diff --git a/booleans-minimum.conf b/booleans-minimum.conf
index abba8cf..26b0dc4 100644
--- a/booleans-minimum.conf
+++ b/booleans-minimum.conf
@@ -1,1848 +1,248 @@ -# -# Disable kernel module loading. -# -secure_mode_insmod = false - -# -# Boolean to determine whether the system permits loading policy, setting -# enforcing mode, and changing boolean values. Set this to true and you -# have to reboot to set it back. -# -secure_mode_policyload = false - -# -# Enabling secure mode disallows programs, such as -# newrole, from transitioning to administrative -# user domains. -# -secure_mode = false - -# -# Grant the firstboot domains read access to generic user content -# -firstboot_read_generic_user_content = true - -# -# Grant the firstboot domains read access to all user content -# -firstboot_read_all_user_content = false - -# -# Grant the firstboot domains manage rights on generic user content -# -firstboot_manage_generic_user_content = false - -# -# Grant the firstboot domains manage rights on all user content -# -firstboot_manage_all_user_content = false - -# -# Determine whether logwatch can connect -# to mail over the network. -# -logwatch_can_network_connect_mail = false - -# -# Determine whether mcelog supports -# client mode. -# -mcelog_client = false - -# -# Determine whether mcelog can execute scripts. -# -mcelog_exec_scripts = true - -# -# Determine whether mcelog can use all -# the user ttys. -# -mcelog_foreground = false - -# -# Determine whether mcelog supports -# server mode. -# -mcelog_server = false - -# -# Determine whether mcelog can use syslog. -# -mcelog_syslog = false - -# -# Control users use of ping and traceroute -# -user_ping = false - -# -# Determine whether portage can -# use nfs filesystems. -# -portage_use_nfs = false - -# -# Determine whether puppet can -# manage all non-security files. -# -puppet_manage_all_files = false - -# -# Determine whether rkhunter can connect -# to http ports. This is required by the -# --update option. -# -rkhunter_connect_http = false - -# -# Determine whether attempts by -# vbetool to mmap low regions should -# be silently blocked. 
-# -vbetool_mmap_zero_ignore = false - -# -# Determine whether awstats can -# purge httpd log files. -# -awstats_purge_apache_log_files = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_awstats_script_anon_write = false - -# -# Determine whether cdrecord can read -# various content. nfs, samba, removable -# devices, user temp and untrusted -# content files -# -cdrecord_read_content = false - -# -# Allow evolution to create and write -# user certificates in addition to -# being able to read them -# -evolution_manage_user_certs = false - -# -# Grant the evolution domains read access to generic user content -# -evolution_read_generic_user_content = true - -# -# Grant the evolution domains read access to all user content -# -evolution_read_all_user_content = false - -# -# Grant the evolution domains manage rights on generic user content -# -evolution_manage_generic_user_content = false - -# -# Grant the evolution domains manage rights on all user content -# -evolution_manage_all_user_content = false - -# -# Determine whether Gitosis can send mail. -# -gitosis_can_sendmail = false - -# -# Determine whether GPG agent can manage -# generic user home content files. This is -# required by the --write-env-file option. 
-# -gpg_agent_env_file = false - -# -# Determine whether GPG agent can use OpenPGP -# cards or Yubikeys over USB -# -gpg_agent_use_card = false - -# -# Grant the gpg domains read access to generic user content -# -gpg_read_generic_user_content = true - -# -# Grant the gpg domains read access to all user content -# -gpg_read_all_user_content = false - -# -# Grant the gpg domains manage rights on generic user content -# -gpg_manage_generic_user_content = false - -# -# Grant the gpg domains manage rights on all user content -# -gpg_manage_all_user_content = false - -# -# Determine whether irc clients can -# listen on and connect to any -# unreserved TCP ports. -# -irc_use_any_tcp_ports = false - -# -# Grant the irc domains read access to generic user content -# -irc_read_generic_user_content = true - -# -# Grant the irc domains read access to all user content -# -irc_read_all_user_content = false - -# -# Grant the irc domains manage rights on generic user content -# -irc_manage_generic_user_content = false - -# -# Grant the irc domains manage rights on all user content -# -irc_manage_all_user_content = false - -# -# Determine whether java can make -# its stack executable. -# -allow_java_execstack = false - -# -# Grant the java domains read access to generic user content -# -java_read_generic_user_content = true - -# -# Grant the java domains read access to all user content -# -java_read_all_user_content = false - -# -# Grant the java domains manage rights on generic user content -# -java_manage_generic_user_content = false - -# -# Grant the java domains manage rights on all user content -# -java_manage_all_user_content = false - -# -# Determine whether libmtp can read -# and manage the user home directories -# and files. -# -libmtp_enable_home_dirs = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. 
-# -allow_httpd_lightsquid_script_anon_write = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_man2html_script_anon_write = false - -# -# Determine whether mozilla can -# make its stack executable. -# -mozilla_execstack = false - -# -# Grant the mozilla domains read access to generic user content -# -mozilla_read_generic_user_content = true - -# -# Grant the mozilla domains read access to all user content -# -mozilla_read_all_user_content = false - -# -# Grant the mozilla domains manage rights on generic user content -# -mozilla_manage_generic_user_content = false - -# -# Grant the mozilla domains manage rights on all user content -# -mozilla_manage_all_user_content = false - -# -# Determine whether mplayer can make -# its stack executable. -# -allow_mplayer_execstack = false - -# -# Grant the mplayer_mencoder domains read access to generic user content -# -mplayer_mencoder_read_generic_user_content = true - -# -# Grant the mplayer_mencoder domains read access to all user content -# -mplayer_mencoder_read_all_user_content = false - -# -# Grant the mplayer_mencoder domains manage rights on generic user content -# -mplayer_mencoder_manage_generic_user_content = false - -# -# Grant the mplayer_mencoder domains manage rights on all user content -# -mplayer_mencoder_manage_all_user_content = false - -# -# Grant the mplayer domains read access to generic user content -# -mplayer_read_generic_user_content = true - -# -# Grant the mplayer domains read access to all user content -# -mplayer_read_all_user_content = false - -# -# Grant the mplayer domains manage rights on generic user content -# -mplayer_manage_generic_user_content = false - -# -# Grant the mplayer domains manage rights on all user content -# -mplayer_manage_all_user_content = false - -# -# Determine whether openoffice can -# download software updates from the -# 
network (application and/or -# extensions). -# -openoffice_allow_update = true - -# -# Determine whether openoffice writer -# can send emails directly (print to -# email). This is different from the -# functionality of sending emails -# through external clients which is -# always enabled. -# -openoffice_allow_email = false - -# -# Grant the openoffice domains read access to generic user content -# -openoffice_read_generic_user_content = true - -# -# Grant the openoffice domains read access to all user content -# -openoffice_read_all_user_content = false - -# -# Grant the openoffice domains manage rights on generic user content -# -openoffice_manage_generic_user_content = false - -# -# Grant the openoffice domains manage rights on all user content -# -openoffice_manage_all_user_content = false - -# -# Allow pulseaudio to execute code in -# writable memory -# -pulseaudio_execmem = false - -# -# Determine whether qemu has full -# access to the network. -# -qemu_full_network = false - -# -# Grant the syncthing domains read access to generic user content -# -syncthing_read_generic_user_content = true - -# -# Grant the syncthing domains read access to all user content -# -syncthing_read_all_user_content = false - -# -# Grant the syncthing domains manage rights on generic user content -# -syncthing_manage_generic_user_content = false - -# -# Grant the syncthing domains manage rights on all user content -# -syncthing_manage_all_user_content = false - -# -# Determine whether telepathy connection -# managers can connect to generic tcp ports. -# -telepathy_tcp_connect_generic_network_ports = false - -# -# Determine whether telepathy connection -# managers can connect to any port. 
-# -telepathy_connect_all_ports = false - -# -# Grant the thunderbird domains read access to generic user content -# -thunderbird_read_generic_user_content = true - -# -# Grant the thunderbird domains read access to all user content -# -thunderbird_read_all_user_content = false - -# -# Grant the thunderbird domains manage rights on generic user content -# -thunderbird_manage_generic_user_content = false - -# -# Grant the thunderbird domains manage rights on all user content -# -thunderbird_manage_all_user_content = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_webalizer_script_anon_write = false - -# -# Determine whether attempts by -# wine to mmap low regions should -# be silently blocked. -# -wine_mmap_zero_ignore = false - -# -# Grant the wireshark domains read access to generic user content -# -wireshark_read_generic_user_content = true - -# -# Grant the wireshark domains read access to all user content -# -wireshark_read_all_user_content = false - -# -# Grant the wireshark domains manage rights on generic user content -# -wireshark_manage_generic_user_content = false - -# -# Grant the wireshark domains manage rights on all user content -# -wireshark_manage_all_user_content = false - -# -# Grant the xscreensaver domains read access to generic user content -# -xscreensaver_read_generic_user_content = true - -# -# Control the ability to mmap a low area of the address space, -# as configured by /proc/sys/kernel/mmap_min_addr. -# -mmap_low_allowed = false - -# -# Determine whether dbadm can manage -# generic user files. -# -dbadm_manage_user_files = false - -# -# Determine whether dbadm can read -# generic user files. -# -dbadm_read_user_files = false - -# -# Allow sysadm to debug or ptrace all processes. -# -allow_ptrace = false - -# -# Determine whether webadm can -# manage generic user files. 
-# -webadm_manage_user_files = false - -# -# Determine whether webadm can -# read generic user files. -# -webadm_read_user_files = false - -# -# Determine whether xguest can -# mount removable media. -# -xguest_mount_media = false - -# -# Determine whether xguest can -# configure network manager. -# -xguest_connect_network = false - -# -# Determine whether xguest can -# use blue tooth devices. -# -xguest_use_bluetooth = false - -# -# Determine whether ABRT can modify -# public files used for public file -# transfer services. -# -abrt_anon_write = false - -# -# Determine whether abrt-handle-upload -# can modify public files used for public file -# transfer services in /var/spool/abrt-upload/. -# -abrt_upload_watch_anon_write = true - -# -# Determine whether ABRT can run in -# the abrt_handle_event_t domain to -# handle ABRT event scripts. -# -abrt_handle_event = false - -# -# Determine whether amavis can -# use JIT compiler. -# -amavis_use_jit = false - -# -# Determine whether httpd can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_anon_write = false - -# -# Determine whether httpd can use mod_auth_pam. -# -allow_httpd_mod_auth_pam = false - -# -# Determine whether httpd can use built in scripting. -# -httpd_builtin_scripting = false - -# -# Determine whether httpd can check spam. -# -httpd_can_check_spam = false - -# -# Determine whether httpd scripts and modules -# can connect to the network using TCP. -# -httpd_can_network_connect = false - -# -# Determine whether httpd scripts and modules -# can connect to cobbler over the network. -# -httpd_can_network_connect_cobbler = false - -# -# Determine whether scripts and modules can -# connect to databases over the network. -# -httpd_can_network_connect_db = false - -# -# Determine whether httpd can connect to -# ldap over the network. 
-# -httpd_can_network_connect_ldap = false - -# -# Determine whether httpd can connect -# to memcache server over the network. -# -httpd_can_network_connect_memcache = false - -# -# Determine whether httpd can act as a relay. -# -httpd_can_network_relay = false - -# -# Determine whether httpd daemon can -# connect to zabbix over the network. -# -httpd_can_network_connect_zabbix = false - -# -# Determine whether httpd can send mail. -# -httpd_can_sendmail = false - -# -# Determine whether httpd can communicate -# with avahi service via dbus. -# -httpd_dbus_avahi = false - -# -# Determine wether httpd can use support. -# -httpd_enable_cgi = false - -# -# Determine whether httpd can act as a -# FTP server by listening on the ftp port. -# -httpd_enable_ftp_server = false - -# -# Determine whether httpd can traverse -# user home directories. -# -httpd_enable_homedirs = false - -# -# Determine whether httpd gpg can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -httpd_gpg_anon_write = false - -# -# Determine whether httpd can execute -# its temporary content. -# -httpd_tmp_exec = false - -# -# Determine whether httpd scripts and -# modules can use execmem and execstack. -# -httpd_execmem = false - -# -# Determine whether httpd can connect -# to port 80 for graceful shutdown. -# -httpd_graceful_shutdown = false - -# -# Determine whether httpd can -# manage IPA content files. -# -httpd_manage_ipa = false - -# -# Determine whether httpd can use mod_auth_ntlm_winbind. -# -httpd_mod_auth_ntlm_winbind = false - -# -# Determine whether httpd can read -# generic user home content files. -# -httpd_read_user_content = false - -# -# Determine whether httpd can change -# its resource limits. -# -httpd_setrlimit = false - -# -# Determine whether httpd can run -# SSI executables in the same domain -# as system CGI scripts. 
-# -httpd_ssi_exec = false - -# -# Determine whether httpd can communicate -# with the terminal. Needed for entering the -# passphrase for certificates at the terminal. -# -httpd_tty_comm = false - -# -# Determine whether httpd can have full access -# to its content types. -# -httpd_unified = false - -# -# Determine whether httpd can use -# cifs file systems. -# -httpd_use_cifs = false - -# -# Determine whether httpd can -# use fuse file systems. -# -httpd_use_fusefs = false - -# -# Determine whether httpd can use gpg. -# -httpd_use_gpg = false - -# -# Determine whether httpd can use -# nfs file systems. -# -httpd_use_nfs = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_sys_script_anon_write = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_user_script_anon_write = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_unconfined_script_anon_write = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_apcupsd_cgi_script_anon_write = false - -# -# Determine whether Bind can bind tcp socket to http ports. -# -named_tcp_bind_http_port = false - -# -# Determine whether Bind can write to master zone files. -# Generally this is used for dynamic DNS or zone transfers. -# -named_write_master_zones = false - -# -# Determine whether boinc can execmem/execstack. -# -boinc_execmem = true - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. 
Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_bugzilla_script_anon_write = false - -# -# Determine whether clamscan can -# read user content files. -# -clamav_read_user_content_files_clamscan = false - -# -# Determine whether clamscan can read -# all non-security files. -# -clamav_read_all_non_security_files_clamscan = false - -# -# Determine whether can clamd use JIT compiler. -# -clamd_use_jit = false - -# -# Determine whether Cobbler can modify -# public files used for public file -# transfer services. -# -cobbler_anon_write = false - -# -# Determine whether Cobbler can connect -# to the network using TCP. -# -cobbler_can_network_connect = false - -# -# Determine whether Cobbler can access -# cifs file systems. -# -cobbler_use_cifs = false - -# -# Determine whether Cobbler can access -# nfs file systems. -# -cobbler_use_nfs = false - -# -# Determine whether collectd can connect -# to the network using TCP. -# -collectd_tcp_network_connect = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_collectd_script_anon_write = false - -# -# Determine whether Condor can connect -# to the network using TCP. -# -condor_tcp_network_connect = false - -# -# Determine whether system cron jobs -# can relabel filesystem for -# restoring file contexts. -# -cron_can_relabel = false - -# -# Determine whether crond can execute jobs -# in the user domain as opposed to the -# the generic cronjob domain. -# -cron_userdomain_transition = false - -# -# Determine whether extra rules -# should be enabled to support fcron. 
-# -fcron_crond = false - -# -# Grant the cron domains read access to generic user content -# -cron_read_generic_user_content = true - -# -# Grant the cron domains read access to all user content -# -cron_read_all_user_content = false - -# -# Grant the cron domains manage rights on generic user content -# -cron_manage_generic_user_content = false - -# -# Grant the cron domains manage rights on all user content -# -cron_manage_all_user_content = false - -# -# Determine whether cvs can read shadow -# password files. -# -allow_cvs_read_shadow = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_cvs_script_anon_write = false - -# -# Determine whether DHCP daemon -# can use LDAP backends. -# -dhcpd_use_ldap = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_dspam_script_anon_write = false - -# -# Determine whether entropyd can use -# audio devices as the source for -# the entropy feeds. -# -entropyd_use_audio = false - -# -# Determine whether exim can connect to -# databases. -# -exim_can_connect_db = false - -# -# Determine whether exim can read generic -# user content files. -# -exim_read_user_files = false - -# -# Determine whether exim can create, -# read, write, and delete generic user -# content files. -# -exim_manage_user_files = false - -# -# Determine whether ftpd can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_ftpd_anon_write = false - -# -# Determine whether ftpd can login to -# local users and can read and write -# all files on the system, governed by DAC. -# -allow_ftpd_full_access = false - -# -# Determine whether ftpd can use CIFS -# used for public file transfer services. 
-# -allow_ftpd_use_cifs = false - -# -# Determine whether ftpd can use NFS -# used for public file transfer services. -# -allow_ftpd_use_nfs = false - -# -# Determine whether ftpd can connect to -# databases over the TCP network. -# -ftpd_connect_db = false - -# -# Determine whether ftpd can bind to all -# unreserved ports for passive mode. -# -ftpd_use_passive_mode = false - -# -# Determine whether ftpd can connect to -# all unreserved ports. -# -ftpd_connect_all_unreserved = false - -# -# Determine whether ftpd can read and write -# files in user home directories. -# -ftp_home_dir = false - -# -# Determine whether sftpd can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -sftpd_anon_write = false - -# -# Determine whether sftpd-can read and write -# files in user home directories. -# -sftpd_enable_homedirs = false - -# -# Determine whether sftpd-can login to -# local users and read and write all -# files on the system, governed by DAC. -# -sftpd_full_access = false - -# -# Determine whether sftpd can read and write -# files in user ssh home directories. -# -sftpd_write_ssh_home = false - -# -# Determine whether Git CGI -# can search home directories. -# -git_cgi_enable_homedirs = false - -# -# Determine whether Git CGI -# can access cifs file systems. -# -git_cgi_use_cifs = false - -# -# Determine whether Git CGI -# can access nfs file systems. -# -git_cgi_use_nfs = false - -# -# Determine whether Git session daemon -# can bind TCP sockets to all -# unreserved ports. -# -git_session_bind_all_unreserved_ports = false - -# -# Determine whether calling user domains -# can execute Git daemon in the -# git_session_t domain. -# -git_session_users = false - -# -# Determine whether Git session daemons -# can send syslog messages. -# -git_session_send_syslog_msg = false - -# -# Determine whether Git system daemon -# can search home directories. 
-# -git_system_enable_homedirs = false - -# -# Determine whether Git system daemon -# can access cifs file systems. -# -git_system_use_cifs = false - -# -# Determine whether Git system daemon -# can access nfs file systems. -# -git_system_use_nfs = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_git_script_anon_write = false - -# -# Grant the i18n_input domains read access to generic user content -# -i18n_input_read_generic_user_content = true - -# -# Determine whether icecast can listen -# on and connect to any TCP port. -# -icecast_use_any_tcp_ports = false - -# -# Determine whether kerberos is supported. -# -allow_kerberos = false - -# -# Determine whether to support lpd server. -# -use_lpd_server = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_mediawiki_script_anon_write = false - -# -# Determine whether minidlna can read generic user content. -# -minidlna_read_generic_user_content = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_mojomojo_script_anon_write = false - -# -# Allow monit to start/stop services -# -monit_startstop_services = false - -# -# Determine whether mpd can traverse -# user home directories. -# -mpd_enable_homedirs = false - -# -# Determine whether mpd can use -# cifs file systems. -# -mpd_use_cifs = false - -# -# Determine whether mpd can use -# nfs file systems. -# -mpd_use_nfs = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. 
-# -allow_httpd_munin_script_anon_write = false - -# -# Determine whether mysqld can -# connect to all TCP ports. -# -mysql_connect_any = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_nagios_script_anon_write = false - -# -# Determine whether confined applications -# can use nscd shared memory. -# -nscd_use_shm = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_nutups_cgi_script_anon_write = false - -# -# Determine whether openvpn can -# read generic user home content files. -# -openvpn_enable_homedirs = false - -# -# Determine whether openvpn can -# connect to the TCP network. -# -openvpn_can_network_connect = false - -# -# Determine whether Polipo system -# daemon can access CIFS file systems. -# -polipo_system_use_cifs = false - -# -# Determine whether Polipo system -# daemon can access NFS file systems. -# -polipo_system_use_nfs = false - -# -# Determine whether calling user domains -# can execute Polipo daemon in the -# polipo_session_t domain. -# -polipo_session_users = false - -# -# Determine whether Polipo session daemon -# can send syslog messages. -# -polipo_session_send_syslog_msg = false - -# -# Determine whether postfix local -# can manage mail spool content. 
-# -postfix_local_write_mail_spool = true - -# -# Grant the postfix domains read access to generic user content -# -postfix_read_generic_user_content = true - -# -# Grant the postfix domains read access to all user content -# -postfix_read_all_user_content = false - -# -# Grant the postfix domains manage rights on generic user content -# -postfix_manage_generic_user_content = false - -# -# Grant the postfix domains manage rights on all user content -# -postfix_manage_all_user_content = false - -# -# Allow unprived users to execute DDL statement -# -sepgsql_enable_users_ddl = false - -# -# Allow transmit client label to foreign database -# -sepgsql_transmit_client_label = false - -# -# Allow database admins to execute DML statement -# -sepgsql_unconfined_dbadm = false - -# -# Determine whether pppd can -# load kernel modules. -# -pppd_can_insmod = false - -# -# Determine whether common users can -# run pppd with a domain transition. -# -pppd_for_user = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_prewikka_script_anon_write = false - -# -# Determine whether privoxy can -# connect to all tcp ports. -# -privoxy_connect_any = false - -# -# Determine whether rgmanager can -# connect to the network using TCP. -# -rgmanager_can_network_connect = false - -# -# Determine whether fenced can -# connect to the TCP network. -# -fenced_can_network_connect = false - -# -# Determine whether fenced can use ssh. -# -fenced_can_ssh = false - -# -# Determine whether gssd can read -# generic user temporary content. -# -allow_gssd_read_tmp = false - -# -# Determine whether gssd can write -# generic user temporary content. -# -allow_gssd_write_tmp = false - -# -# Determine whether nfs can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. 
-# -allow_nfsd_anon_write = false - -# -# Determine whether rsync can use -# cifs file systems. -# -rsync_use_cifs = false - -# -# Determine whether rsync can -# use fuse file systems. -# -rsync_use_fusefs = false - -# -# Determine whether rsync can use -# nfs file systems. -# -rsync_use_nfs = false - -# -# Determine whether rsync can -# run as a client -# -rsync_client = false - -# -# Determine whether rsync can -# export all content read only. -# -rsync_export_all_ro = false - -# -# Determine whether rsync can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_rsync_anon_write = false - -# -# Determine whether smbd_t can -# read shadow files. -# -samba_read_shadow = false - -# -# Determine whether samba can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_smbd_anon_write = false - -# -# Determine whether samba can -# create home directories via pam. -# -samba_create_home_dirs = false - -# -# Determine whether samba can act as the -# domain controller, add users, groups -# and change passwords. -# -samba_domain_controller = false - -# -# Determine whether samba can -# act as a portmapper. -# -samba_portmapper = false - -# -# Determine whether samba can share -# users home directories. -# -samba_enable_home_dirs = false - -# -# Determine whether samba can share -# any content read only. -# -samba_export_all_ro = false - -# -# Determine whether samba can share any -# content readable and writable. -# -samba_export_all_rw = false - -# -# Determine whether samba can -# run unconfined scripts. -# -samba_run_unconfined = false - -# -# Determine whether samba can -# use nfs file systems. -# -samba_share_nfs = false - -# -# Determine whether samba can -# use fuse file systems. -# -samba_share_fusefs = false - -# -# Determine whether sanlock can use -# nfs file systems. 
-#
-sanlock_use_nfs = false
-
-#
-# Determine whether sanlock can use
-# cifs file systems.
-#
-sanlock_use_samba = false
-
-#
-# Determine whether sasl can
-# read shadow files.
-#
-allow_saslauthd_read_shadow = false
-
-#
-# Determine whether smartmon can support
-# devices on 3ware controllers.
-#
-smartmon_3ware = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_smokeping_cgi_script_anon_write = false
-
-#
-# Determine whether spamassassin
-# clients can use the network.
-#
-spamassassin_can_network = false
-
-#
-# Determine whether spamd can manage
-# generic user home content.
-#
-spamd_enable_home_dirs = false
-
-#
-# Determine whether squid can
-# connect to all TCP ports.
-#
-squid_connect_any = false
-
-#
-# Determine whether squid can run
-# as a transparent proxy.
-#
-squid_use_tproxy = false
-
-#
-# Determine whether squid can use the
-# pinger daemon (needs raw net access)
-#
-squid_use_pinger = true
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_squid_script_anon_write = false
-
-#
-# allow host key based authentication
-#
-allow_ssh_keysign = false
-
-#
-# Allow ssh logins as sysadm_r:sysadm_t
-#
-ssh_sysadm_login = false
-
-#
-# Allow ssh to use gpg-agent
-#
-ssh_use_gpg_agent = false
-
-#
-# Determine whether tftp can modify
-# public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-tftp_anon_write = false
-
-#
-# Determine whether tftp can manage
-# generic user home content.
-#
-tftp_enable_homedir = false
-
-#
-# Determine whether tor can bind
-# tcp sockets to all unreserved ports.
-#
-tor_bind_all_unreserved_ports = false
-
-#
-# Determine whether varnishd can
-# use the full TCP network.
-#
-varnishd_connect_any = false
-
-#
-# Determine whether confined virtual guests
-# can use serial/parallel communication ports.
-#
-virt_use_comm = false
-
-#
-# Determine whether confined virtual guests
-# can use executable memory and can make
-# their stack executable.
-#
-virt_use_execmem = false
-
-#
-# Determine whether confined virtual guests
-# can use fuse file systems.
-#
-virt_use_fusefs = false
-
-#
-# Determine whether confined virtual guests
-# can use nfs file systems.
-#
-virt_use_nfs = false
-
-#
-# Determine whether confined virtual guests
-# can use cifs file systems.
-#
-virt_use_samba = false
-
-#
-# Determine whether confined virtual guests
-# can manage device configuration.
-#
-virt_use_sysfs = false
-
-#
-# Determine whether confined virtual guests
-# can use usb devices.
-#
-virt_use_usb = false
-
-#
-# Determine whether confined virtual guests
-# can interact with xserver.
-#
-virt_use_xserver = false
-
-#
-# Determine whether confined virtual guests
-# can use vfio for pci device pass through (vt-d).
-#
-virt_use_vfio = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_w3c_validator_script_anon_write = false
-
-#
-# Allows clients to write to the X server shared
-# memory segments.
-#
-allow_write_xshm = false
-
-#
-# Allow xdm logins as sysadm
-#
-xdm_sysadm_login = false
-
-#
-# Use gnome-shell in gdm mode as the
-# X Display Manager (XDM)
-#
-xserver_gnome_xdm = false
-
-#
-# Support X userspace object manager
-#
-xserver_object_manager = false
-
-#
-# Determine whether zabbix can
-# connect to all TCP ports
-#
-zabbix_can_network = false
-
-#
-# Determine whether zebra daemon can
-# manage its configuration files.
-#
-allow_zebra_write_config = false
-
-#
-# Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
-#
-authlogin_nsswitch_use_ldap = false
-
-#
-# Enable support for upstart as the init program.
-#
-init_upstart = false
-
-#
-# Allow all daemons the ability to read/write terminals
-#
-init_daemons_use_tty = false
-
-#
-# Allow racoon to read shadow
-#
-racoon_read_shadow = false
-
-#
-# Allow the mount command to mount any directory or file.
-#
-allow_mount_anyfile = false
-
-#
-# Enable support for systemd-tmpfiles to manage all non-security files.
-#
-systemd_tmpfiles_manage_all = false
-
-#
-# Allow systemd-nspawn to create a labelled namespace with the same types
-# as parent environment
-#
-systemd_nspawn_labeled_namespace = false
-
-#
-# Allow users to connect to mysql
-#
-allow_user_mysql_connect = false
-
-#
-# Allow users to connect to PostgreSQL
-#
-allow_user_postgresql_connect = false
-
-#
-# Allow regular users direct mouse access
-#
-user_direct_mouse = false
-
-#
-# Allow users to read system messages.
-#
-user_dmesg = false
-
-#
-# Allow user to r/w files on filesystems
-# that do not have extended attributes (FAT, CDROM, FLOPPY)
-#
-user_rw_noexattrfile = false
-
-#
-# Allow user to execute files on filesystems
-# that do not have extended attributes (FAT, CDROM, FLOPPY)
-#
-user_exec_noexattrfile = false
-
-#
-# Allow user to write files on removable
-# devices (e.g. external USB memory
-# devices or floppies)
-#
-user_write_removable = false
-
-#
-# Allow w to display everyone
-#
-user_ttyfile_stat = false
-
-#
-# Determine whether xend can
-# run blktapctrl and tapdisk.
-#
-xend_run_blktap = false
-
-#
-# Determine whether xen can
-# use fusefs file systems.
-#
-xen_use_fusefs = false
-
-#
-# Determine whether xen can
-# use nfs file systems.
-#
-xen_use_nfs = false
-
-#
-# Determine whether xen can
-# use samba file systems.
-# -xen_use_samba = false - -# -# Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla -# -allow_execheap = false - -# -# Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") +# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. # allow_execmem = false -# -# Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t") +# Allow making a modified private filemapping executable (text relocation). # allow_execmod = false -# -# Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla") +# Allow making the stack executable via mprotect.Also requires allow_execmem. # -allow_execstack = false +allow_execstack = true -# -# Enable polyinstantiated directory support. +# Allow ftpd to read cifs directories. # -allow_polyinstantiation = false +allow_ftpd_use_cifs = false + +# Allow ftpd to read nfs directories. +# +allow_ftpd_use_nfs = false + +# Allow ftp servers to modify public filesused for public file transfer services. +# +allow_ftpd_anon_write = false + +# Allow gssd to read temp directory. +# +allow_gssd_read_tmp = true + +# Allow Apache to modify public filesused for public file transfer services. +# +allow_httpd_anon_write = false + +# Allow Apache to use mod_auth_pam module +# +allow_httpd_mod_auth_pam = false + +# Allow system to run with kerberos +# +allow_kerberos = true + +# Allow rsync to modify public filesused for public file transfer services. 
+# +allow_rsync_anon_write = false + +# Allow sasl to read shadow +# +allow_saslauthd_read_shadow = false + +# Allow samba to modify public filesused for public file transfer services. +# +allow_smbd_anon_write = false -# # Allow system to run with NIS # allow_ypbind = false -# -# Allow logging in and using the system from /dev/console. +# Allow zebra to write it own configuration files # -console_login = true +allow_zebra_write_config = false + +# Enable extra rules in the cron domainto support fcron. +# +fcron_crond = false # -# Enable reading of urandom for all domains. -# -# -# -# -# This should be enabled when all programs -# are compiled with ProPolice/SSP -# stack smashing protection. All domains will -# be allowed to read from /dev/urandom. -# -global_ssp = false +# allow httpd to connect to mysql/posgresql +httpd_can_network_connect_db = false # -# Allow email client to various content. -# nfs, samba, removable devices, and user temp -# files -# -mail_read_content = false +# allow httpd to send dbus messages to avahi +httpd_dbus_avahi = true # -# Allow any files/directories to be exported read/write via NFS. -# -nfs_export_all_rw = false +# allow httpd to network relay +httpd_can_network_relay = false -# -# Allow any files/directories to be exported read/only via NFS. +# Allow httpd to use built in scripting (usually php) # -nfs_export_all_ro = false +httpd_builtin_scripting = true + +# Allow http daemon to tcp connect +# +httpd_can_network_connect = false + +# Allow httpd cgi support +# +httpd_enable_cgi = true + +# Allow httpd to act as a FTP server bylistening on the ftp port. +# +httpd_enable_ftp_server = false + +# Allow httpd to read home directories +# +httpd_enable_homedirs = false + +# Run SSI execs in system CGI script domain. 
+# +httpd_ssi_exec = false + +# Allow http daemon to communicate with the TTY +# +httpd_tty_comm = false + +# Run CGI in the main httpd domain +# +httpd_unified = false + +# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. +# +named_write_master_zones = false + +# Allow nfs to be exported read/write. +# +nfs_export_all_rw = true + +# Allow nfs to be exported read only +# +nfs_export_all_ro = true + +# Allow pppd to load kernel modules for certain modems +# +pppd_can_insmod = false + +# Allow reading of default_t files. +# +read_default_t = false + +# Allow samba to export user home directories. +# +samba_enable_home_dirs = false + +# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. +# +squid_connect_any = false -# # Support NFS home directories # -use_nfs_home_dirs = false +use_nfs_home_dirs = true -# # Support SAMBA home directories # use_samba_home_dirs = false -# -# Allow users to run TCP servers (bind to ports and accept connection from -# the same domain and outside users) disabling this forces FTP passive mode -# and may change other protocols. +# Control users use of ping and traceroute +# +user_ping = false + +# allow host key based authentication +# +allow_ssh_keysign = false + +# Allow pppd to be run for a regular user +# +pppd_for_user = false + +# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted +# +read_untrusted_content = false + +# Allow spamd to write to users homedirs +# +spamd_enable_home_dirs = false + +# Allow regular users direct mouse access +# +user_direct_mouse = false + +# Allow users to read system messages. 
+# +user_dmesg = false + +# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) +# +user_rw_noexattrfile = false + +# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. # user_tcp_server = false -# -# Allow users to run UDP servers (bind to ports and accept connection from -# the same domain and outside users) +# Allow w to display everyone # -user_udp_server = false +user_ttyfile_stat = false +# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored. +# +write_untrusted_content = false + +# Allow all domains to talk to ttys +# +allow_daemons_use_tty = false + +# Allow login domains to polyinstatiate directories +# +allow_polyinstantiation = false + +# Allow all domains to dump core +# +allow_daemons_dump_core = true + +# Allow samba to act as the domain controller +# +samba_domain_controller = false + +# Allow samba to export user home directories. +# +samba_run_unconfined = false + +# Allows XServer to execute writable memory +# +allow_xserver_execmem = false + +# disallow guest accounts to execute files that they can create +# +allow_guest_exec_content = false +allow_xguest_exec_content = false + +# Only allow browser to use the web +# +browser_confine_xguest=false + +# Allow postfix locat to write to mail spool +# +allow_postfix_local_write_mail_spool=false + +# Allow common users to read/write noexattrfile systems +# +user_rw_noexattrfile=true + +# Allow qemu to connect fully to the network +# +qemu_full_network=true + +# Allow nsplugin execmem/execstack for bad plugins +# +allow_nsplugin_execmem=true + +# Allow unconfined domain to transition to confined domain +# +allow_unconfined_nsplugin_transition=true + +# System uses init upstart program +# +init_upstart = true + +# Allow mount to mount any file/dir +# +allow_mount_anyfile = true 
diff --git a/booleans-mls.conf b/booleans-mls.conf
index abba8cf..6b75dd8 100644
--- a/booleans-mls.conf
+++ b/booleans-mls.conf
@@ -1,1848 +1,6 @@
-#
-# Disable kernel module loading.
-#
-secure_mode_insmod = false
-
-#
-# Boolean to determine whether the system permits loading policy, setting
-# enforcing mode, and changing boolean values. Set this to true and you
-# have to reboot to set it back.
-#
-secure_mode_policyload = false
-
-#
-# Enabling secure mode disallows programs, such as
-# newrole, from transitioning to administrative
-# user domains.
-#
-secure_mode = false
-
-#
-# Grant the firstboot domains read access to generic user content
-#
-firstboot_read_generic_user_content = true
-
-#
-# Grant the firstboot domains read access to all user content
-#
-firstboot_read_all_user_content = false
-
-#
-# Grant the firstboot domains manage rights on generic user content
-#
-firstboot_manage_generic_user_content = false
-
-#
-# Grant the firstboot domains manage rights on all user content
-#
-firstboot_manage_all_user_content = false
-
-#
-# Determine whether logwatch can connect
-# to mail over the network.
-#
-logwatch_can_network_connect_mail = false
-
-#
-# Determine whether mcelog supports
-# client mode.
-#
-mcelog_client = false
-
-#
-# Determine whether mcelog can execute scripts.
-#
-mcelog_exec_scripts = true
-
-#
-# Determine whether mcelog can use all
-# the user ttys.
-#
-mcelog_foreground = false
-
-#
-# Determine whether mcelog supports
-# server mode.
-#
-mcelog_server = false
-
-#
-# Determine whether mcelog can use syslog.
-#
-mcelog_syslog = false
-
-#
-# Control users use of ping and traceroute
-#
-user_ping = false
-
-#
-# Determine whether portage can
-# use nfs filesystems.
-#
-portage_use_nfs = false
-
-#
-# Determine whether puppet can
-# manage all non-security files.
-#
-puppet_manage_all_files = false
-
-#
-# Determine whether rkhunter can connect
-# to http ports. This is required by the
-# --update option.
-#
-rkhunter_connect_http = false
-
-#
-# Determine whether attempts by
-# vbetool to mmap low regions should
-# be silently blocked.
-#
-vbetool_mmap_zero_ignore = false
-
-#
-# Determine whether awstats can
-# purge httpd log files.
-#
-awstats_purge_apache_log_files = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_awstats_script_anon_write = false
-
-#
-# Determine whether cdrecord can read
-# various content. nfs, samba, removable
-# devices, user temp and untrusted
-# content files
-#
-cdrecord_read_content = false
-
-#
-# Allow evolution to create and write
-# user certificates in addition to
-# being able to read them
-#
-evolution_manage_user_certs = false
-
-#
-# Grant the evolution domains read access to generic user content
-#
-evolution_read_generic_user_content = true
-
-#
-# Grant the evolution domains read access to all user content
-#
-evolution_read_all_user_content = false
-
-#
-# Grant the evolution domains manage rights on generic user content
-#
-evolution_manage_generic_user_content = false
-
-#
-# Grant the evolution domains manage rights on all user content
-#
-evolution_manage_all_user_content = false
-
-#
-# Determine whether Gitosis can send mail.
-#
-gitosis_can_sendmail = false
-
-#
-# Determine whether GPG agent can manage
-# generic user home content files. This is
-# required by the --write-env-file option.
-#
-gpg_agent_env_file = false
-
-#
-# Determine whether GPG agent can use OpenPGP
-# cards or Yubikeys over USB
-#
-gpg_agent_use_card = false
-
-#
-# Grant the gpg domains read access to generic user content
-#
-gpg_read_generic_user_content = true
-
-#
-# Grant the gpg domains read access to all user content
-#
-gpg_read_all_user_content = false
-
-#
-# Grant the gpg domains manage rights on generic user content
-#
-gpg_manage_generic_user_content = false
-
-#
-# Grant the gpg domains manage rights on all user content
-#
-gpg_manage_all_user_content = false
-
-#
-# Determine whether irc clients can
-# listen on and connect to any
-# unreserved TCP ports.
-#
-irc_use_any_tcp_ports = false
-
-#
-# Grant the irc domains read access to generic user content
-#
-irc_read_generic_user_content = true
-
-#
-# Grant the irc domains read access to all user content
-#
-irc_read_all_user_content = false
-
-#
-# Grant the irc domains manage rights on generic user content
-#
-irc_manage_generic_user_content = false
-
-#
-# Grant the irc domains manage rights on all user content
-#
-irc_manage_all_user_content = false
-
-#
-# Determine whether java can make
-# its stack executable.
-#
-allow_java_execstack = false
-
-#
-# Grant the java domains read access to generic user content
-#
-java_read_generic_user_content = true
-
-#
-# Grant the java domains read access to all user content
-#
-java_read_all_user_content = false
-
-#
-# Grant the java domains manage rights on generic user content
-#
-java_manage_generic_user_content = false
-
-#
-# Grant the java domains manage rights on all user content
-#
-java_manage_all_user_content = false
-
-#
-# Determine whether libmtp can read
-# and manage the user home directories
-# and files.
-#
-libmtp_enable_home_dirs = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_lightsquid_script_anon_write = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_man2html_script_anon_write = false
-
-#
-# Determine whether mozilla can
-# make its stack executable.
-#
-mozilla_execstack = false
-
-#
-# Grant the mozilla domains read access to generic user content
-#
-mozilla_read_generic_user_content = true
-
-#
-# Grant the mozilla domains read access to all user content
-#
-mozilla_read_all_user_content = false
-
-#
-# Grant the mozilla domains manage rights on generic user content
-#
-mozilla_manage_generic_user_content = false
-
-#
-# Grant the mozilla domains manage rights on all user content
-#
-mozilla_manage_all_user_content = false
-
-#
-# Determine whether mplayer can make
-# its stack executable.
-#
-allow_mplayer_execstack = false
-
-#
-# Grant the mplayer_mencoder domains read access to generic user content
-#
-mplayer_mencoder_read_generic_user_content = true
-
-#
-# Grant the mplayer_mencoder domains read access to all user content
-#
-mplayer_mencoder_read_all_user_content = false
-
-#
-# Grant the mplayer_mencoder domains manage rights on generic user content
-#
-mplayer_mencoder_manage_generic_user_content = false
-
-#
-# Grant the mplayer_mencoder domains manage rights on all user content
-#
-mplayer_mencoder_manage_all_user_content = false
-
-#
-# Grant the mplayer domains read access to generic user content
-#
-mplayer_read_generic_user_content = true
-
-#
-# Grant the mplayer domains read access to all user content
-#
-mplayer_read_all_user_content = false
-
-#
-# Grant the mplayer domains manage rights on generic user content
-#
-mplayer_manage_generic_user_content = false
-
-#
-# Grant the mplayer domains manage rights on all user content
-#
-mplayer_manage_all_user_content = false
-
-#
-# Determine whether openoffice can
-# download software updates from the
-# network (application and/or
-# extensions).
-#
-openoffice_allow_update = true
-
-#
-# Determine whether openoffice writer
-# can send emails directly (print to
-# email). This is different from the
-# functionality of sending emails
-# through external clients which is
-# always enabled.
-#
-openoffice_allow_email = false
-
-#
-# Grant the openoffice domains read access to generic user content
-#
-openoffice_read_generic_user_content = true
-
-#
-# Grant the openoffice domains read access to all user content
-#
-openoffice_read_all_user_content = false
-
-#
-# Grant the openoffice domains manage rights on generic user content
-#
-openoffice_manage_generic_user_content = false
-
-#
-# Grant the openoffice domains manage rights on all user content
-#
-openoffice_manage_all_user_content = false
-
-#
-# Allow pulseaudio to execute code in
-# writable memory
-#
-pulseaudio_execmem = false
-
-#
-# Determine whether qemu has full
-# access to the network.
-#
-qemu_full_network = false
-
-#
-# Grant the syncthing domains read access to generic user content
-#
-syncthing_read_generic_user_content = true
-
-#
-# Grant the syncthing domains read access to all user content
-#
-syncthing_read_all_user_content = false
-
-#
-# Grant the syncthing domains manage rights on generic user content
-#
-syncthing_manage_generic_user_content = false
-
-#
-# Grant the syncthing domains manage rights on all user content
-#
-syncthing_manage_all_user_content = false
-
-#
-# Determine whether telepathy connection
-# managers can connect to generic tcp ports.
-#
-telepathy_tcp_connect_generic_network_ports = false
-
-#
-# Determine whether telepathy connection
-# managers can connect to any port.
-#
-telepathy_connect_all_ports = false
-
-#
-# Grant the thunderbird domains read access to generic user content
-#
-thunderbird_read_generic_user_content = true
-
-#
-# Grant the thunderbird domains read access to all user content
-#
-thunderbird_read_all_user_content = false
-
-#
-# Grant the thunderbird domains manage rights on generic user content
-#
-thunderbird_manage_generic_user_content = false
-
-#
-# Grant the thunderbird domains manage rights on all user content
-#
-thunderbird_manage_all_user_content = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_webalizer_script_anon_write = false
-
-#
-# Determine whether attempts by
-# wine to mmap low regions should
-# be silently blocked.
-#
-wine_mmap_zero_ignore = false
-
-#
-# Grant the wireshark domains read access to generic user content
-#
-wireshark_read_generic_user_content = true
-
-#
-# Grant the wireshark domains read access to all user content
-#
-wireshark_read_all_user_content = false
-
-#
-# Grant the wireshark domains manage rights on generic user content
-#
-wireshark_manage_generic_user_content = false
-
-#
-# Grant the wireshark domains manage rights on all user content
-#
-wireshark_manage_all_user_content = false
-
-#
-# Grant the xscreensaver domains read access to generic user content
-#
-xscreensaver_read_generic_user_content = true
-
-#
-# Control the ability to mmap a low area of the address space,
-# as configured by /proc/sys/kernel/mmap_min_addr.
-#
-mmap_low_allowed = false
-
-#
-# Determine whether dbadm can manage
-# generic user files.
-#
-dbadm_manage_user_files = false
-
-#
-# Determine whether dbadm can read
-# generic user files.
-#
-dbadm_read_user_files = false
-
-#
-# Allow sysadm to debug or ptrace all processes.
-#
-allow_ptrace = false
-
-#
-# Determine whether webadm can
-# manage generic user files.
-#
-webadm_manage_user_files = false
-
-#
-# Determine whether webadm can
-# read generic user files.
-#
-webadm_read_user_files = false
-
-#
-# Determine whether xguest can
-# mount removable media.
-#
-xguest_mount_media = false
-
-#
-# Determine whether xguest can
-# configure network manager.
-#
-xguest_connect_network = false
-
-#
-# Determine whether xguest can
-# use blue tooth devices.
-#
-xguest_use_bluetooth = false
-
-#
-# Determine whether ABRT can modify
-# public files used for public file
-# transfer services.
-#
-abrt_anon_write = false
-
-#
-# Determine whether abrt-handle-upload
-# can modify public files used for public file
-# transfer services in /var/spool/abrt-upload/.
-#
-abrt_upload_watch_anon_write = true
-
-#
-# Determine whether ABRT can run in
-# the abrt_handle_event_t domain to
-# handle ABRT event scripts.
-#
-abrt_handle_event = false
-
-#
-# Determine whether amavis can
-# use JIT compiler.
-#
-amavis_use_jit = false
-
-#
-# Determine whether httpd can modify
-# public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_anon_write = false
-
-#
-# Determine whether httpd can use mod_auth_pam.
-#
-allow_httpd_mod_auth_pam = false
-
-#
-# Determine whether httpd can use built in scripting.
-#
-httpd_builtin_scripting = false
-
-#
-# Determine whether httpd can check spam.
-#
-httpd_can_check_spam = false
-
-#
-# Determine whether httpd scripts and modules
-# can connect to the network using TCP.
-#
-httpd_can_network_connect = false
-
-#
-# Determine whether httpd scripts and modules
-# can connect to cobbler over the network.
-#
-httpd_can_network_connect_cobbler = false
-
-#
-# Determine whether scripts and modules can
-# connect to databases over the network.
-#
-httpd_can_network_connect_db = false
-
-#
-# Determine whether httpd can connect to
-# ldap over the network.
-#
-httpd_can_network_connect_ldap = false
-
-#
-# Determine whether httpd can connect
-# to memcache server over the network.
-#
-httpd_can_network_connect_memcache = false
-
-#
-# Determine whether httpd can act as a relay.
-#
-httpd_can_network_relay = false
-
-#
-# Determine whether httpd daemon can
-# connect to zabbix over the network.
-#
-httpd_can_network_connect_zabbix = false
-
-#
-# Determine whether httpd can send mail.
-#
-httpd_can_sendmail = false
-
-#
-# Determine whether httpd can communicate
-# with avahi service via dbus.
-#
-httpd_dbus_avahi = false
-
-#
-# Determine wether httpd can use support.
-#
-httpd_enable_cgi = false
-
-#
-# Determine whether httpd can act as a
-# FTP server by listening on the ftp port.
-#
-httpd_enable_ftp_server = false
-
-#
-# Determine whether httpd can traverse
-# user home directories.
-#
-httpd_enable_homedirs = false
-
-#
-# Determine whether httpd gpg can modify
-# public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-httpd_gpg_anon_write = false
-
-#
-# Determine whether httpd can execute
-# its temporary content.
-#
-httpd_tmp_exec = false
-
-#
-# Determine whether httpd scripts and
-# modules can use execmem and execstack.
-#
-httpd_execmem = false
-
-#
-# Determine whether httpd can connect
-# to port 80 for graceful shutdown.
-#
-httpd_graceful_shutdown = false
-
-#
-# Determine whether httpd can
-# manage IPA content files.
-#
-httpd_manage_ipa = false
-
-#
-# Determine whether httpd can use mod_auth_ntlm_winbind.
-#
-httpd_mod_auth_ntlm_winbind = false
-
-#
-# Determine whether httpd can read
-# generic user home content files.
-#
-httpd_read_user_content = false
-
-#
-# Determine whether httpd can change
-# its resource limits.
-#
-httpd_setrlimit = false
-
-#
-# Determine whether httpd can run
-# SSI executables in the same domain
-# as system CGI scripts.
-#
-httpd_ssi_exec = false
-
-#
-# Determine whether httpd can communicate
-# with the terminal. Needed for entering the
-# passphrase for certificates at the terminal.
-#
-httpd_tty_comm = false
-
-#
-# Determine whether httpd can have full access
-# to its content types.
-#
-httpd_unified = false
-
-#
-# Determine whether httpd can use
-# cifs file systems.
-#
-httpd_use_cifs = false
-
-#
-# Determine whether httpd can
-# use fuse file systems.
-#
-httpd_use_fusefs = false
-
-#
-# Determine whether httpd can use gpg.
-#
-httpd_use_gpg = false
-
-#
-# Determine whether httpd can use
-# nfs file systems.
-#
-httpd_use_nfs = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_sys_script_anon_write = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_user_script_anon_write = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_unconfined_script_anon_write = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_apcupsd_cgi_script_anon_write = false
-
-#
-# Determine whether Bind can bind tcp socket to http ports.
-#
-named_tcp_bind_http_port = false
-
-#
-# Determine whether Bind can write to master zone files.
-# Generally this is used for dynamic DNS or zone transfers.
-#
-named_write_master_zones = false
-
-#
-# Determine whether boinc can execmem/execstack.
-#
-boinc_execmem = true
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_bugzilla_script_anon_write = false
-
-#
-# Determine whether clamscan can
-# read user content files.
-#
-clamav_read_user_content_files_clamscan = false
-
-#
-# Determine whether clamscan can read
-# all non-security files.
-#
-clamav_read_all_non_security_files_clamscan = false
-
-#
-# Determine whether can clamd use JIT compiler.
-#
-clamd_use_jit = false
-
-#
-# Determine whether Cobbler can modify
-# public files used for public file
-# transfer services.
-#
-cobbler_anon_write = false
-
-#
-# Determine whether Cobbler can connect
-# to the network using TCP.
-#
-cobbler_can_network_connect = false
-
-#
-# Determine whether Cobbler can access
-# cifs file systems.
-#
-cobbler_use_cifs = false
-
-#
-# Determine whether Cobbler can access
-# nfs file systems.
-#
-cobbler_use_nfs = false
-
-#
-# Determine whether collectd can connect
-# to the network using TCP.
-#
-collectd_tcp_network_connect = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_collectd_script_anon_write = false
-
-#
-# Determine whether Condor can connect
-# to the network using TCP.
-#
-condor_tcp_network_connect = false
-
-#
-# Determine whether system cron jobs
-# can relabel filesystem for
-# restoring file contexts.
-#
-cron_can_relabel = false
-
-#
-# Determine whether crond can execute jobs
-# in the user domain as opposed to the
-# the generic cronjob domain.
-#
-cron_userdomain_transition = false
-
-#
-# Determine whether extra rules
-# should be enabled to support fcron.
-#
-fcron_crond = false
-
-#
-# Grant the cron domains read access to generic user content
-#
-cron_read_generic_user_content = true
-
-#
-# Grant the cron domains read access to all user content
-#
-cron_read_all_user_content = false
-
-#
-# Grant the cron domains manage rights on generic user content
-#
-cron_manage_generic_user_content = false
-
-#
-# Grant the cron domains manage rights on all user content
-#
-cron_manage_all_user_content = false
-
-#
-# Determine whether cvs can read shadow
-# password files.
-#
-allow_cvs_read_shadow = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_cvs_script_anon_write = false
-
-#
-# Determine whether DHCP daemon
-# can use LDAP backends.
-#
-dhcpd_use_ldap = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_dspam_script_anon_write = false
-
-#
-# Determine whether entropyd can use
-# audio devices as the source for
-# the entropy feeds.
-#
-entropyd_use_audio = false
-
-#
-# Determine whether exim can connect to
-# databases.
-#
-exim_can_connect_db = false
-
-#
-# Determine whether exim can read generic
-# user content files.
-#
-exim_read_user_files = false
-
-#
-# Determine whether exim can create,
-# read, write, and delete generic user
-# content files.
-#
-exim_manage_user_files = false
-
-#
-# Determine whether ftpd can modify
-# public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_ftpd_anon_write = false
-
-#
-# Determine whether ftpd can login to
-# local users and can read and write
-# all files on the system, governed by DAC.
-#
-allow_ftpd_full_access = false
-
-#
-# Determine whether ftpd can use CIFS
-# used for public file transfer services.
-#
-allow_ftpd_use_cifs = false
-
-#
-# Determine whether ftpd can use NFS
-# used for public file transfer services.
-#
-allow_ftpd_use_nfs = false
-
-#
-# Determine whether ftpd can connect to
-# databases over the TCP network.
-#
-ftpd_connect_db = false
-
-#
-# Determine whether ftpd can bind to all
-# unreserved ports for passive mode.
-#
-ftpd_use_passive_mode = false
-
-#
-# Determine whether ftpd can connect to
-# all unreserved ports.
-#
-ftpd_connect_all_unreserved = false
-
-#
-# Determine whether ftpd can read and write
-# files in user home directories.
-#
-ftp_home_dir = false
-
-#
-# Determine whether sftpd can modify
-# public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-sftpd_anon_write = false
-
-#
-# Determine whether sftpd-can read and write
-# files in user home directories.
-#
-sftpd_enable_homedirs = false
-
-#
-# Determine whether sftpd-can login to
-# local users and read and write all
-# files on the system, governed by DAC.
-#
-sftpd_full_access = false
-
-#
-# Determine whether sftpd can read and write
-# files in user ssh home directories.
-#
-sftpd_write_ssh_home = false
-
-#
-# Determine whether Git CGI
-# can search home directories.
-#
-git_cgi_enable_homedirs = false
-
-#
-# Determine whether Git CGI
-# can access cifs file systems.
-#
-git_cgi_use_cifs = false
-
-#
-# Determine whether Git CGI
-# can access nfs file systems.
-#
-git_cgi_use_nfs = false
-
-#
-# Determine whether Git session daemon
-# can bind TCP sockets to all
-# unreserved ports.
-#
-git_session_bind_all_unreserved_ports = false
-
-#
-# Determine whether calling user domains
-# can execute Git daemon in the
-# git_session_t domain.
-#
-git_session_users = false
-
-#
-# Determine whether Git session daemons
-# can send syslog messages.
-#
-git_session_send_syslog_msg = false
-
-#
-# Determine whether Git system daemon
-# can search home directories.
-#
-git_system_enable_homedirs = false
-
-#
-# Determine whether Git system daemon
-# can access cifs file systems.
-#
-git_system_use_cifs = false
-
-#
-# Determine whether Git system daemon
-# can access nfs file systems.
-#
-git_system_use_nfs = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_git_script_anon_write = false
-
-#
-# Grant the i18n_input domains read access to generic user content
-#
-i18n_input_read_generic_user_content = true
-
-#
-# Determine whether icecast can listen
-# on and connect to any TCP port.
-#
-icecast_use_any_tcp_ports = false
-
-#
-# Determine whether kerberos is supported.
-#
-allow_kerberos = false
-
-#
-# Determine whether to support lpd server.
-#
-use_lpd_server = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_mediawiki_script_anon_write = false
-
-#
-# Determine whether minidlna can read generic user content.
-#
-minidlna_read_generic_user_content = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_mojomojo_script_anon_write = false
-
-#
-# Allow monit to start/stop services
-#
-monit_startstop_services = false
-
-#
-# Determine whether mpd can traverse
-# user home directories.
-#
-mpd_enable_homedirs = false
-
-#
-# Determine whether mpd can use
-# cifs file systems.
-#
-mpd_use_cifs = false
-
-#
-# Determine whether mpd can use
-# nfs file systems.
-#
-mpd_use_nfs = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_munin_script_anon_write = false
-
-#
-# Determine whether mysqld can
-# connect to all TCP ports.
-#
-mysql_connect_any = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_nagios_script_anon_write = false
-
-#
-# Determine whether confined applications
-# can use nscd shared memory.
-#
-nscd_use_shm = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_nutups_cgi_script_anon_write = false
-
-#
-# Determine whether openvpn can
-# read generic user home content files.
-#
-openvpn_enable_homedirs = false
-
-#
-# Determine whether openvpn can
-# connect to the TCP network.
-#
-openvpn_can_network_connect = false
-
-#
-# Determine whether Polipo system
-# daemon can access CIFS file systems.
-#
-polipo_system_use_cifs = false
-
-#
-# Determine whether Polipo system
-# daemon can access NFS file systems.
-#
-polipo_system_use_nfs = false
-
-#
-# Determine whether calling user domains
-# can execute Polipo daemon in the
-# polipo_session_t domain.
-#
-polipo_session_users = false
-
-#
-# Determine whether Polipo session daemon
-# can send syslog messages.
-#
-polipo_session_send_syslog_msg = false
-
-#
-# Determine whether postfix local
-# can manage mail spool content.
-#
-postfix_local_write_mail_spool = true
-
-#
-# Grant the postfix domains read access to generic user content
-#
-postfix_read_generic_user_content = true
-
-#
-# Grant the postfix domains read access to all user content
-#
-postfix_read_all_user_content = false
-
-#
-# Grant the postfix domains manage rights on generic user content
-#
-postfix_manage_generic_user_content = false
-
-#
-# Grant the postfix domains manage rights on all user content
-#
-postfix_manage_all_user_content = false
-
-#
-# Allow unprived users to execute DDL statement
-#
-sepgsql_enable_users_ddl = false
-
-#
-# Allow transmit client label to foreign database
-#
-sepgsql_transmit_client_label = false
-
-#
-# Allow database admins to execute DML statement
-#
-sepgsql_unconfined_dbadm = false
-
-#
-# Determine whether pppd can
-# load kernel modules.
-#
-pppd_can_insmod = false
-
-#
-# Determine whether common users can
-# run pppd with a domain transition.
-#
-pppd_for_user = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_prewikka_script_anon_write = false
-
-#
-# Determine whether privoxy can
-# connect to all tcp ports.
-#
-privoxy_connect_any = false
-
-#
-# Determine whether rgmanager can
-# connect to the network using TCP.
-#
-rgmanager_can_network_connect = false
-
-#
-# Determine whether fenced can
-# connect to the TCP network.
-#
-fenced_can_network_connect = false
-
-#
-# Determine whether fenced can use ssh.
-#
-fenced_can_ssh = false
-
-#
-# Determine whether gssd can read
-# generic user temporary content.
-#
-allow_gssd_read_tmp = false
-
-#
-# Determine whether gssd can write
-# generic user temporary content.
-#
-allow_gssd_write_tmp = false
-
-#
-# Determine whether nfs can modify
-# public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-# -allow_nfsd_anon_write = false - -# -# Determine whether rsync can use -# cifs file systems. -# -rsync_use_cifs = false - -# -# Determine whether rsync can -# use fuse file systems. -# -rsync_use_fusefs = false - -# -# Determine whether rsync can use -# nfs file systems. -# -rsync_use_nfs = false - -# -# Determine whether rsync can -# run as a client -# -rsync_client = false - -# -# Determine whether rsync can -# export all content read only. -# -rsync_export_all_ro = false - -# -# Determine whether rsync can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_rsync_anon_write = false - -# -# Determine whether smbd_t can -# read shadow files. -# -samba_read_shadow = false - -# -# Determine whether samba can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_smbd_anon_write = false - -# -# Determine whether samba can -# create home directories via pam. -# -samba_create_home_dirs = false - -# -# Determine whether samba can act as the -# domain controller, add users, groups -# and change passwords. -# -samba_domain_controller = false - -# -# Determine whether samba can -# act as a portmapper. -# -samba_portmapper = false - -# -# Determine whether samba can share -# users home directories. -# -samba_enable_home_dirs = false - -# -# Determine whether samba can share -# any content read only. -# -samba_export_all_ro = false - -# -# Determine whether samba can share any -# content readable and writable. -# -samba_export_all_rw = false - -# -# Determine whether samba can -# run unconfined scripts. -# -samba_run_unconfined = false - -# -# Determine whether samba can -# use nfs file systems. -# -samba_share_nfs = false - -# -# Determine whether samba can -# use fuse file systems. -# -samba_share_fusefs = false - -# -# Determine whether sanlock can use -# nfs file systems. 
-# -sanlock_use_nfs = false - -# -# Determine whether sanlock can use -# cifs file systems. -# -sanlock_use_samba = false - -# -# Determine whether sasl can -# read shadow files. -# -allow_saslauthd_read_shadow = false - -# -# Determine whether smartmon can support -# devices on 3ware controllers. -# -smartmon_3ware = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_smokeping_cgi_script_anon_write = false - -# -# Determine whether spamassassin -# clients can use the network. -# -spamassassin_can_network = false - -# -# Determine whether spamd can manage -# generic user home content. -# -spamd_enable_home_dirs = false - -# -# Determine whether squid can -# connect to all TCP ports. -# -squid_connect_any = false - -# -# Determine whether squid can run -# as a transparent proxy. -# -squid_use_tproxy = false - -# -# Determine whether squid can use the -# pinger daemon (needs raw net access) -# -squid_use_pinger = true - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_squid_script_anon_write = false - -# -# allow host key based authentication -# -allow_ssh_keysign = false - -# -# Allow ssh logins as sysadm_r:sysadm_t -# -ssh_sysadm_login = false - -# -# Allow ssh to use gpg-agent -# -ssh_use_gpg_agent = false - -# -# Determine whether tftp can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -tftp_anon_write = false - -# -# Determine whether tftp can manage -# generic user home content. -# -tftp_enable_homedir = false - -# -# Determine whether tor can bind -# tcp sockets to all unreserved ports. -# -tor_bind_all_unreserved_ports = false - -# -# Determine whether varnishd can -# use the full TCP network. 
-# -varnishd_connect_any = false - -# -# Determine whether confined virtual guests -# can use serial/parallel communication ports. -# -virt_use_comm = false - -# -# Determine whether confined virtual guests -# can use executable memory and can make -# their stack executable. -# -virt_use_execmem = false - -# -# Determine whether confined virtual guests -# can use fuse file systems. -# -virt_use_fusefs = false - -# -# Determine whether confined virtual guests -# can use nfs file systems. -# -virt_use_nfs = false - -# -# Determine whether confined virtual guests -# can use cifs file systems. -# -virt_use_samba = false - -# -# Determine whether confined virtual guests -# can manage device configuration. -# -virt_use_sysfs = false - -# -# Determine whether confined virtual guests -# can use usb devices. -# -virt_use_usb = false - -# -# Determine whether confined virtual guests -# can interact with xserver. -# -virt_use_xserver = false - -# -# Determine whether confined virtual guests -# can use vfio for pci device pass through (vt-d). -# -virt_use_vfio = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_w3c_validator_script_anon_write = false - -# -# Allows clients to write to the X server shared -# memory segments. -# -allow_write_xshm = false - -# -# Allow xdm logins as sysadm -# -xdm_sysadm_login = false - -# -# Use gnome-shell in gdm mode as the -# X Display Manager (XDM) -# -xserver_gnome_xdm = false - -# -# Support X userspace object manager -# -xserver_object_manager = false - -# -# Determine whether zabbix can -# connect to all TCP ports -# -zabbix_can_network = false - -# -# Determine whether zebra daemon can -# manage its configuration files. 
-# -allow_zebra_write_config = false - -# -# Allow users to resolve user passwd entries directly from ldap rather then using a sssd server -# -authlogin_nsswitch_use_ldap = false - -# -# Enable support for upstart as the init program. -# -init_upstart = false - -# -# Allow all daemons the ability to read/write terminals -# -init_daemons_use_tty = false - -# -# Allow racoon to read shadow -# -racoon_read_shadow = false - -# -# Allow the mount command to mount any directory or file. -# -allow_mount_anyfile = false - -# -# Enable support for systemd-tmpfiles to manage all non-security files. -# -systemd_tmpfiles_manage_all = false - -# -# Allow systemd-nspawn to create a labelled namespace with the same types -# as parent environment -# -systemd_nspawn_labeled_namespace = false - -# -# Allow users to connect to mysql -# -allow_user_mysql_connect = false - -# -# Allow users to connect to PostgreSQL -# -allow_user_postgresql_connect = false - -# -# Allow regular users direct mouse access -# -user_direct_mouse = false - -# -# Allow users to read system messages. -# -user_dmesg = false - -# -# Allow user to r/w files on filesystems -# that do not have extended attributes (FAT, CDROM, FLOPPY) -# -user_rw_noexattrfile = false - -# -# Allow user to execute files on filesystems -# that do not have extended attributes (FAT, CDROM, FLOPPY) -# -user_exec_noexattrfile = false - -# -# Allow user to write files on removable -# devices (e.g. external USB memory -# devices or floppies) -# -user_write_removable = false - -# -# Allow w to display everyone -# -user_ttyfile_stat = false - -# -# Determine whether xend can -# run blktapctrl and tapdisk. -# -xend_run_blktap = false - -# -# Determine whether xen can -# use fusefs file systems. -# -xen_use_fusefs = false - -# -# Determine whether xen can -# use nfs file systems. -# -xen_use_nfs = false - -# -# Determine whether xen can -# use samba file systems. 
-# -xen_use_samba = false - -# -# Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla -# -allow_execheap = false - -# -# Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") -# -allow_execmem = false - -# -# Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t") -# -allow_execmod = false - -# -# Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla") -# -allow_execstack = false - -# -# Enable polyinstantiated directory support. -# -allow_polyinstantiation = false - -# -# Allow system to run with NIS -# -allow_ypbind = false - -# -# Allow logging in and using the system from /dev/console. -# -console_login = true - -# -# Enable reading of urandom for all domains. -# -# -# -# -# This should be enabled when all programs -# are compiled with ProPolice/SSP -# stack smashing protection. All domains will -# be allowed to read from /dev/urandom. -# -global_ssp = false - -# -# Allow email client to various content. -# nfs, samba, removable devices, and user temp -# files -# -mail_read_content = false - -# -# Allow any files/directories to be exported read/write via NFS. -# -nfs_export_all_rw = false - -# -# Allow any files/directories to be exported read/only via NFS. 
-#
-nfs_export_all_ro = false
-
-#
-# Support NFS home directories
-#
-use_nfs_home_dirs = false
-
-#
-# Support SAMBA home directories
-#
-use_samba_home_dirs = false
-
-#
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users) disabling this forces FTP passive mode
-# and may change other protocols.
-#
-user_tcp_server = false
-
-#
-# Allow users to run UDP servers (bind to ports and accept connection from
-# the same domain and outside users)
-#
-user_udp_server = false
-
+kerberos_enabled = true
+mount_anyfile = true
+polyinstantiation_enabled = true
+ftpd_is_daemon = true
+selinuxuser_ping = true
+xserver_object_manager = true
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index abba8cf..d943d04 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -1,1848 +1,24 @@
-#
-# Disable kernel module loading.
-#
-secure_mode_insmod = false
-
-#
-# Boolean to determine whether the system permits loading policy, setting
-# enforcing mode, and changing boolean values. Set this to true and you
-# have to reboot to set it back.
-#
-secure_mode_policyload = false
-
-#
-# Enabling secure mode disallows programs, such as
-# newrole, from transitioning to administrative
-# user domains.
-#
-secure_mode = false
-
-#
-# Grant the firstboot domains read access to generic user content
-#
-firstboot_read_generic_user_content = true
-
-#
-# Grant the firstboot domains read access to all user content
-#
-firstboot_read_all_user_content = false
-
-#
-# Grant the firstboot domains manage rights on generic user content
-#
-firstboot_manage_generic_user_content = false
-
-#
-# Grant the firstboot domains manage rights on all user content
-#
-firstboot_manage_all_user_content = false
-
-#
-# Determine whether logwatch can connect
-# to mail over the network.
-#
-logwatch_can_network_connect_mail = false
-
-#
-# Determine whether mcelog supports
-# client mode.
-#
-mcelog_client = false
-
-#
-# Determine whether mcelog can execute scripts.
-#
-mcelog_exec_scripts = true
-
-#
-# Determine whether mcelog can use all
-# the user ttys.
-#
-mcelog_foreground = false
-
-#
-# Determine whether mcelog supports
-# server mode.
-#
-mcelog_server = false
-
-#
-# Determine whether mcelog can use syslog.
-#
-mcelog_syslog = false
-
-#
-# Control users use of ping and traceroute
-#
-user_ping = false
-
-#
-# Determine whether portage can
-# use nfs filesystems.
-#
-portage_use_nfs = false
-
-#
-# Determine whether puppet can
-# manage all non-security files.
-#
-puppet_manage_all_files = false
-
-#
-# Determine whether rkhunter can connect
-# to http ports. This is required by the
-# --update option.
-#
-rkhunter_connect_http = false
-
-#
-# Determine whether attempts by
-# vbetool to mmap low regions should
-# be silently blocked.
-# -vbetool_mmap_zero_ignore = false - -# -# Determine whether awstats can -# purge httpd log files. -# -awstats_purge_apache_log_files = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_awstats_script_anon_write = false - -# -# Determine whether cdrecord can read -# various content. nfs, samba, removable -# devices, user temp and untrusted -# content files -# -cdrecord_read_content = false - -# -# Allow evolution to create and write -# user certificates in addition to -# being able to read them -# -evolution_manage_user_certs = false - -# -# Grant the evolution domains read access to generic user content -# -evolution_read_generic_user_content = true - -# -# Grant the evolution domains read access to all user content -# -evolution_read_all_user_content = false - -# -# Grant the evolution domains manage rights on generic user content -# -evolution_manage_generic_user_content = false - -# -# Grant the evolution domains manage rights on all user content -# -evolution_manage_all_user_content = false - -# -# Determine whether Gitosis can send mail. -# -gitosis_can_sendmail = false - -# -# Determine whether GPG agent can manage -# generic user home content files. This is -# required by the --write-env-file option. 
-# -gpg_agent_env_file = false - -# -# Determine whether GPG agent can use OpenPGP -# cards or Yubikeys over USB -# -gpg_agent_use_card = false - -# -# Grant the gpg domains read access to generic user content -# -gpg_read_generic_user_content = true - -# -# Grant the gpg domains read access to all user content -# -gpg_read_all_user_content = false - -# -# Grant the gpg domains manage rights on generic user content -# -gpg_manage_generic_user_content = false - -# -# Grant the gpg domains manage rights on all user content -# -gpg_manage_all_user_content = false - -# -# Determine whether irc clients can -# listen on and connect to any -# unreserved TCP ports. -# -irc_use_any_tcp_ports = false - -# -# Grant the irc domains read access to generic user content -# -irc_read_generic_user_content = true - -# -# Grant the irc domains read access to all user content -# -irc_read_all_user_content = false - -# -# Grant the irc domains manage rights on generic user content -# -irc_manage_generic_user_content = false - -# -# Grant the irc domains manage rights on all user content -# -irc_manage_all_user_content = false - -# -# Determine whether java can make -# its stack executable. -# -allow_java_execstack = false - -# -# Grant the java domains read access to generic user content -# -java_read_generic_user_content = true - -# -# Grant the java domains read access to all user content -# -java_read_all_user_content = false - -# -# Grant the java domains manage rights on generic user content -# -java_manage_generic_user_content = false - -# -# Grant the java domains manage rights on all user content -# -java_manage_all_user_content = false - -# -# Determine whether libmtp can read -# and manage the user home directories -# and files. -# -libmtp_enable_home_dirs = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. 
-# -allow_httpd_lightsquid_script_anon_write = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_man2html_script_anon_write = false - -# -# Determine whether mozilla can -# make its stack executable. -# -mozilla_execstack = false - -# -# Grant the mozilla domains read access to generic user content -# -mozilla_read_generic_user_content = true - -# -# Grant the mozilla domains read access to all user content -# -mozilla_read_all_user_content = false - -# -# Grant the mozilla domains manage rights on generic user content -# -mozilla_manage_generic_user_content = false - -# -# Grant the mozilla domains manage rights on all user content -# -mozilla_manage_all_user_content = false - -# -# Determine whether mplayer can make -# its stack executable. -# -allow_mplayer_execstack = false - -# -# Grant the mplayer_mencoder domains read access to generic user content -# -mplayer_mencoder_read_generic_user_content = true - -# -# Grant the mplayer_mencoder domains read access to all user content -# -mplayer_mencoder_read_all_user_content = false - -# -# Grant the mplayer_mencoder domains manage rights on generic user content -# -mplayer_mencoder_manage_generic_user_content = false - -# -# Grant the mplayer_mencoder domains manage rights on all user content -# -mplayer_mencoder_manage_all_user_content = false - -# -# Grant the mplayer domains read access to generic user content -# -mplayer_read_generic_user_content = true - -# -# Grant the mplayer domains read access to all user content -# -mplayer_read_all_user_content = false - -# -# Grant the mplayer domains manage rights on generic user content -# -mplayer_manage_generic_user_content = false - -# -# Grant the mplayer domains manage rights on all user content -# -mplayer_manage_all_user_content = false - -# -# Determine whether openoffice can -# download software updates from the -# 
network (application and/or -# extensions). -# -openoffice_allow_update = true - -# -# Determine whether openoffice writer -# can send emails directly (print to -# email). This is different from the -# functionality of sending emails -# through external clients which is -# always enabled. -# -openoffice_allow_email = false - -# -# Grant the openoffice domains read access to generic user content -# -openoffice_read_generic_user_content = true - -# -# Grant the openoffice domains read access to all user content -# -openoffice_read_all_user_content = false - -# -# Grant the openoffice domains manage rights on generic user content -# -openoffice_manage_generic_user_content = false - -# -# Grant the openoffice domains manage rights on all user content -# -openoffice_manage_all_user_content = false - -# -# Allow pulseaudio to execute code in -# writable memory -# -pulseaudio_execmem = false - -# -# Determine whether qemu has full -# access to the network. -# -qemu_full_network = false - -# -# Grant the syncthing domains read access to generic user content -# -syncthing_read_generic_user_content = true - -# -# Grant the syncthing domains read access to all user content -# -syncthing_read_all_user_content = false - -# -# Grant the syncthing domains manage rights on generic user content -# -syncthing_manage_generic_user_content = false - -# -# Grant the syncthing domains manage rights on all user content -# -syncthing_manage_all_user_content = false - -# -# Determine whether telepathy connection -# managers can connect to generic tcp ports. -# -telepathy_tcp_connect_generic_network_ports = false - -# -# Determine whether telepathy connection -# managers can connect to any port. 
-# -telepathy_connect_all_ports = false - -# -# Grant the thunderbird domains read access to generic user content -# -thunderbird_read_generic_user_content = true - -# -# Grant the thunderbird domains read access to all user content -# -thunderbird_read_all_user_content = false - -# -# Grant the thunderbird domains manage rights on generic user content -# -thunderbird_manage_generic_user_content = false - -# -# Grant the thunderbird domains manage rights on all user content -# -thunderbird_manage_all_user_content = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_webalizer_script_anon_write = false - -# -# Determine whether attempts by -# wine to mmap low regions should -# be silently blocked. -# -wine_mmap_zero_ignore = false - -# -# Grant the wireshark domains read access to generic user content -# -wireshark_read_generic_user_content = true - -# -# Grant the wireshark domains read access to all user content -# -wireshark_read_all_user_content = false - -# -# Grant the wireshark domains manage rights on generic user content -# -wireshark_manage_generic_user_content = false - -# -# Grant the wireshark domains manage rights on all user content -# -wireshark_manage_all_user_content = false - -# -# Grant the xscreensaver domains read access to generic user content -# -xscreensaver_read_generic_user_content = true - -# -# Control the ability to mmap a low area of the address space, -# as configured by /proc/sys/kernel/mmap_min_addr. -# -mmap_low_allowed = false - -# -# Determine whether dbadm can manage -# generic user files. -# -dbadm_manage_user_files = false - -# -# Determine whether dbadm can read -# generic user files. -# -dbadm_read_user_files = false - -# -# Allow sysadm to debug or ptrace all processes. -# -allow_ptrace = false - -# -# Determine whether webadm can -# manage generic user files. 
-# -webadm_manage_user_files = false - -# -# Determine whether webadm can -# read generic user files. -# -webadm_read_user_files = false - -# -# Determine whether xguest can -# mount removable media. -# -xguest_mount_media = false - -# -# Determine whether xguest can -# configure network manager. -# -xguest_connect_network = false - -# -# Determine whether xguest can -# use blue tooth devices. -# -xguest_use_bluetooth = false - -# -# Determine whether ABRT can modify -# public files used for public file -# transfer services. -# -abrt_anon_write = false - -# -# Determine whether abrt-handle-upload -# can modify public files used for public file -# transfer services in /var/spool/abrt-upload/. -# -abrt_upload_watch_anon_write = true - -# -# Determine whether ABRT can run in -# the abrt_handle_event_t domain to -# handle ABRT event scripts. -# -abrt_handle_event = false - -# -# Determine whether amavis can -# use JIT compiler. -# -amavis_use_jit = false - -# -# Determine whether httpd can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_anon_write = false - -# -# Determine whether httpd can use mod_auth_pam. -# -allow_httpd_mod_auth_pam = false - -# -# Determine whether httpd can use built in scripting. -# -httpd_builtin_scripting = false - -# -# Determine whether httpd can check spam. -# -httpd_can_check_spam = false - -# -# Determine whether httpd scripts and modules -# can connect to the network using TCP. -# -httpd_can_network_connect = false - -# -# Determine whether httpd scripts and modules -# can connect to cobbler over the network. -# -httpd_can_network_connect_cobbler = false - -# -# Determine whether scripts and modules can -# connect to databases over the network. -# -httpd_can_network_connect_db = false - -# -# Determine whether httpd can connect to -# ldap over the network. 
-# -httpd_can_network_connect_ldap = false - -# -# Determine whether httpd can connect -# to memcache server over the network. -# -httpd_can_network_connect_memcache = false - -# -# Determine whether httpd can act as a relay. -# -httpd_can_network_relay = false - -# -# Determine whether httpd daemon can -# connect to zabbix over the network. -# -httpd_can_network_connect_zabbix = false - -# -# Determine whether httpd can send mail. -# -httpd_can_sendmail = false - -# -# Determine whether httpd can communicate -# with avahi service via dbus. -# -httpd_dbus_avahi = false - -# -# Determine wether httpd can use support. -# -httpd_enable_cgi = false - -# -# Determine whether httpd can act as a -# FTP server by listening on the ftp port. -# -httpd_enable_ftp_server = false - -# -# Determine whether httpd can traverse -# user home directories. -# -httpd_enable_homedirs = false - -# -# Determine whether httpd gpg can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -httpd_gpg_anon_write = false - -# -# Determine whether httpd can execute -# its temporary content. -# -httpd_tmp_exec = false - -# -# Determine whether httpd scripts and -# modules can use execmem and execstack. -# -httpd_execmem = false - -# -# Determine whether httpd can connect -# to port 80 for graceful shutdown. -# -httpd_graceful_shutdown = false - -# -# Determine whether httpd can -# manage IPA content files. -# -httpd_manage_ipa = false - -# -# Determine whether httpd can use mod_auth_ntlm_winbind. -# -httpd_mod_auth_ntlm_winbind = false - -# -# Determine whether httpd can read -# generic user home content files. -# -httpd_read_user_content = false - -# -# Determine whether httpd can change -# its resource limits. -# -httpd_setrlimit = false - -# -# Determine whether httpd can run -# SSI executables in the same domain -# as system CGI scripts. 
-# -httpd_ssi_exec = false - -# -# Determine whether httpd can communicate -# with the terminal. Needed for entering the -# passphrase for certificates at the terminal. -# -httpd_tty_comm = false - -# -# Determine whether httpd can have full access -# to its content types. -# -httpd_unified = false - -# -# Determine whether httpd can use -# cifs file systems. -# -httpd_use_cifs = false - -# -# Determine whether httpd can -# use fuse file systems. -# -httpd_use_fusefs = false - -# -# Determine whether httpd can use gpg. -# -httpd_use_gpg = false - -# -# Determine whether httpd can use -# nfs file systems. -# -httpd_use_nfs = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_sys_script_anon_write = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_user_script_anon_write = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_unconfined_script_anon_write = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_apcupsd_cgi_script_anon_write = false - -# -# Determine whether Bind can bind tcp socket to http ports. -# -named_tcp_bind_http_port = false - -# -# Determine whether Bind can write to master zone files. -# Generally this is used for dynamic DNS or zone transfers. -# -named_write_master_zones = false - -# -# Determine whether boinc can execmem/execstack. -# -boinc_execmem = true - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. 
Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_bugzilla_script_anon_write = false - -# -# Determine whether clamscan can -# read user content files. -# -clamav_read_user_content_files_clamscan = false - -# -# Determine whether clamscan can read -# all non-security files. -# -clamav_read_all_non_security_files_clamscan = false - -# -# Determine whether can clamd use JIT compiler. -# -clamd_use_jit = false - -# -# Determine whether Cobbler can modify -# public files used for public file -# transfer services. -# -cobbler_anon_write = false - -# -# Determine whether Cobbler can connect -# to the network using TCP. -# -cobbler_can_network_connect = false - -# -# Determine whether Cobbler can access -# cifs file systems. -# -cobbler_use_cifs = false - -# -# Determine whether Cobbler can access -# nfs file systems. -# -cobbler_use_nfs = false - -# -# Determine whether collectd can connect -# to the network using TCP. -# -collectd_tcp_network_connect = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_collectd_script_anon_write = false - -# -# Determine whether Condor can connect -# to the network using TCP. -# -condor_tcp_network_connect = false - -# -# Determine whether system cron jobs -# can relabel filesystem for -# restoring file contexts. -# -cron_can_relabel = false - -# -# Determine whether crond can execute jobs -# in the user domain as opposed to the -# the generic cronjob domain. -# -cron_userdomain_transition = false - -# -# Determine whether extra rules -# should be enabled to support fcron. 
-# -fcron_crond = false - -# -# Grant the cron domains read access to generic user content -# -cron_read_generic_user_content = true - -# -# Grant the cron domains read access to all user content -# -cron_read_all_user_content = false - -# -# Grant the cron domains manage rights on generic user content -# -cron_manage_generic_user_content = false - -# -# Grant the cron domains manage rights on all user content -# -cron_manage_all_user_content = false - -# -# Determine whether cvs can read shadow -# password files. -# -allow_cvs_read_shadow = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_cvs_script_anon_write = false - -# -# Determine whether DHCP daemon -# can use LDAP backends. -# -dhcpd_use_ldap = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_dspam_script_anon_write = false - -# -# Determine whether entropyd can use -# audio devices as the source for -# the entropy feeds. -# -entropyd_use_audio = false - -# -# Determine whether exim can connect to -# databases. -# -exim_can_connect_db = false - -# -# Determine whether exim can read generic -# user content files. -# -exim_read_user_files = false - -# -# Determine whether exim can create, -# read, write, and delete generic user -# content files. -# -exim_manage_user_files = false - -# -# Determine whether ftpd can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_ftpd_anon_write = false - -# -# Determine whether ftpd can login to -# local users and can read and write -# all files on the system, governed by DAC. -# -allow_ftpd_full_access = false - -# -# Determine whether ftpd can use CIFS -# used for public file transfer services. 
-# -allow_ftpd_use_cifs = false - -# -# Determine whether ftpd can use NFS -# used for public file transfer services. -# -allow_ftpd_use_nfs = false - -# -# Determine whether ftpd can connect to -# databases over the TCP network. -# -ftpd_connect_db = false - -# -# Determine whether ftpd can bind to all -# unreserved ports for passive mode. -# -ftpd_use_passive_mode = false - -# -# Determine whether ftpd can connect to -# all unreserved ports. -# -ftpd_connect_all_unreserved = false - -# -# Determine whether ftpd can read and write -# files in user home directories. -# -ftp_home_dir = false - -# -# Determine whether sftpd can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -sftpd_anon_write = false - -# -# Determine whether sftpd-can read and write -# files in user home directories. -# -sftpd_enable_homedirs = false - -# -# Determine whether sftpd-can login to -# local users and read and write all -# files on the system, governed by DAC. -# -sftpd_full_access = false - -# -# Determine whether sftpd can read and write -# files in user ssh home directories. -# -sftpd_write_ssh_home = false - -# -# Determine whether Git CGI -# can search home directories. -# -git_cgi_enable_homedirs = false - -# -# Determine whether Git CGI -# can access cifs file systems. -# -git_cgi_use_cifs = false - -# -# Determine whether Git CGI -# can access nfs file systems. -# -git_cgi_use_nfs = false - -# -# Determine whether Git session daemon -# can bind TCP sockets to all -# unreserved ports. -# -git_session_bind_all_unreserved_ports = false - -# -# Determine whether calling user domains -# can execute Git daemon in the -# git_session_t domain. -# -git_session_users = false - -# -# Determine whether Git session daemons -# can send syslog messages. -# -git_session_send_syslog_msg = false - -# -# Determine whether Git system daemon -# can search home directories. 
-# -git_system_enable_homedirs = false - -# -# Determine whether Git system daemon -# can access cifs file systems. -# -git_system_use_cifs = false - -# -# Determine whether Git system daemon -# can access nfs file systems. -# -git_system_use_nfs = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_git_script_anon_write = false - -# -# Grant the i18n_input domains read access to generic user content -# -i18n_input_read_generic_user_content = true - -# -# Determine whether icecast can listen -# on and connect to any TCP port. -# -icecast_use_any_tcp_ports = false - -# -# Determine whether kerberos is supported. -# -allow_kerberos = false - -# -# Determine whether to support lpd server. -# -use_lpd_server = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_mediawiki_script_anon_write = false - -# -# Determine whether minidlna can read generic user content. -# -minidlna_read_generic_user_content = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_mojomojo_script_anon_write = false - -# -# Allow monit to start/stop services -# -monit_startstop_services = false - -# -# Determine whether mpd can traverse -# user home directories. -# -mpd_enable_homedirs = false - -# -# Determine whether mpd can use -# cifs file systems. -# -mpd_use_cifs = false - -# -# Determine whether mpd can use -# nfs file systems. -# -mpd_use_nfs = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. 
-# -allow_httpd_munin_script_anon_write = false - -# -# Determine whether mysqld can -# connect to all TCP ports. -# -mysql_connect_any = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_nagios_script_anon_write = false - -# -# Determine whether confined applications -# can use nscd shared memory. -# -nscd_use_shm = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_nutups_cgi_script_anon_write = false - -# -# Determine whether openvpn can -# read generic user home content files. -# -openvpn_enable_homedirs = false - -# -# Determine whether openvpn can -# connect to the TCP network. -# -openvpn_can_network_connect = false - -# -# Determine whether Polipo system -# daemon can access CIFS file systems. -# -polipo_system_use_cifs = false - -# -# Determine whether Polipo system -# daemon can access NFS file systems. -# -polipo_system_use_nfs = false - -# -# Determine whether calling user domains -# can execute Polipo daemon in the -# polipo_session_t domain. -# -polipo_session_users = false - -# -# Determine whether Polipo session daemon -# can send syslog messages. -# -polipo_session_send_syslog_msg = false - -# -# Determine whether postfix local -# can manage mail spool content. 
-#
-postfix_local_write_mail_spool = true
-
-#
-# Grant the postfix domains read access to generic user content
-#
-postfix_read_generic_user_content = true
-
-#
-# Grant the postfix domains read access to all user content
-#
-postfix_read_all_user_content = false
-
-#
-# Grant the postfix domains manage rights on generic user content
-#
-postfix_manage_generic_user_content = false
-
-#
-# Grant the postfix domains manage rights on all user content
-#
-postfix_manage_all_user_content = false
-
-#
-# Allow unprived users to execute DDL statement
-#
-sepgsql_enable_users_ddl = false
-
-#
-# Allow transmit client label to foreign database
-#
-sepgsql_transmit_client_label = false
-
-#
-# Allow database admins to execute DML statement
-#
-sepgsql_unconfined_dbadm = false
-
-#
-# Determine whether pppd can
-# load kernel modules.
-#
+gssd_read_tmp = true
+httpd_builtin_scripting = true
+httpd_enable_cgi = true
+kerberos_enabled = true
+mount_anyfile = true
+nfs_export_all_ro = true
+nfs_export_all_rw = true
+nscd_use_shm = true
+openvpn_enable_homedirs = true
+postfix_local_write_mail_spool=true
 pppd_can_insmod = false
-
-#
-# Determine whether common users can
-# run pppd with a domain transition.
-#
-pppd_for_user = false
-
-#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_prewikka_script_anon_write = false
-
-#
-# Determine whether privoxy can
-# connect to all tcp ports.
-#
-privoxy_connect_any = false
-
-#
-# Determine whether rgmanager can
-# connect to the network using TCP.
-#
-rgmanager_can_network_connect = false
-
-#
-# Determine whether fenced can
-# connect to the TCP network.
-#
-fenced_can_network_connect = false
-
-#
-# Determine whether fenced can use ssh.
-#
-fenced_can_ssh = false
-
-#
-# Determine whether gssd can read
-# generic user temporary content.
-# -allow_gssd_read_tmp = false - -# -# Determine whether gssd can write -# generic user temporary content. -# -allow_gssd_write_tmp = false - -# -# Determine whether nfs can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_nfsd_anon_write = false - -# -# Determine whether rsync can use -# cifs file systems. -# -rsync_use_cifs = false - -# -# Determine whether rsync can -# use fuse file systems. -# -rsync_use_fusefs = false - -# -# Determine whether rsync can use -# nfs file systems. -# -rsync_use_nfs = false - -# -# Determine whether rsync can -# run as a client -# -rsync_client = false - -# -# Determine whether rsync can -# export all content read only. -# -rsync_export_all_ro = false - -# -# Determine whether rsync can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_rsync_anon_write = false - -# -# Determine whether smbd_t can -# read shadow files. -# -samba_read_shadow = false - -# -# Determine whether samba can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_smbd_anon_write = false - -# -# Determine whether samba can -# create home directories via pam. -# -samba_create_home_dirs = false - -# -# Determine whether samba can act as the -# domain controller, add users, groups -# and change passwords. -# -samba_domain_controller = false - -# -# Determine whether samba can -# act as a portmapper. -# -samba_portmapper = false - -# -# Determine whether samba can share -# users home directories. -# -samba_enable_home_dirs = false - -# -# Determine whether samba can share -# any content read only. -# -samba_export_all_ro = false - -# -# Determine whether samba can share any -# content readable and writable. -# -samba_export_all_rw = false - -# -# Determine whether samba can -# run unconfined scripts. 
-# -samba_run_unconfined = false - -# -# Determine whether samba can -# use nfs file systems. -# -samba_share_nfs = false - -# -# Determine whether samba can -# use fuse file systems. -# -samba_share_fusefs = false - -# -# Determine whether sanlock can use -# nfs file systems. -# -sanlock_use_nfs = false - -# -# Determine whether sanlock can use -# cifs file systems. -# -sanlock_use_samba = false - -# -# Determine whether sasl can -# read shadow files. -# -allow_saslauthd_read_shadow = false - -# -# Determine whether smartmon can support -# devices on 3ware controllers. -# -smartmon_3ware = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_smokeping_cgi_script_anon_write = false - -# -# Determine whether spamassassin -# clients can use the network. -# -spamassassin_can_network = false - -# -# Determine whether spamd can manage -# generic user home content. -# -spamd_enable_home_dirs = false - -# -# Determine whether squid can -# connect to all TCP ports. -# -squid_connect_any = false - -# -# Determine whether squid can run -# as a transparent proxy. -# -squid_use_tproxy = false - -# -# Determine whether squid can use the -# pinger daemon (needs raw net access) -# -squid_use_pinger = true - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_squid_script_anon_write = false - -# -# allow host key based authentication -# -allow_ssh_keysign = false - -# -# Allow ssh logins as sysadm_r:sysadm_t -# -ssh_sysadm_login = false - -# -# Allow ssh to use gpg-agent -# -ssh_use_gpg_agent = false - -# -# Determine whether tftp can modify -# public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. 
-# -tftp_anon_write = false - -# -# Determine whether tftp can manage -# generic user home content. -# -tftp_enable_homedir = false - -# -# Determine whether tor can bind -# tcp sockets to all unreserved ports. -# -tor_bind_all_unreserved_ports = false - -# -# Determine whether varnishd can -# use the full TCP network. -# -varnishd_connect_any = false - -# -# Determine whether confined virtual guests -# can use serial/parallel communication ports. -# -virt_use_comm = false - -# -# Determine whether confined virtual guests -# can use executable memory and can make -# their stack executable. -# -virt_use_execmem = false - -# -# Determine whether confined virtual guests -# can use fuse file systems. -# -virt_use_fusefs = false - -# -# Determine whether confined virtual guests -# can use nfs file systems. -# -virt_use_nfs = false - -# -# Determine whether confined virtual guests -# can use cifs file systems. -# -virt_use_samba = false - -# -# Determine whether confined virtual guests -# can manage device configuration. -# -virt_use_sysfs = false - -# -# Determine whether confined virtual guests -# can use usb devices. -# -virt_use_usb = false - -# -# Determine whether confined virtual guests -# can interact with xserver. -# -virt_use_xserver = false - -# -# Determine whether confined virtual guests -# can use vfio for pci device pass through (vt-d). -# -virt_use_vfio = false - -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_w3c_validator_script_anon_write = false - -# -# Allows clients to write to the X server shared -# memory segments. 
-# -allow_write_xshm = false - -# -# Allow xdm logins as sysadm -# -xdm_sysadm_login = false - -# -# Use gnome-shell in gdm mode as the -# X Display Manager (XDM) -# -xserver_gnome_xdm = false - -# -# Support X userspace object manager -# -xserver_object_manager = false - -# -# Determine whether zabbix can -# connect to all TCP ports -# -zabbix_can_network = false - -# -# Determine whether zebra daemon can -# manage its configuration files. -# -allow_zebra_write_config = false - -# -# Allow users to resolve user passwd entries directly from ldap rather then using a sssd server -# -authlogin_nsswitch_use_ldap = false - -# -# Enable support for upstart as the init program. -# -init_upstart = false - -# -# Allow all daemons the ability to read/write terminals -# -init_daemons_use_tty = false - -# -# Allow racoon to read shadow -# -racoon_read_shadow = false - -# -# Allow the mount command to mount any directory or file. -# -allow_mount_anyfile = false - -# -# Enable support for systemd-tmpfiles to manage all non-security files. -# -systemd_tmpfiles_manage_all = false - -# -# Allow systemd-nspawn to create a labelled namespace with the same types -# as parent environment -# -systemd_nspawn_labeled_namespace = false - -# -# Allow users to connect to mysql -# -allow_user_mysql_connect = false - -# -# Allow users to connect to PostgreSQL -# -allow_user_postgresql_connect = false - -# -# Allow regular users direct mouse access -# -user_direct_mouse = false - -# -# Allow users to read system messages. -# -user_dmesg = false - -# -# Allow user to r/w files on filesystems -# that do not have extended attributes (FAT, CDROM, FLOPPY) -# -user_rw_noexattrfile = false - -# -# Allow user to execute files on filesystems -# that do not have extended attributes (FAT, CDROM, FLOPPY) -# -user_exec_noexattrfile = false - -# -# Allow user to write files on removable -# devices (e.g. 
external USB memory -# devices or floppies) -# -user_write_removable = false - -# -# Allow w to display everyone -# -user_ttyfile_stat = false - -# -# Determine whether xend can -# run blktapctrl and tapdisk. -# -xend_run_blktap = false - -# -# Determine whether xen can -# use fusefs file systems. -# -xen_use_fusefs = false - -# -# Determine whether xen can -# use nfs file systems. -# -xen_use_nfs = false - -# -# Determine whether xen can -# use samba file systems. -# -xen_use_samba = false - -# -# Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla -# -allow_execheap = false - -# -# Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") -# -allow_execmem = false - -# -# Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t") -# -allow_execmod = false - -# -# Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla") -# -allow_execstack = false - -# -# Enable polyinstantiated directory support. -# -allow_polyinstantiation = false - -# -# Allow system to run with NIS -# -allow_ypbind = false - -# -# Allow logging in and using the system from /dev/console. -# -console_login = true - -# -# Enable reading of urandom for all domains. -# -# -# -# -# This should be enabled when all programs -# are compiled with ProPolice/SSP -# stack smashing protection. All domains will -# be allowed to read from /dev/urandom. -# -global_ssp = false - -# -# Allow email client to various content. 
-# nfs, samba, removable devices, and user temp
-# files
-#
-mail_read_content = false
-
-#
-# Allow any files/directories to be exported read/write via NFS.
-#
-nfs_export_all_rw = false
-
-#
-# Allow any files/directories to be exported read/only via NFS.
-#
-nfs_export_all_ro = false
-
-#
-# Support NFS home directories
-#
-use_nfs_home_dirs = false
-
-#
-# Support SAMBA home directories
-#
-use_samba_home_dirs = false
-
-#
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users) disabling this forces FTP passive mode
-# and may change other protocols.
-#
-user_tcp_server = false
-
-#
-# Allow users to run UDP servers (bind to ports and accept connection from
-# the same domain and outside users)
-#
-user_udp_server = false
-
+privoxy_connect_any = true
+selinuxuser_direct_dri_enabled = true
+selinuxuser_execmem = true
+selinuxuser_execmod = true
+selinuxuser_execstack = true
+selinuxuser_rw_noexattrfile=true
+selinuxuser_ping = true
+squid_connect_any = true
+telepathy_tcp_connect_generic_network_ports=true
+unconfined_chrome_sandbox_transition=true
+unconfined_mozilla_plugin_transition=true
+xguest_exec_content = true
+mozilla_plugin_can_network_connect = true
diff --git a/booleans.subs_dist b/booleans.subs_dist
new file mode 100644
index 0000000..e4f1c19
--- /dev/null
+++ b/booleans.subs_dist
@@ -0,0 +1,54 @@
+allow_auditadm_exec_content auditadm_exec_content
+allow_console_login login_console_enabled
+allow_cvs_read_shadow cvs_read_shadow
+allow_daemons_dump_core daemons_dump_core
+allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
+allow_daemons_use_tty daemons_use_tty
+allow_domain_fd_use domain_fd_use
+allow_execheap selinuxuser_execheap
+allow_execmod selinuxuser_execmod
+allow_execstack selinuxuser_execstack
+allow_ftpd_anon_write ftpd_anon_write
+allow_ftpd_full_access ftpd_full_access
+allow_ftpd_use_cifs ftpd_use_cifs
+allow_ftpd_use_nfs ftpd_use_nfs
+allow_gssd_read_tmp gssd_read_tmp
+allow_guest_exec_content guest_exec_content
+allow_httpd_anon_write httpd_anon_write
+allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
+allow_httpd_mod_auth_pam httpd_mod_auth_pam
+allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
+allow_kerberos kerberos_enabled
+allow_mplayer_execstack mplayer_execstack
+allow_mount_anyfile mount_anyfile
+allow_nfsd_anon_write nfsd_anon_write
+allow_polyinstantiation polyinstantiation_enabled
+allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
+allow_rsync_anon_write rsync_anon_write
+allow_saslauthd_read_shadow saslauthd_read_shadow
+allow_secadm_exec_content secadm_exec_content
+allow_smbd_anon_write smbd_anon_write
+allow_ssh_keysign ssh_keysign
+allow_staff_exec_content staff_exec_content
+allow_sysadm_exec_content sysadm_exec_content
+allow_user_exec_content user_exec_content
+allow_user_mysql_connect selinuxuser_mysql_connect_enabled
+allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
+allow_write_xshm xserver_clients_write_xshm
+allow_xguest_exec_content xguest_exec_content
+allow_xserver_execmem xserver_execmem
+allow_ypbind nis_enabled
+allow_zebra_write_config zebra_write_config
+user_direct_dri selinuxuser_direct_dri_enabled
+user_ping selinuxuser_ping
+user_share_music selinuxuser_share_music
+user_tcp_server selinuxuser_tcp_server
+sepgsql_enable_pitr_implementation postgresql_can_rsync
+sepgsql_enable_users_ddl postgresql_selinux_users_ddl
+sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
+sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
+clamd_use_jit antivirus_use_jit
+amavis_use_jit antivirus_use_jit
+logwatch_can_sendmail logwatch_can_network_connect_mail
+puppet_manage_all_files puppetagent_manage_all_files
+virt_sandbox_use_nfs virt_use_nfs
diff --git a/config.tgz b/config.tgz
deleted file mode 100644
index 5352b33..0000000
--- a/config.tgz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:652101e6cd75232a223d53d498a9190f0c21d513c9587d34956805fd56545ee2
-size 3189
diff --git a/fedora-policy.20190802.tar.bz2 b/fedora-policy.20190802.tar.bz2
new file mode 100644
index 0000000..409383d
--- /dev/null
+++ b/fedora-policy.20190802.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3ff2142bd458599826f79aa85344da39a6ef833e5c644d0da46dfc686baf9bd3
+size 730294
diff --git a/fix_dbus.patch b/fix_dbus.patch
new file mode 100644
index 0000000..39f1fc6
--- /dev/null
+++ b/fix_dbus.patch
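Review bot: The substitution list maps `allow_execheap`, `allow_execmod` and `allow_execstack` to their `selinuxuser_*` names but has no entry for `allow_execmem`, even though booleans-minimum.conf in this same commit switches to the new name `selinuxuser_execmem`; anything still setting the old `allow_execmem` (local customisations, semanage scripts) would silently stop being translated. If the bundled policy carries `selinuxuser_execmem`, add `allow_execmem selinuxuser_execmem` next to its three siblings. The two-to-one mappings (`clamd_use_jit` and `amavis_use_jit` both to `antivirus_use_jit`) are fine for a one-way substitution, but it is worth confirming that both old names really are retired in the new policy so there is no name that is both a real boolean and a substitution source.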
@@ -0,0 +1,35 @@
+Index: fedora-policy/policy/modules/contrib/evolution.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/evolution.te 2019-08-05 09:39:48.641670181 +0200
++++ fedora-policy/policy/modules/contrib/evolution.te 2019-08-05 09:57:29.695474175 +0200
+@@ -228,7 +228,6 @@ optional_policy(`
+ 
+ optional_policy(`
+ dbus_system_bus_client(evolution_t)
+- dbus_all_session_bus_client(evolution_t)
+ ')
+ 
+ optional_policy(`
+@@ -309,10 +308,6 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+- dbus_all_session_bus_client(evolution_alarm_t)
+-')
+-
+-optional_policy(`
+ gnome_stream_connect_gconf(evolution_alarm_t)
+ ')
+ 
+Index: fedora-policy/policy/modules/contrib/thunderbird.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/thunderbird.te 2019-08-05 09:39:48.681670851 +0200
++++ fedora-policy/policy/modules/contrib/thunderbird.te 2019-08-05 09:57:38.503622198 +0200
+@@ -121,7 +121,6 @@ ifndef(`enable_mls',`
+ 
+ optional_policy(`
+ dbus_system_bus_client(thunderbird_t)
+- dbus_all_session_bus_client(thunderbird_t)
+ 
+ optional_policy(`
+ cups_dbus_chat(thunderbird_t)
diff --git a/fix_djbdns.patch b/fix_djbdns.patch
new file mode 100644
index 0000000..c3015b7
--- /dev/null
+++ b/fix_djbdns.patch
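Review bot: None of the new fix_*.patch files carries a header saying why the interface call is being dropped, so a reader cannot tell whether `dbus_all_session_bus_client` is undefined in the bundled fedora-policy (a build fix) or whether evolution/thunderbird are being deliberately cut off from session buses (a hardening change); the two cases call for different follow-ups when the tarball is next refreshed. patch/quilt ignore free text before the first `Index:` line, so a one-paragraph description there — the build error or denial being addressed and the policy version it was observed against — would be enough. The same applies to fix_djbdns.patch, fix_gift.patch, fix_hadoop.patch, fix_java.patch, fix_logging.patch, fix_miscfiles.patch, fix_nscd.patch, fix_sysnetwork.patch, fix_thunderbird.patch and fix_xserver.patch. This patch and fix_thunderbird.patch both edit thunderbird.te; folding them into one patch would keep the series easier to rebase.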
@@ -0,0 +1,33 @@
+Index: fedora-policy/policy/modules/contrib/djbdns.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/djbdns.te 2019-08-05 09:39:48.641670181 +0200
++++ fedora-policy/policy/modules/contrib/djbdns.te 2019-08-05 09:53:08.383084236 +0200
+@@ -24,28 +24,6 @@ allow djbdns_domain self:fifo_file rw_fi
+ allow djbdns_domain self:tcp_socket create_stream_socket_perms;
+ allow djbdns_domain self:udp_socket create_socket_perms;
+ 
+-corenet_all_recvfrom_unlabeled(djbdns_domain)
+-corenet_all_recvfrom_netlabel(djbdns_domain)
+-corenet_tcp_sendrecv_generic_if(djbdns_domain)
+-corenet_udp_sendrecv_generic_if(djbdns_domain)
+-corenet_tcp_sendrecv_generic_node(djbdns_domain)
+-corenet_udp_sendrecv_generic_node(djbdns_domain)
+-corenet_tcp_sendrecv_all_ports(djbdns_domain)
+-corenet_udp_sendrecv_all_ports(djbdns_domain)
+-corenet_tcp_bind_generic_node(djbdns_domain)
+-corenet_udp_bind_generic_node(djbdns_domain)
+-
+-corenet_sendrecv_dns_server_packets(djbdns_domain)
+-corenet_tcp_bind_dns_port(djbdns_domain)
+-corenet_udp_bind_dns_port(djbdns_domain)
+-
+-corenet_sendrecv_dns_client_packets(djbdns_domain)
+-corenet_tcp_connect_dns_port(djbdns_domain)
+-
+-corenet_sendrecv_generic_server_packets(djbdns_domain)
+-corenet_tcp_bind_generic_port(djbdns_domain)
+-corenet_udp_bind_generic_port(djbdns_domain)
+-
+ files_search_var(djbdns_domain)
+ 
+ daemontools_ipc_domain(djbdns_axfrdns_t)
diff --git a/fix_gift.patch b/fix_gift.patch
new file mode 100644
index 0000000..191375e
--- /dev/null
+++ b/fix_gift.patch
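Review bot: The hunk removes every corenet_* rule from djbdns_domain, including `corenet_udp_bind_dns_port`, `corenet_tcp_bind_dns_port` and the generic node/port send-receive rules, so the domains keep the `self:tcp_socket`/`self:udp_socket` create permissions on the preceding lines but can no longer bind to or serve on port 53. If only some of these interfaces are missing from the bundled fedora-policy (the `corenet_all_recvfrom_*` pair is the usual suspect), the fix should drop just those and keep the DNS-port and generic-node rules; if djbdns is simply not shipped and the module only has to compile, a header note saying so would stop a later reader from restoring the block as a regression fix. The same blanket removal of a corenet block appears in fix_java.patch.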
@@ -0,0 +1,9 @@
+Index: fedora-policy/policy/modules/contrib/gift.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/gift.te 2019-08-05 09:39:48.645670248 +0200
++++ fedora-policy/policy/modules/contrib/gift.te 2019-08-05 10:05:44.787808191 +0200
+@@ -113,4 +113,3 @@ files_read_etc_runtime_files(giftd_t)
+ sysnet_dns_name_resolve(giftd_t)
+ 
+ userdom_use_inherited_user_terminals(giftd_t)
+-userdom_home_manager(gitd_t)
diff --git a/fix_hadoop.patch b/fix_hadoop.patch
new file mode 100644
index 0000000..3782c40
--- /dev/null
+++ b/fix_hadoop.patch
@@ -0,0 +1,30 @@
+Index: fedora-policy/policy/modules/roles/sysadm.te
+===================================================================
+--- fedora-policy.orig/policy/modules/roles/sysadm.te 2019-08-05 09:39:39.113510611 +0200
++++ fedora-policy/policy/modules/roles/sysadm.te 2019-08-05 14:11:28.416872543 +0200
+@@ -282,10 +282,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- hadoop_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+ iotop_run(sysadm_t, sysadm_r)
+ ')
+ 
+Index: fedora-policy/policy/modules/roles/unprivuser.te
+===================================================================
+--- fedora-policy.orig/policy/modules/roles/unprivuser.te 2019-08-05 09:39:39.113510611 +0200
++++ fedora-policy/policy/modules/roles/unprivuser.te 2019-08-05 14:11:22.908782828 +0200
+@@ -192,10 +192,6 @@ ifndef(`distro_redhat',`
+ ')
+ 
+ optional_policy(`
+- hadoop_role(user_r, user_t)
+- ')
+-
+- optional_policy(`
+ irc_role(user_r, user_t)
+ ')
+ 
diff --git a/fix_java.patch b/fix_java.patch
new file mode 100644
index 0000000..f1f2358
--- /dev/null
+++ b/fix_java.patch
@@ -0,0 +1,41 @@
+Index: fedora-policy/policy/modules/contrib/java.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/java.te 2019-08-05 13:50:32.925673660 +0200
++++ fedora-policy/policy/modules/contrib/java.te 2019-08-05 14:06:51.896425229 +0200
+@@ -21,6 +21,7 @@ roleattribute system_r java_roles;
+ attribute_role unconfined_java_roles;
+ 
+ type java_t, java_domain;
++typealias java_t alias java_domain_t;
+ type java_exec_t;
+ userdom_user_application_domain(java_t, java_exec_t)
+ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
+@@ -71,19 +72,9 @@ can_exec(java_domain, { java_exec_t java
+ kernel_read_all_sysctls(java_domain)
+ kernel_search_vm_sysctl(java_domain)
+ kernel_read_network_state(java_domain)
+-kernel_read_system_state(java_domain)
+ 
+ corecmd_search_bin(java_domain)
+ 
+-corenet_all_recvfrom_unlabeled(java_domain)
+-corenet_all_recvfrom_netlabel(java_domain)
+-corenet_tcp_sendrecv_generic_if(java_domain)
+-corenet_tcp_sendrecv_generic_node(java_domain)
+-
+-corenet_sendrecv_all_client_packets(java_domain)
+-corenet_tcp_connect_all_ports(java_domain)
+-corenet_tcp_sendrecv_all_ports(java_domain)
+-
+ dev_read_sound(java_domain)
+ dev_write_sound(java_domain)
+ dev_read_urand(java_domain)
+@@ -95,8 +86,6 @@ files_read_etc_runtime_files(java_domain
+ fs_getattr_all_fs(java_domain)
+ fs_dontaudit_rw_tmpfs_files(java_domain)
+ 
+-logging_send_syslog_msg(java_domain)
+-
+ miscfiles_read_localization(java_domain)
+ miscfiles_read_fonts(java_domain)
+ 
diff --git a/fix_logging.patch b/fix_logging.patch
new file mode 100644
index 0000000..f26a61d
--- /dev/null
+++ b/fix_logging.patch
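Review bot: Besides the corenet block, the second and third hunks also drop `kernel_read_system_state(java_domain)` and `logging_send_syslog_msg(java_domain)`, which have nothing to do with networking; unless those two interfaces are likewise undefined in the bundled policy they look like collateral removals and would show up as /proc and syslog denials the first time a confined JVM runs. If they were removed on purpose as tightening, say so in the patch header; if they were removed to get the module to build, the error message naming the missing interface belongs there too. The new `typealias java_t alias java_domain_t;` introduces an alias that nothing visible in this commit references, so the header should also name the module or file-context entry that needs `java_domain_t`.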
@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/system/logging.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/system/logging.fc 2019-08-22 11:28:09.250979768 +0200
++++ fedora-policy/policy/modules/system/logging.fc 2019-08-22 11:45:28.360015899 +0200
+@@ -3,6 +3,7 @@
+ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
++/var//run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
diff --git a/fix_miscfiles.patch b/fix_miscfiles.patch
new file mode 100644
index 0000000..9a954e0
--- /dev/null
+++ b/fix_miscfiles.patch
@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/system/miscfiles.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/system/miscfiles.fc 2019-08-05 09:39:39.117510678 +0200
++++ fedora-policy/policy/modules/system/miscfiles.fc 2019-08-22 12:44:01.678484113 +0200
+@@ -46,6 +46,7 @@ ifdef(`distro_redhat',`
+ /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+ 
+ /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
++/var/lib/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+ /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+ /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
diff --git a/fix_nscd.patch b/fix_nscd.patch
new file mode 100644
index 0000000..caba7f0
--- /dev/null
+++ b/fix_nscd.patch
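Review bot: The added file-context entry spells the path as `/var//run/rsyslog/additional-log-sockets.conf`; file_contexts entries are regular expressions matched against the normalised path, and the doubled slash is a literal two-slash sequence, so it never matches `/var/run/rsyslog/additional-log-sockets.conf` and the file is left with whatever label its parent directory gives it instead of `syslog_conf_t`. Replace the line with `+/var/run/rsyslog/additional-log-sockets\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)`; the neighbouring `/etc/rsyslog.conf` entries leave the dot unescaped, so dropping the backslash to match their style is acceptable, but the extra slash has to go. Since the file lives under /var/run, a quick `matchpathcon /run/rsyslog/additional-log-sockets.conf` after rebuilding confirms that the /var/run→/run substitution still resolves to the intended type.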
@@ -0,0 +1,16 @@
+Index: fedora-policy/policy/modules/contrib/nscd.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/nscd.fc 2019-08-05 09:39:48.661670516 +0200
++++ fedora-policy/policy/modules/contrib/nscd.fc 2019-08-15 14:13:18.681607730 +0200
+@@ -8,8 +8,10 @@
+ /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
+ 
+ /var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
+-/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
++/var/run/nscd/socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
+ 
++/var/lib/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+ /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+ 
+ /usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
++
diff --git a/fix_sysnetwork.patch b/fix_sysnetwork.patch
new file mode 100644
index 0000000..ef929e2
--- /dev/null
+++ b/fix_sysnetwork.patch
@@ -0,0 +1,13 @@
+Index: fedora-policy/policy/modules/system/sysnetwork.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/system/sysnetwork.fc 2019-08-05 09:39:39.121510745 +0200
++++ fedora-policy/policy/modules/system/sysnetwork.fc 2019-08-21 13:47:17.253328905 +0200
+@@ -102,6 +102,8 @@ ifdef(`distro_debian',`
+ /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+ ')
+ 
++/var/run/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
++
+ /var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+ /etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+ 
diff --git a/fix_thunderbird.patch b/fix_thunderbird.patch
new file mode 100644
index 0000000..93ceda7
--- /dev/null
+++ b/fix_thunderbird.patch
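Review bot: The last line of the nscd.fc hunk (the bare `++`) appends an empty line to the end of the file, which is whitespace noise in a vendored patch and the kind of thing that makes the next rebase against a refreshed tarball apply with fuzz; drop it. The new `/var/run/nscd/socket -s` entry is already matched by the existing `/var/run/nscd(/.*)?` line with the same `nscd_var_run_t` type, so the replacement of the `\.nscd_socket` entry could be a plain removal unless the more specific line is wanted as documentation of where the socket lives now. `/var/lib/nscd(/.*)?` is labelled with the runtime type `nscd_var_run_t` rather than a persistent-data type; if that mirrors how the bundled policy labels nscd's database directory it is consistent, but a header line saying so would save the next reader checking.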
@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/contrib/thunderbird.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/thunderbird.te 2019-08-21 13:42:54.325021721 +0200
++++ fedora-policy/policy/modules/contrib/thunderbird.te 2019-08-21 13:42:58.249085986 +0200
+@@ -138,7 +138,6 @@ optional_policy(`
+ optional_policy(`
+ gnome_stream_connect_gconf(thunderbird_t)
+ gnome_domtrans_gconfd(thunderbird_t)
+- gnome_manage_generic_home_content(thunderbird_t)
+ ')
+ 
+ optional_policy(`
diff --git a/fix_xserver.patch b/fix_xserver.patch
new file mode 100644
index 0000000..04e2aa2
--- /dev/null
+++ b/fix_xserver.patch
@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/services/xserver.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/services/xserver.fc 2019-08-05 09:39:39.113510611 +0200
++++ fedora-policy/policy/modules/services/xserver.fc 2019-08-22 11:44:16.178832073 +0200
+@@ -133,6 +133,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
+ /usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
+ /usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
+ 
++/usr/lib/X11/display-manager -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ ifndef(`distro_debian',`
+ /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+ ')
diff --git a/label_sysconfig.selinux.patch b/label_sysconfig.selinux.patch
deleted file mode 100644
index 0e797db..0000000
--- a/label_sysconfig.selinux.patch
+++ /dev/null
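Review bot: Labeling `/usr/lib/X11/display-manager` as `xdm_exec_t` makes init transition into `xdm_t` when it executes that path, but if this is a wrapper script that then execs the configured display-manager binary (the file itself is not shown, so this is an assumption), that binary must also carry `xdm_exec_t` or be executable from `xdm_t`, otherwise the second exec is denied and no session starts; the patch header should record which binary the wrapper launches and how it is labeled. As a matter of layout, the new entry is inserted directly before the distro_debian ifndef block with no separating blank line, unlike the neighbouring entries.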
@@ -1,12 +0,0 @@
-Index: refpolicy/policy/modules/system/selinuxutil.fc
-===================================================================
---- refpolicy.orig/policy/modules/system/selinuxutil.fc 2018-11-27 11:44:18.621994420 +0100
-+++ refpolicy/policy/modules/system/selinuxutil.fc 2018-11-27 11:45:11.406831098 +0100
-@@ -13,6 +13,7 @@
- /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
- /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
- /etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-+/etc/sysconfig/selinux-policy -- gen_context(system_u:object_r:selinux_config_t,s0)
- 
- #
- # /root
diff --git a/label_var_run_rsyslog.patch b/label_var_run_rsyslog.patch
deleted file mode 100644
index 897d2fc..0000000
--- a/label_var_run_rsyslog.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: refpolicy/policy/modules/system/logging.fc
-===================================================================
---- refpolicy.orig/policy/modules/system/logging.fc 2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/system/logging.fc 2019-07-11 14:31:20.605624453 +0200
-@@ -62,6 +62,7 @@ ifdef(`distro_suse', `
- /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
- /var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-+/var/log/syslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
- 
- ifndef(`distro_gentoo',`
- /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
diff --git a/minimum_temp_fixes.fc b/minimum_temp_fixes.fc
new file mode 100644
index 0000000..473a0f4
diff --git a/minimum_temp_fixes.if b/minimum_temp_fixes.if
new file mode 100644
index 0000000..5846dc1
--- /dev/null
+++ b/minimum_temp_fixes.if
@@ -0,0 +1 @@
+##
diff --git a/minimum_temp_fixes.te b/minimum_temp_fixes.te
new file mode 100644
index 0000000..13534a8
--- /dev/null
+++ b/minimum_temp_fixes.te
@@ -0,0 +1,95 @@
+policy_module(minimum_temp_fixes, 1.0)
+
+require {
+ type sshd_t;
+ type lib_t;
+ type init_t;
+ type unconfined_t;
+ type systemd_localed_t;
+ type systemd_logind_t;
+ type unconfined_service_t;
+ type chkpwd_t;
+ type bin_t;
+ type fsadm_t;
+ type getty_t;
+ type systemd_tmpfiles_t;
+ type systemd_systemctl_exec_t;
+ type unconfined_dbusd_t;
+ type rtkit_daemon_t;
+ type system_dbusd_t;
+ class dir mounton;
+ class dbus { acquire_svc send_msg };
+ class nscd { getgrp shmemgrp shmemhost shmempwd getpwd gethost getserv shmemserv };
+ class process { execmem transition };
+ class file { entrypoint execmod };
+}
+
+#============= chkpwd_t ==============
+allow chkpwd_t unconfined_service_t:nscd { shmempwd getpwd };
+files_map_var_lib_files(chkpwd_t)
+files_read_var_lib_files(chkpwd_t)
+files_write_generic_pid_sockets(chkpwd_t)
+
+#============= fsadm_t ==============
+allow fsadm_t unconfined_service_t:nscd { shmemgrp shmempwd };
+
+#============= getty_t ==============
+allow getty_t unconfined_service_t:nscd shmemgrp;
+files_map_var_lib_files(getty_t)
+files_read_var_lib_files(getty_t)
+files_write_generic_pid_sockets(getty_t)
+
+#============= init_t ==============
+allow init_t bin_t:dir mounton;
+allow init_t lib_t:dir mounton;
+allow init_t self:process execmem;
+allow init_t unconfined_service_t:dbus { acquire_svc send_msg };
+allow init_t unconfined_service_t:nscd { gethost getserv shmemhost shmemserv shmemgrp shmempwd getpwd };
+files_manage_generic_spool(init_t)
+corenet_udp_bind_generic_node(init_t)
+files_map_var_lib_files(init_t)
+files_read_var_files(init_t)
+files_manage_var_files(init_t)
+storage_raw_read_removable_device(init_t)
+
+#============= sshd_t ==============
+allow sshd_t unconfined_service_t:nscd { shmemgrp shmemhost shmempwd getgrp getpwd };
+files_exec_generic_pid_files(sshd_t)
+files_map_var_lib_files(sshd_t)
+files_read_var_lib_files(sshd_t)
+files_write_generic_pid_sockets(sshd_t)
+unconfined_server_dbus_chat(sshd_t)
+
+#============= systemd_localed_t ==============
+allow systemd_localed_t unconfined_service_t:dbus { acquire_svc send_msg };
+files_write_generic_pid_sockets(systemd_localed_t)
+
+#============= systemd_logind_t ==============
+allow systemd_logind_t unconfined_service_t:dbus { acquire_svc send_msg };
+allow systemd_logind_t unconfined_service_t:nscd { shmempwd getpwd };
+files_map_var_lib_files(systemd_logind_t)
+files_read_var_lib_files(systemd_logind_t)
+files_write_generic_pid_sockets(systemd_logind_t)
+systemd_dbus_chat_logind(systemd_logind_t)
+
+#============= systemd_tmpfiles_t ==============
+allow systemd_tmpfiles_t unconfined_service_t:nscd { getpwd getgrp shmemgrp shmempwd };
+files_map_var_lib_files(systemd_tmpfiles_t)
+
+#============= unconfined_service_t ==============
+allow unconfined_service_t unconfined_t:process transition;
+init_dbus_chat(unconfined_service_t)
+unconfined_server_dbus_chat(unconfined_service_t)
+
+#============= unconfined_t ==============
+allow unconfined_t systemd_systemctl_exec_t:file entrypoint;
+allow unconfined_t unconfined_service_t:nscd { shmemgrp shmempwd getgrp gethost getpwd getserv shmemhost shmemserv };
+
+#============= unconfined_dbusd_t ==============
+allow unconfined_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };
+
+#============= rtkit_daemon_t ==============
+allow rtkit_daemon_t unconfined_service_t:nscd { getpwd shmempwd };
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };
diff --git a/modules-minimum-base.conf b/modules-minimum-base.conf
new file mode 100644
index 0000000..42d49a3
--- /dev/null
+++ b/modules-minimum-base.conf
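Review bot: `files_exec_generic_pid_files(sshd_t)` lets sshd execute any file labeled `var_run_t`, so any domain able to create a generically labeled file under /run could get code run in the sshd domain; the denial behind it should be fixed by labeling the specific file sshd executes (or via a targeted interface), not by a blanket exec grant, even in a module called temp_fixes. `allow init_t self:process execmem;` hands PID 1 anonymous executable memory, which is almost always a symptom of a text-relocation library rather than something init needs, and `storage_raw_read_removable_device(init_t)` and `files_manage_var_files(init_t)` are likewise broader than a minimum policy should carry without a comment naming the denial each one silences. The repeated `allow <domain> unconfined_service_t:nscd …` rules together with the `files_write_generic_pid_sockets(...)` calls indicate that nscd is running as `unconfined_service_t` with a `var_run_t` socket; once nscd is confined in `nscd_t` (the nscd.fc relabeling elsewhere in this commit is a step that way) each of these collapses to `nscd_socket_use(<domain>)`. A one-line `# denial:` comment per section would let these rules be retired when the underlying labeling is fixed.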
@@ -0,0 +1,429 @@
+# Layer: kernel
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = module
+
+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+#
+seunshare = module
+
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
+#
+kernel = base
+
+# Module: mcs
+# Required in base
+#
+# MultiCategory security policy
+#
+mcs = base
+
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = base
+
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+#
+#
+#
+ubac = base
+
+# Layer: kernel
+# Module: unconfined
+#
+# The unlabelednet module.
+#
+unlabelednet = module
+
+# Layer: role
+# Module: auditadm
+#
+# auditadm account on tty logins
+#
+auditadm = module
+
+# Layer: role
+# Module: logadm
+#
+# Minimally prived root role for managing logging system
+#
+logadm = module
+
+# Layer: role
+# Module: secadm
+#
+# secadm account on tty logins
+#
+secadm = module
+
+# Layer:role
+# Module: sysadm_secadm
+#
+# System Administrator with Security Admin rules
+#
+sysadm_secadm = module
+
+# Module: staff
+#
+# admin account
+#
+staff = module
+
+# Layer:role
+# Module: sysadm
+#
+# System Administrator
+#
+sysadm = module
+
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+#
+unconfineduser = module
+
+# Layer: role
+# Module: unprivuser
+#
+# Minimally privs guest account on tty logins
+#
+unprivuser = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: xserver
+#
+# X windows login display manager
+#
+xserver = module
+
+# Module: application
+# Required in base
+#
+# Defines attributs and interfaces for all user applications
+#
+application = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# Basic netlabel types and interfaces.
+#
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Module: setrans
+# Required in base
+#
+# Policy for setrans
+#
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+# Layer: system
+# Module: systemd
+#
+# Policy for systemd components
+#
+systemd = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: system
+# Module: kdbus
+#
+# Policy for kdbus.
+#
+kdbus = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = module
+
+# Layer: contrib
+# Module: minimum_temp_fixes
+#
+# Temporary fixes for the minimum policy.
+#
+minimum_temp_fixes = module
+
+# Layer: contrib
+# Module: packagekit
+#
+# Temporary permissive module for packagekit
+#
+packagekit = module
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+#
+nscd = module
+
diff --git a/modules-minimum-contrib.conf b/modules-minimum-contrib.conf
new file mode 100644
index 0000000..1be2194
--- /dev/null
+++ b/modules-minimum-contrib.conf
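Review bot: The `application` and `setrans` entries are annotated `# Required in base` but are set to `module`, so either the annotation or the value is wrong; if the build genuinely needs them in base the value should be `base`, otherwise the misleading annotation should be removed. The block headed `# Module: unconfined` in the kernel layer actually sets `unlabelednet = module`, and the `ubac` block has an empty description, so the headers in this file cannot currently be trusted. `packagekit` is described as a `Temporary permissive module` and sits next to `minimum_temp_fixes` in this base module list, which means a permissive domain ships by default; a `# TODO` line with a tracking reference beside each temporary entry would make that a deliberate, reviewable choice.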
@@ -0,0 +1,2630 @@
+# Layer: services
+# Module: abrt
+#
+# Automatic bug detection and reporting tool
+#
+abrt = module
+
+# Layer: services
+# Module: accountsd
+#
+# An application to view and modify user accounts information
+#
+accountsd = module
+
+# Layer: admin
+# Module: acct
+#
+# Berkeley process accounting
+#
+acct = module
+
+# Layer: services
+# Module: afs
+#
+# Andrew Filesystem server
+#
+afs = module
+
+# Layer: services
+# Module: aiccu
+#
+# SixXS Automatic IPv6 Connectivity Client Utility
+#
+aiccu = module
+
+# Layer: services
+# Module: aide
+#
+# Policy for aide
+#
+aide = module
+
+# Layer: services
+# Module: ajaxterm
+#
+# Web Based Terminal
+#
+ajaxterm = module
+
+# Layer: admin
+# Module: alsa
+#
+# Ainit ALSA configuration tool
+#
+alsa = module
+
+# Layer: admin
+# Module: amanda
+#
+# Automated backup program.
+#
+amanda = module
+
+# Layer: admin
+# Module: amtu
+#
+# Abstract Machine Test Utility (AMTU)
+#
+amtu = module
+
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+#
+anaconda = module
+
+# Layer: contrib
+# Module: antivirus
+#
+# SELinux policy for antivirus programs
+#
+antivirus = module
+
+# Layer: services
+# Module: apache
+#
+# Apache web server
+#
+apache = module
+
+# Layer: services
+# Module: apcupsd
+#
+# daemon for most APC’s UPS for Linux
+#
+apcupsd = module
+
+# Layer: services
+# Module: apm
+#
+# Advanced power management daemon
+#
+apm = module
+
+# Layer: services
+# Module: arpwatch
+#
+# Ethernet activity monitor.
+#
+arpwatch = module
+
+# Layer: services
+# Module: asterisk
+#
+# Asterisk IP telephony server
+#
+asterisk = module
+
+# Layer: contrib
+# Module: authconfig
+#
+# Authorization configuration tool
+#
+authconfig = module
+
+# Layer: services
+# Module: automount
+#
+# Filesystem automounter service.
+#
+automount = module
+
+# Layer: services
+# Module: avahi
+#
+# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
+#
+avahi = module
+
+# Layer: module
+# Module: awstats
+#
+# awstats executable
+#
+awstats = module
+
+# Layer: services
+# Module: bcfg2
+#
+# Configuration management server
+#
+bcfg2 = module
+
+# Layer: services
+# Module: bind
+#
+# Berkeley internet name domain DNS server.
+#
+bind = module
+
+# Layer: contrib
+# Module: rngd
+#
+# Daemon used to feed random data from hardware device to kernel random device
+#
+rngd = module
+
+# Layer: services
+# Module: bitlbee
+#
+# An IRC to other chat networks gateway
+#
+bitlbee = module
+
+# Layer: services
+# Module: blueman
+#
+# Blueman tools and system services.
+#
+blueman = module
+
+# Layer: services
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+#
+bluetooth = module
+
+# Layer: services
+# Module: boinc
+#
+# Berkeley Open Infrastructure for Network Computing
+#
+boinc = module
+
+# Layer: system
+# Module: brctl
+#
+# Utilities for configuring the linux ethernet bridge
+#
+brctl = module
+
+# Layer: services
+# Module: bugzilla
+#
+# Bugzilla server
+#
+bugzilla = module
+
+# Layer: services
+# Module: bumblebee
+#
+# Support NVIDIA Optimus technology under Linux
+#
+bumblebee = module
+
+# Layer: services
+# Module: cachefilesd
+#
+# CacheFiles userspace management daemon
+#
+cachefilesd = module
+
+# Module: calamaris
+#
+#
+# Squid log analysis
+#
+calamaris = module
+
+# Layer: services
+# Module: callweaver
+#
+# callweaver telephony sever
+#
+callweaver = module
+
+# Layer: services
+# Module: canna
+#
+# Canna - kana-kanji conversion server
+#
+canna = module
+
+# Layer: services
+# Module: ccs
+#
+# policy for ccs
+#
+ccs = module
+
+# Layer: apps
+# Module: cdrecord
+#
+# Policy for cdrecord
+#
+cdrecord = module
+
+# Layer: admin
+# Module: certmaster
+#
+# Digital Certificate master
+#
+certmaster = module
+
+# Layer: services
+# Module: certmonger
+#
+# Certificate status monitor and PKI enrollment client
+#
+certmonger = module
+
+# Layer: admin
+# Module: certwatch
+#
+# Digital Certificate Tracking
+#
+certwatch = module
+
+# Layer: services
+# Module: cfengine
+#
+# cfengine
+#
+cfengine = module
+
+# Layer: services
+# Module: cgroup
+#
+# Tools and libraries to control and monitor control groups
+#
+cgroup = module
+
+# Layer: apps
+# Module: chrome
+#
+# chrome sandbox
+#
+chrome = module
+
+# Layer: services
+# Module: chronyd
+#
+# Daemon for maintaining clock time
+#
+chronyd = module
+
+# Layer: services
+# Module: cipe
+#
+# Encrypted tunnel daemon
+#
+cipe = module
+
+
+# Layer: services
+# Module: clogd
+#
+# clogd - clustered mirror log server
+#
+clogd = module
+
+# Layer: services
+# Module: cloudform
+#
+# cloudform daemons
+#
+cloudform = module
+
+# Layer: services
+# Module: cmirrord
+#
+# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
+#
+cmirrord = module
+
+# Layer: services
+# Module: cobbler
+#
+# cobbler
+#
+cobbler = module
+
+# Layer: contrib
+# Module: cockpit
+#
+# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
+#
+cockpit = module
+
+# Layer: services
+# Module: collectd
+#
+# Statistics collection daemon for filling RRD files
+#
+collectd = module
+
+# Layer: services
+# Module: colord
+#
+# color device daemon
+#
+colord = module
+
+# Layer: services
+# Module: comsat
+#
+# Comsat, a biff server.
+#
+comsat = module
+
+# Layer: services
+# Module: condor
+#
+# policy for condor
+#
+condor = module
+
+# Layer: services
+# Module: conman
+#
+# Conman is a program for connecting to remote consoles being managed by conmand
+#
+conman = module
+
+# Layer: services
+# Module: consolekit
+#
+# ConsoleKit is a system daemon for tracking what users are logged
+#
+consolekit = module
+
+# Layer: services
+# Module: couchdb
+#
+# Apache CouchDB database server
+#
+couchdb = module
+
+# Layer: services
+# Module: courier
+#
+# IMAP and POP3 email servers
+#
+courier = module
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+#
+cpucontrol = module
+
+# Layer: apps
+# Module: cpufreqselector
+#
+# cpufreqselector executable
+#
+cpufreqselector = module
+
+# Layer: services
+# Module: cron
+#
+# Periodic execution of scheduled commands.
+#
+cron = module
+
+# Layer: services
+# Module: ctdbd
+#
+# Cluster Daemon
+#
+ctdb = module
+
+# Layer: services
+# Module: cups
+#
+# Common UNIX printing system
+#
+cups = module
+
+# Layer: services
+# Module: cvs
+#
+# Concurrent versions system
+#
+cvs = module
+
+# Layer: services
+# Module: cyphesis
+#
+# cyphesis game server
+#
+cyphesis = module
+
+# Layer: services
+# Module: cyrus
+#
+# Cyrus is an IMAP service intended to be run on sealed servers
+#
+cyrus = module
+
+# Layer: system
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services
+#
+daemontools = module
+
+# Layer: role
+# Module: dbadm
+#
+# Minimally prived root role for managing databases
+#
+dbadm = module
+
+# Layer: services
+# Module: dbskk
+#
+# Dictionary server for the SKK Japanese input method system.
+#
+dbskk = module
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+#
+dbus = module
+
+# Layer: services
+# Module: dcc
+#
+# A distributed, collaborative, spam detection and filtering network.
+#
+dcc = module
+
+# Layer: services
+# Module: ddclient
+#
+# Update dynamic IP address at DynDNS.org
+#
+ddclient = module
+
+# Layer: admin
+# Module: ddcprobe
+#
+# ddcprobe retrieves monitor and graphics card information
+#
+ddcprobe = off
+
+# Layer: services
+# Module: denyhosts
+#
+# script to help thwart ssh server attacks
+#
+denyhosts = module
+
+# Layer: services
+# Module: devicekit
+#
+# devicekit-daemon
+#
+devicekit = module
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+#
+dhcp = module
+
+# Layer: services
+# Module: dictd
+#
+# Dictionary daemon
+#
+dictd = module
+
+# Layer: services
+# Module: dirsrv-admin
+#
+# An 309 directory admin server
+#
+dirsrv-admin = module
+
+# Layer: services
+# Module: dirsrv
+#
+# An 309 directory server
+#
+dirsrv = module
+
+# Layer: services
+# Module: distcc
+#
+# Distributed compiler daemon
+#
+distcc = off
+
+# Layer: admin
+# Module: dmidecode
+#
+# Decode DMI data for x86/ia64 bioses.
+#
+dmidecode = module
+
+# Layer: services
+# Module: dnsmasq
+#
+# A lightweight DHCP and caching DNS server.
+#
+dnsmasq = module
+
+# Layer: services
+# Module: dnssec
+#
+# A dnssec server application
+#
+dnssec = module
+
+# Layer: services
+# Module: dovecot
+#
+# Dovecot POP and IMAP mail server
+#
+dovecot = module
+
+# Layer: services
+# Module: drbd
+#
+# DRBD mirrors a block device over the network to another machine.
+#
+drbd = module
+
+# Layer: services
+# Module: dspam
+#
+# dspam - library and Mail Delivery Agent for Bayesian SPAM filtering
+#
+dspam = module
+
+# Layer: services
+# Module: entropy
+#
+# Generate entropy from audio input
+#
+entropyd = module
+
+# Layer: services
+# Module: exim
+#
+# exim mail server
+#
+exim = module
+
+# Layer: services
+# Module: fail2ban
+#
+# daiemon that bans IP that makes too many password failures
+#
+fail2ban = module
+
+# Layer: services
+# Module: fcoe
+#
+# fcoe
+#
+fcoe = module
+
+# Layer: services
+# Module: fetchmail
+#
+# Remote-mail retrieval and forwarding utility
+#
+fetchmail = module
+
+# Layer: services
+# Module: finger
+#
+# Finger user information service.
+#
+finger = module
+
+# Layer: services
+# Module: firewalld
+#
+# firewalld is firewall service daemon that provides dynamic customizable
+#
+firewalld = module
+
+# Layer: apps
+# Module: firewallgui
+#
+# policy for system-config-firewall
+#
+firewallgui = module
+
+# Module: firstboot
+#
+# Final system configuration run during the first boot
+# after installation of Red Hat/Fedora systems.
+#
+firstboot = module
+
+# Layer: services
+# Module: fprintd
+#
+# finger print server
+#
+fprintd = module
+
+# Layer: services
+# Module: freqset
+#
+# Utility for CPU frequency scaling
+#
+freqset = module
+
+# Layer: services
+# Module: ftp
+#
+# File transfer protocol service
+#
+ftp = module
+
+# Layer: apps
+# Module: games
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+games = module
+
+# Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis
+#
+gitosis = module
+
+# Layer: services
+# Module: git
+#
+# Policy for the stupid content tracker
+#
+git = module
+
+# Layer: services
+# Module: glance
+#
+# Policy for glance
+#
+glance = module
+
+# Layer: contrib
+# Module: glusterd
+#
+# policy for glusterd service
+#
+glusterd = module
+
+# Layer: apps
+# Module: gnome
+#
+# gnome session and gconf
+#
+gnome = module
+
+# Layer: apps
+# Module: gpg
+#
+# Policy for GNU Privacy Guard and related programs.
+#
+gpg = module
+
+# Layer: services
+# Module: gpm
+#
+# General Purpose Mouse driver
+#
+gpm = module
+
+# Module: gpsd
+#
+# gpsd monitor daemon
+#
+#
+gpsd = module
+
+# Module: gssproxy
+#
+# A proxy for GSSAPI credential handling
+#
+#
+gssproxy = module
+
+# Layer: role
+# Module: guest
+#
+# Minimally privs guest account on tty logins
+#
+guest = module
+
+# Layer: role
+# Module: xguest
+#
+# Minimally privs guest account on X Windows logins
+#
+xguest = module
+
+# Layer: services
+# Module: hddtemp
+#
+# hddtemp hard disk temperature tool running as a daemon
+#
+hddtemp = module
+
+# Layer: services
+# Module: hostapd
+#
+# hostapd - IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
+#
+hostapd = module
+
+# Layer: services
+# Module: i18n_input
+#
+# IIIMF htt server
+#
+i18n_input = off
+
+# Layer: services
+# Module: icecast
+#
+# ShoutCast compatible streaming media server
+#
+icecast = module
+
+# Layer: services
+# Module: inetd
+#
+# Internet services daemon.
+#
+inetd = module
+
+# Layer: services
+# Module: inn
+#
+# Internet News NNTP server
+#
+inn = module
+
+# Layer: services
+# Module: lircd
+#
+# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.
+#
+lircd = module
+
+# Layer: apps
+# Module: irc
+#
+# IRC client policy
+#
+irc = module
+
+# Layer: services
+# Module: irqbalance
+#
+# IRQ balancing daemon
+#
+irqbalance = module
+
+# Layer: system
+# Module: iscsi
+#
+# Open-iSCSI daemon
+#
+iscsi = module
+
+# Layer: system
+# Module: isnsd
+#
+#
+#
+isns = module
+
+# Layer: services
+# Module: jabber
+#
+# Jabber instant messaging server
+#
+jabber = module
+
+# Layer: services
+# Module: jetty
+#
+# Java based http server
+#
+jetty = module
+
+# Layer: apps
+# Module: jockey
+#
+# policy for jockey-backend
+#
+jockey = module
+
+# Layer: apps
+# Module: kdumpgui
+#
+# system-config-kdump policy
+#
+kdumpgui = module
+
+# Layer: admin
+# Module: kdump
+#
+# kdump is kernel crash dumping mechanism
+#
+kdump = module
+
+# Layer: services
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC
+#
+kerberos = module
+
+# Layer: services
+# Module: keepalived
+#
+# keepalived - load-balancing and high-availability service
+#
+keepalived = module
+
+# Module: keyboardd
+#
+# system-setup-keyboard is a keyboard layout daemon that monitors
+# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet
+#
+keyboardd = module
+
+# Layer: services
+# Module: keystone
+#
+# openstack-keystone
+#
+keystone = module
+
+# Layer: services
+# Module: kismet
+#
+# Wireless sniffing and monitoring
+#
+kismet = module
+
+# Layer: services
+# Module: ksmtuned
+#
+# Kernel Samepage Merging (KSM) Tuning Daemon
+#
+ksmtuned = module
+
+# Layer: services
+# Module: ktalk
+#
+# KDE Talk daemon
+#
+ktalk = module
+
+# Layer: services
+# Module: l2ltpd
+#
+# Layer 2 Tunnelling Protocol Daemon
+#
+l2tp = module
+
+# Layer: services
+# Module: ldap
+#
+# OpenLDAP directory server
+#
+ldap = module
+
+# Layer: services
+# Module: likewise
+#
+# Likewise Active Directory support for UNIX
+#
+likewise = module
+
+# Layer: apps
+# Module: livecd
+#
+# livecd creator
+#
+livecd = module
+
+# Layer: services
+# Module: lldpad
+#
+# lldpad -
Link Layer Discovery Protocol (LLDP) agent daemon
+#
+lldpad = module
+
+# Layer: apps
+# Module: loadkeys
+#
+# Load keyboard mappings.
+#
+loadkeys = module
+
+# Layer: apps
+# Module: lockdev
+#
+# device locking policy for lockdev
+#
+lockdev = module
+
+# Layer: admin
+# Module: logrotate
+#
+# Rotate and archive system logs
+#
+logrotate = module
+
+# Layer: services
+# Module: logwatch
+#
+# logwatch executable
+#
+logwatch = module
+
+# Layer: services
+# Module: lpd
+#
+# Line printer daemon
+#
+lpd = module
+
+# Layer: services
+# Module: mailman
+#
+# Mailman is for managing electronic mail discussion and e-newsletter lists
+#
+mailman = module
+
+# Layer: services
+# Module: mailman
+#
+# Policy for mailscanner
+#
+mailscanner = module
+
+# Layer: apps
+# Module: man2html
+#
+# policy for man2html apps
+#
+man2html = module
+
+# Layer: admin
+# Module: mcelog
+#
+# Policy for mcelog.
+#
+mcelog = module
+
+# Layer: apps
+# Module: mediawiki
+#
+# mediawiki
+#
+mediawiki = module
+
+# Layer: services
+# Module: memcached
+#
+# high-performance memory object caching system
+#
+memcached = module
+
+# Layer: services
+# Module: milter
+#
+#
+#
+milter = module
+
+# Layer: services
+# Module: mip6d
+#
+# UMIP Mobile IPv6 and NEMO Basic Support protocol implementation
+#
+mip6d = module
+
+# Layer: services
+# Module: mock
+#
+# Policy for mock rpm builder
+#
+mock = module
+
+# Layer: services
+# Module: modemmanager
+#
+# Manager for dynamically switching between modems.
+#
+modemmanager = module
+
+# Layer: services
+# Module: mojomojo
+#
+# Wiki server
+#
+mojomojo = module
+
+# Layer: apps
+# Module: mozilla
+#
+# Policy for Mozilla and related web browsers
+#
+mozilla = module
+
+# Layer: services
+# Module: mpd
+#
+# mpd - daemon for playing music
+#
+mpd = module
+
+# Layer: apps
+# Module: mplayer
+#
+# Policy for Mozilla and related web browsers
+#
+mplayer = module
+
+# Layer: admin
+# Module: mrtg
+#
+# Network traffic graphing
+#
+mrtg = module
+
+# Layer: services
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+#
+mta = module
+
+# Layer: services
+# Module: munin
+#
+# Munin
+#
+munin = module
+
+# Layer: services
+# Module: mysql
+#
+# Policy for MySQL
+#
+mysql = module
+
+# Layer: contrib
+# Module: mythtv
+#
+# Policy for Mythtv (Web Server)
+#
+mythtv = module
+
+# Layer: services
+# Module: nagios
+#
+# policy for nagios Host/service/network monitoring program
+#
+nagios = module
+
+# Layer: apps
+# Module: namespace
+#
+# policy for namespace.init script
+#
+namespace = module
+
+# Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+#
+networkmanager = module
+
+# Layer: services
+# Module: ninfod
+#
+# Respond to IPv6 Node Information Queries
+#
+ninfod = module
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+#
+nis = module
+
+# Layer: services
+# Module: nova
+#
+# openstack-nova
+#
+nova = module
+
+# Layer: services
+# Module: nslcd
+#
+# Policy for nslcd
+#
+nslcd = module
+
+# Layer: services
+# Module: ntop
+#
+# Policy for ntop
+#
+ntop = module
+
+# Layer: services
+# Module: ntp
+#
+# Network time protocol daemon
+#
+ntp = module
+
+# Layer: services
+# Module: numad
+#
+# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology
+#
+numad = module
+
+# Layer: services
+# Module: nut
+#
+# nut - Network UPS Tools
+#
+nut = module
+
+# Layer: services
+# Module: nx
+#
+# NX Remote Desktop
+#
+nx = module
+
+# Layer: services
+# Module: obex
+#
+# policy for obex-data-server
+#
+obex = module
+
+# Layer: services
+# Module: oddjob
+#
+# policy for oddjob
+#
+oddjob = module
+
+# Layer: services
+# Module: openct
+#
+# Service for handling smart card readers.
+#
+openct = off
+
+# Layer: service
+# Module: openct
+#
+# Middleware framework for smart card terminals
+#
+openct = module
+
+# Layer: contrib
+# Module: openshift-origin
+#
+# Origin version of openshift policy
+#
+openshift-origin = module
+# Layer: contrib
+# Module: openshift
+#
+# Core openshift policy
+#
+openshift = module
+
+# Layer: services
+# Module: opensm
+#
+# InfiniBand subnet manager and administration (SM/SA)
+#
+opensm = module
+
+# Layer: services
+# Module: openvpn
+#
+# Policy for OPENVPN full-featured SSL VPN solution
+#
+openvpn = module
+
+# Layer: contrib
+# Module: openvswitch
+#
+# SELinux policy for openvswitch programs
+#
+openvswitch = module
+
+# Layer: services
+# Module: openwsman
+#
+# WS-Management Server
+#
+openwsman = module
+
+# Layer: services
+# Module: osad
+#
+# Client-side service written in Python that responds to pings
+#
+osad = module
+
+# Layer: contrib
+# Module: prelude
+#
+# SELinux policy for prelude
+#
+prelude = module
+
+# Layer: contrib
+# Module: prosody
+#
+# SELinux policy for prosody flexible communications server for Jabber/XMPP
+#
+prosody = module
+
+# Layer: services
+# Module: pads
+#
+pads = module
+
+# Layer: services
+# Module: passenger
+#
+# Passenger
+#
+passenger = module
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+#
+pcmcia = module
+
+# Layer: service
+# Module: pcscd
+#
+# PC/SC Smart Card Daemon
+#
+pcscd = module
+
+# Layer: services
+# Module: pdns
+#
+# PowerDNS DNS server
+#
+pdns = module
+
+# Layer: services
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+# +pegasus = module + +# Layer: services +# Module: pingd +# +# +pingd = module + +# Layer: services +# Module: piranha +# +# piranha - various tools to administer and configure the Linux Virtual Server +# +piranha = module + +# Layer: contrib +# Module: pkcs +# +# daemon manages PKCS#11 objects between PKCS#11-enabled applications +# +pkcs = module + +# Layer: services +# Module: plymouthd +# +# Plymouth +# +plymouthd = module + +# Layer: apps +# Module: podsleuth +# +# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. +# +podsleuth = module + +# Layer: services +# Module: policykit +# +# Hardware abstraction layer +# +policykit = module + +# Layer: services +# Module: polipo +# +# polipo +# +polipo = module + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = module + +# Layer: services +# Module: portreserve +# +# reserve ports to prevent portmap mapping them +# +portreserve = module + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = module + +# Layer: services +# Module: postgrey +# +# email scanner +# +postgrey = module + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = module + +# Layer: admin +# Module: prelink +# +# Manage temporary directory sizes and file ages +# +prelink = module + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. 
+# +privoxy = module + +# Layer: services +# Module: procmail +# +# Procmail mail delivery agent +# +procmail = module + +# Layer: services +# Module: psad +# +# Analyze iptables log for hostile traffic +# +psad = module + +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + +# Layer: services +# Module: publicfile +# +# publicfile supplies files to the public through HTTP and FTP +# +publicfile = module + +# Layer: apps +# Module: pulseaudio +# +# The PulseAudio Sound System +# +pulseaudio = module + +# Layer: services +# Module: puppet +# +# A network tool for managing many disparate systems +# +puppet = module + +# Layer: apps +# Module: pwauth +# +# External plugin for mod_authnz_external authenticator +# +pwauth = module + +# Layer: services +# Module: qmail +# +# Policy for qmail +# +qmail = module + +# Layer: services +# Module: qpidd +# +# Policy for qpidd +# +qpid = module + +# Layer: services +# Module: quantum +# +# Quantum is a virtual network service for Openstack +# +quantum = module + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = module + +# Layer: services +# Module: rabbitmq +# +# rabbitmq daemons +# +rabbitmq = module + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. 
+# +radius = module + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = module + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = module + +# Layer: services +# Module: rasdaemon +# +# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing +# +rasdaemon = module + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = module + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = module + +# Layer: contrib +# Module: stapserver +# +# dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA +# +realmd = module + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. +# +remotelogin = module + +# Layer: services +# Module: rhcs +# +# RHCS - Red Hat Cluster Suite +# +rhcs = module + +# Layer: services +# Module: rhev +# +# rhev policy module contains policies for rhev apps +# +rhev = module + +# Layer: services +# Module: rhgb +# +# X windows login display manager +# +rhgb = module + +# Layer: services +# Module: rhsmcertd +# +# Subscription Management Certificate Daemon policy +# +rhsmcertd = module + +# Layer: services +# Module: ricci +# +# policy for ricci +# +ricci = module + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = module + +# Layer: services +# Module: roundup +# +# Roundup Issue Tracking System policy +# +roundup = module + +# Layer: services +# Module: rpcbind +# +# universal addresses to RPC program number mapper +# +rpcbind = module + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = module + +# Layer: services +# Module: rshd +# +# Remote shell service. 
+# +rshd = module + +# Layer: apps +# Module: rssh +# +# Restricted (scp/sftp) only shell +# +rssh = module + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = module + +# Layer: services +# Module: rtkit +# +# Real Time Kit Daemon +# +rtkit = module + +# Layer: services +# Module: rwho +# +# who is logged in on local machines +# +rwho = module + +# Layer: apps +# Module: sambagui +# +# policy for system-config-samba +# +sambagui = module + +# +# SMB and CIFS client/server programs for UNIX and +# name Service Switch daemon for resolving names +# from Windows NT servers. +# +samba = module + +# Layer: apps +# Module: sandbox +# +# Policy for running apps within a sandbox +# +sandbox = module + +# Layer: apps +# Module: sandbox +# +# Policy for running apps within a X sandbox +# +sandboxX = module + +# Layer: services +# Module: sanlock +# +# sanlock policy +# +sanlock = module + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = module + +# Layer: services +# Module: sblim +# +# sblim +# +sblim = module + +# Layer: apps +# Module: screen +# +# GNU terminal multiplexer +# +screen = module + +# Layer: admin +# Module: sectoolm +# +# Policy for sectool-mechanism +# +sectoolm = module + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. 
+# +sendmail = module + +# Layer: contrib +# Module: sensord +# +# Sensor information logging daemon +# +sensord = module + +# Layer: services +# Module: setroubleshoot +# +# Policy for the SELinux troubleshooting utility +# +setroubleshoot = module + +# Layer: services +# Module: sge +# +# policy for grindengine MPI jobs +# +sge = module + +# Layer: admin +# Module: shorewall +# +# Policy for shorewall +# +shorewall = module + +# Layer: apps +# Module: slocate +# +# Update database for mlocate +# +slocate = module + +# Layer: contrib +# Module: slpd +# +# OpenSLP server daemon to dynamically register services +# +slpd = module + +# Layer: services +# Module: slrnpull +# +# Service for downloading news feeds the slrn newsreader. +# +slrnpull = off + +# Layer: services +# Module: smartmon +# +# Smart disk monitoring daemon policy +# +smartmon = module + +# Layer: services +# Module: smokeping +# +# Latency Logging and Graphing System +# +smokeping = module + +# Layer: admin +# Module: smoltclient +# +#The Fedora hardware profiler client +# +smoltclient = module + +# Layer: services +# Module: snmp +# +# Simple network management protocol services +# +snmp = module + +# Layer: services +# Module: snort +# +# Snort network intrusion detection system +# +snort = module + +# Layer: admin +# Module: sosreport +# +# sosreport debuggin information generator +# +sosreport = module + +# Layer: services +# Module: soundserver +# +# sound server for network audio server programs, nasd, yiff, etc +# +soundserver = module + +# Layer: services +# Module: spamassassin +# +# Filter used for removing unsolicited email. 
+# +spamassassin = module + +# Layer: services +# Module: speech-dispatcher +# +# speech-dispatcher - server process managing speech requests in Speech Dispatcher +# +speech-dispatcher = module + +# Layer: services +# Module: squid +# +# Squid caching http proxy server +# +squid = module + +# Layer: services +# Module: sssd +# +# System Security Services Daemon +# +sssd = module + +# Layer: services +# Module: sslh +# +# Applicative protocol(SSL/SSH) multiplexer +# +sslh = module + +# Layer: contrib +# Module: stapserver +# +# Instrumentation System Server +# +stapserver = module + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = module + +# Layer: services +# Module: svnserve +# +# policy for subversion service +# +svnserve = module + +# Layer: services +# Module: swift +# +# openstack-swift +# +swift = module + +# Layer: services +# Module: sysstat +# +# Policy for sysstat. Reports on various system states +# +sysstat = module + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. +# +tcpd = module + +# Layer: services +# Module: tcsd +# +# tcsd - daemon that manages Trusted Computing resources +# +tcsd = module + +# Layer: apps +# Module: telepathy +# +# telepathy - Policy for Telepathy framework +# +telepathy = module + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = module + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = module + +# Layer: services +# Module: tgtd +# +# Linux Target Framework Daemon. 
+# +tgtd = module + +# Layer: apps +# Module: thumb +# +# Thumbnailer confinement +# +thumb = module + +# Layer: services +# Module: timidity +# +# MIDI to WAV converter and player configured as a service +# +timidity = off + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = module + +# Layer: contrib +# Module: glusterd +# +# policy for tomcat service +# +tomcat = module +# Layer: services +# Module: tor +# +# TOR, the onion router +# +tor = module + +# Layer: services +# Module: tuned +# +# Dynamic adaptive system tuning daemon +# +tuned = module + +# Layer: apps +# Module: tvtime +# +# tvtime - a high quality television application +# +tvtime = module + +# Layer: services +# Module: ulogd +# +# netfilter/iptables ULOG daemon +# +ulogd = module + +# Layer: apps +# Module: uml +# +# Policy for UML +# +uml = module + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. +# +updfstab = module + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = module + +# Layer: services +# Module: usbmuxd +# +# Daemon for communicating with Apple's iPod Touch and iPhone +# +usbmuxd = module + +# Layer: apps +# Module: userhelper +# +# A helper interface to pam. +# +userhelper = module + +# Layer: apps +# Module: usernetctl +# +# User network interface configuration helper +# +usernetctl = module + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = module + +# Layer: services +# Module: uuidd +# +# UUID generation daemon +# +uuidd = module + +# Layer: services +# Module: varnishd +# +# Varnishd http accelerator daemon +# +varnishd = module + +# Layer: services +# Module: vdagent +# +# vdagent +# +vdagent = module + +# Layer: services +# Module: vhostmd +# +# vhostmd - spice guest agent daemon. 
+# +vhostmd = module + +# Layer: services +# Module: virt +# +# Virtualization libraries +# +virt = module + +# Layer: apps +# Module: vhostmd +# +# vlock - Virtual Console lock program +# +vlock = module + +# Layer: services +# Module: vmtools +# +# VMware Tools daemon +# +vmtools = module + +# Layer: apps +# Module: vmware +# +# VMWare Workstation virtual machines +# +vmware = module + +# Layer: services +# Module: vnstatd +# +# Network traffic Monitor +# +vnstatd = module + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = module + +# Layer: services +# Module: w3c +# +# w3c +# +w3c = module + +# Layer: services +# Module: wdmd +# +# wdmd policy +# +wdmd = module + +# Layer: role +# Module: webadm +# +# Minimally prived root role for managing apache +# +webadm = module + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = module + +# Layer: apps +# Module: wine +# +# wine executable +# +wine = module + +# Layer: apps +# Module: wireshark +# +# wireshark executable +# +wireshark = module + +# Layer: system +# Module: xen +# +# virtualization software +# +xen = module + +# Layer: services +# Module: zabbix +# +# Open-source monitoring solution for your IT infrastructure +# +zabbix = module + +# Layer: services +# Module: zarafa +# +# Zarafa Collaboration Platform +# +zarafa = module + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = module + +# Layer: services +# Module: zoneminder +# +# Zoneminder Camera Security Surveillance Solution +# +zoneminder = module + +# Layer: services +# Module: zosremote +# +# policy for z/OS Remote-services Audit dispatcher plugin +# +zosremote = module + +# Layer: contrib +# Module: thin +# +# Policy for thin +# +thin = module + +# Layer: contrib +# Module: mandb +# +# Policy for mandb +# +mandb = module + +# Layer: services +# Module: pki +# +# policy for pki +# +pki = module + +# Layer: services +# Module: smsd 
+# +# policy for smsd +# +smsd = module + +# Layer: contrib +# Module: pesign +# +# policy for pesign +# +pesign = module + +# Layer: contrib +# Module: nsd +# +# Fast and lean authoritative DNS Name Server +# +nsd = module + +# Layer: contrib +# Module: iodine +# +# Fast and lean authoritative DNS Name Server +# +iodine = module + +# Layer: contrib +# Module: openhpid +# +# OpenHPI daemon runs as a background process and accepts connecti +# +openhpid = module + +# Layer: contrib +# Module: watchdog +# +# Watchdog policy +# +watchdog = module + +# Layer: contrib +# Module: oracleasm +# +# oracleasm policy +# +oracleasm = module + +# Layer: contrib +# Module: redis +# +# redis policy +# +redis = module + +# Layer: contrib +# Module: hypervkvp +# +# hypervkvp policy +# +hypervkvp = module + +# Layer: contrib +# Module: lsm +# +# lsm policy +# +lsm = module + +# Layer: contrib +# Module: motion +# +# Daemon for detect motion using a video4linux device +motion = module + +# Layer: contrib +# Module: rtas +# +# rtas policy +# +rtas = module + +# Layer: contrib +# Module: journalctl +# +# journalctl policy +# +journalctl = module + +# Layer: contrib +# Module: gdomap +# +# gdomap policy +# +gdomap = module + +# Layer: contrib +# Module: minidlna +# +# minidlna policy +# +minidlna = module + +# Layer: contrib +# Module: minissdpd +# +# minissdpd policy +# +minissdpd = module + +# Layer: contrib +# Module: freeipmi +# +# Remote-Console (out-of-band) and System Management Software (in-band) +# based on IntelligentPlatform Management Interface specification +# +freeipmi = module + +# Layer: contrib +# Module: freeipmi +# +# ipa policy module contain SELinux policies for IPA services +# +ipa = module + +# Layer: contrib +# Module: mirrormanager +# +# mirrormanager policy +# +mirrormanager = module + +# Layer: contrib +# Module: snapper +# +# snapper policy +# +snapper = module + +# Layer: contrib +# Module: pcp +# +# pcp policy +# +pcp = module + +# Layer: contrib +# Module: 
geoclue +# +# Add policy for Geoclue. Geoclue is a D-Bus service that provides location information +# +geoclue = module + +# Layer: contrib +# Module: rkhunter +# +# rkhunter policy for /var/lib/rkhunter +# +rkhunter = module + +# Layer: contrib +# Module: bacula +# +# bacula policy +# +bacula = module + +# Layer: contrib +# Module: rhnsd +# +# rhnsd policy +# +rhnsd = module + +# Layer: contrib +# Module: mongodb +# +# mongodb policy +# + +mongodb = module + +# Layer: contrib +# Module: iotop +# +# iotop policy +# + +iotop = module + +# Layer: contrib +# Module: kmscon +# +# kmscon policy +# + +kmscon = module + +# Layer: contrib +# Module: naemon +# +# naemon policy +# +naemon = module + +# Layer: contrib +# Module: brltty +# +# brltty policy +# +brltty = module + +# Layer: contrib +# Module: cpuplug +# +# cpuplug policy +# +cpuplug = module + +# Layer: contrib +# Module: mon_statd +# +# mon_statd policy +# +mon_statd = module + +# Layer: contrib +# Module: cinder +# +# openstack-cinder policy +# +cinder = module + +# Layer: contrib +# Module: linuxptp +# +# linuxptp policy +# +linuxptp = module + +# Layer: contrib +# Module: rolekit +# +# rolekit policy +# +rolekit = module + +# Layer: contrib +# Module: targetd +# +# targetd policy +# +targetd = module + +# Layer: contrib +# Module: hsqldb +# +# Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes. +# +hsqldb = module + +# Layer: contrib +# Module: blkmapd +# +# The blkmapd daemon performs device discovery and mapping for pNFS block layout client. +# +blkmapd = module + +# Layer: contrib +# Module: pkcs11proxyd +# +# pkcs11proxyd policy +# +pkcs11proxyd = module + +# Layer: contrib +# Module: ipmievd +# +# IPMI event daemon for sending events to syslog +# +ipmievd = module + +# Layer: contrib +# Module: openfortivpn +# +# Fortinet compatible SSL VPN daemons. 
+# +openfortivpn = module + +# Layer: contrib +# Module: fwupd +# +# fwupd is a daemon to allow session software to update device firmware. +# +fwupd = module + +# Layer: contrib +# Module: lttng-tools +# +# LTTng 2.x central tracing registry session daemon. +# +lttng-tools = module + +# Layer: contrib +# Module: rkt +# +# CLI for running app containers +# +rkt = module + +# Layer: contrib +# Module: opendnssec +# +# opendnssec +# +opendnssec = module + +# Layer: contrib +# Module: hwloc +# +# hwloc +# +hwloc = module + +# Layer: contrib +# Module: sbd +# +# sbd +# +sbd = module + +# Layer: contrib +# Module: tlp +# +# tlp +# +tlp = module + +# Layer: contrib +# Module: conntrackd +# +# conntrackd +# +conntrackd = module + +# Layer: contrib +# Module: tangd +# +# tangd +# +tangd = module + +# Layer: contrib +# Module: ibacm +# +# ibacm +# +ibacm = module + +# Layer: contrib +# Module: opafm +# +# opafm +# +opafm = module + +# Layer: contrib +# Module: boltd +# +# boltd +# +boltd = module + +# Layer: contrib +# Module: kpatch +# +# kpatch +# +kpatch = module diff --git a/modules-minimum-disable.lst b/modules-minimum-disable.lst index 9396cb2..d731579 100644 --- a/modules-minimum-disable.lst +++ b/modules-minimum-disable.lst 
@@ -1 +1 @@
-abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nscd nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown publicfile pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs
\ No newline at end of file
+abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown publicfile pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs
diff --git a/modules-mls-base.conf b/modules-mls-base.conf
index ad5a0cc..29a3aa7 100644
--- a/modules-mls-base.conf
+++ b/modules-mls-base.conf
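Review bot: The rewritten line silently drops `nscd` from the disable list (the old line reads `nis nova nscd nslcd`, the new one `nis nova nslcd`) while every other token is unchanged, so in a one-line file the only difference a reader notices is the added trailing newline, and the fact that the nscd module presumably now stays enabled in the minimum policy goes unrecorded. If that is intended, say so in the commit message; if not, restore `nscd` in the same position. The line also still carries duplicate tokens that predate this change (`gpg gpg`, `ncftool ncftool`, `vbetool vbetool`, and `tftp`, `rpcbind`, `slpd`, `openvpn`, `prelude`, `xguest`, `lircd`, `ksmtuned`, `cpufreqselector` each listed twice); since the whole line is being rewritten anyway, deduplicating and sorting it would make future diffs of this file reviewable.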
@@ -1,15 +1,59 @@
+# Layer: kernel
+# Module: bootloader
 #
-# This file contains a listing of available modules.
-# To prevent a module from being used in policy
-# creation, set the module name to "off".
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
 #
-# For monolithic policies, modules set to "base" and "module"
-# will be built into the policy.
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: admin
+# Module: dmesg
 #
-# For modular policies, modules set to "base" will be
-# included in the base module. "module" will be compiled
-# as individual loadable modules.
+# Policy for dmesg.
+#
+dmesg = module
+
+# Layer: admin
+# Module: netutils
 #
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = module
+
+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+#
+seunshare = module
 
 # Layer: kernel
 # Module: corecommands
@@ -20,15 +64,6 @@
 #
 corecommands = base
 
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-#
-corenetwork = base
-
-# Layer: kernel
 # Module: devices
 # Required in base
 #
@@ -36,7 +71,6 @@ corenetwork = base
 #
 devices = base
 
-# Layer: kernel
 # Module: domain
 # Required in base
 #
@@ -44,7 +78,13 @@ devices = base
 #
 domain = base
 
-# Layer: kernel
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
 # Module: files
 # Required in base
 #
@@ -52,7 +92,6 @@ domain = base
 #
 files = base
 
-# Layer: kernel
 # Module: filesystem
 # Required in base
 #
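Review bot: The first hunk deletes the file's only explanation of the `off`/`base`/`module` values (the old `# This file contains a listing of available modules.` header and the two paragraphs after it) without replacing it, so a reader of modules-mls-base.conf no longer learns that `base` entries are included in the base module while `module` entries are compiled as individual loadable modules, or that `off` excludes a module. Keep that header above the first entry, or restate it in one comment such as `# Values: base = included in the base module, module = built as a loadable module, off = not built`. The same hunk labels the moved `bootloader` entry `# Layer: kernel`, while the entry it replaces further down the file carries `# Layer: admin`; the layer line should travel with the entry, i.e. `# Layer: admin`.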
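Review bot: Starting with the `@@ -20,15 +64,6 @@` hunk the `# Layer: kernel` line is stripped from the devices entry, and the `-36`, `-44`, `-52`, `-60` and `-85` hunks do the same for domain, files, filesystem, kernel, mcs, mls and selinux, so these entries no longer follow the `# Layer:` / `# Module:` header pattern that every other entry in the file, including the ones this commit adds, uses. In the `-44` hunk the new `userdomain` entry (`# Layer: system`) is also spliced between `domain = base` and `# Module: files`, so the kernel-layer block is interrupted and `files` is left with no layer header at all. I would keep each `# Layer: kernel` line where it was and place the userdomain entry after the last kernel entry instead.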
@@ -60,24 +99,20 @@ files = base
 #
 filesystem = base
 
-# Layer: kernel
 # Module: kernel
 # Required in base
 #
-# Policy for kernel threads, proc filesystem,
-# and unlabeled processes and objects.
+# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
 #
 kernel = base
 
-# Layer: kernel
 # Module: mcs
 # Required in base
 #
-# Multicategory security policy
+# MultiCategory security policy
 #
 mcs = base
 
-# Layer: kernel
 # Module: mls
 # Required in base
 #
@@ -85,7 +120,6 @@ mcs = base
 #
 mls = base
 
-# Layer: kernel
 # Module: selinux
 # Required in base
 #
@@ -94,6 +128,12 @@ mls = base
 selinux = base
 
 # Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = base
+
 # Module: terminal
 # Required in base
 #
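Review bot: The rewrapped description of the `kernel` entry loses the space after the comma, `# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.`; it should read `# Policy for kernel threads, proc filesystem, and unlabeled processes and objects.`. The change from `Multicategory security policy` to `MultiCategory security policy` in the same hunk looks unintended; unless the new capitalisation is deliberate, keep the original wording so the hunk carries only the structural change.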
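Review bot: The `storage` entry added in the `@@ -94,6 +128,12 @@` hunk sets `storage = base`, whereas the entry it supersedes lower in the file (the removed `-storage = module` under `# Module: storage`) built it as a loadable module; by the file's own removed header a `base` entry is included in the base module rather than built separately, so this changes how the MLS base policy is composed and deserves a sentence in the commit message. The new block is also placed under the `# Layer: kernel` line that belonged to `terminal`, leaving terminal without a header, and it lacks the `# Required in base` line that the neighbouring base entries carry; I would add `# Layer: kernel` before `# Module: terminal` and either add `# Required in base` to the storage block or keep it as `module` if inclusion in base is not the intent.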
@@ -103,2049 +143,67 @@ terminal = base # Layer: kernel # Module: ubac -# Required in base # -# User-based access control policy +# # ubac = base -# Layer: admin -# Module: acct -# -# Berkeley process accounting. -# -acct = module - -# Layer: admin -# Module: aide -# -# Aide filesystem integrity checker. -# -aide = module - -# Layer: admin -# Module: alsa -# -# Advanced Linux Sound Architecture utilities. -# -alsa = module - -# Layer: admin -# Module: amanda -# -# Advanced Maryland Automatic Network Disk Archiver. -# -amanda = module - -# Layer: admin -# Module: amtu -# -# Abstract Machine Test Utility. -# -amtu = module - -# Layer: admin -# Module: anaconda -# -# Anaconda installer. -# -anaconda = module - -# Layer: admin -# Module: apt -# -# Advanced package tool. -# -apt = module - -# Layer: admin -# Module: backup -# -# System backup scripts. -# -backup = module - -# Layer: admin -# Module: bacula -# -# Cross platform network backup. -# -bacula = module - -# Layer: admin -# Module: bcfg2 -# -# configuration management suite. -# -bcfg2 = module - -# Layer: admin -# Module: blueman -# -# Tool to manage Bluetooth devices. -# -blueman = module - -# Layer: admin -# Module: bootloader -# -# Policy for the kernel modules, kernel image, and bootloader. -# -bootloader = module - -# Layer: admin -# Module: brctl -# -# Utilities for configuring the Linux ethernet bridge. -# -brctl = module - -# Layer: admin -# Module: certwatch -# -# Digital Certificate Tracking. -# -certwatch = module - -# Layer: admin -# Module: cfengine -# -# System administration tool for networks. -# -cfengine = module - -# Layer: admin -# Module: chkrootkit -# -# chkrootkit - rootkit checker. -# -chkrootkit = module - -# Layer: admin -# Module: consoletype -# -# Determine of the console connected to the controlling terminal. -# -consoletype = module - -# Layer: admin -# Module: ddcprobe -# -# ddcprobe retrieves monitor and graphics card information. 
-# -ddcprobe = module - -# Layer: admin -# Module: dmesg -# -# Policy for dmesg. -# -dmesg = module - -# Layer: admin -# Module: dmidecode -# -# Decode DMI data for x86/ia64 bioses. -# -dmidecode = module - -# Layer: admin -# Module: dphysswapfile -# -# Set up, mount/unmount, and delete an swap file. -# -dphysswapfile = module - -# Layer: admin -# Module: dpkg -# -# Debian package manager. -# -dpkg = module - -# Layer: admin -# Module: fakehwclock -# -# fake-hwclock - Control fake hardware clock. -# -fakehwclock = module - -# Layer: admin -# Module: firstboot -# -# Initial system configuration utility. -# -firstboot = module - -# Layer: admin -# Module: hwloc -# -# Dump topology and locality information from hardware tables. -# -hwloc = module - -# Layer: admin -# Module: kdump -# -# Kernel crash dumping mechanism. -# -kdump = module - -# Layer: admin -# Module: kdumpgui -# -# System-config-kdump GUI. -# -kdumpgui = module - -# Layer: admin -# Module: kismet -# -# IEEE 802.11 wireless LAN sniffer. -# -kismet = module - -# Layer: admin -# Module: kudzu -# -# Hardware detection and configuration tools. -# -kudzu = module - -# Layer: admin -# Module: logrotate -# -# Rotates, compresses, removes and mails system log files. -# -logrotate = module - -# Layer: admin -# Module: logwatch -# -# System log analyzer and reporter. -# -logwatch = module - -# Layer: admin -# Module: mcelog -# -# Linux hardware error daemon. -# -mcelog = module - -# Layer: admin -# Module: mrtg -# -# Network traffic graphing. -# -mrtg = module - -# Layer: admin -# Module: ncftool -# -# Cross-platform network configuration library. -# -ncftool = module - -# Layer: admin -# Module: netutils -# -# Network analysis utilities -# -netutils = module - -# Layer: admin -# Module: passenger -# -# Ruby on rails deployment for Apache and Nginx servers. -# -passenger = module - -# Layer: admin -# Module: portage -# -# Package Management System. 
-# -portage = module - -# Layer: admin -# Module: prelink -# -# Prelink ELF shared library mappings. -# -prelink = module - -# Layer: admin -# Module: puppet -# -# Configuration management system. -# -puppet = module - -# Layer: admin -# Module: quota -# -# File system quota management. -# -quota = module - -# Layer: admin -# Module: readahead -# -# Read files into page cache for improved performance. -# -readahead = module - -# Layer: admin -# Module: rkhunter -# -# rkhunter - rootkit checker. -# -rkhunter = module - -# Layer: admin -# Module: rpm -# -# Redhat package manager. -# -rpm = module - -# Layer: admin -# Module: samhain -# -# Check file integrity. -# -samhain = module - -# Layer: admin -# Module: sblim -# -# Standards Based Linux Instrumentation for Manageability. -# -sblim = module - -# Layer: admin -# Module: sectoolm -# -# Sectool security audit tool. -# -sectoolm = module - -# Layer: admin -# Module: shorewall -# -# Shoreline Firewall high-level tool for configuring netfilter. -# -shorewall = module - -# Layer: admin -# Module: shutdown -# -# System shutdown command. -# -shutdown = module - -# Layer: admin -# Module: smoltclient -# -# The Fedora hardware profiler client. -# -smoltclient = module - -# Layer: admin -# Module: sosreport -# -# Generate debugging information for system. -# -sosreport = module - -# Layer: admin -# Module: su -# -# Run shells with substitute user and group. -# -su = module - -# Layer: admin -# Module: sudo -# -# Execute a command with a substitute user -# -sudo = module - -# Layer: admin -# Module: sxid -# -# SUID/SGID program monitoring. -# -sxid = module - -# Layer: admin -# Module: tboot -# -# Utilities for the tboot TXT module. -# -tboot = module - -# Layer: admin -# Module: tmpreaper -# -# Manage temporary directory sizes and file ages. -# -tmpreaper = module - -# Layer: admin -# Module: tripwire -# -# File integrity checker. -# -tripwire = module - -# Layer: admin -# Module: tzdata -# -# Time zone updater. 
-# -tzdata = module - -# Layer: admin -# Module: updfstab -# -# Red Hat utility to change fstab. -# -updfstab = module - -# Layer: admin -# Module: usbmodules -# -# List kernel modules of USB devices. -# -usbmodules = module - -# Layer: admin -# Module: usermanage -# -# Policy for managing user accounts. -# -usermanage = module - -# Layer: admin -# Module: vbetool -# -# run real-mode video BIOS code to alter hardware state. -# -vbetool = module - -# Layer: admin -# Module: vpn -# -# Virtual Private Networking client. -# -vpn = module - -# Layer: apps -# Module: ada -# -# GNAT Ada95 compiler. -# -ada = module - -# Layer: apps -# Module: awstats -# -# Log file analyzer for advanced statistics. -# -awstats = module - -# Layer: apps -# Module: calamaris -# -# Squid log analysis. -# -calamaris = module - -# Layer: apps -# Module: cdrecord -# -# Record audio or data Compact Discs from a master. -# -cdrecord = module - -# Layer: apps -# Module: cpufreqselector -# -# Command-line CPU frequency settings. -# -cpufreqselector = module - -# Layer: apps -# Module: evolution -# -# Evolution email client. -# -evolution = module - -# Layer: apps -# Module: firewallgui -# -# system-config-firewall dbus system service. -# -firewallgui = module - -# Layer: apps -# Module: games -# -# Various games. -# -games = module - -# Layer: apps -# Module: gift -# -# Peer to peer file sharing tool. -# -gift = module - -# Layer: apps -# Module: gitosis -# -# Tools for managing and hosting git repositories. -# -gitosis = module - -# Layer: apps -# Module: gnome -# -# GNU network object model environment. -# -gnome = module - -# Layer: apps -# Module: gpg -# -# Policy for GNU Privacy Guard and related programs. -# -gpg = module - -# Layer: apps -# Module: irc -# -# IRC client policy. -# -irc = module - -# Layer: apps -# Module: java -# -# Java virtual machine -# -java = module - -# Layer: apps -# Module: libmtp -# -# libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP). 
-#
-libmtp = module
-
-# Layer: apps
-# Module: lightsquid
-#
-# Log analyzer for squid proxy.
-#
-lightsquid = module
-
-# Layer: apps
-# Module: livecd
-#
-# Tool for building alternate livecd for different os and policy versions.
-#
-livecd = module
-
-# Layer: apps
-# Module: loadkeys
-#
-# Load keyboard mappings.
-#
-loadkeys = module
-
-# Layer: apps
-# Module: lockdev
-#
-# Library for locking devices.
-#
-lockdev = module
-
-# Layer: apps
-# Module: man2html
-#
-# A Unix manpage-to-HTML converter.
-#
-man2html = module
-
-# Layer: apps
-# Module: mandb
-#
-# On-line manual database.
-#
-mandb = module
-
-# Layer: apps
-# Module: mono
-#
-# Run .NET server and client applications on Linux.
-#
-mono = module
-
-# Layer: apps
-# Module: mozilla
-#
-# Policy for Mozilla and related web browsers.
-#
-mozilla = module
-
-# Layer: apps
-# Module: mplayer
-#
-# Mplayer media player and encoder.
-#
-mplayer = module
-
-# Layer: apps
-# Module: openoffice
-#
-# Openoffice suite.
-#
-openoffice = module
-
-# Layer: apps
-# Module: podsleuth
-#
-# Podsleuth is a tool to get information about an Apple (TM) iPod (TM).
-#
-podsleuth = module
-
-# Layer: apps
-# Module: ptchown
-#
-# helper function for grantpt(3), changes ownship and permissions of pseudotty.
-#
-ptchown = module
-
-# Layer: apps
-# Module: pulseaudio
-#
-# Pulseaudio network sound server.
-#
-pulseaudio = module
-
-# Layer: apps
-# Module: qemu
-#
-# QEMU machine emulator and virtualizer.
-#
-qemu = module
-
-# Layer: apps
-# Module: rssh
-#
-# Restricted (scp/sftp) only shell.
-#
-rssh = module
-
-# Layer: apps
-# Module: sambagui
-#
-# system-config-samba dbus service.
-#
-sambagui = module
-
-# Layer: apps
-# Module: screen
-#
-# GNU terminal multiplexer.
-#
-screen = module
-
-# Layer: apps
-# Module: seunshare
-#
-# Filesystem namespacing/polyinstantiation application.
-#
-seunshare = module
-
-# Layer: apps
-# Module: slocate
-#
-# Update database for mlocate.
-#
-slocate = module
-
-# Layer: apps
-# Module: syncthing
-#
-# Application that lets you synchronize your files across multiple devices.
-#
-syncthing = module
-
-# Layer: apps
-# Module: telepathy
-#
-# Telepathy communications framework.
-#
-telepathy = module
-
-# Layer: apps
-# Module: thunderbird
-#
-# Thunderbird email client.
-#
-thunderbird = module
-
-# Layer: apps
-# Module: tvtime
-#
-# High quality television application.
-#
-tvtime = module
-
-# Layer: apps
-# Module: uml
-#
-# User mode linux tools and services.
-#
-uml = module
-
-# Layer: apps
-# Module: userhelper
-#
-# A wrapper that helps users run system programs.
-#
-userhelper = module
-
-# Layer: apps
-# Module: usernetctl
-#
-# User network interface configuration helper.
-#
-usernetctl = module
-
-# Layer: apps
-# Module: vlock
-#
-# Lock one or more sessions on the Linux console.
-#
-vlock = module
-
-# Layer: apps
-# Module: vmware
-#
-# VMWare Workstation virtual machines.
-#
-vmware = module
-
-# Layer: apps
-# Module: webalizer
-#
-# Web server log analysis.
-#
-webalizer = module
-
-# Layer: apps
-# Module: wine
-#
-# Run Windows programs in Linux.
-#
-wine = module
-
-# Layer: apps
-# Module: wireshark
-#
-# Wireshark packet capture tool.
-#
-wireshark = module
-
-# Layer: apps
-# Module: wm
-#
-# X Window Managers.
-#
-wm = module
-
-# Layer: apps
-# Module: xscreensaver
-#
-# Modular screen saver and locker for X11.
-#
-xscreensaver = module
-
-# Layer: apps
-# Module: yam
-#
-# Yum/Apt Mirroring.
-#
-yam = module
-
 # Layer: kernel
-# Module: storage
+# Module: unlabelednet
 #
-# Policy controlling access to storage devices
-#
-storage = module
+# The unlabelednet module.
+#
+unlabelednet = module
 
-# Layer: roles
+# Layer: role
 # Module: auditadm
 #
-# Audit administrator role
+# auditadm account on tty logins
 #
 auditadm = module
 
-# Layer: roles
-# Module: dbadm
-#
-# Database administrator role.
-#
-dbadm = module
-
-# Layer: roles
-# Module: guest
-#
-# Least privledge terminal user role.
-#
-guest = module
-
-# Layer: roles
+# Layer: role
 # Module: logadm
 #
-# Log administrator role
+# Minimally prived root role for managing logging system
 #
 logadm = module
 
-# Layer: roles
+# Layer: role
 # Module: secadm
 #
-# Security administrator role
+# secadm account on tty logins
 #
 secadm = module
 
-# Layer: roles
+# Layer:role
 # Module: staff
 #
-# Administrator's unprivileged user role
+# admin account
 #
 staff = module
 
-# Layer: roles
+# Layer:role
+# Module: sysadm_secadm
+#
+# System Administrator with Security Admin rules
+#
+sysadm_secadm = module
+
+# Layer:role
 # Module: sysadm
 #
-# General system administration role
+# System Administrator
 #
 sysadm = module
 
-# Layer: roles
+# Layer: role
 # Module: unprivuser
 #
-# Generic unprivileged user role
+# Minimally privs guest account on tty logins
 #
 unprivuser = module
 
-# Layer: roles
-# Module: webadm
-#
-# Web administrator role.
-#
-webadm = module
-
-# Layer: roles
-# Module: xguest
-#
-# Least privledge xwindows user role.
-#
-xguest = module
-
-# Layer: services
-# Module: abrt
-#
-# Automated bug-reporting tool.
-#
-abrt = module
-
-# Layer: services
-# Module: accountsd
-#
-# AccountsService and daemon for manipulating user account information via D-Bus.
-#
-accountsd = module
-
-# Layer: services
-# Module: acpi
-#
-# Advanced power management.
-#
-acpi = module
-
-# Layer: services
-# Module: afs
-#
-# Andrew Filesystem server.
-#
-afs = module
-
-# Layer: services
-# Module: aiccu
-#
-# Automatic IPv6 Connectivity Client Utility.
-#
-aiccu = module
-
-# Layer: services
-# Module: aisexec
-#
-# Aisexec Cluster Engine.
-#
-aisexec = module
-
-# Layer: services
-# Module: amavis
-#
-# High-performance interface between an email server and content checkers.
-#
-amavis = module
-
-# Layer: services
-# Module: apache
-#
-# Various web servers.
-#
-apache = module
-
-# Layer: services
-# Module: apcupsd
-#
-# APC UPS monitoring daemon.
-#
-apcupsd = module
-
-# Layer: services
-# Module: arpwatch
-#
-# Ethernet activity monitor.
-#
-arpwatch = module
-
-# Layer: services
-# Module: asterisk
-#
-# Asterisk IP telephony server.
-#
-asterisk = module
-
-# Layer: services
-# Module: automount
-#
-# Filesystem automounter service.
-#
-automount = module
-
-# Layer: services
-# Module: avahi
-#
-# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture.
-#
-avahi = module
-
-# Layer: services
-# Module: bind
-#
-# Berkeley Internet name domain DNS server.
-#
-bind = module
-
-# Layer: services
-# Module: bird
-#
-# BIRD Internet Routing Daemon.
-#
-bird = module
-
-# Layer: services
-# Module: bitlbee
-#
-# Tunnels instant messaging traffic to a virtual IRC channel.
-#
-bitlbee = module
-
-# Layer: services
-# Module: bluetooth
-#
-# Bluetooth tools and system services.
-#
-bluetooth = module
-
-# Layer: services
-# Module: boinc
-#
-# Platform for computing using volunteered resources.
-#
-boinc = module
-
-# Layer: services
-# Module: bugzilla
-#
-# Bugtracker.
-#
-bugzilla = module
-
-# Layer: services
-# Module: cachefilesd
-#
-# CacheFiles user-space management daemon.
-#
-cachefilesd = module
-
-# Layer: services
-# Module: callweaver
-#
-# PBX software.
-#
-callweaver = module
-
-# Layer: services
-# Module: canna
-#
-# Kana-kanji conversion server.
-#
-canna = module
-
-# Layer: services
-# Module: ccs
-#
-# Cluster Configuration System.
-#
-ccs = module
-
-# Layer: services
-# Module: certmaster
-#
-# Remote certificate distribution framework.
-#
-certmaster = module
-
-# Layer: services
-# Module: certmonger
-#
-# Certificate status monitor and PKI enrollment client.
-#
-certmonger = module
-
-# Layer: services
-# Module: cgmanager
-#
-# Control Group manager daemon.
-#
-cgmanager = module
-
-# Layer: services
-# Module: cgroup
-#
-# libcg is a library that abstracts the control group file system in Linux.
-#
-cgroup = module
-
-# Layer: services
-# Module: chronyd
-#
-# Chrony NTP background daemon.
-#
-chronyd = module
-
-# Layer: services
-# Module: cipe
-#
-# Encrypted tunnel daemon.
-#
-cipe = module
-
-# Layer: services
-# Module: clamav
-#
-# ClamAV Virus Scanner.
-#
-clamav = module
-
-# Layer: services
-# Module: clockspeed
-#
-# Clock speed measurement and manipulation.
-#
-clockspeed = module
-
-# Layer: services
-# Module: clogd
-#
-# Clustered Mirror Log Server.
-#
-clogd = module
-
-# Layer: services
-# Module: cmirrord
-#
-# Cluster mirror log daemon.
-#
-cmirrord = module
-
-# Layer: services
-# Module: cobbler
-#
-# Cobbler installation server.
-#
-cobbler = module
-
-# Layer: services
-# Module: collectd
-#
-# Statistics collection daemon for filling RRD files.
-#
-collectd = module
-
-# Layer: services
-# Module: colord
-#
-# GNOME color manager.
-#
-colord = module
-
-# Layer: services
-# Module: comsat
-#
-# Comsat, a biff server.
-#
-comsat = module
-
-# Layer: services
-# Module: condor
-#
-# High-Throughput Computing System.
-#
-condor = module
-
-# Layer: services
-# Module: consolekit
-#
-# Framework for facilitating multiple user sessions on desktops.
-#
-consolekit = module
-
-# Layer: services
-# Module: corosync
-#
-# Corosync Cluster Engine.
-#
-corosync = module
-
-# Layer: services
-# Module: couchdb
-#
-# Document database server.
-#
-couchdb = module
-
-# Layer: services
-# Module: courier
-#
-# Courier IMAP and POP3 email servers.
-#
-courier = module
-
-# Layer: services
-# Module: cpucontrol
-#
-# Services for loading CPU microcode and CPU frequency scaling.
-#
-cpucontrol = module
-
-# Layer: services
-# Module: cron
-#
-# Periodic execution of scheduled commands.
-#
-cron = module
-
-# Layer: services
-# Module: ctdb
-#
-# Clustered Database based on Samba Trivial Database.
-#
-ctdb = module
-
-# Layer: services
-# Module: cups
-#
-# Common UNIX printing system.
-#
-cups = module
-
-# Layer: services
-# Module: cvs
-#
-# Concurrent versions system.
-#
-cvs = module
-
-# Layer: services
-# Module: cyphesis
-#
-# Cyphesis WorldForge game server.
-#
-cyphesis = module
-
-# Layer: services
-# Module: cyrus
-#
-# Cyrus is an IMAP service intended to be run on sealed servers.
-#
-cyrus = module
-
-# Layer: services
-# Module: dante
-#
-# Dante msproxy and socks4/5 proxy server.
-#
-dante = module
-
-# Layer: services
-# Module: dbskk
-#
-# Dictionary server for the SKK Japanese input method system.
-#
-dbskk = module
-
-# Layer: services
-# Module: dbus
-#
-# Desktop messaging bus.
-#
-dbus = module
-
-# Layer: services
-# Module: dcc
-#
-# Distributed checksum clearinghouse spam filtering.
-#
-dcc = module
-
-# Layer: services
-# Module: ddclient
-#
-# Update dynamic IP address at DynDNS.org.
-#
-ddclient = module
-
-# Layer: services
-# Module: denyhosts
-#
-# SSH dictionary attack mitigation.
-#
-denyhosts = module
-
-# Layer: services
-# Module: devicekit
-#
-# Devicekit modular hardware abstraction layer.
-#
-devicekit = module
-
-# Layer: services
-# Module: dhcp
-#
-# Dynamic host configuration protocol server.
-#
-dhcp = module
-
-# Layer: services
-# Module: dictd
-#
-# Dictionary daemon.
-#
-dictd = module
-
-# Layer: services
-# Module: dirmngr
-#
-# Server for managing and downloading certificate revocation lists.
-#
-dirmngr = module
-
-# Layer: services
-# Module: distcc
-#
-# Distributed compiler daemon.
-#
-distcc = module
-
-# Layer: services
-# Module: djbdns
-#
-# Small and secure DNS daemon.
-#
-djbdns = module
-
-# Layer: services
-# Module: dkim
-#
-# DomainKeys Identified Mail milter.
-#
-dkim = module
-
-# Layer: services
-# Module: dnsmasq
-#
-# DNS forwarder and DHCP server.
-#
-dnsmasq = module
-
-# Layer: services
-# Module: dnssectrigger
-#
-# Enables DNSSEC protection for DNS traffic.
-#
-dnssectrigger = module
-
-# Layer: services
-# Module: dovecot
-#
-# POP and IMAP mail server.
-#
-dovecot = module
-
-# Layer: services
-# Module: drbd
-#
-# Mirrors a block device over the network to another machine.
-#
-drbd = module
-
-# Layer: services
-# Module: dspam
-#
-# Content-based spam filter designed for multi-user enterprise systems.
-#
-dspam = module
-
-# Layer: services
-# Module: entropyd
-#
-# Generate entropy from audio input.
-#
-entropyd = module
-
-# Layer: services
-# Module: exim
-#
-# Mail transfer agent.
-#
-exim = module
-
-# Layer: services
-# Module: fail2ban
-#
-# Update firewall filtering to ban IP addresses with too many password failures.
-#
-fail2ban = module
-
-# Layer: services
-# Module: fcoe
-#
-# Fibre Channel over Ethernet utilities.
-#
-fcoe = module
-
-# Layer: services
-# Module: fetchmail
-#
-# Remote-mail retrieval and forwarding utility.
-#
-fetchmail = module
-
-# Layer: services
-# Module: finger
-#
-# Finger user information service.
-#
-finger = module
-
-# Layer: services
-# Module: firewalld
-#
-# Service daemon with a D-BUS interface that provides a dynamic managed firewall.
-#
-firewalld = module
-
-# Layer: services
-# Module: fprintd
-#
-# DBus fingerprint reader service.
-#
-fprintd = module
-
-# Layer: services
-# Module: ftp
-#
-# File transfer protocol service.
-#
-ftp = module
-
-# Layer: services
-# Module: gatekeeper
-#
-# OpenH.323 Voice-Over-IP Gatekeeper.
-#
-gatekeeper = module
-
-# Layer: services
-# Module: gdomap
-#
-# GNUstep distributed object mapper.
-#
-gdomap = module
-
-# Layer: services
-# Module: geoclue
-#
-# Geoclue is a D-Bus service that provides location information.
-#
-geoclue = module
-
-# Layer: services
-# Module: git
-#
-# GIT revision control system.
-#
-git = module
-
-# Layer: services
-# Module: glance
-#
-# OpenStack image registry and delivery service.
-#
-glance = module
-
-# Layer: services
-# Module: glusterfs
-#
-# Cluster File System binary, daemon and command line.
-#
-glusterfs = module
-
-# Layer: services
-# Module: gnomeclock
-#
-# Gnome clock handler for setting the time.
-#
-gnomeclock = module
-
-# Layer: services
-# Module: gpm
-#
-# General Purpose Mouse driver.
-#
-gpm = module
-
-# Layer: services
-# Module: gpsd
-#
-# gpsd monitor daemon.
-#
-gpsd = module
-
-# Layer: services
-# Module: gssproxy
-#
-# policy for gssproxy - daemon to proxy GSSAPI context establishment and channel handling
-#
-gssproxy = module
-
-# Layer: services
-# Module: hadoop
-#
-# Software for reliable, scalable, distributed computing.
-#
-hadoop = module
-
-# Layer: services
-# Module: hal
-#
-# Hardware abstraction layer.
-#
-hal = module
-
-# Layer: services
-# Module: hddtemp
-#
-# Hard disk temperature tool running as a daemon.
-#
-hddtemp = module
-
-# Layer: services
-# Module: howl
-#
-# Port of Apple Rendezvous multicast DNS.
-#
-howl = module
-
-# Layer: services
-# Module: hypervkvp
-#
-# HyperV key value pair (KVP).
-#
-hypervkvp = module
-
-# Layer: services
-# Module: i18n_input
-#
-# IIIMF htt server.
-#
-i18n_input = module
-
-# Layer: services
-# Module: icecast
-#
-# ShoutCast compatible streaming media server.
-#
-icecast = module
-
-# Layer: services
-# Module: ifplugd
-#
-# Bring up/down ethernet interfaces based on cable detection.
-#
-ifplugd = module
-
-# Layer: services
-# Module: imaze
-#
-# iMaze game server.
-#
-imaze = module
-
-# Layer: services
-# Module: inetd
-#
-# Internet services daemon.
-#
-inetd = module
-
-# Layer: services
-# Module: inn
-#
-# Internet News NNTP server.
-#
-inn = module
-
-# Layer: services
-# Module: iodine
-#
-# IP over DNS tunneling daemon.
-#
-iodine = module
-
-# Layer: services
-# Module: ircd
-#
-# IRC servers.
-#
-ircd = module
-
-# Layer: services
-# Module: irqbalance
-#
-# IRQ balancing daemon.
-#
-irqbalance = module
-
-# Layer: services
-# Module: isns
-#
-# Internet Storage Name Service.
-#
-isns = module
-
-# Layer: services
-# Module: jabber
-#
-# Jabber instant messaging servers.
-#
-jabber = module
-
-# Layer: services
-# Module: jockey
-#
-# Jockey driver manager.
-#
-jockey = module
-
-# Layer: services
-# Module: kerberos
-#
-# MIT Kerberos admin and KDC.
-#
-kerberos = module
-
-# Layer: services
-# Module: kerneloops
-#
-# Service for reporting kernel oopses to kerneloops.org.
-#
-kerneloops = module
-
-# Layer: services
-# Module: keyboardd
-#
-# Xorg.conf keyboard layout callout.
-#
-keyboardd = module
-
-# Layer: services
-# Module: keystone
-#
-# Python implementation of the OpenStack identity service API.
-#
-keystone = module
-
-# Layer: services
-# Module: ksmtuned
-#
-# Kernel Samepage Merging Tuning Daemon.
-#
-ksmtuned = module
-
-# Layer: services
-# Module: ktalk
-#
-# KDE Talk daemon.
-#
-ktalk = module
-
-# Layer: services
-# Module: l2tp
-#
-# Layer 2 Tunneling Protocol.
-#
-l2tp = module
-
-# Layer: services
-# Module: ldap
-#
-# OpenLDAP directory server.
-#
-ldap = module
-
-# Layer: services
-# Module: likewise
-#
-# Likewise Active Directory support for UNIX.
-#
-likewise = module
-
-# Layer: services
-# Module: lircd
-#
-# Linux infared remote control daemon.
-#
-lircd = module
-
-# Layer: services
-# Module: lldpad
-#
-# Intel LLDP Agent.
-#
-lldpad = module
-
-# Layer: services
-# Module: lpd
-#
-# Line printer daemon.
-#
-lpd = module
-
-# Layer: services
-# Module: lsm
-#
-# Storage array management library.
-#
-lsm = module
-
-# Layer: services
-# Module: mailman
-#
-# Manage electronic mail discussion and e-newsletter lists.
-#
-mailman = module
-
-# Layer: services
-# Module: mailscanner
-#
-# E-mail security and anti-spam package for e-mail gateway systems.
-#
-mailscanner = module
-
-# Layer: services
-# Module: mediawiki
-#
-# Open source wiki package written in PHP.
-#
-mediawiki = module
-
-# Layer: services
-# Module: memcached
-#
-# High-performance memory object caching system.
-#
-memcached = module
-
-# Layer: services
-# Module: milter
-#
-# Milter mail filters.
-#
-milter = module
-
-# Layer: services
-# Module: minidlna
-#
-# MiniDLNA lightweight DLNA/UPnP media server
-#
-minidlna = module
-
-# Layer: services
-# Module: minissdpd
-#
-# Daemon used by MiniUPnPc to speed up device discoveries.
-#
-minissdpd = module
-
-# Layer: services
-# Module: modemmanager
-#
-# Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.
-#
-modemmanager = module
-
-# Layer: services
-# Module: mojomojo
-#
-# MojoMojo Wiki.
-#
-mojomojo = module
-
-# Layer: services
-# Module: mon
-#
-# mon network monitoring daemon.
-#
-mon = module
-
-# Layer: services
-# Module: mongodb
-#
-# Scalable, high-performance, open source NoSQL database.
-#
-mongodb = module
-
-# Layer: services
-# Module: monit
-#
-# Monit - utility for monitoring services on a Unix system.
-#
-monit = module
-
-# Layer: services
-# Module: monop
-#
-# Monopoly daemon.
-#
-monop = module
-
-# Layer: services
-# Module: mpd
-#
-# Music Player Daemon.
-#
-mpd = module
-
-# Layer: services
-# Module: mta
-#
-# Common e-mail transfer agent policy.
-#
-mta = module
-
-# Layer: services
-# Module: munin
-#
-# Munin network-wide load graphing.
-#
-munin = module
-
-# Layer: services
-# Module: mysql
-#
-# Open source database.
-#
-mysql = module
-
-# Layer: services
-# Module: nagios
-#
-# Network monitoring server.
-#
-nagios = module
-
-# Layer: services
-# Module: nessus
-#
-# Network scanning daemon.
-#
-nessus = module
-
-# Layer: services
-# Module: networkmanager
-#
-# Manager for dynamically switching between networks.
-#
-networkmanager = module
-
-# Layer: services
-# Module: nis
-#
-# Policy for NIS (YP) servers and clients.
-#
-nis = module
-
-# Layer: services
-# Module: nscd
-#
-# Name service cache daemon.
-#
-nscd = module
-
-# Layer: services
-# Module: nsd
-#
-# Authoritative only name server.
-#
-nsd = module
-
-# Layer: services
-# Module: nslcd
-#
-# Local LDAP name service daemon.
-#
-nslcd = module
-
-# Layer: services
-# Module: ntop
-#
-# A network traffic probe similar to the UNIX top command.
-#
-ntop = module
-
-# Layer: services
-# Module: ntp
-#
-# Network time protocol daemon.
-#
-ntp = module
-
-# Layer: services
-# Module: numad
-#
-# Non-Uniform Memory Alignment Daemon.
-#
-numad = module
-
-# Layer: services
-# Module: nut
-#
-# Network UPS Tools
-#
-nut = module
-
-# Layer: services
-# Module: nx
-#
-# NX remote desktop.
-#
-nx = module
-
-# Layer: services
-# Module: oav
-#
-# Open AntiVirus scannerdaemon and signature update.
-#
-oav = module
-
-# Layer: services
-# Module: obex
-#
-# D-Bus service providing high-level OBEX client and server side functionality.
-#
-obex = module
-
-# Layer: services
-# Module: oddjob
-#
-# D-BUS service which runs odd jobs on behalf of client applications.
-#
-oddjob = module
-
-# Layer: services
-# Module: oident
-#
-# An ident daemon with IP masq/NAT support and the ability to specify responses.
-#
-oident = module
-
-# Layer: services
-# Module: openca
-#
-# Open Certificate Authority.
-#
-openca = module
-
-# Layer: services
-# Module: openct
-#
-# Service for handling smart card readers.
-#
-openct = module
-
-# Layer: services
-# Module: openhpi
-#
-# Open source implementation of the Service Availability Forum Hardware Platform Interface.
-#
-openhpi = module
-
-# Layer: services
-# Module: openvpn
-#
-# full-featured SSL VPN solution.
-#
-openvpn = module
-
-# Layer: services
-# Module: openvswitch
-#
-# Multilayer virtual switch.
-#
-openvswitch = module
-
-# Layer: services
-# Module: pacemaker
-#
-# A scalable high-availability cluster resource manager.
-#
-pacemaker = module
-
-# Layer: services
-# Module: pads
-#
-# Passive Asset Detection System.
-#
-pads = module
-
-# Layer: services
-# Module: pcscd
-#
-# PCSC smart card service.
-#
-pcscd = module
-
-# Layer: services
-# Module: pegasus
-#
-# The Open Group Pegasus CIM/WBEM Server.
-#
-pegasus = module
-
-# Layer: services
-# Module: perdition
-#
-# Perdition POP and IMAP proxy.
-#
-perdition = module
-
-# Layer: services
-# Module: pingd
-#
-# Pingd of the Whatsup cluster node up/down detection utility.
-#
-pingd = module
-
-# Layer: services
-# Module: pkcs
-#
-# Implementations of the Cryptoki specification.
-#
-pkcs = module
-
-# Layer: services
-# Module: plymouthd
-#
-# Plymouth graphical boot.
-#
-plymouthd = module
-
-# Layer: services
-# Module: policykit
-#
-# Policy framework for controlling privileges for system-wide services.
-#
-policykit = module
-
-# Layer: services
-# Module: polipo
-#
-# Lightweight forwarding and caching proxy server.
-#
-polipo = module
-
-# Layer: services
-# Module: portmap
-#
-# RPC port mapping service.
-#
-portmap = module
-
-# Layer: services
-# Module: portreserve
-#
-# Reserve well-known ports in the RPC port range.
-#
-portreserve = module
-
-# Layer: services
-# Module: portslave
-#
-# Portslave terminal server software.
-#
-portslave = module
-
-# Layer: services
-# Module: postfix
-#
-# Postfix email server.
-#
-postfix = module
-
-# Layer: services
-# Module: postfixpolicyd
-#
-# Postfix policy server.
-#
-postfixpolicyd = module
-
 # Layer: services
 # Module: postgresql
 #
@@ -2153,391 +211,6 @@ postfixpolicyd = module
 #
 postgresql = module
 
-# Layer: services
-# Module: postgrey
-#
-# Postfix grey-listing server.
-#
-postgrey = module
-
-# Layer: services
-# Module: ppp
-#
-# Point to Point Protocol daemon creates links in ppp networks.
-#
-ppp = module
-
-# Layer: services
-# Module: prelude
-#
-# Prelude hybrid intrusion detection system.
-#
-prelude = module
-
-# Layer: services
-# Module: privoxy
-#
-# Privacy enhancing web proxy.
-#
-privoxy = module
-
-# Layer: services
-# Module: procmail
-#
-# Procmail mail delivery agent.
-#
-procmail = module
-
-# Layer: services
-# Module: psad
-#
-# Intrusion Detection and Log Analysis with iptables.
-#
-psad = module
-
-# Layer: services
-# Module: publicfile
-#
-# publicfile supplies files to the public through HTTP and FTP.
-#
-publicfile = module
-
-# Layer: services
-# Module: pwauth
-#
-# External plugin for mod_authnz_external authenticator.
-#
-pwauth = module
-
-# Layer: services
-# Module: pxe
-#
-# Server for the PXE network boot protocol.
-#
-pxe = module
-
-# Layer: services
-# Module: pyicqt
-#
-# ICQ transport for XMPP server.
-#
-pyicqt = module
-
-# Layer: services
-# Module: pyzor
-#
-# Pyzor is a distributed, collaborative spam detection and filtering network.
-#
-pyzor = module
-
-# Layer: services
-# Module: qmail
-#
-# Qmail Mail Server.
-#
-qmail = module
-
-# Layer: services
-# Module: qpid
-#
-# Apache QPID AMQP messaging server.
-#
-qpid = module
-
-# Layer: services
-# Module: quantum
-#
-# Virtual network service for Openstack.
-#
-quantum = module
-
-# Layer: services
-# Module: rabbitmq
-#
-# AMQP server written in Erlang.
-#
-rabbitmq = module
-
-# Layer: services
-# Module: radius
-#
-# RADIUS authentication and accounting server.
-#
-radius = module
-
-# Layer: services
-# Module: radvd
-#
-# IPv6 router advertisement daemon.
-#
-radvd = module
-
-# Layer: services
-# Module: razor
-#
-# A distributed, collaborative, spam detection and filtering network.
-#
-razor = module
-
-# Layer: services
-# Module: rdisc
-#
-# Network router discovery daemon.
-#
-rdisc = module
-
-# Layer: services
-# Module: realmd
-#
-# Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA.
-#
-realmd = module
-
-# Layer: services
-# Module: redis
-#
-# Advanced key-value store.
-#
-redis = module
-
-# Layer: services
-# Module: remotelogin
-#
-# Rshd, rlogind, and telnetd.
-#
-remotelogin = module
-
-# Layer: services
-# Module: resmgr
-#
-# Resource management daemon.
-#
-resmgr = module
-
-# Layer: services
-# Module: rgmanager
-#
-# Resource Group Manager.
-#
-rgmanager = module
-
-# Layer: services
-# Module: rhcs
-#
-# Red Hat Cluster Suite.
-#
-rhcs = module
-
-# Layer: services
-# Module: rhgb
-#
-# Red Hat Graphical Boot.
-#
-rhgb = module
-
-# Layer: services
-# Module: rhsmcertd
-#
-# Subscription Management Certificate Daemon.
-#
-rhsmcertd = module
-
-# Layer: services
-# Module: ricci
-#
-# Ricci cluster management agent.
-#
-ricci = module
-
-# Layer: services
-# Module: rlogin
-#
-# Remote login daemon.
-#
-rlogin = module
-
-# Layer: services
-# Module: rngd
-#
-# Check and feed random data from hardware device to kernel random device.
-#
-rngd = module
-
-# Layer: services
-# Module: roundup
-#
-# Roundup Issue Tracking System.
-#
-roundup = module
-
-# Layer: services
-# Module: rpc
-#
-# Remote Procedure Call Daemon.
-#
-rpc = module
-
-# Layer: services
-# Module: rpcbind
-#
-# Universal Addresses to RPC Program Number Mapper.
-#
-rpcbind = module
-
-# Layer: services
-# Module: rshd
-#
-# Remote shell service.
-#
-rshd = module
-
-# Layer: services
-# Module: rsync
-#
-# Fast incremental file transfer for synchronization.
-#
-rsync = module
-
-# Layer: services
-# Module: rtkit
-#
-# Realtime scheduling for user processes.
-#
-rtkit = module
-
-# Layer: services
-# Module: rwho
-#
-# Who is logged in on other machines?
-#
-rwho = module
-
-# Layer: services
-# Module: samba
-#
-# SMB and CIFS client/server programs.
-#
-samba = module
-
-# Layer: services
-# Module: sanlock
-#
-# shared storage lock manager.
-#
-sanlock = module
-
-# Layer: services
-# Module: sasl
-#
-# SASL authentication server.
-#
-sasl = module
-
-# Layer: services
-# Module: sendmail
-#
-# Internetwork email routing facility.
-#
-sendmail = module
-
-# Layer: services
-# Module: sensord
-#
-# Sensor information logging daemon.
-#
-sensord = module
-
-# Layer: services
-# Module: setroubleshoot
-#
-# SELinux troubleshooting service.
-#
-setroubleshoot = module
-
-# Layer: services
-# Module: shibboleth
-#
-# Shibboleth authentication deamon
-#
-shibboleth = module
-
-# Layer: services
-# Module: slpd
-#
-# OpenSLP server daemon to dynamically register services.
-#
-slpd = module
-
-# Layer: services
-# Module: slrnpull
-#
-# Service for downloading news feeds the slrn newsreader.
-#
-slrnpull = module
-
-# Layer: services
-# Module: smartmon
-#
-# Smart disk monitoring daemon.
-#
-smartmon = module
-
-# Layer: services
-# Module: smokeping
-#
-# Smokeping network latency measurement.
-#
-smokeping = module
-
-# Layer: services
-# Module: smstools
-#
-# Tools to send and receive short messages through GSM modems or mobile phones.
-#
-smstools = module
-
-# Layer: services
-# Module: snmp
-#
-# Simple network management protocol services.
-#
-snmp = module
-
-# Layer: services
-# Module: snort
-#
-# Snort network intrusion detection system.
-#
-snort = module
-
-# Layer: services
-# Module: soundserver
-#
-# sound server for network audio server programs, nasd, yiff, etc
-#
-soundserver = module
-
-# Layer: services
-# Module: spamassassin
-#
-# Filter used for removing unsolicited email.
-#
-spamassassin = module
-
-# Layer: services
-# Module: speedtouch
-#
-# Alcatel speedtouch USB ADSL modem
-#
-speedtouch = module
-
-# Layer: services
-# Module: squid
-#
-# Squid caching http proxy server.
-#
-squid = module
-
 # Layer: services
 # Module: ssh
 #
@@ -2545,262 +218,17 @@ squid = module
 #
 ssh = module
 
-# Layer: services
-# Module: sssd
-#
-# System Security Services Daemon.
-#
-sssd = module
-
-# Layer: services
-# Module: stunnel
-#
-# SSL Tunneling Proxy.
-#
-stunnel = module
-
-# Layer: services
-# Module: svnserve
-#
-# Server for the svn repository access method.
-#
-svnserve = module
-
-# Layer: services
-# Module: sysstat
-#
-# Reports on various system states.
-#
-sysstat = module
-
-# Layer: services
-# Module: systemtap
-#
-# instrumentation system for Linux.
-#
-systemtap = module
-
-# Layer: services
-# Module: tcpd
-#
-# TCP daemon.
-#
-tcpd = module
-
-# Layer: services
-# Module: tcsd
-#
-# TSS Core Services daemon.
-#
-tcsd = module
-
-# Layer: services
-# Module: telnet
-#
-# Telnet daemon.
-#
-telnet = module
-
-# Layer: services
-# Module: tftp
-#
-# Trivial file transfer protocol daemon.
-#
-tftp = module
-
-# Layer: services
-# Module: tgtd
-#
-# Linux Target Framework Daemon.
-#
-tgtd = module
-
-# Layer: services
-# Module: timidity
-#
-# MIDI to WAV converter and player configured as a service.
-#
-timidity = module
-
-# Layer: services
-# Module: tor
-#
-# The onion router.
-#
-tor = module
-
-# Layer: services
-# Module: transproxy
-#
-# Portable Transparent Proxy Solution.
-#
-transproxy = module
-
-# Layer: services
-# Module: tuned
-#
-# Dynamic adaptive system tuning daemon.
-#
-tuned = module
-
-# Layer: services
-# Module: ucspitcp
-#
-# UNIX Client-Server Program Interface for TCP.
-#
-ucspitcp = module
-
-# Layer: services
-# Module: ulogd
-#
-# Iptables/netfilter userspace logging daemon.
-#
-ulogd = module
-
-# Layer: services
-# Module: uptime
-#
-# Daemon to record and keep track of system up times.
-#
-uptime = module
-
-# Layer: services
-# Module: usbmuxd
-#
-# USB multiplexing daemon for communicating with Apple iPod Touch and iPhone.
-#
-usbmuxd = module
-
-# Layer: services
-# Module: uucp
-#
-# Unix to Unix Copy.
-#
-uucp = module
-
-# Layer: services
-# Module: uuidd
-#
-# UUID generation daemon.
-#
-uuidd = module
-
-# Layer: services
-# Module: uwimap
-#
-# University of Washington IMAP toolkit POP3 and IMAP mail server.
-#
-uwimap = module
-
-# Layer: services
-# Module: varnishd
-#
-# Varnishd http accelerator daemon.
-#
-varnishd = module
-
-# Layer: services
-# Module: vdagent
-#
-# Spice agent for Linux.
-#
-vdagent = module
-
-# Layer: services
-# Module: vhostmd
-#
-# Virtual host metrics daemon.
-#
-vhostmd = module
-
-# Layer: services
-# Module: virt
-#
-# Libvirt virtualization API.
-#
-virt = module
-
-# Layer: services
-# Module: vnstatd
-#
-# Console network traffic monitor.
-#
-vnstatd = module
-
-# Layer: services
-# Module: w3c
-#
-# W3C Markup Validator.
-#
-w3c = module
-
-# Layer: services
-# Module: watchdog
-#
-# Software watchdog.
-#
-watchdog = module
-
-# Layer: services
-# Module: wdmd
-#
-# Watchdog multiplexing daemon.
-#
-wdmd = module
-
-# Layer: services
-# Module: xfs
-#
-# X Windows Font Server.
-#
-xfs = module
-
-# Layer: services
-# Module: xprint
-#
-# A X11-based print system and API.
-#
-xprint = module
-
 # Layer: services
 # Module: xserver
 #
-# X Windows Server
+# X windows login display manager
 #
 xserver = module
 
-# Layer: services
-# Module: zabbix
-#
-# Distributed infrastructure monitoring.
-#
-zabbix = module
-
-# Layer: services
-# Module: zarafa
-#
-# Zarafa collaboration platform.
-#
-zarafa = module
-
-# Layer: services
-# Module: zebra
-#
-# Zebra border gateway protocol network routing service.
-#
-zebra = module
-
-# Layer: services
-# Module: zosremote
-#
-# z/OS Remote-services Audit dispatcher plugin.
-#
-zosremote = module
-
-# Layer: system
 # Module: application
+# Required in base
 #
-# Policy for user executable applications.
+# Defines attributs and interfaces for all user applications
 #
 application = module
 
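Review bot: The new description for application, `+# Defines attributs and interfaces for all user applications`, misspells "attributes" and should read `+# Defines attributes and interfaces for all user applications`. The same hunk also drops `# Layer: system` from the application entry when it adds `# Required in base`, so this entry no longer says which layer it belongs to while every neighbouring entry still does; keeping the Layer line and placing `# Required in base` under it preserves the header shape the rest of the file uses. The setrans hunk at -2959 makes the same header change and should be handled the same way.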
@@ -2818,13 +246,6 @@ authlogin = module # clock = module -# Layer: system -# Module: daemontools -# -# Collection of tools for managing UNIX services. -# -daemontools = module - # Layer: system # Module: fstools # @@ -2835,7 +256,7 @@ fstools = module # Layer: system # Module: getty # -# Manages physical or virtual terminals. +# Policy for getty. # getty = module @@ -2846,14 +267,6 @@ getty = module # hostname = module -# Layer: system -# Module: hotplug -# -# Policy for hotplug system, for supporting the -# connection and disconnection of devices at runtime. -# -hotplug = module - # Layer: system # Module: init # @@ -2871,17 +284,10 @@ ipsec = module # Layer: system # Module: iptables # -# Administration tool for IP packet filtering and NAT. +# Policy for iptables. # iptables = module -# Layer: system -# Module: iscsi -# -# Establish connections to iSCSI devices. -# -iscsi = module - # Layer: system # Module: libraries # @@ -2913,7 +319,7 @@ lvm = module # Layer: system # Module: miscfiles # -# Miscellaneous files. +# Miscelaneous files. # miscfiles = module @@ -2934,24 +340,10 @@ mount = module # Layer: system # Module: netlabel # -# NetLabel/CIPSO labeled networking management +# Basic netlabel types and interfaces. # netlabel = module -# Layer: system -# Module: pcmcia -# -# PCMCIA card management services. -# -pcmcia = module - -# Layer: system -# Module: raid -# -# RAID array management tools. -# -raid = module - # Layer: system # Module: selinuxutil # @@ -2959,10 +351,10 @@ raid = module # selinuxutil = module -# Layer: system # Module: setrans +# Required in base # -# SELinux MLS/MCS label translation service. +# Policy for setrans # setrans = module @@ -2976,7 +368,7 @@ sysnetwork = module # Layer: system # Module: systemd # -# Systemd components (not PID 1) +# Policy for systemd components # systemd = module 
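Review bot: The `@@ -2913,7 +319,7 @@` hunk turns a correctly spelled description into `# Miscelaneous files.`; keep `# Miscellaneous files.`. The other description rewrites on this line (getty, iptables, netlabel, systemd) replace specific wording with generic `Policy for …` text and drop information the old comments carried; unless the old text was wrong, keeping it seems preferable.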
@@ -2986,32 +378,3 @@ systemd = module # Policy for udev. # udev = module - -# Layer: system -# Module: unconfined -# -# The unconfined domain. -# -unconfined = module - -# Layer: system -# Module: userdomain -# -# Policy for user domains -# -userdomain = module - -# Layer: system -# Module: xdg -# -# Freedesktop standard locations (formerly known as X Desktop Group) -# -xdg = module - -# Layer: system -# Module: xen -# -# Xen hypervisor. -# -xen = module - diff --git a/modules-mls-contrib.conf b/modules-mls-contrib.conf new file mode 100644 index 0000000..322807c --- /dev/null +++ b/modules-mls-contrib.conf 
@@ -0,0 +1,1581 @@
+# Layer: services
+# Module: accountsd
+#
+# An application to view and modify user accounts information
+#
+accountsd = module
+
+# Layer: admin
+# Module: acct
+#
+# Berkeley process accounting
+#
+acct = module
+
+# Layer: services
+# Module: afs
+#
+# Andrew Filesystem server
+#
+afs = module
+
+# Layer: services
+# Module: aide
+#
+# Policy for aide
+#
+aide = module
+
+# Layer: admin
+# Module: alsa
+#
+# Ainit ALSA configuration tool
+#
+alsa = module
+
+# Layer: admin
+# Module: amanda
+#
+# Automated backup program.
+#
+amanda = module
+
+# Layer: contrib
+# Module: antivirus
+#
+# Anti-virus
+#
+antivirus = module
+
+# Layer: admin
+# Module: amtu
+#
+# Abstract Machine Test Utility (AMTU)
+#
+amtu = module
+
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+#
+anaconda = module
+
+# Layer: services
+# Module: apache
+#
+# Apache web server
+#
+apache = module
+
+# Layer: services
+# Module: apcupsd
+#
+# daemon for most APC’s UPS for Linux
+#
+apcupsd = module
+
+# Layer: services
+# Module: apm
+#
+# Advanced power management daemon
+#
+apm = module
+
+# Layer: services
+# Module: arpwatch
+#
+# Ethernet activity monitor.
+#
+arpwatch = module
+
+# Layer: services
+# Module: automount
+#
+# Filesystem automounter service.
+#
+automount = module
+
+# Layer: services
+# Module: avahi
+#
+# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
+#
+avahi = module
+
+# Layer: modules
+# Module: awstats
+#
+# awstats executable
+#
+awstats = module
+
+# Layer: services
+# Module: bind
+#
+# Berkeley internet name domain DNS server.
+#
+bind = module
+
+# Layer: services
+# Module: bitlbee
+#
+# An IRC to other chat networks gateway
+#
+bitlbee = module
+
+# Layer: services
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+#
+bluetooth = module
+
+# Layer: services
+# Module: boinc
+#
+# Berkeley Open Infrastructure for Network Computing
+#
+boinc = module
+
+# Layer: system
+# Module: brctl
+#
+# Utilities for configuring the linux ethernet bridge
+#
+brctl = module
+
+# Layer: services
+# Module: bugzilla
+#
+# Bugzilla server
+#
+bugzilla = module
+
+# Layer: services
+# Module: cachefilesd
+#
+# CacheFiles userspace management daemon
+#
+cachefilesd = module
+
+# Module: calamaris
+#
+#
+# Squid log analysis
+#
+calamaris = module
+
+# Layer: services
+# Module: canna
+#
+# Canna - kana-kanji conversion server
+#
+canna = module
+
+# Layer: services
+# Module: ccs
+#
+# policy for ccs
+#
+ccs = module
+
+# Layer: apps
+# Module: cdrecord
+#
+# Policy for cdrecord
+#
+cdrecord = module
+
+# Layer: admin
+# Module: certmaster
+#
+# Digital Certificate master
+#
+certmaster = module
+
+# Layer: services
+# Module: certmonger
+#
+# Certificate status monitor and PKI enrollment client
+#
+certmonger = module
+
+# Layer: admin
+# Module: certwatch
+#
+# Digital Certificate Tracking
+#
+certwatch = module
+
+# Layer: services
+# Module: cgroup
+#
+# Tools and libraries to control and monitor control groups
+#
+cgroup = module
+
+# Layer: apps
+# Module: chrome
+#
+# chrome sandbox
+#
+chrome = module
+
+# Layer: services
+# Module: chronyd
+#
+# Daemon for maintaining clock time
+#
+chronyd = module
+
+# Layer: services
+# Module: cipe
+#
+# Encrypted tunnel daemon
+#
+cipe = module
+
+# Layer: services
+# Module: clogd
+#
+# clogd - clustered mirror log server
+#
+clogd = module
+
+# Layer: services
+# Module: cmirrord
+#
+# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
+#
+cmirrord = module
+
+# Layer: services
+# Module: colord
+#
+# color device daemon
+#
+colord = module
+
+# Layer: services
+# Module: comsat
+#
+# Comsat, a biff server.
+#
+comsat = module
+
+# Layer: services
+# Module: courier
+#
+# IMAP and POP3 email servers
+#
+courier = module
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+#
+cpucontrol = module
+
+# Layer: apps
+# Module: cpufreqselector
+#
+# cpufreqselector executable
+#
+cpufreqselector = module
+
+# Layer: services
+# Module: cron
+#
+# Periodic execution of scheduled commands.
+#
+cron = module
+
+# Layer: services
+# Module: cups
+#
+# Common UNIX printing system
+#
+cups = module
+
+# Layer: services
+# Module: cvs
+#
+# Concurrent versions system
+#
+cvs = module
+
+# Layer: services
+# Module: cyphesis
+#
+# cyphesis game server
+#
+cyphesis = module
+
+# Layer: services
+# Module: cyrus
+#
+# Cyrus is an IMAP service intended to be run on sealed servers
+#
+cyrus = module
+
+# Layer: system
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services
+#
+daemontools = module
+
+# Layer: role
+# Module: dbadm
+#
+# Minimally prived root role for managing databases
+#
+dbadm = module
+
+# Layer: services
+# Module: dbskk
+#
+# Dictionary server for the SKK Japanese input method system.
+#
+dbskk = module
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+#
+dbus = module
+
+# Layer: services
+# Module: dcc
+#
+# A distributed, collaborative, spam detection and filtering network.
+#
+dcc = module
+
+# Layer: admin
+# Module: ddcprobe
+#
+# ddcprobe retrieves monitor and graphics card information
+#
+ddcprobe = off
+
+# Layer: services
+# Module: devicekit
+#
+# devicekit-daemon
+#
+devicekit = module
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+#
+dhcp = module
+
+# Layer: services
+# Module: dictd
+#
+# Dictionary daemon
+#
+dictd = module
+
+# Layer: services
+# Module: distcc
+#
+# Distributed compiler daemon
+#
+distcc = off
+
+# Layer: admin
+# Module: dmidecode
+#
+# Decode DMI data for x86/ia64 bioses.
+#
+dmidecode = module
+
+# Layer: services
+# Module: dnsmasq
+#
+# A lightweight DHCP and caching DNS server.
+#
+dnsmasq = module
+
+# Layer: services
+# Module: dnssec
+#
+# A dnssec server application
+#
+dnssec = module
+
+# Layer: services
+# Module: dovecot
+#
+# Dovecot POP and IMAP mail server
+#
+dovecot = module
+
+# Layer: services
+# Module: entropy
+#
+# Generate entropy from audio input
+#
+entropyd = module
+
+# Layer: services
+# Module: exim
+#
+# exim mail server
+#
+exim = module
+
+# Layer: services
+# Module: fail2ban
+#
+# daiemon that bans IP that makes too many password failures
+#
+fail2ban = module
+
+# Layer: services
+# Module: fetchmail
+#
+# Remote-mail retrieval and forwarding utility
+#
+fetchmail = module
+
+# Layer: services
+# Module: finger
+#
+# Finger user information service.
+#
+finger = module
+
+# Layer: services
+# Module: firewalld
+#
+# firewalld is firewall service daemon that provides dynamic customizable
+#
+firewalld = module
+
+# Layer: apps
+# Module: firewallgui
+#
+# policy for system-config-firewall
+#
+firewallgui = module
+
+# Module: firstboot
+#
+# Final system configuration run during the first boot
+# after installation of Red Hat/Fedora systems.
+#
+firstboot = module
+
+# Layer: services
+# Module: fprintd
+#
+# finger print server
+#
+fprintd = module
+
+# Layer: services
+# Module: ftp
+#
+# File transfer protocol service
+#
+ftp = module
+
+# Layer: apps
+# Module: games
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+games = module
+
+# Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis
+#
+gitosis = module
+
+# Layer: services
+# Module: git
+#
+# Policy for the stupid content tracker
+#
+git = module
+
+# Layer: services
+# Module: glance
+#
+# Policy for glance
+#
+glance = module
+
+# Layer: apps
+# Module: gnome
+#
+# gnome session and gconf
+#
+gnome = module
+
+# Layer: apps
+# Module: gpg
+#
+# Policy for Mozilla and related web browsers
+#
+gpg = module
+
+# Layer: services
+# Module: gpm
+#
+# General Purpose Mouse driver
+#
+gpm = module
+
+# Module: gpsd
+#
+# gpsd monitor daemon
+#
+#
+gpsd = module
+
+# Module: gssproxy
+#
+# A proxy for GSSAPI credential handling
+#
+#
+gssproxy = module
+
+# Layer: role
+# Module: guest
+#
+# Minimally privs guest account on tty logins
+#
+guest = module
+
+# Layer: services
+# Module: i18n_input
+#
+# IIIMF htt server
+#
+i18n_input = off
+
+# Layer: services
+# Module: inetd
+#
+# Internet services daemon.
+#
+inetd = module
+
+# Layer: services
+# Module: inn
+#
+# Internet News NNTP server
+#
+inn = module
+
+# Layer: apps
+# Module: irc
+#
+# IRC client policy
+#
+irc = module
+
+# Layer: services
+# Module: irqbalance
+#
+# IRQ balancing daemon
+#
+irqbalance = module
+
+# Layer: system
+# Module: iscsi
+#
+# Open-iSCSI daemon
+#
+iscsi = module
+
+# Layer: services
+# Module: jabber
+#
+# Jabber instant messaging server
+#
+jabber = module
+
+# Layer: apps
+# Module: kdumpgui
+#
+# system-config-kdump policy
+#
+kdumpgui = module
+
+# Layer: admin
+# Module: kdump
+#
+# kdump is kernel crash dumping mechanism
+#
+kdump = module
+
+# Layer: services
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC
+#
+kerberos = module
+
+# Layer: services
+# Module: kismet
+#
+# Wireless sniffing and monitoring
+#
+kismet = module
+
+# Layer: services
+# Module: ktalk
+#
+# KDE Talk daemon
+#
+ktalk = module
+
+# Layer: services
+# Module: ldap
+#
+# OpenLDAP directory server
+#
+ldap = module
+
+# Layer: services
+# Module: lircd
+#
+# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.
+#
+lircd = module
+
+# Layer: apps
+# Module: loadkeys
+#
+# Load keyboard mappings.
+#
+loadkeys = module
+
+# Layer: apps
+# Module: lockdev
+#
+# device locking policy for lockdev
+#
+lockdev = module
+
+# Layer: admin
+# Module: logrotate
+#
+# Rotate and archive system logs
+#
+logrotate = module
+
+# Layer: services
+# Module: logwatch
+#
+# logwatch executable
+#
+logwatch = module
+
+# Layer: services
+# Module: lpd
+#
+# Line printer daemon
+#
+lpd = module
+
+# Layer: services
+# Module: lsm
+#
+# lsm policy
+#
+lsm = module
+
+# Layer: services
+# Module: mailman
+#
+# Mailman is for managing electronic mail discussion and e-newsletter lists
+#
+mailman = module
+
+# Layer: admin
+# Module: mcelog
+#
+# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines.
+#
+mcelog = module
+
+# Layer: services
+# Module: memcached
+#
+# high-performance memory object caching system
+#
+memcached = module
+
+# Layer: services
+# Module: milter
+#
+#
+#
+milter = module
+
+# Layer: services
+# Module: modemmanager
+#
+# Manager for dynamically switching between modems.
+#
+modemmanager = module
+
+# Layer: services
+# Module: mojomojo
+#
+# Wiki server
+#
+mojomojo = module
+
+# Layer: apps
+# Module: mozilla
+#
+# Policy for Mozilla and related web browsers
+#
+mozilla = module
+
+# Layer: apps
+# Module: mplayer
+#
+# Policy for Mozilla and related web browsers
+#
+mplayer = module
+
+# Layer: admin
+# Module: mrtg
+#
+# Network traffic graphing
+#
+mrtg = module
+
+# Layer: services
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+#
+mta = module
+
+# Layer: services
+# Module: munin
+#
+# Munin
+#
+munin = module
+
+# Layer: services
+# Module: mysql
+#
+# Policy for MySQL
+#
+mysql = module
+
+# Layer: services
+# Module: nagios
+#
+# policy for nagios Host/service/network monitoring program
+#
+nagios = module
+
+# Layer: apps
+# Module: namespace
+#
+# policy for namespace.init script
+#
+namespace = module
+
+# Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+#
+networkmanager = module
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+#
+nis = module
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+#
+nscd = module
+
+# Layer: services
+# Module: nslcd
+#
+# Policy for nslcd
+#
+nslcd = module
+
+# Layer: services
+# Module: ntop
+#
+# Policy for ntop
+#
+ntop = module
+
+# Layer: services
+# Module: ntp
+#
+# Network time protocol daemon
+#
+ntp = module
+
+# Layer: services
+# Module: nx
+#
+# NX Remote Desktop
+#
+nx = module
+
+# Layer: services
+# Module: oddjob
+#
+# policy for oddjob
+#
+oddjob = module
+
+# Layer: services
+# Module: openct
+#
+# Service for handling smart card readers.
+#
+openct = off
+
+# Layer: service
+# Module: openct
+#
+# Middleware framework for smart card terminals
+#
+openct = module
+
+# Layer: services
+# Module: openvpn
+#
+# Policy for OPENVPN full-featured SSL VPN solution
+#
+openvpn = module
+
+# Layer: contrib
+# Module: prelude
+#
+# SELinux policy for prelude
+#
+prelude = module
+
+# Layer: contrib
+# Module: prosody
+#
+# SELinux policy for prosody flexible communications server for Jabber/XMPP
+#
+prosody = module
+
+# Layer: services
+# Module: pads
+#
+pads = module
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+#
+pcmcia = module
+
+# Layer: service
+# Module: pcscd
+#
+# PC/SC Smart Card Daemon
+#
+pcscd = module
+
+# Layer: services
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+pegasus = module
+
+
+# Layer: services
+# Module: pingd
+#
+#
+pingd = module
+
+# Layer: services
+# Module: piranha
+#
+# piranha - various tools to administer and configure the Linux Virtual Server
+#
+piranha = module
+
+# Layer: services
+# Module: plymouthd
+#
+# Plymouth
+#
+plymouthd = module
+
+# Layer: apps
+# Module: podsleuth
+#
+# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
+#
+podsleuth = module
+
+# Layer: services
+# Module: policykit
+#
+# Hardware abstraction layer
+#
+policykit = module
+
+# Layer: services
+# Module: polipo
+#
+# polipo
+#
+polipo = module
+
+# Layer: services
+# Module: portmap
+#
+# RPC port mapping service.
+#
+portmap = module
+
+# Layer: services
+# Module: portreserve
+#
+# reserve ports to prevent portmap mapping them
+#
+portreserve = module
+
+# Layer: services
+# Module: postfix
+#
+# Postfix email server
+#
+postfix = module
+
+o# Layer: services
+# Module: postgrey
+#
+# email scanner
+#
+postgrey = module
+
+# Layer: services
+# Module: ppp
+#
+# Point to Point Protocol daemon creates links in ppp networks
+#
+ppp = module
+
+# Layer: admin
+# Module: prelink
+#
+# Manage temporary directory sizes and file ages
+#
+prelink = module
+
+unprivuser = module
+
+# Layer: services
+# Module: privoxy
+#
+# Privacy enhancing web proxy.
+#
+privoxy = module
+
+# Layer: services
+# Module: procmail
+#
+# Procmail mail delivery agent
+#
+procmail = module
+
+# Layer: services
+# Module: psad
+#
+# Analyze iptables log for hostile traffic
+#
+psad = module
+
+# Layer: apps
+# Module: ptchown
+#
+# helper function for grantpt(3), changes ownship and permissions of pseudotty
+#
+ptchown = module
+
+# Layer: services
+# Module: publicfile
+#
+# publicfile supplies files to the public through HTTP and FTP
+#
+publicfile = module
+
+# Layer: apps
+# Module: pulseaudio
+#
+# The PulseAudio Sound System
+#
+pulseaudio = module
+
+# Layer: services
+# Module: qmail
+#
+# Policy for qmail
+#
+qmail = module
+
+# Layer: services
+# Module: qpidd
+#
+# Policy for qpidd
+#
+qpid = module
+
+# Layer: admin
+# Module: quota
+#
+# File system quota management
+#
+quota = module
+
+# Layer: services
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+#
+radius = module
+
+# Layer: services
+# Module: radvd
+#
+# IPv6 router advertisement daemon
+#
+radvd = module
+
+# Layer: system
+# Module: raid
+#
+# RAID array management tools
+#
+raid = module
+
+# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+#
+rdisc = module
+
+# Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+#
+readahead = module
+
+# Layer: services
+# Module: remotelogin
+#
+# Policy for rshd, rlogind, and telnetd.
+#
+remotelogin = module
+
+# Layer: services
+# Module: rhcs
+#
+# RHCS - Red Hat Cluster Suite
+#
+rhcs = module
+
+# Layer: services
+# Module: rhgb
+#
+# X windows login display manager
+#
+rhgb = module
+
+# Layer: services
+# Module: ricci
+#
+# policy for ricci
+#
+ricci = module
+
+# Layer: services
+# Module: rlogin
+#
+# Remote login daemon
+#
+rlogin = module
+
+# Layer: services
+# Module: roundup
+#
+# Roundup Issue Tracking System policy
+#
+roundup = module
+
+# Layer: services
+# Module: rpcbind
+#
+# universal addresses to RPC program number mapper
+#
+rpcbind = module
+
+# Layer: services
+# Module: rpc
+#
+# Remote Procedure Call Daemon for managment of network based process communication
+#
+rpc = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = module
+
+# Layer: services
+# Module: rshd
+#
+# Remote shell service.
+#
+rshd = module
+
+# Layer: services
+# Module: rsync
+#
+# Fast incremental file transfer for synchronization
+#
+rsync = module
+
+# Layer: services
+# Module: rtkit
+#
+# Real Time Kit Daemon
+#
+rtkit = module
+
+# Layer: services
+# Module: rwho
+#
+# who is logged in on local machines
+#
+rwho = module
+
+# Layer: apps
+# Module: sambagui
+#
+# policy for system-config-samba
+#
+sambagui = module
+
+#
+# SMB and CIFS client/server programs for UNIX and
+# name Service Switch daemon for resolving names
+# from Windows NT servers.
+#
+samba = module
+
+# Layer: services
+# Module: sasl
+#
+# SASL authentication server
+#
+sasl = module
+
+# Layer: apps
+# Module: screen
+#
+# GNU terminal multiplexer
+#
+screen = module
+
+# Layer: services
+# Module: sendmail
+#
+# Policy for sendmail.
+#
+sendmail = module
+
+# Layer: services
+# Module: setroubleshoot
+#
+# Policy for the SELinux troubleshooting utility
+#
+setroubleshoot = module
+
+# Layer: admin
+# Module: shorewall
+#
+# Policy for shorewall
+#
+shorewall = module
+
+# Layer: apps
+# Module: slocate
+#
+# Update database for mlocate
+#
+slocate = module
+
+# Layer: services
+# Module: slrnpull
+#
+# Service for downloading news feeds the slrn newsreader.
+#
+slrnpull = off
+
+# Layer: services
+# Module: smartmon
+#
+# Smart disk monitoring daemon policy
+#
+smartmon = module
+
+# Layer: services
+# Module: snmp
+#
+# Simple network management protocol services
+#
+snmp = module
+
+# Layer: services
+# Module: snort
+#
+# Snort network intrusion detection system
+#
+snort = module
+
+# Layer: admin
+# Module: sosreport
+#
+# sosreport debuggin information generator
+#
+sosreport = module
+
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+#
+soundserver = module
+
+# Layer: services
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+#
+spamassassin = module
+
+# Layer: services
+# Module: squid
+#
+# Squid caching http proxy server
+#
+squid = module
+
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+#
+stunnel = module
+
+# Layer: services
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+#
+sysstat = module
+
+# Layer: services
+# Module: tcpd
+#
+# Policy for TCP daemon.
+#
+tcpd = module
+
+# Layer: services
+# Module: tcsd
+#
+# tcsd - daemon that manages Trusted Computing resources
+#
+tcsd = module
+
+# Layer: apps
+# Module: telepathy
+#
+# telepathy - Policy for Telepathy framework
+#
+telepathy = module
+
+# Layer: services
+# Module: telnet
+#
+# Telnet daemon
+#
+telnet = module
+
+# Layer: services
+# Module: tftp
+#
+# Trivial file transfer protocol daemon
+#
+tftp = module
+
+# Layer: services
+# Module: tgtd
+#
+# Linux Target Framework Daemon.
+#
+tgtd = module
+
+# Layer: apps
+# Module: thumb
+#
+# Thumbnailer confinement
+#
+thumb = module
+
+# Layer: services
+# Module: timidity
+#
+# MIDI to WAV converter and player configured as a service
+#
+timidity = off
+
+# Layer: admin
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+#
+tmpreaper = module
+
+# Layer: services
+# Module: tor
+#
+# TOR, the onion router
+#
+tor = module
+
+# Layer: services
+# Module: ksmtuned
+#
+# Kernel Samepage Merging (KSM) Tuning Daemon
+#
+ksmtuned = module
+
+# Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: apps
+# Module: tvtime
+#
+# tvtime - a high quality television application
+#
+tvtime = module
+
+# Layer: services
+# Module: ulogd
+#
+#
+#
+ulogd = module
+
+# Layer: apps
+# Module: uml
+#
+# Policy for UML
+#
+uml = module
+
+# Layer: admin
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+#
+updfstab = module
+
+# Layer: admin
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+#
+usbmodules = module
+
+# Layer: apps
+# Module: userhelper
+#
+# A helper interface to pam.
+#
+userhelper = module
+
+# Layer: apps
+# Module: usernetctl
+#
+# User network interface configuration helper
+#
+usernetctl = module
+
+# Layer: services
+# Module: uucp
+#
+# Unix to Unix Copy
+#
+uucp = module
+
+# Layer: services
+# Module: virt
+#
+# Virtualization libraries
+#
+virt = module
+
+# Layer: apps
+# Module: vmware
+#
+# VMWare Workstation virtual machines
+#
+vmware = module
+
+# Layer: contrib
+# Module: openvswitch
+#
+# SELinux policy for openvswitch programs
+#
+openvswitch = module
+
+# Layer: admin
+# Module: vpn
+#
+# Virtual Private Networking client
+#
+vpn = module
+
+# Layer: services
+# Module: w3c
+#
+# w3c
+#
+w3c = module
+
+# Layer: role
+# Module: webadm
+#
+# Minimally prived root role for managing apache
+#
+webadm = module
+
+# Layer: apps
+# Module: webalizer
+#
+# Web server log analysis
+#
+webalizer = module
+
+# Layer: apps
+# Module: wine
+#
+# wine executable
+#
+wine = module
+
+# Layer: apps
+# Module: wireshark
+#
+# wireshark executable
+#
+wireshark = module
+
+# Layer: apps
+# Module: wm
+#
+# X windows window manager
+#
+wm = module
+
+# Layer: system
+# Module: xen
+#
+# virtualization software
+#
+xen = module
+
+# Layer: role
+# Module: xguest
+#
+# Minimally privs guest account on X Windows logins
+#
+xguest = module
+
+# Layer: services
+# Module: zabbix
+#
+# Open-source monitoring solution for your IT infrastructure
+#
+zabbix = module
+
+# Layer: services
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+#
+zebra = module
+
+# Layer: services
+# Module: zosremote
+#
+# policy for z/OS Remote-services Audit dispatcher plugin
+#
+zosremote = module
+
+# Layer: contrib
+# Module: mandb
+#
+# Policy for mandb
+#
+mandb = module
diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf
index ad5a0cc..f2e2ca2 100644
--- a/modules-targeted-base.conf
+++ b/modules-targeted-base.conf
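Review bot: The postgrey block in modules-mls-contrib.conf begins with `o# Layer: services`, a stray leading character that turns the header comment into a non-comment line; it should read `# Layer: services`. The file also assigns openct twice, first `openct = off` and later `openct = module` under a `# Layer: service` header, so the effective value depends on how the parser treats duplicates and one of the two entries should go; `unprivuser = module` likewise stands alone with no header block. Several header/value pairs disagree (`# Module: qpidd` over `qpid = module`, `# Module: entropy` over `entropyd = module`), and the descriptions for games, gpg, mplayer, policykit and rhgb appear to be copied from other modules (games is described as `# The Open Group Pegasus CIM/WBEM Server.`). Cleaning these up before the file is relied on avoids silently enabling or disabling the wrong module.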
@@ -1,15 +1,9 @@ +# Layer: kernel +# Module: bootloader # -# This file contains a listing of available modules. -# To prevent a module from being used in policy -# creation, set the module name to "off". -# -# For monolithic policies, modules set to "base" and "module" -# will be built into the policy. -# -# For modular policies, modules set to "base" will be -# included in the base module. "module" will be compiled -# as individual loadable modules. -# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module # Layer: kernel # Module: corecommands @@ -17,7 +11,7 @@ # # Core policy for shells, and generic programs # in /bin, /sbin, /usr/bin, and /usr/sbin. -# +# corecommands = base # Layer: kernel 
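Review bot: The first hunk drops the file-level comment that documented what `off`, `base` and `module` mean for this listing, and nothing on the new side replaces it; that explanation should be kept above the first entry, since the same values are still used throughout the file. The bootloader block is added under `# Layer: kernel`, whereas the entry removed in the `@@ -25,216 +19,9 @@` hunk listed it under `# Layer: admin`; if the module did not actually move layers, the header should stay `# Layer: admin`.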
@@ -25,216 +19,9 @@ corecommands = base # Required in base # # Policy controlling access to network objects -# +# corenetwork = base -# Layer: kernel -# Module: devices -# Required in base -# -# Device nodes and interfaces for many basic system devices. -# -devices = base - -# Layer: kernel -# Module: domain -# Required in base -# -# Core policy for domains. -# -domain = base - -# Layer: kernel -# Module: files -# Required in base -# -# Basic filesystem types and interfaces. -# -files = base - -# Layer: kernel -# Module: filesystem -# Required in base -# -# Policy for filesystems. -# -filesystem = base - -# Layer: kernel -# Module: kernel -# Required in base -# -# Policy for kernel threads, proc filesystem, -# and unlabeled processes and objects. -# -kernel = base - -# Layer: kernel -# Module: mcs -# Required in base -# -# Multicategory security policy -# -mcs = base - -# Layer: kernel -# Module: mls -# Required in base -# -# Multilevel security policy -# -mls = base - -# Layer: kernel -# Module: selinux -# Required in base -# -# Policy for kernel security interface, in particular, selinuxfs. -# -selinux = base - -# Layer: kernel -# Module: terminal -# Required in base -# -# Policy for terminals. -# -terminal = base - -# Layer: kernel -# Module: ubac -# Required in base -# -# User-based access control policy -# -ubac = base - -# Layer: admin -# Module: acct -# -# Berkeley process accounting. -# -acct = module - -# Layer: admin -# Module: aide -# -# Aide filesystem integrity checker. -# -aide = module - -# Layer: admin -# Module: alsa -# -# Advanced Linux Sound Architecture utilities. -# -alsa = module - -# Layer: admin -# Module: amanda -# -# Advanced Maryland Automatic Network Disk Archiver. -# -amanda = module - -# Layer: admin -# Module: amtu -# -# Abstract Machine Test Utility. -# -amtu = module - -# Layer: admin -# Module: anaconda -# -# Anaconda installer. -# -anaconda = module - -# Layer: admin -# Module: apt -# -# Advanced package tool. 
-# -apt = module - -# Layer: admin -# Module: backup -# -# System backup scripts. -# -backup = module - -# Layer: admin -# Module: bacula -# -# Cross platform network backup. -# -bacula = module - -# Layer: admin -# Module: bcfg2 -# -# configuration management suite. -# -bcfg2 = module - -# Layer: admin -# Module: blueman -# -# Tool to manage Bluetooth devices. -# -blueman = module - -# Layer: admin -# Module: bootloader -# -# Policy for the kernel modules, kernel image, and bootloader. -# -bootloader = module - -# Layer: admin -# Module: brctl -# -# Utilities for configuring the Linux ethernet bridge. -# -brctl = module - -# Layer: admin -# Module: certwatch -# -# Digital Certificate Tracking. -# -certwatch = module - -# Layer: admin -# Module: cfengine -# -# System administration tool for networks. -# -cfengine = module - -# Layer: admin -# Module: chkrootkit -# -# chkrootkit - rootkit checker. -# -chkrootkit = module - -# Layer: admin -# Module: consoletype -# -# Determine of the console connected to the controlling terminal. -# -consoletype = module - -# Layer: admin -# Module: ddcprobe -# -# ddcprobe retrieves monitor and graphics card information. -# -ddcprobe = module - # Layer: admin # Module: dmesg # 
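Review bot: This hunk removes every kernel-layer entry marked `# Required in base` (devices, domain, files, filesystem, kernel, mcs, mls, selinux, terminal, ubac) from modules-targeted-base.conf, leaving only corecommands and corenetwork assigned `base`. If this file still determines what goes into the base module, the build would lose core kernel, domain and access-control (mcs/mls/ubac) policy; the build tooling is not visible here, so it is worth confirming these entries are supplied elsewhere before merging. The trailing whitespace introduced by changing `#` to `# ` on the corenetwork comment also appears in the `@@ -17,7 +11,7 @@` hunk; `#` alone matches the rest of the file.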
@@ -242,111 +29,6 @@ ddcprobe = module # dmesg = module -# Layer: admin -# Module: dmidecode -# -# Decode DMI data for x86/ia64 bioses. -# -dmidecode = module - -# Layer: admin -# Module: dphysswapfile -# -# Set up, mount/unmount, and delete an swap file. -# -dphysswapfile = module - -# Layer: admin -# Module: dpkg -# -# Debian package manager. -# -dpkg = module - -# Layer: admin -# Module: fakehwclock -# -# fake-hwclock - Control fake hardware clock. -# -fakehwclock = module - -# Layer: admin -# Module: firstboot -# -# Initial system configuration utility. -# -firstboot = module - -# Layer: admin -# Module: hwloc -# -# Dump topology and locality information from hardware tables. -# -hwloc = module - -# Layer: admin -# Module: kdump -# -# Kernel crash dumping mechanism. -# -kdump = module - -# Layer: admin -# Module: kdumpgui -# -# System-config-kdump GUI. -# -kdumpgui = module - -# Layer: admin -# Module: kismet -# -# IEEE 802.11 wireless LAN sniffer. -# -kismet = module - -# Layer: admin -# Module: kudzu -# -# Hardware detection and configuration tools. -# -kudzu = module - -# Layer: admin -# Module: logrotate -# -# Rotates, compresses, removes and mails system log files. -# -logrotate = module - -# Layer: admin -# Module: logwatch -# -# System log analyzer and reporter. -# -logwatch = module - -# Layer: admin -# Module: mcelog -# -# Linux hardware error daemon. -# -mcelog = module - -# Layer: admin -# Module: mrtg -# -# Network traffic graphing. -# -mrtg = module - -# Layer: admin -# Module: ncftool -# -# Cross-platform network configuration library. -# -ncftool = module - # Layer: admin # Module: netutils # 
@@ -354,118 +36,6 @@ ncftool = module # netutils = module -# Layer: admin -# Module: passenger -# -# Ruby on rails deployment for Apache and Nginx servers. -# -passenger = module - -# Layer: admin -# Module: portage -# -# Package Management System. -# -portage = module - -# Layer: admin -# Module: prelink -# -# Prelink ELF shared library mappings. -# -prelink = module - -# Layer: admin -# Module: puppet -# -# Configuration management system. -# -puppet = module - -# Layer: admin -# Module: quota -# -# File system quota management. -# -quota = module - -# Layer: admin -# Module: readahead -# -# Read files into page cache for improved performance. -# -readahead = module - -# Layer: admin -# Module: rkhunter -# -# rkhunter - rootkit checker. -# -rkhunter = module - -# Layer: admin -# Module: rpm -# -# Redhat package manager. -# -rpm = module - -# Layer: admin -# Module: samhain -# -# Check file integrity. -# -samhain = module - -# Layer: admin -# Module: sblim -# -# Standards Based Linux Instrumentation for Manageability. -# -sblim = module - -# Layer: admin -# Module: sectoolm -# -# Sectool security audit tool. -# -sectoolm = module - -# Layer: admin -# Module: shorewall -# -# Shoreline Firewall high-level tool for configuring netfilter. -# -shorewall = module - -# Layer: admin -# Module: shutdown -# -# System shutdown command. -# -shutdown = module - -# Layer: admin -# Module: smoltclient -# -# The Fedora hardware profiler client. -# -smoltclient = module - -# Layer: admin -# Module: sosreport -# -# Generate debugging information for system. -# -sosreport = module - -# Layer: admin -# Module: su -# -# Run shells with substitute user and group. -# -su = module - # Layer: admin # Module: sudo # 
@@ -474,53 +44,11 @@ su = module sudo = module # Layer: admin -# Module: sxid +# Module: su # -# SUID/SGID program monitoring. +# Run shells with substitute user and group # -sxid = module - -# Layer: admin -# Module: tboot -# -# Utilities for the tboot TXT module. -# -tboot = module - -# Layer: admin -# Module: tmpreaper -# -# Manage temporary directory sizes and file ages. -# -tmpreaper = module - -# Layer: admin -# Module: tripwire -# -# File integrity checker. -# -tripwire = module - -# Layer: admin -# Module: tzdata -# -# Time zone updater. -# -tzdata = module - -# Layer: admin -# Module: updfstab -# -# Red Hat utility to change fstab. -# -updfstab = module - -# Layer: admin -# Module: usbmodules -# -# List kernel modules of USB devices. -# -usbmodules = module +su = module # Layer: admin # Module: usermanage 
@@ -529,1623 +57,166 @@ usbmodules = module # usermanage = module -# Layer: admin -# Module: vbetool -# -# run real-mode video BIOS code to alter hardware state. -# -vbetool = module - -# Layer: admin -# Module: vpn -# -# Virtual Private Networking client. -# -vpn = module - -# Layer: apps -# Module: ada -# -# GNAT Ada95 compiler. -# -ada = module - -# Layer: apps -# Module: awstats -# -# Log file analyzer for advanced statistics. -# -awstats = module - -# Layer: apps -# Module: calamaris -# -# Squid log analysis. -# -calamaris = module - -# Layer: apps -# Module: cdrecord -# -# Record audio or data Compact Discs from a master. -# -cdrecord = module - -# Layer: apps -# Module: cpufreqselector -# -# Command-line CPU frequency settings. -# -cpufreqselector = module - -# Layer: apps -# Module: evolution -# -# Evolution email client. -# -evolution = module - -# Layer: apps -# Module: firewallgui -# -# system-config-firewall dbus system service. -# -firewallgui = module - -# Layer: apps -# Module: games -# -# Various games. -# -games = module - -# Layer: apps -# Module: gift -# -# Peer to peer file sharing tool. -# -gift = module - -# Layer: apps -# Module: gitosis -# -# Tools for managing and hosting git repositories. -# -gitosis = module - -# Layer: apps -# Module: gnome -# -# GNU network object model environment. -# -gnome = module - -# Layer: apps -# Module: gpg -# -# Policy for GNU Privacy Guard and related programs. -# -gpg = module - -# Layer: apps -# Module: irc -# -# IRC client policy. -# -irc = module - -# Layer: apps -# Module: java -# -# Java virtual machine -# -java = module - -# Layer: apps -# Module: libmtp -# -# libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP). -# -libmtp = module - -# Layer: apps -# Module: lightsquid -# -# Log analyzer for squid proxy. -# -lightsquid = module - -# Layer: apps -# Module: livecd -# -# Tool for building alternate livecd for different os and policy versions. 
-# -livecd = module - -# Layer: apps -# Module: loadkeys -# -# Load keyboard mappings. -# -loadkeys = module - -# Layer: apps -# Module: lockdev -# -# Library for locking devices. -# -lockdev = module - -# Layer: apps -# Module: man2html -# -# A Unix manpage-to-HTML converter. -# -man2html = module - -# Layer: apps -# Module: mandb -# -# On-line manual database. -# -mandb = module - -# Layer: apps -# Module: mono -# -# Run .NET server and client applications on Linux. -# -mono = module - -# Layer: apps -# Module: mozilla -# -# Policy for Mozilla and related web browsers. -# -mozilla = module - -# Layer: apps -# Module: mplayer -# -# Mplayer media player and encoder. -# -mplayer = module - -# Layer: apps -# Module: openoffice -# -# Openoffice suite. -# -openoffice = module - -# Layer: apps -# Module: podsleuth -# -# Podsleuth is a tool to get information about an Apple (TM) iPod (TM). -# -podsleuth = module - -# Layer: apps -# Module: ptchown -# -# helper function for grantpt(3), changes ownship and permissions of pseudotty. -# -ptchown = module - -# Layer: apps -# Module: pulseaudio -# -# Pulseaudio network sound server. -# -pulseaudio = module - -# Layer: apps -# Module: qemu -# -# QEMU machine emulator and virtualizer. -# -qemu = module - -# Layer: apps -# Module: rssh -# -# Restricted (scp/sftp) only shell. -# -rssh = module - -# Layer: apps -# Module: sambagui -# -# system-config-samba dbus service. -# -sambagui = module - -# Layer: apps -# Module: screen -# -# GNU terminal multiplexer. -# -screen = module - # Layer: apps # Module: seunshare # -# Filesystem namespacing/polyinstantiation application. +# seunshare executable # seunshare = module -# Layer: apps -# Module: slocate +# Module: devices +# Required in base # -# Update database for mlocate. +# Device nodes and interfaces for many basic system devices. 
# -slocate = module +devices = base -# Layer: apps -# Module: syncthing +# Module: domain +# Required in base # -# Application that lets you synchronize your files across multiple devices. +# Core policy for domains. # -syncthing = module +domain = base -# Layer: apps -# Module: telepathy +# Layer: system +# Module: userdomain # -# Telepathy communications framework. +# Policy for user domains # -telepathy = module +userdomain = module -# Layer: apps -# Module: thunderbird +# Module: files +# Required in base # -# Thunderbird email client. +# Basic filesystem types and interfaces. # -thunderbird = module +files = base -# Layer: apps -# Module: tvtime +# Layer: system +# Module: miscfiles # -# High quality television application. +# Miscelaneous files. # -tvtime = module +miscfiles = module -# Layer: apps -# Module: uml +# Module: filesystem +# Required in base # -# User mode linux tools and services. +# Policy for filesystems. # -uml = module +filesystem = base -# Layer: apps -# Module: userhelper +# Module: kernel +# Required in base # -# A wrapper that helps users run system programs. +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. # -userhelper = module +kernel = base -# Layer: apps -# Module: usernetctl +# Module: mcs +# Required in base # -# User network interface configuration helper. +# MultiCategory security policy # -usernetctl = module +mcs = base -# Layer: apps -# Module: vlock +# Module: mls +# Required in base # -# Lock one or more sessions on the Linux console. +# Multilevel security policy # -vlock = module +mls = base -# Layer: apps -# Module: vmware +# Module: selinux +# Required in base # -# VMWare Workstation virtual machines. +# Policy for kernel security interface, in particular, selinuxfs. # -vmware = module - -# Layer: apps -# Module: webalizer -# -# Web server log analysis. -# -webalizer = module - -# Layer: apps -# Module: wine -# -# Run Windows programs in Linux. 
-# -wine = module - -# Layer: apps -# Module: wireshark -# -# Wireshark packet capture tool. -# -wireshark = module - -# Layer: apps -# Module: wm -# -# X Window Managers. -# -wm = module - -# Layer: apps -# Module: xscreensaver -# -# Modular screen saver and locker for X11. -# -xscreensaver = module - -# Layer: apps -# Module: yam -# -# Yum/Apt Mirroring. -# -yam = module +selinux = base # Layer: kernel # Module: storage # # Policy controlling access to storage devices # -storage = module +storage = base -# Layer: roles +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: ubac +# +# +# +ubac = base + +# Layer: kernel +# Module: unconfined +# +# The unlabelednet module. +# +unlabelednet = module + +# Layer: role # Module: auditadm # -# Audit administrator role +# auditadm account on tty logins # auditadm = module -# Layer: roles -# Module: dbadm -# -# Database administrator role. -# -dbadm = module - -# Layer: roles -# Module: guest -# -# Least privledge terminal user role. -# -guest = module - -# Layer: roles +# Layer: role # Module: logadm # -# Log administrator role +# Minimally prived root role for managing logging system # logadm = module -# Layer: roles +# Layer: role # Module: secadm # -# Security administrator role +# secadm account on tty logins # secadm = module -# Layer: roles +# Layer:role +# Module: sysadm_secadm +# +# System Administrator with Security Admin rules +# +sysadm_secadm = module + # Module: staff # -# Administrator's unprivileged user role +# admin account # staff = module -# Layer: roles +# Layer:role # Module: sysadm # -# General system administration role +# System Administrator # sysadm = module -# Layer: roles +# Layer: role +# Module: unconfineduser +# +# The unconfined user domain. 
+# +unconfineduser = module + +# Layer: role # Module: unprivuser # -# Generic unprivileged user role +# Minimally privs guest account on tty logins # unprivuser = module -# Layer: roles -# Module: webadm -# -# Web administrator role. -# -webadm = module - -# Layer: roles -# Module: xguest -# -# Least privledge xwindows user role. -# -xguest = module - -# Layer: services -# Module: abrt -# -# Automated bug-reporting tool. -# -abrt = module - -# Layer: services -# Module: accountsd -# -# AccountsService and daemon for manipulating user account information via D-Bus. -# -accountsd = module - -# Layer: services -# Module: acpi -# -# Advanced power management. -# -acpi = module - -# Layer: services -# Module: afs -# -# Andrew Filesystem server. -# -afs = module - -# Layer: services -# Module: aiccu -# -# Automatic IPv6 Connectivity Client Utility. -# -aiccu = module - -# Layer: services -# Module: aisexec -# -# Aisexec Cluster Engine. -# -aisexec = module - -# Layer: services -# Module: amavis -# -# High-performance interface between an email server and content checkers. -# -amavis = module - -# Layer: services -# Module: apache -# -# Various web servers. -# -apache = module - -# Layer: services -# Module: apcupsd -# -# APC UPS monitoring daemon. -# -apcupsd = module - -# Layer: services -# Module: arpwatch -# -# Ethernet activity monitor. -# -arpwatch = module - -# Layer: services -# Module: asterisk -# -# Asterisk IP telephony server. -# -asterisk = module - -# Layer: services -# Module: automount -# -# Filesystem automounter service. -# -automount = module - -# Layer: services -# Module: avahi -# -# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture. -# -avahi = module - -# Layer: services -# Module: bind -# -# Berkeley Internet name domain DNS server. -# -bind = module - -# Layer: services -# Module: bird -# -# BIRD Internet Routing Daemon. 
-# -bird = module - -# Layer: services -# Module: bitlbee -# -# Tunnels instant messaging traffic to a virtual IRC channel. -# -bitlbee = module - -# Layer: services -# Module: bluetooth -# -# Bluetooth tools and system services. -# -bluetooth = module - -# Layer: services -# Module: boinc -# -# Platform for computing using volunteered resources. -# -boinc = module - -# Layer: services -# Module: bugzilla -# -# Bugtracker. -# -bugzilla = module - -# Layer: services -# Module: cachefilesd -# -# CacheFiles user-space management daemon. -# -cachefilesd = module - -# Layer: services -# Module: callweaver -# -# PBX software. -# -callweaver = module - -# Layer: services -# Module: canna -# -# Kana-kanji conversion server. -# -canna = module - -# Layer: services -# Module: ccs -# -# Cluster Configuration System. -# -ccs = module - -# Layer: services -# Module: certmaster -# -# Remote certificate distribution framework. -# -certmaster = module - -# Layer: services -# Module: certmonger -# -# Certificate status monitor and PKI enrollment client. -# -certmonger = module - -# Layer: services -# Module: cgmanager -# -# Control Group manager daemon. -# -cgmanager = module - -# Layer: services -# Module: cgroup -# -# libcg is a library that abstracts the control group file system in Linux. -# -cgroup = module - -# Layer: services -# Module: chronyd -# -# Chrony NTP background daemon. -# -chronyd = module - -# Layer: services -# Module: cipe -# -# Encrypted tunnel daemon. -# -cipe = module - -# Layer: services -# Module: clamav -# -# ClamAV Virus Scanner. -# -clamav = module - -# Layer: services -# Module: clockspeed -# -# Clock speed measurement and manipulation. -# -clockspeed = module - -# Layer: services -# Module: clogd -# -# Clustered Mirror Log Server. -# -clogd = module - -# Layer: services -# Module: cmirrord -# -# Cluster mirror log daemon. -# -cmirrord = module - -# Layer: services -# Module: cobbler -# -# Cobbler installation server. 
-# -cobbler = module - -# Layer: services -# Module: collectd -# -# Statistics collection daemon for filling RRD files. -# -collectd = module - -# Layer: services -# Module: colord -# -# GNOME color manager. -# -colord = module - -# Layer: services -# Module: comsat -# -# Comsat, a biff server. -# -comsat = module - -# Layer: services -# Module: condor -# -# High-Throughput Computing System. -# -condor = module - -# Layer: services -# Module: consolekit -# -# Framework for facilitating multiple user sessions on desktops. -# -consolekit = module - -# Layer: services -# Module: corosync -# -# Corosync Cluster Engine. -# -corosync = module - -# Layer: services -# Module: couchdb -# -# Document database server. -# -couchdb = module - -# Layer: services -# Module: courier -# -# Courier IMAP and POP3 email servers. -# -courier = module - -# Layer: services -# Module: cpucontrol -# -# Services for loading CPU microcode and CPU frequency scaling. -# -cpucontrol = module - -# Layer: services -# Module: cron -# -# Periodic execution of scheduled commands. -# -cron = module - -# Layer: services -# Module: ctdb -# -# Clustered Database based on Samba Trivial Database. -# -ctdb = module - -# Layer: services -# Module: cups -# -# Common UNIX printing system. -# -cups = module - -# Layer: services -# Module: cvs -# -# Concurrent versions system. -# -cvs = module - -# Layer: services -# Module: cyphesis -# -# Cyphesis WorldForge game server. -# -cyphesis = module - -# Layer: services -# Module: cyrus -# -# Cyrus is an IMAP service intended to be run on sealed servers. -# -cyrus = module - -# Layer: services -# Module: dante -# -# Dante msproxy and socks4/5 proxy server. -# -dante = module - -# Layer: services -# Module: dbskk -# -# Dictionary server for the SKK Japanese input method system. -# -dbskk = module - -# Layer: services -# Module: dbus -# -# Desktop messaging bus. 
-# -dbus = module - -# Layer: services -# Module: dcc -# -# Distributed checksum clearinghouse spam filtering. -# -dcc = module - -# Layer: services -# Module: ddclient -# -# Update dynamic IP address at DynDNS.org. -# -ddclient = module - -# Layer: services -# Module: denyhosts -# -# SSH dictionary attack mitigation. -# -denyhosts = module - -# Layer: services -# Module: devicekit -# -# Devicekit modular hardware abstraction layer. -# -devicekit = module - -# Layer: services -# Module: dhcp -# -# Dynamic host configuration protocol server. -# -dhcp = module - -# Layer: services -# Module: dictd -# -# Dictionary daemon. -# -dictd = module - -# Layer: services -# Module: dirmngr -# -# Server for managing and downloading certificate revocation lists. -# -dirmngr = module - -# Layer: services -# Module: distcc -# -# Distributed compiler daemon. -# -distcc = module - -# Layer: services -# Module: djbdns -# -# Small and secure DNS daemon. -# -djbdns = module - -# Layer: services -# Module: dkim -# -# DomainKeys Identified Mail milter. -# -dkim = module - -# Layer: services -# Module: dnsmasq -# -# DNS forwarder and DHCP server. -# -dnsmasq = module - -# Layer: services -# Module: dnssectrigger -# -# Enables DNSSEC protection for DNS traffic. -# -dnssectrigger = module - -# Layer: services -# Module: dovecot -# -# POP and IMAP mail server. -# -dovecot = module - -# Layer: services -# Module: drbd -# -# Mirrors a block device over the network to another machine. -# -drbd = module - -# Layer: services -# Module: dspam -# -# Content-based spam filter designed for multi-user enterprise systems. -# -dspam = module - -# Layer: services -# Module: entropyd -# -# Generate entropy from audio input. -# -entropyd = module - -# Layer: services -# Module: exim -# -# Mail transfer agent. -# -exim = module - -# Layer: services -# Module: fail2ban -# -# Update firewall filtering to ban IP addresses with too many password failures. 
-# -fail2ban = module - -# Layer: services -# Module: fcoe -# -# Fibre Channel over Ethernet utilities. -# -fcoe = module - -# Layer: services -# Module: fetchmail -# -# Remote-mail retrieval and forwarding utility. -# -fetchmail = module - -# Layer: services -# Module: finger -# -# Finger user information service. -# -finger = module - -# Layer: services -# Module: firewalld -# -# Service daemon with a D-BUS interface that provides a dynamic managed firewall. -# -firewalld = module - -# Layer: services -# Module: fprintd -# -# DBus fingerprint reader service. -# -fprintd = module - -# Layer: services -# Module: ftp -# -# File transfer protocol service. -# -ftp = module - -# Layer: services -# Module: gatekeeper -# -# OpenH.323 Voice-Over-IP Gatekeeper. -# -gatekeeper = module - -# Layer: services -# Module: gdomap -# -# GNUstep distributed object mapper. -# -gdomap = module - -# Layer: services -# Module: geoclue -# -# Geoclue is a D-Bus service that provides location information. -# -geoclue = module - -# Layer: services -# Module: git -# -# GIT revision control system. -# -git = module - -# Layer: services -# Module: glance -# -# OpenStack image registry and delivery service. -# -glance = module - -# Layer: services -# Module: glusterfs -# -# Cluster File System binary, daemon and command line. -# -glusterfs = module - -# Layer: services -# Module: gnomeclock -# -# Gnome clock handler for setting the time. -# -gnomeclock = module - -# Layer: services -# Module: gpm -# -# General Purpose Mouse driver. -# -gpm = module - -# Layer: services -# Module: gpsd -# -# gpsd monitor daemon. -# -gpsd = module - -# Layer: services -# Module: gssproxy -# -# policy for gssproxy - daemon to proxy GSSAPI context establishment and channel handling -# -gssproxy = module - -# Layer: services -# Module: hadoop -# -# Software for reliable, scalable, distributed computing. -# -hadoop = module - -# Layer: services -# Module: hal -# -# Hardware abstraction layer. 
-# -hal = module - -# Layer: services -# Module: hddtemp -# -# Hard disk temperature tool running as a daemon. -# -hddtemp = module - -# Layer: services -# Module: howl -# -# Port of Apple Rendezvous multicast DNS. -# -howl = module - -# Layer: services -# Module: hypervkvp -# -# HyperV key value pair (KVP). -# -hypervkvp = module - -# Layer: services -# Module: i18n_input -# -# IIIMF htt server. -# -i18n_input = module - -# Layer: services -# Module: icecast -# -# ShoutCast compatible streaming media server. -# -icecast = module - -# Layer: services -# Module: ifplugd -# -# Bring up/down ethernet interfaces based on cable detection. -# -ifplugd = module - -# Layer: services -# Module: imaze -# -# iMaze game server. -# -imaze = module - -# Layer: services -# Module: inetd -# -# Internet services daemon. -# -inetd = module - -# Layer: services -# Module: inn -# -# Internet News NNTP server. -# -inn = module - -# Layer: services -# Module: iodine -# -# IP over DNS tunneling daemon. -# -iodine = module - -# Layer: services -# Module: ircd -# -# IRC servers. -# -ircd = module - -# Layer: services -# Module: irqbalance -# -# IRQ balancing daemon. -# -irqbalance = module - -# Layer: services -# Module: isns -# -# Internet Storage Name Service. -# -isns = module - -# Layer: services -# Module: jabber -# -# Jabber instant messaging servers. -# -jabber = module - -# Layer: services -# Module: jockey -# -# Jockey driver manager. -# -jockey = module - -# Layer: services -# Module: kerberos -# -# MIT Kerberos admin and KDC. -# -kerberos = module - -# Layer: services -# Module: kerneloops -# -# Service for reporting kernel oopses to kerneloops.org. -# -kerneloops = module - -# Layer: services -# Module: keyboardd -# -# Xorg.conf keyboard layout callout. -# -keyboardd = module - -# Layer: services -# Module: keystone -# -# Python implementation of the OpenStack identity service API. 
-# -keystone = module - -# Layer: services -# Module: ksmtuned -# -# Kernel Samepage Merging Tuning Daemon. -# -ksmtuned = module - -# Layer: services -# Module: ktalk -# -# KDE Talk daemon. -# -ktalk = module - -# Layer: services -# Module: l2tp -# -# Layer 2 Tunneling Protocol. -# -l2tp = module - -# Layer: services -# Module: ldap -# -# OpenLDAP directory server. -# -ldap = module - -# Layer: services -# Module: likewise -# -# Likewise Active Directory support for UNIX. -# -likewise = module - -# Layer: services -# Module: lircd -# -# Linux infared remote control daemon. -# -lircd = module - -# Layer: services -# Module: lldpad -# -# Intel LLDP Agent. -# -lldpad = module - -# Layer: services -# Module: lpd -# -# Line printer daemon. -# -lpd = module - -# Layer: services -# Module: lsm -# -# Storage array management library. -# -lsm = module - -# Layer: services -# Module: mailman -# -# Manage electronic mail discussion and e-newsletter lists. -# -mailman = module - -# Layer: services -# Module: mailscanner -# -# E-mail security and anti-spam package for e-mail gateway systems. -# -mailscanner = module - -# Layer: services -# Module: mediawiki -# -# Open source wiki package written in PHP. -# -mediawiki = module - -# Layer: services -# Module: memcached -# -# High-performance memory object caching system. -# -memcached = module - -# Layer: services -# Module: milter -# -# Milter mail filters. -# -milter = module - -# Layer: services -# Module: minidlna -# -# MiniDLNA lightweight DLNA/UPnP media server -# -minidlna = module - -# Layer: services -# Module: minissdpd -# -# Daemon used by MiniUPnPc to speed up device discoveries. -# -minissdpd = module - -# Layer: services -# Module: modemmanager -# -# Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards. -# -modemmanager = module - -# Layer: services -# Module: mojomojo -# -# MojoMojo Wiki. 
-# -mojomojo = module - -# Layer: services -# Module: mon -# -# mon network monitoring daemon. -# -mon = module - -# Layer: services -# Module: mongodb -# -# Scalable, high-performance, open source NoSQL database. -# -mongodb = module - -# Layer: services -# Module: monit -# -# Monit - utility for monitoring services on a Unix system. -# -monit = module - -# Layer: services -# Module: monop -# -# Monopoly daemon. -# -monop = module - -# Layer: services -# Module: mpd -# -# Music Player Daemon. -# -mpd = module - -# Layer: services -# Module: mta -# -# Common e-mail transfer agent policy. -# -mta = module - -# Layer: services -# Module: munin -# -# Munin network-wide load graphing. -# -munin = module - -# Layer: services -# Module: mysql -# -# Open source database. -# -mysql = module - -# Layer: services -# Module: nagios -# -# Network monitoring server. -# -nagios = module - -# Layer: services -# Module: nessus -# -# Network scanning daemon. -# -nessus = module - -# Layer: services -# Module: networkmanager -# -# Manager for dynamically switching between networks. -# -networkmanager = module - -# Layer: services -# Module: nis -# -# Policy for NIS (YP) servers and clients. -# -nis = module - -# Layer: services -# Module: nscd -# -# Name service cache daemon. -# -nscd = module - -# Layer: services -# Module: nsd -# -# Authoritative only name server. -# -nsd = module - -# Layer: services -# Module: nslcd -# -# Local LDAP name service daemon. -# -nslcd = module - -# Layer: services -# Module: ntop -# -# A network traffic probe similar to the UNIX top command. -# -ntop = module - -# Layer: services -# Module: ntp -# -# Network time protocol daemon. -# -ntp = module - -# Layer: services -# Module: numad -# -# Non-Uniform Memory Alignment Daemon. -# -numad = module - -# Layer: services -# Module: nut -# -# Network UPS Tools -# -nut = module - -# Layer: services -# Module: nx -# -# NX remote desktop. 
-# -nx = module - -# Layer: services -# Module: oav -# -# Open AntiVirus scannerdaemon and signature update. -# -oav = module - -# Layer: services -# Module: obex -# -# D-Bus service providing high-level OBEX client and server side functionality. -# -obex = module - -# Layer: services -# Module: oddjob -# -# D-BUS service which runs odd jobs on behalf of client applications. -# -oddjob = module - -# Layer: services -# Module: oident -# -# An ident daemon with IP masq/NAT support and the ability to specify responses. -# -oident = module - -# Layer: services -# Module: openca -# -# Open Certificate Authority. -# -openca = module - -# Layer: services -# Module: openct -# -# Service for handling smart card readers. -# -openct = module - -# Layer: services -# Module: openhpi -# -# Open source implementation of the Service Availability Forum Hardware Platform Interface. -# -openhpi = module - -# Layer: services -# Module: openvpn -# -# full-featured SSL VPN solution. -# -openvpn = module - -# Layer: services -# Module: openvswitch -# -# Multilayer virtual switch. -# -openvswitch = module - -# Layer: services -# Module: pacemaker -# -# A scalable high-availability cluster resource manager. -# -pacemaker = module - -# Layer: services -# Module: pads -# -# Passive Asset Detection System. -# -pads = module - -# Layer: services -# Module: pcscd -# -# PCSC smart card service. -# -pcscd = module - -# Layer: services -# Module: pegasus -# -# The Open Group Pegasus CIM/WBEM Server. -# -pegasus = module - -# Layer: services -# Module: perdition -# -# Perdition POP and IMAP proxy. -# -perdition = module - -# Layer: services -# Module: pingd -# -# Pingd of the Whatsup cluster node up/down detection utility. -# -pingd = module - -# Layer: services -# Module: pkcs -# -# Implementations of the Cryptoki specification. -# -pkcs = module - -# Layer: services -# Module: plymouthd -# -# Plymouth graphical boot. 
-# -plymouthd = module - -# Layer: services -# Module: policykit -# -# Policy framework for controlling privileges for system-wide services. -# -policykit = module - -# Layer: services -# Module: polipo -# -# Lightweight forwarding and caching proxy server. -# -polipo = module - -# Layer: services -# Module: portmap -# -# RPC port mapping service. -# -portmap = module - -# Layer: services -# Module: portreserve -# -# Reserve well-known ports in the RPC port range. -# -portreserve = module - -# Layer: services -# Module: portslave -# -# Portslave terminal server software. -# -portslave = module - -# Layer: services -# Module: postfix -# -# Postfix email server. -# -postfix = module - -# Layer: services -# Module: postfixpolicyd -# -# Postfix policy server. -# -postfixpolicyd = module - # Layer: services # Module: postgresql # 
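Review bot: In the kernel section the header `# Module: unconfined` sits above `unlabelednet = module`, and the entry's own description says "The unlabelednet module", so the header should read `# Module: unlabelednet`. The `ubac` entry just above it has three empty `#` lines where every other entry carries a one-line description; a line such as `# User-based access control.` would keep the block readable. In the roles section `# Layer:role` (on `sysadm_secadm` and `sysadm`) lacks the space used by `# Layer: role` on the neighbouring entries, the `staff` entry has no `# Layer:` line at all, and `# Miscelaneous files.` should be `# Miscellaneous files.`. Because `ubac = base` and `unconfineduser = module` change what a "minimum" build enforces, a short why-comment on each of those two entries would help a reader who did not author this change.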
@@ -2153,391 +224,6 @@ postfixpolicyd = module # postgresql = module -# Layer: services -# Module: postgrey -# -# Postfix grey-listing server. -# -postgrey = module - -# Layer: services -# Module: ppp -# -# Point to Point Protocol daemon creates links in ppp networks. -# -ppp = module - -# Layer: services -# Module: prelude -# -# Prelude hybrid intrusion detection system. -# -prelude = module - -# Layer: services -# Module: privoxy -# -# Privacy enhancing web proxy. -# -privoxy = module - -# Layer: services -# Module: procmail -# -# Procmail mail delivery agent. -# -procmail = module - -# Layer: services -# Module: psad -# -# Intrusion Detection and Log Analysis with iptables. -# -psad = module - -# Layer: services -# Module: publicfile -# -# publicfile supplies files to the public through HTTP and FTP. -# -publicfile = module - -# Layer: services -# Module: pwauth -# -# External plugin for mod_authnz_external authenticator. -# -pwauth = module - -# Layer: services -# Module: pxe -# -# Server for the PXE network boot protocol. -# -pxe = module - -# Layer: services -# Module: pyicqt -# -# ICQ transport for XMPP server. -# -pyicqt = module - -# Layer: services -# Module: pyzor -# -# Pyzor is a distributed, collaborative spam detection and filtering network. -# -pyzor = module - -# Layer: services -# Module: qmail -# -# Qmail Mail Server. -# -qmail = module - -# Layer: services -# Module: qpid -# -# Apache QPID AMQP messaging server. -# -qpid = module - -# Layer: services -# Module: quantum -# -# Virtual network service for Openstack. -# -quantum = module - -# Layer: services -# Module: rabbitmq -# -# AMQP server written in Erlang. -# -rabbitmq = module - -# Layer: services -# Module: radius -# -# RADIUS authentication and accounting server. -# -radius = module - -# Layer: services -# Module: radvd -# -# IPv6 router advertisement daemon. -# -radvd = module - -# Layer: services -# Module: razor -# -# A distributed, collaborative, spam detection and filtering network. 
-# -razor = module - -# Layer: services -# Module: rdisc -# -# Network router discovery daemon. -# -rdisc = module - -# Layer: services -# Module: realmd -# -# Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA. -# -realmd = module - -# Layer: services -# Module: redis -# -# Advanced key-value store. -# -redis = module - -# Layer: services -# Module: remotelogin -# -# Rshd, rlogind, and telnetd. -# -remotelogin = module - -# Layer: services -# Module: resmgr -# -# Resource management daemon. -# -resmgr = module - -# Layer: services -# Module: rgmanager -# -# Resource Group Manager. -# -rgmanager = module - -# Layer: services -# Module: rhcs -# -# Red Hat Cluster Suite. -# -rhcs = module - -# Layer: services -# Module: rhgb -# -# Red Hat Graphical Boot. -# -rhgb = module - -# Layer: services -# Module: rhsmcertd -# -# Subscription Management Certificate Daemon. -# -rhsmcertd = module - -# Layer: services -# Module: ricci -# -# Ricci cluster management agent. -# -ricci = module - -# Layer: services -# Module: rlogin -# -# Remote login daemon. -# -rlogin = module - -# Layer: services -# Module: rngd -# -# Check and feed random data from hardware device to kernel random device. -# -rngd = module - -# Layer: services -# Module: roundup -# -# Roundup Issue Tracking System. -# -roundup = module - -# Layer: services -# Module: rpc -# -# Remote Procedure Call Daemon. -# -rpc = module - -# Layer: services -# Module: rpcbind -# -# Universal Addresses to RPC Program Number Mapper. -# -rpcbind = module - -# Layer: services -# Module: rshd -# -# Remote shell service. -# -rshd = module - -# Layer: services -# Module: rsync -# -# Fast incremental file transfer for synchronization. -# -rsync = module - -# Layer: services -# Module: rtkit -# -# Realtime scheduling for user processes. -# -rtkit = module - -# Layer: services -# Module: rwho -# -# Who is logged in on other machines? 
-# -rwho = module - -# Layer: services -# Module: samba -# -# SMB and CIFS client/server programs. -# -samba = module - -# Layer: services -# Module: sanlock -# -# shared storage lock manager. -# -sanlock = module - -# Layer: services -# Module: sasl -# -# SASL authentication server. -# -sasl = module - -# Layer: services -# Module: sendmail -# -# Internetwork email routing facility. -# -sendmail = module - -# Layer: services -# Module: sensord -# -# Sensor information logging daemon. -# -sensord = module - -# Layer: services -# Module: setroubleshoot -# -# SELinux troubleshooting service. -# -setroubleshoot = module - -# Layer: services -# Module: shibboleth -# -# Shibboleth authentication deamon -# -shibboleth = module - -# Layer: services -# Module: slpd -# -# OpenSLP server daemon to dynamically register services. -# -slpd = module - -# Layer: services -# Module: slrnpull -# -# Service for downloading news feeds the slrn newsreader. -# -slrnpull = module - -# Layer: services -# Module: smartmon -# -# Smart disk monitoring daemon. -# -smartmon = module - -# Layer: services -# Module: smokeping -# -# Smokeping network latency measurement. -# -smokeping = module - -# Layer: services -# Module: smstools -# -# Tools to send and receive short messages through GSM modems or mobile phones. -# -smstools = module - -# Layer: services -# Module: snmp -# -# Simple network management protocol services. -# -snmp = module - -# Layer: services -# Module: snort -# -# Snort network intrusion detection system. -# -snort = module - -# Layer: services -# Module: soundserver -# -# sound server for network audio server programs, nasd, yiff, etc -# -soundserver = module - -# Layer: services -# Module: spamassassin -# -# Filter used for removing unsolicited email. -# -spamassassin = module - -# Layer: services -# Module: speedtouch -# -# Alcatel speedtouch USB ADSL modem -# -speedtouch = module - -# Layer: services -# Module: squid -# -# Squid caching http proxy server. 
-# -squid = module - # Layer: services # Module: ssh # 
@@ -2545,262 +231,17 @@ squid = module # ssh = module -# Layer: services -# Module: sssd -# -# System Security Services Daemon. -# -sssd = module - -# Layer: services -# Module: stunnel -# -# SSL Tunneling Proxy. -# -stunnel = module - -# Layer: services -# Module: svnserve -# -# Server for the svn repository access method. -# -svnserve = module - -# Layer: services -# Module: sysstat -# -# Reports on various system states. -# -sysstat = module - -# Layer: services -# Module: systemtap -# -# instrumentation system for Linux. -# -systemtap = module - -# Layer: services -# Module: tcpd -# -# TCP daemon. -# -tcpd = module - -# Layer: services -# Module: tcsd -# -# TSS Core Services daemon. -# -tcsd = module - -# Layer: services -# Module: telnet -# -# Telnet daemon. -# -telnet = module - -# Layer: services -# Module: tftp -# -# Trivial file transfer protocol daemon. -# -tftp = module - -# Layer: services -# Module: tgtd -# -# Linux Target Framework Daemon. -# -tgtd = module - -# Layer: services -# Module: timidity -# -# MIDI to WAV converter and player configured as a service. -# -timidity = module - -# Layer: services -# Module: tor -# -# The onion router. -# -tor = module - -# Layer: services -# Module: transproxy -# -# Portable Transparent Proxy Solution. -# -transproxy = module - -# Layer: services -# Module: tuned -# -# Dynamic adaptive system tuning daemon. -# -tuned = module - -# Layer: services -# Module: ucspitcp -# -# UNIX Client-Server Program Interface for TCP. -# -ucspitcp = module - -# Layer: services -# Module: ulogd -# -# Iptables/netfilter userspace logging daemon. -# -ulogd = module - -# Layer: services -# Module: uptime -# -# Daemon to record and keep track of system up times. -# -uptime = module - -# Layer: services -# Module: usbmuxd -# -# USB multiplexing daemon for communicating with Apple iPod Touch and iPhone. -# -usbmuxd = module - -# Layer: services -# Module: uucp -# -# Unix to Unix Copy. 
-# -uucp = module - -# Layer: services -# Module: uuidd -# -# UUID generation daemon. -# -uuidd = module - -# Layer: services -# Module: uwimap -# -# University of Washington IMAP toolkit POP3 and IMAP mail server. -# -uwimap = module - -# Layer: services -# Module: varnishd -# -# Varnishd http accelerator daemon. -# -varnishd = module - -# Layer: services -# Module: vdagent -# -# Spice agent for Linux. -# -vdagent = module - -# Layer: services -# Module: vhostmd -# -# Virtual host metrics daemon. -# -vhostmd = module - -# Layer: services -# Module: virt -# -# Libvirt virtualization API. -# -virt = module - -# Layer: services -# Module: vnstatd -# -# Console network traffic monitor. -# -vnstatd = module - -# Layer: services -# Module: w3c -# -# W3C Markup Validator. -# -w3c = module - -# Layer: services -# Module: watchdog -# -# Software watchdog. -# -watchdog = module - -# Layer: services -# Module: wdmd -# -# Watchdog multiplexing daemon. -# -wdmd = module - -# Layer: services -# Module: xfs -# -# X Windows Font Server. -# -xfs = module - -# Layer: services -# Module: xprint -# -# A X11-based print system and API. -# -xprint = module - # Layer: services # Module: xserver # -# X Windows Server +# X windows login display manager # xserver = module -# Layer: services -# Module: zabbix -# -# Distributed infrastructure monitoring. -# -zabbix = module - -# Layer: services -# Module: zarafa -# -# Zarafa collaboration platform. -# -zarafa = module - -# Layer: services -# Module: zebra -# -# Zebra border gateway protocol network routing service. -# -zebra = module - -# Layer: services -# Module: zosremote -# -# z/OS Remote-services Audit dispatcher plugin. -# -zosremote = module - -# Layer: system # Module: application +# Required in base # -# Policy for user executable applications. +# Defines attributs and interfaces for all user applications # application = module 
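Review bot: The new description for the application module, `# Defines attributs and interfaces for all user applications`, carries a typo; `# Defines attributes and interfaces for all user applications` is the intended wording. The replacement xserver comment `# X windows login display manager` names a display manager rather than the X server the module is named after, so the removed `# X Windows Server` text (or a line covering both the server and the login manager) looks more accurate — worth confirming against what the module actually covers. Dropping `# Layer: system` from the application entry while every other entry in view keeps its Layer line also leaves the file inconsistent; if `# Required in base` is meant to say the module now belongs to the base policy, keeping the Layer line next to it would preserve the common header shape.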
@@ -2818,13 +259,6 @@ authlogin = module # clock = module -# Layer: system -# Module: daemontools -# -# Collection of tools for managing UNIX services. -# -daemontools = module - # Layer: system # Module: fstools # @@ -2835,7 +269,7 @@ fstools = module # Layer: system # Module: getty # -# Manages physical or virtual terminals. +# Policy for getty. # getty = module @@ -2846,14 +280,6 @@ getty = module # hostname = module -# Layer: system -# Module: hotplug -# -# Policy for hotplug system, for supporting the -# connection and disconnection of devices at runtime. -# -hotplug = module - # Layer: system # Module: init # @@ -2871,17 +297,10 @@ ipsec = module # Layer: system # Module: iptables # -# Administration tool for IP packet filtering and NAT. +# Policy for iptables. # iptables = module -# Layer: system -# Module: iscsi -# -# Establish connections to iSCSI devices. -# -iscsi = module - # Layer: system # Module: libraries # @@ -2910,13 +329,6 @@ logging = module # lvm = module -# Layer: system -# Module: miscfiles -# -# Miscellaneous files. -# -miscfiles = module - # Layer: system # Module: modutils # @@ -2934,24 +346,10 @@ mount = module # Layer: system # Module: netlabel # -# NetLabel/CIPSO labeled networking management +# Basic netlabel types and interfaces. # netlabel = module -# Layer: system -# Module: pcmcia -# -# PCMCIA card management services. -# -pcmcia = module - -# Layer: system -# Module: raid -# -# RAID array management tools. -# -raid = module - # Layer: system # Module: selinuxutil # @@ -2959,10 +357,10 @@ raid = module # selinuxutil = module -# Layer: system # Module: setrans +# Required in base # -# SELinux MLS/MCS label translation service. +# Policy for setrans # setrans = module @@ -2976,7 +374,7 @@ sysnetwork = module # Layer: system # Module: systemd # -# Systemd components (not PID 1) +# Policy for systemd components # systemd = module 
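Review bot: The reworded descriptions in the getty, iptables and setrans hunks replace informative text with `# Policy for getty.`, `# Policy for iptables.` and `# Policy for setrans`, which repeat the module name and tell a reader nothing the `# Module:` line does not already say. The removed lines — `# Manages physical or virtual terminals.`, `# Administration tool for IP packet filtering and NAT.` and `# SELinux MLS/MCS label translation service.` — were the useful part of each header and could simply be kept; the same applies to the systemd hunk, where `# Systemd components (not PID 1)` made the module's scope explicit and `# Policy for systemd components` does not. The setrans line also drops the trailing period its neighbours use. As in the application entry earlier in this diff, setrans loses its `# Layer: system` line when `# Required in base` is added; if the annotation means the module must be built into base, it may be worth confirming whether `setrans = module` is still the intended value.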
@@ -2995,23 +393,22 @@ udev = module unconfined = module # Layer: system -# Module: userdomain +# Module: kdbus # -# Policy for user domains -# -userdomain = module - -# Layer: system -# Module: xdg +# Policy for kdbus. # -# Freedesktop standard locations (formerly known as X Desktop Group) -# -xdg = module +kdbus = module -# Layer: system -# Module: xen +# Layer: contrib +# Module: targeted_temp_fixes # -# Xen hypervisor. -# -xen = module +# Temporary fixes for the targeted policy. +# +targeted_temp_fixes = module +# Layer: contrib +# Module: packagekit +# +# Temporary permissive module for packagekit +# +packagekit = module diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf new file mode 100644 index 0000000..9182671 --- /dev/null +++ b/modules-targeted-contrib.conf 
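Review bot: The comment `# Temporary permissive module for packagekit` records that the packagekit domain will not be enforced but gives no indication of what tracks its removal, so a reader cannot tell whether it is still justified; a note such as `# Temporary permissive module for packagekit; remove once <tracking reference — placeholder> is resolved` would make the exception auditable, and the `# Temporary fixes for the targeted policy.` header for targeted_temp_fixes would benefit from the same pointer. The packagekit entry also follows `targeted_temp_fixes = module` with no separating blank line, unlike every other entry in the file, so `+targeted_temp_fixes = module` should be followed by a blank added line before `+# Layer: contrib`. The kdbus description `# Policy for kdbus.` is of the same uninformative shape flagged elsewhere in this diff and could say what the module confines.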
@@ -0,0 +1,2644 @@ +# Layer: services +# Module: abrt +# +# Automatic bug detection and reporting tool +# +abrt = module + +# Layer: services +# Module: accountsd +# +# An application to view and modify user accounts information +# +accountsd = module + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = module + +# Layer: services +# Module: afs +# +# Andrew Filesystem server +# +afs = module + +# Layer: services +# Module: aiccu +# +# SixXS Automatic IPv6 Connectivity Client Utility +# +aiccu = module + +# Layer: services +# Module: aide +# +# Policy for aide +# +aide = module + +# Layer: services +# Module: ajaxterm +# +# Web Based Terminal +# +ajaxterm = module + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = module + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility (AMTU) +# +amtu = module + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = module + +# Layer: contrib +# Module: antivirus +# +# SELinux policy for antivirus programs +# +antivirus = module + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: apcupsd +# +# daemon for most APC’s UPS for Linux +# +apcupsd = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = module + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: asterisk +# +# Asterisk IP telephony server +# +asterisk = module + +# Layer: contrib +# Module: authconfig +# +# Authorization configuration tool +# +authconfig = module + +# Layer: services +# Module: automount +# +# Filesystem automounter service. 
+# +automount = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: module +# Module: awstats +# +# awstats executable +# +awstats = module + +# Layer: services +# Module: bcfg2 +# +# Configuration management server +# +bcfg2 = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = module + +# Layer: contrib +# Module: rngd +# +# Daemon used to feed random data from hardware device to kernel random device +# +rngd = module + +# Layer: services +# Module: bitlbee +# +# An IRC to other chat networks gateway +# +bitlbee = module + +# Layer: services +# Module: blueman +# +# Blueman tools and system services. +# +blueman = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. +# +bluetooth = module + +# Layer: services +# Module: boinc +# +# Berkeley Open Infrastructure for Network Computing +# +boinc = module + +# Layer: system +# Module: brctl +# +# Utilities for configuring the linux ethernet bridge +# +brctl = module + +# Layer: services +# Module: bugzilla +# +# Bugzilla server +# +bugzilla = module + +# Layer: services +# Module: bumblebee +# +# Support NVIDIA Optimus technology under Linux +# +bumblebee = module + +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + +# Module: calamaris +# +# +# Squid log analysis +# +calamaris = module + +# Layer: services +# Module: callweaver +# +# callweaver telephony sever +# +callweaver = module + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = module + +# Layer: services +# Module: ccs +# +# policy for ccs +# +ccs = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: admin +# Module: certmaster +# +# Digital Certificate master +# +certmaster = module + +# Layer: services +# Module: certmonger +# 
+# Certificate status monitor and PKI enrollment client +# +certmonger = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: services +# Module: cfengine +# +# cfengine +# +cfengine = module + +# Layer: services +# Module: cgroup +# +# Tools and libraries to control and monitor control groups +# +cgroup = module + +# Layer: apps +# Module: chrome +# +# chrome sandbox +# +chrome = module + +# Layer: services +# Module: chronyd +# +# Daemon for maintaining clock time +# +chronyd = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + + +# Layer: services +# Module: clogd +# +# clogd - clustered mirror log server +# +clogd = module + +# Layer: services +# Module: cloudform +# +# cloudform daemons +# +cloudform = module + +# Layer: services +# Module: cmirrord +# +# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster +# +cmirrord = module + +# Layer: services +# Module: cobbler +# +# cobbler +# +cobbler = module + +# Layer: contrib +# Module: cockpit +# +# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines. +# +cockpit = module + +# Layer: services +# Module: collectd +# +# Statistics collection daemon for filling RRD files +# +collectd = module + +# Layer: services +# Module: colord +# +# color device daemon +# +colord = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. 
+# +comsat = module + +# Layer: services +# Module: condor +# +# policy for condor +# +condor = module + +# Layer: services +# Module: conman +# +# Conman is a program for connecting to remote consoles being managed by conmand +# +conman = module + +# Layer: services +# Module: consolekit +# +# ConsoleKit is a system daemon for tracking what users are logged +# +consolekit = module + +# Layer: services +# Module: couchdb +# +# Apache CouchDB database server +# +couchdb = module + +# Layer: services +# Module: courier +# +# IMAP and POP3 email servers +# +courier = module + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = module + +# Layer: apps +# Module: cpufreqselector +# +# cpufreqselector executable +# +cpufreqselector = module + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = module + +# Layer: services +# Module: ctdbd +# +# Cluster Daemon +# +ctdb = module + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: cyphesis +# +# cyphesis game server +# +cyphesis = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: role +# Module: dbadm +# +# Minimally prived root role for managing databases +# +dbadm = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = module + +# Layer: services +# Module: dcc +# +# A distributed, collaborative, spam detection and filtering network. 
+# +dcc = module + +# Layer: services +# Module: ddclient +# +# Update dynamic IP address at DynDNS.org +# +ddclient = module + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = off + +# Layer: services +# Module: denyhosts +# +# script to help thwart ssh server attacks +# +denyhosts = module + +# Layer: services +# Module: devicekit +# +# devicekit-daemon +# +devicekit = module + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: dirsrv-admin +# +# An 309 directory admin server +# +dirsrv-admin = module + +# Layer: services +# Module: dirsrv +# +# An 309 directory server +# +dirsrv = module + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = off + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = module + +# Layer: services +# Module: dnsmasq +# +# A lightweight DHCP and caching DNS server. +# +dnsmasq = module + +# Layer: services +# Module: dnssec +# +# A dnssec server application +# +dnssec = module + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: services +# Module: drbd +# +# DRBD mirrors a block device over the network to another machine. 
+# +drbd = module + +# Layer: services +# Module: dspam +# +# dspam - library and Mail Delivery Agent for Bayesian SPAM filtering +# +dspam = module + +# Layer: services +# Module: entropy +# +# Generate entropy from audio input +# +entropyd = module + +# Layer: services +# Module: exim +# +# exim mail server +# +exim = module + +# Layer: services +# Module: fail2ban +# +# daiemon that bans IP that makes too many password failures +# +fail2ban = module + +# Layer: services +# Module: fcoe +# +# fcoe +# +fcoe = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = module + +# Layer: services +# Module: firewalld +# +# firewalld is firewall service daemon that provides dynamic customizable +# +firewalld = module + +# Layer: apps +# Module: firewallgui +# +# policy for system-config-firewall +# +firewallgui = module + +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = module + +# Layer: services +# Module: fprintd +# +# finger print server +# +fprintd = module + +# Layer: services +# Module: freqset +# +# Utility for CPU frequency scaling +# +freqset = module + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: apps +# Module: games +# +# The Open Group Pegasus CIM/WBEM Server. 
+# +games = module + +# Layer: apps +# Module: gitosis +# +# Policy for gitosis +# +gitosis = module + +# Layer: services +# Module: git +# +# Policy for the stupid content tracker +# +git = module + +# Layer: services +# Module: glance +# +# Policy for glance +# +glance = module + +# Layer: contrib +# Module: glusterd +# +# policy for glusterd service +# +glusterd = module + +# Layer: apps +# Module: gnome +# +# gnome session and gconf +# +gnome = module + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. +# +gpg = module + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Module: gpsd +# +# gpsd monitor daemon +# +# +gpsd = module + +# Module: gssproxy +# +# A proxy for GSSAPI credential handling +# +# +gssproxy = module + +# Layer: role +# Module: guest +# +# Minimally privs guest account on tty logins +# +guest = module + +# Layer: role +# Module: xguest +# +# Minimally privs guest account on X Windows logins +# +xguest = module + +# Layer: services +# Module: hddtemp +# +# hddtemp hard disk temperature tool running as a daemon +# +hddtemp = module + +# Layer: services +# Module: hostapd +# +# hostapd - IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator +# +hostapd = module + +# Layer: services +# Module: i18n_input +# +# IIIMF htt server +# +i18n_input = off + +# Layer: services +# Module: icecast +# +# ShoutCast compatible streaming media server +# +icecast = module + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = module + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: services +# Module: lircd +# +# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. 
+# +lircd = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = module + +# Layer: system +# Module: iscsi +# +# Open-iSCSI daemon +# +iscsi = module + +# Layer: system +# Module: isnsd +# +# +# +isns = module + +# Layer: services +# Module: jabber +# +# Jabber instant messaging server +# +jabber = module + +# Layer: services +# Module: jetty +# +# Java based http server +# +jetty = module + +# Layer: apps +# Module: jockey +# +# policy for jockey-backend +# +jockey = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdumpgui = module + +# Layer: admin +# Module: kdump +# +# kdump is kernel crash dumping mechanism +# +kdump = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Layer: services +# Module: keepalived +# +# keepalived - load-balancing and high-availability service +# +keepalived = module + +# Module: keyboardd +# +# system-setup-keyboard is a keyboard layout daemon that monitors +# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet +# +keyboardd = module + +# Layer: services +# Module: keystone +# +# openstack-keystone +# +keystone = module + +# Layer: services +# Module: kismet +# +# Wireless sniffing and monitoring +# +kismet = module + +# Layer: services +# Module: ksmtuned +# +# Kernel Samepage Merging (KSM) Tuning Daemon +# +ksmtuned = module + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: services +# Module: l2ltpd +# +# Layer 2 Tunnelling Protocol Daemon +# +l2tp = module + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: services +# Module: likewise +# +# Likewise Active Directory support for UNIX +# +likewise = module + +# Layer: apps +# Module: livecd +# +# livecd creator +# +livecd = module + +# Layer: services +# Module: lldpad +# +# lldpad - 
Link Layer Discovery Protocol (LLDP) agent daemon +# +lldpad = module + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = module + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = module + +# Layer: services +# Module: logwatch +# +# logwatch executable +# +logwatch = module + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + +# Layer: services +# Module: mailman +# +# Policy for mailscanner +# +mailscanner = module + +# Layer: apps +# Module: man2html +# +# policy for man2html apps +# +man2html = module + +# Layer: admin +# Module: mcelog +# +# Policy for mcelog. +# +mcelog = module + +# Layer: apps +# Module: mediawiki +# +# mediawiki +# +mediawiki = module + +# Layer: services +# Module: memcached +# +# high-performance memory object caching system +# +memcached = module + +# Layer: services +# Module: milter +# +# +# +milter = module + +# Layer: services +# Module: mip6d +# +# UMIP Mobile IPv6 and NEMO Basic Support protocol implementation +# +mip6d = module + +# Layer: services +# Module: mock +# +# Policy for mock rpm builder +# +mock = module + +# Layer: services +# Module: modemmanager +# +# Manager for dynamically switching between modems. 
+# +modemmanager = module + +# Layer: services +# Module: mojomojo +# +# Wiki server +# +mojomojo = module + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + +# Layer: services +# Module: mpd +# +# mpd - daemon for playing music +# +mpd = module + +# Layer: apps +# Module: mplayer +# +# Policy for Mozilla and related web browsers +# +mplayer = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. +# +mta = module + +# Layer: services +# Module: munin +# +# Munin +# +munin = module + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: contrib +# Module: mythtv +# +# Policy for Mythtv (Web Server) +# +mythtv = module + +# Layer: services +# Module: nagios +# +# policy for nagios Host/service/network monitoring program +# +nagios = module + +# Layer: apps +# Module: namespace +# +# policy for namespace.init script +# +namespace = module + +# Layer: admin +# Module: ncftool +# +# Tool to modify the network configuration of a system +# +ncftool = module + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. 
+# +networkmanager = module + +# Layer: services +# Module: ninfod +# +# Respond to IPv6 Node Information Queries +# +ninfod = module + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = module + +# Layer: services +# Module: nova +# +# openstack-nova +# +nova = module + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = module + +# Layer: services +# Module: nslcd +# +# Policy for nslcd +# +nslcd = module + +# Layer: services +# Module: ntop +# +# Policy for ntop +# +ntop = module + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = module + +# Layer: services +# Module: numad +# +# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology +# +numad = module + +# Layer: services +# Module: nut +# +# nut - Network UPS Tools +# +nut = module + +# Layer: services +# Module: nx +# +# NX Remote Desktop +# +nx = module + +# Layer: services +# Module: obex +# +# policy for obex-data-server +# +obex = module + +# Layer: services +# Module: oddjob +# +# policy for oddjob +# +oddjob = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. 
+# +openct = off + +# Layer: service +# Module: openct +# +# Middleware framework for smart card terminals +# +openct = module + +# Layer: contrib +# Module: openshift-origin +# +# Origin version of openshift policy +# +openshift-origin = module +# Layer: contrib +# Module: openshift +# +# Core openshift policy +# +openshift = module + +# Layer: services +# Module: opensm +# +# InfiniBand subnet manager and administration (SM/SA) +# +opensm = module + +# Layer: services +# Module: openvpn +# +# Policy for OPENVPN full-featured SSL VPN solution +# +openvpn = module + +# Layer: contrib +# Module: openvswitch +# +# SELinux policy for openvswitch programs +# +openvswitch = module + +# Layer: services +# Module: openwsman +# +# WS-Management Server +# +openwsman = module + +# Layer: services +# Module: osad +# +# Client-side service written in Python that responds to pings +# +osad = module + +# Layer: contrib +# Module: prelude +# +# SELinux policy for prelude +# +prelude = module + +# Layer: contrib +# Module: prosody +# +# SELinux policy for prosody flexible communications server for Jabber/XMPP +# +prosody = module + +# Layer: services +# Module: pads +# +pads = module + +# Layer: services +# Module: passenger +# +# Passenger +# +passenger = module + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = module + +# Layer: service +# Module: pcscd +# +# PC/SC Smart Card Daemon +# +pcscd = module + +# Layer: services +# Module: pdns +# +# PowerDNS DNS server +# +pdns = module + +# Layer: services +# Module: pegasus +# +# The Open Group Pegasus CIM/WBEM Server. 
+# +pegasus = module + +# Layer: services +# Module: pingd +# +# +pingd = module + +# Layer: services +# Module: piranha +# +# piranha - various tools to administer and configure the Linux Virtual Server +# +piranha = module + +# Layer: contrib +# Module: pkcs +# +# daemon manages PKCS#11 objects between PKCS#11-enabled applications +# +pkcs = module + +# Layer: services +# Module: plymouthd +# +# Plymouth +# +plymouthd = module + +# Layer: apps +# Module: podsleuth +# +# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. +# +podsleuth = module + +# Layer: services +# Module: policykit +# +# Hardware abstraction layer +# +policykit = module + +# Layer: services +# Module: polipo +# +# polipo +# +polipo = module + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = module + +# Layer: services +# Module: portreserve +# +# reserve ports to prevent portmap mapping them +# +portreserve = module + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = module + +# Layer: services +# Module: postgrey +# +# email scanner +# +postgrey = module + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = module + +# Layer: admin +# Module: prelink +# +# Manage temporary directory sizes and file ages +# +prelink = module + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. 
+# +privoxy = module + +# Layer: services +# Module: procmail +# +# Procmail mail delivery agent +# +procmail = module + +# Layer: services +# Module: psad +# +# Analyze iptables log for hostile traffic +# +psad = module + +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + +# Layer: services +# Module: publicfile +# +# publicfile supplies files to the public through HTTP and FTP +# +publicfile = module + +# Layer: apps +# Module: pulseaudio +# +# The PulseAudio Sound System +# +pulseaudio = module + +# Layer: services +# Module: puppet +# +# A network tool for managing many disparate systems +# +puppet = module + +# Layer: apps +# Module: pwauth +# +# External plugin for mod_authnz_external authenticator +# +pwauth = module + +# Layer: services +# Module: qmail +# +# Policy for qmail +# +qmail = module + +# Layer: services +# Module: qpidd +# +# Policy for qpidd +# +qpid = module + +# Layer: services +# Module: quantum +# +# Quantum is a virtual network service for Openstack +# +quantum = module + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = module + +# Layer: services +# Module: rabbitmq +# +# rabbitmq daemons +# +rabbitmq = module + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. 
+# +radius = module + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = module + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = module + +# Layer: services +# Module: rasdaemon +# +# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing +# +rasdaemon = module + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = module + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = module + +# Layer: contrib +# Module: stapserver +# +# dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA +# +realmd = module + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. +# +remotelogin = module + +# Layer: services +# Module: rhcs +# +# RHCS - Red Hat Cluster Suite +# +rhcs = module + +# Layer: services +# Module: rhev +# +# rhev policy module contains policies for rhev apps +# +rhev = module + +# Layer: services +# Module: rhgb +# +# X windows login display manager +# +rhgb = module + +# Layer: services +# Module: rhsmcertd +# +# Subscription Management Certificate Daemon policy +# +rhsmcertd = module + +# Layer: services +# Module: ricci +# +# policy for ricci +# +ricci = module + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = module + +# Layer: services +# Module: roundup +# +# Roundup Issue Tracking System policy +# +roundup = module + +# Layer: services +# Module: rpcbind +# +# universal addresses to RPC program number mapper +# +rpcbind = module + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = module + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = module + +# Layer: services +# Module: rshd +# +# Remote shell service. 
+# +rshd = module + +# Layer: apps +# Module: rssh +# +# Restricted (scp/sftp) only shell +# +rssh = module + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = module + +# Layer: services +# Module: rtkit +# +# Real Time Kit Daemon +# +rtkit = module + +# Layer: services +# Module: rwho +# +# who is logged in on local machines +# +rwho = module + +# Layer: apps +# Module: sambagui +# +# policy for system-config-samba +# +sambagui = module + +# +# SMB and CIFS client/server programs for UNIX and +# name Service Switch daemon for resolving names +# from Windows NT servers. +# +samba = module + +# Layer: apps +# Module: sandbox +# +# Policy for running apps within a sandbox +# +sandbox = module + +# Layer: apps +# Module: sandbox +# +# Policy for running apps within a X sandbox +# +sandboxX = module + +# Layer: services +# Module: sanlock +# +# sanlock policy +# +sanlock = module + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = module + +# Layer: services +# Module: sblim +# +# sblim +# +sblim = module + +# Layer: apps +# Module: screen +# +# GNU terminal multiplexer +# +screen = module + +# Layer: admin +# Module: sectoolm +# +# Policy for sectool-mechanism +# +sectoolm = module + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. 
+#
+sendmail = module
+
+# Layer: contrib
+# Module: sensord
+#
+# Sensor information logging daemon
+#
+sensord = module
+
+# Layer: services
+# Module: setroubleshoot
+#
+# Policy for the SELinux troubleshooting utility
+#
+setroubleshoot = module
+
+# Layer: services
+# Module: sge
+#
+# policy for grindengine MPI jobs
+#
+sge = module
+
+# Layer: admin
+# Module: shorewall
+#
+# Policy for shorewall
+#
+shorewall = module
+
+# Layer: apps
+# Module: slocate
+#
+# Update database for mlocate
+#
+slocate = module
+
+# Layer: contrib
+# Module: slpd
+#
+# OpenSLP server daemon to dynamically register services
+#
+slpd = module
+
+# Layer: services
+# Module: slrnpull
+#
+# Service for downloading news feeds the slrn newsreader.
+#
+slrnpull = off
+
+# Layer: services
+# Module: smartmon
+#
+# Smart disk monitoring daemon policy
+#
+smartmon = module
+
+# Layer: services
+# Module: smokeping
+#
+# Latency Logging and Graphing System
+#
+smokeping = module
+
+# Layer: admin
+# Module: smoltclient
+#
+#The Fedora hardware profiler client
+#
+smoltclient = module
+
+# Layer: services
+# Module: snmp
+#
+# Simple network management protocol services
+#
+snmp = module
+
+# Layer: services
+# Module: snort
+#
+# Snort network intrusion detection system
+#
+snort = module
+
+# Layer: admin
+# Module: sosreport
+#
+# sosreport debuggin information generator
+#
+sosreport = module
+
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+#
+soundserver = module
+
+# Layer: services
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+#
+spamassassin = module
+
+# Layer: services
+# Module: speech-dispatcher
+#
+# speech-dispatcher - server process managing speech requests in Speech Dispatcher
+#
+speech-dispatcher = module
+
+# Layer: services
+# Module: squid
+#
+# Squid caching http proxy server
+#
+squid = module
+
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
+# Layer: services
+# Module: sslh
+#
+# Applicative protocol(SSL/SSH) multiplexer
+#
+sslh = module
+
+# Layer: contrib
+# Module: stapserver
+#
+# Instrumentation System Server
+#
+stapserver = module
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+#
+stunnel = module
+
+# Layer: services
+# Module: svnserve
+#
+# policy for subversion service
+#
+svnserve = module
+
+# Layer: services
+# Module: swift
+#
+# openstack-swift
+#
+swift = module
+
+# Layer: services
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+#
+sysstat = module
+
+# Layer: services
+# Module: tcpd
+#
+# Policy for TCP daemon.
+#
+tcpd = module
+
+# Layer: services
+# Module: tcsd
+#
+# tcsd - daemon that manages Trusted Computing resources
+#
+tcsd = module
+
+# Layer: apps
+# Module: telepathy
+#
+# telepathy - Policy for Telepathy framework
+#
+telepathy = module
+
+# Layer: services
+# Module: telnet
+#
+# Telnet daemon
+#
+telnet = module
+
+# Layer: services
+# Module: tftp
+#
+# Trivial file transfer protocol daemon
+#
+tftp = module
+
+# Layer: services
+# Module: tgtd
+#
+# Linux Target Framework Daemon.
+#
+tgtd = module
+
+# Layer: apps
+# Module: thumb
+#
+# Thumbnailer confinement
+#
+thumb = module
+
+# Layer: services
+# Module: timidity
+#
+# MIDI to WAV converter and player configured as a service
+#
+timidity = off
+
+# Layer: admin
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+#
+tmpreaper = module
+
+# Layer: contrib
+# Module: glusterd
+#
+# policy for tomcat service
+#
+tomcat = module
+# Layer: services
+# Module: tor
+#
+# TOR, the onion router
+#
+tor = module
+
+# Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: apps
+# Module: tvtime
+#
+# tvtime - a high quality television application
+#
+tvtime = module
+
+# Layer: services
+# Module: ulogd
+#
+# netfilter/iptables ULOG daemon
+#
+ulogd = module
+
+# Layer: apps
+# Module: uml
+#
+# Policy for UML
+#
+uml = module
+
+# Layer: admin
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+#
+updfstab = module
+
+# Layer: admin
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+#
+usbmodules = module
+
+# Layer: services
+# Module: usbmuxd
+#
+# Daemon for communicating with Apple's iPod Touch and iPhone
+#
+usbmuxd = module
+
+# Layer: apps
+# Module: userhelper
+#
+# A helper interface to pam.
+#
+userhelper = module
+
+# Layer: apps
+# Module: usernetctl
+#
+# User network interface configuration helper
+#
+usernetctl = module
+
+# Layer: services
+# Module: uucp
+#
+# Unix to Unix Copy
+#
+uucp = module
+
+# Layer: services
+# Module: uuidd
+#
+# UUID generation daemon
+#
+uuidd = module
+
+# Layer: services
+# Module: varnishd
+#
+# Varnishd http accelerator daemon
+#
+varnishd = module
+
+# Layer: services
+# Module: vdagent
+#
+# vdagent
+#
+vdagent = module
+
+# Layer: services
+# Module: vhostmd
+#
+# vhostmd - spice guest agent daemon.
+#
+vhostmd = module
+
+# Layer: services
+# Module: virt
+#
+# Virtualization libraries
+#
+virt = module
+
+# Layer: apps
+# Module: vhostmd
+#
+# vlock - Virtual Console lock program
+#
+vlock = module
+
+# Layer: services
+# Module: vmtools
+#
+# VMware Tools daemon
+#
+vmtools = module
+
+# Layer: apps
+# Module: vmware
+#
+# VMWare Workstation virtual machines
+#
+vmware = module
+
+# Layer: services
+# Module: vnstatd
+#
+# Network traffic Monitor
+#
+vnstatd = module
+
+# Layer: admin
+# Module: vpn
+#
+# Virtual Private Networking client
+#
+vpn = module
+
+# Layer: services
+# Module: w3c
+#
+# w3c
+#
+w3c = module
+
+# Layer: services
+# Module: wdmd
+#
+# wdmd policy
+#
+wdmd = module
+
+# Layer: role
+# Module: webadm
+#
+# Minimally prived root role for managing apache
+#
+webadm = module
+
+# Layer: apps
+# Module: webalizer
+#
+# Web server log analysis
+#
+webalizer = module
+
+# Layer: apps
+# Module: wine
+#
+# wine executable
+#
+wine = module
+
+# Layer: apps
+# Module: wireshark
+#
+# wireshark executable
+#
+wireshark = module
+
+# Layer: system
+# Module: xen
+#
+# virtualization software
+#
+xen = module
+
+# Layer: services
+# Module: zabbix
+#
+# Open-source monitoring solution for your IT infrastructure
+#
+zabbix = module
+
+# Layer: services
+# Module: zarafa
+#
+# Zarafa Collaboration Platform
+#
+zarafa = module
+
+# Layer: services
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+#
+zebra = module
+
+# Layer: services
+# Module: zoneminder
+#
+# Zoneminder Camera Security Surveillance Solution
+#
+zoneminder = module
+
+# Layer: services
+# Module: zosremote
+#
+# policy for z/OS Remote-services Audit dispatcher plugin
+#
+zosremote = module
+
+# Layer: contrib
+# Module: thin
+#
+# Policy for thin
+#
+thin = module
+
+# Layer: contrib
+# Module: mandb
+#
+# Policy for mandb
+#
+mandb = module
+
+# Layer: services
+# Module: pki
+#
+# policy for pki
+#
+pki = module
+
+# Layer: services
+# Module: smsd
+#
+# policy for smsd
+#
+smsd = module
+
+# Layer: contrib
+# Module: pesign
+#
+# policy for pesign
+#
+pesign = module
+
+# Layer: contrib
+# Module: nsd
+#
+# Fast and lean authoritative DNS Name Server
+#
+nsd = module
+
+# Layer: contrib
+# Module: iodine
+#
+# Fast and lean authoritative DNS Name Server
+#
+iodine = module
+
+# Layer: contrib
+# Module: openhpid
+#
+# OpenHPI daemon runs as a background process and accepts connecti
+#
+openhpid = module
+
+# Layer: contrib
+# Module: watchdog
+#
+# Watchdog policy
+#
+watchdog = module
+
+# Layer: contrib
+# Module: oracleasm
+#
+# oracleasm policy
+#
+oracleasm = module
+
+# Layer: contrib
+# Module: redis
+#
+# redis policy
+#
+redis = module
+
+# Layer: contrib
+# Module: hypervkvp
+#
+# hypervkvp policy
+#
+hypervkvp = module
+
+# Layer: contrib
+# Module: lsm
+#
+# lsm policy
+#
+lsm = module
+
+# Layer: contrib
+# Module: motion
+#
+# Daemon for detect motion using a video4linux device
+motion = module
+
+# Layer: contrib
+# Module: rtas
+#
+# rtas policy
+#
+rtas = module
+
+# Layer: contrib
+# Module: journalctl
+#
+# journalctl policy
+#
+journalctl = module
+
+# Layer: contrib
+# Module: gdomap
+#
+# gdomap policy
+#
+gdomap = module
+
+# Layer: contrib
+# Module: minidlna
+#
+# minidlna policy
+#
+minidlna = module
+
+# Layer: contrib
+# Module: minissdpd
+#
+# minissdpd policy
+#
+minissdpd = module
+
+# Layer: contrib
+# Module: freeipmi
+#
+# Remote-Console (out-of-band) and System Management Software (in-band)
+# based on IntelligentPlatform Management Interface specification
+#
+freeipmi = module
+
+# Layer: contrib
+# Module: freeipmi
+#
+# ipa policy module contain SELinux policies for IPA services
+#
+ipa = module
+
+# Layer: contrib
+# Module: mirrormanager
+#
+# mirrormanager policy
+#
+mirrormanager = module
+
+# Layer: contrib
+# Module: snapper
+#
+# snapper policy
+#
+snapper = module
+
+# Layer: contrib
+# Module: pcp
+#
+# pcp policy
+#
+pcp = module
+
+# Layer: contrib
+# Module: 
geoclue
+#
+# Add policy for Geoclue. Geoclue is a D-Bus service that provides location information
+#
+geoclue = module
+
+# Layer: contrib
+# Module: rkhunter
+#
+# rkhunter policy for /var/lib/rkhunter
+#
+rkhunter = module
+
+# Layer: contrib
+# Module: bacula
+#
+# bacula policy
+#
+bacula = module
+
+# Layer: contrib
+# Module: rhnsd
+#
+# rhnsd policy
+#
+rhnsd = module
+
+# Layer: contrib
+# Module: mongodb
+#
+# mongodb policy
+#
+
+mongodb = module
+
+# Layer: contrib
+# Module: iotop
+#
+# iotop policy
+#
+
+iotop = module
+
+# Layer: contrib
+# Module: kmscon
+#
+# kmscon policy
+#
+
+kmscon = module
+
+# Layer: contrib
+# Module: naemon
+#
+# naemon policy
+#
+naemon = module
+
+# Layer: contrib
+# Module: brltty
+#
+# brltty policy
+#
+brltty = module
+
+# Layer: contrib
+# Module: cpuplug
+#
+# cpuplug policy
+#
+cpuplug = module
+
+# Layer: contrib
+# Module: mon_statd
+#
+# mon_statd policy
+#
+mon_statd = module
+
+# Layer: contrib
+# Module: cinder
+#
+# openstack-cinder policy
+#
+cinder = module
+
+# Layer: contrib
+# Module: linuxptp
+#
+# linuxptp policy
+#
+linuxptp = module
+
+# Layer: contrib
+# Module: rolekit
+#
+# rolekit policy
+#
+rolekit = module
+
+# Layer: contrib
+# Module: targetd
+#
+# targetd policy
+#
+targetd = module
+
+# Layer: contrib
+# Module: hsqldb
+#
+# Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes.
+#
+hsqldb = module
+
+# Layer: contrib
+# Module: blkmapd
+#
+# The blkmapd daemon performs device discovery and mapping for pNFS block layout client.
+#
+blkmapd = module
+
+# Layer: contrib
+# Module: pkcs11proxyd
+#
+# pkcs11proxyd policy
+#
+pkcs11proxyd = module
+
+# Layer: contrib
+# Module: ipmievd
+#
+# IPMI event daemon for sending events to syslog
+#
+ipmievd = module
+
+# Layer: contrib
+# Module: openfortivpn
+#
+# Fortinet compatible SSL VPN daemons.
+#
+openfortivpn = module
+
+# Layer: contrib
+# Module: fwupd
+#
+# fwupd is a daemon to allow session software to update device firmware.
+#
+fwupd = module
+
+# Layer: contrib
+# Module: lttng-tools
+#
+# LTTng 2.x central tracing registry session daemon.
+#
+lttng-tools = module
+
+# Layer: contrib
+# Module: rkt
+#
+# CLI for running app containers
+#
+rkt = module
+
+# Layer: contrib
+# Module: opendnssec
+#
+# opendnssec
+#
+opendnssec = module
+
+# Layer: contrib
+# Module: hwloc
+#
+# hwloc
+#
+hwloc = module
+
+# Layer: contrib
+# Module: sbd
+#
+# sbd
+#
+sbd = module
+
+# Layer: contrib
+# Module: tlp
+#
+# tlp
+#
+tlp = module
+
+# Layer: contrib
+# Module: conntrackd
+#
+# conntrackd
+#
+conntrackd = module
+
+# Layer: contrib
+# Module: tangd
+#
+# tangd
+#
+tangd = module
+
+# Layer: contrib
+# Module: ibacm
+#
+# ibacm
+#
+ibacm = module
+
+# Layer: contrib
+# Module: opafm
+#
+# opafm
+#
+opafm = module
+
+# Layer: contrib
+# Module: boltd
+#
+# boltd
+#
+boltd = module
+
+# Layer: contrib
+# Module: kpatch
+#
+# kpatch
+#
+kpatch = module
diff --git a/packagekit.fc b/packagekit.fc
new file mode 100644
index 0000000..b004ae0
--- /dev/null
+++ b/packagekit.fc
@@ -0,0 +1,44 @@
+/usr/lib/systemd/system/packagekit.* -- gen_context(system_u:object_r:packagekit_unit_file_t,s0)
+
+/usr/bin/packagekit -- gen_context(system_u:object_r:packagekit_exec_t,s0)
+
+#/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:packagekit_var_lib_t,s0)
+
+/usr/bin/pkcon -- gen_context(system_u:object_r:packagekit_exec_t,s0)
+/usr/bin/pkmon -- gen_context(system_u:object_r:packagekit_exec_t,s0)
+/usr/lib/packagekit-direct -- gen_context(system_u:object_r:packagekit_exec_t,s0)
+/usr/lib/packagekitd -- gen_context(system_u:object_r:packagekit_exec_t,s0)
+/usr/lib/pk-offline-update -- gen_context(system_u:object_r:packagekit_exec_t,s0)
+
+#/etc/PackageKit
+#/etc/dbus-1/system.d/org.freedesktop.PackageKit.conf
+#/usr/lib/tmpfiles.d
+#/usr/lib/tmpfiles.d/PackageKit.conf
+#/usr/lib64/packagekit-backend
+#/usr/lib64/packagekit-backend/libpk_backend_dummy.so
+#/usr/sbin/rcpackagekit
+#/usr/sbin/rcpackagekit-offline-update
+#/usr/share/PackageKit
+#/usr/share/PackageKit/helpers
+#/usr/share/PackageKit/helpers/test_spawn
+#/usr/share/PackageKit/helpers/test_spawn/search-name.sh
+#/usr/share/PackageKit/packagekit-background.sh
+#/usr/share/PackageKit/pk-upgrade-distro.sh
+#/usr/share/PackageKit/transactions.db
+#/usr/share/bash-completion/completions/pkcon
+#/usr/share/dbus-1/interfaces/org.freedesktop.PackageKit.Transaction.xml
+#/usr/share/dbus-1/interfaces/org.freedesktop.PackageKit.xml
+#/usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service
+#/usr/share/doc/packages/PackageKit
+#/usr/share/doc/packages/PackageKit/AUTHORS
+#/usr/share/doc/packages/PackageKit/HACKING
+#/usr/share/doc/packages/PackageKit/NEWS
+#/usr/share/doc/packages/PackageKit/README
+#/usr/share/doc/packages/PackageKit/org.freedesktop.packagekit.rules
+#/usr/share/licenses/PackageKit
+#/usr/share/licenses/PackageKit/COPYING
+#/usr/share/man/man1/pkcon.1.gz
+#/usr/share/man/man1/pkmon.1.gz
+#/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
+#/var/cache/PackageKit
+
diff --git a/packagekit.if b/packagekit.if
new file mode 100644
index 0000000..d9235e0
--- /dev/null
+++ b/packagekit.if
@@ -0,0 +1,2 @@
+## A temporary policy for packagekit.
+
diff --git a/packagekit.te b/packagekit.te
new file mode 100644
index 0000000..b0e373f
--- /dev/null
+++ b/packagekit.te
@@ -0,0 +1,37 @@
+policy_module(packagekit,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type packagekit_t;
+type packagekit_exec_t;
+init_daemon_domain(packagekit_t,packagekit_exec_t)
+
+permissive packagekit_t;
+
+type packagekit_unit_file_t;
+systemd_unit_file(packagekit_unit_file_t)
+
+type packagekit_var_lib_t;
+files_type(packagekit_var_lib_t)
+
+#allow packagekit_t self:tcp_socket create_stream_socket_perms;
+#
+#manage_dirs_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
+#manage_files_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
+#manage_lnk_files_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
+#files_var_lib_filetrans(packagekit_t, packagekit_var_lib_t, dir)
+#
+#kernel_read_unix_sysctls(packagekit_t)
+#kernel_read_net_sysctls(packagekit_t)
+#
+#corenet_tcp_bind_generic_node(packagekit_t)
+#
+#corenet_tcp_bind_kubernetes_port(packagekit_t)
+#corenet_tcp_bind_afs3_callback_port(packagekit_t)
+#
+#fs_getattr_xattr_fs(packagekit_t)
+#
+#logging_send_syslog_msg(packagekit_t)
diff --git a/postfix_paths.patch b/postfix_paths.patch
new file mode 100644
index 0000000..edd7349
--- /dev/null
+++ b/postfix_paths.patch
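Review bot: `#/var/lib/PackageKit(/.*)?` is commented out, so nothing on disk ever receives `packagekit_var_lib_t`, while packagekit.te in this same commit declares that type with `files_type`; the daemon's state directory keeps the generic var_lib label and the declared type is dead. Either restore `/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:packagekit_var_lib_t,s0)` or drop the type declaration. The long run of commented paths below reads like a package file list pasted in as a to-do; a one-line comment such as `# remaining PackageKit paths, unlabeled until the domain is confined` would tell the next maintainer why they are kept.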
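Review bot: `permissive packagekit_t;` makes every access decision for this domain audit-only, so while it is in place a daemon that installs packages as root runs effectively unconfined, and `init_daemon_domain(packagekit_t,packagekit_exec_t)` transitions it there automatically on start. Nothing in the file marks that as temporary; add above the statement `# TEMPORARY: domain stays permissive until AVC denials are collected and turned into rules; remove before enforcing`. The commented-out rule block below (including `corenet_tcp_bind_kubernetes_port`) looks like a copied template rather than PackageKit's observed needs, and deleting it would be clearer than leaving rules that suggest intended access. `packagekit_var_lib_t` is declared here but the only file-context line that would apply it, in packagekit.fc, is commented out.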
@@ -0,0 +1,63 @@
+Index: fedora-policy/policy/modules/contrib/postfix.fc
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/postfix.fc 2019-08-05 09:39:48.669670650 +0200
++++ fedora-policy/policy/modules/contrib/postfix.fc 2019-08-14 11:11:26.195163409 +0200
+@@ -1,36 +1,19 @@
+ # postfix
+ /etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+ /etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+-ifdef(`distro_redhat', `
+-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+-/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+-/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+-/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+-/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+-/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+-/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+-/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+-/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+-', `
+ /usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+-/usr/lib/postfix/local -- 
gen_context(system_u:object_r:postfix_local_exec_t,s0)
+-/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+-/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+-/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+-/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+-/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+-/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+-')
++/usr/lib/postfix/bin/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
++/usr/lib/postfix/bin/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
++/usr/lib/postfix/bin/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
++/usr/lib/postfix/bin/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
++/usr/lib/postfix/bin/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
++/usr/lib/postfix/bin/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
++/usr/lib/postfix/bin/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib/postfix/bin/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib/postfix/bin/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib/postfix/bin/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
++/usr/lib/postfix/bin/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
++/usr/lib/postfix/bin/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+ /etc/postfix/postfix-script.* -- 
gen_context(system_u:object_r:postfix_exec_t,s0)
+ /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
+ /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+@@ -44,6 +27,9 @@ ifdef(`distro_redhat', `
+ /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
+ /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+ 
++/etc/postfix/system/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
++/etc/postfix/system/update_postmaps -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
++
+ /var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
+ 
+ /var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
diff --git a/refpolicy-2.20190609.tar.bz2 b/refpolicy-2.20190609.tar.bz2
deleted file mode 100644
index 097281b..0000000
--- a/refpolicy-2.20190609.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:67bd1213e9d014ada15512028bb7f35ef6610c2d209cc5117b8577474aa6147f
-size 555882
diff --git a/sedoctool.patch b/sedoctool.patch
new file mode 100644
index 0000000..c905731
--- /dev/null
+++ b/sedoctool.patch
@@ -0,0 +1,22 @@
+Index: fedora-policy/support/sedoctool.py
+===================================================================
+--- fedora-policy.orig/support/sedoctool.py 2019-08-21 13:54:02.175947408 +0200
++++ fedora-policy/support/sedoctool.py 2019-08-21 13:57:57.323782524 +0200
+@@ -810,7 +810,7 @@ if booleans:
+ namevalue_list = []
+ if os.path.exists(booleans):
+ try:
+- conf = open(booleans, 'r')
++ conf = open(booleans, 'r', errors='replace')
+ except:
+ error("Could not open booleans file for reading")
+
+@@ -831,7 +831,7 @@ if modules:
+ namevalue_list = []
+ if os.path.exists(modules):
+ try:
+- conf = open(modules, 'r')
++ conf = open(modules, 'r', errors='replace')
+ except:
+ error("Could not open modules file for reading")
+ namevalue_list = get_conf(conf)
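Review bot: The new `/usr/lib/postfix/bin/` list has no entry for `virtual`, although the removed `distro_redhat` branch labeled `/usr/libexec/postfix/virtual` as `postfix_virtual_exec_t`; with this patch the virtual delivery agent falls under the catch-all `/usr/lib/postfix/.* -- postfix_exec_t` and will not enter its dedicated domain. Add `/usr/lib/postfix/bin/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)` next to the other agents. Labeling everything under `/etc/postfix/system/.*` as `postfix_exec_t` also turns a configuration directory into a set of domain entry points; a comment stating which scripts live there and why they need to be entry points would make that deliberate.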
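Review bot: `open(booleans, 'r', errors='replace')` leaves the text encoding to the build host's locale, so the same conf file decodes differently, and the generated documentation differs, depending on the environment, while the bytes that caused the build failure are silently replaced rather than located. Pinning it, `open(booleans, 'r', encoding='utf-8', errors='replace')` (and the same for `modules`), makes the build reproducible; fixing the non-UTF-8 bytes in the conf files themselves would remove the need for the patch. The bare `except:` around the call is pre-existing and still hides the real error.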
diff --git a/selinux-policy.changes b/selinux-policy.changes
index ade175f..5d926a8 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,53 @@
+-------------------------------------------------------------------
+Mon Aug 9 12:11:28 UTC 2019 - Johannes Segitz
+
+- Moved back to fedora policy (20190802)
+- Removed spec file conditionals for old SELinux userland
+- Removed config.tgz
+- Removed patches:
+ * label_sysconfig.selinux.patch
+ * label_var_run_rsyslog.patch
+ * suse_additions_obs.patch
+ * suse_additions_sslh.patch
+ * suse_modifications_apache.patch
+ * suse_modifications_cron.patch
+ * suse_modifications_getty.patch
+ * suse_modifications_logging.patch
+ * suse_modifications_ntp.patch
+ * suse_modifications_usermanage.patch
+ * suse_modifications_virt.patch
+ * suse_modifications_xserver.patch
+ * sysconfig_network_scripts.patch
+ * segenxml_interpreter.patch
+- Added patches:
+ * fix_djbdns.patch
+ * fix_dbus.patch
+ * fix_gift.patch
+ * fix_java.patch
+ * fix_hadoop.patch
+ * fix_thunderbird.patch
+ * postfix_paths.patch
+ * fix_nscd.patch
+ * fix_sysnetwork.patch
+ * fix_logging.patch
+ * fix_xserver.patch
+ * fix_miscfiles.patch
+ to fix problems with the coresponding modules
+- Added sedoctool.patch to prevent build failures
+- This also adds three modules:
+ * packagekit.(te|if|fc)
+ Basic (currently permissive) module for packagekit
+ * minimum_temp_fixes.(te|if|fc)
+ and
+ * targeted_temp_fixes.(te|if|fc)
+ both are currently necessary to get the systems to boot in
+ enforcing mode. Most of them obviosly stem from mislabeled
+ files, so this needs to be worked through and then removed
+ eventually
+ Also selinuxuser_execstack, selinuxuser_execmod and
+ domain_can_mmap_files need to be enabled. Especially the first
+ two are bad and should be removed ASAP
+
 -------------------------------------------------------------------
 Thu Jul 11 12:29:29 UTC 2019 - 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d9b4e78..259411d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -24,7 +24,7 @@
 # TODO: This turns on distro-specific policies.
 # There are almost no SUSE specific modifications available in the policy, so we utilize the
 # ones used by redhat and include also the SUSE specific ones (see sed statement below)
-%define distro suse
+%define distro redhat
 %define ubac n
 %define polyinstatiate n
 %define monolithic n
@@ -38,10 +38,6 @@
 %define coreutils_ge() %{lua: if (rpm.vercmp(rpm.expand("%POLICYCOREUTILSVER"), rpm.expand("%1")) >= 0) then print "1" else print "0" end }
-# conditional stuff depending on policycoreutils version
-# See https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration
-%if %{coreutils_ge 2.5}
-
 # Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions
 # It depends on the kernel, but apparently more so on the libsemanage version.
 %define POLICYVER 30
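Review bot: `%define distro redhat` enables every `ifdef(\`distro_redhat'` block in the policy, and those blocks carry Fedora path conventions; this same commit shows the cost, since postfix_paths.patch has to strip the `/usr/libexec/postfix` branch to get SUSE paths. The comment above it still refers to a "sed statement below" that this hunk gives no way to locate, so it reads as stale. Replace that sentence with a note recording the current arrangement, e.g. `# DISTRO=redhat selects the fedora-policy distro_redhat blocks; SUSE path differences are carried in the fix_*.patch and postfix_paths.patch files`.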
@@ -69,54 +65,6 @@
 %dir %{module_store %%1}/active/modules/disabled \
 %{module_disabled %%1 sandbox}
 %global files_dot_bin() %nil
-%global rm_selinux_mod() rm -rf %%1
-
-%else
-# Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions
-# It depends on the kernel, but apparently more so on the libsemanage version.
-%define POLICYVER 29
-
-%global module_store() %{_sysconfdir}/selinux/%%{1}/modules
-%global module_dir active/modules
-%global module_disabled() %{module_store %%{1}}/active/modules/%%{2}.pp.disabled
-
-# FixMe 170315: Why is bzip2 used here rather than semodule -i?
-%global install_pp() \
- (cd %{buildroot}/%{_usr}/share/selinux/%%1/ \
- bzip2 -c base.pp > %{buildroot}/%{_sysconfdir}/selinux/%%1/modules/active/base.pp \
- rm -f base.pp \
- for i in *.pp; do \
- bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%%1/modules/active/modules/$i \
- done \
- rm -f *pp* );
-
-# FixMe 170315:
-# Why is base.pp installed in a different path than other modules?
-# Requirement of policycoreutils 2.3 ??
-%global files_base_pp() %verify(not md5 size mtime) %{module_store %%{1}}/active/base.pp
-
-# FixMe 170315: do we really need these?
-%global touch_file_contexts() \
- touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.local \
- touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.homedirs.bin \
- touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.bin;
-
-%global mkdir_other() %nil
-
-# FixMe 170315: do we really need these?
-%global files_file_contexts() \
- %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/file_contexts.homedirs \
- %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/file_contexts.template
-
-# FixMe 170315: do we really need these?
-%global files_other() \
- %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/seusers.final \
- %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/netfilter_contexts
-
-%global files_dot_bin() %ghost %{module_store %%{1}}/active/*.bin
-%global rm_selinux_mod() rm -f %%{1}.pp
-
-%endif
 Summary: SELinux policy configuration
 License: GPL-2.0-or-later
@@ -124,11 +72,15 @@ Group: System/Management
 Name: selinux-policy
 Version: 20190609
 Release: 0
-Source: https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_%{version}/refpolicy-2.%{version}.tar.bz2
+Source: fedora-policy.20190802.tar.bz2
 Source10: modules-targeted-base.conf
+Source11: modules-targeted-contrib.conf
 Source12: modules-mls-base.conf
-Source13: modules-minimum-disable.lst
+Source13: modules-mls-contrib.conf
+Source14: modules-minimum-base.conf
+Source15: modules-minimum-contrib.conf
+Source18: modules-minimum-disable.lst
 Source20: booleans-targeted.conf
 Source21: booleans-mls.conf
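Review bot: `Source: fedora-policy.20190802.tar.bz2` is a local tarball while `Version: 20190609` stays untouched, so the package version no longer describes what is built, and the removed `Source:` URL (together with the git-lfs sha256 of refpolicy-2.20190609.tar.bz2 deleted in this commit) is replaced by nothing that records where the fedora snapshot came from. Set `Version: 20190802` to match, and add a comment above `Source:` naming the upstream repository and the commit the tarball was generated from, so its origin can be checked. The `Url:` tag in the following hunk still points at refpolicy and should be updated in the same way.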
@@ -152,23 +104,35 @@ Source61: selinux-policy.sysconfig
 Source90: selinux-policy-rpmlintrc
 Source91: Makefile.devel
 Source92: customizable_types
-Source93: config.tgz
+#Source93: config.tgz
 Source94: file_contexts.subs_dist
-Patch001: label_sysconfig.selinux.patch
-Patch002: label_var_run_rsyslog.patch
-Patch003: suse_additions_obs.patch
-Patch004: suse_additions_sslh.patch
-Patch005: suse_modifications_apache.patch
-Patch007: suse_modifications_cron.patch
-Patch009: suse_modifications_getty.patch
-Patch012: suse_modifications_logging.patch
-Patch013: suse_modifications_ntp.patch
-Patch021: suse_modifications_usermanage.patch
-Patch022: suse_modifications_virt.patch
-Patch023: suse_modifications_xserver.patch
-Patch024: sysconfig_network_scripts.patch
-Patch025: segenxml_interpreter.patch
+Source100: minimum_temp_fixes.te
+Source101: minimum_temp_fixes.if
+Source102: minimum_temp_fixes.fc
+
+Source110: targeted_temp_fixes.te
+Source111: targeted_temp_fixes.if
+Source112: targeted_temp_fixes.fc
+
+Source120: packagekit.te
+Source121: packagekit.if
+Source122: packagekit.fc
+
+Patch001: fix_djbdns.patch
+Patch002: fix_dbus.patch
+Patch003: fix_gift.patch
+Patch004: fix_java.patch
+Patch005: fix_hadoop.patch
+Patch006: fix_thunderbird.patch
+Patch007: postfix_paths.patch
+Patch008: fix_nscd.patch
+Patch009: fix_sysnetwork.patch
+Patch010: fix_logging.patch
+Patch011: fix_xserver.patch
+Patch012: fix_miscfiles.patch
+
+Patch100: sedoctool.patch
 Url: http://oss.tresys.com/repos/refpolicy/
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -195,26 +159,24 @@ Recommends: selinux-tools
 Recommends: python3-policycoreutils
 Recommends: policycoreutils
-%global makeCmds() \
-make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
-make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \
+%global makeConfig() \
+make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
+make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \
 cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
-#cp -f selinux_config/users-%1 ./policy/users \
-#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
-
-%global makeModulesConf() \
-cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
-cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
-#if [ "%3" = "contrib" ];then \
-# cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
-# cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
-#fi; \
+cp -f selinux_config/users-%1 ./policy/users \
+cp -f selinux_config/modules-%1-base.conf ./policy/modules-base.conf \
+cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
+if [ "%5" = "contrib" ];then \
+ cp selinux_config/modules-%1-%5.conf ./policy/modules-contrib.conf; \
+ cat selinux_config/modules-%1-%5.conf >> ./policy/modules.conf; \
+fi; \
 %global installCmds() \
-make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \
-make %{?_smp_mflags} validate SYSTEMD=y UNK_PERMS=%4 
NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \
-make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
-make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
+make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 base.pp \
+make %{?_smp_mflags} validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \
+make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
+mkdir -p %{buildroot}/var/lib/selinux/%1 \
+/usr/sbin/semodule -s %%1 -n -B -p %{buildroot}; \
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
 %{__mkdir} -p %{buildroot}/%{module_store %%{1}}/%{module_dir} \
@@ -235,7 +197,6 @@ touch %{buildroot}%{module_store %%{1}}/active/users_extra.local \
 touch %{buildroot}%{module_store %%{1}}/active/users.local \
 %install_pp %%1 \
 touch %{buildroot}%{module_disabled %%1 sandbox} \
-/usr/sbin/semodule -s %%1 -n -B -p %{buildroot}; \
 /usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
 %nil
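Review bot: `/usr/sbin/semodule -s %%1 -n -B -p %{buildroot};` now runs directly after `make install`, before `%install_pp %%1` and `touch %{buildroot}%{module_disabled %%1 sandbox}` (removed from its old place in the second hunk), so the policy binary and the `.policy.sha512` derived from it are produced before those later steps; if `semodule -B` is meant to see what `%install_pp` copies into the store, or to honour the sandbox disabled marker, the order is wrong — `%install_pp` is defined outside this hunk, so please confirm. `mkdir -p %{buildroot}/var/lib/selinux/%1` hard-codes the store path that `%{module_store %%{1}}` abstracts two lines later, so the two can drift. In `makeConfig`, `cp -f selinux_config/users-%1 ./policy/users` is now unconditional, so a missing `users-<type>` file errors out, and `"%5"` is a new fifth macro argument every caller must supply; a comment on the macro such as `# args: %1 name, %2 type, %3 direct_initrc, %4 unk_perms, %5 "contrib" to append the contrib module list` would prevent the next mismatch.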
@@ -243,6 +204,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
 %global fileList() \
 %defattr(-,root,root) \
 %dir %{_usr}/share/selinux/%1 \
+%{_usr}/share/selinux/%1/* \
 %dir %{_sysconfdir}/selinux/%1 \
 %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
@@ -278,13 +240,15 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
 %config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/customizable_types \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/openrc_contexts \
 %dir %{_sysconfdir}/selinux/%1/contexts/files \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
@@ -294,10 +258,10 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
 %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
 %config %{_sysconfdir}/selinux/%1/contexts/files/media \
 %dir %{_sysconfdir}/selinux/%1/contexts/users \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/*
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/*
 
 %define relabel() \
-. %{_sysconfdir}/sysconfig/selinux-policy; \
+. %{_sysconfdir}/selinux/config; \
 FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
 if selinuxenabled; then \
 if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
@@ -329,7 +293,6 @@ fi;
 . %{_sysconfdir}/selinux/config; \
 if [ -e %{_sysconfdir}/selinux/%%2/.rebuild ]; then \
 rm %{_sysconfdir}/selinux/%%2/.rebuild; \
- (cd %{module_store %%2}/%{module_dir}; for _mod in shutdown amavis clamav gnomeclock matahari xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor pki-selinux phpfpm consoletype ctdbd fcoemon isnsd l2tp rgmanager corosync aisexec pacemaker; do %{rm_selinux_mod ${_mod}}; done ) \
 /usr/sbin/semodule -B -n -s %%2; \
 else \
 touch %{module_disabled %%2 sandbox} \
@@ -356,7 +319,7 @@ fi;
 %define modulesList() \
 awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \
 if [ -e ./policy/modules-contrib.conf ];then \
- awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
 fi;
 
 %files
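Review bot: `%define relabel()` now sources `%{_sysconfdir}/selinux/config` with `.`, which executes that file as shell inside the scriptlet rather than only reading `SELINUXTYPE` from it; the macro in the next hunk already does the same, so this is at least consistent, but a scriptlet should treat the file as data, e.g. `SELINUXTYPE=$(sed -n 's/^SELINUXTYPE=//p' %{_sysconfdir}/selinux/config)`. On the context line that follows, `if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]` runs directly after `then`, so `$?` is always 0 and that first clause is dead; the commit touches the variable this test depends on but leaves the test itself as is. The `relabel` body continues past the end of the hunk.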
@@ -373,31 +336,30 @@ SELinux Reference Policy. A complete SELinux policy that can be used as the syst
 systems and used as the basis for creating other policies.
 
 %prep
-%setup -n refpolicy
+%setup -n fedora-policy
 %patch001 -p1
 %patch002 -p1
 %patch003 -p1
 %patch004 -p1
 %patch005 -p1
+%patch006 -p1
 %patch007 -p1
+%patch008 -p1
 %patch009 -p1
+%patch010 -p1
+%patch011 -p1
 %patch012 -p1
-%patch013 -p1
-%patch021 -p1
-%patch022 -p1
-%patch023 -p1
-%patch024 -p1
-%patch025 -p1
+
+%patch100 -p1
 
 %build
 
 %install
 mkdir selinux_config
-for i in %{SOURCE10} %{SOURCE12} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE91} %{SOURCE92} %{SOURCE93} %{SOURCE94};do
+for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do
 cp $i selinux_config
 done
-tar zxvf selinux_config/config.tgz
-# Build targeted policy
+#tar zxvf selinux_config/config.tgz
 %{__rm} -fR %{buildroot}
 mkdir -p %{buildroot}%{_sysconfdir}/selinux
 mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
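Review bot: `+#tar zxvf selinux_config/config.tgz` leaves the old extraction as commented-out code while the `# Build targeted policy` comment next to it is dropped; if the tarball is no longer among the copied sources, delete the line, otherwise replace it with a comment that says why it is disabled, e.g. `# config.tgz is not unpacked any more; the per-policy config files are copied from the SOURCE list above`. The new `for i in %{SOURCE10} ... %{SOURCE94};do` list adds `%{SOURCE11}`, `%{SOURCE13}`-`%{SOURCE15}` and `%{SOURCE50}`-`%{SOURCE52}` and drops `%{SOURCE93}`, and `%prep` now applies `%patch006`, `%patch008`, `%patch010`, `%patch011` and `%patch100`; the matching `Source`/`Patch` tags live outside this chunk, so I could not confirm that each of them is declared.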
@@ -406,40 +368,45 @@ cp %{SOURCE60} %{buildroot}%{_usr}/lib/tmpfiles.d/
 # Always create policy module package directories
 mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
 
+for i in %{SOURCE120} %{SOURCE121} %{SOURCE122}; do
+ cp $i policy/modules/contrib
+done
+
 make clean
 %if %{BUILD_TARGETED}
-# Build targeted policy
-mkdir -p %{buildroot}%{_usr}/share/selinux/targeted
-%makeCmds targeted mcs n allow
-%makeModulesConf targeted base contrib
+for i in %{SOURCE110} %{SOURCE111} %{SOURCE112}; do
+ cp $i policy/modules/contrib
+done
+%makeConfig targeted mcs n deny contrib
 %installCmds targeted mcs n allow
 %modulesList targeted
 %endif
-
-%if %{BUILD_MINIMUM}
-# Build minimum policy
-mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
-%makeCmds minimum mcs n allow
-%makeModulesConf targeted base contrib
-%installCmds minimum mcs n allow
-install -m0644 %{SOURCE13} %{buildroot}/usr/share/selinux/minimum/modules-minimum-disable.lst \
-%modulesList minimum
-%endif
+for i in %{SOURCE110} %{SOURCE111} %{SOURCE112}; do
+ rm policy/modules/contrib/$(basename $i)
+done
 
 %if %{BUILD_MLS}
-# Build mls policy
-mkdir -p %{buildroot}%{_usr}/share/selinux/mls
-%makeCmds mls mls n deny
-%makeModulesConf mls base contrib
+%makeConfig mls mls n deny contrib
 %installCmds mls mls n deny
 %modulesList mls
 %endif
 
+%if %{BUILD_MINIMUM}
+for i in %{SOURCE100} %{SOURCE101} %{SOURCE102}; do
+ cp $i policy/modules/contrib
+done
+%makeConfig minimum mcs n deny contrib
+%installCmds minimum mcs n allow
+install -m0644 %{SOURCE18} %{buildroot}/usr/share/selinux/minimum/modules-minimum-disable.lst \
+%modulesList minimum
+%endif
+
+
 # Install devel
 mkdir -p %{buildroot}%{_mandir}
 cp -R man/* %{buildroot}%{_mandir}
-make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
-make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
+make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
+make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
 mkdir %{buildroot}%{_usr}/share/selinux/devel/
 mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
 chmod +x %{buildroot}%{_usr}/share/selinux/devel/include/support/segenxml.py
@@ -466,6 +433,7 @@ else
 [ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local ] && mv %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local %{module_store targeted}/active/
 [ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers ] && cp -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers %{module_store ${SELINUXTYPE}}/active/seusers
 fi
+%tmpfiles_create %_tmpfilesdir/selinux-policy.conf
 exit 0
 
 %global post_un() \
@@ -495,7 +463,6 @@ SELinux policy development and man page package
 %files devel
 %defattr(-,root,root,-)
 %doc /usr/share/man/ru/man8/*
-%doc /usr/share/man/man8/*
 %dir %{_usr}/share/selinux/devel
 %dir %{_usr}/share/selinux/devel/include
 %{_usr}/share/selinux/devel/include/*
@@ -539,7 +506,6 @@ exit 0
 %files targeted
 %defattr(-,root,root,-)
 %fileList targeted
-%{_usr}/share/selinux/targeted/modules-base.lst
 
 %postun targeted
 %post_un $1
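Review bot: The cleanup loop `for i in %{SOURCE110} %{SOURCE111} %{SOURCE112}; do rm policy/modules/contrib/$(basename $i); done` sits after `%endif` and therefore also runs when `%{BUILD_TARGETED}` is 0, in which case the files were never copied and the plain `rm` aborts the `%install` section; either move the loop inside the `%if %{BUILD_TARGETED}` block or use `rm -f policy/modules/contrib/$(basename $i)`. The UNK_PERMS argument is now inconsistent within one policy: `%makeConfig targeted mcs n deny contrib` and `%makeConfig minimum mcs n deny contrib` generate the configuration with `deny` while `%installCmds targeted mcs n allow` and `%installCmds minimum mcs n allow` build and install with `allow` (the old `%makeCmds` calls passed `allow`); if the difference is deliberate, a comment on the `%makeConfig` lines should say why. The `install -m0644 %{SOURCE18} ... \` line keeps a trailing backslash that joins it to the expanded `%modulesList minimum` on the next line; it is carried over from the old line, but still looks accidental and is worth dropping.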
@@ -566,28 +532,40 @@ if [ $1 -ne 1 ]; then
 fi
 
 %post minimum
-contribpackages=`cat /usr/share/selinux/minimum/modules-minimum-disable.lst`
+contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
+basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
+if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then
+ mkdir /var/lib/selinux/minimum/active/modules/disabled
+fi
 if [ $1 -eq 1 ]; then
- for p in $contribpackages djbdns dkim getty geoclue lightsquid openca pyzor portage shibboleth yam portslave qemu xserver evolution thunderbird xscreensaver; do
- touch %{module_disabled minimum $p}
- done
- /sbin/restorecon -R /root /var/log /var/run 2> /dev/null
- /usr/sbin/semodule -B -s minimum
+for p in $contribpackages; do
+ touch /var/lib/selinux/minimum/active/modules/disabled/$p
+done
+for p in $basepackages apache dbus inetd kerberos mta nis nscd rpm postfix rtkit; do
+ rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
+done
+/usr/sbin/semanage import -S minimum -f - << __eof
+login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
+login -m -s unconfined_u -r s0-s0:c0.c1023 root
+__eof
+/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
+/usr/sbin/semodule -B -s minimum
 else
- instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
- for p in $contribpackages djbdns dkim getty geoclue lightsquid openca pyzor portage shibboleth yam portslave qemu xserver evolution thunderbird xscreensaver; do
- touch %{module_disabled minimum $p}
- done
- /usr/sbin/semodule -B -s minimum
- %relabel minimum
+instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
+for p in $contribpackages; do
+ touch /var/lib/selinux/minimum/active/modules/disabled/$p
+done
+for p in $instpackages apache dbus inetd kerberos mta nis nscd postfix rtkit; do
+ rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
+done
+/usr/sbin/semodule -B -s minimum
+%relabel minimum
 fi
 exit 0
 
 %files minimum
 %defattr(-,root,root,-)
 %fileList minimum
-%{_usr}/share/selinux/minimum/modules-base.lst
-/usr/share/selinux/minimum/modules-minimum-disable.lst
 
 %postun minimum
 %post_un $1
@@ -598,7 +576,6 @@ exit 0
 Summary: SELinux mls base policy
 Group: System/Management
 Provides: selinux-policy-base = %{version}-%{release}
-Obsoletes: selinux-policy-mls-sources < 2
 Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER}
 Requires: setransd
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
@@ -619,7 +596,6 @@ SELinux Reference policy mls base module.
 %files mls
 %defattr(-,root,root,-)
 %fileList mls
-%{_usr}/share/selinux/mls/modules-base.lst
 
 %postun mls
 %post_un $1
diff --git a/suse_additions_obs.patch b/suse_additions_obs.patch
deleted file mode 100644
index c544d23..0000000
--- a/suse_additions_obs.patch
+++ /dev/null
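Review bot: The set of modules that must stay enabled differs between the two branches of `%post minimum`: the fresh-install loop is `for p in $basepackages apache dbus inetd kerberos mta nis nscd rpm postfix rtkit; do` while the upgrade loop is `for p in $instpackages apache dbus inetd kerberos mta nis nscd postfix rtkit; do`, so `rpm` is re-enabled only on first install; hoist the fixed part into one variable such as `keep_enabled="apache dbus inetd kerberos mta nis nscd rpm postfix rtkit"` and use it in both loops. `mkdir /var/lib/selinux/minimum/active/modules/disabled` has no `-p`, so the scriptlet fails if `active/modules` does not exist yet when `%post` runs. The `semanage import` heredoc maps `__default__` and `root` to `unconfined_u` with the full `s0-s0:c0.c1023` range on first install only; that is a policy decision that deserves a comment above the heredoc (e.g. `# minimum policy: map every login, including root, to unconfined_u`), and whether it should be re-applied on upgrade is not addressed.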
@@ -1,96 +0,0 @@
-Index: serefpolicy-contrib-20140730/obs.fc
-===================================================================
---- /dev/null
-+++ serefpolicy-contrib-20140730/obs.fc
-@@ -0,0 +1,63 @@
-+/usr/lib/build/Build(/.*)? -- gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib/build/Build.pm -- gen_context(system_u:object_r:lib_t,s0)
-+
-+/usr/lib/build/configs(/.*)? -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/baselibs_global.conf -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/baselibs_global-deb.conf -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-pkg -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-pkg-arch -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-pkg-deb -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-pkg-rpm -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe-arch -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe-dsc -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe-kiwi -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe-livebuild -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe-mock -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe-preinstallimage -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-recipe-spec -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-ec2 -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-emulator -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-kvm -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-lxc -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-openstack -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-qemu -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-uml -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-xen -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/build-vm-zvm -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/lxc.conf -- gen_context(system_u:object_r:etc_t,s0)
-+/usr/lib/build/qemu-reg -- gen_context(system_u:object_r:etc_t,s0)
-+
-+/usr/lib/build/emulator/.* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/build -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/changelog2spec -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/common_functions -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/computeblocklists -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/createarchdeps -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/createdebdeps -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/createrepomddeps -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/createrpmdeps -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/createyastdeps -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/createzyppdeps -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/debtransform -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/debtransformbz2 -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/debtransformzip -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/download -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/expanddeps -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/extractbuild -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/getbinaryid -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/init_buildsystem -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/killchroot -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/mkbaselibs -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/mkdrpms -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/order -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/queryconfig -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/signdummy -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/spec2changelog -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/spec_add_patch -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/spectool -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/substitutedeps -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/unrpm -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/build/vc -- gen_context(system_u:object_r:bin_t,s0)
-+
-Index: serefpolicy-contrib-20140730/obs.if
-===================================================================
---- /dev/null
-+++ serefpolicy-contrib-20140730/obs.if
-@@ -0,0 +1 @@
-+#
-Index: serefpolicy-contrib-20140730/obs.te
-===================================================================
---- /dev/null
-+++ serefpolicy-contrib-20140730/obs.te
-@@ -0,0 +1,17 @@
-+policy_module(obs, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+# work out a real policy later on
-+#type obs_t;
-+#type obs_exec_t;
-+#application_domain(obs_t, obs_exec_t)
-+#
-+#type obs_conf_t;
-+#files_config_file(obs_conf_t)
-+#
-+#permissive obs_t;
-+
diff --git a/suse_additions_sslh.patch b/suse_additions_sslh.patch
deleted file mode 100644
index a330c97..0000000
--- a/suse_additions_sslh.patch
+++ /dev/null
@@ -1,149 +0,0 @@
-Index: serefpolicy-contrib-20140730/sslh.fc
-===================================================================
---- /dev/null
-+++ serefpolicy-contrib-20140730/sslh.fc
-@@ -0,0 +1,9 @@
-+/etc/conf.d/sslh -- gen_context(system_u:object_r:sslh_conf_t,s0)
-+/etc/default/sslh -- gen_context(system_u:object_r:sslh_conf_t,s0)
-+
-+/etc/init.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
-+/usr/lib/systemd/system/sslh.service -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
-+
-+#/usr/sbin/rcsslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
-+/usr/sbin/sslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
-+
-Index: serefpolicy-contrib-20140730/sslh.if
-===================================================================
---- /dev/null
-+++ serefpolicy-contrib-20140730/sslh.if
-@@ -0,0 +1,77 @@
-+## sslh Applicative Protocol Multiplexer
-+
-+#######################################
-+##
-+## Allow a domain to getattr on sslh binary.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`sslh_getattr_exec',`
-+ gen_require(`
-+ type sslh_exec_t;
-+ ')
-+
-+ allow $1 sslh_exec_t:file getattr;
-+')
-+
-+#######################################
-+##
-+## Read sslh configuration.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sslh_read_config',`
-+ gen_require(`
-+ type sslh_conf_t;
-+ ')
-+
-+ files_search_etc($1)
-+ list_dirs_pattern($1, sslh_conf_t, sslh_conf_t)
-+ read_files_pattern($1, sslh_conf_t, sslh_conf_t)
-+')
-+
-+######################################
-+##
-+## Write sslh configuration.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sslh_write_config',`
-+ gen_require(`
-+ type sslh_conf_t;
-+ ')
-+
-+ files_search_etc($1)
-+ write_files_pattern($1, sslh_conf_t, sslh_conf_t)
-+')
-+
-+####################################
-+##
-+## Manage sslh configuration.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sslh_manage_config',`
-+ gen_require(`
-+ type sslh_conf_t;
-+ ')
-+
-+ files_search_etc($1)
-+ manage_files_pattern($1, sslh_conf_t, sslh_conf_t)
-+')
-Index: serefpolicy-contrib-20140730/sslh.te
-===================================================================
---- /dev/null
-+++ serefpolicy-contrib-20140730/sslh.te
-@@ -0,0 +1,48 @@
-+policy_module(sslh, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type sslh_t;
-+type sslh_exec_t;
-+init_daemon_domain(sslh_t, sslh_exec_t)
-+
-+type sslh_initrc_exec_t;
-+init_script_file(sslh_initrc_exec_t)
-+
-+type sslh_conf_t;
-+files_config_file(sslh_conf_t)
-+
-+type sslh_unit_file_t;
-+systemd_unit_file(sslh_unit_file_t)
-+
-+########################################
-+#
-+# sslh local policy
-+#
-+
-+allow sslh_t self:capability { setuid net_bind_service setgid };
-+allow sslh_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-+allow sslh_t self:process { setcap signal };
-+allow sslh_t self:tcp_socket { getattr setopt bind create listen accept connect write read };
-+
-+corenet_tcp_bind_generic_node(sslh_t)
-+corenet_tcp_bind_all_ports(sslh_t)
-+corenet_tcp_connect_all_ports(sslh_t)
-+
-+corenet_udp_bind_all_ports(sslh_t)
-+corenet_udp_send_generic_if(sslh_t)
-+corenet_udp_receive_generic_if(sslh_t)
-+
-+read_files_pattern(sslh_t, sslh_conf_t, sslh_conf_t)
-+
-+nscd_shm_use(sslh_t)
-+
-+allow sslh_t nscd_var_run_t:file read;
-+
-+# dontaudit?
-+#allow sshd_t chkpwd_t:process { siginh rlimitinh noatsecure };
-+#allow sshd_t unconfined_t:process { siginh noatsecure };
-+
diff --git a/suse_modifications_apache.patch b/suse_modifications_apache.patch
deleted file mode 100644
index 7908f26..0000000
--- a/suse_modifications_apache.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: refpolicy/policy/modules/services/apache.fc
-===================================================================
---- refpolicy.orig/policy/modules/services/apache.fc 2018-11-27 13:33:30.059837794 +0100
-+++ refpolicy/policy/modules/services/apache.fc 2018-11-27 13:34:07.964446972 +0100
-@@ -84,6 +84,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
- 
- ifdef(`distro_suse',`
- /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/start_apache2 -- gen_context(system_u:object_r:httpd_exec_t,s0)
- ')
- 
- /usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --git a/suse_modifications_cron.patch b/suse_modifications_cron.patch
deleted file mode 100644
index f519d8c..0000000
--- a/suse_modifications_cron.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-Index: refpolicy/policy/modules/services/cron.fc
-===================================================================
---- refpolicy.orig/policy/modules/services/cron.fc 2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/cron.fc 2019-07-11 14:31:20.905629406 +0200
-@@ -69,7 +69,9 @@ ifdef(`distro_gentoo',`
- ')
- 
- ifdef(`distro_suse',`
--/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
-+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]* -- <>
--/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/cron/tabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-+/var/spool/cron/tabs/[^/]* -- gen_context(system_u:object_r:user_cron_spool_t,s0)
- ')
-Index: refpolicy/policy/modules/services/cron.te
-===================================================================
---- refpolicy.orig/policy/modules/services/cron.te 2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/cron.te 2019-07-11 14:31:20.909629472 +0200
-@@ -788,3 +788,9 @@ tunable_policy(`cron_userdomain_transiti
- optional_policy(`
- unconfined_domain(unconfined_cronjob_t)
- ')
-+
-+ifdef(`distro_suse',`
-+ files_read_default_symlinks(crontab_t)
-+ userdom_manage_user_home_dirs(crontab_t)
-+ xserver_non_drawing_client(crontab_t)
-+')
-Index: refpolicy/policy/modules/services/cron.if
-===================================================================
---- refpolicy.orig/policy/modules/services/cron.if 2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/cron.if 2019-07-11 14:31:20.909629472 +0200
-@@ -139,7 +139,7 @@ interface(`cron_role',`
- #
- interface(`cron_unconfined_role',`
- gen_require(`
-- type unconfined_cronjob_t, crontab_t, crontab_exec_t;
-+ type unconfined_cronjob_t, admin_crontab_t, crontab_t, crontab_exec_t;
- type crond_t, user_cron_spool_t;
- bool cron_userdomain_transition;
- ')
-@@ -149,14 +149,14 @@ interface(`cron_unconfined_role',`
- # Declarations
- #
- 
-- role $1 types { unconfined_cronjob_t crontab_t };
-+ role $1 types { unconfined_cronjob_t admin_crontab_t crontab_t };
- 
- ##############################
- #
- # Local policy
- #
- 
-- domtrans_pattern($2, crontab_exec_t, crontab_t)
-+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
- 
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
diff --git a/suse_modifications_getty.patch b/suse_modifications_getty.patch
deleted file mode 100644
index 8179c24..0000000
--- a/suse_modifications_getty.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: refpolicy/policy/modules/system/getty.te
-===================================================================
---- refpolicy.orig/policy/modules/system/getty.te 2017-08-07 00:45:21.000000000 +0200
-+++ refpolicy/policy/modules/system/getty.te 2018-11-27 14:50:03.798977971 +0100
-@@ -91,6 +91,10 @@ logging_send_syslog_msg(getty_t)
- 
- miscfiles_read_localization(getty_t)
- 
-+allow getty_t var_run_t:sock_file write;
-+plymouthd_exec_plymouth(getty_t)
-+kernel_stream_connect(getty_t)
-+
- ifdef(`distro_gentoo',`
- # Gentoo default /etc/issue makes agetty
- # do a DNS lookup for the hostname
diff --git a/suse_modifications_logging.patch b/suse_modifications_logging.patch
deleted file mode 100644
index 03840c8..0000000
--- a/suse_modifications_logging.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Index: refpolicy/policy/modules/system/logging.te
-===================================================================
---- refpolicy.orig/policy/modules/system/logging.te 2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/system/logging.te 2019-07-11 14:31:20.937629934 +0200
-@@ -555,6 +555,9 @@ ifdef(`init_systemd',`
- udev_read_pid_files(syslogd_t)
- ')
- 
-+allow syslogd_t var_run_t:file { read getattr open };
-+allow syslogd_t var_run_t:sock_file write;
-+
- ifdef(`distro_gentoo',`
- # default gentoo syslog-ng config appends kernel
- # and high priority messages to /dev/tty12
diff --git a/suse_modifications_ntp.patch b/suse_modifications_ntp.patch
deleted file mode 100644
index 1ee7af5..0000000
--- a/suse_modifications_ntp.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Index: refpolicy/policy/modules/services/ntp.fc
-===================================================================
---- refpolicy.orig/policy/modules/services/ntp.fc 2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/ntp.fc 2019-07-11 14:31:20.957630264 +0200
-@@ -39,3 +39,13 @@
- /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
- /var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
- /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-+
-+# SUSE chroot
-+/var/lib/ntp/etc/ntpd?.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-+/var/lib/ntp/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
-+/var/lib/ntp/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
-+/var/lib/ntp/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-+/var/lib/ntp/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/var/run/ntp(/.*)? gen_context(system_u:object_r:ntpd_var_run_t,s0)
diff --git a/suse_modifications_usermanage.patch b/suse_modifications_usermanage.patch
deleted file mode 100644
index 13ec915..0000000
--- a/suse_modifications_usermanage.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Index: refpolicy/policy/modules/admin/usermanage.te
-===================================================================
---- refpolicy.orig/policy/modules/admin/usermanage.te 2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/admin/usermanage.te 2019-07-11 14:31:20.965630396 +0200
-@@ -251,6 +251,9 @@ userdom_use_unpriv_users_fds(groupadd_t)
- # for when /root is the cwd
- userdom_dontaudit_search_user_home_dirs(groupadd_t)
- 
-+allow groupadd_t self:netlink_selinux_socket { create bind };
-+allow groupadd_t var_run_t:sock_file write;
-+
- optional_policy(`
- apt_use_fds(groupadd_t)
- ')
-@@ -571,6 +574,9 @@ optional_policy(`
- puppet_rw_tmp(useradd_t)
- ')
- 
-+allow useradd_t var_run_t:sock_file write;
-+selinux_compute_access_vector(useradd_t)
-+
- optional_policy(`
- tunable_policy(`samba_domain_controller',`
- samba_append_log(useradd_t)
diff --git a/suse_modifications_virt.patch b/suse_modifications_virt.patch
deleted file mode 100644
index 57dffb5..0000000
--- a/suse_modifications_virt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: refpolicy/policy/modules/services/virt.te
-===================================================================
---- refpolicy.orig/policy/modules/services/virt.te 2018-07-01 17:02:32.000000000 +0200
-+++ refpolicy/policy/modules/services/virt.te 2018-11-27 15:03:42.792334942 +0100
-@@ -1235,6 +1235,8 @@ optional_policy(`
- rpm_read_db(svirt_lxc_net_t)
- ')
- 
-+allow svirt_t qemu_exec_t:file execmod;
-+
- #######################################
- #
- # Prot exec local policy
diff --git a/suse_modifications_xserver.patch b/suse_modifications_xserver.patch
deleted file mode 100644
index d97b3bd..0000000
--- a/suse_modifications_xserver.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Index: refpolicy/policy/modules/services/xserver.fc
-===================================================================
---- refpolicy.orig/policy/modules/services/xserver.fc 2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/xserver.fc 2019-07-11 14:31:20.989630792 +0200
-@@ -77,6 +77,9 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
- /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
- /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
- 
-+#/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/X11/display-manager -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+
- /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
- /usr/lib/xorg/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/lib/xorg/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)
-Index: refpolicy/policy/modules/services/xserver.te
-===================================================================
---- refpolicy.orig/policy/modules/services/xserver.te 2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/xserver.te 2019-07-11 14:31:20.989630792 +0200
-@@ -912,6 +912,17 @@ corenet_tcp_bind_vnc_port(xserver_t)
- 
- init_use_fds(xserver_t)
- 
-+ifndef(`distro_suse',`
-+ # this is a neverallow, maybe dontaudit it
-+ #allow xdm_t proc_kcore_t:file getattr;
-+ allow xdm_t var_run_t:lnk_file create;
-+ allow xdm_t var_lib_t:lnk_file read;
-+
-+ dev_getattr_all_blk_files( xdm_t )
-+ dev_getattr_all_chr_files( xdm_t )
-+ logging_r_xconsole(xdm_t)
-+')
-+
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(xserver_t)
- fs_manage_nfs_files(xserver_t)
diff --git a/sysconfig_network_scripts.patch b/sysconfig_network_scripts.patch
deleted file mode 100644
index 4a48015..0000000
--- a/sysconfig_network_scripts.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-Index: refpolicy/policy/modules/system/sysnetwork.fc
-===================================================================
---- refpolicy.orig/policy/modules/system/sysnetwork.fc 2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/system/sysnetwork.fc 2019-07-11 14:31:20.997630924 +0200
-@@ -6,6 +6,15 @@ ifdef(`distro_debian',`
- /dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- ')
- 
-+# SUSE
-+# sysconfig network files are stored in /dev/.sysconfig
-+/dev/.sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+# label netconfig files in /var/adm and /var/lib and /var/run
-+/var/adm/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+/var/lib/ntp/var(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+
-+
- #
- # /etc
- #
-@@ -34,6 +43,10 @@ ifdef(`distro_redhat',`
- /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- ')
- 
-+/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/sysconfig/network/scripts/.* gen_context(system_u:object_r:bin_t,s0)
-+/etc/sysconfig/scripts/.* gen_context(system_u:object_r:bin_t,s0)
-+
- #
- # /usr
- #
-Index: refpolicy/policy/modules/system/sysnetwork.te
-===================================================================
---- refpolicy.orig/policy/modules/system/sysnetwork.te 2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/system/sysnetwork.te 2019-07-11 14:31:21.001630990 +0200
-@@ -47,7 +47,8 @@ ifdef(`distro_debian',`
- #
- # DHCP client local policy
- #
--allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
-+# need sys_admin to set hostname/domainname
-+allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config sys_admin };
- dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
- # for access("/etc/bashrc", X_OK) on Red Hat
- dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-@@ -80,6 +81,12 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
- sysnet_manage_config(dhcpc_t)
- files_etc_filetrans(dhcpc_t, net_conf_t, file)
- 
-+# allow relabel of /dev/.sysconfig
-+dev_associate(net_conf_t)
-+
-+# allow mv /etc/resolv.conf.netconfig
-+allow dhcpc_t etc_runtime_t:file unlink;
-+
- # create temp files
- manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
- manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
-Index: refpolicy/policy/modules/kernel/devices.fc
-===================================================================
---- refpolicy.orig/policy/modules/kernel/devices.fc 2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/kernel/devices.fc 2019-07-11 14:31:21.001630990 +0200
-@@ -2,6 +2,7 @@
- /dev -d gen_context(system_u:object_r:device_t,s0)
- /dev/.* gen_context(system_u:object_r:device_t,s0)
- 
-+/dev/.sysconfig(/.*)? -d gen_context(system_u:object_r:net_conf_t,s0)
- /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
- /dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
diff --git a/targeted_temp_fixes.fc b/targeted_temp_fixes.fc
new file mode 100644
index 0000000..473a0f4
diff --git a/targeted_temp_fixes.if b/targeted_temp_fixes.if
new file mode 100644
index 0000000..5846dc1
--- /dev/null
+++ b/targeted_temp_fixes.if
@@ -0,0 +1 @@
+##
diff --git a/targeted_temp_fixes.te b/targeted_temp_fixes.te
new file mode 100644
index 0000000..61b1d82
--- /dev/null
+++ b/targeted_temp_fixes.te
@@ -0,0 +1,54 @@
+policy_module(targeted_temp_fixes, 1.0)
+
+require {
+ type iptables_t;
+ type nscd_t;
+ type lib_t;
+ type bin_t;
+ type init_t;
+ type irqbalance_t;
+ type iptables_var_lib_t;
+ type postfix_master_t;
+ type firewalld_t;
+ type postfix_map_exec_t;
+ type xdm_t;
+ type groupadd_t;
+ type useradd_t;
+ class netlink_selinux_socket { bind create };
+ class dir { add_name mounton write };
+ class file { create execute execute_no_trans getattr ioctl lock open read };
+}
+
+#============= firewalld_t ==============
+allow firewalld_t iptables_var_lib_t:dir { add_name write };
+allow firewalld_t iptables_var_lib_t:file { create lock open read };
+
+#============= init_t ==============
+allow init_t bin_t:dir mounton;
+allow init_t lib_t:dir mounton;
+allow init_t postfix_map_exec_t:file { execute execute_no_trans getattr ioctl open read };
+files_rw_var_files(init_t)
+fwupd_manage_cache_dirs(init_t)
+ntp_read_drift_files(init_t)
+
+#============= iptables_t ==============
+kernel_rw_pipes(iptables_t)
+
+#============= irqbalance_t ==============
+init_nnp_daemon_domain(irqbalance_t)
+
+#============= nscd_t ==============
+files_exec_generic_pid_files(nscd_t)
+
+#============= postfix_master_t ==============
+files_read_var_lib_files(postfix_master_t)
+files_read_var_lib_symlinks(postfix_master_t)
+
+#============= xdm_t ==============
+# KDE write to home directories
+userdom_manage_user_home_content_files(xdm_t)
+
+#============= groupadd_t ============== allow groupadd_t self:netlink_selinux_socket { bind create };
+allow useradd_t self:netlink_selinux_socket { bind create };
+selinux_compute_access_vector(groupadd_t)
+selinux_compute_access_vector(useradd_t)
diff --git a/users-minimum b/users-minimum
index 64949bc..e49103c 100644
--- a/users-minimum
+++ b/users-minimum
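Review bot: The groupadd_t rule at the end of the hunk is commented out: `allow groupadd_t self:netlink_selinux_socket { bind create };` sits on the same line as the `#============= groupadd_t ==============` banner, and the hunk header's 54-line count appears to match that single-line reading, so only useradd_t actually receives the netlink_selinux_socket permissions while `selinux_compute_access_vector(groupadd_t)` is still granted. Move the rule onto its own line directly below the banner. Separately, several entries are much broader than a "temp fix" banner suggests — `files_exec_generic_pid_files(nscd_t)`, `userdom_manage_user_home_content_files(xdm_t)`, and init_t mounting over bin_t and lib_t directories — and each should carry a comment quoting the AVC denial that motivated it (as the xdm_t entry partly does) so the rule can be narrowed or retired later rather than becoming permanent.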
@@ -27,3 +27,12 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/users-mls b/users-mls
index 876a8cb..4de9d57 100644
--- a/users-mls
+++ b/users-mls
@@ -27,3 +27,12 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/users-targeted b/users-targeted
index 64949bc..e49103c 100644
--- a/users-targeted
+++ b/users-targeted
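Review bot: The new `gen_user(root, …)` declaration puts `system_r` in root's role set unconditionally; in upstream refpolicy's users file, as I recall, system_r is added to the root identity only under the direct_sysadm_daemon build option, since it lets an interactive root session hold the role system daemons run in. If that is intended here, say so next to the line, e.g. `# system_r is included so root can run system daemons directly (direct_sysadm_daemon)`. Note also that this declaration takes effect only if seusers maps the Linux root account to the `root` SELinux user rather than unconfined_u or staff_u, so that mapping should be reviewed together with this change. The same block is added to users-mls (the hunk just below) and users-targeted.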
@@ -27,3 +27,12 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)