diff --git a/_servicedata b/_servicedata
index 1994f5d..6cb5171 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@
https://gitlab.suse.de/selinux/selinux-policy.git
- e897b9b38aafb39b5b9bb4ab6d497bd23ec39f3c
\ No newline at end of file
+ da1e0e20a01fbeb119d494032a15b17984baf509
\ No newline at end of file
diff --git a/booleans-minimum.conf b/booleans-minimum.conf
deleted file mode 100644
index 5185257..0000000
--- a/booleans-minimum.conf
+++ /dev/null
@@ -1,232 +0,0 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-#
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-#
-selinuxuser_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-#
-selinuxuser_execstack = false
-
-# Allow ftpd to read cifs directories.
-#
-ftpd_use_cifs = false
-
-# Allow ftpd to read nfs directories.
-#
-ftpd_use_nfs = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-#
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-#
-gssd_read_tmp = true
-
-# Allow Apache to modify public filesused for public file transfer services.
-#
-allow_httpd_anon_write = false
-
-# Allow Apache to use mod_auth_pam module
-#
-httpd_mod_auth_pam = false
-
-# Allow system to run with kerberos
-#
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-#
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-#
-saslauthd_read_shadow = false
-
-# Allow samba to modify public filesused for public file transfer services.
-#
-allow_smbd_anon_write = false
-
-# Allow system to run with NIS
-#
-allow_ypbind = false
-
-# Allow zebra to write it own configuration files
-#
-zebra_write_config = false
-
-# Enable extra rules in the cron domainto support fcron.
-#
-fcron_crond = false
-
-#
-# allow httpd to connect to mysql/posgresql
-httpd_can_network_connect_db = false
-
-#
-# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = true
-
-#
-# allow httpd to network relay
-httpd_can_network_relay = false
-
-# Allow httpd to use built in scripting (usually php)
-#
-httpd_builtin_scripting = true
-
-# Allow http daemon to tcp connect
-#
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-#
-httpd_enable_cgi = true
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-#
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-#
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-#
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-#
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-#
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-#
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-#
-nfs_export_all_rw = true
-
-# Allow nfs to be exported read only
-#
-nfs_export_all_ro = true
-
-# Allow pppd to load kernel modules for certain modems
-#
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-#
-read_default_t = false
-
-# Allow samba to export user home directories.
-#
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-#
-squid_connect_any = false
-
-# Support NFS home directories
-#
-use_nfs_home_dirs = true
-
-# Support SAMBA home directories
-#
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-#
-user_ping = false
-
-# allow host key based authentication
-#
-ssh_keysign = false
-
-# Allow pppd to be run for a regular user
-#
-pppd_for_user = false
-
-# Allow spamd to write to users homedirs
-#
-spamd_enable_home_dirs = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-#
-user_rw_noexattrfile = true
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
-#
-user_tcp_server = false
-
-# Allow all domains to talk to ttys
-#
-daemons_use_tty = false
-
-# Allow login domains to polyinstatiate directories
-#
-polyinstantiation_enabled = false
-
-# Allow all domains to dump core
-#
-daemons_dump_core = true
-
-# Allow samba to act as the domain controller
-#
-samba_domain_controller = false
-
-# Allow samba to export user home directories.
-#
-samba_run_unconfined = false
-
-# Allows XServer to execute writable memory
-#
-xserver_execmem = false
-
-# disallow guest accounts to execute files that they can create
-#
-guest_exec_content = false
-xguest_exec_content = false
-
-# Allow postfix locat to write to mail spool
-#
-postfix_local_write_mail_spool = false
-
-# Allow common users to read/write noexattrfile systems
-#
-user_rw_noexattrfile = true
-
-# Allow qemu to connect fully to the network
-#
-qemu_full_network = true
-
-# System uses init upstart program
-#
-init_upstart = true
-
-# Allow mount to mount any file/dir
-#
-mount_anyfile = true
-
-# Allow all domains to mmap files
-#
-domain_can_mmap_files = true
-
-# Allow confined applications to use nscd shared memory
-#
-nscd_use_shm = true
-
-# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
-#
-unconfined_chrome_sandbox_transition = true
-
-# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
-#
-unconfined_mozilla_plugin_transition = true
diff --git a/booleans-mls.conf b/booleans-mls.conf
deleted file mode 100644
index 3892f99..0000000
--- a/booleans-mls.conf
+++ /dev/null
@@ -1,232 +0,0 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-#
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-#
-selinuxuser_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-#
-selinuxuser_execstack = false
-
-# Allow ftpd to read cifs directories.
-#
-ftpd_use_cifs = false
-
-# Allow ftpd to read nfs directories.
-#
-ftpd_use_nfs = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-#
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-#
-gssd_read_tmp = true
-
-# Allow Apache to modify public filesused for public file transfer services.
-#
-allow_httpd_anon_write = false
-
-# Allow Apache to use mod_auth_pam module
-#
-httpd_mod_auth_pam = false
-
-# Allow system to run with kerberos
-#
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-#
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-#
-saslauthd_read_shadow = false
-
-# Allow samba to modify public filesused for public file transfer services.
-#
-allow_smbd_anon_write = false
-
-# Allow system to run with NIS
-#
-allow_ypbind = false
-
-# Allow zebra to write it own configuration files
-#
-zebra_write_config = false
-
-# Enable extra rules in the cron domainto support fcron.
-#
-fcron_crond = false
-
-#
-# allow httpd to connect to mysql/posgresql
-httpd_can_network_connect_db = false
-
-#
-# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = true
-
-#
-# allow httpd to network relay
-httpd_can_network_relay = false
-
-# Allow httpd to use built in scripting (usually php)
-#
-httpd_builtin_scripting = true
-
-# Allow http daemon to tcp connect
-#
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-#
-httpd_enable_cgi = true
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-#
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-#
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-#
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-#
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-#
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-#
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-#
-nfs_export_all_rw = true
-
-# Allow nfs to be exported read only
-#
-nfs_export_all_ro = true
-
-# Allow pppd to load kernel modules for certain modems
-#
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-#
-read_default_t = false
-
-# Allow samba to export user home directories.
-#
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-#
-squid_connect_any = false
-
-# Support NFS home directories
-#
-use_nfs_home_dirs = true
-
-# Support SAMBA home directories
-#
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-#
-user_ping = false
-
-# allow host key based authentication
-#
-ssh_keysign = false
-
-# Allow pppd to be run for a regular user
-#
-pppd_for_user = false
-
-# Allow spamd to write to users homedirs
-#
-spamd_enable_home_dirs = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-#
-user_rw_noexattrfile = true
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
-#
-user_tcp_server = false
-
-# Allow all domains to talk to ttys
-#
-daemons_use_tty = false
-
-# Allow login domains to polyinstatiate directories
-#
-polyinstantiation_enabled = false
-
-# Allow all domains to dump core
-#
-daemons_dump_core = true
-
-# Allow samba to act as the domain controller
-#
-samba_domain_controller = false
-
-# Allow samba to export user home directories.
-#
-samba_run_unconfined = false
-
-# Allows XServer to execute writable memory
-#
-xserver_execmem = false
-
-# disallow guest accounts to execute files that they can create
-#
-guest_exec_content = false
-xguest_exec_content = false
-
-# Allow postfix locat to write to mail spool
-#
-postfix_local_write_mail_spool = false
-
-# Allow common users to read/write noexattrfile systems
-#
-user_rw_noexattrfile = true
-
-# Allow qemu to connect fully to the network
-#
-qemu_full_network = true
-
-# System uses init upstart program
-#
-init_upstart = true
-
-# Allow mount to mount any file/dir
-#
-mount_anyfile = true
-
-# Allow all domains to mmap files
-#
-domain_can_mmap_files = true
-
-# Allow confined applications to use nscd shared memory
-#
-nscd_use_shm = true
-
-# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
-#
-unconfined_chrome_sandbox_transition = false
-
-# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
-#
-unconfined_mozilla_plugin_transition = false
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
deleted file mode 100644
index 5185257..0000000
--- a/booleans-targeted.conf
+++ /dev/null
@@ -1,232 +0,0 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-#
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-#
-selinuxuser_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-#
-selinuxuser_execstack = false
-
-# Allow ftpd to read cifs directories.
-#
-ftpd_use_cifs = false
-
-# Allow ftpd to read nfs directories.
-#
-ftpd_use_nfs = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-#
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-#
-gssd_read_tmp = true
-
-# Allow Apache to modify public filesused for public file transfer services.
-#
-allow_httpd_anon_write = false
-
-# Allow Apache to use mod_auth_pam module
-#
-httpd_mod_auth_pam = false
-
-# Allow system to run with kerberos
-#
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-#
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-#
-saslauthd_read_shadow = false
-
-# Allow samba to modify public filesused for public file transfer services.
-#
-allow_smbd_anon_write = false
-
-# Allow system to run with NIS
-#
-allow_ypbind = false
-
-# Allow zebra to write it own configuration files
-#
-zebra_write_config = false
-
-# Enable extra rules in the cron domainto support fcron.
-#
-fcron_crond = false
-
-#
-# allow httpd to connect to mysql/posgresql
-httpd_can_network_connect_db = false
-
-#
-# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = true
-
-#
-# allow httpd to network relay
-httpd_can_network_relay = false
-
-# Allow httpd to use built in scripting (usually php)
-#
-httpd_builtin_scripting = true
-
-# Allow http daemon to tcp connect
-#
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-#
-httpd_enable_cgi = true
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-#
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-#
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-#
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-#
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-#
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-#
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-#
-nfs_export_all_rw = true
-
-# Allow nfs to be exported read only
-#
-nfs_export_all_ro = true
-
-# Allow pppd to load kernel modules for certain modems
-#
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-#
-read_default_t = false
-
-# Allow samba to export user home directories.
-#
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-#
-squid_connect_any = false
-
-# Support NFS home directories
-#
-use_nfs_home_dirs = true
-
-# Support SAMBA home directories
-#
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-#
-user_ping = false
-
-# allow host key based authentication
-#
-ssh_keysign = false
-
-# Allow pppd to be run for a regular user
-#
-pppd_for_user = false
-
-# Allow spamd to write to users homedirs
-#
-spamd_enable_home_dirs = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-#
-user_rw_noexattrfile = true
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
-#
-user_tcp_server = false
-
-# Allow all domains to talk to ttys
-#
-daemons_use_tty = false
-
-# Allow login domains to polyinstatiate directories
-#
-polyinstantiation_enabled = false
-
-# Allow all domains to dump core
-#
-daemons_dump_core = true
-
-# Allow samba to act as the domain controller
-#
-samba_domain_controller = false
-
-# Allow samba to export user home directories.
-#
-samba_run_unconfined = false
-
-# Allows XServer to execute writable memory
-#
-xserver_execmem = false
-
-# disallow guest accounts to execute files that they can create
-#
-guest_exec_content = false
-xguest_exec_content = false
-
-# Allow postfix locat to write to mail spool
-#
-postfix_local_write_mail_spool = false
-
-# Allow common users to read/write noexattrfile systems
-#
-user_rw_noexattrfile = true
-
-# Allow qemu to connect fully to the network
-#
-qemu_full_network = true
-
-# System uses init upstart program
-#
-init_upstart = true
-
-# Allow mount to mount any file/dir
-#
-mount_anyfile = true
-
-# Allow all domains to mmap files
-#
-domain_can_mmap_files = true
-
-# Allow confined applications to use nscd shared memory
-#
-nscd_use_shm = true
-
-# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
-#
-unconfined_chrome_sandbox_transition = true
-
-# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
-#
-unconfined_mozilla_plugin_transition = true
diff --git a/booleans.subs_dist b/booleans.subs_dist
deleted file mode 100644
index e4f1c19..0000000
--- a/booleans.subs_dist
+++ /dev/null
@@ -1,54 +0,0 @@
-allow_auditadm_exec_content auditadm_exec_content
-allow_console_login login_console_enabled
-allow_cvs_read_shadow cvs_read_shadow
-allow_daemons_dump_core daemons_dump_core
-allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
-allow_daemons_use_tty daemons_use_tty
-allow_domain_fd_use domain_fd_use
-allow_execheap selinuxuser_execheap
-allow_execmod selinuxuser_execmod
-allow_execstack selinuxuser_execstack
-allow_ftpd_anon_write ftpd_anon_write
-allow_ftpd_full_access ftpd_full_access
-allow_ftpd_use_cifs ftpd_use_cifs
-allow_ftpd_use_nfs ftpd_use_nfs
-allow_gssd_read_tmp gssd_read_tmp
-allow_guest_exec_content guest_exec_content
-allow_httpd_anon_write httpd_anon_write
-allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
-allow_httpd_mod_auth_pam httpd_mod_auth_pam
-allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
-allow_kerberos kerberos_enabled
-allow_mplayer_execstack mplayer_execstack
-allow_mount_anyfile mount_anyfile
-allow_nfsd_anon_write nfsd_anon_write
-allow_polyinstantiation polyinstantiation_enabled
-allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
-allow_rsync_anon_write rsync_anon_write
-allow_saslauthd_read_shadow saslauthd_read_shadow
-allow_secadm_exec_content secadm_exec_content
-allow_smbd_anon_write smbd_anon_write
-allow_ssh_keysign ssh_keysign
-allow_staff_exec_content staff_exec_content
-allow_sysadm_exec_content sysadm_exec_content
-allow_user_exec_content user_exec_content
-allow_user_mysql_connect selinuxuser_mysql_connect_enabled
-allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
-allow_write_xshm xserver_clients_write_xshm
-allow_xguest_exec_content xguest_exec_content
-allow_xserver_execmem xserver_execmem
-allow_ypbind nis_enabled
-allow_zebra_write_config zebra_write_config
-user_direct_dri selinuxuser_direct_dri_enabled
-user_ping selinuxuser_ping
-user_share_music selinuxuser_share_music
-user_tcp_server selinuxuser_tcp_server
-sepgsql_enable_pitr_implementation postgresql_can_rsync
-sepgsql_enable_users_ddl postgresql_selinux_users_ddl
-sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
-sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
-clamd_use_jit antivirus_use_jit
-amavis_use_jit antivirus_use_jit
-logwatch_can_sendmail logwatch_can_network_connect_mail
-puppet_manage_all_files puppetagent_manage_all_files
-virt_sandbox_use_nfs virt_use_nfs
diff --git a/container.fc b/container.fc
index 40b03d5..138737b 100644
--- a/container.fc
+++ b/container.fc
@@ -131,7 +131,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kubelet/pod-resources(/.*)? gen_context(system_u:object_r:kubelet_var_lib_t,s0)
/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
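Review bot: The replacement entry `/var/lib/kubelet/pod-resources(/.*)?` moves kubelet.sock from container_file_t to kubelet_var_lib_t, and nothing next to it says which domains are still meant to reach the socket. In this commit only container_device_plugin_t gets a matching stream_connect_pattern (container.te), so any other container domain that relied on the old container_file_t label would presumably be denied after a relabel. A short comment above the entry would record the intent, e.g. `# pod-resources socket belongs to kubelet; access requires an explicit stream_connect rule`. Existing installations also need the directory relabelled before the new type takes effect.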
@@ -162,6 +162,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
/run/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)
+/var/log/kube-apiserver(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0)
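Review bot: `/var/log/kube-apiserver(/.*)?` reuses the generic container_log_t label that the lxc and lxd log directories carry, so every domain allowed to read container logs can read the API server logs too. The same choice is repeated in the `logging_log_filetrans($1, container_log_t, dir, "kube-apiserver")` line added to container.if. Which domains can read container_log_t is not visible in this diff. If the API server writes audit logs to this directory, it is worth confirming that the shared label is intended, or stating it in a comment such as `# kube-apiserver logs share container_log_t on purpose`.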
diff --git a/container.if b/container.if
index cf864df..5dc82b5 100644
--- a/container.if
+++ b/container.if
@@ -512,6 +512,7 @@ interface(`container_filetrans_named_content',`
files_pid_filetrans($1, container_var_run_t, dir, "containers")
files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers")
+ logging_log_filetrans($1, container_log_t, dir, "kube-apiserver")
logging_log_filetrans($1, container_log_t, dir, "lxc")
files_var_lib_filetrans($1, container_var_lib_t, dir, "containers")
files_var_lib_filetrans($1, container_file_t, dir, "origin")
diff --git a/container.te b/container.te
index 803530a..900815d 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.232.1)
+policy_module(container, 2.234.0)
gen_require(`
class passwd rootok;
@@ -757,6 +757,7 @@ tunable_policy(`container_connect_any',`
#
allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
role system_r types spc_t;
+dontaudit spc_t self:memprotect mmap_zero;
domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
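Review bot: The added `dontaudit spc_t self:memprotect mmap_zero;` silences an AVC that is normally worth seeing, and the hunk gives no reason for it. The access stays denied, but an mmap_zero denial is one of the few audit signals that a process tried to map low memory, and spc_t already holds the entrypoint and transition rules shown around it, so hiding the denial there reduces detection coverage. If the denials come from a known benign workload, a comment above the rule should say so, e.g. `# <workload> probes low mappings at startup; denial is expected (see <bug reference>)`. Otherwise I would leave the denial audited.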
@@ -1450,11 +1451,14 @@ allow container_engine_t sysctl_t:{dir file} mounton;
allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
allow container_engine_t fusefs_t:file relabelto;
allow container_engine_t kernel_t:system module_request;
-allow container_engine_t null_device_t:chr_file mounton;
+allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
allow container_engine_t random_device_t:chr_file mounton;
allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
allow container_engine_t urandom_device_t:chr_file mounton;
allow container_engine_t zero_device_t:chr_file mounton;
+allow container_engine_t container_file_t:sock_file mounton;
+allow container_engine_t container_runtime_tmpfs_t:dir { ioctl list_dir_perms };
+allow container_engine_t devpts_t:chr_file setattr;
manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
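Review bot: The new grants to container_engine_t are undocumented and spelled inconsistently: the null_device_t rule uses the `setattr_chr_file_perms` permission set while the devpts_t rule uses a bare `setattr`. For consistency I would write `allow container_engine_t devpts_t:chr_file setattr_chr_file_perms;`. The null_device_t rule applies to every node carrying that label, which as far as I can tell includes the host's own /dev/null and not only a copy mounted into a container. A comment such as `# engine sets mode/owner on the device nodes it bind-mounts into the container` (if that is the reason) would let a later reviewer judge whether the grant can be narrowed. The same goes for `container_file_t:sock_file mounton`.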
@@ -1483,6 +1487,17 @@ application_executable_file(kubelet_exec_t)
can_exec(container_runtime_t, kubelet_exec_t)
allow kubelet_t kubelet_exec_t:file entrypoint;
+type kubelet_var_lib_t;
+files_type(kubelet_var_lib_t)
+
+manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_sock_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+
+files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")
+filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, "pod-resources")
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
')
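Review bot: `files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")` looks broader than the layout requires. The container.fc entry in this commit places the directory at /var/lib/kubelet/pod-resources, whose parent is labelled container_var_lib_t. That case is already handled by the following `filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, "pod-resources")` line. Going by the interface name, the files_var_lib_filetrans rule instead covers a pod-resources directory created directly under a var_lib_t parent, so unless kubelet really does that, dropping it keeps the transition set minimal. The new type also lacks a description, e.g. `# kubelet-private state under /var/lib/kubelet (pod-resources socket)` above `type kubelet_var_lib_t;`.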
@@ -1516,10 +1531,12 @@ allow container_device_t device_node:chr_file rw_chr_file_perms;
# Standard container which needs to be allowed to use any device and
# communicate with kubelet
container_domain_template(container_device_plugin, container)
+typeattribute container_device_plugin_t container_net_domain;
allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
dev_rw_sysfs(container_device_plugin_t)
kernel_read_debugfs(container_device_plugin_t)
container_kubelet_stream_connect(container_device_plugin_t)
+stream_connect_pattern(container_device_plugin_t, container_var_lib_t, kubelet_var_lib_t, kubelet_t)
# Standard container which needs to be allowed to use any device and
# modify kubelet configuration
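Review bot: `typeattribute container_device_plugin_t container_net_domain;` widens a domain that already has `rw_chr_file_perms` on every device_node character device. The comment above the template still describes it only as needing devices and kubelet communication. What container_net_domain grants is defined outside this hunk, but the name suggests general network access, which combined with raw device access deserves a stated reason. I would update the block comment to something like `# ... use any device, communicate with kubelet, and use the network (required by <plugin/reason>)`. The next template's block starts at the end of this hunk, so whether it needs the same `stream_connect_pattern` for the relabelled socket cannot be checked from here.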
diff --git a/customizable_types b/customizable_types
deleted file mode 100644
index 854cbf6..0000000
--- a/customizable_types
+++ /dev/null
@@ -1,13 +0,0 @@
-sandbox_file_t
-svirt_image_t
-svirt_home_t
-svirt_lxc_file_t
-virt_content_t
-httpd_user_htaccess_t
-httpd_user_script_exec_t
-httpd_user_rw_content_t
-httpd_user_ra_content_t
-httpd_user_content_t
-git_session_content_t
-home_bin_t
-user_tty_device_t
diff --git a/debug-build.sh b/debug-build.sh
index 44a626f..62b657c 100644
--- a/debug-build.sh
+++ b/debug-build.sh
@@ -23,7 +23,7 @@ VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' $REPO_NAME.spec)
# Create tar file with name like selinux-policy-.tar.xz
TAR_NAME=$REPO_NAME-$VERSION.tar.xz
echo "Creating tar file: $TAR_NAME"
-tar --exclude-vcs -cJf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME .
+tar --exclude-vcs -cJhf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME .
# Some helpful prompts
if test $? -eq 0; then
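Review bot: The added `h` in `-cJhf` makes tar dereference every symlink under $REPO_NAME, so a link pointing outside the checkout is archived as a copy of its target rather than as a link. That can pull unrelated local files into the source tarball, so a comment should name the links that need resolving. The long option also reads more clearly than a letter buried in the flag cluster, and the expansions on this line are unquoted: `tar --exclude-vcs --dereference -cJf "$TAR_NAME" --transform "s,^,$REPO_NAME-$VERSION/," -C "$REPO_NAME" .`. The script continues outside the hunk.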
diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist
deleted file mode 100644
index b316d2e..0000000
--- a/file_contexts.subs_dist
+++ /dev/null
@@ -1,22 +0,0 @@
-/var/run /run
-/var/lock /run/lock
-/var/run/lock /var/lock
-/lib /usr/lib
-/lib64 /usr/lib
-/usr/lib64 /usr/lib
-/usr/local /usr
-/usr/local/lib64 /usr/lib
-/usr/local/lib32 /usr/lib
-/etc/systemd/system /usr/lib/systemd/system
-/run/systemd/system /usr/lib/systemd/system
-/run/systemd/generator /usr/lib/systemd/system
-/run/systemd/generator.early /usr/lib/systemd/system
-/run/systemd/generator.late /usr/lib/systemd/system
-/var/lib/xguest/home /home
-/var/run/netconfig /etc
-/var/adm/netconfig/md5/etc /etc
-/var/adm/netconfig/md5/var /var
-/usr/etc /etc
-/bin /usr/bin
-/sbin /usr/bin
-/usr/sbin /usr/bin
diff --git a/modules-minimum-base.conf b/modules-minimum-base.conf
deleted file mode 100644
index 853e975..0000000
--- a/modules-minimum-base.conf
+++ /dev/null
@@ -1,414 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-#
-bootloader = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-#
-corecommands = base
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-#
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-#
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-#
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-#
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-#
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-#
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-#
-seunshare = module
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-#
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-#
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-#
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-#
-files = base
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-#
-miscfiles = module
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-#
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-#
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-#
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-#
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-#
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-#
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-#
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-#
-#
-ubac = base
-
-# Layer: kernel
-# Module: unconfined
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-#
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-#
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-#
-secadm = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-#
-sysadm_secadm = module
-
-# Module: staff
-#
-# admin account
-#
-staff = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-#
-sysadm = module
-
-# Layer: role
-# Module: unconfineduser
-#
-# The unconfined user domain.
-#
-unconfineduser = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-#
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-#
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-#
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-#
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-#
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-#
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-#
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-#
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-#
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-#
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-#
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-#
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-#
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-#
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-#
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-#
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-#
-lvm = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-#
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-#
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-#
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-#
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-#
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-#
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-#
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-#
-udev = module
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-#
-unconfined = module
-
-# Layer: admin
-# Module: rpm
-#
-# Policy for the RPM package manager.
-#
-rpm = module
-
-# Layer: contrib
-# Module: packagekit
-#
-# Temporary permissive module for packagekit
-#
-packagekit = module
-
-# Layer: services
-# Module: nscd
-#
-# Name service cache daemon
-#
-nscd = module
diff --git a/modules-minimum-contrib.conf b/modules-minimum-contrib.conf
deleted file mode 100644
index be139ed..0000000
--- a/modules-minimum-contrib.conf
+++ /dev/null
@@ -1,2609 +0,0 @@
-# Layer: services
-# Module: abrt
-#
-# Automatic bug detection and reporting tool
-#
-abrt = module
-
-# Layer: services
-# Module: accountsd
-#
-# An application to view and modify user accounts information
-#
-accountsd = module
-
-# Layer: admin
-# Module: acct
-#
-# Berkeley process accounting
-#
-acct = module
-
-# Layer: services
-# Module: afs
-#
-# Andrew Filesystem server
-#
-afs = module
-
-# Layer: services
-# Module: aiccu
-#
-# SixXS Automatic IPv6 Connectivity Client Utility
-#
-aiccu = module
-
-# Layer: services
-# Module: aide
-#
-# Policy for aide
-#
-aide = module
-
-# Layer: services
-# Module: ajaxterm
-#
-# Web Based Terminal
-#
-ajaxterm = module
-
-# Layer: admin
-# Module: alsa
-#
-# Ainit ALSA configuration tool
-#
-alsa = module
-
-# Layer: admin
-# Module: amanda
-#
-# Automated backup program.
-#
-amanda = module
-
-# Layer: admin
-# Module: amtu
-#
-# Abstract Machine Test Utility (AMTU)
-#
-amtu = module
-
-# Layer: admin
-# Module: anaconda
-#
-# Policy for the Anaconda installer.
-#
-anaconda = module
-
-# Layer: contrib
-# Module: antivirus
-#
-# SELinux policy for antivirus programs
-#
-antivirus = module
-
-# Layer: services
-# Module: apache
-#
-# Apache web server
-#
-apache = module
-
-# Layer: services
-# Module: apcupsd
-#
-# daemon for most APC’s UPS for Linux
-#
-apcupsd = module
-
-# Layer: services
-# Module: apm
-#
-# Advanced power management daemon
-#
-apm = module
-
-# Layer: services
-# Module: arpwatch
-#
-# Ethernet activity monitor.
-#
-arpwatch = module
-
-# Layer: services
-# Module: asterisk
-#
-# Asterisk IP telephony server
-#
-asterisk = module
-
-# Layer: contrib
-# Module: authconfig
-#
-# Authorization configuration tool
-#
-authconfig = module
-
-# Layer: services
-# Module: automount
-#
-# Filesystem automounter service.
-#
-automount = module
-
-# Layer: services
-# Module: avahi
-#
-# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
-#
-avahi = module
-
-# Layer: module
-# Module: awstats
-#
-# awstats executable
-#
-awstats = module
-
-# Layer: services
-# Module: bcfg2
-#
-# Configuration management server
-#
-bcfg2 = module
-
-# Layer: services
-# Module: bind
-#
-# Berkeley internet name domain DNS server.
-#
-bind = module
-
-# Layer: contrib
-# Module: rngd
-#
-# Daemon used to feed random data from hardware device to kernel random device
-#
-rngd = module
-
-# Layer: services
-# Module: bitlbee
-#
-# An IRC to other chat networks gateway
-#
-bitlbee = module
-
-# Layer: services
-# Module: blueman
-#
-# Blueman tools and system services.
-#
-blueman = module
-
-# Layer: services
-# Module: bluetooth
-#
-# Bluetooth tools and system services.
-#
-bluetooth = module
-
-# Layer: services
-# Module: boinc
-#
-# Berkeley Open Infrastructure for Network Computing
-#
-boinc = module
-
-# Layer: system
-# Module: brctl
-#
-# Utilities for configuring the linux ethernet bridge
-#
-brctl = module
-
-# Layer: services
-# Module: bugzilla
-#
-# Bugzilla server
-#
-bugzilla = module
-
-# Layer: services
-# Module: bumblebee
-#
-# Support NVIDIA Optimus technology under Linux
-#
-bumblebee = module
-
-# Layer: services
-# Module: cachefilesd
-#
-# CacheFiles userspace management daemon
-#
-cachefilesd = module
-
-# Module: calamaris
-#
-#
-# Squid log analysis
-#
-calamaris = module
-
-# Layer: services
-# Module: callweaver
-#
-# callweaver telephony sever
-#
-callweaver = module
-
-# Layer: services
-# Module: canna
-#
-# Canna - kana-kanji conversion server
-#
-canna = module
-
-# Layer: services
-# Module: ccs
-#
-# policy for ccs
-#
-ccs = module
-
-# Layer: apps
-# Module: cdrecord
-#
-# Policy for cdrecord
-#
-cdrecord = module
-
-# Layer: admin
-# Module: certmaster
-#
-# Digital Certificate master
-#
-certmaster = module
-
-# Layer: services
-# Module: certmonger
-#
-# Certificate status monitor and PKI enrollment client
-#
-certmonger = module
-
-# Layer: admin
-# Module: certwatch
-#
-# Digital Certificate Tracking
-#
-certwatch = module
-
-# Layer: services
-# Module: cfengine
-#
-# cfengine
-#
-cfengine = module
-
-# Layer: services
-# Module: cgroup
-#
-# Tools and libraries to control and monitor control groups
-#
-cgroup = module
-
-# Layer: apps
-# Module: chrome
-#
-# chrome sandbox
-#
-chrome = module
-
-# Layer: services
-# Module: chronyd
-#
-# Daemon for maintaining clock time
-#
-chronyd = module
-
-# Layer: services
-# Module: cipe
-#
-# Encrypted tunnel daemon
-#
-cipe = module
-
-
-# Layer: services
-# Module: clogd
-#
-# clogd - clustered mirror log server
-#
-clogd = module
-
-# Layer: services
-# Module: cloudform
-#
-# cloudform daemons
-#
-cloudform = module
-
-# Layer: services
-# Module: cmirrord
-#
-# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
-#
-cmirrord = module
-
-# Layer: services
-# Module: cobbler
-#
-# cobbler
-#
-cobbler = module
-
-# Layer: services
-# Module: collectd
-#
-# Statistics collection daemon for filling RRD files
-#
-collectd = module
-
-# Layer: services
-# Module: colord
-#
-# color device daemon
-#
-colord = module
-
-# Layer: services
-# Module: comsat
-#
-# Comsat, a biff server.
-#
-comsat = module
-
-# Layer: services
-# Module: condor
-#
-# policy for condor
-#
-condor = module
-
-# Layer: services
-# Module: conman
-#
-# Conman is a program for connecting to remote consoles being managed by conmand
-#
-conman = module
-
-# Layer: services
-# Module: consolekit
-#
-# ConsoleKit is a system daemon for tracking what users are logged
-#
-consolekit = module
-
-# Layer: services
-# Module: couchdb
-#
-# Apache CouchDB database server
-#
-couchdb = module
-
-# Layer: services
-# Module: courier
-#
-# IMAP and POP3 email servers
-#
-courier = module
-
-# Layer: services
-# Module: cpucontrol
-#
-# Services for loading CPU microcode and CPU frequency scaling.
-#
-cpucontrol = module
-
-# Layer: apps
-# Module: cpufreqselector
-#
-# cpufreqselector executable
-#
-cpufreqselector = module
-
-# Layer: services
-# Module: cron
-#
-# Periodic execution of scheduled commands.
-#
-cron = module
-
-# Layer: services
-# Module: ctdbd
-#
-# Cluster Daemon
-#
-ctdb = module
-
-# Layer: services
-# Module: cups
-#
-# Common UNIX printing system
-#
-cups = module
-
-# Layer: services
-# Module: cvs
-#
-# Concurrent versions system
-#
-cvs = module
-
-# Layer: services
-# Module: cyphesis
-#
-# cyphesis game server
-#
-cyphesis = module
-
-# Layer: services
-# Module: cyrus
-#
-# Cyrus is an IMAP service intended to be run on sealed servers
-#
-cyrus = module
-
-# Layer: system
-# Module: daemontools
-#
-# Collection of tools for managing UNIX services
-#
-daemontools = module
-
-# Layer: role
-# Module: dbadm
-#
-# Minimally prived root role for managing databases
-#
-dbadm = module
-
-# Layer: services
-# Module: dbskk
-#
-# Dictionary server for the SKK Japanese input method system.
-#
-dbskk = module
-
-# Layer: services
-# Module: dbus
-#
-# Desktop messaging bus
-#
-dbus = module
-
-# Layer: services
-# Module: dcc
-#
-# A distributed, collaborative, spam detection and filtering network.
-#
-dcc = module
-
-# Layer: services
-# Module: ddclient
-#
-# Update dynamic IP address at DynDNS.org
-#
-ddclient = module
-
-# Layer: admin
-# Module: ddcprobe
-#
-# ddcprobe retrieves monitor and graphics card information
-#
-ddcprobe = off
-
-# Layer: services
-# Module: denyhosts
-#
-# script to help thwart ssh server attacks
-#
-denyhosts = module
-
-# Layer: services
-# Module: devicekit
-#
-# devicekit-daemon
-#
-devicekit = module
-
-# Layer: services
-# Module: dhcp
-#
-# Dynamic host configuration protocol (DHCP) server
-#
-dhcp = module
-
-# Layer: services
-# Module: dictd
-#
-# Dictionary daemon
-#
-dictd = module
-
-# Layer: services
-# Module: dirsrv-admin
-#
-# An 309 directory admin server
-#
-dirsrv-admin = module
-
-# Layer: services
-# Module: dirsrv
-#
-# An 309 directory server
-#
-dirsrv = module
-
-# Layer: services
-# Module: distcc
-#
-# Distributed compiler daemon
-#
-distcc = off
-
-# Layer: admin
-# Module: dmidecode
-#
-# Decode DMI data for x86/ia64 bioses.
-#
-dmidecode = module
-
-# Layer: services
-# Module: dnsmasq
-#
-# A lightweight DHCP and caching DNS server.
-#
-dnsmasq = module
-
-# Layer: services
-# Module: dnssec
-#
-# A dnssec server application
-#
-dnssec = module
-
-# Layer: services
-# Module: dovecot
-#
-# Dovecot POP and IMAP mail server
-#
-dovecot = module
-
-# Layer: services
-# Module: drbd
-#
-# DRBD mirrors a block device over the network to another machine.
-#
-drbd = module
-
-# Layer: services
-# Module: dspam
-#
-# dspam - library and Mail Delivery Agent for Bayesian SPAM filtering
-#
-dspam = module
-
-# Layer: services
-# Module: entropy
-#
-# Generate entropy from audio input
-#
-entropyd = module
-
-# Layer: services
-# Module: exim
-#
-# exim mail server
-#
-exim = module
-
-# Layer: services
-# Module: fail2ban
-#
-# daiemon that bans IP that makes too many password failures
-#
-fail2ban = module
-
-# Layer: services
-# Module: fcoe
-#
-# fcoe
-#
-fcoe = module
-
-# Layer: services
-# Module: fetchmail
-#
-# Remote-mail retrieval and forwarding utility
-#
-fetchmail = module
-
-# Layer: services
-# Module: finger
-#
-# Finger user information service.
-#
-finger = module
-
-# Layer: services
-# Module: firewalld
-#
-# firewalld is firewall service daemon that provides dynamic customizable
-#
-firewalld = module
-
-# Layer: apps
-# Module: firewallgui
-#
-# policy for system-config-firewall
-#
-firewallgui = module
-
-# Module: firstboot
-#
-# Final system configuration run during the first boot
-# after installation of Red Hat/Fedora systems.
-#
-firstboot = module
-
-# Layer: services
-# Module: fprintd
-#
-# finger print server
-#
-fprintd = module
-
-# Layer: services
-# Module: freqset
-#
-# Utility for CPU frequency scaling
-#
-freqset = module
-
-# Layer: services
-# Module: ftp
-#
-# File transfer protocol service
-#
-ftp = module
-
-# Layer: apps
-# Module: games
-#
-# The Open Group Pegasus CIM/WBEM Server.
-#
-games = module
-
-# Layer: apps
-# Module: gitosis
-#
-# Policy for gitosis
-#
-gitosis = module
-
-# Layer: services
-# Module: git
-#
-# Policy for the stupid content tracker
-#
-git = module
-
-# Layer: services
-# Module: glance
-#
-# Policy for glance
-#
-glance = module
-
-# Layer: contrib
-# Module: glusterd
-#
-# policy for glusterd service
-#
-glusterd = module
-
-# Layer: apps
-# Module: gnome
-#
-# gnome session and gconf
-#
-gnome = module
-
-# Layer: apps
-# Module: gpg
-#
-# Policy for GNU Privacy Guard and related programs.
-#
-gpg = module
-
-# Layer: services
-# Module: gpm
-#
-# General Purpose Mouse driver
-#
-gpm = module
-
-# Module: gpsd
-#
-# gpsd monitor daemon
-#
-#
-gpsd = module
-
-# Module: gssproxy
-#
-# A proxy for GSSAPI credential handling
-#
-#
-gssproxy = module
-
-# Layer: role
-# Module: guest
-#
-# Minimally privs guest account on tty logins
-#
-guest = module
-
-# Layer: role
-# Module: xguest
-#
-# Minimally privs guest account on X Windows logins
-#
-xguest = module
-
-# Layer: services
-# Module: hddtemp
-#
-# hddtemp hard disk temperature tool running as a daemon
-#
-hddtemp = module
-
-# Layer: services
-# Module: hostapd
-#
-# hostapd - IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
-#
-hostapd = module
-
-# Layer: services
-# Module: i18n_input
-#
-# IIIMF htt server
-#
-i18n_input = off
-
-# Layer: services
-# Module: icecast
-#
-# ShoutCast compatible streaming media server
-#
-icecast = module
-
-# Layer: services
-# Module: inetd
-#
-# Internet services daemon.
-#
-inetd = module
-
-# Layer: services
-# Module: inn
-#
-# Internet News NNTP server
-#
-inn = module
-
-# Layer: services
-# Module: lircd
-#
-# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.
-#
-lircd = module
-
-# Layer: apps
-# Module: irc
-#
-# IRC client policy
-#
-irc = module
-
-# Layer: services
-# Module: irqbalance
-#
-# IRQ balancing daemon
-#
-irqbalance = module
-
-# Layer: system
-# Module: iscsi
-#
-# Open-iSCSI daemon
-#
-iscsi = module
-
-# Layer: system
-# Module: isnsd
-#
-#
-#
-isns = module
-
-# Layer: services
-# Module: jabber
-#
-# Jabber instant messaging server
-#
-jabber = module
-
-# Layer: services
-# Module: jetty
-#
-# Java based http server
-#
-jetty = module
-
-# Layer: apps
-# Module: jockey
-#
-# policy for jockey-backend
-#
-jockey = module
-
-# Layer: apps
-# Module: kdumpgui
-#
-# system-config-kdump policy
-#
-kdumpgui = module
-
-# Layer: admin
-# Module: kdump
-#
-# kdump is kernel crash dumping mechanism
-#
-kdump = module
-
-# Layer: services
-# Module: kerberos
-#
-# MIT Kerberos admin and KDC
-#
-kerberos = module
-
-# Layer: services
-# Module: keepalived
-#
-# keepalived - load-balancing and high-availability service
-#
-keepalived = module
-
-# Module: keyboardd
-#
-# system-setup-keyboard is a keyboard layout daemon that monitors
-# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet
-#
-keyboardd = module
-
-# Layer: services
-# Module: keystone
-#
-# openstack-keystone
-#
-keystone = module
-
-# Layer: services
-# Module: kismet
-#
-# Wireless sniffing and monitoring
-#
-kismet = module
-
-# Layer: services
-# Module: ksmtuned
-#
-# Kernel Samepage Merging (KSM) Tuning Daemon
-#
-ksmtuned = module
-
-# Layer: services
-# Module: ktalk
-#
-# KDE Talk daemon
-#
-ktalk = module
-
-# Layer: services
-# Module: l2ltpd
-#
-# Layer 2 Tunnelling Protocol Daemon
-#
-l2tp = module
-
-# Layer: services
-# Module: ldap
-#
-# OpenLDAP directory server
-#
-ldap = module
-
-# Layer: services
-# Module: likewise
-#
-# Likewise Active Directory support for UNIX
-#
-likewise = module
-
-# Layer: apps
-# Module: livecd
-#
-# livecd creator
-#
-livecd = module
-
-# Layer: services
-# Module: lldpad
-#
-# lldpad - Link Layer Discovery Protocol (LLDP) agent daemon
-#
-lldpad = module
-
-# Layer: apps
-# Module: loadkeys
-#
-# Load keyboard mappings.
-#
-loadkeys = module
-
-# Layer: apps
-# Module: lockdev
-#
-# device locking policy for lockdev
-#
-lockdev = module
-
-# Layer: admin
-# Module: logrotate
-#
-# Rotate and archive system logs
-#
-logrotate = module
-
-# Layer: services
-# Module: logwatch
-#
-# logwatch executable
-#
-logwatch = module
-
-# Layer: services
-# Module: lpd
-#
-# Line printer daemon
-#
-lpd = module
-
-# Layer: services
-# Module: mailman
-#
-# Mailman is for managing electronic mail discussion and e-newsletter lists
-#
-mailman = module
-
-# Layer: services
-# Module: mailman
-#
-# Policy for mailscanner
-#
-mailscanner = module
-
-# Layer: apps
-# Module: man2html
-#
-# policy for man2html apps
-#
-man2html = module
-
-# Layer: admin
-# Module: mcelog
-#
-# Policy for mcelog.
-#
-mcelog = module
-
-# Layer: apps
-# Module: mediawiki
-#
-# mediawiki
-#
-mediawiki = module
-
-# Layer: services
-# Module: memcached
-#
-# high-performance memory object caching system
-#
-memcached = module
-
-# Layer: services
-# Module: milter
-#
-#
-#
-milter = module
-
-# Layer: services
-# Module: mip6d
-#
-# UMIP Mobile IPv6 and NEMO Basic Support protocol implementation
-#
-mip6d = module
-
-# Layer: services
-# Module: mock
-#
-# Policy for mock rpm builder
-#
-mock = module
-
-# Layer: services
-# Module: modemmanager
-#
-# Manager for dynamically switching between modems.
-#
-modemmanager = module
-
-# Layer: services
-# Module: mojomojo
-#
-# Wiki server
-#
-mojomojo = module
-
-# Layer: apps
-# Module: mozilla
-#
-# Policy for Mozilla and related web browsers
-#
-mozilla = module
-
-# Layer: services
-# Module: mpd
-#
-# mpd - daemon for playing music
-#
-mpd = module
-
-# Layer: apps
-# Module: mplayer
-#
-# Policy for Mozilla and related web browsers
-#
-mplayer = module
-
-# Layer: admin
-# Module: mrtg
-#
-# Network traffic graphing
-#
-mrtg = module
-
-# Layer: services
-# Module: mta
-#
-# Policy common to all email tranfer agents.
-#
-mta = module
-
-# Layer: services
-# Module: munin
-#
-# Munin
-#
-munin = module
-
-# Layer: services
-# Module: mysql
-#
-# Policy for MySQL
-#
-mysql = module
-
-# Layer: contrib
-# Module: mythtv
-#
-# Policy for Mythtv (Web Server)
-#
-mythtv = module
-
-# Layer: services
-# Module: nagios
-#
-# policy for nagios Host/service/network monitoring program
-#
-nagios = module
-
-# Layer: apps
-# Module: namespace
-#
-# policy for namespace.init script
-#
-namespace = module
-
-# Layer: admin
-# Module: ncftool
-#
-# Tool to modify the network configuration of a system
-#
-ncftool = module
-
-# Layer: services
-# Module: networkmanager
-#
-# Manager for dynamically switching between networks.
-#
-networkmanager = module
-
-# Layer: services
-# Module: ninfod
-#
-# Respond to IPv6 Node Information Queries
-#
-ninfod = module
-
-# Layer: services
-# Module: nis
-#
-# Policy for NIS (YP) servers and clients
-#
-nis = module
-
-# Layer: services
-# Module: nova
-#
-# openstack-nova
-#
-nova = module
-
-# Layer: services
-# Module: nslcd
-#
-# Policy for nslcd
-#
-nslcd = module
-
-# Layer: services
-# Module: ntop
-#
-# Policy for ntop
-#
-ntop = module
-
-# Layer: services
-# Module: ntp
-#
-# Network time protocol daemon
-#
-ntp = module
-
-# Layer: services
-# Module: numad
-#
-# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology
-#
-numad = module
-
-# Layer: services
-# Module: nut
-#
-# nut - Network UPS Tools
-#
-nut = module
-
-# Layer: services
-# Module: nx
-#
-# NX Remote Desktop
-#
-nx = module
-
-# Layer: services
-# Module: obex
-#
-# policy for obex-data-server
-#
-obex = module
-
-# Layer: services
-# Module: oddjob
-#
-# policy for oddjob
-#
-oddjob = module
-
-# Layer: services
-# Module: openct
-#
-# Service for handling smart card readers.
-#
-openct = off
-
-# Layer: service
-# Module: openct
-#
-# Middleware framework for smart card terminals
-#
-openct = module
-
-# Layer: contrib
-# Module: openshift-origin
-#
-# Origin version of openshift policy
-#
-openshift-origin = module
-# Layer: contrib
-# Module: openshift
-#
-# Core openshift policy
-#
-openshift = module
-
-# Layer: services
-# Module: opensm
-#
-# InfiniBand subnet manager and administration (SM/SA)
-#
-opensm = module
-
-# Layer: services
-# Module: openvpn
-#
-# Policy for OPENVPN full-featured SSL VPN solution
-#
-openvpn = module
-
-# Layer: contrib
-# Module: openvswitch
-#
-# SELinux policy for openvswitch programs
-#
-openvswitch = module
-
-# Layer: services
-# Module: openwsman
-#
-# WS-Management Server
-#
-openwsman = module
-
-# Layer: services
-# Module: osad
-#
-# Client-side service written in Python that responds to pings
-#
-osad = module
-
-# Layer: contrib
-# Module: prelude
-#
-# SELinux policy for prelude
-#
-prelude = module
-
-# Layer: contrib
-# Module: prosody
-#
-# SELinux policy for prosody flexible communications server for Jabber/XMPP
-#
-prosody = module
-
-# Layer: services
-# Module: pads
-#
-pads = module
-
-# Layer: services
-# Module: passenger
-#
-# Passenger
-#
-passenger = module
-
-# Layer: system
-# Module: pcmcia
-#
-# PCMCIA card management services
-#
-pcmcia = module
-
-# Layer: service
-# Module: pcscd
-#
-# PC/SC Smart Card Daemon
-#
-pcscd = module
-
-# Layer: services
-# Module: pdns
-#
-# PowerDNS DNS server
-#
-pdns = module
-
-# Layer: services
-# Module: pegasus
-#
-# The Open Group Pegasus CIM/WBEM Server.
-#
-pegasus = module
-
-# Layer: services
-# Module: pingd
-#
-#
-pingd = module
-
-# Layer: services
-# Module: piranha
-#
-# piranha - various tools to administer and configure the Linux Virtual Server
-#
-piranha = module
-
-# Layer: contrib
-# Module: pkcs
-#
-# daemon manages PKCS#11 objects between PKCS#11-enabled applications
-#
-pkcs = module
-
-# Layer: services
-# Module: plymouthd
-#
-# Plymouth
-#
-plymouthd = module
-
-# Layer: apps
-# Module: podsleuth
-#
-# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
-#
-podsleuth = module
-
-# Layer: services
-# Module: policykit
-#
-# Hardware abstraction layer
-#
-policykit = module
-
-# Layer: services
-# Module: polipo
-#
-# polipo
-#
-polipo = module
-
-# Layer: services
-# Module: portmap
-#
-# RPC port mapping service.
-#
-portmap = module
-
-# Layer: services
-# Module: portreserve
-#
-# reserve ports to prevent portmap mapping them
-#
-portreserve = module
-
-# Layer: services
-# Module: postfix
-#
-# Postfix email server
-#
-postfix = module
-
-# Layer: services
-# Module: postgrey
-#
-# email scanner
-#
-postgrey = module
-
-# Layer: services
-# Module: ppp
-#
-# Point to Point Protocol daemon creates links in ppp networks
-#
-ppp = module
-
-# Layer: admin
-# Module: prelink
-#
-# Manage temporary directory sizes and file ages
-#
-prelink = module
-
-# Layer: services
-# Module: privoxy
-#
-# Privacy enhancing web proxy.
-#
-privoxy = module
-
-# Layer: services
-# Module: procmail
-#
-# Procmail mail delivery agent
-#
-procmail = module
-
-# Layer: services
-# Module: psad
-#
-# Analyze iptables log for hostile traffic
-#
-psad = module
-
-# Layer: apps
-# Module: ptchown
-#
-# helper function for grantpt(3), changes ownship and permissions of pseudotty
-#
-ptchown = module
-
-# Layer: apps
-# Module: pulseaudio
-#
-# The PulseAudio Sound System
-#
-pulseaudio = module
-
-# Layer: services
-# Module: puppet
-#
-# A network tool for managing many disparate systems
-#
-puppet = module
-
-# Layer: apps
-# Module: pwauth
-#
-# External plugin for mod_authnz_external authenticator
-#
-pwauth = module
-
-# Layer: services
-# Module: qmail
-#
-# Policy for qmail
-#
-qmail = module
-
-# Layer: services
-# Module: qpidd
-#
-# Policy for qpidd
-#
-qpid = module
-
-# Layer: services
-# Module: quantum
-#
-# Quantum is a virtual network service for Openstack
-#
-quantum = module
-
-# Layer: admin
-# Module: quota
-#
-# File system quota management
-#
-quota = module
-
-# Layer: services
-# Module: rabbitmq
-#
-# rabbitmq daemons
-#
-rabbitmq = module
-
-# Layer: services
-# Module: radius
-#
-# RADIUS authentication and accounting server.
-#
-radius = module
-
-# Layer: services
-# Module: radvd
-#
-# IPv6 router advertisement daemon
-#
-radvd = module
-
-# Layer: system
-# Module: raid
-#
-# RAID array management tools
-#
-raid = module
-
-# Layer: services
-# Module: rasdaemon
-#
-# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing
-#
-rasdaemon = module
-
-# Layer: services
-# Module: rdisc
-#
-# Network router discovery daemon
-#
-rdisc = module
-
-# Layer: admin
-# Module: readahead
-#
-# Readahead, read files into page cache for improved performance
-#
-readahead = module
-
-# Layer: contrib
-# Module: stapserver
-#
-# dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA
-#
-realmd = module
-
-# Layer: services
-# Module: remotelogin
-#
-# Policy for rshd, rlogind, and telnetd.
-#
-remotelogin = module
-
-# Layer: services
-# Module: rhcs
-#
-# RHCS - Red Hat Cluster Suite
-#
-rhcs = module
-
-# Layer: services
-# Module: rhev
-#
-# rhev policy module contains policies for rhev apps
-#
-rhev = module
-
-# Layer: services
-# Module: rhgb
-#
-# X windows login display manager
-#
-rhgb = module
-
-# Layer: services
-# Module: rhsmcertd
-#
-# Subscription Management Certificate Daemon policy
-#
-rhsmcertd = module
-
-# Layer: services
-# Module: ricci
-#
-# policy for ricci
-#
-ricci = module
-
-# Layer: services
-# Module: rlogin
-#
-# Remote login daemon
-#
-rlogin = module
-
-# Layer: services
-# Module: roundup
-#
-# Roundup Issue Tracking System policy
-#
-roundup = module
-
-# Layer: services
-# Module: rpcbind
-#
-# universal addresses to RPC program number mapper
-#
-rpcbind = module
-
-# Layer: services
-# Module: rpc
-#
-# Remote Procedure Call Daemon for managment of network based process communication
-#
-rpc = module
-
-# Layer: services
-# Module: rshd
-#
-# Remote shell service.
-#
-rshd = module
-
-# Layer: apps
-# Module: rssh
-#
-# Restricted (scp/sftp) only shell
-#
-rssh = module
-
-# Layer: services
-# Module: rsync
-#
-# Fast incremental file transfer for synchronization
-#
-rsync = module
-
-# Layer: services
-# Module: rtkit
-#
-# Real Time Kit Daemon
-#
-rtkit = module
-
-# Layer: services
-# Module: rwho
-#
-# who is logged in on local machines
-#
-rwho = module
-
-# Layer: apps
-# Module: sambagui
-#
-# policy for system-config-samba
-#
-sambagui = module
-
-#
-# SMB and CIFS client/server programs for UNIX and
-# name Service Switch daemon for resolving names
-# from Windows NT servers.
-#
-samba = module
-
-# Layer: apps
-# Module: sandbox
-#
-# Policy for running apps within a sandbox
-#
-sandbox = module
-
-# Layer: apps
-# Module: sandbox
-#
-# Policy for running apps within a X sandbox
-#
-sandboxX = module
-
-# Layer: services
-# Module: sanlock
-#
-# sanlock policy
-#
-sanlock = module
-
-# Layer: services
-# Module: sasl
-#
-# SASL authentication server
-#
-sasl = module
-
-# Layer: services
-# Module: sblim
-#
-# sblim
-#
-sblim = module
-
-# Layer: apps
-# Module: screen
-#
-# GNU terminal multiplexer
-#
-screen = module
-
-# Layer: admin
-# Module: sectoolm
-#
-# Policy for sectool-mechanism
-#
-sectoolm = module
-
-# Layer: services
-# Module: sendmail
-#
-# Policy for sendmail.
-#
-sendmail = module
-
-# Layer: contrib
-# Module: sensord
-#
-# Sensor information logging daemon
-#
-sensord = module
-
-# Layer: services
-# Module: setroubleshoot
-#
-# Policy for the SELinux troubleshooting utility
-#
-setroubleshoot = module
-
-# Layer: services
-# Module: sge
-#
-# policy for grindengine MPI jobs
-#
-sge = module
-
-# Layer: admin
-# Module: shorewall
-#
-# Policy for shorewall
-#
-shorewall = module
-
-# Layer: apps
-# Module: slocate
-#
-# Update database for mlocate
-#
-slocate = module
-
-# Layer: contrib
-# Module: slpd
-#
-# OpenSLP server daemon to dynamically register services
-#
-slpd = module
-
-# Layer: services
-# Module: slrnpull
-#
-# Service for downloading news feeds the slrn newsreader.
-#
-slrnpull = off
-
-# Layer: services
-# Module: smartmon
-#
-# Smart disk monitoring daemon policy
-#
-smartmon = module
-
-# Layer: services
-# Module: smokeping
-#
-# Latency Logging and Graphing System
-#
-smokeping = module
-
-# Layer: admin
-# Module: smoltclient
-#
-#The Fedora hardware profiler client
-#
-smoltclient = module
-
-# Layer: services
-# Module: snmp
-#
-# Simple network management protocol services
-#
-snmp = module
-
-# Layer: services
-# Module: snort
-#
-# Snort network intrusion detection system
-#
-snort = module
-
-# Layer: admin
-# Module: sosreport
-#
-# sosreport debuggin information generator
-#
-sosreport = module
-
-# Layer: services
-# Module: soundserver
-#
-# sound server for network audio server programs, nasd, yiff, etc
-#
-soundserver = module
-
-# Layer: services
-# Module: spamassassin
-#
-# Filter used for removing unsolicited email.
-#
-spamassassin = module
-
-# Layer: services
-# Module: speech-dispatcher
-#
-# speech-dispatcher - server process managing speech requests in Speech Dispatcher
-#
-speech-dispatcher = module
-
-# Layer: services
-# Module: squid
-#
-# Squid caching http proxy server
-#
-squid = module
-
-# Layer: services
-# Module: sssd
-#
-# System Security Services Daemon
-#
-sssd = module
-
-# Layer: services
-# Module: sslh
-#
-# Applicative protocol(SSL/SSH) multiplexer
-#
-sslh = module
-
-# Layer: contrib
-# Module: stapserver
-#
-# Instrumentation System Server
-#
-stapserver = module
-
-# Layer: services
-# Module: stunnel
-#
-# SSL Tunneling Proxy
-#
-stunnel = module
-
-# Layer: services
-# Module: svnserve
-#
-# policy for subversion service
-#
-svnserve = module
-
-# Layer: services
-# Module: swift
-#
-# openstack-swift
-#
-swift = module
-
-# Layer: services
-# Module: sysstat
-#
-# Policy for sysstat. Reports on various system states
-#
-sysstat = module
-
-# Layer: services
-# Module: tcpd
-#
-# Policy for TCP daemon.
-#
-tcpd = module
-
-# Layer: services
-# Module: tcsd
-#
-# tcsd - daemon that manages Trusted Computing resources
-#
-tcsd = module
-
-# Layer: apps
-# Module: telepathy
-#
-# telepathy - Policy for Telepathy framework
-#
-telepathy = module
-
-# Layer: services
-# Module: telnet
-#
-# Telnet daemon
-#
-telnet = module
-
-# Layer: services
-# Module: tftp
-#
-# Trivial file transfer protocol daemon
-#
-tftp = module
-
-# Layer: services
-# Module: tgtd
-#
-# Linux Target Framework Daemon.
-#
-tgtd = module
-
-# Layer: apps
-# Module: thumb
-#
-# Thumbnailer confinement
-#
-thumb = module
-
-# Layer: services
-# Module: timidity
-#
-# MIDI to WAV converter and player configured as a service
-#
-timidity = off
-
-# Layer: admin
-# Module: tmpreaper
-#
-# Manage temporary directory sizes and file ages
-#
-tmpreaper = module
-
-# Layer: contrib
-# Module: glusterd
-#
-# policy for tomcat service
-#
-tomcat = module
-# Layer: services
-# Module: tor
-#
-# TOR, the onion router
-#
-tor = module
-
-# Layer: services
-# Module: tuned
-#
-# Dynamic adaptive system tuning daemon
-#
-tuned = module
-
-# Layer: apps
-# Module: tvtime
-#
-# tvtime - a high quality television application
-#
-tvtime = module
-
-# Layer: services
-# Module: ulogd
-#
-# netfilter/iptables ULOG daemon
-#
-ulogd = module
-
-# Layer: apps
-# Module: uml
-#
-# Policy for UML
-#
-uml = module
-
-# Layer: admin
-# Module: updfstab
-#
-# Red Hat utility to change /etc/fstab.
-#
-updfstab = module
-
-# Layer: admin
-# Module: usbmodules
-#
-# List kernel modules of USB devices
-#
-usbmodules = module
-
-# Layer: services
-# Module: usbmuxd
-#
-# Daemon for communicating with Apple's iPod Touch and iPhone
-#
-usbmuxd = module
-
-# Layer: apps
-# Module: userhelper
-#
-# A helper interface to pam.
-#
-userhelper = module
-
-# Layer: apps
-# Module: usernetctl
-#
-# User network interface configuration helper
-#
-usernetctl = module
-
-# Layer: services
-# Module: uucp
-#
-# Unix to Unix Copy
-#
-uucp = module
-
-# Layer: services
-# Module: uuidd
-#
-# UUID generation daemon
-#
-uuidd = module
-
-# Layer: services
-# Module: varnishd
-#
-# Varnishd http accelerator daemon
-#
-varnishd = module
-
-# Layer: services
-# Module: vdagent
-#
-# vdagent
-#
-vdagent = module
-
-# Layer: services
-# Module: vhostmd
-#
-# vhostmd - spice guest agent daemon.
-#
-vhostmd = module
-
-# Layer: services
-# Module: virt
-#
-# Virtualization libraries
-#
-virt = module
-
-# Layer: apps
-# Module: vhostmd
-#
-# vlock - Virtual Console lock program
-#
-vlock = module
-
-# Layer: services
-# Module: vmtools
-#
-# VMware Tools daemon
-#
-vmtools = module
-
-# Layer: apps
-# Module: vmware
-#
-# VMWare Workstation virtual machines
-#
-vmware = module
-
-# Layer: services
-# Module: vnstatd
-#
-# Network traffic Monitor
-#
-vnstatd = module
-
-# Layer: admin
-# Module: vpn
-#
-# Virtual Private Networking client
-#
-vpn = module
-
-# Layer: services
-# Module: w3c
-#
-# w3c
-#
-w3c = module
-
-# Layer: services
-# Module: wdmd
-#
-# wdmd policy
-#
-wdmd = module
-
-# Layer: role
-# Module: webadm
-#
-# Minimally prived root role for managing apache
-#
-webadm = module
-
-# Layer: apps
-# Module: webalizer
-#
-# Web server log analysis
-#
-webalizer = module
-
-# Layer: apps
-# Module: wine
-#
-# wine executable
-#
-wine = module
-
-# Layer: apps
-# Module: wireshark
-#
-# wireshark executable
-#
-wireshark = module
-
-# Layer: system
-# Module: xen
-#
-# virtualization software
-#
-xen = module
-
-# Layer: services
-# Module: zabbix
-#
-# Open-source monitoring solution for your IT infrastructure
-#
-zabbix = module
-
-# Layer: services
-# Module: zarafa
-#
-# Zarafa Collaboration Platform
-#
-zarafa = module
-
-# Layer: services
-# Module: zebra
-#
-# Zebra border gateway protocol network routing service
-#
-zebra = module
-
-# Layer: services
-# Module: zoneminder
-#
-# Zoneminder Camera Security Surveillance Solution
-#
-zoneminder = module
-
-# Layer: services
-# Module: zosremote
-#
-# policy for z/OS Remote-services Audit dispatcher plugin
-#
-zosremote = module
-
-# Layer: contrib
-# Module: thin
-#
-# Policy for thin
-#
-thin = module
-
-# Layer: contrib
-# Module: mandb
-#
-# Policy for mandb
-#
-mandb = module
-
-# Layer: services
-# Module: pki
-#
-# policy for pki
-#
-pki = module
-
-# Layer: services
-# Module: smsd
-#
-# policy for smsd
-#
-smsd = module
-
-# Layer: contrib
-# Module: pesign
-#
-# policy for pesign
-#
-pesign = module
-
-# Layer: contrib
-# Module: nsd
-#
-# Fast and lean authoritative DNS Name Server
-#
-nsd = module
-
-# Layer: contrib
-# Module: iodine
-#
-# Fast and lean authoritative DNS Name Server
-#
-iodine = module
-
-# Layer: contrib
-# Module: openhpid
-#
-# OpenHPI daemon runs as a background process and accepts connecti
-#
-openhpid = module
-
-# Layer: contrib
-# Module: watchdog
-#
-# Watchdog policy
-#
-watchdog = module
-
-# Layer: contrib
-# Module: oracleasm
-#
-# oracleasm policy
-#
-oracleasm = module
-
-# Layer: contrib
-# Module: redis
-#
-# redis policy
-#
-redis = module
-
-# Layer: contrib
-# Module: hypervkvp
-#
-# hypervkvp policy
-#
-hypervkvp = module
-
-# Layer: contrib
-# Module: lsm
-#
-# lsm policy
-#
-lsm = module
-
-# Layer: contrib
-# Module: motion
-#
-# Daemon for detect motion using a video4linux device
-motion = module
-
-# Layer: contrib
-# Module: rtas
-#
-# rtas policy
-#
-rtas = module
-
-# Layer: contrib
-# Module: journalctl
-#
-# journalctl policy
-#
-journalctl = module
-
-# Layer: contrib
-# Module: gdomap
-#
-# gdomap policy
-#
-gdomap = module
-
-# Layer: contrib
-# Module: minidlna
-#
-# minidlna policy
-#
-minidlna = module
-
-# Layer: contrib
-# Module: minissdpd
-#
-# minissdpd policy
-#
-minissdpd = module
-
-# Layer: contrib
-# Module: freeipmi
-#
-# Remote-Console (out-of-band) and System Management Software (in-band)
-# based on IntelligentPlatform Management Interface specification
-#
-freeipmi = module
-
-# Layer: contrib
-# Module: mirrormanager
-#
-# mirrormanager policy
-#
-mirrormanager = module
-
-# Layer: contrib
-# Module: snapper
-#
-# snapper policy
-#
-snapper = module
-
-# Layer: contrib
-# Module: pcp
-#
-# pcp policy
-#
-pcp = module
-
-# Layer: contrib
-# Module: geoclue
-#
-# Add policy for Geoclue. Geoclue is a D-Bus service that provides location information
-#
-geoclue = module
-
-# Layer: contrib
-# Module: rkhunter
-#
-# rkhunter policy for /var/lib/rkhunter
-#
-rkhunter = module
-
-# Layer: contrib
-# Module: bacula
-#
-# bacula policy
-#
-bacula = module
-
-# Layer: contrib
-# Module: rhnsd
-#
-# rhnsd policy
-#
-rhnsd = module
-
-# Layer: contrib
-# Module: mongodb
-#
-# mongodb policy
-#
-
-mongodb = module
-
-# Layer: contrib
-# Module: iotop
-#
-# iotop policy
-#
-
-iotop = module
-
-# Layer: contrib
-# Module: kmscon
-#
-# kmscon policy
-#
-
-kmscon = module
-
-# Layer: contrib
-# Module: naemon
-#
-# naemon policy
-#
-naemon = module
-
-# Layer: contrib
-# Module: brltty
-#
-# brltty policy
-#
-brltty = module
-
-# Layer: contrib
-# Module: cpuplug
-#
-# cpuplug policy
-#
-cpuplug = module
-
-# Layer: contrib
-# Module: mon_statd
-#
-# mon_statd policy
-#
-mon_statd = module
-
-# Layer: contrib
-# Module: cinder
-#
-# openstack-cinder policy
-#
-cinder = module
-
-# Layer: contrib
-# Module: linuxptp
-#
-# linuxptp policy
-#
-linuxptp = module
-
-# Layer: contrib
-# Module: rolekit
-#
-# rolekit policy
-#
-rolekit = module
-
-# Layer: contrib
-# Module: targetd
-#
-# targetd policy
-#
-targetd = module
-
-# Layer: contrib
-# Module: hsqldb
-#
-# Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes.
-#
-hsqldb = module
-
-# Layer: contrib
-# Module: blkmapd
-#
-# The blkmapd daemon performs device discovery and mapping for pNFS block layout client.
-#
-blkmapd = module
-
-# Layer: contrib
-# Module: pkcs11proxyd
-#
-# pkcs11proxyd policy
-#
-pkcs11proxyd = module
-
-# Layer: contrib
-# Module: ipmievd
-#
-# IPMI event daemon for sending events to syslog
-#
-ipmievd = module
-
-# Layer: contrib
-# Module: openfortivpn
-#
-# Fortinet compatible SSL VPN daemons.
-#
-openfortivpn = module
-
-# Layer: contrib
-# Module: fwupd
-#
-# fwupd is a daemon to allow session software to update device firmware.
-#
-fwupd = module
-
-# Layer: contrib
-# Module: lttng-tools
-#
-# LTTng 2.x central tracing registry session daemon.
-#
-lttng-tools = module
-
-# Layer: contrib
-# Module: rkt
-#
-# CLI for running app containers
-#
-rkt = module
-
-# Layer: contrib
-# Module: opendnssec
-#
-# opendnssec
-#
-opendnssec = module
-
-# Layer: contrib
-# Module: hwloc
-#
-# hwloc
-#
-hwloc = module
-
-# Layer: contrib
-# Module: sbd
-#
-# sbd
-#
-sbd = module
-
-# Layer: contrib
-# Module: tlp
-#
-# tlp
-#
-tlp = module
-
-# Layer: contrib
-# Module: conntrackd
-#
-# conntrackd
-#
-conntrackd = module
-
-# Layer: contrib
-# Module: tangd
-#
-# tangd
-#
-tangd = module
-
-# Layer: contrib
-# Module: ibacm
-#
-# ibacm
-#
-ibacm = module
-
-# Layer: contrib
-# Module: opafm
-#
-# opafm
-#
-opafm = module
-
-# Layer: contrib
-# Module: boltd
-#
-# boltd
-#
-boltd = module
-
-# Layer: contrib
-# Module: kpatch
-#
-# kpatch
-#
-kpatch = module
diff --git a/modules-minimum-disable.lst b/modules-minimum-disable.lst
deleted file mode 100644
index b3fe239..0000000
--- a/modules-minimum-disable.lst
+++ /dev/null
@@ -1 +0,0 @@
-abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd 
thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs
diff --git a/modules-minimum.lst b/modules-minimum.lst
new file mode 100644
index 0000000..e696b6f
--- /dev/null
+++ b/modules-minimum.lst
@@ -0,0 +1,52 @@
+apache
+application
+auditadm
+authlogin
+base
+bootloader
+clock
+dbus
+dmesg
+fstools
+getty
+hostname
+inetd
+init
+ipsec
+iptables
+kerberos
+libraries
+locallogin
+logadm
+logging
+lvm
+miscfiles
+modutils
+mount
+mta
+netlabel
+netutils
+nis
+postgresql
+rpm
+secadm
+selinuxutil
+setrans
+seunshare
+snapper
+ssh
+staff
+su
+sudo
+sysadm
+sysadm_secadm
+sysnetwork
+systemd
+udev
+unconfined
+unconfineduser
+unlabelednet
+unprivuser
+userdomain
+usermanage
+xserver
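Review bot: Nothing in the new modules-minimum.lst says how the build consumes it, and eight of its entries (`apache`, `dbus`, `inetd`, `kerberos`, `mta`, `nis`, `rpm`, `unprivuser`) also appear in the modules-minimum-disable.lst that this same commit deletes. If the new file is the set of modules left enabled in the minimum policy, which is not visible from this diff, those eight change state, and that should be confirmed as intended because it alters which services have their policy module loaded on a minimum install. The commit description, or the place that reads the list, should record the meaning in one line, for example `modules-minimum.lst: modules kept enabled in the minimum policy, one name per line`. Whether the list format itself accepts comment lines is not shown, so the explanation may have to live outside the file.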
diff --git a/modules-mls-base.conf b/modules-mls-base.conf
deleted file mode 100644
index 29a3aa7..0000000
--- a/modules-mls-base.conf
+++ /dev/null
@@ -1,380 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-#
-bootloader = module
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-#
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-#
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-#
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-#
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-#
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-#
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-#
-seunshare = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-#
-corecommands = base
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-#
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-#
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-#
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-#
-files = base
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-#
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-#
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-#
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-#
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-#
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-#
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-#
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-#
-#
-ubac = base
-
-# Layer: kernel
-# Module: unlabelednet
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-#
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-#
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-#
-secadm = module
-
-# Layer:role
-# Module: staff
-#
-# admin account
-#
-staff = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-#
-sysadm_secadm = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-#
-sysadm = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-#
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-#
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-#
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-#
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-#
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-#
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-#
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-#
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-#
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-#
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-#
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-#
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-#
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-#
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-#
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-#
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-#
-lvm = module
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-#
-miscfiles = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-#
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-#
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-#
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-#
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-#
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-#
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-#
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-#
-udev = module
diff --git a/modules-mls-contrib.conf b/modules-mls-contrib.conf
deleted file mode 100644
index 509900e..0000000
--- a/modules-mls-contrib.conf
+++ /dev/null
@@ -1,1581 +0,0 @@
-# Layer: services
-# Module: accountsd
-#
-# An application to view and modify user accounts information
-#
-accountsd = module
-
-# Layer: admin
-# Module: acct
-#
-# Berkeley process accounting
-#
-acct = module
-
-# Layer: services
-# Module: afs
-#
-# Andrew Filesystem server
-#
-afs = module
-
-# Layer: services
-# Module: aide
-#
-# Policy for aide
-#
-aide = module
-
-# Layer: admin
-# Module: alsa
-#
-# Ainit ALSA configuration tool
-#
-alsa = module
-
-# Layer: admin
-# Module: amanda
-#
-# Automated backup program.
-#
-amanda = module
-
-# Layer: contrib
-# Module: antivirus
-#
-# Anti-virus
-#
-antivirus = module
-
-# Layer: admin
-# Module: amtu
-#
-# Abstract Machine Test Utility (AMTU)
-#
-amtu = module
-
-# Layer: admin
-# Module: anaconda
-#
-# Policy for the Anaconda installer.
-#
-anaconda = module
-
-# Layer: services
-# Module: apache
-#
-# Apache web server
-#
-apache = module
-
-# Layer: services
-# Module: apcupsd
-#
-# daemon for most APC’s UPS for Linux
-#
-apcupsd = module
-
-# Layer: services
-# Module: apm
-#
-# Advanced power management daemon
-#
-apm = module
-
-# Layer: services
-# Module: arpwatch
-#
-# Ethernet activity monitor.
-#
-arpwatch = module
-
-# Layer: services
-# Module: automount
-#
-# Filesystem automounter service.
-#
-automount = module
-
-# Layer: services
-# Module: avahi
-#
-# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
-#
-avahi = module
-
-# Layer: modules
-# Module: awstats
-#
-# awstats executable
-#
-awstats = module
-
-# Layer: services
-# Module: bind
-#
-# Berkeley internet name domain DNS server.
-#
-bind = module
-
-# Layer: services
-# Module: bitlbee
-#
-# An IRC to other chat networks gateway
-#
-bitlbee = module
-
-# Layer: services
-# Module: bluetooth
-#
-# Bluetooth tools and system services.
-#
-bluetooth = module
-
-# Layer: services
-# Module: boinc
-#
-# Berkeley Open Infrastructure for Network Computing
-#
-boinc = module
-
-# Layer: system
-# Module: brctl
-#
-# Utilities for configuring the linux ethernet bridge
-#
-brctl = module
-
-# Layer: services
-# Module: bugzilla
-#
-# Bugzilla server
-#
-bugzilla = module
-
-# Layer: services
-# Module: cachefilesd
-#
-# CacheFiles userspace management daemon
-#
-cachefilesd = module
-
-# Module: calamaris
-#
-#
-# Squid log analysis
-#
-calamaris = module
-
-# Layer: services
-# Module: canna
-#
-# Canna - kana-kanji conversion server
-#
-canna = module
-
-# Layer: services
-# Module: ccs
-#
-# policy for ccs
-#
-ccs = module
-
-# Layer: apps
-# Module: cdrecord
-#
-# Policy for cdrecord
-#
-cdrecord = module
-
-# Layer: admin
-# Module: certmaster
-#
-# Digital Certificate master
-#
-certmaster = module
-
-# Layer: services
-# Module: certmonger
-#
-# Certificate status monitor and PKI enrollment client
-#
-certmonger = module
-
-# Layer: admin
-# Module: certwatch
-#
-# Digital Certificate Tracking
-#
-certwatch = module
-
-# Layer: services
-# Module: cgroup
-#
-# Tools and libraries to control and monitor control groups
-#
-cgroup = module
-
-# Layer: apps
-# Module: chrome
-#
-# chrome sandbox
-#
-chrome = module
-
-# Layer: services
-# Module: chronyd
-#
-# Daemon for maintaining clock time
-#
-chronyd = module
-
-# Layer: services
-# Module: cipe
-#
-# Encrypted tunnel daemon
-#
-cipe = module
-
-# Layer: services
-# Module: clogd
-#
-# clogd - clustered mirror log server
-#
-clogd = module
-
-# Layer: services
-# Module: cmirrord
-#
-# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
-#
-cmirrord = module
-
-# Layer: services
-# Module: colord
-#
-# color device daemon
-#
-colord = module
-
-# Layer: services
-# Module: comsat
-#
-# Comsat, a biff server.
-#
-comsat = module
-
-# Layer: services
-# Module: courier
-#
-# IMAP and POP3 email servers
-#
-courier = module
-
-# Layer: services
-# Module: cpucontrol
-#
-# Services for loading CPU microcode and CPU frequency scaling.
-#
-cpucontrol = module
-
-# Layer: apps
-# Module: cpufreqselector
-#
-# cpufreqselector executable
-#
-cpufreqselector = module
-
-# Layer: services
-# Module: cron
-#
-# Periodic execution of scheduled commands.
-#
-cron = module
-
-# Layer: services
-# Module: cups
-#
-# Common UNIX printing system
-#
-cups = module
-
-# Layer: services
-# Module: cvs
-#
-# Concurrent versions system
-#
-cvs = module
-
-# Layer: services
-# Module: cyphesis
-#
-# cyphesis game server
-#
-cyphesis = module
-
-# Layer: services
-# Module: cyrus
-#
-# Cyrus is an IMAP service intended to be run on sealed servers
-#
-cyrus = module
-
-# Layer: system
-# Module: daemontools
-#
-# Collection of tools for managing UNIX services
-#
-daemontools = module
-
-# Layer: role
-# Module: dbadm
-#
-# Minimally prived root role for managing databases
-#
-dbadm = module
-
-# Layer: services
-# Module: dbskk
-#
-# Dictionary server for the SKK Japanese input method system.
-#
-dbskk = module
-
-# Layer: services
-# Module: dbus
-#
-# Desktop messaging bus
-#
-dbus = module
-
-# Layer: services
-# Module: dcc
-#
-# A distributed, collaborative, spam detection and filtering network.
-#
-dcc = module
-
-# Layer: admin
-# Module: ddcprobe
-#
-# ddcprobe retrieves monitor and graphics card information
-#
-ddcprobe = off
-
-# Layer: services
-# Module: devicekit
-#
-# devicekit-daemon
-#
-devicekit = module
-
-# Layer: services
-# Module: dhcp
-#
-# Dynamic host configuration protocol (DHCP) server
-#
-dhcp = module
-
-# Layer: services
-# Module: dictd
-#
-# Dictionary daemon
-#
-dictd = module
-
-# Layer: services
-# Module: distcc
-#
-# Distributed compiler daemon
-#
-distcc = off
-
-# Layer: admin
-# Module: dmidecode
-#
-# Decode DMI data for x86/ia64 bioses.
-#
-dmidecode = module
-
-# Layer: services
-# Module: dnsmasq
-#
-# A lightweight DHCP and caching DNS server.
-#
-dnsmasq = module
-
-# Layer: services
-# Module: dnssec
-#
-# A dnssec server application
-#
-dnssec = module
-
-# Layer: services
-# Module: dovecot
-#
-# Dovecot POP and IMAP mail server
-#
-dovecot = module
-
-# Layer: services
-# Module: entropy
-#
-# Generate entropy from audio input
-#
-entropyd = module
-
-# Layer: services
-# Module: exim
-#
-# exim mail server
-#
-exim = module
-
-# Layer: services
-# Module: fail2ban
-#
-# daiemon that bans IP that makes too many password failures
-#
-fail2ban = module
-
-# Layer: services
-# Module: fetchmail
-#
-# Remote-mail retrieval and forwarding utility
-#
-fetchmail = module
-
-# Layer: services
-# Module: finger
-#
-# Finger user information service.
-#
-finger = module
-
-# Layer: services
-# Module: firewalld
-#
-# firewalld is firewall service daemon that provides dynamic customizable
-#
-firewalld = module
-
-# Layer: apps
-# Module: firewallgui
-#
-# policy for system-config-firewall
-#
-firewallgui = module
-
-# Module: firstboot
-#
-# Final system configuration run during the first boot
-# after installation of Red Hat/Fedora systems.
-#
-firstboot = module
-
-# Layer: services
-# Module: fprintd
-#
-# finger print server
-#
-fprintd = module
-
-# Layer: services
-# Module: ftp
-#
-# File transfer protocol service
-#
-ftp = module
-
-# Layer: apps
-# Module: games
-#
-# The Open Group Pegasus CIM/WBEM Server.
-#
-games = module
-
-# Layer: apps
-# Module: gitosis
-#
-# Policy for gitosis
-#
-gitosis = module
-
-# Layer: services
-# Module: git
-#
-# Policy for the stupid content tracker
-#
-git = module
-
-# Layer: services
-# Module: glance
-#
-# Policy for glance
-#
-glance = module
-
-# Layer: apps
-# Module: gnome
-#
-# gnome session and gconf
-#
-gnome = module
-
-# Layer: apps
-# Module: gpg
-#
-# Policy for Mozilla and related web browsers
-#
-gpg = module
-
-# Layer: services
-# Module: gpm
-#
-# General Purpose Mouse driver
-#
-gpm = module
-
-# Module: gpsd
-#
-# gpsd monitor daemon
-#
-#
-gpsd = module
-
-# Module: gssproxy
-#
-# A proxy for GSSAPI credential handling
-#
-#
-gssproxy = module
-
-# Layer: role
-# Module: guest
-#
-# Minimally privs guest account on tty logins
-#
-guest = module
-
-# Layer: services
-# Module: i18n_input
-#
-# IIIMF htt server
-#
-i18n_input = off
-
-# Layer: services
-# Module: inetd
-#
-# Internet services daemon.
-#
-inetd = module
-
-# Layer: services
-# Module: inn
-#
-# Internet News NNTP server
-#
-inn = module
-
-# Layer: apps
-# Module: irc
-#
-# IRC client policy
-#
-irc = module
-
-# Layer: services
-# Module: irqbalance
-#
-# IRQ balancing daemon
-#
-irqbalance = module
-
-# Layer: system
-# Module: iscsi
-#
-# Open-iSCSI daemon
-#
-iscsi = module
-
-# Layer: services
-# Module: jabber
-#
-# Jabber instant messaging server
-#
-jabber = module
-
-# Layer: apps
-# Module: kdumpgui
-#
-# system-config-kdump policy
-#
-kdumpgui = module
-
-# Layer: admin
-# Module: kdump
-#
-# kdump is kernel crash dumping mechanism
-#
-kdump = module
-
-# Layer: services
-# Module: kerberos
-#
-# MIT Kerberos admin and KDC
-#
-kerberos = module
-
-# Layer: services
-# Module: kismet
-#
-# Wireless sniffing and monitoring
-#
-kismet = module
-
-# Layer: services
-# Module: ktalk
-#
-# KDE Talk daemon
-#
-ktalk = module
-
-# Layer: services
-# Module: ldap
-#
-# OpenLDAP directory server
-#
-ldap = module
-
-# Layer: services
-# Module: lircd
-#
-# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.
-#
-lircd = module
-
-# Layer: apps
-# Module: loadkeys
-#
-# Load keyboard mappings.
-#
-loadkeys = module
-
-# Layer: apps
-# Module: lockdev
-#
-# device locking policy for lockdev
-#
-lockdev = module
-
-# Layer: admin
-# Module: logrotate
-#
-# Rotate and archive system logs
-#
-logrotate = module
-
-# Layer: services
-# Module: logwatch
-#
-# logwatch executable
-#
-logwatch = module
-
-# Layer: services
-# Module: lpd
-#
-# Line printer daemon
-#
-lpd = module
-
-# Layer: services
-# Module: lsm
-#
-# lsm policy
-#
-lsm = module
-
-# Layer: services
-# Module: mailman
-#
-# Mailman is for managing electronic mail discussion and e-newsletter lists
-#
-mailman = module
-
-# Layer: admin
-# Module: mcelog
-#
-# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines.
-#
-mcelog = module
-
-# Layer: services
-# Module: memcached
-#
-# high-performance memory object caching system
-#
-memcached = module
-
-# Layer: services
-# Module: milter
-#
-#
-#
-milter = module
-
-# Layer: services
-# Module: modemmanager
-#
-# Manager for dynamically switching between modems.
-#
-modemmanager = module
-
-# Layer: services
-# Module: mojomojo
-#
-# Wiki server
-#
-mojomojo = module
-
-# Layer: apps
-# Module: mozilla
-#
-# Policy for Mozilla and related web browsers
-#
-mozilla = module
-
-# Layer: apps
-# Module: mplayer
-#
-# Policy for Mozilla and related web browsers
-#
-mplayer = module
-
-# Layer: admin
-# Module: mrtg
-#
-# Network traffic graphing
-#
-mrtg = module
-
-# Layer: services
-# Module: mta
-#
-# Policy common to all email tranfer agents.
-#
-mta = module
-
-# Layer: services
-# Module: munin
-#
-# Munin
-#
-munin = module
-
-# Layer: services
-# Module: mysql
-#
-# Policy for MySQL
-#
-mysql = module
-
-# Layer: services
-# Module: nagios
-#
-# policy for nagios Host/service/network monitoring program
-#
-nagios = module
-
-# Layer: apps
-# Module: namespace
-#
-# policy for namespace.init script
-#
-namespace = module
-
-# Layer: admin
-# Module: ncftool
-#
-# Tool to modify the network configuration of a system
-#
-ncftool = module
-
-# Layer: services
-# Module: networkmanager
-#
-# Manager for dynamically switching between networks.
-#
-networkmanager = module
-
-# Layer: services
-# Module: nis
-#
-# Policy for NIS (YP) servers and clients
-#
-nis = module
-
-# Layer: services
-# Module: nscd
-#
-# Name service cache daemon
-#
-nscd = module
-
-# Layer: services
-# Module: nslcd
-#
-# Policy for nslcd
-#
-nslcd = module
-
-# Layer: services
-# Module: ntop
-#
-# Policy for ntop
-#
-ntop = module
-
-# Layer: services
-# Module: ntp
-#
-# Network time protocol daemon
-#
-ntp = module
-
-# Layer: services
-# Module: nx
-#
-# NX Remote Desktop
-#
-nx = module
-
-# Layer: services
-# Module: oddjob
-#
-# policy for oddjob
-#
-oddjob = module
-
-# Layer: services
-# Module: openct
-#
-# Service for handling smart card readers.
-#
-openct = off
-
-# Layer: service
-# Module: openct
-#
-# Middleware framework for smart card terminals
-#
-openct = module
-
-# Layer: services
-# Module: openvpn
-#
-# Policy for OPENVPN full-featured SSL VPN solution
-#
-openvpn = module
-
-# Layer: contrib
-# Module: prelude
-#
-# SELinux policy for prelude
-#
-prelude = module
-
-# Layer: contrib
-# Module: prosody
-#
-# SELinux policy for prosody flexible communications server for Jabber/XMPP
-#
-prosody = module
-
-# Layer: services
-# Module: pads
-#
-pads = module
-
-# Layer: system
-# Module: pcmcia
-#
-# PCMCIA card management services
-#
-pcmcia = module
-
-# Layer: service
-# Module: pcscd
-#
-# PC/SC Smart Card Daemon
-#
-pcscd = module
-
-# Layer: services
-# Module: pegasus
-#
-# The Open Group Pegasus CIM/WBEM Server.
-#
-pegasus = module
-
-
-# Layer: services
-# Module: pingd
-#
-#
-pingd = module
-
-# Layer: services
-# Module: piranha
-#
-# piranha - various tools to administer and configure the Linux Virtual Server
-#
-piranha = module
-
-# Layer: services
-# Module: plymouthd
-#
-# Plymouth
-#
-plymouthd = module
-
-# Layer: apps
-# Module: podsleuth
-#
-# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
-#
-podsleuth = module
-
-# Layer: services
-# Module: policykit
-#
-# Hardware abstraction layer
-#
-policykit = module
-
-# Layer: services
-# Module: polipo
-#
-# polipo
-#
-polipo = module
-
-# Layer: services
-# Module: portmap
-#
-# RPC port mapping service.
-#
-portmap = module
-
-# Layer: services
-# Module: portreserve
-#
-# reserve ports to prevent portmap mapping them
-#
-portreserve = module
-
-# Layer: services
-# Module: postfix
-#
-# Postfix email server
-#
-postfix = module
-
-o# Layer: services
-# Module: postgrey
-#
-# email scanner
-#
-postgrey = module
-
-# Layer: services
-# Module: ppp
-#
-# Point to Point Protocol daemon creates links in ppp networks
-#
-ppp = module
-
-# Layer: admin
-# Module: prelink
-#
-# Manage temporary directory sizes and file ages
-#
-prelink = module
-
-unprivuser = module
-
-# Layer: services
-# Module: privoxy
-#
-# Privacy enhancing web proxy.
-#
-privoxy = module
-
-# Layer: services
-# Module: procmail
-#
-# Procmail mail delivery agent
-#
-procmail = module
-
-# Layer: services
-# Module: psad
-#
-# Analyze iptables log for hostile traffic
-#
-psad = module
-
-# Layer: apps
-# Module: ptchown
-#
-# helper function for grantpt(3), changes ownship and permissions of pseudotty
-#
-ptchown = module
-
-# Layer: apps
-# Module: pulseaudio
-#
-# The PulseAudio Sound System
-#
-pulseaudio = module
-
-# Layer: services
-# Module: qmail
-#
-# Policy for qmail
-#
-qmail = module
-
-# Layer: services
-# Module: qpidd
-#
-# Policy for qpidd
-#
-qpid = module
-
-# Layer: admin
-# Module: quota
-#
-# File system quota management
-#
-quota = module
-
-# Layer: services
-# Module: radius
-#
-# RADIUS authentication and accounting server.
-#
-radius = module
-
-# Layer: services
-# Module: radvd
-#
-# IPv6 router advertisement daemon
-#
-radvd = module
-
-# Layer: system
-# Module: raid
-#
-# RAID array management tools
-#
-raid = module
-
-# Layer: services
-# Module: rdisc
-#
-# Network router discovery daemon
-#
-rdisc = module
-
-# Layer: admin
-# Module: readahead
-#
-# Readahead, read files into page cache for improved performance
-#
-readahead = module
-
-# Layer: services
-# Module: remotelogin
-#
-# Policy for rshd, rlogind, and telnetd.
-#
-remotelogin = module
-
-# Layer: services
-# Module: rhcs
-#
-# RHCS - Red Hat Cluster Suite
-#
-rhcs = module
-
-# Layer: services
-# Module: rhgb
-#
-# X windows login display manager
-#
-rhgb = module
-
-# Layer: services
-# Module: ricci
-#
-# policy for ricci
-#
-ricci = module
-
-# Layer: services
-# Module: rlogin
-#
-# Remote login daemon
-#
-rlogin = module
-
-# Layer: services
-# Module: roundup
-#
-# Roundup Issue Tracking System policy
-#
-roundup = module
-
-# Layer: services
-# Module: rpcbind
-#
-# universal addresses to RPC program number mapper
-#
-rpcbind = module
-
-# Layer: services
-# Module: rpc
-#
-# Remote Procedure Call Daemon for managment of network based process communication
-#
-rpc = module
-
-# Layer: admin
-# Module: rpm
-#
-# Policy for the RPM package manager.
-#
-rpm = module
-
-# Layer: services
-# Module: rshd
-#
-# Remote shell service.
-#
-rshd = module
-
-# Layer: services
-# Module: rsync
-#
-# Fast incremental file transfer for synchronization
-#
-rsync = module
-
-# Layer: services
-# Module: rtkit
-#
-# Real Time Kit Daemon
-#
-rtkit = module
-
-# Layer: services
-# Module: rwho
-#
-# who is logged in on local machines
-#
-rwho = module
-
-# Layer: apps
-# Module: sambagui
-#
-# policy for system-config-samba
-#
-sambagui = module
-
-#
-# SMB and CIFS client/server programs for UNIX and
-# name Service Switch daemon for resolving names
-# from Windows NT servers.
-#
-samba = module
-
-# Layer: services
-# Module: sasl
-#
-# SASL authentication server
-#
-sasl = module
-
-# Layer: apps
-# Module: screen
-#
-# GNU terminal multiplexer
-#
-screen = module
-
-# Layer: services
-# Module: sendmail
-#
-# Policy for sendmail.
-#
-sendmail = module
-
-# Layer: services
-# Module: setroubleshoot
-#
-# Policy for the SELinux troubleshooting utility
-#
-setroubleshoot = module
-
-# Layer: admin
-# Module: shorewall
-#
-# Policy for shorewall
-#
-shorewall = module
-
-# Layer: apps
-# Module: slocate
-#
-# Update database for mlocate
-#
-slocate = module
-
-# Layer: services
-# Module: slrnpull
-#
-# Service for downloading news feeds the slrn newsreader.
-#
-slrnpull = off
-
-# Layer: services
-# Module: smartmon
-#
-# Smart disk monitoring daemon policy
-#
-smartmon = module
-
-# Layer: services
-# Module: snmp
-#
-# Simple network management protocol services
-#
-snmp = module
-
-# Layer: services
-# Module: snort
-#
-# Snort network intrusion detection system
-#
-snort = module
-
-# Layer: admin
-# Module: sosreport
-#
-# sosreport debuggin information generator
-#
-sosreport = module
-
-# Layer: services
-# Module: soundserver
-#
-# sound server for network audio server programs, nasd, yiff, etc
-#
-soundserver = module
-
-# Layer: services
-# Module: spamassassin
-#
-# Filter used for removing unsolicited email.
-#
-spamassassin = module
-
-# Layer: services
-# Module: squid
-#
-# Squid caching http proxy server
-#
-squid = module
-
-# Layer: services
-# Module: sssd
-#
-# System Security Services Daemon
-#
-sssd = module
-
-# Layer: services
-# Module: stunnel
-#
-# SSL Tunneling Proxy
-#
-stunnel = module
-
-# Layer: services
-# Module: sysstat
-#
-# Policy for sysstat. Reports on various system states
-#
-sysstat = module
-
-# Layer: services
-# Module: tcpd
-#
-# Policy for TCP daemon.
-#
-tcpd = module
-
-# Layer: services
-# Module: tcsd
-#
-# tcsd - daemon that manages Trusted Computing resources
-#
-tcsd = module
-
-# Layer: apps
-# Module: telepathy
-#
-# telepathy - Policy for Telepathy framework
-#
-telepathy = module
-
-# Layer: services
-# Module: telnet
-#
-# Telnet daemon
-#
-telnet = module
-
-# Layer: services
-# Module: tftp
-#
-# Trivial file transfer protocol daemon
-#
-tftp = module
-
-# Layer: services
-# Module: tgtd
-#
-# Linux Target Framework Daemon.
-#
-tgtd = module
-
-# Layer: apps
-# Module: thumb
-#
-# Thumbnailer confinement
-#
-thumb = module
-
-# Layer: services
-# Module: timidity
-#
-# MIDI to WAV converter and player configured as a service
-#
-timidity = off
-
-# Layer: admin
-# Module: tmpreaper
-#
-# Manage temporary directory sizes and file ages
-#
-tmpreaper = module
-
-# Layer: services
-# Module: tor
-#
-# TOR, the onion router
-#
-tor = module
-
-# Layer: services
-# Module: ksmtuned
-#
-# Kernel Samepage Merging (KSM) Tuning Daemon
-#
-ksmtuned = module
-
-# Layer: services
-# Module: tuned
-#
-# Dynamic adaptive system tuning daemon
-#
-tuned = module
-
-# Layer: apps
-# Module: tvtime
-#
-# tvtime - a high quality television application
-#
-tvtime = module
-
-# Layer: services
-# Module: ulogd
-#
-#
-#
-ulogd = module
-
-# Layer: apps
-# Module: uml
-#
-# Policy for UML
-#
-uml = module
-
-# Layer: admin
-# Module: updfstab
-#
-# Red Hat utility to change /etc/fstab.
-#
-updfstab = module
-
-# Layer: admin
-# Module: usbmodules
-#
-# List kernel modules of USB devices
-#
-usbmodules = module
-
-# Layer: apps
-# Module: userhelper
-#
-# A helper interface to pam.
-#
-userhelper = module
-
-# Layer: apps
-# Module: usernetctl
-#
-# User network interface configuration helper
-#
-usernetctl = module
-
-# Layer: services
-# Module: uucp
-#
-# Unix to Unix Copy
-#
-uucp = module
-
-# Layer: services
-# Module: virt
-#
-# Virtualization libraries
-#
-virt = module
-
-# Layer: services
-# Module: virt_supplementary
-#
-# non-libvirt virtualization libraries
-#
-virt_supplementary = module
-
-# Layer: apps
-# Module: vmware
-#
-# VMWare Workstation virtual machines
-#
-vmware = module
-
-# Layer: contrib
-# Module: openvswitch
-#
-# SELinux policy for openvswitch programs
-#
-openvswitch = module
-
-# Layer: admin
-# Module: vpn
-#
-# Virtual Private Networking client
-#
-vpn = module
-
-# Layer: services
-# Module: w3c
-#
-# w3c
-#
-w3c = module
-
-# Layer: role
-# Module: webadm
-#
-# Minimally prived root role for managing apache
-#
-webadm = module
-
-# Layer: apps
-# Module: webalizer
-#
-# Web server log analysis
-#
-webalizer = module
-
-# Layer: apps
-# Module: wine
-#
-# wine executable
-#
-wine = module
-
-# Layer: apps
-# Module: wireshark
-#
-# wireshark executable
-#
-wireshark = module
-
-# Layer: apps
-# Module: wm
-#
-# X windows window manager
-#
-wm = module
-
-# Layer: system
-# Module: xen
-#
-# virtualization software
-#
-xen = module
-
-# Layer: role
-# Module: xguest
-#
-# Minimally privs guest account on X Windows logins
-#
-xguest = module
-
-# Layer: services
-# Module: zabbix
-#
-# Open-source monitoring solution for your IT infrastructure
-#
-zabbix = module
-
-# Layer: services
-# Module: zebra
-#
-# Zebra border gateway protocol network routing service
-#
-zebra = module
-
-# Layer: services
-# Module: zosremote
-#
-# policy for z/OS Remote-services Audit dispatcher plugin
-#
-zosremote = module
-
-# Layer: contrib
-# Module: mandb
-#
-# Policy for mandb
-#
-mandb = module
diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf
deleted file mode 100644
index 5e255b5..0000000
--- a/modules-targeted-base.conf
+++ /dev/null
@@ -1,421 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-#
-bootloader = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-#
-corecommands = base
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-#
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-#
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-#
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-#
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-#
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-#
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-#
-seunshare = module
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-#
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-#
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-#
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-#
-files = base
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-#
-miscfiles = module
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-#
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-#
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-#
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-#
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-#
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-#
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-#
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-#
-#
-ubac = base
-
-# Layer: kernel
-# Module: unconfined
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-#
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-#
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-#
-secadm = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-#
-sysadm_secadm = module
-
-# Module: staff
-#
-# admin account
-#
-staff = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-#
-sysadm = module
-
-# Layer: role
-# Module: unconfineduser
-#
-# The unconfined user domain.
-#
-unconfineduser = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-#
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-#
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-#
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-#
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-#
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-#
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-#
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-#
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-#
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-#
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-#
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-#
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-#
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-#
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-#
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-#
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-#
-lvm = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-#
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-#
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-#
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-#
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-#
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-#
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-#
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-#
-udev = module
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-#
-unconfined = module
-
-# Layer: contrib
-# Module: packagekit
-#
-# Temporary permissive module for packagekit
-#
-packagekit = module
-
-# Layer: contrib
-# Module: rtorrent
-#
-# Policy for rtorrent
-#
-rtorrent = module
-
-# Layer: contrib
-# Module: wicked
-#
-# Policy for wicked
-#
-wicked = module
-
-# Layer: system
-# Module: rebootmgr
-#
-# Policy for rebootmgr
-#
-rebootmgr = module
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
deleted file mode 100644
index b87a6db..0000000
--- a/modules-targeted-contrib.conf
+++ /dev/null
@@ -1,2777 +0,0 @@
-# Layer: services
-# Module: abrt
-#
-# Automatic bug detection and reporting tool
-#
-abrt = module
-
-# Layer: services
-# Module: accountsd
-#
-# An application to view and modify user accounts information
-#
-accountsd = module
-
-# Layer: admin
-# Module: acct
-#
-# Berkeley process accounting
-#
-acct = module
-
-# Layer: services
-# Module: afs
-#
-# Andrew Filesystem server
-#
-afs = module
-
-# Layer: services
-# Module: aiccu
-#
-# SixXS Automatic IPv6 Connectivity Client Utility
-#
-aiccu = module
-
-# Layer: services
-# Module: aide
-#
-# Policy for aide
-#
-aide = module
-
-# Layer: services
-# Module: ajaxterm
-#
-# Web Based Terminal
-#
-ajaxterm = module
-
-# Layer: admin
-# Module: alsa
-#
-# Ainit ALSA configuration tool
-#
-alsa = module
-
-# Layer: admin
-# Module: amanda
-#
-# Automated backup program.
-#
-amanda = module
-
-# Layer: admin
-# Module: amtu
-#
-# Abstract Machine Test Utility (AMTU)
-#
-amtu = module
-
-# Layer: admin
-# Module: anaconda
-#
-# Policy for the Anaconda installer.
-#
-anaconda = module
-
-# Layer: contrib
-# Module: antivirus
-#
-# SELinux policy for antivirus programs
-#
-antivirus = module
-
-# Layer: services
-# Module: apache
-#
-# Apache web server
-#
-apache = module
-
-# Layer: services
-# Module: apcupsd
-#
-# daemon for most APC’s UPS for Linux
-#
-apcupsd = module
-
-# Layer: services
-# Module: apm
-#
-# Advanced power management daemon
-#
-apm = module
-
-# Layer: services
-# Module: arpwatch
-#
-# Ethernet activity monitor.
-#
-arpwatch = module
-
-# Layer: services
-# Module: asterisk
-#
-# Asterisk IP telephony server
-#
-asterisk = module
-
-# Layer: contrib
-# Module: authconfig
-#
-# Authorization configuration tool
-#
-authconfig = module
-
-# Layer: services
-# Module: automount
-#
-# Filesystem automounter service.
-#
-automount = module
-
-# Layer: services
-# Module: avahi
-#
-# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
-#
-avahi = module
-
-# Layer: module
-# Module: awstats
-#
-# awstats executable
-#
-awstats = module
-
-# Layer: services
-# Module: bcfg2
-#
-# Configuration management server
-#
-bcfg2 = module
-
-# Layer: services
-# Module: bind
-#
-# Berkeley internet name domain DNS server.
-#
-bind = module
-
-# Layer: contrib
-# Module: rngd
-#
-# Daemon used to feed random data from hardware device to kernel random device
-#
-rngd = module
-
-# Layer: services
-# Module: bitlbee
-#
-# An IRC to other chat networks gateway
-#
-bitlbee = module
-
-# Layer: services
-# Module: blueman
-#
-# Blueman tools and system services.
-#
-blueman = module
-
-# Layer: services
-# Module: bluetooth
-#
-# Bluetooth tools and system services.
-#
-bluetooth = module
-
-# Layer: services
-# Module: boinc
-#
-# Berkeley Open Infrastructure for Network Computing
-#
-boinc = module
-
-# Layer: system
-# Module: brctl
-#
-# Utilities for configuring the linux ethernet bridge
-#
-brctl = module
-
-# Layer: services
-# Module: bugzilla
-#
-# Bugzilla server
-#
-bugzilla = module
-
-# Layer: services
-# Module: bumblebee
-#
-# Support NVIDIA Optimus technology under Linux
-#
-bumblebee = module
-
-# Layer: services
-# Module: cachefilesd
-#
-# CacheFiles userspace management daemon
-#
-cachefilesd = module
-
-# Module: calamaris
-#
-#
-# Squid log analysis
-#
-calamaris = module
-
-# Layer: services
-# Module: callweaver
-#
-# callweaver telephony sever
-#
-callweaver = module
-
-# Layer: services
-# Module: canna
-#
-# Canna - kana-kanji conversion server
-#
-canna = module
-
-# Layer: services
-# Module: ccs
-#
-# policy for ccs
-#
-ccs = module
-
-# Layer: apps
-# Module: cdrecord
-#
-# Policy for cdrecord
-#
-cdrecord = module
-
-# Layer: admin
-# Module: certmaster
-#
-# Digital Certificate master
-#
-certmaster = module
-
-# Layer: services
-# Module: certmonger
-#
-# Certificate status monitor and PKI enrollment client
-#
-certmonger = module
-
-# Layer: admin
-# Module: certwatch
-#
-# Digital Certificate Tracking
-#
-certwatch = module
-
-# Layer: services
-# Module: cfengine
-#
-# cfengine
-#
-cfengine = module
-
-# Layer: services
-# Module: cgroup
-#
-# Tools and libraries to control and monitor control groups
-#
-cgroup = module
-
-# Layer: apps
-# Module: chrome
-#
-# chrome sandbox
-#
-chrome = module
-
-# Layer: services
-# Module: chronyd
-#
-# Daemon for maintaining clock time
-#
-chronyd = module
-
-# Layer: services
-# Module: cipe
-#
-# Encrypted tunnel daemon
-#
-cipe = module
-
-
-# Layer: services
-# Module: clogd
-#
-# clogd - clustered mirror log server
-#
-clogd = module
-
-# Layer: services
-# Module: cloudform
-#
-# cloudform daemons
-#
-cloudform = module
-
-# Layer: services
-# Module: cmirrord
-#
-# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
-#
-cmirrord = module
-
-# Layer: services
-# Module: cobbler
-#
-# cobbler
-#
-cobbler = module
-
-# Layer: services
-# Module: collectd
-#
-# Statistics collection daemon for filling RRD files
-#
-collectd = module
-
-# Layer: services
-# Module: colord
-#
-# color device daemon
-#
-colord = module
-
-# Layer: services
-# Module: comsat
-#
-# Comsat, a biff server.
-#
-comsat = module
-
-# Layer: services
-# Module: condor
-#
-# policy for condor
-#
-condor = module
-
-# Layer: services
-# Module: conman
-#
-# Conman is a program for connecting to remote consoles being managed by conmand
-#
-conman = module
-
-# Layer: services
-# Module: consolekit
-#
-# ConsoleKit is a system daemon for tracking what users are logged
-#
-consolekit = module
-
-# Layer: services
-# Module: couchdb
-#
-# Apache CouchDB database server
-#
-couchdb = module
-
-# Layer: services
-# Module: courier
-#
-# IMAP and POP3 email servers
-#
-courier = module
-
-# Layer: services
-# Module: cpucontrol
-#
-# Services for loading CPU microcode and CPU frequency scaling.
-#
-cpucontrol = module
-
-# Layer: apps
-# Module: cpufreqselector
-#
-# cpufreqselector executable
-#
-cpufreqselector = module
-
-# Layer: services
-# Module: cron
-#
-# Periodic execution of scheduled commands.
-#
-cron = module
-
-# Layer: services
-# Module: ctdbd
-#
-# Cluster Daemon
-#
-ctdb = module
-
-# Layer: services
-# Module: cups
-#
-# Common UNIX printing system
-#
-cups = module
-
-# Layer: services
-# Module: cvs
-#
-# Concurrent versions system
-#
-cvs = module
-
-# Layer: services
-# Module: cyphesis
-#
-# cyphesis game server
-#
-cyphesis = module
-
-# Layer: services
-# Module: cyrus
-#
-# Cyrus is an IMAP service intended to be run on sealed servers
-#
-cyrus = module
-
-# Layer: system
-# Module: daemontools
-#
-# Collection of tools for managing UNIX services
-#
-daemontools = module
-
-# Layer: role
-# Module: dbadm
-#
-# Minimally prived root role for managing databases
-#
-dbadm = module
-
-# Layer: services
-# Module: dbskk
-#
-# Dictionary server for the SKK Japanese input method system.
-#
-dbskk = module
-
-# Layer: services
-# Module: dbus
-#
-# Desktop messaging bus
-#
-dbus = module
-
-# Layer: services
-# Module: dcc
-#
-# A distributed, collaborative, spam detection and filtering network.
-#
-dcc = module
-
-# Layer: services
-# Module: ddclient
-#
-# Update dynamic IP address at DynDNS.org
-#
-ddclient = module
-
-# Layer: admin
-# Module: ddcprobe
-#
-# ddcprobe retrieves monitor and graphics card information
-#
-ddcprobe = off
-
-# Layer: services
-# Module: denyhosts
-#
-# script to help thwart ssh server attacks
-#
-denyhosts = module
-
-# Layer: services
-# Module: devicekit
-#
-# devicekit-daemon
-#
-devicekit = module
-
-# Layer: services
-# Module: dhcp
-#
-# Dynamic host configuration protocol (DHCP) server
-#
-dhcp = module
-
-# Layer: services
-# Module: dictd
-#
-# Dictionary daemon
-#
-dictd = module
-
-# Layer: services
-# Module: dirsrv-admin
-#
-# An 309 directory admin server
-#
-dirsrv-admin = module
-
-# Layer: services
-# Module: dirsrv
-#
-# An 309 directory server
-#
-dirsrv = module
-
-# Layer: services
-# Module: distcc
-#
-# Distributed compiler daemon
-#
-distcc = off
-
-# Layer: admin
-# Module: dmidecode
-#
-# Decode DMI data for x86/ia64 bioses.
-#
-dmidecode = module
-
-# Layer: services
-# Module: dnsmasq
-#
-# A lightweight DHCP and caching DNS server.
-#
-dnsmasq = module
-
-# Layer: services
-# Module: dnssec
-#
-# A dnssec server application
-#
-dnssec = module
-
-# Layer: services
-# Module: dovecot
-#
-# Dovecot POP and IMAP mail server
-#
-dovecot = module
-
-# Layer: services
-# Module: drbd
-#
-# DRBD mirrors a block device over the network to another machine.
-#
-drbd = module
-
-# Layer: services
-# Module: dspam
-#
-# dspam - library and Mail Delivery Agent for Bayesian SPAM filtering
-#
-dspam = module
-
-# Layer: services
-# Module: entropy
-#
-# Generate entropy from audio input
-#
-entropyd = module
-
-# Layer: services
-# Module: exim
-#
-# exim mail server
-#
-exim = module
-
-# Layer: services
-# Module: fail2ban
-#
-# daiemon that bans IP that makes too many password failures
-#
-fail2ban = module
-
-# Layer: services
-# Module: fcoe
-#
-# fcoe
-#
-fcoe = module
-
-# Layer: services
-# Module: fetchmail
-#
-# Remote-mail retrieval and forwarding utility
-#
-fetchmail = module
-
-# Layer: services
-# Module: finger
-#
-# Finger user information service.
-#
-finger = module
-
-# Layer: services
-# Module: firewalld
-#
-# firewalld is firewall service daemon that provides dynamic customizable
-#
-firewalld = module
-
-# Layer: apps
-# Module: firewallgui
-#
-# policy for system-config-firewall
-#
-firewallgui = module
-
-# Module: firstboot
-#
-# Final system configuration run during the first boot
-# after installation of Red Hat/Fedora systems.
-#
-firstboot = module
-
-# Layer: services
-# Module: fprintd
-#
-# finger print server
-#
-fprintd = module
-
-# Layer: services
-# Module: freqset
-#
-# Utility for CPU frequency scaling
-#
-freqset = module
-
-# Layer: services
-# Module: ftp
-#
-# File transfer protocol service
-#
-ftp = module
-
-# Layer: apps
-# Module: games
-#
-# The Open Group Pegasus CIM/WBEM Server.
-#
-games = module
-
-# Layer: apps
-# Module: gitosis
-#
-# Policy for gitosis
-#
-gitosis = module
-
-# Layer: services
-# Module: git
-#
-# Policy for the stupid content tracker
-#
-git = module
-
-# Layer: services
-# Module: glance
-#
-# Policy for glance
-#
-glance = module
-
-# Layer: contrib
-# Module: glusterd
-#
-# policy for glusterd service
-#
-glusterd = module
-
-# Layer: apps
-# Module: gnome
-#
-# gnome session and gconf
-#
-gnome = module
-
-# Layer: apps
-# Module: gpg
-#
-# Policy for GNU Privacy Guard and related programs.
-#
-gpg = module
-
-# Layer: services
-# Module: gpm
-#
-# General Purpose Mouse driver
-#
-gpm = module
-
-# Module: gpsd
-#
-# gpsd monitor daemon
-#
-#
-gpsd = module
-
-# Module: gssproxy
-#
-# A proxy for GSSAPI credential handling
-#
-#
-gssproxy = module
-
-# Layer: role
-# Module: guest
-#
-# Minimally privs guest account on tty logins
-#
-guest = module
-
-# Layer: role
-# Module: xguest
-#
-# Minimally privs guest account on X Windows logins
-#
-xguest = module
-
-# Layer: services
-# Module: hddtemp
-#
-# hddtemp hard disk temperature tool running as a daemon
-#
-hddtemp = module
-
-# Layer: services
-# Module: hostapd
-#
-# hostapd - IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
-#
-hostapd = module
-
-# Layer: services
-# Module: i18n_input
-#
-# IIIMF htt server
-#
-i18n_input = off
-
-# Layer: services
-# Module: icecast
-#
-# ShoutCast compatible streaming media server
-#
-icecast = module
-
-# Layer: services
-# Module: inetd
-#
-# Internet services daemon.
-#
-inetd = module
-
-# Layer: services
-# Module: inn
-#
-# Internet News NNTP server
-#
-inn = module
-
-# Layer: services
-# Module: lircd
-#
-# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.
-#
-lircd = module
-
-# Layer: apps
-# Module: irc
-#
-# IRC client policy
-#
-irc = module
-
-# Layer: services
-# Module: irqbalance
-#
-# IRQ balancing daemon
-#
-irqbalance = module
-
-# Layer: system
-# Module: iscsi
-#
-# Open-iSCSI daemon
-#
-iscsi = module
-
-# Layer: system
-# Module: isnsd
-#
-#
-#
-isns = module
-
-# Layer: services
-# Module: jabber
-#
-# Jabber instant messaging server
-#
-jabber = module
-
-# Layer: services
-# Module: jetty
-#
-# Java based http server
-#
-jetty = module
-
-# Layer: apps
-# Module: jockey
-#
-# policy for jockey-backend
-#
-jockey = module
-
-# Layer: apps
-# Module: kdumpgui
-#
-# system-config-kdump policy
-#
-kdumpgui = module
-
-# Layer: admin
-# Module: kdump
-#
-# kdump is kernel crash dumping mechanism
-#
-kdump = module
-
-# Layer: services
-# Module: kerberos
-#
-# MIT Kerberos admin and KDC
-#
-kerberos = module
-
-# Layer: services
-# Module: keepalived
-#
-# keepalived - load-balancing and high-availability service
-#
-keepalived = module
-
-# Module: keyboardd
-#
-# system-setup-keyboard is a keyboard layout daemon that monitors
-# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet
-#
-keyboardd = module
-
-# Layer: services
-# Module: keystone
-#
-# openstack-keystone
-#
-keystone = module
-
-# Layer: services
-# Module: kismet
-#
-# Wireless sniffing and monitoring
-#
-kismet = module
-
-# Layer: services
-# Module: ksmtuned
-#
-# Kernel Samepage Merging (KSM) Tuning Daemon
-#
-ksmtuned = module
-
-# Layer: services
-# Module: ktalk
-#
-# KDE Talk daemon
-#
-ktalk = module
-
-# Layer: services
-# Module: l2ltpd
-#
-# Layer 2 Tunnelling Protocol Daemon
-#
-l2tp = module
-
-# Layer: services
-# Module: ldap
-#
-# OpenLDAP directory server
-#
-ldap = module
-
-# Layer: services
-# Module: likewise
-#
-# Likewise Active Directory support for UNIX
-#
-likewise = module
-
-# Layer: apps
-# Module: livecd
-#
-# livecd creator
-#
-livecd = module
-
-# Layer: services
-# Module: lldpad
-#
-# lldpad - Link Layer Discovery Protocol (LLDP) agent daemon
-#
-lldpad = module
-
-# Layer: apps
-# Module: loadkeys
-#
-# Load keyboard mappings.
-#
-loadkeys = module
-
-# Layer: apps
-# Module: lockdev
-#
-# device locking policy for lockdev
-#
-lockdev = module
-
-# Layer: admin
-# Module: logrotate
-#
-# Rotate and archive system logs
-#
-logrotate = module
-
-# Layer: services
-# Module: logwatch
-#
-# logwatch executable
-#
-logwatch = module
-
-# Layer: services
-# Module: lpd
-#
-# Line printer daemon
-#
-lpd = module
-
-# Layer: services
-# Module: mailman
-#
-# Mailman is for managing electronic mail discussion and e-newsletter lists
-#
-mailman = module
-
-# Layer: services
-# Module: mailman
-#
-# Policy for mailscanner
-#
-mailscanner = module
-
-# Layer: apps
-# Module: man2html
-#
-# policy for man2html apps
-#
-man2html = module
-
-# Layer: admin
-# Module: mcelog
-#
-# Policy for mcelog.
-#
-mcelog = module
-
-# Layer: apps
-# Module: mediawiki
-#
-# mediawiki
-#
-mediawiki = module
-
-# Layer: services
-# Module: memcached
-#
-# high-performance memory object caching system
-#
-memcached = module
-
-# Layer: services
-# Module: milter
-#
-#
-#
-milter = module
-
-# Layer: services
-# Module: mip6d
-#
-# UMIP Mobile IPv6 and NEMO Basic Support protocol implementation
-#
-mip6d = module
-
-# Layer: services
-# Module: mock
-#
-# Policy for mock rpm builder
-#
-mock = module
-
-# Layer: services
-# Module: modemmanager
-#
-# Manager for dynamically switching between modems.
-#
-modemmanager = module
-
-# Layer: services
-# Module: mojomojo
-#
-# Wiki server
-#
-mojomojo = module
-
-# Layer: apps
-# Module: mozilla
-#
-# Policy for Mozilla and related web browsers
-#
-mozilla = module
-
-# Layer: services
-# Module: mpd
-#
-# mpd - daemon for playing music
-#
-mpd = module
-
-# Layer: apps
-# Module: mplayer
-#
-# Policy for Mozilla and related web browsers
-#
-mplayer = module
-
-# Layer: admin
-# Module: mrtg
-#
-# Network traffic graphing
-#
-mrtg = module
-
-# Layer: services
-# Module: mta
-#
-# Policy common to all email tranfer agents.
-#
-mta = module
-
-# Layer: services
-# Module: munin
-#
-# Munin
-#
-munin = module
-
-# Layer: services
-# Module: mysql
-#
-# Policy for MySQL
-#
-mysql = module
-
-# Layer: contrib
-# Module: mythtv
-#
-# Policy for Mythtv (Web Server)
-#
-mythtv = module
-
-# Layer: services
-# Module: nagios
-#
-# policy for nagios Host/service/network monitoring program
-#
-nagios = module
-
-# Layer: apps
-# Module: namespace
-#
-# policy for namespace.init script
-#
-namespace = module
-
-# Layer: admin
-# Module: ncftool
-#
-# Tool to modify the network configuration of a system
-#
-ncftool = module
-
-# Layer: services
-# Module: networkmanager
-#
-# Manager for dynamically switching between networks.
-#
-networkmanager = module
-
-# Layer: services
-# Module: ninfod
-#
-# Respond to IPv6 Node Information Queries
-#
-ninfod = module
-
-# Layer: services
-# Module: nis
-#
-# Policy for NIS (YP) servers and clients
-#
-nis = module
-
-# Layer: services
-# Module: nova
-#
-# openstack-nova
-#
-nova = module
-
-# Layer: services
-# Module: nscd
-#
-# Name service cache daemon
-#
-nscd = module
-
-# Layer: services
-# Module: nslcd
-#
-# Policy for nslcd
-#
-nslcd = module
-
-# Layer: services
-# Module: ntop
-#
-# Policy for ntop
-#
-ntop = module
-
-# Layer: services
-# Module: ntp
-#
-# Network time protocol daemon
-#
-ntp = module
-
-# Layer: services
-# Module: numad
-#
-# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology
-#
-numad = module
-
-# Layer: services
-# Module: nut
-#
-# nut - Network UPS Tools
-#
-nut = module
-
-# Layer: services
-# Module: nx
-#
-# NX Remote Desktop
-#
-nx = module
-
-# Layer: services
-# Module: obex
-#
-# policy for obex-data-server
-#
-obex = module
-
-# Layer: services
-# Module: oddjob
-#
-# policy for oddjob
-#
-oddjob = module
-
-# Layer: services
-# Module: openct
-#
-# Service for handling smart card readers.
-#
-openct = off
-
-# Layer: service
-# Module: openct
-#
-# Middleware framework for smart card terminals
-#
-openct = module
-
-# Layer: contrib
-# Module: openshift-origin
-#
-# Origin version of openshift policy
-#
-openshift-origin = module
-# Layer: contrib
-# Module: openshift
-#
-# Core openshift policy
-#
-openshift = module
-
-# Layer: services
-# Module: opensm
-#
-# InfiniBand subnet manager and administration (SM/SA)
-#
-opensm = module
-
-# Layer: services
-# Module: openvpn
-#
-# Policy for OPENVPN full-featured SSL VPN solution
-#
-openvpn = module
-
-# Layer: contrib
-# Module: openvswitch
-#
-# SELinux policy for openvswitch programs
-#
-openvswitch = module
-
-# Layer: services
-# Module: openwsman
-#
-# WS-Management Server
-#
-openwsman = module
-
-# Layer: services
-# Module: osad
-#
-# Client-side service written in Python that responds to pings
-#
-osad = module
-
-# Layer: contrib
-# Module: prelude
-#
-# SELinux policy for prelude
-#
-prelude = module
-
-# Layer: contrib
-# Module: prosody
-#
-# SELinux policy for prosody flexible communications server for Jabber/XMPP
-#
-prosody = module
-
-# Layer: services
-# Module: pads
-#
-pads = module
-
-# Layer: services
-# Module: passenger
-#
-# Passenger
-#
-passenger = module
-
-# Layer: system
-# Module: pcmcia
-#
-# PCMCIA card management services
-#
-pcmcia = module
-
-# Layer: service
-# Module: pcscd
-#
-# PC/SC Smart Card Daemon
-#
-pcscd = module
-
-# Layer: services
-# Module: pdns
-#
-# PowerDNS DNS server
-#
-pdns = module
-
-# Layer: services
-# Module: pegasus
-#
-# The Open Group Pegasus CIM/WBEM Server.
-#
-pegasus = module
-
-# Layer: services
-# Module: pingd
-#
-#
-pingd = module
-
-# Layer: services
-# Module: piranha
-#
-# piranha - various tools to administer and configure the Linux Virtual Server
-#
-piranha = module
-
-# Layer: contrib
-# Module: pkcs
-#
-# daemon manages PKCS#11 objects between PKCS#11-enabled applications
-#
-pkcs = module
-
-# Layer: services
-# Module: plymouthd
-#
-# Plymouth
-#
-plymouthd = module
-
-# Layer: apps
-# Module: podsleuth
-#
-# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
-#
-podsleuth = module
-
-# Layer: services
-# Module: policykit
-#
-# Hardware abstraction layer
-#
-policykit = module
-
-# Layer: services
-# Module: polipo
-#
-# polipo
-#
-polipo = module
-
-# Layer: services
-# Module: portmap
-#
-# RPC port mapping service.
-#
-portmap = module
-
-# Layer: services
-# Module: portreserve
-#
-# reserve ports to prevent portmap mapping them
-#
-portreserve = module
-
-# Layer: services
-# Module: postfix
-#
-# Postfix email server
-#
-postfix = module
-
-# Layer: services
-# Module: postgrey
-#
-# email scanner
-#
-postgrey = module
-
-# Layer: services
-# Module: ppp
-#
-# Point to Point Protocol daemon creates links in ppp networks
-#
-ppp = module
-
-# Layer: admin
-# Module: prelink
-#
-# Manage temporary directory sizes and file ages
-#
-prelink = module
-
-# Layer: services
-# Module: privoxy
-#
-# Privacy enhancing web proxy.
-#
-privoxy = module
-
-# Layer: services
-# Module: procmail
-#
-# Procmail mail delivery agent
-#
-procmail = module
-
-# Layer: services
-# Module: psad
-#
-# Analyze iptables log for hostile traffic
-#
-psad = module
-
-# Layer: apps
-# Module: ptchown
-#
-# helper function for grantpt(3), changes ownship and permissions of pseudotty
-#
-ptchown = module
-
-# Layer: apps
-# Module: pulseaudio
-#
-# The PulseAudio Sound System
-#
-pulseaudio = module
-
-# Layer: services
-# Module: puppet
-#
-# A network tool for managing many disparate systems
-#
-puppet = module
-
-# Layer: apps
-# Module: pwauth
-#
-# External plugin for mod_authnz_external authenticator
-#
-pwauth = module
-
-# Layer: services
-# Module: qmail
-#
-# Policy for qmail
-#
-qmail = module
-
-# Layer: services
-# Module: qpidd
-#
-# Policy for qpidd
-#
-qpid = module
-
-# Layer: services
-# Module: quantum
-#
-# Quantum is a virtual network service for Openstack
-#
-quantum = module
-
-# Layer: admin
-# Module: quota
-#
-# File system quota management
-#
-quota = module
-
-# Layer: services
-# Module: rabbitmq
-#
-# rabbitmq daemons
-#
-rabbitmq = module
-
-# Layer: services
-# Module: radius
-#
-# RADIUS authentication and accounting server.
-#
-radius = module
-
-# Layer: services
-# Module: radvd
-#
-# IPv6 router advertisement daemon
-#
-radvd = module
-
-# Layer: system
-# Module: raid
-#
-# RAID array management tools
-#
-raid = module
-
-# Layer: services
-# Module: rasdaemon
-#
-# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing
-#
-rasdaemon = module
-
-# Layer: services
-# Module: rdisc
-#
-# Network router discovery daemon
-#
-rdisc = module
-
-# Layer: admin
-# Module: readahead
-#
-# Readahead, read files into page cache for improved performance
-#
-readahead = module
-
-# Layer: contrib
-# Module: stapserver
-#
-# dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA
-#
-realmd = module
-
-# Layer: services
-# Module: remotelogin
-#
-# Policy for rshd, rlogind, and telnetd.
-#
-remotelogin = module
-
-# Layer: services
-# Module: rhcs
-#
-# RHCS - Red Hat Cluster Suite
-#
-rhcs = module
-
-# Layer: services
-# Module: rhev
-#
-# rhev policy module contains policies for rhev apps
-#
-rhev = module
-
-# Layer: services
-# Module: rhgb
-#
-# X windows login display manager
-#
-rhgb = module
-
-# Layer: services
-# Module: rhsmcertd
-#
-# Subscription Management Certificate Daemon policy
-#
-rhsmcertd = module
-
-# Layer: services
-# Module: ricci
-#
-# policy for ricci
-#
-ricci = module
-
-# Layer: services
-# Module: rlogin
-#
-# Remote login daemon
-#
-rlogin = module
-
-# Layer: services
-# Module: roundup
-#
-# Roundup Issue Tracking System policy
-#
-roundup = module
-
-# Layer: services
-# Module: rpcbind
-#
-# universal addresses to RPC program number mapper
-#
-rpcbind = module
-
-# Layer: services
-# Module: rpc
-#
-# Remote Procedure Call Daemon for managment of network based process communication
-#
-rpc = module
-
-# Layer: admin
-# Module: rpm
-#
-# Policy for the RPM package manager.
-#
-rpm = module
-
-# Layer: services
-# Module: rshd
-#
-# Remote shell service.
-#
-rshd = module
-
-# Layer: apps
-# Module: rssh
-#
-# Restricted (scp/sftp) only shell
-#
-rssh = module
-
-# Layer: services
-# Module: rsync
-#
-# Fast incremental file transfer for synchronization
-#
-rsync = module
-
-# Layer: services
-# Module: rtkit
-#
-# Real Time Kit Daemon
-#
-rtkit = module
-
-# Layer: services
-# Module: rwho
-#
-# who is logged in on local machines
-#
-rwho = module
-
-# Layer: apps
-# Module: sambagui
-#
-# policy for system-config-samba
-#
-sambagui = module
-
-#
-# SMB and CIFS client/server programs for UNIX and
-# name Service Switch daemon for resolving names
-# from Windows NT servers.
-#
-samba = module
-
-# Layer: apps
-# Module: sandbox
-#
-# Policy for running apps within a sandbox
-#
-sandbox = module
-
-# Layer: apps
-# Module: sandbox
-#
-# Policy for running apps within a X sandbox
-#
-sandboxX = module
-
-# Layer: services
-# Module: sanlock
-#
-# sanlock policy
-#
-sanlock = module
-
-# Layer: services
-# Module: sasl
-#
-# SASL authentication server
-#
-sasl = module
-
-# Layer: services
-# Module: sblim
-#
-# sblim
-#
-sblim = module
-
-# Layer: apps
-# Module: screen
-#
-# GNU terminal multiplexer
-#
-screen = module
-
-# Layer: admin
-# Module: sectoolm
-#
-# Policy for sectool-mechanism
-#
-sectoolm = module
-
-# Layer: services
-# Module: sendmail
-#
-# Policy for sendmail.
-#
-sendmail = module
-
-# Layer: contrib
-# Module: sensord
-#
-# Sensor information logging daemon
-#
-sensord = module
-
-# Layer: services
-# Module: setroubleshoot
-#
-# Policy for the SELinux troubleshooting utility
-#
-setroubleshoot = module
-
-# Layer: services
-# Module: sge
-#
-# policy for grindengine MPI jobs
-#
-sge = module
-
-# Layer: admin
-# Module: shorewall
-#
-# Policy for shorewall
-#
-shorewall = module
-
-# Layer: apps
-# Module: slocate
-#
-# Update database for mlocate
-#
-slocate = module
-
-# Layer: contrib
-# Module: slpd
-#
-# OpenSLP server daemon to dynamically register services
-#
-slpd = module
-
-# Layer: services
-# Module: slrnpull
-#
-# Service for downloading news feeds the slrn newsreader.
-#
-slrnpull = off
-
-# Layer: services
-# Module: smartmon
-#
-# Smart disk monitoring daemon policy
-#
-smartmon = module
-
-# Layer: services
-# Module: smokeping
-#
-# Latency Logging and Graphing System
-#
-smokeping = module
-
-# Layer: admin
-# Module: smoltclient
-#
-#The Fedora hardware profiler client
-#
-smoltclient = module
-
-# Layer: services
-# Module: snmp
-#
-# Simple network management protocol services
-#
-snmp = module
-
-# Layer: services
-# Module: snort
-#
-# Snort network intrusion detection system
-#
-snort = module
-
-# Layer: admin
-# Module: sosreport
-#
-# sosreport debuggin information generator
-#
-sosreport = module
-
-# Layer: services
-# Module: soundserver
-#
-# sound server for network audio server programs, nasd, yiff, etc
-#
-soundserver = module
-
-# Layer: services
-# Module: spamassassin
-#
-# Filter used for removing unsolicited email.
-#
-spamassassin = module
-
-# Layer: services
-# Module: speech-dispatcher
-#
-# speech-dispatcher - server process managing speech requests in Speech Dispatcher
-#
-speech-dispatcher = module
-
-# Layer: services
-# Module: squid
-#
-# Squid caching http proxy server
-#
-squid = module
-
-# Layer: services
-# Module: sssd
-#
-# System Security Services Daemon
-#
-sssd = module
-
-# Layer: services
-# Module: sslh
-#
-# Applicative protocol(SSL/SSH) multiplexer
-#
-sslh = module
-
-# Layer: contrib
-# Module: stapserver
-#
-# Instrumentation System Server
-#
-stapserver = module
-
-# Layer: services
-# Module: stunnel
-#
-# SSL Tunneling Proxy
-#
-stunnel = module
-
-# Layer: services
-# Module: svnserve
-#
-# policy for subversion service
-#
-svnserve = module
-
-# Layer: services
-# Module: swift
-#
-# openstack-swift
-#
-swift = module
-
-# Layer: services
-# Module: sysstat
-#
-# Policy for sysstat. Reports on various system states
-#
-sysstat = module
-
-# Layer: services
-# Module: tcpd
-#
-# Policy for TCP daemon.
-#
-tcpd = module
-
-# Layer: services
-# Module: tcsd
-#
-# tcsd - daemon that manages Trusted Computing resources
-#
-tcsd = module
-
-# Layer: apps
-# Module: telepathy
-#
-# telepathy - Policy for Telepathy framework
-#
-telepathy = module
-
-# Layer: services
-# Module: telnet
-#
-# Telnet daemon
-#
-telnet = module
-
-# Layer: services
-# Module: tftp
-#
-# Trivial file transfer protocol daemon
-#
-tftp = module
-
-# Layer: services
-# Module: tgtd
-#
-# Linux Target Framework Daemon.
-#
-tgtd = module
-
-# Layer: apps
-# Module: thumb
-#
-# Thumbnailer confinement
-#
-thumb = module
-
-# Layer: services
-# Module: timidity
-#
-# MIDI to WAV converter and player configured as a service
-#
-timidity = off
-
-# Layer: admin
-# Module: tmpreaper
-#
-# Manage temporary directory sizes and file ages
-#
-tmpreaper = module
-
-# Layer: contrib
-# Module: glusterd
-#
-# policy for tomcat service
-#
-tomcat = module
-# Layer: services
-# Module: tor
-#
-# TOR, the onion router
-#
-tor = module
-
-# Layer: services
-# Module: tuned
-#
-# Dynamic adaptive system tuning daemon
-#
-tuned = module
-
-# Layer: apps
-# Module: tvtime
-#
-# tvtime - a high quality television application
-#
-tvtime = module
-
-# Layer: services
-# Module: ulogd
-#
-# netfilter/iptables ULOG daemon
-#
-ulogd = module
-
-# Layer: apps
-# Module: uml
-#
-# Policy for UML
-#
-uml = module
-
-# Layer: admin
-# Module: updfstab
-#
-# Red Hat utility to change /etc/fstab.
-#
-updfstab = module
-
-# Layer: admin
-# Module: usbmodules
-#
-# List kernel modules of USB devices
-#
-usbmodules = module
-
-# Layer: services
-# Module: usbmuxd
-#
-# Daemon for communicating with Apple's iPod Touch and iPhone
-#
-usbmuxd = module
-
-# Layer: apps
-# Module: userhelper
-#
-# A helper interface to pam.
-#
-userhelper = module
-
-# Layer: apps
-# Module: usernetctl
-#
-# User network interface configuration helper
-#
-usernetctl = module
-
-# Layer: services
-# Module: uucp
-#
-# Unix to Unix Copy
-#
-uucp = module
-
-# Layer: services
-# Module: uuidd
-#
-# UUID generation daemon
-#
-uuidd = module
-
-# Layer: services
-# Module: varnishd
-#
-# Varnishd http accelerator daemon
-#
-varnishd = module
-
-# Layer: services
-# Module: vdagent
-#
-# vdagent
-#
-vdagent = module
-
-# Layer: services
-# Module: vhostmd
-#
-# vhostmd - spice guest agent daemon.
-#
-vhostmd = module
-
-# Layer: services
-# Module: virt
-#
-# Virtualization libraries
-#
-virt = module
-
-# Layer: services
-# Module: virt_supplementary
-#
-# non-libvirt virtualization libraries
-#
-virt_supplementary = module
-
-# Layer: apps
-# Module: vhostmd
-#
-# vlock - Virtual Console lock program
-#
-vlock = module
-
-# Layer: services
-# Module: vmtools
-#
-# VMware Tools daemon
-#
-vmtools = module
-
-# Layer: apps
-# Module: vmware
-#
-# VMWare Workstation virtual machines
-#
-vmware = module
-
-# Layer: services
-# Module: vnstatd
-#
-# Network traffic Monitor
-#
-vnstatd = module
-
-# Layer: admin
-# Module: vpn
-#
-# Virtual Private Networking client
-#
-vpn = module
-
-# Layer: services
-# Module: w3c
-#
-# w3c
-#
-w3c = module
-
-# Layer: services
-# Module: wdmd
-#
-# wdmd policy
-#
-wdmd = module
-
-# Layer: role
-# Module: webadm
-#
-# Minimally prived root role for managing apache
-#
-webadm = module
-
-# Layer: apps
-# Module: webalizer
-#
-# Web server log analysis
-#
-webalizer = module
-
-# Layer: apps
-# Module: wine
-#
-# wine executable
-#
-wine = module
-
-# Layer: apps
-# Module: wireshark
-#
-# wireshark executable
-#
-wireshark = module
-
-# Layer: system
-# Module: xen
-#
-# virtualization software
-#
-xen = module
-
-# Layer: services
-# Module: zabbix
-#
-# Open-source monitoring solution for your IT infrastructure
-#
-zabbix = module
-
-# Layer: services
-# Module: zarafa
-#
-# Zarafa Collaboration Platform
-#
-zarafa = module
-
-# Layer: services
-# Module: zebra
-#
-# Zebra border gateway protocol network routing service
-#
-zebra = module
-
-# Layer: services
-# Module: zoneminder
-#
-# Zoneminder Camera Security Surveillance Solution
-#
-zoneminder = module
-
-# Layer: services
-# Module: zosremote
-#
-# policy for z/OS Remote-services Audit dispatcher plugin
-#
-zosremote = module
-
-# Layer: contrib
-# Module: thin
-#
-# Policy for thin
-#
-thin = module
-
-# Layer: contrib
-# Module: mandb
-#
-# Policy for mandb
-#
-mandb = module
-
-# Layer: services
-# Module: pki
-#
-# policy for pki
-#
-pki = module
-
-# Layer: services
-# Module: smsd
-#
-# policy for smsd
-#
-smsd = module
-
-# Layer: contrib
-# Module: pesign
-#
-# policy for pesign
-#
-pesign = module
-
-# Layer: contrib
-# Module: nsd
-#
-# Fast and lean authoritative DNS Name Server
-#
-nsd = module
-
-# Layer: contrib
-# Module: iodine
-#
-# Fast and lean authoritative DNS Name Server
-#
-iodine = module
-
-# Layer: contrib
-# Module: openhpid
-#
-# OpenHPI daemon runs as a background process and accepts connecti
-#
-openhpid = module
-
-# Layer: contrib
-# Module: watchdog
-#
-# Watchdog policy
-#
-watchdog = module
-
-# Layer: contrib
-# Module: oracleasm
-#
-# oracleasm policy
-#
-oracleasm = module
-
-# Layer: contrib
-# Module: redis
-#
-# redis policy
-#
-redis = module
-
-# Layer: contrib
-# Module: hypervkvp
-#
-# hypervkvp policy
-#
-hypervkvp = module
-
-# Layer: contrib
-# Module: lsm
-#
-# lsm policy
-#
-lsm = module
-
-# Layer: contrib
-# Module: motion
-#
-# Daemon for detect motion using a video4linux device
-motion = module
-
-# Layer: contrib
-# Module: rtas
-#
-# rtas policy
-#
-rtas = module
-
-# Layer: contrib
-# Module: journalctl
-#
-# journalctl policy
-#
-journalctl = module
-
-# Layer: contrib
-# Module: gdomap
-#
-# gdomap policy
-#
-gdomap = module
-
-# Layer: contrib
-# Module: minidlna
-#
-# minidlna policy
-#
-minidlna = module
-
-# Layer: contrib
-# Module: minissdpd
-#
-# minissdpd policy
-#
-minissdpd = module
-
-# Layer: contrib
-# Module: freeipmi
-#
-# Remote-Console (out-of-band) and System Management Software (in-band)
-# based on IntelligentPlatform Management Interface specification
-#
-freeipmi = module
-
-# Layer: contrib
-# Module: mirrormanager
-#
-# mirrormanager policy
-#
-mirrormanager = module
-
-# Layer: contrib
-# Module: snapper
-#
-# snapper policy
-#
-snapper = module
-
-# Layer: contrib
-# Module: pcp
-#
-# pcp policy
-#
-pcp = module
-
-# Layer: contrib
-# Module: geoclue
-#
-# Add policy for Geoclue. Geoclue is a D-Bus service that provides location information
-#
-geoclue = module
-
-# Layer: contrib
-# Module: rkhunter
-#
-# rkhunter policy for /var/lib/rkhunter
-#
-rkhunter = module
-
-# Layer: contrib
-# Module: bacula
-#
-# bacula policy
-#
-bacula = module
-
-# Layer: contrib
-# Module: rhnsd
-#
-# rhnsd policy
-#
-rhnsd = module
-
-# Layer: contrib
-# Module: mongodb
-#
-# mongodb policy
-#
-
-mongodb = module
-
-# Layer: contrib
-# Module: iotop
-#
-# iotop policy
-#
-
-iotop = module
-
-# Layer: contrib
-# Module: kmscon
-#
-# kmscon policy
-#
-
-kmscon = module
-
-# Layer: contrib
-# Module: naemon
-#
-# naemon policy
-#
-naemon = module
-
-# Layer: contrib
-# Module: brltty
-#
-# brltty policy
-#
-brltty = module
-
-# Layer: contrib
-# Module: cpuplug
-#
-# cpuplug policy
-#
-cpuplug = module
-
-# Layer: contrib
-# Module: mon_statd
-#
-# mon_statd policy
-#
-mon_statd = module
-
-# Layer: contrib
-# Module: cinder
-#
-# openstack-cinder policy
-#
-cinder = module
-
-# Layer: contrib
-# Module: linuxptp
-#
-# linuxptp policy
-#
-linuxptp = module
-
-# Layer: contrib
-# Module: rolekit
-#
-# rolekit policy
-#
-rolekit = module
-
-# Layer: contrib
-# Module: targetd
-#
-# targetd policy
-#
-targetd = module
-
-# Layer: contrib
-# Module: hsqldb
-#
-# Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes.
-#
-hsqldb = module
-
-# Layer: contrib
-# Module: blkmapd
-#
-# The blkmapd daemon performs device discovery and mapping for pNFS block layout client.
-#
-blkmapd = module
-
-# Layer: contrib
-# Module: pkcs11proxyd
-#
-# pkcs11proxyd policy
-#
-pkcs11proxyd = module
-
-# Layer: contrib
-# Module: ipmievd
-#
-# IPMI event daemon for sending events to syslog
-#
-ipmievd = module
-
-# Layer: contrib
-# Module: openfortivpn
-#
-# Fortinet compatible SSL VPN daemons.
-#
-openfortivpn = module
-
-# Layer: contrib
-# Module: fwupd
-#
-# fwupd is a daemon to allow session software to update device firmware.
-#
-fwupd = module
-
-# Layer: contrib
-# Module: lttng-tools
-#
-# LTTng 2.x central tracing registry session daemon.
-#
-lttng-tools = module
-
-# Layer: contrib
-# Module: rkt
-#
-# CLI for running app containers
-#
-rkt = module
-
-# Layer: contrib
-# Module: opendnssec
-#
-# opendnssec
-#
-opendnssec = module
-
-# Layer: contrib
-# Module: hwloc
-#
-# hwloc
-#
-hwloc = module
-
-# Layer: contrib
-# Module: sbd
-#
-# sbd
-#
-sbd = module
-
-# Layer: contrib
-# Module: tlp
-#
-# tlp
-#
-tlp = module
-
-# Layer: contrib
-# Module: conntrackd
-#
-# conntrackd
-#
-conntrackd = module
-
-# Layer: contrib
-# Module: tangd
-#
-# tangd
-#
-tangd = module
-
-# Layer: contrib
-# Module: ibacm
-#
-# ibacm
-#
-ibacm = module
-
-# Layer: contrib
-# Module: opafm
-#
-# opafm
-#
-opafm = module
-
-# Layer: contrib
-# Module: boltd
-#
-# boltd
-#
-boltd = module
-
-# Layer: contrib
-# Module: kpatch
-#
-# kpatch
-#
-kpatch = module
-
-# Layer: contrib
-# Module: timedatex
-#
-# timedatex
-#
-timedatex = module
-
-# Layer: contrib
-# Module: rrdcached
-#
-# rrdcached
-#
-rrdcached = module
-
-# Layer: contrib
-# Module: stratisd
-#
-# stratisd
-#
-stratisd = module
-
-# Layer: contrib
-# Module: ica
-#
-# ica
-#
-ica = module
-
-# Layer: contrib
-# Module: fedoratp
-#
-# fedoratp
-#
-fedoratp = module
-
-# Layer: contrib
-# Module: stalld
-#
-# stalld
-#
-stalld = module
-
-# Layer: contrib
-# Module: rhcd
-#
-# rhcd
-#
-rhcd = module
-
-# Layer: contrib
-# Module: wireguard
-#
-# wireguard
-#
-wireguard = module
-
-# Layer: contrib
-# Module: keyutils
-#
-# keyutils - Linux Key Management Utilities
-#
-keyutils = module
-
-# Layer: contrib
-# Module: cifsutils
-#
-# cifsutils - Utilities for managing CIFS mounts
-#
-cifsutils = module
-
-# Layer: contrib
-# Module: boothd
-#
-# boothd - Booth cluster ticket manager
-#
-boothd = module
-
-# Layer: contrib
-# Module: kafs
-#
-# kafs - Tools for kAFS
-#
-kafs = module
-
-# Layer: contrib
-# Module: bootupd
-#
-# bootupd - bootloader update daemon
-#
-bootupd = module
-
-# Layer: contrib
-# Module: fdo
-#
-# fdo - fido device onboard protocol for IoT devices
-#
-fdo = module
-
-# Layer: contrib
-# Module: qatlib
-#
-# qatlib - Intel QuickAssist technology library and resources management
-#
-qatlib = module
-
-# Layer: contrib
-# Module: afterburn
-#
-# afterburn
-#
-afterburn = module
-
-# Layer: contrib
-# Module: nvme_stas
-#
-# nvme_stas
-#
-nvme_stas = module
-
-# Layer: contrib
-# Module: coreos_installer
-#
-# coreos_installer
-#
-coreos_installer = module
-
-## Layer: contrib
-## Module: libalternatives
-##
-## libalternatives
-##
-libalternatives = module
-
-## Layer: contrib
-## Module: kiwi
-##
-## kiw
-##
-kiwi = module
-
-# Layer: contrib
-# Module: sap
-#
-# sap
-#
-sap = module
diff --git a/securetty_types-minimum b/securetty_types-minimum
deleted file mode 100644
index d13f103..0000000
--- a/securetty_types-minimum
+++ /dev/null
@@ -1,4 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t
diff --git a/securetty_types-mls b/securetty_types-mls
deleted file mode 100644
index c65327a..0000000
--- a/securetty_types-mls
+++ /dev/null
@@ -1,6 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t
-auditadm_tty_device_t
-secureadm_tty_device_t
diff --git a/securetty_types-targeted b/securetty_types-targeted
deleted file mode 100644
index d13f103..0000000
--- a/securetty_types-targeted
+++ /dev/null
@@ -1,4 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t
diff --git a/selinux-policy-20240604+git390.e897b9b3.tar.xz b/selinux-policy-20240604+git390.e897b9b3.tar.xz
deleted file mode 100644
index e971788..0000000
--- a/selinux-policy-20240604+git390.e897b9b3.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:226e9441664442497a351d376f948a56764edc540622fc661009b42d923a6a2e
-size 773952
diff --git a/selinux-policy-20240604+git689.da1e0e20.tar.xz b/selinux-policy-20240604+git689.da1e0e20.tar.xz
new file mode 100644
index 0000000..7238fb0
--- /dev/null
+++ b/selinux-policy-20240604+git689.da1e0e20.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dd635247ae75471f54947090168d86adf87d1159c185556e94502313f36a5b91
+size 780292
diff --git a/selinux-policy.changes b/selinux-policy.changes
index fbf2448..5ad76a4 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,345 @@
+-------------------------------------------------------------------
+Mon Jan 27 08:27:09 UTC 2025 - cathy.hu@suse.com
+
+- Update to version 20240604+git689.da1e0e20:
+ * Transition samba-dcerpcd pid file from smbd_var_run_t to winbind_var_run_t (bsc#1235801)
+ * /run/samba/samba-dcerpcd.pid needs fc type winbind_rpcd_var_run_t (bsc#1235801)
+ * Adjust rpcd_lsad, samba-bgqd, samba-dcerpcd to SUSE-specific part (bsc#1235801)
+ * Transition nmbd pid file from smbd_var_run_t to nmbd_var_run_t (bsc#1235801)
+
+-------------------------------------------------------------------
+Tue Jan 21 10:21:51 UTC 2025 - cathy.hu@suse.com
+
+- Update to version 20240604+git684.814e5b91:
+ * wtmpdbd systemd service uses NoNewPrivileges (bsc#1235660)
+
+-------------------------------------------------------------------
+Mon Jan 20 09:02:10 UTC 2025 - cathy.hu@suse.com
+
+- Update to version 20240604+git682.1bebca04:
+ * Label xrdp scripts in /etc as bin_t (bsc#1233738)
+ * introduce unconfined_service_transition_to_unconfined_user boolean (bsc#1233738)
+ * Allow database rotation for wtmpdbd_t
+ * Allow wtmpdbd to send messages notifications
+ * Introduce policy for wtmpdbd (bsc#1235660)
+
+-------------------------------------------------------------------
+Thu Jan 09 13:44:10 UTC 2025 - cathy.hu@suse.com
+
+- Sync content of factory branch to SLFO (git commit: 33c703587e800be11fca3101b7caf2d4a5c77117,
+ OBS Factory: selinux-policy-20241220) and update packaging for SLE 16.
+ This includes:
+ - Fix minimum policy by readding rpm module (bsc#1234314)
+ - Fix minimum policy by readding snapper module (bsc#1234037)
+ - Packaging rework: moving all config files to git repository
+ https://gitlab.suse.de/selinux/selinux-policy
+ - Moved booleans to dist/*/booleans.conf and dropped from package:
+ * booleans-minimum.conf
+ - user facing change: boolean settings are now the same as in upstream
+ * booleans-mls.conf
+ - user facing change: boolean settings are now the same as in upstream
+ * booleans-targeted.conf
+ - user facing change: kerberos_enabled boolean was not enabled due to a bug, now it is enabled
+ - Moved booleans.subs_dist to dist/booleans.subs_dist and dropped from package
+ - Moved customizable_types to dist/customizable_types and dropped from package
+ - user facing change: using upstream version
+ - Moved file_contexts.subs_dist to config/file_contexts.subs_dist and dropped from package
+ - user facing change: changed systemd entries in file_contexts.subs_dist:
+ /run/systemd/system -> dropped from file
+ /run/systemd/generator.early /run/systemd/generator
+ /run/systemd/generator.late /run/systemd/generator
+ - Moved modules config to dist//modules.conf and dropped from package:
+ - user facing change: minimum policy: modules base and contrib are merged into modules.lst
+ and modules-enabled.lst was added which contains the enabled modules, replacing modules-minimum-disable.lst
+ * modules-minimum-base.conf
+ * modules-minimum-contrib.conf
+ * modules-minimum-disable.lst
+ * Added: modules-minimum.lst
+ - user facing change: mls policy: modules base + contrib are merged into modules.lst
+ * modules-mls-base.conf
+ * modules-mls-contrib.conf
+ - user facing change: targeted policy: modules base + contrib are merged into modules.lst:
+ * modules-targeted-base.conf
+ * modules-targeted-contrib.conf
+ - Moved securetty config to config/appconfig-/securetty_types and dropped from package
+ - user facing change: using upstream version for all policy types
+ * securetty_types-minimum
+ * securetty_types-mls
+ * securetty_types-targeted
+ - Moved setrans config to dist//setrans.conf and dropped from package
+ * setrans-minimum.conf
+ * setrans-mls.conf
+ * setrans-targeted.conf
+ - Moved users config to dist//users and dropped from package
+ * users-minimum
+ - user facing change: added guest_u and xguest_u
+ * users-mls
+ * users-targeted
+ - Fix debug-build.sh to follow symlinks when creating
+ the tarball
+ - Update embedded container-selinux version to commit:
+ * 3f06c141bebc00a07eec4c0ded038aac4f2ae3f0
+ - Sync modules-targeted-contrib.conf with Fedora targeted modules.conf
+ - Disable build of the MLS policy. We currently don't know if it works
+ and don't want to encourage users to apply it
+ - Enable named_write_master_zones boolean by default (bsc#1229479)
+
+- Update to version 20240604+git675.f1f499c0:
+ * Revert "Remove the fail2ban module sources"
+ * Revert "Remove the linuxptp module sources"
+ * Revert "Remove the amtu module sources"
+ * Allow vhostmd_t list virtqemud pid dirs (bsc#1230961)
+ * Allow auditctl signal auditd
+ * Dontaudit systemd-coredump the sys_resource capability
+ * Allow traceroute_t bind rawip sockets to unreserved ports
+ * Fix the cups_read_pid_files() interface to use read_files_pattern
+ * Allow virtqemud additional permissions for tmpfs_t blk devices
+ * Allow virtqemud rw access to svirt_image_t chr files
+ * Allow virtqemud rw and setattr access to fixed block devices
+ * Label /etc/mdevctl.d/scripts.d with bin_t
+ * Allow virtqemud open svirt_devpts_t char files
+ * Allow virtqemud relabelfrom virt_log_t files
+ * Allow svirt_tcg_t read virtqemud_t fifo_files
+ * Allow virtqemud rw and setattr access to sev devices
+ * Allow virtqemud directly read and write to a fixed disk
+ * Allow virtqemud_t relabel virt_var_lib_t files
+ * Allow virtqemud_t relabel virtqemud_var_run_t sock_files
+ * Add gnome_filetrans_gstreamer_admin_home_content() interface
+ * Label /dev/swradio, /dev/v4l-subdev, /dev/v4l-touch with v4l_device_t
+ * Make bootupd_t permissive
+ * Allow init_t nnp domain transition to locate_t
+ * allow gdm and iiosensorproxy talk to each other via D-bus
+ * Allow systemd-journald getattr nsfs files
+ * Allow sendmail to map mail server configuration files
+ * Allow procmail to read mail aliases
+ * Allow cifs.idmap helper to set attributes on kernel keys
+ * Allow irqbalance setpcap capability in the user namespace
+ * Allow sssd_selinux_manager_t the setcap process permission
+ * Allow systemd-sleep manage efivarfs files
+ * Allow systemd-related domains getattr nsfs files
+ * Allow svirt_t the sys_rawio capability
+ * Allow alsa watch generic device directories
+ * Move systemd-homed interfaces to seperate optional_policy block
+ * Move systemd-homed interfaces to seperate optional_policy block (bsc#1234228)
+ * Update samba-bgqd policy
+ * Update virtlogd policy
+ * Allow svirt_t the sys_rawio capability
+ * Allow qemu-ga the dac_override and dac_read_search capabilities
+ * Add policy for importctl (bsc#1232670)
+ * adjust kandim binary paths (bsc#1232328)
+ * Allow bacula execute container in the container domain
+ * Allow httpd get attributes of dirsrv unit files
+ * Allow samba-bgqd read cups config files
+ * Add label rshim_var_run_t for /run/rshim.pid
+ * [5/5][sync from 'mysql-selinux'] Add mariadb-backup
+ * [4/5][sync from 'mysql-selinux'] Fix regex to also match '/var/lib/mysql/mysqlx.sock'
+ * [3/5][sync from 'mysql-selinux'] Allow mysqld_t to read and write to the 'memory.pressure' file in cgroup2
+ * [2/5][sync from 'mysql-selinux'] 2nd attempt to fix rhbz#2186996 rhbz#2221433 rhbz#2245705
+ * [1/5][sync from 'mysql-selinux'] Allow 'mysqld' to use '/usr/bin/hostname'
+ * Allow systemd-networkd read mount pid files
+ * Update policy for samba-bgqd
+ * Allow chronyd read networkmanager's pid files
+ * Allow staff user connect to generic tcp ports
+ * Allow gnome-remote-desktop dbus chat with policykit
+ * Allow tlp the setpgid process permission
+ * Update the bootupd policy
+ * Allow sysadm_t use the io_uring API
+ * Allow sysadm user dbus chat with virt-dbus
+ * Allow virtqemud_t read virsh_t files
+ * Allow virt_dbus_t connect to virtd_t over a unix stream socket
+ * Allow systemd-tpm2-generator read hardware state information
+ * Allow coreos-installer-generator execute generic programs
+ * Allow coreos-installer domain transition on udev execution
+ * Add workaround for /run/rpmdb lockfile (bsc#1231127)
+ * Add dedicated health-checker module (bsc#1231127)
+ * Revert "Allow unconfined_t execute kmod in the kmod domain"
+ * Allow iio-sensor-proxy create and use unix dgram socket
+ * Allow virtstoraged read vm sysctls
+ * Support ssh connections via systemd-ssh-generator
+ * Label all semanage store files in /etc as semanage_store_t
+ * Add file transition for nvidia-modeset
+ * Re-add kanidm module to dist/targeted/modules.conf
+ * Add SUSE-specific file contexts to file_contexts.subs_dist
+ * Disallow execstack in dist/minimum/booleans.conf
+ * Add SUSE-specific booleans to dist/targeted/booleans.conf
+ * Add SUSE specific modules to targeted modules.conf
+ * Label /var/cache/systemd/home with systemd_homed_cache_t
+ * Allow login_userdomain connect to systemd-homed over a unix socket
+ * Allow boothd connect to systemd-homed over a unix socket
+ * Allow systemd-homed get attributes of a tmpfs filesystem
+ * Allow abrt-dump-journal-core connect to systemd-homed over a unix socket
+ * Allow aide connect to systemd-homed over a unix socket
+ * Label /dev/hfi1_[0-9]+ devices
+ * Remove the openct module sources
+ * Remove the timidity module sources
+ * Enable the slrn module
+ * Remove i18n_input module sources
+ * Enable the distcc module
+ * Remove the ddcprobe module sources
+ * Remove the timedatex module sources
+ * Remove the djbdns module sources
+ * Confine iio-sensor-proxy
+ * Allow staff user nlmsg_write
+ * Update policy for xdm with confined users
+ * Allow virtnodedev watch mdevctl config dirs
+ * Allow ssh watch home config dirs
+ * Allow ssh map home configs files
+ * Allow ssh read network sysctls
+ * Allow chronyc sendto to chronyd-restricted
+ * Allow cups sys_ptrace capability in the user namespace
+ * Add policy for systemd-homed
+ * Remove fc entry for /usr/bin/pump
+ * Label /usr/bin/noping and /usr/bin/oping with ping_exec_t
+ * Allow accountsd read gnome-initial-setup tmp files
+ * Allow xdm write to gnome-initial-setup fifo files
+ * Allow rngd read and write generic usb devices
+ * Allow qatlib search the content of the kernel debugging filesystem
+ * Allow qatlib connect to systemd-machined over a unix socket
+ * mls/modules.conf - fix typo
+ * Use dist/targeted/modules.conf in build workflow
+ * Fix default and dist config files
+ * Allow unprivileged user watch /run/systemd
+ * CI: update to actions/checkout@v4
+ * Allow boothd connect to kernel over a unix socket
+ * Clean up and sync securetty_types
+ * Bring config files from dist-git into the source repo
+ * Confine gnome-remote-desktop
+ * Allow virtstoraged execute mount programs in the mount domain
+ * Make mdevctl_conf_t member of the file_type attribute
+ * Allow virt_dbus_t to connect to virtd_t over unix_stream_socket (bsc#1232655)
+ * Label /var/livepatches as lib_t for ULP on micro (bsc#1228879)
+ * Allow dirsrv-snmp map dirsv_tmpfs_t files
+ * Label /usr/lib/node_modules_22/npm/bin with bin_t
+ * Add policy for /usr/libexec/samba/samba-bgqd
+ * Allow gnome-remote-desktop watch /etc directory
+ * Allow rpcd read network sysctls
+ * Allow journalctl connect to systemd-userdbd over a unix socket
+ * Allow some confined users send to lldpad over a unix dgram socket
+ * Allow lldpad send to unconfined_t over a unix dgram socket
+ * Allow lldpd connect to systemd-machined over a unix socket
+ * Confine the ktls service
+ * Allow dirsrv read network sysctls
+ * Label /run/sssd with sssd_var_run_t
+ * Label /etc/sysctl.d and /run/sysctl.d with system_conf_t
+ * Allow unconfined_t execute kmod in the kmod domain
+ * Allow confined users r/w to screen unix stream socket
+ * Label /root/.screenrc and /root/.tmux.conf with screen_home_t
+ * Allow virtqemud read virtd_t files
+ * Allow ping_t read network sysctls
+ * Allow systemd-homework connect to init over a unix socket
+ * Fix systemd-homed blobs directory permissions
+ * Allow virtqemud read sgx_vepc devices
+ * Allow lldpad create and use netlink_generic_socket
+ * Allow snapperd to execute systemctl (bsc#1231489)
+ * rsync: add rsync_exec_commands boolean and enable it by default (bsc#1231494)
+ * Allow slpd to create TCPDIAG netlink socket (bsc#1231491)
+ * Allow slpd to use sys_chroot (bsc#1231491)
+ * Allow openvswitch-ipsec use strongswan (bsc#1231493)
+ * Allow systemd-homework write to init pid socket
+ * Allow init create /var/cache/systemd/home
+ * Confine the pcm service
+ * Allow login_userdomain read thumb tmp files
+ * Update power-profiles-daemon policy
+ * Fix the /etc/mdevctl\.d(/.*)? regexp
+ * Grant rhsmcertd chown capability & userdb access
+ * Allow iio-sensor-proxy the bpf capability
+ * Allow systemd-machined the kill user-namespace capability
+ * Remove the fail2ban module sources
+ * Remove the linuxptp module sources
+ * Remove legacy rules for slrnpull
+ * Remove the aiccu module sources
+ * Remove the bcfg2 module sources
+ * Remove the amtu module sources
+ * Remove the rhev module sources
+ * Remove all file context entries for /bin and /lib
+ * Allow ptp4l the sys_admin capability
+ * Confine power-profiles-daemon
+ * Label /var/cache/systemd/home with systemd_homed_cache_t
+ * Allow login_userdomain connect to systemd-homed over a unix socket
+ * Allow boothd connect to systemd-homed over a unix socket
+ * Allow systemd-homed get attributes of a tmpfs filesystem
+ * Allow abrt-dump-journal-core connect to systemd-homed over a unix socket
+ * Allow aide connect to systemd-homed over a unix socket
+ * Label /dev/hfi1_[0-9]+ devices
+ * Remove the openct module sources
+ * Remove the timidity module sources
+ * Enable the slrn module
+ * Remove i18n_input module sources
+ * Enable the distcc module
+ * Remove the ddcprobe module sources
+ * Remove the timedatex module sources
+ * Remove the djbdns module sources
+ * Confine iio-sensor-proxy
+ * Allow staff user nlmsg_write
+ * Update policy for xdm with confined users
+ * Allow virtnodedev watch mdevctl config dirs
+ * Allow ssh watch home config dirs
+ * Allow ssh map home configs files
+ * Allow ssh read network sysctls
+ * Allow chronyc sendto to chronyd-restricted
+ * Allow cups sys_ptrace capability in the user namespace
+ * Label auutyast binaries correctly
+ * Allow snapperd to manage unlabeled_t files (bsc#1230966)
+ * Add policy for systemd-homed
+ * Revert "Allow virtstoraged to manage images (bsc#1228742)"
+ * Remove fc entry for /usr/bin/pump
+ * Label /usr/bin/noping and /usr/bin/oping with ping_exec_t
+ * Allow accountsd read gnome-initial-setup tmp files
+ * Allow xdm write to gnome-initial-setup fifo files
+ * Allow rngd read and write generic usb devices
+ * Allow qatlib search the content of the kernel debugging filesystem
+ * Allow qatlib connect to systemd-machined over a unix socket
+ * mls/modules.conf - fix typo
+ * Use dist/targeted/modules.conf in build workflow
+ * Fix default and dist config files
+ * Allow unprivileged user watch /run/systemd
+ * CI: update to actions/checkout@v4
+ * Allow boothd connect to kernel over a unix socket
+ * Clean up and sync securetty_types
+ * Bring config files from dist-git into the source repo
+ * Confine gnome-remote-desktop
+ * Allow systemd_ibft_rule_generator_t to create udev_rules_t dirs (bsc#1230011)
+ * Allow virtstoraged execute mount programs in the mount domain
+ * Make mdevctl_conf_t member of the file_type attribute
+ * Allow systemd_udev_trigger_generator_t list and read sysctls (bsc#1230315)
+ * Initial policy for udev-trigger-generator (bsc#1230315)
+ * Allow init_t mount syslog socket (bsc#1230134)
+ * Allow init_t create syslog files (bsc#1230134)
+ * Introduce initial policy for btrfs-soft-reboot-generator (bsc#1230134)
+ * Label /etc/mdevctl.d with mdevctl_conf_t
+ * Sync users with Fedora targeted users
+ * Update policy for rpc-virtstorage
+ * Allow virtstoraged get attributes of configfs dirs
+ * Fix SELinux policy for sandbox X server to fix 'sandbox -X' command
+ * Update bootupd policy when ESP is not mounted
+ * Allow thumb_t map dri devices
+ * Allow samba use the io_uring API
+ * Allow the sysadm user use the secretmem API
+ * Allow nut-upsmon read systemd-logind session files
+ * Allow sysadm_t to create PF_KEY sockets
+ * Update bootupd policy for the removing-state-file test
+ * Allow xen to use qemu as dom0 disk backend (bsc#1228540)
+ * Label /var/lib/xen/xenstore as xenstored_var_lib_t (bsc#1228540)
+ * Allow coreos-installer-generator manage mdadm_conf_t files
+ * Allow virtstoraged to manage images (bsc#1228742)
+ * Allow virtstoraged_t domtrans to udev (bsc#1228742)
+ * Allow setsebool_t relabel selinux data files
+ * Allow virtqemud relabelfrom virtqemud_var_run_t dirs
+ * Use better escape method for "interface"
+ * Allow init and systemd-logind to inherit fds from sshd
+ * Allow systemd-ssh-generator read sysctl files
+ * Sync modules.conf with Fedora targeted modules
+ * Allow systemd-ssh-generator to load net-pf-40 (bsc#1229766)
+ * Allow virtqemud relabel user tmp files and socket files
+ * Add missing sys_chroot capability to groupadd policy
+ * Label /run/libvirt/qemu/channel with virtqemud_var_run_t
+ * Allow rasdaemon write access to sysfs (bsc#1229587)
+ * Allow xl to access hypercall interfaces to xen hypervisor (bsc#1228540)
+ * Initial policy for syslog-ng (bsc#1229153)
+ * Allow virtqemud relabelfrom also for file and sock_file
+ * Add virt_create_log() and virt_write_log() interfaces
+ * allow sshd_t and sshd_net_t access to ssh vsockets (bsc#1228831)
+
-------------------------------------------------------------------
Mon Dec 16 16:18:50 UTC 2024 - cathy.hu@suse.com
diff --git a/selinux-policy.spec b/selinux-policy.spec
index accb0bf..c675314 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -24,7 +24,10 @@
%define monolithic n
%define BUILD_TARGETED 1
%define BUILD_MINIMUM 1
-%define BUILD_MLS 1
+# At the moment we don't build the MLS policy. We didn't do any testing for this and have no
+# confidence that it works. Feel free to branch the package and enable it, but be aware that
+# you're on your own
+%define BUILD_MLS 0
%define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils)
%define CHECKPOLICYVER %POLICYCOREUTILSVER
@@ -33,7 +36,7 @@ Summary: SELinux policy configuration
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
-Version: 20240604+git390.e897b9b3
+Version: 20240604+git689.da1e0e20
Release: 0
Source0: %{name}-%{version}.tar.xz
Source1: container.fc
@@ -44,37 +47,11 @@ Source5: README.Update
Source6: update.sh
Source7: debug-build.sh
-Source10: modules-targeted-base.conf
-Source11: modules-targeted-contrib.conf
-Source12: modules-mls-base.conf
-Source13: modules-mls-contrib.conf
-Source14: modules-minimum-base.conf
-Source15: modules-minimum-contrib.conf
-Source18: modules-minimum-disable.lst
-
-Source20: booleans-targeted.conf
-Source21: booleans-mls.conf
-Source22: booleans-minimum.conf
-Source23: booleans.subs_dist
-
-Source30: setrans-targeted.conf
-Source31: setrans-mls.conf
-Source32: setrans-minimum.conf
-
-Source40: securetty_types-targeted
-Source41: securetty_types-mls
-Source42: securetty_types-minimum
-
-Source50: users-targeted
-Source51: users-mls
-Source52: users-minimum
+Source18: modules-minimum.lst
Source60: selinux-policy.conf
Source91: Makefile.devel
-Source92: customizable_types
-#Source93: config.tgz
-Source94: file_contexts.subs_dist
Source95: macros.selinux-policy
URL: https://github.com/fedora-selinux/selinux-policy.git
@@ -107,17 +84,11 @@ Recommends: selinux-autorelabel
%define makeCmds() \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
-cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
-cp -f selinux_config/users-%1 ./policy/users \
-#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
+install -p -m0644 ./dist/%1/booleans.conf ./policy/booleans.conf \
+install -p -m0644 ./dist/%1/users ./policy/users \
%define makeModulesConf() \
-cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
-cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
-if [ %3 == "contrib" ];then \
- cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
- cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
-fi; \
+install -p -m0644 ./dist/%1/modules.conf ./policy/modules.conf \
%define installCmds() \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
@@ -128,14 +99,13 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="
%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
%{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
-install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
-install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
-install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
-install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
+install -m0644 ./config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
+install -m0644 ./dist/%1/setrans.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
+install -m0644 ./dist/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
-cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \
+install -p -m0644 ./dist/booleans.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1 \
rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \
%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
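Review bot: The removed `install -m0644 selinux_config/securetty_types-%1 …/contexts/securetty_types` line has no counterpart among the added lines, so nothing visible in `installCmds` places `contexts/securetty_types` any more. The in-tree `make … install` step may now ship it (the changelog mentions "Clean up and sync securetty_types"), but that is not visible in this hunk. Since this file decides which terminal types count as secure for login, confirm that the built package still contains it for every policy type, or add an explicit install line from the in-tree copy, as was done for `setrans.conf` and `customizable_types`. The macro body starts before and continues past this hunk.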
@@ -198,8 +168,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
%dir %{_datadir}/selinux/%1 \
%dir %{_datadir}/selinux/packages/%1 \
%{_datadir}/selinux/%1/base.lst \
-%{_datadir}/selinux/%1/modules-base.lst \
-%{_datadir}/selinux/%1/modules-contrib.lst \
+%{_datadir}/selinux/%1/modules.lst \
%{_datadir}/selinux/%1/nonbasemodules.lst \
%dir %{_sharedstatedir}/selinux/%1 \
%{_sharedstatedir}/selinux/%1/active/commit_num \
@@ -276,16 +245,12 @@ else \
fi;
%define modulesList() \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
-if [ -e ./policy/modules-contrib.conf ];then \
- awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
-fi;
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/modules.lst \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
%define nonBaseModulesList() \
-contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
-base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
-for i in $contrib_modules $base_modules; do \
+modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules.lst` \
+for i in $modules; do \
if [ $i != "sandbox" ];then \
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
fi; \
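Review bot: The two new awk lines in `modulesList` keep the comment filter `$1 !~ "/^#/"`, where the pattern is a string, so awk compiles the slashes as part of the regex and the test looks to be true for every line. Only `$2 == "="` and `$3 == "module"` (or `"base"`) actually filter, so a line such as `#foo = module` in `./policy/modules.conf` would put `#foo` into `modules.lst` and then into `nonbasemodules.lst`. Writing the test with a regex literal, `$1 !~ /^#/`, makes the filter do what it says. In `nonBaseModulesList`, quoting the operand (`[ "$i" != "sandbox" ]`) would also keep an odd token from breaking the test.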
@@ -366,15 +331,10 @@ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/
-mkdir selinux_config
-for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do
- cp $i selinux_config
-done
-
make clean
%if %{BUILD_TARGETED}
%makeCmds targeted mcs allow
-%makeModulesConf targeted base contrib
+%makeModulesConf targeted
%installCmds targeted mcs allow
# recreate sandbox.pp
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
@@ -386,19 +346,19 @@ mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
%if %{BUILD_MINIMUM}
%makeCmds minimum mcs allow
-%makeModulesConf targeted base contrib
+%makeModulesConf targeted
%installCmds minimum mcs allow
-install -m0644 %{SOURCE18} %{buildroot}%{_datadir}/selinux/minimum/modules-minimum-disable.lst
# Sandbox is only targeted
rm -f %{buildroot}%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
+install -p -m 644 %{SOURCE18} %{buildroot}%{_datadir}/selinux/minimum/modules-enabled.lst
%modulesList minimum
%nonBaseModulesList minimum
%endif
%if %{BUILD_MLS}
%makeCmds mls mls deny
-%makeModulesConf mls base contrib
+%makeModulesConf mls
%installCmds mls mls deny
%modulesList mls
%nonBaseModulesList mls
@@ -411,7 +371,7 @@ make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot}
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
mkdir %{buildroot}%{_datadir}/selinux/devel/
mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
-install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
+install -m 644 %{SOURCE91} %{buildroot}%{_datadir}/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
@@ -570,16 +530,19 @@ if [ $1 -ne 1 ]; then
fi
%post minimum
-contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst`
-basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst`
-mkdir -p %{_sharedstatedir}/selinux/minimum/active/modules/disabled 2>/dev/null
+modules=`cat %{_datadir}/selinux/minimum/modules.lst`
+basemodules=`cat %{_datadir}/selinux/minimum/base.lst`
+enabledmodules=`cat %{_datadir}/selinux/minimum/modules-enabled.lst`
+if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then
+ mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled
+fi
if [ $1 -eq 1 ]; then
- for p in $contribpackages; do
- touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
- done
- for p in $basepackages snapper dbus kerberos nscd rpm rtkit; do
- rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
- done
+for p in $modules; do
+ touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
+done
+for p in $basemodules $enabledmodules; do
+ rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
+done
%{_sbindir}/semanage import -S minimum -f - << __eof
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
@@ -588,7 +551,7 @@ __eof
%{_sbindir}/semodule -B -s minimum
else
instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
- for p in $contribpackages; do
+ for p in $packages; do
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
for p in $instpackages snapper dbus kerberos nscd rtkit; do
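Review bot: The upgrade branch now loops over `$packages`, which is not assigned anywhere in the visible part of the `%post minimum` scriptlet; the variables set at its top are `modules`, `basemodules` and `enabledmodules`. If it is indeed unset, the loop body never runs, so on upgrade no `disabled` marker is written and modules newly added to the policy are not disabled, which changes what the minimum policy loads after an update. The line should read `for p in $modules; do`. The following loop still re-enables the hard-coded `snapper dbus kerberos nscd rtkit`, while the install branch uses `$basemodules $enabledmodules`; the two branches should probably use the same list. The scriptlet starts and ends outside this hunk.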
@@ -605,7 +568,7 @@ exit 0
%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
-%{_datadir}/selinux/minimum/modules-minimum-disable.lst
+%{_datadir}/selinux/minimum/modules-enabled.lst
%fileList minimum
%endif
diff --git a/setrans-minimum.conf b/setrans-minimum.conf
deleted file mode 100644
index 77c700c..0000000
--- a/setrans-minimum.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023. Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh
diff --git a/setrans-mls.conf b/setrans-mls.conf
deleted file mode 100644
index 57e7e3d..0000000
--- a/setrans-mls.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-#
-# Multi-Level Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be labeled with one of 16 levels and be categorized with 0-1023
-# categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Users can modify this table to translate the MLS labels for different purpose.
-#
-# Assumptions: using below MLS labels.
-# SystemLow
-# SystemHigh
-# Unclassified
-# Secret with compartments A and B.
-#
-# SystemLow and SystemHigh
-s0=SystemLow
-s15:c0.c1023=SystemHigh
-s0-s15:c0.c1023=SystemLow-SystemHigh
-
-# Unclassified level
-s1=Unclassified
-
-# Secret level with compartments
-s2=Secret
-s2:c0=A
-s2:c1=B
-
-# ranges for Unclassified
-s0-s1=SystemLow-Unclassified
-s1-s2=Unclassified-Secret
-s1-s15:c0.c1023=Unclassified-SystemHigh
-
-# ranges for Secret with compartments
-s0-s2=SystemLow-Secret
-s0-s2:c0=SystemLow-Secret:A
-s0-s2:c1=SystemLow-Secret:B
-s0-s2:c0,c1=SystemLow-Secret:AB
-s1-s2:c0=Unclassified-Secret:A
-s1-s2:c1=Unclassified-Secret:B
-s1-s2:c0,c1=Unclassified-Secret:AB
-s2-s2:c0=Secret-Secret:A
-s2-s2:c1=Secret-Secret:B
-s2-s2:c0,c1=Secret-Secret:AB
-s2-s15:c0.c1023=Secret-SystemHigh
-s2:c0-s2:c0,c1=Secret:A-Secret:AB
-s2:c0-s15:c0.c1023=Secret:A-SystemHigh
-s2:c1-s2:c0,c1=Secret:B-Secret:AB
-s2:c1-s15:c0.c1023=Secret:B-SystemHigh
-s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
diff --git a/setrans-targeted.conf b/setrans-targeted.conf
deleted file mode 100644
index 77c700c..0000000
--- a/setrans-targeted.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023. Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh
diff --git a/users-minimum b/users-minimum
deleted file mode 100644
index 8ccacae..0000000
--- a/users-minimum
+++ /dev/null
@@ -1,39 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined. The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user. If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell. Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/users-mls b/users-mls
deleted file mode 100644
index 167ba7c..0000000
--- a/users-mls
+++ /dev/null
@@ -1,40 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined. The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user. If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell. Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(guest_u, user, guest_r, s0, s0)
-gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/users-targeted b/users-targeted
deleted file mode 100644
index e943336..0000000
--- a/users-targeted
+++ /dev/null
@@ -1,41 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined. The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user. If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell. Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(guest_u, user, guest_r, s0, s0)
-gen_user(xguest_u, user, xguest_r, s0, s0)