* MCS error
From: Tracy Reed @ 2015-02-19  1:48 UTC (permalink / raw)
  To: selinux


Hello all,

I am implementing Multi-Category Security for a client to contain various
different instances of their web application which all run on the same box.
This sort of multi-tenant operation seems like a perfect fit for MCS.

I am using the following guide as a basis for getting started:

https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getstarted.html

However, I am actually running CentOS 6. I can't seem to find a CentOS 6
version of this guide.

When I try to add the category to the user I get this error:

[mcstest:/root]# chcat -l -- +user1 user1
libsemanage.validate_handler: MLS range s0-s0:c1 for Unix user user1 exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [user1 -> (user_u, s0-s0:c1)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction

Here's some relevant config info:

[mcstest:/root]# chcat -L 
s0:c1                          user1
s0:c2                          user2
s0:c3                          user3
s0                             SystemLow
s0-s0:c0.c1023                 SystemLow-SystemHigh
s0:c0.c1023                    SystemHigh


[mcstest:/root]# semanage user -l 

Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow                      user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r

I notice that the MCS Range for user_u is only SystemLow. In the documentation
referenced above the output of this command shows user_u as:

user_u                  user           s0                      s0-s0:c0.c1023    system_r sysadm_r user_r

so the MCS range is s0-s0:c0.c1023. This seems to be what is missing in my
setup. But I don't understand how to allow that MCS Range for user_u.

Any pointers are greatly appreciated. Thanks!

-- 
Tracy Reed



* Re: MCS error
From: Stephen Smalley @ 2015-02-19 13:23 UTC (permalink / raw)
  To: Tracy Reed, selinux

On 02/18/2015 08:48 PM, Tracy Reed wrote:
> Hello all,
> 
> I am implementing Multi-Category Security for a client to contain various
> different instances of their web application which all run on the same box.
> This sort of multi-tenant operation seems like a perfect fit for MCS.
> 
> I am using the following guide as a basis for getting started:
> 
> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getstarted.html
> 
> However, I am actually running CentOS 6. I can't seem to find a CentOS 6
> version of this guide.
> 
> When I try to add the category to the user I get this error:
> 
> [mcstest:/root]# chcat -l -- +user1 user1
> libsemanage.validate_handler: MLS range s0-s0:c1 for Unix user user1 exceeds allowed range s0 for SELinux user user_u (No such file or directory).
> libsemanage.validate_handler: seuser mapping [user1 -> (user_u, s0-s0:c1)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> /usr/sbin/semanage: Could not commit semanage transaction
> 
> Here's some relevant config info:
> 
> [mcstest:/root]# chcat -L 
> s0:c1                          user1
> s0:c2                          user2
> s0:c3                          user3
> s0                             SystemLow
> s0-s0:c0.c1023                 SystemLow-SystemHigh
> s0:c0.c1023                    SystemHigh
> 
> 
> [mcstest:/root]# semanage user -l 
> 
> Labeling   MLS/       MLS/                          
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> 
> git_shell_u     user       SystemLow  SystemLow                      git_shell_r
> guest_u         user       SystemLow  SystemLow                      guest_r
> root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
> system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
> unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
> user_u          user       SystemLow  SystemLow                      user_r
> xguest_u        user       SystemLow  SystemLow                      xguest_r
> 
> I notice that the MCS Range for user_u is only SystemLow. In the documentation
> referenced above the output of this command shows user_u as:
> 
> user_u                  user           s0                      s0-s0:c0.c1023    system_r sysadm_r user_r
> 
> so the MCS range is s0-s0:c0.c1023. This seems to be what is missing in my
> setup. But I don't understand how to allow that MCS Range for user_u.
> 
> Any pointers are greatly appreciated. Thanks!

 semanage user -m -r s0-s0:c0.c1023 user_u


* Re: MCS error
From: Dominick Grift @ 2015-02-19 15:40 UTC (permalink / raw)
  To: selinux


The MCS implementation has been changed a bit over the years on the policy side.

Back in the early days MCS was enforced on all processes in Red Hat distros by default.

Nowadays that is no longer the case, and you need to opt in for it by associating the mcs_constrained_type type attribute with the type of the process to constrain.

In RHEL 6 this attribute name does not exist, I suspect. It was renamed to the aforementioned later.

A seinfo -a | grep mcs might reveal the type attribute used for the same in RHEL 6. (I think it's something with trusted or untrusted, don't know for sure.)

On Thu, Feb 19, 2015 at 08:23:16AM -0500, Stephen Smalley wrote:
> On 02/18/2015 08:48 PM, Tracy Reed wrote:
> > Hello all,
> > 
> > I am implementing Multi-Category Security for a client to contain various
> > different instances of their web application which all run on the same box.
> > This sort of multi-tenant operation seems like a perfect fit for MCS.
> > 
> > I am using the following guide as a basis for getting started:
> > 
> > https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getstarted.html
> > 
> > However, I am actually running CentOS 6. I can't seem to find a CentOS 6
> > version of this guide.
> > 
> > When I try to add the category to the user I get this error:
> > 
> > [mcstest:/root]# chcat -l -- +user1 user1
> > libsemanage.validate_handler: MLS range s0-s0:c1 for Unix user user1 exceeds allowed range s0 for SELinux user user_u (No such file or directory).
> > libsemanage.validate_handler: seuser mapping [user1 -> (user_u, s0-s0:c1)] is invalid (No such file or directory).
> > libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> > /usr/sbin/semanage: Could not commit semanage transaction
> > 
> > Here's some relevant config info:
> > 
> > [mcstest:/root]# chcat -L 
> > s0:c1                          user1
> > s0:c2                          user2
> > s0:c3                          user3
> > s0                             SystemLow
> > s0-s0:c0.c1023                 SystemLow-SystemHigh
> > s0:c0.c1023                    SystemHigh
> > 
> > 
> > [mcstest:/root]# semanage user -l 
> > 
> > Labeling   MLS/       MLS/                          
> > SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> > 
> > git_shell_u     user       SystemLow  SystemLow                      git_shell_r
> > guest_u         user       SystemLow  SystemLow                      guest_r
> > root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> > staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> > sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
> > system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
> > unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
> > user_u          user       SystemLow  SystemLow                      user_r
> > xguest_u        user       SystemLow  SystemLow                      xguest_r
> > 
> > I notice that the MCS Range for user_u is only SystemLow. In the documentation
> > referenced above the output of this command shows user_u as:
> > 
> > user_u                  user           s0                      s0-s0:c0.c1023    system_r sysadm_r user_r
> > 
> > so the MCS range is s0-s0:c0.c1023. This seems to be what is missing in my
> > setup. But I don't understand how to allow that MCS Range for user_u.
> > 
> > Any pointers are greatly appreciated. Thanks!
> 
>  semanage user -m -r s0-s0:c0.c1023 user_u
> 
> 
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift



* Re: MCS error
From: Stephen Smalley @ 2015-02-19 16:19 UTC (permalink / raw)
  To: Tracy Reed, selinux

On 02/18/2015 08:48 PM, Tracy Reed wrote:
> Hello all,
> 
> I am implementing Multi-Category Security for a client to contain various
> different instances of their web application which all run on the same box.
> This sort of multi-tenant operation seems like a perfect fit for MCS.
> 
> I am using the following guide as a basis for getting started:
> 
> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getstarted.html
> 
> However, I am actually running CentOS 6. I can't seem to find a CentOS 6
> version of this guide.
> 
> When I try to add the category to the user I get this error:
> 
> [mcstest:/root]# chcat -l -- +user1 user1
> libsemanage.validate_handler: MLS range s0-s0:c1 for Unix user user1 exceeds allowed range s0 for SELinux user user_u (No such file or directory).
> libsemanage.validate_handler: seuser mapping [user1 -> (user_u, s0-s0:c1)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> /usr/sbin/semanage: Could not commit semanage transaction
> 
> Here's some relevant config info:
> 
> [mcstest:/root]# chcat -L 
> s0:c1                          user1
> s0:c2                          user2
> s0:c3                          user3
> s0                             SystemLow
> s0-s0:c0.c1023                 SystemLow-SystemHigh
> s0:c0.c1023                    SystemHigh
> 
> 
> [mcstest:/root]# semanage user -l 
> 
> Labeling   MLS/       MLS/                          
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> 
> git_shell_u     user       SystemLow  SystemLow                      git_shell_r
> guest_u         user       SystemLow  SystemLow                      guest_r
> root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
> system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
> unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
> user_u          user       SystemLow  SystemLow                      user_r
> xguest_u        user       SystemLow  SystemLow                      xguest_r
> 
> I notice that the MCS Range for user_u is only SystemLow. In the documentation
> referenced above the output of this command shows user_u as:
> 
> user_u                  user           s0                      s0-s0:c0.c1023    system_r sysadm_r user_r
> 
> so the MCS range is s0-s0:c0.c1023. This seems to be what is missing in my
> setup. But I don't understand how to allow that MCS Range for user_u.
> 
> Any pointers are greatly appreciated. Thanks!

As Dominick pointed out, Fedora and RHEL migrated away from trying to
use MCS on users to using it for specific use cases, e.g. sandbox,
sVirt (KVM+SELinux), openshift, etc.  So the MCS constraints may not be
applied to anything in that policy except for the domains used for those
specific applications.

The -mls policy might be a better fit if you want to apply it system-wide.


* Re: MCS error
From: Tracy Reed @ 2015-02-19 19:33 UTC (permalink / raw)
  To: selinux


On Thu, Feb 19, 2015 at 07:40:48AM PST, Dominick Grift spake thusly:
> The MCS implementation has been changed a bit over the years on the policy side.

Is there a RHEL 6 version of the link I pasted below with up to date info?
Lack of documentation and frequent changes rendering documentation obsolete
combined with the inherent complexity of something like this are the main
issues holding back SELinux adoption.

> Back in the early days MCS was enforced on all processes in Red Hat distros by default.

Yeah...I actually had it working in a test setup in RHEL 5 but never got it
deployed widely. Now we are trying to redo it with RHEL 6 and running into
issues.

> Nowadays that is no longer the case, and you need to opt in for it by associating the mcs_constrained_type type attribute with the type of the process to constrain.
> 
> In RHEL 6 this attribute name does not exist, I suspect. It was renamed to the aforementioned later.
> 
> A seinfo -a | grep mcs might reveal the type attribute used for the same in RHEL 6. (I think it's something with trusted or untrusted, don't know for sure.)

I don't follow this part... The seinfo output is:

# seinfo -a | grep mcs
mcssetcats
mcswriteall
mcskillall
mcsreadall
mcsnetwrite
mcsuntrustedproc
mcsptraceall

How do these type attributes relate to MCS?

-- 
Tracy Reed



* Re: MCS error
From: Stephen Smalley @ 2015-02-19 19:46 UTC (permalink / raw)
  To: Tracy Reed, selinux

On 02/19/2015 02:33 PM, Tracy Reed wrote:
> On Thu, Feb 19, 2015 at 07:40:48AM PST, Dominick Grift spake thusly:
>> The MCS implementation has been changed a bit over the years on the policy side.
> 
> Is there a RHEL 6 version of the link I pasted below with up to date info?
> Lack of documentation and frequent changes rendering documentation obsolete
> combined with the inherent complexity of something like this are the main
> issues holding back SELinux adoption.
> 
>> Back in the early days MCS was enforced on all processes in Red Hat distros by default.
> 
> Yeah...I actually had it working in a test setup in RHEL 5 but never got it
> deployed widely. Now we are trying to redo it with RHEL 6 and running into
> issues.
> 
>> Nowadays that is no longer the case, and you need to opt in for it by associating the mcs_constrained_type type attribute with the type of the process to constrain.
>>
>> In RHEL 6 this attribute name does not exist, I suspect. It was renamed to the aforementioned later.
>>
>> A seinfo -a | grep mcs might reveal the type attribute used for the same in RHEL 6. (I think it's something with trusted or untrusted, don't know for sure.)
> 
> I don't follow this part... The seinfo output is:
> 
> # seinfo -a | grep mcs
> mcssetcats
> mcswriteall
> mcskillall
> mcsreadall
> mcsnetwrite
> mcsuntrustedproc
> mcsptraceall
> 
> How do these type attributes relate to MCS?

Domains with those attributes can override the corresponding MCS
constraint.  Depending on version, seinfo --constrain will dump the
actual constraints for you.  In any event, I suspect you need to assign
the mcsuntrustedproc attribute to your web application domains if you
want them to be constrained by MCS at all, plus you'd need to run them
with specific category sets.

Or you could use the -mls policy and then only domains marked with
specific mls attributes would be able to override.


* Re: MCS error
From: Tracy Reed @ 2015-02-19 19:58 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux


On Thu, Feb 19, 2015 at 08:19:05AM PST, Stephen Smalley spake thusly:
> As Dominick pointed out, Fedora and RHEL migrated away from trying to
> use MCS on users to using it for specific use cases, e.g. sandbox,
> sVirt (KVM+SELinux), openshift, etc.  So the MCS constraints may not be
> applied to anything in that policy except for the domains used for those
> specific applications.

We intend to use it to sandbox web apps. This sounds like what RHEL is trying
to use it for, right? 

Will it simply not work at all for users in RHEL6 as it used to for RHEL5? That
seemed a very simple way to set it up and would work perfectly for our needs.
If it won't work for users do we now have to assign a specific type/domain to
our app? The app always runs under a specific user so we could actually
associate that user with a domain instead of unconfined, correct?

Here is our current setup, which is all messed up. I'm not sure how we arrived at this:

# semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              SystemLow-SystemHigh     
p16001                    p16001_u                  p16001                   
p16002                    appuser_u                 AppAdmin-p16002          
p16003                    appuser_u                 AppAdmin-p16003          
p16004                    unconfined_u              s0-s0:c0.c1023,c4        
p16005                    unconfined_u              s0-s0:c0.c1023,c4,c5     
p16006                    unconfined_u              s0-s0:c0.c1023,c6        
p16007                    unconfined_u              s0-s0:c0.c1023,c7        
p16008                    unconfined_u              s0-s0:c0.c1023,c8        
p16009                    unconfined_u              s0-s0:c0.c1023,c9        
root                      unconfined_u              SystemLow-SystemHigh     
system_u                  system_u                  SystemLow-SystemHigh 

So the first problem I see is that the login names p16004-16009 are assigned to
unconfined_u so they will never be denied anything except DAC and MCS will not
be enforced, correct?

Is the user p16001 setup correctly in that it has its own assigned SELinux user
and one specific category assigned to it?

Then we need to fix the MLS/MCS ranges for the other users. Currently
unconfined_u has s0-s0:c0.c1023 plus a seemingly redundant ,c4,c5 etc. Just as
a test I am trying to use:

chcat -l -- -c4 p16005

to remove the c4 category from p16005 but that didn't work for some reason. We
need to remove all of the categories except one which should be unique to each
user since each instance of our web app runs under each user p16001 or p16002
etc. respectively.

Currently I have the above setup and can login as p16001 and see files like this:

-bash-4.1$ id
uid=16001(p16001) gid=16001(p16001) groups=16001(p16001) context=p16001_u:user_r:user_t:p16001
-bash-4.1$ 
-bash-4.1$ ls -laZ
drwxr-xr-x. root   root   system_u:object_r:default_t:SystemLow .
drwxrwxr-x. root   root   system_u:object_r:default_t:SystemLow ..
drwxr-xr-x. p16001 p16001 unconfined_u:object_r:default_t:p16001 p16001
drwxr-xr-x. p16002 p16002 unconfined_u:object_r:default_t:p16002 p16002
drwxr-xr-x. p16003 p16003 unconfined_u:object_r:default_t:p16003 p16003
-bash-4.1$ id
uid=16001(p16001) gid=16001(p16001) groups=16001(p16001) context=p16001_u:user_r:user_t:p16001
-bash-4.1$ cd p16002/
-bash-4.1$ ls -laZ
drwxr-xr-x. p16002 p16002 unconfined_u:object_r:default_t:p16002 .
drwxr-xr-x. root   root   system_u:object_r:default_t:SystemLow ..
-rw-r--r--. p16002 p16002 unconfined_u:object_r:default_t:p16002 testfile
-bash-4.1$ cat testfile 
I am 16002

Why can I cat that file? User p16001 has category p16001 and the file I cat'd
is category p16002. Seems like enforcement is not working here. Is this what
Dominick was referring to in that I need to do something else to "opt-in" to
the enforcement?

What are the best resources for learning how to use MCS in RHEL6?

> The -mls policy might be a better fit if you want to apply it system-wide.

Isn't MLS even less used/supported than MCS? From my description of our use
would you say that MCS is the right fit as opposed to MLS? It seems like the
standard targeted policy for most stuff on the box plus MCS to confine/sandbox
our apps would be the way to go.

Thanks!

-- 
Tracy Reed



* Re: MCS error
From: Tracy Reed @ 2015-02-19 20:17 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux


On Thu, Feb 19, 2015 at 11:46:18AM PST, Stephen Smalley spake thusly:
> Domains with those attributes can override the corresponding MCS
> constraint.  Depending on version, seinfo --constrain will dump the
> actual constraints for you.  In any event, I suspect you need to assign
> the mcsuntrustedproc attribute to your web application domains if you
> want them to be constrained by MCS at all, plus you'd need to run them
> with specific category sets.

How do I assign mcsuntrustedproc attribute to my web application domain? I know
how to set booleans, categories, etc. but have not yet encountered needing to
set an attribute for a domain. Google for "set selinux attribute" turns up
stuff about setting user, role, type etc. as attributes but nothing about
setting attributes such as mcsuntrustedproc.

-- 
Tracy Reed



* Re: MCS error
From: Stephen Smalley @ 2015-02-19 20:24 UTC (permalink / raw)
  To: Tracy Reed; +Cc: selinux

On 02/19/2015 02:58 PM, Tracy Reed wrote:
> On Thu, Feb 19, 2015 at 08:19:05AM PST, Stephen Smalley spake thusly:
>> As Dominick pointed out, Fedora and RHEL migrated away from trying to
>> use MCS on users to using it for specific use cases, e.g. sandbox,
>> sVirt (KVM+SELinux), openshift, etc.  So the MCS constraints may not be
>> applied to anything in that policy except for the domains used for those
>> specific applications.
> 
> We intend to use it to sandbox web apps. This sounds like what RHEL is trying
> to use it for, right? 
> 
> Will it simply not work at all for users in RHEL6 as it used to for RHEL5? That
> seemed a very simple way to set it up and would work perfectly for our needs.
> If it won't work for users do we now have to assign a specific type/domain to
> our app? The app always runs under a specific user so we could actually
> associate that user with a domain instead of unconfined, correct?

Yes, in theory that should work.  You just need to make sure that all of
the domains you want to confine via MCS have the appropriate mcs type
attribute(s) associated with them.

> So the first problem I see is that the login names p16004-16009 are assigned to
> unconfined_u so they will never be denied anything except DAC and MCS will not
> be enforced, correct?

Correct.  IIRC, under the original MCS model, even unconfined_t was
subject to its constraints but once they switched over to using it for
sandbox, libvirt, and friends, they limited its application to specific
domains and therefore unconfined_t was no longer affected by it.

> Is the user p16001 setup correctly in that it has its own assigned SELinux user
> and one specific category assigned to it?

It helps but you still have to make sure that the process runs in a
domain that is MCS-constrained.  Which could either be based on a domain
transition for the web app, or based on the user's default role/domain
(semanage user -l).

> Then we need to fix the MLS/MCS ranges for the other users. Currently
> unconfined_u has s0-s0:c0.c1023 plus a seemingly redundant ,c4,c5 etc. Just as
> a test I am trying to use:
> 
> chcat -l -- -c4 p16005
> 
> to remove the c4 category from p16005 but that didn't work for some reason. We
> need to remove all of the categories except one which should be unique to each
> user since each instance of our web app runs under each user p16001 or p16002
> etc. respectively.

I'd just use semanage login -m to modify the mappings.  Or
system-config-selinux if you like GUIs.

> Currently I have the above setup and can login as p16001 and see files like this:
> 
> -bash-4.1$ id
> uid=16001(p16001) gid=16001(p16001) groups=16001(p16001) context=p16001_u:user_r:user_t:p16001
> -bash-4.1$ 
> -bash-4.1$ ls -laZ
> drwxr-xr-x. root   root   system_u:object_r:default_t:SystemLow .
> drwxrwxr-x. root   root   system_u:object_r:default_t:SystemLow ..
> drwxr-xr-x. p16001 p16001 unconfined_u:object_r:default_t:p16001 p16001
> drwxr-xr-x. p16002 p16002 unconfined_u:object_r:default_t:p16002 p16002
> drwxr-xr-x. p16003 p16003 unconfined_u:object_r:default_t:p16003 p16003
> -bash-4.1$ id
> uid=16001(p16001) gid=16001(p16001) groups=16001(p16001) context=p16001_u:user_r:user_t:p16001
> -bash-4.1$ cd p16002/
> -bash-4.1$ ls -laZ
> drwxr-xr-x. p16002 p16002 unconfined_u:object_r:default_t:p16002 .
> drwxr-xr-x. root   root   system_u:object_r:default_t:SystemLow ..
> -rw-r--r--. p16002 p16002 unconfined_u:object_r:default_t:p16002 testfile
> -bash-4.1$ cat testfile 
> I am 16002
> 
> Why can I cat that file? User p16001 has category p16001 and the file I cat'd
> is category p16002. Seems like enforcement is not working here. Is this what
> Dominick was referring to in that I need to do something else to "opt-in" to
> the enforcement?

Because your domain (user_t) doesn't have the attribute that would opt
it into MCS confinement.

> What are the best resources for learning how to use MCS in RHEL6?

I don't know.  Aside from indirectly leveraging it as part of sandbox or
libvirt, I've never used it (aside from early experimentation when it
was first introduced).

>> The -mls policy might be a better fit if you want to apply it system-wide.
> 
> Isn't MLS even less used/supported than MCS? From my description of our use
> would you say that MCS is the right fit as opposed to MLS? It seems like the
> standard targeted policy for most stuff on the box plus MCS to confine/sandbox
> our apps would be the way to go.

Perhaps, if you can get it to work.  The potential advantage of MLS is
that it is applied to all processes by default (domains can be exempted
through type attributes, but few should be) and the MLS constraints have
been tested and evaluated by independent parties.

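The two mechanisms Stephen describes above, as a small Python model: the range check libsemanage applies when a login mapping is committed (the reason the chcat in the first message was rejected), and the opt-in MCS read constraint under which user_t at one category can still read another tenant's file because the domain carries no MCS attribute. This is an added example, not code from the thread or from the selinux-policy project. The attribute names mcsuntrustedproc and mcsreadall are taken from the seinfo output earlier in the thread, but the exact shape of the constraint they gate is an assumption to be checked against seinfo --constrain on the real box, and the raw categories c1 and c2 behind the p16001 and p16002 translations are assumed.

```python
import re

# Attribute names from the seinfo output in this thread. That they gate the
# constraint exactly like this is an assumption about the RHEL 6 policy.
OPT_IN_ATTR = "mcsuntrustedproc"    # opts a domain in to the MCS constraints
READ_OVERRIDE_ATTR = "mcsreadall"   # lets an opted-in domain read any level

_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")
_CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_level(level):
    """'s0', 's0:c1', 's0:c0.c1023,c4' -> (sensitivity, frozenset of categories)."""
    m = _LEVEL_RE.match(level.strip())
    if not m:
        raise ValueError("bad MLS/MCS level %r" % level)
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            cm = _CAT_RE.match(part)
            if not cm:
                raise ValueError("bad category %r in %r" % (part, level))
            lo = int(cm.group(1))
            hi = int(cm.group(2)) if cm.group(2) is not None else lo
            if hi < lo:
                raise ValueError("inverted category range %r" % part)
            cats.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(cats)


def dominates(a, b):
    """a dom b: a's sensitivity is >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_range(rng):
    """'low-high' -> (low, high); a bare level is a range with low == high."""
    low, sep, high = rng.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if sep else lo
    if not dominates(hi, lo):
        raise ValueError("high level does not dominate low level in %r" % rng)
    return lo, hi


def format_level(level):
    """Inverse of parse_level. Runs of three or more categories print as
    cA.cB (the form the kernel prints); shorter runs print one by one."""
    sens, cats = level
    parts, run = [], []
    for c in sorted(cats) + [None]:
        if run and (c is None or c != run[-1] + 1):
            if len(run) >= 3:
                parts.append("c%d.c%d" % (run[0], run[-1]))
            else:
                parts.extend("c%d" % x for x in run)
            run = []
        if c is not None:
            run.append(c)
    return "s%d" % sens + (":" + ",".join(parts) if parts else "")


def canonical_range(rng):
    """Fold redundant categories: 's0-s0:c0.c1023,c4' -> 's0-s0:c0.c1023'."""
    lo, hi = parse_range(rng)
    return format_level(lo) if lo == hi else "%s-%s" % (format_level(lo), format_level(hi))


def login_range_valid(login_range, seuser_range):
    """The check libsemanage applies when committing a login mapping: the
    login's range must lie inside the SELinux user's range."""
    llo, lhi = parse_range(login_range)
    ulo, uhi = parse_range(seuser_range)
    return dominates(llo, ulo) and dominates(uhi, lhi)


def mcs_file_read_allowed(subject_range, subject_attrs, object_level):
    """Model of the opt-in MCS read constraint the replies describe: a domain
    without the opt-in attribute is not checked at all; an opted-in domain may
    read only files whose level its high level dominates, unless it also
    carries the read-override attribute."""
    if OPT_IN_ATTR not in subject_attrs or READ_OVERRIDE_ATTR in subject_attrs:
        return True
    _, high = parse_range(subject_range)
    return dominates(high, parse_level(object_level))


def thread_cases():
    """The situations reported in this thread as the model sees them. The raw
    categories c1/c2 behind the p16001/p16002 translations are assumed."""
    return {
        "chcat_range_fits_user_u": login_range_valid("s0-s0:c1", "s0"),
        "fits_after_semanage_user_m": login_range_valid("s0-s0:c1", "s0-s0:c0.c1023"),
        "p16005_folded": canonical_range("s0-s0:c0.c1023,c4,c5"),
        "user_t_reads_other_tenant": mcs_file_read_allowed("s0:c1", set(), "s0:c2"),
        "opted_in_reads_other_tenant": mcs_file_read_allowed("s0:c1", {OPT_IN_ATTR}, "s0:c2"),
        "opted_in_reads_own_files": mcs_file_read_allowed("s0:c1", {OPT_IN_ATTR}, "s0:c1"),
    }
```

thread_cases() reproduces the thread: the s0-s0:c1 login does not fit inside user_u's range of s0 but does after the range is widened; s0-s0:c0.c1023,c4,c5 folds to s0-s0:c0.c1023, which is why the extra categories on the unconfined_u logins buy nothing; and a user_t process at c1 reads a c2 file until its domain carries the opt-in attribute, after which only its own category is readable.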

* Re: MCS error
From: Stephen Smalley @ 2015-02-19 20:27 UTC (permalink / raw)
  To: Tracy Reed; +Cc: selinux

On 02/19/2015 03:17 PM, Tracy Reed wrote:
> On Thu, Feb 19, 2015 at 11:46:18AM PST, Stephen Smalley spake thusly:
>> Domains with those attributes can override the corresponding MCS
>> constraint.  Depending on version, seinfo --constrain will dump the
>> actual constraints for you.  In any event, I suspect you need to assign
>> the mcsuntrustedproc attribute to your web application domains if you
>> want them to be constrained by MCS at all, plus you'd need to run them
>> with specific category sets.
> 
> How do I assign mcsuntrustedproc attribute to my web application domain? I know
> how to set booleans, categories, etc. but have not yet encountered needing to
> set an attribute for a domain. Google for "set selinux attribute" turns up
> stuff about setting user, role, type etc. as attributes but nothing about
> setting attributes such as mcsuntrustedproc.

You need to create a policy module and install it.

You can either use the refpolicy interface for making it MCS constrained
(look in /usr/share/selinux/devel/include/kernel/mcs.if after installing
selinux-policy-devel), or just directly put a typeattribute statement
into your policy module.


* Re: MCS error
From: Dominick Grift @ 2015-02-19 20:48 UTC (permalink / raw)
  To: selinux


On Thu, Feb 19, 2015 at 11:33:37AM -0800, Tracy Reed wrote:
> On Thu, Feb 19, 2015 at 07:40:48AM PST, Dominick Grift spake thusly:
> > The MCS implementation has been changed a bit over the years on the policy side.
> 
> Is there a RHEL 6 version of the link I pasted below with up to date info?
> Lack of documentation and frequent changes rendering documentation obsolete
> combined with the inherent complexity of something like this are the main
> issues holding back SELinux adoption.
> 
> > Back in the earlier day's MCS was enforced on all proceses in redhat distro's by default
> 
> Yeah...I actually had it working in a test setup in RHEL 5 but never got it
> deployed widely. Now we are trying to redo it with RHEl 6 and running into
> issues.
> 
> > Nowaday's that is no longer the case, and you need to opt-in for it by associating the mcs_constrained_type type attribute with the type of the process to constrain.
> > 
> > In rhel6 this attribute name does not exist i suspect. It was renamed to aforementioned later.
> > 
> > A seinfo -a | grep mcs might reveal the type attribute used for the same in RHEL6. (i think its something with trusted or untrusted, dunno for sure)
> 
> I don't follow this part... The seinfo output is:
> 
> # seinfo -a | grep mcs
> mcssetcats
> mcswriteall
> mcskillall
> mcsreadall
> mcsnetwrite
> mcsuntrustedproc
> mcsptraceall
> 
> How do these type attributes relate to MCS?

The mcstrustedproc type attribute makes a specified domain type mcs constrained.

You can associate the attribute with a domain with the type_attribute statement:

type_attribute type attribute

so something like this (where the type associated with the app to constrain is "bla_t"):

sudo yum install selinux-policy-devel

cat >> mytest.te <<EOF
policy_module(mytest, 1.0,0)
gen_require(` type bla_t; attribute mcsuntrustedproc; ')
type_attribute bla_t mcsuntrustedproc;
EOF

make -f /usr/share/selinux/devel/Makefile mytest.pp

sudo semodule -i mytest.pp

> 
> -- 
> Tracy Reed



> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.


-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift


* Re: MCS error
  2015-02-19 20:17         ` Tracy Reed
  2015-02-19 20:27           ` Stephen Smalley
@ 2015-02-19 21:14           ` Dominick Grift
  1 sibling, 0 replies; 27+ messages in thread
From: Dominick Grift @ 2015-02-19 21:14 UTC (permalink / raw)
  To: selinux


On Thu, Feb 19, 2015 at 12:17:21PM -0800, Tracy Reed wrote:
> On Thu, Feb 19, 2015 at 11:46:18AM PST, Stephen Smalley spake thusly:
> > Domains with those attributes can override the corresponding MCS
> > constraint.  Depending on version, seinfo --constrain will dump the
> > actual constraints for you.  In any event, I suspect you need to assign
> > the mcsuntrustedproc attribute to your web application domains if you
> > want them to be constrained by MCS at all, plus you'd need to run them
> > with specific category sets.
> 
> How do I assign mcsuntrustedproc attribute to my web application domain? I know
> how to set booleans, categories, etc. but have not yet encountered needing to
> set an attribute for a domain. Google for "set selinux attribute" turns up
> stuff about setting user, role, type etc. as attributes but nothing about
> setting attributes such as mcsuntrustedproc.


I actually have it documented extensively in a set of YouTube videos on my "domg4721" channel (like many other SELinux topics).

I encountered it both with mod_selinux, as well as just manually associating compartments with webapps by using runcon in a web script that runs other scripts (not something I would ever do in a production environment, but just a proof of concept).

In my view MCS is generally overkill unless you have many processes to compartmentalize. In theory you can also use existing security attributes like, for example, the identity security attribute; it's there, so you might as well use that. Or if you have just a few processes to compartmentalize, then just use type enforcement.

No need to have a mls policy for that. When things get big though with tens or hundreds of compartmentalized processes then MCS comes in handy.

> 
> -- 
> Tracy Reed





-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift



* Re: MCS error
  2015-02-19 20:48       ` Dominick Grift
@ 2015-02-19 21:26         ` Thomas Hurd
  2015-02-20  0:34         ` Tracy Reed
  1 sibling, 0 replies; 27+ messages in thread
From: Thomas Hurd @ 2015-02-19 21:26 UTC (permalink / raw)
  To: selinux

On 02/19/2015 03:48 PM, Dominick Grift wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Thu, Feb 19, 2015 at 11:33:37AM -0800, Tracy Reed wrote:
>> On Thu, Feb 19, 2015 at 07:40:48AM PST, Dominick Grift spake thusly:
>>> The MCS implementation has been changed a bit over the years on the policy side.
>> Is there a RHEL 6 version of the link I pasted below with up to date info?
>> Lack of documentation and frequent changes rendering documentation obsolete
>> combined with the inherent complexity of something like this are the main
>> issues holding back SELinux adoption.
>>
>>> Back in the earlier day's MCS was enforced on all proceses in redhat distro's by default
>> Yeah...I actually had it working in a test setup in RHEL 5 but never got it
>> deployed widely. Now we are trying to redo it with RHEl 6 and running into
>> issues.
>>
>>> Nowaday's that is no longer the case, and you need to opt-in for it by associating the mcs_constrained_type type attribute with the type of the process to constrain.
>>>
>>> In rhel6 this attribute name does not exist i suspect. It was renamed to aforementioned later.
>>>
>>> A seinfo -a | grep mcs might reveal the type attribute used for the same in RHEL6. (i think its something with trusted or untrusted, dunno for sure)
>> I don't follow this part... The seinfo output is:
>>
>> # seinfo -a | grep mcs
>> mcssetcats
>> mcswriteall
>> mcskillall
>> mcsreadall
>> mcsnetwrite
>> mcsuntrustedproc
>> mcsptraceall
>>
>> How do these type attributes relate to MCS?
> The mcstrustedproc type attribute makes a specified domain type mcs constrained.
>
> You can associate the attribute with a domain with the type_attribute statement:
>
> type_attribute type attribute
The typeattribute statement doesn't have an underscore. typeattribute 
and typealias don't have underscores but type_transition, type_member, 
and type_change do.
>
> so something like this (where the type associated with the app to constrain is "bla_t"
>
> sudo yum install selinux-policy-devel
>
> cat >> mytest.te <<EOF
> policy_module(mytest, 1.0,0)
> gen_require(` type bla_t; attribute mcsuntrustedproc; ')
> type_attribute bla_t mcsuntrustedproc;
> EOF
>
> make -f /usr/share/selinux/devel/Makefile mytest.pp
>
> sudo semodule -i mytest.pp
>
>> -- 
>> Tracy Reed
>
>
>
> - -- 
> 02DFF788
> 4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
> http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
> Dominick Grift


* Re: MCS error
  2015-02-19 20:48       ` Dominick Grift
  2015-02-19 21:26         ` Thomas Hurd
@ 2015-02-20  0:34         ` Tracy Reed
  2015-02-20  2:02           ` Tracy Reed
  2015-02-20 13:38           ` Stephen Smalley
  1 sibling, 2 replies; 27+ messages in thread
From: Tracy Reed @ 2015-02-20  0:34 UTC (permalink / raw)
  To: selinux


On Thu, Feb 19, 2015 at 12:48:41PM PST, Dominick Grift spake thusly:
> cat >> mytest.te <<EOF
> policy_module(mytest, 1.0,0)
> gen_require(` type bla_t; attribute mcsuntrustedproc; ')
> type_attribute bla_t mcsuntrustedproc;
> EOF

Ok, great. So I've got this policy in place for user_t and loaded:

policy_module(mytest, 1.0,0)
gen_require(` type user_t; attribute mcsuntrustedproc; ')
typeattribute user_t mcsuntrustedproc;

So I ssh to the machine and login as p16001 which is a Linux user who also has
an SELinux user and is assigned category p16001:

# semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              SystemLow-SystemHigh     
p16001                    p16001_u                  p16001                   
p16002                    appuser_u                 s0:c1.c499-s0:c2         
p16003                    appuser_u                 s0:c1.c499-s0:c3         
p16004                    unconfined_u              s0-s0:c0.c1023,c4        
p16005                    unconfined_u              s0-s0:c0.c1023,c4,c5     
p16006                    unconfined_u              s0-s0:c0.c1023,c6        
p16007                    unconfined_u              s0-s0:c0.c1023,c7        
p16008                    unconfined_u              s0-s0:c0.c1023,c8        
p16009                    unconfined_u              s0-s0:c0.c1023,c9        
root                      unconfined_u              SystemLow-SystemHigh     
system_u                  system_u                  SystemLow-SystemHigh  

but when I try to test that it is being MCS restricted nothing gets denied:

-bash-4.1$ cd /nodes/p16001/
-bash-4.1$ ls 
testfile
-bash-4.1$ 
-bash-4.1$ id -Z
p16001_u:user_r:user_t:p16001
-bash-4.1$ ls -laZ
drwxr-xr-x. p16001 p16001 user_u:object_r:default_t:p16001 .
drwxr-xr-x. root   root   system_u:object_r:default_t:SystemLow ..
-rw-r--r--. p16001 p16001 user_u:object_r:default_t:p16001 testfile
-bash-4.1$ cat testfile 
I am 16001
-bash-4.1$ cd ../p16002/
-bash-4.1$ ls -laZ
drwxr-xr-x. p16002 p16002 user_u:object_r:default_t:p16002 .
drwxr-xr-x. root   root   system_u:object_r:default_t:SystemLow ..
-rw-r--r--. p16002 p16002 user_u:object_r:default_t:p16002 testfile
-bash-4.1$ cat testfile 
I am 16002

To my understanding, user p16001 with only category p16001 should not be able to
read this file of category p16002.

Also, I would really like to clean up the above MCS range for users p16002
through p16009.

# First let's try to remove c4 from p16004:
[mcstest:/nodes/p16001]# chcat -l -- -c4 p16004 p16004

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              SystemLow-SystemHigh     
p16001                    p16001_u                  p16001                   
p16002                    appuser_u                 s0:c1.c499-s0:c2         
p16003                    appuser_u                 s0:c1.c499-s0:c3         
p16004                    unconfined_u              s0-s0:c0.c1023,c4        
p16005                    unconfined_u              s0-s0:c0.c1023,c4,c5     
p16006                    unconfined_u              s0-s0:c0.c1023,c6        
p16007                    unconfined_u              s0-s0:c0.c1023,c7        
p16008                    unconfined_u              s0-s0:c0.c1023,c8        
p16009                    unconfined_u              s0-s0:c0.c1023,c9        
root                      unconfined_u              SystemLow-SystemHigh     
system_u                  system_u                  SystemLow-SystemHigh     
# That's odd, no change. Let's delete appuser_u since I probably don't need
# that and want each app to run under its own p1600x user:
[mcstest:/nodes/p16001]# semanage user -d appuser_u
[mcstest:/nodes/p16001]# semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              SystemLow-SystemHigh     
p16001                    p16001_u                  p16001                   
p16002                    appuser_u                 s0:c1.c499-s0:c2         
p16003                    appuser_u                 s0:c1.c499-s0:c3         
p16004                    unconfined_u              s0-s0:c0.c1023,c4        
p16005                    unconfined_u              s0-s0:c0.c1023,c4,c5     
p16006                    unconfined_u              s0-s0:c0.c1023,c6        
p16007                    unconfined_u              s0-s0:c0.c1023,c7        
p16008                    unconfined_u              s0-s0:c0.c1023,c8        
p16009                    unconfined_u              s0-s0:c0.c1023,c9        
root                      unconfined_u              SystemLow-SystemHigh     
system_u                  system_u                  SystemLow-SystemHigh     
# Weird. That didn't seem to do anything either. Let's try the removing the category again:
[mcstest:/nodes/p16001]# chcat -l -- -c4 p16004 p16004
libsemanage.validate_handler: selinux user appuser_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [p16002 -> (appuser_u, s0:c1.c499-s0:c2)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
# Oops. Now we've got problems. Let's add it back...
[mcstest:/nodes/p16001]# semanage user -a -R user_r appuser_u
libsemanage.validate_handler: selinux user appuser_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [p16002 -> (appuser_u, s0:c1.c499-s0:c2)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction

It's saying it doesn't exist when it's the user I'm trying to add? I'm confused.

-- 
Tracy Reed



* Re: MCS error
  2015-02-20  0:34         ` Tracy Reed
@ 2015-02-20  2:02           ` Tracy Reed
  2015-02-20  7:33             ` Dominick Grift
  2015-02-20 17:44             ` Stephen Smalley
  2015-02-20 13:38           ` Stephen Smalley
  1 sibling, 2 replies; 27+ messages in thread
From: Tracy Reed @ 2015-02-20  2:02 UTC (permalink / raw)
  To: Tracy Reed; +Cc: selinux


On Thu, Feb 19, 2015 at 04:34:25PM PST, Tracy Reed spake thusly:
> # semanage login -l

Ok, part of my confusion here is that I've been confusing semanage login with
semanage user. It's been a while since I've dealt with SELinux. I understand
that semanage login -l shows what Linux users map to what selinux users:

> Login Name                SELinux User              MLS/MCS Range            
> 
> __default__               unconfined_u              SystemLow-SystemHigh     
> p16001                    p16001_u                  p16001                   
> p16002                    appuser_u                 s0:c1.c499-s0:c2         
> p16003                    appuser_u                 s0:c1.c499-s0:c3         
> p16004                    unconfined_u              s0-s0:c0.c1023,c4        
> p16005                    unconfined_u              s0-s0:c0.c1023,c4,c5     
> p16006                    unconfined_u              s0-s0:c0.c1023,c6        
> p16007                    unconfined_u              s0-s0:c0.c1023,c7        
> p16008                    unconfined_u              s0-s0:c0.c1023,c8        
> p16009                    unconfined_u              s0-s0:c0.c1023,c9        
> root                      unconfined_u              SystemLow-SystemHigh     
> system_u                  system_u                  SystemLow-SystemHigh  

So we are mapping p16002 to appuser_u, but appuser_u doesn't exist at the
moment. But what's with the MLS/MCS range column? Is this saying p16002 has
categories s0:c1.c499-s0:c2, or is it saying appuser_u (selinux user) has
categories s0:c1.c499-s0:c2? Given that the selinux user is the same but the
categories listed are different for Linux login users p16002 and p16003, I would
think it is saying those categories go with those Linux login users.

How/why is it different from the output of semanage user -l ?

# semanage user -l

Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
p16001_u        user       SystemLow  p16001                         user_r
p16002_u        user       SystemLow  p16002                         user_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow-SystemHigh           user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r

Here there are no Linux users involved, only selinux users it seems, which is
fine. But it shows p16001_u with range p16001 and p16002_u with p16002.

And that is different yet with respect to the output of the chcat command:

# chcat -L -l p16001 p16002
p16001: s0:c0.c1023
p16002: s0:c0.c1023

This says p16001 and p16002 have access to all categories.

So...who is right?

Also, I'm still trying to figure out how to dig myself out of this hole:

# semanage user -a -R user_r appuser_u
libsemanage.validate_handler: selinux user appuser_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [p16002 -> (appuser_u, s0:c1.c499-s0:c2)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction

This would seem to be a paradox or chicken and egg problem.

Ideas? Thanks! :)

-- 
Tracy Reed



* Re: MCS error
  2015-02-20  2:02           ` Tracy Reed
@ 2015-02-20  7:33             ` Dominick Grift
  2015-02-20 23:27               ` Tracy Reed
  2015-02-20 17:44             ` Stephen Smalley
  1 sibling, 1 reply; 27+ messages in thread
From: Dominick Grift @ 2015-02-20  7:33 UTC (permalink / raw)
  To: selinux


On Thu, Feb 19, 2015 at 06:02:13PM -0800, Tracy Reed wrote:
> On Thu, Feb 19, 2015 at 04:34:25PM PST, Tracy Reed spake thusly:
> > # semanage login -l
> 
> Ok, part of my confusion here is that I've been confusing semanage login with
> semanage user. It's been a while since I've dealt with SELinux. I understand
> that semanage login -l shows what Linux users map to what selinux users:

Right, this table (login table) shows the associations of selinux identities and selinux security levels with linux users, whereas the "user table" shows
associations of selinux roles and security levels with selinux users.

> 
> > Login Name                SELinux User              MLS/MCS Range            
> > 
> > __default__               unconfined_u              SystemLow-SystemHigh     
> > p16001                    p16001_u                  p16001                   
> > p16002                    appuser_u                 s0:c1.c499-s0:c2         
> > p16003                    appuser_u                 s0:c1.c499-s0:c3         
> > p16004                    unconfined_u              s0-s0:c0.c1023,c4        
> > p16005                    unconfined_u              s0-s0:c0.c1023,c4,c5     
> > p16006                    unconfined_u              s0-s0:c0.c1023,c6        
> > p16007                    unconfined_u              s0-s0:c0.c1023,c7        
> > p16008                    unconfined_u              s0-s0:c0.c1023,c8        
> > p16009                    unconfined_u              s0-s0:c0.c1023,c9        
> > root                      unconfined_u              SystemLow-SystemHigh     
> > system_u                  system_u                  SystemLow-SystemHigh  
> 
> So we are mapping p16002 to appuser_u but appuser_u doesn't exist at the
> moment. But what's with the MLS/MCS range column?  Is this saying p16002 has
> categories s0:c1.c499-s0:c2 is it saying appuser_u (selinux user) has
> categories s0:c1.c499-s0:c2? Given that the selinux user is the same but the
> categories listed are different for Linux login users p16002 and p16003 I would
> think it is saying those categories go with those Linux login users.

> 
> How/why is it different from the output of semange user -l ?
> 
> # semanage user -l
> 
> Labeling   MLS/       MLS/                          
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> 
> git_shell_u     user       SystemLow  SystemLow                      git_shell_r
> guest_u         user       SystemLow  SystemLow                      guest_r
> p16001_u        user       SystemLow  p16001                         user_r
> p16002_u        user       SystemLow  p16002                         user_r
> root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
> system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
> unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
> user_u          user       SystemLow  SystemLow-SystemHigh           user_r
> xguest_u        user       SystemLow  SystemLow                      xguest_r

> 
> Here there are no Linux users involved, only selinux users it seems, which is
> fine. But it shows p16001_u with range  p16001 and p16002_u with p16002.
> 
> And that is different yet with respect to the output of the chcat command:
> 
> # chcat -L -l p16001 p16002
> p16001: s0:c0.c1023
> p16002: s0:c0.c1023
> 
> This says p16001 and p16002 have access to all categories.
> 
> So...who is right?
> 
> Also, I'm still trying to figure out how to dig myself out of this hole:
> 
> # semanage user -a -R user_r appuser_u
> libsemanage.validate_handler: selinux user appuser_u does not exist (No such file or directory).
> libsemanage.validate_handler: seuser mapping [p16002 -> (appuser_u, s0:c1.c499-s0:c2)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> /usr/sbin/semanage: Could not commit semanage transaction
> 
> This would seem to be a paradox or chicken and egg problem.

You are misunderstanding the concept of associating things with "selinux users" (user table) versus the concept of associating things with "linux users" (login table), and how the two relate.

You cannot associate something with a Linux user if that something is not associated with the SELinux user first.

For example, the error message above complains that you have an "appuser_u" identity associated with some "linux user(s)" (p16002, p16003). However, that identity (appuser_u) does not exist in your "user table".

So to fix that error: re-add the appuser_u selinux user to the "user table", then remove the references to "appuser_u" from the "login table" *first*, and then finally remove the appuser_u association from the "user table" again.


> 
> Ideas? Thanks! :)
> 
> -- 
> Tracy Reed





-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
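An added example, not code from the thread or from libsemanage: a small Python model of MLS/MCS levels, ranges and dominance, run over tables constructed from the outputs quoted above (mcstrans aliases resolved as chcat -L prints them; the raw "s0:c1" standing in for the "p16001" alias is an assumption). It reproduces the two validate_handler complaints seen in the thread (a login mapped to a missing SELinux user, and a login range that exceeds the SELinux user's range) and the dominance test behind the read that was not denied.

```python
"""Model of SELinux MLS/MCS levels and ranges, plus the consistency checks
between the 'semanage user' table and the 'semanage login' table.
Added example modelled on the thread's outputs; not libsemanage's code."""
import re

# Aliases exactly as 'chcat -L' printed them in the thread.
ALIASES = {
    "SystemLow": "s0",
    "SystemHigh": "s0:c0.c1023",
    "SystemLow-SystemHigh": "s0-s0:c0.c1023",
}

CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_level(text):
    """'s0:c1.c3,c7' -> (0, frozenset({1, 2, 3, 7})); 's0' -> (0, frozenset())."""
    sens, _, cats = text.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError("bad sensitivity in level %r" % text)
    catset = set()
    for item in filter(None, cats.split(",")):
        m = CAT_RE.match(item)
        if not m:
            raise ValueError("bad category %r in level %r" % (item, text))
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError("descending category range %r" % item)
        catset.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(catset)


def dominates(a, b):
    """MLS dominance: a dom b iff sens(a) >= sens(b) and cats(a) is a superset of cats(b)."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_range(text):
    """'s0-s0:c0.c1023' -> (low, high); a bare level is the range low == high."""
    text = ALIASES.get(text, text)
    low, _, high = text.partition("-")
    low = parse_level(low)
    high = parse_level(high) if high else low
    return low, high


def range_contains(outer, inner):
    """inner fits in outer iff inner.low dom outer.low and outer.high dom inner.high."""
    return dominates(inner[0], outer[0]) and dominates(outer[1], inner[1])


def mcs_file_read_allowed(process_level, file_level):
    """The MCS read constraint in this model: the process's (high) level must
    dominate the file's level, i.e. hold every category the file carries."""
    return dominates(parse_level(process_level), parse_level(file_level))


def validate_logins(user_table, login_table):
    """Return the problems a login table has against a user table, worded
    after the validate_handler messages quoted in the thread."""
    problems = []
    users = {name: parse_range(rng) for name, rng in user_table.items()}
    for login, (seuser, rng) in login_table.items():
        if seuser not in users:
            problems.append("selinux user %s does not exist (login %s)" % (seuser, login))
            continue
        low, high = parse_range(rng)
        if not dominates(high, low):
            problems.append("range %s for login %s: high level does not dominate low level" % (rng, login))
        if not range_contains(users[seuser], (low, high)):
            problems.append("MLS range %s for Unix user %s exceeds allowed range %s for SELinux user %s"
                            % (rng, login, user_table[seuser], seuser))
    return problems


# Constructed sample tables modelled on the thread's 'semanage user -l' and
# 'semanage login -l' output; appuser_u is absent, as after 'semanage user -d appuser_u'.
USER_TABLE = {
    "user_u": "s0",                           # the "allowed range s0" from the first error
    "unconfined_u": "SystemLow-SystemHigh",
    "p16001_u": "s0:c1",                      # assumption: what the 'p16001' alias stands for
}
LOGIN_TABLE = {
    "user1": ("user_u", "s0-s0:c1"),                  # exceeds user_u's range
    "p16001": ("p16001_u", "s0:c1"),                  # fine
    "p16002": ("appuser_u", "s0:c1.c499-s0:c2"),      # SELinux user missing
    "p16003": ("unconfined_u", "s0:c1.c499-s0:c3"),   # high level does not dominate low
    "p16004": ("unconfined_u", "s0-s0:c0.c1023,c4"),  # c4 already sits inside c0.c1023
}

if __name__ == "__main__":
    for problem in validate_logins(USER_TABLE, LOGIN_TABLE):
        print(problem)
    print("s0:c1 reads s0:c2 file:", mcs_file_read_allowed("s0:c1", "s0:c2"))
    print("s0:c0.c1023 reads s0:c2 file:", mcs_file_read_allowed("s0:c0.c1023", "s0:c2"))
```

The second read check shows why a login whose effective range is s0:c0.c1023 (what chcat -L -l reported) is never denied: it holds every category.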


* Re: MCS error
  2015-02-20  0:34         ` Tracy Reed
  2015-02-20  2:02           ` Tracy Reed
@ 2015-02-20 13:38           ` Stephen Smalley
  2015-02-20 16:56             ` Tracy Reed
  1 sibling, 1 reply; 27+ messages in thread
From: Stephen Smalley @ 2015-02-20 13:38 UTC (permalink / raw)
  To: Tracy Reed, selinux

On 02/19/2015 07:34 PM, Tracy Reed wrote:
> but when I try to test that it is being MCS restricted nothing gets denied:
> 
> -bash-4.1$ cd /nodes/p16001/
> -bash-4.1$ ls 
> testfile
> -bash-4.1$ 
> -bash-4.1$ id -Z
> p16001_u:user_r:user_t:p16001
> -bash-4.1$ ls -laZ
> drwxr-xr-x. p16001 p16001 user_u:object_r:default_t:p16001 .
> drwxr-xr-x. root   root   system_u:object_r:default_t:SystemLow ..
> -rw-r--r--. p16001 p16001 user_u:object_r:default_t:p16001 testfile
> -bash-4.1$ cat testfile 
> I am 16001
> -bash-4.1$ cd ../p16002/
> -bash-4.1$ ls -laZ
> drwxr-xr-x. p16002 p16002 user_u:object_r:default_t:p16002 .
> drwxr-xr-x. root   root   system_u:object_r:default_t:SystemLow ..
> -rw-r--r--. p16002 p16002 user_u:object_r:default_t:p16002 testfile
> -bash-4.1$ cat testfile 
> I am 16002
> 
> to my understanding user p16001 with only category p16001 should not be able to
> read this file of category p16002.

Can you show the actual constraints on RHEL6?  seinfo --constrain
output, or grab the .src.rpm and pull out the mcs file.


* Re: MCS error
  2015-02-20 13:38           ` Stephen Smalley
@ 2015-02-20 16:56             ` Tracy Reed
  2015-02-20 17:08               ` Stephen Smalley
  0 siblings, 1 reply; 27+ messages in thread
From: Tracy Reed @ 2015-02-20 16:56 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux


On Fri, Feb 20, 2015 at 05:38:55AM PST, Stephen Smalley spake thusly:
> Can you show the actual constraints on RHEL6?  seinfo --constrain
> output, or grab the .src.rpm and pull out the mcs file.

Here is the seinfo --constrain output from RHEL6. Thanks for having a look!

Constraints: 90
constrain { netlink_audit_socket } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

constrain { tcp_socket } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

mlsconstrain { tcp_socket } { node_bind  } 
(  h1 h2  dom  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  || );

mlsconstrain { db_procedure } { drop getattr setattr relabelfrom execute install  } 
(  h1 h2  dom );

mlsconstrain { db_procedure } { create relabelto  } 
(  h1 h2  dom  l2 h2  ==  && );

constrain { dir } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

mlsconstrain { dir } { create relabelto  } 
(  h1 h2  dom  l2 h2  ==  &&  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  || );

mlsconstrain { dir } { relabelfrom  } 
(  h1 h2  dom );

mlsconstrain { dir } { write setattr append unlink link rename add_name remove_name  } 
(  h1 h2  dom  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t virtd_lxc_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t ada_t fsadm_t kudzu_t lvm_t mdadm_t mono_t postfix_postdrop_t rpm_t wine_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t nova_volume_t nova_scheduler_t vmware_host_t haproxy_t prelink_t anaconda_t glance_api_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t postfix_pickup_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t depmod_t insmod_t kernel_t livecd_t lldpad_t mongod_t puppet_t apmd_t bcfg2_t clvmd_t crond_t ctdbd_t drbd_t inetd_t init_t iwhd_t l2tpd_t mount_t numad_t rhnsd_t slpd_t smsd_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t matahari_sysconfigd_t svnserve_t zarafa_server_t nova_direct_t matahari_hostd_t semanage_t sge_shepherd_t unconfined_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t neutron_t ricci_modcluster_t sensord_t sge_job_t zarafa_ical_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  ||  t1 { openshift_app_t qemu_t 
sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  t2 { sosreport_t git_session_t cfengine_execd_t bootloader_t netutils_t qmail_tcp_env_t devicekit_power_t sandbox_x_client_t nova_api_t sblim_reposd_t dkim_milter_t virt_qemu_ga_unconfined_t admin_crontab_t consolekit_t nova_compute_t nova_console_t pam_console_t zarafa_gateway_t policykit_grant_t logrotate_t openvswitch_t update_modules_t ssh_keysign_t nova_network_t qmail_rspawn_t uml_switch_t qmail_inject_t qmail_lspawn_t dirsrvadmin_unconfined_script_t gnomeclock_t httpd_cvs_script_t sandbox_net_client_t munin_mail_plugin_t ldconfig_t loadkeys_t smoltclient_t prelude_lml_t nova_objectstore_t dmidecode_t modemmanager_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t httpd_rotatelogs_t afs_kaserver_t munin_disk_plugin_t keystone_t kdumpgui_t httpd_bugzilla_script_t postfix_bounce_t httpd_smokeping_cgi_script_t nx_server_t policykit_auth_t ssh_keygen_t piranha_pulse_t sysadm_su_t virtd_lxc_t hald_mac_t iptables_t cachefilesd_t courier_sqwebmail_t postfix_cleanup_t munin_services_plugin_t postfix_showq_t openshift_app_t hostname_t shorewall_t showmount_t telepathy_gabble_t abrt_handle_event_t postfix_virtual_t dovecot_deliver_t ifconfig_t condor_startd_ssh_t qmail_clean_t qmail_local_t qmail_smtpd_t qmail_start_t sandbox_xserver_t setfiles_mac_t telepathy_sofiasip_t amanda_t initrc_t locate_t logadm_t mcelog_t nagios_t varnishd_t setkey_t sysadm_t tvtime_t tzdata_t vmware_t webadm_t ada_t afs_t aiccu_t aide_t alsa_t amtu_t apm_t avahi_t boinc_t canna_t ccs_t cdcc_t crack_t cvs_t cyrus_t dccm_t dhcpc_t dmesg_t dspam_t exim_t fsadm_t games_t getty_t gpg_t gpm_t ipsec_t irc_t irssi_t java_t kudzu_t lvm_t mdadm_t mono_t mrtg_t ndc_t nrpe_t pads_t pam_t ping_t postfix_postdrop_t postfix_postqueue_t qemu_t quota_t rdisc_t ricci_t rpm_t rsync_t rwho_t spamc_t vpnc_t wine_t xdm_t xfs_t xm_t zebra_t setroubleshoot_fixit_t staff_dbusd_t 
postfix_pipe_t virt_qmf_t nova_vncproxy_t httpd_nagios_script_t unconfined_dbusd_t unconfined_mount_t afs_fsserver_t prelink_cron_system_t sge_execd_t sysadm_ssh_agent_t cachefiles_kernel_t httpd_dirsrvadmin_script_t git_system_t httpd_suexec_t abrt_helper_t abrt_retrace_coredump_t usernetctl_t certwatch_t updfstab_t deltacloudd_t user_dbusd_t firewallgui_t glance_registry_t utempter_t setsebool_t telepathy_idle_t telepathy_mission_control_t webalizer_t cpucontrol_t gconfdefaultsm_t matahari_serviced_t httpd_php_t openoffice_t denyhosts_t memcached_t xguest_openoffice_t dirsrv_snmp_t dirsrvadmin_t smbcontrol_t oracleasm_t netlabel_mgmt_t oddjob_mkhomedir_t cyphesis_t gnomesystemmm_t kerneloops_t nova_volume_t varnishlog_t httpd_w3c_validator_script_t user_openoffice_t httpd_user_script_t accountsd_t cgconfig_t user_java_t user_mono_t user_wine_t ipsec_mgmt_t run_init_t sendmail_t shutdown_t audisp_remote_t dovecot_auth_t nova_scheduler_t dlm_controld_t gfs_controld_t smbmount_t asterisk_t bitlbee_t sepgsql_trusted_proc_t vmware_host_t checkpc_t saslauthd_t awstats_t munin_selinux_plugin_t gitosis_t dnsmasq_t krb5kdc_t openshift_cgroup_read_t sysadm_seunshare_t haproxy_t hotplug_t gpg_pinentry_t hwclock_t newrole_t zos_remote_t dcc_client_t mozilla_t plymouth_t procmail_t sanlock_t setrans_t traceroute_t pegasus_t prelink_t prelude_t privoxy_t staff_java_t staff_mono_t staff_sudo_t staff_wine_t wpa_cli_t httpd_awstats_script_t munin_system_plugin_t qmail_send_t anaconda_t glance_api_t piranha_fos_t piranha_lvs_t sandbox_x_t httpd_apcupsd_cgi_script_t local_login_t hald_dccm_t mysqld_safe_t ricci_modservice_t games_srv_t ricci_modstorage_t samba_net_t afs_bosserver_t httpd_nutups_cgi_script_t hald_sonypic_t openhpid_t boinc_project_t condor_procd_t nagios_mail_plugin_t virt_qemu_ga_t condor_negotiator_t nova_ajax_t nova_cert_t amanda_recover_t chrome_sandbox_t zarafa_spooler_t httpd_munin_script_t telepathy_salut_t rpm_script_t sysadm_passwd_t sysadm_screen_t 
nsplugin_t xguest_execmem_t zarafa_deliver_t sblim_gatherd_t antivirus_t bluetooth_helper_t dcc_dbclean_t nut_upsd_t staff_execmem_t user_execmem_t podsleuth_t system_cronjob_t sge_job_ssh_t zarafa_monitor_t openshift_initrc_t chroot_user_t httpd_openshift_script_t qmail_remote_t zarafa_indexer_t policykit_t httpd_sys_script_t tmpreaper_t staff_consolehelper_t svc_multilog_t ricci_modclusterd_t logwatch_t mailman_cgi_t pulseaudio_t mailman_mail_t mysqlmanagerd_t samba_unconfined_net_t bluetooth_t mencoder_t httpd_dspam_script_t plymouthd_t smokeping_t cfengine_monitord_t ksmtuned_t unconfined_notrans_t httpd_prewikka_script_t ricci_modlog_t ricci_modrpm_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t setroubleshootd_t nsplugin_config_t chrome_sandbox_nacl_t nagios_checkdisk_plugin_t postfix_master_t postfix_pickup_t devicekit_disk_t regex_milter_t firstboot_t hald_acl_t telepathy_sunshine_t postfix_local_t postfix_smtpd_t zabbix_agent_t samba_unconfined_script_t httpd_git_script_t nagios_services_plugin_t nagios_eventhandler_plugin_t rhsmcertd_t virt_bridgehelper_t munin_unconfined_plugin_t openshift_cron_t unconfined_java_t unconfined_mono_t courier_tcpd_t httpd_unconfined_script_t openvpn_unconfined_script_t NetworkManager_t qmail_queue_t sandbox_web_client_t groupadd_t audisp_t auditd_t chkpwd_t comsat_t dbskkd_t dccifd_t depmod_t dirsrv_t fenced_t gconfd_t groupd_t insmod_t iscsid_t kernel_t kismet_t kpropd_t ktalkd_t livecd_t lldpad_t lsassd_t lwregd_t mongod_t mysqld_t oddjob_t openct_t svc_start_t fail2ban_t passwd_t puppet_t qdiskd_t racoon_t soundd_t telepathy_stream_engine_t updpwd_t xguest_t xm_ssh_t ypbind_t ypserv_t zabbix_t abrt_t acct_t apmd_t bcfg2_t brctl_t cgred_t chfn_t ciped_t clogd_t clvmd_t crond_t ctdbd_t cupsd_t dccd_t dhcpd_t dictd_t drbd_t ftpd_t gpsd_t gssd_t guest_t hald_t howl_t hplip_t httpd_t inetd_t init_t innd_t iwhd_t kdump_t klogd_t l2tpd_t lircd_t lpd_t lpr_t lwiod_t lwsmd_t mount_t mpd_t munin_t named_t nfsd_t nmbd_t 
nscd_t nslcd_t ntop_t ntpd_t numad_t pcscd_t pingd_t pppd_t pptp_t psad_t ptal_t qpidd_t radvd_t rhgb_t rhnsd_t rpcd_t rshd_t rssh_t slapd_t slpd_t smbd_t smsd_t snmpd_t snort_t spamd_t squid_t ssh_t sshd_t sssd_t staff_t svirt_t swat_t tcpd_t tftpd_t tgtd_t thin_t tor_t tuned_t udev_t ulogd_t uml_t user_t uucpd_t uuidd_t uux_t virtd_t wdmd_t xauth_t xend_t ypxfr_t eventlogd_t nagios_system_plugin_t postfix_qmgr_t postfix_smtp_t prelude_audisp_t courier_authdaemon_t afs_vlserver_t fsdaemon_t watchdog_t abrt_retrace_worker_t mozilla_plugin_config_t jabberd_router_t policykit_resolve_t winbind_helper_t load_policy_t nut_upsmon_t cupsd_config_t hald_keymap_t httpd_helper_t rtkit_daemon_t nagios_unconfined_plugin_t glusterd_t sandbox_min_t sandbox_net_t sandbox_web_t user_seunshare_t xguest_java_t xguest_mono_t logwatch_mail_t cupsd_lpd_t devicekit_t postfix_map_t remote_login_t inetd_child_t automount_t ethereal_t fetchmail_t netlogond_t puppetmaster_t tethereal_t system_mail_t httpd_squid_script_t restorecond_t xdm_dbusd_t gpg_helper_t staff_ssh_agent_t matahari_sysconfigd_t portreserve_t cpufreqselector_t readahead_t abrt_dump_oops_t quota_nld_t staff_screen_t system_dbusd_t entropyd_t rhev_agentd_t xenstored_t sandbox_min_client_t cpuspeed_t nagios_admin_plugin_t svnserve_t guest_dbusd_t qmail_splogger_t xguest_dbusd_t cups_pdf_t postgresql_t mozilla_plugin_t courier_pcp_t courier_pop_t zarafa_server_t nova_direct_t matahari_hostd_t publicfile_t usbmodules_t sambagui_t staff_seunshare_t nx_server_ssh_t certmaster_t certmonger_t setfiles_t user_mail_t cdrecord_t sectoolm_t semanage_t checkpolicy_t portmap_helper_t sge_shepherd_t cobblerd_t consoletype_t unconfined_t xenconsoled_t user_ssh_agent_t cmirrord_t cronjob_t crontab_t logrotate_mail_t matahari_netd_t matahari_rpcd_t passenger_t arpwatch_t cardmgr_t cgclear_t chronyd_t cluster_t apcupsd_t fcoemon_t fingerd_t foghorn_t gpg_web_t rhev_agentd_consolehelper_t fprintd_t ftpdctl_t httpd_cobbler_script_t dcerpcd_t 
dovecot_t evtchnd_t gpg_agent_t telepathy_msn_t auditctl_t openshift_t jabberd_t kadmind_t hddtemp_t spamass_milter_t iceauth_t icecast_t prelude_correlator_t ncftool_t neutron_t openvpn_t postgrey_t lockdev_t mplayer_t ricci_modcluster_t irqbalance_t radiusd_t rlogind_t roundup_t srvsvcd_t stunnel_t sulogin_t svc_run_t syslogd_t sysstat_t nut_upsdrvctl_t rpcbind_t sandbox_t sensord_t sge_job_t portmap_t yppasswdd_t ptchown_t vbetool_t vdagent_t vhostmd_t zarafa_ical_t winbind_t sysadm_sudo_t telnetd_t usbmuxd_t useradd_t afs_ptserver_t namespace_init_t httpd_mediawiki_script_t xserver_t condor_schedd_t condor_startd_t piranha_web_t user_screen_t condor_master_t greylist_milter_t calamaris_t staff_openoffice_t mailman_queue_t } ==  &&  || );

mlsconstrain { dir } { ioctl read lock search  } 
(  h1 h2  dom  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t virtd_lxc_t postfix_showq_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t ada_t fsadm_t kudzu_t lvm_t mdadm_t mono_t postfix_postdrop_t rpm_t wine_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t nova_volume_t nova_scheduler_t vmware_host_t haproxy_t prelink_t anaconda_t glance_api_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t postfix_master_t postfix_pickup_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t depmod_t insmod_t kernel_t livecd_t lldpad_t mongod_t puppet_t apmd_t bcfg2_t cgred_t clvmd_t crond_t ctdbd_t drbd_t hald_t inetd_t init_t iwhd_t l2tpd_t mount_t numad_t rhnsd_t slpd_t smsd_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t matahari_sysconfigd_t readahead_t svnserve_t zarafa_server_t nova_direct_t matahari_hostd_t semanage_t sge_shepherd_t unconfined_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t neutron_t ricci_modcluster_t sensord_t sge_job_t zarafa_ical_t useradd_t xserver_t condor_schedd_t condor_startd_t condor_master_t } 
==  ||  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  t2 { sosreport_t git_session_t cfengine_execd_t bootloader_t netutils_t qmail_tcp_env_t devicekit_power_t sandbox_x_client_t nova_api_t sblim_reposd_t dkim_milter_t virt_qemu_ga_unconfined_t admin_crontab_t consolekit_t nova_compute_t nova_console_t pam_console_t zarafa_gateway_t policykit_grant_t logrotate_t openvswitch_t update_modules_t ssh_keysign_t nova_network_t qmail_rspawn_t uml_switch_t qmail_inject_t qmail_lspawn_t dirsrvadmin_unconfined_script_t gnomeclock_t httpd_cvs_script_t sandbox_net_client_t munin_mail_plugin_t ldconfig_t loadkeys_t smoltclient_t prelude_lml_t nova_objectstore_t dmidecode_t modemmanager_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t httpd_rotatelogs_t afs_kaserver_t munin_disk_plugin_t keystone_t kdumpgui_t httpd_bugzilla_script_t postfix_bounce_t httpd_smokeping_cgi_script_t nx_server_t policykit_auth_t ssh_keygen_t piranha_pulse_t sysadm_su_t virtd_lxc_t hald_mac_t iptables_t cachefilesd_t courier_sqwebmail_t postfix_cleanup_t munin_services_plugin_t postfix_showq_t openshift_app_t hostname_t shorewall_t showmount_t telepathy_gabble_t abrt_handle_event_t postfix_virtual_t dovecot_deliver_t ifconfig_t condor_startd_ssh_t qmail_clean_t qmail_local_t qmail_smtpd_t qmail_start_t sandbox_xserver_t setfiles_mac_t telepathy_sofiasip_t amanda_t initrc_t locate_t logadm_t mcelog_t nagios_t varnishd_t setkey_t sysadm_t tvtime_t tzdata_t vmware_t webadm_t ada_t afs_t aiccu_t aide_t alsa_t amtu_t apm_t avahi_t boinc_t canna_t ccs_t cdcc_t crack_t cvs_t cyrus_t dccm_t dhcpc_t dmesg_t dspam_t exim_t fsadm_t games_t getty_t gpg_t gpm_t ipsec_t irc_t irssi_t java_t kudzu_t lvm_t mdadm_t mono_t mrtg_t ndc_t nrpe_t pads_t pam_t ping_t postfix_postdrop_t postfix_postqueue_t qemu_t quota_t rdisc_t ricci_t rpm_t rsync_t rwho_t spamc_t vpnc_t wine_t xdm_t xfs_t xm_t zebra_t 
setroubleshoot_fixit_t staff_dbusd_t postfix_pipe_t virt_qmf_t nova_vncproxy_t httpd_nagios_script_t unconfined_dbusd_t unconfined_mount_t afs_fsserver_t prelink_cron_system_t sge_execd_t sysadm_ssh_agent_t cachefiles_kernel_t httpd_dirsrvadmin_script_t git_system_t httpd_suexec_t abrt_helper_t abrt_retrace_coredump_t usernetctl_t certwatch_t updfstab_t deltacloudd_t user_dbusd_t firewallgui_t glance_registry_t utempter_t setsebool_t telepathy_idle_t telepathy_mission_control_t webalizer_t cpucontrol_t gconfdefaultsm_t matahari_serviced_t httpd_php_t openoffice_t denyhosts_t memcached_t xguest_openoffice_t dirsrv_snmp_t dirsrvadmin_t smbcontrol_t oracleasm_t netlabel_mgmt_t oddjob_mkhomedir_t cyphesis_t gnomesystemmm_t kerneloops_t nova_volume_t varnishlog_t httpd_w3c_validator_script_t user_openoffice_t httpd_user_script_t accountsd_t cgconfig_t user_java_t user_mono_t user_wine_t ipsec_mgmt_t run_init_t sendmail_t shutdown_t audisp_remote_t dovecot_auth_t nova_scheduler_t dlm_controld_t gfs_controld_t smbmount_t asterisk_t bitlbee_t sepgsql_trusted_proc_t vmware_host_t checkpc_t saslauthd_t awstats_t munin_selinux_plugin_t gitosis_t dnsmasq_t krb5kdc_t openshift_cgroup_read_t sysadm_seunshare_t haproxy_t hotplug_t gpg_pinentry_t hwclock_t newrole_t zos_remote_t dcc_client_t mozilla_t plymouth_t procmail_t sanlock_t setrans_t traceroute_t pegasus_t prelink_t prelude_t privoxy_t staff_java_t staff_mono_t staff_sudo_t staff_wine_t wpa_cli_t httpd_awstats_script_t munin_system_plugin_t qmail_send_t anaconda_t glance_api_t piranha_fos_t piranha_lvs_t sandbox_x_t httpd_apcupsd_cgi_script_t local_login_t hald_dccm_t mysqld_safe_t ricci_modservice_t games_srv_t ricci_modstorage_t samba_net_t afs_bosserver_t httpd_nutups_cgi_script_t hald_sonypic_t openhpid_t boinc_project_t condor_procd_t nagios_mail_plugin_t virt_qemu_ga_t condor_negotiator_t nova_ajax_t nova_cert_t amanda_recover_t chrome_sandbox_t zarafa_spooler_t httpd_munin_script_t telepathy_salut_t rpm_script_t 
sysadm_passwd_t sysadm_screen_t nsplugin_t xguest_execmem_t zarafa_deliver_t sblim_gatherd_t antivirus_t bluetooth_helper_t dcc_dbclean_t nut_upsd_t staff_execmem_t user_execmem_t podsleuth_t system_cronjob_t sge_job_ssh_t zarafa_monitor_t openshift_initrc_t chroot_user_t httpd_openshift_script_t qmail_remote_t zarafa_indexer_t policykit_t httpd_sys_script_t tmpreaper_t staff_consolehelper_t svc_multilog_t ricci_modclusterd_t logwatch_t mailman_cgi_t pulseaudio_t mailman_mail_t mysqlmanagerd_t samba_unconfined_net_t bluetooth_t mencoder_t httpd_dspam_script_t plymouthd_t smokeping_t cfengine_monitord_t ksmtuned_t unconfined_notrans_t httpd_prewikka_script_t ricci_modlog_t ricci_modrpm_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t setroubleshootd_t nsplugin_config_t chrome_sandbox_nacl_t nagios_checkdisk_plugin_t postfix_master_t postfix_pickup_t devicekit_disk_t regex_milter_t firstboot_t hald_acl_t telepathy_sunshine_t postfix_local_t postfix_smtpd_t zabbix_agent_t samba_unconfined_script_t httpd_git_script_t nagios_services_plugin_t nagios_eventhandler_plugin_t rhsmcertd_t virt_bridgehelper_t munin_unconfined_plugin_t openshift_cron_t unconfined_java_t unconfined_mono_t courier_tcpd_t httpd_unconfined_script_t openvpn_unconfined_script_t NetworkManager_t qmail_queue_t sandbox_web_client_t groupadd_t audisp_t auditd_t chkpwd_t comsat_t dbskkd_t dccifd_t depmod_t dirsrv_t fenced_t gconfd_t groupd_t insmod_t iscsid_t kernel_t kismet_t kpropd_t ktalkd_t livecd_t lldpad_t lsassd_t lwregd_t mongod_t mysqld_t oddjob_t openct_t svc_start_t fail2ban_t passwd_t puppet_t qdiskd_t racoon_t soundd_t telepathy_stream_engine_t updpwd_t xguest_t xm_ssh_t ypbind_t ypserv_t zabbix_t abrt_t acct_t apmd_t bcfg2_t brctl_t cgred_t chfn_t ciped_t clogd_t clvmd_t crond_t ctdbd_t cupsd_t dccd_t dhcpd_t dictd_t drbd_t ftpd_t gpsd_t gssd_t guest_t hald_t howl_t hplip_t httpd_t inetd_t init_t innd_t iwhd_t kdump_t klogd_t l2tpd_t lircd_t lpd_t lpr_t lwiod_t lwsmd_t mount_t mpd_t 
munin_t named_t nfsd_t nmbd_t nscd_t nslcd_t ntop_t ntpd_t numad_t pcscd_t pingd_t pppd_t pptp_t psad_t ptal_t qpidd_t radvd_t rhgb_t rhnsd_t rpcd_t rshd_t rssh_t slapd_t slpd_t smbd_t smsd_t snmpd_t snort_t spamd_t squid_t ssh_t sshd_t sssd_t staff_t svirt_t swat_t tcpd_t tftpd_t tgtd_t thin_t tor_t tuned_t udev_t ulogd_t uml_t user_t uucpd_t uuidd_t uux_t virtd_t wdmd_t xauth_t xend_t ypxfr_t eventlogd_t nagios_system_plugin_t postfix_qmgr_t postfix_smtp_t prelude_audisp_t courier_authdaemon_t afs_vlserver_t fsdaemon_t watchdog_t abrt_retrace_worker_t mozilla_plugin_config_t jabberd_router_t policykit_resolve_t winbind_helper_t load_policy_t nut_upsmon_t cupsd_config_t hald_keymap_t httpd_helper_t rtkit_daemon_t nagios_unconfined_plugin_t glusterd_t sandbox_min_t sandbox_net_t sandbox_web_t user_seunshare_t xguest_java_t xguest_mono_t logwatch_mail_t cupsd_lpd_t devicekit_t postfix_map_t remote_login_t inetd_child_t automount_t ethereal_t fetchmail_t netlogond_t puppetmaster_t tethereal_t system_mail_t httpd_squid_script_t restorecond_t xdm_dbusd_t gpg_helper_t staff_ssh_agent_t matahari_sysconfigd_t portreserve_t cpufreqselector_t readahead_t abrt_dump_oops_t quota_nld_t staff_screen_t system_dbusd_t entropyd_t rhev_agentd_t xenstored_t sandbox_min_client_t cpuspeed_t nagios_admin_plugin_t svnserve_t guest_dbusd_t qmail_splogger_t xguest_dbusd_t cups_pdf_t postgresql_t mozilla_plugin_t courier_pcp_t courier_pop_t zarafa_server_t nova_direct_t matahari_hostd_t publicfile_t usbmodules_t sambagui_t staff_seunshare_t nx_server_ssh_t certmaster_t certmonger_t setfiles_t user_mail_t cdrecord_t sectoolm_t semanage_t checkpolicy_t portmap_helper_t sge_shepherd_t cobblerd_t consoletype_t unconfined_t xenconsoled_t user_ssh_agent_t cmirrord_t cronjob_t crontab_t logrotate_mail_t matahari_netd_t matahari_rpcd_t passenger_t arpwatch_t cardmgr_t cgclear_t chronyd_t cluster_t apcupsd_t fcoemon_t fingerd_t foghorn_t gpg_web_t rhev_agentd_consolehelper_t fprintd_t ftpdctl_t 
httpd_cobbler_script_t dcerpcd_t dovecot_t evtchnd_t gpg_agent_t telepathy_msn_t auditctl_t openshift_t jabberd_t kadmind_t hddtemp_t spamass_milter_t iceauth_t icecast_t prelude_correlator_t ncftool_t neutron_t openvpn_t postgrey_t lockdev_t mplayer_t ricci_modcluster_t irqbalance_t radiusd_t rlogind_t roundup_t srvsvcd_t stunnel_t sulogin_t svc_run_t syslogd_t sysstat_t nut_upsdrvctl_t rpcbind_t sandbox_t sensord_t sge_job_t portmap_t yppasswdd_t ptchown_t vbetool_t vdagent_t vhostmd_t zarafa_ical_t winbind_t sysadm_sudo_t telnetd_t usbmuxd_t useradd_t afs_ptserver_t namespace_init_t httpd_mediawiki_script_t xserver_t condor_schedd_t condor_startd_t piranha_web_t user_screen_t condor_master_t greylist_milter_t calamaris_t staff_openoffice_t mailman_queue_t } ==  &&  || );

mlsconstrain { peer } { recv  } 
(  l1 l2  dom  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  t2 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  &&  || );

constrain { blk_file } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

mlsconstrain { blk_file } { create relabelto  } 
(  h1 h2  dom  l2 h2  ==  &&  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  || );

mlsconstrain { blk_file } { relabelfrom  } 
(  h1 h2  dom );

mlsconstrain { blk_file } { write setattr  } 
(  h1 h2  dom  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t virtd_lxc_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t ada_t fsadm_t kudzu_t lvm_t mdadm_t mono_t postfix_postdrop_t rpm_t wine_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t nova_volume_t nova_scheduler_t vmware_host_t haproxy_t prelink_t anaconda_t glance_api_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t postfix_pickup_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t depmod_t insmod_t kernel_t livecd_t lldpad_t mongod_t puppet_t apmd_t bcfg2_t clvmd_t crond_t ctdbd_t drbd_t inetd_t init_t iwhd_t l2tpd_t mount_t numad_t rhnsd_t slpd_t smsd_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t matahari_sysconfigd_t svnserve_t zarafa_server_t nova_direct_t matahari_hostd_t semanage_t sge_shepherd_t unconfined_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t neutron_t ricci_modcluster_t sensord_t sge_job_t zarafa_ical_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  ||  t1 { openshift_app_t qemu_t 
sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  t2 { sosreport_t git_session_t cfengine_execd_t bootloader_t netutils_t qmail_tcp_env_t devicekit_power_t sandbox_x_client_t nova_api_t sblim_reposd_t dkim_milter_t virt_qemu_ga_unconfined_t admin_crontab_t consolekit_t nova_compute_t nova_console_t pam_console_t zarafa_gateway_t policykit_grant_t logrotate_t openvswitch_t update_modules_t ssh_keysign_t nova_network_t qmail_rspawn_t uml_switch_t qmail_inject_t qmail_lspawn_t dirsrvadmin_unconfined_script_t gnomeclock_t httpd_cvs_script_t sandbox_net_client_t munin_mail_plugin_t ldconfig_t loadkeys_t smoltclient_t prelude_lml_t nova_objectstore_t dmidecode_t modemmanager_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t httpd_rotatelogs_t afs_kaserver_t munin_disk_plugin_t keystone_t kdumpgui_t httpd_bugzilla_script_t postfix_bounce_t httpd_smokeping_cgi_script_t nx_server_t policykit_auth_t ssh_keygen_t piranha_pulse_t sysadm_su_t virtd_lxc_t hald_mac_t iptables_t cachefilesd_t courier_sqwebmail_t postfix_cleanup_t munin_services_plugin_t postfix_showq_t openshift_app_t hostname_t shorewall_t showmount_t telepathy_gabble_t abrt_handle_event_t postfix_virtual_t dovecot_deliver_t ifconfig_t condor_startd_ssh_t qmail_clean_t qmail_local_t qmail_smtpd_t qmail_start_t sandbox_xserver_t setfiles_mac_t telepathy_sofiasip_t amanda_t initrc_t locate_t logadm_t mcelog_t nagios_t varnishd_t setkey_t sysadm_t tvtime_t tzdata_t vmware_t webadm_t ada_t afs_t aiccu_t aide_t alsa_t amtu_t apm_t avahi_t boinc_t canna_t ccs_t cdcc_t crack_t cvs_t cyrus_t dccm_t dhcpc_t dmesg_t dspam_t exim_t fsadm_t games_t getty_t gpg_t gpm_t ipsec_t irc_t irssi_t java_t kudzu_t lvm_t mdadm_t mono_t mrtg_t ndc_t nrpe_t pads_t pam_t ping_t postfix_postdrop_t postfix_postqueue_t qemu_t quota_t rdisc_t ricci_t rpm_t rsync_t rwho_t spamc_t vpnc_t wine_t xdm_t xfs_t xm_t zebra_t setroubleshoot_fixit_t staff_dbusd_t 
postfix_pipe_t virt_qmf_t nova_vncproxy_t httpd_nagios_script_t unconfined_dbusd_t unconfined_mount_t afs_fsserver_t prelink_cron_system_t sge_execd_t sysadm_ssh_agent_t cachefiles_kernel_t httpd_dirsrvadmin_script_t git_system_t httpd_suexec_t abrt_helper_t abrt_retrace_coredump_t usernetctl_t certwatch_t updfstab_t deltacloudd_t user_dbusd_t firewallgui_t glance_registry_t utempter_t setsebool_t telepathy_idle_t telepathy_mission_control_t webalizer_t cpucontrol_t gconfdefaultsm_t matahari_serviced_t httpd_php_t openoffice_t denyhosts_t memcached_t xguest_openoffice_t dirsrv_snmp_t dirsrvadmin_t smbcontrol_t oracleasm_t netlabel_mgmt_t oddjob_mkhomedir_t cyphesis_t gnomesystemmm_t kerneloops_t nova_volume_t varnishlog_t httpd_w3c_validator_script_t user_openoffice_t httpd_user_script_t accountsd_t cgconfig_t user_java_t user_mono_t user_wine_t ipsec_mgmt_t run_init_t sendmail_t shutdown_t audisp_remote_t dovecot_auth_t nova_scheduler_t dlm_controld_t gfs_controld_t smbmount_t asterisk_t bitlbee_t sepgsql_trusted_proc_t vmware_host_t checkpc_t saslauthd_t awstats_t munin_selinux_plugin_t gitosis_t dnsmasq_t krb5kdc_t openshift_cgroup_read_t sysadm_seunshare_t haproxy_t hotplug_t gpg_pinentry_t hwclock_t newrole_t zos_remote_t dcc_client_t mozilla_t plymouth_t procmail_t sanlock_t setrans_t traceroute_t pegasus_t prelink_t prelude_t privoxy_t staff_java_t staff_mono_t staff_sudo_t staff_wine_t wpa_cli_t httpd_awstats_script_t munin_system_plugin_t qmail_send_t anaconda_t glance_api_t piranha_fos_t piranha_lvs_t sandbox_x_t httpd_apcupsd_cgi_script_t local_login_t hald_dccm_t mysqld_safe_t ricci_modservice_t games_srv_t ricci_modstorage_t samba_net_t afs_bosserver_t httpd_nutups_cgi_script_t hald_sonypic_t openhpid_t boinc_project_t condor_procd_t nagios_mail_plugin_t virt_qemu_ga_t condor_negotiator_t nova_ajax_t nova_cert_t amanda_recover_t chrome_sandbox_t zarafa_spooler_t httpd_munin_script_t telepathy_salut_t rpm_script_t sysadm_passwd_t sysadm_screen_t 
nsplugin_t xguest_execmem_t zarafa_deliver_t sblim_gatherd_t antivirus_t bluetooth_helper_t dcc_dbclean_t nut_upsd_t staff_execmem_t user_execmem_t podsleuth_t system_cronjob_t sge_job_ssh_t zarafa_monitor_t openshift_initrc_t chroot_user_t httpd_openshift_script_t qmail_remote_t zarafa_indexer_t policykit_t httpd_sys_script_t tmpreaper_t staff_consolehelper_t svc_multilog_t ricci_modclusterd_t logwatch_t mailman_cgi_t pulseaudio_t mailman_mail_t mysqlmanagerd_t samba_unconfined_net_t bluetooth_t mencoder_t httpd_dspam_script_t plymouthd_t smokeping_t cfengine_monitord_t ksmtuned_t unconfined_notrans_t httpd_prewikka_script_t ricci_modlog_t ricci_modrpm_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t setroubleshootd_t nsplugin_config_t chrome_sandbox_nacl_t nagios_checkdisk_plugin_t postfix_master_t postfix_pickup_t devicekit_disk_t regex_milter_t firstboot_t hald_acl_t telepathy_sunshine_t postfix_local_t postfix_smtpd_t zabbix_agent_t samba_unconfined_script_t httpd_git_script_t nagios_services_plugin_t nagios_eventhandler_plugin_t rhsmcertd_t virt_bridgehelper_t munin_unconfined_plugin_t openshift_cron_t unconfined_java_t unconfined_mono_t courier_tcpd_t httpd_unconfined_script_t openvpn_unconfined_script_t NetworkManager_t qmail_queue_t sandbox_web_client_t groupadd_t audisp_t auditd_t chkpwd_t comsat_t dbskkd_t dccifd_t depmod_t dirsrv_t fenced_t gconfd_t groupd_t insmod_t iscsid_t kernel_t kismet_t kpropd_t ktalkd_t livecd_t lldpad_t lsassd_t lwregd_t mongod_t mysqld_t oddjob_t openct_t svc_start_t fail2ban_t passwd_t puppet_t qdiskd_t racoon_t soundd_t telepathy_stream_engine_t updpwd_t xguest_t xm_ssh_t ypbind_t ypserv_t zabbix_t abrt_t acct_t apmd_t bcfg2_t brctl_t cgred_t chfn_t ciped_t clogd_t clvmd_t crond_t ctdbd_t cupsd_t dccd_t dhcpd_t dictd_t drbd_t ftpd_t gpsd_t gssd_t guest_t hald_t howl_t hplip_t httpd_t inetd_t init_t innd_t iwhd_t kdump_t klogd_t l2tpd_t lircd_t lpd_t lpr_t lwiod_t lwsmd_t mount_t mpd_t munin_t named_t nfsd_t nmbd_t 
nscd_t nslcd_t ntop_t ntpd_t numad_t pcscd_t pingd_t pppd_t pptp_t psad_t ptal_t qpidd_t radvd_t rhgb_t rhnsd_t rpcd_t rshd_t rssh_t slapd_t slpd_t smbd_t smsd_t snmpd_t snort_t spamd_t squid_t ssh_t sshd_t sssd_t staff_t svirt_t swat_t tcpd_t tftpd_t tgtd_t thin_t tor_t tuned_t udev_t ulogd_t uml_t user_t uucpd_t uuidd_t uux_t virtd_t wdmd_t xauth_t xend_t ypxfr_t eventlogd_t nagios_system_plugin_t postfix_qmgr_t postfix_smtp_t prelude_audisp_t courier_authdaemon_t afs_vlserver_t fsdaemon_t watchdog_t abrt_retrace_worker_t mozilla_plugin_config_t jabberd_router_t policykit_resolve_t winbind_helper_t load_policy_t nut_upsmon_t cupsd_config_t hald_keymap_t httpd_helper_t rtkit_daemon_t nagios_unconfined_plugin_t glusterd_t sandbox_min_t sandbox_net_t sandbox_web_t user_seunshare_t xguest_java_t xguest_mono_t logwatch_mail_t cupsd_lpd_t devicekit_t postfix_map_t remote_login_t inetd_child_t automount_t ethereal_t fetchmail_t netlogond_t puppetmaster_t tethereal_t system_mail_t httpd_squid_script_t restorecond_t xdm_dbusd_t gpg_helper_t staff_ssh_agent_t matahari_sysconfigd_t portreserve_t cpufreqselector_t readahead_t abrt_dump_oops_t quota_nld_t staff_screen_t system_dbusd_t entropyd_t rhev_agentd_t xenstored_t sandbox_min_client_t cpuspeed_t nagios_admin_plugin_t svnserve_t guest_dbusd_t qmail_splogger_t xguest_dbusd_t cups_pdf_t postgresql_t mozilla_plugin_t courier_pcp_t courier_pop_t zarafa_server_t nova_direct_t matahari_hostd_t publicfile_t usbmodules_t sambagui_t staff_seunshare_t nx_server_ssh_t certmaster_t certmonger_t setfiles_t user_mail_t cdrecord_t sectoolm_t semanage_t checkpolicy_t portmap_helper_t sge_shepherd_t cobblerd_t consoletype_t unconfined_t xenconsoled_t user_ssh_agent_t cmirrord_t cronjob_t crontab_t logrotate_mail_t matahari_netd_t matahari_rpcd_t passenger_t arpwatch_t cardmgr_t cgclear_t chronyd_t cluster_t apcupsd_t fcoemon_t fingerd_t foghorn_t gpg_web_t rhev_agentd_consolehelper_t fprintd_t ftpdctl_t httpd_cobbler_script_t dcerpcd_t 
dovecot_t evtchnd_t gpg_agent_t telepathy_msn_t auditctl_t openshift_t jabberd_t kadmind_t hddtemp_t spamass_milter_t iceauth_t icecast_t prelude_correlator_t ncftool_t neutron_t openvpn_t postgrey_t lockdev_t mplayer_t ricci_modcluster_t irqbalance_t radiusd_t rlogind_t roundup_t srvsvcd_t stunnel_t sulogin_t svc_run_t syslogd_t sysstat_t nut_upsdrvctl_t rpcbind_t sandbox_t sensord_t sge_job_t portmap_t yppasswdd_t ptchown_t vbetool_t vdagent_t vhostmd_t zarafa_ical_t winbind_t sysadm_sudo_t telnetd_t usbmuxd_t useradd_t afs_ptserver_t namespace_init_t httpd_mediawiki_script_t xserver_t condor_schedd_t condor_startd_t piranha_web_t user_screen_t condor_master_t greylist_milter_t calamaris_t staff_openoffice_t mailman_queue_t } ==  &&  || );

mlsconstrain { blk_file } { ioctl read getattr  } 
(  h1 h2  dom  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t virtd_lxc_t postfix_showq_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t ada_t fsadm_t kudzu_t lvm_t mdadm_t mono_t postfix_postdrop_t rpm_t wine_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t nova_volume_t nova_scheduler_t vmware_host_t haproxy_t prelink_t anaconda_t glance_api_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t postfix_master_t postfix_pickup_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t depmod_t insmod_t kernel_t livecd_t lldpad_t mongod_t puppet_t apmd_t bcfg2_t cgred_t clvmd_t crond_t ctdbd_t drbd_t hald_t inetd_t init_t iwhd_t l2tpd_t mount_t numad_t rhnsd_t slpd_t smsd_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t matahari_sysconfigd_t readahead_t svnserve_t zarafa_server_t nova_direct_t matahari_hostd_t semanage_t sge_shepherd_t unconfined_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t neutron_t ricci_modcluster_t sensord_t sge_job_t zarafa_ical_t useradd_t xserver_t condor_schedd_t condor_startd_t condor_master_t } 
==  ||  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  t2 { sosreport_t git_session_t cfengine_execd_t bootloader_t netutils_t qmail_tcp_env_t devicekit_power_t sandbox_x_client_t nova_api_t sblim_reposd_t dkim_milter_t virt_qemu_ga_unconfined_t admin_crontab_t consolekit_t nova_compute_t nova_console_t pam_console_t zarafa_gateway_t policykit_grant_t logrotate_t openvswitch_t update_modules_t ssh_keysign_t nova_network_t qmail_rspawn_t uml_switch_t qmail_inject_t qmail_lspawn_t dirsrvadmin_unconfined_script_t gnomeclock_t httpd_cvs_script_t sandbox_net_client_t munin_mail_plugin_t ldconfig_t loadkeys_t smoltclient_t prelude_lml_t nova_objectstore_t dmidecode_t modemmanager_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t httpd_rotatelogs_t afs_kaserver_t munin_disk_plugin_t keystone_t kdumpgui_t httpd_bugzilla_script_t postfix_bounce_t httpd_smokeping_cgi_script_t nx_server_t policykit_auth_t ssh_keygen_t piranha_pulse_t sysadm_su_t virtd_lxc_t hald_mac_t iptables_t cachefilesd_t courier_sqwebmail_t postfix_cleanup_t munin_services_plugin_t postfix_showq_t openshift_app_t hostname_t shorewall_t showmount_t telepathy_gabble_t abrt_handle_event_t postfix_virtual_t dovecot_deliver_t ifconfig_t condor_startd_ssh_t qmail_clean_t qmail_local_t qmail_smtpd_t qmail_start_t sandbox_xserver_t setfiles_mac_t telepathy_sofiasip_t amanda_t initrc_t locate_t logadm_t mcelog_t nagios_t varnishd_t setkey_t sysadm_t tvtime_t tzdata_t vmware_t webadm_t ada_t afs_t aiccu_t aide_t alsa_t amtu_t apm_t avahi_t boinc_t canna_t ccs_t cdcc_t crack_t cvs_t cyrus_t dccm_t dhcpc_t dmesg_t dspam_t exim_t fsadm_t games_t getty_t gpg_t gpm_t ipsec_t irc_t irssi_t java_t kudzu_t lvm_t mdadm_t mono_t mrtg_t ndc_t nrpe_t pads_t pam_t ping_t postfix_postdrop_t postfix_postqueue_t qemu_t quota_t rdisc_t ricci_t rpm_t rsync_t rwho_t spamc_t vpnc_t wine_t xdm_t xfs_t xm_t zebra_t 
setroubleshoot_fixit_t staff_dbusd_t postfix_pipe_t virt_qmf_t nova_vncproxy_t httpd_nagios_script_t unconfined_dbusd_t unconfined_mount_t afs_fsserver_t prelink_cron_system_t sge_execd_t sysadm_ssh_agent_t cachefiles_kernel_t httpd_dirsrvadmin_script_t git_system_t httpd_suexec_t abrt_helper_t abrt_retrace_coredump_t usernetctl_t certwatch_t updfstab_t deltacloudd_t user_dbusd_t firewallgui_t glance_registry_t utempter_t setsebool_t telepathy_idle_t telepathy_mission_control_t webalizer_t cpucontrol_t gconfdefaultsm_t matahari_serviced_t httpd_php_t openoffice_t denyhosts_t memcached_t xguest_openoffice_t dirsrv_snmp_t dirsrvadmin_t smbcontrol_t oracleasm_t netlabel_mgmt_t oddjob_mkhomedir_t cyphesis_t gnomesystemmm_t kerneloops_t nova_volume_t varnishlog_t httpd_w3c_validator_script_t user_openoffice_t httpd_user_script_t accountsd_t cgconfig_t user_java_t user_mono_t user_wine_t ipsec_mgmt_t run_init_t sendmail_t shutdown_t audisp_remote_t dovecot_auth_t nova_scheduler_t dlm_controld_t gfs_controld_t smbmount_t asterisk_t bitlbee_t sepgsql_trusted_proc_t vmware_host_t checkpc_t saslauthd_t awstats_t munin_selinux_plugin_t gitosis_t dnsmasq_t krb5kdc_t openshift_cgroup_read_t sysadm_seunshare_t haproxy_t hotplug_t gpg_pinentry_t hwclock_t newrole_t zos_remote_t dcc_client_t mozilla_t plymouth_t procmail_t sanlock_t setrans_t traceroute_t pegasus_t prelink_t prelude_t privoxy_t staff_java_t staff_mono_t staff_sudo_t staff_wine_t wpa_cli_t httpd_awstats_script_t munin_system_plugin_t qmail_send_t anaconda_t glance_api_t piranha_fos_t piranha_lvs_t sandbox_x_t httpd_apcupsd_cgi_script_t local_login_t hald_dccm_t mysqld_safe_t ricci_modservice_t games_srv_t ricci_modstorage_t samba_net_t afs_bosserver_t httpd_nutups_cgi_script_t hald_sonypic_t openhpid_t boinc_project_t condor_procd_t nagios_mail_plugin_t virt_qemu_ga_t condor_negotiator_t nova_ajax_t nova_cert_t amanda_recover_t chrome_sandbox_t zarafa_spooler_t httpd_munin_script_t telepathy_salut_t rpm_script_t 
sysadm_passwd_t sysadm_screen_t nsplugin_t xguest_execmem_t zarafa_deliver_t sblim_gatherd_t antivirus_t bluetooth_helper_t dcc_dbclean_t nut_upsd_t staff_execmem_t user_execmem_t podsleuth_t system_cronjob_t sge_job_ssh_t zarafa_monitor_t openshift_initrc_t chroot_user_t httpd_openshift_script_t qmail_remote_t zarafa_indexer_t policykit_t httpd_sys_script_t tmpreaper_t staff_consolehelper_t svc_multilog_t ricci_modclusterd_t logwatch_t mailman_cgi_t pulseaudio_t mailman_mail_t mysqlmanagerd_t samba_unconfined_net_t bluetooth_t mencoder_t httpd_dspam_script_t plymouthd_t smokeping_t cfengine_monitord_t ksmtuned_t unconfined_notrans_t httpd_prewikka_script_t ricci_modlog_t ricci_modrpm_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t setroubleshootd_t nsplugin_config_t chrome_sandbox_nacl_t nagios_checkdisk_plugin_t postfix_master_t postfix_pickup_t devicekit_disk_t regex_milter_t firstboot_t hald_acl_t telepathy_sunshine_t postfix_local_t postfix_smtpd_t zabbix_agent_t samba_unconfined_script_t httpd_git_script_t nagios_services_plugin_t nagios_eventhandler_plugin_t rhsmcertd_t virt_bridgehelper_t munin_unconfined_plugin_t openshift_cron_t unconfined_java_t unconfined_mono_t courier_tcpd_t httpd_unconfined_script_t openvpn_unconfined_script_t NetworkManager_t qmail_queue_t sandbox_web_client_t groupadd_t audisp_t auditd_t chkpwd_t comsat_t dbskkd_t dccifd_t depmod_t dirsrv_t fenced_t gconfd_t groupd_t insmod_t iscsid_t kernel_t kismet_t kpropd_t ktalkd_t livecd_t lldpad_t lsassd_t lwregd_t mongod_t mysqld_t oddjob_t openct_t svc_start_t fail2ban_t passwd_t puppet_t qdiskd_t racoon_t soundd_t telepathy_stream_engine_t updpwd_t xguest_t xm_ssh_t ypbind_t ypserv_t zabbix_t abrt_t acct_t apmd_t bcfg2_t brctl_t cgred_t chfn_t ciped_t clogd_t clvmd_t crond_t ctdbd_t cupsd_t dccd_t dhcpd_t dictd_t drbd_t ftpd_t gpsd_t gssd_t guest_t hald_t howl_t hplip_t httpd_t inetd_t init_t innd_t iwhd_t kdump_t klogd_t l2tpd_t lircd_t lpd_t lpr_t lwiod_t lwsmd_t mount_t mpd_t 
munin_t named_t nfsd_t nmbd_t nscd_t nslcd_t ntop_t ntpd_t numad_t pcscd_t pingd_t pppd_t pptp_t psad_t ptal_t qpidd_t radvd_t rhgb_t rhnsd_t rpcd_t rshd_t rssh_t slapd_t slpd_t smbd_t smsd_t snmpd_t snort_t spamd_t squid_t ssh_t sshd_t sssd_t staff_t svirt_t swat_t tcpd_t tftpd_t tgtd_t thin_t tor_t tuned_t udev_t ulogd_t uml_t user_t uucpd_t uuidd_t uux_t virtd_t wdmd_t xauth_t xend_t ypxfr_t eventlogd_t nagios_system_plugin_t postfix_qmgr_t postfix_smtp_t prelude_audisp_t courier_authdaemon_t afs_vlserver_t fsdaemon_t watchdog_t abrt_retrace_worker_t mozilla_plugin_config_t jabberd_router_t policykit_resolve_t winbind_helper_t load_policy_t nut_upsmon_t cupsd_config_t hald_keymap_t httpd_helper_t rtkit_daemon_t nagios_unconfined_plugin_t glusterd_t sandbox_min_t sandbox_net_t sandbox_web_t user_seunshare_t xguest_java_t xguest_mono_t logwatch_mail_t cupsd_lpd_t devicekit_t postfix_map_t remote_login_t inetd_child_t automount_t ethereal_t fetchmail_t netlogond_t puppetmaster_t tethereal_t system_mail_t httpd_squid_script_t restorecond_t xdm_dbusd_t gpg_helper_t staff_ssh_agent_t matahari_sysconfigd_t portreserve_t cpufreqselector_t readahead_t abrt_dump_oops_t quota_nld_t staff_screen_t system_dbusd_t entropyd_t rhev_agentd_t xenstored_t sandbox_min_client_t cpuspeed_t nagios_admin_plugin_t svnserve_t guest_dbusd_t qmail_splogger_t xguest_dbusd_t cups_pdf_t postgresql_t mozilla_plugin_t courier_pcp_t courier_pop_t zarafa_server_t nova_direct_t matahari_hostd_t publicfile_t usbmodules_t sambagui_t staff_seunshare_t nx_server_ssh_t certmaster_t certmonger_t setfiles_t user_mail_t cdrecord_t sectoolm_t semanage_t checkpolicy_t portmap_helper_t sge_shepherd_t cobblerd_t consoletype_t unconfined_t xenconsoled_t user_ssh_agent_t cmirrord_t cronjob_t crontab_t logrotate_mail_t matahari_netd_t matahari_rpcd_t passenger_t arpwatch_t cardmgr_t cgclear_t chronyd_t cluster_t apcupsd_t fcoemon_t fingerd_t foghorn_t gpg_web_t rhev_agentd_consolehelper_t fprintd_t ftpdctl_t 
httpd_cobbler_script_t dcerpcd_t dovecot_t evtchnd_t gpg_agent_t telepathy_msn_t auditctl_t openshift_t jabberd_t kadmind_t hddtemp_t spamass_milter_t iceauth_t icecast_t prelude_correlator_t ncftool_t neutron_t openvpn_t postgrey_t lockdev_t mplayer_t ricci_modcluster_t irqbalance_t radiusd_t rlogind_t roundup_t srvsvcd_t stunnel_t sulogin_t svc_run_t syslogd_t sysstat_t nut_upsdrvctl_t rpcbind_t sandbox_t sensord_t sge_job_t portmap_t yppasswdd_t ptchown_t vbetool_t vdagent_t vhostmd_t zarafa_ical_t winbind_t sysadm_sudo_t telnetd_t usbmuxd_t useradd_t afs_ptserver_t namespace_init_t httpd_mediawiki_script_t xserver_t condor_schedd_t condor_startd_t piranha_web_t user_screen_t condor_master_t greylist_milter_t calamaris_t staff_openoffice_t mailman_queue_t } ==  &&  || );

constrain { chr_file } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

mlsconstrain { chr_file } { create relabelto  } 
(  h1 h2  dom  l2 h2  ==  &&  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  || );

mlsconstrain { chr_file } { relabelfrom  } 
(  h1 h2  dom );

mlsconstrain { chr_file } { write setattr  } 
(  h1 h2  dom  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t virtd_lxc_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t ada_t fsadm_t kudzu_t lvm_t mdadm_t mono_t postfix_postdrop_t rpm_t wine_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t nova_volume_t nova_scheduler_t vmware_host_t haproxy_t prelink_t anaconda_t glance_api_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t postfix_pickup_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t depmod_t insmod_t kernel_t livecd_t lldpad_t mongod_t puppet_t apmd_t bcfg2_t clvmd_t crond_t ctdbd_t drbd_t inetd_t init_t iwhd_t l2tpd_t mount_t numad_t rhnsd_t slpd_t smsd_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t matahari_sysconfigd_t svnserve_t zarafa_server_t nova_direct_t matahari_hostd_t semanage_t sge_shepherd_t unconfined_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t neutron_t ricci_modcluster_t sensord_t sge_job_t zarafa_ical_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  ||  t1 { openshift_app_t qemu_t 
sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  t2 { sosreport_t git_session_t cfengine_execd_t bootloader_t netutils_t qmail_tcp_env_t devicekit_power_t sandbox_x_client_t nova_api_t sblim_reposd_t dkim_milter_t virt_qemu_ga_unconfined_t admin_crontab_t consolekit_t nova_compute_t nova_console_t pam_console_t zarafa_gateway_t policykit_grant_t logrotate_t openvswitch_t update_modules_t ssh_keysign_t nova_network_t qmail_rspawn_t uml_switch_t qmail_inject_t qmail_lspawn_t dirsrvadmin_unconfined_script_t gnomeclock_t httpd_cvs_script_t sandbox_net_client_t munin_mail_plugin_t ldconfig_t loadkeys_t smoltclient_t prelude_lml_t nova_objectstore_t dmidecode_t modemmanager_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t httpd_rotatelogs_t afs_kaserver_t munin_disk_plugin_t keystone_t kdumpgui_t httpd_bugzilla_script_t postfix_bounce_t httpd_smokeping_cgi_script_t nx_server_t policykit_auth_t ssh_keygen_t piranha_pulse_t sysadm_su_t virtd_lxc_t hald_mac_t iptables_t cachefilesd_t courier_sqwebmail_t postfix_cleanup_t munin_services_plugin_t postfix_showq_t openshift_app_t hostname_t shorewall_t showmount_t telepathy_gabble_t abrt_handle_event_t postfix_virtual_t dovecot_deliver_t ifconfig_t condor_startd_ssh_t qmail_clean_t qmail_local_t qmail_smtpd_t qmail_start_t sandbox_xserver_t setfiles_mac_t telepathy_sofiasip_t amanda_t initrc_t locate_t logadm_t mcelog_t nagios_t varnishd_t setkey_t sysadm_t tvtime_t tzdata_t vmware_t webadm_t ada_t afs_t aiccu_t aide_t alsa_t amtu_t apm_t avahi_t boinc_t canna_t ccs_t cdcc_t crack_t cvs_t cyrus_t dccm_t dhcpc_t dmesg_t dspam_t exim_t fsadm_t games_t getty_t gpg_t gpm_t ipsec_t irc_t irssi_t java_t kudzu_t lvm_t mdadm_t mono_t mrtg_t ndc_t nrpe_t pads_t pam_t ping_t postfix_postdrop_t postfix_postqueue_t qemu_t quota_t rdisc_t ricci_t rpm_t rsync_t rwho_t spamc_t vpnc_t wine_t xdm_t xfs_t xm_t zebra_t setroubleshoot_fixit_t staff_dbusd_t 
postfix_pipe_t virt_qmf_t nova_vncproxy_t httpd_nagios_script_t unconfined_dbusd_t unconfined_mount_t afs_fsserver_t prelink_cron_system_t sge_execd_t sysadm_ssh_agent_t cachefiles_kernel_t httpd_dirsrvadmin_script_t git_system_t httpd_suexec_t abrt_helper_t abrt_retrace_coredump_t usernetctl_t certwatch_t updfstab_t deltacloudd_t user_dbusd_t firewallgui_t glance_registry_t utempter_t setsebool_t telepathy_idle_t telepathy_mission_control_t webalizer_t cpucontrol_t gconfdefaultsm_t matahari_serviced_t httpd_php_t openoffice_t denyhosts_t memcached_t xguest_openoffice_t dirsrv_snmp_t dirsrvadmin_t smbcontrol_t oracleasm_t netlabel_mgmt_t oddjob_mkhomedir_t cyphesis_t gnomesystemmm_t kerneloops_t nova_volume_t varnishlog_t httpd_w3c_validator_script_t user_openoffice_t httpd_user_script_t accountsd_t cgconfig_t user_java_t user_mono_t user_wine_t ipsec_mgmt_t run_init_t sendmail_t shutdown_t audisp_remote_t dovecot_auth_t nova_scheduler_t dlm_controld_t gfs_controld_t smbmount_t asterisk_t bitlbee_t sepgsql_trusted_proc_t vmware_host_t checkpc_t saslauthd_t awstats_t munin_selinux_plugin_t gitosis_t dnsmasq_t krb5kdc_t openshift_cgroup_read_t sysadm_seunshare_t haproxy_t hotplug_t gpg_pinentry_t hwclock_t newrole_t zos_remote_t dcc_client_t mozilla_t plymouth_t procmail_t sanlock_t setrans_t traceroute_t pegasus_t prelink_t prelude_t privoxy_t staff_java_t staff_mono_t staff_sudo_t staff_wine_t wpa_cli_t httpd_awstats_script_t munin_system_plugin_t qmail_send_t anaconda_t glance_api_t piranha_fos_t piranha_lvs_t sandbox_x_t httpd_apcupsd_cgi_script_t local_login_t hald_dccm_t mysqld_safe_t ricci_modservice_t games_srv_t ricci_modstorage_t samba_net_t afs_bosserver_t httpd_nutups_cgi_script_t hald_sonypic_t openhpid_t boinc_project_t condor_procd_t nagios_mail_plugin_t virt_qemu_ga_t condor_negotiator_t nova_ajax_t nova_cert_t amanda_recover_t chrome_sandbox_t zarafa_spooler_t httpd_munin_script_t telepathy_salut_t rpm_script_t sysadm_passwd_t sysadm_screen_t 
nsplugin_t xguest_execmem_t zarafa_deliver_t sblim_gatherd_t antivirus_t bluetooth_helper_t dcc_dbclean_t nut_upsd_t staff_execmem_t user_execmem_t podsleuth_t system_cronjob_t sge_job_ssh_t zarafa_monitor_t openshift_initrc_t chroot_user_t httpd_openshift_script_t qmail_remote_t zarafa_indexer_t policykit_t httpd_sys_script_t tmpreaper_t staff_consolehelper_t svc_multilog_t ricci_modclusterd_t logwatch_t mailman_cgi_t pulseaudio_t mailman_mail_t mysqlmanagerd_t samba_unconfined_net_t bluetooth_t mencoder_t httpd_dspam_script_t plymouthd_t smokeping_t cfengine_monitord_t ksmtuned_t unconfined_notrans_t httpd_prewikka_script_t ricci_modlog_t ricci_modrpm_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t setroubleshootd_t nsplugin_config_t chrome_sandbox_nacl_t nagios_checkdisk_plugin_t postfix_master_t postfix_pickup_t devicekit_disk_t regex_milter_t firstboot_t hald_acl_t telepathy_sunshine_t postfix_local_t postfix_smtpd_t zabbix_agent_t samba_unconfined_script_t httpd_git_script_t nagios_services_plugin_t nagios_eventhandler_plugin_t rhsmcertd_t virt_bridgehelper_t munin_unconfined_plugin_t openshift_cron_t unconfined_java_t unconfined_mono_t courier_tcpd_t httpd_unconfined_script_t openvpn_unconfined_script_t NetworkManager_t qmail_queue_t sandbox_web_client_t groupadd_t audisp_t auditd_t chkpwd_t comsat_t dbskkd_t dccifd_t depmod_t dirsrv_t fenced_t gconfd_t groupd_t insmod_t iscsid_t kernel_t kismet_t kpropd_t ktalkd_t livecd_t lldpad_t lsassd_t lwregd_t mongod_t mysqld_t oddjob_t openct_t svc_start_t fail2ban_t passwd_t puppet_t qdiskd_t racoon_t soundd_t telepathy_stream_engine_t updpwd_t xguest_t xm_ssh_t ypbind_t ypserv_t zabbix_t abrt_t acct_t apmd_t bcfg2_t brctl_t cgred_t chfn_t ciped_t clogd_t clvmd_t crond_t ctdbd_t cupsd_t dccd_t dhcpd_t dictd_t drbd_t ftpd_t gpsd_t gssd_t guest_t hald_t howl_t hplip_t httpd_t inetd_t init_t innd_t iwhd_t kdump_t klogd_t l2tpd_t lircd_t lpd_t lpr_t lwiod_t lwsmd_t mount_t mpd_t munin_t named_t nfsd_t nmbd_t 
nscd_t nslcd_t ntop_t ntpd_t numad_t pcscd_t pingd_t pppd_t pptp_t psad_t ptal_t qpidd_t radvd_t rhgb_t rhnsd_t rpcd_t rshd_t rssh_t slapd_t slpd_t smbd_t smsd_t snmpd_t snort_t spamd_t squid_t ssh_t sshd_t sssd_t staff_t svirt_t swat_t tcpd_t tftpd_t tgtd_t thin_t tor_t tuned_t udev_t ulogd_t uml_t user_t uucpd_t uuidd_t uux_t virtd_t wdmd_t xauth_t xend_t ypxfr_t eventlogd_t nagios_system_plugin_t postfix_qmgr_t postfix_smtp_t prelude_audisp_t courier_authdaemon_t afs_vlserver_t fsdaemon_t watchdog_t abrt_retrace_worker_t mozilla_plugin_config_t jabberd_router_t policykit_resolve_t winbind_helper_t load_policy_t nut_upsmon_t cupsd_config_t hald_keymap_t httpd_helper_t rtkit_daemon_t nagios_unconfined_plugin_t glusterd_t sandbox_min_t sandbox_net_t sandbox_web_t user_seunshare_t xguest_java_t xguest_mono_t logwatch_mail_t cupsd_lpd_t devicekit_t postfix_map_t remote_login_t inetd_child_t automount_t ethereal_t fetchmail_t netlogond_t puppetmaster_t tethereal_t system_mail_t httpd_squid_script_t restorecond_t xdm_dbusd_t gpg_helper_t staff_ssh_agent_t matahari_sysconfigd_t portreserve_t cpufreqselector_t readahead_t abrt_dump_oops_t quota_nld_t staff_screen_t system_dbusd_t entropyd_t rhev_agentd_t xenstored_t sandbox_min_client_t cpuspeed_t nagios_admin_plugin_t svnserve_t guest_dbusd_t qmail_splogger_t xguest_dbusd_t cups_pdf_t postgresql_t mozilla_plugin_t courier_pcp_t courier_pop_t zarafa_server_t nova_direct_t matahari_hostd_t publicfile_t usbmodules_t sambagui_t staff_seunshare_t nx_server_ssh_t certmaster_t certmonger_t setfiles_t user_mail_t cdrecord_t sectoolm_t semanage_t checkpolicy_t portmap_helper_t sge_shepherd_t cobblerd_t consoletype_t unconfined_t xenconsoled_t user_ssh_agent_t cmirrord_t cronjob_t crontab_t logrotate_mail_t matahari_netd_t matahari_rpcd_t passenger_t arpwatch_t cardmgr_t cgclear_t chronyd_t cluster_t apcupsd_t fcoemon_t fingerd_t foghorn_t gpg_web_t rhev_agentd_consolehelper_t fprintd_t ftpdctl_t httpd_cobbler_script_t dcerpcd_t 
dovecot_t evtchnd_t gpg_agent_t telepathy_msn_t auditctl_t openshift_t jabberd_t kadmind_t hddtemp_t spamass_milter_t iceauth_t icecast_t prelude_correlator_t ncftool_t neutron_t openvpn_t postgrey_t lockdev_t mplayer_t ricci_modcluster_t irqbalance_t radiusd_t rlogind_t roundup_t srvsvcd_t stunnel_t sulogin_t svc_run_t syslogd_t sysstat_t nut_upsdrvctl_t rpcbind_t sandbox_t sensord_t sge_job_t portmap_t yppasswdd_t ptchown_t vbetool_t vdagent_t vhostmd_t zarafa_ical_t winbind_t sysadm_sudo_t telnetd_t usbmuxd_t useradd_t afs_ptserver_t namespace_init_t httpd_mediawiki_script_t xserver_t condor_schedd_t condor_startd_t piranha_web_t user_screen_t condor_master_t greylist_milter_t calamaris_t staff_openoffice_t mailman_queue_t } ==  &&  || );

mlsconstrain { chr_file } { ioctl read getattr  } 
(  h1 h2  dom  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t virtd_lxc_t postfix_showq_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t ada_t fsadm_t kudzu_t lvm_t mdadm_t mono_t postfix_postdrop_t rpm_t wine_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t nova_volume_t nova_scheduler_t vmware_host_t haproxy_t prelink_t anaconda_t glance_api_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t postfix_master_t postfix_pickup_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t depmod_t insmod_t kernel_t livecd_t lldpad_t mongod_t puppet_t apmd_t bcfg2_t cgred_t clvmd_t crond_t ctdbd_t drbd_t hald_t inetd_t init_t iwhd_t l2tpd_t mount_t numad_t rhnsd_t slpd_t smsd_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t matahari_sysconfigd_t readahead_t svnserve_t zarafa_server_t nova_direct_t matahari_hostd_t semanage_t sge_shepherd_t unconfined_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t neutron_t ricci_modcluster_t sensord_t sge_job_t zarafa_ical_t useradd_t xserver_t condor_schedd_t condor_startd_t condor_master_t } 
==  ||  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  t2 { sosreport_t git_session_t cfengine_execd_t bootloader_t netutils_t qmail_tcp_env_t devicekit_power_t sandbox_x_client_t nova_api_t sblim_reposd_t dkim_milter_t virt_qemu_ga_unconfined_t admin_crontab_t consolekit_t nova_compute_t nova_console_t pam_console_t zarafa_gateway_t policykit_grant_t logrotate_t openvswitch_t update_modules_t ssh_keysign_t nova_network_t qmail_rspawn_t uml_switch_t qmail_inject_t qmail_lspawn_t dirsrvadmin_unconfined_script_t gnomeclock_t httpd_cvs_script_t sandbox_net_client_t munin_mail_plugin_t ldconfig_t loadkeys_t smoltclient_t prelude_lml_t nova_objectstore_t dmidecode_t modemmanager_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t httpd_rotatelogs_t afs_kaserver_t munin_disk_plugin_t keystone_t kdumpgui_t httpd_bugzilla_script_t postfix_bounce_t httpd_smokeping_cgi_script_t nx_server_t policykit_auth_t ssh_keygen_t piranha_pulse_t sysadm_su_t virtd_lxc_t hald_mac_t iptables_t cachefilesd_t courier_sqwebmail_t postfix_cleanup_t munin_services_plugin_t postfix_showq_t openshift_app_t hostname_t shorewall_t showmount_t telepathy_gabble_t abrt_handle_event_t postfix_virtual_t dovecot_deliver_t ifconfig_t condor_startd_ssh_t qmail_clean_t qmail_local_t qmail_smtpd_t qmail_start_t sandbox_xserver_t setfiles_mac_t telepathy_sofiasip_t amanda_t initrc_t locate_t logadm_t mcelog_t nagios_t varnishd_t setkey_t sysadm_t tvtime_t tzdata_t vmware_t webadm_t ada_t afs_t aiccu_t aide_t alsa_t amtu_t apm_t avahi_t boinc_t canna_t ccs_t cdcc_t crack_t cvs_t cyrus_t dccm_t dhcpc_t dmesg_t dspam_t exim_t fsadm_t games_t getty_t gpg_t gpm_t ipsec_t irc_t irssi_t java_t kudzu_t lvm_t mdadm_t mono_t mrtg_t ndc_t nrpe_t pads_t pam_t ping_t postfix_postdrop_t postfix_postqueue_t qemu_t quota_t rdisc_t ricci_t rpm_t rsync_t rwho_t spamc_t vpnc_t wine_t xdm_t xfs_t xm_t zebra_t 
setroubleshoot_fixit_t staff_dbusd_t postfix_pipe_t virt_qmf_t nova_vncproxy_t httpd_nagios_script_t unconfined_dbusd_t unconfined_mount_t afs_fsserver_t prelink_cron_system_t sge_execd_t sysadm_ssh_agent_t cachefiles_kernel_t httpd_dirsrvadmin_script_t git_system_t httpd_suexec_t abrt_helper_t abrt_retrace_coredump_t usernetctl_t certwatch_t updfstab_t deltacloudd_t user_dbusd_t firewallgui_t glance_registry_t utempter_t setsebool_t telepathy_idle_t telepathy_mission_control_t webalizer_t cpucontrol_t gconfdefaultsm_t matahari_serviced_t httpd_php_t openoffice_t denyhosts_t memcached_t xguest_openoffice_t dirsrv_snmp_t dirsrvadmin_t smbcontrol_t oracleasm_t netlabel_mgmt_t oddjob_mkhomedir_t cyphesis_t gnomesystemmm_t kerneloops_t nova_volume_t varnishlog_t httpd_w3c_validator_script_t user_openoffice_t httpd_user_script_t accountsd_t cgconfig_t user_java_t user_mono_t user_wine_t ipsec_mgmt_t run_init_t sendmail_t shutdown_t audisp_remote_t dovecot_auth_t nova_scheduler_t dlm_controld_t gfs_controld_t smbmount_t asterisk_t bitlbee_t sepgsql_trusted_proc_t vmware_host_t checkpc_t saslauthd_t awstats_t munin_selinux_plugin_t gitosis_t dnsmasq_t krb5kdc_t openshift_cgroup_read_t sysadm_seunshare_t haproxy_t hotplug_t gpg_pinentry_t hwclock_t newrole_t zos_remote_t dcc_client_t mozilla_t plymouth_t procmail_t sanlock_t setrans_t traceroute_t pegasus_t prelink_t prelude_t privoxy_t staff_java_t staff_mono_t staff_sudo_t staff_wine_t wpa_cli_t httpd_awstats_script_t munin_system_plugin_t qmail_send_t anaconda_t glance_api_t piranha_fos_t piranha_lvs_t sandbox_x_t httpd_apcupsd_cgi_script_t local_login_t hald_dccm_t mysqld_safe_t ricci_modservice_t games_srv_t ricci_modstorage_t samba_net_t afs_bosserver_t httpd_nutups_cgi_script_t hald_sonypic_t openhpid_t boinc_project_t condor_procd_t nagios_mail_plugin_t virt_qemu_ga_t condor_negotiator_t nova_ajax_t nova_cert_t amanda_recover_t chrome_sandbox_t zarafa_spooler_t httpd_munin_script_t telepathy_salut_t rpm_script_t 
sysadm_passwd_t sysadm_screen_t nsplugin_t xguest_execmem_t zarafa_deliver_t sblim_gatherd_t antivirus_t bluetooth_helper_t dcc_dbclean_t nut_upsd_t staff_execmem_t user_execmem_t podsleuth_t system_cronjob_t sge_job_ssh_t zarafa_monitor_t openshift_initrc_t chroot_user_t httpd_openshift_script_t qmail_remote_t zarafa_indexer_t policykit_t httpd_sys_script_t tmpreaper_t staff_consolehelper_t svc_multilog_t ricci_modclusterd_t logwatch_t mailman_cgi_t pulseaudio_t mailman_mail_t mysqlmanagerd_t samba_unconfined_net_t bluetooth_t mencoder_t httpd_dspam_script_t plymouthd_t smokeping_t cfengine_monitord_t ksmtuned_t unconfined_notrans_t httpd_prewikka_script_t ricci_modlog_t ricci_modrpm_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t setroubleshootd_t nsplugin_config_t chrome_sandbox_nacl_t nagios_checkdisk_plugin_t postfix_master_t postfix_pickup_t devicekit_disk_t regex_milter_t firstboot_t hald_acl_t telepathy_sunshine_t postfix_local_t postfix_smtpd_t zabbix_agent_t samba_unconfined_script_t httpd_git_script_t nagios_services_plugin_t nagios_eventhandler_plugin_t rhsmcertd_t virt_bridgehelper_t munin_unconfined_plugin_t openshift_cron_t unconfined_java_t unconfined_mono_t courier_tcpd_t httpd_unconfined_script_t openvpn_unconfined_script_t NetworkManager_t qmail_queue_t sandbox_web_client_t groupadd_t audisp_t auditd_t chkpwd_t comsat_t dbskkd_t dccifd_t depmod_t dirsrv_t fenced_t gconfd_t groupd_t insmod_t iscsid_t kernel_t kismet_t kpropd_t ktalkd_t livecd_t lldpad_t lsassd_t lwregd_t mongod_t mysqld_t oddjob_t openct_t svc_start_t fail2ban_t passwd_t puppet_t qdiskd_t racoon_t soundd_t telepathy_stream_engine_t updpwd_t xguest_t xm_ssh_t ypbind_t ypserv_t zabbix_t abrt_t acct_t apmd_t bcfg2_t brctl_t cgred_t chfn_t ciped_t clogd_t clvmd_t crond_t ctdbd_t cupsd_t dccd_t dhcpd_t dictd_t drbd_t ftpd_t gpsd_t gssd_t guest_t hald_t howl_t hplip_t httpd_t inetd_t init_t innd_t iwhd_t kdump_t klogd_t l2tpd_t lircd_t lpd_t lpr_t lwiod_t lwsmd_t mount_t mpd_t 
munin_t named_t nfsd_t nmbd_t nscd_t nslcd_t ntop_t ntpd_t numad_t pcscd_t pingd_t pppd_t pptp_t psad_t ptal_t qpidd_t radvd_t rhgb_t rhnsd_t rpcd_t rshd_t rssh_t slapd_t slpd_t smbd_t smsd_t snmpd_t snort_t spamd_t squid_t ssh_t sshd_t sssd_t staff_t svirt_t swat_t tcpd_t tftpd_t tgtd_t thin_t tor_t tuned_t udev_t ulogd_t uml_t user_t uucpd_t uuidd_t uux_t virtd_t wdmd_t xauth_t xend_t ypxfr_t eventlogd_t nagios_system_plugin_t postfix_qmgr_t postfix_smtp_t prelude_audisp_t courier_authdaemon_t afs_vlserver_t fsdaemon_t watchdog_t abrt_retrace_worker_t mozilla_plugin_config_t jabberd_router_t policykit_resolve_t winbind_helper_t load_policy_t nut_upsmon_t cupsd_config_t hald_keymap_t httpd_helper_t rtkit_daemon_t nagios_unconfined_plugin_t glusterd_t sandbox_min_t sandbox_net_t sandbox_web_t user_seunshare_t xguest_java_t xguest_mono_t logwatch_mail_t cupsd_lpd_t devicekit_t postfix_map_t remote_login_t inetd_child_t automount_t ethereal_t fetchmail_t netlogond_t puppetmaster_t tethereal_t system_mail_t httpd_squid_script_t restorecond_t xdm_dbusd_t gpg_helper_t staff_ssh_agent_t matahari_sysconfigd_t portreserve_t cpufreqselector_t readahead_t abrt_dump_oops_t quota_nld_t staff_screen_t system_dbusd_t entropyd_t rhev_agentd_t xenstored_t sandbox_min_client_t cpuspeed_t nagios_admin_plugin_t svnserve_t guest_dbusd_t qmail_splogger_t xguest_dbusd_t cups_pdf_t postgresql_t mozilla_plugin_t courier_pcp_t courier_pop_t zarafa_server_t nova_direct_t matahari_hostd_t publicfile_t usbmodules_t sambagui_t staff_seunshare_t nx_server_ssh_t certmaster_t certmonger_t setfiles_t user_mail_t cdrecord_t sectoolm_t semanage_t checkpolicy_t portmap_helper_t sge_shepherd_t cobblerd_t consoletype_t unconfined_t xenconsoled_t user_ssh_agent_t cmirrord_t cronjob_t crontab_t logrotate_mail_t matahari_netd_t matahari_rpcd_t passenger_t arpwatch_t cardmgr_t cgclear_t chronyd_t cluster_t apcupsd_t fcoemon_t fingerd_t foghorn_t gpg_web_t rhev_agentd_consolehelper_t fprintd_t ftpdctl_t 
httpd_cobbler_script_t dcerpcd_t dovecot_t evtchnd_t gpg_agent_t telepathy_msn_t auditctl_t openshift_t jabberd_t kadmind_t hddtemp_t spamass_milter_t iceauth_t icecast_t prelude_correlator_t ncftool_t neutron_t openvpn_t postgrey_t lockdev_t mplayer_t ricci_modcluster_t irqbalance_t radiusd_t rlogind_t roundup_t srvsvcd_t stunnel_t sulogin_t svc_run_t syslogd_t sysstat_t nut_upsdrvctl_t rpcbind_t sandbox_t sensord_t sge_job_t portmap_t yppasswdd_t ptchown_t vbetool_t vdagent_t vhostmd_t zarafa_ical_t winbind_t sysadm_sudo_t telnetd_t usbmuxd_t useradd_t afs_ptserver_t namespace_init_t httpd_mediawiki_script_t xserver_t condor_schedd_t condor_startd_t piranha_web_t user_screen_t condor_master_t greylist_milter_t calamaris_t staff_openoffice_t mailman_queue_t } ==  &&  || );

mlsconstrain { db_table } { drop getattr setattr relabelfrom use select update insert delete lock  } 
(  h1 h2  dom );

mlsconstrain { db_table } { create relabelto  } 
(  h1 h2  dom  l2 h2  ==  && );

mlsconstrain { db_tuple } { relabelfrom use select update delete  } 
(  h1 h2  dom );

mlsconstrain { db_tuple } { relabelto insert  } 
(  h1 h2  dom  l2 h2  ==  && );

constrain { lnk_file } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

mlsconstrain { lnk_file } { create relabelto  } 
(  h1 h2  dom  l2 h2  ==  &&  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  || );

mlsconstrain { lnk_file } { relabelfrom  } 
(  h1 h2  dom );

mlsconstrain { lnk_file } { write setattr  } 
(  h1 h2  dom  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t virtd_lxc_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t ada_t fsadm_t kudzu_t lvm_t mdadm_t mono_t postfix_postdrop_t rpm_t wine_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t nova_volume_t nova_scheduler_t vmware_host_t haproxy_t prelink_t anaconda_t glance_api_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t postfix_pickup_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t depmod_t insmod_t kernel_t livecd_t lldpad_t mongod_t puppet_t apmd_t bcfg2_t clvmd_t crond_t ctdbd_t drbd_t inetd_t init_t iwhd_t l2tpd_t mount_t numad_t rhnsd_t slpd_t smsd_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t matahari_sysconfigd_t svnserve_t zarafa_server_t nova_direct_t matahari_hostd_t semanage_t sge_shepherd_t unconfined_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t neutron_t ricci_modcluster_t sensord_t sge_job_t zarafa_ical_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  ||  t1 { openshift_app_t qemu_t 
sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  t2 { sosreport_t git_session_t cfengine_execd_t bootloader_t netutils_t qmail_tcp_env_t devicekit_power_t sandbox_x_client_t nova_api_t sblim_reposd_t dkim_milter_t virt_qemu_ga_unconfined_t admin_crontab_t consolekit_t nova_compute_t nova_console_t pam_console_t zarafa_gateway_t policykit_grant_t logrotate_t openvswitch_t update_modules_t ssh_keysign_t nova_network_t qmail_rspawn_t uml_switch_t qmail_inject_t qmail_lspawn_t dirsrvadmin_unconfined_script_t gnomeclock_t httpd_cvs_script_t sandbox_net_client_t munin_mail_plugin_t ldconfig_t loadkeys_t smoltclient_t prelude_lml_t nova_objectstore_t dmidecode_t modemmanager_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t httpd_rotatelogs_t afs_kaserver_t munin_disk_plugin_t keystone_t kdumpgui_t httpd_bugzilla_script_t postfix_bounce_t httpd_smokeping_cgi_script_t nx_server_t policykit_auth_t ssh_keygen_t piranha_pulse_t sysadm_su_t virtd_lxc_t hald_mac_t iptables_t cachefilesd_t courier_sqwebmail_t postfix_cleanup_t munin_services_plugin_t postfix_showq_t openshift_app_t hostname_t shorewall_t showmount_t telepathy_gabble_t abrt_handle_event_t postfix_virtual_t dovecot_deliver_t ifconfig_t condor_startd_ssh_t qmail_clean_t qmail_local_t qmail_smtpd_t qmail_start_t sandbox_xserver_t setfiles_mac_t telepathy_sofiasip_t amanda_t initrc_t locate_t logadm_t mcelog_t nagios_t varnishd_t setkey_t sysadm_t tvtime_t tzdata_t vmware_t webadm_t ada_t afs_t aiccu_t aide_t alsa_t amtu_t apm_t avahi_t boinc_t canna_t ccs_t cdcc_t crack_t cvs_t cyrus_t dccm_t dhcpc_t dmesg_t dspam_t exim_t fsadm_t games_t getty_t gpg_t gpm_t ipsec_t irc_t irssi_t java_t kudzu_t lvm_t mdadm_t mono_t mrtg_t ndc_t nrpe_t pads_t pam_t ping_t postfix_postdrop_t postfix_postqueue_t qemu_t quota_t rdisc_t ricci_t rpm_t rsync_t rwho_t spamc_t vpnc_t wine_t xdm_t xfs_t xm_t zebra_t setroubleshoot_fixit_t staff_dbusd_t 
postfix_pipe_t virt_qmf_t nova_vncproxy_t httpd_nagios_script_t unconfined_dbusd_t unconfined_mount_t afs_fsserver_t prelink_cron_system_t sge_execd_t sysadm_ssh_agent_t cachefiles_kernel_t httpd_dirsrvadmin_script_t git_system_t httpd_suexec_t abrt_helper_t abrt_retrace_coredump_t usernetctl_t certwatch_t updfstab_t deltacloudd_t user_dbusd_t firewallgui_t glance_registry_t utempter_t setsebool_t telepathy_idle_t telepathy_mission_control_t webalizer_t cpucontrol_t gconfdefaultsm_t matahari_serviced_t httpd_php_t openoffice_t denyhosts_t memcached_t xguest_openoffice_t dirsrv_snmp_t dirsrvadmin_t smbcontrol_t oracleasm_t netlabel_mgmt_t oddjob_mkhomedir_t cyphesis_t gnomesystemmm_t kerneloops_t nova_volume_t varnishlog_t httpd_w3c_validator_script_t user_openoffice_t httpd_user_script_t accountsd_t cgconfig_t user_java_t user_mono_t user_wine_t ipsec_mgmt_t run_init_t sendmail_t shutdown_t audisp_remote_t dovecot_auth_t nova_scheduler_t dlm_controld_t gfs_controld_t smbmount_t asterisk_t bitlbee_t sepgsql_trusted_proc_t vmware_host_t checkpc_t saslauthd_t awstats_t munin_selinux_plugin_t gitosis_t dnsmasq_t krb5kdc_t openshift_cgroup_read_t sysadm_seunshare_t haproxy_t hotplug_t gpg_pinentry_t hwclock_t newrole_t zos_remote_t dcc_client_t mozilla_t plymouth_t procmail_t sanlock_t setrans_t traceroute_t pegasus_t prelink_t prelude_t privoxy_t staff_java_t staff_mono_t staff_sudo_t staff_wine_t wpa_cli_t httpd_awstats_script_t munin_system_plugin_t qmail_send_t anaconda_t glance_api_t piranha_fos_t piranha_lvs_t sandbox_x_t httpd_apcupsd_cgi_script_t local_login_t hald_dccm_t mysqld_safe_t ricci_modservice_t games_srv_t ricci_modstorage_t samba_net_t afs_bosserver_t httpd_nutups_cgi_script_t hald_sonypic_t openhpid_t boinc_project_t condor_procd_t nagios_mail_plugin_t virt_qemu_ga_t condor_negotiator_t nova_ajax_t nova_cert_t amanda_recover_t chrome_sandbox_t zarafa_spooler_t httpd_munin_script_t telepathy_salut_t rpm_script_t sysadm_passwd_t sysadm_screen_t 
nsplugin_t xguest_execmem_t zarafa_deliver_t sblim_gatherd_t antivirus_t bluetooth_helper_t dcc_dbclean_t nut_upsd_t staff_execmem_t user_execmem_t podsleuth_t system_cronjob_t sge_job_ssh_t zarafa_monitor_t openshift_initrc_t chroot_user_t httpd_openshift_script_t qmail_remote_t zarafa_indexer_t policykit_t httpd_sys_script_t tmpreaper_t staff_consolehelper_t svc_multilog_t ricci_modclusterd_t logwatch_t mailman_cgi_t pulseaudio_t mailman_mail_t mysqlmanagerd_t samba_unconfined_net_t bluetooth_t mencoder_t httpd_dspam_script_t plymouthd_t smokeping_t cfengine_monitord_t ksmtuned_t unconfined_notrans_t httpd_prewikka_script_t ricci_modlog_t ricci_modrpm_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t setroubleshootd_t nsplugin_config_t chrome_sandbox_nacl_t nagios_checkdisk_plugin_t postfix_master_t postfix_pickup_t devicekit_disk_t regex_milter_t firstboot_t hald_acl_t telepathy_sunshine_t postfix_local_t postfix_smtpd_t zabbix_agent_t samba_unconfined_script_t httpd_git_script_t nagios_services_plugin_t nagios_eventhandler_plugin_t rhsmcertd_t virt_bridgehelper_t munin_unconfined_plugin_t openshift_cron_t unconfined_java_t unconfined_mono_t courier_tcpd_t httpd_unconfined_script_t openvpn_unconfined_script_t NetworkManager_t qmail_queue_t sandbox_web_client_t groupadd_t audisp_t auditd_t chkpwd_t comsat_t dbskkd_t dccifd_t depmod_t dirsrv_t fenced_t gconfd_t groupd_t insmod_t iscsid_t kernel_t kismet_t kpropd_t ktalkd_t livecd_t lldpad_t lsassd_t lwregd_t mongod_t mysqld_t oddjob_t openct_t svc_start_t fail2ban_t passwd_t puppet_t qdiskd_t racoon_t soundd_t telepathy_stream_engine_t updpwd_t xguest_t xm_ssh_t ypbind_t ypserv_t zabbix_t abrt_t acct_t apmd_t bcfg2_t brctl_t cgred_t chfn_t ciped_t clogd_t clvmd_t crond_t ctdbd_t cupsd_t dccd_t dhcpd_t dictd_t drbd_t ftpd_t gpsd_t gssd_t guest_t hald_t howl_t hplip_t httpd_t inetd_t init_t innd_t iwhd_t kdump_t klogd_t l2tpd_t lircd_t lpd_t lpr_t lwiod_t lwsmd_t mount_t mpd_t munin_t named_t nfsd_t nmbd_t 
nscd_t nslcd_t ntop_t ntpd_t numad_t pcscd_t pingd_t pppd_t pptp_t psad_t ptal_t qpidd_t radvd_t rhgb_t rhnsd_t rpcd_t rshd_t rssh_t slapd_t slpd_t smbd_t smsd_t snmpd_t snort_t spamd_t squid_t ssh_t sshd_t sssd_t staff_t svirt_t swat_t tcpd_t tftpd_t tgtd_t thin_t tor_t tuned_t udev_t ulogd_t uml_t user_t uucpd_t uuidd_t uux_t virtd_t wdmd_t xauth_t xend_t ypxfr_t eventlogd_t nagios_system_plugin_t postfix_qmgr_t postfix_smtp_t prelude_audisp_t courier_authdaemon_t afs_vlserver_t fsdaemon_t watchdog_t abrt_retrace_worker_t mozilla_plugin_config_t jabberd_router_t policykit_resolve_t winbind_helper_t load_policy_t nut_upsmon_t cupsd_config_t hald_keymap_t httpd_helper_t rtkit_daemon_t nagios_unconfined_plugin_t glusterd_t sandbox_min_t sandbox_net_t sandbox_web_t user_seunshare_t xguest_java_t xguest_mono_t logwatch_mail_t cupsd_lpd_t devicekit_t postfix_map_t remote_login_t inetd_child_t automount_t ethereal_t fetchmail_t netlogond_t puppetmaster_t tethereal_t system_mail_t httpd_squid_script_t restorecond_t xdm_dbusd_t gpg_helper_t staff_ssh_agent_t matahari_sysconfigd_t portreserve_t cpufreqselector_t readahead_t abrt_dump_oops_t quota_nld_t staff_screen_t system_dbusd_t entropyd_t rhev_agentd_t xenstored_t sandbox_min_client_t cpuspeed_t nagios_admin_plugin_t svnserve_t guest_dbusd_t qmail_splogger_t xguest_dbusd_t cups_pdf_t postgresql_t mozilla_plugin_t courier_pcp_t courier_pop_t zarafa_server_t nova_direct_t matahari_hostd_t publicfile_t usbmodules_t sambagui_t staff_seunshare_t nx_server_ssh_t certmaster_t certmonger_t setfiles_t user_mail_t cdrecord_t sectoolm_t semanage_t checkpolicy_t portmap_helper_t sge_shepherd_t cobblerd_t consoletype_t unconfined_t xenconsoled_t user_ssh_agent_t cmirrord_t cronjob_t crontab_t logrotate_mail_t matahari_netd_t matahari_rpcd_t passenger_t arpwatch_t cardmgr_t cgclear_t chronyd_t cluster_t apcupsd_t fcoemon_t fingerd_t foghorn_t gpg_web_t rhev_agentd_consolehelper_t fprintd_t ftpdctl_t httpd_cobbler_script_t dcerpcd_t 
dovecot_t evtchnd_t gpg_agent_t telepathy_msn_t auditctl_t openshift_t jabberd_t kadmind_t hddtemp_t spamass_milter_t iceauth_t icecast_t prelude_correlator_t ncftool_t neutron_t openvpn_t postgrey_t lockdev_t mplayer_t ricci_modcluster_t irqbalance_t radiusd_t rlogind_t roundup_t srvsvcd_t stunnel_t sulogin_t svc_run_t syslogd_t sysstat_t nut_upsdrvctl_t rpcbind_t sandbox_t sensord_t sge_job_t portmap_t yppasswdd_t ptchown_t vbetool_t vdagent_t vhostmd_t zarafa_ical_t winbind_t sysadm_sudo_t telnetd_t usbmuxd_t useradd_t afs_ptserver_t namespace_init_t httpd_mediawiki_script_t xserver_t condor_schedd_t condor_startd_t piranha_web_t user_screen_t condor_master_t greylist_milter_t calamaris_t staff_openoffice_t mailman_queue_t } ==  &&  || );

mlsconstrain { lnk_file } { ioctl read getattr  } 
(  h1 h2  dom  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t virtd_lxc_t postfix_showq_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t ada_t fsadm_t kudzu_t lvm_t mdadm_t mono_t postfix_postdrop_t rpm_t wine_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t nova_volume_t nova_scheduler_t vmware_host_t haproxy_t prelink_t anaconda_t glance_api_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t postfix_master_t postfix_pickup_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t depmod_t insmod_t kernel_t livecd_t lldpad_t mongod_t puppet_t apmd_t bcfg2_t cgred_t clvmd_t crond_t ctdbd_t drbd_t hald_t inetd_t init_t iwhd_t l2tpd_t mount_t numad_t rhnsd_t slpd_t smsd_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t matahari_sysconfigd_t readahead_t svnserve_t zarafa_server_t nova_direct_t matahari_hostd_t semanage_t sge_shepherd_t unconfined_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t neutron_t ricci_modcluster_t sensord_t sge_job_t zarafa_ical_t useradd_t xserver_t condor_schedd_t condor_startd_t condor_master_t } 
==  ||  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  t2 { sosreport_t git_session_t cfengine_execd_t bootloader_t netutils_t qmail_tcp_env_t devicekit_power_t sandbox_x_client_t nova_api_t sblim_reposd_t dkim_milter_t virt_qemu_ga_unconfined_t admin_crontab_t consolekit_t nova_compute_t nova_console_t pam_console_t zarafa_gateway_t policykit_grant_t logrotate_t openvswitch_t update_modules_t ssh_keysign_t nova_network_t qmail_rspawn_t uml_switch_t qmail_inject_t qmail_lspawn_t dirsrvadmin_unconfined_script_t gnomeclock_t httpd_cvs_script_t sandbox_net_client_t munin_mail_plugin_t ldconfig_t loadkeys_t smoltclient_t prelude_lml_t nova_objectstore_t dmidecode_t modemmanager_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t httpd_rotatelogs_t afs_kaserver_t munin_disk_plugin_t keystone_t kdumpgui_t httpd_bugzilla_script_t postfix_bounce_t httpd_smokeping_cgi_script_t nx_server_t policykit_auth_t ssh_keygen_t piranha_pulse_t sysadm_su_t virtd_lxc_t hald_mac_t iptables_t cachefilesd_t courier_sqwebmail_t postfix_cleanup_t munin_services_plugin_t postfix_showq_t openshift_app_t hostname_t shorewall_t showmount_t telepathy_gabble_t abrt_handle_event_t postfix_virtual_t dovecot_deliver_t ifconfig_t condor_startd_ssh_t qmail_clean_t qmail_local_t qmail_smtpd_t qmail_start_t sandbox_xserver_t setfiles_mac_t telepathy_sofiasip_t amanda_t initrc_t locate_t logadm_t mcelog_t nagios_t varnishd_t setkey_t sysadm_t tvtime_t tzdata_t vmware_t webadm_t ada_t afs_t aiccu_t aide_t alsa_t amtu_t apm_t avahi_t boinc_t canna_t ccs_t cdcc_t crack_t cvs_t cyrus_t dccm_t dhcpc_t dmesg_t dspam_t exim_t fsadm_t games_t getty_t gpg_t gpm_t ipsec_t irc_t irssi_t java_t kudzu_t lvm_t mdadm_t mono_t mrtg_t ndc_t nrpe_t pads_t pam_t ping_t postfix_postdrop_t postfix_postqueue_t qemu_t quota_t rdisc_t ricci_t rpm_t rsync_t rwho_t spamc_t vpnc_t wine_t xdm_t xfs_t xm_t zebra_t 
setroubleshoot_fixit_t staff_dbusd_t postfix_pipe_t virt_qmf_t nova_vncproxy_t httpd_nagios_script_t unconfined_dbusd_t unconfined_mount_t afs_fsserver_t prelink_cron_system_t sge_execd_t sysadm_ssh_agent_t cachefiles_kernel_t httpd_dirsrvadmin_script_t git_system_t httpd_suexec_t abrt_helper_t abrt_retrace_coredump_t usernetctl_t certwatch_t updfstab_t deltacloudd_t user_dbusd_t firewallgui_t glance_registry_t utempter_t setsebool_t telepathy_idle_t telepathy_mission_control_t webalizer_t cpucontrol_t gconfdefaultsm_t matahari_serviced_t httpd_php_t openoffice_t denyhosts_t memcached_t xguest_openoffice_t dirsrv_snmp_t dirsrvadmin_t smbcontrol_t oracleasm_t netlabel_mgmt_t oddjob_mkhomedir_t cyphesis_t gnomesystemmm_t kerneloops_t nova_volume_t varnishlog_t httpd_w3c_validator_script_t user_openoffice_t httpd_user_script_t accountsd_t cgconfig_t user_java_t user_mono_t user_wine_t ipsec_mgmt_t run_init_t sendmail_t shutdown_t audisp_remote_t dovecot_auth_t nova_scheduler_t dlm_controld_t gfs_controld_t smbmount_t asterisk_t bitlbee_t sepgsql_trusted_proc_t vmware_host_t checkpc_t saslauthd_t awstats_t munin_selinux_plugin_t gitosis_t dnsmasq_t krb5kdc_t openshift_cgroup_read_t sysadm_seunshare_t haproxy_t hotplug_t gpg_pinentry_t hwclock_t newrole_t zos_remote_t dcc_client_t mozilla_t plymouth_t procmail_t sanlock_t setrans_t traceroute_t pegasus_t prelink_t prelude_t privoxy_t staff_java_t staff_mono_t staff_sudo_t staff_wine_t wpa_cli_t httpd_awstats_script_t munin_system_plugin_t qmail_send_t anaconda_t glance_api_t piranha_fos_t piranha_lvs_t sandbox_x_t httpd_apcupsd_cgi_script_t local_login_t hald_dccm_t mysqld_safe_t ricci_modservice_t games_srv_t ricci_modstorage_t samba_net_t afs_bosserver_t httpd_nutups_cgi_script_t hald_sonypic_t openhpid_t boinc_project_t condor_procd_t nagios_mail_plugin_t virt_qemu_ga_t condor_negotiator_t nova_ajax_t nova_cert_t amanda_recover_t chrome_sandbox_t zarafa_spooler_t httpd_munin_script_t telepathy_salut_t rpm_script_t 
nsplugin_t xguest_execmem_t zarafa_deliver_t sblim_gatherd_t antivirus_t bluetooth_helper_t dcc_dbclean_t nut_upsd_t staff_execmem_t user_execmem_t podsleuth_t system_cronjob_t sge_job_ssh_t zarafa_monitor_t openshift_initrc_t chroot_user_t httpd_openshift_script_t qmail_remote_t zarafa_indexer_t policykit_t httpd_sys_script_t tmpreaper_t staff_consolehelper_t svc_multilog_t ricci_modclusterd_t logwatch_t mailman_cgi_t pulseaudio_t mailman_mail_t mysqlmanagerd_t samba_unconfined_net_t bluetooth_t mencoder_t httpd_dspam_script_t plymouthd_t smokeping_t cfengine_monitord_t ksmtuned_t unconfined_notrans_t httpd_prewikka_script_t ricci_modlog_t ricci_modrpm_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t setroubleshootd_t nsplugin_config_t chrome_sandbox_nacl_t nagios_checkdisk_plugin_t postfix_master_t postfix_pickup_t devicekit_disk_t regex_milter_t firstboot_t hald_acl_t telepathy_sunshine_t postfix_local_t postfix_smtpd_t zabbix_agent_t samba_unconfined_script_t httpd_git_script_t nagios_services_plugin_t nagios_eventhandler_plugin_t rhsmcertd_t virt_bridgehelper_t munin_unconfined_plugin_t openshift_cron_t unconfined_java_t unconfined_mono_t courier_tcpd_t httpd_unconfined_script_t openvpn_unconfined_script_t NetworkManager_t qmail_queue_t sandbox_web_client_t groupadd_t audisp_t auditd_t chkpwd_t comsat_t dbskkd_t dccifd_t depmod_t dirsrv_t fenced_t gconfd_t groupd_t insmod_t iscsid_t kernel_t kismet_t kpropd_t ktalkd_t livecd_t lldpad_t lsassd_t lwregd_t mongod_t mysqld_t oddjob_t openct_t svc_start_t fail2ban_t passwd_t puppet_t qdiskd_t racoon_t soundd_t telepathy_stream_engine_t updpwd_t xguest_t xm_ssh_t ypbind_t ypserv_t zabbix_t abrt_t acct_t apmd_t bcfg2_t brctl_t cgred_t chfn_t ciped_t clogd_t clvmd_t crond_t ctdbd_t cupsd_t dccd_t dhcpd_t dictd_t drbd_t ftpd_t gpsd_t gssd_t guest_t hald_t howl_t hplip_t httpd_t inetd_t init_t innd_t iwhd_t kdump_t klogd_t l2tpd_t lircd_t lpd_t lpr_t lwiod_t lwsmd_t mount_t mpd_t munin_t named_t nfsd_t nmbd_t 
nscd_t nslcd_t ntop_t ntpd_t numad_t pcscd_t pingd_t pppd_t pptp_t psad_t ptal_t qpidd_t radvd_t rhgb_t rhnsd_t rpcd_t rshd_t rssh_t slapd_t slpd_t smbd_t smsd_t snmpd_t snort_t spamd_t squid_t ssh_t sshd_t sssd_t staff_t svirt_t swat_t tcpd_t tftpd_t tgtd_t thin_t tor_t tuned_t udev_t ulogd_t uml_t user_t uucpd_t uuidd_t uux_t virtd_t wdmd_t xauth_t xend_t ypxfr_t eventlogd_t nagios_system_plugin_t postfix_qmgr_t postfix_smtp_t prelude_audisp_t courier_authdaemon_t afs_vlserver_t fsdaemon_t watchdog_t abrt_retrace_worker_t mozilla_plugin_config_t jabberd_router_t policykit_resolve_t winbind_helper_t load_policy_t nut_upsmon_t cupsd_config_t hald_keymap_t httpd_helper_t rtkit_daemon_t nagios_unconfined_plugin_t glusterd_t sandbox_min_t sandbox_net_t sandbox_web_t user_seunshare_t xguest_java_t xguest_mono_t logwatch_mail_t cupsd_lpd_t devicekit_t postfix_map_t remote_login_t inetd_child_t automount_t ethereal_t fetchmail_t netlogond_t puppetmaster_t tethereal_t system_mail_t httpd_squid_script_t restorecond_t xdm_dbusd_t gpg_helper_t staff_ssh_agent_t matahari_sysconfigd_t portreserve_t cpufreqselector_t readahead_t abrt_dump_oops_t quota_nld_t staff_screen_t system_dbusd_t entropyd_t rhev_agentd_t xenstored_t sandbox_min_client_t cpuspeed_t nagios_admin_plugin_t svnserve_t guest_dbusd_t qmail_splogger_t xguest_dbusd_t cups_pdf_t postgresql_t mozilla_plugin_t courier_pcp_t courier_pop_t zarafa_server_t nova_direct_t matahari_hostd_t publicfile_t usbmodules_t sambagui_t staff_seunshare_t nx_server_ssh_t certmaster_t certmonger_t setfiles_t user_mail_t cdrecord_t sectoolm_t semanage_t checkpolicy_t portmap_helper_t sge_shepherd_t cobblerd_t consoletype_t unconfined_t xenconsoled_t user_ssh_agent_t cmirrord_t cronjob_t crontab_t logrotate_mail_t matahari_netd_t matahari_rpcd_t passenger_t arpwatch_t cardmgr_t cgclear_t chronyd_t cluster_t apcupsd_t fcoemon_t fingerd_t foghorn_t gpg_web_t rhev_agentd_consolehelper_t fprintd_t ftpdctl_t httpd_cobbler_script_t dcerpcd_t 
dovecot_t evtchnd_t gpg_agent_t telepathy_msn_t auditctl_t openshift_t jabberd_t kadmind_t hddtemp_t spamass_milter_t iceauth_t icecast_t prelude_correlator_t ncftool_t neutron_t openvpn_t postgrey_t lockdev_t mplayer_t ricci_modcluster_t irqbalance_t radiusd_t rlogind_t roundup_t srvsvcd_t stunnel_t sulogin_t svc_run_t syslogd_t sysstat_t nut_upsdrvctl_t rpcbind_t sandbox_t sensord_t sge_job_t portmap_t yppasswdd_t ptchown_t vbetool_t vdagent_t vhostmd_t zarafa_ical_t winbind_t sysadm_sudo_t telnetd_t usbmuxd_t useradd_t afs_ptserver_t namespace_init_t httpd_mediawiki_script_t xserver_t condor_schedd_t condor_startd_t piranha_web_t user_screen_t condor_master_t greylist_milter_t calamaris_t staff_openoffice_t mailman_queue_t } ==  &&  || );

mlsconstrain { file } { ioctl read lock execute execute_no_trans  } 
(  h1 h2  dom  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t virtd_lxc_t postfix_showq_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t ada_t fsadm_t kudzu_t lvm_t mdadm_t mono_t postfix_postdrop_t rpm_t wine_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t nova_volume_t nova_scheduler_t vmware_host_t haproxy_t prelink_t anaconda_t glance_api_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t postfix_master_t postfix_pickup_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t depmod_t insmod_t kernel_t livecd_t lldpad_t mongod_t puppet_t apmd_t bcfg2_t cgred_t clvmd_t crond_t ctdbd_t drbd_t hald_t inetd_t init_t iwhd_t l2tpd_t mount_t numad_t rhnsd_t slpd_t smsd_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t matahari_sysconfigd_t readahead_t svnserve_t zarafa_server_t nova_direct_t matahari_hostd_t semanage_t sge_shepherd_t unconfined_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t neutron_t ricci_modcluster_t sensord_t sge_job_t zarafa_ical_t useradd_t xserver_t condor_schedd_t condor_startd_t condor_master_t } 
==  ||  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  t2 { sosreport_t git_session_t cfengine_execd_t bootloader_t netutils_t qmail_tcp_env_t devicekit_power_t sandbox_x_client_t nova_api_t sblim_reposd_t dkim_milter_t virt_qemu_ga_unconfined_t admin_crontab_t consolekit_t nova_compute_t nova_console_t pam_console_t zarafa_gateway_t policykit_grant_t logrotate_t openvswitch_t update_modules_t ssh_keysign_t nova_network_t qmail_rspawn_t uml_switch_t qmail_inject_t qmail_lspawn_t dirsrvadmin_unconfined_script_t gnomeclock_t httpd_cvs_script_t sandbox_net_client_t munin_mail_plugin_t ldconfig_t loadkeys_t smoltclient_t prelude_lml_t nova_objectstore_t dmidecode_t modemmanager_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t httpd_rotatelogs_t afs_kaserver_t munin_disk_plugin_t keystone_t kdumpgui_t httpd_bugzilla_script_t postfix_bounce_t httpd_smokeping_cgi_script_t nx_server_t policykit_auth_t ssh_keygen_t piranha_pulse_t sysadm_su_t virtd_lxc_t hald_mac_t iptables_t cachefilesd_t courier_sqwebmail_t postfix_cleanup_t munin_services_plugin_t postfix_showq_t openshift_app_t hostname_t shorewall_t showmount_t telepathy_gabble_t abrt_handle_event_t postfix_virtual_t dovecot_deliver_t ifconfig_t condor_startd_ssh_t qmail_clean_t qmail_local_t qmail_smtpd_t qmail_start_t sandbox_xserver_t setfiles_mac_t telepathy_sofiasip_t amanda_t initrc_t locate_t logadm_t mcelog_t nagios_t varnishd_t setkey_t sysadm_t tvtime_t tzdata_t vmware_t webadm_t ada_t afs_t aiccu_t aide_t alsa_t amtu_t apm_t avahi_t boinc_t canna_t ccs_t cdcc_t crack_t cvs_t cyrus_t dccm_t dhcpc_t dmesg_t dspam_t exim_t fsadm_t games_t getty_t gpg_t gpm_t ipsec_t irc_t irssi_t java_t kudzu_t lvm_t mdadm_t mono_t mrtg_t ndc_t nrpe_t pads_t pam_t ping_t postfix_postdrop_t postfix_postqueue_t qemu_t quota_t rdisc_t ricci_t rpm_t rsync_t rwho_t spamc_t vpnc_t wine_t xdm_t xfs_t xm_t zebra_t 
setroubleshoot_fixit_t staff_dbusd_t postfix_pipe_t virt_qmf_t nova_vncproxy_t httpd_nagios_script_t unconfined_dbusd_t unconfined_mount_t afs_fsserver_t prelink_cron_system_t sge_execd_t sysadm_ssh_agent_t cachefiles_kernel_t httpd_dirsrvadmin_script_t git_system_t httpd_suexec_t abrt_helper_t abrt_retrace_coredump_t usernetctl_t certwatch_t updfstab_t deltacloudd_t user_dbusd_t firewallgui_t glance_registry_t utempter_t setsebool_t telepathy_idle_t telepathy_mission_control_t webalizer_t cpucontrol_t gconfdefaultsm_t matahari_serviced_t httpd_php_t openoffice_t denyhosts_t memcached_t xguest_openoffice_t dirsrv_snmp_t dirsrvadmin_t smbcontrol_t oracleasm_t netlabel_mgmt_t oddjob_mkhomedir_t cyphesis_t gnomesystemmm_t kerneloops_t nova_volume_t varnishlog_t httpd_w3c_validator_script_t user_openoffice_t httpd_user_script_t accountsd_t cgconfig_t user_java_t user_mono_t user_wine_t ipsec_mgmt_t run_init_t sendmail_t shutdown_t audisp_remote_t dovecot_auth_t nova_scheduler_t dlm_controld_t gfs_controld_t smbmount_t asterisk_t bitlbee_t sepgsql_trusted_proc_t vmware_host_t checkpc_t saslauthd_t awstats_t munin_selinux_plugin_t gitosis_t dnsmasq_t krb5kdc_t openshift_cgroup_read_t sysadm_seunshare_t haproxy_t hotplug_t gpg_pinentry_t hwclock_t newrole_t zos_remote_t dcc_client_t mozilla_t plymouth_t procmail_t sanlock_t setrans_t traceroute_t pegasus_t prelink_t prelude_t privoxy_t staff_java_t staff_mono_t staff_sudo_t staff_wine_t wpa_cli_t httpd_awstats_script_t munin_system_plugin_t qmail_send_t anaconda_t glance_api_t piranha_fos_t piranha_lvs_t sandbox_x_t httpd_apcupsd_cgi_script_t local_login_t hald_dccm_t mysqld_safe_t ricci_modservice_t games_srv_t ricci_modstorage_t samba_net_t afs_bosserver_t httpd_nutups_cgi_script_t hald_sonypic_t openhpid_t boinc_project_t condor_procd_t nagios_mail_plugin_t virt_qemu_ga_t condor_negotiator_t nova_ajax_t nova_cert_t amanda_recover_t chrome_sandbox_t zarafa_spooler_t httpd_munin_script_t telepathy_salut_t rpm_script_t 
sysadm_passwd_t sysadm_screen_t nsplugin_t xguest_execmem_t zarafa_deliver_t sblim_gatherd_t antivirus_t bluetooth_helper_t dcc_dbclean_t nut_upsd_t staff_execmem_t user_execmem_t podsleuth_t system_cronjob_t sge_job_ssh_t zarafa_monitor_t openshift_initrc_t chroot_user_t httpd_openshift_script_t qmail_remote_t zarafa_indexer_t policykit_t httpd_sys_script_t tmpreaper_t staff_consolehelper_t svc_multilog_t ricci_modclusterd_t logwatch_t mailman_cgi_t pulseaudio_t mailman_mail_t mysqlmanagerd_t samba_unconfined_net_t bluetooth_t mencoder_t httpd_dspam_script_t plymouthd_t smokeping_t cfengine_monitord_t ksmtuned_t unconfined_notrans_t httpd_prewikka_script_t ricci_modlog_t ricci_modrpm_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t setroubleshootd_t nsplugin_config_t chrome_sandbox_nacl_t nagios_checkdisk_plugin_t postfix_master_t postfix_pickup_t devicekit_disk_t regex_milter_t firstboot_t hald_acl_t telepathy_sunshine_t postfix_local_t postfix_smtpd_t zabbix_agent_t samba_unconfined_script_t httpd_git_script_t nagios_services_plugin_t nagios_eventhandler_plugin_t rhsmcertd_t virt_bridgehelper_t munin_unconfined_plugin_t openshift_cron_t unconfined_java_t unconfined_mono_t courier_tcpd_t httpd_unconfined_script_t openvpn_unconfined_script_t NetworkManager_t qmail_queue_t sandbox_web_client_t groupadd_t audisp_t auditd_t chkpwd_t comsat_t dbskkd_t dccifd_t depmod_t dirsrv_t fenced_t gconfd_t groupd_t insmod_t iscsid_t kernel_t kismet_t kpropd_t ktalkd_t livecd_t lldpad_t lsassd_t lwregd_t mongod_t mysqld_t oddjob_t openct_t svc_start_t fail2ban_t passwd_t puppet_t qdiskd_t racoon_t soundd_t telepathy_stream_engine_t updpwd_t xguest_t xm_ssh_t ypbind_t ypserv_t zabbix_t abrt_t acct_t apmd_t bcfg2_t brctl_t cgred_t chfn_t ciped_t clogd_t clvmd_t crond_t ctdbd_t cupsd_t dccd_t dhcpd_t dictd_t drbd_t ftpd_t gpsd_t gssd_t guest_t hald_t howl_t hplip_t httpd_t inetd_t init_t innd_t iwhd_t kdump_t klogd_t l2tpd_t lircd_t lpd_t lpr_t lwiod_t lwsmd_t mount_t mpd_t 
munin_t named_t nfsd_t nmbd_t nscd_t nslcd_t ntop_t ntpd_t numad_t pcscd_t pingd_t pppd_t pptp_t psad_t ptal_t qpidd_t radvd_t rhgb_t rhnsd_t rpcd_t rshd_t rssh_t slapd_t slpd_t smbd_t smsd_t snmpd_t snort_t spamd_t squid_t ssh_t sshd_t sssd_t staff_t svirt_t swat_t tcpd_t tftpd_t tgtd_t thin_t tor_t tuned_t udev_t ulogd_t uml_t user_t uucpd_t uuidd_t uux_t virtd_t wdmd_t xauth_t xend_t ypxfr_t eventlogd_t nagios_system_plugin_t postfix_qmgr_t postfix_smtp_t prelude_audisp_t courier_authdaemon_t afs_vlserver_t fsdaemon_t watchdog_t abrt_retrace_worker_t mozilla_plugin_config_t jabberd_router_t policykit_resolve_t winbind_helper_t load_policy_t nut_upsmon_t cupsd_config_t hald_keymap_t httpd_helper_t rtkit_daemon_t nagios_unconfined_plugin_t glusterd_t sandbox_min_t sandbox_net_t sandbox_web_t user_seunshare_t xguest_java_t xguest_mono_t logwatch_mail_t cupsd_lpd_t devicekit_t postfix_map_t remote_login_t inetd_child_t automount_t ethereal_t fetchmail_t netlogond_t puppetmaster_t tethereal_t system_mail_t httpd_squid_script_t restorecond_t xdm_dbusd_t gpg_helper_t staff_ssh_agent_t matahari_sysconfigd_t portreserve_t cpufreqselector_t readahead_t abrt_dump_oops_t quota_nld_t staff_screen_t system_dbusd_t entropyd_t rhev_agentd_t xenstored_t sandbox_min_client_t cpuspeed_t nagios_admin_plugin_t svnserve_t guest_dbusd_t qmail_splogger_t xguest_dbusd_t cups_pdf_t postgresql_t mozilla_plugin_t courier_pcp_t courier_pop_t zarafa_server_t nova_direct_t matahari_hostd_t publicfile_t usbmodules_t sambagui_t staff_seunshare_t nx_server_ssh_t certmaster_t certmonger_t setfiles_t user_mail_t cdrecord_t sectoolm_t semanage_t checkpolicy_t portmap_helper_t sge_shepherd_t cobblerd_t consoletype_t unconfined_t xenconsoled_t user_ssh_agent_t cmirrord_t cronjob_t crontab_t logrotate_mail_t matahari_netd_t matahari_rpcd_t passenger_t arpwatch_t cardmgr_t cgclear_t chronyd_t cluster_t apcupsd_t fcoemon_t fingerd_t foghorn_t gpg_web_t rhev_agentd_consolehelper_t fprintd_t ftpdctl_t 
httpd_cobbler_script_t dcerpcd_t dovecot_t evtchnd_t gpg_agent_t telepathy_msn_t auditctl_t openshift_t jabberd_t kadmind_t hddtemp_t spamass_milter_t iceauth_t icecast_t prelude_correlator_t ncftool_t neutron_t openvpn_t postgrey_t lockdev_t mplayer_t ricci_modcluster_t irqbalance_t radiusd_t rlogind_t roundup_t srvsvcd_t stunnel_t sulogin_t svc_run_t syslogd_t sysstat_t nut_upsdrvctl_t rpcbind_t sandbox_t sensord_t sge_job_t portmap_t yppasswdd_t ptchown_t vbetool_t vdagent_t vhostmd_t zarafa_ical_t winbind_t sysadm_sudo_t telnetd_t usbmuxd_t useradd_t afs_ptserver_t namespace_init_t httpd_mediawiki_script_t xserver_t condor_schedd_t condor_startd_t piranha_web_t user_screen_t condor_master_t greylist_milter_t calamaris_t staff_openoffice_t mailman_queue_t } ==  &&  || );

mlsconstrain { node } { recvfrom sendto  } 
(  l1 l2  dom  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  || );

mlsconstrain { db_view } { drop getattr setattr relabelfrom expand  } 
(  h1 h2  dom );

mlsconstrain { db_view } { create relabelto  } 
(  h1 h2  dom  l2 h2  ==  && );

constrain { netlink_nflog_socket } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

constrain { netlink_tcpdiag_socket } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

constrain { unix_stream_socket } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

mlsconstrain { db_database } { drop getattr setattr relabelfrom access install_module load_module get_param set_param  } 
(  h1 h2  dom );

mlsconstrain { db_database } { create relabelto  } 
(  h1 h2  dom  l2 h2  ==  && );

mlsconstrain { db_language } { drop getattr setattr relabelfrom execute  } 
(  h1 h2  dom );

mlsconstrain { db_language } { drop getattr setattr relabelfrom execute  } 
(  h1 h2  dom );

mlsconstrain { db_language } { create relabelto  } 
(  h1 h2  dom  l2 h2  ==  && );

constrain { netlink_route_socket } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

mlsconstrain { db_sequence } { drop getattr setattr relabelfrom get_value next_value set_value  } 
(  h1 h2  dom );

mlsconstrain { db_sequence } { create relabelto  } 
(  h1 h2  dom  l2 h2  ==  && );

nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

mlsconstrain { db_blob } { drop getattr setattr relabelfrom read write import export  } 
(  h1 h2  dom );

mlsconstrain { db_blob } { create relabelto  } 
(  h1 h2  dom  l2 h2  ==  && );

constrain { netlink_xfrm_socket } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

mlsconstrain { db_schema } { create relabelto  } 
(  h1 h2  dom  l2 h2  ==  && );

constrain { netlink_dnrt_socket } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

mlsconstrain { netif } { ingress egress  } 
(  l1 l2  dom  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  || );

constrain { packet_socket } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

constrain { tun_socket } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

constrain { udp_socket } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

mlsconstrain { udp_socket } { node_bind  } 
(  h1 h2  dom  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  || );

constrain { appletalk_socket } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

constrain { rawip_socket } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );

mlsconstrain { rawip_socket } { node_bind  } 
(  h1 h2  dom  t1 { openshift_app_t qemu_t sandbox_x_t svirt_t user_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t } !=  || );

mlsconstrain { db_column } { drop getattr setattr relabelfrom use select update insert  } 
(  h1 h2  dom );

mlsconstrain { db_column } { create relabelto  } 
(  h1 h2  dom  l2 h2  ==  && );

constrain { netlink_socket } { create relabelfrom relabelto  } 
(  u1 u2 ==  t1 { sosreport_t cfengine_execd_t bootloader_t devicekit_power_t nova_api_t sblim_reposd_t virt_qemu_ga_unconfined_t nova_compute_t nova_console_t zarafa_gateway_t logrotate_t openvswitch_t nova_network_t dirsrvadmin_unconfined_script_t ldconfig_t nova_objectstore_t certmonger_unconfined_t condor_collector_t unconfined_cronjob_t unconfined_sendmail_t keystone_t ssh_keygen_t sysadm_su_t virtd_lxc_t openshift_app_t abrt_handle_event_t condor_startd_ssh_t setfiles_mac_t initrc_t sysadm_t ada_t dhcpc_t fsadm_t kudzu_t lvm_t mdadm_t mono_t rpm_t wine_t xdm_t virt_qmf_t nova_vncproxy_t unconfined_dbusd_t unconfined_mount_t sge_execd_t cachefiles_kernel_t deltacloudd_t glance_registry_t matahari_serviced_t oracleasm_t oddjob_mkhomedir_t nova_volume_t nova_scheduler_t vmware_host_t saslauthd_t krb5kdc_t haproxy_t newrole_t prelink_t anaconda_t glance_api_t local_login_t openhpid_t condor_procd_t condor_negotiator_t nova_ajax_t nova_cert_t zarafa_spooler_t rpm_script_t sysadm_passwd_t zarafa_deliver_t sblim_gatherd_t system_cronjob_t zarafa_monitor_t openshift_initrc_t zarafa_indexer_t tmpreaper_t staff_consolehelper_t samba_unconfined_net_t cfengine_monitord_t unconfined_notrans_t unconfined_execmem_t pkcsslotd_t cfengine_serverd_t devicekit_disk_t firstboot_t samba_unconfined_script_t nagios_eventhandler_plugin_t rhsmcertd_t munin_unconfined_plugin_t unconfined_java_t unconfined_mono_t httpd_unconfined_script_t openvpn_unconfined_script_t groupadd_t depmod_t dirsrv_t insmod_t kernel_t kpropd_t livecd_t lldpad_t lsassd_t mongod_t oddjob_t passwd_t puppet_t racoon_t updpwd_t apmd_t bcfg2_t chfn_t clvmd_t crond_t ctdbd_t cupsd_t drbd_t ftpd_t inetd_t init_t iwhd_t l2tpd_t numad_t rhnsd_t rshd_t slpd_t smsd_t squid_t sshd_t sssd_t staff_t thin_t udev_t uuidd_t virtd_t xend_t watchdog_t nagios_unconfined_plugin_t glusterd_t devicekit_t remote_login_t inetd_child_t puppetmaster_t restorecond_t matahari_sysconfigd_t svnserve_t postgresql_t zarafa_server_t 
nova_direct_t matahari_hostd_t setfiles_t semanage_t sge_shepherd_t unconfined_t cmirrord_t matahari_netd_t matahari_rpcd_t cluster_t fcoemon_t foghorn_t rhev_agentd_consolehelper_t openshift_t kadmind_t ncftool_t neutron_t openvpn_t ricci_modcluster_t rlogind_t sulogin_t syslogd_t sensord_t sge_job_t yppasswdd_t zarafa_ical_t telnetd_t useradd_t namespace_init_t xserver_t condor_schedd_t condor_startd_t condor_master_t } ==  || );


-- 
Tracy Reed

* Re: MCS error
  2015-02-20 16:56             ` Tracy Reed
@ 2015-02-20 17:08               ` Stephen Smalley
  2015-02-20 17:33                 ` Stephen Smalley
  2015-02-20 22:07                 ` Tracy Reed
  0 siblings, 2 replies; 27+ messages in thread
From: Stephen Smalley @ 2015-02-20 17:08 UTC (permalink / raw)
  To: Tracy Reed; +Cc: selinux

On 02/20/2015 11:56 AM, Tracy Reed wrote:
> On Fri, Feb 20, 2015 at 05:38:55AM PST, Stephen Smalley spake thusly:
>> Can you show the actual constraints on RHEL6?  seinfo --constrain
>> output, or grab the .src.rpm and pull out the mcs file.
> 
> Here is the seinfo --constrain output from RHEL6. Thanks for having a look!

Sigh. Not preserved in attribute form in that version.  Ok, I grabbed
selinux-policy-3.7.19-231.el6.src.rpm and extracted the mcs file from
it; it has:

mlsconstrain file { read ioctl lock execute execute_no_trans }
        (( h1 dom h2 ) or ( t1 == mcsreadall ) or
        (( t1 != mcsuntrustedproc ) and (t2 == domain)));

which means:

"Only allow read (or the other listed permissions) if the process high
level dominates the file high level or the process type has the
mcsreadall attribute or the process type does not have the
mcsuntrustedproc attribute and the object type has the domain attribute
(i.e. the object is a /proc/pid file)."

So I'm guessing user_t has mcsreadall?  What does seinfo -tuser_t -x |
grep mcs show?

* Re: MCS error
  2015-02-20 17:08               ` Stephen Smalley
@ 2015-02-20 17:33                 ` Stephen Smalley
  2015-02-20 22:10                   ` Tracy Reed
  2015-02-20 22:07                 ` Tracy Reed
  1 sibling, 1 reply; 27+ messages in thread
From: Stephen Smalley @ 2015-02-20 17:33 UTC (permalink / raw)
  To: Tracy Reed; +Cc: selinux

On 02/20/2015 12:08 PM, Stephen Smalley wrote:
> On 02/20/2015 11:56 AM, Tracy Reed wrote:
>> On Fri, Feb 20, 2015 at 05:38:55AM PST, Stephen Smalley spake thusly:
>>> Can you show the actual constraints on RHEL6?  seinfo --constrain
>>> output, or grab the .src.rpm and pull out the mcs file.
>>
>> Here is the seinfo --constrain output from RHEL6. Thanks for having a look!
> 
> Sigh. Not preserved in attribute form in that version.  Ok, I grabbed
> selinux-policy-3.7.19-231.el6.src.rpm and extracted the mcs file from
> it; it has:
> 
> mlsconstrain file { read ioctl lock execute execute_no_trans }
>         (( h1 dom h2 ) or ( t1 == mcsreadall ) or
>         (( t1 != mcsuntrustedproc ) and (t2 == domain)));
> 
> which means:
> 
> "Only allow read (or the other listed permissions) if the process high
> level dominates the file high level or the process type has the
> mcsreadall attribute or the process type does not have the
> mcsuntrustedproc attribute and the object type has the domain attribute
> (i.e. the object is a /proc/pid file)."
> 
> So I'm guessing user_t has mcsreadall?  What does seinfo -tuser_t -x |
> grep mcs show?

Also, can you confirm that the system is enforcing?  getenforce?

* Re: MCS error
  2015-02-20  2:02           ` Tracy Reed
  2015-02-20  7:33             ` Dominick Grift
@ 2015-02-20 17:44             ` Stephen Smalley
  1 sibling, 0 replies; 27+ messages in thread
From: Stephen Smalley @ 2015-02-20 17:44 UTC (permalink / raw)
  To: Tracy Reed; +Cc: selinux

On 02/19/2015 09:02 PM, Tracy Reed wrote:
> On Thu, Feb 19, 2015 at 04:34:25PM PST, Tracy Reed spake thusly:
>> # semanage login -l
> 
> Ok, part of my confusion here is that I've been confusing semanage login with
> semanage user. It's been a while since I've dealt with SELinux. I understand
> that semanage login -l shows what Linux users map to what selinux users:
> 
>> Login Name                SELinux User              MLS/MCS Range            
>>
>> __default__               unconfined_u              SystemLow-SystemHigh     
>> p16001                    p16001_u                  p16001                   
>> p16002                    appuser_u                 s0:c1.c499-s0:c2         
>> p16003                    appuser_u                 s0:c1.c499-s0:c3         
>> p16004                    unconfined_u              s0-s0:c0.c1023,c4        
>> p16005                    unconfined_u              s0-s0:c0.c1023,c4,c5     
>> p16006                    unconfined_u              s0-s0:c0.c1023,c6        
>> p16007                    unconfined_u              s0-s0:c0.c1023,c7        
>> p16008                    unconfined_u              s0-s0:c0.c1023,c8        
>> p16009                    unconfined_u              s0-s0:c0.c1023,c9        
>> root                      unconfined_u              SystemLow-SystemHigh     
>> system_u                  system_u                  SystemLow-SystemHigh  
> 
> So we are mapping p16002 to appuser_u but appuser_u doesn't exist at the
> moment. But what's with the MLS/MCS range column?  Is this saying p16002 has
> categories s0:c1.c499-s0:c2 is it saying appuser_u (selinux user) has
> categories s0:c1.c499-s0:c2? Given that the selinux user is the same but the
> categories listed are different for Linux login users p16002 and p16003 I would
> think it is saying those categories go with those Linux login users.

The user mapping (i.e. semanage user) is part of the kernel policy; for
each SELinux user, it specifies the maximum range and authorized roles
for the user.  The login mapping (i.e. semanage login) is a purely
userspace policy; it specifies how to map a given Linux login to a
SELinux user and to a more specific range.  The more specific range for
a Linux login should always be a subset of the range authorized for the
underlying SELinux user; the kernel won't let you create a process with
a given SELinux user with a range that exceeds the maximum authorized in
its policy.  So your login mapping is wrong.

> And that is different yet with respect to the output of the chcat command:
> 
> # chcat -L -l p16001 p16002
> p16001: s0:c0.c1023
> p16002: s0:c0.c1023
> 
> This says p16001 and p16002 have access to all categories.

I wouldn't rely on chcat for anything; I'm not sure it is even being
maintained as it only made sense for the original user-centric
discretionary MCS model.  Just use semanage to manage the login and user
mappings, and chcon -l to set levels on files (or, better, add entries
to file contexts via semanage fcontext and use restorecon to set the
labels to match; otherwise a relabel may override them).

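As an added example (editor's code, not from the thread), a small Python model of the two checks Stephen lays out in his messages above: the containment rule between a login mapping's range and its SELinux user's range, and the quoted file-read mcs constraint from the RHEL6 policy. Level syntax follows the semanage/seinfo outputs shown in the thread; the attribute sets passed for t1/t2 and the appuser_u range in the demo are constructed assumptions.

```python
"""Editor's model of two MCS checks discussed in the thread (not project code).

1. Range containment: the MLS/MCS range given for a Linux login (semanage login)
   must lie inside the range authorized for its SELinux user (semanage user).
   Modelling that as low/high dominance is the editor's reading of Stephen's rule.
2. The file { read ioctl lock execute execute_no_trans } constraint quoted from
   selinux-policy-3.7.19-231.el6:
   (h1 dom h2) or (t1 == mcsreadall) or ((t1 != mcsuntrustedproc) and (t2 == domain))

Level syntax follows the thread's outputs: s0, s0:c1, s0:c0.c1023, s0-s0:c0.c1023,c4.
"""
import re

MAX_CAT = 1023  # c0.c1023 is SystemHigh in the thread's policy


def _cat(token):
    """'c42' -> 42; anything else is a malformed category."""
    if not re.fullmatch(r"c\d+", token):
        raise ValueError("malformed category: %r" % token)
    return int(token[1:])


def parse_level(text):
    """'s0:c1.c499,c7' -> (0, frozenset({1, ..., 499, 7})); 's0' -> (0, frozenset())."""
    m = re.fullmatch(r"s(\d+)(?::(.+))?", text.strip())
    if not m:
        raise ValueError("malformed level: %r" % text)
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        if "." in part:                      # category range such as c1.c499
            lo, hi = (_cat(p) for p in part.split("."))
            if lo > hi:
                raise ValueError("inverted category range: %r" % part)
            cats.update(range(lo, hi + 1))
        else:                                # single category such as c4
            cats.add(_cat(part))
    if any(c > MAX_CAT for c in cats):
        raise ValueError("category above c%d in %r" % (MAX_CAT, text))
    return int(m.group(1)), frozenset(cats)


def dominates(a, b):
    """MLS 'dom': a's sensitivity is >= b's and a's categories include all of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_range(text):
    """'s0-s0:c0.c1023' -> (low, high); a lone level such as 's0:c1' is low == high.
    A range whose high level does not dominate its low level is not a valid MLS range."""
    low_text, sep, high_text = text.strip().partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if sep else low
    if not dominates(high, low):
        raise ValueError("high level does not dominate low level: %r" % text)
    return low, high


def login_range_allowed(login_range, seuser_range):
    """True when the login's range is contained in the SELinux user's range:
    login low dominates user low, and user high dominates login high.
    A mapping that fails this is what semanage refuses to commit."""
    llow, lhigh = parse_range(login_range)
    ulow, uhigh = parse_range(seuser_range)
    return dominates(llow, ulow) and dominates(uhigh, lhigh)


def file_read_allowed(proc_high, file_high, proc_attrs, obj_attrs):
    """Evaluate the quoted constraint. h1 is the process high level, h2 the file
    high level; the attribute sets stand for what 'seinfo -t<type> -x' lists
    for the subject type t1 and the object type t2."""
    h1, h2 = parse_level(proc_high), parse_level(file_high)
    return (dominates(h1, h2)
            or "mcsreadall" in proc_attrs
            or ("mcsuntrustedproc" not in proc_attrs and "domain" in obj_attrs))


if __name__ == "__main__":
    # p16004 -> unconfined_u at s0-s0:c0.c1023,c4 sits inside SystemLow-SystemHigh.
    print(login_range_allowed("s0-s0:c0.c1023,c4", "s0-s0:c0.c1023"))  # True
    # Constructed: a login limited to c1 under a user that only allows s0 is refused.
    print(login_range_allowed("s0-s0:c1", "s0"))  # False
    # user_t carries only mcsuntrustedproc in the thread, so a c1 process reading a
    # c2 file fails every disjunct of the constraint (a denial once enforcing).
    print(file_read_allowed("s0:c1", "s0:c2", {"mcsuntrustedproc"}, set()))  # False
```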
* Re: MCS error
  2015-02-20 17:08               ` Stephen Smalley
  2015-02-20 17:33                 ` Stephen Smalley
@ 2015-02-20 22:07                 ` Tracy Reed
  1 sibling, 0 replies; 27+ messages in thread
From: Tracy Reed @ 2015-02-20 22:07 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

On Fri, Feb 20, 2015 at 09:08:10AM PST, Stephen Smalley spake thusly:
> So I'm guessing user_t has mcsreadall?  What does seinfo -tuser_t -x |
> grep mcs show?

# seinfo -tuser_t -x | grep mcs       
      mcsuntrustedproc

That's all. No mcsreadall.

-- 
Tracy Reed

* Re: MCS error
  2015-02-20 17:33                 ` Stephen Smalley
@ 2015-02-20 22:10                   ` Tracy Reed
  2015-02-23 14:43                     ` Stephen Smalley
  0 siblings, 1 reply; 27+ messages in thread
From: Tracy Reed @ 2015-02-20 22:10 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 587 bytes --]

On Fri, Feb 20, 2015 at 09:33:09AM PST, Stephen Smalley spake thusly:
> Also, can you confirm that the system is enforcing?  getenforce?

I should have clarified that the system is in permissive mode, but no denials
were logged in /var/log/audit/audit.log.

[mcstest:/home/users/tracy.reed]# /usr/sbin/sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted


-- 
Tracy Reed

* Re: MCS error
  2015-02-20  7:33             ` Dominick Grift
@ 2015-02-20 23:27               ` Tracy Reed
  2015-02-20 23:38                 ` Joshua Brindle
  2015-02-21 13:07                 ` Dominick Grift
  0 siblings, 2 replies; 27+ messages in thread
From: Tracy Reed @ 2015-02-20 23:27 UTC (permalink / raw)
  To: selinux


On Thu, Feb 19, 2015 at 11:33:03PM PST, Dominick Grift spake thusly:
> Right, this table (login table) shows the associations of selinux identities
> and selinux security levels with linux users, whereas the "user table" shows
> associations of selinux roles and security levels with selinux users.

Ok, I think I understand that now... Looks like they both can associate
security levels with their respective kinds of users. Seems odd now to be able
to associate security levels with Linux users instead of just SELinux users. 

Now I am wondering which one takes precedence. For example, in the MCS setup I
am attempting do I need to have the security category defined in the login
table or the user table or both?

> You are misunderstanding the concept of associating things with "selinux
> users" (user table) versus the concept of associating things with "linux
> users" (login table), and how the two relate.

Indeed.

> You cannot associate something with a Linux user if that something is not
> associated with the SELinux user first.

Ok...

> For example the error message above complains that you have a "appuser_u"
> identity associated with some "linux user(s)" (p16002, p16003). However that
> identity (appuser_u) does not exist in your "user table". 
> 
> So to fix that error: re-add the appuser_u selinux user to the "user table" ,
> then remove the references to "appuser_u" from the "login table" *first* ,
> and then finally remove the appuser_u association from the "user table"
> again.

Your use of "*first*" in the second step is confusing to me but it looks like
the order of operations here is:

1. re-add the appuser_u selinux user to the "user table"

2. remove the references to "appuser_u" from the "login table"

3. remove the appuser_u association from the "user table"


So to do step 1 and re-add appuser_u selinux user to the "user table" I should do this and get this result:

# semanage user -a -R user_r appuser_u
libsemanage.validate_handler: selinux user appuser_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [p16002 -> (appuser_u, s0:c1.c499-s0:c2)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction

Even if I try step 2 first (in case that's what you meant by *first) I get this:

# semanage login -d p16002
libsemanage.validate_handler: selinux user appuser_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [p16003 -> (appuser_u, s0:c1.c499-s0:c3)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction

What am I missing here? Thanks!

-- 
Tracy Reed



* Re: MCS error
  2015-02-20 23:27               ` Tracy Reed
@ 2015-02-20 23:38                 ` Joshua Brindle
  2015-02-21 13:07                 ` Dominick Grift
  1 sibling, 0 replies; 27+ messages in thread
From: Joshua Brindle @ 2015-02-20 23:38 UTC (permalink / raw)
  To: Tracy Reed; +Cc: selinux

Tracy Reed wrote:
> On Thu, Feb 19, 2015 at 11:33:03PM PST, Dominick Grift spake thusly:
>> Right, this table (login table) shows the associations of selinux identities
>> and selinux security levels with linux users, whereas the "user table" shows
>> associations of selinux roles and security levels with selinux users.
>
> Ok, I think I understand that now... Looks like they both can associate
> security levels with their respective kinds of users. Seems odd now to be able
> to associate security levels with Linux users instead of just SELinux users.
>
> Now I am wondering which one takes precedence. For example, in the MCS setup I
> am attempting do I need to have the security category defined in the login
> table or the user table or both?
>

SELinux users have a strict superset of the levels that Linux users do.

The SELinux kernel policy does not know or care about Linux users. It 
only knows SELinux users; they are defined in the policy and have a set 
of levels associated with them. The tools below adjust those levels as 
they are defined in the kernel binary policy.

Originally there was no Linux user->SELinux user mapping at all, that 
was added so that Linux users didn't need to be added to the SELinux 
binary policy, before these management tools existed.

Nowadays, in the managed policy case, you can associate a subset of the 
levels of an SELinux user with a Linux user. This is enforced by the login 
program and not by the kernel. The kernel will only enforce that the SELinux 
user does not gain more levels than assigned in the policy.

Does that make sense?

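The subset relation Joshua describes above (a Linux user's range must fit inside its SELinux user's range) and the dangling appuser_u reference that Dominick's three steps repair, as an added Python example that is not code from this thread or from libsemanage: it parses the MCS ranges shown in the thread and reproduces both validation errors from a pair of constructed tables. The function names, the sample tables and the error wording are assumptions modelled on the messages above.

```python
import re

# Constructed sample data modelled on the tables shown in this thread
# (semanage user -l / semanage login -l), not taken from any real host.
SEUSERS = {"user_u": "s0", "root": "s0-s0:c0.c1023"}   # "user table"
LOGINS = {                                              # "login table"
    "user1": ("user_u", "s0-s0:c1"),              # wider than user_u allows
    "p16002": ("appuser_u", "s0:c1.c499-s0:c2"),  # dangling SELinux user
    "tenant3": ("root", "s0-s0:c3"),              # valid subset of root's range
}

def parse_level(level):
    """'s0:c1.c499,c7' -> (0, {1..499, 7}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad level {level!r}")
    catset = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")
        lo_n = int(lo[1:])
        catset.update(range(lo_n, (int(hi[1:]) if hi else lo_n) + 1))
    return int(m.group(1)), catset

def parse_range(rng):
    """'low-high' -> (low, high); a bare level means low == high."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories include b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def range_contains(outer, inner):
    """inner fits in outer when inner.low dominates outer.low and outer.high
    dominates inner.high (the two conditions of the kernel's mls_range_contains)."""
    return dominates(inner[0], outer[0]) and dominates(outer[1], inner[1])

def validate_logins(logins, seusers):
    """Return {linux_user: error-or-None}, modelled on libsemanage's seuser checks."""
    result = {}
    for linux_user, (seuser, rng) in logins.items():
        if seuser not in seusers:           # the appuser_u case from the thread
            result[linux_user] = f"selinux user {seuser} does not exist"
            continue
        inner, outer = parse_range(rng), parse_range(seusers[seuser])
        if not dominates(inner[1], inner[0]):   # a range's high must dominate its low
            result[linux_user] = f"range {rng} is not a valid MLS range"
        elif not range_contains(outer, inner):  # the user1 case from the thread
            result[linux_user] = (f"MLS range {rng} for Unix user {linux_user} exceeds "
                                  f"allowed range {seusers[seuser]} for SELinux user {seuser}")
        else:
            result[linux_user] = None
    return result
```

Running `validate_logins(LOGINS, SEUSERS)` flags user1 and p16002 and accepts tenant3; the ordering of the checks is why re-adding the SELinux user first makes the login-table entries deletable again.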


* Re: MCS error
  2015-02-20 23:27               ` Tracy Reed
  2015-02-20 23:38                 ` Joshua Brindle
@ 2015-02-21 13:07                 ` Dominick Grift
  1 sibling, 0 replies; 27+ messages in thread
From: Dominick Grift @ 2015-02-21 13:07 UTC (permalink / raw)
  To: selinux

On Fri, Feb 20, 2015 at 03:27:50PM -0800, Tracy Reed wrote:
> On Thu, Feb 19, 2015 at 11:33:03PM PST, Dominick Grift spake thusly:
> > Right, this table (login table) shows the associations of selinux identities
> > and selinux security levels with linux users, whereas the "user table" shows
> > associations of selinux roles and security levels with selinux users.
> 
> Ok, I think I understand that now... Looks like they both can associate
> security levels with their respective kinds of users. Seems odd now to be able
> to associate security levels with Linux users instead of just SELinux users. 
> 
> Now I am wondering which one takes precedence. For example, in the MCS setup I
> am attempting do I need to have the security category defined in the login
> table or the user table or both?
> 
> > You are misunderstanding the concept of associating things with "selinux
> > users" (user table) versus the concept of associating things with "linux
> > users" (login table), and how the two relate.
> 
> Indeed.
> 
> > You cannot associate something with a Linux user if that something is not
> > associated with the SELinux user first.
> 
> Ok...
> 
> > For example the error message above complains that you have a "appuser_u"
> > identity associated with some "linux user(s)" (p16002, p16003). However that
> > identity (appuser_u) does not exist in your "user table". 
> > 
> > So to fix that error: re-add the appuser_u selinux user to the "user table" ,
> > then remove the references to "appuser_u" from the "login table" *first* ,
> > and then finally remove the appuser_u association from the "user table"
> > again.
> 
> Your use of "*first*" in the second step is confusing to me but it looks like
> the order of operations here is:
> 
> 1. re-add the appuser_u selinux user to the "user table"
> 
> 2. remove the references to "appuser_u" from the "login table"
> 
> 3. remove the appuser_u association from the "user table"

Yes, the above steps should do the trick.

semanage is such a lousy tool in my view; it should not have let you remove the user mapping in the first place if there were references to it in the login table (i.e. if there are login mappings that rely on the selinux user).

I suppose you could resort to doing it manually by editing files in /etc/selinux (/etc/selinux/targeted/seusers and some seusers.local file elsewhere, which is the one that is actually maintained by libsemanage).

I do not use those tools, as I manually maintain /etc/selinux. So I can't really be of much help here.

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift


* Re: MCS error
  2015-02-20 22:10                   ` Tracy Reed
@ 2015-02-23 14:43                     ` Stephen Smalley
  0 siblings, 0 replies; 27+ messages in thread
From: Stephen Smalley @ 2015-02-23 14:43 UTC (permalink / raw)
  To: Tracy Reed; +Cc: selinux

On 02/20/2015 05:10 PM, Tracy Reed wrote:
> On Fri, Feb 20, 2015 at 09:33:09AM PST, Stephen Smalley spake thusly:
>> Also, can you confirm that the system is enforcing?  getenforce?
> 
> I should have clarified that the system is in permissive mode but no denials
> were logged in /var/log/audit/audit.log
> 
> [mcstest:/home/users/tracy.reed]# /usr/sbin/sestatus 
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        targeted

Hmm...I would check /var/log/messages as well (where denials will be
logged if not running auditd), and re-test in enforcing mode just to be
sure.

Can you send me (not the entire list) your
/etc/selinux/targeted/policy/policy.24 file?

