssh program.
+ allow $3 $1_ssh_agent_t:process signal;
+
+ # allow ps to show ssh
+ ps_process_pattern($3, $1_ssh_agent_t)
+
+ domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t)
+
+ kernel_read_kernel_sysctls($1_ssh_agent_t)
+
+ dev_read_urand($1_ssh_agent_t)
+ dev_read_rand($1_ssh_agent_t)
+
+ fs_search_auto_mountpoints($1_ssh_agent_t)
+
+ # transition back to normal privs upon exec
+ corecmd_shell_domtrans($1_ssh_agent_t, $3)
+ corecmd_bin_domtrans($1_ssh_agent_t, $3)
+
+ domain_use_interactive_fds($1_ssh_agent_t)
+
+ files_read_etc_files($1_ssh_agent_t)
+ files_read_etc_runtime_files($1_ssh_agent_t)
+ files_search_home($1_ssh_agent_t)
+
+ libs_read_lib_files($1_ssh_agent_t)
+
+ logging_send_syslog_msg($1_ssh_agent_t)
+
+ miscfiles_read_localization($1_ssh_agent_t)
+ miscfiles_read_generic_certs($1_ssh_agent_t)
+
+ seutil_dontaudit_read_config($1_ssh_agent_t)
+
+ # Write to the user domain tty.
+ userdom_use_user_terminals($1_ssh_agent_t)
+
+ # for the transition back to normal privs upon exec
+ userdom_search_user_home_content($1_ssh_agent_t)
+ userdom_user_home_domtrans($1_ssh_agent_t, $3)
+ allow $3 $1_ssh_agent_t:fd use;
+ allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
+ allow $3 $1_ssh_agent_t:process sigchld;
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files($1_ssh_agent_t)
+
+ # transition back to normal privs upon exec
+ fs_nfs_domtrans($1_ssh_agent_t, $3)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files($1_ssh_agent_t)
+
+ # transition back to normal privs upon exec
+ fs_cifs_domtrans($1_ssh_agent_t, $3)
+ ')
+
+ optional_policy(`
+ nis_use_ypbind($1_ssh_agent_t)
+ ')
+
+ optional_policy(`
+ xserver_use_xdm_fds($1_ssh_agent_t)
+ xserver_rw_xdm_pipes($1_ssh_agent_t)
+ ')
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to the ssh server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_sigchld',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send a generic signal to the ssh server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_signal',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:process signal;
+')
+
+########################################
+## <summary>
+## Send a null signal to sshd processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_signull',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:process signull;
+')
+
+########################################
+## <summary>
+## Read a ssh server unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_read_pipes',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:fifo_file { getattr read };
+')
+########################################
+## <summary>
+## Read and write a ssh server unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_rw_pipes',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:fifo_file { write read getattr ioctl };
+')
+
+########################################
+## <summary>
+## Read and write ssh server unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_rw_stream_sockets',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+## Read and write ssh server TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_rw_tcp_sockets',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## ssh server TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ssh_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ dontaudit $1 sshd_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Connect to SSH daemons over TCP sockets. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Execute the ssh daemon sshd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ssh_domtrans',`
+ gen_require(`
+ type sshd_t, sshd_exec_t;
+ ')
+
+ domtrans_pattern($1, sshd_exec_t, sshd_t)
+')
+
+########################################
+## <summary>
+## Execute the ssh client in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_exec',`
+ gen_require(`
+ type ssh_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ssh_exec_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of sshd key files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_setattr_key_files',`
+ gen_require(`
+ type sshd_key_t;
+ ')
+
+ allow $1 sshd_key_t:file setattr;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Execute the ssh agent client in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_agent_exec',`
+ gen_require(`
+ type ssh_agent_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ssh_agent_exec_t)
+')
+
+########################################
+## <summary>
+## Read ssh home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_read_user_home_files',`
+ gen_require(`
+ type ssh_home_t;
+ ')
+
+ allow $1 ssh_home_t:dir list_dir_perms;
+ read_files_pattern($1, ssh_home_t, ssh_home_t)
+ read_lnk_files_pattern($1, ssh_home_t, ssh_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Execute the ssh key generator in the ssh keygen domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ssh_domtrans_keygen',`
+ gen_require(`
+ type ssh_keygen_t, ssh_keygen_exec_t;
+ ')
+
+ domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
+')
+
+########################################
+## <summary>
+## Read ssh server keys
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ssh_dontaudit_read_server_keys',`
+ gen_require(`
+ type sshd_key_t;
+ ')
+
+ dontaudit $1 sshd_key_t:file { getattr read };
+')
+
+######################################
+## <summary>
+## Manage ssh home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_manage_home_files',`
+ gen_require(`
+ type ssh_home_t;
+ ')
+
+ manage_files_pattern($1, ssh_home_t, ssh_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+#######################################
+## <summary>
+## Delete from the ssh temp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_delete_tmp',`
+ gen_require(`
+ type sshd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
new file mode 100644
index 00000000..b17e27ac
--- /dev/null
+++ b/policy/modules/services/ssh.te
@@ -0,0 +1,341 @@
+policy_module(ssh, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## allow host key based authentication
+## </p>
+## </desc>
+gen_tunable(allow_ssh_keysign, false)
+
+## <desc>
+## <p>
+## Allow ssh logins as sysadm_r:sysadm_t
+## </p>
+## </desc>
+gen_tunable(ssh_sysadm_login, false)
+
+attribute ssh_server;
+attribute ssh_agent_type;
+
+type ssh_keygen_t;
+type ssh_keygen_exec_t;
+init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
+role system_r types ssh_keygen_t;
+
+type sshd_exec_t;
+corecmd_executable_file(sshd_exec_t)
+
+ssh_server_template(sshd)
+init_daemon_domain(sshd_t, sshd_exec_t)
+
+type sshd_key_t;
+files_type(sshd_key_t)
+
+type sshd_tmp_t;
+files_tmp_file(sshd_tmp_t)
+files_poly_parent(sshd_tmp_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+')
+
+type ssh_t;
+type ssh_exec_t;
+typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
+typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t };
+userdom_user_application_domain(ssh_t, ssh_exec_t)
+
+type ssh_agent_exec_t;
+corecmd_executable_file(ssh_agent_exec_t)
+
+type ssh_agent_tmp_t;
+typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
+typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
+userdom_user_tmp_file(ssh_agent_tmp_t)
+
+type ssh_keysign_t;
+type ssh_keysign_exec_t;
+typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t };
+typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t };
+userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
+
+type ssh_tmpfs_t;
+typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
+typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
+userdom_user_tmpfs_file(ssh_tmpfs_t)
+
+type ssh_home_t;
+typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
+typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
+userdom_user_home_content(ssh_home_t)
+
+##############################
+#
+# SSH client local policy
+#
+
+allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow ssh_t self:fd use;
+allow ssh_t self:fifo_file rw_fifo_file_perms;
+allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
+allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow ssh_t self:shm create_shm_perms;
+allow ssh_t self:sem create_sem_perms;
+allow ssh_t self:msgq create_msgq_perms;
+allow ssh_t self:msg { send receive };
+allow ssh_t self:tcp_socket create_stream_socket_perms;
+
+# Read the ssh key file.
+allow ssh_t sshd_key_t:file read_file_perms;
+
+# Access the ssh temporary files.
+allow ssh_t sshd_tmp_t:dir manage_dir_perms;
+allow ssh_t sshd_tmp_t:file manage_file_perms;
+files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir })
+
+manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
+manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
+
+# Allow the ssh program to communicate with ssh-agent.
+stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
+
+allow ssh_t sshd_t:unix_stream_socket connectto;
+
+# ssh client can manage the keys and config
+manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+
+# ssh servers can read the user keys and config
+allow ssh_server ssh_home_t:dir list_dir_perms;
+read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+
+kernel_read_kernel_sysctls(ssh_t)
+kernel_read_system_state(ssh_t)
+
+corenet_all_recvfrom_unlabeled(ssh_t)
+corenet_all_recvfrom_netlabel(ssh_t)
+corenet_tcp_sendrecv_generic_if(ssh_t)
+corenet_tcp_sendrecv_generic_node(ssh_t)
+corenet_tcp_sendrecv_all_ports(ssh_t)
+corenet_tcp_connect_ssh_port(ssh_t)
+corenet_sendrecv_ssh_client_packets(ssh_t)
+
+dev_read_urand(ssh_t)
+
+fs_getattr_all_fs(ssh_t)
+fs_search_auto_mountpoints(ssh_t)
+
+# run helper programs - needed eg for x11-ssh-askpass
+corecmd_exec_shell(ssh_t)
+corecmd_exec_bin(ssh_t)
+
+domain_use_interactive_fds(ssh_t)
+
+files_list_home(ssh_t)
+files_read_usr_files(ssh_t)
+files_read_etc_runtime_files(ssh_t)
+files_read_etc_files(ssh_t)
+files_read_var_files(ssh_t)
+
+logging_send_syslog_msg(ssh_t)
+logging_read_generic_logs(ssh_t)
+
+auth_use_nsswitch(ssh_t)
+
+miscfiles_read_localization(ssh_t)
+
+seutil_read_config(ssh_t)
+
+userdom_dontaudit_list_user_home_dirs(ssh_t)
+userdom_search_user_home_dirs(ssh_t)
+# Write to the user domain tty.
+userdom_use_user_terminals(ssh_t)
+# needs to read krb tgt
+userdom_read_user_tmp_files(ssh_t)
+
+tunable_policy(`allow_ssh_keysign',`
+ domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+ allow ssh_keysign_t ssh_t:fd use;
+ allow ssh_keysign_t ssh_t:process sigchld;
+ allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(ssh_t)
+ fs_manage_nfs_files(ssh_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(ssh_t)
+ fs_manage_cifs_files(ssh_t)
+')
+
+# for port forwarding
+tunable_policy(`user_tcp_server',`
+ corenet_tcp_bind_ssh_port(ssh_t)
+ corenet_tcp_bind_generic_node(ssh_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
+ xserver_domtrans_xauth(ssh_t)
+')
+
+##############################
+#
+# ssh_keysign_t local policy
+#
+
+tunable_policy(`allow_ssh_keysign',`
+ allow ssh_keysign_t self:capability { setgid setuid };
+ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+
+ allow ssh_keysign_t sshd_key_t:file { getattr read };
+
+ dev_read_urand(ssh_keysign_t)
+
+ files_read_etc_files(ssh_keysign_t)
+')
+
+optional_policy(`
+ tunable_policy(`allow_ssh_keysign',`
+ nscd_socket_use(ssh_keysign_t)
+ ')
+')
+
+#################################
+#
+# sshd local policy
+#
+# sshd_t is the domain for the sshd program.
+#
+
+# so a tunnel can point to another ssh tunnel
+allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
+allow sshd_t self:key { search link write };
+
+manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
+
+kernel_search_key(sshd_t)
+kernel_link_key(sshd_t)
+
+term_use_all_ptys(sshd_t)
+term_setattr_all_ptys(sshd_t)
+term_relabelto_all_ptys(sshd_t)
+
+# for X forwarding
+corenet_tcp_bind_xserver_port(sshd_t)
+corenet_sendrecv_xserver_server_packets(sshd_t)
+
+tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
+ # display the tty.
+ # some versions of sshd on the new SE Linux require setattr
+ userdom_spec_domtrans_all_users(sshd_t)
+ userdom_signal_all_users(sshd_t)
+',`
+ userdom_spec_domtrans_unpriv_users(sshd_t)
+ userdom_signal_unpriv_users(sshd_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(sshd_t, sshd_exec_t)
+')
+
+optional_policy(`
+ inetd_tcp_service_domain(sshd_t, sshd_exec_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(sshd, sshd_t)
+')
+
+optional_policy(`
+ oddjob_domtrans_mkhomedir(sshd_t)
+')
+
+optional_policy(`
+ rpm_use_script_fds(sshd_t)
+')
+
+optional_policy(`
+ rssh_spec_domtrans(sshd_t)
+ # For reading /home/user/.ssh
+ rssh_read_ro_content(sshd_t)
+')
+
+optional_policy(`
+ unconfined_shell_domtrans(sshd_t)
+')
+
+optional_policy(`
+ xserver_domtrans_xauth(sshd_t)
+')
+
+########################################
+#
+# ssh_keygen local policy
+#
+
+# ssh_keygen_t is the type of the ssh-keygen program when run at install time
+# and by sysadm_t
+
+dontaudit ssh_keygen_t self:capability sys_tty_config;
+allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
+
+allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+
+allow ssh_keygen_t sshd_key_t:file manage_file_perms;
+files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+
+kernel_read_kernel_sysctls(ssh_keygen_t)
+
+fs_search_auto_mountpoints(ssh_keygen_t)
+
+dev_read_sysfs(ssh_keygen_t)
+dev_read_urand(ssh_keygen_t)
+
+term_dontaudit_use_console(ssh_keygen_t)
+
+domain_use_interactive_fds(ssh_keygen_t)
+
+files_read_etc_files(ssh_keygen_t)
+
+init_use_fds(ssh_keygen_t)
+init_use_script_ptys(ssh_keygen_t)
+
+auth_use_nsswitch(ssh_keygen_t)
+
+logging_send_syslog_msg(ssh_keygen_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+
+optional_policy(`
+ nscd_socket_use(ssh_keygen_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ssh_keygen_t)
+')
+
+optional_policy(`
+ udev_read_db(ssh_keygen_t)
+')
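Review bot: `allow ssh_t sshd_key_t:file read_file_perms;` grants the client domain unconditional read access to the host key type, while the comparable `allow ssh_keysign_t sshd_key_t:file { getattr read };` further down is gated by the `allow_ssh_keysign` tunable; if the client binary itself only touches host private keys for host-based authentication, the rule belongs inside the same `tunable_policy(`allow_ssh_keysign',` block, otherwise a comment naming the client code path that reads sshd_key_t would justify leaving it open. The keysign transition is also written as `domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)` followed by three hand-written fd/sigchld/fifo_file rules, whereas the interfaces in ssh.if (e.g. `ssh_domtrans`, `ssh_domtrans_keygen`) use `domtrans_pattern`, which supplies that back-channel itself; `domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)` would replace the four lines. Finally, the comment inside `tunable_policy(`ssh_sysadm_login',` about relabelling ptys and ioctl for logout() describes the `term_*_all_ptys(sshd_t)` rules above it rather than the `userdom_spec_domtrans_*`/`userdom_signal_*` rules it annotates, so it should move next to `term_relabelto_all_ptys(sshd_t)` or be dropped.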
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
new file mode 100644
index 00000000..c1e2eda8
--- /dev/null
+++ b/policy/modules/services/xserver.fc
@@ -0,0 +1,114 @@
+#
+# HOME_DIR
+#
+HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
+HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
+HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
+#
+# /dev
+#
+/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
+
+#
+# /etc
+#
+/etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/gdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+
+/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
+
+/etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
+/etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+
+#
+# /opt
+#
+
+/opt/kde3/bin/kdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+
+#
+# /tmp
+#
+
+/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
+/tmp/\.ICE-unix/.* -s <<none>>
+/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
+/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
+/tmp/\.X11-unix/.* -s <<none>>
+
+#
+# /usr
+#
+
+/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
+/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
+
+/usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
+/usr/X11R6/bin/XFree86 -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/bin/Xwrapper -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
+ifndef(`distro_debian',`
+/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+')
+
+#
+# /var
+#
+
+/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+
+/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
+/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+
+/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
+')
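Review bot: `/etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)` and `/usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)` label persistent paths under /etc and /usr with the display manager's runtime type, which nothing in the file explains; if kdm rewrites these at runtime, a comment above each entry such as `# kdm rewrites this config at runtime, so it carries the xdm runtime type` would stop the next reader from "correcting" them. The backgroundrc entry also lacks the `--` file-type specifier that every other single-file /etc entry carries, so it matches any object type at that path rather than just the regular file.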
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
new file mode 100644
index 00000000..130ced96
--- /dev/null
+++ b/policy/modules/services/xserver.if
@@ -0,0 +1,1252 @@
+## <summary>X Windows Server</summary>
+
+########################################
+## <summary>
+## Rules required for using the X Windows server
+## and environment, for restricted users.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_restricted_role',`
+ gen_require(`
+ type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
+ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+ type iceauth_t, iceauth_exec_t, iceauth_home_t;
+ type xauth_t, xauth_exec_t, xauth_home_t;
+ ')
+
+ role $1 types { xserver_t xauth_t iceauth_t };
+
+ # Xserver read/write client shm
+ allow xserver_t $2:fd use;
+ allow xserver_t $2:shm rw_shm_perms;
+
+ allow xserver_t $2:process signal;
+
+ allow xserver_t $2:shm rw_shm_perms;
+
+ allow $2 user_fonts_t:dir list_dir_perms;
+ allow $2 user_fonts_t:file read_file_perms;
+
+ allow $2 user_fonts_config_t:dir list_dir_perms;
+ allow $2 user_fonts_config_t:file read_file_perms;
+
+ manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+ manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+
+ stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ files_search_tmp($2)
+
+ # Communicate via System V shared memory.
+ allow $2 xserver_t:shm r_shm_perms;
+ allow $2 xserver_tmpfs_t:file read_file_perms;
+
+ # allow ps to show iceauth
+ ps_process_pattern($2, iceauth_t)
+
+ domtrans_pattern($2, iceauth_exec_t, iceauth_t)
+
+ allow $2 iceauth_home_t:file read_file_perms;
+
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
+
+ allow $2 xauth_t:process signal;
+
+ # allow ps to show xauth
+ ps_process_pattern($2, xauth_t)
+ allow $2 xserver_t:process signal;
+
+ allow $2 xauth_home_t:file read_file_perms;
+
+ # for when /tmp/.X11-unix is created by the system
+ allow $2 xdm_t:fd use;
+ allow $2 xdm_t:fifo_file { getattr read write ioctl };
+ allow $2 xdm_tmp_t:dir search;
+ allow $2 xdm_tmp_t:sock_file { read write };
+ dontaudit $2 xdm_t:tcp_socket { read write };
+
+ # Client read xserver shm
+ allow $2 xserver_t:fd use;
+ allow $2 xserver_tmpfs_t:file read_file_perms;
+
+ # Read /tmp/.X0-lock
+ allow $2 xserver_tmp_t:file { getattr read };
+
+ dev_rw_xserver_misc($2)
+ dev_rw_power_management($2)
+ dev_read_input($2)
+ dev_read_misc($2)
+ dev_write_misc($2)
+ # open office is looking for the following
+ dev_getattr_agp_dev($2)
+ dev_dontaudit_rw_dri($2)
+ # GNOME checks for usb and other devices:
+ dev_rw_usbfs($2)
+
+ miscfiles_read_fonts($2)
+
+ xserver_common_x_domain_template(user, $2)
+ xserver_domtrans($2)
+ xserver_unconfined($2)
+ xserver_xsession_entry_type($2)
+ xserver_dontaudit_write_log($2)
+ xserver_stream_connect_xdm($2)
+ # certain apps want to read xdm.pid file
+ xserver_read_xdm_pid($2)
+ # gnome-session creates socket under /tmp/.ICE-unix/
+ xserver_create_xdm_tmp_sockets($2)
+ # Needed for escd, remove if we get escd policy
+ xserver_manage_xdm_tmp_files($2)
+
+ # Client write xserver shm
+ tunable_policy(`allow_write_xshm',`
+ allow $2 xserver_t:shm rw_shm_perms;
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+ ')
+')
+
+########################################
+## <summary>
+## Rules required for using the X Windows server
+## and environment.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_role',`
+ gen_require(`
+ type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
+ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+ ')
+
+ xserver_restricted_role($1, $2)
+
+ # Communicate via System V shared memory.
+ allow $2 xserver_t:shm rw_shm_perms;
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+
+ allow $2 iceauth_home_t:file manage_file_perms;
+ allow $2 iceauth_home_t:file { relabelfrom relabelto };
+
+ allow $2 xauth_home_t:file manage_file_perms;
+ allow $2 xauth_home_t:file { relabelfrom relabelto };
+
+ manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
+ manage_files_pattern($2, user_fonts_t, user_fonts_t)
+ relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
+ relabel_files_pattern($2, user_fonts_t, user_fonts_t)
+
+ manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+ manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+ relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+ relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+
+ manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+
+')
+
+#######################################
+## <summary>
+## Create sessions on the X server, with read-only
+## access to the X server shared
+## memory segments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="tmpfs_type">
+## <summary>
+## The type of the domain SYSV tmpfs files.
+## </summary>
+## </param>
+#
+interface(`xserver_ro_session',`
+ gen_require(`
+ type xserver_t, xserver_tmp_t, xserver_tmpfs_t;
+ ')
+
+ # Xserver read/write client shm
+ allow xserver_t $1:fd use;
+ allow xserver_t $1:shm rw_shm_perms;
+ allow xserver_t $2:file rw_file_perms;
+
+ # Connect to xserver
+ allow $1 xserver_t:unix_stream_socket connectto;
+ allow $1 xserver_t:process signal;
+
+ # Read /tmp/.X0-lock
+ allow $1 xserver_tmp_t:file { getattr read };
+
+ # Client read xserver shm
+ allow $1 xserver_t:fd use;
+ allow $1 xserver_t:shm r_shm_perms;
+ allow $1 xserver_tmpfs_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Create sessions on the X server, with read and write
+## access to the X server shared
+## memory segments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="tmpfs_type">
+## <summary>
+## The type of the domain SYSV tmpfs files.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_session',`
+ gen_require(`
+ type xserver_t, xserver_tmpfs_t;
+ ')
+
+ xserver_ro_session($1,$2)
+ allow $1 xserver_t:shm rw_shm_perms;
+ allow $1 xserver_tmpfs_t:file rw_file_perms;
+')
+
+#######################################
+## <summary>
+## Create non-drawing client sessions on an X server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_non_drawing_client',`
+ gen_require(`
+ class x_drawable { getattr get_property };
+ class x_extension { query use };
+ class x_gc { create setattr };
+ class x_property read;
+
+ type xserver_t, xdm_var_run_t;
+ type xextension_t, xproperty_t, root_xdrawable_t;
+ ')
+
+ allow $1 self:x_gc { create setattr };
+
+ allow $1 xdm_var_run_t:dir search;
+ allow $1 xserver_t:unix_stream_socket connectto;
+
+ allow $1 xextension_t:x_extension { query use };
+ allow $1 root_xdrawable_t:x_drawable { getattr get_property };
+ allow $1 xproperty_t:x_property read;
+')
+
+#######################################
+## <summary>
+## Create full client sessions
+## on a user X server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="tmpfs_type">
+## <summary>
+## The type of the domain SYSV tmpfs files.
+## </summary>
+## </param>
+#
+interface(`xserver_user_client',`
+ refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
+ gen_require(`
+ type xdm_t, xdm_tmp_t;
+ type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+ ')
+
+ allow $1 self:shm create_shm_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
+
+ # Read .Xauthority file
+ allow $1 xauth_home_t:file { getattr read };
+ allow $1 iceauth_home_t:file { getattr read };
+
+ # for when /tmp/.X11-unix is created by the system
+ allow $1 xdm_t:fd use;
+ allow $1 xdm_t:fifo_file { getattr read write ioctl };
+ allow $1 xdm_tmp_t:dir search;
+ allow $1 xdm_tmp_t:sock_file { read write };
+ dontaudit $1 xdm_t:tcp_socket { read write };
+
+ # Allow connections to X server.
+ files_search_tmp($1)
+
+ miscfiles_read_fonts($1)
+
+ userdom_search_user_home_dirs($1)
+ # for .xsession-errors
+ userdom_dontaudit_write_user_home_content_files($1)
+
+ xserver_ro_session($1,$2)
+ xserver_use_user_fonts($1)
+
+ xserver_read_xdm_tmp_files($1)
+
+ # Client write xserver shm
+ tunable_policy(`allow_write_xshm',`
+ allow $1 xserver_t:shm rw_shm_perms;
+ allow $1 xserver_tmpfs_t:file rw_file_perms;
+ ')
+')
+
+#######################################
+## <summary>
+## Interface to provide X object permissions on a given X server to
+## an X client domain. Provides the minimal set required by a basic
+## X client application.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix of the X client domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Client domain allowed access.
+## </summary>
+## </param>
+#
+template(`xserver_common_x_domain_template',`
+ gen_require(`
+ type root_xdrawable_t;
+ type xproperty_t, $1_xproperty_t;
+ type xevent_t, client_xevent_t;
+ type input_xevent_t, $1_input_xevent_t;
+
+ attribute x_domain;
+ attribute xdrawable_type, xcolormap_type;
+ attribute input_xevent_type;
+
+ class x_drawable all_x_drawable_perms;
+ class x_property all_x_property_perms;
+ class x_event all_x_event_perms;
+ class x_synthetic_event all_x_synthetic_event_perms;
+ ')
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ # Type attributes
+ typeattribute $2 x_domain;
+ typeattribute $2 xdrawable_type, xcolormap_type;
+
+ # X Properties
+ # disable property transitions for the time being.
+# type_transition $2 xproperty_t:x_property $1_xproperty_t;
+
+ # X Windows
+ # new windows have the domain type
+ type_transition $2 root_xdrawable_t:x_drawable $2;
+
+ # X Input
+ # distinguish input events
+ type_transition $2 input_xevent_t:x_event $1_input_xevent_t;
+ # can send own events
+ allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send;
+ # can receive own events
+ allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
+ # can receive default events
+ allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
+ allow $2 xevent_t:{ x_event x_synthetic_event } receive;
+ # dont audit send failures
+ dontaudit $2 input_xevent_type:x_event send;
+')
+
+#######################################
+## <summary>
+## Template for creating the set of types used
+## in an X windows domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix of the X client domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`xserver_object_types_template',`
+ gen_require(`
+ attribute xproperty_type, input_xevent_type, xevent_type;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ # Types for properties
+ type $1_xproperty_t, xproperty_type;
+ ubac_constrained($1_xproperty_t)
+
+ # Types for events
+ type $1_input_xevent_t, input_xevent_type, xevent_type;
+ ubac_constrained($1_input_xevent_t)
+')
+
+#######################################
+## <summary>
+## Interface to provide X object permissions on a given X server to
+## an X client domain. Provides the minimal set required by a basic
+## X client application.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix of the X client domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Client domain allowed access.
+## </summary>
+## </param>
+## <param name="tmpfs_type">
+## <summary>
+## The type of the domain SYSV tmpfs files.
+## </summary>
+## </param>
+#
+template(`xserver_user_x_domain_template',`
+ gen_require(`
+ type xdm_t, xdm_tmp_t;
+ type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+ ')
+
+ allow $2 self:shm create_shm_perms;
+ allow $2 self:unix_dgram_socket create_socket_perms;
+ allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+
+ # Read .Xauthority file
+ allow $2 xauth_home_t:file read_file_perms;
+ allow $2 iceauth_home_t:file read_file_perms;
+
+ # for when /tmp/.X11-unix is created by the system
+ allow $2 xdm_t:fd use;
+ allow $2 xdm_t:fifo_file { getattr read write ioctl };
+ allow $2 xdm_tmp_t:dir search_dir_perms;
+ allow $2 xdm_tmp_t:sock_file { read write };
+ dontaudit $2 xdm_t:tcp_socket { read write };
+
+ # Allow connections to X server.
+ files_search_tmp($2)
+
+ miscfiles_read_fonts($2)
+
+ userdom_search_user_home_dirs($2)
+ # for .xsession-errors
+ userdom_dontaudit_write_user_home_content_files($2)
+
+ xserver_ro_session($2,$3)
+ xserver_use_user_fonts($2)
+
+ xserver_read_xdm_tmp_files($2)
+
+ # X object manager
+ xserver_object_types_template($1)
+ xserver_common_x_domain_template($1,$2)
+
+ # Client write xserver shm
+ tunable_policy(`allow_write_xshm',`
+ allow $2 xserver_t:shm rw_shm_perms;
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+ ')
+')
+
+########################################
+## <summary>
+## Read user fonts, user font configuration,
+## and manage the user font cache.
+## </summary>
+## <desc>
+## <p>
+## Read user fonts, user font configuration,
+## and manage the user font cache.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_use_user_fonts',`
+ gen_require(`
+ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+ ')
+
+ # Read per user fonts
+ allow $1 user_fonts_t:dir list_dir_perms;
+ allow $1 user_fonts_t:file read_file_perms;
+
+ # Manipulate the global font cache
+ manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+ manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+
+ # Read per user font config
+ allow $1 user_fonts_config_t:dir list_dir_perms;
+ allow $1 user_fonts_config_t:file read_file_perms;
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Transition to the Xauthority domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xserver_domtrans_xauth',`
+ gen_require(`
+ type xauth_t, xauth_exec_t;
+ ')
+
+ domtrans_pattern($1, xauth_exec_t, xauth_t)
+')
+
+########################################
+## <summary>
+## Create a Xauthority file in the user home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xauth',`
+ gen_require(`
+ type xauth_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file)
+')
+
+########################################
+## <summary>
+## Read all users fonts, user font configurations,
+## and manage all users font caches.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_use_all_users_fonts',`
+ refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.')
+ xserver_use_user_fonts($1)
+')
+
+########################################
+## <summary>
+## Read all users .Xauthority.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_user_xauth',`
+ gen_require(`
+ type xauth_home_t;
+ ')
+
+ allow $1 xauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Set the attributes of the X windows console named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_setattr_console_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file setattr;
+')
+
+########################################
+## <summary>
+## Read and write the X windows console named pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_console',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Use file descriptors for xdm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_use_xdm_fds',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit
+## XDM file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xserver_dontaudit_use_xdm_fds',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ dontaudit $1 xdm_t:fd use;
+')
+
+########################################
+## <summary>
+## Read and write XDM unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xdm_pipes',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:fifo_file { getattr read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## XDM unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xserver_dontaudit_rw_xdm_pipes',`
+
+ gen_require(`
+ type xdm_t;
+ ')
+
+ dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to XDM over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_stream_connect_xdm',`
+ gen_require(`
+ type xdm_t, xdm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
+')
+
+########################################
+## <summary>
+## Read xdm-writable configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_xdm_rw_config',`
+ gen_require(`
+ type xdm_rw_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 xdm_rw_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Set the attributes of XDM temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_setattr_xdm_tmp_dirs',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ allow $1 xdm_tmp_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Create a named socket in a XDM
+## temporary directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_create_xdm_tmp_sockets',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 xdm_tmp_t:dir list_dir_perms;
+ create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
+########################################
+## <summary>
+## Read XDM pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_xdm_pid',`
+ gen_require(`
+ type xdm_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 xdm_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read XDM var lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_xdm_lib_files',`
+ gen_require(`
+ type xdm_var_lib_t;
+ ')
+
+ allow $1 xdm_var_lib_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Make an X session script an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which the shell is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`xserver_xsession_entry_type',`
+ gen_require(`
+ type xsession_exec_t;
+ ')
+
+ domain_entry_file($1, xsession_exec_t)
+')
+
+########################################
+## <summary>
+## Execute an X session in the target domain. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <desc>
+## <p>
+## Execute an Xsession in the target domain. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the shell process.
+## </summary>
+## </param>
+#
+interface(`xserver_xsession_spec_domtrans',`
+ gen_require(`
+ type xsession_exec_t;
+ ')
+
+ domain_trans($1, xsession_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Get the attributes of X server logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_getattr_log',`
+ gen_require(`
+ type xserver_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 xserver_log_t:file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write the X server
+## log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xserver_dontaudit_write_log',`
+ gen_require(`
+ type xserver_log_t;
+ ')
+
+ dontaudit $1 xserver_log_t:file { append write };
+')
+
+########################################
+## <summary>
+## Delete X server log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_delete_log',`
+ gen_require(`
+ type xserver_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 xserver_log_t:dir list_dir_perms;
+ delete_files_pattern($1, xserver_log_t, xserver_log_t)
+ delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t)
+')
+
+########################################
+## <summary>
+## Read X keyboard extension libraries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_xkb_libs',`
+ gen_require(`
+ type xkb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 xkb_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
+ read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read xdm temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_xdm_tmp_files',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read xdm temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xserver_dontaudit_read_xdm_tmp_files',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+ dontaudit $1 xdm_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read write xdm temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xdm_tmp_files',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ allow $1 xdm_tmp_t:dir search_dir_perms;
+ allow $1 xdm_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete xdm temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xdm_tmp_files',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of
+## xdm temporary named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ dontaudit $1 xdm_tmp_t:sock_file getattr;
+')
+
+########################################
+## <summary>
+## Execute the X server in the X server domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xserver_domtrans',`
+ gen_require(`
+ type xserver_t, xserver_exec_t;
+ ')
+
+ allow $1 xserver_t:process siginh;
+ domtrans_pattern($1, xserver_exec_t, xserver_t)
+')
+
+########################################
+## <summary>
+## Signal X servers
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_signal',`
+ gen_require(`
+ type xserver_t;
+ ')
+
+ allow $1 xserver_t:process signal;
+')
+
+########################################
+## <summary>
+## Kill X servers
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_kill',`
+ gen_require(`
+ type xserver_t;
+ ')
+
+ allow $1 xserver_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Read and write X server Sys V Shared
+## memory segments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_shm',`
+ gen_require(`
+ type xserver_t;
+ ')
+
+ allow $1 xserver_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write to
+## X server sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xserver_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type xserver_t;
+ ')
+
+ dontaudit $1 xserver_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write X server
+## unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xserver_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type xserver_t;
+ ')
+
+ dontaudit $1 xserver_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Connect to the X server over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_stream_connect',`
+ gen_require(`
+ type xserver_t, xserver_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
+')
+
+########################################
+## <summary>
+## Read X server temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_tmp_files',`
+ gen_require(`
+ type xserver_tmp_t;
+ ')
+
+ allow $1 xserver_tmp_t:file read_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Interface to provide X object permissions on a given X server to
+## an X client domain. Gives the domain permission to read the
+## virtual core keyboard and virtual core pointer devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_core_devices',`
+ gen_require(`
+ type xserver_t;
+ class x_device all_x_device_perms;
+ class x_pointer all_x_pointer_perms;
+ class x_keyboard all_x_keyboard_perms;
+ ')
+
+ allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
+')
+
+########################################
+## <summary>
+## Interface to provide X object permissions on a given X server to
+## an X client domain. Gives the domain complete control over the
+## display.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_unconfined',`
+ gen_require(`
+ attribute x_domain;
+ attribute xserver_unconfined_type;
+ ')
+
+ typeattribute $1 x_domain;
+ typeattribute $1 xserver_unconfined_type;
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
new file mode 100644
index 00000000..ce12f7f5
--- /dev/null
+++ b/policy/modules/services/xserver.te
@@ -0,0 +1,1006 @@
+policy_module(xserver, 3.7.0)
+
+gen_require(`
+ class x_drawable all_x_drawable_perms;
+ class x_screen all_x_screen_perms;
+ class x_gc all_x_gc_perms;
+ class x_font all_x_font_perms;
+ class x_colormap all_x_colormap_perms;
+ class x_property all_x_property_perms;
+ class x_selection all_x_selection_perms;
+ class x_cursor all_x_cursor_perms;
+ class x_client all_x_client_perms;
+ class x_device all_x_device_perms;
+ class x_pointer all_x_pointer_perms;
+ class x_keyboard all_x_keyboard_perms;
+ class x_server all_x_server_perms;
+ class x_extension all_x_extension_perms;
+ class x_resource all_x_resource_perms;
+ class x_event all_x_event_perms;
+ class x_synthetic_event all_x_synthetic_event_perms;
+')
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allows clients to write to the X server shared
+## memory segments.
+## </p>
+## </desc>
+gen_tunable(allow_write_xshm, false)
+
+## <desc>
+## <p>
+## Allow xdm logins as sysadm
+## </p>
+## </desc>
+gen_tunable(xdm_sysadm_login, false)
+
+## <desc>
+## <p>
+## Support X userspace object manager
+## </p>
+## </desc>
+gen_tunable(xserver_object_manager, false)
+
+attribute x_domain;
+
+# X Events
+attribute xevent_type;
+attribute input_xevent_type;
+type xevent_t, xevent_type;
+typealias xevent_t alias { user_property_xevent_t staff_property_xevent_t sysadm_property_xevent_t };
+typealias xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t };
+typealias xevent_t alias { user_focus_xevent_t staff_focus_xevent_t sysadm_focus_xevent_t };
+typealias xevent_t alias { auditadm_focus_xevent_t secadm_focus_xevent_t };
+typealias xevent_t alias { user_manage_xevent_t staff_manage_xevent_t sysadm_manage_xevent_t };
+typealias xevent_t alias { auditadm_manage_xevent_t secadm_manage_xevent_t };
+typealias xevent_t alias { user_default_xevent_t staff_default_xevent_t sysadm_default_xevent_t };
+typealias xevent_t alias { auditadm_default_xevent_t secadm_default_xevent_t };
+
+type client_xevent_t, xevent_type;
+typealias client_xevent_t alias { user_client_xevent_t staff_client_xevent_t sysadm_client_xevent_t };
+typealias client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t };
+
+type input_xevent_t, xevent_type, input_xevent_type;
+
+# X Extensions
+attribute xextension_type;
+type xextension_t, xextension_type;
+type security_xextension_t, xextension_type;
+
+# X Properties
+attribute xproperty_type;
+type xproperty_t, xproperty_type;
+type seclabel_xproperty_t, xproperty_type;
+type clipboard_xproperty_t, xproperty_type;
+
+# X Selections
+attribute xselection_type;
+type xselection_t, xselection_type;
+type clipboard_xselection_t, xselection_type;
+#type settings_xselection_t, xselection_type;
+#type dbus_xselection_t, xselection_type;
+
+# X Drawables
+attribute xdrawable_type;
+attribute xcolormap_type;
+type root_xdrawable_t, xdrawable_type;
+type root_xcolormap_t, xcolormap_type;
+
+attribute xserver_unconfined_type;
+
+xserver_object_types_template(root)
+xserver_object_types_template(user)
+
+typealias user_xproperty_t alias { staff_xproperty_t sysadm_xproperty_t };
+typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t };
+typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t };
+typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t };
+
+type remote_t;
+xserver_object_types_template(remote)
+xserver_common_x_domain_template(remote, remote_t)
+
+type user_fonts_t;
+typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
+typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
+userdom_user_home_content(user_fonts_t)
+
+type user_fonts_cache_t;
+typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
+typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
+userdom_user_home_content(user_fonts_cache_t)
+
+type user_fonts_config_t;
+typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
+typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
+userdom_user_home_content(user_fonts_config_t)
+
+type iceauth_t;
+type iceauth_exec_t;
+typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t };
+typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
+userdom_user_application_domain(iceauth_t, iceauth_exec_t)
+
+type iceauth_home_t;
+typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
+typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
+userdom_user_home_content(iceauth_home_t)
+
+type xauth_t;
+type xauth_exec_t;
+typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
+typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
+userdom_user_application_domain(xauth_t, xauth_exec_t)
+
+type xauth_home_t;
+typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
+typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
+userdom_user_home_content(xauth_home_t)
+
+type xauth_tmp_t;
+typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
+typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
+userdom_user_tmp_file(xauth_tmp_t)
+
+# this is not actually a device, its a pipe
+type xconsole_device_t;
+files_type(xconsole_device_t)
+fs_associate_tmpfs(xconsole_device_t)
+files_associate_tmp(xconsole_device_t)
+
+type xdm_t;
+type xdm_exec_t;
+auth_login_pgm_domain(xdm_t)
+init_domain(xdm_t, xdm_exec_t)
+init_daemon_domain(xdm_t, xdm_exec_t)
+xserver_object_types_template(xdm)
+xserver_common_x_domain_template(xdm, xdm_t)
+
+type xdm_lock_t;
+files_lock_file(xdm_lock_t)
+
+type xdm_rw_etc_t;
+files_type(xdm_rw_etc_t)
+
+type xdm_var_lib_t;
+files_type(xdm_var_lib_t)
+
+type xdm_var_run_t;
+files_pid_file(xdm_var_run_t)
+
+type xdm_tmp_t;
+files_tmp_file(xdm_tmp_t)
+typealias xdm_tmp_t alias ice_tmp_t;
+
+type xdm_tmpfs_t;
+files_tmpfs_file(xdm_tmpfs_t)
+
+# type for /var/lib/xkb
+type xkb_var_lib_t;
+files_type(xkb_var_lib_t)
+
+# Type for the executable used to start the X server, e.g. Xwrapper.
+type xserver_t;
+type xserver_exec_t;
+typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t };
+typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+init_system_domain(xserver_t, xserver_exec_t)
+ubac_constrained(xserver_t)
+
+type xserver_tmp_t;
+typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
+typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
+userdom_user_tmp_file(xserver_tmp_t)
+
+type xserver_tmpfs_t;
+typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
+typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
+userdom_user_tmpfs_file(xserver_tmpfs_t)
+
+type xsession_exec_t;
+corecmd_executable_file(xsession_exec_t)
+
+# Type for the X server log file.
+type xserver_log_t;
+logging_log_file(xserver_log_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
+')
+
+optional_policy(`
+ prelink_object_file(xkb_var_lib_t)
+')
+
+########################################
+#
+# Iceauth local policy
+#
+
+allow iceauth_t iceauth_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+
+allow xdm_t iceauth_home_t:file read_file_perms;
+
+files_search_tmp(iceauth_t)
+fs_search_auto_mountpoints(iceauth_t)
+
+userdom_use_user_terminals(iceauth_t)
+userdom_read_user_tmp_files(iceauth_t)
+
+getty_use_fds(iceauth_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(iceauth_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(iceauth_t)
+')
+
+########################################
+#
+# Xauth local policy
+#
+
+allow xauth_t self:process signal;
+allow xauth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow xauth_t xauth_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
+
+manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
+manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
+files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
+
+allow xdm_t xauth_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+
+kernel_request_load_module(xauth_t)
+
+domain_use_interactive_fds(xauth_t)
+
+files_read_etc_files(xauth_t)
+files_search_pids(xauth_t)
+
+fs_getattr_xattr_fs(xauth_t)
+fs_search_auto_mountpoints(xauth_t)
+
+# cjp: why?
+term_use_ptmx(xauth_t)
+
+auth_use_nsswitch(xauth_t)
+
+userdom_use_user_terminals(xauth_t)
+userdom_read_user_tmp_files(xauth_t)
+userdom_read_user_tmp_files(xserver_t)
+
+xserver_rw_xdm_tmp_files(xauth_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(xauth_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(xauth_t)
+')
+
+optional_policy(`
+ ssh_sigchld(xauth_t)
+ ssh_read_pipes(xauth_t)
+ ssh_dontaudit_rw_tcp_sockets(xauth_t)
+')
+
+########################################
+#
+# XDM Local policy
+#
+
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:fifo_file rw_fifo_file_perms;
+allow xdm_t self:shm create_shm_perms;
+allow xdm_t self:sem create_sem_perms;
+allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:tcp_socket create_stream_socket_perms;
+allow xdm_t self:udp_socket create_socket_perms;
+allow xdm_t self:socket create_socket_perms;
+allow xdm_t self:appletalk_socket create_socket_perms;
+allow xdm_t self:key { search link write };
+
+allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+
+# Allow gdm to run gdm-binary
+can_exec(xdm_t, xdm_exec_t)
+
+allow xdm_t xdm_lock_t:file manage_file_perms;
+files_lock_filetrans(xdm_t, xdm_lock_t, file)
+
+# wdm has its own config dir /etc/X11/wdm
+# this is ugly, daemons should not create files under /etc!
+manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
+
+manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
+
+manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
+
+allow xdm_t xserver_t:process signal;
+allow xdm_t xserver_t:unix_stream_socket connectto;
+
+allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
+allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
+
+# transition to the xdm xserver
+domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
+allow xserver_t xdm_t:process signal;
+allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
+
+allow xdm_t xserver_t:shm rw_shm_perms;
+
+# connect to xdm xserver over stream socket
+stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+
+# Remove /tmp/.X11-unix/X0.
+delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
+delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
+
+manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
+manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
+manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
+logging_log_filetrans(xdm_t, xserver_log_t, file)
+
+kernel_read_system_state(xdm_t)
+kernel_read_kernel_sysctls(xdm_t)
+kernel_read_net_sysctls(xdm_t)
+kernel_read_network_state(xdm_t)
+
+corecmd_exec_shell(xdm_t)
+corecmd_exec_bin(xdm_t)
+
+corenet_all_recvfrom_unlabeled(xdm_t)
+corenet_all_recvfrom_netlabel(xdm_t)
+corenet_tcp_sendrecv_generic_if(xdm_t)
+corenet_udp_sendrecv_generic_if(xdm_t)
+corenet_tcp_sendrecv_generic_node(xdm_t)
+corenet_udp_sendrecv_generic_node(xdm_t)
+corenet_tcp_sendrecv_all_ports(xdm_t)
+corenet_udp_sendrecv_all_ports(xdm_t)
+corenet_tcp_bind_generic_node(xdm_t)
+corenet_udp_bind_generic_node(xdm_t)
+corenet_tcp_connect_all_ports(xdm_t)
+corenet_sendrecv_all_client_packets(xdm_t)
+# xdm tries to bind to biff_port_t
+corenet_dontaudit_tcp_bind_all_ports(xdm_t)
+
+dev_read_rand(xdm_t)
+dev_read_sysfs(xdm_t)
+dev_getattr_framebuffer_dev(xdm_t)
+dev_setattr_framebuffer_dev(xdm_t)
+dev_getattr_mouse_dev(xdm_t)
+dev_setattr_mouse_dev(xdm_t)
+dev_rw_apm_bios(xdm_t)
+dev_setattr_apm_bios_dev(xdm_t)
+dev_rw_dri(xdm_t)
+dev_rw_agp(xdm_t)
+dev_getattr_xserver_misc_dev(xdm_t)
+dev_setattr_xserver_misc_dev(xdm_t)
+dev_getattr_misc_dev(xdm_t)
+dev_setattr_misc_dev(xdm_t)
+dev_dontaudit_rw_misc(xdm_t)
+dev_getattr_video_dev(xdm_t)
+dev_setattr_video_dev(xdm_t)
+dev_getattr_scanner_dev(xdm_t)
+dev_setattr_scanner_dev(xdm_t)
+dev_getattr_sound_dev(xdm_t)
+dev_setattr_sound_dev(xdm_t)
+dev_getattr_power_mgmt_dev(xdm_t)
+dev_setattr_power_mgmt_dev(xdm_t)
+
+domain_use_interactive_fds(xdm_t)
+# Do not audit denied probes of /proc.
+domain_dontaudit_read_all_domains_state(xdm_t)
+
+files_read_etc_files(xdm_t)
+files_read_var_files(xdm_t)
+files_read_etc_runtime_files(xdm_t)
+files_exec_etc_files(xdm_t)
+files_list_mnt(xdm_t)
+# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
+files_read_usr_files(xdm_t)
+# Poweroff wants to create the /poweroff file when run from xdm
+files_create_boot_flag(xdm_t)
+
+fs_getattr_all_fs(xdm_t)
+fs_search_auto_mountpoints(xdm_t)
+
+storage_dontaudit_read_fixed_disk(xdm_t)
+storage_dontaudit_write_fixed_disk(xdm_t)
+storage_dontaudit_setattr_fixed_disk_dev(xdm_t)
+storage_dontaudit_raw_read_removable_device(xdm_t)
+storage_dontaudit_raw_write_removable_device(xdm_t)
+storage_dontaudit_setattr_removable_dev(xdm_t)
+storage_dontaudit_rw_scsi_generic(xdm_t)
+
+term_setattr_console(xdm_t)
+term_use_unallocated_ttys(xdm_t)
+term_setattr_unallocated_ttys(xdm_t)
+
+auth_domtrans_pam_console(xdm_t)
+auth_manage_pam_pid(xdm_t)
+auth_manage_pam_console_data(xdm_t)
+auth_rw_faillog(xdm_t)
+auth_write_login_records(xdm_t)
+
+# Run telinit->init to shutdown.
+init_telinit(xdm_t)
+
+libs_exec_lib_files(xdm_t)
+
+logging_read_generic_logs(xdm_t)
+
+miscfiles_read_localization(xdm_t)
+miscfiles_read_fonts(xdm_t)
+
+sysnet_read_config(xdm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(xdm_t)
+userdom_create_all_users_keys(xdm_t)
+# for .dmrc
+userdom_read_user_home_content_files(xdm_t)
+# Search /proc for any user domain processes.
+userdom_read_all_users_state(xdm_t)
+userdom_signal_all_users(xdm_t)
+
+xserver_rw_session(xdm_t, xdm_tmpfs_t)
+xserver_unconfined(xdm_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(xdm_t)
+ fs_manage_nfs_files(xdm_t)
+ fs_manage_nfs_symlinks(xdm_t)
+ fs_exec_nfs_files(xdm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(xdm_t)
+ fs_manage_cifs_files(xdm_t)
+ fs_manage_cifs_symlinks(xdm_t)
+ fs_exec_cifs_files(xdm_t)
+')
+
+tunable_policy(`xdm_sysadm_login',`
+ userdom_xsession_spec_domtrans_all_users(xdm_t)
+ # FIXME:
+# xserver_rw_session_template(xdm,userdomain)
+',`
+ userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
+ # FIXME:
+# xserver_rw_session_template(xdm,unpriv_userdomain)
+# dontaudit xserver_t sysadm_t:shm { unix_read unix_write };
+# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
+')
+
+optional_policy(`
+ alsa_domtrans(xdm_t)
+')
+
+optional_policy(`
+ consolekit_dbus_chat(xdm_t)
+')
+
+optional_policy(`
+ consoletype_exec(xdm_t)
+')
+
+optional_policy(`
+ # Talk to the console mouse server.
+ gpm_stream_connect(xdm_t)
+ gpm_setattr_gpmctl(xdm_t)
+')
+
+optional_policy(`
+ hostname_exec(xdm_t)
+')
+
+optional_policy(`
+ loadkeys_exec(xdm_t)
+')
+
+optional_policy(`
+ locallogin_signull(xdm_t)
+')
+
+optional_policy(`
+ # Do not audit attempts to check whether user root has email
+ mta_dontaudit_getattr_spool_files(xdm_t)
+')
+
+optional_policy(`
+ resmgr_stream_connect(xdm_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(xdm_t)
+')
+
+optional_policy(`
+ udev_read_db(xdm_t)
+')
+
+optional_policy(`
+ unconfined_domain(xdm_t)
+ unconfined_domtrans(xdm_t)
+
+ ifndef(`distro_redhat',`
+ allow xdm_t self:process { execheap execmem };
+ ')
+
+ ifdef(`distro_rhel4',`
+ allow xdm_t self:process { execheap execmem };
+ ')
+')
+
+optional_policy(`
+ userhelper_dontaudit_search_config(xdm_t)
+')
+
+optional_policy(`
+ usermanage_read_crack_db(xdm_t)
+')
+
+optional_policy(`
+ xfs_stream_connect(xdm_t)
+')
+
+########################################
+#
+# X server local policy
+#
+
+# X Object Manager rules
+type_transition xserver_t xserver_t:x_drawable root_xdrawable_t;
+type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
+
+allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
+allow xserver_t input_xevent_t:x_event send;
+
+# Allow X to process keyboard events
+udev_read_db(xserver_t)
+
+# setuid/setgid for the wrapper program to change UID
+# sys_rawio is for iopl access - should not be needed for frame-buffer
+# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
+# admin of APM bios?
+# sys_nice is so that the X server can set a negative nice value
+# execheap needed until the X module loader is fixed.
+# NVIDIA Needs execstack
+
+allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+dontaudit xserver_t self:capability chown;
+allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow xserver_t self:fd use;
+allow xserver_t self:fifo_file rw_fifo_file_perms;
+allow xserver_t self:sock_file read_sock_file_perms;
+allow xserver_t self:shm create_shm_perms;
+allow xserver_t self:sem create_sem_perms;
+allow xserver_t self:msgq create_msgq_perms;
+allow xserver_t self:msg { send receive };
+allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow xserver_t self:tcp_socket create_stream_socket_perms;
+allow xserver_t self:udp_socket create_socket_perms;
+allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+
+filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
+
+manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+files_search_var_lib(xserver_t)
+
+domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
+allow xserver_t xauth_home_t:file read_file_perms;
+
+# Create files in /var/log with the xserver_log_t type.
+manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
+logging_log_filetrans(xserver_t, xserver_log_t, file)
+
+domain_dontaudit_search_all_domains_state(xserver_t)
+
+kernel_read_system_state(xserver_t)
+kernel_read_device_sysctls(xserver_t)
+kernel_read_modprobe_sysctls(xserver_t)
+# Xorg wants to check if kernel is tainted
+kernel_read_kernel_sysctls(xserver_t)
+kernel_write_proc_files(xserver_t)
+
+# Run helper programs in xserver_t.
+corecmd_exec_bin(xserver_t)
+corecmd_exec_shell(xserver_t)
+
+corenet_all_recvfrom_unlabeled(xserver_t)
+corenet_all_recvfrom_netlabel(xserver_t)
+corenet_tcp_sendrecv_generic_if(xserver_t)
+corenet_udp_sendrecv_generic_if(xserver_t)
+corenet_tcp_sendrecv_generic_node(xserver_t)
+corenet_udp_sendrecv_generic_node(xserver_t)
+corenet_tcp_sendrecv_all_ports(xserver_t)
+corenet_udp_sendrecv_all_ports(xserver_t)
+corenet_tcp_bind_generic_node(xserver_t)
+corenet_tcp_bind_xserver_port(xserver_t)
+corenet_tcp_connect_all_ports(xserver_t)
+corenet_sendrecv_xserver_server_packets(xserver_t)
+corenet_sendrecv_all_client_packets(xserver_t)
+
+dev_rw_sysfs(xserver_t)
+dev_rw_mouse(xserver_t)
+dev_rw_mtrr(xserver_t)
+dev_rw_apm_bios(xserver_t)
+dev_rw_agp(xserver_t)
+dev_rw_framebuffer(xserver_t)
+dev_manage_dri_dev(xserver_t)
+dev_filetrans_dri(xserver_t)
+dev_create_generic_dirs(xserver_t)
+dev_setattr_generic_dirs(xserver_t)
+# raw memory access is needed if not using the frame buffer
+dev_read_raw_memory(xserver_t)
+dev_wx_raw_memory(xserver_t)
+# for other device nodes such as the NVidia binary-only driver
+dev_rw_xserver_misc(xserver_t)
+# read events - the synaptics touchpad driver reads raw events
+dev_rw_input_dev(xserver_t)
+dev_rwx_zero(xserver_t)
+
+files_read_etc_files(xserver_t)
+files_read_etc_runtime_files(xserver_t)
+files_read_usr_files(xserver_t)
+
+# brought on by rhgb
+files_search_mnt(xserver_t)
+# for nscd
+files_dontaudit_search_pids(xserver_t)
+
+fs_getattr_xattr_fs(xserver_t)
+fs_search_nfs(xserver_t)
+fs_search_auto_mountpoints(xserver_t)
+fs_search_ramfs(xserver_t)
+
+mls_xwin_read_to_clearance(xserver_t)
+
+selinux_validate_context(xserver_t)
+selinux_compute_access_vector(xserver_t)
+selinux_compute_create_context(xserver_t)
+
+auth_use_nsswitch(xserver_t)
+
+init_getpgid(xserver_t)
+
+term_setattr_unallocated_ttys(xserver_t)
+term_use_unallocated_ttys(xserver_t)
+
+getty_use_fds(xserver_t)
+
+locallogin_use_fds(xserver_t)
+
+logging_send_syslog_msg(xserver_t)
+logging_send_audit_msgs(xserver_t)
+
+miscfiles_read_localization(xserver_t)
+miscfiles_read_fonts(xserver_t)
+
+modutils_domtrans_insmod(xserver_t)
+
+# read x_contexts
+seutil_read_default_contexts(xserver_t)
+
+userdom_search_user_home_dirs(xserver_t)
+userdom_use_user_ttys(xserver_t)
+userdom_setattr_user_ttys(xserver_t)
+userdom_read_user_tmp_files(xserver_t)
+userdom_rw_user_tmpfs_files(xserver_t)
+
+xserver_use_user_fonts(xserver_t)
+
+ifndef(`distro_redhat',`
+ allow xserver_t self:process { execmem execheap execstack };
+ domain_mmap_low_uncond(xserver_t)
+')
+
+ifdef(`distro_rhel4',`
+ allow xserver_t self:process { execmem execheap execstack };
+')
+
+ifdef(`enable_mls',`
+ range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
+ range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
+')
+
+tunable_policy(`!xserver_object_manager',`
+ # should be xserver_unconfined(xserver_t),
+ # but typeattribute doesnt work in conditionals
+
+ allow xserver_t xserver_t:x_server *;
+ allow xserver_t { x_domain root_xdrawable_t }:x_drawable *;
+ allow xserver_t xserver_t:x_screen *;
+ allow xserver_t x_domain:x_gc *;
+ allow xserver_t { x_domain root_xcolormap_t }:x_colormap *;
+ allow xserver_t xproperty_type:x_property *;
+ allow xserver_t xselection_type:x_selection *;
+ allow xserver_t x_domain:x_cursor *;
+ allow xserver_t x_domain:x_client *;
+ allow xserver_t { x_domain xserver_t }:x_device *;
+ allow xserver_t { x_domain xserver_t }:x_pointer *;
+ allow xserver_t { x_domain xserver_t }:x_keyboard *;
+ allow xserver_t xextension_type:x_extension *;
+ allow xserver_t { x_domain xserver_t }:x_resource *;
+ allow xserver_t xevent_type:{ x_event x_synthetic_event } *;
+')
+
+optional_policy(`
+ apm_stream_connect(xserver_t)
+')
+
+optional_policy(`
+ auth_search_pam_console_data(xserver_t)
+')
+
+optional_policy(`
+ rhgb_getpgid(xserver_t)
+ rhgb_signal(xserver_t)
+')
+
+optional_policy(`
+ udev_read_db(xserver_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(xserver_t)
+ unconfined_domtrans(xserver_t)
+')
+
+optional_policy(`
+ userhelper_search_config(xserver_t)
+')
+
+optional_policy(`
+ xfs_stream_connect(xserver_t)
+')
+
+########################################
+#
+# XDM Xserver local policy
+#
+# cjp: when xdm is configurable via tunable these
+# rules will be enabled only when xdm is enabled
+
+allow xserver_t xdm_t:process { signal getpgid };
+allow xserver_t xdm_t:shm rw_shm_perms;
+
+# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
+# handle of a file inside the dir!!!
+allow xserver_t xdm_var_lib_t:file { getattr read };
+dontaudit xserver_t xdm_var_lib_t:dir search;
+
+allow xserver_t xdm_var_run_t:file read_file_perms;
+
+# Label pid and temporary files with derived types.
+manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+
+# Run xkbcomp.
+allow xserver_t xkb_var_lib_t:lnk_file read;
+can_exec(xserver_t, xkb_var_lib_t)
+
+# VNC v4 module in X server
+corenet_tcp_bind_vnc_port(xserver_t)
+
+init_use_fds(xserver_t)
+
+# FIXME: After per user fonts are properly working
+# xserver_t may no longer have any reason
+# to read ROLE_home_t - examine this in more detail
+# (xauth?)
+userdom_read_user_home_content_files(xserver_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(xserver_t)
+ fs_manage_nfs_files(xserver_t)
+ fs_manage_nfs_symlinks(xserver_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(xserver_t)
+ fs_manage_cifs_files(xserver_t)
+ fs_manage_cifs_symlinks(xserver_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(xserver_t)
+ hal_dbus_chat(xserver_t)
+')
+
+optional_policy(`
+ resmgr_stream_connect(xdm_t)
+')
+
+optional_policy(`
+ rhgb_rw_shm(xserver_t)
+ rhgb_rw_tmpfs_files(xserver_t)
+')
+
+########################################
+#
+# Rules common to all X window domains
+#
+
+# Hacks
+# everyone can do override-redirect windows.
+# this could be used to spoof labels
+allow x_domain self:x_drawable override;
+# firefox gets nosy with other people's windows
+allow x_domain x_domain:x_drawable { list_child receive };
+
+# X Server
+# can get X server attributes
+allow x_domain xserver_t:x_server getattr;
+# can grab the server
+allow x_domain xserver_t:x_server grab;
+# can read and write server-owned generic resources
+allow x_domain xserver_t:x_resource { read write };
+# can mess with own clients
+allow x_domain self:x_client { getattr manage destroy };
+
+# X Protocol Extensions
+allow x_domain xextension_t:x_extension { query use };
+allow x_domain security_xextension_t:x_extension { query use };
+
+# X Properties
+# can change properties of root window
+allow x_domain root_xdrawable_t:x_drawable { list_property get_property set_property };
+# can change properties of my own windows
+allow x_domain self:x_drawable { list_property get_property set_property };
+# can read and write cut buffers
+allow x_domain clipboard_xproperty_t:x_property { create read write append };
+# can read security labels
+allow x_domain seclabel_xproperty_t:x_property { getattr read };
+# can change all other properties
+allow x_domain xproperty_t:x_property { getattr create read write append destroy };
+
+# X Windows
+# operations allowed on root windows
+allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
+# operations allowed on my windows
+allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
+allow x_domain self:x_drawable { blend };
+# operations allowed on all windows
+allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
+
+# X Colormaps
+# can use the default colormap
+allow x_domain root_xcolormap_t:x_colormap { read use add_color remove_color install uninstall };
+# can create and use colormaps
+allow x_domain self:x_colormap *;
+
+# X Devices
+# operations allowed on my own devices
+allow x_domain self:{ x_device x_pointer x_keyboard } *;
+# operations allowed on generic devices
+allow x_domain xserver_t:x_device { use getattr setattr getfocus setfocus bell grab freeze force_cursor };
+# operations allowed on core keyboard
+allow x_domain xserver_t:x_keyboard { use getattr setattr getfocus setfocus bell grab };
+# operations allowed on core pointer
+allow x_domain xserver_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor };
+
+# all devices can generate input events
+allow x_domain root_xdrawable_t:x_drawable send;
+allow x_domain x_domain:x_drawable send;
+allow x_domain input_xevent_t:x_event send;
+
+# dontaudit keyloggers repeatedly polling
+#dontaudit x_domain xserver_t:x_keyboard read;
+
+# X Input
+# can receive default events
+allow x_domain xevent_t:{ x_event x_synthetic_event } receive;
+# can receive ICCCM events
+allow x_domain client_xevent_t:{ x_event x_synthetic_event } receive;
+# can send ICCCM events to the root window
+allow x_domain client_xevent_t:x_synthetic_event send;
+# can receive root window input events
+allow x_domain root_input_xevent_t:x_event receive;
+
+# X Selections
+# can use the clipboard
+allow x_domain clipboard_xselection_t:x_selection { getattr setattr read };
+# can use default selections
+allow x_domain xselection_t:x_selection { getattr setattr read };
+
+# Other X Objects
+# can create and use cursors
+allow x_domain self:x_cursor *;
+# can create and use graphics contexts
+allow x_domain self:x_gc *;
+# can read and write own objects
+allow x_domain self:x_resource { read write };
+# can mess with the screensaver
+allow x_domain xserver_t:x_screen { getattr saver_getattr };
+
+########################################
+#
+# Rules for unconfined access to this module
+#
+
+tunable_policy(`! xserver_object_manager',`
+ # should be xserver_unconfined(x_domain),
+ # but typeattribute doesnt work in conditionals
+
+ allow x_domain xserver_t:x_server *;
+ allow x_domain xdrawable_type:x_drawable *;
+ allow x_domain xserver_t:x_screen *;
+ allow x_domain x_domain:x_gc *;
+ allow x_domain xcolormap_type:x_colormap *;
+ allow x_domain xproperty_type:x_property *;
+ allow x_domain xselection_type:x_selection *;
+ allow x_domain x_domain:x_cursor *;
+ allow x_domain x_domain:x_client *;
+ allow x_domain { x_domain xserver_t }:x_device *;
+ allow x_domain { x_domain xserver_t }:x_pointer *;
+ allow x_domain { x_domain xserver_t }:x_keyboard *;
+ allow x_domain xextension_type:x_extension *;
+ allow x_domain { x_domain xserver_t }:x_resource *;
+ allow x_domain xevent_type:{ x_event x_synthetic_event } *;
+')
+
+allow xserver_unconfined_type xserver_t:x_server *;
+allow xserver_unconfined_type xdrawable_type:x_drawable *;
+allow xserver_unconfined_type xserver_t:x_screen *;
+allow xserver_unconfined_type x_domain:x_gc *;
+allow xserver_unconfined_type xcolormap_type:x_colormap *;
+allow xserver_unconfined_type xproperty_type:x_property *;
+allow xserver_unconfined_type xselection_type:x_selection *;
+allow xserver_unconfined_type x_domain:x_cursor *;
+allow xserver_unconfined_type x_domain:x_client *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+allow xserver_unconfined_type xextension_type:x_extension *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
+allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
diff --git a/policy/modules/system/application.fc b/policy/modules/system/application.fc
new file mode 100644
index 00000000..08133f3c
--- /dev/null
+++ b/policy/modules/system/application.fc
@@ -0,0 +1 @@
+# No application file contexts.
diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
new file mode 100644
index 00000000..1b6619e6
--- /dev/null
+++ b/policy/modules/system/application.if
@@ -0,0 +1,207 @@
+## <summary>Policy for user executable applications.</summary>
+
+########################################
+## <summary>
+## Make the specified type usable as an application domain.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a domain type.
+## </summary>
+## </param>
+#
+interface(`application_type',`
+ gen_require(`
+ attribute application_domain_type;
+ ')
+
+ typeattribute $1 application_domain_type;
+
+ # start with basic domain
+ domain_type($1)
+')
+
+########################################
+## <summary>
+## Make the specified type usable for files
+## that are exectuables, such as binary programs.
+## This does not include shared libraries.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used for files.
+## </summary>
+## </param>
+#
+interface(`application_executable_file',`
+ gen_require(`
+ attribute application_exec_type;
+ ')
+
+ typeattribute $1 application_exec_type;
+
+ corecmd_executable_file($1)
+')
+
+########################################
+## <summary>
+## Execute application executables in the caller domain.
+## </summary>
+## <param name="type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`application_exec',`
+ gen_require(`
+ attribute application_exec_type;
+ ')
+
+ can_exec($1, application_exec_type)
+')
+
+########################################
+## <summary>
+## Execute all executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`application_exec_all',`
+ corecmd_dontaudit_exec_all_executables($1)
+ corecmd_exec_bin($1)
+ corecmd_exec_shell($1)
+ corecmd_exec_chroot($1)
+
+ application_exec($1)
+')
+
+########################################
+## <summary>
+## Create a domain for applications.
+## </summary>
+## <desc>
+## <p>
+## Create a domain for applications. Typically these are
+## programs that are run interactively.
+## </p>
+## <p>
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used as an application domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`application_domain',`
+ application_type($1)
+ application_executable_file($2)
+ domain_entry_file($1, $2)
+')
+
+########################################
+## <summary>
+## Send null signals to all application domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`application_signull',`
+ gen_require(`
+ attribute application_domain_type;
+ ')
+
+ allow $1 application_domain_type:process signull;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send null signals
+## to all application domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`application_dontaudit_signull',`
+ gen_require(`
+ attribute application_domain_type;
+ ')
+
+ dontaudit $1 application_domain_type:process signull;
+')
+
+########################################
+## <summary>
+## Send general signals to all application domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`application_signal',`
+ gen_require(`
+ attribute application_domain_type;
+ ')
+
+ allow $1 application_domain_type:process signal;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send general signals
+## to all application domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`application_dontaudit_signal',`
+ gen_require(`
+ attribute application_domain_type;
+ ')
+
+ dontaudit $1 application_domain_type:process signal;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send kill signals
+## to all application domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`application_dontaudit_sigkill',`
+ gen_require(`
+ attribute application_domain_type;
+ ')
+
+ dontaudit $1 application_domain_type:process sigkill;
+')
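Review bot: The `application_exec` interface declares `<param name="type">` while its summary reads "Domain allowed access" and every other domain-taking interface in this file (`application_exec_all`, `application_signull`, `application_signal`, …) uses `<param name="domain">`; renaming it to `<param name="domain">` keeps the generated interface documentation consistent. The summary of `application_executable_file` misspells "executables" as `exectuables`. The `<desc>` of `application_domain` states that it makes `files_type()` redundant; that only holds if `corecmd_executable_file()` applies a file type, which is not visible in this hunk, so it is worth confirming before the docstring is relied on.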
diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
new file mode 100644
index 00000000..c6fdab72
--- /dev/null
+++ b/policy/modules/system/application.te
@@ -0,0 +1,20 @@
+policy_module(application, 1.2.0)
+
+# Attribute of user applications
+attribute application_domain_type;
+
+# Executables to be run by user
+attribute application_exec_type;
+
+optional_policy(`
+ cron_sigchld(application_domain_type)
+')
+
+optional_policy(`
+ ssh_sigchld(application_domain_type)
+ ssh_rw_stream_sockets(application_domain_type)
+')
+
+optional_policy(`
+ sudo_sigchld(application_domain_type)
+')
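Review bot: The three `optional_policy` blocks carry no comment saying why `cron_sigchld`, `ssh_sigchld` and `sudo_sigchld` are granted to every application domain through the attribute; a one-line comment above the first block such as `# Let applications started under cron, ssh or sudo notify their parent on exit (sigchld)` would record the intent, which is presumably parent notification but is inferred rather than visible here. `ssh_rw_stream_sockets(application_domain_type)` is a broader grant than the sigchld ones and applies to all application domains at once; if only some of them need it, a comment justifying the attribute-wide placement (or a narrower placement) would help later audits.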
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
new file mode 100644
index 00000000..1226c32c
--- /dev/null
+++ b/policy/modules/system/authlogin.fc
@@ -0,0 +1,51 @@
+
+/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
+
+ifndef(`distro_gentoo',`
+/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+')
+/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+
+/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
+/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
+/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
+/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ifdef(`distro_suse', `
+/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+')
+
+/usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0)
+
+/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
+/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ifdef(`distro_gentoo', `
+/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+')
+
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
+
+/var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+
+/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
+/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
+/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
+/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0)
+/var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0)
+/var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
+/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0)
+/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
+
+/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
+/var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)
+/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
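Review bot: `/etc/shadow.*`, `/etc/gshadow.*` and `/var/db/shadow.*` use `.*` in an anchored file-context regex, so any file under that directory whose name merely begins with `shadow`/`gshadow` is labelled shadow_t, not only the file, its `-` backup and its `.lock` file; a pattern listing the suffixes the shadow tools actually create, e.g. `/etc/shadow(-|\.lock)?` (illustrative — confirm the real suffix set), would avoid mislabelling unrelated files, whose failure mode is spurious denials rather than a permission leak. `/var/log/dmesg` and `/var/log/syslog` are labelled with the generic var_log_t from within the authlogin module; they appear to belong in the logging module's file contexts, and if they are intentionally here a comment should say why. The last entry `/var/(db|lib|adm)/sudo(/.*)?` is out of the file's sorted order; moving it next to the other `/var/db` and `/var/lib` entries keeps the file easier to audit.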
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
new file mode 100644
index 00000000..d51181fc
--- /dev/null
+++ b/policy/modules/system/authlogin.if
@@ -0,0 +1,1822 @@
+## <summary>Common policy for authentication and user login.</summary>
+
+########################################
+## <summary>
+## Role access for password authentication.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_role',`
+ gen_require(`
+ type chkpwd_t, chkpwd_exec_t, shadow_t;
+ ')
+
+ role $1 types chkpwd_t;
+
+ # Transition from the user domain to this domain.
+ domtrans_pattern($2, chkpwd_exec_t, chkpwd_t)
+
+ ps_process_pattern($2, chkpwd_t)
+
+ dontaudit $2 shadow_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Use PAM for authentication.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_use_pam',`
+
+ # for SSP/ProPolice
+ dev_read_urand($1)
+ # for encrypted homedir
+ dev_read_sysfs($1)
+
+ auth_domtrans_chk_passwd($1)
+ auth_domtrans_upd_passwd($1)
+ auth_dontaudit_read_shadow($1)
+ auth_read_login_records($1)
+ auth_append_login_records($1)
+ auth_rw_lastlog($1)
+ auth_rw_faillog($1)
+ auth_exec_pam($1)
+ auth_use_nsswitch($1)
+
+ logging_send_audit_msgs($1)
+ logging_send_syslog_msg($1)
+
+ optional_policy(`
+ dbus_system_bus_client($1)
+
+ optional_policy(`
+ consolekit_dbus_chat($1)
+ ')
+
+ optional_policy(`
+ fprintd_dbus_chat($1)
+ ')
+ ')
+
+ optional_policy(`
+ kerberos_manage_host_rcache($1)
+ kerberos_read_config($1)
+ ')
+
+ optional_policy(`
+ nis_authenticate($1)
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified domain used for a login program.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain type used for a login program domain.
+## </summary>
+## </param>
+#
+interface(`auth_login_pgm_domain',`
+ gen_require(`
+ type var_auth_t, auth_cache_t;
+ ')
+
+ domain_type($1)
+ domain_subj_id_change_exemption($1)
+ domain_role_change_exemption($1)
+ domain_obj_id_change_exemption($1)
+ role system_r types $1;
+
+ # Needed for pam_selinux_permit to cleanup properly
+ domain_read_all_domains_state($1)
+ domain_kill_all_domains($1)
+
+ # pam_keyring
+ allow $1 self:capability ipc_lock;
+ allow $1 self:process setkeycreate;
+ allow $1 self:key manage_key_perms;
+
+ files_list_var_lib($1)
+ manage_files_pattern($1, var_auth_t, var_auth_t)
+
+ manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+ manage_files_pattern($1, auth_cache_t, auth_cache_t)
+ manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
+ files_var_filetrans($1, auth_cache_t, dir)
+
+ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+ kernel_rw_afs_state($1)
+
+ # for fingerprint readers
+ dev_rw_input_dev($1)
+ dev_rw_generic_usb_dev($1)
+
+ files_read_etc_files($1)
+
+ fs_list_auto_mountpoints($1)
+
+ selinux_get_fs_mount($1)
+ selinux_validate_context($1)
+ selinux_compute_access_vector($1)
+ selinux_compute_create_context($1)
+ selinux_compute_relabel_context($1)
+ selinux_compute_user_contexts($1)
+
+ mls_file_read_all_levels($1)
+ mls_file_write_all_levels($1)
+ mls_file_upgrade($1)
+ mls_file_downgrade($1)
+ mls_process_set_level($1)
+ mls_fd_share_all_levels($1)
+
+ auth_use_pam($1)
+
+ init_rw_utmp($1)
+
+ logging_set_loginuid($1)
+ logging_set_tty_audit($1)
+
+ seutil_read_config($1)
+ seutil_read_default_contexts($1)
+
+ tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all($1)
+ ')
+')
+
+########################################
+## <summary>
+## Use the login program as an entry point program.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_login_entry_type',`
+ gen_require(`
+ type login_exec_t;
+ ')
+
+ domain_entry_file($1, login_exec_t)
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a
+## login file.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable as a login file,
+## This type has restricted modification capabilities when used with
+## other interfaces that permit files_type access.
+## The default type has properties similar to that of the shadow file.
+## This will also make the type usable as a security file, making
+## calls to files_security_file() redundant.
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type to be used as a login file.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`auth_file',`
+ gen_require(`
+ attribute auth_file_type;
+ ')
+
+ files_security_file($1)
+ typeattribute $1 auth_file_type;
+')
+
+########################################
+## <summary>
+## Execute a login_program in the target domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the login_program process.
+## </summary>
+## </param>
+#
+interface(`auth_domtrans_login_program',`
+ gen_require(`
+ type login_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, login_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Execute a login_program in the target domain,
+## with a range transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the login_program process.
+## </summary>
+## </param>
+## <param name="range">
+## <summary>
+## Range of the login program.
+## </summary>
+## </param>
+#
+interface(`auth_ranged_domtrans_login_program',`
+ gen_require(`
+ type login_exec_t;
+ ')
+
+ auth_domtrans_login_program($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition $1 login_exec_t:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition $1 login_exec_t:process $3;
+ ')
+')
+
+########################################
+## <summary>
+## Search authentication cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_search_cache',`
+ gen_require(`
+ type auth_cache_t;
+ ')
+
+ allow $1 auth_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read authentication cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_read_cache',`
+ gen_require(`
+ type auth_cache_t;
+ ')
+
+ read_files_pattern($1, auth_cache_t, auth_cache_t)
+')
+
+########################################
+## <summary>
+## Read/Write authentication cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_rw_cache',`
+ gen_require(`
+ type auth_cache_t;
+ ')
+
+ rw_files_pattern($1, auth_cache_t, auth_cache_t)
+')
+
+########################################
+## <summary>
+## Manage authentication cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_cache',`
+ gen_require(`
+ type auth_cache_t;
+ ')
+
+ manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+ manage_files_pattern($1, auth_cache_t, auth_cache_t)
+')
+
+#######################################
+## <summary>
+## Automatic transition from cache_t to cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_var_filetrans_cache',`
+ gen_require(`
+ type auth_cache_t;
+ ')
+
+ files_var_filetrans($1, auth_cache_t, { file dir } )
+')
+
+########################################
+## <summary>
+## Run unix_chkpwd to check a password.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`auth_domtrans_chk_passwd',`
+ gen_require(`
+ type chkpwd_t, chkpwd_exec_t, shadow_t;
+ type auth_cache_t;
+ ')
+
+ allow $1 auth_cache_t:dir search_dir_perms;
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
+
+ dontaudit $1 shadow_t:file read_file_perms;
+
+ dev_read_rand($1)
+ dev_read_urand($1)
+
+ auth_use_nsswitch($1)
+ auth_rw_faillog($1)
+
+ logging_send_audit_msgs($1)
+
+ miscfiles_read_generic_certs($1)
+
+ optional_policy(`
+ kerberos_read_keytab($1)
+ ')
+
+ optional_policy(`
+ pcscd_read_pub_files($1)
+ pcscd_stream_connect($1)
+ ')
+
+ optional_policy(`
+ samba_stream_connect_winbind($1)
+ ')
+')
+
+########################################
+## <summary>
+## Run unix_chkpwd to check a password.
+## Stripped down version to be called within boolean
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`auth_domtrans_chkpwd',`
+ gen_require(`
+ type chkpwd_t, chkpwd_exec_t, shadow_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
+ dontaudit $1 shadow_t:file { getattr read };
+ auth_domtrans_upd_passwd($1)
+')
+
+########################################
+## <summary>
+## Execute chkpwd programs in the chkpwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the chkpwd domain.
+## </summary>
+## </param>
+#
+interface(`auth_run_chk_passwd',`
+ gen_require(`
+ type chkpwd_t;
+ ')
+
+ auth_domtrans_chk_passwd($1)
+ role $2 types chkpwd_t;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run unix_update.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`auth_domtrans_upd_passwd',`
+ gen_require(`
+ type updpwd_t, updpwd_exec_t;
+ ')
+
+ domtrans_pattern($1, updpwd_exec_t, updpwd_t)
+ auth_dontaudit_read_shadow($1)
+
+')
+
+########################################
+## <summary>
+## Execute updpwd programs in the updpwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the updpwd domain.
+## </summary>
+## </param>
+#
+interface(`auth_run_upd_passwd',`
+ gen_require(`
+ type updpwd_t;
+ ')
+
+ auth_domtrans_upd_passwd($1)
+ role $2 types updpwd_t;
+')
+
+########################################
+## <summary>
+## Get the attributes of the shadow passwords file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_getattr_shadow',`
+ gen_require(`
+ type shadow_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 shadow_t:file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of the shadow passwords file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`auth_dontaudit_getattr_shadow',`
+ gen_require(`
+ type shadow_t;
+ ')
+
+ dontaudit $1 shadow_t:file getattr;
+')
+
+########################################
+## <summary>
+## Read the shadow passwords file (/etc/shadow)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: these next three interfaces are split
+# since typeattribute does not work in conditionals
+# yet, otherwise they should be one interface.
+#
+interface(`auth_read_shadow',`
+ auth_can_read_shadow_passwords($1)
+ auth_tunable_read_shadow($1)
+')
+
+########################################
+## <summary>
+## Pass shadow assertion for reading.
+## </summary>
+## <desc>
+## <p>
+## Pass shadow assertion for reading.
+## This should only be used with
+## auth_tunable_read_shadow(), and
+## only exists because typeattribute
+## does not work in conditionals.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_can_read_shadow_passwords',`
+ gen_require(`
+ attribute can_read_shadow_passwords;
+ ')
+
+ typeattribute $1 can_read_shadow_passwords;
+')
+
+########################################
+## <summary>
+## Read the shadow password file.
+## </summary>
+## <desc>
+## <p>
+## Read the shadow password file. This
+## should only be used in a conditional;
+## it does not pass the reading shadow
+## assertion.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_tunable_read_shadow',`
+ gen_require(`
+ type shadow_t;
+ ')
+
+ files_list_etc($1)
+ allow $1 shadow_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read the shadow
+## password file (/etc/shadow).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`auth_dontaudit_read_shadow',`
+ gen_require(`
+ type shadow_t;
+ ')
+
+ dontaudit $1 shadow_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write the shadow password file (/etc/shadow).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_rw_shadow',`
+ gen_require(`
+ attribute can_read_shadow_passwords, can_write_shadow_passwords;
+ type shadow_t;
+ ')
+
+ files_list_etc($1)
+ allow $1 shadow_t:file rw_file_perms;
+ typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the shadow
+## password file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_shadow',`
+ gen_require(`
+ attribute can_read_shadow_passwords, can_write_shadow_passwords;
+ type shadow_t;
+ ')
+
+ allow $1 shadow_t:file manage_file_perms;
+ typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
+')
+
+#######################################
+## <summary>
+## Automatic transition from etc to shadow.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_etc_filetrans_shadow',`
+ gen_require(`
+ type shadow_t;
+ ')
+
+ files_etc_filetrans($1, shadow_t, file)
+')
+
+#######################################
+## <summary>
+## Relabel to the shadow
+## password file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabelto_shadow',`
+ gen_require(`
+ attribute can_relabelto_shadow_passwords;
+ type shadow_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 shadow_t:file relabelto;
+ typeattribute $1 can_relabelto_shadow_passwords;
+')
+
+#######################################
+## <summary>
+## Relabel from and to the shadow
+## password file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_shadow',`
+ gen_require(`
+ attribute can_relabelto_shadow_passwords;
+ type shadow_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 shadow_t:file relabel_file_perms;
+ typeattribute $1 can_relabelto_shadow_passwords;
+')
+
+#######################################
+## <summary>
+## Append to the login failure log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_append_faillog',`
+ gen_require(`
+ type faillog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 faillog_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write the login failure log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_rw_faillog',`
+ gen_require(`
+ type faillog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 faillog_t:file rw_file_perms;
+')
+
+#######################################
+## <summary>
+## Read the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_read_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 lastlog_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Append only to the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_append_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 lastlog_t:file { append_file_perms lock };
+')
+
+#######################################
+## <summary>
+## Read and write to the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_rw_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 lastlog_t:file { rw_file_perms lock setattr };
+')
+
+########################################
+## <summary>
+## Execute pam programs in the pam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`auth_domtrans_pam',`
+ gen_require(`
+ type pam_t, pam_exec_t;
+ ')
+
+ domtrans_pattern($1, pam_exec_t, pam_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to pam processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_signal_pam',`
+ gen_require(`
+ type pam_t;
+ ')
+
+ allow $1 pam_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute pam programs in the PAM domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the PAM domain.
+## </summary>
+## </param>
+#
+interface(`auth_run_pam',`
+ gen_require(`
+ type pam_t;
+ ')
+
+ auth_domtrans_pam($1)
+ role $2 types pam_t;
+')
+
+########################################
+## <summary>
+## Execute the pam program.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_exec_pam',`
+ gen_require(`
+ type pam_exec_t;
+ ')
+
+ can_exec($1, pam_exec_t)
+')
+
+########################################
+## <summary>
+## Read var auth files. Used by various other applications
+## and pam applets etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_read_var_auth',`
+ gen_require(`
+ type var_auth_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, var_auth_t, var_auth_t)
+')
+
+#######################################
+## <summary>
+## Read and write var auth files. Used by various other applications
+## and pam applets etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_rw_var_auth',`
+ gen_require(`
+ type var_auth_t;
+ ')
+
+ files_search_var($1)
+ rw_files_pattern($1, var_auth_t, var_auth_t)
+')
+
+########################################
+## <summary>
+## Manage var auth files. Used by various other applications
+## and pam applets etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_var_auth',`
+ gen_require(`
+ type var_auth_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_auth_t:dir manage_dir_perms;
+ allow $1 var_auth_t:file rw_file_perms;
+ allow $1 var_auth_t:lnk_file rw_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read PAM PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_read_pam_pid',`
+ gen_require(`
+ type pam_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pam_var_run_t:dir list_dir_perms;
+ allow $1 pam_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Do not audit attemps to read PAM PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`auth_dontaudit_read_pam_pid',`
+ gen_require(`
+ type pam_var_run_t;
+ ')
+
+ dontaudit $1 pam_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Delete pam PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_delete_pam_pid',`
+ gen_require(`
+ type pam_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pam_var_run_t:dir del_entry_dir_perms;
+ allow $1 pam_var_run_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+## Manage pam PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_pam_pid',`
+ gen_require(`
+ type pam_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pam_var_run_t:dir manage_dir_perms;
+ allow $1 pam_var_run_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Execute pam_console with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`auth_domtrans_pam_console',`
+ gen_require(`
+ type pam_console_t, pam_console_exec_t;
+ ')
+
+ domtrans_pattern($1, pam_console_exec_t, pam_console_t)
+')
+
+########################################
+## <summary>
+## Search the contents of the
+## pam_console data directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_search_pam_console_data',`
+ gen_require(`
+ type pam_var_console_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pam_var_console_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of the pam_console
+## data directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_list_pam_console_data',`
+ gen_require(`
+ type pam_var_console_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pam_var_console_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Relabel pam_console data directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_pam_console_data_dirs',`
+ gen_require(`
+ type pam_var_console_t;
+ ')
+
+ relabel_dirs_pattern($1, pam_var_console_t, pam_var_console_t)
+')
+
+########################################
+## <summary>
+## Read pam_console data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_read_pam_console_data',`
+ gen_require(`
+ type pam_var_console_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pam_var_console_t:dir list_dir_perms;
+ allow $1 pam_var_console_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## pam_console data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_pam_console_data',`
+ gen_require(`
+ type pam_var_console_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
+ manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
+')
+
+#######################################
+## <summary>
+## Delete pam_console data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_delete_pam_console_data',`
+ gen_require(`
+ type pam_var_console_t;
+ ')
+
+ files_search_var($1)
+ files_search_pids($1)
+ delete_files_pattern($1, pam_var_console_t, pam_var_console_t)
+')
+
+########################################
+## <summary>
+## Read all directories on the filesystem, except
+## login files and listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+#
+interface(`auth_read_all_dirs_except_auth_files',`
+ gen_require(`
+ attribute auth_file_type;
+ ')
+
+ files_read_all_dirs_except($1, $2 -auth_file_type)
+')
+
+########################################
+## <summary>
+## Read all directories on the filesystem, except
+## the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+#
+interface(`auth_read_all_dirs_except_shadow',`
+ refpolicywarn(`$0($*) has been deprecated, use auth_read_all_dirs_except_auth_files() instead.')
+ auth_read_all_dirs_except_auth_files($1, $2)
+')
+
+########################################
+## <summary>
+## Read all files on the filesystem, except
+## login files and listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_read_all_files_except_auth_files',`
+ gen_require(`
+ attribute auth_file_type;
+ ')
+
+ files_read_all_files_except($1, $2 -auth_file_type)
+')
+
+########################################
+## <summary>
+## Read all files on the filesystem, except
+## the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_read_all_files_except_shadow',`
+ refpolicywarn(`$0($*) has been deprecated, use auth_read_all_files_except_auth_files() instead.')
+ auth_read_all_files_except_auth_files($1, $2)
+')
+
+########################################
+## <summary>
+## Read all symbolic links on the filesystem, except
+## login files and listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+#
+interface(`auth_read_all_symlinks_except_auth_files',`
+ gen_require(`
+ attribute auth_file_type;
+ ')
+
+ files_read_all_symlinks_except($1, $2 -auth_file_type)
+')
+
+########################################
+## <summary>
+## Read all symbolic links on the filesystem, except
+## the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+#
+interface(`auth_read_all_symlinks_except_shadow',`
+ refpolicywarn(`$0($*) has been deprecated, use auth_read_all_symlinks_except_auth_files() instead.')
+ auth_read_all_symlinks_except_auth_files($1, $2)
+')
+
+#######################################
+## <summary>
+## Relabel all files on the filesystem, except
+## login files and listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_all_files_except_auth_files',`
+ gen_require(`
+ attribute auth_file_type;
+ ')
+
+ files_relabel_all_files($1, $2 -auth_file_type)
+')
+
+########################################
+## <summary>
+## Relabel all files on the filesystem, except
+## the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_all_files_except_shadow',`
+ refpolicywarn(`$0($*) has been deprecated, use auth_relabel_all_files_except_auth_files() instead.')
+ auth_relabel_all_files_except_auth_files($1, $2)
+')
+
+########################################
+## <summary>
+## Read and write all files on the filesystem, except
+## login files and listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+#
+interface(`auth_rw_all_files_except_auth_files',`
+ gen_require(`
+ attribute auth_file_type;
+ ')
+
+ files_rw_all_files($1, $2 -auth_file_type)
+')
+
+########################################
+## <summary>
+## Read and write all files on the filesystem, except
+## the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+#
+interface(`auth_rw_all_files_except_shadow',`
+ refpolicywarn(`$0($*) has been deprecated, use auth_rw_all_files_except_auth_files() instead.')
+ auth_rw_all_files_except_auth_files($1, $2)
+')
+
+########################################
+## <summary>
+## Manage all files on the filesystem, except
+## login files passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+#
+interface(`auth_manage_all_files_except_auth_files',`
+ gen_require(`
+ attribute auth_file_type;
+ ')
+
+ files_manage_all_files($1, $2 -auth_file_type)
+')
+
+########################################
+## <summary>
+## Manage all files on the filesystem, except
+## the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+#
+interface(`auth_manage_all_files_except_shadow',`
+ refpolicywarn(`$0($*) has been deprecated, use auth_manage_all_files_except_auth_files() instead.')
+ auth_manage_all_files_except_auth_files($1, $2)
+')
+
+########################################
+## <summary>
+## Execute utempter programs in the utempter domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`auth_domtrans_utempter',`
+ gen_require(`
+ type utempter_t, utempter_exec_t;
+ ')
+
+ domtrans_pattern($1, utempter_exec_t, utempter_t)
+')
+
+########################################
+## <summary>
+## Execute utempter programs in the utempter domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the utempter domain.
+## </summary>
+## </param>
+#
+interface(`auth_run_utempter',`
+ gen_require(`
+ type utempter_t;
+ ')
+
+ auth_domtrans_utempter($1)
+ role $2 types utempter_t;
+')
+
+#######################################
+## <summary>
+## Do not audit attemps to execute utempter executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`auth_dontaudit_exec_utempter',`
+ gen_require(`
+ type utempter_exec_t;
+ ')
+
+ dontaudit $1 utempter_exec_t:file { execute execute_no_trans };
+')
+
+########################################
+## <summary>
+## Set the attributes of login record files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_setattr_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ allow $1 wtmp_t:file setattr;
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Read login records files (/var/log/wtmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_read_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 wtmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read login records
+## files (/var/log/wtmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_dontaudit_read_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ dontaudit $1 wtmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write to
+## login records files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`auth_dontaudit_write_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ dontaudit $1 wtmp_t:file write;
+')
+
+#######################################
+## <summary>
+## Append to login records (wtmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_append_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ allow $1 wtmp_t:file append_file_perms;
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Write to login records (wtmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_write_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ allow $1 wtmp_t:file { write_file_perms lock };
+')
+
+########################################
+## <summary>
+## Read and write login records.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_rw_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ allow $1 wtmp_t:file rw_file_perms;
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Create a login records in the log directory
+## using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_log_filetrans_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ logging_log_filetrans($1, wtmp_t, file)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete login
+## records files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ logging_rw_generic_log_dirs($1)
+ allow $1 wtmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel login record files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ allow $1 wtmp_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Use nsswitch to look up user, password, group, or
+## host information.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to look up user, password,
+## group, or host information using the name service.
+## The most common use of this interface is for services
+## that do host name resolution (usually DNS resolution).
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`auth_use_nsswitch',`
+
+ files_list_var_lib($1)
+
+ # read /etc/nsswitch.conf
+ files_read_etc_files($1)
+
+ miscfiles_read_generic_certs($1)
+
+ sysnet_dns_name_resolve($1)
+ sysnet_use_ldap($1)
+
+ optional_policy(`
+ avahi_stream_connect($1)
+ ')
+
+ optional_policy(`
+ ldap_stream_connect($1)
+ ')
+
+ optional_policy(`
+ likewise_stream_connect_lsassd($1)
+ ')
+
+ optional_policy(`
+ kerberos_use($1)
+ ')
+
+ optional_policy(`
+ nis_use_ypbind($1)
+ ')
+
+ optional_policy(`
+ nscd_socket_use($1)
+ ')
+
+ optional_policy(`
+ nslcd_stream_connect($1)
+ ')
+
+ optional_policy(`
+ sssd_stream_connect($1)
+ ')
+
+ optional_policy(`
+ samba_stream_connect_winbind($1)
+ samba_read_var_files($1)
+ samba_dontaudit_write_var_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Unconfined access to the authlogin module.
+## </summary>
+## <desc>
+## <p>
+## Unconfined access to the authlogin module.
+## </p>
+## <p>
+## Currently, this only allows assertions for
+## the shadow passwords file (/etc/shadow) to
+## be passed. No access is granted yet.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_unconfined',`
+ gen_require(`
+ attribute can_read_shadow_passwords;
+ attribute can_write_shadow_passwords;
+ attribute can_relabelto_shadow_passwords;
+ ')
+
+ typeattribute $1 can_read_shadow_passwords;
+ typeattribute $1 can_write_shadow_passwords;
+ typeattribute $1 can_relabelto_shadow_passwords;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
new file mode 100644
index 00000000..01c73316
--- /dev/null
+++ b/policy/modules/system/authlogin.te
@@ -0,0 +1,398 @@
+policy_module(authlogin, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute auth_file_type;
+attribute can_read_shadow_passwords;
+attribute can_write_shadow_passwords;
+attribute can_relabelto_shadow_passwords;
+
+type auth_cache_t;
+logging_log_file(auth_cache_t)
+
+type chkpwd_t, can_read_shadow_passwords;
+type chkpwd_exec_t;
+typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
+typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
+application_domain(chkpwd_t, chkpwd_exec_t)
+role system_r types chkpwd_t;
+
+type faillog_t;
+logging_log_file(faillog_t)
+
+type lastlog_t;
+logging_log_file(lastlog_t)
+
+type login_exec_t;
+application_executable_file(login_exec_t)
+
+type pam_console_t;
+type pam_console_exec_t;
+init_system_domain(pam_console_t, pam_console_exec_t)
+role system_r types pam_console_t;
+
+type pam_t;
+domain_type(pam_t)
+role system_r types pam_t;
+
+type pam_exec_t;
+domain_entry_file(pam_t, pam_exec_t)
+
+type pam_tmp_t;
+files_tmp_file(pam_tmp_t)
+
+type pam_var_console_t;
+files_pid_file(pam_var_console_t)
+
+type pam_var_run_t;
+files_pid_file(pam_var_run_t)
+
+type shadow_t;
+auth_file(shadow_t)
+neverallow ~can_read_shadow_passwords shadow_t:file read;
+neverallow ~can_write_shadow_passwords shadow_t:file { create write };
+neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
+
+type updpwd_t;
+type updpwd_exec_t;
+domain_type(updpwd_t)
+domain_entry_file(updpwd_t, updpwd_exec_t)
+domain_obj_id_change_exemption(updpwd_t)
+role system_r types updpwd_t;
+
+type utempter_t;
+type utempter_exec_t;
+application_domain(utempter_t, utempter_exec_t)
+
+#
+# var_auth_t is the type of /var/lib/auth, usually
+# used for auth data in pam_able
+#
+type var_auth_t;
+files_type(var_auth_t)
+
+type wtmp_t;
+logging_log_file(wtmp_t)
+
+########################################
+#
+# Check password local policy
+#
+
+allow chkpwd_t self:capability { dac_override setuid };
+dontaudit chkpwd_t self:capability sys_tty_config;
+allow chkpwd_t self:process { getattr signal };
+
+allow chkpwd_t shadow_t:file read_file_perms;
+files_list_etc(chkpwd_t)
+
+kernel_read_crypto_sysctls(chkpwd_t)
+# is_selinux_enabled
+kernel_read_system_state(chkpwd_t)
+
+domain_dontaudit_use_interactive_fds(chkpwd_t)
+
+dev_read_rand(chkpwd_t)
+dev_read_urand(chkpwd_t)
+
+files_read_etc_files(chkpwd_t)
+# for nscd
+files_dontaudit_search_var(chkpwd_t)
+
+fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+
+term_dontaudit_use_console(chkpwd_t)
+term_dontaudit_use_unallocated_ttys(chkpwd_t)
+term_dontaudit_use_generic_ptys(chkpwd_t)
+term_dontaudit_use_all_ptys(chkpwd_t)
+
+auth_use_nsswitch(chkpwd_t)
+
+logging_send_audit_msgs(chkpwd_t)
+logging_send_syslog_msg(chkpwd_t)
+
+miscfiles_read_localization(chkpwd_t)
+
+seutil_read_config(chkpwd_t)
+seutil_dontaudit_use_newrole_fds(chkpwd_t)
+
+userdom_use_user_terminals(chkpwd_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(chkpwd_t)
+ ')
+')
+
+optional_policy(`
+ # apache leaks file descriptors
+ apache_dontaudit_rw_tcp_sockets(chkpwd_t)
+')
+
+optional_policy(`
+ kerberos_use(chkpwd_t)
+')
+
+optional_policy(`
+ nis_authenticate(chkpwd_t)
+')
+
+########################################
+#
+# PAM local policy
+#
+
+allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+dontaudit pam_t self:capability sys_tty_config;
+
+allow pam_t self:fd use;
+allow pam_t self:fifo_file rw_file_perms;
+allow pam_t self:unix_dgram_socket create_socket_perms;
+allow pam_t self:unix_stream_socket rw_stream_socket_perms;
+allow pam_t self:unix_dgram_socket sendto;
+allow pam_t self:unix_stream_socket connectto;
+allow pam_t self:shm create_shm_perms;
+allow pam_t self:sem create_sem_perms;
+allow pam_t self:msgq create_msgq_perms;
+allow pam_t self:msg { send receive };
+
+delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
+read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
+files_list_pids(pam_t)
+
+allow pam_t pam_tmp_t:dir manage_dir_perms;
+allow pam_t pam_tmp_t:file manage_file_perms;
+files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
+
+auth_use_nsswitch(pam_t)
+
+kernel_read_system_state(pam_t)
+
+files_read_etc_files(pam_t)
+
+fs_search_auto_mountpoints(pam_t)
+
+miscfiles_read_localization(pam_t)
+
+term_use_all_ttys(pam_t)
+term_use_all_ptys(pam_t)
+
+init_dontaudit_rw_utmp(pam_t)
+
+logging_send_syslog_msg(pam_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(pam_t)
+ ')
+')
+
+optional_policy(`
+ locallogin_use_fds(pam_t)
+')
+
+########################################
+#
+# PAM console local policy
+#
+
+allow pam_console_t self:capability { chown fowner fsetid };
+dontaudit pam_console_t self:capability sys_tty_config;
+
+allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
+
+# for /var/run/console.lock checking
+read_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
+read_lnk_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
+dontaudit pam_console_t pam_var_console_t:file write;
+
+kernel_read_kernel_sysctls(pam_console_t)
+kernel_use_fds(pam_console_t)
+# Read /proc/meminfo
+kernel_read_system_state(pam_console_t)
+
+dev_read_sysfs(pam_console_t)
+dev_getattr_apm_bios_dev(pam_console_t)
+dev_setattr_apm_bios_dev(pam_console_t)
+dev_getattr_dri_dev(pam_console_t)
+dev_setattr_dri_dev(pam_console_t)
+dev_getattr_input_dev(pam_console_t)
+dev_setattr_input_dev(pam_console_t)
+dev_getattr_framebuffer_dev(pam_console_t)
+dev_setattr_framebuffer_dev(pam_console_t)
+dev_getattr_generic_usb_dev(pam_console_t)
+dev_setattr_generic_usb_dev(pam_console_t)
+dev_getattr_misc_dev(pam_console_t)
+dev_setattr_misc_dev(pam_console_t)
+dev_getattr_mouse_dev(pam_console_t)
+dev_setattr_mouse_dev(pam_console_t)
+dev_getattr_power_mgmt_dev(pam_console_t)
+dev_setattr_power_mgmt_dev(pam_console_t)
+dev_getattr_printer_dev(pam_console_t)
+dev_setattr_printer_dev(pam_console_t)
+dev_getattr_scanner_dev(pam_console_t)
+dev_setattr_scanner_dev(pam_console_t)
+dev_getattr_sound_dev(pam_console_t)
+dev_setattr_sound_dev(pam_console_t)
+dev_getattr_video_dev(pam_console_t)
+dev_setattr_video_dev(pam_console_t)
+dev_getattr_xserver_misc_dev(pam_console_t)
+dev_setattr_xserver_misc_dev(pam_console_t)
+dev_read_urand(pam_console_t)
+
+files_read_etc_files(pam_console_t)
+files_search_pids(pam_console_t)
+files_list_mnt(pam_console_t)
+files_dontaudit_search_isid_type_dirs(pam_console_t)
+# read /etc/mtab
+files_read_etc_runtime_files(pam_console_t)
+
+fs_list_auto_mountpoints(pam_console_t)
+fs_list_noxattr_fs(pam_console_t)
+fs_getattr_all_fs(pam_console_t)
+
+mls_file_read_all_levels(pam_console_t)
+mls_file_write_all_levels(pam_console_t)
+
+storage_getattr_fixed_disk_dev(pam_console_t)
+storage_setattr_fixed_disk_dev(pam_console_t)
+storage_getattr_removable_dev(pam_console_t)
+storage_setattr_removable_dev(pam_console_t)
+storage_getattr_scsi_generic_dev(pam_console_t)
+storage_setattr_scsi_generic_dev(pam_console_t)
+
+term_use_console(pam_console_t)
+term_use_all_ttys(pam_console_t)
+term_use_all_ptys(pam_console_t)
+term_setattr_console(pam_console_t)
+term_getattr_unallocated_ttys(pam_console_t)
+term_setattr_unallocated_ttys(pam_console_t)
+term_use_unallocated_ttys(pam_console_t)
+
+auth_use_nsswitch(pam_console_t)
+
+domain_use_interactive_fds(pam_console_t)
+
+init_use_fds(pam_console_t)
+init_use_script_ptys(pam_console_t)
+
+logging_send_syslog_msg(pam_console_t)
+
+miscfiles_read_localization(pam_console_t)
+miscfiles_read_generic_certs(pam_console_t)
+
+seutil_read_file_contexts(pam_console_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(pam_console_t)
+ ')
+')
+
+optional_policy(`
+ gpm_getattr_gpmctl(pam_console_t)
+ gpm_setattr_gpmctl(pam_console_t)
+')
+
+optional_policy(`
+ hotplug_use_fds(pam_console_t)
+ hotplug_dontaudit_search_config(pam_console_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(pam_console_t)
+')
+
+optional_policy(`
+ udev_read_db(pam_console_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(pam_console_t)
+ xserver_dontaudit_write_log(pam_console_t)
+')
+
+########################################
+#
+# updpwd local policy
+#
+
+allow updpwd_t self:capability { chown dac_override };
+allow updpwd_t self:process setfscreate;
+allow updpwd_t self:fifo_file rw_fifo_file_perms;
+allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
+allow updpwd_t self:unix_dgram_socket create_socket_perms;
+
+kernel_read_system_state(updpwd_t)
+
+dev_read_urand(updpwd_t)
+
+files_manage_etc_files(updpwd_t)
+
+term_dontaudit_use_console(updpwd_t)
+term_dontaudit_use_unallocated_ttys(updpwd_t)
+
+auth_manage_shadow(updpwd_t)
+auth_use_nsswitch(updpwd_t)
+
+logging_send_syslog_msg(updpwd_t)
+
+miscfiles_read_localization(updpwd_t)
+
+userdom_use_user_terminals(updpwd_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(updpwd_t)
+ ')
+')
+
+########################################
+#
+# Utempter local policy
+#
+
+allow utempter_t self:capability setgid;
+allow utempter_t self:unix_stream_socket create_stream_socket_perms;
+
+allow utempter_t wtmp_t:file rw_file_perms;
+
+dev_read_urand(utempter_t)
+
+files_read_etc_files(utempter_t)
+
+term_getattr_all_ttys(utempter_t)
+term_getattr_all_ptys(utempter_t)
+term_dontaudit_use_all_ttys(utempter_t)
+term_dontaudit_use_all_ptys(utempter_t)
+term_dontaudit_use_ptmx(utempter_t)
+
+init_rw_utmp(utempter_t)
+
+domain_use_interactive_fds(utempter_t)
+
+logging_search_logs(utempter_t)
+
+userdom_use_user_terminals(utempter_t)
+# Allow utemper to write to /tmp/.xses-*
+userdom_write_user_tmp_files(utempter_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(utempter_t)
+ ')
+')
+
+optional_policy(`
+ nscd_socket_use(utempter_t)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(utempter_t)
+ xserver_rw_xdm_pipes(utempter_t)
+')
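Review bot: The shadow assertions near the top of the file cover only `read`, `{ create write }` and `relabelto`, so a domain outside `can_write_shadow_passwords` could still be granted `append`, `unlink`, `rename` or `setattr` on `shadow_t` without tripping a neverallow, and password tools commonly replace the file rather than write it in place. If the auth_*_shadow interfaces in authlogin.if tag their callers with `can_write_shadow_passwords` (as the attribute names suggest; those interfaces are outside this hunk), the write assertion can be widened without breaking them: `neverallow ~can_write_shadow_passwords shadow_t:file { append create write unlink rename setattr };`. Separately, the `distro_ubuntu` blocks make `chkpwd_t`, `pam_t`, `pam_console_t`, `updpwd_t` and `utempter_t` unconfined with no comment on why; a one-line reason next to each block would tell a reviewer whether this is a known gap or intended, since two of these domains read or manage `shadow_t`.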
diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
new file mode 100644
index 00000000..c5e05ca7
--- /dev/null
+++ b/policy/modules/system/clock.fc
@@ -0,0 +1,5 @@
+
+/etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0)
+
+/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
new file mode 100644
index 00000000..e2f6d932
--- /dev/null
+++ b/policy/modules/system/clock.if
@@ -0,0 +1,100 @@
+## <summary>Policy for reading and setting the hardware clock.</summary>
+
+########################################
+## <summary>
+## Execute hwclock in the clock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clock_domtrans',`
+ gen_require(`
+ type hwclock_t, hwclock_exec_t;
+ ')
+
+ domtrans_pattern($1, hwclock_exec_t, hwclock_t)
+')
+
+########################################
+## <summary>
+## Execute hwclock in the clock domain, and
+## allow the specified role the hwclock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`clock_run',`
+ gen_require(`
+ type hwclock_t;
+ ')
+
+ clock_domtrans($1)
+ role $2 types hwclock_t;
+')
+
+########################################
+## <summary>
+## Execute hwclock in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clock_exec',`
+ gen_require(`
+ type hwclock_exec_t;
+ ')
+
+ can_exec($1, hwclock_exec_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write clock drift adjustments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`clock_dontaudit_write_adjtime',`
+ gen_require(`
+ type adjtime_t;
+ ')
+
+ dontaudit $1 adjtime_t:file write;
+')
+
+########################################
+## <summary>
+## Read and write clock drift adjustments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clock_rw_adjtime',`
+ gen_require(`
+ type adjtime_t;
+ ')
+
+ allow $1 adjtime_t:file rw_file_perms;
+ files_list_etc($1)
+')
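Review bot: `clock_domtrans` goes straight to `domtrans_pattern($1, hwclock_exec_t, hwclock_t)` without granting the caller search on the binary directories, whereas the sibling `fstools_domtrans` and `getty_domtrans` added in this same commit both precede their `domtrans_pattern` with `corecmd_search_bin($1)`. clock.fc labels `/sbin/hwclock`, so a caller that does not already have bin directory search from elsewhere will be denied before the transition happens. Adding `corecmd_search_bin($1)` above the `domtrans_pattern` line keeps the three interfaces consistent.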
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
new file mode 100644
index 00000000..b9ed25bc
--- /dev/null
+++ b/policy/modules/system/clock.te
@@ -0,0 +1,81 @@
+policy_module(clock, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type adjtime_t;
+files_type(adjtime_t)
+
+type hwclock_t;
+type hwclock_exec_t;
+init_system_domain(hwclock_t, hwclock_exec_t)
+role system_r types hwclock_t;
+
+########################################
+#
+# Local policy
+#
+
+# Give hwclock the capabilities it requires. dac_override is a surprise,
+# but hwclock does require it.
+allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
+dontaudit hwclock_t self:capability sys_tty_config;
+allow hwclock_t self:process signal_perms;
+allow hwclock_t self:fifo_file rw_fifo_file_perms;
+
+# Allow hwclock to store & retrieve correction factors.
+allow hwclock_t adjtime_t:file { rw_file_perms setattr };
+
+kernel_read_kernel_sysctls(hwclock_t)
+kernel_read_system_state(hwclock_t)
+
+corecmd_exec_bin(hwclock_t)
+corecmd_exec_shell(hwclock_t)
+
+dev_read_sysfs(hwclock_t)
+dev_rw_realtime_clock(hwclock_t)
+
+files_read_etc_files(hwclock_t)
+# for when /usr is not mounted:
+files_dontaudit_search_isid_type_dirs(hwclock_t)
+
+fs_getattr_xattr_fs(hwclock_t)
+fs_search_auto_mountpoints(hwclock_t)
+
+term_dontaudit_use_console(hwclock_t)
+term_use_unallocated_ttys(hwclock_t)
+term_use_all_ttys(hwclock_t)
+term_use_all_ptys(hwclock_t)
+
+domain_use_interactive_fds(hwclock_t)
+
+init_use_fds(hwclock_t)
+init_use_script_ptys(hwclock_t)
+
+logging_send_audit_msgs(hwclock_t)
+logging_send_syslog_msg(hwclock_t)
+
+miscfiles_read_localization(hwclock_t)
+
+optional_policy(`
+ apm_append_log(hwclock_t)
+ apm_rw_stream_sockets(hwclock_t)
+')
+
+optional_policy(`
+ nscd_socket_use(hwclock_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(hwclock_t)
+')
+
+optional_policy(`
+ udev_read_db(hwclock_t)
+')
+
+optional_policy(`
+ userdom_dontaudit_use_unpriv_user_fds(hwclock_t)
+')
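Review bot: `sys_tty_config` appears both in `allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };` and in the following `dontaudit hwclock_t self:capability sys_tty_config;`, so the dontaudit is dead once the permission is allowed and a reader cannot tell whether hwclock is meant to hold the capability. Pick one: drop `sys_tty_config` from the allow and keep the dontaudit (the pattern used for `chkpwd_t` and `pam_t` in authlogin.te), or drop the dontaudit line, and record the choice in the existing `# Give hwclock the capabilities it requires` comment. That comment should also say what `corecmd_exec_shell(hwclock_t)` is needed for, since a shell in a `sys_rawio`/`sys_time` domain is a wider grant than access to the clock device alone.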
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
new file mode 100644
index 00000000..a97a0964
--- /dev/null
+++ b/policy/modules/system/fstools.fc
@@ -0,0 +1,47 @@
+/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+/usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
new file mode 100644
index 00000000..016a770b
--- /dev/null
+++ b/policy/modules/system/fstools.if
@@ -0,0 +1,156 @@
+## <summary>Tools for filesystem management, such as mkfs and fsck.</summary>
+
+########################################
+## <summary>
+## Execute fs tools in the fstools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fstools_domtrans',`
+ gen_require(`
+ type fsadm_t, fsadm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fsadm_exec_t, fsadm_t)
+')
+
+########################################
+## <summary>
+## Execute fs tools in the fstools domain, and
+## allow the specified role the fs tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fstools_run',`
+ gen_require(`
+ type fsadm_t;
+ ')
+
+ fstools_domtrans($1)
+ role $2 types fsadm_t;
+')
+
+########################################
+## <summary>
+## Execute fsadm in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fstools_exec',`
+ gen_require(`
+ type fsadm_exec_t;
+ ')
+
+ can_exec($1, fsadm_exec_t)
+')
+
+########################################
+## <summary>
+## Send signal to fsadm process
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fstools_signal',`
+ gen_require(`
+ type fsadm_t;
+ ')
+
+ allow $1 fsadm_t:process signal;
+')
+
+########################################
+## <summary>
+## Read fstools unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fstools_read_pipes',`
+ gen_require(`
+ type fsadm_t;
+ ')
+
+ allow $1 fsadm_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel a file to the type used by the
+## filesystem tools programs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fstools_relabelto_entry_files',`
+ gen_require(`
+ type fsadm_exec_t;
+ ')
+
+ allow $1 fsadm_exec_t:file relabelto;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete a file used by the
+## filesystem tools programs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fstools_manage_entry_files',`
+ gen_require(`
+ type fsadm_exec_t;
+ ')
+
+ allow $1 fsadm_exec_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Getattr swapfile
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fstools_getattr_swap_files',`
+ gen_require(`
+ type swapfile_t;
+ ')
+
+ allow $1 swapfile_t:file getattr;
+')
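Review bot: `fstools_manage_entry_files` grants `manage_file_perms` on `fsadm_exec_t`, the entrypoint of a domain that fstools.te gives `sys_rawio`, `sys_admin` and raw read/write on fixed disks, so a caller can replace the binaries that run as fsadm_t; the summary "Create, read, write, and delete a file used by the filesystem tools programs" does not convey that. Suggest a `<desc>` block stating that the caller effectively controls the code executed in the fsadm_t domain and that the interface is intended for package-management or installer domains only. The same caveat in shorter form belongs on `fstools_relabelto_entry_files`, which lets a caller turn an arbitrary file into an fsadm entrypoint via `relabelto`.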
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
new file mode 100644
index 00000000..6c4b6ee2
--- /dev/null
+++ b/policy/modules/system/fstools.te
@@ -0,0 +1,197 @@
+policy_module(fstools, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+type fsadm_t;
+type fsadm_exec_t;
+init_system_domain(fsadm_t, fsadm_exec_t)
+role system_r types fsadm_t;
+
+type fsadm_log_t;
+logging_log_file(fsadm_log_t)
+
+type fsadm_tmp_t;
+files_tmp_file(fsadm_tmp_t)
+
+type swapfile_t; # customizable
+files_type(swapfile_t)
+
+########################################
+#
+# local policy
+#
+
+# ipc_lock is for losetup
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
+allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
+allow fsadm_t self:fd use;
+allow fsadm_t self:fifo_file rw_fifo_file_perms;
+allow fsadm_t self:sock_file read_sock_file_perms;
+allow fsadm_t self:unix_dgram_socket create_socket_perms;
+allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
+allow fsadm_t self:unix_dgram_socket sendto;
+allow fsadm_t self:unix_stream_socket connectto;
+allow fsadm_t self:shm create_shm_perms;
+allow fsadm_t self:sem create_sem_perms;
+allow fsadm_t self:msgq create_msgq_perms;
+allow fsadm_t self:msg { send receive };
+
+can_exec(fsadm_t, fsadm_exec_t)
+
+allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
+allow fsadm_t fsadm_tmp_t:file manage_file_perms;
+files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
+
+# log files
+allow fsadm_t fsadm_log_t:dir setattr;
+manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
+logging_log_filetrans(fsadm_t, fsadm_log_t, file)
+
+# Enable swapping to files
+allow fsadm_t swapfile_t:file { rw_file_perms swapon };
+
+kernel_read_system_state(fsadm_t)
+kernel_read_kernel_sysctls(fsadm_t)
+kernel_request_load_module(fsadm_t)
+# Allow console log change (updfstab)
+kernel_change_ring_buffer_level(fsadm_t)
+# mkreiserfs needs this
+kernel_getattr_proc(fsadm_t)
+kernel_getattr_core_if(fsadm_t)
+# Access to /initrd devices
+kernel_rw_unlabeled_dirs(fsadm_t)
+kernel_rw_unlabeled_blk_files(fsadm_t)
+
+corecmd_exec_bin(fsadm_t)
+#RedHat bug #201164
+corecmd_exec_shell(fsadm_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(fsadm_t)
+corecmd_read_bin_pipes(fsadm_t)
+corecmd_read_bin_sockets(fsadm_t)
+
+dev_getattr_all_chr_files(fsadm_t)
+dev_dontaudit_getattr_all_blk_files(fsadm_t)
+dev_dontaudit_getattr_generic_files(fsadm_t)
+# mkreiserfs and other programs need this for UUID
+dev_read_rand(fsadm_t)
+dev_read_urand(fsadm_t)
+dev_write_kmsg(fsadm_t)
+# Recreate /dev/cdrom.
+dev_manage_generic_symlinks(fsadm_t)
+# fdisk needs this for early boot
+dev_manage_generic_blk_files(fsadm_t)
+# Access to /initrd devices
+dev_search_usbfs(fsadm_t)
+# for swapon
+dev_rw_sysfs(fsadm_t)
+# Access to /initrd devices
+dev_getattr_usbfs_dirs(fsadm_t)
+# Access to /dev/mapper/control
+dev_rw_lvm_control(fsadm_t)
+
+domain_use_interactive_fds(fsadm_t)
+
+files_getattr_boot_dirs(fsadm_t)
+files_list_home(fsadm_t)
+files_read_usr_files(fsadm_t)
+files_read_etc_files(fsadm_t)
+files_manage_lost_found(fsadm_t)
+files_manage_isid_type_dirs(fsadm_t)
+# Write to /etc/mtab.
+files_manage_etc_runtime_files(fsadm_t)
+files_etc_filetrans_etc_runtime(fsadm_t, file)
+# Access to /initrd devices
+files_rw_isid_type_dirs(fsadm_t)
+files_rw_isid_type_blk_files(fsadm_t)
+files_read_isid_type_files(fsadm_t)
+
+fs_search_auto_mountpoints(fsadm_t)
+fs_getattr_xattr_fs(fsadm_t)
+fs_rw_ramfs_pipes(fsadm_t)
+fs_rw_tmpfs_files(fsadm_t)
+# remount file system to apply changes
+fs_remount_xattr_fs(fsadm_t)
+# for /dev/shm
+fs_list_auto_mountpoints(fsadm_t)
+fs_search_tmpfs(fsadm_t)
+fs_getattr_tmpfs_dirs(fsadm_t)
+fs_read_tmpfs_symlinks(fsadm_t)
+# Recreate /mnt/cdrom.
+files_manage_mnt_dirs(fsadm_t)
+# for tune2fs
+files_search_all(fsadm_t)
+
+mls_file_read_all_levels(fsadm_t)
+mls_file_write_all_levels(fsadm_t)
+
+storage_raw_read_fixed_disk(fsadm_t)
+storage_raw_write_fixed_disk(fsadm_t)
+storage_raw_read_removable_device(fsadm_t)
+storage_raw_write_removable_device(fsadm_t)
+storage_read_scsi_generic(fsadm_t)
+storage_swapon_fixed_disk(fsadm_t)
+
+term_use_console(fsadm_t)
+
+init_use_fds(fsadm_t)
+init_use_script_ptys(fsadm_t)
+init_dontaudit_getattr_initctl(fsadm_t)
+
+logging_send_syslog_msg(fsadm_t)
+
+miscfiles_read_localization(fsadm_t)
+
+seutil_read_config(fsadm_t)
+
+userdom_use_user_terminals(fsadm_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ unconfined_domain(fsadm_t)
+ ')
+')
+
+optional_policy(`
+ amanda_rw_dumpdates_files(fsadm_t)
+ amanda_append_log_files(fsadm_t)
+')
+
+optional_policy(`
+ # for smartctl cron jobs
+ cron_system_entry(fsadm_t, fsadm_exec_t)
+')
+
+optional_policy(`
+ hal_dontaudit_write_log(fsadm_t)
+')
+
+optional_policy(`
+ livecd_rw_tmp_files(fsadm_t)
+')
+
+optional_policy(`
+ modutils_read_module_config(fsadm_t)
+ modutils_read_module_deps(fsadm_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(fsadm_t)
+')
+
+optional_policy(`
+ fs_dontaudit_write_ramfs_pipes(fsadm_t)
+ rhgb_stub(fsadm_t)
+')
+
+optional_policy(`
+ udev_read_db(fsadm_t)
+')
+
+optional_policy(`
+ xen_append_log(fsadm_t)
+ xen_rw_image_files(fsadm_t)
+')
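Review bot: The self:process rule `allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };` lists `execmem` twice and omits `execstack`, whereas the parallel rule for `pam_t` in authlogin.te excludes `execmem execstack execheap`; the duplicate looks like a typo for `execstack`, and as written fsadm_t is permitted an executable stack. Suggest `allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };`. The `distro_redhat` block that applies `unconfined_domain(fsadm_t)` also carries no comment; one line on why the raw-disk domain is unconfined on that distro would help reviewers judge it.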
diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
new file mode 100644
index 00000000..e1a1848a
--- /dev/null
+++ b/policy/modules/system/getty.fc
@@ -0,0 +1,12 @@
+
+/etc/mgetty(/.*)? gen_context(system_u:object_r:getty_etc_t,s0)
+
+/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
+
+/var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
+/var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0)
+
+/var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
+
+/var/spool/fax(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/spool/voice(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0)
diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
new file mode 100644
index 00000000..e4376aa9
--- /dev/null
+++ b/policy/modules/system/getty.if
@@ -0,0 +1,98 @@
+## <summary>Policy for getty.</summary>
+
+########################################
+## <summary>
+## Execute gettys in the getty domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`getty_domtrans',`
+ gen_require(`
+ type getty_t, getty_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, getty_exec_t, getty_t)
+')
+
+########################################
+## <summary>
+## Inherit and use getty file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`getty_use_fds',`
+ gen_require(`
+ type getty_t;
+ ')
+
+ allow $1 getty_t:fd use;
+')
+
+########################################
+## <summary>
+## Allow process to read getty log file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`getty_read_log',`
+ gen_require(`
+ type getty_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 getty_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow process to read getty config file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`getty_read_config',`
+ gen_require(`
+ type getty_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 getty_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow process to edit getty config file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`getty_rw_config',`
+ gen_require(`
+ type getty_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 getty_etc_t:file rw_file_perms;
+')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
new file mode 100644
index 00000000..fd100fcf
--- /dev/null
+++ b/policy/modules/system/getty.te
@@ -0,0 +1,141 @@
+policy_module(getty, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type getty_t;
+type getty_exec_t;
+init_domain(getty_t, getty_exec_t)
+init_system_domain(getty_t, getty_exec_t)
+domain_interactive_fd(getty_t)
+
+type getty_etc_t;
+typealias getty_etc_t alias etc_getty_t;
+files_config_file(getty_etc_t)
+
+type getty_lock_t;
+files_lock_file(getty_lock_t)
+
+type getty_log_t;
+logging_log_file(getty_log_t)
+
+type getty_tmp_t;
+files_tmp_file(getty_tmp_t)
+
+type getty_var_run_t;
+files_pid_file(getty_var_run_t)
+
+########################################
+#
+# Getty local policy
+#
+
+# Use capabilities.
+allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
+dontaudit getty_t self:capability sys_tty_config;
+allow getty_t self:process { getpgid setpgid getsession signal_perms };
+allow getty_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(getty_t, getty_etc_t, getty_etc_t)
+read_lnk_files_pattern(getty_t, getty_etc_t, getty_etc_t)
+files_etc_filetrans(getty_t, getty_etc_t,{ file dir })
+
+allow getty_t getty_lock_t:file manage_file_perms;
+files_lock_filetrans(getty_t, getty_lock_t, file)
+
+allow getty_t getty_log_t:file manage_file_perms;
+logging_log_filetrans(getty_t, getty_log_t, file)
+
+allow getty_t getty_tmp_t:file manage_file_perms;
+allow getty_t getty_tmp_t:dir manage_dir_perms;
+files_tmp_filetrans(getty_t, getty_tmp_t, { file dir })
+
+manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t)
+files_pid_filetrans(getty_t, getty_var_run_t, file)
+
+kernel_read_system_state(getty_t)
+
+# these two needed for receiving faxes
+corecmd_exec_bin(getty_t)
+corecmd_exec_shell(getty_t)
+
+dev_read_sysfs(getty_t)
+
+files_rw_generic_pids(getty_t)
+files_read_etc_runtime_files(getty_t)
+files_read_etc_files(getty_t)
+files_search_spool(getty_t)
+
+fs_search_auto_mountpoints(getty_t)
+# for error condition handling
+fs_getattr_xattr_fs(getty_t)
+
+mcs_process_set_categories(getty_t)
+
+mls_file_read_all_levels(getty_t)
+mls_file_write_all_levels(getty_t)
+
+# Chown, chmod, read and write ttys.
+term_use_all_ttys(getty_t)
+term_use_unallocated_ttys(getty_t)
+term_setattr_all_ttys(getty_t)
+term_setattr_unallocated_ttys(getty_t)
+term_setattr_console(getty_t)
+
+auth_rw_login_records(getty_t)
+
+init_rw_utmp(getty_t)
+init_use_script_ptys(getty_t)
+init_dontaudit_use_script_ptys(getty_t)
+
+locallogin_domtrans(getty_t)
+
+logging_send_syslog_msg(getty_t)
+
+miscfiles_read_localization(getty_t)
+
+ifdef(`distro_gentoo',`
+ # Gentoo default /etc/issue makes agetty
+ # do a DNS lookup for the hostname
+ sysnet_dns_name_resolve(getty_t)
+')
+
+ifdef(`distro_redhat',`
+ # getty requires sys_admin #209426
+ allow getty_t self:capability sys_admin;
+')
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(getty_t)
+ ')
+')
+
+tunable_policy(`console_login',`
+ # Support logging in from /dev/console
+ term_use_console(getty_t)
+',`
+ term_dontaudit_use_console(getty_t)
+')
+
+optional_policy(`
+ mta_send_mail(getty_t)
+')
+
+optional_policy(`
+ nscd_socket_use(getty_t)
+')
+
+optional_policy(`
+ ppp_domtrans(getty_t)
+')
+
+optional_policy(`
+ rhgb_dontaudit_use_ptys(getty_t)
+')
+
+optional_policy(`
+ udev_read_db(getty_t)
+')
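Review bot: `sys_tty_config` is both allowed at L324217 and dontaudited at L324218, so the dontaudit rule is dead (a granted permission never produces a denial to suppress); drop the dontaudit, or remove `sys_tty_config` from the allow set if the intent was to hide the attempt rather than grant it. L324222–L324224 give getty_t only read access to getty_etc_t yet set up a `{ file dir }` transition into getty_etc_t under /etc; unless files_etc_filetrans also grants create on the target type (it does not appear to here), that transition is inert, and if getty really needs to create config files the write rule should be explicit. Minor style: L324224 is missing the space after the comma, `files_etc_filetrans(getty_t, getty_etc_t, { file dir })`, matching L324234.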
diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
new file mode 100644
index 00000000..9dfecf77
--- /dev/null
+++ b/policy/modules/system/hostname.fc
@@ -0,0 +1,2 @@
+
+/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
new file mode 100644
index 00000000..187f04f8
--- /dev/null
+++ b/policy/modules/system/hostname.if
@@ -0,0 +1,65 @@
+## <summary>Policy for changing the system host name.</summary>
+
+########################################
+## <summary>
+## Execute hostname in the hostname domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hostname_domtrans',`
+ gen_require(`
+ type hostname_t, hostname_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hostname_exec_t, hostname_t)
+')
+
+########################################
+## <summary>
+## Execute hostname in the hostname domain, and
+## allow the specified role the hostname domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`hostname_run',`
+ gen_require(`
+ type hostname_t;
+ ')
+
+ hostname_domtrans($1)
+ role $2 types hostname_t;
+')
+
+########################################
+## <summary>
+## Execute hostname in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hostname_exec',`
+ gen_require(`
+ type hostname_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, hostname_exec_t)
+')
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
new file mode 100644
index 00000000..5307361c
--- /dev/null
+++ b/policy/modules/system/hostname.te
@@ -0,0 +1,69 @@
+policy_module(hostname, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type hostname_t;
+type hostname_exec_t;
+init_system_domain(hostname_t, hostname_exec_t)
+role system_r types hostname_t;
+
+########################################
+#
+# Local policy
+#
+
+# for setting the hostname
+allow hostname_t self:process { sigchld sigkill sigstop signull signal };
+allow hostname_t self:capability sys_admin;
+allow hostname_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit hostname_t self:capability sys_tty_config;
+
+kernel_list_proc(hostname_t)
+kernel_read_proc_symlinks(hostname_t)
+
+dev_read_sysfs(hostname_t)
+# Early devtmpfs, before udev relabel
+dev_dontaudit_rw_generic_chr_files(hostname_t)
+
+domain_use_interactive_fds(hostname_t)
+
+files_read_etc_files(hostname_t)
+files_dontaudit_search_var(hostname_t)
+# for when /usr is not mounted:
+files_dontaudit_search_isid_type_dirs(hostname_t)
+
+fs_getattr_xattr_fs(hostname_t)
+fs_search_auto_mountpoints(hostname_t)
+fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
+
+term_dontaudit_use_console(hostname_t)
+term_use_all_ttys(hostname_t)
+term_use_all_ptys(hostname_t)
+
+init_use_fds(hostname_t)
+init_use_script_fds(hostname_t)
+init_use_script_ptys(hostname_t)
+
+logging_send_syslog_msg(hostname_t)
+
+miscfiles_read_localization(hostname_t)
+
+sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
+sysnet_read_config(hostname_t)
+sysnet_dns_name_resolve(hostname_t)
+
+optional_policy(`
+ nis_use_ypbind(hostname_t)
+')
+
+optional_policy(`
+ xen_append_log(hostname_t)
+ xen_dontaudit_use_fds(hostname_t)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(hostname_t)
+')
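Review bot: `role system_r types hostname_t;` at L324418 is redundant, because `init_system_domain()` (L324417) already performs `role system_r types $1;` as shown in init.if further down this diff; remove the line so the role association has a single source of truth. L324426 spells out `{ sigchld sigkill sigstop signull signal }` by hand where the sibling modules in this diff (getty.te, hotplug.te) use the `signal_perms` macro; writing `allow hostname_t self:process signal_perms;` keeps the modules consistent and picks up any future change to the macro.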
diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc
new file mode 100644
index 00000000..caf736b3
--- /dev/null
+++ b/policy/modules/system/hotplug.fc
@@ -0,0 +1,11 @@
+
+/etc/hotplug(/.*)? gen_context(system_u:object_r:hotplug_etc_t,s0)
+/etc/hotplug/firmware\.agent -- gen_context(system_u:object_r:hotplug_exec_t,s0)
+
+/etc/hotplug\.d/.* -- gen_context(system_u:object_r:hotplug_exec_t,s0)
+
+/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0)
+/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0)
+
+/var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
+/var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
new file mode 100644
index 00000000..40eb10c6
--- /dev/null
+++ b/policy/modules/system/hotplug.if
@@ -0,0 +1,175 @@
+## <summary>
+## Policy for hotplug system, for supporting the
+## connection and disconnection of devices at runtime.
+## </summary>
+
+########################################
+## <summary>
+## Execute hotplug with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hotplug_domtrans',`
+ gen_require(`
+ type hotplug_t, hotplug_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hotplug_exec_t, hotplug_t)
+')
+
+########################################
+## <summary>
+## Execute hotplug in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hotplug_exec',`
+ gen_require(`
+ type hotplug_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, hotplug_exec_t)
+')
+
+########################################
+## <summary>
+## Inherit and use hotplug file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hotplug_use_fds',`
+ gen_require(`
+ type hotplug_t;
+ ')
+
+ allow $1 hotplug_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit
+## hotplug file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hotplug_dontaudit_use_fds',`
+ gen_require(`
+ type hotplug_t;
+ ')
+
+ dontaudit $1 hotplug_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the
+## hotplug configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hotplug_dontaudit_search_config',`
+ gen_require(`
+ type hotplug_etc_t;
+ ')
+
+ dontaudit $1 hotplug_etc_t:dir search;
+')
+
+########################################
+## <summary>
+## Get the attributes of the hotplug configuration directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hotplug_getattr_config_dirs',`
+ gen_require(`
+ type hotplug_etc_t;
+ ')
+
+ allow $1 hotplug_etc_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Search the hotplug configuration directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hotplug_search_config',`
+ gen_require(`
+ type hotplug_etc_t;
+ ')
+
+ allow $1 hotplug_etc_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read the configuration files for hotplug.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hotplug_read_config',`
+ gen_require(`
+ type hotplug_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 hotplug_etc_t:dir list_dir_perms;
+ read_files_pattern($1, hotplug_etc_t, hotplug_etc_t)
+ read_lnk_files_pattern($1, hotplug_etc_t, hotplug_etc_t)
+')
+
+########################################
+## <summary>
+## Search the hotplug PIDs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hotplug_search_pids',`
+ gen_require(`
+ type hotplug_var_run_t;
+ ')
+
+ allow $1 hotplug_var_run_t:dir search_dir_perms;
+ files_search_pids($1)
+')
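Review bot: `hotplug_exec` (L324534–L324541) requires `type hotplug_t;` but the body only references `hotplug_exec_t` in `can_exec($1, hotplug_exec_t)`, so the interface declares the wrong dependency and will fail to link in a build where the requiring module is compiled without hotplug_exec_t in scope; change the gen_require block to `type hotplug_exec_t;`. The same shape is correct in `getty_domtrans` and `hostname_exec` elsewhere in this diff, which require the exact types they use.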
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
new file mode 100644
index 00000000..b2e41cc7
--- /dev/null
+++ b/policy/modules/system/hotplug.te
@@ -0,0 +1,203 @@
+policy_module(hotplug, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+type hotplug_t;
+type hotplug_exec_t;
+kernel_domtrans_to(hotplug_t, hotplug_exec_t)
+init_daemon_domain(hotplug_t, hotplug_exec_t)
+
+type hotplug_etc_t;
+files_config_file(hotplug_etc_t)
+init_daemon_domain(hotplug_t, hotplug_etc_t)
+
+type hotplug_var_run_t;
+files_pid_file(hotplug_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
+dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
+# for access("/etc/bashrc", X_OK) on Red Hat
+dontaudit hotplug_t self:capability { dac_override dac_read_search };
+allow hotplug_t self:process { setpgid getsession getattr signal_perms };
+allow hotplug_t self:fifo_file rw_file_perms;
+allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
+allow hotplug_t self:udp_socket create_socket_perms;
+allow hotplug_t self:tcp_socket connected_stream_socket_perms;
+
+read_files_pattern(hotplug_t, hotplug_etc_t, hotplug_etc_t)
+read_lnk_files_pattern(hotplug_t, hotplug_etc_t, hotplug_etc_t)
+can_exec(hotplug_t, hotplug_etc_t)
+allow hotplug_t hotplug_etc_t:dir list_dir_perms;
+
+can_exec(hotplug_t, hotplug_exec_t)
+
+manage_dirs_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t)
+manage_files_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t)
+files_pid_filetrans(hotplug_t, hotplug_var_run_t, { dir file })
+
+kernel_sigchld(hotplug_t)
+kernel_setpgid(hotplug_t)
+kernel_read_system_state(hotplug_t)
+kernel_read_network_state(hotplug_t)
+kernel_read_kernel_sysctls(hotplug_t)
+kernel_rw_net_sysctls(hotplug_t)
+
+files_read_kernel_modules(hotplug_t)
+
+corenet_all_recvfrom_unlabeled(hotplug_t)
+corenet_all_recvfrom_netlabel(hotplug_t)
+corenet_tcp_sendrecv_generic_if(hotplug_t)
+corenet_udp_sendrecv_generic_if(hotplug_t)
+corenet_tcp_sendrecv_generic_node(hotplug_t)
+corenet_udp_sendrecv_generic_node(hotplug_t)
+corenet_tcp_sendrecv_all_ports(hotplug_t)
+corenet_udp_sendrecv_all_ports(hotplug_t)
+
+dev_rw_sysfs(hotplug_t)
+dev_read_usbfs(hotplug_t)
+dev_setattr_printer_dev(hotplug_t)
+dev_setattr_sound_dev(hotplug_t)
+# for SSP:
+dev_read_urand(hotplug_t)
+
+fs_getattr_all_fs(hotplug_t)
+fs_search_auto_mountpoints(hotplug_t)
+
+storage_setattr_fixed_disk_dev(hotplug_t)
+storage_setattr_removable_dev(hotplug_t)
+
+corecmd_exec_bin(hotplug_t)
+corecmd_exec_shell(hotplug_t)
+
+domain_use_interactive_fds(hotplug_t)
+# for ps
+domain_dontaudit_read_all_domains_state(hotplug_t)
+domain_dontaudit_getattr_all_domains(hotplug_t)
+
+files_read_etc_files(hotplug_t)
+files_manage_etc_runtime_files(hotplug_t)
+files_etc_filetrans_etc_runtime(hotplug_t, file)
+files_exec_etc_files(hotplug_t)
+# for when filesystems are not mounted early in the boot:
+files_dontaudit_search_isid_type_dirs(hotplug_t)
+
+init_read_script_state(hotplug_t)
+# Allow hotplug (including /sbin/ifup-local) to start/stop services and
+# run sendmail -q
+init_domtrans_script(hotplug_t)
+# kernel threads inherit from shared descriptor table used by init
+init_dontaudit_rw_initctl(hotplug_t)
+
+logging_send_syslog_msg(hotplug_t)
+logging_search_logs(hotplug_t)
+
+# Read /usr/lib/gconv/.*
+libs_read_lib_files(hotplug_t)
+
+miscfiles_read_hwdata(hotplug_t)
+miscfiles_read_localization(hotplug_t)
+
+seutil_dontaudit_search_config(hotplug_t)
+
+sysnet_read_config(hotplug_t)
+
+userdom_dontaudit_use_unpriv_user_fds(hotplug_t)
+userdom_dontaudit_search_user_home_dirs(hotplug_t)
+
+ifdef(`distro_redhat', `
+ optional_policy(`
+ # for arping used for static IP addresses on PCMCIA ethernet
+ netutils_domtrans(hotplug_t)
+ netutils_signal(hotplug_t)
+ fs_rw_tmpfs_chr_files(hotplug_t)
+ ')
+ files_getattr_generic_locks(hotplug_t)
+')
+
+optional_policy(`
+ brctl_domtrans(hotplug_t)
+')
+
+optional_policy(`
+ consoletype_exec(hotplug_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(hotplug_t)
+')
+
+optional_policy(`
+ fstools_domtrans(hotplug_t)
+')
+
+optional_policy(`
+ hal_dgram_send(hotplug_t)
+')
+
+optional_policy(`
+ hostname_exec(hotplug_t)
+')
+
+optional_policy(`
+ iptables_domtrans(hotplug_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(hotplug_t)
+ modutils_read_module_deps(hotplug_t)
+')
+
+optional_policy(`
+ mount_domtrans(hotplug_t)
+')
+
+optional_policy(`
+ mta_send_mail(hotplug_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(hotplug_t)
+')
+
+optional_policy(`
+ nscd_socket_use(hotplug_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(hotplug_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(hotplug_t)
+ sysnet_signal_dhcpc(hotplug_t)
+ sysnet_kill_dhcpc(hotplug_t)
+ sysnet_signull_dhcpc(hotplug_t)
+ sysnet_sigstop_dhcpc(hotplug_t)
+ sysnet_sigchld_dhcpc(hotplug_t)
+ sysnet_read_dhcpc_pid(hotplug_t)
+ sysnet_rw_dhcp_config(hotplug_t)
+ sysnet_domtrans_ifconfig(hotplug_t)
+ sysnet_signal_ifconfig(hotplug_t)
+')
+
+optional_policy(`
+ udev_domtrans(hotplug_t)
+ udev_helper_domtrans(hotplug_t)
+ udev_read_db(hotplug_t)
+')
+
+optional_policy(`
+ updfstab_domtrans(hotplug_t)
+')
+
+optional_policy(`
+ usbmodules_domtrans(hotplug_t)
+')
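Review bot: `init_daemon_domain(hotplug_t, hotplug_etc_t)` at L324695 is a second call for the same domain (the first is L324691) and its only additional effect is to make the configuration type hotplug_etc_t an entry point and init-script transition target for hotplug_t, a domain that holds net_admin, sys_rawio and mknod (L324705). That appears deliberate, since hotplug.fc labels the whole /etc/hotplug tree hotplug_etc_t and L324717 lets hotplug_t execute it, but a reader of a `files_config_file` type will not expect it to double as an executable entry point; please add a comment above L324695 such as `# agent scripts under /etc/hotplug are labelled hotplug_etc_t and must be able to enter hotplug_t`, or relabel the agents as hotplug_exec_t as L324485 and L324487 already do. Minor consistency: L324710 uses `rw_file_perms` on a fifo_file where getty.te uses `rw_fifo_file_perms`.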
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
new file mode 100644
index 00000000..55591324
--- /dev/null
+++ b/policy/modules/system/init.fc
@@ -0,0 +1,79 @@
+#
+# /etc
+#
+/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/sysconfig/network-scripts/ifup-ipsec -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/etc/vmware/init\.d/vmware -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/x11/startDM\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
+')
+
+#
+# /dev
+#
+/dev/initctl -p gen_context(system_u:object_r:initctl_t,s0)
+
+#
+# /lib
+#
+ifdef(`distro_gentoo', `
+/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
+/lib/rc/console(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
+')
+
+#
+# /sbin
+#
+/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+# because nowadays, /sbin/init is often a symlink to /sbin/upstart
+/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+
+ifdef(`distro_gentoo', `
+/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
+')
+
+#
+# /usr
+#
+/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+#
+# /var
+#
+/var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+
+ifdef(`distro_debian',`
+/var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/kdm/.* -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+')
+
+ifdef(`distro_gentoo', `
+/var/lib/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
+/var/lib/ip6?tables(/.*)? gen_context(system_u:object_r:initrc_tmp_t,s0)
+/var/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+')
+
+ifdef(`distro_suse', `
+/var/run/bootsplashctl -p gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/keymap -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/numlock-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
+')
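Review bot: L324905 labels `/etc/x11/startDM\.sh` with a lowercase `x11` while L324901 uses `/etc/X11/prefdm`; file context matching is case-sensitive, so if the Gentoo script actually lives under /etc/X11 this entry never matches and startDM.sh keeps the generic etc label instead of initrc_exec_t. Please confirm the real path and, if it is /etc/X11, change the line to `/etc/X11/startDM\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)`.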
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
new file mode 100644
index 00000000..01bad376
--- /dev/null
+++ b/policy/modules/system/init.if
@@ -0,0 +1,1793 @@
+## <summary>System initialization programs (init and init scripts).</summary>
+
+########################################
+## <summary>
+## Create a file type used for init scripts.
+## </summary>
+## <desc>
+## <p>
+## Create a file type used for init scripts. It can not be
+## used in conjunction with init_script_domain(). These
+## script files are typically stored in the /etc/init.d directory.
+## </p>
+## <p>
+## Typically this is used to constrain what services an
+## admin can start/stop. For example, a policy writer may want
+## to constrain a web administrator to only being able to
+## restart the web server, not other services. This special type
+## will help address that goal.
+## </p>
+## <p>
+## This also makes the type usable for files; thus an
+## explicit call to files_type() is redundant.
+## </p>
+## </desc>
+## <param name="script_file">
+## <summary>
+## Type to be used for a script file.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`init_script_file',`
+ gen_require(`
+ type initrc_t;
+ attribute init_script_file_type, init_run_all_scripts_domain;
+ ')
+
+ typeattribute $1 init_script_file_type;
+
+ domain_entry_file(initrc_t, $1)
+
+ domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
+')
+
+########################################
+## <summary>
+## Create a domain used for init scripts.
+## </summary>
+## <desc>
+## <p>
+## Create a domain used for init scripts.
+## Can not be used in conjunction with
+## init_script_file().
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used as an init script domain.
+## </summary>
+## </param>
+## <param name="script_file">
+## <summary>
+## Type of the script file used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`init_script_domain',`
+ gen_require(`
+ attribute init_script_domain_type, init_script_file_type;
+ attribute init_run_all_scripts_domain;
+ ')
+
+ typeattribute $1 init_script_domain_type;
+ typeattribute $2 init_script_file_type;
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ domtrans_pattern(init_run_all_scripts_domain, $2, $1)
+')
+
+########################################
+## <summary>
+## Create a domain which can be started by init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`init_domain',`
+ gen_require(`
+ type init_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(init_t, $2, $1)
+
+ ifdef(`hide_broken_symptoms',`
+ # RHEL4 systems seem to have a stray
+ # fds open from the initrd
+ ifdef(`distro_rhel4',`
+ kernel_dontaudit_use_fds($1)
+ ')
+ ')
+')
+
+########################################
+## <summary>
+## Create a domain which can be started by init,
+## with a range transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <param name="range">
+## <summary>
+## Range for the domain.
+## </summary>
+## </param>
+#
+interface(`init_ranged_domain',`
+ gen_require(`
+ type init_t;
+ ')
+
+ init_domain($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition init_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition init_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create a domain for long running processes
+## (daemons/services) which are started by init scripts.
+## </summary>
+## <desc>
+## <p>
+## Create a domain for long running processes (daemons/services)
+## which are started by init scripts. Short running processes
+## should use the init_system_domain() interface instead.
+## Typically all long running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface.
+## </p>
+## <p>
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+## </p>
+## <p>
+## If the process must also run in a specific MLS/MCS level,
+## the init_ranged_daemon_domain() should be used instead.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used as a daemon domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`init_daemon_domain',`
+ gen_require(`
+ attribute direct_run_init, direct_init, direct_init_entry;
+ type initrc_t;
+ role system_r;
+ attribute daemon;
+ ')
+
+ typeattribute $1 daemon;
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(initrc_t, $2, $1)
+
+ # daemons started from init will
+ # inherit fds from init for the console
+ init_dontaudit_use_fds($1)
+ term_dontaudit_use_console($1)
+
+ # init script ptys are the stdin/out/err
+ # when using run_init
+ init_use_script_ptys($1)
+
+ ifdef(`direct_sysadm_daemon',`
+ domtrans_pattern(direct_run_init, $2, $1)
+ allow direct_run_init $1:process { noatsecure siginh rlimitinh };
+
+ typeattribute $1 direct_init;
+ typeattribute $2 direct_init_entry;
+
+ userdom_dontaudit_use_user_terminals($1)
+ ')
+
+ ifdef(`hide_broken_symptoms',`
+ # RHEL4 systems seem to have a stray
+ # fds open from the initrd
+ ifdef(`distro_rhel4',`
+ kernel_dontaudit_use_fds($1)
+ ')
+ ')
+
+ optional_policy(`
+ nscd_socket_use($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create a domain for long running processes
+## (daemons/services) which are started by init scripts,
+## running at a specified MLS/MCS range.
+## </summary>
+## <desc>
+## <p>
+## Create a domain for long running processes (daemons/services)
+## which are started by init scripts, running at a specified
+## MLS/MCS range. Short running processes
+## should use the init_ranged_system_domain() interface instead.
+## Typically all long running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface if they need to run in a specific MLS/MCS range.
+## </p>
+## <p>
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+## </p>
+## <p>
+## If the policy build option TYPE is standard (MLS and MCS disabled),
+## this interface has the same behavior as init_daemon_domain().
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used as a daemon domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <param name="range">
+## <summary>
+## MLS/MCS range for the domain.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`init_ranged_daemon_domain',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ init_daemon_domain($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition initrc_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition initrc_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create a domain for short running processes
+## which are started by init scripts.
+## </summary>
+## <desc>
+## <p>
+## Create a domain for short running processes
+## which are started by init scripts. These are generally applications that
+## are used to initialize the system during boot.
+## Long running processes, such as daemons/services
+## should use the init_daemon_domain() interface instead.
+## Typically all short running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface.
+## </p>
+## <p>
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+## </p>
+## <p>
+## If the process must also run in a specific MLS/MCS level,
+## the init_ranged_system_domain() should be used instead.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used as a system domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`init_system_domain',`
+ gen_require(`
+ type initrc_t;
+ role system_r;
+ ')
+
+ application_domain($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(initrc_t, $2, $1)
+
+ ifdef(`hide_broken_symptoms',`
+ # RHEL4 systems seem to have a stray
+ # fds open from the initrd
+ ifdef(`distro_rhel4',`
+ kernel_dontaudit_use_fds($1)
+ ')
+ ')
+')
+
+########################################
+## <summary>
+## Create a domain for short running processes
+## which are started by init scripts.
+## </summary>
+## <desc>
+## <p>
+## Create a domain for long running processes (daemons/services)
+## which are started by init scripts.
+## These are generally applications that
+## are used to initialize the system during boot.
+## Long running processes
+## should use the init_ranged_system_domain() interface instead.
+## Typically all short running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface if they need to run in a specific MLS/MCS range.
+## </p>
+## <p>
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+## </p>
+## <p>
+## If the policy build option TYPE is standard (MLS and MCS disabled),
+## this interface has the same behavior as init_system_domain().
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used as a system domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <param name="range">
+## <summary>
+## Range for the domain.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`init_ranged_system_domain',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ init_system_domain($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition initrc_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition initrc_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute init (/sbin/init) with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`init_domtrans',`
+ gen_require(`
+ type init_t, init_exec_t;
+ ')
+
+ domtrans_pattern($1, init_exec_t, init_t)
+')
+
+########################################
+## <summary>
+## Execute the init program in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_exec',`
+ gen_require(`
+ type init_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, init_exec_t)
+')
+
+########################################
+## <summary>
+## Execute the rc application in the caller domain.
+## </summary>
+## <desc>
+## <p>
+## This is only applicable to Gentoo or distributions that use the OpenRC
+## init system.
+## </p>
+## <p>
+## The OpenRC /sbin/rc binary is used for both init scripts as well as
+## management applications and tools. When used for management purposes,
+## calling /sbin/rc should never cause a transition to initrc_t.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_exec_rc',`
+ gen_require(`
+ type rc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rc_exec_t)
+')
+
+########################################
+## <summary>
+## Get the process group of init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getpgid',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process getpgid;
+')
+
+########################################
+## <summary>
+## Send init a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_signull',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process signull;
+')
+
+########################################
+## <summary>
+## Send init a SIGCHLD signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_sigchld',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Connect to init with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_stream_connect',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from init.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to inherit file
+## descriptors from the init program (process ID 1).
+## Typically the only file descriptors to be
+## inherited from init are for the console.
+## This does not allow the domain any access to
+## the object to which the file descriptors references.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>init_dontaudit_use_fds()</li>
+## <li>term_dontaudit_use_console()</li>
+## <li>term_use_console()</li>
+## </ul>
+## <p>
+## Example usage:
+## </p>
+## <p>
+## init_use_fds(mydomain_t)
+## term_use_console(mydomain_t)
+## </p>
+## <p>
+## Normally, processes that can inherit these file
+## descriptors (usually services) write messages to the
+## system log instead of writing to the console.
+## Therefore, in many cases, this access should
+## dontaudited instead.
+## </p>
+## <p>
+## Example dontaudit usage:
+## </p>
+## <p>
+## init_dontaudit_use_fds(mydomain_t)
+## term_dontaudit_use_console(mydomain_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="1"/>
+#
+interface(`init_use_fds',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit file
+## descriptors from init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_use_fds',`
+ gen_require(`
+ type init_t;
+ ')
+
+ dontaudit $1 init_t:fd use;
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to init. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_udp_send',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Get the attributes of initctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getattr_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ allow $1 initctl_t:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of initctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_getattr_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dontaudit $1 initctl_t:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Write to initctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_write_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Use telinit (Read and write initctl).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_telinit',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file rw_fifo_file_perms;
+
+ init_exec($1)
+
+ tunable_policy(`init_upstart',`
+ gen_require(`
+ type init_t;
+ ')
+
+ # upstart uses a datagram socket instead of initctl pipe
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
+ ')
+')
+
+########################################
+## <summary>
+## Read and write initctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write initctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_rw_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dontaudit $1 initctl_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Make init scripts an entry point for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_entry_type',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ # /sbin/runscript is a wrapper for /sbin/rc, so run_init_t
+ # wants to execute initrc_exec_t (no transition needed anymore) whereas
+ # runscript previously was a binary
+ # allow $1 initrc_exec_t:file execute_no_trans;
+
+ domain_entry_file($1, initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute init scripts with a specified domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`init_spec_domtrans_script',`
+ gen_require(`
+ type initrc_t, initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
+
+ ifdef(`enable_mcs',`
+ range_transition $1 initrc_exec_t:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ ')
+')
+
+########################################
+## <summary>
+## Execute init scripts with an automatic domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`init_domtrans_script',`
+ gen_require(`
+ type initrc_t, initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ domtrans_pattern($1, initrc_exec_t, initrc_t)
+
+ ifdef(`enable_mcs',`
+ range_transition $1 initrc_exec_t:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ ')
+
+ ifdef(`distro_gentoo',`
+ gen_require(`
+ type rc_exec_t;
+ ')
+ domtrans_pattern($1, rc_exec_t, initrc_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute a init script in a specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a init script in a specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_domtrans',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ domain_auto_trans($1, initrc_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Transition to the init script domain
+## on a specified labeled init script.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="init_script_file">
+## <summary>
+## Labeled init script file.
+## </summary>
+## </param>
+#
+interface(`init_labeled_script_domtrans',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ domtrans_pattern($1, $2, initrc_t)
+ files_search_etc($1)
+')
+
+#########################################
+## <summary>
+## Transition to the init script domain
+## for all labeled init script types
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`init_all_labeled_script_domtrans',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ init_labeled_script_domtrans($1, init_script_file_type)
+')
+
+########################################
+## <summary>
+## Start and stop daemon programs directly.
+## </summary>
+## <desc>
+## <p>
+## Start and stop daemon programs directly
+## in the traditional "/etc/init.d/daemon start"
+## style, and do not require run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be performing this action.
+## </summary>
+## </param>
+#
+interface(`init_run_daemon',`
+ gen_require(`
+ attribute direct_run_init, direct_init, direct_init_entry;
+ role system_r;
+ ')
+
+ typeattribute $1 direct_run_init;
+ role_transition $2 direct_init_entry system_r;
+')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid) of init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_state',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:dir search_dir_perms;
+ allow $1 init_t:file read_file_perms;
+ allow $1 init_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Ptrace init
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_ptrace',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process ptrace;
+')
+
+########################################
+## <summary>
+## Write an init script unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_write_script_pipes',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Get the attribute of init script entrypoint files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getattr_script_files',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ allow $1 initrc_exec_t:file getattr;
+')
+
+########################################
+## <summary>
+## Read init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_script_files',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 initrc_exec_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute init scripts in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_exec_script_files',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ can_exec($1, initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Get the attribute of all init script entrypoint files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getattr_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_list_etc($1)
+ allow $1 init_script_file_type:file getattr;
+')
+
+########################################
+## <summary>
+## Read all init script files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_search_etc($1)
+ allow $1 init_script_file_type:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Dontaudit read all init script files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_read_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ dontaudit $1 init_script_file_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute all init scripts in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_exec_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_list_etc($1)
+ can_exec($1, init_script_file_type)
+')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid) of the init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_script_state',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ kernel_search_proc($1)
+ read_files_pattern($1, initrc_t, initrc_t)
+ read_lnk_files_pattern($1, initrc_t, initrc_t)
+ list_dirs_pattern($1, initrc_t, initrc_t)
+
+ # should move this to separate interface
+ allow $1 initrc_t:process getattr;
+')
+
+########################################
+## <summary>
+## Inherit and use init script file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_use_script_fds',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit
+## init script file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_use_script_fds',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ dontaudit $1 initrc_t:fd use;
+')
+
+########################################
+## <summary>
+## Search init script keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_search_script_keys',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:key search;
+')
+
+########################################
+## <summary>
+## Get the process group ID of init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getpgid_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process getpgid;
+')
+
+########################################
+## <summary>
+## Send SIGCHLD signals to init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_sigchld_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send generic signals to init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_signal_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process signal;
+')
+
+########################################
+## <summary>
+## Send null signals to init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_signull_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process signull;
+')
+
+########################################
+## <summary>
+## Read and write init script unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_script_pipes',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to init scripts. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_udp_send_script',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to
+## init scripts with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_stream_connect_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write to
+## init scripts with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_script_stream_sockets',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Dont audit the specified domain connecting to
+## init scripts with a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_stream_connect_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ dontaudit $1 initrc_t:unix_stream_socket connectto;
+')
+########################################
+## <summary>
+## Send messages to init scripts over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_dbus_send_script',`
+ gen_require(`
+ type initrc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 initrc_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## init scripts over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_dbus_chat_script',`
+ gen_require(`
+ type initrc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 initrc_t:dbus send_msg;
+ allow initrc_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read and write the init script pty.
+## </summary>
+## <desc>
+## <p>
+## Read and write the init script pty. This
+## pty is generally opened by the open_init_pty
+## portion of the run_init program so that the
+## daemon does not require direct access to
+## the administrator terminal.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_use_script_ptys',`
+ gen_require(`
+ type initrc_devpts_t;
+ ')
+
+ term_list_ptys($1)
+ allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write the init script pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_use_script_ptys',`
+ gen_require(`
+ type initrc_devpts_t;
+ ')
+
+ dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+## Get the attributes of init script
+## status files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getattr_script_status_files',`
+ gen_require(`
+ type initrc_state_t;
+ ')
+
+ getattr_files_pattern($1, initrc_state_t, initrc_state_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read init script
+## status files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_read_script_status_files',`
+ gen_require(`
+ type initrc_state_t;
+ ')
+
+ dontaudit $1 initrc_state_t:dir search_dir_perms;
+ dontaudit $1 initrc_state_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read init script temporary data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_script_tmp_files',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
+')
+
+########################################
+## <summary>
+## Read and write init script temporary data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_script_tmp_files',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
+')
+
+########################################
+## <summary>
+## Create files in a init script
+## temporary data directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+#
+interface(`init_script_tmp_filetrans',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ filetrans_pattern($1, initrc_tmp_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Get the attributes of init script process id files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getattr_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ allow $1 initrc_var_run_t:file getattr;
+')
+
+########################################
+## <summary>
+## Read utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_list_pids($1)
+ allow $1 initrc_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_write_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ dontaudit $1 initrc_var_run_t:file { write lock };
+')
+
+########################################
+## <summary>
+## Write to utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_write_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_list_pids($1)
+ allow $1 initrc_var_run_t:file { getattr open write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to lock
+## init script pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_lock_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ dontaudit $1 initrc_var_run_t:file lock;
+')
+
+########################################
+## <summary>
+## Read and write utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_list_pids($1)
+ allow $1 initrc_var_run_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_rw_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_manage_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 initrc_var_run_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create files in /var/run with the
+## utmp file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_pid_filetrans_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_pid_filetrans($1, initrc_var_run_t, file)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to daemon with a tcp socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_tcp_recvfrom_all_daemons',`
+ gen_require(`
+ attribute daemon;
+ ')
+
+ corenet_tcp_recvfrom_labeled($1, daemon)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to daemon with a udp socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_udp_recvfrom_all_daemons',`
+ gen_require(`
+ attribute daemon;
+ ')
+ corenet_udp_recvfrom_labeled($1, daemon)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
new file mode 100644
index 00000000..820c0722
--- /dev/null
+++ b/policy/modules/system/init.te
@@ -0,0 +1,901 @@
+policy_module(init, 1.18.0)
+
+gen_require(`
+ class passwd rootok;
+')
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Enable support for upstart as the init program.
+## </p>
+## </desc>
+gen_tunable(init_upstart, false)
+
+# used for direct running of init scripts
+# by admin domains
+attribute direct_run_init;
+attribute direct_init;
+attribute direct_init_entry;
+
+attribute init_script_domain_type;
+attribute init_script_file_type;
+attribute init_run_all_scripts_domain;
+
+# Mark process types as daemons
+attribute daemon;
+
+#
+# init_t is the domain of the init process.
+#
+type init_t;
+type init_exec_t;
+domain_type(init_t)
+domain_entry_file(init_t, init_exec_t)
+kernel_domtrans_to(init_t, init_exec_t)
+role system_r types init_t;
+
+#
+# init_var_run_t is the type for /var/run/shutdown.pid.
+#
+type init_var_run_t;
+files_pid_file(init_var_run_t)
+
+#
+# initctl_t is the type of the named pipe created
+# by init during initialization. This pipe is used
+# to communicate with init.
+#
+type initctl_t;
+files_type(initctl_t)
+mls_trusted_object(initctl_t)
+
+type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
+type initrc_exec_t, init_script_file_type;
+domain_type(initrc_t)
+domain_entry_file(initrc_t, initrc_exec_t)
+role system_r types initrc_t;
+# should be part of the true block
+# of the below init_upstart tunable
+# but this has a typeattribute in it
+corecmd_shell_entry_type(initrc_t)
+
+type initrc_devpts_t;
+term_pty(initrc_devpts_t)
+files_type(initrc_devpts_t)
+
+type initrc_state_t;
+files_type(initrc_state_t)
+
+type initrc_tmp_t;
+files_tmp_file(initrc_tmp_t)
+
+type initrc_var_log_t;
+logging_log_file(initrc_var_log_t)
+
+type initrc_var_run_t;
+files_pid_file(initrc_var_run_t)
+
+ifdef(`distro_gentoo',`
+ type rc_exec_t;
+ domain_entry_file(initrc_t, rc_exec_t)
+')
+
+ifdef(`enable_mls',`
+ kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh)
+')
+
+########################################
+#
+# Init local policy
+#
+
+# Use capabilities. old rule:
+allow init_t self:capability ~sys_module;
+# is ~sys_module really needed? observed:
+# sys_boot
+# sys_tty_config
+# kill: now provided by domain_kill_all_domains()
+# setuid (from /sbin/shutdown)
+# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
+
+allow init_t self:fifo_file rw_fifo_file_perms;
+
+# Re-exec itself
+can_exec(init_t, init_exec_t)
+
+allow init_t initrc_t:unix_stream_socket connectto;
+
+# For /var/run/shutdown.pid.
+allow init_t init_var_run_t:file manage_file_perms;
+files_pid_filetrans(init_t, init_var_run_t, file)
+
+allow init_t initctl_t:fifo_file manage_fifo_file_perms;
+dev_filetrans(init_t, initctl_t, fifo_file)
+
+# Modify utmp.
+allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+
+kernel_read_system_state(init_t)
+kernel_share_state(init_t)
+
+corecmd_exec_chroot(init_t)
+corecmd_exec_bin(init_t)
+
+dev_read_sysfs(init_t)
+# Early devtmpfs
+dev_rw_generic_chr_files(init_t)
+
+domain_getpgid_all_domains(init_t)
+domain_kill_all_domains(init_t)
+domain_signal_all_domains(init_t)
+domain_signull_all_domains(init_t)
+domain_sigstop_all_domains(init_t)
+domain_sigchld_all_domains(init_t)
+
+files_read_etc_files(init_t)
+files_rw_generic_pids(init_t)
+files_dontaudit_search_isid_type_dirs(init_t)
+files_manage_etc_runtime_files(init_t)
+files_etc_filetrans_etc_runtime(init_t, file)
+# Run /etc/X11/prefdm:
+files_exec_etc_files(init_t)
+# file descriptors inherited from the rootfs:
+files_dontaudit_rw_root_files(init_t)
+files_dontaudit_rw_root_chr_files(init_t)
+
+fs_list_inotifyfs(init_t)
+# cjp: this may be related to /dev/log
+fs_write_ramfs_sockets(init_t)
+
+mcs_process_set_categories(init_t)
+mcs_killall(init_t)
+
+mls_file_read_all_levels(init_t)
+mls_file_write_all_levels(init_t)
+mls_process_write_down(init_t)
+mls_fd_use_all_levels(init_t)
+
+selinux_set_all_booleans(init_t)
+
+term_use_all_terms(init_t)
+
+# Run init scripts.
+init_domtrans_script(init_t)
+
+libs_rw_ld_so_cache(init_t)
+
+logging_send_syslog_msg(init_t)
+logging_rw_generic_logs(init_t)
+
+seutil_read_config(init_t)
+
+miscfiles_read_localization(init_t)
+
+ifdef(`distro_gentoo',`
+ allow init_t self:process { getcap setcap };
+
+ init_exec_rc(initrc_t)
+')
+
+ifdef(`distro_redhat',`
+ fs_read_tmpfs_symlinks(init_t)
+ fs_rw_tmpfs_chr_files(init_t)
+ fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
+')
+
+tunable_policy(`init_upstart',`
+ corecmd_shell_domtrans(init_t, initrc_t)
+',`
+ # Run the shell in the sysadm role for single-user mode.
+ # causes problems with upstart
+ sysadm_shell_domtrans(init_t)
+')
+
+optional_policy(`
+ auth_rw_login_records(init_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(init_t)
+')
+
+optional_policy(`
+ nscd_socket_use(init_t)
+')
+
+optional_policy(`
+ sssd_stream_connect(init_t)
+')
+
+optional_policy(`
+ unconfined_domain(init_t)
+')
+
+########################################
+#
+# Init script local policy
+#
+
+allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
+allow initrc_t self:capability ~{ sys_module };
+dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
+allow initrc_t self:passwd rootok;
+allow initrc_t self:key manage_key_perms;
+
+# Allow IPC with self
+allow initrc_t self:unix_dgram_socket create_socket_perms;
+allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
+allow initrc_t self:tcp_socket create_stream_socket_perms;
+allow initrc_t self:udp_socket create_socket_perms;
+allow initrc_t self:fifo_file rw_file_perms;
+
+allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
+term_create_pty(initrc_t, initrc_devpts_t)
+
+# Going to single user mode
+init_telinit(initrc_t)
+
+can_exec(initrc_t, init_script_file_type)
+
+domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
+
+manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
+manage_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+
+allow initrc_t initrc_var_run_t:file manage_file_perms;
+files_pid_filetrans(initrc_t, initrc_var_run_t, { file dir })
+
+can_exec(initrc_t, initrc_tmp_t)
+manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
+
+manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
+logging_log_filetrans(initrc_t, initrc_var_log_t, dir);
+
+init_write_initctl(initrc_t)
+
+kernel_read_system_state(initrc_t)
+kernel_read_software_raid_state(initrc_t)
+kernel_read_network_state(initrc_t)
+kernel_read_ring_buffer(initrc_t)
+kernel_change_ring_buffer_level(initrc_t)
+kernel_clear_ring_buffer(initrc_t)
+kernel_get_sysvipc_info(initrc_t)
+kernel_read_all_sysctls(initrc_t)
+kernel_rw_all_sysctls(initrc_t)
+# for lsof which is used by alsa shutdown:
+kernel_dontaudit_getattr_message_if(initrc_t)
+
+files_read_kernel_symbol_table(initrc_t)
+files_dontaudit_write_usr_dirs(initrc_t)
+
+corecmd_exec_all_executables(initrc_t)
+
+corenet_all_recvfrom_unlabeled(initrc_t)
+corenet_all_recvfrom_netlabel(initrc_t)
+corenet_tcp_sendrecv_all_if(initrc_t)
+corenet_udp_sendrecv_all_if(initrc_t)
+corenet_tcp_sendrecv_all_nodes(initrc_t)
+corenet_udp_sendrecv_all_nodes(initrc_t)
+corenet_tcp_sendrecv_all_ports(initrc_t)
+corenet_udp_sendrecv_all_ports(initrc_t)
+corenet_tcp_connect_all_ports(initrc_t)
+corenet_sendrecv_all_client_packets(initrc_t)
+
+dev_read_rand(initrc_t)
+dev_read_urand(initrc_t)
+dev_write_kmsg(initrc_t)
+dev_write_rand(initrc_t)
+dev_write_urand(initrc_t)
+dev_rw_sysfs(initrc_t)
+dev_manage_sysfs_dirs(initrc_t)
+dev_list_usbfs(initrc_t)
+dev_read_framebuffer(initrc_t)
+dev_write_framebuffer(initrc_t)
+dev_read_realtime_clock(initrc_t)
+dev_read_sound_mixer(initrc_t)
+dev_write_sound_mixer(initrc_t)
+dev_setattr_all_chr_files(initrc_t)
+dev_rw_lvm_control(initrc_t)
+dev_delete_lvm_control_dev(initrc_t)
+dev_manage_generic_symlinks(initrc_t)
+dev_manage_generic_files(initrc_t)
+# Wants to remove udev.tbl:
+dev_delete_generic_symlinks(initrc_t)
+dev_getattr_all_blk_files(initrc_t)
+dev_getattr_all_chr_files(initrc_t)
+# Early devtmpfs
+dev_rw_generic_chr_files(initrc_t)
+
+domain_kill_all_domains(initrc_t)
+domain_signal_all_domains(initrc_t)
+domain_signull_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
+domain_sigchld_all_domains(initrc_t)
+domain_read_all_domains_state(initrc_t)
+domain_getattr_all_domains(initrc_t)
+domain_dontaudit_ptrace_all_domains(initrc_t)
+domain_getsession_all_domains(initrc_t)
+domain_use_interactive_fds(initrc_t)
+# for lsof which is used by alsa shutdown:
+domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
+domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
+domain_dontaudit_getattr_all_pipes(initrc_t)
+
+files_getattr_all_dirs(initrc_t)
+files_getattr_all_files(initrc_t)
+files_getattr_all_symlinks(initrc_t)
+files_getattr_all_pipes(initrc_t)
+files_getattr_all_sockets(initrc_t)
+files_create_pid_dirs(initrc_t)
+files_purge_tmp(initrc_t)
+files_delete_all_locks(initrc_t)
+files_read_all_pids(initrc_t)
+files_delete_all_pids(initrc_t)
+files_delete_all_pid_dirs(initrc_t)
+files_read_etc_files(initrc_t)
+files_manage_etc_runtime_files(initrc_t)
+files_etc_filetrans_etc_runtime(initrc_t, file)
+files_exec_etc_files(initrc_t)
+files_read_usr_files(initrc_t)
+files_manage_urandom_seed(initrc_t)
+files_manage_generic_spool(initrc_t)
+# Mount and unmount file systems.
+# cjp: not sure why these are here; should use mount policy
+files_list_isid_type_dirs(initrc_t)
+files_mounton_isid_type_dirs(initrc_t)
+files_list_default(initrc_t)
+files_mounton_default(initrc_t)
+files_manage_generic_tmp_files(initrc_t)
+files_manage_generic_tmp_dirs(initrc_t)
+
+fs_manage_cgroup_dirs(initrc_t)
+fs_manage_cgroup_files(initrc_t)
+fs_list_inotifyfs(initrc_t)
+fs_register_binary_executable_type(initrc_t)
+# rhgb-console writes to ramfs
+fs_write_ramfs_pipes(initrc_t)
+# cjp: not sure why these are here; should use mount policy
+fs_mount_all_fs(initrc_t)
+fs_unmount_all_fs(initrc_t)
+fs_remount_all_fs(initrc_t)
+fs_getattr_all_fs(initrc_t)
+
+# initrc_t needs to do a pidof which requires ptrace
+mcs_ptrace_all(initrc_t)
+mcs_killall(initrc_t)
+mcs_process_set_categories(initrc_t)
+
+mls_file_read_all_levels(initrc_t)
+mls_file_write_all_levels(initrc_t)
+mls_process_read_up(initrc_t)
+mls_process_write_down(initrc_t)
+mls_rangetrans_source(initrc_t)
+mls_fd_share_all_levels(initrc_t)
+
+selinux_get_enforce_mode(initrc_t)
+
+storage_getattr_fixed_disk_dev(initrc_t)
+storage_setattr_fixed_disk_dev(initrc_t)
+storage_setattr_removable_dev(initrc_t)
+
+term_use_all_terms(initrc_t)
+term_reset_tty_labels(initrc_t)
+
+auth_rw_login_records(initrc_t)
+auth_setattr_login_records(initrc_t)
+auth_rw_lastlog(initrc_t)
+auth_read_pam_pid(initrc_t)
+auth_delete_pam_pid(initrc_t)
+auth_delete_pam_console_data(initrc_t)
+auth_use_nsswitch(initrc_t)
+
+libs_rw_ld_so_cache(initrc_t)
+libs_exec_lib_files(initrc_t)
+libs_exec_ld_so(initrc_t)
+
+logging_send_audit_msgs(initrc_t)
+logging_send_syslog_msg(initrc_t)
+logging_manage_generic_logs(initrc_t)
+logging_read_all_logs(initrc_t)
+logging_append_all_logs(initrc_t)
+logging_read_audit_config(initrc_t)
+logging_delete_devlog_socket(initrc_t)
+
+miscfiles_read_localization(initrc_t)
+# slapd needs to read cert files from its initscript
+miscfiles_read_generic_certs(initrc_t)
+
+modutils_read_module_config(initrc_t)
+modutils_domtrans_insmod(initrc_t)
+
+seutil_read_config(initrc_t)
+
+userdom_read_user_home_content_files(initrc_t)
+# Allow access to the sysadm TTYs. Note that this will give access to the
+# TTYs to any process in the initrc_t domain. Therefore, daemons and such
+# started from init should be placed in their own domain.
+userdom_use_user_terminals(initrc_t)
+
+ifdef(`distro_debian',`
+ dev_setattr_generic_dirs(initrc_t)
+
+ fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
+
+ # for storing state under /dev/shm
+ fs_setattr_tmpfs_dirs(initrc_t)
+ storage_manage_fixed_disk(initrc_t)
+ storage_tmpfs_filetrans_fixed_disk(initrc_t)
+
+ files_setattr_etc_dirs(initrc_t)
+')
+
+ifdef(`distro_gentoo',`
+ kernel_dontaudit_getattr_core_if(initrc_t)
+
+ # seed udev /dev
+ allow initrc_t self:process setfscreate;
+ dev_create_null_dev(initrc_t)
+ dev_create_zero_dev(initrc_t)
+ dev_create_generic_dirs(initrc_t)
+ term_create_console_dev(initrc_t)
+
+ # unfortunately /sbin/rc does stupid tricks
+ # with /dev/.rcboot to decide if we are in
+ # early init
+ dev_create_generic_dirs(initrc_t)
+ dev_delete_generic_dirs(initrc_t)
+
+ # allow bootmisc to create /var/lock/.keep.
+ files_manage_generic_locks(initrc_t)
+
+ # openrc uses tmpfs for its state data
+ fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file })
+ files_mountpoint(initrc_state_t)
+
+ # init scripts touch this
+ clock_dontaudit_write_adjtime(initrc_t)
+
+ logging_send_audit_msgs(initrc_t)
+
+ # for integrated run_init to read run_init_type.
+ # happens during boot (/sbin/rc execs init scripts)
+ seutil_read_default_contexts(initrc_t)
+
+ # /lib/rcscripts/net/system.sh rewrites resolv.conf :(
+ sysnet_create_config(initrc_t)
+ sysnet_write_config(initrc_t)
+ sysnet_setattr_config(initrc_t)
+
+ optional_policy(`
+ alsa_read_lib(initrc_t)
+ ')
+
+ optional_policy(`
+ arpwatch_manage_data_files(initrc_t)
+ ')
+
+ optional_policy(`
+ dhcpd_setattr_state_files(initrc_t)
+ ')
+
+ optional_policy(`
+ rpc_manage_nfs_state_data(initrc_t)
+ ')
+')
+
+ifdef(`distro_redhat',`
+ # this is from kmodule, which should get its own policy:
+ allow initrc_t self:capability sys_admin;
+
+ allow initrc_t self:process setfscreate;
+
+ # Red Hat systems seem to have a stray
+ # fd open from the initrd
+ kernel_dontaudit_use_fds(initrc_t)
+ files_dontaudit_read_root_files(initrc_t)
+
+ # These seem to be from the initrd
+ # during device initialization:
+ dev_create_generic_dirs(initrc_t)
+ dev_rwx_zero(initrc_t)
+ dev_rx_raw_memory(initrc_t)
+ dev_wx_raw_memory(initrc_t)
+ storage_raw_read_fixed_disk(initrc_t)
+ storage_raw_write_fixed_disk(initrc_t)
+
+ files_create_boot_dirs(initrc_t)
+ files_create_boot_flag(initrc_t)
+ files_rw_boot_symlinks(initrc_t)
+ # wants to read /.fonts directory
+ files_read_default_files(initrc_t)
+ files_mountpoint(initrc_tmp_t)
+ # Needs to cp localtime to /var dirs
+ files_write_var_dirs(initrc_t)
+
+ fs_read_tmpfs_symlinks(initrc_t)
+ fs_rw_tmpfs_chr_files(initrc_t)
+
+ storage_manage_fixed_disk(initrc_t)
+ storage_dev_filetrans_fixed_disk(initrc_t)
+ storage_getattr_removable_dev(initrc_t)
+
+ # readahead asks for these
+ auth_dontaudit_read_shadow(initrc_t)
+
+ # init scripts cp /etc/localtime over other directories localtime
+ miscfiles_rw_localization(initrc_t)
+ miscfiles_setattr_localization(initrc_t)
+ miscfiles_relabel_localization(initrc_t)
+
+ miscfiles_read_fonts(initrc_t)
+ miscfiles_read_hwdata(initrc_t)
+
+ optional_policy(`
+ alsa_manage_rw_config(initrc_t)
+ ')
+
+ optional_policy(`
+ bind_manage_config_dirs(initrc_t)
+ bind_write_config(initrc_t)
+ ')
+
+ optional_policy(`
+ #for /etc/rc.d/init.d/nfs to create /etc/exports
+ rpc_write_exports(initrc_t)
+ rpc_manage_nfs_state_data(initrc_t)
+ ')
+
+ optional_policy(`
+ sysnet_rw_dhcp_config(initrc_t)
+ sysnet_manage_config(initrc_t)
+ ')
+
+ optional_policy(`
+ xserver_delete_log(initrc_t)
+ ')
+')
+
+ifdef(`distro_suse',`
+ optional_policy(`
+ # set permissions on /tmp/.X11-unix
+ xserver_setattr_xdm_tmp_dirs(initrc_t)
+ ')
+')
+
+optional_policy(`
+ amavis_search_lib(initrc_t)
+ amavis_setattr_pid_files(initrc_t)
+')
+
+optional_policy(`
+ dev_rw_apm_bios(initrc_t)
+')
+
+optional_policy(`
+ apache_read_config(initrc_t)
+ apache_list_modules(initrc_t)
+')
+
+optional_policy(`
+ asterisk_setattr_logs(initrc_t)
+ asterisk_setattr_pid_files(initrc_t)
+')
+
+optional_policy(`
+ bind_read_config(initrc_t)
+
+ # for chmod in start script
+ bind_setattr_pid_dirs(initrc_t)
+')
+
+optional_policy(`
+ dev_read_usbfs(initrc_t)
+ bluetooth_read_config(initrc_t)
+')
+
+optional_policy(`
+ cgroup_stream_connect_cgred(initrc_t)
+')
+
+optional_policy(`
+ clamav_read_config(initrc_t)
+')
+
+optional_policy(`
+ courier_read_config(initrc_t)
+')
+
+optional_policy(`
+ cpucontrol_stub(initrc_t)
+ dev_getattr_cpu_dev(initrc_t)
+')
+
+optional_policy(`
+ dev_getattr_printer_dev(initrc_t)
+
+ cups_read_log(initrc_t)
+ cups_read_rw_config(initrc_t)
+#cups init script clears error log
+ cups_write_log(initrc_t)
+')
+
+optional_policy(`
+ daemontools_manage_svc(initrc_t)
+')
+
+optional_policy(`
+ dbus_connect_system_bus(initrc_t)
+ dbus_system_bus_client(initrc_t)
+ dbus_read_config(initrc_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(initrc_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(initrc_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(initrc_t)
+ ')
+')
+
+optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
+')
+
+optional_policy(`
+ fail2ban_stream_connect(initrc_t)
+')
+
+optional_policy(`
+ ftp_read_config(initrc_t)
+')
+
+optional_policy(`
+ gpm_setattr_gpmctl(initrc_t)
+')
+
+optional_policy(`
+ hal_write_log(initrc_t)
+')
+
+optional_policy(`
+ dev_read_usbfs(initrc_t)
+
+ # init scripts run /etc/hotplug/usb.rc
+ hotplug_read_config(initrc_t)
+
+ modutils_read_module_deps(initrc_t)
+')
+
+optional_policy(`
+ inn_exec_config(initrc_t)
+')
+
+optional_policy(`
+ ipsec_read_config(initrc_t)
+ ipsec_manage_pid(initrc_t)
+')
+
+optional_policy(`
+ iscsi_stream_connect(initrc_t)
+ iscsi_read_lib_files(initrc_t)
+')
+
+optional_policy(`
+ kerberos_use(initrc_t)
+')
+
+optional_policy(`
+ ldap_read_config(initrc_t)
+ ldap_list_db(initrc_t)
+')
+
+optional_policy(`
+ loadkeys_exec(initrc_t)
+')
+
+optional_policy(`
+ # in emergency/recovery situations use sulogin
+ locallogin_domtrans_sulogin(initrc_t)
+')
+
+optional_policy(`
+ # This is needed to permit chown to read /var/spool/lpd/lp.
+ # This is opens up security more than necessary; this means that ANYTHING
+ # running in the initrc_t domain can read the printer spool directory.
+ # Perhaps executing /etc/rc.d/init.d/lpd should transition
+ # to domain lpd_t, instead of waiting for executing lpd.
+ lpd_list_spool(initrc_t)
+
+ lpd_read_config(initrc_t)
+')
+
+optional_policy(`
+ #allow initrc_t lvm_control_t:chr_file unlink;
+
+ dev_read_lvm_control(initrc_t)
+ dev_create_generic_chr_files(initrc_t)
+
+ lvm_read_config(initrc_t)
+')
+
+optional_policy(`
+ mailman_list_data(initrc_t)
+ mailman_read_data_symlinks(initrc_t)
+')
+
+optional_policy(`
+ mta_read_config(initrc_t)
+ mta_dontaudit_read_spool_symlinks(initrc_t)
+')
+
+optional_policy(`
+ ifdef(`distro_redhat',`
+ mysql_manage_db_dirs(initrc_t)
+ ')
+
+ mysql_stream_connect(initrc_t)
+ mysql_write_log(initrc_t)
+ mysql_read_config(initrc_t)
+')
+
+optional_policy(`
+ nis_list_var_yp(initrc_t)
+')
+
+optional_policy(`
+ openvpn_read_config(initrc_t)
+')
+
+optional_policy(`
+ postgresql_manage_db(initrc_t)
+ postgresql_read_config(initrc_t)
+')
+
+optional_policy(`
+ postfix_list_spool(initrc_t)
+')
+
+optional_policy(`
+ puppet_rw_tmp(initrc_t)
+')
+
+optional_policy(`
+ quota_manage_flags(initrc_t)
+')
+
+optional_policy(`
+ raid_manage_mdadm_pid(initrc_t)
+')
+
+optional_policy(`
+ fs_write_ramfs_sockets(initrc_t)
+ fs_search_ramfs(initrc_t)
+
+ rhgb_rw_stream_sockets(initrc_t)
+ rhgb_stream_connect(initrc_t)
+')
+
+optional_policy(`
+ rpc_read_exports(initrc_t)
+')
+
+optional_policy(`
+ # bash tries to access a block device in the initrd
+ kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t)
+
+ # for a bug in rm
+ files_dontaudit_write_all_pids(initrc_t)
+
+ # bash tries ioctl for some reason
+ files_dontaudit_ioctl_all_pids(initrc_t)
+
+ # why is this needed:
+ rpm_manage_db(initrc_t)
+')
+
+optional_policy(`
+ samba_rw_config(initrc_t)
+ samba_read_winbind_pid(initrc_t)
+')
+
+optional_policy(`
+ # shorewall-init script run /var/lib/shorewall/firewall
+ shorewall_lib_domtrans(initrc_t)
+')
+
+optional_policy(`
+ squid_read_config(initrc_t)
+ squid_manage_logs(initrc_t)
+')
+
+optional_policy(`
+ # allow init scripts to su
+ su_restricted_domain_template(initrc, initrc_t, system_r)
+ # Allow initrc_su_t, now defined, to transition to postgresql_t
+ postgresql_domtrans(initrc_su_t)
+ # Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output)
+ allow initrc_su_t initrc_devpts_t:chr_file { read write };
+')
+
+optional_policy(`
+ ssh_dontaudit_read_server_keys(initrc_t)
+ ssh_setattr_key_files(initrc_t)
+')
+
+optional_policy(`
+ sysnet_read_dhcpc_state(initrc_t)
+')
+
+optional_policy(`
+ udev_dontaudit_getattr_netlink_kobject_uevent_sockets(initrc_t)
+ udev_dontaudit_getattr_unix_stream_sockets(initrc_t)
+ udev_rw_db(initrc_t)
+ udev_manage_pid_files(initrc_t)
+ udev_manage_rules_files(initrc_t)
+')
+
+optional_policy(`
+ uml_setattr_util_sockets(initrc_t)
+')
+
+optional_policy(`
+ virt_stream_connect(initrc_t)
+ virt_manage_svirt_cache(initrc_t)
+')
+
+optional_policy(`
+ unconfined_domain(initrc_t)
+
+ ifdef(`distro_redhat',`
+ # system-config-services causes avc messages that should be dontaudited
+ unconfined_dontaudit_rw_pipes(daemon)
+ ')
+
+ optional_policy(`
+ mono_domtrans(initrc_t)
+ ')
+')
+
+optional_policy(`
+ vmware_read_system_config(initrc_t)
+ vmware_append_system_config(initrc_t)
+')
+
+optional_policy(`
+ miscfiles_manage_fonts(initrc_t)
+
+ # cjp: is this really needed?
+ xfs_read_sockets(initrc_t)
+')
+
+optional_policy(`
+ # Set device ownerships/modes.
+ xserver_setattr_console_pipes(initrc_t)
+
+ # init script wants to check if it needs to update windowmanagerlist
+ xserver_read_xdm_rw_config(initrc_t)
+')
+
+optional_policy(`
+ zebra_read_config(initrc_t)
+')
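Review bot: `allow initrc_t self:capability sys_admin;` in the distro_redhat block (under the kmodule comment) is already covered by `allow initrc_t self:capability ~{ sys_module };` earlier in the initrc_t section, so the line grants nothing new and the comment above it documents a grant that does not depend on it. The same hunk lists `dev_create_generic_dirs(initrc_t)` twice inside the distro_gentoo block and re-calls `logging_send_audit_msgs(initrc_t)` there although it is already granted unconditionally above; dropping the duplicates keeps each capability and device grant in one auditable place. Separately, `manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)` sits under the `# Modify utmp.` comment in the init_t section although its subject is initrc_t; moving it next to `files_pid_filetrans(initrc_t, initrc_var_run_t, { file dir })` keeps each domain's rules together. The trailing `;` on `logging_log_filetrans(initrc_t, initrc_var_log_t, dir);` is inconsistent with every other interface call in the file, which terminate their own rules.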
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
new file mode 100644
index 00000000..fb09b9ee
--- /dev/null
+++ b/policy/modules/system/ipsec.fc
@@ -0,0 +1,46 @@
+/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+
+/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
+
+/etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+
+/etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+
+/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
+
+/usr/lib(64)?/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/lib(64)?/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+
+/usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+
+/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+
+/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
+/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
+
+/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
+
+/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
+
+/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+
+/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
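Review bot: `/etc/ipsec\.d(/.*)?` is labelled ipsec_key_file_t as a whole tree, so any non-key content kept there (for example configuration fragments, if ipsec.conf includes files from that directory) is unreadable by domains granted only ipsec_read_config, which covers ipsec_conf_file_t alone. That is the conservative choice for a directory holding private keys, but the intent is not recorded; a comment such as `# whole tree is treated as key material (certs and private keys live here)` above the entry would make it explicit. The same applies to `/etc/racoon/certs(/.*)?`, which is carved out of the ipsec_conf_file_t tree for the same reason.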
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
new file mode 100644
index 00000000..0d4c8d35
--- /dev/null
+++ b/policy/modules/system/ipsec.if
@@ -0,0 +1,371 @@
+## <summary>TCP/IP encryption</summary>
+
+########################################
+## <summary>
+## Execute ipsec in the ipsec domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipsec_domtrans',`
+ gen_require(`
+ type ipsec_t, ipsec_exec_t;
+ ')
+
+ domtrans_pattern($1, ipsec_exec_t, ipsec_t)
+')
+
+########################################
+## <summary>
+## Connect to IPSEC using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_stream_connect',`
+ gen_require(`
+ type ipsec_t, ipsec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
+')
+
+########################################
+## <summary>
+## Execute ipsec in the ipsec mgmt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_domtrans_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t, ipsec_mgmt_exec_t;
+ ')
+
+ domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
+')
+
+########################################
+## <summary>
+## Connect to racoon using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_stream_connect_racoon',`
+ gen_require(`
+ type racoon_t, ipsec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of an IPSEC key socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_getattr_key_sockets',`
+ gen_require(`
+ type ipsec_t;
+ ')
+
+ allow $1 ipsec_t:key_socket getattr;
+')
+
+########################################
+## <summary>
+## Execute the IPSEC management program in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_exec_mgmt',`
+ gen_require(`
+ type ipsec_exec_t;
+ ')
+
+ can_exec($1, ipsec_exec_t)
+')
+
+########################################
+## <summary>
+## Send ipsec mgmt a general signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`ipsec_signal_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+ ')
+
+ allow $1 ipsec_mgmt_t:process signal;
+')
+
+########################################
+## <summary>
+## Send ipsec mgmt a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`ipsec_signull_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+ ')
+
+ allow $1 ipsec_mgmt_t:process signull;
+')
+
+########################################
+## <summary>
+## Send ipsec mgmt a kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`ipsec_kill_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+ ')
+
+ allow $1 ipsec_mgmt_t:process sigkill;
+')
+
+######################################
+## <summary>
+## Send and receive messages from
+## ipsec-mgmt over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_mgmt_dbus_chat',`
+ gen_require(`
+ type ipsec_mgmt_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ipsec_mgmt_t:dbus send_msg;
+ allow ipsec_mgmt_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read the IPSEC configuration
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ipsec_read_config',`
+ gen_require(`
+ type ipsec_conf_file_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 ipsec_conf_file_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Match the default SPD entry.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_match_default_spd',`
+ gen_require(`
+ type ipsec_spd_t;
+ ')
+
+ allow $1 ipsec_spd_t:association polmatch;
+ allow $1 self:association sendto;
+')
+
+########################################
+## <summary>
+## Set the context of a SPD entry to
+## the default context.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_setcontext_default_spd',`
+ gen_require(`
+ type ipsec_spd_t;
+ ')
+
+ allow $1 ipsec_spd_t:association setcontext;
+')
+
+########################################
+## <summary>
+## write the ipsec_var_run_t files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_write_pid',`
+ gen_require(`
+ type ipsec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the IPSEC pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipsec_manage_pid',`
+ gen_require(`
+ type ipsec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute racoon in the racoon domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipsec_domtrans_racoon',`
+ gen_require(`
+ type racoon_t, racoon_exec_t;
+ ')
+
+ domtrans_pattern($1, racoon_exec_t, racoon_t)
+')
+
+########################################
+## <summary>
+## Execute racoon and allow the specified role the domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ipsec_run_racoon',`
+ gen_require(`
+ type racoon_t;
+ ')
+
+ ipsec_domtrans_racoon($1)
+ role $2 types racoon_t;
+')
+
+########################################
+## <summary>
+## Execute setkey in the setkey domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipsec_domtrans_setkey',`
+ gen_require(`
+ type setkey_t, setkey_exec_t;
+ ')
+
+ domtrans_pattern($1, setkey_exec_t, setkey_t)
+')
+
+########################################
+## <summary>
+## Execute setkey and allow the specified role the domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access..
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ipsec_run_setkey',`
+ gen_require(`
+ type setkey_t;
+ ')
+
+ ipsec_domtrans_setkey($1)
+ role $2 types setkey_t;
+')
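Review bot: `ipsec_exec_mgmt` is documented as executing the IPSEC management program in the caller domain, but its gen_require pulls in `ipsec_exec_t` and the body is `can_exec($1, ipsec_exec_t)`, which is the daemon entry type rather than `ipsec_mgmt_exec_t` as `ipsec_domtrans_mgmt` above uses; either the summary or the type is wrong, and given the interface name the body should presumably be `can_exec($1, ipsec_mgmt_exec_t)` with the require updated to match. The three signal interfaces (`ipsec_signal_mgmt`, `ipsec_signull_mgmt`, `ipsec_kill_mgmt`) each carry a doubled `#` line before the interface keyword, unlike the rest of the file. `ipsec_run_setkey` documents its role parameter as `Role allowed access..` with a doubled period.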
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
new file mode 100644
index 00000000..21b8a8cc
--- /dev/null
+++ b/policy/modules/system/ipsec.te
@@ -0,0 +1,445 @@
+policy_module(ipsec, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow racoon to read shadow
+## </p>
+## </desc>
+gen_tunable(racoon_read_shadow, false)
+
+type ipsec_t;
+type ipsec_exec_t;
+init_daemon_domain(ipsec_t, ipsec_exec_t)
+role system_r types ipsec_t;
+
+# type for ipsec configuration file(s) - not for keys
+type ipsec_conf_file_t;
+files_type(ipsec_conf_file_t)
+
+type ipsec_initrc_exec_t;
+init_script_file(ipsec_initrc_exec_t)
+
+# type for file(s) containing ipsec keys - RSA or preshared
+type ipsec_key_file_t;
+files_type(ipsec_key_file_t)
+
+type ipsec_log_t;
+logging_log_file(ipsec_log_t)
+
+# Default type for IPSEC SPD entries
+type ipsec_spd_t;
+corenet_spd_type(ipsec_spd_t)
+
+type ipsec_tmp_t;
+files_tmp_file(ipsec_tmp_t)
+
+# type for runtime files, including pluto.ctl
+type ipsec_var_run_t;
+files_pid_file(ipsec_var_run_t)
+
+type ipsec_mgmt_t;
+type ipsec_mgmt_exec_t;
+init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
+corecmd_shell_entry_type(ipsec_mgmt_t)
+role system_r types ipsec_mgmt_t;
+
+type ipsec_mgmt_lock_t;
+files_lock_file(ipsec_mgmt_lock_t)
+
+type ipsec_mgmt_var_run_t;
+files_pid_file(ipsec_mgmt_var_run_t)
+
+type racoon_t;
+type racoon_exec_t;
+init_daemon_domain(racoon_t, racoon_exec_t)
+role system_r types racoon_t;
+
+type racoon_tmp_t;
+files_tmp_file(racoon_tmp_t)
+
+type setkey_t;
+type setkey_exec_t;
+init_system_domain(setkey_t, setkey_exec_t)
+role system_r types setkey_t;
+
+########################################
+#
+# ipsec Local policy
+#
+
+allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
+dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
+allow ipsec_t self:process { getcap setcap getsched signal setsched };
+allow ipsec_t self:tcp_socket create_stream_socket_perms;
+allow ipsec_t self:udp_socket create_socket_perms;
+allow ipsec_t self:key_socket create_socket_perms;
+allow ipsec_t self:fifo_file read_fifo_file_perms;
+allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
+
+allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
+
+allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
+read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
+read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
+
+allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
+manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
+read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
+
+manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
+
+manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
+
+can_exec(ipsec_t, ipsec_mgmt_exec_t)
+
+# pluto runs an updown script (by calling popen()!) as this is by default
+# a shell script, we need to find a way to make things work without
+# letting all sorts of stuff possibly be run...
+# so try flipping back into the ipsec_mgmt_t domain
+corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+allow ipsec_mgmt_t ipsec_t:fd use;
+allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
+allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
+
+kernel_read_kernel_sysctls(ipsec_t)
+kernel_list_proc(ipsec_t)
+kernel_read_proc_symlinks(ipsec_t)
+# allow pluto to access /proc/net/ipsec_eroute;
+kernel_read_system_state(ipsec_t)
+kernel_read_network_state(ipsec_t)
+kernel_read_software_raid_state(ipsec_t)
+kernel_request_load_module(ipsec_t)
+kernel_getattr_core_if(ipsec_t)
+kernel_getattr_message_if(ipsec_t)
+
+corecmd_exec_shell(ipsec_t)
+corecmd_exec_bin(ipsec_t)
+
+# Pluto needs network access
+corenet_all_recvfrom_unlabeled(ipsec_t)
+corenet_tcp_sendrecv_all_if(ipsec_t)
+corenet_raw_sendrecv_all_if(ipsec_t)
+corenet_tcp_sendrecv_all_nodes(ipsec_t)
+corenet_raw_sendrecv_all_nodes(ipsec_t)
+corenet_tcp_sendrecv_all_ports(ipsec_t)
+corenet_tcp_bind_all_nodes(ipsec_t)
+corenet_udp_bind_all_nodes(ipsec_t)
+corenet_tcp_bind_reserved_port(ipsec_t)
+corenet_tcp_bind_isakmp_port(ipsec_t)
+corenet_udp_bind_isakmp_port(ipsec_t)
+corenet_udp_bind_ipsecnat_port(ipsec_t)
+corenet_sendrecv_generic_server_packets(ipsec_t)
+corenet_sendrecv_isakmp_server_packets(ipsec_t)
+
+dev_read_sysfs(ipsec_t)
+dev_read_rand(ipsec_t)
+dev_read_urand(ipsec_t)
+
+domain_use_interactive_fds(ipsec_t)
+
+files_list_tmp(ipsec_t)
+files_read_etc_files(ipsec_t)
+files_read_usr_files(ipsec_t)
+files_dontaudit_search_home(ipsec_t)
+
+fs_getattr_all_fs(ipsec_t)
+fs_search_auto_mountpoints(ipsec_t)
+
+term_use_console(ipsec_t)
+term_dontaudit_use_all_ttys(ipsec_t)
+
+auth_use_nsswitch(ipsec_t)
+
+init_use_fds(ipsec_t)
+init_use_script_ptys(ipsec_t)
+
+logging_send_syslog_msg(ipsec_t)
+
+miscfiles_read_localization(ipsec_t)
+
+sysnet_domtrans_ifconfig(ipsec_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
+userdom_dontaudit_search_user_home_dirs(ipsec_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(ipsec_t)
+')
+
+optional_policy(`
+ udev_read_db(ipsec_t)
+')
+
+########################################
+#
+# ipsec_mgmt Local policy
+#
+
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
+allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
+allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
+allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+allow ipsec_mgmt_t self:key_socket create_socket_perms;
+allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+
+allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
+files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
+
+manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
+manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
+files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
+
+manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
+logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+
+allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
+files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
+
+manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+
+allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
+
+# _realsetup needs to be able to cat /var/run/pluto.pid,
+# run ps on that pid, and delete the file
+read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
+read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
+
+# logger, running in ipsec_mgmt_t needs to use sockets
+allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
+allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
+
+allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
+
+manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+
+# whack needs to connect to pluto
+stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
+
+can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
+allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
+
+domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
+
+kernel_rw_net_sysctls(ipsec_mgmt_t)
+# allow pluto to access /proc/net/ipsec_eroute;
+kernel_read_system_state(ipsec_mgmt_t)
+kernel_read_network_state(ipsec_mgmt_t)
+kernel_read_software_raid_state(ipsec_mgmt_t)
+kernel_read_kernel_sysctls(ipsec_mgmt_t)
+kernel_getattr_core_if(ipsec_mgmt_t)
+kernel_getattr_message_if(ipsec_mgmt_t)
+
+files_read_kernel_symbol_table(ipsec_mgmt_t)
+files_getattr_kernel_modules(ipsec_mgmt_t)
+
+# the default updown script wants to run route
+# the ipsec wrapper wants to run /usr/bin/logger (should we put
+# it in its own domain?)
+corecmd_exec_bin(ipsec_mgmt_t)
+corecmd_exec_shell(ipsec_mgmt_t)
+
+dev_read_rand(ipsec_mgmt_t)
+dev_read_urand(ipsec_mgmt_t)
+
+domain_use_interactive_fds(ipsec_mgmt_t)
+# denials when ps tries to search /proc. Do not audit these denials.
+domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
+# suppress audit messages about unnecessary socket access
+# cjp: this seems excessive
+domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
+domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+
+files_read_etc_files(ipsec_mgmt_t)
+files_exec_etc_files(ipsec_mgmt_t)
+files_read_etc_runtime_files(ipsec_mgmt_t)
+files_read_usr_files(ipsec_mgmt_t)
+files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
+files_dontaudit_getattr_default_files(ipsec_mgmt_t)
+files_list_tmp(ipsec_mgmt_t)
+
+fs_getattr_xattr_fs(ipsec_mgmt_t)
+fs_list_tmpfs(ipsec_mgmt_t)
+
+term_use_console(ipsec_mgmt_t)
+term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
+
+auth_dontaudit_read_login_records(ipsec_mgmt_t)
+
+init_read_utmp(ipsec_mgmt_t)
+init_use_script_ptys(ipsec_mgmt_t)
+init_exec_script_files(ipsec_mgmt_t)
+init_use_fds(ipsec_mgmt_t)
+init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+
+logging_send_syslog_msg(ipsec_mgmt_t)
+
+miscfiles_read_localization(ipsec_mgmt_t)
+
+seutil_dontaudit_search_config(ipsec_mgmt_t)
+
+sysnet_manage_config(ipsec_mgmt_t)
+sysnet_domtrans_ifconfig(ipsec_mgmt_t)
+sysnet_etc_filetrans_config(ipsec_mgmt_t)
+
+userdom_use_user_terminals(ipsec_mgmt_t)
+
+optional_policy(`
+ consoletype_exec(ipsec_mgmt_t)
+')
+
+optional_policy(`
+ hostname_exec(ipsec_mgmt_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(ipsec_mgmt_t)
+ dbus_connect_system_bus(ipsec_mgmt_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(ipsec_mgmt_t)
+ ')
+')
+
+optional_policy(`
+ iptables_domtrans(ipsec_mgmt_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(ipsec_mgmt_t)
+')
+
+optional_policy(`
+ nscd_socket_use(ipsec_mgmt_t)
+')
+
+########################################
+#
+# Racoon local policy
+#
+
+allow racoon_t self:capability { net_admin net_bind_service };
+allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
+allow racoon_t self:unix_dgram_socket { connect create ioctl write };
+allow racoon_t self:netlink_selinux_socket { bind create read };
+allow racoon_t self:udp_socket create_socket_perms;
+allow racoon_t self:key_socket create_socket_perms;
+allow racoon_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
+manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
+files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
+
+can_exec(racoon_t, racoon_exec_t)
+
+can_exec(racoon_t, setkey_exec_t)
+
+# manage pid file
+manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(racoon_t, ipsec_var_run_t, file)
+
+allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
+read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
+read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
+
+allow racoon_t ipsec_key_file_t:dir list_dir_perms;
+read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
+read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
+
+kernel_read_system_state(racoon_t)
+kernel_read_network_state(racoon_t)
+kernel_request_load_module(racoon_t)
+
+corecmd_exec_shell(racoon_t)
+corecmd_exec_bin(racoon_t)
+
+corenet_all_recvfrom_unlabeled(racoon_t)
+corenet_tcp_sendrecv_all_if(racoon_t)
+corenet_udp_sendrecv_all_if(racoon_t)
+corenet_tcp_sendrecv_all_nodes(racoon_t)
+corenet_udp_sendrecv_all_nodes(racoon_t)
+corenet_tcp_bind_all_nodes(racoon_t)
+corenet_udp_bind_all_nodes(racoon_t)
+corenet_udp_bind_isakmp_port(racoon_t)
+corenet_udp_bind_ipsecnat_port(racoon_t)
+
+dev_read_urand(racoon_t)
+
+# allow racoon to set contexts on ipsec policy and SAs
+domain_ipsec_setcontext_all_domains(racoon_t)
+
+files_read_etc_files(racoon_t)
+
+fs_dontaudit_getattr_xattr_fs(racoon_t)
+
+# allow racoon to use avc_has_perm to check context on proposed SA
+selinux_compute_access_vector(racoon_t)
+
+auth_use_nsswitch(racoon_t)
+
+ipsec_setcontext_default_spd(racoon_t)
+
+locallogin_use_fds(racoon_t)
+
+logging_send_syslog_msg(racoon_t)
+logging_send_audit_msgs(racoon_t)
+
+miscfiles_read_localization(racoon_t)
+
+sysnet_exec_ifconfig(racoon_t)
+
+auth_can_read_shadow_passwords(racoon_t)
+tunable_policy(`racoon_read_shadow',`
+ auth_tunable_read_shadow(racoon_t)
+')
+
+########################################
+#
+# Setkey local policy
+#
+
+allow setkey_t self:capability net_admin;
+allow setkey_t self:key_socket create_socket_perms;
+allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
+
+allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
+read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
+read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
+
+kernel_request_load_module(setkey_t)
+
+# allow setkey utility to set contexts on SA's and policy
+domain_ipsec_setcontext_all_domains(setkey_t)
+
+files_read_etc_files(setkey_t)
+
+init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
+
+# allow setkey to set the context for ipsec SAs and policy.
+corenet_setcontext_all_spds(setkey_t)
+
+locallogin_use_fds(setkey_t)
+
+miscfiles_read_localization(setkey_t)
+
+seutil_read_config(setkey_t)
+
+userdom_use_user_terminals(setkey_t)
+
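Review bot: The comment above the corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) line presents the updown-script transition as a way to avoid "letting all sorts of stuff possibly be run", but the ipsec_mgmt local policy below hands that domain a wider surface than pluto's own: dac_override and net_admin on the self:capability line, manage on ipsec_key_file_t, corecmd_exec_bin/corecmd_exec_shell, files_exec_etc_files, sysnet_manage_config/sysnet_etc_filetrans_config, and the optional iptables_domtrans and modutils_domtrans_insmod. Anything pluto popen()s therefore runs with the full management-tool privilege, and the comment should say so instead of implying containment, e.g. `# NOTE: ipsec_mgmt_t is the full admin-tool domain (key files, sysnet config, iptables, insmod); the updown hook inherits all of it -- this only keeps pluto's own domain narrower.` Separately, ipsec_t binds the isakmp and ipsecnat UDP ports but only receives tcp/raw sendrecv interfaces, whereas racoon_t in the same file also gets corenet_udp_sendrecv_all_if and corenet_udp_sendrecv_all_nodes; if this policy targets kernels that still enforce netif/node udp_send/udp_recv, pluto's IKE traffic would be denied, so confirm or add `corenet_udp_sendrecv_all_if(ipsec_t)` and `corenet_udp_sendrecv_all_nodes(ipsec_t)`.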
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
new file mode 100644
index 00000000..14cffd28
--- /dev/null
+++ b/policy/modules/system/iptables.fc
@@ -0,0 +1,20 @@
+/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+
+/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
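Review bot: The /usr/sbin entries at the end of the hunk are not symmetric with the /sbin ones: `/sbin/ip6?tables` and `/sbin/ip6?tables-restore` match ip6tables, but `/usr/sbin/iptables` and `/usr/sbin/iptables-restore` do not, so /usr/sbin/ip6tables and /usr/sbin/ip6tables-restore keep whatever generic label /usr/sbin carries and run in the caller's domain instead of transitioning to iptables_t. Change them to `/usr/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)` and `/usr/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)`. The same gap presumably applies to ebtables, ipvsadm and xtables-multi, which only have /sbin entries here; on a merged-/usr layout those binaries would be mislabeled too, so mirroring the /sbin set under /usr/sbin (or a `(/usr)?/sbin/` prefix) is worth confirming against the target distributions.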
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
new file mode 100644
index 00000000..c42fbc32
--- /dev/null
+++ b/policy/modules/system/iptables.if
@@ -0,0 +1,165 @@
+## <summary>Policy for iptables.</summary>
+
+########################################
+## <summary>
+## Execute iptables in the iptables domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`iptables_domtrans',`
+ gen_require(`
+ type iptables_t, iptables_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, iptables_exec_t, iptables_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit iptables_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute iptables in the iptables domain, and
+## allow the specified role the iptables domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`iptables_run',`
+ gen_require(`
+ attribute_role iptables_roles;
+ ')
+
+ iptables_domtrans($1)
+ roleattribute $2 iptables_roles;
+')
+
+########################################
+## <summary>
+## Execute iptables in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iptables_exec',`
+ gen_require(`
+ type iptables_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, iptables_exec_t)
+')
+
+#####################################
+## <summary>
+## Execute iptables in the iptables domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`iptables_initrc_domtrans',`
+ gen_require(`
+ type iptables_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, iptables_initrc_exec_t)
+')
+
+#####################################
+## <summary>
+## Set the attributes of iptables config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iptables_setattr_config',`
+ gen_require(`
+ type iptables_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 iptables_conf_t:file setattr;
+')
+
+#####################################
+## <summary>
+## Read iptables config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iptables_read_config',`
+ gen_require(`
+ type iptables_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 iptables_conf_t:dir list_dir_perms;
+ read_files_pattern($1, iptables_conf_t, iptables_conf_t)
+')
+
+#####################################
+## <summary>
+## Create files in /etc with the type used for
+## the iptables config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iptables_etc_filetrans_config',`
+ gen_require(`
+ type iptables_conf_t;
+ ')
+
+ files_etc_filetrans($1, iptables_conf_t, file)
+')
+
+###################################
+## <summary>
+## Manage iptables config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iptables_manage_config',`
+ gen_require(`
+ type iptables_conf_t;
+ type etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
+')
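Review bot: iptables_manage_config's gen_require declares `type etc_t;` but the interface body never references it; files_search_etc($1) already covers the /etc search, so the extra require only adds a needless dependency and is inconsistent with the sibling iptables_read_config and iptables_setattr_config requires. Drop that line so the require block is just `type iptables_conf_t;`. Also, the summary on iptables_initrc_domtrans reads "Execute iptables in the iptables domain", which duplicates iptables_domtrans and does not describe what init_labeled_script_domtrans does; it should read `## Execute the iptables init script in the init script domain.`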
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
new file mode 100644
index 00000000..0646ee7f
--- /dev/null
+++ b/policy/modules/system/iptables.te
@@ -0,0 +1,145 @@
+policy_module(iptables, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role iptables_roles;
+roleattribute system_r iptables_roles;
+
+type iptables_t;
+type iptables_exec_t;
+init_system_domain(iptables_t, iptables_exec_t)
+role iptables_roles types iptables_t;
+
+type iptables_initrc_exec_t;
+init_script_file(iptables_initrc_exec_t)
+
+type iptables_conf_t;
+files_config_file(iptables_conf_t)
+
+type iptables_tmp_t;
+files_tmp_file(iptables_tmp_t)
+
+type iptables_var_run_t;
+files_pid_file(iptables_var_run_t)
+
+########################################
+#
+# Iptables local policy
+#
+
+allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
+dontaudit iptables_t self:capability sys_tty_config;
+allow iptables_t self:fifo_file rw_fifo_file_perms;
+allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+allow iptables_t self:netlink_socket create_socket_perms;
+allow iptables_t self:rawip_socket create_socket_perms;
+
+manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
+files_etc_filetrans(iptables_t, iptables_conf_t, file)
+
+manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
+files_pid_filetrans(iptables_t, iptables_var_run_t, file)
+
+can_exec(iptables_t, iptables_exec_t)
+
+allow iptables_t iptables_tmp_t:dir manage_dir_perms;
+allow iptables_t iptables_tmp_t:file manage_file_perms;
+files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
+
+kernel_request_load_module(iptables_t)
+kernel_read_system_state(iptables_t)
+kernel_read_network_state(iptables_t)
+kernel_read_kernel_sysctls(iptables_t)
+kernel_read_modprobe_sysctls(iptables_t)
+kernel_use_fds(iptables_t)
+
+# needed by ipvsadm
+corecmd_exec_bin(iptables_t)
+corecmd_exec_shell(iptables_t)
+
+corenet_relabelto_all_packets(iptables_t)
+corenet_dontaudit_rw_tun_tap_dev(iptables_t)
+
+dev_read_sysfs(iptables_t)
+
+fs_getattr_xattr_fs(iptables_t)
+fs_search_auto_mountpoints(iptables_t)
+fs_list_inotifyfs(iptables_t)
+
+mls_file_read_all_levels(iptables_t)
+
+term_dontaudit_use_console(iptables_t)
+
+domain_use_interactive_fds(iptables_t)
+
+files_read_etc_files(iptables_t)
+files_read_etc_runtime_files(iptables_t)
+
+auth_use_nsswitch(iptables_t)
+
+init_use_fds(iptables_t)
+init_use_script_ptys(iptables_t)
+# to allow rules to be saved on reboot:
+init_rw_script_tmp_files(iptables_t)
+init_rw_script_stream_sockets(iptables_t)
+
+logging_send_syslog_msg(iptables_t)
+
+miscfiles_read_localization(iptables_t)
+
+sysnet_run_ifconfig(iptables_t, iptables_roles)
+sysnet_dns_name_resolve(iptables_t)
+
+userdom_use_user_terminals(iptables_t)
+userdom_use_all_users_fds(iptables_t)
+
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_write_mtrr(iptables_t)
+')
+
+optional_policy(`
+ fail2ban_append_log(iptables_t)
+')
+
+optional_policy(`
+ firstboot_use_fds(iptables_t)
+ firstboot_rw_pipes(iptables_t)
+')
+
+optional_policy(`
+ modutils_run_insmod(iptables_t, iptables_roles)
+')
+
+optional_policy(`
+ # for iptables -L
+ nis_use_ypbind(iptables_t)
+')
+
+optional_policy(`
+ ppp_dontaudit_use_fds(iptables_t)
+')
+
+optional_policy(`
+ psad_rw_tmp_files(iptables_t)
+')
+
+optional_policy(`
+ rhgb_dontaudit_use_ptys(iptables_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(iptables_t)
+')
+
+optional_policy(`
+ shorewall_read_tmp_files(iptables_t)
+ shorewall_rw_lib_files(iptables_t)
+ shorewall_read_config(iptables_t)
+')
+
+optional_policy(`
+ udev_read_db(iptables_t)
+')
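Review bot: `mls_file_read_all_levels(iptables_t)` is an MLS override with no comment saying which operation needs it; in an MLS policy it lets iptables_t read files at every sensitivity level, and because iptables_t also gets corecmd_exec_bin/corecmd_exec_shell (for ipvsadm) any helper it runs inherits that override. Add a why-comment such as `# MLS override: read saved rule sets/config at any level -- TODO confirm which caller (iptables-restore? ipvsadm-restore?) actually requires this` so a later maintainer can judge whether it can be narrowed. As a smaller style point, the iptables_tmp_t rules use raw `allow ... :dir manage_dir_perms` / `:file manage_file_perms` lines while the conf and var_run rules in the same hunk use manage_files_pattern; `manage_dirs_pattern(iptables_t, iptables_tmp_t, iptables_tmp_t)` and `manage_files_pattern(iptables_t, iptables_tmp_t, iptables_tmp_t)` would keep the module consistent.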
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
new file mode 100644
index 00000000..560dc481
--- /dev/null
+++ b/policy/modules/system/libraries.fc
@@ -0,0 +1,328 @@
+#
+# /emul
+#
+ifdef(`distro_debian',`
+/emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/emul/linux/x86/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/emul/linux/x86/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/emul/linux/x86/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+')
+
+ifdef(`distro_redhat',`
+/emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/usr(/.*)?/java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+')
+
+#
+# /etc
+#
+/etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0)
+/etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0)
+
+/etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0)
+
+#
+# /lib(64)?
+#
+/lib -d gen_context(system_u:object_r:lib_t,s0)
+/lib/.* gen_context(system_u:object_r:lib_t,s0)
+/lib64 -d gen_context(system_u:object_r:lib_t,s0)
+/lib64/.* gen_context(system_u:object_r:lib_t,s0)
+/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+/lib64/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+
+/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/lib64/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ifdef(`distro_debian',`
+/lib32 -l gen_context(system_u:object_r:lib_t,s0)
+/lib64 -l gen_context(system_u:object_r:lib_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/lib -l gen_context(system_u:object_r:lib_t,s0)
+/lib32 -d gen_context(system_u:object_r:lib_t,s0)
+/lib32/.* gen_context(system_u:object_r:lib_t,s0)
+/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+')
+
+#
+# /opt
+#
+/opt/.*\.so gen_context(system_u:object_r:lib_t,s0)
+/opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+
+/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+# despite the extensions, they are actually libs
+/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
+
+/opt/Komodo-Edit-5/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ifdef(`distro_gentoo',`
+# despite the extensions, they are actually libs
+/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
+/opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:lib_t,s0)
+/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
+
+/opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/mozilla(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
+')
+
+ifdef(`distro_redhat',`
+/opt/Adobe.*/libcurl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
+/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/ibm/java.*/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+')
+
+#
+# /sbin
+#
+/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
+
+#
+# /usr
+#
+/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0)
+
+/usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
+
+/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+
+/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ifdef(`distro_debian',`
+/usr/lib32 -l gen_context(system_u:object_r:lib_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/usr/lib -l gen_context(system_u:object_r:lib_t,s0)
+')
+
+ifdef(`distro_redhat',`
+/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:lib_t,s0)
+
+# The following are libraries with text relocations in need of execmod permissions
+# Some of them should be fixed and removed from this list
+
+# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
+# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
+HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/X11R6/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/valgrind/vg.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libicudata\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libsts645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libwrp645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libswd680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/librecentfile\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+# Fedora Extras packages: ladspa, imlib2, ocaml
+/usr/lib(64)?/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/bandpass_iir_1892\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/butterworth_1902\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/fm_osc_1415\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/gsm_1215\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/gverb_1216\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/hermes_filter_1200\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/highpass_iir_1890\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/lowpass_iir_1891\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/notch_iir_1894\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/pitch_scale_1193\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/pitch_scale_1194\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/sc1_1425\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/sc2_1426\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/sane/libsane-epkowa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
+/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+# Jai, Sun Microsystems (Jpackage SPRM)
+/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libdvdcss\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+# vmware
+/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/lib(/.*)?/libvmware-gksu.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+# Java, Sun Microsystems (JPackage SRPM)
+/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/acroread/(.*/)?sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/acroread/(.*/)?nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
+/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
+') dnl end distro_redhat
+
+#
+# /var
+#
+/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
+
+/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+
+/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+
+/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
+')
+
+/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
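Review bot: The two `sidecars/*` regexes, `/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/*` and `/usr/lib/acroread/(.*/)?sidecars/*`, match the path `sidecars` followed by zero or more slashes rather than the files beneath it, so combined with the `--` file-only qualifier they can only ever label a regular file literally named `sidecars` and the sidecar objects fall through to whichever broader entry matches. The intended form is presumably `/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` and `/usr/lib/acroread/(.*/)?sidecars/.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The `(/.*?)` group in `/opt/Adobe(/.*?)/nppdf\.so` also looks like a typo for `(/.*)?`: as written the group is mandatory and `*?` is not a portable ERE construct, which differs from every other optional-path group in this file. The unescaped dots in `libqfaservices.so` and `plugins/nppdf.so` under the distro_redhat block are harmless but inconsistent with the escaped `\.so` used elsewhere.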
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
new file mode 100644
index 00000000..808ba93e
--- /dev/null
+++ b/policy/modules/system/libraries.if
@@ -0,0 +1,536 @@
+## <summary>Policy for system libraries.</summary>
+
+########################################
+## <summary>
+## Execute ldconfig in the ldconfig domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`libs_domtrans_ldconfig',`
+ gen_require(`
+ type ldconfig_t, ldconfig_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ldconfig_exec_t, ldconfig_t)
+')
+
+########################################
+## <summary>
+## Execute ldconfig in the ldconfig domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the ldconfig domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`libs_run_ldconfig',`
+ gen_require(`
+ type ldconfig_t;
+ ')
+
+ libs_domtrans_ldconfig($1)
+ role $2 types ldconfig_t;
+')
+
+########################################
+## <summary>
+## Execute ldconfig in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`libs_exec_ldconfig',`
+ gen_require(`
+ type ldconfig_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ldconfig_exec_t)
+')
+
+########################################
+## <summary>
+## Use the dynamic link/loader for automatic loading
+## of shared libraries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`libs_use_ld_so',`
+ gen_require(`
+ type lib_t, ld_so_t, ld_so_cache_t;
+ ')
+
+ files_list_etc($1)
+ allow $1 lib_t:dir list_dir_perms;
+
+ read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
+ mmap_files_pattern($1, lib_t, ld_so_t)
+
+ allow $1 ld_so_cache_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Use the dynamic link/loader for automatic loading
+## of shared libraries with legacy support.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`libs_legacy_use_ld_so',`
+ gen_require(`
+ type ld_so_t, ld_so_cache_t;
+ ')
+
+ libs_use_ld_so($1)
+ allow $1 ld_so_t:file execmod;
+ allow $1 ld_so_cache_t:file execute;
+')
+
+########################################
+## <summary>
+## Execute the dynamic link/loader in the caller's domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`libs_exec_ld_so',`
+ gen_require(`
+ type lib_t, ld_so_t;
+ ')
+
+ allow $1 lib_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
+ exec_files_pattern($1, lib_t, ld_so_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the
+## dynamic link/loader.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_manage_ld_so',`
+ gen_require(`
+ type lib_t, ld_so_t;
+ ')
+
+ manage_files_pattern($1, lib_t, ld_so_t)
+')
+
+########################################
+## <summary>
+## Relabel to and from the type used for
+## the dynamic link/loader.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_relabel_ld_so',`
+ gen_require(`
+ type lib_t, ld_so_t;
+ ')
+
+ relabel_files_pattern($1, lib_t, ld_so_t)
+')
+
+########################################
+## <summary>
+## Modify the dynamic link/loader's cached listing
+## of shared libraries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`libs_rw_ld_so_cache',`
+ gen_require(`
+ type ld_so_cache_t;
+ ')
+
+ files_list_etc($1)
+ allow $1 ld_so_cache_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Search library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`libs_search_lib',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ allow $1 lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write to library directories.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to write to library directories.
+## Typically this is used to quiet attempts to recompile
+## python byte code.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`libs_dontaudit_write_lib_dirs',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ dontaudit $1 lib_t:dir write;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`libs_manage_lib_dirs',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ allow $1 lib_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## dontaudit attempts to setattr on library files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`libs_dontaudit_setattr_lib_files',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ dontaudit $1 lib_t:file setattr;
+')
+
+########################################
+## <summary>
+## Read files in the library directories, such
+## as static libraries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`libs_read_lib_files',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ files_list_usr($1)
+ list_dirs_pattern($1, lib_t, lib_t)
+ read_files_pattern($1, lib_t, lib_t)
+ read_lnk_files_pattern($1, lib_t, lib_t)
+')
+
+########################################
+## <summary>
+## Execute library scripts in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`libs_exec_lib_files',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 lib_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, lib_t, lib_t)
+ exec_files_pattern($1, lib_t, lib_t)
+')
+
+########################################
+## <summary>
+## Load and execute functions from generic
+## lib files as shared libraries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`libs_use_lib_files',`
+ refpolicywarn(`$0($*) has been deprecated, use libs_use_shared_libs() instead.')
+ libs_use_shared_libs($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete generic
+## files in library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_manage_lib_files',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ manage_files_pattern($1, lib_t, lib_t)
+')
+
+########################################
+## <summary>
+## Relabel files to the type used in library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`libs_relabelto_lib_files',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ relabelto_files_pattern($1, lib_t, lib_t)
+')
+
+########################################
+## <summary>
+## Relabel to and from the type used
+## for generic lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_relabel_lib_files',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ relabel_files_pattern($1, lib_t, lib_t)
+')
+
+########################################
+## <summary>
+## Delete generic symlinks in library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_delete_lib_symlinks',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ delete_lnk_files_pattern($1, lib_t, lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete shared libraries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_manage_shared_libs',`
+ gen_require(`
+ type lib_t, textrel_shlib_t;
+ ')
+
+ manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+')
+
+########################################
+## <summary>
+## Load and execute functions from shared libraries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`libs_use_shared_libs',`
+ gen_require(`
+ type lib_t, textrel_shlib_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 lib_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+ mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+ allow $1 textrel_shlib_t:file execmod;
+')
+
+########################################
+## <summary>
+## Load and execute functions from shared libraries,
+## with legacy support.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`libs_legacy_use_shared_libs',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ libs_use_shared_libs($1)
+ allow $1 lib_t:file execmod;
+')
+
+########################################
+## <summary>
+## Relabel to and from the type used for
+## shared libraries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_relabel_shared_libs',`
+ gen_require(`
+ type lib_t, textrel_shlib_t;
+ ')
+
+ relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+')
+
+########################################
+## <summary>
+## Create an object in lib directories, with
+## the shared libraries type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`lib_filetrans_shared_lib',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Create an object in lib directories, with
+## the shared libraries type using a type transition. (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Create an object in lib directories, with
+## the shared libraries type using a type transition. (Deprecated)
+## </p>
+## <p>
+## lib_filetrans_shared_lib() should be used instead.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`files_lib_filetrans_shared_lib',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
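Review bot: `libs_legacy_use_shared_libs` grants `allow $1 lib_t:file execmod;` on every lib_t file, which gives up the distinction that `libs_use_shared_libs` keeps by limiting execmod to textrel_shlib_t, yet its summary says only "with legacy support"; `libs_legacy_use_ld_so` similarly adds `ld_so_t:file execmod` and `ld_so_cache_t:file execute` without saying so. A caller reading the generated XML cannot tell that these are the wider grants, so each summary should state it, e.g. `## Grants execmod on all lib_t files rather than only textrel_shlib_t; prefer labelling the specific library textrel_shlib_t and calling libs_use_shared_libs().` Separately, the description of `files_lib_filetrans_shared_lib` tells callers that `lib_filetrans_shared_lib()` should be used instead, but that interface is itself reduced to a `refpolicywarn` deprecation stub earlier in this same hunk, so the pointer should be removed or replaced with a note that no replacement interface exists.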
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
new file mode 100644
index 00000000..50332d34
--- /dev/null
+++ b/policy/modules/system/libraries.te
@@ -0,0 +1,150 @@
+policy_module(libraries, 2.8.0)
+
+########################################
+#
+# Declarations
+#
+
+#
+# ld_so_cache_t is the type of /etc/ld.so.cache.
+#
+type ld_so_cache_t;
+files_type(ld_so_cache_t)
+
+#
+# ld_so_t is the type of the system dynamic loaders.
+#
+type ld_so_t;
+files_type(ld_so_t)
+
+type ldconfig_t;
+type ldconfig_exec_t;
+init_system_domain(ldconfig_t, ldconfig_exec_t)
+role system_r types ldconfig_t;
+
+type ldconfig_cache_t;
+files_type(ldconfig_cache_t)
+
+type ldconfig_tmp_t;
+files_tmp_file(ldconfig_tmp_t)
+
+#
+# lib_t is the type of files in the system lib directories.
+#
+type lib_t alias shlib_t;
+files_type(lib_t)
+
+#
+# textrel_shlib_t is the type of shared objects in the system lib
+# directories, which require text relocation.
+#
+type textrel_shlib_t alias texrel_shlib_t;
+files_type(textrel_shlib_t)
+
+ifdef(`distro_gentoo',`
+ # openrc unfortunately mounts a tmpfs
+ # at /lib/rc/
+ files_mountpoint(lib_t)
+')
+
+optional_policy(`
+ postgresql_loadable_module(lib_t)
+ postgresql_loadable_module(textrel_shlib_t)
+')
+
+########################################
+#
+# ldconfig local policy
+#
+
+allow ldconfig_t self:capability { dac_override sys_chroot };
+
+manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
+
+allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
+
+manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
+manage_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
+manage_lnk_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
+files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
+
+manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t)
+
+kernel_read_system_state(ldconfig_t)
+
+fs_getattr_xattr_fs(ldconfig_t)
+
+corecmd_search_bin(ldconfig_t)
+
+domain_use_interactive_fds(ldconfig_t)
+
+files_search_var_lib(ldconfig_t)
+files_read_etc_files(ldconfig_t)
+files_read_usr_files(ldconfig_t)
+files_search_tmp(ldconfig_t)
+files_search_usr(ldconfig_t)
+# for when /etc/ld.so.cache is mislabeled:
+files_delete_etc_files(ldconfig_t)
+
+init_use_script_ptys(ldconfig_t)
+init_read_script_tmp_files(ldconfig_t)
+
+miscfiles_read_localization(ldconfig_t)
+
+logging_send_syslog_msg(ldconfig_t)
+
+userdom_use_user_terminals(ldconfig_t)
+userdom_use_all_users_fds(ldconfig_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(ldconfig_t)
+ ')
+')
+
+ifdef(`hide_broken_symptoms',`
+ ifdef(`distro_gentoo',`
+ # leaked fds from portage
+ files_dontaudit_rw_var_files(ldconfig_t)
+
+ optional_policy(`
+ portage_dontaudit_search_tmp(ldconfig_t)
+ portage_dontaudit_rw_tmp_files(ldconfig_t)
+ ')
+ ')
+
+ optional_policy(`
+ unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
+ ')
+')
+
+optional_policy(`
+ # dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
+ apache_dontaudit_search_modules(ldconfig_t)
+')
+
+optional_policy(`
+ apt_rw_pipes(ldconfig_t)
+ apt_use_fds(ldconfig_t)
+ apt_use_ptys(ldconfig_t)
+')
+
+optional_policy(`
+ dracut_manage_tmp_files(ldconfig_t)
+')
+
+optional_policy(`
+ puppet_rw_tmp(ldconfig_t)
+')
+
+optional_policy(`
+ # When you install a kernel the postinstall builds a initrd image in tmp
+ # and executes ldconfig on it. If you dont allow this kernel installs
+ # blow up.
+ rpm_manage_script_tmp_files(ldconfig_t)
+')
+
+optional_policy(`
+ unconfined_domain(ldconfig_t)
+')
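Review bot: The unconditional `optional_policy(` block granting `unconfined_domain(ldconfig_t)` at the end of this file makes the `distro_ubuntu`-gated copy earlier in the hunk dead, and it means ldconfig_t runs unconfined on every build that ships the unconfined module, not only on Ubuntu. If the broad grant is intended, a comment stating why (the `rpm_manage_script_tmp_files` block shows the kind of justification that helps) would stop a reader from assuming the Ubuntu block is the only one; otherwise dropping the unconditional block and keeping the distro-specific one is the smaller change. The `files_delete_etc_files(ldconfig_t)` grant is also presumably wider than its comment suggests, covering any etc_t file rather than just a mislabelled /etc/ld.so.cache, so a note that this is accepted, e.g. `# broad: allows deleting any etc_t file, needed only to replace a mislabeled ld.so.cache`, would help.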
diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
new file mode 100644
index 00000000..be6a81b8
--- /dev/null
+++ b/policy/modules/system/locallogin.fc
@@ -0,0 +1,3 @@
+
+/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
new file mode 100644
index 00000000..0e3c2a97
--- /dev/null
+++ b/policy/modules/system/locallogin.if
@@ -0,0 +1,131 @@
+## <summary>Policy for local logins.</summary>
+
+########################################
+## <summary>
+## Execute local logins in the local login domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`locallogin_domtrans',`
+ gen_require(`
+ type local_login_t;
+ ')
+
+ auth_domtrans_login_program($1, local_login_t)
+
+ ifdef(`enable_mcs',`
+ auth_ranged_domtrans_login_program($1, local_login_t, s0 - mcs_systemhigh)
+ ')
+')
+
+########################################
+## <summary>
+## Allow processes to inherit local login file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`locallogin_use_fds',`
+ gen_require(`
+ type local_login_t;
+ ')
+
+ allow $1 local_login_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit local login file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`locallogin_dontaudit_use_fds',`
+ gen_require(`
+ type local_login_t;
+ ')
+
+ dontaudit $1 local_login_t:fd use;
+')
+
+########################################
+## <summary>
+## Send a null signal to local login processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`locallogin_signull',`
+ gen_require(`
+ type local_login_t;
+ ')
+
+ allow $1 local_login_t:process signull;
+')
+
+########################################
+## <summary>
+## Search for key.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`locallogin_search_keys',`
+ gen_require(`
+ type local_login_t;
+ ')
+
+ allow $1 local_login_t:key search;
+')
+
+########################################
+## <summary>
+## Allow link to the local_login key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`locallogin_link_keys',`
+ gen_require(`
+ type local_login_t;
+ ')
+
+ allow $1 local_login_t:key link;
+')
+
+########################################
+## <summary>
+## Execute local logins in the local login domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`locallogin_domtrans_sulogin',`
+ gen_require(`
+ type sulogin_exec_t, sulogin_t;
+ ')
+
+ domtrans_pattern($1, sulogin_exec_t, sulogin_t)
+')
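Review bot: The summary of `locallogin_domtrans_sulogin` at the end of the hunk repeats the one from `locallogin_domtrans` ("Execute local logins in the local login domain."), which is wrong for this interface; it should read `## Execute sulogin in the sulogin domain.`. The other domtrans-style interfaces in this commit (for example `logging_domtrans_klog`) also call `corecmd_search_bin($1)` before `domtrans_pattern`; if callers here cannot be assumed to already search the bin directories, it is worth adding that line for consistency.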
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
new file mode 100644
index 00000000..9fd5be7b
--- /dev/null
+++ b/policy/modules/system/locallogin.te
@@ -0,0 +1,266 @@
+policy_module(locallogin, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type local_login_t;
+domain_interactive_fd(local_login_t)
+auth_login_pgm_domain(local_login_t)
+auth_login_entry_type(local_login_t)
+
+type local_login_lock_t;
+files_lock_file(local_login_lock_t)
+
+type local_login_tmp_t;
+files_tmp_file(local_login_tmp_t)
+files_poly_parent(local_login_tmp_t)
+
+type sulogin_t;
+type sulogin_exec_t;
+domain_obj_id_change_exemption(sulogin_t)
+domain_subj_id_change_exemption(sulogin_t)
+domain_role_change_exemption(sulogin_t)
+domain_interactive_fd(sulogin_t)
+init_domain(sulogin_t, sulogin_exec_t)
+init_system_domain(sulogin_t, sulogin_exec_t)
+role system_r types sulogin_t;
+
+########################################
+#
+# Local login local policy
+#
+
+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow local_login_t self:process { setrlimit setexec };
+allow local_login_t self:fd use;
+allow local_login_t self:fifo_file rw_fifo_file_perms;
+allow local_login_t self:sock_file read_sock_file_perms;
+allow local_login_t self:unix_dgram_socket create_socket_perms;
+allow local_login_t self:unix_stream_socket create_stream_socket_perms;
+allow local_login_t self:unix_dgram_socket sendto;
+allow local_login_t self:unix_stream_socket connectto;
+allow local_login_t self:shm create_shm_perms;
+allow local_login_t self:sem create_sem_perms;
+allow local_login_t self:msgq create_msgq_perms;
+allow local_login_t self:msg { send receive };
+allow local_login_t self:key { search write link };
+
+allow local_login_t local_login_lock_t:file manage_file_perms;
+files_lock_filetrans(local_login_t, local_login_lock_t, file)
+
+allow local_login_t local_login_tmp_t:dir manage_dir_perms;
+allow local_login_t local_login_tmp_t:file manage_file_perms;
+files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
+
+kernel_read_system_state(local_login_t)
+kernel_read_kernel_sysctls(local_login_t)
+kernel_search_key(local_login_t)
+kernel_link_key(local_login_t)
+
+corecmd_list_bin(local_login_t)
+corecmd_read_bin_symlinks(local_login_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(local_login_t)
+corecmd_read_bin_pipes(local_login_t)
+corecmd_read_bin_sockets(local_login_t)
+
+dev_setattr_mouse_dev(local_login_t)
+dev_getattr_mouse_dev(local_login_t)
+dev_getattr_power_mgmt_dev(local_login_t)
+dev_setattr_power_mgmt_dev(local_login_t)
+dev_getattr_sound_dev(local_login_t)
+dev_setattr_sound_dev(local_login_t)
+dev_dontaudit_getattr_apm_bios_dev(local_login_t)
+dev_dontaudit_setattr_apm_bios_dev(local_login_t)
+dev_dontaudit_read_framebuffer(local_login_t)
+dev_dontaudit_setattr_framebuffer_dev(local_login_t)
+dev_dontaudit_getattr_generic_blk_files(local_login_t)
+dev_dontaudit_setattr_generic_blk_files(local_login_t)
+dev_dontaudit_getattr_generic_chr_files(local_login_t)
+dev_dontaudit_setattr_generic_chr_files(local_login_t)
+dev_dontaudit_setattr_generic_symlinks(local_login_t)
+dev_dontaudit_getattr_misc_dev(local_login_t)
+dev_dontaudit_setattr_misc_dev(local_login_t)
+dev_dontaudit_getattr_scanner_dev(local_login_t)
+dev_dontaudit_setattr_scanner_dev(local_login_t)
+dev_dontaudit_search_sysfs(local_login_t)
+dev_dontaudit_getattr_video_dev(local_login_t)
+dev_dontaudit_setattr_video_dev(local_login_t)
+
+domain_read_all_entry_files(local_login_t)
+
+files_read_etc_files(local_login_t)
+files_read_etc_runtime_files(local_login_t)
+files_read_usr_files(local_login_t)
+files_list_mnt(local_login_t)
+files_list_world_readable(local_login_t)
+files_read_world_readable_files(local_login_t)
+files_read_world_readable_symlinks(local_login_t)
+files_read_world_readable_pipes(local_login_t)
+files_read_world_readable_sockets(local_login_t)
+# for when /var/mail is a symlink
+files_read_var_symlinks(local_login_t)
+
+fs_search_auto_mountpoints(local_login_t)
+
+storage_dontaudit_getattr_fixed_disk_dev(local_login_t)
+storage_dontaudit_setattr_fixed_disk_dev(local_login_t)
+storage_dontaudit_getattr_removable_dev(local_login_t)
+storage_dontaudit_setattr_removable_dev(local_login_t)
+
+term_use_all_ttys(local_login_t)
+term_use_unallocated_ttys(local_login_t)
+term_relabel_unallocated_ttys(local_login_t)
+term_relabel_all_ttys(local_login_t)
+term_setattr_all_ttys(local_login_t)
+term_setattr_unallocated_ttys(local_login_t)
+
+auth_rw_login_records(local_login_t)
+auth_rw_faillog(local_login_t)
+auth_manage_pam_pid(local_login_t)
+auth_manage_pam_console_data(local_login_t)
+auth_domtrans_pam_console(local_login_t)
+
+init_dontaudit_use_fds(local_login_t)
+
+miscfiles_read_localization(local_login_t)
+
+userdom_spec_domtrans_all_users(local_login_t)
+userdom_signal_all_users(local_login_t)
+userdom_search_user_home_content(local_login_t)
+userdom_use_unpriv_users_fds(local_login_t)
+userdom_sigchld_all_users(local_login_t)
+userdom_create_all_users_keys(local_login_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(local_login_t)
+ ')
+')
+
+tunable_policy(`console_login',`
+ # Able to relabel /dev/console to user tty types.
+ term_relabel_console(local_login_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(local_login_t)
+ fs_read_nfs_symlinks(local_login_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(local_login_t)
+ fs_read_cifs_symlinks(local_login_t)
+')
+
+optional_policy(`
+ alsa_domtrans(local_login_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(local_login_t)
+
+ consolekit_dbus_chat(local_login_t)
+')
+
+optional_policy(`
+ gpm_getattr_gpmctl(local_login_t)
+ gpm_setattr_gpmctl(local_login_t)
+')
+
+optional_policy(`
+ # Search for mail spool file.
+ mta_getattr_spool(local_login_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(local_login_t)
+')
+
+optional_policy(`
+ nscd_socket_use(local_login_t)
+')
+
+optional_policy(`
+ unconfined_shell_domtrans(local_login_t)
+')
+
+optional_policy(`
+ usermanage_read_crack_db(local_login_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_tmp_files(local_login_t)
+ xserver_rw_xdm_tmp_files(local_login_t)
+')
+
+#################################
+#
+# Sulogin local policy
+#
+
+allow sulogin_t self:capability dac_override;
+allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow sulogin_t self:fd use;
+allow sulogin_t self:fifo_file rw_fifo_file_perms;
+allow sulogin_t self:unix_dgram_socket create_socket_perms;
+allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
+allow sulogin_t self:unix_dgram_socket sendto;
+allow sulogin_t self:unix_stream_socket connectto;
+allow sulogin_t self:shm create_shm_perms;
+allow sulogin_t self:sem create_sem_perms;
+allow sulogin_t self:msgq create_msgq_perms;
+allow sulogin_t self:msg { send receive };
+
+kernel_read_system_state(sulogin_t)
+
+fs_search_auto_mountpoints(sulogin_t)
+fs_rw_tmpfs_chr_files(sulogin_t)
+
+files_read_etc_files(sulogin_t)
+# because file systems are not mounted:
+files_dontaudit_search_isid_type_dirs(sulogin_t)
+
+auth_read_shadow(sulogin_t)
+
+init_getpgid_script(sulogin_t)
+
+logging_send_syslog_msg(sulogin_t)
+
+seutil_read_config(sulogin_t)
+seutil_read_default_contexts(sulogin_t)
+
+userdom_use_unpriv_users_fds(sulogin_t)
+
+userdom_search_user_home_dirs(sulogin_t)
+userdom_use_user_ptys(sulogin_t)
+
+sysadm_shell_domtrans(sulogin_t)
+
+# suse and debian do not use pam with sulogin...
+ifdef(`distro_suse', `define(`sulogin_no_pam')')
+ifdef(`distro_debian', `define(`sulogin_no_pam')')
+
+ifdef(`sulogin_no_pam', `
+ allow sulogin_t self:capability sys_tty_config;
+ init_getpgid(sulogin_t)
+', `
+ allow sulogin_t self:process setexec;
+ selinux_get_fs_mount(sulogin_t)
+ selinux_validate_context(sulogin_t)
+ selinux_compute_access_vector(sulogin_t)
+ selinux_compute_create_context(sulogin_t)
+ selinux_compute_relabel_context(sulogin_t)
+ selinux_compute_user_contexts(sulogin_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(sulogin_t)
+')
+
+optional_policy(`
+ nscd_socket_use(sulogin_t)
+')
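Review bot: The two `self:process` rules for local_login_t near the top of the hunk contradict each other: the first allows everything except a list that includes `setrlimit` and `setexec`, and the very next line allows exactly `setrlimit setexec` again, so the exclusion list overstates what is denied. Since both lines are unconditional, collapse them to `allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };` and drop the second line, so the complement list reflects the actual policy. For sulogin_t the same pattern is acceptable, because the `setexec` re-grant there sits inside the `sulogin_no_pam` else branch and so is genuinely conditional. The `# cjp: these are probably not needed:` comment over the `corecmd_read_bin_*` calls is a stale TODO that should either be resolved or rewritten as a note on why the rules are kept.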
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
new file mode 100644
index 00000000..f73a25b8
--- /dev/null
+++ b/policy/modules/system/logging.fc
@@ -0,0 +1,77 @@
+/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+
+/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+
+/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
+/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
+/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
+/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+/usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+/var/lib/misc/syslog-ng\.persist- -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+
+ifdef(`distro_suse', `
+/var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
+')
+
+/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
+/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+
+ifndef(`distro_gentoo',`
+/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+')
+
+ifdef(`distro_redhat',`
+/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
+/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
+')
+
+/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
+/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
+/var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
+/var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
+
+/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
+/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+#/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
+/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
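Review bot: The `/var/log/syslog-ng(/.*)?` entry labels a log directory under /var/log with `syslogd_var_run_t`, while every other `/var/log` entry in this file uses `var_log_t` or `auditd_log_t`; it reads like a copy of the `/var/run/syslog-ng(/.*)?` entry further down, and with a runtime type the syslog-ng logs would presumably be unreachable by domains that are only granted access to log types. If a runtime type is really intended, add `# syslog-ng keeps runtime state here, not logs` above it; otherwise use a log type. Two regexes also leave `.` unescaped (`/var/lib/syslog-ng.persist` and `/var/run/syslog-ng.ctl`) while the neighbouring `/var/lib/misc/syslog-ng\.persist-` escapes it, and the commented-out `/var/spool/postfix/pid` line is dead configuration that should be removed or explained.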
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
new file mode 100644
index 00000000..51dface3
--- /dev/null
+++ b/policy/modules/system/logging.if
@@ -0,0 +1,1064 @@
+## <summary>Policy for the kernel message logger and system logging daemon.</summary>
+
+########################################
+## <summary>
+## Make the specified type usable for log files
+## in a filesystem.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable for log files in a filesystem.
+## This will also make the type usable for files, making
+## calls to files_type() redundant. Failure to use this interface
+## for a log file type may result in problems with log
+## rotation, log analysis, and log monitoring programs.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>logging_log_filetrans()</li>
+## </ul>
+## <p>
+## Example usage with a domain that can create
+## and append to a private log file stored in the
+## general directories (e.g., /var/log):
+## </p>
+## <p>
+## type mylogfile_t;
+## logging_log_file(mylogfile_t)
+## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
+## logging_log_filetrans(mydomain_t, mylogfile_t, file)
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type to be used for files.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`logging_log_file',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ files_type($1)
+ files_associate_tmp($1)
+ fs_associate_tmpfs($1)
+ typeattribute $1 logfile;
+')
+
+#######################################
+## <summary>
+## Send audit messages.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_send_audit_msgs',`
+ allow $1 self:capability audit_write;
+ allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+')
+
+#######################################
+## <summary>
+## dontaudit attempts to send audit messages.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`logging_dontaudit_send_audit_msgs',`
+ dontaudit $1 self:capability audit_write;
+ dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+')
+
+########################################
+## <summary>
+## Set login uid
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_set_loginuid',`
+ allow $1 self:capability audit_control;
+ allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+')
+
+########################################
+## <summary>
+## Set tty auditing
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_set_tty_audit',`
+ allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit };
+')
+
+########################################
+## <summary>
+## Set up audit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_set_audit_parameters',`
+ allow $1 self:capability { audit_write audit_control };
+ allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+')
+
+########################################
+## <summary>
+## Read the audit log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_read_audit_log',`
+ gen_require(`
+ type auditd_log_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, auditd_log_t, auditd_log_t)
+ allow $1 auditd_log_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Execute auditctl in the auditctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logging_domtrans_auditctl',`
+ gen_require(`
+ type auditctl_t, auditctl_exec_t;
+ ')
+
+ domtrans_pattern($1, auditctl_exec_t, auditctl_t)
+')
+
+########################################
+## <summary>
+## Execute auditctl in the auditctl domain, and
+## allow the specified role the auditctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_run_auditctl',`
+ gen_require(`
+ type auditctl_t;
+ ')
+
+ logging_domtrans_auditctl($1)
+ role $2 types auditctl_t;
+')
+
+########################################
+## <summary>
+## Execute auditd in the auditd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logging_domtrans_auditd',`
+ gen_require(`
+ type auditd_t, auditd_exec_t;
+ ')
+
+ domtrans_pattern($1, auditd_exec_t, auditd_t)
+')
+
+########################################
+## <summary>
+## Execute auditd in the auditd domain, and
+## allow the specified role the auditd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_run_auditd',`
+ gen_require(`
+ type auditd_t;
+ ')
+
+ logging_domtrans_auditd($1)
+ role $2 types auditd_t;
+')
+
+########################################
+## <summary>
+## Connect to auditdstored over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_stream_connect_auditd',`
+ refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.')
+ logging_stream_connect_dispatcher($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run the audit dispatcher.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logging_domtrans_dispatcher',`
+ gen_require(`
+ type audisp_t, audisp_exec_t;
+ ')
+
+ domtrans_pattern($1, audisp_exec_t, audisp_t)
+')
+
+########################################
+## <summary>
+## Signal the audit dispatcher.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_signal_dispatcher',`
+ gen_require(`
+ type audisp_t;
+ ')
+
+ allow $1 audisp_t:process signal;
+')
+
+########################################
+## <summary>
+## Create a domain for processes
+## which can be started by the system audit dispatcher
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`logging_dispatcher_domain',`
+ gen_require(`
+ type audisp_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(audisp_t, $2, $1)
+ allow audisp_t $1:process { sigkill sigstop signull signal };
+
+ allow audisp_t $2:file getattr;
+ allow $1 audisp_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Connect to the audit dispatcher over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_stream_connect_dispatcher',`
+ gen_require(`
+ type audisp_t, audisp_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t)
+')
+
+########################################
+## <summary>
+## Manage the auditd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_manage_audit_config',`
+ gen_require(`
+ type auditd_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+')
+
+########################################
+## <summary>
+## Manage the audit log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_manage_audit_log',`
+ gen_require(`
+ type auditd_log_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
+ manage_files_pattern($1, auditd_log_t, auditd_log_t)
+')
+
+########################################
+## <summary>
+## Execute klogd in the klog domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logging_domtrans_klog',`
+ gen_require(`
+ type klogd_t, klogd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, klogd_exec_t, klogd_t)
+')
+
+########################################
+## <summary>
+## Check if syslogd is executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_check_exec_syslog',`
+ gen_require(`
+ type syslogd_exec_t;
+ ')
+
+ corecmd_list_bin($1)
+ corecmd_read_bin_symlinks($1)
+ allow $1 syslogd_exec_t:file execute;
+')
+
+########################################
+## <summary>
+## Execute syslogd in the syslog domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logging_domtrans_syslog',`
+ gen_require(`
+ type syslogd_t, syslogd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, syslogd_exec_t, syslogd_t)
+')
+
+########################################
+## <summary>
+## Create an object in the log directory, with a private type.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to create an object
+## in the general system log directories (e.g., /var/log)
+## with a private type. Typically this is used for creating
+## private log files in /var/log with the private type instead
+## of the general system log type. To accomplish this goal,
+## either the program must be SELinux-aware, or use this interface.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>logging_log_file()</li>
+## </ul>
+## <p>
+## Example usage with a domain that can create
+## and append to a private log file stored in the
+## general directories (e.g., /var/log):
+## </p>
+## <p>
+## type mylogfile_t;
+## logging_log_file(mylogfile_t)
+## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
+## logging_log_filetrans(mydomain_t, mylogfile_t, file)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`logging_log_filetrans',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ filetrans_pattern($1, var_log_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Send system log messages.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to connect to the
+## system log service (syslog), to send messages be added to
+## the system logs. Typically this is used by services
+## that do not have their own log file in /var/log.
+## </p>
+## <p>
+## This does not allow messages to be sent to
+## the auditing system.
+## </p>
+## <p>
+## Programs which use the libc function syslog() will
+## require this access.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>logging_send_audit_msgs()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_send_syslog_msg',`
+ gen_require(`
+ type syslogd_t, devlog_t;
+ ')
+
+ allow $1 devlog_t:lnk_file read_lnk_file_perms;
+ allow $1 devlog_t:sock_file write_sock_file_perms;
+
+ # the type of socket depends on the syslog daemon
+ allow $1 syslogd_t:unix_dgram_socket sendto;
+ allow $1 syslogd_t:unix_stream_socket connectto;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 self:unix_stream_socket create_socket_perms;
+
+ # If syslog is down, the glibc syslog() function
+ # will write to the console.
+ term_write_console($1)
+ term_dontaudit_read_console($1)
+')
+
+########################################
+## <summary>
+## Read the auditd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_read_audit_config',`
+ gen_require(`
+ type auditd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, auditd_etc_t, auditd_etc_t)
+ allow $1 auditd_etc_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## dontaudit search of auditd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_dontaudit_search_audit_config',`
+ gen_require(`
+ type auditd_etc_t;
+ ')
+
+ dontaudit $1 auditd_etc_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read syslog configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_read_syslog_config',`
+ gen_require(`
+ type syslog_conf_t;
+ ')
+
+ allow $1 syslog_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Delete the syslog socket files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_delete_devlog_socket',`
+ gen_require(`
+ type devlog_t;
+ ')
+
+ allow $1 devlog_t:sock_file unlink;
+')
+
+########################################
+## <summary>
+## Allows the domain to open a file in the
+## log directory, but does not allow the listing
+## of the contents of the log directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_search_logs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_log_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to search the var log directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit.
+## </summary>
+## </param>
+#
+interface(`logging_dontaudit_search_logs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ dontaudit $1 var_log_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+## List the contents of the generic log directory (/var/log).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_list_logs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_log_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+## Read and write the generic log directory (/var/log).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_rw_generic_log_dirs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_log_t:dir rw_dir_perms;
+')
+
+#######################################
+## <summary>
+## Set attributes on all log dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_setattr_all_log_dirs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ allow $1 logfile:dir setattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the atttributes
+## of any log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`logging_dontaudit_getattr_all_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ dontaudit $1 logfile:file getattr;
+')
+
+########################################
+## <summary>
+## Append to all log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_append_all_logs',`
+ gen_require(`
+ attribute logfile;
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ append_files_pattern($1, var_log_t, logfile)
+')
+
+########################################
+## <summary>
+## Read all log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_read_all_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ files_search_var($1)
+ allow $1 logfile:dir list_dir_perms;
+ read_files_pattern($1, logfile, logfile)
+')
+
+########################################
+## <summary>
+## Execute all log files in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: not sure why this is needed. This was added
+# because of logrotate.
+interface(`logging_exec_all_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ files_search_var($1)
+ allow $1 logfile:dir list_dir_perms;
+ can_exec($1, logfile)
+')
+
+########################################
+## <summary>
+## read/write to all log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_rw_all_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ files_search_var($1)
+ rw_files_pattern($1, logfile, logfile)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete all log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_manage_all_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, logfile, logfile)
+ read_lnk_files_pattern($1, logfile, logfile)
+')
+
+########################################
+## <summary>
+## Read generic log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_read_generic_logs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_log_t:dir list_dir_perms;
+ read_files_pattern($1, var_log_t, var_log_t)
+')
+
+########################################
+## <summary>
+## Write generic log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_write_generic_logs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_log_t:dir list_dir_perms;
+ write_files_pattern($1, var_log_t, var_log_t)
+')
+
+########################################
+## <summary>
+## Dontaudit Write generic log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`logging_dontaudit_write_generic_logs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ dontaudit $1 var_log_t:file write;
+')
+
+########################################
+## <summary>
+## Read and write generic log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_rw_generic_logs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_log_t:dir list_dir_perms;
+ rw_files_pattern($1, var_log_t, var_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_manage_generic_logs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, var_log_t, var_log_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## the audit environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## User role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_admin_audit',`
+ gen_require(`
+ type auditd_t, auditd_etc_t, auditd_log_t;
+ type auditd_var_run_t;
+ type auditd_initrc_exec_t;
+ ')
+
+ allow $1 auditd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, auditd_t)
+
+ manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
+ manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+
+ manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
+ manage_files_pattern($1, auditd_log_t, auditd_log_t)
+
+ manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
+ manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
+
+ logging_run_auditctl($1, $2)
+
+ init_labeled_script_domtrans($1, auditd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 auditd_initrc_exec_t system_r;
+ allow $2 system_r;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## the syslog environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## User role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_admin_syslog',`
+ gen_require(`
+ type syslogd_t, klogd_t, syslog_conf_t;
+ type syslogd_tmp_t, syslogd_var_lib_t;
+ type syslogd_var_run_t, klogd_var_run_t;
+ type klogd_tmp_t, var_log_t;
+ type syslogd_initrc_exec_t;
+ ')
+
+ allow $1 syslogd_t:process { ptrace signal_perms };
+ allow $1 klogd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, syslogd_t)
+ ps_process_pattern($1, klogd_t)
+
+ manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
+ manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
+
+ manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t)
+ manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t)
+
+ manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
+ manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
+
+ manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
+ manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
+ files_etc_filetrans($1, syslog_conf_t, file)
+
+ manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
+ manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
+
+ manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+ manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+
+ logging_manage_all_logs($1)
+
+ init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 syslogd_initrc_exec_t system_r;
+ allow $2 system_r;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## the logging environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## User role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_admin',`
+ logging_admin_audit($1, $2)
+ logging_admin_syslog($1, $2)
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
new file mode 100644
index 00000000..7674d4bd
--- /dev/null
+++ b/policy/modules/system/logging.te
@@ -0,0 +1,515 @@
+policy_module(logging, 1.18.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute logfile;
+
+type auditctl_t;
+type auditctl_exec_t;
+init_system_domain(auditctl_t, auditctl_exec_t)
+role system_r types auditctl_t;
+
+type auditd_etc_t;
+files_security_file(auditd_etc_t)
+
+type auditd_log_t;
+files_security_file(auditd_log_t)
+files_security_mountpoint(auditd_log_t)
+
+type audit_spool_t;
+files_security_file(audit_spool_t)
+files_security_mountpoint(audit_spool_t)
+
+type auditd_t;
+type auditd_exec_t;
+init_daemon_domain(auditd_t, auditd_exec_t)
+
+type auditd_initrc_exec_t;
+init_script_file(auditd_initrc_exec_t)
+
+type auditd_var_run_t;
+files_pid_file(auditd_var_run_t)
+
+type audisp_t;
+type audisp_exec_t;
+init_system_domain(audisp_t, audisp_exec_t)
+
+type audisp_var_run_t;
+files_pid_file(audisp_var_run_t)
+
+type audisp_remote_t;
+type audisp_remote_exec_t;
+logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t)
+
+type devlog_t;
+files_type(devlog_t)
+mls_trusted_object(devlog_t)
+
+type klogd_t;
+type klogd_exec_t;
+init_daemon_domain(klogd_t, klogd_exec_t)
+
+type klogd_tmp_t;
+files_tmp_file(klogd_tmp_t)
+
+type klogd_var_run_t;
+files_pid_file(klogd_var_run_t)
+
+type syslog_conf_t;
+files_config_file(syslog_conf_t)
+
+type syslogd_t;
+type syslogd_exec_t;
+init_daemon_domain(syslogd_t, syslogd_exec_t)
+
+type syslogd_initrc_exec_t;
+init_script_file(syslogd_initrc_exec_t)
+
+type syslogd_tmp_t;
+files_tmp_file(syslogd_tmp_t)
+
+type syslogd_var_lib_t;
+files_type(syslogd_var_lib_t)
+
+type syslogd_var_run_t;
+files_pid_file(syslogd_var_run_t)
+
+type var_log_t;
+logging_log_file(var_log_t)
+files_mountpoint(var_log_t)
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
+ init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# Auditctl local policy
+#
+
+allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+
+read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
+allow auditctl_t auditd_etc_t:dir list_dir_perms;
+
+# Needed for adding watches
+files_getattr_all_dirs(auditctl_t)
+files_getattr_all_files(auditctl_t)
+files_read_etc_files(auditctl_t)
+
+kernel_read_kernel_sysctls(auditctl_t)
+kernel_read_proc_symlinks(auditctl_t)
+kernel_setsched(auditctl_t)
+
+domain_read_all_domains_state(auditctl_t)
+domain_use_interactive_fds(auditctl_t)
+
+mls_file_read_all_levels(auditctl_t)
+
+term_use_all_terms(auditctl_t)
+
+init_dontaudit_use_fds(auditctl_t)
+
+locallogin_dontaudit_use_fds(auditctl_t)
+
+logging_set_audit_parameters(auditctl_t)
+logging_send_syslog_msg(auditctl_t)
+
+########################################
+#
+# Auditd local policy
+#
+
+allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
+dontaudit auditd_t self:capability sys_tty_config;
+allow auditd_t self:process { getcap signal_perms setcap setpgid setsched };
+allow auditd_t self:file rw_file_perms;
+allow auditd_t self:unix_dgram_socket create_socket_perms;
+allow auditd_t self:fifo_file rw_fifo_file_perms;
+allow auditd_t self:tcp_socket create_stream_socket_perms;
+
+allow auditd_t auditd_etc_t:dir list_dir_perms;
+allow auditd_t auditd_etc_t:file read_file_perms;
+
+manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+allow auditd_t var_log_t:dir search_dir_perms;
+
+manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(auditd_t)
+# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
+# Probably want a transition, and a new auditd_helper app
+kernel_read_system_state(auditd_t)
+
+dev_read_sysfs(auditd_t)
+
+fs_getattr_all_fs(auditd_t)
+fs_search_auto_mountpoints(auditd_t)
+fs_rw_anon_inodefs_files(auditd_t)
+
+selinux_search_fs(auditctl_t)
+
+corenet_all_recvfrom_unlabeled(auditd_t)
+corenet_all_recvfrom_netlabel(auditd_t)
+corenet_tcp_sendrecv_generic_if(auditd_t)
+corenet_tcp_sendrecv_generic_node(auditd_t)
+corenet_tcp_sendrecv_all_ports(auditd_t)
+corenet_tcp_bind_generic_node(auditd_t)
+corenet_tcp_bind_audit_port(auditd_t)
+corenet_sendrecv_audit_server_packets(auditd_t)
+
+# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
+# Probably want a transition, and a new auditd_helper app
+corecmd_exec_bin(auditd_t)
+corecmd_exec_shell(auditd_t)
+
+domain_use_interactive_fds(auditd_t)
+
+files_read_etc_files(auditd_t)
+files_list_usr(auditd_t)
+
+init_telinit(auditd_t)
+
+logging_set_audit_parameters(auditd_t)
+logging_send_syslog_msg(auditd_t)
+logging_domtrans_dispatcher(auditd_t)
+logging_signal_dispatcher(auditd_t)
+
+miscfiles_read_localization(auditd_t)
+
+mls_file_read_all_levels(auditd_t)
+mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
+
+seutil_dontaudit_read_config(auditd_t)
+
+sysnet_dns_name_resolve(auditd_t)
+
+userdom_use_user_terminals(auditd_t)
+userdom_dontaudit_use_unpriv_user_fds(auditd_t)
+userdom_dontaudit_search_user_home_dirs(auditd_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(auditd_t)
+ ')
+')
+
+optional_policy(`
+ mta_send_mail(auditd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(auditd_t)
+')
+
+optional_policy(`
+ udev_read_db(auditd_t)
+')
+
+########################################
+#
+# audit dispatcher local policy
+#
+
+allow audisp_t self:capability { dac_override setpcap sys_nice };
+allow audisp_t self:process { getcap signal_perms setcap setsched };
+allow audisp_t self:fifo_file rw_fifo_file_perms;
+allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+allow audisp_t self:unix_dgram_socket create_socket_perms;
+
+allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
+
+manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
+files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
+
+kernel_read_system_state(audisp_t)
+
+corecmd_exec_bin(audisp_t)
+corecmd_exec_shell(audisp_t)
+
+domain_use_interactive_fds(audisp_t)
+
+files_read_etc_files(audisp_t)
+files_read_etc_runtime_files(audisp_t)
+
+mls_file_write_all_levels(audisp_t)
+
+logging_send_syslog_msg(audisp_t)
+
+miscfiles_read_localization(audisp_t)
+
+sysnet_dns_name_resolve(audisp_t)
+
+optional_policy(`
+ dbus_system_bus_client(audisp_t)
+')
+
+########################################
+#
+# Audit remote logger local policy
+#
+
+allow audisp_remote_t self:capability { setuid setpcap };
+allow audisp_remote_t self:process { getcap setcap };
+allow audisp_remote_t self:tcp_socket create_socket_perms;
+allow audisp_remote_t var_log_t:dir search_dir_perms;
+
+manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
+
+corecmd_exec_bin(audisp_remote_t)
+
+corenet_all_recvfrom_unlabeled(audisp_remote_t)
+corenet_all_recvfrom_netlabel(audisp_remote_t)
+corenet_tcp_sendrecv_generic_if(audisp_remote_t)
+corenet_tcp_sendrecv_generic_node(audisp_remote_t)
+corenet_tcp_sendrecv_all_ports(audisp_remote_t)
+corenet_tcp_bind_audit_port(audisp_remote_t)
+corenet_tcp_bind_generic_node(audisp_remote_t)
+corenet_tcp_connect_audit_port(audisp_remote_t)
+corenet_sendrecv_audit_client_packets(audisp_remote_t)
+
+files_read_etc_files(audisp_remote_t)
+
+logging_send_syslog_msg(audisp_remote_t)
+logging_send_audit_msgs(audisp_remote_t)
+
+miscfiles_read_localization(audisp_remote_t)
+
+sysnet_dns_name_resolve(audisp_remote_t)
+
+########################################
+#
+# klogd local policy
+#
+
+allow klogd_t self:capability sys_admin;
+dontaudit klogd_t self:capability { sys_resource sys_tty_config };
+allow klogd_t self:process signal_perms;
+
+manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
+manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
+files_tmp_filetrans(klogd_t, klogd_tmp_t,{ file dir })
+
+manage_files_pattern(klogd_t, klogd_var_run_t, klogd_var_run_t)
+files_pid_filetrans(klogd_t, klogd_var_run_t, file)
+
+kernel_read_system_state(klogd_t)
+kernel_read_messages(klogd_t)
+kernel_read_kernel_sysctls(klogd_t)
+# Control syslog and console logging
+kernel_clear_ring_buffer(klogd_t)
+kernel_change_ring_buffer_level(klogd_t)
+
+files_read_kernel_symbol_table(klogd_t)
+
+dev_read_raw_memory(klogd_t)
+dev_read_sysfs(klogd_t)
+
+fs_getattr_all_fs(klogd_t)
+fs_search_auto_mountpoints(klogd_t)
+
+domain_use_interactive_fds(klogd_t)
+
+files_read_etc_runtime_files(klogd_t)
+# read /etc/nsswitch.conf
+files_read_etc_files(klogd_t)
+
+logging_send_syslog_msg(klogd_t)
+
+miscfiles_read_localization(klogd_t)
+
+mls_file_read_all_levels(klogd_t)
+
+userdom_dontaudit_search_user_home_dirs(klogd_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(klogd_t)
+ ')
+')
+
+optional_policy(`
+ udev_read_db(klogd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(klogd_t)
+')
+
+########################################
+#
+# syslogd local policy
+#
+
+# chown fsetid for syslog-ng
+# sys_admin for the integrated klog of syslog-ng and metalog
+# cjp: why net_admin!
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+dontaudit syslogd_t self:capability sys_tty_config;
+# setpgid for metalog
+# setrlimit for syslog-ng
+allow syslogd_t self:process { signal_perms setpgid setrlimit getsched };
+# receive messages to be logged
+allow syslogd_t self:unix_dgram_socket create_socket_perms;
+allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
+allow syslogd_t self:unix_dgram_socket sendto;
+allow syslogd_t self:fifo_file rw_fifo_file_perms;
+allow syslogd_t self:udp_socket create_socket_perms;
+allow syslogd_t self:tcp_socket create_stream_socket_perms;
+
+allow syslogd_t syslog_conf_t:file read_file_perms;
+
+# Create and bind to /dev/log or /var/run/log.
+allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+
+# create/append log files.
+manage_files_pattern(syslogd_t, var_log_t, var_log_t)
+rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+
+# Allow access for syslog-ng
+allow syslogd_t var_log_t:dir { create setattr };
+
+# manage temporary files
+manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
+
+manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
+files_search_var_lib(syslogd_t)
+
+# manage pid file
+manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
+
+kernel_read_system_state(syslogd_t)
+kernel_read_kernel_sysctls(syslogd_t)
+kernel_read_proc_symlinks(syslogd_t)
+# Allow access to /proc/kmsg for syslog-ng
+kernel_read_messages(syslogd_t)
+kernel_clear_ring_buffer(syslogd_t)
+kernel_change_ring_buffer_level(syslogd_t)
+
+corenet_all_recvfrom_unlabeled(syslogd_t)
+corenet_all_recvfrom_netlabel(syslogd_t)
+corenet_udp_sendrecv_generic_if(syslogd_t)
+corenet_udp_sendrecv_generic_node(syslogd_t)
+corenet_udp_sendrecv_all_ports(syslogd_t)
+corenet_udp_bind_generic_node(syslogd_t)
+corenet_udp_bind_syslogd_port(syslogd_t)
+# syslog-ng can listen and connect on tcp port 514 (rsh)
+corenet_tcp_sendrecv_generic_if(syslogd_t)
+corenet_tcp_sendrecv_generic_node(syslogd_t)
+corenet_tcp_sendrecv_all_ports(syslogd_t)
+corenet_tcp_bind_generic_node(syslogd_t)
+corenet_tcp_bind_rsh_port(syslogd_t)
+corenet_tcp_connect_rsh_port(syslogd_t)
+# Allow users to define additional syslog ports to connect to
+corenet_tcp_bind_syslogd_port(syslogd_t)
+corenet_tcp_connect_syslogd_port(syslogd_t)
+corenet_tcp_connect_postgresql_port(syslogd_t)
+corenet_tcp_connect_mysqld_port(syslogd_t)
+
+# syslog-ng can send or receive logs
+corenet_sendrecv_syslogd_client_packets(syslogd_t)
+corenet_sendrecv_syslogd_server_packets(syslogd_t)
+corenet_sendrecv_postgresql_client_packets(syslogd_t)
+corenet_sendrecv_mysqld_client_packets(syslogd_t)
+
+dev_filetrans(syslogd_t, devlog_t, sock_file)
+dev_read_sysfs(syslogd_t)
+
+domain_use_interactive_fds(syslogd_t)
+
+files_read_etc_files(syslogd_t)
+files_read_usr_files(syslogd_t)
+files_read_var_files(syslogd_t)
+files_read_etc_runtime_files(syslogd_t)
+# /initrd is not umounted before minilog starts
+files_dontaudit_search_isid_type_dirs(syslogd_t)
+files_read_kernel_symbol_table(syslogd_t)
+files_rw_var_lib_dirs(syslogd_t)
+files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, file)
+
+fs_getattr_all_fs(syslogd_t)
+fs_search_auto_mountpoints(syslogd_t)
+
+mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+
+term_write_console(syslogd_t)
+# Allow syslog to a terminal
+term_write_unallocated_ttys(syslogd_t)
+
+# for sending messages to logged in users
+init_read_utmp(syslogd_t)
+init_dontaudit_write_utmp(syslogd_t)
+term_write_all_ttys(syslogd_t)
+
+auth_use_nsswitch(syslogd_t)
+
+init_use_fds(syslogd_t)
+
+# cjp: this doesnt make sense
+logging_send_syslog_msg(syslogd_t)
+
+miscfiles_read_localization(syslogd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
+userdom_dontaudit_search_user_home_dirs(syslogd_t)
+
+ifdef(`distro_gentoo',`
+ # default gentoo syslog-ng config appends kernel
+ # and high priority messages to /dev/tty12
+ term_append_unallocated_ttys(syslogd_t)
+ term_dontaudit_setattr_unallocated_ttys(syslogd_t)
+')
+
+ifdef(`distro_suse',`
+ # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
+ files_var_lib_filetrans(syslogd_t, devlog_t, sock_file)
+')
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(syslogd_t)
+ ')
+')
+
+optional_policy(`
+ bind_search_cache(syslogd_t)
+')
+
+optional_policy(`
+ inn_manage_log(syslogd_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(syslogd_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(syslogd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(syslogd_t)
+')
+
+optional_policy(`
+ udev_read_db(syslogd_t)
+')
+
+optional_policy(`
+ # log to the xconsole
+ xserver_rw_console(syslogd_t)
+')
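Review bot: `selinux_search_fs(auditctl_t)` sits in the "Auditd local policy" section but names auditctl_t, so it is either a typo for `selinux_search_fs(auditd_t)` or a line that belongs in the auditctl section above; please confirm which domain actually needs the access and move or rename the call so the section headers stay trustworthy. Further down, `sys_tty_config` is both granted to syslogd_t in the `allow syslogd_t self:capability { ... sys_tty_config ... }` rule and listed in the following `dontaudit syslogd_t self:capability sys_tty_config;`, so the dontaudit is dead and one of the two lines should go (auditd_t only dontaudits it, which is presumably the intended shape). The `# cjp: why net_admin!` comment leaves a CAP_NET_ADMIN grant to syslogd_t unexplained, and a one-line justification such as `# net_admin: required by <feature> -- TODO confirm` or dropping the capability would make that grant reviewable. Finally, the three distro_ubuntu blocks that call `unconfined_domain()` on auditd_t, klogd_t and syslogd_t remove all confinement for those daemons on that distro, which deserves a comment stating why the confined policy is not used there.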
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
new file mode 100644
index 00000000..26e0d4ba
--- /dev/null
+++ b/policy/modules/system/lvm.fc
@@ -0,0 +1,106 @@
+
+# LVM creates lock files in /var before /var is mounted
+# configure LVM to put lockfiles in /etc/lvm/lock instead
+# for this policy to work (unless you have no separate /var)
+
+#
+# /bin
+#
+ifdef(`distro_gentoo',`
+/bin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+')
+
+#
+# /dev
+#
+/dev/.lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+
+#
+# /etc
+#
+/etc/lvm(/.*)? gen_context(system_u:object_r:lvm_etc_t,s0)
+/etc/lvm/\.cache -- gen_context(system_u:object_r:lvm_metadata_t,s0)
+/etc/lvm/cache(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+/etc/lvm/archive(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+/etc/lvm/backup(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+/etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+
+/etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+/etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+
+#
+# /lib
+#
+/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+
+#
+# /sbin
+#
+/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvresize -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvmove -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgcfgbackup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgcfgrestore -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgchange\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgck -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgexport -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgimport -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgmerge -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgmknodes -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgreduce -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgrename -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgs -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgscan\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
+/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
+
+#
+# /var
+#
+/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
+/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
+/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
new file mode 100644
index 00000000..58bc27f2
--- /dev/null
+++ b/policy/modules/system/lvm.if
@@ -0,0 +1,125 @@
+## <summary>Policy for logical volume management programs.</summary>
+
+########################################
+## <summary>
+## Execute lvm programs in the lvm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lvm_domtrans',`
+ gen_require(`
+ type lvm_t, lvm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lvm_exec_t, lvm_t)
+')
+
+########################################
+## <summary>
+## Execute lvm programs in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_exec',`
+ gen_require(`
+ type lvm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, lvm_exec_t)
+')
+
+########################################
+## <summary>
+## Execute lvm programs in the lvm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the LVM domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lvm_run',`
+ gen_require(`
+ type lvm_t;
+ ')
+
+ lvm_domtrans($1)
+ role $2 types lvm_t;
+')
+
+########################################
+## <summary>
+## Read LVM configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lvm_read_config',`
+ gen_require(`
+ type lvm_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 lvm_etc_t:dir list_dir_perms;
+ read_files_pattern($1, lvm_etc_t, lvm_etc_t)
+')
+
+########################################
+## <summary>
+## Manage LVM configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lvm_manage_config',`
+ gen_require(`
+ type lvm_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t)
+ manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run clvmd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lvm_domtrans_clvmd',`
+ gen_require(`
+ type clvmd_t, clvmd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, clvmd_exec_t, clvmd_t)
+')
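Review bot: The `<summary>` of `lvm_run` is identical to that of `lvm_domtrans` ("Execute lvm programs in the lvm domain."), although `lvm_run` additionally authorizes the role through `role $2 types lvm_t;`; the summary should say so, e.g. `## Execute lvm programs in the lvm domain, and allow the specified role the lvm domain.` The separator line above `lvm_domtrans_clvmd` is two characters shorter than every other separator in the file, a cosmetic inconsistency. `lvm_read_config` carries `<rolecap/>` while only granting read access; if that is intended so that administrative roles can inspect the configuration, a one-line comment stating it would make the choice visible to the next maintainer.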
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
new file mode 100644
index 00000000..44b78441
--- /dev/null
+++ b/policy/modules/system/lvm.te
@@ -0,0 +1,353 @@
+policy_module(lvm, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type clvmd_t;
+type clvmd_exec_t;
+init_daemon_domain(clvmd_t, clvmd_exec_t)
+
+type clvmd_initrc_exec_t;
+init_script_file(clvmd_initrc_exec_t)
+
+type clvmd_var_run_t;
+files_pid_file(clvmd_var_run_t)
+
+type lvm_t;
+type lvm_exec_t;
+init_system_domain(lvm_t, lvm_exec_t)
+# needs privowner because it assigns the identity system_u to device nodes
+# but runs as the identity of the sysadmin
+domain_obj_id_change_exemption(lvm_t)
+role system_r types lvm_t;
+
+type lvm_etc_t;
+files_type(lvm_etc_t)
+
+type lvm_lock_t;
+files_lock_file(lvm_lock_t)
+
+type lvm_metadata_t;
+files_type(lvm_metadata_t)
+
+type lvm_var_lib_t;
+files_type(lvm_var_lib_t)
+
+type lvm_var_run_t;
+files_pid_file(lvm_var_run_t)
+
+type lvm_tmp_t;
+files_tmp_file(lvm_tmp_t)
+
+########################################
+#
+# Cluster LVM daemon local policy
+#
+
+allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
+dontaudit clvmd_t self:capability sys_tty_config;
+allow clvmd_t self:process { signal_perms setsched };
+dontaudit clvmd_t self:process ptrace;
+allow clvmd_t self:socket create_socket_perms;
+allow clvmd_t self:fifo_file rw_fifo_file_perms;
+allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow clvmd_t self:tcp_socket create_stream_socket_perms;
+allow clvmd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
+files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
+
+read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t)
+
+kernel_read_kernel_sysctls(clvmd_t)
+kernel_read_system_state(clvmd_t)
+kernel_list_proc(clvmd_t)
+kernel_read_proc_symlinks(clvmd_t)
+kernel_search_debugfs(clvmd_t)
+kernel_dontaudit_getattr_core_if(clvmd_t)
+
+corecmd_exec_shell(clvmd_t)
+corecmd_getattr_bin_files(clvmd_t)
+
+corenet_all_recvfrom_unlabeled(clvmd_t)
+corenet_all_recvfrom_netlabel(clvmd_t)
+corenet_tcp_sendrecv_generic_if(clvmd_t)
+corenet_udp_sendrecv_generic_if(clvmd_t)
+corenet_raw_sendrecv_generic_if(clvmd_t)
+corenet_tcp_sendrecv_generic_node(clvmd_t)
+corenet_udp_sendrecv_generic_node(clvmd_t)
+corenet_raw_sendrecv_generic_node(clvmd_t)
+corenet_tcp_sendrecv_all_ports(clvmd_t)
+corenet_udp_sendrecv_all_ports(clvmd_t)
+corenet_tcp_bind_generic_node(clvmd_t)
+corenet_tcp_bind_reserved_port(clvmd_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
+corenet_sendrecv_generic_server_packets(clvmd_t)
+
+dev_read_sysfs(clvmd_t)
+dev_manage_generic_symlinks(clvmd_t)
+dev_relabel_generic_dev_dirs(clvmd_t)
+dev_manage_generic_blk_files(clvmd_t)
+dev_manage_generic_chr_files(clvmd_t)
+dev_rw_lvm_control(clvmd_t)
+dev_dontaudit_getattr_all_blk_files(clvmd_t)
+dev_dontaudit_getattr_all_chr_files(clvmd_t)
+dev_create_generic_dirs(clvmd_t)
+dev_delete_generic_dirs(clvmd_t)
+
+files_read_etc_files(clvmd_t)
+files_list_usr(clvmd_t)
+
+fs_getattr_all_fs(clvmd_t)
+fs_search_auto_mountpoints(clvmd_t)
+fs_dontaudit_list_tmpfs(clvmd_t)
+fs_dontaudit_read_removable_files(clvmd_t)
+fs_rw_anon_inodefs_files(clvmd_t)
+
+storage_dontaudit_getattr_removable_dev(clvmd_t)
+storage_manage_fixed_disk(clvmd_t)
+storage_dev_filetrans_fixed_disk(clvmd_t)
+storage_relabel_fixed_disk(clvmd_t)
+storage_raw_read_fixed_disk(clvmd_t)
+
+domain_use_interactive_fds(clvmd_t)
+
+auth_use_nsswitch(clvmd_t)
+
+init_dontaudit_getattr_initctl(clvmd_t)
+
+logging_send_syslog_msg(clvmd_t)
+
+miscfiles_read_localization(clvmd_t)
+
+seutil_dontaudit_search_config(clvmd_t)
+seutil_sigchld_newrole(clvmd_t)
+seutil_read_config(clvmd_t)
+seutil_read_file_contexts(clvmd_t)
+seutil_search_default_contexts(clvmd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
+userdom_dontaudit_search_user_home_dirs(clvmd_t)
+
+lvm_domtrans(clvmd_t)
+lvm_read_config(clvmd_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ unconfined_domain(clvmd_t)
+ ')
+')
+
+optional_policy(`
+ ccs_stream_connect(clvmd_t)
+')
+
+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(clvmd_t)
+')
+
+optional_policy(`
+ ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
+ ricci_dontaudit_use_modcluster_fds(clvmd_t)
+')
+
+optional_policy(`
+ udev_read_db(clvmd_t)
+')
+
+########################################
+#
+# LVM Local policy
+#
+
+# DAC overrides and mknod for modifying /dev entries (vgmknodes)
+# rawio needed for dmraid
+# net_admin for multipath
+allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
+dontaudit lvm_t self:capability sys_tty_config;
+allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
+# LVM will complain a lot if it cannot set its priority.
+allow lvm_t self:process setsched;
+allow lvm_t self:file rw_file_perms;
+allow lvm_t self:fifo_file manage_fifo_file_perms;
+allow lvm_t self:unix_dgram_socket create_socket_perms;
+allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow lvm_t self:sem create_sem_perms;
+
+allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
+
+manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
+manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
+files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
+
+# /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
+read_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+
+# LVM is split into many individual binaries
+can_exec(lvm_t, lvm_exec_t)
+
+# Creating lock files
+manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+files_lock_filetrans(lvm_t, lvm_lock_t, file)
+
+manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
+manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
+files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+
+manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
+
+read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
+manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
+filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
+files_etc_filetrans(lvm_t, lvm_metadata_t, file)
+files_search_mnt(lvm_t)
+
+kernel_get_sysvipc_info(lvm_t)
+kernel_read_system_state(lvm_t)
+# Read system variables in /proc/sys
+kernel_read_kernel_sysctls(lvm_t)
+# it has no reason to need this
+kernel_dontaudit_getattr_core_if(lvm_t)
+kernel_use_fds(lvm_t)
+kernel_search_debugfs(lvm_t)
+
+corecmd_exec_bin(lvm_t)
+corecmd_exec_shell(lvm_t)
+
+dev_create_generic_chr_files(lvm_t)
+dev_delete_generic_dirs(lvm_t)
+dev_read_rand(lvm_t)
+dev_read_urand(lvm_t)
+dev_rw_lvm_control(lvm_t)
+dev_manage_generic_symlinks(lvm_t)
+dev_relabel_generic_dev_dirs(lvm_t)
+dev_manage_generic_blk_files(lvm_t)
+# Read /sys/block. Device mapper metadata is kept there.
+dev_read_sysfs(lvm_t)
+# cjp: this has no effect since LVM does not
+# have lnk_file relabelto for anything else.
+# perhaps this should be blk_files?
+dev_relabel_generic_symlinks(lvm_t)
+# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
+dev_dontaudit_read_all_chr_files(lvm_t)
+dev_dontaudit_read_all_blk_files(lvm_t)
+dev_dontaudit_getattr_generic_chr_files(lvm_t)
+dev_dontaudit_getattr_generic_blk_files(lvm_t)
+dev_dontaudit_getattr_generic_pipes(lvm_t)
+dev_create_generic_dirs(lvm_t)
+
+domain_use_interactive_fds(lvm_t)
+domain_read_all_domains_state(lvm_t)
+
+files_read_usr_files(lvm_t)
+files_read_etc_files(lvm_t)
+files_read_etc_runtime_files(lvm_t)
+# for when /usr is not mounted:
+files_dontaudit_search_isid_type_dirs(lvm_t)
+
+fs_getattr_xattr_fs(lvm_t)
+fs_search_auto_mountpoints(lvm_t)
+fs_list_tmpfs(lvm_t)
+fs_read_tmpfs_symlinks(lvm_t)
+fs_dontaudit_read_removable_files(lvm_t)
+fs_dontaudit_getattr_tmpfs_files(lvm_t)
+fs_rw_anon_inodefs_files(lvm_t)
+
+mls_file_read_all_levels(lvm_t)
+mls_file_write_to_clearance(lvm_t)
+
+selinux_get_fs_mount(lvm_t)
+selinux_validate_context(lvm_t)
+selinux_compute_access_vector(lvm_t)
+selinux_compute_create_context(lvm_t)
+selinux_compute_relabel_context(lvm_t)
+selinux_compute_user_contexts(lvm_t)
+
+storage_relabel_fixed_disk(lvm_t)
+storage_dontaudit_read_removable_device(lvm_t)
+# LVM creates block devices in /dev/mapper or /dev/<vg>
+# depending on its version
+# LVM(2) needs to create directories (/dev/mapper, /dev/<vg>)
+# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
+# cjp: needs to create an interface here for fixed disk create
+storage_dev_filetrans_fixed_disk(lvm_t)
+# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
+storage_manage_fixed_disk(lvm_t)
+
+term_use_all_terms(lvm_t)
+
+init_use_fds(lvm_t)
+init_dontaudit_getattr_initctl(lvm_t)
+init_use_script_ptys(lvm_t)
+init_read_script_state(lvm_t)
+
+logging_send_syslog_msg(lvm_t)
+
+miscfiles_read_localization(lvm_t)
+
+seutil_read_config(lvm_t)
+seutil_read_file_contexts(lvm_t)
+seutil_search_default_contexts(lvm_t)
+seutil_sigchld_newrole(lvm_t)
+
+userdom_use_user_terminals(lvm_t)
+
+ifdef(`distro_redhat',`
+ # this is from the initrd:
+ files_rw_isid_type_dirs(lvm_t)
+
+ optional_policy(`
+ unconfined_domain(lvm_t)
+ ')
+')
+
+optional_policy(`
+ bootloader_rw_tmp_files(lvm_t)
+')
+
+optional_policy(`
+ ccs_stream_connect(lvm_t)
+')
+
+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(lvm_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(lvm_t)
+
+ optional_policy(`
+ hal_dbus_chat(lvm_t)
+ ')
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(lvm_t)
+')
+
+optional_policy(`
+ rpm_manage_script_tmp_files(lvm_t)
+')
+
+optional_policy(`
+ udev_read_db(lvm_t)
+')
+
+optional_policy(`
+ virt_manage_images(lvm_t)
+')
+
+optional_policy(`
+ xen_append_log(lvm_t)
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+')
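Review bot: The `unconfined_domain(lvm_t)` and `unconfined_domain(clvmd_t)` calls inside the two `ifdef(`distro_redhat',` blocks carry no comment explaining why both domains are made unconfined on that distribution, which effectively sets aside the confinement written above them whenever the unconfined module is loaded; the `# this is from the initrd:` comment only covers `files_rw_isid_type_dirs`. A comment such as `# lvm_t is unconfined on Red Hat because <reason> -- TODO confirm; consider a tunable instead` would let a maintainer judge whether this is still needed. The comment above `allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin ... }` explains dac_override, mknod, sys_rawio and net_admin but not sys_admin, sys_resource, ipc_lock, fowner or chown; since this is the broadest grant in the module, each capability should be justified or marked as a candidate for removal. The `# Is this needed?` and `# cjp: needs to create an interface here for fixed disk create` remarks are open questions left in the code and should be resolved or turned into tracked TODOs.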
diff --git a/policy/modules/system/metadata.xml b/policy/modules/system/metadata.xml
new file mode 100644
index 00000000..4866e979
--- /dev/null
+++ b/policy/modules/system/metadata.xml
@@ -0,0 +1,3 @@
+<summary>
+ Policy modules for system functions from init to multi-user login.
+</summary>
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
new file mode 100644
index 00000000..172287eb
--- /dev/null
+++ b/policy/modules/system/miscfiles.fc
@@ -0,0 +1,93 @@
+#
+# /emul
+#
+ifdef(`distro_gentoo',`
+/emul/linux/x86/usr/(X11R6/)?lib/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+')
+
+#
+# /etc
+#
+/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
+/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
+')
+
+#
+# /opt
+#
+/opt/(.*/)?man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
+#
+# /srv
+#
+/srv/([^/]*/)?ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0)
+/srv/([^/]*/)?rsync(/.*)? gen_context(system_u:object_r:public_content_t,s0)
+
+#
+# /usr
+#
+/usr/lib/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+
+/usr/lib(64)?/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
+/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
+/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+
+/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
+/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+/usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+/usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
+
+/usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
+
+/usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+
+/usr/X11R6/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/share/misc/(pci|usb)\.ids -- gen_context(system_u:object_r:hwdata_t,s0)
+')
+
+ifdef(`distro_redhat',`
+/usr/share/hwdata(/.*)? gen_context(system_u:object_r:hwdata_t,s0)
+')
+
+#
+# /var
+#
+/var/ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0)
+
+/var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
+
+/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
+/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
+/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
+/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+
+/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
+/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
+
+ifdef(`distro_debian',`
+/var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+/var/lib/usbutils(/.*)? gen_context(system_u:object_r:hwdata_t,s0)
+')
+
+ifdef(`distro_redhat',`
+/var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+')
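Review bot: `/usr/share/ssl/private(/.*)?` receives the same `cert_t` label as `/usr/share/ssl/certs(/.*)?`, and the `/etc/pki(/.*)?` entry is broad enough to presumably cover private-key subdirectories as well, so every domain granted `miscfiles_read_generic_certs()` or `miscfiles_read_all_certs()` can read private keys, not only public certificates. The NSS database files matched by `/etc/httpd/alias/[^/]*\.db(\.[^/]*)*` likely have the same exposure. Labeling private key material with a distinct type would allow certificate read access to be granted without exposing keys; at minimum a comment on the private entry, e.g. `# NOTE: private keys share cert_t with public certificates; any cert reader can read them`, should record the trust implication.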
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
new file mode 100644
index 00000000..926ba658
--- /dev/null
+++ b/policy/modules/system/miscfiles.if
@@ -0,0 +1,771 @@
+## <summary>Miscelaneous files.</summary>
+
+########################################
+## <summary>
+## Make the specified type usable as a cert file.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable for cert files.
+## This will also make the type usable for files, making
+## calls to files_type() redundant. Failure to use this interface
+## for a temporary file may result in problems with
+## cert management tools.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>files_type()</li>
+## </ul>
+## <p>
+## Example:
+## </p>
+## <p>
+## type mycertfile_t;
+## cert_type(mycertfile_t)
+## allow mydomain_t mycertfile_t:file read_file_perms;
+## files_search_etc(mydomain_t)
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type to be used for files.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`miscfiles_cert_type',`
+ gen_require(`
+ attribute cert_type;
+ ')
+
+ typeattribute $1 cert_type;
+ files_type($1)
+')
+
+########################################
+## <summary>
+## Read all SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_read_all_certs',`
+ gen_require(`
+ attribute cert_type;
+ ')
+
+ allow $1 cert_type:dir list_dir_perms;
+ read_files_pattern($1, cert_type, cert_type)
+ read_lnk_files_pattern($1, cert_type, cert_type)
+')
+
+########################################
+## <summary>
+## Read generic SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_read_generic_certs',`
+ gen_require(`
+ type cert_t;
+ ')
+
+ allow $1 cert_t:dir list_dir_perms;
+ read_files_pattern($1, cert_t, cert_t)
+ read_lnk_files_pattern($1, cert_t, cert_t)
+')
+
+########################################
+## <summary>
+## Manage generic SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_manage_generic_cert_dirs',`
+ gen_require(`
+ type cert_t;
+ ')
+
+ manage_dirs_pattern($1, cert_t, cert_t)
+')
+
+########################################
+## <summary>
+## Manage generic SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_generic_cert_files',`
+ gen_require(`
+ type cert_t;
+ ')
+
+ manage_files_pattern($1, cert_t, cert_t)
+ read_lnk_files_pattern($1, cert_t, cert_t)
+')
+
+########################################
+## <summary>
+## Read SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_read_certs',`
+ miscfiles_read_generic_certs($1)
+ refpolicywarn(`$0() has been deprecated, please use miscfiles_read_generic_certs() instead.')
+')
+
+########################################
+## <summary>
+## Manage SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_manage_cert_dirs',`
+ miscfiles_manage_generic_cert_dirs($1)
+ refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.')
+')
+
+########################################
+## <summary>
+## Manage SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_manage_cert_files',`
+ miscfiles_manage_generic_cert_files($1)
+ refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_files() instead.')
+')
+
+########################################
+## <summary>
+## Read fonts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_read_fonts',`
+ gen_require(`
+ type fonts_t, fonts_cache_t;
+ ')
+
+ # cjp: fonts can be in either of these dirs
+ files_search_usr($1)
+ libs_search_lib($1)
+
+ allow $1 fonts_t:dir list_dir_perms;
+ read_files_pattern($1, fonts_t, fonts_t)
+ read_lnk_files_pattern($1, fonts_t, fonts_t)
+
+ allow $1 fonts_cache_t:dir list_dir_perms;
+ read_files_pattern($1, fonts_cache_t, fonts_cache_t)
+ read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
+')
+
+########################################
+## <summary>
+## Set the attributes on a fonts directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_setattr_fonts_dirs',`
+ gen_require(`
+ type fonts_t;
+ ')
+
+ allow $1 fonts_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the attributes
+## on a fonts directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_dontaudit_setattr_fonts_dirs',`
+ gen_require(`
+ type fonts_t;
+ ')
+
+ dontaudit $1 fonts_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write fonts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_dontaudit_write_fonts',`
+ gen_require(`
+ type fonts_t;
+ ')
+
+ dontaudit $1 fonts_t:dir { write setattr };
+ dontaudit $1 fonts_t:file write;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete fonts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_fonts',`
+ gen_require(`
+ type fonts_t;
+ ')
+
+ # cjp: fonts can be in either of these dirs
+ files_search_usr($1)
+ libs_search_lib($1)
+
+ manage_dirs_pattern($1, fonts_t, fonts_t)
+ manage_files_pattern($1, fonts_t, fonts_t)
+ manage_lnk_files_pattern($1, fonts_t, fonts_t)
+')
+
+########################################
+## <summary>
+## Set the attributes on a fonts cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_setattr_fonts_cache_dirs',`
+ gen_require(`
+ type fonts_cache_t;
+ ')
+
+ allow $1 fonts_cache_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the attributes
+## on a fonts cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',`
+ gen_require(`
+ type fonts_cache_t;
+ ')
+
+ dontaudit $1 fonts_cache_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete fonts cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_fonts_cache',`
+ gen_require(`
+ type fonts_cache_t;
+ ')
+
+ files_search_var($1)
+
+ manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t)
+ manage_files_pattern($1, fonts_cache_t, fonts_cache_t)
+ manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
+')
+
+########################################
+## <summary>
+## Read hardware identification data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_read_hwdata',`
+ gen_require(`
+ type hwdata_t;
+ ')
+
+ allow $1 hwdata_t:dir list_dir_perms;
+ read_files_pattern($1, hwdata_t, hwdata_t)
+ read_lnk_files_pattern($1, hwdata_t, hwdata_t)
+')
+
+########################################
+## <summary>
+## Allow process to setattr localization info
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_setattr_localization',`
+ gen_require(`
+ type locale_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 locale_t:dir list_dir_perms;
+ allow $1 locale_t:file setattr;
+')
+
+########################################
+## <summary>
+## Allow process to read localization information.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read the localization files.
+## This is typically for time zone configuration files, such as
+## /etc/localtime and files in /usr/share/zoneinfo.
+## Typically, any domain which needs to know the GMT/UTC
+## offset of the current timezone will need access
+## to these files. Generally, it should be safe for any
+## domain to read these files.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`miscfiles_read_localization',`
+ gen_require(`
+ type locale_t;
+ ')
+
+ files_read_etc_symlinks($1)
+ files_search_usr($1)
+ allow $1 locale_t:dir list_dir_perms;
+ read_files_pattern($1, locale_t, locale_t)
+ read_lnk_files_pattern($1, locale_t, locale_t)
+')
+
+########################################
+## <summary>
+## Allow process to write localization info
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_rw_localization',`
+ gen_require(`
+ type locale_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 locale_t:dir list_dir_perms;
+ rw_files_pattern($1, locale_t, locale_t)
+')
+
+########################################
+## <summary>
+## Allow process to relabel localization info
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_relabel_localization',`
+ gen_require(`
+ type locale_t;
+ ')
+
+ files_search_usr($1)
+ relabel_files_pattern($1, locale_t, locale_t)
+')
+
+########################################
+## <summary>
+## Allow process to read legacy time localization info
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_legacy_read_localization',`
+ gen_require(`
+ type locale_t;
+ ')
+
+ miscfiles_read_localization($1)
+ allow $1 locale_t:file execute;
+')
+
+########################################
+## <summary>
+## Search man pages.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_search_man_pages',`
+ gen_require(`
+ type man_t;
+ ')
+
+ allow $1 man_t:dir search_dir_perms;
+ files_search_usr($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search man pages.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`miscfiles_dontaudit_search_man_pages',`
+ gen_require(`
+ type man_t;
+ ')
+
+ dontaudit $1 man_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read man pages
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_read_man_pages',`
+ gen_require(`
+ type man_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 man_t:dir list_dir_perms;
+ read_files_pattern($1, man_t, man_t)
+ read_lnk_files_pattern($1, man_t, man_t)
+')
+
+########################################
+## <summary>
+## Delete man pages
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+# cjp: added for tmpreaper
+#
+interface(`miscfiles_delete_man_pages',`
+ gen_require(`
+ type man_t;
+ ')
+
+ files_search_usr($1)
+
+ allow $1 man_t:dir setattr;
+ # RH bug #309351
+ allow $1 man_t:dir list_dir_perms;
+ delete_dirs_pattern($1, man_t, man_t)
+ delete_files_pattern($1, man_t, man_t)
+ delete_lnk_files_pattern($1, man_t, man_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete man pages
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_manage_man_pages',`
+ gen_require(`
+ type man_t;
+ ')
+
+ files_search_usr($1)
+ manage_dirs_pattern($1, man_t, man_t)
+ manage_files_pattern($1, man_t, man_t)
+ read_lnk_files_pattern($1, man_t, man_t)
+')
+
+########################################
+## <summary>
+## Read public files used for file
+## transfer services.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_read_public_files',`
+ gen_require(`
+ type public_content_t, public_content_rw_t;
+ ')
+
+ allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
+ read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
+ read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete public files
+## and directories used for file transfer services.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_public_files',`
+ gen_require(`
+ type public_content_rw_t;
+ ')
+
+ manage_dirs_pattern($1, public_content_rw_t, public_content_rw_t)
+ manage_files_pattern($1, public_content_rw_t, public_content_rw_t)
+ manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
+')
+
+########################################
+## <summary>
+## Read TeX data
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_read_tetex_data',`
+ gen_require(`
+ type tetex_data_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+
+ # cjp: TeX data can be in either of the above dirs
+ allow $1 tetex_data_t:dir list_dir_perms;
+ read_files_pattern($1, tetex_data_t, tetex_data_t)
+ read_lnk_files_pattern($1, tetex_data_t, tetex_data_t)
+')
+
+########################################
+## <summary>
+## Execute TeX data programs in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_exec_tetex_data',`
+ gen_require(`
+ type fonts_t;
+ type tetex_data_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+
+ # cjp: TeX data can be in either of the above dirs
+ allow $1 tetex_data_t:dir list_dir_perms;
+ exec_files_pattern($1, tetex_data_t, tetex_data_t)
+')
+
+########################################
+## <summary>
+## Let test files be an entry point for
+## a specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_domain_entry_test_files',`
+ gen_require(`
+ type test_file_t;
+ ')
+
+ domain_entry_file($1, test_file_t)
+')
+
+########################################
+## <summary>
+## Read test files and directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_read_test_files',`
+ gen_require(`
+ type test_file_t;
+ ')
+
+ read_files_pattern($1, test_file_t, test_file_t)
+ read_lnk_files_pattern($1, test_file_t, test_file_t)
+')
+
+########################################
+## <summary>
+## Execute test files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_exec_test_files',`
+ gen_require(`
+ type test_file_t;
+ ')
+
+ exec_files_pattern($1, test_file_t, test_file_t)
+ read_lnk_files_pattern($1, test_file_t, test_file_t)
+')
+
+########################################
+## <summary>
+## Execute test files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_etc_filetrans_localization',`
+ gen_require(`
+ type locale_t;
+ ')
+
+ files_etc_filetrans($1, locale_t, file)
+
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete localization
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_localization',`
+ gen_require(`
+ type locale_t;
+ ')
+
+ manage_dirs_pattern($1, locale_t, locale_t)
+ manage_files_pattern($1, locale_t, locale_t)
+ manage_lnk_files_pattern($1, locale_t, locale_t)
+')
+
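Review bot: The `<summary>` on `miscfiles_etc_filetrans_localization` reads "Execute test files.", copied from the interface above it, and does not describe what the body does (`files_etc_filetrans($1, locale_t, file)`); it should read `## Create files in /etc with a type transition to locale_t.` `miscfiles_exec_tetex_data` requires `type fonts_t;` but never references it, so that line should be dropped from its `gen_require`. `miscfiles_manage_generic_cert_dirs` and `miscfiles_manage_generic_cert_files` share the summary "Manage generic SSL certificates."; the first should say `## Manage generic SSL certificate directories.` The module summary also misspells "Miscelaneous", and the stray blank line before the closing `')` of `miscfiles_etc_filetrans_localization` is out of step with the rest of the file.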
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
new file mode 100644
index 00000000..703944ce
--- /dev/null
+++ b/policy/modules/system/miscfiles.te
@@ -0,0 +1,63 @@
+policy_module(miscfiles, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute cert_type;
+
+#
+# cert_t is the type of files in the system certs directories.
+#
+type cert_t;
+miscfiles_cert_type(cert_t)
+
+#
+# fonts_t is the type of various font
+# files in /usr
+#
+type fonts_t;
+files_type(fonts_t)
+
+type fonts_cache_t;
+files_type(fonts_cache_t)
+
+#
+# type for /usr/share/hwdata
+#
+type hwdata_t;
+files_type(hwdata_t)
+
+#
+# locale_t is the type for system localization
+#
+type locale_t;
+files_type(locale_t)
+
+#
+# man_t is the type for the man directories.
+#
+type man_t alias catman_t;
+files_type(man_t)
+
+#
+# Types for public content
+#
+type public_content_t; #, customizable;
+files_type(public_content_t)
+
+type public_content_rw_t; #, customizable;
+files_type(public_content_rw_t)
+
+#
+# Base type for the tests directory.
+#
+type test_file_t;
+files_type(test_file_t)
+
+#
+# for /var/{spool,lib}/texmf index files
+#
+type tetex_data_t;
+files_tmp_file(tetex_data_t)
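Review bot: `type public_content_t; #, customizable;` and `type public_content_rw_t; #, customizable;` carry a commented-out fragment of a type declaration in a brand-new file, which reads as dead code rather than as documentation; mount.te in this same commit expresses the same intent as `type mount_loopback_t; # customizable`, so `type public_content_t; # customizable` would be consistent and unambiguous. The comment above test_file_t, `# Base type for the tests directory.`, does not say which directory that is; if the path is labeled in miscfiles.fc, naming it here would help the next reader.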
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
new file mode 100644
index 00000000..532181a5
--- /dev/null
+++ b/policy/modules/system/modutils.fc
@@ -0,0 +1,24 @@
+
+/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
+/etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
+/etc/modprobe\.d(/.*)? gen_context(system_u:object_r:modules_conf_t,s0)
+
+ifdef(`distro_gentoo',`
+# gentoo init scripts still manage this file
+# even if devfs is off
+/etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0)
+')
+
+/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+
+/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+/lib64/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+
+/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
+/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
+/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
+/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
+/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0)
+/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
+/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
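Review bot: `/etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0)` leaves the dot before `devfs` unescaped, while every other entry in the file escapes it (`modules\.conf`, `modprobe\.conf`); in a file context regex an unescaped `.` matches any character, so the pattern is looser than the surrounding entries and should read `/etc/modprobe\.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0)`. The file also begins with an empty first line, unlike the other .fc files added in this commit.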
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
new file mode 100644
index 00000000..19d328a7
--- /dev/null
+++ b/policy/modules/system/modutils.if
@@ -0,0 +1,355 @@
+## <summary>Policy for kernel module utilities</summary>
+
+######################################
+## <summary>
+## Getattr the dependencies of kernel modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_getattr_module_deps',`
+ gen_require(`
+ type modules_dep_t;
+ ')
+
+ getattr_files_pattern($1, modules_object_t, modules_dep_t)
+')
+
+########################################
+## <summary>
+## Read the dependencies of kernel modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_read_module_deps',`
+ gen_require(`
+ type modules_dep_t;
+ ')
+
+ files_list_kernel_modules($1)
+ allow $1 modules_dep_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## List the module configuration option files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modutils_list_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+
+
+########################################
+## <summary>
+## Read the configuration options used when
+## loading modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modutils_read_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ # This file type can be in /etc or
+ # /lib(64)?/modules
+ files_search_etc($1)
+ files_search_boot($1)
+
+ read_files_pattern($1, modules_conf_t, modules_conf_t)
+ read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+## <summary>
+## Rename a file with the configuration options used when
+## loading modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_rename_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ rename_files_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+## <summary>
+## Unlink a file with the configuration options used when
+## loading modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_delete_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ delete_files_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+## <summary>
+## Manage files with the configuration options used when
+## loading modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_manage_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ manage_files_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+## <summary>
+## Unconditionally execute insmod in the insmod domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+# cjp: this is added for pppd, due to nested
+# conditionals not working.
+interface(`modutils_domtrans_insmod_uncond',`
+ gen_require(`
+ type insmod_t, insmod_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, insmod_exec_t, insmod_t)
+')
+
+########################################
+## <summary>
+## Execute insmod in the insmod domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`modutils_domtrans_insmod',`
+ gen_require(`
+ type insmod_t, insmod_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, insmod_exec_t, insmod_t)
+')
+
+########################################
+## <summary>
+## Execute insmod in the insmod domain, and
+## allow the specified role the insmod domain,
+## and use the caller's terminal. Has a sigchld
+## backchannel.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modutils_run_insmod',`
+ gen_require(`
+ type insmod_t;
+ ')
+
+ modutils_domtrans_insmod($1)
+ role $2 types insmod_t;
+')
+
+########################################
+## <summary>
+## Execute insmod in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_exec_insmod',`
+ gen_require(`
+ type insmod_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, insmod_exec_t)
+')
+
+########################################
+## <summary>
+## Execute depmod in the depmod domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`modutils_domtrans_depmod',`
+ gen_require(`
+ type depmod_t, depmod_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, depmod_exec_t, depmod_t)
+')
+
+########################################
+## <summary>
+## Execute depmod in the depmod domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modutils_run_depmod',`
+ gen_require(`
+ type depmod_t, insmod_t;
+ ')
+
+ modutils_domtrans_depmod($1)
+ role $2 types depmod_t;
+')
+
+########################################
+## <summary>
+## Execute depmod in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_exec_depmod',`
+ gen_require(`
+ type depmod_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, depmod_exec_t)
+')
+
+########################################
+## <summary>
+## Execute depmod in the depmod domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`modutils_domtrans_update_mods',`
+ gen_require(`
+ type update_modules_t, update_modules_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, update_modules_exec_t, update_modules_t)
+')
+
+########################################
+## <summary>
+## Execute update_modules in the update_modules domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modutils_run_update_mods',`
+ gen_require(`
+ attribute_role update_modules_roles;
+ ')
+
+ modutils_domtrans_update_mods($1)
+ roleattribute $2 update_modules_roles;
+')
+
+########################################
+## <summary>
+## Execute update_modules in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_exec_update_mods',`
+ gen_require(`
+ type update_modules_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, update_modules_exec_t)
+')
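Review bot: `getattr_files_pattern($1, modules_object_t, modules_dep_t)` in modutils_getattr_module_deps uses modules_object_t, but the interface's gen_require lists only modules_dep_t, so that type is referenced without being required; if it is the intended directory type (presumably declared in another module), the require block should read `type modules_dep_t, modules_object_t;`. Separately, the summary of modutils_domtrans_update_mods says "Execute depmod in the depmod domain." although its body transitions to update_modules_t, and modutils_run_depmod requires insmod_t without using it. modutils_domtrans_insmod_uncond and modutils_domtrans_insmod have identical bodies; the cjp comment gives the history, but a sentence saying which one new callers should use would help.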
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
new file mode 100644
index 00000000..43e99e54
--- /dev/null
+++ b/policy/modules/system/modutils.te
@@ -0,0 +1,326 @@
+policy_module(modutils, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role update_modules_roles;
+
+type depmod_t;
+type depmod_exec_t;
+init_system_domain(depmod_t, depmod_exec_t)
+role system_r types depmod_t;
+
+type insmod_t;
+type insmod_exec_t;
+application_domain(insmod_t, insmod_exec_t)
+mls_file_write_all_levels(insmod_t)
+role system_r types insmod_t;
+
+# module loading config
+type modules_conf_t;
+files_type(modules_conf_t)
+
+# module dependencies
+type modules_dep_t;
+files_type(modules_dep_t)
+
+type update_modules_t;
+type update_modules_exec_t;
+init_system_domain(update_modules_t, update_modules_exec_t)
+roleattribute system_r update_modules_roles;
+role update_modules_roles types update_modules_t;
+
+type update_modules_tmp_t;
+files_tmp_file(update_modules_tmp_t)
+
+########################################
+#
+# depmod local policy
+#
+
+can_exec(depmod_t, depmod_exec_t)
+
+# Read conf.modules.
+read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
+
+allow depmod_t modules_dep_t:file manage_file_perms;
+files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
+
+kernel_read_system_state(depmod_t)
+
+corecmd_search_bin(depmod_t)
+
+domain_use_interactive_fds(depmod_t)
+
+files_read_kernel_symbol_table(depmod_t)
+files_read_kernel_modules(depmod_t)
+files_read_etc_runtime_files(depmod_t)
+files_read_etc_files(depmod_t)
+files_read_usr_src_files(depmod_t)
+files_list_usr(depmod_t)
+
+fs_getattr_xattr_fs(depmod_t)
+
+term_use_console(depmod_t)
+
+init_use_fds(depmod_t)
+init_use_script_fds(depmod_t)
+init_use_script_ptys(depmod_t)
+
+userdom_use_user_terminals(depmod_t)
+# Read System.map from home directories.
+files_list_home(depmod_t)
+userdom_read_user_home_content_files(depmod_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(depmod_t)
+ ')
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(depmod_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(depmod_t)
+')
+
+optional_policy(`
+ dracut_manage_tmp_files(depmod_t)
+')
+
+optional_policy(`
+ rpm_rw_pipes(depmod_t)
+ rpm_manage_script_tmp_files(depmod_t)
+')
+
+optional_policy(`
+ # Read System.map from home directories.
+ unconfined_domain(depmod_t)
+')
+
+########################################
+#
+# insmod local policy
+#
+
+allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
+allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+
+allow insmod_t self:udp_socket create_socket_perms;
+allow insmod_t self:rawip_socket create_socket_perms;
+
+# Read module config and dependency information
+list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
+read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
+list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
+read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+
+can_exec(insmod_t, insmod_exec_t)
+
+kernel_load_module(insmod_t)
+kernel_request_load_module(insmod_t)
+kernel_read_system_state(insmod_t)
+kernel_read_network_state(insmod_t)
+kernel_write_proc_files(insmod_t)
+kernel_mount_debugfs(insmod_t)
+kernel_mount_kvmfs(insmod_t)
+kernel_read_debugfs(insmod_t)
+# Rules for /proc/sys/kernel/tainted
+kernel_read_kernel_sysctls(insmod_t)
+kernel_rw_kernel_sysctl(insmod_t)
+kernel_read_hotplug_sysctls(insmod_t)
+kernel_setsched(insmod_t)
+
+corecmd_exec_bin(insmod_t)
+corecmd_exec_shell(insmod_t)
+
+dev_rw_sysfs(insmod_t)
+dev_search_usbfs(insmod_t)
+dev_rw_mtrr(insmod_t)
+dev_read_urand(insmod_t)
+dev_rw_agp(insmod_t)
+dev_read_sound(insmod_t)
+dev_write_sound(insmod_t)
+dev_rw_apm_bios(insmod_t)
+
+domain_signal_all_domains(insmod_t)
+domain_use_interactive_fds(insmod_t)
+
+files_read_kernel_modules(insmod_t)
+files_read_etc_runtime_files(insmod_t)
+files_read_etc_files(insmod_t)
+files_read_usr_files(insmod_t)
+files_exec_etc_files(insmod_t)
+# for nscd:
+files_dontaudit_search_pids(insmod_t)
+# for when /var is not mounted early in the boot:
+files_dontaudit_search_isid_type_dirs(insmod_t)
+# for locking: (cjp: ????)
+files_write_kernel_modules(insmod_t)
+
+fs_getattr_xattr_fs(insmod_t)
+fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
+
+init_rw_initctl(insmod_t)
+init_use_fds(insmod_t)
+init_use_script_fds(insmod_t)
+init_use_script_ptys(insmod_t)
+
+logging_send_syslog_msg(insmod_t)
+logging_search_logs(insmod_t)
+
+miscfiles_read_localization(insmod_t)
+
+seutil_read_file_contexts(insmod_t)
+
+userdom_use_user_terminals(insmod_t)
+
+userdom_dontaudit_search_user_home_dirs(insmod_t)
+
+kernel_domtrans_to(insmod_t, insmod_exec_t)
+
+optional_policy(`
+ alsa_domtrans(insmod_t)
+')
+
+optional_policy(`
+ firstboot_dontaudit_rw_pipes(insmod_t)
+ firstboot_dontaudit_rw_stream_sockets(insmod_t)
+')
+
+optional_policy(`
+ hal_write_log(insmod_t)
+')
+
+optional_policy(`
+ hotplug_search_config(insmod_t)
+')
+
+optional_policy(`
+ mount_domtrans(insmod_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(insmod_t)
+')
+
+optional_policy(`
+ nscd_socket_use(insmod_t)
+')
+
+optional_policy(`
+ fs_manage_ramfs_files(insmod_t)
+
+ rhgb_use_fds(insmod_t)
+ rhgb_dontaudit_use_ptys(insmod_t)
+
+ xserver_dontaudit_write_log(insmod_t)
+ xserver_stream_connect(insmod_t)
+ xserver_dontaudit_rw_stream_sockets(insmod_t)
+
+ ifdef(`hide_broken_symptoms',`
+ xserver_dontaudit_rw_tcp_sockets(insmod_t)
+ ')
+')
+
+optional_policy(`
+ rpm_rw_pipes(insmod_t)
+')
+
+optional_policy(`
+ unconfined_domain(insmod_t)
+ unconfined_dontaudit_rw_pipes(insmod_t)
+')
+
+optional_policy(`
+ # cjp: why is this needed:
+ dev_rw_xserver_misc(insmod_t)
+
+ xserver_getattr_log(insmod_t)
+')
+
+#################################
+#
+# update-modules local policy
+#
+
+allow update_modules_t self:fifo_file rw_fifo_file_perms;
+
+allow update_modules_t modules_dep_t:file rw_file_perms;
+
+can_exec(update_modules_t, insmod_exec_t)
+can_exec(update_modules_t, update_modules_exec_t)
+
+# manage module loading configuration
+manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t)
+files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
+files_etc_filetrans(update_modules_t, modules_conf_t, file)
+
+# transition to depmod
+domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
+allow update_modules_t depmod_t:fd use;
+allow depmod_t update_modules_t:fd use;
+allow depmod_t update_modules_t:fifo_file rw_file_perms;
+allow depmod_t update_modules_t:process sigchld;
+
+manage_dirs_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t)
+manage_files_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t)
+files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(update_modules_t)
+kernel_read_system_state(update_modules_t)
+
+corecmd_exec_bin(update_modules_t)
+corecmd_exec_shell(update_modules_t)
+
+dev_read_urand(update_modules_t)
+
+domain_use_interactive_fds(update_modules_t)
+
+files_read_etc_runtime_files(update_modules_t)
+files_read_etc_files(update_modules_t)
+files_exec_etc_files(update_modules_t)
+
+fs_getattr_xattr_fs(update_modules_t)
+
+term_use_console(update_modules_t)
+
+init_use_fds(update_modules_t)
+init_use_script_fds(update_modules_t)
+init_use_script_ptys(update_modules_t)
+
+logging_send_syslog_msg(update_modules_t)
+
+miscfiles_read_localization(update_modules_t)
+
+modutils_run_insmod(update_modules_t, update_modules_roles)
+
+userdom_use_user_terminals(update_modules_t)
+userdom_dontaudit_search_user_home_dirs(update_modules_t)
+
+ifdef(`distro_gentoo',`
+ files_search_pids(update_modules_t)
+ files_getattr_usr_src_files(update_modules_t)
+ files_list_isid_type_dirs(update_modules_t) # /var
+
+ # update-modules on Gentoo throws errors when run because it
+ # sources /etc/init.d/functions.sh, which always scans
+ # /var/lib/init.d to set SOFTLEVEL environment var.
+ # This is never used by update-modules.
+ files_dontaudit_search_var_lib(update_modules_t)
+ init_dontaudit_read_script_status_files(update_modules_t)
+
+ optional_policy(`
+ consoletype_exec(update_modules_t)
+ ')
+')
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(update_modules_t)
+ ')
+')
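Review bot: The third optional_policy block in the depmod section applies unconfined_domain(depmod_t) unconditionally (whenever the module providing it is present, as far as I can tell), which makes the distro_ubuntu-gated unconfined_domain(depmod_t) above it redundant, and its comment `# Read System.map from home directories.` is copied from the userdom rules and does not describe what the rule does; if the rule is intentional it deserves a comment stating why, since depmod_t is a privileged boot-time domain. An unconditional unconfined_domain(insmod_t) block appears in the insmod section as well, again without a reason. Also `allow depmod_t update_modules_t:fifo_file rw_file_perms;` applies the file permission set to a fifo_file object while the update-modules section uses rw_fifo_file_perms for that class; `allow depmod_t update_modules_t:fifo_file rw_fifo_file_perms;` would be consistent. The `# for locking: (cjp: ????)` comment on files_write_kernel_modules(insmod_t) leaves a write rule on the module tree unexplained.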
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
new file mode 100644
index 00000000..72c746e7
--- /dev/null
+++ b/policy/modules/system/mount.fc
@@ -0,0 +1,4 @@
+/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+
+/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
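Review bot: `/bin/mount.*` and `/bin/umount.*` label every file in /bin whose name begins with mount or umount as mount_exec_t, not only mount itself and the `mount.<fstype>` helpers, so any other binary sharing that prefix is also given the transition type; if matching the helpers is the intent, the tighter `/bin/mount(\..*)?` and `/bin/umount(\..*)?` would say so, or a one-line comment above the entries should state that the broad prefix match is deliberate.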
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
new file mode 100644
index 00000000..4584457b
--- /dev/null
+++ b/policy/modules/system/mount.if
@@ -0,0 +1,175 @@
+## <summary>Policy for mount.</summary>
+
+########################################
+## <summary>
+## Execute mount in the mount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mount_domtrans',`
+ gen_require(`
+ type mount_t, mount_exec_t;
+ ')
+
+ domtrans_pattern($1, mount_exec_t, mount_t)
+')
+
+########################################
+## <summary>
+## Execute mount in the mount domain, and
+## allow the specified role the mount domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mount_run',`
+ gen_require(`
+ attribute_role mount_roles;
+ ')
+
+ mount_domtrans($1)
+ roleattribute $2 mount_roles;
+')
+
+########################################
+## <summary>
+## Execute mount in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_exec',`
+ gen_require(`
+ type mount_exec_t;
+ ')
+
+ # cjp: this should be removed:
+ allow $1 mount_exec_t:dir list_dir_perms;
+
+ allow $1 mount_exec_t:lnk_file read_lnk_file_perms;
+ can_exec($1, mount_exec_t)
+')
+
+########################################
+## <summary>
+## Send a generic signal to mount.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_signal',`
+ gen_require(`
+ type mount_t;
+ ')
+
+ allow $1 mount_t:process signal;
+')
+
+########################################
+## <summary>
+## Use file descriptors for mount.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`mount_use_fds',`
+ gen_require(`
+ type mount_t;
+ ')
+
+ allow $1 mount_t:fd use;
+')
+
+########################################
+## <summary>
+## Allow the mount domain to send nfs requests for mounting
+## network drives
+## </summary>
+## <desc>
+## <p>
+## Allow the mount domain to send nfs requests for mounting
+## network drives
+## </p>
+## <p>
+## This interface has been deprecated as these rules were
+## a side effect of leaked mount file descriptors. This
+## interface has no effect.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_send_nfs_client_request',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Execute mount in the unconfined mount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mount_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_mount_t, mount_exec_t;
+ ')
+
+ domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
+')
+
+########################################
+## <summary>
+## Execute mount in the unconfined mount domain, and
+## allow the specified role the unconfined mount domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mount_run_unconfined',`
+ gen_require(`
+ type unconfined_mount_t;
+ ')
+
+ mount_domtrans_unconfined($1)
+ role $2 types unconfined_mount_t;
+')
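Review bot: mount_exec keeps `allow $1 mount_exec_t:dir list_dir_perms;` under the comment `# cjp: this should be removed:`, so a newly added interface ships a rule its own author marks as wrong; either drop the rule or replace the comment with the reason it is still needed, since a dir permission on an executable file type is otherwise unexplained. Also, mount_domtrans calls domtrans_pattern without a preceding corecmd_search_bin($1), unlike the domtrans interfaces in modutils.if and netlabel.if in this commit; if callers are expected to already have bin search access, a one-line comment saying so would stop it being re-added later.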
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
new file mode 100644
index 00000000..7f5fbfb9
--- /dev/null
+++ b/policy/modules/system/mount.te
@@ -0,0 +1,219 @@
+policy_module(mount, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow the mount command to mount any directory or file.
+## </p>
+## </desc>
+gen_tunable(allow_mount_anyfile, false)
+
+attribute_role mount_roles;
+roleattribute system_r mount_roles;
+
+type mount_t;
+type mount_exec_t;
+init_system_domain(mount_t, mount_exec_t)
+role mount_roles types mount_t;
+
+type mount_loopback_t; # customizable
+files_type(mount_loopback_t)
+
+type mount_tmp_t;
+files_tmp_file(mount_tmp_t)
+
+# causes problems with interfaces when
+# this is optionally declared in monolithic
+# policy--duplicate type declaration
+type unconfined_mount_t;
+application_domain(unconfined_mount_t, mount_exec_t)
+
+########################################
+#
+# mount local policy
+#
+
+# setuid/setgid needed to mount cifs
+allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+
+allow mount_t mount_loopback_t:file read_file_perms;
+
+allow mount_t mount_tmp_t:file manage_file_perms;
+allow mount_t mount_tmp_t:dir manage_dir_perms;
+
+can_exec(mount_t, mount_exec_t)
+
+files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
+
+kernel_read_system_state(mount_t)
+kernel_read_kernel_sysctls(mount_t)
+kernel_setsched(mount_t)
+kernel_dontaudit_getattr_core_if(mount_t)
+kernel_dontaudit_write_debugfs_dirs(mount_t)
+kernel_dontaudit_write_proc_dirs(mount_t)
+# To load binfmt_misc kernel module
+kernel_request_load_module(mount_t)
+
+# required for mount.smbfs
+corecmd_exec_bin(mount_t)
+
+dev_getattr_all_blk_files(mount_t)
+dev_list_all_dev_nodes(mount_t)
+dev_read_sysfs(mount_t)
+dev_dontaudit_write_sysfs_dirs(mount_t)
+dev_rw_lvm_control(mount_t)
+dev_dontaudit_getattr_all_chr_files(mount_t)
+dev_dontaudit_getattr_memory_dev(mount_t)
+dev_getattr_sound_dev(mount_t)
+# Early devtmpfs, before udev relabel
+dev_dontaudit_rw_generic_chr_files(mount_t)
+
+domain_use_interactive_fds(mount_t)
+
+files_search_all(mount_t)
+files_read_etc_files(mount_t)
+files_manage_etc_runtime_files(mount_t)
+files_etc_filetrans_etc_runtime(mount_t, file)
+files_mounton_all_mountpoints(mount_t)
+files_unmount_rootfs(mount_t)
+# These rules need to be generalized. Only admin, initrc should have it:
+files_relabel_all_file_type_fs(mount_t)
+files_mount_all_file_type_fs(mount_t)
+files_unmount_all_file_type_fs(mount_t)
+# for when /etc/mtab loses its type
+# cjp: this seems wrong, the type should probably be etc
+files_read_isid_type_files(mount_t)
+# For reading cert files
+files_read_usr_files(mount_t)
+files_list_mnt(mount_t)
+files_dontaudit_write_all_mountpoints(mount_t)
+files_dontaudit_setattr_all_mountpoints(mount_t)
+
+fs_getattr_xattr_fs(mount_t)
+fs_getattr_cifs(mount_t)
+fs_mount_all_fs(mount_t)
+fs_unmount_all_fs(mount_t)
+fs_remount_all_fs(mount_t)
+fs_relabelfrom_all_fs(mount_t)
+fs_list_auto_mountpoints(mount_t)
+fs_rw_tmpfs_chr_files(mount_t)
+fs_read_tmpfs_symlinks(mount_t)
+fs_dontaudit_write_tmpfs_dirs(mount_t)
+
+mls_file_read_all_levels(mount_t)
+mls_file_write_all_levels(mount_t)
+
+selinux_get_enforce_mode(mount_t)
+selinux_get_fs_mount(mount_t)
+
+storage_raw_read_fixed_disk(mount_t)
+storage_raw_write_fixed_disk(mount_t)
+storage_raw_read_removable_device(mount_t)
+storage_raw_write_removable_device(mount_t)
+
+term_use_all_terms(mount_t)
+term_dontaudit_manage_pty_dirs(mount_t)
+
+auth_use_nsswitch(mount_t)
+
+init_use_fds(mount_t)
+init_use_script_ptys(mount_t)
+init_dontaudit_getattr_initctl(mount_t)
+
+logging_send_syslog_msg(mount_t)
+
+miscfiles_read_localization(mount_t)
+
+sysnet_use_portmap(mount_t)
+
+seutil_read_config(mount_t)
+
+userdom_use_all_users_fds(mount_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ auth_read_pam_console_data(mount_t)
+ # mount config by default sets fscontext=removable_t
+ fs_relabelfrom_dos_fs(mount_t)
+ ')
+')
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(mount_t)
+ ')
+')
+
+tunable_policy(`allow_mount_anyfile',`
+ auth_read_all_dirs_except_auth_files(mount_t)
+ auth_read_all_files_except_auth_files(mount_t)
+ files_mounton_non_security(mount_t)
+')
+
+optional_policy(`
+ # for nfs
+ corenet_all_recvfrom_unlabeled(mount_t)
+ corenet_all_recvfrom_netlabel(mount_t)
+ corenet_tcp_sendrecv_all_if(mount_t)
+ corenet_raw_sendrecv_all_if(mount_t)
+ corenet_udp_sendrecv_all_if(mount_t)
+ corenet_tcp_sendrecv_all_nodes(mount_t)
+ corenet_raw_sendrecv_all_nodes(mount_t)
+ corenet_udp_sendrecv_all_nodes(mount_t)
+ corenet_tcp_sendrecv_all_ports(mount_t)
+ corenet_udp_sendrecv_all_ports(mount_t)
+ corenet_tcp_bind_all_nodes(mount_t)
+ corenet_udp_bind_all_nodes(mount_t)
+ corenet_tcp_bind_generic_port(mount_t)
+ corenet_udp_bind_generic_port(mount_t)
+ corenet_tcp_bind_reserved_port(mount_t)
+ corenet_udp_bind_reserved_port(mount_t)
+ corenet_tcp_bind_all_rpc_ports(mount_t)
+ corenet_udp_bind_all_rpc_ports(mount_t)
+ corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
+ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
+ corenet_tcp_connect_all_ports(mount_t)
+
+ fs_search_rpc(mount_t)
+
+ rpc_stub(mount_t)
+')
+
+optional_policy(`
+ apm_use_fds(mount_t)
+')
+
+optional_policy(`
+ ifdef(`hide_broken_symptoms',`
+ # for a bug in the X server
+ rhgb_dontaudit_rw_stream_sockets(mount_t)
+ term_dontaudit_use_ptmx(mount_t)
+ ')
+')
+
+optional_policy(`
+ puppet_rw_tmp(mount_t)
+')
+
+# for kernel package installation
+optional_policy(`
+ rpm_rw_pipes(mount_t)
+')
+
+optional_policy(`
+ samba_run_smbmount(mount_t, mount_roles)
+')
+
+########################################
+#
+# Unconfined mount local policy
+#
+
+optional_policy(`
+ files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+ unconfined_domain(unconfined_mount_t)
+')
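Review bot: `files_relabel_all_file_type_fs(mount_t)`, `files_mount_all_file_type_fs(mount_t)` and `files_unmount_all_file_type_fs(mount_t)` are introduced under a comment stating that only admin and initrc should have them, so the new module ships access its own comment calls too broad without saying which caller requires it; the comment should name the use case (or a placeholder for a tracking reference) so the next reader can tell when it can be narrowed, and the relabel rule in particular looks like a candidate for gating behind the allow_mount_anyfile tunable declared above. The `# cjp: this seems wrong` note on files_read_isid_type_files(mount_t) has the same problem. Separately, the allow_mount_anyfile description only says "mount any directory or file", while the tunable body also grants reading all directories and files except authentication files; `Allow the mount command to mount on any non-security directory and to read all files and directories except authentication data.` would describe what it actually enables.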
diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
new file mode 100644
index 00000000..b263a8af
--- /dev/null
+++ b/policy/modules/system/netlabel.fc
@@ -0,0 +1 @@
+/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
diff --git a/policy/modules/system/netlabel.if b/policy/modules/system/netlabel.if
new file mode 100644
index 00000000..8cfaa756
--- /dev/null
+++ b/policy/modules/system/netlabel.if
@@ -0,0 +1,46 @@
+## <summary>NetLabel/CIPSO labeled networking management</summary>
+
+########################################
+## <summary>
+## Execute netlabel_mgmt in the netlabel_mgmt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`netlabel_domtrans_mgmt',`
+ gen_require(`
+ type netlabel_mgmt_t, netlabel_mgmt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, netlabel_mgmt_exec_t, netlabel_mgmt_t)
+')
+
+########################################
+## <summary>
+## Execute netlabel_mgmt in the netlabel_mgmt domain, and
+## allow the specified role the netlabel_mgmt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`netlabel_run_mgmt',`
+ gen_require(`
+ type netlabel_mgmt_t;
+ ')
+
+ netlabel_domtrans_mgmt($1)
+ role $2 types netlabel_mgmt_t;
+')
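Review bot: netlabel_run_mgmt grants the role directly with `role $2 types netlabel_mgmt_t;`, whereas mount_run and modutils_run_update_mods in this same commit declare an attribute_role and use `roleattribute $2 ...`; both forms are valid, but mixing them across newly added system modules leaves it unclear which pattern new run interfaces should follow. Either aligning netlabel on the role-attribute form or adding a one-line comment explaining why the direct role rule is used here would settle that.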
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
new file mode 100644
index 00000000..cbbda4a3
--- /dev/null
+++ b/policy/modules/system/netlabel.te
@@ -0,0 +1,28 @@
+policy_module(netlabel, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type netlabel_mgmt_t;
+type netlabel_mgmt_exec_t;
+application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
+role system_r types netlabel_mgmt_t;
+
+########################################
+#
+# NetLabel Management Tools Local policy
+#
+
+# modify the network subsystem configuration
+allow netlabel_mgmt_t self:capability net_admin;
+allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
+
+kernel_read_network_state(netlabel_mgmt_t)
+
+files_read_etc_files(netlabel_mgmt_t)
+
+seutil_use_newrole_fds(netlabel_mgmt_t)
+
+userdom_use_user_terminals(netlabel_mgmt_t)
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
new file mode 100644
index 00000000..83848fcd
--- /dev/null
+++ b/policy/modules/system/selinuxutil.fc
@@ -0,0 +1,53 @@
+# SELinux userland utilities
+
+#
+# /etc
+#
+/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
+/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
+/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
+/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+
+#
+# /root
+#
+/root/\.default_contexts -- gen_context(system_u:object_r:default_context_t,s0)
+
+#
+# /sbin
+#
+/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
+/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0)
+/usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0)
+
+/usr/lib(64)?/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
+
+/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
+/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
+/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
+/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
+
+#
+# /var/lib
+#
+/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0)
+
+#
+# /var/run
+#
+/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
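Review bot: `/sbin/restorecon` is labelled setfiles_exec_t but there is no `/usr/sbin/restorecon` entry, while load_policy and setfiles are each listed under both `/sbin` and `/usr/sbin`. On a merged-/usr layout, or a distribution that installs restorecon under /usr/sbin, the binary would carry whatever generic label /usr/sbin gets and execute in the caller's domain instead of transitioning to setfiles_t, so relabelling would run outside the setfiles policy. Add `/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)` beside the other /usr/sbin entries. Separately, everything under `/var/lib/selinux` is given semanage_var_lib_t, so if the installed libsemanage keeps its module store and `semanage.*.LOCK` files there rather than under /etc/selinux, those objects will not receive the semanage_store_t and semanage_*_lock_t types this file defines only for the /etc/selinux paths; worth confirming against the libsemanage version being shipped.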
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
new file mode 100644
index 00000000..58855714
--- /dev/null
+++ b/policy/modules/system/selinuxutil.if
@@ -0,0 +1,1139 @@
+## <summary>Policy for SELinux policy and userland applications.</summary>
+
+#######################################
+## <summary>
+## Execute checkpolicy in the checkpolicy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seutil_domtrans_checkpolicy',`
+ gen_require(`
+ type checkpolicy_t, checkpolicy_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t)
+')
+
+########################################
+## <summary>
+## Execute checkpolicy in the checkpolicy domain, and
+## allow the specified role the checkpolicy domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_checkpolicy',`
+ gen_require(`
+ type checkpolicy_t;
+ ')
+
+ seutil_domtrans_checkpolicy($1)
+ role $2 types checkpolicy_t;
+')
+
+########################################
+## <summary>
+## Execute checkpolicy in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_exec_checkpolicy',`
+ gen_require(`
+ type checkpolicy_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1, checkpolicy_exec_t)
+')
+
+#######################################
+## <summary>
+## Execute load_policy in the load_policy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seutil_domtrans_loadpolicy',`
+ gen_require(`
+ type load_policy_t, load_policy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, load_policy_exec_t, load_policy_t)
+')
+
+########################################
+## <summary>
+## Execute load_policy in the load_policy domain, and
+## allow the specified role the load_policy domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_loadpolicy',`
+ gen_require(`
+ type load_policy_t;
+ ')
+
+ seutil_domtrans_loadpolicy($1)
+ role $2 types load_policy_t;
+')
+
+########################################
+## <summary>
+## Execute load_policy in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_exec_loadpolicy',`
+ gen_require(`
+ type load_policy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, load_policy_exec_t)
+')
+
+########################################
+## <summary>
+## Read the load_policy program file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_read_loadpolicy',`
+ gen_require(`
+ type load_policy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 load_policy_exec_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Execute newrole in the newole domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seutil_domtrans_newrole',`
+ gen_require(`
+ type newrole_t, newrole_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, newrole_exec_t, newrole_t)
+')
+
+########################################
+## <summary>
+## Execute newrole in the newrole domain, and
+## allow the specified role the newrole domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_newrole',`
+ gen_require(`
+ attribute_role newrole_roles;
+ ')
+
+ seutil_domtrans_newrole($1)
+ roleattribute $2 newrole_roles;
+')
+
+########################################
+## <summary>
+## Execute newrole in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_exec_newrole',`
+ gen_require(`
+ type newrole_t, newrole_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1, newrole_exec_t)
+')
+
+########################################
+## <summary>
+## Do not audit the caller attempts to send
+## a signal to newrole.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`seutil_dontaudit_signal_newrole',`
+ gen_require(`
+ type newrole_t;
+ ')
+
+ dontaudit $1 newrole_t:process signal;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to newrole.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to send a SIGCHLD
+## signal to newrole. This signal is automatically
+## sent from a process that is terminating to
+## its parent. This may be needed by domains
+## that are executed from newrole.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="1"/>
+#
+interface(`seutil_sigchld_newrole',`
+ gen_require(`
+ type newrole_t;
+ ')
+
+ allow $1 newrole_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Inherit and use newrole file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_use_newrole_fds',`
+ gen_require(`
+ type newrole_t;
+ ')
+
+ allow $1 newrole_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit and use
+## newrole file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`seutil_dontaudit_use_newrole_fds',`
+ gen_require(`
+ type newrole_t;
+ ')
+
+ dontaudit $1 newrole_t:fd use;
+')
+
+#######################################
+## <summary>
+## Execute restorecon in the restorecon domain. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seutil_domtrans_restorecon',`
+ refpolicywarn(`$0($*) has been deprecated, please use seutil_domtrans_setfiles() instead.')
+ seutil_domtrans_setfiles($1)
+')
+
+########################################
+## <summary>
+## Execute restorecon in the restorecon domain, and
+## allow the specified role the restorecon domain,
+## and use the caller's terminal. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_restorecon',`
+ refpolicywarn(`$0($*) has been deprecated, please use seutil_run_setfiles() instead.')
+ seutil_run_setfiles($1,$2)
+')
+
+########################################
+## <summary>
+## Execute restorecon in the caller domain. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_exec_restorecon',`
+ refpolicywarn(`$0($*) has been deprecated, please use seutil_exec_setfiles() instead.')
+ seutil_exec_setfiles($1)
+')
+
+########################################
+## <summary>
+## Execute run_init in the run_init domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seutil_domtrans_runinit',`
+ gen_require(`
+ type run_init_t, run_init_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, run_init_exec_t, run_init_t)
+')
+
+########################################
+## <summary>
+## Execute init scripts in the run_init domain.
+## </summary>
+## <desc>
+## <p>
+## Execute init scripts in the run_init domain.
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seutil_init_script_domtrans_runinit',`
+ gen_require(`
+ type run_init_t;
+ ')
+
+ init_script_file_domtrans($1, run_init_t)
+
+ allow run_init_t $1:fd use;
+ allow run_init_t $1:fifo_file rw_file_perms;
+ allow run_init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute run_init in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_runinit',`
+ gen_require(`
+ attribute_role run_init_roles;
+ ')
+
+ seutil_domtrans_runinit($1)
+ roleattribute $2 run_init_roles;
+')
+
+########################################
+## <summary>
+## Execute init scripts in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </summary>
+## <desc>
+## <p>
+## Execute init scripts in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </p>
+## <p>
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_init_script_run_runinit',`
+ gen_require(`
+ attribute_role run_init_roles;
+ ')
+
+ seutil_init_script_domtrans_runinit($1)
+ roleattribute $2 run_init_roles;
+')
+
+########################################
+## <summary>
+## Inherit and use run_init file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_use_runinit_fds',`
+ gen_require(`
+ type run_init_t;
+ ')
+
+ allow $1 run_init_t:fd use;
+')
+
+########################################
+## <summary>
+## Execute setfiles in the setfiles domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seutil_domtrans_setfiles',`
+ gen_require(`
+ type setfiles_t, setfiles_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, setfiles_exec_t, setfiles_t)
+')
+
+########################################
+## <summary>
+## Execute setfiles in the setfiles domain, and
+## allow the specified role the setfiles domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_setfiles',`
+ gen_require(`
+ type setfiles_t;
+ ')
+
+ seutil_domtrans_setfiles($1)
+ role $2 types setfiles_t;
+')
+
+########################################
+## <summary>
+## Execute setfiles in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_exec_setfiles',`
+ gen_require(`
+ type setfiles_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1, setfiles_exec_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the SELinux
+## configuration directory (/etc/selinux).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`seutil_dontaudit_search_config',`
+ gen_require(`
+ type selinux_config_t;
+ ')
+
+ dontaudit $1 selinux_config_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read the SELinux
+## userland configuration (/etc/selinux).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`seutil_dontaudit_read_config',`
+ gen_require(`
+ type selinux_config_t;
+ ')
+
+ dontaudit $1 selinux_config_t:dir search_dir_perms;
+ dontaudit $1 selinux_config_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read the general SELinux configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_read_config',`
+ gen_require(`
+ type selinux_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir list_dir_perms;
+ read_files_pattern($1, selinux_config_t, selinux_config_t)
+ read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
+')
+
+########################################
+## <summary>
+## Read and write the general SELinux configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_rw_config',`
+ gen_require(`
+ type selinux_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir list_dir_perms;
+ rw_files_pattern($1, selinux_config_t, selinux_config_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## the general selinux configuration files. (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Create, read, write, and delete
+## the general selinux configuration files.
+## </p>
+## <p>
+## This interface has been deprecated, please
+## use the seutil_manage_config() interface instead.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_manage_selinux_config',`
+ refpolicywarn(`$0($*) has been deprecated. Please use seutil_manage_config() instead.')
+ seutil_manage_config($1)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## the general selinux configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_manage_config',`
+ gen_require(`
+ type selinux_config_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, selinux_config_t, selinux_config_t)
+ read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## the general selinux configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_manage_config_dirs',`
+ gen_require(`
+ type selinux_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Search the policy directory with default_context files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_search_default_contexts',`
+ gen_require(`
+ type selinux_config_t, default_context_t;
+ ')
+
+ files_search_etc($1)
+ search_dirs_pattern($1, selinux_config_t, default_context_t)
+')
+
+########################################
+## <summary>
+## Read the default_contexts files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_read_default_contexts',`
+ gen_require(`
+ type selinux_config_t, default_context_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
+ allow $1 default_context_t:dir list_dir_perms;
+ read_files_pattern($1, default_context_t, default_context_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the default_contexts files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_manage_default_contexts',`
+ gen_require(`
+ type selinux_config_t, default_context_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
+ manage_files_pattern($1, default_context_t, default_context_t)
+')
+
+########################################
+## <summary>
+## Read the file_contexts files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_read_file_contexts',`
+ gen_require(`
+ type selinux_config_t, default_context_t, file_context_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
+ read_files_pattern($1, file_context_t, file_context_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read the file_contexts files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_dontaudit_read_file_contexts',`
+ gen_require(`
+ type selinux_config_t, default_context_t, file_context_t;
+ ')
+
+ dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms;
+ dontaudit $1 file_context_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write the file_contexts files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_rw_file_contexts',`
+ gen_require(`
+ type selinux_config_t, file_context_t, default_context_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
+ rw_files_pattern($1, file_context_t, file_context_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the file_contexts files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_manage_file_contexts',`
+ gen_require(`
+ type selinux_config_t, file_context_t, default_context_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
+ manage_files_pattern($1, file_context_t, file_context_t)
+')
+
+########################################
+## <summary>
+## Read the SELinux binary policy.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_read_bin_policy',`
+ gen_require(`
+ type selinux_config_t, policy_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
+ read_files_pattern($1, policy_config_t, policy_config_t)
+')
+
+########################################
+## <summary>
+## Create the SELinux binary policy.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_create_bin_policy',`
+ gen_require(`
+# attribute can_write_binary_policy;
+ type selinux_config_t, policy_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
+ create_files_pattern($1, policy_config_t, policy_config_t)
+ write_files_pattern($1, policy_config_t, policy_config_t)
+# typeattribute $1 can_write_binary_policy;
+')
+
+########################################
+## <summary>
+## Allow the caller to relabel a file to the binary policy type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_relabelto_bin_policy',`
+ gen_require(`
+ attribute can_relabelto_binary_policy;
+ type policy_config_t;
+ ')
+
+ allow $1 policy_config_t:file relabelto;
+ typeattribute $1 can_relabelto_binary_policy;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the SELinux
+## binary policy.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_manage_bin_policy',`
+ gen_require(`
+ attribute can_write_binary_policy;
+ type selinux_config_t, policy_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
+ manage_files_pattern($1, policy_config_t, policy_config_t)
+ typeattribute $1 can_write_binary_policy;
+')
+
+########################################
+## <summary>
+## Read SELinux policy source files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_read_src_policy',`
+ gen_require(`
+ type selinux_config_t, policy_src_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, selinux_config_t, policy_src_t)
+ read_files_pattern($1, policy_src_t, policy_src_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete SELinux
+## policy source files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_manage_src_policy',`
+ gen_require(`
+ type selinux_config_t, policy_src_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
+ manage_dirs_pattern($1, policy_src_t, policy_src_t)
+ manage_files_pattern($1, policy_src_t, policy_src_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run semanage.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seutil_domtrans_semanage',`
+ gen_require(`
+ type semanage_t, semanage_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, semanage_exec_t, semanage_t)
+')
+
+########################################
+## <summary>
+## Execute semanage in the semanage domain, and
+## allow the specified role the semanage domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_semanage',`
+ gen_require(`
+ attribute_role semanage_roles;
+ ')
+
+ seutil_domtrans_semanage($1)
+ roleattribute $2 semanage_roles;
+')
+
+########################################
+## <summary>
+## Full management of the semanage
+## module store.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_manage_module_store',`
+ gen_require(`
+ type selinux_config_t, semanage_store_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
+ manage_files_pattern($1, semanage_store_t, semanage_store_t)
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir)
+')
+
+#######################################
+## <summary>
+## Get read lock on module store
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_get_semanage_read_lock',`
+ gen_require(`
+ type selinux_config_t, semanage_read_lock_t;
+ ')
+
+ files_search_etc($1)
+ rw_files_pattern($1, selinux_config_t, semanage_read_lock_t)
+')
+
+#######################################
+## <summary>
+## Get trans lock on module store
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_get_semanage_trans_lock',`
+ gen_require(`
+ type selinux_config_t, semanage_trans_lock_t;
+ ')
+
+ files_search_etc($1)
+ rw_files_pattern($1, selinux_config_t, semanage_trans_lock_t)
+')
+
+########################################
+## <summary>
+## SELinux-enabled program access for
+## libselinux-linked programs.
+## </summary>
+## <desc>
+## <p>
+## SELinux-enabled programs are typically
+## linked to the libselinux library. This
+## interface will allow access required for
+## the libselinux constructor to function.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_libselinux_linked',`
+ selinux_get_fs_mount($1)
+ seutil_read_config($1)
+')
+
+########################################
+## <summary>
+## Do not audit SELinux-enabled program access for
+## libselinux-linked programs.
+## </summary>
+## <desc>
+## <p>
+## SELinux-enabled programs are typically
+## linked to the libselinux library. This
+## interface will dontaudit access required for
+## the libselinux constructor to function.
+## </p>
+## <p>
+## Generally this should not be used on anything
+## but simple SELinux-enabled programs that do not
+## rely on data initialized by the libselinux
+## constructor.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`seutil_dontaudit_libselinux_linked',`
+ selinux_dontaudit_get_fs_mount($1)
+ seutil_dontaudit_read_config($1)
+')
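Review bot: `seutil_create_bin_policy` grants create and write on policy_config_t files without placing the caller in `can_write_binary_policy` (both the `attribute` require and the `typeattribute` line are commented out), whereas `seutil_manage_bin_policy` does assign the attribute. The attribute therefore does not enumerate every domain that can write the binary policy, so the commented-out `neverallow ~can_write_binary_policy policy_config_t:file { write append };` in selinuxutil.te cannot simply be re-enabled, and any audit or seinfo query keyed on the attribute under-reports policy writers. Either restore the two lines (`attribute can_write_binary_policy;` inside gen_require and `typeattribute $1 can_write_binary_policy;` after the write rule) or remove the dead commented lines and say in the interface's `<desc>` that it deliberately bypasses the attribute, so the gap is visible rather than accidental. Minor: the summary of `seutil_manage_config_dirs` reads "Create, read, write, and delete the general selinux configuration files" but the interface grants only `dir manage_dir_perms`, and `seutil_domtrans_newrole`'s summary has the typo "newole".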
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
new file mode 100644
index 00000000..cbf52600
--- /dev/null
+++ b/policy/modules/system/selinuxutil.te
@@ -0,0 +1,635 @@
+policy_module(selinuxutil, 1.16.0)
+
+gen_require(`
+ bool secure_mode;
+')
+
+########################################
+#
+# Declarations
+#
+
+attribute can_write_binary_policy;
+attribute can_relabelto_binary_policy;
+
+attribute_role newrole_roles;
+role newrole_roles types newrole_t;
+
+attribute_role run_init_roles;
+role run_init_roles types run_init_t;
+role system_r types run_init_t;
+
+attribute_role semanage_roles;
+roleattribute system_r semanage_roles;
+
+#
+# selinux_config_t is the type applied to
+# /etc/selinux/config
+#
+# cjp: this is out of order due to rules
+# in the domain_type interface
+# (fix dup decl)
+type selinux_config_t;
+files_type(selinux_config_t)
+
+type checkpolicy_t, can_write_binary_policy;
+type checkpolicy_exec_t;
+application_domain(checkpolicy_t, checkpolicy_exec_t)
+role system_r types checkpolicy_t;
+
+#
+# default_context_t is the type applied to
+# /etc/selinux/*/contexts/*
+#
+type default_context_t;
+files_type(default_context_t)
+
+#
+# file_context_t is the type applied to
+# /etc/selinux/*/contexts/files
+#
+type file_context_t;
+files_type(file_context_t)
+
+type load_policy_t;
+type load_policy_exec_t;
+application_domain(load_policy_t, load_policy_exec_t)
+role system_r types load_policy_t;
+
+type newrole_t;
+type newrole_exec_t;
+application_domain(newrole_t, newrole_exec_t)
+domain_role_change_exemption(newrole_t)
+domain_obj_id_change_exemption(newrole_t)
+domain_interactive_fd(newrole_t)
+
+#
+# policy_config_t is the type of /etc/security/selinux/*
+# the security server policy configuration.
+#
+type policy_config_t;
+files_type(policy_config_t)
+
+neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
+#neverallow ~can_write_binary_policy policy_config_t:file { write append };
+
+#
+# policy_src_t is the type of the policy source
+# files.
+#
+type policy_src_t;
+files_type(policy_src_t)
+
+type restorecond_t;
+type restorecond_exec_t;
+init_daemon_domain(restorecond_t, restorecond_exec_t)
+domain_obj_id_change_exemption(restorecond_t)
+role system_r types restorecond_t;
+
+type restorecond_var_run_t;
+files_pid_file(restorecond_var_run_t)
+
+type run_init_t;
+type run_init_exec_t;
+application_domain(run_init_t, run_init_exec_t)
+domain_system_change_exemption(run_init_t)
+
+type semanage_t;
+type semanage_exec_t;
+application_domain(semanage_t, semanage_exec_t)
+domain_interactive_fd(semanage_t)
+role semanage_roles types semanage_t;
+
+type semanage_store_t;
+files_type(semanage_store_t)
+
+type semanage_read_lock_t;
+files_type(semanage_read_lock_t)
+
+type semanage_tmp_t;
+files_tmp_file(semanage_tmp_t)
+
+type semanage_trans_lock_t;
+files_type(semanage_trans_lock_t)
+
+type semanage_var_lib_t;
+files_type(semanage_var_lib_t)
+
+type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
+type setfiles_exec_t alias restorecon_exec_t;
+init_system_domain(setfiles_t, setfiles_exec_t)
+domain_obj_id_change_exemption(setfiles_t)
+
+########################################
+#
+# Checkpolicy local policy
+#
+
+allow checkpolicy_t self:capability dac_override;
+
+# able to create and modify binary policy files
+manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t)
+
+# allow test policies to be created in src directories
+filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
+
+# only allow read of policy source files
+read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
+read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
+allow checkpolicy_t selinux_config_t:dir search_dir_perms;
+
+domain_use_interactive_fds(checkpolicy_t)
+
+files_list_usr(checkpolicy_t)
+# directory search permissions for path to source and binary policy files
+files_search_etc(checkpolicy_t)
+
+fs_getattr_xattr_fs(checkpolicy_t)
+
+term_use_console(checkpolicy_t)
+
+init_use_fds(checkpolicy_t)
+init_use_script_ptys(checkpolicy_t)
+
+userdom_use_user_terminals(checkpolicy_t)
+userdom_use_all_users_fds(checkpolicy_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(checkpolicy_t)
+ ')
+')
+
+########################################
+#
+# Load_policy local policy
+#
+
+allow load_policy_t self:capability dac_override;
+
+# only allow read of policy config files
+read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
+
+domain_use_interactive_fds(load_policy_t)
+
+# for mcs.conf
+files_read_etc_files(load_policy_t)
+files_read_etc_runtime_files(load_policy_t)
+
+fs_getattr_xattr_fs(load_policy_t)
+
+mls_file_read_all_levels(load_policy_t)
+
+selinux_load_policy(load_policy_t)
+selinux_set_all_booleans(load_policy_t)
+
+term_use_console(load_policy_t)
+term_list_ptys(load_policy_t)
+
+init_use_script_fds(load_policy_t)
+init_use_script_ptys(load_policy_t)
+
+miscfiles_read_localization(load_policy_t)
+
+seutil_libselinux_linked(load_policy_t)
+
+userdom_use_user_terminals(load_policy_t)
+userdom_use_all_users_fds(load_policy_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(load_policy_t)
+ ')
+')
+
+ifdef(`hide_broken_symptoms',`
+ # cjp: cover up stray file descriptors.
+ dontaudit load_policy_t selinux_config_t:file write;
+
+ optional_policy(`
+ unconfined_dontaudit_read_pipes(load_policy_t)
+ ')
+')
+
+optional_policy(`
+ portage_dontaudit_use_fds(load_policy_t)
+')
+
+########################################
+#
+# Newrole local policy
+#
+
+allow newrole_t self:capability { fowner setuid setgid dac_override };
+allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+allow newrole_t self:process setexec;
+allow newrole_t self:fd use;
+allow newrole_t self:fifo_file rw_fifo_file_perms;
+allow newrole_t self:sock_file read_sock_file_perms;
+allow newrole_t self:shm create_shm_perms;
+allow newrole_t self:sem create_sem_perms;
+allow newrole_t self:msgq create_msgq_perms;
+allow newrole_t self:msg { send receive };
+allow newrole_t self:unix_dgram_socket sendto;
+allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+dontaudit newrole_t self:capability dac_read_search;
+
+read_files_pattern(newrole_t, default_context_t, default_context_t)
+read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
+
+kernel_read_system_state(newrole_t)
+kernel_read_kernel_sysctls(newrole_t)
+
+corecmd_list_bin(newrole_t)
+corecmd_read_bin_symlinks(newrole_t)
+
+dev_read_urand(newrole_t)
+
+domain_use_interactive_fds(newrole_t)
+# for when the user types "exec newrole" at the command line:
+domain_sigchld_interactive_fds(newrole_t)
+
+files_read_etc_files(newrole_t)
+files_read_var_files(newrole_t)
+files_read_var_symlinks(newrole_t)
+
+fs_getattr_xattr_fs(newrole_t)
+fs_search_auto_mountpoints(newrole_t)
+
+mls_file_read_all_levels(newrole_t)
+mls_file_write_all_levels(newrole_t)
+mls_file_upgrade(newrole_t)
+mls_file_downgrade(newrole_t)
+mls_process_set_level(newrole_t)
+mls_fd_share_all_levels(newrole_t)
+
+selinux_validate_context(newrole_t)
+selinux_compute_access_vector(newrole_t)
+selinux_compute_create_context(newrole_t)
+selinux_compute_relabel_context(newrole_t)
+selinux_compute_user_contexts(newrole_t)
+
+term_use_all_ttys(newrole_t)
+term_use_all_ptys(newrole_t)
+term_relabel_all_ttys(newrole_t)
+term_relabel_all_ptys(newrole_t)
+term_getattr_unallocated_ttys(newrole_t)
+term_dontaudit_use_unallocated_ttys(newrole_t)
+
+auth_use_nsswitch(newrole_t)
+auth_run_chk_passwd(newrole_t, newrole_roles)
+auth_run_upd_passwd(newrole_t, newrole_roles)
+auth_rw_faillog(newrole_t)
+
+# Write to utmp.
+init_rw_utmp(newrole_t)
+init_use_fds(newrole_t)
+
+logging_send_syslog_msg(newrole_t)
+
+miscfiles_read_localization(newrole_t)
+
+seutil_libselinux_linked(newrole_t)
+
+# for some PAM modules and for cwd
+userdom_dontaudit_search_user_home_content(newrole_t)
+userdom_search_user_home_dirs(newrole_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(newrole_t)
+ ')
+')
+
+# if secure mode is enabled, then newrole
+# can only transition to unprivileged users
+if(secure_mode) {
+ userdom_spec_domtrans_unpriv_users(newrole_t)
+} else {
+ userdom_spec_domtrans_all_users(newrole_t)
+}
+
+tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all(newrole_t)
+')
+
+########################################
+#
+# Restorecond local policy
+#
+
+allow restorecond_t self:capability { dac_override dac_read_search fowner };
+allow restorecond_t self:fifo_file rw_fifo_file_perms;
+
+allow restorecond_t restorecond_var_run_t:file manage_file_perms;
+files_pid_filetrans(restorecond_t, restorecond_var_run_t, file)
+
+kernel_use_fds(restorecond_t)
+kernel_rw_pipes(restorecond_t)
+kernel_read_system_state(restorecond_t)
+
+fs_relabelfrom_noxattr_fs(restorecond_t)
+fs_dontaudit_list_nfs(restorecond_t)
+fs_getattr_xattr_fs(restorecond_t)
+fs_list_inotifyfs(restorecond_t)
+
+selinux_validate_context(restorecond_t)
+selinux_compute_access_vector(restorecond_t)
+selinux_compute_create_context(restorecond_t)
+selinux_compute_relabel_context(restorecond_t)
+selinux_compute_user_contexts(restorecond_t)
+
+auth_relabel_all_files_except_auth_files(restorecond_t )
+auth_read_all_files_except_auth_files(restorecond_t)
+auth_use_nsswitch(restorecond_t)
+
+locallogin_dontaudit_use_fds(restorecond_t)
+
+logging_send_syslog_msg(restorecond_t)
+
+miscfiles_read_localization(restorecond_t)
+
+seutil_libselinux_linked(restorecond_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(restorecond_t)
+ ')
+')
+
+optional_policy(`
+ rpm_use_script_fds(restorecond_t)
+')
+
+#################################
+#
+# Run_init local policy
+#
+
+allow run_init_roles system_r;
+
+allow run_init_t self:process setexec;
+allow run_init_t self:capability setuid;
+allow run_init_t self:fifo_file rw_file_perms;
+allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+# often the administrator runs such programs from a directory that is owned
+# by a different user or has restrictive SE permissions, do not want to audit
+# the failed access to the current directory
+dontaudit run_init_t self:capability { dac_override dac_read_search };
+
+corecmd_exec_bin(run_init_t)
+corecmd_exec_shell(run_init_t)
+
+dev_dontaudit_list_all_dev_nodes(run_init_t)
+
+domain_use_interactive_fds(run_init_t)
+
+files_read_etc_files(run_init_t)
+files_dontaudit_search_all_dirs(run_init_t)
+
+fs_getattr_xattr_fs(run_init_t)
+
+mls_rangetrans_source(run_init_t)
+
+selinux_validate_context(run_init_t)
+selinux_compute_access_vector(run_init_t)
+selinux_compute_create_context(run_init_t)
+selinux_compute_relabel_context(run_init_t)
+selinux_compute_user_contexts(run_init_t)
+
+auth_use_nsswitch(run_init_t)
+auth_run_chk_passwd(run_init_t, run_init_roles)
+auth_run_upd_passwd(run_init_t, run_init_roles)
+auth_dontaudit_read_shadow(run_init_t)
+
+init_spec_domtrans_script(run_init_t)
+# for utmp
+init_rw_utmp(run_init_t)
+
+logging_send_syslog_msg(run_init_t)
+
+miscfiles_read_localization(run_init_t)
+
+seutil_libselinux_linked(run_init_t)
+seutil_read_default_contexts(run_init_t)
+
+userdom_use_user_terminals(run_init_t)
+
+ifndef(`direct_sysadm_daemon',`
+ ifdef(`distro_gentoo',`
+ # Gentoo integrated run_init:
+ init_script_file_entry_type(run_init_t)
+
+ init_exec_rc(run_init_t)
+ ')
+')
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(run_init_t)
+ ')
+')
+
+optional_policy(`
+ daemontools_domtrans_start(run_init_t)
+')
+
+########################################
+#
+# semodule local policy
+#
+
+allow semanage_t self:capability { dac_override audit_write };
+allow semanage_t self:unix_stream_socket create_stream_socket_perms;
+allow semanage_t self:unix_dgram_socket create_socket_perms;
+allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow semanage_t self:fifo_file rw_fifo_file_perms;
+
+allow semanage_t policy_config_t:file rw_file_perms;
+
+allow semanage_t semanage_tmp_t:dir manage_dir_perms;
+allow semanage_t semanage_tmp_t:file manage_file_perms;
+files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+
+manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
+manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
+
+kernel_read_system_state(semanage_t)
+kernel_read_kernel_sysctls(semanage_t)
+
+corecmd_exec_bin(semanage_t)
+
+dev_read_urand(semanage_t)
+
+domain_use_interactive_fds(semanage_t)
+
+files_read_etc_files(semanage_t)
+files_read_etc_runtime_files(semanage_t)
+files_read_usr_files(semanage_t)
+files_list_pids(semanage_t)
+
+mls_file_write_all_levels(semanage_t)
+mls_file_read_all_levels(semanage_t)
+
+selinux_validate_context(semanage_t)
+selinux_get_enforce_mode(semanage_t)
+selinux_getattr_fs(semanage_t)
+# for setsebool:
+selinux_set_all_booleans(semanage_t)
+
+term_use_all_terms(semanage_t)
+
+# Running genhomedircon requires this for finding all users
+auth_use_nsswitch(semanage_t)
+
+locallogin_use_fds(semanage_t)
+
+logging_send_syslog_msg(semanage_t)
+
+miscfiles_read_localization(semanage_t)
+
+seutil_libselinux_linked(semanage_t)
+seutil_manage_file_contexts(semanage_t)
+seutil_manage_config(semanage_t)
+seutil_run_setfiles(semanage_t, semanage_roles)
+seutil_run_loadpolicy(semanage_t, semanage_roles)
+seutil_manage_bin_policy(semanage_t)
+seutil_use_newrole_fds(semanage_t)
+seutil_manage_module_store(semanage_t)
+seutil_get_semanage_trans_lock(semanage_t)
+seutil_get_semanage_read_lock(semanage_t)
+# netfilter_contexts:
+seutil_manage_default_contexts(semanage_t)
+
+# Handle pp files created in homedir and /tmp
+userdom_read_user_home_content_files(semanage_t)
+userdom_read_user_tmp_files(semanage_t)
+
+ifdef(`distro_debian',`
+ files_read_var_lib_files(semanage_t)
+ files_read_var_lib_symlinks(semanage_t)
+')
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(semanage_t)
+ ')
+')
+
+optional_policy(`
+ gentoo_portage_eselect_module(semanage_t)
+')
+
+########################################
+#
+# Setfiles local policy
+#
+
+allow setfiles_t self:capability { dac_override dac_read_search fowner };
+dontaudit setfiles_t self:capability sys_tty_config;
+allow setfiles_t self:fifo_file rw_file_perms;
+
+allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
+
+kernel_read_system_state(setfiles_t)
+kernel_relabelfrom_unlabeled_dirs(setfiles_t)
+kernel_relabelfrom_unlabeled_files(setfiles_t)
+kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
+kernel_relabelfrom_unlabeled_pipes(setfiles_t)
+kernel_relabelfrom_unlabeled_sockets(setfiles_t)
+kernel_use_fds(setfiles_t)
+kernel_rw_pipes(setfiles_t)
+kernel_rw_unix_dgram_sockets(setfiles_t)
+kernel_dontaudit_list_all_proc(setfiles_t)
+kernel_dontaudit_list_all_sysctls(setfiles_t)
+
+dev_relabel_all_dev_nodes(setfiles_t)
+
+domain_use_interactive_fds(setfiles_t)
+domain_dontaudit_search_all_domains_state(setfiles_t)
+
+files_read_etc_runtime_files(setfiles_t)
+files_read_etc_files(setfiles_t)
+files_list_all(setfiles_t)
+files_relabel_all_files(setfiles_t)
+files_read_usr_symlinks(setfiles_t)
+
+fs_getattr_xattr_fs(setfiles_t)
+fs_list_all(setfiles_t)
+fs_search_auto_mountpoints(setfiles_t)
+fs_relabelfrom_noxattr_fs(setfiles_t)
+
+mls_file_read_all_levels(setfiles_t)
+mls_file_write_all_levels(setfiles_t)
+mls_file_upgrade(setfiles_t)
+mls_file_downgrade(setfiles_t)
+
+selinux_validate_context(setfiles_t)
+selinux_compute_access_vector(setfiles_t)
+selinux_compute_create_context(setfiles_t)
+selinux_compute_relabel_context(setfiles_t)
+selinux_compute_user_contexts(setfiles_t)
+
+term_use_all_ttys(setfiles_t)
+term_use_all_ptys(setfiles_t)
+term_use_unallocated_ttys(setfiles_t)
+
+# this is to satisfy the assertion:
+auth_relabelto_shadow(setfiles_t)
+
+init_use_fds(setfiles_t)
+init_use_script_fds(setfiles_t)
+init_use_script_ptys(setfiles_t)
+init_exec_script_files(setfiles_t)
+
+logging_send_audit_msgs(setfiles_t)
+logging_send_syslog_msg(setfiles_t)
+
+miscfiles_read_localization(setfiles_t)
+
+seutil_libselinux_linked(setfiles_t)
+
+userdom_use_all_users_fds(setfiles_t)
+# for config files in a home directory
+userdom_read_user_home_content_files(setfiles_t)
+
+ifdef(`distro_debian',`
+ # udev tmpfs is populated with static device nodes
+ # and then relabeled afterwards; thus
+ # /dev/console has the tmpfs type
+ fs_rw_tmpfs_chr_files(setfiles_t)
+')
+
+ifdef(`distro_redhat', `
+ fs_rw_tmpfs_chr_files(setfiles_t)
+ fs_rw_tmpfs_blk_files(setfiles_t)
+ fs_relabel_tmpfs_blk_file(setfiles_t)
+ fs_relabel_tmpfs_chr_file(setfiles_t)
+')
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(setfiles_t)
+ ')
+')
+
+ifdef(`hide_broken_symptoms',`
+ optional_policy(`
+ udev_dontaudit_rw_dgram_sockets(setfiles_t)
+ ')
+
+ # cjp: cover up stray file descriptors.
+ optional_policy(`
+ unconfined_dontaudit_read_pipes(setfiles_t)
+ unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
+ ')
+')
+
+optional_policy(`
+ hotplug_use_fds(setfiles_t)
+')
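Review bot: The assertion that would confine writes to the binary policy is left as dead code in the Declarations section (`#neverallow ~can_write_binary_policy policy_config_t:file { write append };`), so the `can_write_binary_policy` attribute, assigned only to checkpolicy_t, currently constrains nothing, unlike its sibling `can_relabelto_binary_policy` whose neverallow is active. Further down, semanage_t receives write access to policy_config_t (`allow semanage_t policy_config_t:file rw_file_perms;` plus seutil_manage_bin_policy) without carrying the attribute, which is presumably why the assertion could not simply be re-enabled. Either give semanage_t the attribute (`type semanage_t, can_write_binary_policy;`) and restore the neverallow, or remove the commented line and the unused attribute together with a comment naming the domains allowed to write the binary policy. Separately, the distro_ubuntu blocks make every domain in this module unconfined with no comment saying why, and the stray space in `auth_relabel_all_files_except_auth_files(restorecond_t )` should be dropped.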
diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
new file mode 100644
index 00000000..bea46299
--- /dev/null
+++ b/policy/modules/system/setrans.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/mcstrans -- gen_context(system_u:object_r:setrans_initrc_exec_t,s0)
+
+/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
+
+/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
new file mode 100644
index 00000000..efa9c27f
--- /dev/null
+++ b/policy/modules/system/setrans.if
@@ -0,0 +1,42 @@
+## <summary>SELinux MLS/MCS label translation service.</summary>
+
+########################################
+## <summary>
+## Execute setrans server in the setrans domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#
+interface(`setrans_initrc_domtrans',`
+ gen_require(`
+ type setrans_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, setrans_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+## Allow a domain to translate contexts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setrans_translate_context',`
+ gen_require(`
+ type setrans_t, setrans_var_run_t;
+ class context translate;
+ ')
+
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 setrans_t:context translate;
+ stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
+ files_list_pids($1)
+')
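Review bot: setrans_translate_context also grants the caller `allow $1 self:unix_stream_socket create_stream_socket_perms;`, a rule on the caller's own domain that the summary "Allow a domain to translate contexts." does not mention, so a caller auditing what this interface adds to its domain will miss it; the summary should state that it also allows creating unix stream sockets for connecting to the setrans socket. The header of setrans_initrc_domtrans ends with two bare `#` lines before `interface(`, where every other header in this file uses one.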
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
new file mode 100644
index 00000000..1447687d
--- /dev/null
+++ b/policy/modules/system/setrans.te
@@ -0,0 +1,87 @@
+policy_module(setrans, 1.8.0)
+
+gen_require(`
+ class context contains;
+')
+
+########################################
+#
+# Declarations
+#
+
+type setrans_t;
+type setrans_exec_t;
+init_daemon_domain(setrans_t, setrans_exec_t)
+
+type setrans_initrc_exec_t;
+init_script_file(setrans_initrc_exec_t)
+
+type setrans_var_run_t;
+files_pid_file(setrans_var_run_t)
+mls_trusted_object(setrans_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(setrans_t, setrans_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# setrans local policy
+#
+
+allow setrans_t self:capability sys_resource;
+allow setrans_t self:process { setrlimit getcap setcap signal_perms };
+allow setrans_t self:unix_stream_socket create_stream_socket_perms;
+allow setrans_t self:unix_dgram_socket create_socket_perms;
+allow setrans_t self:netlink_selinux_socket create_socket_perms;
+allow setrans_t self:context contains;
+
+can_exec(setrans_t, setrans_exec_t)
+corecmd_search_bin(setrans_t)
+
+# create unix domain socket in /var
+manage_dirs_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
+manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
+manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
+files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(setrans_t)
+kernel_read_proc_symlinks(setrans_t)
+
+# allow performing getpidcon() on all processes
+domain_read_all_domains_state(setrans_t)
+domain_dontaudit_search_all_domains_state(setrans_t)
+domain_getattr_all_domains(setrans_t)
+domain_getsession_all_domains(setrans_t)
+
+files_read_etc_runtime_files(setrans_t)
+
+mls_file_read_all_levels(setrans_t)
+mls_file_write_all_levels(setrans_t)
+mls_net_receive_all_levels(setrans_t)
+mls_socket_write_all_levels(setrans_t)
+mls_process_read_up(setrans_t)
+mls_socket_read_all_levels(setrans_t)
+
+selinux_compute_access_vector(setrans_t)
+
+term_dontaudit_use_generic_ptys(setrans_t)
+term_dontaudit_use_unallocated_ttys(setrans_t)
+
+init_dontaudit_use_script_ptys(setrans_t)
+
+locallogin_dontaudit_use_fds(setrans_t)
+
+logging_send_syslog_msg(setrans_t)
+
+miscfiles_read_localization(setrans_t)
+
+seutil_read_config(setrans_t)
+
+optional_policy(`
+ rpm_use_script_fds(setrans_t)
+')
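Review bot: `can_exec(setrans_t, setrans_exec_t)` carries no comment explaining why the daemon needs to execute its own binary, while the neighbouring rules in this file each have a short why-comment; a note such as `# executes its own binary — presumably re-exec, confirm` would stop a later reviewer from reading it as an accidental grant. The privileged part of the module, `mls_trusted_object(setrans_var_run_t)` and the block of mls_*_all_levels rules, would likewise benefit from one comment tying them to the service's role, presumably that clients at any MLS level connect to its socket.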
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
new file mode 100644
index 00000000..346a7cc8
--- /dev/null
+++ b/policy/modules/system/sysnetwork.fc
@@ -0,0 +1,74 @@
+
+#
+# /bin
+#
+/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
+#
+# /dev
+#
+ifdef(`distro_debian',`
+/dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+')
+
+#
+# /etc
+#
+/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+
+/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+')
+
+#
+# /sbin
+#
+/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/dhcp3? -d gen_context(system_u:object_r:dhcp_state_t,s0)
+/var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+
+/var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+/var/run/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+')
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
new file mode 100644
index 00000000..c7f6a4a7
--- /dev/null
+++ b/policy/modules/system/sysnetwork.if
@@ -0,0 +1,741 @@
+## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
+
+#######################################
+## <summary>
+## Execute dhcp client in dhcpc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sysnet_domtrans_dhcpc',`
+ gen_require(`
+ type dhcpc_t, dhcpc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dhcpc_exec_t, dhcpc_t)
+')
+
+########################################
+## <summary>
+## Execute DHCP clients in the dhcpc domain, and
+## allow the specified role the dhcpc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_run_dhcpc',`
+ gen_require(`
+ attribute_role dhcpc_roles;
+ ')
+
+ sysnet_domtrans_dhcpc($1)
+ roleattribute $2 dhcpc_roles;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## the dhcp file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_use_dhcpc_fds',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ dontaudit $1 dhcpc_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read/write to
+## the dhcp unix stream socket descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_rw_dhcpc_unix_stream_sockets',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ dontaudit $1 dhcpc_t:unix_stream_socket { read write };
+')
+
+
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to the dhcp client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_sigchld_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ allow $1 dhcpc_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send a kill signal to the dhcp client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_kill_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ allow $1 dhcpc_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send a SIGSTOP signal to the dhcp client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_sigstop_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ allow $1 dhcpc_t:process sigstop;
+')
+
+########################################
+## <summary>
+## Send a null signal to the dhcp client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_signull_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ allow $1 dhcpc_t:process signull;
+')
+
+########################################
+## <summary>
+## Send a generic signal to the dhcp client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_signal_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ allow $1 dhcpc_t:process signal;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## dhcpc over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_dbus_chat_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 dhcpc_t:dbus send_msg;
+ allow dhcpc_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read and write dhcp configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_rw_dhcp_config',`
+ gen_require(`
+ type dhcp_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 dhcp_etc_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Search the DHCP client state
+## directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_search_dhcpc_state',`
+ gen_require(`
+ type dhcpc_state_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dhcpc_state_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read dhcp client state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_read_dhcpc_state',`
+ gen_require(`
+ type dhcpc_state_t;
+ ')
+
+ read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
+')
+
+#######################################
+## <summary>
+## Delete the dhcp client state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_delete_dhcpc_state',`
+ gen_require(`
+ type dhcpc_state_t;
+ ')
+
+ delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
+')
+
+#######################################
+## <summary>
+## Set the attributes of network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_setattr_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file setattr;
+')
+
+#######################################
+## <summary>
+## Read network config files.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read the
+## general network configuration files. A
+## common example of this is the
+## /etc/resolv.conf file, which has domain
+## name system (DNS) server IP addresses.
+## Typically, most networking processes will
+## require the access provided by this interface.
+## </p>
+## <p>
+## Higher-level interfaces which involve
+## networking will generally call this interface,
+## for example:
+## </p>
+## <ul>
+## <li>sysnet_dns_name_resolve()</li>
+## <li>sysnet_use_ldap()</li>
+## <li>sysnet_use_portmap()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_read_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file read_file_perms;
+
+ ifdef(`distro_redhat',`
+ allow $1 net_conf_t:dir list_dir_perms;
+ read_files_pattern($1, net_conf_t, net_conf_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_read_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ dontaudit $1 net_conf_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Write network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_write_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file write_file_perms;
+')
+
+#######################################
+## <summary>
+## Create network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_create_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file create_file_perms;
+')
+
+#######################################
+## <summary>
+## Create files in /etc with the type used for
+## the network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_etc_filetrans_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_etc_filetrans($1, net_conf_t, file)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_manage_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 net_conf_t:file manage_file_perms;
+
+ ifdef(`distro_redhat',`
+ manage_files_pattern($1, net_conf_t, net_conf_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Read the dhcp client pid file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_read_dhcpc_pid',`
+ gen_require(`
+ type dhcpc_var_run_t;
+ ')
+
+ files_list_pids($1)
+ allow $1 dhcpc_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Delete the dhcp client pid file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_delete_dhcpc_pid',`
+ gen_require(`
+ type dhcpc_var_run_t;
+ ')
+
+ allow $1 dhcpc_var_run_t:file unlink;
+')
+
+#######################################
+## <summary>
+## Execute ifconfig in the ifconfig domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sysnet_domtrans_ifconfig',`
+ gen_require(`
+ type ifconfig_t, ifconfig_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
+')
+
+########################################
+## <summary>
+## Execute ifconfig in the ifconfig domain, and
+## allow the specified role the ifconfig domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_run_ifconfig',`
+ gen_require(`
+ type ifconfig_t;
+ ')
+
+ corecmd_search_bin($1)
+ sysnet_domtrans_ifconfig($1)
+ role $2 types ifconfig_t;
+')
+
+#######################################
+## <summary>
+## Execute ifconfig in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_exec_ifconfig',`
+ gen_require(`
+ type ifconfig_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ifconfig_exec_t)
+')
+
+########################################
+## <summary>
+## Send a generic signal to ifconfig.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_signal_ifconfig',`
+ gen_require(`
+ type ifconfig_t;
+ ')
+
+ allow $1 ifconfig_t:process signal;
+')
+
+########################################
+## <summary>
+## Read the DHCP configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_read_dhcp_config',`
+ gen_require(`
+ type dhcp_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 dhcp_etc_t:dir list_dir_perms;
+ read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
+')
+
+########################################
+## <summary>
+## Search the DHCP state data directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_search_dhcp_state',`
+ gen_require(`
+ type dhcp_state_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dhcp_state_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create DHCP state data.
+## </summary>
+## <desc>
+## <p>
+## Create DHCP state data.
+## </p>
+## <p>
+## This is added for DHCP server, as
+## the server and client put their state
+## files in the same directory.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+#
+interface(`sysnet_dhcp_state_filetrans',`
+ gen_require(`
+ type dhcp_state_t;
+ ')
+
+ files_search_var_lib($1)
+ filetrans_pattern($1, dhcp_state_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Perform a DNS name resolution.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_dns_name_resolve',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 self:tcp_socket create_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+ allow $1 self:netlink_route_socket r_netlink_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_dns_port($1)
+ corenet_udp_sendrecv_dns_port($1)
+ corenet_tcp_connect_dns_port($1)
+ corenet_sendrecv_dns_client_packets($1)
+
+ sysnet_read_config($1)
+
+ optional_policy(`
+ avahi_stream_connect($1)
+ ')
+
+ optional_policy(`
+ nscd_socket_use($1)
+ ')
+')
+
+########################################
+## <summary>
+## Connect and use a LDAP server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_use_ldap',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 self:tcp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_ldap_port($1)
+ corenet_tcp_connect_ldap_port($1)
+ corenet_sendrecv_ldap_client_packets($1)
+
+ # Support for LDAPS
+ dev_read_rand($1)
+ dev_read_urand($1)
+
+ sysnet_read_config($1)
+')
+
+########################################
+## <summary>
+## Connect and use remote port mappers.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_use_portmap',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 self:tcp_socket create_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_portmap_port($1)
+ corenet_udp_sendrecv_portmap_port($1)
+ corenet_tcp_connect_portmap_port($1)
+ corenet_sendrecv_portmap_client_packets($1)
+
+ sysnet_read_config($1)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
new file mode 100644
index 00000000..b2467f54
--- /dev/null
+++ b/policy/modules/system/sysnetwork.te
@@ -0,0 +1,365 @@
+policy_module(sysnetwork, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role dhcpc_roles;
+roleattribute system_r dhcpc_roles;
+
+# this is shared between dhcpc and dhcpd:
+type dhcp_etc_t;
+typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
+files_config_file(dhcp_etc_t)
+
+# this is shared between dhcpc and dhcpd:
+type dhcp_state_t;
+files_type(dhcp_state_t)
+
+type dhcpc_t;
+type dhcpc_exec_t;
+init_daemon_domain(dhcpc_t, dhcpc_exec_t)
+role dhcpc_roles types dhcpc_t;
+
+type dhcpc_state_t;
+files_type(dhcpc_state_t)
+
+type dhcpc_tmp_t;
+files_tmp_file(dhcpc_tmp_t)
+
+type dhcpc_var_run_t;
+files_pid_file(dhcpc_var_run_t)
+
+type ifconfig_t;
+type ifconfig_exec_t;
+init_system_domain(ifconfig_t, ifconfig_exec_t)
+role system_r types ifconfig_t;
+
+type net_conf_t alias resolv_conf_t;
+files_type(net_conf_t)
+
+########################################
+#
+# DHCP client local policy
+#
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace sys_admin };
+# for access("/etc/bashrc", X_OK) on Red Hat
+dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+
+allow dhcpc_t self:fifo_file rw_fifo_file_perms;
+allow dhcpc_t self:tcp_socket create_stream_socket_perms;
+allow dhcpc_t self:udp_socket create_socket_perms;
+allow dhcpc_t self:packet_socket create_socket_perms;
+allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+
+allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
+read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+
+allow dhcpc_t dhcp_state_t:file read_file_perms;
+manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
+filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+
+# create pid file
+manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
+files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
+
+# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
+# in /etc created by dhcpcd will be labelled net_conf_t.
+sysnet_manage_config(dhcpc_t)
+files_etc_filetrans(dhcpc_t, net_conf_t, file)
+
+# create temp files
+manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
+manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
+files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
+
+can_exec(dhcpc_t, dhcpc_exec_t)
+
+kernel_read_system_state(dhcpc_t)
+kernel_read_network_state(dhcpc_t)
+kernel_search_network_sysctl(dhcpc_t)
+kernel_read_kernel_sysctls(dhcpc_t)
+kernel_request_load_module(dhcpc_t)
+kernel_use_fds(dhcpc_t)
+kernel_rw_net_sysctls(dhcpc_t)
+
+corecmd_exec_bin(dhcpc_t)
+corecmd_exec_shell(dhcpc_t)
+
+corenet_all_recvfrom_unlabeled(dhcpc_t)
+corenet_all_recvfrom_netlabel(dhcpc_t)
+corenet_tcp_sendrecv_all_if(dhcpc_t)
+corenet_raw_sendrecv_all_if(dhcpc_t)
+corenet_udp_sendrecv_all_if(dhcpc_t)
+corenet_tcp_sendrecv_all_nodes(dhcpc_t)
+corenet_raw_sendrecv_all_nodes(dhcpc_t)
+corenet_udp_sendrecv_all_nodes(dhcpc_t)
+corenet_tcp_sendrecv_all_ports(dhcpc_t)
+corenet_udp_sendrecv_all_ports(dhcpc_t)
+corenet_tcp_bind_all_nodes(dhcpc_t)
+corenet_udp_bind_all_nodes(dhcpc_t)
+corenet_udp_bind_dhcpc_port(dhcpc_t)
+corenet_tcp_connect_all_ports(dhcpc_t)
+corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
+corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
+
+dev_read_sysfs(dhcpc_t)
+# for SSP:
+dev_read_urand(dhcpc_t)
+
+domain_use_interactive_fds(dhcpc_t)
+domain_dontaudit_read_all_domains_state(dhcpc_t)
+
+files_read_etc_files(dhcpc_t)
+files_read_etc_runtime_files(dhcpc_t)
+files_read_usr_files(dhcpc_t)
+files_search_home(dhcpc_t)
+files_search_var_lib(dhcpc_t)
+files_dontaudit_search_locks(dhcpc_t)
+files_getattr_generic_locks(dhcpc_t)
+
+fs_getattr_all_fs(dhcpc_t)
+fs_search_auto_mountpoints(dhcpc_t)
+
+term_dontaudit_use_all_ttys(dhcpc_t)
+term_dontaudit_use_all_ptys(dhcpc_t)
+term_dontaudit_use_unallocated_ttys(dhcpc_t)
+term_dontaudit_use_generic_ptys(dhcpc_t)
+
+init_rw_utmp(dhcpc_t)
+
+logging_send_syslog_msg(dhcpc_t)
+
+miscfiles_read_localization(dhcpc_t)
+
+modutils_run_insmod(dhcpc_t, dhcpc_roles)
+
+sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
+
+userdom_use_user_terminals(dhcpc_t)
+userdom_dontaudit_search_user_home_dirs(dhcpc_t)
+
+ifdef(`distro_redhat', `
+ files_exec_etc_files(dhcpc_t)
+')
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(dhcpc_t)
+ ')
+')
+
+optional_policy(`
+ consoletype_run(dhcpc_t, dhcpc_roles)
+')
+
+optional_policy(`
+ init_dbus_chat_script(dhcpc_t)
+
+ dbus_system_bus_client(dhcpc_t)
+ dbus_connect_system_bus(dhcpc_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(dhcpc_t)
+ ')
+')
+
+optional_policy(`
+ hostname_run(dhcpc_t, dhcpc_roles)
+')
+
+optional_policy(`
+ hal_dontaudit_rw_dgram_sockets(dhcpc_t)
+')
+
+optional_policy(`
+ hotplug_getattr_config_dirs(dhcpc_t)
+ hotplug_search_config(dhcpc_t)
+
+ ifdef(`distro_redhat',`
+ logging_domtrans_syslog(dhcpc_t)
+ ')
+')
+
+# for the dhcp client to run ping to check IP addresses
+optional_policy(`
+ netutils_run_ping(dhcpc_t, dhcpc_roles)
+ netutils_run(dhcpc_t, dhcpc_roles)
+',`
+ allow dhcpc_t self:capability setuid;
+ allow dhcpc_t self:rawip_socket create_socket_perms;
+')
+
+optional_policy(`
+ nis_read_ypbind_pid(dhcpc_t)
+')
+
+optional_policy(`
+ nscd_initrc_domtrans(dhcpc_t)
+ nscd_domtrans(dhcpc_t)
+ nscd_read_pid(dhcpc_t)
+')
+
+optional_policy(`
+ ntp_initrc_domtrans(dhcpc_t)
+')
+
+optional_policy(`
+ pcmcia_stub(dhcpc_t)
+ dev_rw_cardmgr(dhcpc_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dhcpc_t)
+ seutil_dontaudit_search_config(dhcpc_t)
+')
+
+optional_policy(`
+ udev_read_db(dhcpc_t)
+')
+
+optional_policy(`
+ userdom_use_all_users_fds(dhcpc_t)
+')
+
+optional_policy(`
+ vmware_append_log(dhcpc_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(dhcpc_t)
+ kernel_write_xen_state(dhcpc_t)
+ xen_append_log(dhcpc_t)
+ xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
+')
+
+########################################
+#
+# Ifconfig local policy
+#
+
+allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
+allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+allow ifconfig_t self:fd use;
+allow ifconfig_t self:fifo_file rw_fifo_file_perms;
+allow ifconfig_t self:sock_file read_sock_file_perms;
+allow ifconfig_t self:socket create_socket_perms;
+allow ifconfig_t self:unix_dgram_socket create_socket_perms;
+allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
+allow ifconfig_t self:unix_dgram_socket sendto;
+allow ifconfig_t self:unix_stream_socket connectto;
+allow ifconfig_t self:shm create_shm_perms;
+allow ifconfig_t self:sem create_sem_perms;
+allow ifconfig_t self:msgq create_msgq_perms;
+allow ifconfig_t self:msg { send receive };
+# Create UDP sockets, necessary when called from dhcpc
+allow ifconfig_t self:udp_socket create_socket_perms;
+# for /sbin/ip
+allow ifconfig_t self:packet_socket create_socket_perms;
+allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
+allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
+allow ifconfig_t self:tcp_socket { create ioctl };
+
+kernel_use_fds(ifconfig_t)
+kernel_read_system_state(ifconfig_t)
+kernel_read_network_state(ifconfig_t)
+kernel_request_load_module(ifconfig_t)
+kernel_search_network_sysctl(ifconfig_t)
+kernel_rw_net_sysctls(ifconfig_t)
+
+corenet_rw_tun_tap_dev(ifconfig_t)
+
+dev_read_sysfs(ifconfig_t)
+# for IPSEC setup:
+dev_read_urand(ifconfig_t)
+
+domain_use_interactive_fds(ifconfig_t)
+
+files_read_etc_files(ifconfig_t)
+files_read_etc_runtime_files(ifconfig_t)
+
+fs_getattr_xattr_fs(ifconfig_t)
+fs_search_auto_mountpoints(ifconfig_t)
+
+selinux_dontaudit_getattr_fs(ifconfig_t)
+
+term_dontaudit_use_console(ifconfig_t)
+term_dontaudit_use_all_ttys(ifconfig_t)
+term_dontaudit_use_all_ptys(ifconfig_t)
+term_dontaudit_use_ptmx(ifconfig_t)
+term_dontaudit_use_generic_ptys(ifconfig_t)
+
+files_dontaudit_read_root_files(ifconfig_t)
+
+init_use_fds(ifconfig_t)
+init_use_script_ptys(ifconfig_t)
+
+libs_read_lib_files(ifconfig_t)
+
+logging_send_syslog_msg(ifconfig_t)
+
+miscfiles_read_localization(ifconfig_t)
+
+modutils_domtrans_insmod(ifconfig_t)
+
+seutil_use_runinit_fds(ifconfig_t)
+
+userdom_use_user_terminals(ifconfig_t)
+userdom_use_all_users_fds(ifconfig_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(ifconfig_t)
+ ')
+')
+
+ifdef(`hide_broken_symptoms',`
+ optional_policy(`
+ dev_dontaudit_rw_cardmgr(ifconfig_t)
+ ')
+
+ optional_policy(`
+ udev_dontaudit_rw_dgram_sockets(ifconfig_t)
+ ')
+')
+
+optional_policy(`
+ hal_dontaudit_rw_pipes(ifconfig_t)
+ hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+')
+
+optional_policy(`
+ ipsec_write_pid(ifconfig_t)
+ ipsec_setcontext_default_spd(ifconfig_t)
+')
+
+optional_policy(`
+ networkmanager_dontaudit_use_wpa_cli_fds(ifconfig_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(ifconfig_t)
+')
+
+optional_policy(`
+ ppp_use_fds(ifconfig_t)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(ifconfig_t)
+')
+
+optional_policy(`
+ vmware_append_log(ifconfig_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(ifconfig_t)
+ kernel_write_xen_state(ifconfig_t)
+ xen_append_log(ifconfig_t)
+ xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
+')
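Review bot: `sys_tty_config` is granted in the dhcpc_t self:capability allow at the top of the "DHCP client local policy" section and then listed again in the dontaudit on the very next line; an allowed permission is never audited, so the dontaudit entry is dead and only muddies an audit of the client's capability set, and that line should read `dontaudit dhcpc_t self:capability { sys_ptrace sys_admin };`. The `ptrace` permission in `allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };` is unusual for a DHCP client and carries no justification; a one-line comment naming the component that needs it, or removing it if none does, would help the next reviewer. The fallback branch of the netutils optional_policy block grants `setuid` and `rawip_socket create_socket_perms` directly to dhcpc_t whenever the netutils module is absent, which noticeably widens the client domain in that configuration; the comment above the block explains the ping use case, but it would be clearer to repeat that intent on the else branch itself so the widening is visibly deliberate.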
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
new file mode 100644
index 00000000..25753937
--- /dev/null
+++ b/policy/modules/system/udev.fc
@@ -0,0 +1,36 @@
+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
+/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
+/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
+
+/etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
+/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+ifdef(`distro_debian',`
+/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
+')
+
+/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+')
+
+/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
+
+ifdef(`distro_debian',`
+/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
+')
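Review bot: The first entry, `/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)`, restricts the match to regular files, yet the pattern also spans the `/dev/.udev` directory tree and udev.te in this same commit grants udev_t `udev_tbl_t:dir relabelto` plus `manage_dirs_pattern` on that type, which suggests directories are meant to carry the label as well. If that is the intent, dropping the `--` (as the `/var/run/udev(/.*)?` entry further down already does) keeps restorecon and the policy in agreement; if only files are meant, a short comment saying so would stop the next reader from asking.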
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
new file mode 100644
index 00000000..9e7f2187
--- /dev/null
+++ b/policy/modules/system/udev.if
@@ -0,0 +1,291 @@
+## <summary>Policy for udev.</summary>
+
+########################################
+## <summary>
+## Send generic signals to udev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_signal',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ allow $1 udev_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute udev in the udev domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`udev_domtrans',`
+ gen_require(`
+ type udev_t, udev_exec_t;
+ ')
+
+ domtrans_pattern($1, udev_exec_t, udev_t)
+')
+
+########################################
+## <summary>
+## Execute udev in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_exec',`
+ gen_require(`
+ type udev_exec_t;
+ ')
+
+ can_exec($1, udev_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a udev helper in the udev domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`udev_helper_domtrans',`
+ gen_require(`
+ type udev_t, udev_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, udev_helper_exec_t, udev_t)
+')
+
+########################################
+## <summary>
+## Allow process to read udev process state.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_read_state',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 udev_t:file read_file_perms;
+ allow $1 udev_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit a
+## udev file descriptor.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`udev_dontaudit_use_fds',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ dontaudit $1 udev_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## to a udev unix datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`udev_dontaudit_rw_dgram_sockets',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ dontaudit $1 udev_t:unix_dgram_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get attributes
+## of a udev netlink_kobject_uevent_socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`udev_dontaudit_getattr_netlink_kobject_uevent_sockets',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ dontaudit $1 udev_t:netlink_kobject_uevent_socket getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get attributes
+## of a udev unix_stream_socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`udev_dontaudit_getattr_unix_stream_sockets',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ dontaudit $1 udev_t:unix_stream_socket getattr;
+')
+
+
+########################################
+## <summary>
+## Read udev rules files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_read_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ read_files_pattern($1, udev_rules_t, udev_rules_t)
+')
+
+
+########################################
+## <summary>
+## Manage udev rules files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_manage_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ manage_files_pattern($1, udev_rules_t, udev_rules_t)
+')
+
+########################################
+## <summary>
+## Do not audit search of udev database directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`udev_dontaudit_search_db',`
+ gen_require(`
+ type udev_tbl_t;
+ ')
+
+ dontaudit $1 udev_tbl_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read the udev device table.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read the udev device table.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`udev_read_db',`
+ gen_require(`
+ type udev_tbl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 udev_tbl_t:dir list_dir_perms;
+ read_files_pattern($1, udev_tbl_t, udev_tbl_t)
+ read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
+')
+
+########################################
+## <summary>
+## Allow process to modify list of devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_rw_db',`
+ gen_require(`
+ type udev_tbl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 udev_tbl_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## udev pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_manage_pid_files',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
+')
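Review bot: `udev_manage_pid_files` calls `files_search_var_lib($1)` before managing `udev_var_run_t`, but that type is declared with `files_pid_file` in udev.te and placed under `/var/run` by udev.fc, so the search permission handed to callers does not lead to the directory the interface is about. The sibling interface `sysnet_read_dhcpc_pid` in sysnetwork.if uses `files_list_pids($1)` for the same job; `files_search_pids($1)` is the matching call here. As a point of style, the summaries of `udev_read_rules_files` and `udev_manage_rules_files` lack the trailing period every other interface in the file uses, and both are preceded by a doubled blank line before the separator bar.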
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
new file mode 100644
index 00000000..f32e4bbc
--- /dev/null
+++ b/policy/modules/system/udev.te
@@ -0,0 +1,295 @@
+policy_module(udev, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+type udev_t;
+type udev_exec_t;
+type udev_helper_exec_t;
+kernel_domtrans_to(udev_t, udev_exec_t)
+domain_obj_id_change_exemption(udev_t)
+domain_entry_file(udev_t, udev_helper_exec_t)
+domain_interactive_fd(udev_t)
+init_daemon_domain(udev_t, udev_exec_t)
+
+type udev_etc_t alias etc_udev_t;
+files_config_file(udev_etc_t)
+
+type udev_tbl_t alias udev_tdb_t;
+files_type(udev_tbl_t)
+
+type udev_rules_t;
+files_type(udev_rules_t)
+
+type udev_var_run_t;
+files_pid_file(udev_var_run_t)
+
+ifdef(`enable_mcs',`
+ kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
+dontaudit udev_t self:capability sys_tty_config;
+allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow udev_t self:process { execmem setfscreate };
+allow udev_t self:fd use;
+allow udev_t self:fifo_file rw_fifo_file_perms;
+allow udev_t self:sock_file read_sock_file_perms;
+allow udev_t self:shm create_shm_perms;
+allow udev_t self:sem create_sem_perms;
+allow udev_t self:msgq create_msgq_perms;
+allow udev_t self:msg { send receive };
+allow udev_t self:unix_stream_socket { listen accept };
+allow udev_t self:unix_dgram_socket sendto;
+allow udev_t self:unix_stream_socket connectto;
+allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow udev_t self:rawip_socket create_socket_perms;
+
+allow udev_t udev_exec_t:file write;
+can_exec(udev_t, udev_exec_t)
+
+allow udev_t udev_helper_exec_t:dir list_dir_perms;
+can_exec(udev_t, udev_helper_exec_t)
+
+# read udev config
+allow udev_t udev_etc_t:file read_file_perms;
+
+allow udev_t udev_tbl_t:dir relabelto;
+manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+dev_filetrans(udev_t, udev_tbl_t, file)
+
+list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
+read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+
+manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
+
+kernel_read_system_state(udev_t)
+kernel_request_load_module(udev_t)
+kernel_getattr_core_if(udev_t)
+kernel_use_fds(udev_t)
+kernel_read_device_sysctls(udev_t)
+kernel_read_hotplug_sysctls(udev_t)
+kernel_read_modprobe_sysctls(udev_t)
+kernel_read_kernel_sysctls(udev_t)
+kernel_rw_hotplug_sysctls(udev_t)
+kernel_rw_unix_dgram_sockets(udev_t)
+kernel_dgram_send(udev_t)
+kernel_signal(udev_t)
+kernel_search_debugfs(udev_t)
+
+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
+kernel_rw_net_sysctls(udev_t)
+kernel_read_network_state(udev_t)
+kernel_read_software_raid_state(udev_t)
+
+corecmd_exec_all_executables(udev_t)
+
+dev_rw_sysfs(udev_t)
+dev_manage_all_dev_nodes(udev_t)
+dev_rw_generic_files(udev_t)
+dev_delete_generic_files(udev_t)
+dev_search_usbfs(udev_t)
+dev_relabel_all_dev_nodes(udev_t)
+# udev_node.c/node_symlink() symlink labels are explicitly
+# preserved, instead of short circuiting the relabel
+dev_relabel_generic_symlinks(udev_t)
+dev_manage_generic_symlinks(udev_t)
+
+domain_read_all_domains_state(udev_t)
+domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+
+files_read_usr_files(udev_t)
+files_read_etc_runtime_files(udev_t)
+files_read_etc_files(udev_t)
+files_exec_etc_files(udev_t)
+files_dontaudit_search_isid_type_dirs(udev_t)
+files_getattr_generic_locks(udev_t)
+files_search_mnt(udev_t)
+
+fs_getattr_all_fs(udev_t)
+fs_list_inotifyfs(udev_t)
+fs_rw_anon_inodefs_files(udev_t)
+
+mcs_ptrace_all(udev_t)
+
+mls_file_read_all_levels(udev_t)
+mls_file_write_all_levels(udev_t)
+mls_file_upgrade(udev_t)
+mls_file_downgrade(udev_t)
+mls_process_write_down(udev_t)
+
+selinux_get_fs_mount(udev_t)
+selinux_validate_context(udev_t)
+selinux_compute_access_vector(udev_t)
+selinux_compute_create_context(udev_t)
+selinux_compute_relabel_context(udev_t)
+selinux_compute_user_contexts(udev_t)
+
+auth_read_pam_console_data(udev_t)
+auth_domtrans_pam_console(udev_t)
+auth_use_nsswitch(udev_t)
+
+init_read_utmp(udev_t)
+init_dontaudit_write_utmp(udev_t)
+init_getattr_initctl(udev_t)
+
+logging_search_logs(udev_t)
+logging_send_syslog_msg(udev_t)
+logging_send_audit_msgs(udev_t)
+
+miscfiles_read_localization(udev_t)
+miscfiles_read_hwdata(udev_t)
+
+modutils_domtrans_insmod(udev_t)
+# read modules.inputmap:
+modutils_read_module_deps(udev_t)
+
+seutil_read_config(udev_t)
+seutil_read_default_contexts(udev_t)
+seutil_read_file_contexts(udev_t)
+seutil_domtrans_setfiles(udev_t)
+
+sysnet_domtrans_ifconfig(udev_t)
+sysnet_domtrans_dhcpc(udev_t)
+sysnet_rw_dhcp_config(udev_t)
+sysnet_read_dhcpc_pid(udev_t)
+sysnet_delete_dhcpc_pid(udev_t)
+sysnet_signal_dhcpc(udev_t)
+sysnet_manage_config(udev_t)
+sysnet_etc_filetrans_config(udev_t)
+
+userdom_dontaudit_search_user_home_content(udev_t)
+
+ifdef(`distro_gentoo',`
+ # during boot, init scripts use /dev/.rcsysinit
+ # existance to determine if we are in early booting
+ init_getattr_script_status_files(udev_t)
+ init_domtrans_script(udev_t)
+')
+
+ifdef(`distro_redhat',`
+ fs_manage_tmpfs_dirs(udev_t)
+ fs_manage_tmpfs_files(udev_t)
+ fs_manage_tmpfs_symlinks(udev_t)
+ fs_manage_tmpfs_sockets(udev_t)
+ fs_manage_tmpfs_blk_files(udev_t)
+ fs_manage_tmpfs_chr_files(udev_t)
+ fs_relabel_tmpfs_blk_file(udev_t)
+ fs_relabel_tmpfs_chr_file(udev_t)
+
+ term_search_ptys(udev_t)
+
+ # for arping used for static IP addresses on PCMCIA ethernet
+ netutils_domtrans(udev_t)
+
+ optional_policy(`
+ unconfined_domain(udev_t)
+ ')
+')
+
+optional_policy(`
+ alsa_domtrans(udev_t)
+ alsa_read_lib(udev_t)
+ alsa_read_rw_config(udev_t)
+')
+
+optional_policy(`
+ bluetooth_domtrans(udev_t)
+')
+
+optional_policy(`
+ brctl_domtrans(udev_t)
+')
+
+optional_policy(`
+ clock_domtrans(udev_t)
+')
+
+optional_policy(`
+ consoletype_exec(udev_t)
+')
+
+optional_policy(`
+ cups_domtrans_config(udev_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(udev_t)
+')
+
+optional_policy(`
+ devicekit_read_pid_files(udev_t)
+ devicekit_dgram_send(udev_t)
+')
+
+optional_policy(`
+ lvm_domtrans(udev_t)
+')
+
+optional_policy(`
+ fstools_domtrans(udev_t)
+')
+
+optional_policy(`
+ hal_dgram_send(udev_t)
+
+ ifdef(`hide_broken_symptoms',`
+ hal_dontaudit_rw_dgram_sockets(udev_t)
+ ')
+')
+
+optional_policy(`
+ hotplug_read_config(udev_t)
+ # usb.agent searches /var/run/usb
+ hotplug_search_pids(udev_t)
+')
+
+optional_policy(`
+ mount_domtrans(udev_t)
+')
+
+optional_policy(`
+ openct_read_pid_files(udev_t)
+ openct_domtrans(udev_t)
+')
+
+optional_policy(`
+ pcscd_read_pub_files(udev_t)
+ pcscd_domtrans(udev_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(udev_t)
+')
+
+optional_policy(`
+ unconfined_signal(udev_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(udev_t)
+')
+
+optional_policy(`
+ kernel_write_xen_state(udev_t)
+ kernel_read_xen_state(udev_t)
+ xen_manage_log(udev_t)
+ xen_read_image_files(udev_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(udev_t)
+')
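Review bot: `sys_nice` appears twice in the udev_t self:capability allow at the top of the "Local policy" section, and the two self:process rules that follow contradict each other: the first excludes `execmem` and `setfscreate` through the complement set and the second grants exactly those two, so the net effect is everything except `setcurrent setexec setrlimit execstack execheap`. Writing that directly, `allow udev_t self:process ~{ setcurrent setexec setrlimit execstack execheap };`, and deleting the second rule makes the granted set readable at a glance instead of requiring the reader to union the two lines. Separately, `allow udev_t udev_exec_t:file write;` lets the daemon modify its own entry-point executable, which undermines the integrity guarantee of the udev_t domain transition; if some udev component genuinely writes to a file labelled udev_exec_t, a comment naming it should sit on that line, otherwise the rule should go.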
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
new file mode 100644
index 00000000..4902c116
--- /dev/null
+++ b/policy/modules/system/unconfined.fc
@@ -0,0 +1,21 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+
+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+
+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/bin/gcj-dbtool-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/gij-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/lib/openoffice/program/soffice\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
new file mode 100644
index 00000000..db7aabbf
--- /dev/null
+++ b/policy/modules/system/unconfined.if
@@ -0,0 +1,589 @@
+## <summary>The unconfined domain.</summary>
+
+########################################
+## <summary>
+## Make the specified domain unconfined.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to make unconfined.
+## </summary>
+## </param>
+#
+interface(`unconfined_domain_noaudit',`
+ gen_require(`
+ type unconfined_t;
+ class dbus all_dbus_perms;
+ class nscd all_nscd_perms;
+ class passwd all_passwd_perms;
+ ')
+
+ # Use most Linux capabilities
+ allow $1 self:capability ~sys_module;
+ allow $1 self:fifo_file manage_fifo_file_perms;
+
+ # Transition to myself, to make get_ordered_context_list happy.
+ allow $1 self:process transition;
+
+ # Write access is for setting attributes under /proc/self/attr.
+ allow $1 self:file rw_file_perms;
+
+ # Userland object managers
+ allow $1 self:nscd *;
+ allow $1 self:dbus *;
+ allow $1 self:passwd *;
+ allow $1 self:association *;
+
+ kernel_unconfined($1)
+ corenet_unconfined($1)
+ dev_unconfined($1)
+ domain_unconfined($1)
+ domain_dontaudit_read_all_domains_state($1)
+ domain_dontaudit_ptrace_all_domains($1)
+ files_unconfined($1)
+ fs_unconfined($1)
+ selinux_unconfined($1)
+
+ tunable_policy(`allow_execheap',`
+ # Allow making the stack executable via mprotect.
+ allow $1 self:process execheap;
+ ')
+
+ tunable_policy(`allow_execmem',`
+ # Allow making anonymous memory executable, e.g.
+ # for runtime-code generation or executable stack.
+ allow $1 self:process execmem;
+ ')
+
+ tunable_policy(`allow_execstack',`
+ # Allow making the stack executable via mprotect;
+ # execstack implies execmem;
+ allow $1 self:process { execstack execmem };
+# auditallow $1 self:process execstack;
+ ')
+
+ optional_policy(`
+ auth_unconfined($1)
+ ')
+
+ optional_policy(`
+ # Communicate via dbusd.
+ dbus_system_bus_unconfined($1)
+ ')
+
+ optional_policy(`
+ ipsec_setcontext_default_spd($1)
+ ipsec_match_default_spd($1)
+ ')
+
+ optional_policy(`
+ nscd_unconfined($1)
+ ')
+
+ optional_policy(`
+ postgresql_unconfined($1)
+ ')
+
+ optional_policy(`
+ seutil_create_bin_policy($1)
+ seutil_relabelto_bin_policy($1)
+ ')
+
+ optional_policy(`
+ storage_unconfined($1)
+ ')
+
+ optional_policy(`
+ xserver_unconfined($1)
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified domain unconfined and
+## audit executable heap usage.
+## </summary>
+## <desc>
+## <p>
+## Make the specified domain unconfined and
+## audit executable heap usage. With exception
+## of memory protections, usage of this interface
+## will result in the level of access the domain has
+## is like SELinux was not being used.
+## </p>
+## <p>
+## Only completely trusted domains should use this interface.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to make unconfined.
+## </summary>
+## </param>
+#
+interface(`unconfined_domain',`
+ unconfined_domain_noaudit($1)
+
+ tunable_policy(`allow_execheap',`
+ auditallow $1 self:process execheap;
+ ')
+')
+
+########################################
+## <summary>
+## Add an alias type to the unconfined domain. (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Add an alias type to the unconfined domain. (Deprecated)
+## </p>
+## <p>
+## This is added to support targeted policy. Its
+## use should be limited. It has no effect
+## on the strict policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## New alias of the unconfined domain.
+## </summary>
+## </param>
+#
+interface(`unconfined_alias_domain',`
+ refpolicywarn(`$0($1) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Add an alias type to the unconfined execmem
+## program file type. (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Add an alias type to the unconfined execmem
+## program file type. (Deprecated)
+## </p>
+## <p>
+## This is added to support targeted policy. Its
+## use should be limited. It has no effect
+## on the strict policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## New alias of the unconfined execmem program type.
+## </summary>
+## </param>
+#
+interface(`unconfined_execmem_alias_program',`
+ refpolicywarn(`$0($1) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Transition to the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`unconfined_domtrans',`
+ gen_require(`
+ type unconfined_t, unconfined_exec_t;
+ ')
+
+ domtrans_pattern($1, unconfined_exec_t, unconfined_t)
+')
+
+########################################
+## <summary>
+## Execute specified programs in the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the unconfined domain.
+## </summary>
+## </param>
+#
+interface(`unconfined_run',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ unconfined_domtrans($1)
+ role $2 types unconfined_t;
+')
+
+########################################
+## <summary>
+## Transition to the unconfined domain by executing a shell.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`unconfined_shell_domtrans',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ corecmd_shell_domtrans($1, unconfined_t)
+ allow unconfined_t $1:fd use;
+ allow unconfined_t $1:fifo_file rw_file_perms;
+ allow unconfined_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Allow unconfined to execute the specified program in
+## the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Allow unconfined to execute the specified program in
+## the specified domain.
+## </p>
+## <p>
+## This is a interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to execute in.
+## </summary>
+## </param>
+## <param name="entry_file">
+## <summary>
+## Domain entry point file.
+## </summary>
+## </param>
+#
+interface(`unconfined_domtrans_to',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ domtrans_pattern(unconfined_t,$2,$1)
+')
+
+########################################
+## <summary>
+## Allow unconfined to execute the specified program in
+## the specified domain. Allow the specified domain the
+## unconfined role and use of unconfined user terminals.
+## </summary>
+## <desc>
+## <p>
+## Allow unconfined to execute the specified program in
+## the specified domain. Allow the specified domain the
+## unconfined role and use of unconfined user terminals.
+## </p>
+## <p>
+## This is a interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to execute in.
+## </summary>
+## </param>
+## <param name="entry_file">
+## <summary>
+## Domain entry point file.
+## </summary>
+## </param>
+#
+interface(`unconfined_run_to',`
+ gen_require(`
+ type unconfined_t;
+ role unconfined_r;
+ ')
+
+ domtrans_pattern(unconfined_t,$2,$1)
+ role unconfined_r types $1;
+ userdom_use_user_terminals($1)
+')
+
+########################################
+## <summary>
+## Inherit file descriptors from the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_use_fds',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fd use;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_sigchld',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send a SIGNULL signal to the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_signull',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process signull;
+')
+
+########################################
+## <summary>
+## Send generic signals to the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_signal',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process signal;
+')
+
+########################################
+## <summary>
+## Read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_read_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_read_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:fifo_file read;
+')
+
+########################################
+## <summary>
+## Read and write unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_rw_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to the unconfined domain using
+## a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_stream_connect',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## unconfined domain tcp sockets.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to read or write
+## unconfined domain tcp sockets.
+## </p>
+## <p>
+## This interface was added due to a broken
+## symptom in ldconfig.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Create keys for the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_create_keys',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:key create;
+')
+
+########################################
+## <summary>
+## Send messages to the unconfined domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_dbus_send',`
+ gen_require(`
+ type unconfined_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 unconfined_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## unconfined_t over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_dbus_chat',`
+ gen_require(`
+ type unconfined_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 unconfined_t:dbus send_msg;
+ allow unconfined_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Connect to the the unconfined DBUS
+## for service (acquire_svc).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_dbus_connect',`
+ gen_require(`
+ type unconfined_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 unconfined_t:dbus acquire_svc;
+')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
new file mode 100644
index 00000000..70ac50b9
--- /dev/null
+++ b/policy/modules/system/unconfined.te
@@ -0,0 +1,240 @@
+policy_module(unconfined, 3.4.0)
+
+########################################
+#
+# Declarations
+#
+
+# usage in this module of types created by these
+# calls is not correct, however we dont currently
+# have another method to add access to these types
+userdom_base_user_template(unconfined)
+userdom_manage_home_role(unconfined_r, unconfined_t)
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
+
+type unconfined_exec_t;
+init_system_domain(unconfined_t, unconfined_exec_t)
+
+type unconfined_execmem_t;
+type unconfined_execmem_exec_t;
+init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+role unconfined_r types unconfined_execmem_t;
+
+########################################
+#
+# Local policy
+#
+
+domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
+
+files_create_boot_flag(unconfined_t)
+
+mcs_killall(unconfined_t)
+mcs_ptrace_all(unconfined_t)
+
+init_run_daemon(unconfined_t, unconfined_r)
+
+libs_run_ldconfig(unconfined_t, unconfined_r)
+
+logging_send_syslog_msg(unconfined_t)
+logging_run_auditctl(unconfined_t, unconfined_r)
+
+mount_run_unconfined(unconfined_t, unconfined_r)
+
+seutil_run_setfiles(unconfined_t, unconfined_r)
+seutil_run_semanage(unconfined_t, unconfined_r)
+
+unconfined_domain(unconfined_t)
+
+userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
+
+ifdef(`distro_gentoo',`
+ seutil_run_runinit(unconfined_t, unconfined_r)
+ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ ada_domtrans(unconfined_t)
+')
+
+optional_policy(`
+ apache_run_helper(unconfined_t, unconfined_r)
+ apache_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+ bind_run_ndc(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ bootloader_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ cron_unconfined_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+ init_dbus_chat_script(unconfined_t)
+
+ dbus_stub(unconfined_t)
+
+ optional_policy(`
+ avahi_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
+ bluetooth_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
+ cups_dbus_chat_config(unconfined_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
+ oddjob_dbus_chat(unconfined_t)
+ ')
+')
+
+optional_policy(`
+ firstboot_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ ftp_run_ftpdctl(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ hadoop_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+ inn_domtrans(unconfined_t)
+')
+
+optional_policy(`
+ java_run_unconfined(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ lpd_run_checkpc(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ modutils_run_update_mods(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ mono_domtrans(unconfined_t)
+')
+
+optional_policy(`
+ mta_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+ oddjob_domtrans_mkhomedir(unconfined_t)
+')
+
+optional_policy(`
+ portage_run(unconfined_t, unconfined_r)
+ portage_run_fetch(unconfined_t, unconfined_r)
+ portage_run_gcc_config(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ prelink_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ portmap_run_helper(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ postfix_run_map(unconfined_t, unconfined_r)
+ # cjp: this should probably be removed:
+ postfix_domtrans_master(unconfined_t)
+')
+
+optional_policy(`
+ pyzor_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+ # cjp: this should probably be removed:
+ rpc_domtrans_nfsd(unconfined_t)
+')
+
+optional_policy(`
+ rpm_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ samba_run_net(unconfined_t, unconfined_r)
+ samba_run_winbind_helper(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ spamassassin_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+ sysnet_run_dhcpc(unconfined_t, unconfined_r)
+ sysnet_dbus_chat_dhcpc(unconfined_t)
+')
+
+optional_policy(`
+ tzdata_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ usermanage_run_admin_passwd(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ vpn_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ webalizer_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ wine_domtrans(unconfined_t)
+')
+
+optional_policy(`
+ xserver_role(unconfined_r, unconfined_t)
+')
+
+########################################
+#
+# Unconfined Execmem Local policy
+#
+
+allow unconfined_execmem_t self:process { execstack execmem };
+unconfined_domain_noaudit(unconfined_execmem_t)
+
+optional_policy(`
+ dbus_stub(unconfined_execmem_t)
+
+ init_dbus_chat_script(unconfined_execmem_t)
+ unconfined_dbus_chat(unconfined_execmem_t)
+
+ optional_policy(`
+ hal_dbus_chat(unconfined_execmem_t)
+ ')
+')
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
new file mode 100644
index 00000000..db759768
--- /dev/null
+++ b/policy/modules/system/userdomain.fc
@@ -0,0 +1,4 @@
+HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+
+/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
new file mode 100644
index 00000000..8d1a5882
--- /dev/null
+++ b/policy/modules/system/userdomain.if
@@ -0,0 +1,3278 @@
+## <summary>Policy for user domains</summary>
+
+#######################################
+## <summary>
+## The template containing the most basic rules common to all users.
+## </summary>
+## <desc>
+## <p>
+## The template containing the most basic rules common to all users.
+## </p>
+## <p>
+## This template creates a user domain, types, and
+## rules for the user's tty and pty.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_base_user_template',`
+
+ gen_require(`
+ attribute userdomain;
+ type user_devpts_t, user_tty_device_t;
+ class context contains;
+ ')
+
+ attribute $1_file_type;
+
+ type $1_t, userdomain;
+ domain_type($1_t)
+ corecmd_shell_entry_type($1_t)
+ corecmd_bin_entry_type($1_t)
+ domain_user_exemption_target($1_t)
+ ubac_constrained($1_t)
+ role $1_r;
+ role $1_r types $1_t;
+ allow system_r $1_r;
+
+ term_user_pty($1_t, user_devpts_t)
+
+ term_user_tty($1_t, user_tty_device_t)
+
+ allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
+ allow $1_t self:fd use;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow $1_t self:shm create_shm_perms;
+ allow $1_t self:sem create_sem_perms;
+ allow $1_t self:msgq create_msgq_perms;
+ allow $1_t self:msg { send receive };
+ allow $1_t self:context contains;
+ dontaudit $1_t self:socket create;
+
+ allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
+ term_create_pty($1_t, user_devpts_t)
+ # avoid annoying messages on terminal hangup on role change
+ dontaudit $1_t user_devpts_t:chr_file ioctl;
+
+ allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
+ # avoid annoying messages on terminal hangup on role change
+ dontaudit $1_t user_tty_device_t:chr_file ioctl;
+
+ kernel_read_kernel_sysctls($1_t)
+ kernel_dontaudit_list_unlabeled($1_t)
+ kernel_dontaudit_getattr_unlabeled_files($1_t)
+ kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
+ kernel_dontaudit_getattr_unlabeled_pipes($1_t)
+ kernel_dontaudit_getattr_unlabeled_sockets($1_t)
+ kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
+ kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
+
+ dev_dontaudit_getattr_all_blk_files($1_t)
+ dev_dontaudit_getattr_all_chr_files($1_t)
+
+ # When the user domain runs ps, there will be a number of access
+ # denials when ps tries to search /proc. Do not audit these denials.
+ domain_dontaudit_read_all_domains_state($1_t)
+ domain_dontaudit_getattr_all_domains($1_t)
+ domain_dontaudit_getsession_all_domains($1_t)
+
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+ files_read_usr_files($1_t)
+ # Read directories and files with the readable_t type.
+ # This type is a general type for "world"-readable files.
+ files_list_world_readable($1_t)
+ files_read_world_readable_files($1_t)
+ files_read_world_readable_symlinks($1_t)
+ files_read_world_readable_pipes($1_t)
+ files_read_world_readable_sockets($1_t)
+ # old broswer_domain():
+ files_dontaudit_list_non_security($1_t)
+ files_dontaudit_getattr_non_security_files($1_t)
+ files_dontaudit_getattr_non_security_symlinks($1_t)
+ files_dontaudit_getattr_non_security_pipes($1_t)
+ files_dontaudit_getattr_non_security_sockets($1_t)
+
+ libs_exec_ld_so($1_t)
+
+ miscfiles_read_localization($1_t)
+ miscfiles_read_generic_certs($1_t)
+
+ sysnet_read_config($1_t)
+
+ tunable_policy(`allow_execmem',`
+ # Allow loading DSOs that require executable stack.
+ allow $1_t self:process execmem;
+ ')
+
+ tunable_policy(`allow_execmem && allow_execstack',`
+ # Allow making the stack executable via mprotect.
+ allow $1_t self:process execstack;
+ ')
+')
+
+#######################################
+## <summary>
+## Allow a home directory for which the
+## role has read-only access.
+## </summary>
+## <desc>
+## <p>
+## Allow a home directory for which the
+## role has read-only access.
+## </p>
+## <p>
+## This does not allow execute access.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## The user role
+## </summary>
+## </param>
+## <param name="userdomain">
+## <summary>
+## The user domain
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_ro_home_role',`
+ gen_require(`
+ type user_home_t, user_home_dir_t;
+ ')
+
+ ##############################
+ #
+ # Domain access to home dir
+ #
+
+ type_member $2 user_home_dir_t:dir user_home_dir_t;
+
+ # read-only home directory
+ allow $2 user_home_dir_t:dir list_dir_perms;
+ allow $2 user_home_t:dir list_dir_perms;
+ allow $2 user_home_t:file entrypoint;
+ read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ files_list_home($2)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($2)
+ fs_read_nfs_files($2)
+ fs_read_nfs_symlinks($2)
+ fs_read_nfs_named_sockets($2)
+ fs_read_nfs_named_pipes($2)
+ ',`
+ fs_dontaudit_list_nfs($2)
+ fs_dontaudit_read_nfs_files($2)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($2)
+ fs_read_cifs_files($2)
+ fs_read_cifs_symlinks($2)
+ fs_read_cifs_named_sockets($2)
+ fs_read_cifs_named_pipes($2)
+ ',`
+ fs_dontaudit_list_cifs($2)
+ fs_dontaudit_read_cifs_files($2)
+ ')
+')
+
+#######################################
+## <summary>
+## Allow a home directory for which the
+## role has full access.
+## </summary>
+## <desc>
+## <p>
+## Allow a home directory for which the
+## role has full access.
+## </p>
+## <p>
+## This does not allow execute access.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## The user role
+## </summary>
+## </param>
+## <param name="userdomain">
+## <summary>
+## The user domain
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_manage_home_role',`
+ gen_require(`
+ type user_home_t, user_home_dir_t;
+ ')
+
+ ##############################
+ #
+ # Domain access to home dir
+ #
+
+ type_member $2 user_home_dir_t:dir user_home_dir_t;
+
+ # full control of the home directory
+ allow $2 user_home_t:file entrypoint;
+ manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+ files_list_home($2)
+
+ # manage user xdg locations
+ xdg_manage_generic_cache_home_content($2)
+ xdg_manage_generic_config_home_content($2)
+ xdg_manage_generic_data_home_content($2)
+ xdg_manage_generic_runtime_home_content($2)
+ xdg_relabel_generic_cache_home_content($2)
+ xdg_relabel_generic_config_home_content($2)
+ xdg_relabel_generic_data_home_content($2)
+ xdg_relabel_generic_runtime_home_content($2)
+
+ # cjp: this should probably be removed:
+ allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($2)
+ fs_manage_nfs_files($2)
+ fs_manage_nfs_symlinks($2)
+ fs_manage_nfs_named_sockets($2)
+ fs_manage_nfs_named_pipes($2)
+ ',`
+ fs_dontaudit_manage_nfs_dirs($2)
+ fs_dontaudit_manage_nfs_files($2)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs($2)
+ fs_manage_cifs_files($2)
+ fs_manage_cifs_symlinks($2)
+ fs_manage_cifs_named_sockets($2)
+ fs_manage_cifs_named_pipes($2)
+ ',`
+ fs_dontaudit_manage_cifs_dirs($2)
+ fs_dontaudit_manage_cifs_files($2)
+ ')
+')
+
+#######################################
+## <summary>
+## Manage user temporary files
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_manage_tmp_role',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ files_poly_member_tmp($2, user_tmp_t)
+
+ manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
+ manage_files_pattern($2, user_tmp_t, user_tmp_t)
+ manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
+ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
+ manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
+ files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+')
+
+#######################################
+## <summary>
+## The execute access user temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_exec_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ exec_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+#######################################
+## <summary>
+## Role access for the user tmpfs type
+## that the user has full access.
+## </summary>
+## <desc>
+## <p>
+## Role access for the user tmpfs type
+## that the user has full access.
+## </p>
+## <p>
+## This does not allow execute access.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_manage_tmpfs_role',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
+ manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+ manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+ manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+ manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+ fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+')
+
+#######################################
+## <summary>
+## The template allowing the user basic
+## network permissions
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_basic_networking_template',`
+ gen_require(`
+ type $1_t;
+ ')
+
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_udp_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_generic_node($1_t)
+ corenet_udp_sendrecv_generic_node($1_t)
+ corenet_tcp_sendrecv_all_ports($1_t)
+ corenet_udp_sendrecv_all_ports($1_t)
+ corenet_tcp_connect_all_ports($1_t)
+ corenet_sendrecv_all_client_packets($1_t)
+
+ corenet_all_recvfrom_labeled($1_t, $1_t)
+
+ optional_policy(`
+ init_tcp_recvfrom_all_daemons($1_t)
+ init_udp_recvfrom_all_daemons($1_t)
+ ')
+
+ optional_policy(`
+ ipsec_match_default_spd($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The template for creating a user xwindows client. (Deprecated)
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_xwindows_client_template',`
+ refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
+ gen_require(`
+ type $1_t, user_tmpfs_t;
+ ')
+
+ dev_rw_xserver_misc($1_t)
+ dev_rw_power_management($1_t)
+ dev_read_input($1_t)
+ dev_read_misc($1_t)
+ dev_write_misc($1_t)
+ # open office is looking for the following
+ dev_getattr_agp_dev($1_t)
+ dev_dontaudit_rw_dri($1_t)
+ # GNOME checks for usb and other devices:
+ dev_rw_usbfs($1_t)
+
+ xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
+ xserver_xsession_entry_type($1_t)
+ xserver_dontaudit_write_log($1_t)
+ xserver_stream_connect_xdm($1_t)
+ # certain apps want to read xdm.pid file
+ xserver_read_xdm_pid($1_t)
+ # gnome-session creates socket under /tmp/.ICE-unix/
+ xserver_create_xdm_tmp_sockets($1_t)
+ # Needed for escd, remove if we get escd policy
+ xserver_manage_xdm_tmp_files($1_t)
+')
+
+#######################################
+## <summary>
+## The template for allowing the user to change passwords.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_change_password_template',`
+ gen_require(`
+ type $1_t;
+ role $1_r;
+ ')
+
+ optional_policy(`
+ usermanage_run_chfn($1_t, $1_r)
+ usermanage_run_passwd($1_t, $1_r)
+ ')
+')
+
+#######################################
+## <summary>
+## The template containing rules common to unprivileged
+## users and administrative users.
+## </summary>
+## <desc>
+## <p>
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, tmp, and tmpfs files.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`userdom_common_user_template',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ userdom_basic_networking_template($1)
+
+ ##############################
+ #
+ # User domain Local policy
+ #
+
+ # evolution and gnome-session try to create a netlink socket
+ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+
+ allow $1_t unpriv_userdomain:fd use;
+
+ kernel_read_system_state($1_t)
+ kernel_read_network_state($1_t)
+ kernel_read_net_sysctls($1_t)
+ # Very permissive allowing every domain to see every type:
+ kernel_get_sysvipc_info($1_t)
+ # Find CDROM devices:
+ kernel_read_device_sysctls($1_t)
+
+ corecmd_exec_bin($1_t)
+
+ corenet_udp_bind_generic_node($1_t)
+ corenet_udp_bind_generic_port($1_t)
+
+ dev_read_rand($1_t)
+ dev_write_sound($1_t)
+ dev_read_sound($1_t)
+ dev_read_sound_mixer($1_t)
+ dev_write_sound_mixer($1_t)
+
+ files_exec_etc_files($1_t)
+ files_search_locks($1_t)
+ # Check to see if cdrom is mounted
+ files_search_mnt($1_t)
+ # cjp: perhaps should cut back on file reads:
+ files_read_var_files($1_t)
+ files_read_var_symlinks($1_t)
+ files_read_generic_spool($1_t)
+ files_read_var_lib_files($1_t)
+ # Stat lost+found.
+ files_getattr_lost_found_dirs($1_t)
+
+ fs_rw_cgroup_files($1_t)
+
+ # cjp: some of this probably can be removed
+ selinux_get_fs_mount($1_t)
+ selinux_validate_context($1_t)
+ selinux_compute_access_vector($1_t)
+ selinux_compute_create_context($1_t)
+ selinux_compute_relabel_context($1_t)
+ selinux_compute_user_contexts($1_t)
+
+ # for eject
+ storage_getattr_fixed_disk_dev($1_t)
+
+ auth_use_nsswitch($1_t)
+ auth_read_login_records($1_t)
+ auth_search_pam_console_data($1_t)
+ auth_run_pam($1_t, $1_r)
+ auth_run_utempter($1_t, $1_r)
+
+ init_read_utmp($1_t)
+
+ seutil_read_file_contexts($1_t)
+ seutil_read_default_contexts($1_t)
+ seutil_run_newrole($1_t, $1_r)
+ seutil_exec_checkpolicy($1_t)
+ seutil_exec_setfiles($1_t)
+ # for when the network connection is killed
+ # this is needed when a login role can change
+ # to this one.
+ seutil_dontaudit_signal_newrole($1_t)
+
+ tunable_policy(`user_direct_mouse',`
+ dev_read_mouse($1_t)
+ ')
+
+ tunable_policy(`user_ttyfile_stat',`
+ term_getattr_all_ttys($1_t)
+ ')
+
+ optional_policy(`
+ alsa_manage_home_files($1_t)
+ alsa_read_rw_config($1_t)
+ alsa_relabel_home_files($1_t)
+ ')
+
+ optional_policy(`
+ # Allow graphical boot to check battery lifespan
+ apm_stream_connect($1_t)
+ ')
+
+ optional_policy(`
+ canna_stream_connect($1_t)
+ ')
+
+ optional_policy(`
+ dbus_system_bus_client($1_t)
+
+ optional_policy(`
+ bluetooth_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
+ evolution_dbus_chat($1_t)
+ evolution_alarm_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
+ cups_dbus_chat_config($1_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat($1_t)
+ ')
+ ')
+
+ optional_policy(`
+ inetd_use_fds($1_t)
+ inetd_rw_tcp_sockets($1_t)
+ ')
+
+ optional_policy(`
+ inn_read_config($1_t)
+ inn_read_news_lib($1_t)
+ inn_read_news_spool($1_t)
+ ')
+
+ optional_policy(`
+ locate_read_lib_files($1_t)
+ ')
+
+ # for running depmod as part of the kernel packaging process
+ optional_policy(`
+ modutils_read_module_config($1_t)
+ ')
+
+ optional_policy(`
+ mta_rw_spool($1_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`allow_user_mysql_connect',`
+ mysql_stream_connect($1_t)
+ ')
+ ')
+
+ optional_policy(`
+ oident_manage_user_content($1_t)
+ oident_relabel_user_content($1_t)
+ ')
+
+ optional_policy(`
+ # to allow monitoring of pcmcia status
+ pcmcia_read_pid($1_t)
+ ')
+
+ optional_policy(`
+ pcscd_read_pub_files($1_t)
+ pcscd_stream_connect($1_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`allow_user_postgresql_connect',`
+ postgresql_stream_connect($1_t)
+ postgresql_tcp_connect($1_t)
+ ')
+ ')
+
+ optional_policy(`
+ resmgr_stream_connect($1_t)
+ ')
+
+ optional_policy(`
+ rpc_dontaudit_getattr_exports($1_t)
+ rpc_manage_nfs_rw_content($1_t)
+ ')
+
+ optional_policy(`
+ samba_stream_connect_winbind($1_t)
+ ')
+
+ optional_policy(`
+ slrnpull_search_spool($1_t)
+ ')
+
+ optional_policy(`
+ usernetctl_run($1_t, $1_r)
+ ')
+')
+
+#######################################
+## <summary>
+## The template for creating a login user.
+## </summary>
+## <desc>
+## <p>
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`userdom_login_user_template', `
+ gen_require(`
+ class context contains;
+ ')
+
+ userdom_base_user_template($1)
+
+ userdom_manage_home_role($1_r, $1_t)
+
+ userdom_manage_tmp_role($1_r, $1_t)
+ userdom_manage_tmpfs_role($1_r, $1_t)
+
+ userdom_exec_user_tmp_files($1_t)
+ userdom_exec_user_home_content_files($1_t)
+
+ userdom_change_password_template($1)
+
+ ##############################
+ #
+ # User domain Local policy
+ #
+
+ allow $1_t self:capability { setgid chown fowner };
+ dontaudit $1_t self:capability { sys_nice fsetid };
+
+ allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
+ dontaudit $1_t self:process setrlimit;
+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+
+ allow $1_t self:context contains;
+
+ kernel_dontaudit_read_system_state($1_t)
+
+ dev_read_sysfs($1_t)
+ dev_read_urand($1_t)
+
+ domain_use_interactive_fds($1_t)
+ # Command completion can fire hundreds of denials
+ domain_dontaudit_exec_all_entry_files($1_t)
+
+ files_dontaudit_list_default($1_t)
+ files_dontaudit_read_default_files($1_t)
+ # Stat lost+found.
+ files_getattr_lost_found_dirs($1_t)
+
+ fs_get_all_fs_quotas($1_t)
+ fs_getattr_all_fs($1_t)
+ fs_getattr_all_dirs($1_t)
+ fs_search_auto_mountpoints($1_t)
+ fs_list_cgroup_dirs($1_t)
+ fs_list_inotifyfs($1_t)
+ fs_rw_anon_inodefs_files($1_t)
+ fs_dontaudit_rw_cgroup_files($1_t)
+
+ auth_dontaudit_write_login_records($1_t)
+
+ application_exec_all($1_t)
+
+ # The library functions always try to open read-write first,
+ # then fall back to read-only if it fails.
+ init_dontaudit_rw_utmp($1_t)
+ # Stop warnings about access to /dev/console
+ init_dontaudit_use_fds($1_t)
+ init_dontaudit_use_script_fds($1_t)
+
+ libs_exec_lib_files($1_t)
+
+ logging_dontaudit_getattr_all_logs($1_t)
+
+ miscfiles_read_man_pages($1_t)
+ # for running TeX programs
+ miscfiles_read_tetex_data($1_t)
+ miscfiles_exec_tetex_data($1_t)
+
+ seutil_read_config($1_t)
+
+ optional_policy(`
+ cups_read_config($1_t)
+ cups_stream_connect($1_t)
+ cups_stream_connect_ptal($1_t)
+ ')
+
+ optional_policy(`
+ kerberos_use($1_t)
+ ')
+
+ optional_policy(`
+ mta_dontaudit_read_spool_symlinks($1_t)
+ ')
+
+ optional_policy(`
+ quota_dontaudit_getattr_db($1_t)
+ ')
+
+ optional_policy(`
+ rpm_read_db($1_t)
+ rpm_dontaudit_manage_db($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The template for creating a unprivileged login user.
+## </summary>
+## <desc>
+## <p>
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`userdom_restricted_user_template',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ userdom_login_user_template($1)
+
+ typeattribute $1_t unpriv_userdomain;
+ domain_interactive_fd($1_t)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ optional_policy(`
+ loadkeys_run($1_t, $1_r)
+ ')
+')
+
+#######################################
+## <summary>
+## The template for creating a unprivileged xwindows login user.
+## </summary>
+## <desc>
+## <p>
+## The template for creating a unprivileged xwindows login user.
+## </p>
+## <p>
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`userdom_restricted_xwindows_user_template',`
+
+ userdom_restricted_user_template($1)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ auth_role($1_r, $1_t)
+ auth_search_pam_console_data($1_t)
+
+ dev_read_sound($1_t)
+ dev_write_sound($1_t)
+ # gnome keyring wants to read this.
+ dev_dontaudit_read_rand($1_t)
+
+ logging_send_syslog_msg($1_t)
+ logging_dontaudit_send_audit_msgs($1_t)
+
+ # Need to to this just so screensaver will work. Should be moved to screensaver domain
+ logging_send_audit_msgs($1_t)
+ selinux_get_enforce_mode($1_t)
+
+ xserver_restricted_role($1_r, $1_t)
+
+ optional_policy(`
+ alsa_read_rw_config($1_t)
+ ')
+
+ optional_policy(`
+ dbus_role_template($1, $1_r, $1_t)
+ dbus_system_bus_client($1_t)
+
+ optional_policy(`
+ consolekit_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
+ cups_dbus_chat($1_t)
+ ')
+ ')
+
+ optional_policy(`
+ java_role($1_r, $1_t)
+ ')
+
+ optional_policy(`
+ setroubleshoot_dontaudit_stream_connect($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The template for creating a unprivileged user roughly
+## equivalent to a regular linux user.
+## </summary>
+## <desc>
+## <p>
+## The template for creating a unprivileged user roughly
+## equivalent to a regular linux user.
+## </p>
+## <p>
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`userdom_unpriv_user_template', `
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ # Inherit rules for ordinary users.
+ userdom_restricted_user_template($1)
+ userdom_common_user_template($1)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ # port access is audited even if dac would not have allowed it, so dontaudit it here
+ corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+ # Need the following rule to allow users to run vpnc
+ corenet_tcp_bind_xserver_port($1_t)
+
+ files_exec_usr_files($1_t)
+ # cjp: why?
+ files_read_kernel_symbol_table($1_t)
+
+ ifndef(`enable_mls',`
+ fs_exec_noxattr($1_t)
+
+ tunable_policy(`user_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_t)
+ fs_manage_noxattr_fs_dirs($1_t)
+ # Write floppies
+ storage_raw_read_removable_device($1_t)
+ storage_raw_write_removable_device($1_t)
+ ',`
+ storage_raw_read_removable_device($1_t)
+ ')
+ ')
+
+ tunable_policy(`user_dmesg',`
+ kernel_read_ring_buffer($1_t)
+ ',`
+ kernel_dontaudit_read_ring_buffer($1_t)
+ ')
+
+ # Allow users to run TCP servers (bind to ports and accept connection from
+ # the same domain and outside users) disabling this forces FTP passive mode
+ # and may change other protocols
+ tunable_policy(`user_tcp_server',`
+ corenet_tcp_bind_generic_node($1_t)
+ corenet_tcp_bind_generic_port($1_t)
+ ')
+
+ optional_policy(`
+ netutils_run_ping_cond($1_t, $1_r)
+ netutils_run_traceroute_cond($1_t, $1_r)
+ ')
+
+ # Run pppd in pppd_t by default for user
+ optional_policy(`
+ ppp_run_cond($1_t, $1_r)
+ ')
+
+ optional_policy(`
+ setroubleshoot_stream_connect($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The template for creating an administrative user.
+## </summary>
+## <desc>
+## <p>
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+## </p>
+## <p>
+## The privileges given to administrative users are:
+## <ul>
+## <li>Raw disk access</li>
+## <li>Set all sysctls</li>
+## <li>All kernel ring buffer controls</li>
+## <li>Create, read, write, and delete all files but shadow</li>
+## <li>Manage source and binary format SELinux policy</li>
+## <li>Run insmod</li>
+## </ul>
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., sysadm
+## is the prefix for sysadm_t).
+## </summary>
+## </param>
+#
+template(`userdom_admin_user_template',`
+ gen_require(`
+ attribute admindomain;
+ class passwd { passwd chfn chsh rootok };
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ # Inherit rules for ordinary users.
+ userdom_login_user_template($1)
+ userdom_common_user_template($1)
+
+ domain_obj_id_change_exemption($1_t)
+ role system_r types $1_t;
+
+ typeattribute $1_t admindomain;
+
+ ifdef(`direct_sysadm_daemon',`
+ domain_system_change_exemption($1_t)
+ ')
+
+ ##############################
+ #
+ # $1_t local policy
+ #
+
+ allow $1_t self:capability ~{ sys_module audit_control audit_write };
+ allow $1_t self:process { setexec setfscreate };
+ allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+ allow $1_t self:tun_socket create;
+ # Set password information for other users.
+ allow $1_t self:passwd { passwd chfn chsh };
+ # Skip authentication when pam_rootok is specified.
+ allow $1_t self:passwd rootok;
+
+ kernel_read_software_raid_state($1_t)
+ kernel_getattr_core_if($1_t)
+ kernel_getattr_message_if($1_t)
+ kernel_change_ring_buffer_level($1_t)
+ kernel_clear_ring_buffer($1_t)
+ kernel_read_ring_buffer($1_t)
+ kernel_get_sysvipc_info($1_t)
+ kernel_rw_all_sysctls($1_t)
+ # signal unlabeled processes:
+ kernel_kill_unlabeled($1_t)
+ kernel_signal_unlabeled($1_t)
+ kernel_sigstop_unlabeled($1_t)
+ kernel_signull_unlabeled($1_t)
+ kernel_sigchld_unlabeled($1_t)
+
+ corenet_tcp_bind_generic_port($1_t)
+ # allow setting up tunnels
+ corenet_rw_tun_tap_dev($1_t)
+
+ dev_getattr_generic_blk_files($1_t)
+ dev_getattr_generic_chr_files($1_t)
+ # for lsof
+ dev_getattr_mtrr_dev($1_t)
+ # Allow MAKEDEV to work
+ dev_create_all_blk_files($1_t)
+ dev_create_all_chr_files($1_t)
+ dev_delete_all_blk_files($1_t)
+ dev_delete_all_chr_files($1_t)
+ dev_rename_all_blk_files($1_t)
+ dev_rename_all_chr_files($1_t)
+ dev_create_generic_symlinks($1_t)
+
+ domain_setpriority_all_domains($1_t)
+ domain_read_all_domains_state($1_t)
+ domain_getattr_all_domains($1_t)
+ domain_dontaudit_ptrace_all_domains($1_t)
+ # signal all domains:
+ domain_kill_all_domains($1_t)
+ domain_signal_all_domains($1_t)
+ domain_signull_all_domains($1_t)
+ domain_sigstop_all_domains($1_t)
+ domain_sigstop_all_domains($1_t)
+ domain_sigchld_all_domains($1_t)
+ # for lsof
+ domain_getattr_all_sockets($1_t)
+
+ files_exec_usr_src_files($1_t)
+
+ fs_getattr_all_fs($1_t)
+ fs_set_all_quotas($1_t)
+ fs_exec_noxattr($1_t)
+
+ storage_raw_read_removable_device($1_t)
+ storage_raw_write_removable_device($1_t)
+
+ term_use_all_terms($1_t)
+
+ auth_getattr_shadow($1_t)
+ # Manage almost all files
+ auth_manage_all_files_except_auth_files($1_t)
+ # Relabel almost all files
+ auth_relabel_all_files_except_auth_files($1_t)
+
+ init_telinit($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ modutils_domtrans_insmod($1_t)
+
+ # The following rule is temporary until such time that a complete
+ # policy management infrastructure is in place so that an administrator
+ # cannot directly manipulate policy files with arbitrary programs.
+ seutil_manage_src_policy($1_t)
+ # Violates the goal of limiting write access to checkpolicy.
+ # But presently necessary for installing the file_contexts file.
+ seutil_manage_bin_policy($1_t)
+
+ userdom_manage_user_home_content_dirs($1_t)
+ userdom_manage_user_home_content_files($1_t)
+ userdom_manage_user_home_content_symlinks($1_t)
+ userdom_manage_user_home_content_pipes($1_t)
+ userdom_manage_user_home_content_sockets($1_t)
+ userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
+
+ tunable_policy(`user_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_t)
+ fs_manage_noxattr_fs_dirs($1_t)
+ ',`
+ fs_read_noxattr_fs_files($1_t)
+ ')
+
+ optional_policy(`
+ postgresql_unconfined($1_t)
+ ')
+
+ optional_policy(`
+ userhelper_exec($1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Allow user to run as a secadm
+## </summary>
+## <desc>
+## <p>
+## Create objects in a user home directory
+## with an automatic type transition to
+## a specified private type.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role of the object to create.
+## </summary>
+## </param>
+#
+template(`userdom_security_admin_template',`
+ allow $1 self:capability { dac_read_search dac_override };
+
+ corecmd_exec_shell($1)
+
+ domain_obj_id_change_exemption($1)
+
+ dev_relabel_all_dev_nodes($1)
+
+ files_create_boot_flag($1)
+
+ # Necessary for managing /boot/efi
+ fs_manage_dos_files($1)
+
+ mls_process_read_up($1)
+ mls_file_read_all_levels($1)
+ mls_file_upgrade($1)
+ mls_file_downgrade($1)
+
+ selinux_set_enforce_mode($1)
+ selinux_set_all_booleans($1)
+ selinux_set_parameters($1)
+
+ auth_relabel_all_files_except_auth_files($1)
+ auth_relabel_shadow($1)
+
+ init_exec($1)
+
+ logging_send_syslog_msg($1)
+ logging_read_audit_log($1)
+ logging_read_generic_logs($1)
+ logging_read_audit_config($1)
+
+ seutil_manage_bin_policy($1)
+ seutil_run_checkpolicy($1, $2)
+ seutil_run_loadpolicy($1, $2)
+ seutil_run_semanage($1, $2)
+ seutil_run_setfiles($1, $2)
+
+ optional_policy(`
+ aide_run($1, $2)
+ ')
+
+ optional_policy(`
+ consoletype_exec($1)
+ ')
+
+ optional_policy(`
+ dmesg_exec($1)
+ ')
+
+ optional_policy(`
+ ipsec_run_setkey($1, $2)
+ ')
+
+ optional_policy(`
+ netlabel_run_mgmt($1, $2)
+ ')
+
+ optional_policy(`
+ samhain_run($1, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified type usable as
+## a user application domain type.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a user application domain.
+## </summary>
+## </param>
+#
+interface(`userdom_user_application_type',`
+ application_type($1)
+ ubac_constrained($1)
+')
+
+########################################
+## <summary>
+## Make the specified type usable as
+## a user application domain.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a user application domain.
+## </summary>
+## </param>
+## <param name="type">
+## <summary>
+## Type to be used as the domain entry point.
+## </summary>
+## </param>
+#
+interface(`userdom_user_application_domain',`
+ application_domain($1, $2)
+ ubac_constrained($1)
+')
+
+########################################
+## <summary>
+## Make the specified type usable in a
+## user home directory.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a file in the
+## user home directory.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_content',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:filesystem associate;
+ files_type($1)
+ files_poly_member($1)
+ ubac_constrained($1)
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a
+## user temporary file.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a file in the
+## temporary directories.
+## </summary>
+## </param>
+#
+interface(`userdom_user_tmp_file',`
+ files_tmp_file($1)
+ ubac_constrained($1)
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a
+## user tmpfs file.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a file in
+## tmpfs directories.
+## </summary>
+## </param>
+#
+interface(`userdom_user_tmpfs_file',`
+ files_tmpfs_file($1)
+ ubac_constrained($1)
+')
+
+########################################
+## <summary>
+## Allow domain to attach to TUN devices created by administrative users.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_attach_admin_tun_iface',`
+ gen_require(`
+ attribute admindomain;
+ ')
+
+ allow $1 admindomain:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
+## Set the attributes of a user pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_setattr_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Create a user pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_create_user_pty',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ term_create_pty($1, user_devpts_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_getattr_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ allow $1 user_home_dir_t:dir getattr_dir_perms;
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_getattr_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
+')
+
+########################################
+## <summary>
+## Search user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search user home directories.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to search user home directories.
+## This will supress SELinux denial messages when the specified
+## domain is denied the permission to search these directories.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`userdom_dontaudit_search_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ dontaudit $1 user_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_list_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ allow $1 user_home_dir_t:dir list_dir_perms;
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list user home subdirectories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_list_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_create_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ allow $1 user_home_dir_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Create user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ allow $1 user_home_dir_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Relabel to user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabelto_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ allow $1 user_home_dir_t:dir relabelto;
+')
+
+########################################
+## <summary>
+## Create directories in the home dir root with
+## the user home directory type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_home_filetrans_user_home_dir',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ files_home_filetrans($1, user_home_dir_t, dir)
+')
+
+########################################
+## <summary>
+## Do a domain transition to the specified
+## domain when executing a program in the
+## user home directory.
+## </summary>
+## <desc>
+## <p>
+## Do a domain transition to the specified
+## domain when executing a program in the
+## user home directory.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_domtrans',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ domain_auto_trans($1, user_home_t, $2)
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search user home content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_user_home_content',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List contents of users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_list_user_home_content',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete directories
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_home_content_dirs',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Delete directories in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_home_content_dirs',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:dir delete_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the
+## attributes of user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:file setattr_file_perms;
+')
+
+########################################
+## <summary>
+## Mmap user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_mmap_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Read user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:dir list_dir_perms;
+ dontaudit $1 user_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_append_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Delete files in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_relabel_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Read user home subdirectory symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_user_home_content_symlinks',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Execute user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_exec_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ files_search_home($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_exec_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ manage_files_pattern($1, user_home_t, user_home_t)
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read, write, and delete directories
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_manage_user_home_content_dirs',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic links
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_home_content_symlinks',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ manage_lnk_files_pattern($1, user_home_t, user_home_t)
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Delete symbolic links in a user home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_home_content_symlinks',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete named pipes
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_home_content_pipes',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ manage_fifo_files_pattern($1, user_home_t, user_home_t)
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete named sockets
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_home_content_sockets',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ manage_sock_files_pattern($1, user_home_t, user_home_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Create objects in a user home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, $2, $3)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Create objects in a user home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_content_filetrans',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ filetrans_pattern($1, user_home_t, $2, $3)
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Create objects in a user home directory
+## with an automatic type transition to
+## the user home file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_home_content',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, user_home_t, $2)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Write to user temporary named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_user_tmp_sockets',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:sock_file write_sock_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## List user temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_list_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:dir list_dir_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list user
+## temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_list_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to manage users
+## temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Read user temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ read_files_pattern($1, user_tmp_t, user_tmp_t)
+ allow $1 user_tmp_t:dir list_dir_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read users
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append users
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_append_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write user temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_rw_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:dir list_dir_perms;
+ rw_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to manage users
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_manage_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read user temporary symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_user_tmp_symlinks',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+ allow $1 user_tmp_t:dir list_dir_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_dirs',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## temporary symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_symlinks',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## temporary named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## temporary named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_sockets',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create objects in a user temporary directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_tmp_filetrans',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ filetrans_pattern($1, user_tmp_t, $2, $3)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create objects in the temporary directory
+## with an automatic type transition to
+## the user temporary type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`userdom_tmp_filetrans_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ files_tmp_filetrans($1, user_tmp_t, $2)
+')
+
+########################################
+## <summary>
+## Read user tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ allow $1 user_tmpfs_t:dir list_dir_perms;
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Read user tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_rw_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ allow $1 user_tmpfs_t:dir list_dir_perms;
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ allow $1 user_tmpfs_t:dir list_dir_perms;
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Get the attributes of a user domain tty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_getattr_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of a user domain tty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_getattr_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Set the attributes of a user domain tty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_setattr_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the attributes of a user domain tty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_setattr_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write a user domain tty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_use_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Read and write a user domain pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_use_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ allow $1 user_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Read and write a user TTYs and PTYs.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read and write user
+## TTYs and PTYs. This will allow the domain to
+## interact with the user via the terminal. Typically
+## all interactive applications will require this
+## access.
+## </p>
+## <p>
+## However, this also allows the applications to spy
+## on user sessions or inject information into the
+## user session. Thus, this access should likely
+## not be allowed for non-interactive domains.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`userdom_use_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file rw_term_perms;
+ allow $1 user_devpts_t:chr_file rw_term_perms;
+ term_list_ptys($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## a user domain tty and pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_use_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+ dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
+ dontaudit $1 user_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Execute a shell in all user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`userdom_spec_domtrans_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ corecmd_shell_spec_domtrans($1, userdomain)
+ allow userdomain $1:fd use;
+ allow userdomain $1:fifo_file rw_file_perms;
+ allow userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute an Xserver session in all unprivileged user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`userdom_xsession_spec_domtrans_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ xserver_xsession_spec_domtrans($1, userdomain)
+ allow userdomain $1:fd use;
+ allow userdomain $1:fifo_file rw_file_perms;
+ allow userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute a shell in all unprivileged user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`userdom_spec_domtrans_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ corecmd_shell_spec_domtrans($1, unpriv_userdomain)
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute an Xserver session in all unprivileged user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ xserver_xsession_spec_domtrans($1, unpriv_userdomain)
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
+')
+
+#######################################
+## <summary>
+## Read and write unpriviledged user SysV sempaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_rw_unpriv_user_semaphores',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Manage unpriviledged user SysV sempaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_unpriv_user_semaphores',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:sem create_sem_perms;
+')
+
+#######################################
+## <summary>
+## Read and write unpriviledged user SysV shared
+## memory segments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_rw_unpriv_user_shared_mem',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Manage unpriviledged user SysV shared
+## memory segments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_unpriv_user_shared_mem',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:shm create_shm_perms;
+')
+
+########################################
+## <summary>
+## Execute bin_t in the unprivileged user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`userdom_bin_spec_domtrans_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ corecmd_bin_spec_domtrans($1, unpriv_userdomain)
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute all entrypoint files in unprivileged user
+## domains. This is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_entry_spec_domtrans_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ domain_entry_file_spec_domtrans($1, unpriv_userdomain)
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Search users home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_user_home_content',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ files_list_home($1)
+ allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Send signull to unprivileged user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_signull_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:process signull;
+')
+
+########################################
+## <summary>
+## Send general signals to unprivileged user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_signal_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:process signal;
+')
+
+########################################
+## <summary>
+## Inherit the file descriptors from unprivileged user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_use_unpriv_users_fds',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit the file descriptors
+## from unprivileged user domains.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to inherit the file descriptors
+## from unprivileged user domains. This will supress
+## SELinux denial messages when the specified domain is denied
+## the permission to inherit these file descriptors.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`userdom_dontaudit_use_unpriv_user_fds',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ dontaudit $1 unpriv_userdomain:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use user ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_use_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ dontaudit $1 user_devpts_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel files to unprivileged user pty types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabelto_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ allow $1 user_devpts_t:chr_file relabelto;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to relabel files from
+## user pty types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_relabelfrom_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ dontaudit $1 user_devpts_t:chr_file relabelfrom;
+')
+
+########################################
+## <summary>
+## Write all users files in /tmp
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use user ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_use_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read the process state of all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_all_users_state',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ read_files_pattern($1, userdomain, userdomain)
+ kernel_search_proc($1)
+')
+
+########################################
+## <summary>
+## Get the attributes of all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_getattr_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process getattr;
+')
+
+########################################
+## <summary>
+## Inherit the file descriptors from all user domains
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_use_all_users_fds',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit the file
+## descriptors from any user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_use_all_users_fds',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ dontaudit $1 userdomain:fd use;
+')
+
+########################################
+## <summary>
+## Send general signals to all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_signal_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process signal;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_sigchld_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process sigchld;
+')
+
+########################################
+## <summary>
+## Create keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_create_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key create;
+')
+
+########################################
+## <summary>
+## Send a dbus message to all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dbus_send_all_users',`
+ gen_require(`
+ attribute userdomain;
+ class dbus send_msg;
+ ')
+
+ allow $1 userdomain:dbus send_msg;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
new file mode 100644
index 00000000..f8581446
--- /dev/null
+++ b/policy/modules/system/userdomain.te
@@ -0,0 +1,96 @@
+policy_module(userdomain, 4.7.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow users to connect to mysql
+## </p>
+## </desc>
+gen_tunable(allow_user_mysql_connect, false)
+
+## <desc>
+## <p>
+## Allow users to connect to PostgreSQL
+## </p>
+## </desc>
+gen_tunable(allow_user_postgresql_connect, false)
+
+## <desc>
+## <p>
+## Allow regular users direct mouse access
+## </p>
+## </desc>
+gen_tunable(user_direct_mouse, false)
+
+## <desc>
+## <p>
+## Allow users to read system messages.
+## </p>
+## </desc>
+gen_tunable(user_dmesg, false)
+
+## <desc>
+## <p>
+## Allow user to r/w files on filesystems
+## that do not have extended attributes (FAT, CDROM, FLOPPY)
+## </p>
+## </desc>
+gen_tunable(user_rw_noexattrfile, false)
+
+## <desc>
+## <p>
+## Allow w to display everyone
+## </p>
+## </desc>
+gen_tunable(user_ttyfile_stat, false)
+
+attribute admindomain;
+
+# all user domains
+attribute userdomain;
+
+# unprivileged user domains
+attribute unpriv_userdomain;
+
+attribute untrusted_content_type;
+attribute untrusted_content_tmp_type;
+
+type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
+fs_associate_tmpfs(user_home_dir_t)
+files_type(user_home_dir_t)
+files_mountpoint(user_home_dir_t)
+files_associate_tmp(user_home_dir_t)
+files_poly(user_home_dir_t)
+files_poly_member(user_home_dir_t)
+files_poly_parent(user_home_dir_t)
+ubac_constrained(user_home_dir_t)
+
+type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
+typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
+userdom_user_home_content(user_home_t)
+fs_associate_tmpfs(user_home_t)
+files_associate_tmp(user_home_t)
+files_poly_parent(user_home_t)
+files_mountpoint(user_home_t)
+
+type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
+dev_node(user_devpts_t)
+files_type(user_devpts_t)
+ubac_constrained(user_devpts_t)
+
+type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
+typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
+files_tmp_file(user_tmp_t)
+userdom_user_home_content(user_tmp_t)
+
+type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+files_tmpfs_file(user_tmpfs_t)
+userdom_user_home_content(user_tmpfs_t)
+
+type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
+dev_node(user_tty_device_t)
+ubac_constrained(user_tty_device_t)
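Review bot: The declarations `attribute admindomain;`, `attribute untrusted_content_type;` and `attribute untrusted_content_tmp_type;` carry no comment, while `userdomain` and `unpriv_userdomain` in the same block are each explained; a one-line purpose comment on each of the three would keep the declaration block consistent and tell a reader which domains are expected to join them. The description for `user_ttyfile_stat` (`Allow w to display everyone`) is terse to the point of being unclear once it lands in the generated tunable documentation; presumably it means letting the `w` utility stat other users' tty devices, so something like `## Allow the w utility to list all logged-in users (stat other users' ttys)` would read better, to be confirmed against the rule that consumes the tunable, which is outside this hunk. The `allow_user_mysql_connect` and `allow_user_postgresql_connect` descriptions could likewise say what object is reached (the database's socket), since that is what a policy administrator weighs before enabling them.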
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
new file mode 100644
index 00000000..db3cbca4
--- /dev/null
+++ b/policy/policy_capabilities
@@ -0,0 +1,33 @@
+#
+# This file contains the policy capabilites
+# that are enabled in this policy, not a
+# declaration of DAC capabilites such as
+# dac_override.
+#
+# The affected object classes and their
+# permissions should also be listed in
+# the comments for each capability.
+#
+
+# Enable additional networking access control for
+# labeled networking peers.
+#
+# Checks enabled:
+# node: sendto recvfrom
+# netif: ingress egress
+# peer: recv
+#
+policycap network_peer_controls;
+
+# Enable additional access controls for opening
+# a file (and similar objects).
+#
+# Checks enabled:
+# dir: open
+# file: open
+# fifo_file: open
+# sock_file: open
+# chr_file: open
+# blk_file: open
+#
+policycap open_perms;
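Review bot: The header comment misspells "capabilities" twice (`# This file contains the policy capabilites` and `# declaration of DAC capabilites such as`); since this comment is the only place that explains the difference between a policycap and a Linux capability, it is worth correcting to `# This file contains the policy capabilities` and `# declaration of DAC capabilities such as`. The per-capability blocks do follow the file's own rule of listing the affected classes and permissions, which makes the intent of `network_peer_controls` and `open_perms` easy to audit.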
diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
new file mode 100644
index 00000000..8b785c9a
--- /dev/null
+++ b/policy/support/file_patterns.spt
@@ -0,0 +1,556 @@
+#
+# Directory patterns (dir)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. directory type
+#
+define(`getattr_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir getattr_dir_perms;
+')
+
+define(`setattr_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir setattr_dir_perms;
+')
+
+define(`search_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir search_dir_perms;
+')
+
+define(`list_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir list_dir_perms;
+')
+
+define(`add_entry_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir add_entry_dir_perms;
+')
+
+define(`del_entry_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir del_entry_dir_perms;
+')
+
+define(`rw_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir { add_entry_dir_perms del_entry_dir_perms };
+')
+
+define(`create_dirs_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:dir create_dir_perms;
+')
+
+define(`delete_dirs_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:dir delete_dir_perms;
+')
+
+define(`rename_dirs_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:dir rename_dir_perms;
+')
+
+define(`manage_dirs_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:dir manage_dir_perms;
+')
+
+define(`relabelfrom_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir relabelfrom_dir_perms;
+')
+
+define(`relabelto_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir relabelto_dir_perms;
+')
+
+define(`relabel_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir relabel_dir_perms;
+')
+
+#
+# Regular file patterns (file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file getattr_file_perms;
+')
+
+define(`setattr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file setattr_file_perms;
+')
+
+define(`read_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file read_file_perms;
+')
+
+define(`mmap_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file mmap_file_perms;
+')
+
+define(`exec_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file exec_file_perms;
+')
+
+define(`append_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file append_file_perms;
+')
+
+define(`write_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file write_file_perms;
+')
+
+define(`rw_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file rw_file_perms;
+')
+
+define(`create_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:file create_file_perms;
+')
+
+define(`delete_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:file delete_file_perms;
+')
+
+define(`rename_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:file rename_file_perms;
+')
+
+define(`manage_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:file manage_file_perms;
+')
+
+define(`relabelfrom_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file relabelfrom_file_perms;
+')
+
+define(`relabelto_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file relabelto_file_perms;
+')
+
+define(`relabel_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file relabel_file_perms;
+')
+
+#
+# Symbolic link patterns (lnk_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file getattr_lnk_file_perms;
+')
+
+define(`setattr_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file setattr_lnk_file_perms;
+')
+
+define(`read_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file read_lnk_file_perms;
+')
+
+define(`append_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file append_lnk_file_perms;
+')
+
+define(`write_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file write_lnk_file_perms;
+')
+
+define(`rw_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file rw_lnk_file_perms;
+')
+
+define(`create_lnk_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:lnk_file create_lnk_file_perms;
+')
+
+define(`delete_lnk_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:lnk_file delete_lnk_file_perms;
+')
+
+define(`rename_lnk_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:lnk_file rename_lnk_file_perms;
+')
+
+define(`manage_lnk_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:lnk_file manage_lnk_file_perms;
+')
+
+define(`relabelfrom_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file relabelfrom_lnk_file_perms;
+')
+
+define(`relabelto_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file relabelto_lnk_file_perms;
+')
+
+define(`relabel_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file relabel_lnk_file_perms;
+')
+
+#
+# (Un)named Pipes/FIFO patterns (fifo_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file getattr_fifo_file_perms;
+')
+
+define(`setattr_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file setattr_fifo_file_perms;
+')
+
+define(`read_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file read_fifo_file_perms;
+')
+
+define(`append_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file append_fifo_file_perms;
+')
+
+define(`write_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file write_fifo_file_perms;
+')
+
+define(`rw_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file rw_fifo_file_perms;
+')
+
+define(`create_fifo_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:fifo_file create_fifo_file_perms;
+')
+
+define(`delete_fifo_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:fifo_file delete_fifo_file_perms;
+')
+
+define(`rename_fifo_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:fifo_file rename_fifo_file_perms;
+')
+
+define(`manage_fifo_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:fifo_file manage_fifo_file_perms;
+')
+
+define(`relabelfrom_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file relabelfrom_fifo_file_perms;
+')
+
+define(`relabelto_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file relabelto_fifo_file_perms;
+')
+
+define(`relabel_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file relabel_fifo_file_perms;
+')
+
+#
+# (Un)named sockets patterns (sock_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file getattr_sock_file_perms;
+')
+
+define(`setattr_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file setattr_sock_file_perms;
+')
+
+define(`read_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file read_sock_file_perms;
+')
+
+define(`write_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file write_sock_file_perms;
+')
+
+define(`rw_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file rw_sock_file_perms;
+')
+
+define(`create_sock_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:sock_file create_sock_file_perms;
+')
+
+define(`delete_sock_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:sock_file delete_sock_file_perms;
+')
+
+define(`rename_sock_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:sock_file rename_sock_file_perms;
+')
+
+define(`manage_sock_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:sock_file manage_sock_file_perms;
+')
+
+define(`relabelfrom_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file relabelfrom_sock_file_perms;
+')
+
+define(`relabelto_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file relabelto_sock_file_perms;
+')
+
+define(`relabel_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file relabel_sock_file_perms;
+')
+
+#
+# Block device node patterns (blk_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file getattr_blk_file_perms;
+')
+
+define(`setattr_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file setattr_blk_file_perms;
+')
+
+define(`read_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file read_blk_file_perms;
+')
+
+define(`append_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file append_blk_file_perms;
+')
+
+define(`write_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file write_blk_file_perms;
+')
+
+define(`rw_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file rw_blk_file_perms;
+')
+
+define(`create_blk_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:blk_file create_blk_file_perms;
+')
+
+define(`delete_blk_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:blk_file delete_blk_file_perms;
+')
+
+define(`rename_blk_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:blk_file rename_blk_file_perms;
+')
+
+define(`manage_blk_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:blk_file manage_blk_file_perms;
+')
+
+define(`relabelfrom_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file relabelfrom_blk_file_perms;
+')
+
+define(`relabelto_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file relabelto_blk_file_perms;
+')
+
+define(`relabel_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file relabel_blk_file_perms;
+')
+
+#
+# Character device node patterns (chr_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file getattr_chr_file_perms;
+')
+
+define(`setattr_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file setattr_chr_file_perms;
+')
+
+define(`read_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file read_chr_file_perms;
+')
+
+define(`append_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file append_chr_file_perms;
+')
+
+define(`write_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file write_chr_file_perms;
+')
+
+define(`rw_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file rw_chr_file_perms;
+')
+
+define(`create_chr_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:chr_file create_chr_file_perms;
+')
+
+define(`delete_chr_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:chr_file delete_chr_file_perms;
+')
+
+define(`rename_chr_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:chr_file rename_chr_file_perms;
+')
+
+define(`manage_chr_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:chr_file manage_chr_file_perms;
+')
+
+define(`relabelfrom_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file relabelfrom_chr_file_perms;
+')
+
+define(`relabelto_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file relabelto_chr_file_perms;
+')
+
+define(`relabel_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file relabel_chr_file_perms;
+')
+
+#
+# File type_transition patterns
+#
+# filetrans_add_pattern(domain,dirtype,newtype,class(es),[filename])
+#
+define(`filetrans_add_pattern',`
+ allow $1 $2:dir { list_dir_perms add_entry_dir_perms };
+ type_transition $1 $2:$4 $3 $5;
+')
+
+#
+# filetrans_pattern(domain,dirtype,newtype,class(es),[filename])
+#
+define(`filetrans_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ type_transition $1 $2:$4 $3 $5;
+')
+
+define(`admin_pattern',`
+ manage_dirs_pattern($1,$2,$2)
+ manage_files_pattern($1,$2,$2)
+ manage_lnk_files_pattern($1,$2,$2)
+ manage_fifo_files_pattern($1,$2,$2)
+ manage_sock_files_pattern($1,$2,$2)
+
+ relabel_dirs_pattern($1,$2,$2)
+ relabel_files_pattern($1,$2,$2)
+ relabel_lnk_files_pattern($1,$2,$2)
+ relabel_fifo_files_pattern($1,$2,$2)
+ relabel_sock_files_pattern($1,$2,$2)
+')
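Review bot: `create_blk_files_pattern`, `manage_blk_files_pattern`, `create_chr_files_pattern` and `manage_chr_files_pattern` each grant `allow $1 self:capability mknod;` alongside the file rules, so every caller of a device-node manage pattern receives CAP_MKNOD even if it only needs to handle nodes that already exist; that is a noticeably wider grant than the other `manage_*_pattern` macros make and deserves a comment at each of those four definitions, e.g. `# creating a device node requires CAP_MKNOD; callers that only use existing nodes should prefer the rw/setattr patterns`. `admin_pattern` at the end of the file has no header comment, unlike every other group, and it leaves out the blk/chr manage patterns (and with them the mknod grant); I am inferring that omission is deliberate, in which case a comment such as `# admin_pattern(domain,type): manage and relabel all non-device objects of the given type` would make the intent explicit. The section headers for lnk_file, fifo_file, sock_file, blk_file and chr_file all read `# 3. file type` where the dir and file sections are specific; `# 3. lnk_file type` and so on would match the class used on each macro's second allow line.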
diff --git a/policy/support/ipc_patterns.spt b/policy/support/ipc_patterns.spt
new file mode 100644
index 00000000..310f9ef8
--- /dev/null
+++ b/policy/support/ipc_patterns.spt
@@ -0,0 +1,14 @@
+#
+# unix domain socket patterns
+#
+define(`stream_connect_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file write_sock_file_perms;
+ allow $1 $4:unix_stream_socket connectto;
+')
+
+define(`dgram_send_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file write_sock_file_perms;
+ allow $1 $4:unix_dgram_socket sendto;
+')
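Review bot: `stream_connect_pattern` and `dgram_send_pattern` take four positional parameters but, unlike file_patterns.spt in this same commit, the file has no parameter comment, and the fourth argument (the peer domain that owns the socket for `connectto`/`sendto`) is the one a caller is most likely to confuse with the sock_file type. Suggest adding, above the first macro, `# Parameters: 1. domain type, 2. container (directory) type, 3. sock_file type, 4. domain of the socket's owner` so the two macros read the same way as the file patterns.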
diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt
new file mode 100644
index 00000000..03906bc4
--- /dev/null
+++ b/policy/support/loadable_module.spt
@@ -0,0 +1,146 @@
+########################################
+#
+# Macros for switching between source policy
+# and loadable policy module support
+#
+
+##############################
+#
+# For adding the module statement
+#
+define(`policy_module',`
+ ifndef(`self_contained_policy',`
+ module $1 $2;
+
+ require {
+ role system_r;
+ all_kernel_class_perms
+
+ ifdef(`enable_mcs',`
+ decl_sens(0,0)
+ decl_cats(0,decr(mcs_num_cats))
+ ')
+
+ ifdef(`enable_mls',`
+ decl_sens(0,decr(mls_num_sens))
+ decl_cats(0,decr(mls_num_cats))
+ ')
+ }
+ ')
+')
+
+##############################
+#
+# For use in interfaces, to optionally insert a require block
+#
+define(`gen_require',`
+ ifdef(`self_contained_policy',`
+ ifdef(`__in_optional_policy',`
+ require {
+ $1
+ } # end require
+ ')
+ ',`
+ require {
+ $1
+ } # end require
+ ')
+')
+
+# helper function, since m4 wont expand macros
+# if a line is a comment (#):
+define(`policy_m4_comment',`
+##### $2 depth: $1
+')dnl
+
+##############################
+#
+# In the future interfaces should be in loadable modules
+#
+# template(name,rules)
+#
+define(`template',` dnl
+ ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__line__)') dnl
+ `define(`$1',` dnl
+ pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
+ policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
+ $2 dnl
+ popdef(`policy_call_depth') dnl
+ policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
+ '')
+')
+
+##############################
+#
+# In the future interfaces should be in loadable modules
+#
+# interface(name,rules)
+#
+define(`interface',` dnl
+ ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__line__)') dnl
+ `define(`$1',` dnl
+ pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
+ policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
+ $2
+ popdef(`policy_call_depth') dnl
+ policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
+ '')
+')
+
+define(`policy_call_depth',0)
+
+##############################
+#
+# Optional policy handling
+#
+define(`optional_policy',`
+ optional {`'pushdef(`__in_optional_policy')
+ $1
+ ifelse(`$2',`',`',`} else {
+ $2
+ ')}`'popdef(`__in_optional_policy')`'ifndef(`__in_optional_policy',` # end optional')
+')
+
+##############################
+#
+# Determine if we should use the default
+# tunable value as specified by the policy
+# or if the override value should be used
+#
+define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
+
+##############################
+#
+# Extract booleans out of an expression.
+# This needs to be reworked so expressions
+# with parentheses can work.
+
+define(`declare_required_symbols',`
+ifelse(regexp($1, `\w'), -1, `', `dnl
+bool regexp($1, `\(\w+\)', `\1');
+declare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl
+') dnl
+')
+
+##############################
+#
+# Tunable declaration
+#
+define(`gen_tunable',`
+ bool $1 dflt_or_overr(`$1'_conf,$2);
+')
+
+##############################
+#
+# Tunable policy handling
+#
+define(`tunable_policy',`
+ gen_require(`
+ declare_required_symbols(`$1')
+ ')
+ if (`$1') {
+ $2
+ ifelse(`$3',`',`',`} else {
+ $3
+ ')}
+')
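Review bot: `template` and `interface` are otherwise identical, but the body line differs — `$2 dnl` in the template definition versus a bare `$2` in interface — so the newline after an expanded template body is swallowed while an interface body keeps it; if that asymmetry is intentional, a one-line comment on the template line saying why would stop the next maintainer from "fixing" it. The helper comment above `policy_m4_comment` reads `# helper function, since m4 wont expand macros` and should be `# helper function, since m4 won't expand macros`. The `declare_required_symbols` header already states that parenthesised expressions are unsupported, but `tunable_policy` is where callers pass the expression in as `$1`; restating the restriction in that macro's header comment would put the warning where it is read.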
diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt
new file mode 100644
index 00000000..4ca5688c
--- /dev/null
+++ b/policy/support/misc_macros.spt
@@ -0,0 +1,78 @@
+
+########################################
+#
+# Helper macros
+#
+
+#
+# shiftn(num,list...)
+#
+# shift the list num times
+#
+define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+
+#
+# ifndef(expr,true_block,false_block)
+#
+# m4 does not have this.
+#
+define(`ifndef',`ifdef(`$1',`$3',`$2')')
+
+#
+# __endline__
+#
+# dummy macro to insert a newline. used for
+# errprint, so the close parentheses can be
+# indented correctly.
+#
+define(`__endline__',`
+')
+
+########################################
+#
+# refpolwarn(message)
+#
+# print a warning message
+#
+define(`refpolicywarn',`errprint(__file__:__line__: Warning: `$1'__endline__)')
+
+########################################
+#
+# refpolerr(message)
+#
+# print an error message. does not
+# make anything fail.
+#
+define(`refpolicyerr',`errprint(__file__:__line__: Error: `$1'__endline__)')
+
+########################################
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+#
+define(`gen_user',`dnl
+ifdef(`users_extra',`dnl
+ifelse(`$2',,,`user $1 prefix $2;')
+',`dnl
+user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
+')dnl
+')
+
+########################################
+#
+# gen_context(context,mls_sensitivity,[mcs_categories])
+#
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl
+
+########################################
+#
+# can_exec(domain,executable)
+#
+define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
+
+########################################
+#
+# gen_bool(name,default_value)
+#
+define(`gen_bool',`
+ bool $1 dflt_or_overr(`$1'_conf,$2);
+')
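Review bot: The header comments name the macros `refpolwarn(message)` and `refpolerr(message)` but the definitions are `refpolicywarn` and `refpolicyerr` (and loadable_module.spt in this commit calls `refpolicyerr`), so the comments should read `# refpolicywarn(message)` and `# refpolicyerr(message)`. `gen_bool` at the bottom has byte-for-byte the same body as `gen_tunable` in loadable_module.spt; if the two are meant to stay in lockstep, one could be defined in terms of the other, otherwise a comment should say they are intentionally separate. `can_exec` grants `execute_no_trans`, meaning the domain runs the file in its own context with no domain transition; a comment naming that consequence, e.g. `# run $2 in the caller's own domain (no domain transition)`, helps whoever reviews the callers.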
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
new file mode 100644
index 00000000..e79d5450
--- /dev/null
+++ b/policy/support/misc_patterns.spt
@@ -0,0 +1,58 @@
+#
+# Specified domain transition patterns
+#
+define(`domain_transition_pattern',`
+ allow $1 $2:file { getattr open read execute };
+ allow $1 $3:process transition;
+ dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+')
+
+# compatibility:
+define(`domain_trans',`domain_transition_pattern($*)')
+
+define(`spec_domtrans_pattern',`
+ allow $1 self:process setexec;
+ domain_transition_pattern($1,$2,$3)
+
+ allow $3 $1:fd use;
+ allow $3 $1:fifo_file rw_fifo_file_perms;
+ allow $3 $1:process sigchld;
+')
+
+#
+# Automatic domain transition patterns
+#
+define(`domain_auto_transition_pattern',`
+ domain_transition_pattern($1,$2,$3)
+ type_transition $1 $2:process $3;
+')
+
+# compatibility:
+define(`domain_auto_trans',`domain_auto_transition_pattern($*)')
+
+define(`domtrans_pattern',`
+ domain_auto_transition_pattern($1,$2,$3)
+
+ allow $3 $1:fd use;
+ allow $3 $1:fifo_file rw_fifo_file_perms;
+ allow $3 $1:process sigchld;
+')
+
+#
+# Dynamic transition pattern
+#
+define(`dyntrans_pattern',`
+ allow $1 self:process setcurrent;
+ allow $1 $2:process dyntransition;
+ allow $2 $1:process sigchld;
+')
+
+#
+# Other process permissions
+#
+define(`ps_process_pattern',`
+ allow $1 $2:dir list_dir_perms;
+ allow $1 $2:file read_file_perms;
+ allow $1 $2:lnk_file read_lnk_file_perms;
+ allow $1 $2:process getattr;
+')
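Review bot: The `dontaudit $1 $3:process { noatsecure siginh rlimitinh };` line in `domain_transition_pattern` is the security-relevant part of the macro and carries no comment: denying (but not auditing) those permissions is what makes the new domain start with secure-exec environment cleansing, flushed signal state and reset resource limits, and a reader could easily mistake the line for an audit-only convenience and turn it into an `allow`. Suggest `# denied on purpose: keeps secure-exec env cleansing, signal flush and rlimit reset on transition; dontaudit only silences the log`. The `spec_domtrans_pattern`, `domtrans_pattern` and `dyntrans_pattern` macros have no parameter comments; a `# (source domain, entrypoint file type, target domain)` line on each would mirror the style of file_patterns.spt in this commit.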
diff --git a/policy/support/mls_mcs_macros.spt b/policy/support/mls_mcs_macros.spt
new file mode 100644
index 00000000..7593e20d
--- /dev/null
+++ b/policy/support/mls_mcs_macros.spt
@@ -0,0 +1,57 @@
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
+define(`mcs_systemlow',`s0')
+define(`mcs_systemhigh',`s0:c0.c`'decr(mcs_num_cats)')
+define(`mcs_allcats',`c0.c`'decr(mcs_num_cats)')
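Review bot: The header comments document only `gen_cats(N)`, `gen_sens(N)` and `gen_levels(N,M)`, yet the two- and three-argument helpers `decl_cats`, `decl_sens` and `decl_levels` are called directly with explicit start and end indices from `policy_module` in loadable_module.spt in this same commit, so they are part of the public surface and need their own comment, e.g. `# decl_cats(first,last): declares categories c<first>..c<last> inclusive (recursive)`. The comments also misspell "categories" and "sensitivities" (`# declares categories c0 to c(N-1)`, `# declares sensitivities s0 to s(N-1) with dominance`). `mls_systemhigh`, `mcs_systemhigh` and `mcs_allcats` expand `mls_num_sens`, `mls_num_cats` and `mcs_num_cats` unguarded, so if any of those is undefined the policy text contains a literal `decr(...)` rather than a level; a comment stating where those symbols are expected to be defined would help.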
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
new file mode 100644
index 00000000..6e913172
--- /dev/null
+++ b/policy/support/obj_perm_sets.spt
@@ -0,0 +1,273 @@
+########################################
+#
+# Support macros for sets of object classes and permissions
+#
+# This file should only have object class and permission set macros - they
+# can only reference object classes and/or permissions.
+
+#
+# All directory and file classes
+#
+define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# All non-directory file classes.
+#
+define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# Non-device file classes.
+#
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+
+#
+# Device file classes.
+#
+define(`devfile_class_set', `{ chr_file blk_file }')
+
+#
+# All socket classes.
+#
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+
+
+#
+# Datagram socket classes.
+#
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+
+#
+# Stream socket classes.
+#
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+
+#
+# Unprivileged socket classes (exclude rawip, netlink, packet).
+#
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+########################################
+#
+# Macros for sets of permissions
+#
+
+#
+# Permissions to mount and unmount file systems.
+#
+define(`mount_fs_perms', `{ mount remount unmount getattr }')
+
+#
+# Permissions for using sockets.
+#
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`create_socket_perms', `{ create rw_socket_perms }')
+
+#
+# Permissions for using stream sockets.
+#
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+
+#
+# Permissions for creating and using stream sockets.
+#
+define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
+
+
+#
+# Permissions for creating and using netlink sockets.
+#
+define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that modify state.
+#
+define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that observe state.
+#
+define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
+
+#
+# Permissions for sending all signals.
+#
+define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
+
+#
+# Permissions for sending and receiving network packets.
+#
+define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
+
+#
+# Permissions for using System V IPC
+#
+define(`r_sem_perms', `{ associate getattr read unix_read }')
+define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
+define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
+define(`r_msgq_perms', `{ associate getattr read unix_read }')
+define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
+define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
+define(`r_shm_perms', `{ associate getattr read unix_read }')
+define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
+define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
+
+########################################
+#
+# New permission sets
+#
+
+#
+# Directory (dir)
+#
+define(`getattr_dir_perms',`{ getattr }')
+define(`setattr_dir_perms',`{ setattr }')
+define(`search_dir_perms',`{ getattr search open }')
+define(`list_dir_perms',`{ getattr search open read lock ioctl }')
+define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
+define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
+define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }')
+define(`create_dir_perms',`{ getattr create }')
+define(`rename_dir_perms',`{ getattr rename }')
+define(`delete_dir_perms',`{ getattr rmdir }')
+define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
+define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
+define(`relabelto_dir_perms',`{ getattr relabelto }')
+define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Regular file (file)
+#
+define(`getattr_file_perms',`{ getattr }')
+define(`setattr_file_perms',`{ setattr }')
+define(`read_file_perms',`{ getattr open read lock ioctl }')
+define(`mmap_file_perms',`{ getattr open read execute ioctl }')
+define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
+define(`append_file_perms',`{ getattr open append lock ioctl }')
+define(`write_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
+define(`create_file_perms',`{ getattr create open }')
+define(`rename_file_perms',`{ getattr rename }')
+define(`delete_file_perms',`{ getattr unlink }')
+define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_file_perms',`{ getattr relabelto }')
+define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Symbolic link (lnk_file)
+#
+define(`getattr_lnk_file_perms',`{ getattr }')
+define(`setattr_lnk_file_perms',`{ setattr }')
+define(`read_lnk_file_perms',`{ getattr read }')
+define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
+define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
+define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+define(`create_lnk_file_perms',`{ create getattr }')
+define(`rename_lnk_file_perms',`{ getattr rename }')
+define(`delete_lnk_file_perms',`{ getattr unlink }')
+define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
+define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
+define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# (Un)named Pipes/FIFOs (fifo_file)
+#
+define(`getattr_fifo_file_perms',`{ getattr }')
+define(`setattr_fifo_file_perms',`{ setattr }')
+define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
+define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
+define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
+define(`create_fifo_file_perms',`{ getattr create open }')
+define(`rename_fifo_file_perms',`{ getattr rename }')
+define(`delete_fifo_file_perms',`{ getattr unlink }')
+define(`manage_fifo_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_fifo_file_perms',`{ getattr relabelto }')
+define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# (Un)named Sockets (sock_file)
+#
+define(`getattr_sock_file_perms',`{ getattr }')
+define(`setattr_sock_file_perms',`{ setattr }')
+define(`read_sock_file_perms',`{ getattr open read }')
+define(`write_sock_file_perms',`{ getattr write open append }')
+define(`rw_sock_file_perms',`{ getattr open read write append }')
+define(`create_sock_file_perms',`{ getattr create open }')
+define(`rename_sock_file_perms',`{ getattr rename }')
+define(`delete_sock_file_perms',`{ getattr unlink }')
+define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
+define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_sock_file_perms',`{ getattr relabelto }')
+define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Block device nodes (blk_file)
+#
+define(`getattr_blk_file_perms',`{ getattr }')
+define(`setattr_blk_file_perms',`{ setattr }')
+define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
+define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
+define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
+define(`create_blk_file_perms',`{ getattr create }')
+define(`rename_blk_file_perms',`{ getattr rename }')
+define(`delete_blk_file_perms',`{ getattr unlink }')
+define(`manage_blk_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_blk_file_perms',`{ getattr relabelto }')
+define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Character device nodes (chr_file)
+#
+define(`getattr_chr_file_perms',`{ getattr }')
+define(`setattr_chr_file_perms',`{ setattr }')
+define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
+define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
+define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
+define(`create_chr_file_perms',`{ getattr create }')
+define(`rename_chr_file_perms',`{ getattr rename }')
+define(`delete_chr_file_perms',`{ getattr unlink }')
+define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_chr_file_perms',`{ getattr relabelto }')
+define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
+
+########################################
+#
+# Special permission sets
+#
+
+#
+# Use (read and write) terminals
+#
+define(`rw_term_perms', `{ getattr open read write append ioctl }')
+
+#
+# Sockets
+#
+define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
+
+#
+# Keys
+#
+define(`manage_key_perms', `{ create link read search setattr view write } ')
diff --git a/policy/users b/policy/users
new file mode 100644
index 00000000..c4ebc7e4
--- /dev/null
+++ b/policy/users
@@ -0,0 +1,45 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix will not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined. The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user. If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+# Until order dependence is fixed for users:
+gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+ifdef(`direct_sysadm_daemon',`
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+',`
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+')
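Review bot: The `direct_sysadm_daemon` branch at the bottom adds `system_r` to root's role set, but unlike the staff_r/sysadm_r guidance in the comment above it nothing says why, and the only difference between the two `gen_user(root, …)` lines is easy to miss. A comment before the `ifdef` such as `# With direct_sysadm_daemon root also holds system_r, so services launched from a sysadm shell can run in the system role without an init-script domain transition; this relaxes role separation and should be enabled deliberately` would record the trade-off (the precise effect depends on role allow rules outside this file, so word it as intent rather than guarantee). The `gen_user(...)` signature comment near the top misspells the last argument as `mcs_catetories`; `mcs_categories` is meant. It would also help to say next to `user_u` that this fallback identity for unmapped Linux users is deliberately the most restricted one declared here: only `user_r`, level `s0`, and no MCS category argument.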
diff --git a/support/Makefile.devel b/support/Makefile.devel
new file mode 100644
index 00000000..b96e9b3d
--- /dev/null
+++ b/support/Makefile.devel
@@ -0,0 +1,223 @@
+
+# helper tools
+AWK ?= gawk
+INSTALL ?= install
+M4 ?= m4
+SED ?= sed
+EINFO ?= echo
+PYTHON ?= python
+CUT ?= cut
+
+NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
+SHAREDIR ?= /usr/share/selinux
+HEADERDIR ?= $(SHAREDIR)/$(NAME)/include
+
+include $(HEADERDIR)/build.conf
+
+# executables
+PREFIX := /usr
+BINDIR := $(PREFIX)/bin
+SBINDIR := $(PREFIX)/sbin
+CHECKMODULE := $(BINDIR)/checkmodule
+SEMODULE := $(SBINDIR)/semodule
+SEMOD_PKG := $(BINDIR)/semodule_package
+XMLLINT := $(BINDIR)/xmllint
+
+# set default build options if missing
+TYPE ?= standard
+DIRECT_INITRC ?= n
+POLY ?= n
+QUIET ?= y
+
+genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
+
+docs := doc
+polxml := $(docs)/policy.xml
+xmldtd := $(HEADERDIR)/support/policy.dtd
+metaxml := metadata.xml
+
+globaltun = $(HEADERDIR)/global_tunables.xml
+globalbool = $(HEADERDIR)/global_booleans.xml
+
+# enable MLS if requested.
+ifeq "$(TYPE)" "mls"
+ M4PARAM += -D enable_mls
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
+# enable MLS if MCS requested.
+ifeq "$(TYPE)" "mcs"
+ M4PARAM += -D enable_mcs
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+ M4PARAM += -D distro_$(DISTRO)
+endif
+
+ifeq ($(DIRECT_INITRC),y)
+ M4PARAM += -D direct_sysadm_daemon
+endif
+
+ifeq "$(UBAC)" "y"
+ M4PARAM += -D enable_ubac
+endif
+
+# default MLS/MCS sensitivity and category settings.
+MLS_SENS ?= 16
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
+
+ifeq ($(QUIET),y)
+ verbose := @
+endif
+
+M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)
+
+# policy headers
+m4support = $(wildcard $(HEADERDIR)/support/*.spt)
+
+header_layers := $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
+header_xml := $(addsuffix .xml,$(header_layers))
+header_interfaces := $(foreach layer,$(header_layers),$(wildcard $(layer)/*.if))
+
+local_layers := $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
+local_xml := $(addprefix tmp/, $(addsuffix .xml,$(local_layers)))
+
+all_layer_names := $(sort $(notdir $(header_layers) $(local_layers)))
+
+3rd_party_mods := $(wildcard *.te)
+detected_mods := $(3rd_party_mods) $(foreach layer,$(local_layers),$(wildcard $(layer)/*.te))
+
+detected_ifs := $(detected_mods:.te=.if)
+detected_fcs := $(detected_mods:.te=.fc)
+all_packages := $(notdir $(detected_mods:.te=.pp))
+
+# figure out what modules we may want to reload
+loaded_mods = $(addsuffix .pp,$(shell $(SEMODULE) -l | $(CUT) -f1))
+sys_mods = $(wildcard $(SHAREDIR)/$(NAME)/*.pp)
+match_sys = $(filter $(addprefix $(SHAREDIR)/$(NAME)/,$(loaded_mods)),$(sys_mods))
+match_loc = $(filter $(all_packages),$(loaded_mods))
+
+vpath %.te $(local_layers)
+vpath %.if $(local_layers)
+vpath %.fc $(local_layers)
+
+.PHONY: clean all xml load reload
+.SUFFIXES:
+.SUFFIXES: .pp
+# broken in make 3.81:
+#.SECONDARY:
+
+########################################
+#
+# Main targets
+#
+
+all: $(all_packages)
+
+xml: $(polxml)
+
+########################################
+#
+# Attempt to reinstall all installed packages
+#
+refresh:
+ @$(EINFO) "Refreshing $(NAME) modules"
+ $(verbose) $(SEMODULE) -b $(SHAREDIR)/$(NAME)/base.pp $(foreach mod,$(match_sys) $(match_loc),-i $(mod))
+
+########################################
+#
+# Load module packages
+#
+
+load: tmp/loaded
+tmp/loaded: $(all_packages)
+ @$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $?))"
+ $(verbose) $(SEMODULE) $(foreach mod,$?,-i $(mod))
+ @mkdir -p tmp
+ @touch tmp/loaded
+
+reload: $(all_packages)
+ @$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $^))"
+ $(verbose) $(SEMODULE) $(foreach mod,$^,-i $(mod))
+ @mkdir -p tmp
+ @touch tmp/loaded
+
+########################################
+#
+# Build module packages
+#
+tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
+ @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
+ @test -d $(@D) || mkdir -p $(@D)
+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+tmp/%.mod.fc: $(m4support) %.fc
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+%.pp: tmp/%.mod tmp/%.mod.fc
+ @echo "Creating $(NAME) $(@F) policy package"
+ $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+
+tmp/all_interfaces.conf: $(m4support) $(header_interfaces) $(detected_ifs)
+ @test -d $(@D) || mkdir -p $(@D)
+ @echo "ifdef(\`__if_error',\`m4exit(1)')" > tmp/iferror.m4
+ @echo "divert(-1)" > $@
+ $(verbose) $(M4) $^ tmp/iferror.m4 | sed -e s/dollarsstar/\$$\*/g >> $@
+ @echo "divert" >> $@
+
+# so users dont have to make empty .fc and .if files
+$(detected_fcs):
+ @touch $@
+
+$(detected_ifs):
+ @echo "## <summary>$(basename $(@D))</summary>" > $@
+
+########################################
+#
+# Documentation generation
+#
+tmp/%.xml: %/*.te %/*.if
+ @test -d $(@D) || mkdir -p $(@D)
+ $(verbose) test -f $(HEADERDIR)/$*.xml || cat $*/$(metaxml) > $@
+ $(verbose) $(genxml) -w -m $(sort $(basename $^)) >> $@
+
+vars: $(local_xml)
+
+$(polxml): $(header_xml) $(local_xml) $(globaltun) $(globalbool) $(detected_mods) $(detected_ifs)
+ @echo "Creating $(@F)"
+ @test -d $(@D) || mkdir -p $(@D)
+ $(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
+ $(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
+ $(verbose) echo '<policy>' >> $@
+ $(verbose) for i in $(all_layer_names); do \
+ echo "<layer name=\"$$i\">" >> $@ ;\
+ test -f $(HEADERDIR)/$$i.xml && cat $(HEADERDIR)/$$i.xml >> $@ ;\
+ test -f tmp/$$i.xml && cat tmp/$$i.xml >> $@ ;\
+ echo "</layer>" >> $@ ;\
+ done
+ifneq "$(strip $(3rd_party_mods))" ""
+ $(verbose) echo "<layer name=\"third_party\">" >> $@
+ $(verbose) echo "<summary>These are all third-party modules.</summary>" >> $@
+ $(verbose) $(genxml) -w -m $(addprefix ./,$(basename $(3rd_party_mods))) >> $@
+ $(verbose) echo "</layer>" >> $@
+endif
+ $(verbose) cat $(globaltun) $(globalbool) >> $@
+ $(verbose) echo '</policy>' >> $@
+ $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
+ $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
+ fi
+
+########################################
+#
+# Clean the environment
+#
+
+clean:
+ rm -fR tmp
+ rm -f *.pp
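Review bot: The `m4exit(1)` guard written into tmp/iferror.m4 is defeated in the tmp/all_interfaces.conf recipe, because m4 is piped into sed and the recipe's exit status is sed's, so an interface error (`__if_error`) leaves a truncated all_interfaces.conf in place and the module build continues against it. Write the m4 output to a file first and run sed on that, e.g. `$(verbose) $(M4) $^ tmp/iferror.m4 > $@.pre` followed by `$(verbose) $(SED) -e 's/dollarsstar/$$*/g' $@.pre >> $@`, which also uses the `SED` variable declared at the top instead of a hard-coded sed. Adding `.DELETE_ON_ERROR:` beside the `.PHONY`/`.SUFFIXES` declarations would likewise stop a failed `$(M4) … > $@` or checkmodule step from leaving a newer-looking partial target that a rerun treats as up to date. Separately, `NAME` is read from /etc/selinux/config at parse time and never validated; if it comes back empty, `include $(HEADERDIR)/build.conf` fails with a confusing `/usr/share/selinux//include` path, so an `$(error NAME is empty; set NAME=<policy type>)` when `$(strip $(NAME))` is empty would make the failure obvious.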
diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed
new file mode 100644
index 00000000..601c4f7e
--- /dev/null
+++ b/support/comment_move_decl.sed
@@ -0,0 +1,14 @@
+# comment out lines that are moved by the build
+# process, so line numbers provided by m4 are preserved.
+
+# lines in require and optional blocks are not moved
+/require \{/,/} # end require/b nextline
+/optional \{/,/} # end optional/b nextline
+
+/^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/
+
+:nextline
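Review bot: The patterns in this script use extended regular expression syntax (`(attribute(_role)?|type(alias)?)`, `fs_use_(xattr|task|trans)`), which plain `sed` treats as literal characters in its default BRE mode, so none of the declaration lines would be commented out and the line-number preservation described in the header would silently not happen. The invoking rule is not in this file, so the requirement should be stated at the top: `# NOTE: requires extended regexes - run with sed -r (GNU) or sed -E.` It may also be worth noting that the `require`/`optional` range addresses (`/require \{/,/} # end require/`) depend on the exact `# end require` / `# end optional` trailers emitted by the build's m4 macros, which are not visible here and should be kept in sync if those macros change.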
diff --git a/support/divert.m4 b/support/divert.m4
new file mode 100644
index 00000000..7ce2db3c
--- /dev/null
+++ b/support/divert.m4
@@ -0,0 +1 @@
+divert(`-1') \ No newline at end of file
diff --git a/support/fc_sort.c b/support/fc_sort.c
new file mode 100644
index 00000000..6c430359
--- /dev/null
+++ b/support/fc_sort.c
@@ -0,0 +1,558 @@
+/* Copyright 2005, Tresys Technology
+ *
+ * Some parts of this came from matchpathcon.c in libselinux
+ */
+
+/* PURPOSE OF THIS PROGRAM
+ * The original setfiles sorting algorithm did not take into
+ * account regular expression specificity. With the current
+ * strict and targeted policies this is not an issue because
+ * the file contexts are partially hand sorted and concatenated
+ * in the right order so that the matches are generally correct.
+ * The way reference policy and loadable policy modules handle
+ * file contexts makes them come out in an unpredictable order
+ * and therefore setfiles (or this standalone tool) need to sort
+ * the regular expressions in a deterministic and stable way.
+ */
+
+#define BUF_SIZE 4096;
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+typedef unsigned char bool_t;
+
+/* file_context_node
+ * A node used in a linked list of file contexts.c
+ * Each node contains the regular expression, the type and
+ * the context, as well as information about the regular
+ * expression. The regular expression data (meta, stem_len
+ * and str_len) can be filled in by using the fc_fill_data
+ * function after the regular expression has been loaded.
+ * next points to the next node in the linked list.
+ */
+typedef struct file_context_node {
+ char *path;
+ char *file_type;
+ char *context;
+ bool_t meta;
+ int stem_len;
+ int str_len;
+ struct file_context_node *next;
+} file_context_node_t;
+
+void file_context_node_destroy(file_context_node_t *x)
+{
+ free(x->path);
+ free(x->file_type);
+ free(x->context);
+}
+
+
+
+/* file_context_bucket
+ * A node used in a linked list of buckets that contain
+ * file_context_node's.
+ * Each node contains a pointer to a file_context_node which
+ * is the header of its linked list. This linked list is the
+ * content of this bucket.
+ * next points to the next bucket in the linked list.
+ */
+typedef struct file_context_bucket {
+ file_context_node_t *data;
+ struct file_context_bucket *next;
+} file_context_bucket_t;
+
+
+
+/* fc_compare
+ * Compares two file contexts' regular expressions and returns:
+ * -1 if a is less specific than b
+ * 0 if a and be are equally specific
+ * 1 if a is more specific than b
+ * The comparison is based on the following statements,
+ * in order from most important to least important, given a and b:
+ * If a is a regular expression and b is not,
+ * -> a is less specific than b.
+ * If a's stem length is shorter than b's stem length,
+ * -> a is less specific than b.
+ * If a's string length is shorter than b's string length,
+ * -> a is less specific than b.
+ * If a does not have a specified type and b does not,
+ * -> a is less specific than b.
+ */
+int fc_compare(file_context_node_t *a, file_context_node_t *b)
+{
+ /* Check to see if either a or b have meta characters
+ * and the other doesn't. */
+ if (a->meta && !b->meta)
+ return -1;
+ if (b->meta && !a->meta)
+ return 1;
+
+ /* Check to see if either a or b have a shorter stem
+ * length than the other. */
+ if (a->stem_len < b->stem_len)
+ return -1;
+ if (b->stem_len < a->stem_len)
+ return 1;
+
+ /* Check to see if either a or b have a shorter string
+ * length than the other. */
+ if (a->str_len < b->str_len)
+ return -1;
+ if (b->str_len < a->str_len)
+ return 1;
+
+ /* Check to see if either a or b has a specified type
+ * and the other doesn't. */
+ if (!a->file_type && b->file_type)
+ return -1;
+ if (!b->file_type && a->file_type)
+ return 1;
+
+ /* If none of the above conditions were satisfied,
+ * then a and b are equally specific. */
+ return 0;
+}
+
+
+
+/* fc_merge
+ * Merges two sorted file context linked lists into one
+ * sorted one.
+ * Pass two lists a and b, and after the completion of fc_merge,
+ * the final list is contained in a, and b is empty.
+ */
+file_context_node_t *fc_merge(file_context_node_t *a,
+ file_context_node_t *b)
+{
+ file_context_node_t *a_current;
+ file_context_node_t *b_current;
+ file_context_node_t *temp;
+ file_context_node_t *jumpto;
+
+
+
+ /* If a is a empty list, and b is not,
+ * set a as b and proceed to the end. */
+ if (!a && b)
+ a = b;
+ /* If b is an empty list, leave a as it is. */
+ else if (!b) {
+ } else {
+ /* Make it so the list a has the lesser
+ * first element always. */
+ if (fc_compare(a, b) == 1) {
+ temp = a;
+ a = b;
+ b = temp;
+ }
+ a_current = a;
+ b_current = b;
+
+ /* Merge by inserting b's nodes in between a's nodes. */
+ while (a_current->next && b_current) {
+ jumpto = a_current->next;
+
+ /* Insert b's nodes in between the current a node
+ * and the next a node.*/
+ while (b_current && a_current->next &&
+ fc_compare(a_current->next,
+ b_current) != -1) {
+
+
+ temp = a_current->next;
+ a_current->next = b_current;
+ b_current = b_current->next;
+ a_current->next->next = temp;
+ a_current = a_current->next;
+ }
+
+ /* Skip all the inserted node from b to the
+ * next node in the original a. */
+ a_current = jumpto;
+ }
+
+
+ /* if there is anything left in b to be inserted,
+ put it on the end */
+ if (b_current) {
+ a_current->next = b_current;
+ }
+ }
+
+ return a;
+}
+
+
+
+/* fc_merge_sort
+ * Sorts file contexts from least specific to more specific.
+ * The bucket linked list is passed and after the completion
+ * of the fc_merge_sort function, there is only one bucket
+ * (pointed to by master) that contains a linked list
+ * of all the file contexts, in sorted order.
+ * Explanation of the algorithm:
+ * The algorithm implemented in fc_merge_sort is an iterative
+ * implementation of merge sort.
+ * At first, each bucket has a linked list of file contexts
+ * that are 1 element each.
+ * Each pass, each odd numbered bucket is merged into the bucket
+ * before it. This halves the number of buckets each pass.
+ * It will continue passing over the buckets (as described above)
+ * until there is only one bucket left, containing the list of
+ * file contexts, sorted.
+ */
+void fc_merge_sort(file_context_bucket_t *master)
+{
+
+
+ file_context_bucket_t *current;
+ file_context_bucket_t *temp;
+
+ /* Loop until master is the only bucket left
+ * so that this will stop when master contains
+ * the sorted list. */
+ while (master->next) {
+ current = master;
+
+ /* This loop merges buckets two-by-two. */
+ while (current) {
+
+ if (current->next) {
+
+ current->data =
+ fc_merge(current->data,
+ current->next->data);
+
+
+
+ temp = current->next;
+ current->next = current->next->next;
+
+ free(temp);
+
+ }
+
+
+ current = current->next;
+ }
+ }
+
+
+}
+
+
+
+/* fc_fill_data
+ * This processes a regular expression in a file context
+ * and sets the data held in file_context_node, namely
+ * meta, str_len and stem_len.
+ * The following changes are made to fc_node after the
+ * the completion of the function:
+ * fc_node->meta = 1 if path has a meta character, 0 if not.
+ * fc_node->str_len = The string length of the entire path
+ * fc_node->stem_len = The number of characters up until
+ * the first meta character.
+ */
+void fc_fill_data(file_context_node_t *fc_node)
+{
+ int c = 0;
+
+ fc_node->meta = 0;
+ fc_node->stem_len = 0;
+ fc_node->str_len = 0;
+
+ /* Process until the string termination character
+ * has been reached.
+ * Note: this while loop has been adapted from
+ * spec_hasMetaChars in matchpathcon.c from
+ * libselinux-1.22. */
+ while (fc_node->path[c] != '\0') {
+ switch (fc_node->path[c]) {
+ case '.':
+ case '^':
+ case '$':
+ case '?':
+ case '*':
+ case '+':
+ case '|':
+ case '[':
+ case '(':
+ case '{':
+ /* If a meta character is found,
+ * set meta to one */
+ fc_node->meta = 1;
+ break;
+ case '\\':
+ /* If a escape character is found,
+ * skip the next character. */
+ c++;
+ default:
+ /* If no meta character has been found yet,
+ * add one to the stem length. */
+ if (!fc_node->meta)
+ fc_node->stem_len++;
+ break;
+ }
+
+ fc_node->str_len++;
+ c++;
+ }
+}
+
+/* main
+ * This program takes in two arguments, the input filename and the
+ * output filename. The input file should be syntactically correct.
+ * Overall what is done in the main is read in the file and store each
+ * line of code, sort it, then output it to the output file.
+ */
+int main(int argc, char *argv[])
+{
+ int lines;
+ size_t start, finish, regex_len, context_len;
+ size_t line_len, buf_len, i, j;
+ char *input_name, *output_name, *line_buf;
+
+ file_context_node_t *temp;
+ file_context_node_t *head;
+ file_context_node_t *current;
+ file_context_bucket_t *master;
+ file_context_bucket_t *bcurrent;
+
+ FILE *in_file, *out_file;
+
+
+ /* Check for the correct number of command line arguments. */
+ if (argc != 3) {
+ fprintf(stderr, "Usage: %s <infile> <outfile>\n",argv[0]);
+ return 1;
+ }
+
+ input_name = argv[1];
+ output_name = argv[2];
+
+ i = j = lines = 0;
+
+ /* Open the input file. */
+ if (!(in_file = fopen(input_name, "r"))) {
+ fprintf(stderr, "Error: failure opening input file for read.\n");
+ return 1;
+ }
+
+ /* Initialize the head of the linked list. */
+ head = current = (file_context_node_t*)malloc(sizeof(file_context_node_t));
+
+ /* Parse the file into a file_context linked list. */
+ line_buf = NULL;
+
+ while ( getline(&line_buf, &buf_len, in_file) != -1 ){
+ line_len = strlen(line_buf);
+ if( line_len == 0 || line_len == 1)
+ continue;
+ /* Get rid of whitespace from the front of the line. */
+ for (i = 0; i < line_len; i++) {
+ if (!isspace(line_buf[i]))
+ break;
+ }
+
+
+ if (i >= line_len)
+ continue;
+ /* Check if the line isn't empty and isn't a comment */
+ if (line_buf[i] == '#')
+ continue;
+
+ /* We have a valid line - allocate a new node. */
+ temp = (file_context_node_t *)malloc(sizeof(file_context_node_t));
+ if (!temp) {
+ fprintf(stderr, "Error: failure allocating memory.\n");
+ return 1;
+ }
+ temp->next = NULL;
+ memset(temp, 0, sizeof(file_context_node_t));
+
+ /* Parse out the regular expression from the line. */
+ start = i;
+
+
+ while (i < line_len && (!isspace(line_buf[i])))
+ i++;
+ finish = i;
+
+
+ regex_len = finish - start;
+
+ if (regex_len == 0) {
+ file_context_node_destroy(temp);
+ free(temp);
+
+
+ continue;
+ }
+
+ temp->path = (char*)strndup(&line_buf[start], regex_len);
+ if (!temp->path) {
+ file_context_node_destroy(temp);
+ free(temp);
+ fprintf(stderr, "Error: failure allocating memory.\n");
+ return 1;
+ }
+
+ /* Get rid of whitespace after the regular expression. */
+ for (; i < line_len; i++) {
+
+ if (!isspace(line_buf[i]))
+ break;
+ }
+
+ if (i == line_len) {
+ file_context_node_destroy(temp);
+ free(temp);
+ continue;
+ }
+
+ /* Parse out the type from the line (if it
+ * is there). */
+ if (line_buf[i] == '-') {
+ temp->file_type = (char *)malloc(sizeof(char) * 3);
+ if (!(temp->file_type)) {
+ fprintf(stderr, "Error: failure allocating memory.\n");
+ return 1;
+ }
+
+ if( i + 2 >= line_len ) {
+ file_context_node_destroy(temp);
+ free(temp);
+
+ continue;
+ }
+
+ /* Fill the type into the array. */
+ temp->file_type[0] = line_buf[i];
+ temp->file_type[1] = line_buf[i + 1];
+ i += 2;
+ temp->file_type[2] = 0;
+
+ /* Get rid of whitespace after the type. */
+ for (; i < line_len; i++) {
+ if (!isspace(line_buf[i]))
+ break;
+ }
+
+ if (i == line_len) {
+
+ file_context_node_destroy(temp);
+ free(temp);
+ continue;
+ }
+ }
+
+ /* Parse out the context from the line. */
+ start = i;
+ while (i < line_len && (!isspace(line_buf[i])))
+ i++;
+ finish = i;
+
+ context_len = finish - start;
+
+ temp->context = (char*)strndup(&line_buf[start], context_len);
+ if (!temp->context) {
+ file_context_node_destroy(temp);
+ free(temp);
+ fprintf(stderr, "Error: failure allocating memory.\n");
+ return 1;
+ }
+
+ /* Set all the data about the regular
+ * expression. */
+ fc_fill_data(temp);
+
+ /* Link this line of code at the end of
+ * the linked list. */
+ current->next = temp;
+ current = current->next;
+ lines++;
+
+
+ free(line_buf);
+ line_buf = NULL;
+ }
+ fclose(in_file);
+
+ /* Create the bucket linked list from the earlier linked list. */
+ current = head->next;
+ bcurrent = master =
+ (file_context_bucket_t *)
+ malloc(sizeof(file_context_bucket_t));
+
+ /* Go until all the nodes have been put in individual buckets. */
+ while (current) {
+ /* Copy over the file context line into the bucket. */
+ bcurrent->data = current;
+ current = current->next;
+
+ /* Detatch the node in the bucket from the old list. */
+ bcurrent->data->next = NULL;
+
+ /* If there should be another bucket, put one at the end. */
+ if (current) {
+ bcurrent->next =
+ (file_context_bucket_t *)
+ malloc(sizeof(file_context_bucket_t));
+ if (!(bcurrent->next)) {
+ printf
+ ("Error: failure allocating memory.\n");
+ return -1;
+ }
+
+ /* Make sure the new bucket thinks it's the end of the
+ * list. */
+ bcurrent->next->next = NULL;
+
+ bcurrent = bcurrent->next;
+ }
+
+ }
+
+ /* Sort the bucket list. */
+ fc_merge_sort(master);
+
+ /* Open the output file. */
+ if (!(out_file = fopen(argv[2], "w"))) {
+ printf("Error: failure opening output file for write.\n");
+ return -1;
+ }
+
+ /* Output the sorted file_context linked list to the output file. */
+ current = master->data;
+ while (current) {
+ /* Output the path. */
+ fprintf(out_file, "%s\t\t", current->path);
+
+ /* Output the type, if there is one. */
+ if (current->file_type) {
+ fprintf(out_file, "%s\t", current->file_type);
+ }
+
+ /* Output the context. */
+ fprintf(out_file, "%s\n", current->context);
+
+ /* Remove the node. */
+ temp = current;
+ current = current->next;
+
+ file_context_node_destroy(temp);
+ free(temp);
+
+ }
+ free(master);
+
+ fclose(out_file);
+
+ return 0;
+}
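Review bot: `head` and `master` are allocated without a NULL check and their fields are never initialised, so when the input has no usable entries (an empty, whitespace-only or comment-only file — not unusual for a module .fc) `current = head->next` and the `master->next` read in fc_merge_sort use indeterminate memory; for a tool whose stated purpose is deterministic ordering, that is undefined behaviour on a plausible input. Initialise both sentinels right after allocation and fail on allocation failure the way the other malloc sites already do. `buf_len` is also passed to getline uninitialised on the first call — set it to 0 where `line_buf = NULL` is assigned — and `#define BUF_SIZE 4096;` carries a trailing semicolon that will break the first expression that uses it (it is currently unused). The error paths are inconsistent as well: two of them report via printf to stdout and return -1 while the rest use stderr and return 1.
```c
	/* Initialize the head of the linked list. */
	head = current = malloc(sizeof(*head));
	if (!head) {
		fprintf(stderr, "Error: failure allocating memory.\n");
		fclose(in_file);
		return 1;
	}
	head->next = NULL;

	/* … unchanged: line parsing loop … */

	/* Create the bucket linked list from the earlier linked list. */
	current = head->next;
	bcurrent = master = malloc(sizeof(*master));
	if (!master) {
		fprintf(stderr, "Error: failure allocating memory.\n");
		return 1;
	}
	master->data = NULL;
	master->next = NULL;
```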
diff --git a/support/genclassperms.py b/support/genclassperms.py
new file mode 100644
index 00000000..732d6451
--- /dev/null
+++ b/support/genclassperms.py
@@ -0,0 +1,308 @@
+#!/usr/bin/python
+
+# Author: Donald Miner <dminer@tresys.com>
+#
+# Copyright (C) 2005 Tresys Technology, LLC
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 2.
+
+
+"""
+ This script generates an object class perm definition file.
+"""
+
+import sys
+
+USERSPACE_CLASS = "userspace"
+
+class Class:
+ """
+ This object stores an access vector class.
+ """
+
+ def __init__(self, name, perms, common):
+ # The name of the class.
+ self.name = name
+
+ # A list of permissions the class contains.
+ self.perms = perms
+
+ # True if the class is declared as common, False if not.
+ self.common = common
+
+def get_perms(name, av_db, common):
+ """
+ Returns the list of permissions contained within an access vector
+ class that is stored in the access vector database av_db.
+ Returns an empty list if the object name is not found.
+ Specifiy whether get_perms is to return the class or the
+ common set of permissions with the boolean value 'common',
+ which is important in the case of having duplicate names (such as
+ class file and common file).
+ """
+
+ # Traverse through the access vector database and try to find the
+ # object with the name passed.
+ for obj in av_db:
+ if obj.name == name and obj.common == common:
+ return obj.perms
+
+ return []
+
+def get_av_db(file_name):
+ """
+ Returns an access vector database generated from the file file_name.
+ """
+ # This function takes a file, reads the data, parses it and returns
+ # a list of access vector classes.
+ # Reading into av_data:
+ # The file specified will be read line by line. Each line will have
+ # its comments removed. Once comments are removed, each 'word' (text
+ # seperated by whitespace) and braces will be split up into seperate
+ # strings and appended to the av_data list, in the order they were
+ # read.
+ # Parsing av_data:
+ # Parsing is done using a queue implementation of the av_data list.
+ # Each time a word is used, it is dequeued afterwards. Each loop in
+ # the while loop below will read in key words and dequeue expected
+ # words and values. At the end of each loop, a Class containing the
+ # name, permissions and whether it is a common or not will be appended
+ # to the database. Lots of errors are caught here, almost all checking
+ # if a token is expected but EOF is reached.
+ # Now the list of Class objects is returned.
+
+ av_file = open(file_name, "r")
+ av_data = []
+ # Read the file and strip out comments on the way.
+ # At the end of the loop, av_data will contain a list of individual
+ # words. i.e. ['common', 'file', '{', ...]. All comments and whitespace
+ # will be gone.
+ while True:
+ av_line = av_file.readline()
+
+ # If EOF has been reached:
+ if not av_line:
+ break
+
+ # Check if there is a comment, and if there is, remove it.
+ comment_index = av_line.find("#")
+ if comment_index != -1:
+ av_line = av_line[:comment_index]
+
+ # Pad the braces with whitespace so that they are split into
+ # their own word. It doesn't matter if there will be extra
+ # white space, it'll get thrown away when the string is split.
+ av_line.replace("{"," { ")
+ av_line.replace("}"," } ")
+
+ # Split up the words on the line and add it to av_data.
+ av_data += av_line.split()
+
+ av_file.close()
+
+ # Parsing the file:
+ # The implementation of this parse is a queue. We use the list of words
+ # from av_data and use the front element, then dequeue it. Each
+ # loop of this while is a common or class declaration. Several
+ # expected tokens are parsed and dequeued out of av_data for each loop.
+ # At the end of the loop, database will contain a list of Class objects.
+ # i.e. [Class('name',['perm1','perm2',...],'True'), ...]
+ # Dequeue from the beginning of the list until av_data is empty:
+ database = []
+ while len(av_data) != 0:
+ # At the beginning of every loop, the next word should be
+ # "common" or "class", meaning that each loop is a common
+ # or class declaration.
+ # av_data = av_data[1:] removes the first element in the
+ # list, this is what is dequeueing data.
+
+ # Figure out whether the next class will be a common or a class.
+ if av_data[0] == "class":
+ common = False
+ elif av_data[0] == "common":
+ common = True
+ else:
+ error("Unexpected token in file " + file_name + ": "\
+ + av_data[0] + ".")
+
+ # Dequeue the "class" or "common" key word.
+ av_data = av_data[1:]
+
+ if len(av_data) == 0:
+ error("Missing token in file " + file_name + ".")
+
+ # Get and dequeue the name of the class or common.
+ name = av_data[0]
+ av_data = av_data[1:]
+
+ # Retrieve the permissions inherited from a common set:
+ perms = []
+ # If the object we are working with is a class, since only
+ # classes inherit:
+ if common == False:
+ if len(av_data) == 0:
+ error("Missing token in file " + file_name + ".")
+
+ # If the class inherits from something else:
+ if av_data[0] == "inherits":
+ # Dequeue the "inherits" key word.
+ av_data = av_data[1:]
+
+ if len(av_data) == 0:
+ error("Missing token in file "\
+ + file_name + " for " +\
+ keyword + " " + name + ".")
+
+ # av_data[0] is the name of the parent.
+ # Append the permissions of the parent to
+ # the current class' permissions.
+ perms += get_perms(av_data[0], database, True)
+
+ # Dequeue the name of the parent.
+ av_data = av_data[1:]
+
+ # Retrieve the permissions defined with this set.
+ if len(av_data) > 0 and av_data[0] == "{":
+ # Dequeue the "{"
+ av_data = av_data[1:]
+
+ # Keep appending permissions until a close brace is
+ # found.
+ while av_data[0] != "}":
+ if av_data[0] == "{":
+ error("Extra '{' in file " +\
+ file_name + ".")
+
+ # Add the permission name.
+ perms.append(av_data[0])
+
+ # Dequeue the permission name.
+ av_data = av_data[1:]
+
+ if len(av_data) == 0:
+ error("Missing token '}' in file "\
+ + file_name + ".")
+
+ # Dequeue the "}"
+ av_data = av_data[1:]
+
+ # Add the new access vector class to the database.
+ database.append(Class(name, perms, common))
+
+ return database
+
+def get_sc_db(file_name):
+ """
+ Returns a security class database generated from the file file_name.
+ """
+
+ # Read the file then close it.
+ sc_file = open(file_name)
+ sc_data = sc_file.readlines()
+ sc_file.close()
+
+ # For each line in the security classes file, add the name of the class
+ # and whether it is a userspace class or not to the security class
+ # database.
+ database = []
+ for line in sc_data:
+ line = line.lstrip()
+ # If the line is empty or the entire line is a comment, skip.
+ if line == "" or line[0] == "#":
+ continue
+
+ # Check if the comment to the right of the permission matches
+ # USERSPACE_CLASS.
+ comment_index = line.find("#")
+ if comment_index != -1 and line[comment_index+1:].strip() == USERSPACE_CLASS:
+ userspace = True
+ else:
+ userspace = False
+
+ # All lines should be in the format "class NAME", meaning
+ # it should have two tokens and the first token should be
+ # "class".
+ split_line = line.split()
+ if len(split_line) < 2 or split_line[0] != "class":
+ error("Wrong syntax: " + line)
+
+ # Add the class's name (split_line[1]) and whether it is a
+ # userspace class or not to the database.
+ # This is appending a tuple of (NAME,USERSPACE), where NAME is
+ # the name of the security class and USERSPACE is True if
+ # if it has "# USERSPACE_CLASS" on the end of the line, False
+ # if not.
+ database.append((split_line[1], userspace))
+
+ return database
+
+def gen_class_perms(av_db, sc_db):
+ """
+ Generates a class permissions document and returns it.
+ """
+
+ # Define class template:
+ class_perms_line = "define(`all_%s_perms',`{ %s}')\n"
+
+ # Generate the defines for the individual class permissions.
+ class_perms = ""
+ for obj in av_db:
+ # Don't output commons
+ if obj.common == True:
+ continue
+
+ # Get the list of permissions from the specified class.
+ perms = get_perms(obj.name, av_db, False)
+
+ # Merge all the permissions into one string with one space
+ # padding.
+ perm_str = ""
+ for perm in perms:
+ perm_str += perm + " "
+
+ # Add the line to the class_perms
+ class_perms += class_perms_line % (obj.name, perm_str)
+ class_perms += "\n"
+
+ # Generate the kernel_class_perms and userspace_class_perms sets.
+ class_line = "\tclass %s all_%s_perms;\n"
+ kernel_class_perms = "define(`all_kernel_class_perms',`\n"
+ userspace_class_perms = "define(`all_userspace_class_perms',`\n"
+ # For each (NAME,USERSPACE) tuple, add the class to the appropriate
+ # class permission set.
+ for name, userspace in sc_db:
+ if userspace:
+ userspace_class_perms += class_line % (name, name)
+ else:
+ kernel_class_perms += class_line % (name, name)
+ kernel_class_perms += "')\n\n"
+ userspace_class_perms += "')\n"
+
+ # Throw all the strings together and return the string.
+ return class_perms + kernel_class_perms + userspace_class_perms
+
+def error(error):
+ """
+ Print an error message and exit.
+ """
+
+ sys.stderr.write("%s exiting for: " % sys.argv[0])
+ sys.stderr.write("%s\n" % error)
+ sys.stderr.flush()
+ sys.exit(1)
+
+# MAIN PROGRAM
+app_name = sys.argv[0]
+
+if len(sys.argv) != 3:
+ error("Incorrect input.\nUsage: " + sys.argv[0] + " access_vectors security_classes" )
+
+# argv[1] is the access vector file.
+av_file = sys.argv[1]
+
+# argv[2] is the security class file.
+sc_file = sys.argv[2]
+
+# Output the class permissions document.
+sys.stdout.write(gen_class_perms(get_av_db(av_file), get_sc_db(sc_file)))
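Review bot: The brace padding at the top of get_av_db is a no-op: `av_line.replace("{"," { ")` and the `}` line on the next row discard their return value (str.replace does not mutate), so a token glued to a brace such as `file{` is never split into separate words; the fix is `av_line = av_line.replace("{", " { ").replace("}", " } ")`. The `inherits` error branch also references an undefined name, `keyword`, so a truncated file raises NameError instead of the intended "Missing token" message; only classes reach that branch, so the literal `"class"` belongs there. Finally `while av_data[0] != "}"` is evaluated before the emptiness check inside the loop, so an opening brace as the last token of the file raises IndexError rather than the 'Missing token' error; guard with `while len(av_data) > 0 and av_data[0] != "}"` and report the missing `}` if the list is exhausted.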
diff --git a/support/genhomedircon b/support/genhomedircon
new file mode 100644
index 00000000..01ef91d9
--- /dev/null
+++ b/support/genhomedircon
@@ -0,0 +1,481 @@
+#! /usr/bin/env python
+# Copyright (C) 2004 Tresys Technology, LLC
+# see file 'COPYING' for use and warranty information
+#
+# genhomedircon - this script is used to generate file context
+# configuration entries for user home directories based on their
+# default roles and is run when building the policy. Specifically, we
+# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
+# generic and user-specific values.
+#
+# Based off original script by Dan Walsh, <dwalsh@redhat.com>
+#
+# ASSUMPTIONS:
+#
+# The file CONTEXTDIR/files/homedir_template exists. This file is used to
+# set up the home directory context for each real user.
+#
+# If a user has more than one role in CONTEXTDIR/local.users, genhomedircon uses
+# the first role in the list.
+#
+# If a user is not listed in CONTEXTDIR/local.users, he will default to user_u, role user
+#
+# "Real" users (as opposed to system users) are those whose UID is greater than
+# or equal STARTING_UID (usually 500) and whose login is not a member of
+# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/local.users
+# are always "real" (including root, in the default configuration).
+#
+#
+# Old ASSUMPTIONS:
+#
+# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses
+# the first role in the list.
+#
+# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that
+# the user's home dir will be found in one of the HOME_ROOTs.
+#
+# "Real" users (as opposed to system users) are those whose UID is greater than
+# or equal STARTING_UID (usually 500) and whose login is not a member of
+# EXCLUDE_LOGINS. Users who are explicitly defined in FILECONTEXTDIR/users
+# are always "real" (including root, in the default configuration).
+#
+
+import commands, sys, os, pwd, string, getopt, re
+
+EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
+
+def getStartingUID():
+ starting_uid = sys.maxint
+ rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs")
+ if rc[0] == 0:
+ uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1])
+ #stip any comment from the end of the line
+ uid_min = uid_min.split("#")[0]
+ uid_min = uid_min.strip()
+ if int(uid_min) < starting_uid:
+ starting_uid = int(uid_min)
+ rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf")
+ if rc[0] == 0:
+ lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1])
+ #stip any comment from the end of the line
+ lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber)
+ lu_uidnumber = lu_uidnumber.split("#")[0]
+ lu_uidnumber = lu_uidnumber.strip()
+ if int(lu_uidnumber) < starting_uid:
+ starting_uid = int(lu_uidnumber)
+ if starting_uid == sys.maxint:
+ starting_uid = 500
+ return starting_uid
+
+#############################################################################
+#
+# This section is just for backwards compatability
+#
+#############################################################################
+def getPrefixes():
+ ulist = pwd.getpwall()
+ STARTING_UID=getStartingUID()
+ prefixes = {}
+ for u in ulist:
+ if u[2] >= STARTING_UID and \
+ not u[6] in EXCLUDE_LOGINS and \
+ u[5] != "/" and \
+ string.count(u[5], "/") > 1:
+ prefix = u[5][:string.rfind(u[5], "/")]
+ if not prefixes.has_key(prefix):
+ prefixes[prefix] = ""
+ return prefixes
+
+def getUsers(filecontextdir):
+ rc = commands.getstatusoutput("grep ^user %s/users" % filecontextdir)
+ udict = {}
+ if rc[0] == 0:
+ ulist = rc[1].strip().split("\n")
+ for u in ulist:
+ user = u.split()
+ try:
+ if user[1] == "user_u" or user[1] == "system_u":
+ continue
+ # !!! chooses first role in the list to use in the file context !!!
+ role = user[3]
+ if role == "{":
+ role = user[4]
+ role = role.split("_r")[0]
+ home = pwd.getpwnam(user[1])[5]
+ if home == "/":
+ continue
+ prefs = {}
+ prefs["role"] = role
+ prefs["home"] = home
+ udict[user[1]] = prefs
+ except KeyError:
+ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
+ return udict
+
+def update(filecontext, user, prefs):
+ rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user))
+ if rc[0] == 0:
+ print rc[1]
+ else:
+ errorExit(string.join("grep/sed error ", rc[1]))
+ return rc
+
+def oldgenhomedircon(filecontextdir, filecontext):
+ sys.stderr.flush()
+
+ if os.path.isdir(filecontextdir) == 0:
+ sys.stderr.write("New usage is the following\n")
+ usage()
+ #We are going to define home directory used by libuser and show-utils as a home directory root
+ prefixes = {}
+ rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
+ if rc[0] == 0:
+ homedir = rc[1].split("=")[1]
+ homedir = homedir.split("#")[0]
+ homedir = homedir.strip()
+ if not prefixes.has_key(homedir):
+ prefixes[homedir] = ""
+ else:
+ #rc[0] == 256 means the file was there, we read it, but the grep didn't match
+ if rc[0] != 256:
+ sys.stderr.write("%s\n" % rc[1])
+ sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
+ sys.stderr.flush()
+
+
+ rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
+ if rc[0] == 0:
+ homedir = rc[1].split("=")[1]
+ homedir = homedir.split("#")[0]
+ homedir = homedir.strip()
+ homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
+ if not prefixes.has_key(homedir):
+ prefixes[homedir] = ""
+
+ #the idea is that we need to find all of the home_root_t directories we do this by just accepting
+ #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd
+ #we then get the potential home directory roots from /etc/passwd or nis or wherever and look at
+ #the defined homedir for all users with UID > STARTING_UID. This list of possible root homedirs
+ #is then checked to see if it has an explicite context defined in the file_contexts. Explicit
+ #is any regex that would match it which does not end with .*$ or .+$ since those are general
+ #recursive matches. We then take any regex which ends with [pattern](/.*)?$ and just check against
+ #[pattern]
+ potential_prefixes = getPrefixes()
+ prefix_regex = {}
+ #this works by grepping the file_contexts for
+ # 1. ^/ makes sure this is not a comment
+ # 2. prints only the regex in the first column first cut on \t then on space
+ rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % (sys.argv[2]) )
+ if rc[0] == 0:
+ prefix_regex = rc[1].split("\n")
+ else:
+ sys.stderr.write("%s\n" % rc[1])
+ sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
+ sys.stderr.flush()
+ for potential in potential_prefixes.keys():
+ addme = 1
+ for regex in prefix_regex:
+ #match a trailing (/*)? which is actually a bug in rpc_pipefs
+ regex = re.sub("\(/\*\)\?$", "", regex)
+ #match a trailing .+
+ regex = re.sub("\.+$", "", regex)
+ #match a trailing .*
+ regex = re.sub("\.\*$", "", regex)
+ #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
+ regex = re.sub("\(\/\.\*\)\?", "", regex)
+ regex = regex + "/*$"
+ if re.search(regex, potential, 0):
+ addme = 0
+ if addme == 1:
+ if not prefixes.has_key(potential):
+ prefixes[potential] = ""
+
+
+ if prefixes.__eq__({}):
+ sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n")
+ sys.stderr.write("HOME= not set in /etc/default/useradd\n")
+ sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
+ sys.stderr.write("Assuming /home is the root of home directories\n")
+ sys.stderr.flush()
+ prefixes["/home"] = ""
+
+ # There may be a more elegant sed script to expand a macro to multiple lines, but this works
+ sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),)
+ sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),)
+
+ # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
+ rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext))
+ if rc[0] == 0:
+ print rc[1]
+ else:
+ errorExit(string.join("sed error ", rc[1]))
+
+ users = getUsers(filecontextdir)
+ print "\n#\n# User-specific file contexts\n#\n"
+
+ # Fill in HOME and ROLE for users that are defined
+ for u in users.keys():
+ update(filecontext, u, users[u])
+
+#############################################################################
+#
+# End of backwards compatability section
+#
+#############################################################################
+
+def getDefaultHomeDir():
+ ret = []
+ rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
+ if rc[0] == 0:
+ homedir = rc[1].split("=")[1]
+ homedir = homedir.split("#")[0]
+ homedir = homedir.strip()
+ if not homedir in ret:
+ ret.append(homedir)
+ else:
+ #rc[0] == 256 means the file was there, we read it, but the grep didn't match
+ if rc[0] != 256:
+ sys.stderr.write("%s\n" % rc[1])
+ sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
+ sys.stderr.flush()
+ rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
+ if rc[0] == 0:
+ homedir = rc[1].split("=")[1]
+ homedir = homedir.split("#")[0]
+ homedir = homedir.strip()
+ if not homedir in ret:
+ ret.append(homedir)
+ else:
+ #rc[0] == 256 means the file was there, we read it, but the grep didn't match
+ if rc[0] != 256:
+ sys.stderr.write("%s\n" % rc[1])
+ sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n")
+ sys.stderr.flush()
+ if ret == []:
+ ret.append("/home")
+ return ret
+
+def getSELinuxType(directory):
+ rc=commands.getstatusoutput("grep ^SELINUXTYPE= %s/config" % directory)
+ if rc[0]==0:
+ return rc[1].split("=")[-1].strip()
+ return "targeted"
+
+def usage(error = ""):
+ if error != "":
+ sys.stderr.write("%s\n" % error)
+ sys.stderr.write("Usage: %s [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ]\n" % sys.argv[0])
+ sys.stderr.flush()
+ sys.exit(1)
+
+def warning(warning = ""):
+ sys.stderr.write("%s\n" % warning)
+ sys.stderr.flush()
+
+def errorExit(error):
+ sys.stderr.write("%s exiting for: " % sys.argv[0])
+ sys.stderr.write("%s\n" % error)
+ sys.stderr.flush()
+ sys.exit(1)
+
+class selinuxConfig:
+ def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1):
+ self.type=type
+ self.selinuxdir=selinuxdir +"/"
+ self.contextdir="/contexts"
+ self.filecontextdir=self.contextdir+"/files"
+ self.usepwd=usepwd
+
+ def getFileContextDir(self):
+ return self.selinuxdir+self.type+self.filecontextdir
+
+ def getFileContextFile(self):
+ return self.getFileContextDir()+"/file_contexts"
+
+ def getContextDir(self):
+ return self.selinuxdir+self.type+self.contextdir
+
+ def getHomeDirTemplate(self):
+ return self.getFileContextDir()+"/homedir_template"
+
+ def getHomeRootContext(self, homedir):
+ rc=commands.getstatusoutput("grep HOME_ROOT %s | sed -e \"s|^HOME_ROOT|%s|\"" % ( self.getHomeDirTemplate(), homedir))
+ if rc[0] == 0:
+ return rc[1]+"\n"
+ else:
+ errorExit(string.join("sed error ", rc[1]))
+
+ def getUsersFile(self):
+ return self.selinuxdir+self.type+"/users/local.users"
+
+ def getSystemUsersFile(self):
+ return self.selinuxdir+self.type+"/users/system.users"
+
+ def heading(self):
+ ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
+ ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile()
+ return ret
+
+ def getUsers(self):
+ users=""
+ rc = commands.getstatusoutput('grep "^user" %s' % self.getSystemUsersFile())
+ if rc[0] == 0:
+ users+=rc[1]+"\n"
+ rc = commands.getstatusoutput("grep ^user %s" % self.getUsersFile())
+ if rc[0] == 0:
+ users+=rc[1]
+ udict = {}
+ prefs = {}
+ if users != "":
+ ulist = users.split("\n")
+ for u in ulist:
+ user = u.split()
+ try:
+ if len(user)==0 or user[1] == "user_u" or user[1] == "system_u":
+ continue
+ # !!! chooses first role in the list to use in the file context !!!
+ role = user[3]
+ if role == "{":
+ role = user[4]
+ role = role.split("_r")[0]
+ home = pwd.getpwnam(user[1])[5]
+ if home == "/":
+ continue
+ prefs = {}
+ prefs["role"] = role
+ prefs["home"] = home
+ udict[user[1]] = prefs
+ except KeyError:
+ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
+ return udict
+
+ def getHomeDirContext(self, user, home, role):
+ ret="\n\n#\n# Context for user %s\n#\n\n" % user
+ rc=commands.getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user))
+ return ret + rc[1] + "\n"
+
+ def genHomeDirContext(self):
+ users = self.getUsers()
+ ret=""
+ # Fill in HOME and ROLE for users that are defined
+ for u in users.keys():
+ ret += self.getHomeDirContext (u, users[u]["home"], users[u]["role"])
+ return ret+"\n"
+
+ def checkExists(self, home):
+ if commands.getstatusoutput("grep -E '^%s[^[:alnum:]_-]' %s" % (home, self.getFileContextFile()))[0] == 0:
+ return 0
+ #this works by grepping the file_contexts for
+ # 1. ^/ makes sure this is not a comment
+ # 2. prints only the regex in the first column first cut on \t then on space
+ rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % self.getFileContextFile() )
+ if rc[0] == 0:
+ prefix_regex = rc[1].split("\n")
+ else:
+ sys.stderr.write("%s\n" % rc[1])
+ sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
+ sys.stderr.flush()
+ exists=1
+ for regex in prefix_regex:
+ #match a trailing (/*)? which is actually a bug in rpc_pipefs
+ regex = re.sub("\(/\*\)\?$", "", regex)
+ #match a trailing .+
+ regex = re.sub("\.+$", "", regex)
+ #match a trailing .*
+ regex = re.sub("\.\*$", "", regex)
+ #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
+ regex = re.sub("\(\/\.\*\)\?", "", regex)
+ regex = regex + "/*$"
+ if re.search(regex, home, 0):
+ exists = 0
+ break
+ if exists == 1:
+ return 1
+ else:
+ return 0
+
+
+ def getHomeDirs(self):
+ homedirs = []
+ homedirs = homedirs + getDefaultHomeDir()
+ starting_uid=getStartingUID()
+ if self.usepwd==0:
+ return homedirs
+ ulist = pwd.getpwall()
+ for u in ulist:
+ if u[2] >= starting_uid and \
+ not u[6] in EXCLUDE_LOGINS and \
+ u[5] != "/" and \
+ string.count(u[5], "/") > 1:
+ homedir = u[5][:string.rfind(u[5], "/")]
+ if not homedir in homedirs:
+ if self.checkExists(homedir)==0:
+ warning("%s is already defined in %s,\n%s will not create a new context." % (homedir, self.getFileContextFile(), sys.argv[0]))
+ else:
+ homedirs.append(homedir)
+
+ homedirs.sort()
+ return homedirs
+
+ def genoutput(self):
+ ret= self.heading()
+ for h in self.getHomeDirs():
+ ret += self.getHomeDirContext ("user_u" , h+'/[^/]*', "user")
+ ret += self.getHomeRootContext(h)
+ ret += self.genHomeDirContext()
+ return ret
+
+ def printout(self):
+ print self.genoutput()
+
+ def write(self):
+ try:
+ fd = open(self.getFileContextDir()+"/file_contexts.homedirs", "w")
+ fd.write(self.genoutput())
+ fd.close()
+ except IOError, error:
+ sys.stderr.write("%s: %s\n" % ( sys.argv[0], error ))
+
+
+
+#
+# This script will generate home dir file context
+# based off the homedir_template file, entries in the password file, and
+#
+try:
+ usepwd=1
+ directory="/etc/selinux"
+ type=None
+ gopts, cmds = getopt.getopt(sys.argv[1:], 'nd:t:', ['help',
+ 'type=',
+ 'nopasswd',
+ 'dir='])
+ for o,a in gopts:
+ if o == '--type' or o == "-t":
+ type=a
+ if o == '--nopasswd' or o == "-n":
+ usepwd=0
+ if o == '--dir' or o == "-d":
+ directory=a
+ if o == '--help':
+ usage()
+
+
+ if type==None:
+ type=getSELinuxType(directory)
+
+ if len(cmds) == 2:
+ oldgenhomedircon(cmds[0], cmds[1])
+ sys.exit(0)
+
+ if len(cmds) != 0:
+ usage()
+ selconf=selinuxConfig(directory, type, usepwd)
+ selconf.write()
+
+except getopt.error, error:
+ errorExit(string.join("Options Error ", error))
+except ValueError, error:
+ errorExit(string.join("ValueError ", error))
+except IndexError, error:
+ errorExit("IndexError")
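Review bot: Values read from the account database and the users files are interpolated straight into shell command strings: in getHomeDirContext the `home` argument comes from pwd.getpwnam and is formatted into `sed -e 's|HOME_DIR|%s|'` unquoted, and the same pattern appears in getHomeRootContext, checkExists (where `home` is additionally used as an unescaped extended regex in `grep -E '^%s[^[:alnum:]_-]'`), update and getUsers (where `filecontextdir` comes from argv). A home directory or user name containing a quote, `|`, `;` or backtick therefore corrupts the generated file_contexts.homedirs at best and runs as the invoking user, normally root, at worst; whether such values can actually be planted depends on where accounts come from (local passwd versus NIS/LDAP), which this script cannot know. Since the sed expressions are plain first-occurrence substitutions, the safe fix is to read the template in Python and do the replacement there, which also drops the dependency on the grep/sed binaries; getHomeRootContext should get the same treatment. write() should additionally write to a temporary file and rename it into place so a failure midway does not leave a truncated file_contexts.homedirs behind.
```python
    def getHomeDirContext(self, user, home, role):
        ret="\n\n#\n# Context for user %s\n#\n\n" % user
        # Substitute in Python rather than through grep/sed: home, role and
        # user come from the passwd database and the users files and must
        # never be interpolated into a shell command line.
        template = open(self.getHomeDirTemplate())
        try:
            lines = []
            for line in template:
                if not line.startswith("HOME_DIR"):
                    continue
                line = line.rstrip("\n")
                # same first-occurrence semantics as the former sed -e chain
                line = line.replace("HOME_DIR", home, 1)
                line = line.replace("ROLE", role, 1)
                line = line.replace("system_u", user, 1)
                lines.append(line)
        finally:
            template.close()
        return ret + "\n".join(lines) + "\n"
```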
diff --git a/support/gennetfilter.py b/support/gennetfilter.py
new file mode 100644
index 00000000..866db91a
--- /dev/null
+++ b/support/gennetfilter.py
@@ -0,0 +1,163 @@
+#!/usr/bin/python
+
+# Author: Chris PeBenito <cpebenito@tresys.com>
+#
+# Copyright (C) 2006 Tresys Technology, LLC
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 2.
+
+import sys,string,getopt,re
+
+NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")
+
+DEFAULT_INPUT_PACKET = "server_packet_t"
+DEFAULT_OUTPUT_PACKET = "client_packet_t"
+DEFAULT_MCS = "s0"
+DEFAULT_MLS = "s0"
+
+PACKET_INPUT = "_server_packet_t"
+PACKET_OUTPUT = "_client_packet_t"
+
+class Port:
+ def __init__(self, proto, num, mls_sens, mcs_cats=""):
+ # protocol of the port
+ self.proto = proto
+
+ # port number
+ self.num = num
+
+ # MLS sensitivity
+ self.mls_sens = mls_sens
+
+ # MCS categories
+ # not currently supported, so we always get s0
+ self.mcs_cats = DEFAULT_MCS
+
+class Packet:
+ def __init__(self, prefix, ports):
+ # prefix
+ self.prefix = prefix
+
+ # A list of Ports
+ self.ports = ports
+
+def print_input_rules(packets,mls,mcs):
+ line = "base -A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
+ if mls:
+ line += ":"+DEFAULT_MLS
+ elif mcs:
+ line += ":"+DEFAULT_MCS
+
+ print line
+
+ for i in packets:
+ for j in i.ports:
+ line="base -A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
+ if mls:
+ line += ":"+j.mls_sens
+ elif mcs:
+ line += ":"+j.mcs_cats
+ print line
+
+ print "post -A selinux_new_input -j CONNSECMARK --save"
+ print "post -A selinux_new_input -j RETURN"
+
+def print_output_rules(packets,mls,mcs):
+ line = "base -A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
+ if mls:
+ line += ":"+DEFAULT_MLS
+ elif mcs:
+ line += ":"+DEFAULT_MCS
+ print line
+
+ for i in packets:
+ for j in i.ports:
+ line = "base -A selinux_new_output -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT
+ if mls:
+ line += ":"+j.mls_sens
+ elif mcs:
+ line += ":"+j.mcs_cats
+ print line
+
+ print "post -A selinux_new_output -j CONNSECMARK --save"
+ print "post -A selinux_new_output -j RETURN"
+
+def parse_corenet(file_name):
+ packets = []
+
+ corenet_te_in = open(file_name, "r")
+
+ while True:
+ corenet_line = corenet_te_in.readline()
+
+ # If EOF has been reached:
+ if not corenet_line:
+ break
+
+ if NETPORT.match(corenet_line):
+ corenet_line = corenet_line.strip();
+
+ # parse out the parameters
+ openparen = string.find(corenet_line,'(')+1
+ closeparen = string.find(corenet_line,')',openparen)
+ parms = re.split('\W+',corenet_line[openparen:closeparen])
+ name = parms[0]
+ del parms[0];
+
+ ports = []
+ while len(parms) > 0:
+ # add a port combination.
+ ports.append(Port(parms[0],parms[1],parms[2]))
+ del parms[:3]
+
+ packets.append(Packet(name,ports))
+
+ corenet_te_in.close()
+
+ return packets
+
+def print_netfilter_config(packets,mls,mcs):
+ print "pre *mangle"
+ print "pre :PREROUTING ACCEPT [0:0]"
+ print "pre :INPUT ACCEPT [0:0]"
+ print "pre :FORWARD ACCEPT [0:0]"
+ print "pre :OUTPUT ACCEPT [0:0]"
+ print "pre :POSTROUTING ACCEPT [0:0]"
+ print "pre :selinux_input - [0:0]"
+ print "pre :selinux_output - [0:0]"
+ print "pre :selinux_new_input - [0:0]"
+ print "pre :selinux_new_output - [0:0]"
+ print "pre -A INPUT -j selinux_input"
+ print "pre -A OUTPUT -j selinux_output"
+ print "pre -A selinux_input -m state --state NEW -j selinux_new_input"
+ print "pre -A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
+ print "pre -A selinux_output -m state --state NEW -j selinux_new_output"
+ print "pre -A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
+ print_input_rules(packets,mls,mcs)
+ print_output_rules(packets,mls,mcs)
+ print "post COMMIT"
+
+mls = False
+mcs = False
+
+try:
+ opts, paths = getopt.getopt(sys.argv[1:],'mc',['mls','mcs'])
+except getopt.GetoptError, error:
+ print "Invalid options."
+ sys.exit(1)
+
+for o, a in opts:
+ if o in ("-c","--mcs"):
+ mcs = True
+ if o in ("-m","--mls"):
+ mls = True
+
+if len(paths) == 0:
+ sys.stderr.write("Need a path for corenetwork.te.in!\n")
+ sys.exit(1)
+elif len(paths) > 1:
+ sys.stderr.write("Ignoring extra specified paths\n")
+
+packets=parse_corenet(paths[0])
+print_netfilter_config(packets,mls,mcs)
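Review bot: print_input_rules and print_output_rules emit the catch-all `server_packet_t`/`client_packet_t` SECMARK rule before the per-port rules and nothing says why; as far as I can tell the generator relies on SECMARK being a non-terminating target so that a later, more specific `--dport` match overrides the default label, and a comment such as `# catch-all first: SECMARK does not stop traversal, so the last matching rule wins` above the first `line = ...` in each function would keep a future reorder from silently relabelling every packet with the default type. Separately, the getopt failure handler prints `Invalid options.` to stdout, which is also where the generated netfilter configuration goes, so a caller redirecting output gets the message in the config file instead of on the terminal; use `sys.stderr.write("Invalid options.\n")` as the other error paths already do. When both `-m` and `-c` are given, MLS silently wins in every `if mls: ... elif mcs:` chain; rejecting the combination up front, or documenting the precedence next to the option parsing, would be clearer.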
diff --git a/support/get_type_attr_decl.sed b/support/get_type_attr_decl.sed
new file mode 100644
index 00000000..69c6ccd4
--- /dev/null
+++ b/support/get_type_attr_decl.sed
@@ -0,0 +1,13 @@
+#n
+# print out type and attribute declarations that
+# are not inside require and optional blocks.
+
+/require \{/,/} # end require/b nextline
+/optional \{/,/} # end optional/b nextline
+
+/^[[:blank:]]*(attribute(_role)?|type(alias)?|bool) /{
+ s/^[[:blank:]]+//
+ p
+}
+
+:nextline
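Review bot: The address patterns use extended-regex syntax (`(attribute(_role)?|type(alias)?|bool)` with unescaped grouping, `?` and `|`, and `\{` as a literal brace), so this script only behaves as intended when sed is run with `-r`/`-E`; under plain `sed -f` those characters are BRE literals or an invalid interval, so it either errors out or prints nothing. The invocation is not in this hunk, so I cannot confirm which form the build uses; a comment after the `#n` line, `# requires GNU sed -r (ERE): grouping, ? and | are used unescaped`, would make the dependency explicit. The range terminators `} # end require` and `} # end optional` also assume those exact trailing comments are present in every input file, which is worth stating in the same header.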
diff --git a/support/iferror.m4 b/support/iferror.m4
new file mode 100644
index 00000000..a3f36f89
--- /dev/null
+++ b/support/iferror.m4
@@ -0,0 +1 @@
+ifdef(`__if_error',`m4exit(1)')
diff --git a/support/pyplate.py b/support/pyplate.py
new file mode 100644
index 00000000..c7532cc5
--- /dev/null
+++ b/support/pyplate.py
@@ -0,0 +1,364 @@
+"""PyPlate : a simple Python-based templating program
+
+PyPlate parses a file and replaces directives (in double square brackets [[ ... ]])
+by various means using a given dictionary of variables. Arbitrary Python code
+can be run inside many of the directives, making this system highly flexible.
+
+Usage:
+# Load and parse template file
+template = pyplate.Template("output") (filename or string)
+# Execute it with a dictionary of variables
+template.execute_file(output_stream, locals())
+
+PyPlate defines the following directives:
+ [[...]] evaluate the arbitrary Python expression and insert the
+ result into the output
+
+ [[# ... #]] comment.
+
+ [[exec ...]] execute arbitrary Python code in the sandbox namespace
+
+ [[if ...]] conditional expressions with usual Python semantics
+ [[elif ...]]
+ [[else]]
+ [[end]]
+
+ [[for ... in ...]] for-loop with usual Python semantics
+ [[end]]
+
+ [[def ...(...)]] define a "function" out of other templating elements
+ [[end]]
+
+ [[call ...]] call a templating function (not a regular Python function)
+"""
+
+#
+# Copyright (C) 2002 Michael Droettboom
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+
+from __future__ import nested_scopes
+import sys, string, re, cStringIO
+
+re_directive = re.compile("\[\[(.*)\]\]")
+re_for_loop = re.compile("for (.*) in (.*)")
+re_if = re.compile("if (.*)")
+re_elif = re.compile("elif (.*)")
+re_def = re.compile("def (.*?)\((.*)\)")
+re_call = re.compile("call (.*?)\((.*)\)")
+re_exec = re.compile("exec (.*)")
+re_comment = re.compile("#(.*)#")
+
+############################################################
+# Template parser
+class ParserException(Exception):
+ def __init__(self, lineno, s):
+ Exception.__init__(self, "line %d: %s" % (lineno, s))
+
+class Template:
+ def __init__(self, filename=None):
+ if filename != None:
+ try:
+ self.parse_file(filename)
+ except:
+ self.parse_string(filename)
+
+ def parse_file(self, filename):
+ file = open(filename, 'r')
+ self.parse(file)
+ file.close()
+
+ def parse_string(self, template):
+ file = cStringIO.StringIO(template)
+ self.parse(file)
+ file.close()
+
+ def parse(self, file):
+ self.file = file
+ self.line = self.file.read()
+ self.lineno = 0
+ self.functions = {}
+ self.tree = TopLevelTemplateNode(self)
+
+ def parser_get(self):
+ if self.line == '':
+ return None
+ return self.line
+
+ def parser_eat(self, chars):
+ self.lineno = self.lineno + self.line[:chars].count("\n")
+ self.line = self.line[chars:]
+
+ def parser_exception(self, s):
+ raise ParserException(self.lineno, s)
+
+ def execute_file(self, filename, data):
+ file = open(filename, 'w')
+ self.execute(file, data)
+ file.close()
+
+ def execute_string(self, data):
+ s = cStringIO.StringIO()
+ self.execute(s, data)
+ return s.getvalue()
+
+ def execute_stdout(self, data):
+ self.execute(sys.stdout, data)
+
+ def execute(self, stream=sys.stdout, data={}):
+ self.tree.execute(stream, data)
+
+ def __repr__(self):
+ return repr(self.tree)
+
+
+############################################################
+# NODES
+class TemplateNode:
+ def __init__(self, parent, s):
+ self.parent = parent
+ self.s = s
+ self.node_list = []
+ while 1:
+ new_node = TemplateNodeFactory(parent)
+ if self.add_node(new_node):
+ break
+
+ def add_node(self, node):
+ if node == 'end':
+ return 1
+ elif node != None:
+ self.node_list.append(node)
+ else:
+ raise self.parent.parser_exception(
+ "[[%s]] does not have a matching [[end]]" % self.s)
+
+ def execute(self, stream, data):
+ for node in self.node_list:
+ node.execute(stream, data)
+
+ def __repr__(self):
+ r = "<" + self.__class__.__name__ + " "
+ for i in self.node_list:
+ r = r + repr(i)
+ r = r + ">"
+ return r
+
+class TopLevelTemplateNode(TemplateNode):
+ def __init__(self, parent):
+ TemplateNode.__init__(self, parent, '')
+
+ def add_node(self, node):
+ if node != None:
+ self.node_list.append(node)
+ else:
+ return 1
+
+class ForTemplateNode(TemplateNode):
+ def __init__(self, parent, s):
+ TemplateNode.__init__(self, parent, s)
+ match = re_for_loop.match(s)
+ if match == None:
+ raise self.parent.parser_exception(
+ "[[%s]] is not a valid for-loop expression" % self.s)
+ else:
+ self.vars_temp = match.group(1).split(",")
+ self.vars = []
+ for v in self.vars_temp:
+ self.vars.append(v.strip())
+ #print self.vars
+ self.expression = match.group(2)
+
+ def execute(self, stream, data):
+ remember_vars = {}
+ for var in self.vars:
+ if data.has_key(var):
+ remember_vars[var] = data[var]
+ for list in eval(self.expression, globals(), data):
+ if is_sequence(list):
+ for index, value in enumerate(list):
+ data[self.vars[index]] = value
+ else:
+ data[self.vars[0]] = list
+ TemplateNode.execute(self, stream, data)
+ for key, value in remember_vars.items():
+ data[key] = value
+
+class IfTemplateNode(TemplateNode):
+ def __init__(self, parent, s):
+ self.else_node = None
+ TemplateNode.__init__(self, parent, s)
+ match = re_if.match(s)
+ if match == None:
+ raise self.parent.parser_exception(
+ "[[%s]] is not a valid if expression" % self.s)
+ else:
+ self.expression = match.group(1)
+
+ def add_node(self, node):
+ if node == 'end':
+ return 1
+ elif isinstance(node, ElseTemplateNode):
+ self.else_node = node
+ return 1
+ elif isinstance(node, ElifTemplateNode):
+ self.else_node = node
+ return 1
+ elif node != None:
+ self.node_list.append(node)
+ else:
+ raise self.parent.parser_exception(
+ "[[%s]] does not have a matching [[end]]" % self.s)
+
+ def execute(self, stream, data):
+ if eval(self.expression, globals(), data):
+ TemplateNode.execute(self, stream, data)
+ elif self.else_node != None:
+ self.else_node.execute(stream, data)
+
+class ElifTemplateNode(IfTemplateNode):
+ def __init__(self, parent, s):
+ self.else_node = None
+ TemplateNode.__init__(self, parent, s)
+ match = re_elif.match(s)
+ if match == None:
+ self.parent.parser_exception(
+ "[[%s]] is not a valid elif expression" % self.s)
+ else:
+ self.expression = match.group(1)
+
+class ElseTemplateNode(TemplateNode):
+ pass
+
+class FunctionTemplateNode(TemplateNode):
+ def __init__(self, parent, s):
+ TemplateNode.__init__(self, parent, s)
+ match = re_def.match(s)
+ if match == None:
+ self.parent.parser_exception(
+ "[[%s]] is not a valid function definition" % self.s)
+ self.function_name = match.group(1)
+ self.vars_temp = match.group(2).split(",")
+ self.vars = []
+ for v in self.vars_temp:
+ self.vars.append(v.strip())
+ #print self.vars
+ self.parent.functions[self.function_name] = self
+
+ def execute(self, stream, data):
+ pass
+
+ def call(self, args, stream, data):
+ remember_vars = {}
+ for index, var in enumerate(self.vars):
+ if data.has_key(var):
+ remember_vars[var] = data[var]
+ data[var] = args[index]
+ TemplateNode.execute(self, stream, data)
+ for key, value in remember_vars.items():
+ data[key] = value
+
+class LeafTemplateNode(TemplateNode):
+ def __init__(self, parent, s):
+ self.parent = parent
+ self.s = s
+
+ def execute(self, stream, data):
+ stream.write(self.s)
+
+ def __repr__(self):
+ return "<" + self.__class__.__name__ + ">"
+
+class CommentTemplateNode(LeafTemplateNode):
+ def execute(self, stream, data):
+ pass
+
+class ExpressionTemplateNode(LeafTemplateNode):
+ def execute(self, stream, data):
+ stream.write(str(eval(self.s, globals(), data)))
+
+class ExecTemplateNode(LeafTemplateNode):
+ def __init__(self, parent, s):
+ LeafTemplateNode.__init__(self, parent, s)
+ match = re_exec.match(s)
+ if match == None:
+ self.parent.parser_exception(
+ "[[%s]] is not a valid statement" % self.s)
+ self.s = match.group(1)
+
+ def execute(self, stream, data):
+ exec(self.s, globals(), data)
+ pass
+
+class CallTemplateNode(LeafTemplateNode):
+ def __init__(self, parent, s):
+ LeafTemplateNode.__init__(self, parent, s)
+ match = re_call.match(s)
+ if match == None:
+ self.parent.parser_exception(
+ "[[%s]] is not a valid function call" % self.s)
+ self.function_name = match.group(1)
+ self.vars = "(" + match.group(2).strip() + ",)"
+
+ def execute(self, stream, data):
+ self.parent.functions[self.function_name].call(
+ eval(self.vars, globals(), data), stream, data)
+
+
+############################################################
+# Node factory
+template_factory_type_map = {
+ 'if' : IfTemplateNode,
+ 'for' : ForTemplateNode,
+ 'elif' : ElifTemplateNode,
+ 'else' : ElseTemplateNode,
+ 'def' : FunctionTemplateNode,
+ 'call' : CallTemplateNode,
+ 'exec' : ExecTemplateNode }
+template_factory_types = template_factory_type_map.keys()
+
+def TemplateNodeFactory(parent):
+ src = parent.parser_get()
+
+ if src == None:
+ return None
+ match = re_directive.search(src)
+ if match == None:
+ parent.parser_eat(len(src))
+ return LeafTemplateNode(parent, src)
+ elif src == '' or match.start() != 0:
+ parent.parser_eat(match.start())
+ return LeafTemplateNode(parent, src[:match.start()])
+ else:
+ directive = match.group()[2:-2].strip()
+ parent.parser_eat(match.end())
+ if directive == 'end':
+ return 'end'
+ elif re_comment.match(directive):
+ return CommentTemplateNode(parent, directive)
+ else:
+ for i in template_factory_types:
+ if directive[0:len(i)] == i:
+ return template_factory_type_map[i](parent, directive)
+ return ExpressionTemplateNode(parent, directive)
+
+def is_sequence(object):
+ try:
+ test = object[0:0]
+ except:
+ return False
+ else:
+ return True
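Review bot: The bare `except:` in `Template.__init__` around `self.parse_file(filename)` turns every failure into a string parse: a mistyped template path is silently rendered as the literal path text, and a `ParserException` raised part-way through a real file is discarded while the file name is re-parsed instead. Narrowing it to `except IOError:` keeps the filename-or-string convenience while letting genuine parse errors surface. Separately, `def execute(self, stream=sys.stdout, data={})` uses a mutable default that `ForTemplateNode.execute` and `FunctionTemplateNode.call` write into via `data[var] = ...` (only pre-existing keys are restored, new ones stay), so loop variables leak between calls made without an explicit dict; `data=None` followed by `if data is None: data = {}` avoids that. Since `[[...]]`, `[[exec ...]]` and `[[for ...]]` are evaluated with `eval`/`exec` against `globals()`, the module docstring should also state plainly that templates are trusted build inputs, not data to be rendered from untrusted sources.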
diff --git a/support/sedoctool.py b/support/sedoctool.py
new file mode 100644
index 00000000..5bbaf763
--- /dev/null
+++ b/support/sedoctool.py
@@ -0,0 +1,847 @@
+#!/usr/bin/python
+
+# Author: Joshua Brindle <jbrindle@tresys.com>
+# Caleb Case <ccase@tresys.com>
+#
+# Copyright (C) 2005 - 2006 Tresys Technology, LLC
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 2.
+
+"""
+ This module generates configuration files and documentation from the
+ SELinux reference policy XML format.
+"""
+
+import sys
+import getopt
+import pyplate
+import os
+import string
+from xml.dom.minidom import parse, parseString
+
+#modules enabled and disabled values
+MOD_BASE = "base"
+MOD_ENABLED = "module"
+MOD_DISABLED = "off"
+
+#booleans enabled and disabled values
+BOOL_ENABLED = "true"
+BOOL_DISABLED = "false"
+
+#tunables enabled and disabled values
+TUN_ENABLED = "true"
+TUN_DISABLED = "false"
+
+
+def read_policy_xml(filename):
+ """
+ Takes in XML from a file and returns a parsed file.
+ """
+
+ try:
+ xml_fh = open(filename)
+ except:
+ error("error opening " + filename)
+
+ try:
+ doc = parseString(xml_fh.read())
+ except:
+ xml_fh.close()
+ error("Error while parsing xml")
+
+ xml_fh.close()
+ return doc
+
+def gen_booleans_conf(doc, file_name, namevalue_list):
+ """
+ Generates the booleans configuration file using the XML provided and the
+ previous booleans configuration.
+ """
+
+ for node in doc.getElementsByTagName("bool"):
+ for desc in node.getElementsByTagName("desc"):
+ bool_desc = format_txt_desc(desc)
+ s = string.split(bool_desc, "\n")
+ file_name.write("#\n")
+ for line in s:
+ file_name.write("# %s\n" % line)
+
+ bool_name = bool_val = None
+ for (name, value) in node.attributes.items():
+ if name == "name":
+ bool_name = value
+ elif name == "dftval":
+ bool_val = value
+
+ if [bool_name,BOOL_ENABLED] in namevalue_list:
+ bool_val = BOOL_ENABLED
+ elif [bool_name,BOOL_DISABLED] in namevalue_list:
+ bool_val = BOOL_DISABLED
+
+ if bool_name and bool_val:
+ file_name.write("%s = %s\n\n" % (bool_name, bool_val))
+ bool_name = bool_val = None
+
+ # tunables are currently implemented as booleans
+ for node in doc.getElementsByTagName("tunable"):
+ for desc in node.getElementsByTagName("desc"):
+ bool_desc = format_txt_desc(desc)
+ s = string.split(bool_desc, "\n")
+ file_name.write("#\n")
+ for line in s:
+ file_name.write("# %s\n" % line)
+
+ bool_name = bool_val = None
+ for (name, value) in node.attributes.items():
+ if name == "name":
+ bool_name = value
+ elif name == "dftval":
+ bool_val = value
+
+ if [bool_name,BOOL_ENABLED] in namevalue_list:
+ bool_val = BOOL_ENABLED
+ elif [bool_name,BOOL_DISABLED] in namevalue_list:
+ bool_val = BOOL_DISABLED
+
+ if bool_name and bool_val:
+ file_name.write("%s = %s\n\n" % (bool_name, bool_val))
+ bool_name = bool_val = None
+
+def gen_module_conf(doc, file_name, namevalue_list):
+ """
+ Generates the module configuration file using the XML provided and the
+ previous module configuration.
+ """
+ # If file exists, preserve settings and modify if needed.
+ # Otherwise, create it.
+
+ file_name.write("#\n# This file contains a listing of available modules.\n")
+ file_name.write("# To prevent a module from being used in policy\n")
+ file_name.write("# creation, set the module name to \"%s\".\n#\n" % MOD_DISABLED)
+ file_name.write("# For monolithic policies, modules set to \"%s\" and \"%s\"\n" % (MOD_BASE, MOD_ENABLED))
+ file_name.write("# will be built into the policy.\n#\n")
+ file_name.write("# For modular policies, modules set to \"%s\" will be\n" % MOD_BASE)
+ file_name.write("# included in the base module. \"%s\" will be compiled\n" % MOD_ENABLED)
+ file_name.write("# as individual loadable modules.\n#\n\n")
+
+ # For required in [True,False] is present so that the requiered modules
+ # are at the top of the config file.
+ for required in [True,False]:
+ for node in doc.getElementsByTagName("module"):
+ mod_req = False
+ for req in node.getElementsByTagName("required"):
+ if req.getAttribute("val") == "true":
+ mod_req = True
+
+ # Skip if we arnt working on the right set of modules.
+ if mod_req and not required or not mod_req and required:
+ continue
+
+
+ mod_name = mod_layer = None
+
+ mod_name = node.getAttribute("name")
+ mod_layer = node.parentNode.getAttribute("name")
+
+ if mod_name and mod_layer:
+ file_name.write("# Layer: %s\n# Module: %s\n" % (mod_layer,mod_name))
+ if required:
+ file_name.write("# Required in base\n")
+ file_name.write("#\n")
+
+ for desc in node.getElementsByTagName("summary"):
+ if not desc.parentNode == node:
+ continue
+ s = string.split(format_txt_desc(desc), "\n")
+ for line in s:
+ file_name.write("# %s\n" % line)
+
+ # If the module is set as disabled.
+ if [mod_name, MOD_DISABLED] in namevalue_list:
+ file_name.write("%s = %s\n\n" % (mod_name, MOD_DISABLED))
+ # If the module is set as enabled.
+ elif [mod_name, MOD_ENABLED] in namevalue_list:
+ file_name.write("%s = %s\n\n" % (mod_name, MOD_ENABLED))
+ # If the module is set as base.
+ elif [mod_name, MOD_BASE] in namevalue_list:
+ file_name.write("%s = %s\n\n" % (mod_name, MOD_BASE))
+ # If the module is a new module.
+ else:
+ # Set the module to base if it is marked as required.
+ if mod_req:
+ file_name.write("%s = %s\n\n" % (mod_name, MOD_BASE))
+ # Set the module to enabled if it is not required.
+ else:
+ file_name.write("%s = %s\n\n" % (mod_name, MOD_ENABLED))
+
+def get_conf(conf):
+ """
+ Returns a list of [name, value] pairs from a config file with the format
+ name = value
+ """
+
+ conf_lines = conf.readlines()
+
+ namevalue_list = []
+ for i in range(0,len(conf_lines)):
+ line = conf_lines[i]
+ if line.strip() != '' and line.strip()[0] != "#":
+ namevalue = line.strip().split("=")
+ if len(namevalue) != 2:
+ warning("line %d: \"%s\" is not a valid line, skipping"\
+ % (i, line.strip()))
+ continue
+
+ namevalue[0] = namevalue[0].strip()
+ if len(namevalue[0].split()) > 1:
+ warning("line %d: \"%s\" is not a valid line, skipping"\
+ % (i, line.strip()))
+ continue
+
+ namevalue[1] = namevalue[1].strip()
+ if len(namevalue[1].split()) > 1:
+ warning("line %d: \"%s\" is not a valid line, skipping"\
+ % (i, line.strip()))
+ continue
+
+ namevalue_list.append(namevalue)
+
+ return namevalue_list
+
+def first_cmp(a, b):
+ """
+ Compares the two first elements of a list instead of the entire list.
+ """
+
+ return cmp(a[0], b[0])
+
+def int_cmp(a, b):
+ """
+ Compares two interfaces.
+ """
+
+ return cmp(a["interface_name"], b["interface_name"])
+
+def temp_cmp(a, b):
+ """
+ Compares two templates.
+ """
+
+ return cmp(a["template_name"], b["template_name"])
+
+def tun_cmp(a, b):
+ """
+ Compares two tunables.
+ """
+
+ return cmp(a["tun_name"], b["tun_name"])
+def bool_cmp(a, b):
+ """
+ Compares two booleans.
+ """
+
+ return cmp(a["bool_name"], b["bool_name"])
+
+def gen_doc_menu(mod_layer, module_list):
+ """
+ Generates the HTML document menu.
+ """
+
+ menu = []
+ for layer, value in module_list.iteritems():
+ cur_menu = (layer, [])
+ menu.append(cur_menu)
+ if layer != mod_layer and mod_layer != None:
+ continue
+ #we are in our layer so fill in the other modules or we want them all
+ for mod, desc in value.iteritems():
+ cur_menu[1].append((mod, desc))
+
+ menu.sort(first_cmp)
+ for x in menu:
+ x[1].sort(first_cmp)
+ return menu
+
+def format_html_desc(node):
+ """
+ Formats a XML node into a HTML format.
+ """
+
+ desc_buf = ''
+ for desc in node.childNodes:
+ if desc.nodeName == "#text":
+ if desc.data is not '':
+ if desc.parentNode.nodeName != "p":
+ desc_buf += "<p>" + desc.data + "</p>"
+ else:
+ desc_buf += desc.data
+ else:
+ desc_buf += "<" + desc.nodeName + ">" \
+ + format_html_desc(desc) \
+ + "</" + desc.nodeName +">"
+
+ return desc_buf
+
+def format_txt_desc(node):
+ """
+ Formats a XML node into a plain text format.
+ """
+
+ desc_buf = ''
+ for desc in node.childNodes:
+ if desc.nodeName == "#text":
+ desc_buf += desc.data + "\n"
+ elif desc.nodeName == "p":
+ desc_buf += desc.firstChild.data + "\n"
+ for chld in desc.childNodes:
+ if chld.nodeName == "ul":
+ desc_buf += "\n"
+ for li in chld.getElementsByTagName("li"):
+ desc_buf += "\t -" + li.firstChild.data + "\n"
+
+ return desc_buf.strip() + "\n"
+
+def gen_docs(doc, working_dir, templatedir):
+ """
+ Generates all the documentation.
+ """
+
+ try:
+ #get the template data ahead of time so we don't reopen them over and over
+ bodyfile = open(templatedir + "/header.html", "r")
+ bodydata = bodyfile.read()
+ bodyfile.close()
+ intfile = open(templatedir + "/interface.html", "r")
+ intdata = intfile.read()
+ intfile.close()
+ templatefile = open(templatedir + "/template.html", "r")
+ templatedata = templatefile.read()
+ templatefile.close()
+ tunfile = open(templatedir + "/tunable.html", "r")
+ tundata = tunfile.read()
+ tunfile.close()
+ boolfile = open(templatedir + "/boolean.html", "r")
+ booldata = boolfile.read()
+ boolfile.close()
+ menufile = open(templatedir + "/menu.html", "r")
+ menudata = menufile.read()
+ menufile.close()
+ indexfile = open(templatedir + "/module_list.html","r")
+ indexdata = indexfile.read()
+ indexfile.close()
+ modulefile = open(templatedir + "/module.html","r")
+ moduledata = modulefile.read()
+ modulefile.close()
+ intlistfile = open(templatedir + "/int_list.html", "r")
+ intlistdata = intlistfile.read()
+ intlistfile.close()
+ templistfile = open(templatedir + "/temp_list.html", "r")
+ templistdata = templistfile.read()
+ templistfile.close()
+ tunlistfile = open(templatedir + "/tun_list.html", "r")
+ tunlistdata = tunlistfile.read()
+ tunlistfile.close()
+ boollistfile = open(templatedir + "/bool_list.html", "r")
+ boollistdata = boollistfile.read()
+ boollistfile.close()
+ gboollistfile = open(templatedir + "/global_bool_list.html", "r")
+ gboollistdata = gboollistfile.read()
+ gboollistfile.close()
+ gtunlistfile = open(templatedir + "/global_tun_list.html", "r")
+ gtunlistdata = gtunlistfile.read()
+ gtunlistfile.close()
+ except:
+ error("Could not open templates")
+
+
+ try:
+ os.chdir(working_dir)
+ except:
+ error("Could not chdir to target directory")
+
+
+#arg, i have to go through this dom tree ahead of time to build up the menus
+ module_list = {}
+ for node in doc.getElementsByTagName("module"):
+ mod_name = mod_layer = interface_buf = ''
+
+ mod_name = node.getAttribute("name")
+ mod_layer = node.parentNode.getAttribute("name")
+
+ for desc in node.getElementsByTagName("summary"):
+ if desc.parentNode == node and desc:
+ mod_summary = format_html_desc(desc)
+ if not module_list.has_key(mod_layer):
+ module_list[mod_layer] = {}
+
+ module_list[mod_layer][mod_name] = mod_summary
+
+#generate index pages
+ main_content_buf = ''
+ for mod_layer,modules in module_list.iteritems():
+ menu = gen_doc_menu(mod_layer, module_list)
+
+ layer_summary = None
+ for desc in doc.getElementsByTagName("summary"):
+ if desc.parentNode.getAttribute("name") == mod_layer:
+ layer_summary = format_html_desc(desc)
+
+ menu_args = { "menulist" : menu,
+ "mod_layer" : mod_layer,
+ "layer_summary" : layer_summary }
+ menu_tpl = pyplate.Template(menudata)
+ menu_buf = menu_tpl.execute_string(menu_args)
+
+ content_tpl = pyplate.Template(indexdata)
+ content_buf = content_tpl.execute_string(menu_args)
+
+ main_content_buf += content_buf
+
+ body_args = { "menu" : menu_buf,
+ "content" : content_buf }
+
+ index_file = mod_layer + ".html"
+ index_fh = open(index_file, "w")
+ body_tpl = pyplate.Template(bodydata)
+ body_tpl.execute(index_fh, body_args)
+ index_fh.close()
+
+ menu = gen_doc_menu(None, module_list)
+ menu_args = { "menulist" : menu,
+ "mod_layer" : None }
+ menu_tpl = pyplate.Template(menudata)
+ menu_buf = menu_tpl.execute_string(menu_args)
+
+ body_args = { "menu" : menu_buf,
+ "content" : main_content_buf }
+
+ index_file = "index.html"
+ index_fh = open(index_file, "w")
+ body_tpl = pyplate.Template(bodydata)
+ body_tpl.execute(index_fh, body_args)
+ index_fh.close()
+#now generate the individual module pages
+
+ all_interfaces = []
+ all_templates = []
+ all_tunables = []
+ all_booleans = []
+ for node in doc.getElementsByTagName("module"):
+ mod_name = mod_layer = mod_desc = interface_buf = ''
+
+ mod_name = node.getAttribute("name")
+ mod_layer = node.parentNode.getAttribute("name")
+
+ mod_req = None
+ for req in node.getElementsByTagName("required"):
+ if req.getAttribute("val") == "true":
+ mod_req = True
+
+ for desc in node.getElementsByTagName("summary"):
+ if desc.parentNode == node:
+ mod_summary = format_html_desc(desc)
+ for desc in node.getElementsByTagName("desc"):
+ if desc.parentNode == node:
+ mod_desc = format_html_desc(desc)
+
+ interfaces = []
+ for interface in node.getElementsByTagName("interface"):
+ interface_parameters = []
+ interface_desc = interface_summary = None
+ interface_name = interface.getAttribute("name")
+ interface_line = interface.getAttribute("lineno")
+ for desc in interface.childNodes:
+ if desc.nodeName == "desc":
+ interface_desc = format_html_desc(desc)
+ elif desc.nodeName == "summary":
+ interface_summary = format_html_desc(desc)
+
+ for args in interface.getElementsByTagName("param"):
+ for desc in args.getElementsByTagName("summary"):
+ paramdesc = format_html_desc(desc)
+ paramname = args.getAttribute("name")
+ if args.getAttribute("optional") == "true":
+ paramopt = "Yes"
+ else:
+ paramopt = "No"
+ if args.getAttribute("unused") == "true":
+ paramunused = "Yes"
+ else:
+ paramunused = "No"
+ parameter = { "name" : paramname,
+ "desc" : paramdesc,
+ "optional" : paramopt,
+ "unused" : paramunused }
+ interface_parameters.append(parameter)
+ interfaces.append( { "interface_name" : interface_name,
+ "interface_summary" : interface_summary,
+ "interface_desc" : interface_desc,
+ "interface_parameters" : interface_parameters })
+ #all_interfaces is for the main interface index with all interfaces
+ all_interfaces.append( { "interface_name" : interface_name,
+ "interface_summary" : interface_summary,
+ "interface_desc" : interface_desc,
+ "interface_parameters" : interface_parameters,
+ "mod_name": mod_name,
+ "mod_layer" : mod_layer })
+ interfaces.sort(int_cmp)
+ interface_tpl = pyplate.Template(intdata)
+ interface_buf = interface_tpl.execute_string({"interfaces" : interfaces})
+
+
+# now generate individual template pages
+ templates = []
+ for template in node.getElementsByTagName("template"):
+ template_parameters = []
+ template_desc = template_summary = None
+ template_name = template.getAttribute("name")
+ template_line = template.getAttribute("lineno")
+ for desc in template.childNodes:
+ if desc.nodeName == "desc":
+ template_desc = format_html_desc(desc)
+ elif desc.nodeName == "summary":
+ template_summary = format_html_desc(desc)
+
+ for args in template.getElementsByTagName("param"):
+ for desc in args.getElementsByTagName("summary"):
+ paramdesc = format_html_desc(desc)
+ paramname = args.getAttribute("name")
+ if args.getAttribute("optional") == "true":
+ paramopt = "Yes"
+ else:
+ paramopt = "No"
+ if args.getAttribute("unused") == "true":
+ paramunused = "Yes"
+ else:
+ paramunused = "No"
+ parameter = { "name" : paramname,
+ "desc" : paramdesc,
+ "optional" : paramopt,
+ "unused": paramunused }
+ template_parameters.append(parameter)
+ templates.append( { "template_name" : template_name,
+ "template_summary" : template_summary,
+ "template_desc" : template_desc,
+ "template_parameters" : template_parameters })
+ #all_templates is for the main interface index with all templates
+ all_templates.append( { "template_name" : template_name,
+ "template_summary" : template_summary,
+ "template_desc" : template_desc,
+ "template_parameters" : template_parameters,
+ "mod_name": mod_name,
+ "mod_layer" : mod_layer })
+
+ templates.sort(temp_cmp)
+ template_tpl = pyplate.Template(templatedata)
+ template_buf = template_tpl.execute_string({"templates" : templates})
+
+ #generate 'boolean' pages
+ booleans = []
+ for boolean in node.getElementsByTagName("bool"):
+ boolean_parameters = []
+ boolean_desc = None
+ boolean_name = boolean.getAttribute("name")
+ boolean_dftval = boolean.getAttribute("dftval")
+ for desc in boolean.childNodes:
+ if desc.nodeName == "desc":
+ boolean_desc = format_html_desc(desc)
+
+ booleans.append({ "bool_name" : boolean_name,
+ "desc" : boolean_desc,
+ "def_val" : boolean_dftval })
+ #all_booleans is for the main boolean index with all booleans
+ all_booleans.append({ "bool_name" : boolean_name,
+ "desc" : boolean_desc,
+ "def_val" : boolean_dftval,
+ "mod_name": mod_name,
+ "mod_layer" : mod_layer })
+ booleans.sort(bool_cmp)
+ boolean_tpl = pyplate.Template(booldata)
+ boolean_buf = boolean_tpl.execute_string({"booleans" : booleans})
+
+ #generate 'tunable' pages
+ tunables = []
+ for tunable in node.getElementsByTagName("tunable"):
+ tunable_parameters = []
+ tunable_desc = None
+ tunable_name = tunable.getAttribute("name")
+ tunable_dftval = tunable.getAttribute("dftval")
+ for desc in tunable.childNodes:
+ if desc.nodeName == "desc":
+ tunable_desc = format_html_desc(desc)
+
+ tunables.append({ "tun_name" : tunable_name,
+ "desc" : tunable_desc,
+ "def_val" : tunable_dftval })
+ #all_tunables is for the main tunable index with all tunables
+ all_tunables.append({ "tun_name" : tunable_name,
+ "desc" : tunable_desc,
+ "def_val" : tunable_dftval,
+ "mod_name": mod_name,
+ "mod_layer" : mod_layer })
+ tunables.sort(tun_cmp)
+ tunable_tpl = pyplate.Template(tundata)
+ tunable_buf = tunable_tpl.execute_string({"tunables" : tunables})
+
+
+ menu = gen_doc_menu(mod_layer, module_list)
+
+ menu_tpl = pyplate.Template(menudata)
+ menu_buf = menu_tpl.execute_string({ "menulist" : menu })
+
+
+ # pyplate's execute_string gives us a line of whitespace in
+ # template_buf or interface_buf if there are no interfaces or
+ # templates for this module. This is problematic because the
+ # HTML templates use a conditional if on interface_buf or
+ # template_buf being 'None' to decide if the "Template:" or
+ # "Interface:" headers need to be printed in the module pages.
+ # This detects if either of these are just whitespace, and sets
+ # their values to 'None' so that when applying it to the
+ # templates, they are properly recognized as not existing.
+ if not interface_buf.strip():
+ interface_buf = None
+ if not template_buf.strip():
+ template_buf = None
+ if not tunable_buf.strip():
+ tunable_buf = None
+ if not boolean_buf.strip():
+ boolean_buf = None
+
+ module_args = { "mod_layer" : mod_layer,
+ "mod_name" : mod_name,
+ "mod_summary" : mod_summary,
+ "mod_desc" : mod_desc,
+ "mod_req" : mod_req,
+ "interfaces" : interface_buf,
+ "templates" : template_buf,
+ "tunables" : tunable_buf,
+ "booleans" : boolean_buf }
+
+ module_tpl = pyplate.Template(moduledata)
+ module_buf = module_tpl.execute_string(module_args)
+
+ body_args = { "menu" : menu_buf,
+ "content" : module_buf }
+
+ module_file = mod_layer + "_" + mod_name + ".html"
+ module_fh = open(module_file, "w")
+ body_tpl = pyplate.Template(bodydata)
+ body_tpl.execute(module_fh, body_args)
+ module_fh.close()
+
+
+ menu = gen_doc_menu(None, module_list)
+ menu_args = { "menulist" : menu,
+ "mod_layer" : None }
+ menu_tpl = pyplate.Template(menudata)
+ menu_buf = menu_tpl.execute_string(menu_args)
+
+ #build the interface index
+ all_interfaces.sort(int_cmp)
+ interface_tpl = pyplate.Template(intlistdata)
+ interface_buf = interface_tpl.execute_string({"interfaces" : all_interfaces})
+ int_file = "interfaces.html"
+ int_fh = open(int_file, "w")
+ body_tpl = pyplate.Template(bodydata)
+
+ body_args = { "menu" : menu_buf,
+ "content" : interface_buf }
+
+ body_tpl.execute(int_fh, body_args)
+ int_fh.close()
+
+
+ #build the template index
+ all_templates.sort(temp_cmp)
+ template_tpl = pyplate.Template(templistdata)
+ template_buf = template_tpl.execute_string({"templates" : all_templates})
+ temp_file = "templates.html"
+ temp_fh = open(temp_file, "w")
+ body_tpl = pyplate.Template(bodydata)
+
+ body_args = { "menu" : menu_buf,
+ "content" : template_buf }
+
+ body_tpl.execute(temp_fh, body_args)
+ temp_fh.close()
+
+
+ #build the global tunable index
+ global_tun = []
+ for tunable in doc.getElementsByTagName("tunable"):
+ if tunable.parentNode.nodeName == "policy":
+ tunable_name = tunable.getAttribute("name")
+ default_value = tunable.getAttribute("dftval")
+ for desc in tunable.getElementsByTagName("desc"):
+ description = format_html_desc(desc)
+ global_tun.append( { "tun_name" : tunable_name,
+ "def_val" : default_value,
+ "desc" : description } )
+ global_tun.sort(tun_cmp)
+ global_tun_tpl = pyplate.Template(gtunlistdata)
+ global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun})
+ global_tun_file = "global_tunables.html"
+ global_tun_fh = open(global_tun_file, "w")
+ body_tpl = pyplate.Template(bodydata)
+
+ body_args = { "menu" : menu_buf,
+ "content" : global_tun_buf }
+
+ body_tpl.execute(global_tun_fh, body_args)
+ global_tun_fh.close()
+
+ #build the tunable index
+ all_tunables = all_tunables + global_tun
+ all_tunables.sort(tun_cmp)
+ tunable_tpl = pyplate.Template(tunlistdata)
+ tunable_buf = tunable_tpl.execute_string({"tunables" : all_tunables})
+ temp_file = "tunables.html"
+ temp_fh = open(temp_file, "w")
+ body_tpl = pyplate.Template(bodydata)
+
+ body_args = { "menu" : menu_buf,
+ "content" : tunable_buf }
+
+ body_tpl.execute(temp_fh, body_args)
+ temp_fh.close()
+
+ #build the global boolean index
+ global_bool = []
+ for boolean in doc.getElementsByTagName("bool"):
+ if boolean.parentNode.nodeName == "policy":
+ bool_name = boolean.getAttribute("name")
+ default_value = boolean.getAttribute("dftval")
+ for desc in boolean.getElementsByTagName("desc"):
+ description = format_html_desc(desc)
+ global_bool.append( { "bool_name" : bool_name,
+ "def_val" : default_value,
+ "desc" : description } )
+ global_bool.sort(bool_cmp)
+ global_bool_tpl = pyplate.Template(gboollistdata)
+ global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool})
+ global_bool_file = "global_booleans.html"
+ global_bool_fh = open(global_bool_file, "w")
+ body_tpl = pyplate.Template(bodydata)
+
+ body_args = { "menu" : menu_buf,
+ "content" : global_bool_buf }
+
+ body_tpl.execute(global_bool_fh, body_args)
+ global_bool_fh.close()
+
+ #build the boolean index
+ all_booleans = all_booleans + global_bool
+ all_booleans.sort(bool_cmp)
+ boolean_tpl = pyplate.Template(boollistdata)
+ boolean_buf = boolean_tpl.execute_string({"booleans" : all_booleans})
+ temp_file = "booleans.html"
+ temp_fh = open(temp_file, "w")
+ body_tpl = pyplate.Template(bodydata)
+
+ body_args = { "menu" : menu_buf,
+ "content" : boolean_buf }
+
+ body_tpl.execute(temp_fh, body_args)
+ temp_fh.close()
+
+
+
+def error(error):
+ """
+ Print an error message and exit.
+ """
+
+ sys.stderr.write("%s exiting for: " % sys.argv[0])
+ sys.stderr.write("%s\n" % error)
+ sys.stderr.flush()
+ sys.exit(1)
+
+def warning(warn):
+ """
+ Print a warning message.
+ """
+
+ sys.stderr.write("%s warning: " % sys.argv[0])
+ sys.stderr.write("%s\n" % warn)
+
+def usage():
+ """
+ Describes the proper usage of this tool.
+ """
+
+ sys.stdout.write("%s [-tmdT] -x <xmlfile>\n\n" % sys.argv[0])
+ sys.stdout.write("Options:\n")
+ sys.stdout.write("-b --booleans <file> -- write boolean config to <file>\n")
+ sys.stdout.write("-m --modules <file> -- write module config to <file>\n")
+ sys.stdout.write("-d --docs <dir> -- write interface documentation to <dir>\n")
+ sys.stdout.write("-x --xml <file> -- filename to read xml data from\n")
+ sys.stdout.write("-T --templates <dir> -- template directory for documents\n")
+
+
+# MAIN PROGRAM
+try:
+ opts, args = getopt.getopt(sys.argv[1:], "b:m:d:x:T:", ["booleans","modules","docs","xml", "templates"])
+except getopt.GetoptError:
+ usage()
+ sys.exit(1)
+
+booleans = modules = docsdir = None
+templatedir = "templates/"
+xmlfile = "policy.xml"
+
+for opt, val in opts:
+ if opt in ("-b", "--booleans"):
+ booleans = val
+ if opt in ("-m", "--modules"):
+ modules = val
+ if opt in ("-d", "--docs"):
+ docsdir = val
+ if opt in ("-x", "--xml"):
+ xmlfile = val
+ if opt in ("-T", "--templates"):
+ templatedir = val
+
+doc = read_policy_xml(xmlfile)
+
+if booleans:
+ namevalue_list = []
+ if os.path.exists(booleans):
+ try:
+ conf = open(booleans, 'r')
+ except:
+ error("Could not open booleans file for reading")
+
+ namevalue_list = get_conf(conf)
+
+ conf.close()
+
+ try:
+ conf = open(booleans, 'w')
+ except:
+ error("Could not open booleans file for writing")
+
+ gen_booleans_conf(doc, conf, namevalue_list)
+ conf.close()
+
+
+if modules:
+ namevalue_list = []
+ if os.path.exists(modules):
+ try:
+ conf = open(modules, 'r')
+ except:
+ error("Could not open modules file for reading")
+ namevalue_list = get_conf(conf)
+ conf.close()
+
+ try:
+ conf = open(modules, 'w')
+ except:
+ error("Could not open modules file for writing")
+ gen_module_conf(doc, conf, namevalue_list)
+ conf.close()
+
+if docsdir:
+ gen_docs(doc, docsdir, templatedir)
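Review bot: `format_html_desc` splices `desc.data` straight into markup (`desc_buf += "<p>" + desc.data + "</p>"` and the `else` branch), but minidom has already decoded entities in text nodes, so a `<`, `>` or `&` in a policy description reaches the generated HTML unescaped and breaks the page; wrapping those two uses in `escape()` from `xml.sax.saxutils` (`from xml.sax.saxutils import escape`) keeps the output well-formed, and `format_txt_desc` needs no change since it emits plain text. Just above, `if desc.data is not '':` is an identity comparison against a literal that only works because of CPython string interning; it should read `if desc.data != '':`. The bare `except:` blocks in `read_policy_xml` and in the main program's `open()` calls swallow the real exception before calling `error()`, so a permissions problem and a malformed file print the same message; catching `IOError` and `xml.parsers.expat.ExpatError` respectively, or at least appending `sys.exc_info()[1]` to the message, would preserve the diagnostic.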
diff --git a/support/segenxml.py b/support/segenxml.py
new file mode 100644
index 00000000..5f4f7d01
--- /dev/null
+++ b/support/segenxml.py
@@ -0,0 +1,391 @@
+#!/usr/bin/python
+
+# Author(s): Donald Miner <dminer@tresys.com>
+# Dave Sugar <dsugar@tresys.com>
+# Brian Williams <bwilliams@tresys.com>
+# Caleb Case <ccase@tresys.com>
+#
+# Copyright (C) 2005 - 2006 Tresys Technology, LLC
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 2.
+
+"""
+ This script generates XML documentation information for layers specified
+ by the user.
+"""
+
+import sys
+import os
+import glob
+import re
+import getopt
+
+# GLOBALS
+
+# Default values of command line arguments:
+warn = False
+meta = "metadata"
+third_party = "third-party"
+layers = {}
+tunable_files = []
+bool_files = []
+xml_tunable_files = []
+xml_bool_files = []
+output_dir = ""
+
+# Pre compiled regular expressions:
+
+# Matches either an interface or a template declaration. Will give the tuple:
+# ("interface" or "template", name)
+# Some examples:
+# "interface(`kernel_read_system_state',`"
+# -> ("interface", "kernel_read_system_state")
+# "template(`base_user_template',`"
+# -> ("template", "base_user_template")
+INTERFACE = re.compile("^\s*(interface|template)\(`(\w*)'")
+
+# Matches either a gen_bool or a gen_tunable statement. Will give the tuple:
+# ("tunable" or "bool", name, "true" or "false")
+# Some examples:
+# "gen_bool(secure_mode, false)"
+# -> ("bool", "secure_mode", "false")
+# "gen_tunable(allow_kerberos, false)"
+# -> ("tunable", "allow_kerberos", "false")
+BOOLEAN = re.compile("^\s*gen_(tunable|bool)\(\s*(\w*)\s*,\s*(true|false)\s*\)")
+
+# Matches a XML comment in the policy, which is defined as any line starting
+# with two # and at least one character of white space. Will give the single
+# valued tuple:
+# ("comment")
+# Some Examples:
+# "## <summary>"
+# -> ("<summary>")
+# "## The domain allowed access. "
+# -> ("The domain allowed access.")
+XML_COMMENT = re.compile("^##\s+(.*?)\s*$")
+
+
+# FUNCTIONS
+def getModuleXML(file_name):
+ '''
+ Returns the XML data for a module in a list, one line per list item.
+ '''
+
+ # Gather information.
+ module_dir = os.path.dirname(file_name)
+ module_name = os.path.basename(file_name)
+ module_te = "%s/%s.te" % (module_dir, module_name)
+ module_if = "%s/%s.if" % (module_dir, module_name)
+
+ # Try to open the file, if it cant, just ignore it.
+ try:
+ module_file = open(module_if, "r")
+ module_code = module_file.readlines()
+ module_file.close()
+ except:
+ warning("cannot open file %s for read, skipping" % file_name)
+ return []
+
+ module_buf = []
+
+ # Infer the module name, which is the base of the file name.
+ module_buf.append("<module name=\"%s\" filename=\"%s\">\n"
+ % (os.path.splitext(os.path.split(file_name)[-1])[0], module_if))
+
+ temp_buf = []
+ interface = None
+
+ # finding_header is a flag to denote whether we are still looking
+ # for the XML documentation at the head of the file.
+ finding_header = True
+
+ # Get rid of whitespace at top of file
+ while(module_code and module_code[0].isspace()):
+ module_code = module_code[1:]
+
+ # Go line by line and figure out what to do with it.
+ line_num = 0
+ for line in module_code:
+ line_num += 1
+ if finding_header:
+ # If there is a XML comment, add it to the temp buffer.
+ comment = XML_COMMENT.match(line)
+ if comment:
+ temp_buf.append(comment.group(1) + "\n")
+ continue
+
+ # Once a line that is not an XML comment is reached,
+ # either put the XML out to module buffer as the
+ # module's documentation, or attribute it to an
+ # interface/template.
+ elif temp_buf:
+ finding_header = False
+ interface = INTERFACE.match(line)
+ if not interface:
+ module_buf += temp_buf
+ temp_buf = []
+ continue
+
+ # Skip over empty lines
+ if line.isspace():
+ continue
+
+ # Grab a comment and add it to the temprorary buffer, if it
+ # is there.
+ comment = XML_COMMENT.match(line)
+ if comment:
+ temp_buf.append(comment.group(1) + "\n")
+ continue
+
+ # Grab the interface information. This is only not true when
+ # the interface is at the top of the file and there is no
+ # documentation for the module.
+ if not interface:
+ interface = INTERFACE.match(line)
+ if interface:
+ # Add the opening tag for the interface/template
+ groups = interface.groups()
+ module_buf.append("<%s name=\"%s\" lineno=\"%s\">\n" % (groups[0], groups[1], line_num))
+
+ # Add all the comments attributed to this interface to
+ # the module buffer.
+ if temp_buf:
+ module_buf += temp_buf
+ temp_buf = []
+
+ # Add default summaries and parameters so that the
+ # DTD is happy.
+ else:
+ warning ("unable to find XML for %s %s()" % (groups[0], groups[1]))
+ module_buf.append("<summary>\n")
+ module_buf.append("Summary is missing!\n")
+ module_buf.append("</summary>\n")
+ module_buf.append("<param name=\"?\">\n")
+ module_buf.append("<summary>\n")
+ module_buf.append("Parameter descriptions are missing!\n")
+ module_buf.append("</summary>\n")
+ module_buf.append("</param>\n")
+
+ # Close the interface/template tag.
+ module_buf.append("</%s>\n" % interface.group(1))
+
+ interface = None
+ continue
+
+
+
+ # If the file just had a header, add the comments to the module buffer.
+ if finding_header:
+ module_buf += temp_buf
+ # Otherwise there are some lingering XML comments at the bottom, warn
+ # the user.
+ elif temp_buf:
+ warning("orphan XML comments at bottom of file %s" % file_name)
+
+ # Process the TE file if it exists.
+ module_buf = module_buf + getTunableXML(module_te, "both")
+
+ module_buf.append("</module>\n")
+
+ return module_buf
+
+def getTunableXML(file_name, kind):
+ '''
+ Return all the XML for the tunables/bools in the file specified.
+ '''
+
+ # Try to open the file, if it cant, just ignore it.
+ try:
+ tunable_file = open(file_name, "r")
+ tunable_code = tunable_file.readlines()
+ tunable_file.close()
+ except:
+ warning("cannot open file %s for read, skipping" % file_name)
+ return []
+
+ tunable_buf = []
+ temp_buf = []
+
+ # Find tunables and booleans line by line and use the comments above
+ # them.
+ for line in tunable_code:
+ # If it is an XML comment, add it to the buffer and go on.
+ comment = XML_COMMENT.match(line)
+ if comment:
+ temp_buf.append(comment.group(1) + "\n")
+ continue
+
+ # Get the boolean/tunable data.
+ boolean = BOOLEAN.match(line)
+
+ # If we reach a boolean/tunable declaration, attribute all XML
+ # in the temp buffer to it and add XML to the tunable buffer.
+ if boolean:
+ # If there is a gen_bool in a tunable file or a
+ # gen_tunable in a boolean file, error and exit.
+ # Skip if both kinds are valid.
+ if kind != "both":
+ if boolean.group(1) != kind:
+ error("%s in a %s file." % (boolean.group(1), kind))
+
+ tunable_buf.append("<%s name=\"%s\" dftval=\"%s\">\n" % boolean.groups())
+ tunable_buf += temp_buf
+ temp_buf = []
+ tunable_buf.append("</%s>\n" % boolean.group(1))
+
+ # If there are XML comments at the end of the file, they arn't
+ # attributed to anything. These are ignored.
+ if len(temp_buf):
+ warning("orphan XML comments at bottom of file %s" % file_name)
+
+
+ # If the caller requested a the global_tunables and global_booleans to be
+ # output to a file output them now
+ if len(output_dir) > 0:
+ xmlfile = os.path.split(file_name)[1] + ".xml"
+
+ try:
+ xml_outfile = open(output_dir + "/" + xmlfile, "w")
+ for tunable_line in tunable_buf:
+ xml_outfile.write (tunable_line)
+ xml_outfile.close()
+ except:
+ warning ("cannot write to file %s, skipping creation" % xmlfile)
+
+ return tunable_buf
+
+def getXMLFileContents (file_name):
+ '''
+ Return all the XML in the file specified.
+ '''
+
+ tunable_buf = []
+ # Try to open the xml file for this type of file
+ # append the contents to the buffer.
+ try:
+ tunable_xml = open(file_name, "r")
+ tunable_buf += tunable_xml.readlines()
+ tunable_xml.close()
+ except:
+ warning("cannot open file %s for read, assuming no data" % file_name)
+
+ return tunable_buf
+
+def getPolicyXML():
+ '''
+ Return the compelete reference policy XML documentation through a list,
+ one line per item.
+ '''
+
+ policy_buf = []
+ policy_buf.append("<policy>\n")
+
+ # Add to the XML each layer specified by the user.
+ for layer in layers.keys ():
+ policy_buf += getLayerXML(layer, layers[layer])
+
+ # Add to the XML each tunable file specified by the user.
+ for tunable_file in tunable_files:
+ policy_buf += getTunableXML(tunable_file, "tunable")
+
+ # Add to the XML each XML tunable file specified by the user.
+ for tunable_file in xml_tunable_files:
+ policy_buf += getXMLFileContents (tunable_file)
+
+ # Add to the XML each bool file specified by the user.
+ for bool_file in bool_files:
+ policy_buf += getTunableXML(bool_file, "bool")
+
+ # Add to the XML each XML bool file specified by the user.
+ for bool_file in xml_bool_files:
+ policy_buf += getXMLFileContents (bool_file)
+
+ policy_buf.append("</policy>\n")
+
+ return policy_buf
+
+def usage():
+ """
+ Displays a message describing the proper usage of this script.
+ """
+
+ sys.stdout.write("usage: %s [-w] [-mtb] <file>\n\n" % sys.argv[0])
+ sys.stdout.write("-w --warn\t\t\tshow warnings\n"+\
+ "-m --module <file>\t\tname of module to process\n"+\
+ "-t --tunable <file>\t\tname of global tunable file to process\n"+\
+ "-b --boolean <file>\t\tname of global boolean file to process\n\n")
+
+ sys.stdout.write("examples:\n")
+ sys.stdout.write("> %s -w -m policy/modules/apache\n" % sys.argv[0])
+ sys.stdout.write("> %s -t policy/global_tunables\n" % sys.argv[0])
+
+def warning(description):
+ '''
+ Warns the user of a non-critical error.
+ '''
+
+ if warn:
+ sys.stderr.write("%s: " % sys.argv[0] )
+ sys.stderr.write("warning: " + description + "\n")
+
+def error(description):
+ '''
+ Describes an error and exists the program.
+ '''
+
+ sys.stderr.write("%s: " % sys.argv[0] )
+ sys.stderr.write("error: " + description + "\n")
+ sys.stderr.flush()
+ sys.exit(1)
+
+
+
+# MAIN PROGRAM
+
+# Defaults
+warn = False
+module = False
+tunable = False
+boolean = False
+
+# Check that there are command line arguments.
+if len(sys.argv) <= 1:
+ usage()
+ sys.exit(1)
+
+# Parse command line args
+try:
+ opts, args = getopt.getopt(sys.argv[1:], 'whm:t:b:', ['warn', 'help', 'module=', 'tunable=', 'boolean='])
+except getopt.GetoptError:
+ usage()
+ sys.exit(2)
+for o, a in opts:
+ if o in ('-w', '--warn'):
+ warn = True
+ elif o in ('-h', '--help'):
+ usage()
+ sys.exit(0)
+ elif o in ('-m', '--module'):
+ module = a
+ break
+ elif o in ('-t', '--tunable'):
+ tunable = a
+ break
+ elif o in ('-b', '--boolean'):
+ boolean = a
+ break
+ else:
+ usage()
+ sys.exit(2)
+
+if module:
+ sys.stdout.writelines(getModuleXML(module))
+elif tunable:
+ sys.stdout.writelines(getTunableXML(tunable, "tunable"))
+elif boolean:
+ sys.stdout.writelines(getTunableXML(boolean, "bool"))
+else:
+ usage()
+ sys.exit(2)
+
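Review bot: The `break` after each of the `-m`, `-t` and `-b` branches in the option loop stops processing the remaining options, so `-w` is honoured only when it precedes the file option and any flag given after it is silently dropped; removing the three `break` lines lets the loop see every flag, and the `else: usage()` branch already rejects unknown ones. The `warn = False` default is assigned twice, once under `# GLOBALS` and again under `# MAIN PROGRAM`. In `getModuleXML` and `getTunableXML` the bare `except:` around `open()`/`readlines()` also swallows `SystemExit` and `KeyboardInterrupt`; `except IOError:` is the intended scope, and the `output_dir` branch in `getTunableXML` is unreachable as nothing in the file ever sets `output_dir`. The regex literals should be raw strings, e.g. `XML_COMMENT = re.compile(r"^##\s+(.*?)\s*$")`, so the `\s` escapes do not rely on the interpreter preserving unknown escape sequences.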
diff --git a/support/selinux-policy-refpolicy.spec b/support/selinux-policy-refpolicy.spec
new file mode 100644
index 00000000..7a8df030
--- /dev/null
+++ b/support/selinux-policy-refpolicy.spec
@@ -0,0 +1,438 @@
+%define distro redhat
+%define direct_initrc y
+%define monolithic n
+%define polname1 targeted
+%define type1 targeted-mcs
+%define polname2 strict
+%define type2 strict-mcs
+Summary: SELinux policy configuration
+Name: selinux-policy
+Version: 20051019
+Release: 1
+License: GPL
+Group: System Environment/Base
+Source: refpolicy-%{version}.tar.bz2
+Url: http://serefpolicy.sourceforge.net
+BuildRoot: %{_tmppath}/refpolicy-buildroot
+BuildArch: noarch
+# FIXME Need to ensure these have correct versions
+BuildRequires: checkpolicy m4 policycoreutils python make gcc
+PreReq: kernel >= 2.6.4-1.300 policycoreutils >= %{POLICYCOREUTILSVER}
+Obsoletes: policy
+
+%description
+SELinux Reference Policy - modular.
+
+%prep
+%setup -q
+make conf
+
+%build
+
+%install
+%{__rm} -fR $RPM_BUILD_ROOT
+make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} base.pp
+make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} modules
+%{__mkdir} -p $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname1}/%{type1}
+%{__cp} *.pp $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname1}/%{type1}
+%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname1}/policy
+%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname1}/contexts/files
+make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=y DESTDIR=$RPM_BUILD_ROOT install-appconfig
+make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname1}/users/local.users
+make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname1}/users/system.users
+make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} base.pp
+make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} modules
+%{__mkdir} -p $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname2}/%{type2}
+%{__cp} *.pp $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname2}/%{type2}
+%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname2}/policy
+%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname2}/contexts/files
+make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=y DESTDIR=$RPM_BUILD_ROOT install-appconfig
+make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname2}/users/local.users
+make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname2}/users/system.users
+
+%clean
+%{__rm} -fR $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_sysconfdir}/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/*.pp
+#%ghost %config(noreplace) %{_sysconfdir}/selinux/config
+%dir %{_sysconfdir}/selinux/*
+%ghost %config %{_sysconfdir}/selinux/*/booleans
+%dir %{_sysconfdir}/selinux/*/policy
+#%ghost %config %{_sysconfdir}/selinux/*/policy/policy.*
+%dir %{_sysconfdir}/selinux/*/contexts
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/customizable_types
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/dbus_contexts
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/default_contexts
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/default_type
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/failsafe_context
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/initrc_context
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/removable_context
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/userhelper_context
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/sepgsql_contexts
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/x_contexts
+%dir %{_sysconfdir}/selinux/*/contexts/files
+#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/file_contexts
+#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/homedir_template
+#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/file_contexts.homedirs
+%config %{_sysconfdir}/selinux/*/contexts/files/media
+%dir %{_sysconfdir}/selinux/*/users
+%config %{_sysconfdir}/selinux/*/users/system.users
+%config %{_sysconfdir}/selinux/*/users/local.users
+#%ghost %dir %{_sysconfdir}/selinux/*/modules
+
+%pre
+
+%post
+
+%package base-targeted
+Summary: SELinux %{polname1} base policy
+Group: System Environment/Base
+Provides: selinux-policy-base
+
+%description base-targeted
+SELinux Reference policy targeted base module.
+
+%files base-targeted
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/%{polname1}
+%dir %{_usr}/share/selinux/%{polname1}/%{type1}
+%config %{_usr}/share/selinux/%{polname1}/%{type1}/base.pp
+%dir %{_sysconfdir}/selinux
+#%ghost %config(noreplace) %{_sysconfdir}/selinux/config
+%dir %{_sysconfdir}/selinux/%{polname1}
+%ghost %config %{_sysconfdir}/selinux/%{polname1}/booleans
+%dir %{_sysconfdir}/selinux/%{polname1}/policy
+#%ghost %config %{_sysconfdir}/selinux/%{polname1}/policy/policy.*
+%dir %{_sysconfdir}/selinux/%{polname1}/contexts
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/customizable_types
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/dbus_contexts
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/default_contexts
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/default_type
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/failsafe_context
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/initrc_context
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/removable_context
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/userhelper_context
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/sepgsql_contexts
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/x_contexts
+%dir %{_sysconfdir}/selinux/%{polname1}/contexts/files
+#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/file_contexts
+#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/homedir_template
+#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/file_contexts.homedirs
+%config %{_sysconfdir}/selinux/%{polname1}/contexts/files/media
+%dir %{_sysconfdir}/selinux/%{polname1}/users
+%config %{_sysconfdir}/selinux/%{polname1}/users/system.users
+%config %{_sysconfdir}/selinux/%{polname1}/users/local.users
+#%ghost %dir %{_sysconfdir}/selinux/%{polname1}/modules
+
+%post base-targeted
+semodule -b /usr/share/selinux/%{polname1}/%{type1}/base.pp -s %{_sysconfdir}/selinux/%{polname1}
+for file in $(ls /usr/share/selinux/%{polname1}/%{type1} | grep -v base.pp)
+do semodule -i /usr/share/selinux/%{polname1}/%{type1}/$file -s %{_sysconfdir}/selinux/%{polname1}
+done
+
+%package base-strict
+Summary: SELinux %{polname2} base policy
+Group: System Environment/Base
+Provides: selinux-policy-base
+
+%description base-strict
+SELinux Reference policy strict base module.
+
+%files base-strict
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/%{polname2}
+%dir %{_usr}/share/selinux/%{polname2}/%{type2}
+%config %{_usr}/share/selinux/%{polname2}/%{type2}/base.pp
+%dir %{_sysconfdir}/selinux
+#%ghost %config(noreplace) %{_sysconfdir}/selinux/config
+%dir %{_sysconfdir}/selinux/%{polname2}
+%ghost %config %{_sysconfdir}/selinux/%{polname2}/booleans
+%dir %{_sysconfdir}/selinux/%{polname2}/policy
+#%ghost %config %{_sysconfdir}/selinux/%{polname2}/policy/policy.*
+%dir %{_sysconfdir}/selinux/%{polname2}/contexts
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/customizable_types
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/dbus_contexts
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/default_contexts
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/default_type
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/failsafe_context
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/initrc_context
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/removable_context
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/userhelper_context
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/sepgsql_contexts
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/x_contexts
+%dir %{_sysconfdir}/selinux/%{polname2}/contexts/files
+#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/file_contexts
+#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/homedir_template
+#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/file_contexts.homedirs
+%config %{_sysconfdir}/selinux/%{polname2}/contexts/files/media
+%dir %{_sysconfdir}/selinux/%{polname2}/users
+%config %{_sysconfdir}/selinux/%{polname2}/users/system.users
+%config %{_sysconfdir}/selinux/%{polname2}/users/local.users
+#%ghost %dir %{_sysconfdir}/selinux/%{polname2}/modules
+
+%post base-strict
+semodule -b /usr/share/selinux/%{polname2}/%{type2}/base.pp -s %{_sysconfdir}/selinux/%{polname2}
+for file in $(ls /usr/share/selinux/%{polname2}/%{type2} | grep -v base.pp)
+do semodule -i /usr/share/selinux/%{polname2}/%{type2}/$file -s %{_sysconfdir}/selinux/%{polname2}
+done
+
+%package apache
+Summary: SELinux apache policy
+Group: System Environment/Base
+Requires: selinux-policy-base
+
+%description apache
+SELinux Reference policy apache module.
+
+%files apache
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/apache.pp
+
+%post apache
+if [ -d %{_sysconfdir}/selinux/%{polname1}/modules ] ; then
+semodule -n -i %{_usr}/share/selinux/%{polname1}/%{type1}/apache.pp -s %{_sysconfdir}/selinux/%{polname1}
+fi
+if [ -d %{_sysconfdir}/selinux/%{polname2}/modules ] ; then
+semodule -i %{_usr}/share/selinux/%{polname2}/%{type2}/apache.pp -s %{_sysconfdir}/selinux/%{polname2}
+fi
+
+%preun apache
+if [ -d %{_sysconfdir}/selinux/%{polname1}/modules ]
+then semodule -n -r apache -s %{_sysconfdir}/selinux/%{polname1}
+fi
+if [ -d %{_sysconfdir}/selinux/%{polname2}/modules ]
+then semodule -n -r apache -s %{_sysconfdir}/selinux/%{polname2}
+fi
+
+%package bind
+Summary: SELinux bind policy
+Group: System Environment/Base
+
+%description bind
+SELinux Reference policy bind module.
+
+%files bind
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/bind.pp
+
+%post bind
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/bind.pp
+
+%preun bind
+semodule -r bind
+
+%package dhcp
+Summary: SELinux dhcp policy
+Group: System Environment/Base
+
+%description dhcp
+SELinux Reference policy dhcp module.
+
+%files dhcp
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/dhcp.pp
+
+%post dhcp
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/dhcp.pp
+
+%preun dhcp
+semodule -r dhcp
+
+%package ldap
+Summary: SELinux ldap policy
+Group: System Environment/Base
+
+%description ldap
+SELinux Reference policy ldap module.
+
+%files ldap
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/ldap.pp
+
+%post ldap
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/ldap.pp
+
+%preun ldap
+semodule -r ldap
+
+%package mailman
+Summary: SELinux mailman policy
+Group: System Environment/Base
+
+%description mailman
+SELinux Reference policy mailman module.
+
+%files mailman
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/mailman.pp
+
+%post mailman
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/mailman.pp
+
+%preun mailman
+semodule -r mailman
+
+%package mysql
+Summary: SELinux mysql policy
+Group: System Environment/Base
+
+%description mysql
+SELinux Reference policy mysql module.
+
+%files mysql
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/mysql.pp
+
+%post mysql
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcsmysql.pp
+
+%preun mysql
+semodule -r mysql
+
+%package portmap
+Summary: SELinux portmap policy
+Group: System Environment/Base
+
+%description portmap
+SELinux Reference policy portmap module.
+
+%files portmap
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/portmap.pp
+
+%post portmap
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/portmap.pp
+
+%preun portmap
+semodule -r portmap
+
+%package postgresql
+Summary: SELinux postgresql policy
+Group: System Environment/Base
+
+%description postgresql
+SELinux Reference policy postgresql module.
+
+%files postgresql
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/postgresql.pp
+
+%post postgresql
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/postgresql.pp
+
+%preun postgresql
+semodule -r postgresql
+
+%package samba
+Summary: SELinux samba policy
+Group: System Environment/Base
+
+%description samba
+SELinux Reference policy samba module.
+
+%files samba
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/samba.pp
+
+%post samba
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/samba.pp
+
+%preun samba
+semodule -r samba
+
+%package snmp
+Summary: SELinux snmp policy
+Group: System Environment/Base
+
+%description snmp
+SELinux Reference policy snmp module.
+
+%files snmp
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/snmp.pp
+
+%post snmp
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/snmp.pp
+
+%preun snmp
+semodule -r snmp
+
+%package squid
+Summary: SELinux squid policy
+Group: System Environment/Base
+
+%description squid
+SELinux Reference policy squid module.
+
+%files squid
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/squid.pp
+
+%post squid
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/squid.pp
+
+%preun squid
+semodule -r squid
+
+%package webalizer
+Summary: SELinux webalizer policy
+Group: System Environment/Base
+
+%description webalizer
+SELinux Reference policy webalizer module.
+
+%files webalizer
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/webalizer.pp
+
+%post webalizer
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/webalizer.pp
+
+%preun webalizer
+semodule -r webalizer
+
+%changelog
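Review bot: The `%post mysql` scriptlet `semodule -i %{_usr}/share/selinux/targeted/targeted-mcsmysql.pp` is missing the `/` before `mysql.pp`, so installing the mysql subpackage fails at post-install; it should be `semodule -i %{_usr}/share/selinux/%{polname1}/%{type1}/mysql.pp`. The bind through webalizer subpackages hard-code `targeted/targeted-mcs` instead of `%{polname1}/%{type1}`, load into the default store rather than `-s %{_sysconfdir}/selinux/%{polname1}`, and lack both the `[ -d .../modules ]` guard and the `Requires: selinux-policy-base` that the apache subpackage carries, so they break when only the strict base is installed. In `%post base-targeted` and `%post base-strict` the `$(ls … | grep -v base.pp)` loop parses `ls` output and leaves `$file` unquoted; iterating a shell glob over `*.pp` and skipping `base.pp` by name is the robust form.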
diff --git a/support/selinux-refpolicy-sources.spec.skel b/support/selinux-refpolicy-sources.spec.skel
new file mode 100644
index 00000000..8973bc71
--- /dev/null
+++ b/support/selinux-refpolicy-sources.spec.skel
@@ -0,0 +1,49 @@
+%define type refpolicy
+%define POLICYDIR /etc/selinux/%{type}
+%define FILE_CON ${POLICYDIR}/contexts/files/file_contexts
+%define FC_PRE ${FILE_CON}.pre
+
+Summary: SELinux Reference Policy configuration source files
+Name: selinux-refpolicy-sources
+Version: REFPOL_VERSION
+Release: 1
+License: GPL
+Group: System Environment/Base
+PreReq: m4 make policycoreutils kernel gcc
+Requires: checkpolicy >= 1.33.1
+Requires: python make m4
+BuildRequires: make m4 python
+Obsoletes: policy-sources
+Source: refpolicy-%{version}.tar.bz2
+Url: http://oss.tresys.com/projects/refpolicy
+BuildArch: noarch
+BuildRoot: /tmp/rpmbuild/%{name}
+
+%description
+This subpackage includes the SELinux Reference Policy
+source files, which can be used to build a targeted policy
+or strict policy configuration.
+
+%prep
+%setup -q -n refpolicy
+
+%build
+sed -i -e '/^TYPE/s/strict/targeted/' Makefile
+sed -i -e 's/^#DISTRO/DISTRO/' Makefile
+sed -i -e '/^DIRECT_INITRC/s/n/y/' Makefile
+make conf
+make clean
+rm -f support/*.pyc
+
+%install
+rm -fR $RPM_BUILD_ROOT
+make DESTDIR=$RPM_BUILD_ROOT install-src
+
+%clean
+rm -fR $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root,-)
+%{_sysconfdir}/selinux/%{type}/src/policy/
+
+%changelog
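Review bot: `BuildRoot: /tmp/rpmbuild/%{name}` is a fixed, predictable path under the world-writable `/tmp`, and `%install` starts with `rm -fR $RPM_BUILD_ROOT` on it, so a pre-existing directory or symlink placed there by another local user is deleted or written through; the sibling spec in this commit already uses `%{_tmppath}`, and `BuildRoot: %{_tmppath}/%{name}-%{version}-root` would be consistent with it. The `FILE_CON` and `FC_PRE` defines use shell syntax `${POLICYDIR}` rather than the macro form `%{POLICYDIR}`, so they would expand to an undefined shell variable if used; they are not referenced anywhere in the visible file and could be dropped. `POLICYDIR` also hard-codes `/etc/selinux` while `%files` uses `%{_sysconfdir}`.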
diff --git a/support/set_bools_tuns.awk b/support/set_bools_tuns.awk
new file mode 100644
index 00000000..cedc19b7
--- /dev/null
+++ b/support/set_bools_tuns.awk
@@ -0,0 +1,11 @@
+# Read booleans.conf and output M4 directives to
+# override default settings in global_booleans
+
+BEGIN {
+ FS="="
+}
+
+/^[[:blank:]]*[[:alpha:]]+/{
+ gsub(/[[:blank:]]*/,"")
+ print "define(`"$1"_conf',`"$2"')"
+}
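Review bot: The pattern `/^[[:blank:]]*[[:alpha:]]+/` accepts any line that starts with a letter, so a line carrying a trailing comment or a non-boolean value (constructed example: `foo = true # note`) is emitted as `define(`foo_conf',`true#note')` and that text reaches the m4 input unvalidated; restricting the match to well-formed assignments, `/^[[:blank:]]*[[:alpha:]_][[:alnum:]_]*[[:blank:]]*=[[:blank:]]*(true|false)[[:blank:]]*$/`, keeps stray text out of the generated directives. The `gsub` on `$0` re-splits the record on `FS`, which is why `$1` and `$2` are blank-free afterwards; a one-line comment such as `# gsub on $0 re-splits the fields, so $1/$2 are now trimmed` would save the next reader working that out.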
diff --git a/support/undivert.m4 b/support/undivert.m4
new file mode 100644
index 00000000..8545e477
--- /dev/null
+++ b/support/undivert.m4
@@ -0,0 +1 @@
+divert \ No newline at end of file