diff --git a/booleans-strict.conf b/booleans-strict.conf
deleted file mode 100644
index 041473b..0000000
--- a/booleans-strict.conf
+++ /dev/null
@@ -1,228 +0,0 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-#
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-#
-allow_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-#
-allow_execstack = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-#
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-#
-allow_gssd_read_tmp = false
-
-# Allow Apache to modify public filesused for public file transfer services.
-#
-allow_httpd_anon_write = false
-
-# Allow system to run with kerberos
-#
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-#
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-#
-allow_saslauthd_read_shadow = false
-
-# Allow samba to modify public filesused for public file transfer services.
-#
-allow_smbd_anon_write = false
-
-# Allow sysadm to ptrace all processes
-#
-allow_ptrace = false
-
-# Allow system to run with NIS
-#
-allow_ypbind = false
-
-# Enable extra rules in the cron domainto support fcron.
-#
-fcron_crond = false
-
-# Allow ftp to read and write files in the user home directories
-#
-ftp_home_dir = false
-
-# Allow ftpd to run directly without inetd
-#
-ftpd_is_daemon = true
-
-# Allow httpd to use built in scripting (usually php)
-#
-httpd_builtin_scripting = false
-
-# Allow http daemon to tcp connect
-#
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-#
-httpd_enable_cgi = false
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-#
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-#
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-#
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-#
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-#
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-#
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-#
-nfs_export_all_rw = false
-
-# Allow nfs to be exported read only
-#
-nfs_export_all_ro = false
-
-# Allow pppd to load kernel modules for certain modems
-#
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-#
-read_default_t = false
-
-# Allow ssh to run from inetd instead of as a daemon.
-#
-run_ssh_inetd = false
-
-# Allow samba to export user home directories.
-#
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-#
-squid_connect_any = false
-
-# Allow ssh logins as sysadm_r:sysadm_t
-#
-ssh_sysadm_login = false
-
-# Configure stunnel to be a standalone daemon orinetd service.
-#
-stunnel_is_daemon = false
-
-# Support NFS home directories
-#
-use_nfs_home_dirs = false
-
-# Support SAMBA home directories
-#
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-#
-user_ping = false
-
-# Allow gpg executable stack
-#
-allow_gpg_execstack = false
-
-# allow host key based authentication
-#
-allow_ssh_keysign = false
-
-# Allow users to connect to mysql
-#
-allow_user_mysql_connect = false
-
-# Allow system cron jobs to relabel filesystemfor restoring file contexts.
-#
-cron_can_relabel = false
-
-# Allow pppd to be run for a regular user
-#
-pppd_for_user = false
-
-# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
-#
-read_untrusted_content = true
-
-# Allow user spamassassin clients to use the network.
-#
-spamassassin_can_network = false
-
-# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
-#
-staff_read_sysadm_file = false
-
-# Allow regular users direct mouse access
-#
-user_direct_mouse = false
-
-# Allow users to read system messages.
-#
-user_dmesg = false
-
-# Allow users to control network interfaces(also needs USERCTL=true)
-#
-user_net_control = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-#
-user_rw_noexattrfile = false
-
-# Allow users to rw usb devices
-#
-user_rw_usb = false
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
-#
-user_tcp_server = false
-
-# Allow w to display everyone
-#
-user_ttyfile_stat = false
-
-# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
-#
-write_untrusted_content = true
-
-spamd_enable_home_dirs = false
-
-# Allow login domains to polyinstatiate directories
-#
-allow_polyinstantiation = false
-
-# Allow sysadm to ptrace all processes
-#
-allow_ptrace = false
-
-## Control users use of ping and traceroute
-user_ping = true
-
-# Allow unlabeled packets to flow
-#
-allow_unlabeled_packets = true
-
-# Allow samba to act as the domain controller
-#
-samba_domain_controller = false
diff --git a/modules-strict.conf b/modules-strict.conf
deleted file mode 100644
index 071f6fb..0000000
--- a/modules-strict.conf
+++ /dev/null
@@ -1,1408 +0,0 @@
-#
-# This file contains a listing of available modules.
-# To prevent a module from being used in policy
-# creation, set the module name to "off".
-#
-# For monolithic policies, modules set to "base" and "module"
-# will be built into the policy.
-#
-# For modular policies, modules set to "base" will be
-# included in the base module. "module" will be compiled
-# as individual loadable modules.
-#
-
-# Layer: kernel
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-#
-terminal = base
-
-# Layer: kernel
-# Module: mcs
-# Required in base
-#
-# Multicategory security policy
-#
-mcs = base
-
-# Layer: kernel
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-#
-files = base
-
-# Layer: kernel
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,
-# and unlabeled processes and objects.
-#
-kernel = base
-
-# Layer: kernel
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-#
-filesystem = base
-
-# Layer: kernel
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-#
-devices = base
-
-# Layer: kernel
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-#
-domain = base
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-#
-corecommands = base
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-#
-corenetwork = base
-
-# Layer: kernel
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-#
-mls = base
-
-# Layer: kernel
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-#
-selinux = base
-
-# Layer: admin
-# Module: prelink
-#
-# Prelink ELF shared library mappings.
-#
-prelink = module
-
-# Layer: admin
-# Module: acct
-#
-# Berkeley process accounting
-#
-acct = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-#
-usermanage = module
-
-# Layer: admin
-# Module: rpm
-#
-# Policy for the RPM package manager.
-#
-rpm = module
-
-# Layer: admin
-# Module: readahead
-#
-# Readahead, read files into page cache for improved performance
-#
-readahead = module
-
-# Layer: admin
-# Module: kudzu
-#
-# Hardware detection and configuration tools
-#
-kudzu = module
-
-# Layer: admin
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-#
-bootloader = base
-
-# Layer: admin
-# Module: updfstab
-#
-# Red Hat utility to change /etc/fstab.
-#
-updfstab = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-#
-netutils = base
-
-# Layer: admin
-# Module: alsa
-#
-# Ainit ALSA configuration tool
-#
-alsa = module
-
-# Layer: admin
-# Module: vpn
-#
-# Virtual Private Networking client
-#
-vpn = module
-
-# Layer: admin
-# Module: portage
-#
-# Portage Package Management System. The primary package management and
-# distribution system for Gentoo.
-#
-portage = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-#
-su = module
-
-# Layer: admin
-# Module: apt
-#
-# APT advanced package toll.
-#
-apt = off
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-#
-dmesg = module
-
-# Layer: admin
-# Module: anaconda
-#
-# Policy for the Anaconda installer.
-#
-anaconda = module
-
-# Layer: admin
-# Module: dpkg
-#
-# Policy for the Debian package manager.
-#
-dpkg = off
-
-# Layer: admin
-# Module: amanda
-#
-# Automated backup program.
-#
-amanda = module
-
-# Layer: admin
-# Module: logrotate
-#
-# Rotate and archive system logs
-#
-logrotate = module
-
-# Layer: admin
-# Module: ddcprobe
-#
-# ddcprobe retrieves monitor and graphics card information
-#
-ddcprobe = module
-
-# Layer: admin
-# Module: quota
-#
-# File system quota management
-#
-quota = module
-
-# Layer: admin
-# Module: consoletype
-#
-# Determine of the console connected to the controlling terminal.
-#
-consoletype = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-#
-sudo = module
-
-# Layer: admin
-# Module: vbetool
-#
-# run real-mode video BIOS code to alter hardware state
-#
-vbetool = module
-
-# Layer: admin
-# Module: usbmodules
-#
-# List kernel modules of USB devices
-#
-usbmodules = module
-
-# Layer: admin
-# Module: firstboot
-#
-# Final system configuration run during the first boot
-# after installation of Red Hat/Fedora systems.
-#
-firstboot = module
-
-# Layer: admin
-# Module: certwatch
-#
-# Digital Certificate Tracking
-#
-certwatch = module
-
-# Layer: admin
-# Module: tmpreaper
-#
-# Manage temporary directory sizes and file ages
-#
-tmpreaper = module
-
-# Layer: admin
-# Module: mrtg
-#
-# Network traffic graphing
-#
-mrtg = module
-
-# Layer: admin
-# Module: dmidecode
-#
-# Decode DMI data for x86/ia64 bioses.
-#
-dmidecode = module
-
-# Layer: admin
-# Module: logwatch
-#
-# System log analyzer and reporter
-#
-logwatch = module
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-#
-storage = base
-
-# Layer: apps
-# Module: evolution
-#
-# Evolution email client
-#
-evolution = module
-
-# Layer: apps
-# Module: mozilla
-#
-# Policy for Mozilla and related web browsers
-#
-mozilla = module
-
-# Layer: apps
-# Module: irc
-#
-# IRC client policy
-#
-irc = module
-
-# Layer: apps
-# Module: lockdev
-#
-# device locking policy for lockdev
-#
-lockdev = module
-
-# Layer: apps
-# Module: usernetctl
-#
-# User network interface configuration helper
-#
-usernetctl = module
-
-# Layer: apps
-# Module: gpg
-#
-# Policy for GNU Privacy Guard and related programs.
-#
-gpg = module
-
-# Layer: apps
-# Module: thunderbird
-#
-# Thunderbird email client
-#
-thunderbird = module
-
-# Layer: apps
-# Module: wine
-#
-# Wine Is Not an Emulator. Run Windows programs in Linux.
-#
-wine = module
-
-# Layer: apps
-# Module: loadkeys
-#
-# Load keyboard mappings.
-#
-loadkeys = module
-
-# Layer: apps
-# Module: screen
-#
-# GNU terminal multiplexer
-#
-screen = module
-
-# Layer: apps
-# Module: calamaris
-#
-# Squid log analysis
-#
-calamaris = module
-
-# Layer: apps
-# Module: tvtime
-#
-# tvtime - a high quality television application
-#
-tvtime = module
-
-# Layer: apps
-# Module: java
-#
-# Java virtual machine
-#
-java = module
-
-# Layer: apps
-# Module: uml
-#
-# Policy for UML
-#
-uml = module
-
-# Layer: apps
-# Module: cdrecord
-#
-# Policy for cdrecord
-#
-cdrecord = module
-
-# Layer: apps
-# Module: mplayer
-#
-# Mplayer media player and encoder
-#
-mplayer = module
-
-# Layer: apps
-# Module: webalizer
-#
-# Web server log analysis
-#
-webalizer = module
-
-# Layer: apps
-# Module: ethereal
-#
-# Ethereal packet capture tool.
-#
-ethereal = module
-
-# Layer: apps
-# Module: userhelper
-#
-# A helper interface to pam.
-#
-userhelper = module
-
-# Layer: apps
-# Module: games
-#
-# Games
-#
-games = module
-
-# Layer: apps
-# Module: mono
-#
-# Run .NET server and client applications on Linux.
-#
-mono = module
-
-# Layer: apps
-# Module: slocate
-#
-# Update database for mlocate
-#
-slocate = module
-
-# Layer: system
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-#
-application = base
-
-# Layer: system
-# Module: xen
-#
-# Xen hypervisor
-#
-xen = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-#
-fstools = base
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-#
-logging = base
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-#
-hostname = module
-
-# Layer: system
-# Module: daemontools
-#
-# Collection of tools for managing UNIX services
-#
-daemontools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-#
-getty = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-#
-lvm = base
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-#
-sysnetwork = base
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-#
-init = base
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-#
-selinuxutil = base
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-#
-udev = base
-
-# Layer: system
-# Module: pcmcia
-#
-# PCMCIA card management services
-#
-pcmcia = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-#
-authlogin = base
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-#
-libraries = base
-
-# Layer: system
-# Module: raid
-#
-# RAID array management tools
-#
-raid = module
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-#
-userdomain = base
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-#
-modutils = base
-
-# Layer: system
-# Module: hotplug
-#
-# Policy for hotplug system, for supporting the
-# connection and disconnection of devices at runtime.
-#
-hotplug = base
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-#
-clock = base
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-#
-locallogin = base
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-#
-iptables = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-#
-mount = base
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-#
-unconfined = module
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-#
-miscfiles = base
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-#
-ipsec = module
-
-# Layer: services
-# Module: nis
-#
-# Policy for NIS (YP) servers and clients
-#
-nis = module
-
-# Layer: services
-# Module: distcc
-#
-# Distributed compiler daemon
-#
-distcc = module
-
-# Layer: services
-# Module: tor
-#
-# TOR, the onion router
-#
-tor = module
-
-# Layer: services
-# Module: rshd
-#
-# Remote shell service.
-#
-rshd = module
-
-# Layer: services
-# Module: cpucontrol
-#
-# Services for loading CPU microcode and CPU frequency scaling.
-#
-cpucontrol = module
-
-# Layer: services
-# Module: bind
-#
-# Berkeley internet name domain DNS server.
-#
-bind = module
-
-# Layer: services
-# Module: cipe
-#
-# Encrypted tunnel daemon
-#
-cipe = module
-
-# Layer: services
-# Module: canna
-#
-# Canna - kana-kanji conversion server
-#
-canna = module
-
-# Layer: services
-# Module: i18n_input
-#
-# IIIMF htt server
-#
-i18n_input = module
-
-# Layer: services
-# Module: uucp
-#
-# Unix to Unix Copy
-#
-uucp = module
-
-# Layer: services
-# Module: sasl
-#
-# SASL authentication server
-#
-sasl = module
-
-# Layer: services
-# Module: pegasus
-#
-# The Open Group Pegasus CIM/WBEM Server.
-#
-pegasus = module
-
-# Layer: services
-# Module: cron
-#
-# Periodic execution of scheduled commands.
-#
-cron = module
-
-# Layer: services
-# Module: sendmail
-#
-# Policy for sendmail.
-#
-sendmail = module
-
-# Layer: services
-# Module: samba
-#
-# SMB and CIFS client/server programs for UNIX and
-# name Service Switch daemon for resolving names
-# from Windows NT servers.
-#
-samba = module
-
-# Layer: services
-# Module: dbus
-#
-# Desktop messaging bus
-#
-dbus = module
-
-# Layer: services
-# Module: howl
-#
-# Port of Apple Rendezvous multicast DNS
-#
-howl = module
-
-# Layer: services
-# Module: timidity
-#
-# MIDI to WAV converter and player configured as a service
-#
-timidity = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-#
-postgresql = module
-
-# Layer: services
-# Module: openct
-#
-# Service for handling smart card readers.
-#
-openct = module
-
-# Layer: services
-# Module: snmp
-#
-# Simple network management protocol services
-#
-snmp = module
-
-# Layer: services
-# Module: publicfile
-#
-# publicfile supplies files to the public through HTTP and FTP
-#
-publicfile = module
-
-# Layer: services
-# Module: roundup
-#
-# Roundup Issue Tracking System policy
-#
-roundup = module
-
-# Layer: services
-# Module: remotelogin
-#
-# Policy for rshd, rlogind, and telnetd.
-#
-remotelogin = module
-
-# Layer: services
-# Module: telnet
-#
-# Telnet daemon
-#
-telnet = module
-
-# Layer: services
-# Module: irqbalance
-#
-# IRQ balancing daemon
-#
-irqbalance = module
-
-# Layer: services
-# Module: mailman
-#
-# Mailman is for managing electronic mail discussion and e-newsletter lists
-#
-mailman = module
-
-# Layer: services
-# Module: dbskk
-#
-# Dictionary server for the SKK Japanese input method system.
-#
-dbskk = module
-
-# Layer: services
-# Module: ldap
-#
-# OpenLDAP directory server
-#
-ldap = module
-
-# Layer: services
-# Module: tftp
-#
-# Trivial file transfer protocol daemon
-#
-tftp = module
-
-# Layer: services
-# Module: portmap
-#
-# RPC port mapping service.
-#
-portmap = module
-
-# Layer: services
-# Module: arpwatch
-#
-# Ethernet activity monitor.
-#
-arpwatch = module
-
-# Layer: services
-# Module: dovecot
-#
-# Dovecot POP and IMAP mail server
-#
-dovecot = module
-
-# Layer: services
-# Module: amavis
-#
-# Daemon that interfaces mail transfer agents and content
-# checkers, such as virus scanners.
-#
-amavis = module
-
-# Layer: services
-# Module: cups
-#
-# Common UNIX printing system
-#
-cups = module
-
-# Layer: services
-# Module: networkmanager
-#
-# Manager for dynamically switching between networks.
-#
-networkmanager = module
-
-# Layer: services
-# Module: inn
-#
-# Internet News NNTP server
-#
-inn = module
-
-# Layer: services
-# Module: sysstat
-#
-# Policy for sysstat. Reports on various system states
-#
-sysstat = module
-
-# Layer: services
-# Module: comsat
-#
-# Comsat, a biff server.
-#
-comsat = module
-
-# Layer: services
-# Module: squid
-#
-# Squid caching http proxy server
-#
-squid = module
-
-# Layer: services
-# Module: zebra
-#
-# Zebra border gateway protocol network routing service
-#
-zebra = module
-
-# Layer: services
-# Module: xfs
-#
-# X Windows Font Server
-#
-xfs = module
-
-# Layer: services
-# Module: ktalk
-#
-# KDE Talk daemon
-#
-ktalk = module
-
-# Layer: services
-# Module: procmail
-#
-# Procmail mail delivery agent
-#
-procmail = module
-
-# Layer: services
-# Module: lpd
-#
-# Line printer daemon
-#
-lpd = module
-
-# Layer: services
-# Module: cyrus
-#
-# Cyrus is an IMAP service intended to be run on sealed servers
-#
-cyrus = module
-
-# Layer: services
-# Module: rdisc
-#
-# Network router discovery daemon
-#
-rdisc = module
-
-# Layer: services
-# Module: nscd
-#
-# Name service cache daemon
-#
-nscd = module
-
-# Layer: services
-# Module: ppp
-#
-# Point to Point Protocol daemon creates links in ppp networks
-#
-ppp = module
-
-# Layer: services
-# Module: smartmon
-#
-# Smart disk monitoring daemon policy
-#
-smartmon = module
-
-# Layer: services
-# Module: ftp
-#
-# File transfer protocol service
-#
-ftp = module
-
-# Layer: services
-# Module: gpm
-#
-# General Purpose Mouse driver
-#
-gpm = module
-
-# Layer: services
-# Module: audioentropy
-#
-# Generate entropy from audio input
-#
-audioentropy = module
-
-# Layer: services
-# Module: mta
-#
-# Policy common to all email tranfer agents.
-#
-mta = base
-
-# Layer: services
-# Module: rhgb
-#
-# Red Hat Graphical Boot
-#
-rhgb = module
-
-# Layer: services
-# Module: postfix
-#
-# Postfix email server
-#
-postfix = module
-
-# Layer: services
-# Module: fetchmail
-#
-# Remote-mail retrieval and forwarding utility
-#
-fetchmail = module
-
-# Layer: services
-# Module: ntp
-#
-# Network time protocol daemon
-#
-ntp = module
-
-# Layer: services
-# Module: bluetooth
-#
-# Bluetooth tools and system services.
-#
-bluetooth = module
-
-# Layer: services
-# Module: hal
-#
-# Hardware abstraction layer
-#
-hal = module
-
-# Layer: services
-# Module: consolekit
-#
-# ConsoleKit is a system daemon for tracking what users are logged
-#
-consolekit = module
-
-# Layer: services
-# Module: avahi
-#
-# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
-#
-avahi = module
-
-# Layer: services
-# Module: rpc
-#
-# Remote Procedure Call Daemon for managment of network based process communication
-#
-rpc = module
-
-# Layer: services
-# Module: xserver
-#
-# X Windows Server
-#
-xserver = module
-
-# Layer: services
-# Module: apache
-#
-# Apache web server
-#
-apache = module
-
-# Layer: services
-# Module: slrnpull
-#
-# Service for downloading news feeds the slrn newsreader.
-#
-slrnpull = module
-
-# Layer: services
-# Module: clamav
-#
-# ClamAV Virus Scanner
-#
-clamav = module
-
-# Layer: services
-# Module: rsync
-#
-# Fast incremental file transfer for synchronization
-#
-rsync = module
-
-# Layer: services
-# Module: rwho
-#
-# who is logged in on local machines
-#
-rwho = module
-
-# Layer: services
-# Module: djbdns
-#
-# small and secure DNS daemon
-#
-djbdns = module
-
-# Layer: services
-# Module: automount
-#
-# Filesystem automounter service.
-#
-automount = module
-
-# Layer: services
-# Module: kerberos
-#
-# MIT Kerberos admin and KDC
-#
-kerberos = module
-
-# Layer: services
-# Module: dhcp
-#
-# Dynamic host configuration protocol (DHCP) server
-#
-dhcp = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-#
-ssh = module
-
-# Layer: services
-# Module: inetd
-#
-# Internet services daemon.
-#
-inetd = module
-
-# Layer: services
-# Module: mysql
-#
-# Policy for MySQL
-#
-mysql = module
-
-# Layer: services
-# Module: dictd
-#
-# Dictionary daemon
-#
-dictd = module
-
-# Layer: services
-# Module: finger
-#
-# Finger user information service.
-#
-finger = module
-
-# Layer: services
-# Module: radius
-#
-# RADIUS authentication and accounting server.
-#
-radius = module
-
-# Layer: services
-# Module: spamassassin
-#
-# Filter used for removing unsolicited email.
-#
-spamassassin = module
-
-# Layer: services
-# Module: radvd
-#
-# IPv6 router advertisement daemon
-#
-radvd = module
-
-# Layer: services
-# Module: apm
-#
-# Advanced power management daemon
-#
-apm = module
-
-
-# Layer: system
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-#
-application = base
-
-# Layer: services
-# Module: tcpd
-#
-# Policy for TCP daemon.
-#
-tcpd = module
-
-# Layer: services
-# Module: stunnel
-#
-# SSL Tunneling Proxy
-#
-stunnel = module
-
-# Layer: services
-# Module: privoxy
-#
-# Privacy enhancing web proxy.
-#
-privoxy = module
-
-# Layer: services
-# Module: cvs
-#
-# Concurrent versions system
-#
-cvs = module
-
-# Layer: services
-# Module: rlogin
-#
-# Remote login daemon
-#
-rlogin = module
-
-# Layer: system
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-#
-setrans = base
-
-# Layer: services
-# Module: openvpn
-#
-# Policy for OPENVPN full-featured SSL VPN solution
-#
-openvpn = base
-
-# Layer: services
-# Module: setroubleshoot
-#
-# Policy for the SELinux troubleshooting utility
-#
-setroubleshoot = base
-
-# Layer: services
-# Module: nagios
-#
-# policy for nagios Host/service/network monitoring program
-#
-nagios = module
-
-# Layer: service
-# Module: pcscd
-#
-# PC/SC Smart Card Daemon
-#
-pcscd = module
-
-# Layer: system
-# Module: tzdata
-#
-# Policy for tzdata-update
-#
-tzdata = base
-
-# Layer: apps
-# Module: gnome
-#
-# gnome session and gconf
-#
-gnome = module
-
-# Layer: services
-# Module: qmail
-#
-# Policy for sendmail.
-#
-qmail = module
-
-# Layer: services
-# Module: fail2ban
-#
-# daiemon that bans IP that makes too many password failures
-#
-fail2ban = module
-
-# Layer: services
-# Module: pyzor
-#
-# Spam Blocker
-#
-pyzor = module
-
-# Layer: services
-# Module: ricci
-#
-# policy for ricci
-#
-ricci = module
-
-# Layer: admin
-# Module: amtu
-#
-# Abstract Machine Test Utility (AMTU)
-#
-amtu = module
-
-# Layer: services
-# Module: zabbix
-#
-# Open-source monitoring solution for your IT infrastructure
-#
-zabbix = module
-
-# Layer: system
-# Module: fusermount
-#
-# File System in Userspace (FUSE) utilities
-#
-fusermount = base
-
-# Layer: services
-# Module: apcupsd
-#
-# daemon for most APC’s UPS for Linux
-#
-apcupsd = module
-
-# Layer: services
-# Module: w3c
-#
-# w3c
-#
-w3c = module
-
-# Layer: service
-# Module: openct
-#
-# Middleware framework for smart card terminals
-#
-openct = module
-
diff --git a/policy-20071130.patch b/policy-20071130.patch
index 331d796..66030ba 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -31398,7 +31398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-22 14:42:13.232490000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-22 15:47:48.878576000 -0400
@@ -29,9 +29,14 @@
')
@@ -33834,7 +33834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ fs_dontaudit_read_nfs_files($1)
+ ')
+
-+ tunable_policy(`use_cifs_home_dirs',`
++ tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_read_cifs_files($1)
+ ')
+')
@@ -33898,7 +33898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -5554,13 +5910,50 @@
+@@ -5554,12 +5910,49 @@
##
##
#
@@ -33910,7 +33910,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
- read_files_pattern($1,userdomain,userdomain)
-- kernel_search_proc($1)
+ allow $1 user_ttynode:chr_file rw_term_perms;
+')
+
@@ -33949,10 +33948,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ ')
+
+ ps_process_pattern($1,userdomain)
-+ kernel_search_proc($1)
+ kernel_search_proc($1)
')
- ########################################
@@ -5674,6 +6067,42 @@
########################################
diff --git a/policy-init.patch b/policy-init.patch
deleted file mode 100644
index c78ab07..0000000
--- a/policy-init.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up serefpolicy-3.3.1/policy/modules/services/rhgb.te.foo serefpolicy-3.3.1/policy/modules/services/rhgb.te
---- serefpolicy-3.3.1/policy/modules/services/rhgb.te.foo 2008-03-11 17:50:18.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rhgb.te 2008-03-11 17:50:18.000000000 -0400
-@@ -92,6 +92,7 @@ term_use_ptmx(rhgb_t)
- term_getattr_pty_fs(rhgb_t)
-
- init_write_initctl(rhgb_t)
-+init_chat(rhgb_t)
-
- libs_use_ld_so(rhgb_t)
- libs_use_shared_libs(rhgb_t)
diff --git a/policy-udev_tbl.patch b/policy-udev_tbl.patch
deleted file mode 100644
index b0f26f3..0000000
--- a/policy-udev_tbl.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- serefpolicy-2.5.9/policy/modules/system/udev.fc.udev_tbl 2007-03-20 09:36:50.000000000 -0400
-+++ serefpolicy-2.5.9/policy/modules/system/udev.fc 2007-03-22 06:36:55.000000000 -0400
-@@ -1,6 +1,6 @@
- # udev
-
--/dev/\.udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
-+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
- /dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
- /dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
-
diff --git a/securetty_types-strict b/securetty_types-strict
deleted file mode 100644
index fe7ce17..0000000
--- a/securetty_types-strict
+++ /dev/null
@@ -1,3 +0,0 @@
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a2c409d..ff08933 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 36%{?dist}
+Release: 38%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -303,6 +303,8 @@ exit 0
%triggerpostun targeted -- selinux-policy-targeted < 3.2.5-9.fc9
+. /etc/selinux/config
+[ "${SELINUXTYPE}" != "targeted" ] && exit 0
setsebool -P use_nfs_home_dirs=1
semanage user -l | grep -s unconfined_u
if [ $? -eq 0 ]; then
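Review bot: The added `. /etc/selinux/config` is unguarded, and a POSIX-mode non-interactive sh aborts when the dot command cannot read its file, so on a host without that file the trigger would fail outright instead of reaching the `exit 0` it otherwise ends with. Guard it so the missing-file case takes the same quiet exit as the non-targeted case, e.g. `[ -r /etc/selinux/config ] || exit 0` on the line before the source. Sourcing the file also executes whatever it contains as root inside the scriptlet, which is presumably the established pattern for this package but deserves a one-line comment such as `# /etc/selinux/config is sourced as shell; it sets SELINUXTYPE`. The scriptlet body continues past the end of the hunk.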
@@ -311,9 +313,9 @@ else
semanage user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
fi
seuser=`semanage login -l | grep __default__ | awk '{ print $2 }'`
-[ $seuser == "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__
+[ "$seuser" != "unconfined_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__
seuser=`semanage login -l | grep root | awk '{ print $2 }'`
-[ $seuser == "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root
+[ "$seuser" == "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root
restorecon -R /root /etc/selinux/targeted 2> /dev/null
semodule -r qmail 2> /dev/null
exit 0
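Review bot: The new `__default__` test now also fires when `grep __default__` found no mapping and `$seuser` is empty, because `"" != "unconfined_u"` holds, and it then runs `semanage login -m` (modify) against a record that presumably does not exist; if that case is intended it likely needs `semanage login -a`, or at least the `2> /dev/null` the other semanage call gets, otherwise the trigger prints an error. On the root line, `==` inside `[ ]` is a bash extension; since the line was touched anyway, `[ "$seuser" = "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root` keeps it portable and matches the `!=` form used two lines above. The unanchored `grep root` on the preceding context line would also match any other login containing `root`; that is pre-existing, but `awk '$1 == "root" { print $2 }'` would pin the lookup. The scriptlet starts and ends outside the hunk.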
@@ -383,6 +385,12 @@ exit 0
%endif
%changelog
+* Tue Apr 22 2008 Dan Walsh 3.3.1-38
+- Bump for release
+
+* Fri Apr 14 2008 Dan Walsh 3.3.1-37
+- Lots of fixes for confined domains on NFS_t homedir
+
* Mon Apr 14 2008 Dan Walsh 3.3.1-36
- dontaudit mrtg reading /proc
- Allow iscsi to signal itself
diff --git a/setrans-strict.conf b/setrans-strict.conf
deleted file mode 100644
index 9b46bbd..0000000
--- a/setrans-strict.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023. Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh
diff --git a/seusers-strict b/seusers-strict
deleted file mode 100644
index 4494f87..0000000
--- a/seusers-strict
+++ /dev/null
@@ -1,3 +0,0 @@
-system_u:system_u:s0-s0:c0.c1023
-root:root:s0-s0:c0.c1023
-__default__:user_u:s0
diff --git a/users_extra-strict b/users_extra-strict
deleted file mode 100644
index 28799f4..0000000
--- a/users_extra-strict
+++ /dev/null
@@ -1,4 +0,0 @@
-user root prefix staff;
-user staff_u prefix staff;
-user user_u prefix user;
-user sysadm_u prefix sysadm;
diff --git a/xm.patch b/xm.patch
deleted file mode 100644
index b55f010..0000000
--- a/xm.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-diff -ru serefpolicy-2.2.35-orig/policy/modules/system/xen.fc serefpolicy-2.2.35/policy/modules/system/xen.fc
---- serefpolicy-2.2.35-orig/policy/modules/system/xen.fc 2006-04-24 20:14:54.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/system/xen.fc 2006-04-25 11:01:03.000000000 -0400
-@@ -14,3 +14,4 @@
- /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
- /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
- /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
-+/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
---- serefpolicy-2.2.35-orig/policy/modules/system/xen.if 2006-04-25 10:27:36.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/system/xen.if 2006-04-25 11:03:07.000000000 -0400
-@@ -83,3 +83,66 @@
- allow $1 xenstored_var_run_t:sock_file { getattr write };
- allow $1 xenstored_t:unix_stream_socket connectto;
- ')
-+
-+########################################
-+##
-+## Connect to xend over an unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xen_connect',`
-+ gen_require(`
-+ type xend_t, xend_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 xend_var_run_t:dir search;
-+ allow $1 xend_var_run_t:sock_file getattr;
-+ allow $1 xend_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+##
-+## Write to xend over an unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xen_writeto',`
-+ gen_require(`
-+ type xend_var_run_t;
-+ ')
-+
-+ allow $1 xend_var_run_t:sock_file write;
-+')
-+
-+
-+########################################
-+##
-+## Execute a domain transition to run xm.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`xm_domtrans',`
-+ gen_requires(`
-+ type xm_t, xm_exec_t;
-+ ')
-+
-+ domain_auto_trans($1,xm_exec_t,xm_t)
-+
-+ allow $1 xm_t:fd use;
-+ allow xm_t $1:fd use;
-+ allow xm_t:$1:fifo_file rw_file_perms;
-+ allow xm_t $1:process sigchld;
-+')
-Only in serefpolicy-2.2.35/policy/modules/system: xen.if~
---- serefpolicy-2.2.35-orig/policy/modules/system/xen.te 2006-04-25 10:27:36.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/system/xen.te 2006-04-25 11:01:03.000000000 -0400
-@@ -224,3 +224,55 @@
- miscfiles_read_localization(xenstored_t)
-
- xen_append_log(xenstored_t)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type xm_t;
-+type xm_exec_t;
-+domain_type(xm_t)
-+init_daemon_domain(xm_t, xm_exec_t)
-+
-+########################################
-+#
-+# xm local policy
-+#
-+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
-+
-+# Some common macros (you might be able to remove some)
-+files_read_etc_files(xm_t)
-+libs_use_ld_so(xm_t)
-+libs_use_shared_libs(xm_t)
-+miscfiles_read_localization(xm_t)
-+# internal communication is often done using fifo and unix sockets.
-+allow xm_t self:fifo_file { read write };
-+allow xm_t self:unix_stream_socket create_stream_socket_perms;
-+
-+
-+# james -- aujdit2allow
-+
-+corecmd_exec_bin(xm_t)
-+corecmd_exec_sbin(xm_t)
-+
-+kernel_read_system_state(xm_t)
-+kernel_read_kernel_sysctls(xm_t)
-+kernel_read_xen_state(xm_t)
-+kernel_write_xen_state(xm_t)
-+term_use_all_terms(xm_t)
-+
-+dev_read_urand(xm_t)
-+
-+xen_append_log(xm_t)
-+xen_connect(xm_t)
-+xen_writeto(xm_t)
-+
-+xen_stream_connect_xenstore(xm_t)
-+allow xm_t self:capability dac_override;
-+
-+
-+# allow xm_t root_t:dir search;
-+# Need to relabel files for xen
-+auth_read_all_files_except_shadow(xm_t)
-+