add content

2019-05-08 14:53:59 +03:00
parent fdb66ec988
commit 840f37da49
122 changed files with 5873 additions and 0 deletions
--- a/sec-policy/selinux-doveadm/Manifest
+++ b/sec-policy/selinux-doveadm/Manifest
@@ -0,0 +1,6 @@
+AUX lego.fc 135 BLAKE2B f5518e53fe8d8aed6d19f06b53a9117f72c8773387b0a15f6970fa4e1b3ae985a60a37b8520750a7f16c8efff692c60a560fcaa66fd950675fa7a0627c0c8b97 SHA512 5e457469dc4685fa57175f1825bde5c3323fe7dd83ede73a5987086e90e8cf49c541f142ab5b83f63609323f35d2f3016123365f5dd06d7d55b796b95eba5b18
+AUX lego.if 3516 BLAKE2B 2209fb75dce7c5a79423be81c0b66e3295f6ffd9113d60e58cfe90e6b41b8563f019d4aff3f2ce285a25fe2ee199eb4d4a42180c7b785d22d1180d49e4a6bc71 SHA512 c68cfdcedcf858a717c59353c2709a9687703a873048b61de634f5e05b87bcc1682380616a51a2e687dec99a6c6c385a13074668336a9cc0d37be8a2bc9f763d
+AUX lego.te 2266 BLAKE2B d8329f30a1614f3091247c33d0b3e12a48840d44aeff6bdda76fc636840102717c992bdc861305dc7eba81bb9394fa303d0448cd6ff1d0b573d0675b5a631bfd SHA512 42b0b99909831801a5f5f6c3e32cd196e2a069434bcd2493c3776aa14a5292eea82e4708312d00fc62258bd4931a571eecc49e5c8da448d553c0c8fbf8588e36
+DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
+DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
+EBUILD selinux-lego-2.20180701-r1.ebuild 377 BLAKE2B 81194e9e7d540735c490a35a783b780bb7ad68d1f8e208c1f54d3c1f8eb688b9fed8c73ebe8abb5f0acb7e62abb77101a12e059809a53437695ca212edcad558 SHA512 5ae9193ce0aae16b0f35a5fdb904c81777eddd6347e776d990c2f562252e7f52018c9b23b470365ae880267069de4e7f5ce6b466fb406c2b86bb7ed83191ce3f
--- a/sec-policy/selinux-doveadm/files/doveadm.fc
+++ b/sec-policy/selinux-doveadm/files/doveadm.fc
@@ -0,0 +1,2 @@
+/var/lib/lego(/.*)?		gen_context(system_u:object_r:lego_data_t,s0)
+/usr/bin/lego	--      gen_context(system_u:object_r:lego_exec_t,s0)
--- a/sec-policy/selinux-doveadm/files/doveadm.if
+++ b/sec-policy/selinux-doveadm/files/doveadm.if
@@ -0,0 +1,193 @@
+
+## <summary>policy for lego</summary>
+
+########################################
+## <summary>
+##	Execute lego_exec_t in the lego domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lego_domtrans',`
+	gen_require(`
+		type lego_t, lego_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, lego_exec_t, lego_t)
+')
+
+######################################
+## <summary>
+##	Execute lego in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lego_exec',`
+	gen_require(`
+		type lego_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, lego_exec_t)
+')
+
+########################################
+## <summary>
+##	Search lego conf directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lego_search_data',`
+	gen_require(`
+		type lego_data_t;
+	')
+
+	allow $1 lego_data_t:dir search_dir_perms;
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Read lego conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lego_read_data_files',`
+	gen_require(`
+		type lego_data_t;
+	')
+
+	allow $1 lego_data_t:dir list_dir_perms;
+	read_files_pattern($1, lego_data_t, lego_data_t)
+	files_search_etc($1)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Manage lego conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lego_manage_data_files',`
+	gen_require(`
+		type lego_data_t;
+	')
+
+	manage_files_pattern($1, lego_data_t, lego_data_t)
+	files_search_etc($1)
+	files_search_var_lib($1)
+')
+
+
+########################################
+## <summary>
+##	Execute lego in the lego domain, and
+##	allow the specified role the lego domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the lego domain.
+##	</summary>
+## </param>
+#
+interface(`lego_run',`
+	gen_require(`
+		type lego_t;
+		attribute_role lego_roles;
+	')
+
+	lego_domtrans($1)
+	roleattribute $2 lego_roles;
+')
+
+########################################
+## <summary>
+##	Role access for lego
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`lego_role',`
+	gen_require(`
+		type lego_t;
+		attribute_role lego_roles;
+	')
+
+	roleattribute $1 lego_roles;
+
+	lego_domtrans($2)
+
+	ps_process_pattern($2, lego_t)
+	allow $2 lego_t:process { signull signal sigkill };
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an lego environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`lego_admin',`
+	gen_require(`
+		type lego_t;
+	')
+
+	allow $1 lego_t:process { signal_perms };
+	ps_process_pattern($1, lego_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 lego_t:process ptrace;
+    ')
+
+	files_search_etc($1)
+	admin_pattern($1, lego_data_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
--- a/sec-policy/selinux-doveadm/files/doveadm.te
+++ b/sec-policy/selinux-doveadm/files/doveadm.te
@@ -0,0 +1,100 @@
+policy_module(doveadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role dovecot_adm_roles;
+roleattribute system_r lego_roles;
+
+type dovecot_adm_t, dovecot_domain;
+type dovecot_adm_exec_t;
+domain_type(dovecot_adm_t)
+domain_entry_file(dovecot_adm_t, dovecot_adm_exec_t)
+role system_r types dovecot_adm_t;
+
+########################################
+#
+# lego local policy
+#
+
+allow lego_t self:process getsched;
+sysnet_read_config(lego_t)
+files_search_var_lib(lego_t)
+
+userdom_use_user_ptys(lego_t)
+domain_use_interactive_fds(lego_t)
+
+corenet_tcp_connect_http_port(lego_t)
+allow lego_t self:tcp_socket create_socket_perms;
+allow lego_t self:udp_socket create_socket_perms;
+allow lego_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(lego_t, lego_data_t, lego_data_t)
+manage_files_pattern(lego_t, lego_data_t, lego_data_t)
+manage_lnk_files_pattern(lego_t, lego_data_t, lego_data_t)
+files_etc_filetrans(lego_t, lego_data_t, { dir file lnk_file })
+
+miscfiles_read_generic_certs(lego_t)
+miscfiles_read_localization(lego_t)
+
+tunable_policy(`lego_use_homedirs',`
+	userdom_manage_user_home_content_dirs(lego_t)
+	userdom_manage_user_home_content_files(lego_t)
+')
+
+optional_policy(`
+    gen_require(`
+       type sysadm_t;
+       role sysadm_r;
+    ')
+    lego_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+    gen_require(`
+       role user_r;
+       type user_t;
+    ')
+    lego_role(user_r, user_t)
+')
+
+optional_policy(`
+    gen_require(`
+       role staff_r;
+       type staff_t;
+    ')
+    lego_role(staff_r, staff_t)
+')
+
+optional_policy(`
+    gen_require(`
+       type nginx_t;
+    ')
+    lego_read_data_files(nginx_t)
+')
+
+optional_policy(`
+    gen_require(`
+       type dovecot_t;
+    ')
+    lego_read_data_files(dovecot_t)
+')
+
+optional_policy(`
+    gen_require(`
+       type exim_t;
+    ')
+    lego_read_data_files(exim_t)
+')
+
+optional_policy(`
+    gen_require(`
+       type system_cronjob_t, system_cronjob_tmp_t;
+    ')
+        cron_system_entry(lego_t, lego_exec_t)
+	allow system_cronjob_t lego_data_t:file setattr;
+	allow lego_t system_cronjob_tmp_t:file write;
+')
+
--- a/sec-policy/selinux-doveadm/selinux-doveadm-2.20180701-r1.ebuild
+++ b/sec-policy/selinux-doveadm/selinux-doveadm-2.20180701-r1.ebuild
@@ -0,0 +1,20 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+
+IUSE=""
+MODS="doveadm"
+POLICY_FILES="doveadm.te doveadm.fc doveadm.if"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for doveadm - Dovecot's administration utility"
+
+RDEPEND="sec-policy/selinux-base-policy"
+
+if [[ $PV == 9999* ]] ; then
+        KEYWORDS=""
+else
+        KEYWORDS="amd64 x86"
+fi
--- a/sec-policy/selinux-hostapd/Manifest
+++ b/sec-policy/selinux-hostapd/Manifest
@@ -0,0 +1,5 @@
+AUX hostapd.fc 299 BLAKE2B 57f03ed6b66766688e01ca1aff1dfa6882d11fc2d2e6160426478be49d5b190a945b1d41f8fc02a075a0ee9ccadcfbc23549635a02448fffb2790467df8514c5 SHA512 c403eceead2eca2cb3f525788374681c9800239f57c2403840813e03df755528ae80457dd0c13db27d31b03da3e972f3a9deac63be50eb0cb7e3597cacfe74dd
+AUX hostapd.te 1713 BLAKE2B 69952a4ba1acfd7e9199c60cce4f8a12bc80e8e3e731bca9f0f5aaba04c09fb41a604c20e4dfde223225f949dcb8fbc3466a9b84740bfe1a7eeeba456476f7d7 SHA512 4d6688bb4ee118af5c253a07eda4f3a8e6f56ff37568882599c6bd8060d871ea2228a9318c36c290f941cde4f2059a4f38d6832d2162dce132c6f17820c10e2a
+DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
+DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
+EBUILD selinux-hostapd-2.20180701-r1.ebuild 381 BLAKE2B e72b73164969be79643d5b584a57d1bc1ab4724f24d9d8e4d5964dd3193b1402277f6662db461f10d8937fdffea9dadb53f86afb855a3226be760a3df72309d3 SHA512 696ea45e4f5fac01fab8c5c44ca03f28746e9b251bc4e81f2c6c4dfb06d95eda475563bba6f6498bc2290a97cf9db7753b39f7c8178c6dad701ad85acda775b9
--- a/sec-policy/selinux-hostapd/files/hostapd.fc
+++ b/sec-policy/selinux-hostapd/files/hostapd.fc
@@ -0,0 +1,6 @@
+/usr/sbin/hostapd		--	gen_context(system_u:object_r:hostapd_exec_t,s0)
+
+/var/run/hostapd(/.*)?		gen_context(system_u:object_r:hostapd_var_run_t,s0)
+/etc/hostapd(/.*)?          gen_context(system_u:object_r:hostapd_conf_t,s0)
+
+/run/hostapd.pid		--	gen_context(system_u:object_r:hostapd_var_run_t,s0)
--- a/sec-policy/selinux-hostapd/files/hostapd.te
+++ b/sec-policy/selinux-hostapd/files/hostapd.te
@@ -0,0 +1,56 @@
+policy_module(hostapd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type hostapd_t;
+type hostapd_exec_t;
+init_daemon_domain(hostapd_t, hostapd_exec_t)
+
+type hostapd_var_run_t;
+files_pid_file(hostapd_var_run_t)
+
+type hostapd_conf_t;
+files_type(hostapd_conf_t)
+########################################
+#
+# hostapd local policy
+#
+allow hostapd_t self:capability { fsetid chown net_admin net_raw dac_read_search dac_override };
+allow hostapd_t self:fifo_file rw_fifo_file_perms;
+allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
+allow hostapd_t self:netlink_socket create_socket_perms;
+allow hostapd_t self:netlink_generic_socket create_socket_perms;
+allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
+allow hostapd_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_sock_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file sock_file })
+
+read_files_pattern(hostapd_t, hostapd_conf_t, hostapd_conf_t)
+
+kernel_read_system_state(hostapd_t)
+kernel_read_network_state(hostapd_t)
+kernel_request_load_module(hostapd_t)
+kernel_rw_net_sysctls(hostapd_t)
+dev_rw_sysfs(hostapd_t)
+
+#allow initrc_t hostapd_conf_t:file read;
+
+dev_read_rand(hostapd_t)
+dev_read_urand(hostapd_t)
+dev_read_sysfs(hostapd_t)
+dev_rw_wireless(hostapd_t)
+
+domain_use_interactive_fds(hostapd_t)
+
+auth_use_nsswitch(hostapd_t)
+
+logging_send_syslog_msg(hostapd_t)
+
+miscfiles_read_localization(hostapd_t)
--- a/sec-policy/selinux-hostapd/selinux-hostapd-2.20180701-r1.ebuild
+++ b/sec-policy/selinux-hostapd/selinux-hostapd-2.20180701-r1.ebuild
@@ -0,0 +1,20 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+
+IUSE=""
+MODS="hostapd"
+POLICY_FILES="hostapd.te hostapd.fc"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for hostapd"
+
+RDEPEND="sec-policy/selinux-base-policy"
+
+if [[ $PV == 9999* ]] ; then
+        KEYWORDS=""
+else
+        KEYWORDS="amd64 x86"
+fi
--- a/sec-policy/selinux-knot/Manifest
+++ b/sec-policy/selinux-knot/Manifest
@@ -0,0 +1,6 @@
+AUX knot.fc 351 BLAKE2B c405546b5b619948a3dffccad17c4ae12dcbfbc9b538e4bb7325fc5d8560e3a1b87ab0ccac4fd3dcc14be02d9112f139fe71b9bcd40e06efd8893ddf88a5c0c8 SHA512 214002c8c118e2320c3839a7e9cfccd4bd71e6fa0140351ff2c398f27609ea8ea0c5988ee30072db2729469bfc56cbc4f16de6ddcba792e1baf428215a4661a6
+AUX knot.if 4627 BLAKE2B f383b3fc55dc7c99d583a0b5d61949e5b2d328586e02db7d2e8e6b3d88d3b4a1ed67c812db38d49f71efd8b89c92d37ac9722b0bfc8f11de952f1e02725d716a SHA512 a967b731a993ecec3a9ff7189bb5866049331209f643daadd951053d29e44d133140f3fecad756dc6a6e3f1b87f880c40cae81c5c685c834d7f268bf990fab2b
+AUX knot.te 2142 BLAKE2B 15de1876243e55ba3ed68ecd5bbbcb8f637e23431b5ac15958096be29dd14a248d029a27134b72d43f93bb3215b5b1f9fab7c6d9464fbdcd2ab21fb030104816 SHA512 41ad8d429d680351186b6b337fd8b122a61eea73b302bb893fe7243531ba375678239fade0496474e4ece45df667669854d3f5d3e858fe9f8b733e4b52070611
+DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
+DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
+EBUILD selinux-knot-2.20180701-r1.ebuild 377 BLAKE2B 3e0e81a404c1810ddeedad0ab2af2d6db2270f85492ea39d60992cf0b0015f500b8e70dda185af2341684115adcb580e79fba76665fbe80ba0d1db3305103082 SHA512 18f8f1a16161f4f648cbd346b467bc4bb3c810d156e6ffbdc34d12d7686f08c0911484e8c5304045ae2aef49c71d9586b574f041c1fe337fbacf1d405579c5f4
--- a/sec-policy/selinux-knot/files/knot.fc
+++ b/sec-policy/selinux-knot/files/knot.fc
@@ -0,0 +1,10 @@
+/usr/sbin/knotd		--	gen_context(system_u:object_r:knotd_exec_t,s0)
+
+/usr/sbin/knotc         --      gen_context(system_u:object_r:knotc_exec_t,s0)
+
+/var/run/knot(/.*)?	gen_context(system_u:object_r:knot_var_run_t,s0)
+
+/var/lib/knot(/.*)?	gen_context(system_u:object_r:knot_var_lib_t,s0)
+
+/etc/knot(/.*)?		gen_context(system_u:object_r:knot_etc_t,s0)
+
--- a/sec-policy/selinux-knot/files/knot.if
+++ b/sec-policy/selinux-knot/files/knot.if
@@ -0,0 +1,198 @@
+
+## <summary>policy for knotc</summary>
+
+########################################
+## <summary>
+##	Execute knotd_exec_t in the knotd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`knotd_domtrans',`
+	gen_require(`
+		type knotd_t, knotd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, knotd_exec_t, knotd_t)
+')
+
+######################################
+## <summary>
+##	Execute knotd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`knotd_exec',`
+	gen_require(`
+		type knotd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, knotd_exec_t)
+')
+
+########################################
+## <summary>
+##      Knotd /run files transitions.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`knot_var_run_trans',`
+        gen_require(`
+		type knot_var_run_t;
+                type var_run_t;
+                type tmpfiles_t;
+        ')
+
+        manage_dirs_pattern($1, knot_var_run_t, knot_var_run_t)
+        manage_files_pattern($1, knot_var_run_t, knot_var_run_t)
+        manage_lnk_files_pattern($1, knot_var_run_t, knot_var_run_t)
+	manage_sock_files_pattern($1, knot_var_run_t, knot_var_run_t)
+	search_dirs_pattern($1, knot_var_run_t, knot_var_run_t)
+	files_pid_filetrans($1, knot_var_run_t, { file dir sock_file})
+        filetrans_pattern(tmpfiles_t, var_run_t, knot_var_run_t, dir, "knot")
+')
+
+########################################
+## <summary>
+##      Knot /var/lib files mamange.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`knot_var_lib_manage',`
+        gen_require(`
+                type knot_var_lib_t;
+        ')
+
+        manage_dirs_pattern($1, knot_var_lib_t, knot_var_lib_t)
+        manage_files_pattern($1, knot_var_lib_t, knot_var_lib_t)
+        manage_lnk_files_pattern($1, knot_var_lib_t, knot_var_lib_t)
+        allow $1 knot_var_lib_t:file map;
+        files_var_lib_filetrans($1, knot_var_lib_t, { file dir })
+')
+
+########################################
+## <summary>
+##      Knotd /var/lib files transitions.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`knot_var_lib_trans',`
+        gen_require(`
+		type knot_var_lib_t;
+                type var_lib_t;
+                type tmpfiles_t;
+        ')
+
+	knot_var_lib_manage($1)
+        filetrans_pattern(tmpfiles_t, var_lib_t, knot_var_lib_t, dir, "knot")
+')
+
+########################################
+## <summary>
+##      Knot /etc/knot files read.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`knot_etc_t_read',`
+        gen_require(`
+                type knot_etc_t;
+                type initrc_t;
+        ')
+
+        mmap_read_files_pattern($1, knot_etc_t, knot_etc_t)
+	read_files_pattern(initrc_t, knot_etc_t, knot_etc_t)
+')
+
+########################################
+## <summary>
+##      Knot /tmp files transitions.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`knot_tmp_trans',`
+        gen_require(`
+                type knot_tmp_t;
+        ')
+
+	files_tmp_filetrans($1, knot_tmp_t, { file dir })
+	allow $1 knot_tmp_t:file map;
+	allow $1 knot_tmp_t:file manage_file_perms;
+	allow $1 knot_tmp_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##      Execute knotc_exec_t in the knotc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`knotc_domtrans',`
+        gen_require(`
+                type knotc_t, knotc_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, knotc_exec_t, knotc_t)
+')
+
+########################################
+## <summary>
+##      Role access for knotc
+## </summary>
+## <param name="role">
+##      <summary>
+##      Role allowed access
+##      </summary>
+## </param>
+## <param name="domain">
+##      <summary>
+##      User domain for the role
+##      </summary>
+## </param>
+#
+interface(`knotc_role',`
+        gen_require(`
+                type knotc_t;
+                attribute_role knotc_roles;
+        ')
+
+        roleattribute $1 knotc_roles;
+
+        knotc_domtrans($2)
+
+        ps_process_pattern($2, knotc_t)
+        allow $2 knotc_t:process { signull signal sigkill };
+')
--- a/sec-policy/selinux-knot/files/knot.te
+++ b/sec-policy/selinux-knot/files/knot.te
@@ -0,0 +1,95 @@
+policy_module(knot, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type knotd_t;
+type knotd_exec_t;
+init_daemon_domain(knotd_t, knotd_exec_t)
+
+type knotc_t;
+type knotc_exec_t;
+application_domain(knotc_t, knotc_exec_t)
+init_daemon_domain(knotc_t, knotc_exec_t)
+role knotc_roles types knotc_t;
+
+attribute_role knotc_roles;
+roleattribute system_r knotc_roles;
+
+type knot_etc_t;
+files_type(knot_etc_t)
+
+type knot_var_run_t;
+files_pid_file(knot_var_run_t)
+
+type knot_var_lib_t;
+files_type(knot_var_lib_t)
+
+type knot_tmp_t;
+files_tmp_file(knot_tmp_t)
+
+########################################
+#
+# knotd local policy
+#
+allow knotd_t self:capability { setgid setuid dac_read_search };
+allow knotd_t self:process { fork signal_perms getcap getsched setsched };
+allow knotd_t self:tcp_socket create_stream_socket_perms;
+allow knotd_t self:udp_socket create_stream_socket_perms;
+allow knotd_t self:unix_stream_socket { listen accept };
+
+corenet_tcp_bind_generic_node(knotd_t)
+corenet_udp_bind_generic_node(knotd_t)
+corenet_tcp_bind_dns_port(knotd_t)
+corenet_udp_bind_dns_port(knotd_t)
+
+knot_etc_t_read(knotd_t)
+knot_var_run_trans(knotd_t)
+knot_var_lib_trans(knotd_t)
+knot_tmp_trans(knotd_t)
+
+kernel_read_kernel_sysctls(knotd_t)
+
+fs_getattr_xattr_fs(knotd_t)
+fs_dontaudit_getattr_tmpfs(knotd_t)
+
+files_read_etc_files(knotd_t)
+
+auth_use_nsswitch(knotd_t)
+
+logging_send_syslog_msg(knotd_t)
+
+miscfiles_read_localization(knotd_t)
+
+########################################
+#
+# knotc local policy
+#
+
+allow knotc_t self:capability { dac_override dac_read_search };
+allow knotc_t knotd_t:unix_stream_socket connectto;
+allow knotc_t knot_var_run_t:dir search;
+allow knotc_t knot_var_run_t:sock_file write_sock_file_perms;
+
+knot_etc_t_read(knotc_t)
+knot_tmp_trans(knotc_t)
+knot_var_lib_manage(knotc_t)
+
+fs_dontaudit_getattr_tmpfs(knotc_t)
+files_dontaudit_search_var_lib(knotc_t)
+
+domain_use_interactive_fds(knotc_t)
+userdom_use_user_ptys(knotc_t)
+
+miscfiles_read_localization(knotc_t)
+
+optional_policy(`
+        gen_require(`
+                type sysadm_t;
+                role sysadm_r;
+        ')
+
+        knotc_role(sysadm_r, sysadm_t)
+')
--- a/sec-policy/selinux-knot/selinux-knot-2.20180701-r1.ebuild
+++ b/sec-policy/selinux-knot/selinux-knot-2.20180701-r1.ebuild
@@ -0,0 +1,20 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+
+IUSE=""
+MODS="knot"
+POLICY_FILES="knot.te knot.fc knot.if"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for knot"
+
+RDEPEND="sec-policy/selinux-base-policy"
+
+if [[ $PV == 9999* ]] ; then
+        KEYWORDS=""
+else
+        KEYWORDS="amd64 x86"
+fi
--- a/sec-policy/selinux-lego/Manifest
+++ b/sec-policy/selinux-lego/Manifest
@@ -0,0 +1,6 @@
+AUX lego.fc 135 BLAKE2B f5518e53fe8d8aed6d19f06b53a9117f72c8773387b0a15f6970fa4e1b3ae985a60a37b8520750a7f16c8efff692c60a560fcaa66fd950675fa7a0627c0c8b97 SHA512 5e457469dc4685fa57175f1825bde5c3323fe7dd83ede73a5987086e90e8cf49c541f142ab5b83f63609323f35d2f3016123365f5dd06d7d55b796b95eba5b18
+AUX lego.if 3516 BLAKE2B 2209fb75dce7c5a79423be81c0b66e3295f6ffd9113d60e58cfe90e6b41b8563f019d4aff3f2ce285a25fe2ee199eb4d4a42180c7b785d22d1180d49e4a6bc71 SHA512 c68cfdcedcf858a717c59353c2709a9687703a873048b61de634f5e05b87bcc1682380616a51a2e687dec99a6c6c385a13074668336a9cc0d37be8a2bc9f763d
+AUX lego.te 2329 BLAKE2B bd04b323a09926b8262b6e1232904f22a5cf5cfc1ad7a54a1812ea5faddc07c974039619baccf657437178f27ef0bb4aba5eec9141c6aa670957ddc47a582a88 SHA512 485cd6449edce49b6e6368c21e9d388bf443c2a19ec782354c6dff16b8c4b8ce7ecd9c89cd45effd2df19edc6ed318851f387a10cd109aaf72698271f3b8da0c
+DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
+DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
+EBUILD selinux-lego-2.20180701-r1.ebuild 377 BLAKE2B 81194e9e7d540735c490a35a783b780bb7ad68d1f8e208c1f54d3c1f8eb688b9fed8c73ebe8abb5f0acb7e62abb77101a12e059809a53437695ca212edcad558 SHA512 5ae9193ce0aae16b0f35a5fdb904c81777eddd6347e776d990c2f562252e7f52018c9b23b470365ae880267069de4e7f5ce6b466fb406c2b86bb7ed83191ce3f
--- a/sec-policy/selinux-lego/files/lego.fc
+++ b/sec-policy/selinux-lego/files/lego.fc
@@ -0,0 +1,2 @@
+/var/lib/lego(/.*)?		gen_context(system_u:object_r:lego_data_t,s0)
+/usr/bin/lego	--      gen_context(system_u:object_r:lego_exec_t,s0)
--- a/sec-policy/selinux-lego/files/lego.if
+++ b/sec-policy/selinux-lego/files/lego.if
@@ -0,0 +1,193 @@
+
+## <summary>policy for lego</summary>
+
+########################################
+## <summary>
+##	Execute lego_exec_t in the lego domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lego_domtrans',`
+	gen_require(`
+		type lego_t, lego_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, lego_exec_t, lego_t)
+')
+
+######################################
+## <summary>
+##	Execute lego in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lego_exec',`
+	gen_require(`
+		type lego_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, lego_exec_t)
+')
+
+########################################
+## <summary>
+##	Search lego conf directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lego_search_data',`
+	gen_require(`
+		type lego_data_t;
+	')
+
+	allow $1 lego_data_t:dir search_dir_perms;
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Read lego conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lego_read_data_files',`
+	gen_require(`
+		type lego_data_t;
+	')
+
+	allow $1 lego_data_t:dir list_dir_perms;
+	read_files_pattern($1, lego_data_t, lego_data_t)
+	files_search_etc($1)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Manage lego conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lego_manage_data_files',`
+	gen_require(`
+		type lego_data_t;
+	')
+
+	manage_files_pattern($1, lego_data_t, lego_data_t)
+	files_search_etc($1)
+	files_search_var_lib($1)
+')
+
+
+########################################
+## <summary>
+##	Execute lego in the lego domain, and
+##	allow the specified role the lego domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the lego domain.
+##	</summary>
+## </param>
+#
+interface(`lego_run',`
+	gen_require(`
+		type lego_t;
+		attribute_role lego_roles;
+	')
+
+	lego_domtrans($1)
+	roleattribute $2 lego_roles;
+')
+
+########################################
+## <summary>
+##	Role access for lego
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`lego_role',`
+	gen_require(`
+		type lego_t;
+		attribute_role lego_roles;
+	')
+
+	roleattribute $1 lego_roles;
+
+	lego_domtrans($2)
+
+	ps_process_pattern($2, lego_t)
+	allow $2 lego_t:process { signull signal sigkill };
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an lego environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`lego_admin',`
+	gen_require(`
+		type lego_t;
+	')
+
+	allow $1 lego_t:process { signal_perms };
+	ps_process_pattern($1, lego_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 lego_t:process ptrace;
+    ')
+
+	files_search_etc($1)
+	admin_pattern($1, lego_data_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
--- a/sec-policy/selinux-lego/files/lego.te
+++ b/sec-policy/selinux-lego/files/lego.te
@@ -0,0 +1,112 @@
+policy_module(lego, 1.0.3)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##      <p>
+##      Determine whether lego can use
+##      user home directories.
+##      </p>
+## </desc>
+gen_tunable(lego_use_homedirs, false)
+
+attribute_role lego_roles;
+roleattribute system_r lego_roles;
+
+type lego_t;
+type lego_exec_t;
+application_domain(lego_t, lego_exec_t)
+role lego_roles types lego_t;
+
+type lego_data_t;
+files_type(lego_data_t)
+ubac_constrained(lego_data_t)
+
+########################################
+#
+# lego local policy
+#
+
+allow lego_t self:capability { dac_override dac_read_search };
+allow lego_t self:process getsched;
+sysnet_read_config(lego_t)
+files_search_var_lib(lego_t)
+
+userdom_use_user_ptys(lego_t)
+domain_use_interactive_fds(lego_t)
+
+corenet_tcp_connect_http_port(lego_t)
+allow lego_t self:tcp_socket create_socket_perms;
+allow lego_t self:udp_socket create_socket_perms;
+allow lego_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(lego_t, lego_data_t, lego_data_t)
+manage_files_pattern(lego_t, lego_data_t, lego_data_t)
+manage_lnk_files_pattern(lego_t, lego_data_t, lego_data_t)
+files_etc_filetrans(lego_t, lego_data_t, { dir file lnk_file })
+
+miscfiles_read_generic_certs(lego_t)
+miscfiles_read_localization(lego_t)
+
+tunable_policy(`lego_use_homedirs',`
+	userdom_manage_user_home_content_dirs(lego_t)
+	userdom_manage_user_home_content_files(lego_t)
+')
+
+optional_policy(`
+    gen_require(`
+       type sysadm_t;
+       role sysadm_r;
+    ')
+    lego_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+    gen_require(`
+       role user_r;
+       type user_t;
+    ')
+    lego_role(user_r, user_t)
+')
+
+optional_policy(`
+    gen_require(`
+       role staff_r;
+       type staff_t;
+    ')
+    lego_role(staff_r, staff_t)
+')
+
+optional_policy(`
+    gen_require(`
+       type nginx_t;
+    ')
+    lego_read_data_files(nginx_t)
+')
+
+optional_policy(`
+    gen_require(`
+       type dovecot_t;
+    ')
+    lego_read_data_files(dovecot_t)
+')
+
+optional_policy(`
+    gen_require(`
+       type exim_t;
+    ')
+    lego_read_data_files(exim_t)
+')
+
+optional_policy(`
+    gen_require(`
+       type system_cronjob_t, system_cronjob_tmp_t;
+    ')
+        cron_system_entry(lego_t, lego_exec_t)
+	allow system_cronjob_t lego_data_t:file setattr;
+	allow lego_t system_cronjob_tmp_t:file write;
+')
+
--- a/sec-policy/selinux-lego/selinux-lego-2.20180701-r1.ebuild
+++ b/sec-policy/selinux-lego/selinux-lego-2.20180701-r1.ebuild
@@ -0,0 +1,20 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+
+IUSE=""
+MODS="lego"
+POLICY_FILES="lego.te lego.fc lego.if"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for lego"
+
+RDEPEND="sec-policy/selinux-base-policy"
+
+if [[ $PV == 9999* ]] ; then
+        KEYWORDS=""
+else
+        KEYWORDS="amd64 x86"
+fi
--- a/sec-policy/selinux-nextcloud/Manifest
+++ b/sec-policy/selinux-nextcloud/Manifest
@@ -0,0 +1,4 @@
+AUX nextcloud.te 1363 BLAKE2B b18c1a2a3a1cbefba0f0d8e56e38556a7778e4d41c5e8c0cbe7016417fe361a2c0b1a18c72b1c7a587fa81482295e3bf1a226ceb49f42d6ab439a1e6d2b418a6 SHA512 034ee58a7780a2f9ee098accbb2b4e5996153de7d5bf7f95cc932193f963fe7addc58dbb2f805d25bb6ec3ccc72707580ef321053d4d321fc3607d0f9f8d873c
+DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
+DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
+EBUILD selinux-nextcloud-2.20180701-r1.ebuild 376 BLAKE2B 582ecbc77d098512f524daf539346819dc6c480a6d7754a6e2a4224485453f19ad1c906cdd42e92e72d1a2093fd47698e13847df575a60e7369b1d80c9d00181 SHA512 d287903678e45839041fcf06e19e2245d20d2ebc4ffea8dcd8b22000ce8bba362f5f943969723926e4b86fca62c885ad2a371273910631a62d2b4b122df6caf2
--- a/sec-policy/selinux-nextcloud/files/nextcloud.te
+++ b/sec-policy/selinux-nextcloud/files/nextcloud.te
@@ -0,0 +1,57 @@
+policy_module(nextcloud, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+########################################
+#
+# lego local policy
+#
+
+gen_require(`
+       type phpfpm_t;
+       type phpfpm_tmp_t;
+       type etc_t;
+       type cert_t;
+       type httpd_sys_content_t;
+       type httpd_sys_rw_content_t;
+       class file { map open read };
+       class process sigkill;
+       class shm { create destroy read unix_read unix_write write };
+')
+
+optional_policy(`
+    gen_require(`
+       type system_cronjob_t;
+       type phpfpm_exec_t;
+    ')
+    cron_system_entry(phpfpm_t, phpfpm_exec_t)
+')
+
+corenet_udp_bind_generic_node(phpfpm_t)
+corenet_tcp_connect_http_port(phpfpm_t)
+# Allow to connect to IMAP/SMTP
+corenet_tcp_connect_pop_port(phpfpm_t)
+corenet_tcp_connect_smtp_port(phpfpm_t)
+
+fs_rw_hugetlbfs_files(phpfpm_t)
+allow phpfpm_t hugetlbfs_t:file map;
+
+allow phpfpm_t etc_t:file map;
+allow phpfpm_t phpfpm_tmp_t:file map;
+allow phpfpm_t httpd_sys_content_t:file map;
+allow phpfpm_t httpd_sys_rw_content_t:file map;
+
+allow phpfpm_t cert_t:file { open read };
+
+allow phpfpm_t self:process sigkill;
+allow phpfpm_t self:shm { create_shm_perms r_shm_perms };
+
+files_search_var(phpfpm_t)
+userdom_list_user_home_content(phpfpm_t)
+userdom_read_user_home_content_files(phpfpm_t)
+files_search_mnt(phpfpm_t)
+
+files_dontaudit_list_var(phpfpm_t)
--- a/sec-policy/selinux-nextcloud/selinux-nextcloud-2.20180701-r1.ebuild
+++ b/sec-policy/selinux-nextcloud/selinux-nextcloud-2.20180701-r1.ebuild
@@ -0,0 +1,20 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+
+IUSE=""
+MODS="nextcloud"
+POLICY_FILES="nextcloud.te"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for nextcloud"
+
+RDEPEND="sec-policy/selinux-base-policy"
+
+if [[ $PV == 9999* ]] ; then
+        KEYWORDS=""
+else
+        KEYWORDS="amd64 x86"
+fi
--- a/sec-policy/selinux-nsd/Manifest
+++ b/sec-policy/selinux-nsd/Manifest
@@ -0,0 +1,4 @@
+DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
+DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
+EBUILD selinux-nsd-2.20180701-r1.ebuild 277 BLAKE2B 19b0326fc75c91994ba63b0e410241877e87b81680b9d02458b4896652c93b6b472170543d7f23de1f714f62aee29dfc932c428103b752f6ca9de5e30c92ed8a SHA512 dc3549650228861e51c8b1dda49b0ce0e7403a3e3d004c72e021b31e7987f7227d263e19e3500d6e34ba9d560a3a0876d6428f493aaea7d3ec27c132b03b62f3
+MISC metadata.xml 314 BLAKE2B 804e8fd77ee3d8a8ef928de31a5db28fe522eafed3695574154fd70316f49d793c62a758dd53e5902c322c23bd9edc4f18888258e41b8701d3ae5cf4c573560c SHA512 dec699cdcba4fb0219f7fb71afbfca634d1a5767121078a206289fda39d33a622f2986064e29f16548290f4ca8aa71150667e92fbb4d799ece93209b2f1967c2
--- a/sec-policy/selinux-nsd/metadata.xml
+++ b/sec-policy/selinux-nsd/metadata.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="project">
+		<email>selinux@gentoo.org</email>
+		<name>SELinux Team</name>
+	</maintainer>
+	<longdescription>Gentoo SELinux policy for alsa</longdescription>
+</pkgmetadata>
--- a/sec-policy/selinux-nsd/selinux-nsd-2.20180701-r1.ebuild
+++ b/sec-policy/selinux-nsd/selinux-nsd-2.20180701-r1.ebuild
@@ -0,0 +1,15 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+IUSE=""
+MODS="nsd"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for nsd"
+
+if [[ ${PV} != 9999* ]] ; then
+	KEYWORDS="amd64 -arm ~arm64 ~mips ~x86"
+fi
--- a/sec-policy/selinux-rspamd/Manifest
+++ b/sec-policy/selinux-rspamd/Manifest
@@ -0,0 +1,6 @@
+AUX rspamd.fc 359 BLAKE2B 5b559490f203545c60fdaad7b9b5446c467f73312b5fa62716de5850aaf2b18b2610e36903dce0f3711ef6070c8132752a74b2161b49a1ae2770dfca7bffd4dd SHA512 5b8feaf54ea3437b12b9bad8d9f47fa52dc2f0b8993043c6d37b3e4179b36afdb047eec38294c271adbfc2c7e112f205de64c36aea71055777c3747a9fe25ea0
+AUX rspamd.if 6518 BLAKE2B 3c1a62ab074e8ff0e46aec72804ef67022589cc7d40f9bfce45350b9396fb336d121bd407af2e6dea905e0b71c3609c21ef72d3dd24df46f26f8e22188333552 SHA512 79dd3e7ecf5b80f2e60f28a887ab69b037097427472c2b12a2960b325aec9d3ed60b5c11518287512a9a439b99880857aec3446a30383f30c1be1035e03d9798
+AUX rspamd.te 3621 BLAKE2B b155e0f160627b81be85208950468d483e2a1a6eddb0d43671ca5adb15f637c675f54fe24ff17811d14c0f34211afc4b6c2c8e08077f928b59e5ae36d44d8b61 SHA512 71540931c4e6e1eed253f60d2118df36788fb59a9dfe200ffa03d7be2afcc0eb97773a6cda0e38f91ccd254a53df3e4dbc33e1f0a3529f6ae92f9c689e88e95d
+DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
+DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
+EBUILD selinux-rspamd-2.20180701-r1.ebuild 387 BLAKE2B 029838949f858eccc5ffd50ef22ad623253db4494b881e150ecaab40b4c5976a7d483fa96f7591e748f6401bd1fdf270b514f26bd6810034a4084dd9f7029468 SHA512 16894cabddda31b87d354f7a34d4f0877027db0c381bd4347c5a540e34e4b848f5053f037454577c7f2e2e575a2bfeb36106b39107fa442192633662fcd1e4f3
--- a/sec-policy/selinux-rspamd/files/rspamd.fc
+++ b/sec-policy/selinux-rspamd/files/rspamd.fc
@@ -0,0 +1,9 @@
+/usr/bin/rspamd.*		--	gen_context(system_u:object_r:rspamd_exec_t,s0)
+
+/etc/rspamd(/.*)?		gen_context(system_u:object_r:rspamd_conf_t,s0)
+
+/var/lib/rspamd(/.*)?		gen_context(system_u:object_r:rspamd_var_lib_t,s0)
+
+/var/log/rspamd(/.*)?		gen_context(system_u:object_r:rspamd_log_t,s0)
+
+/var/run/rspamd(/.*)?		gen_context(system_u:object_r:rspamd_var_run_t,s0)
--- a/sec-policy/selinux-rspamd/files/rspamd.if
+++ b/sec-policy/selinux-rspamd/files/rspamd.if
@@ -0,0 +1,325 @@
+
+## <summary>policy for rspamd</summary>
+
+########################################
+## <summary>
+##	Execute rspamd_exec_t in the rspamd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rspamd_domtrans',`
+	gen_require(`
+		type rspamd_t, rspamd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rspamd_exec_t, rspamd_t)
+')
+
+######################################
+## <summary>
+##	Execute rspamd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_exec',`
+	gen_require(`
+		type rspamd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, rspamd_exec_t)
+')
+########################################
+## <summary>
+##	Read rspamd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`rspamd_read_log',`
+	gen_require(`
+		type rspamd_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, rspamd_log_t, rspamd_log_t)
+')
+
+########################################
+## <summary>
+##	Append to rspamd log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_append_log',`
+	gen_require(`
+		type rspamd_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, rspamd_log_t, rspamd_log_t)
+')
+
+########################################
+## <summary>
+##	Manage rspamd log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_manage_log',`
+	gen_require(`
+		type rspamd_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, rspamd_log_t, rspamd_log_t)
+	manage_files_pattern($1, rspamd_log_t, rspamd_log_t)
+	manage_lnk_files_pattern($1, rspamd_log_t, rspamd_log_t)
+')
+
+########################################
+## <summary>
+##	Search rspamd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_search_lib',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	allow $1 rspamd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read rspamd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_read_lib_files',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage rspamd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_manage_lib_files',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage rspamd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_manage_lib_dirs',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read rspamd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_read_pid_files',`
+	gen_require(`
+		type rspamd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, rspamd_var_run_t, rspamd_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an rspamd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`rspamd_admin',`
+	gen_require(`
+		type rspamd_t;
+		type rspamd_log_t;
+		type rspamd_var_lib_t;
+		type rspamd_var_run_t;
+	')
+
+	allow $1 rspamd_t:process { signal_perms };
+	ps_process_pattern($1, rspamd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 rspamd_t:process ptrace;
+    ')
+
+	logging_search_logs($1)
+	admin_pattern($1, rspamd_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, rspamd_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, rspamd_var_run_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+############################################################################
+# network.if
+############################################################################
+
+########################################
+## <summary>
+##      Bind TCP sockets to the rspamd worker port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rspamd_wrkr_port',`
+        gen_require(`
+                type rspamd_wrkr_port_t;
+        ')
+
+        allow $1 rspamd_wrkr_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+##      Bind TCP sockets to the rspamd controller port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rspamd_cntrllr_port',`
+        gen_require(`
+                type rspamd_cntrllr_port_t;
+        ')
+
+        allow $1 rspamd_cntrllr_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+##      Bind TCP sockets to the rspamd proxy port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rspamd_prx_port',`
+        gen_require(`
+                type rspamd_prx_port_t;
+        ')
+
+        allow $1 rspamd_prx_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+##      Make a TCP connection to the rspamd worker port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_rspamd_wrkr_port',`
+        gen_require(`
+                type rspamd_wrkr_port_t;
+        ')
+
+        allow $1 rspamd_wrkr_port_t:tcp_socket name_connect;
+')
+
+
--- a/sec-policy/selinux-rspamd/files/rspamd.te
+++ b/sec-policy/selinux-rspamd/files/rspamd.te
@@ -0,0 +1,120 @@
+policy_module(rspamd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rspamd_t;
+type rspamd_exec_t;
+init_daemon_domain(rspamd_t, rspamd_exec_t)
+
+#permissive rspamd_t;
+
+type rspamd_conf_t;
+files_type(rspamd_conf_t)
+
+type rspamd_tmpfs_t;
+files_tmpfs_file(rspamd_tmpfs_t)
+
+type rspamd_log_t;
+logging_log_file(rspamd_log_t)
+
+type rspamd_var_lib_t;
+files_type(rspamd_var_lib_t)
+
+type rspamd_var_run_t;
+files_pid_file(rspamd_var_run_t)
+
+type rspamd_wrkr_port_t;
+corenet_port(rspamd_wrkr_port_t)
+#portcon tcp     11333   gen_context(system_u:object_r:rspamd_wrkr_port_t,s0)
+
+type rspamd_cntrllr_port_t;
+corenet_port(rspamd_cntrllr_port_t)
+#portcon tcp     11334   gen_context(system_u:object_r:rspamd_cntrllr_port_t,s0)
+
+type rspamd_prx_port_t;
+corenet_port(rspamd_prx_port_t)
+#portcon tcp     11332   gen_context(system_u:object_r:rspamd_prx_port_t,s0)
+
+########################################
+#
+# rspamd local policy
+#
+#allow rspamd_t self:capability { chown setgid setuid };
+#allow rspamd_t self:process { fork setrlimit signal_perms };
+allow rspamd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow rspamd_t self:fifo_file rw_fifo_file_perms;
+allow rspamd_t self:capability { chown dac_override dac_read_search kill net_bind_service setgid setuid };
+allow rspamd_t self:process { getsched setrlimit signal execmem };
+allow rspamd_t self:tcp_socket { listen accept };
+
+corenet_tcp_bind_generic_node(rspamd_t)
+corenet_udp_bind_generic_node(rspamd_t)
+corenet_tcp_bind_rspamd_wrkr_port(rspamd_t)
+corenet_tcp_bind_rspamd_cntrllr_port(rspamd_t)
+corenet_tcp_bind_rspamd_prx_port(rspamd_t)
+corenet_tcp_connect_http_port(rspamd_t)
+corenet_tcp_connect_smtp_port(rspamd_t)
+corenet_tcp_connect_redis_port(rspamd_t)
+
+kernel_read_kernel_sysctls(rspamd_t)
+
+allow rspamd_t rspamd_conf_t:file map;
+list_dirs_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
+read_files_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
+read_lnk_files_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
+
+allow rspamd_t rspamd_tmpfs_t:file map;
+manage_files_pattern(rspamd_t, rspamd_tmpfs_t, rspamd_tmpfs_t)
+fs_tmpfs_filetrans(rspamd_t, rspamd_tmpfs_t, file)
+
+manage_dirs_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
+manage_files_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
+manage_lnk_files_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
+logging_log_filetrans(rspamd_t, rspamd_log_t, { dir file lnk_file })
+
+files_list_var(rspamd_t)
+allow rspamd_t rspamd_var_lib_t:file map;
+manage_dirs_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
+manage_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
+manage_lnk_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
+manage_sock_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
+files_var_lib_filetrans(rspamd_t, rspamd_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
+manage_files_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
+manage_lnk_files_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
+files_pid_filetrans(rspamd_t, rspamd_var_run_t, { dir file lnk_file })
+
+userdom_use_user_ptys(rspamd_t)
+domain_use_interactive_fds(rspamd_t)
+
+#files_read_etc_files(rspamd_t)
+files_read_usr_files(rspamd_t)
+files_map_usr_files(rspamd_t)
+
+files_dontaudit_list_var(rspamd_t)
+
+auth_use_nsswitch(rspamd_t)
+
+logging_send_syslog_msg(rspamd_t)
+
+miscfiles_read_localization(rspamd_t)
+
+sysnet_dns_name_resolve(rspamd_t)
+
+optional_policy(`
+        gen_require(`
+                type exim_t;
+        ')
+
+	corenet_tcp_connect_rspamd_wrkr_port(exim_t)
+
+')
+
+optional_policy(`
+	clamav_stream_connect(rspamd_t)
+')
--- a/sec-policy/selinux-rspamd/selinux-rspamd-2.20180701-r1.ebuild
+++ b/sec-policy/selinux-rspamd/selinux-rspamd-2.20180701-r1.ebuild
@@ -0,0 +1,20 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+
+IUSE=""
+MODS="rspamd"
+POLICY_FILES="rspamd.te rspamd.fc rspamd.if"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for rspamd"
+
+RDEPEND="sec-policy/selinux-base-policy"
+
+if [[ $PV == 9999* ]] ; then
+        KEYWORDS=""
+else
+        KEYWORDS="amd64 x86"
+fi
--- a/sec-policy/selinux-server-custom/Manifest
+++ b/sec-policy/selinux-server-custom/Manifest
@@ -0,0 +1,4 @@
+AUX server-custom.te 4534 BLAKE2B 5cda8ae24fdff6101c505139f3b9f2c5003cf5e7231ee2144f8ed04311e5ee2c83ae7a8ba5f33b2d09423077d624b9490c7683f117e6d43f81edddd89022d47a SHA512 699a67ef140ca9cf9f950731e0a788f793a8c2dc11f804967bf5c4cb9760090e6aa631d5e329d1a71d4153dfdbaf9ba39dfe6bf2a7fa2ecc47843813d6b6f161
+DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
+DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
+EBUILD selinux-server-custom-2.20180701-r1.ebuild 388 BLAKE2B 7967baa6b3ffbd099510af5cb138a3b309fe70266100aae1f7c34072f2f6fdd1918fb0e8edd24f693b1bedee2c8a47c80e81208f5ad762693add2eba918c1c82 SHA512 da5bde5eb21ab5aa097e9ca8638697af92985774fbe0b91cea5fe1097b24b3703255c3af987ecac2f2d32ae6f894c64dcf54fb99c81ff2fdc230c8a89a3dcdee
--- a/sec-policy/selinux-server-custom/files/server-custom.te
+++ b/sec-policy/selinux-server-custom/files/server-custom.te
@@ -0,0 +1,101 @@
+policy_module(server-custom, 1.0.2)
+
+gen_require(`
+    type ping_t, rsync_t, nginx_t, syncthing_t;
+    type ssh_keygen_t, lvm_t, lvm_metadata_t;
+    type portage_t, portage_ebuild_t;
+    type sysadm_t, tmpfiles_t, syslogd_t, hugetlbfs_t;
+    type kmod_t, tracefs_t, postgresql_t, postgresql_tmp_t;
+    type named_t, dovecot_t, dovecot_auth_t, redis_t;
+    type mail_spool_t, exim_t, dovecot_deliver_t, mailserver_delivery;
+    type freshclam_t, phpfpm_t, kernel_t, iptables_t;
+    role sysadm_r;
+')
+
+####### Policy
+
+# Musl specific requirements for address resolve
+corenet_udp_bind_generic_node(ping_t)
+corenet_udp_bind_generic_node(portage_t)
+corenet_udp_bind_generic_node(rsync_t)
+corenet_udp_bind_generic_node(nginx_t)
+corenet_udp_bind_generic_node(exim_t)
+corenet_udp_bind_generic_node(freshclam_t)
+
+# PHP ROUNDCUBE
+corenet_tcp_connect_sieve_port(phpfpm_t)
+
+# NGINX failed to start without additional permissions
+allow nginx_t self:capability { dac_override dac_read_search };
+allow nginx_t self:process getsched;
+
+# Syncthing failed to start/stop without additional permissions
+corecmd_exec_bin(syncthing_t)
+# WARNING: Failed to lower process priority: set process group: permission denied
+# WARNING: Failed to lower process priority: set niceness: permission denied
+allow syncthing_t self:process { signal_perms setpgid setsched };
+# Able to run "ip ropute show" to determinate gateway for NAT-PMP
+# sysnet_domtrans_ifconfig(syncthing_t)
+# Able to read network state (/proc/*/route) to determinate gateway for NAT-t And to check for cpu capabilities (/proc/cpuinfo).
+kernel_read_network_state(syncthing_t)
+files_search_mnt(syncthing_t)
+
+# Unbound
+allow named_t self:capability net_admin;
+
+# PostgreSQL
+allow postgresql_t hugetlbfs_t:file map;
+allow postgresql_t postgresql_tmp_t:file map;
+
+# Exim
+#allow exim_t self:capability dac_read_search;
+#allow exim_t self:process getsched;
+allow dovecot_deliver_t exim_t:unix_stream_socket { read write };
+
+# Redis
+allow redis_t self:process getsched;
+files_search_var_lib(redis_t)
+
+# DOVECOT
+# dovecot[28606]: Error: imap: Index (in-memory index): Lost log for seq=1 offset=0: Failed to map file seq=2 offset=40..18446744073709551615 (ret=0): Beginning of the log isn't available (initial_mapped=1, reason=in-memory index)
+# dovecot[28606]: imap: Warning: fscking index file (in-memory index)
+# dovecot[28606]: Error: imap: Failed to map transaction log /var/mail/xxx/Maildir/.Drafts/dovecot.index.log at sync_offset=40 after locking: Beginning of the log isn't available
+# avc:  denied  { map } for  pid=28895 comm="imap" path="/var/spool/mail/xxx/Maildir/.Drafts/dovecot.index.cache" dev="dm-0" ino=187521031 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
+allow dovecot_t mail_spool_t:file map;
+# Dovecot SMTP Submission
+corenet_sendrecv_smtp_server_packets(dovecot_t)
+corenet_tcp_bind_smtp_port(dovecot_t)
+corenet_sendrecv_smtp_client_packets(dovecot_t)
+corenet_tcp_connect_smtp_port(dovecot_t)
+# Dovecot DB connect
+corenet_tcp_connect_postgresql_port(dovecot_auth_t)
+
+# NSD failed to work properly without additional permissions
+#allow nsd_t self:capability { dac_read_search net_admin };
+#allow nsd_t self:capability { dac_read_search net_admin };
+#allow nsd_t nsd_zone_t:file { map };
+#allow nsd_t nsd_db_t:file { map };
+
+#allow lvm_t lvm_metadata_t:file map;
+
+# comm="modprobe" name="events" dev="tracefs"
+allow kmod_t tracefs_t:dir search;
+
+# avc:  denied  { dac_read_search } for  pid=9036 comm="checkpath" capability=2
+# avc:  denied  { dac_override } for  pid=9036 comm="checkpath" capability=1
+allow tmpfiles_t self:capability { dac_read_search };
+
+# avc:  denied  { sendto } for  pid=9036 comm="checkpath" path="/dev/log" 
+logging_send_syslog_msg(tmpfiles_t)
+
+# type=AVC msg=audit(1535383674.057:1263): avc:  denied  { write } for  pid=19064 comm="ebuild.sh" name="fd" dev="proc" ino=1054984 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=staff_u:sysadm_r:portage_t:s0 tclass=dir permissive=0
+allow portage_t self:dir write;
+# type=AVC msg=audit(1536753503.662:7355): avc:  denied  { map } for  pid=19388 comm="eix-update" path="/var/lib/layman/musl/sys-apps/sandbox/sandbox-2.12.ebuild" dev="dm-0" ino=749977658 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=system_u:object_r:portage_ebuild_t:s0 tclass=file permissive=0
+allow portage_t portage_ebuild_t:file map;
+
+#optional_policy(`
+#        nsd_admin(sysadm_t, sysadm_r)
+#')
+
+# ssh_keygen_t failed to work with terminal
+userdom_use_user_ptys(ssh_keygen_t)
--- a/sec-policy/selinux-server-custom/selinux-server-custom-2.20180701-r1.ebuild
+++ b/sec-policy/selinux-server-custom/selinux-server-custom-2.20180701-r1.ebuild
@@ -0,0 +1,20 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+
+IUSE=""
+MODS="server-custom"
+POLICY_FILES="server-custom.te"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for custom things"
+
+RDEPEND="sec-policy/selinux-base-policy"
+
+if [[ $PV == 9999* ]] ; then
+        KEYWORDS=""
+else
+        KEYWORDS="amd64 x86"
+fi
--- a/sec-policy/selinux-toe/Manifest
+++ b/sec-policy/selinux-toe/Manifest
@@ -0,0 +1,4 @@
+AUX toe.cil 850 BLAKE2B 868de20c80b2a15e4b9952d238314ff847b094a33e55ca31c77cc63fe585d394c8c46a2a72852cccbd4250d1f6c21f008c3d3946f2ab54422a56aefb8e3ec0a7 SHA512 0985266aa4fd290df95d611d73b6fe1dc821c52a1280485886efdd9696e358442cf7c8016c8fe47fcdbcbddb0fcf0ef511c37f524ee5f83d9a57fba94b61a4f9
+DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
+DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
+EBUILD selinux-toe-2.20180701-r1.ebuild 390 BLAKE2B d5f793a0130e6cd1812e83860a1f307142a86d9543e9f5052447297d7f80b11fbe7a1de18e4c121135eb6a7bada6552a36dd8454f7bf2b7a3a62a38a230438a5 SHA512 7597ec58304a19796053339032e0d65e8801372c716388554d6fb2fe7d88207f5cbf1fab842f08449910bcef82bc5d60792200e4e901b3b41dbd0132d56efef9
--- a/sec-policy/selinux-toe/files/toe.cil
+++ b/sec-policy/selinux-toe/files/toe.cil
@@ -0,0 +1,23 @@
+; Name: TOE (Trusted Owner Execution) SELinux module.
+; Author: Alexander Miroshnichenko (alexminder)
+; e-mail: alexminder@gmail.com
+; Purpose: Prevent users to execute untrusted their (non system_u context) or tmp files.
+; License: GPL-3
+;
+(typeattributeset cil_gen_require (user_home_t git_user_content_t portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
+(typeattribute toe_insecure_type)
+(typeattribute toe_exclude_type)
+(typeattributeset toe_insecure_type (user_home_t git_user_content_t))
+(typeattributeset toe_exclude_type (portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
+(constrain (file (execute))
+  (and
+    (neq t2 toe_insecure_type)
+    (or
+      (eq t2 toe_exclude_type)
+      (and
+        (eq u2 system_u)
+        (neq t2 tmpfile)
+      )
+    )
+  )
+)
--- a/sec-policy/selinux-toe/selinux-toe-2.20180701-r1.ebuild
+++ b/sec-policy/selinux-toe/selinux-toe-2.20180701-r1.ebuild
@@ -0,0 +1,20 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+
+IUSE=""
+MODS="toe"
+POLICY_FILES="toe.cil"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for trusted owner (sysadm_u) execution"
+
+RDEPEND="sec-policy/selinux-base-policy"
+
+if [[ $PV == 9999* ]] ; then
+        KEYWORDS=""
+else
+        KEYWORDS="amd64 x86"
+fi
--- a/sec-policy/selinux-transmission/Manifest
+++ b/sec-policy/selinux-transmission/Manifest
@@ -0,0 +1,6 @@
+AUX transmission.fc 519 BLAKE2B 96edf5ac319fb0ee07c49638321cf91f714c1e1dc977f882cbd756e73ff778c9f1f3fe964e9f3e345b9d73c236b5f235e627c7a14bcd25c0586f6867decf5414 SHA512 815b13e6254b28b073e032a13d2d3d6b3ff50d4085a09f330b5466926cf4b4815f626f3fe008f527eb6e9d23bf3411341ae7c4c6880d48682b1a61dee5c660cf
+AUX transmission.if 7230 BLAKE2B 67581dd8b9583aaec0c65456cc9a14562d838dee46af3e0344f63c94ee39578ac1b9b1d3fda82b051b74f9bc92d17efe4b36170c6d9cf1f15a8e35d0a769071d SHA512 b59c4725478ec2c6257cee4233cd0c1954968c6be8bf5ae4fde44f09f0d2ebbbd6c2b3d630e82030cbe2173d3bdc509d9d40938f14940768e1ccfdad4e3688cb
+AUX transmission.te 3353 BLAKE2B e1a7afb093add23ecacf4e0964d9a386d02a39759cff5a089f3c41d88d63ef2c8d9f0fe00b8c0872d007dc3e80cc3f86be30420760209de5b78ded5811938565 SHA512 66562fa975a6a4524684a83938c34cd6fadf1950cc68c891898f0ddbdba562ebfeea4ced27e63dd65a89c80d4c2022d2393e568e6fa8468711893665703177a7
+DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
+DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
+EBUILD selinux-transmission-2.20180701-r1.ebuild 417 BLAKE2B e7c1edd816214b43cc229eb00bf49f618c38583ff433f4afe76c4e2d2deb82d6b83e1799bf87bf8b3252089662ef2697cd58f27a944e452342c639550125aabc SHA512 28d9546192291811e21a2cc346e565c5e580bb1a040b63bdcfde7ba08da6383ed4de932d0e6127548431e0c477717c54c1433236609ad6493d41c2759b0bb781
--- a/sec-policy/selinux-transmission/files/transmission.fc
+++ b/sec-policy/selinux-transmission/files/transmission.fc
@@ -0,0 +1,11 @@
+/usr/bin/transmission-daemon		--	gen_context(system_u:object_r:transmission_exec_t,s0)
+
+/var/lib/transmission(/.*)?		gen_context(system_u:object_r:transmission_var_lib_t,s0)
+
+/var/lib/transmission/(/.*)?		gen_context(system_u:object_r:transmission_var_lib_t,s0)
+
+/var/log/transmission(/.*)?		gen_context(system_u:object_r:transmission_log_t,s0)
+
+/var/run/transmission(/.*)?		gen_context(system_u:object_r:transmission_var_run_t,s0)
+
+/usr/share/transmission(/.*)?		gen_context(system_u:object_r:transmission_share_t,s0)
--- a/sec-policy/selinux-transmission/files/transmission.if
+++ b/sec-policy/selinux-transmission/files/transmission.if
@@ -0,0 +1,326 @@
+
+## <summary>policy for transmission</summary>
+
+########################################
+## <summary>
+##	Execute transmission_exec_t in the transmission domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`transmission_domtrans',`
+	gen_require(`
+		type transmission_t, transmission_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, transmission_exec_t, transmission_t)
+')
+
+######################################
+## <summary>
+##	Execute transmission in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`transmission_exec',`
+	gen_require(`
+		type transmission_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, transmission_exec_t)
+')
+########################################
+## <summary>
+##	Read transmission's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`transmission_read_log',`
+	gen_require(`
+		type transmission_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, transmission_log_t, transmission_log_t)
+')
+
+########################################
+## <summary>
+##	Append to transmission log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`transmission_append_log',`
+	gen_require(`
+		type transmission_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, transmission_log_t, transmission_log_t)
+')
+
+########################################
+## <summary>
+##	Manage transmission log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`transmission_manage_log',`
+	gen_require(`
+		type transmission_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, transmission_log_t, transmission_log_t)
+	manage_files_pattern($1, transmission_log_t, transmission_log_t)
+	manage_lnk_files_pattern($1, transmission_log_t, transmission_log_t)
+')
+
+########################################
+## <summary>
+##	Search transmission lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`transmission_search_lib',`
+	gen_require(`
+		type transmission_var_lib_t;
+	')
+
+	allow $1 transmission_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read transmission lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`transmission_read_lib_files',`
+	gen_require(`
+		type transmission_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, transmission_var_lib_t, transmission_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage transmission lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`transmission_manage_lib_files',`
+	gen_require(`
+		type transmission_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, transmission_var_lib_t, transmission_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage transmission lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`transmission_manage_lib_dirs',`
+	gen_require(`
+		type transmission_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, transmission_var_lib_t, transmission_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read transmission PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`transmission_read_pid_files',`
+	gen_require(`
+		type transmission_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, transmission_var_run_t, transmission_var_run_t)
+')
+
+
+########################################
+## <summary>
+##      Transmission PID files trsansiotions.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`transmission_pid_trans',`
+        gen_require(`
+                type transmission_t;
+		type var_run_t;
+		type transmission_var_run_t;
+		type initrc_t;
+        ')
+
+        manage_dirs_pattern(transmission_t, transmission_var_run_t, transmission_var_run_t)
+        manage_files_pattern(transmission_t, transmission_var_run_t, transmission_var_run_t)
+        manage_lnk_files_pattern(transmission_t, transmission_var_run_t, transmission_var_run_t)
+        files_pid_filetrans(transmission_t, transmission_var_run_t, { dir file lnk_file })
+        filetrans_pattern(initrc_t, var_run_t, transmission_var_run_t, dir, "transmission")
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an transmission environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`transmission_admin',`
+	gen_require(`
+		type transmission_t;
+		type transmission_log_t;
+		type transmission_var_lib_t;
+		type transmission_var_run_t;
+	')
+
+	allow $1 transmission_t:process { signal_perms };
+	ps_process_pattern($1, transmission_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 transmission_t:process ptrace;
+    ')
+
+	logging_search_logs($1)
+	admin_pattern($1, transmission_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, transmission_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, transmission_var_run_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+## <summary>
+##      Bind TCP sockets to the transmission peer port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_transmission_peer_port',`
+        gen_require(`
+                type transmission_peer_port_t;
+        ')
+
+	allow $1 transmission_peer_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+##      Bind UDP sockets to the transmission peer port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_transmission_peer_port',`
+        gen_require(`
+                type transmission_peer_port_t;
+        ')
+
+	allow $1 transmission_peer_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+##      Bind TCP sockets to the transmission rpc port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_transmission_rpc_port',`
+        gen_require(`
+                type transmission_rpc_port_t;
+        ')
+
+        allow $1 transmission_rpc_port_t:tcp_socket name_bind;
+
+')
--- a/sec-policy/selinux-transmission/files/transmission.te
+++ b/sec-policy/selinux-transmission/files/transmission.te
@@ -0,0 +1,108 @@
+policy_module(transmission, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow transmission to use DHT, uTP and LPD.
+## The correspondig port must be transmission_peer_port_t.
+## </p>
+## </desc>
+gen_tunable(transmission_use_udp, true)
+
+## <desc>
+## <p>
+## Allow transmission to use RPC.
+## The correspondig port must be transmission_rpc_port_t.
+## </p>
+## </desc>
+gen_tunable(transmission_use_rpc, true)
+
+type transmission_t;
+type transmission_exec_t;
+init_daemon_domain(transmission_t, transmission_exec_t)
+
+#permissive transmission_t;
+
+type transmission_log_t;
+logging_log_file(transmission_log_t)
+
+type transmission_var_lib_t;
+files_type(transmission_var_lib_t)
+
+type transmission_var_run_t;
+files_pid_file(transmission_var_run_t)
+
+type transmission_share_t;
+files_type(transmission_share_t)
+
+type transmission_peer_port_t;
+corenet_port(transmission_peer_port_t)
+#portcon tcp     51413   gen_context(system_u:object_r:transmission_peer_port_t,s0)
+#portcon tcp     5413   gen_context(system_u:object_r:transmission_peer_port_t,s0)
+#portcon tcp     6771   gen_context(system_u:object_r:transmission_peer_port_t,s0)
+
+type transmission_rpc_port_t;
+corenet_port(transmission_rpc_port_t)
+#portcon tcp     9091   gen_context(system_u:object_r:transmission_rpc_port_t,s0)
+
+########################################
+#
+# transmission local policy
+#
+allow transmission_t self:process { fork setrlimit };
+allow transmission_t self:fifo_file rw_fifo_file_perms;
+#allow transmission_t self:unix_stream_socket create_stream_socket_perms;
+allow transmission_t self:tcp_socket { accept listen };
+
+corenet_tcp_bind_transmission_peer_port(transmission_t)
+corenet_tcp_bind_rtorrent_port(transmission_t)
+corenet_tcp_bind_generic_node(transmission_t)
+corenet_tcp_connect_all_ports(transmission_t)
+
+kernel_read_kernel_sysctls(transmission_t)
+kernel_read_network_state(transmission_t)
+
+manage_dirs_pattern(transmission_t, transmission_log_t, transmission_log_t)
+manage_files_pattern(transmission_t, transmission_log_t, transmission_log_t)
+manage_lnk_files_pattern(transmission_t, transmission_log_t, transmission_log_t)
+logging_log_filetrans(transmission_t, transmission_log_t, { dir file lnk_file })
+
+manage_dirs_pattern(transmission_t, transmission_var_lib_t, transmission_var_lib_t)
+manage_files_pattern(transmission_t, transmission_var_lib_t, transmission_var_lib_t)
+manage_lnk_files_pattern(transmission_t, transmission_var_lib_t, transmission_var_lib_t)
+files_var_lib_filetrans(transmission_t, transmission_var_lib_t, { dir file lnk_file })
+
+read_files_pattern(transmission_t, transmission_share_t, transmission_share_t)
+
+miscfiles_read_generic_certs(transmission_t)
+
+fs_get_xattr_fs_quotas(transmission_t)
+fs_getattr_xattr_fs(transmission_t)
+
+transmission_pid_trans(transmission_t)
+
+#domain_use_interactive_fds(transmission_t)
+
+#files_read_etc_files(transmission_t)
+
+auth_use_nsswitch(transmission_t)
+
+logging_send_syslog_msg(transmission_t)
+
+miscfiles_read_localization(transmission_t)
+
+sysnet_dns_name_resolve(transmission_t)
+
+tunable_policy(`transmission_use_udp',`
+	corenet_udp_bind_transmission_peer_port(transmission_t)
+	corenet_udp_bind_rtorrent_port(transmission_t)
+	corenet_udp_bind_generic_node(transmission_t)
+')
+
+tunable_policy(`transmission_use_rpc',`
+	corenet_tcp_bind_transmission_rpc_port(transmission_t)
+')
--- a/sec-policy/selinux-transmission/selinux-transmission-2.20180701-r1.ebuild
+++ b/sec-policy/selinux-transmission/selinux-transmission-2.20180701-r1.ebuild
@@ -0,0 +1,20 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+
+IUSE=""
+MODS="transmission"
+POLICY_FILES="transmission.te transmission.fc transmission.if"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for transmission"
+
+RDEPEND="sec-policy/selinux-base-policy"
+
+if [[ $PV == 9999* ]] ; then
+        KEYWORDS=""
+else
+        KEYWORDS="amd64 x86"
+fi
--- a/sec-policy/selinux-wireguard/Manifest
+++ b/sec-policy/selinux-wireguard/Manifest
@@ -0,0 +1,6 @@
+AUX wireguard.fc 250 BLAKE2B 10976a1e72bc8a7962920e4831e25bd8bd36c11d4890d0955e3d85453ebf821d2a1403b68bd178cddc3a8f09c4ce328a9628e0257d72635eb32d6184e18fa2d6 SHA512 248873b7767631ff46f014c8ccc7fcf73077962a037359a1b551a028812e6d2a351ed1f36e5e3717a39612323befa39c5d3c4e6dfc96bcdec08498bcd5f451c5
+AUX wireguard.if 2642 BLAKE2B 292ac6cfda215ffa8b97a2471a42f7e778e84357b268549497ce589e2c9d27ba4e03ee2090618690e6ce34f6436d962eb9fce98a41e37823c63f27d91d9cbc1e SHA512 96a31ab31e57f71bfa7c76a95386e845a50eeb748d9632197e89d3e3d7f7ed3d29d3b30bed668f569bdebebd2803736d1638784fa9195f877b97e55f96701f71
+AUX wireguard.te 2452 BLAKE2B 3408dd5f133978499884236e5fab7480c6be664a82f6862fef7d20d52c9a301fed456520cf61bb9671920d8b2019191a35a1c74702f79ea7c28ca01fa9121d4d SHA512 0af8271f9cfaabbc6f653fa307658cc039f09748972778a6302cc21fd4e9f2023ecd1ff30f2a5ab51f9816c06d6bb2ab3528c94705e582bc3d51b97955296d8b
+DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
+DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
+EBUILD selinux-wireguard-2.20180701-r1.ebuild 402 BLAKE2B 0b9fa44a7cd7fdd8408288b2ed754f23591051e75288e9e50e05a36a0e03eaae39f882a4df3ee3a1c367927922a9e8e57900b72297ef445582a68e2ab06bfa4a SHA512 177f53e4fde327213b713ae19e191f11417ab02ce953abb7742ad16ac685cbdf4a1e12ae4c9f4c24e46da82c16624f4fbe52bf27380d399596c5631f7ade6441
--- a/sec-policy/selinux-wireguard/files/wireguard.fc
+++ b/sec-policy/selinux-wireguard/files/wireguard.fc
@@ -0,0 +1,11 @@
+#
+# /etc
+#
+/etc/wireguard(/.*)?			gen_context(system_u:object_r:wireguard_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/wg			--	gen_context(system_u:object_r:wireguard_exec_t,s0)
+/usr/bin/wg-quick		--      gen_context(system_u:object_r:wireguard_script_exec_t,s0)
+
--- a/sec-policy/selinux-wireguard/files/wireguard.if
+++ b/sec-policy/selinux-wireguard/files/wireguard.if
@@ -0,0 +1,128 @@
+## <summary>Policy for logical volume management programs.</summary>
+
+########################################
+## <summary>
+##	Execute wireguard programs in the wireguard domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`wireguard_domtrans',`
+	gen_require(`
+		type wireguard_t, wireguard_exec_t;
+		type wireguard_script_t, wireguard_script_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, wireguard_exec_t, wireguard_t)
+	domtrans_pattern($1, wireguard_script_exec_t, wireguard_script_t)
+')
+
+########################################
+## <summary>
+##	Execute wireguard programs in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wireguard_exec',`
+	gen_require(`
+		type wireguard_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, wireguard_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute wireguard programs in the wireguard domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the Wireguard domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`wireguard_run',`
+	gen_require(`
+		type wireguard_t, wireguard_script_t;
+	')
+
+	wireguard_domtrans($1)
+	role $2 types wireguard_t;
+	role $2 types wireguard_script_t;
+')
+
+########################################
+## <summary>
+##      Send wireguard a null signal.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`wireguard_signull',`
+	gen_require(`
+		type wireguard_t;
+	')
+
+	allow $1 wireguard_t:process signull;
+')
+
+########################################
+## <summary>
+##	Read Wireguard configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`wireguard_read_config',`
+	gen_require(`
+		type wireguard_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 wireguard_etc_t:dir list_dir_perms;
+	read_files_pattern($1, wireguard_etc_t, wireguard_etc_t)
+')
+
+########################################
+## <summary>
+##	Manage Wireguard configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`wireguard_manage_config',`
+	gen_require(`
+		type wireguard_etc_t;
+	')
+
+	files_search_etc($1)
+	manage_dirs_pattern($1, wireguard_etc_t, wireguard_etc_t)
+	manage_files_pattern($1, wireguard_etc_t, wireguard_etc_t)
+')
+
--- a/sec-policy/selinux-wireguard/files/wireguard.te
+++ b/sec-policy/selinux-wireguard/files/wireguard.te
@@ -0,0 +1,84 @@
+policy_module(wireguard, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wireguard_t;
+type wireguard_exec_t;
+init_system_domain(wireguard_t, wireguard_exec_t)
+# needs privowner because it assigns the identity system_u to device nodes
+# but runs as the identity of the sysadmin
+domain_obj_id_change_exemption(wireguard_t)
+role system_r types wireguard_t;
+
+type wireguard_script_t;
+type wireguard_script_exec_t;
+init_system_domain(wireguard_script_t, wireguard_script_exec_t)
+domtrans_pattern(wireguard_script_t, wireguard_exec_t, wireguard_t)
+
+type wireguard_etc_t;
+files_type(wireguard_etc_t)
+
+########################################
+#
+# wireguard Local policy
+#
+
+kernel_request_load_module(wireguard_t)
+
+allow wireguard_t self:capability net_admin;
+allow wireguard_t self:netlink_generic_socket create_socket_perms;
+allow wireguard_t self:netlink_route_socket r_netlink_socket_perms;
+allow wireguard_t self:udp_socket create_socket_perms;
+
+allow wireguard_t wireguard_script_t:fifo_file read_fifo_file_perms;
+
+manage_dirs_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t)
+manage_files_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t)
+manage_lnk_files_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t)
+files_etc_filetrans(wireguard_t, wireguard_etc_t, dir)
+filetrans_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t, file)
+
+userdom_use_user_ptys(wireguard_t)
+domain_use_interactive_fds(wireguard_t)
+
+########################################
+#
+# wireguard-quick Local policy
+#
+
+files_read_etc_files(wireguard_script_t)
+corecmd_exec_bin(wireguard_script_t)
+corecmd_exec_shell(wireguard_script_t)
+sysnet_domtrans_ifconfig(wireguard_script_t)
+
+manage_dirs_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t)
+manage_files_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t)
+manage_lnk_files_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t)
+filetrans_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t, file)
+
+allow wireguard_script_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_network_state(wireguard_script_t)
+
+miscfiles_read_localization(wireguard_script_t)
+
+userdom_use_user_ptys(wireguard_script_t)
+domain_use_interactive_fds(wireguard_script_t)
+
+########################################
+#
+# optional policy
+#
+
+optional_policy(`
+        gen_require(`
+                type sysadm_t;
+		role sysadm_r;
+        ')
+
+        wireguard_run(sysadm_t, sysadm_r)
+')
+
--- a/sec-policy/selinux-wireguard/selinux-wireguard-2.20180701-r1.ebuild
+++ b/sec-policy/selinux-wireguard/selinux-wireguard-2.20180701-r1.ebuild
@@ -0,0 +1,20 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+
+IUSE=""
+MODS="wireguard"
+POLICY_FILES="wireguard.te wireguard.fc wireguard.if"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for wireguard"
+
+RDEPEND="sec-policy/selinux-base-policy"
+
+if [[ $PV == 9999* ]] ; then
+        KEYWORDS=""
+else
+        KEYWORDS="amd64 x86"
+fi