ArtemGr · April 9, 2010 10:12
diff --git a/acroread b/acroread
 # Last Modified: Tue Apr 13 15:45:46 2010
 #include <tunables/global>

 /usr/bin/acroread {
  #include <abstractions/base>

  /bin/dash ix,
  /etc/dpkg/dpkg.cfg r,
  /etc/dpkg/dpkg.cfg.d/ r,
  /proc/filesystems r,
  /usr/bin/acroread r,
  /usr/bin/dpkg rix,
  /usr/lib/Adobe/Reader8/bin/acroread-en cx,
  /usr/lib/Adobe/Reader9/bin/acroread-en cx,


 profile /usr/lib/Adobe/Reader{8,9}/bin/acroread-en {
    #include <abstractions/audio>
    #include <abstractions/base>
    #include <abstractions/fonts>
    #include <abstractions/gnome>
    #include <abstractions/nameservice>

    # Acrobat Reader 8 (from "stable").
    /etc/gre.d/1.9.1.system.conf r,
    owner /home/*/.adobe/Acrobat/8.0/{,**} mrwk,
    /usr/lib/Adobe/Reader8/Reader/intellinux/bin/acroread mr,
    /usr/lib/Adobe/Reader8/Reader/intellinux/plug_ins/*.api mr,

    /bin/sed rix,
    /bin/grep rix,
    /bin/cat rix,
    /bin/cp rix,
    /bin/mkdir rix,
    /bin/pwd rix,
    /bin/rm rix,
    /bin/uname rix,
    /bin/which px,
    owner /dev/shm/sem.* mrwl,
    #/etc/passwd mr,
    /etc/gre.d/ r,
    owner /home/*/.Xauthority r,
    owner /home/*/.fontconfig/ rw,
    owner /home/*/.fontconfig/* mrw,
    owner /home/*/.adobe/ rw,
    owner /home/*/.adobe/Acrobat/ rw,
    owner /home/*/.adobe/Acrobat/9.0/ rw,
    owner /home/*/.adobe/Acrobat/9.0/** mrk,
    owner /home/*/.adobe/Acrobat/9.0/Preferences/{,**} w,
    owner /home/*/.adobe/Acrobat/9.0/Cert/curl-ca-bundle.crt w,
    owner /home/*/.adobe/Acrobat/9.0/SharedDataEvents wk,
    owner /home/*/.adobe/Acrobat/9.0/SharedDataEvents-journal w,
    owner /home/*/.adobe/Acrobat/9.0/UserCache.bin w,
    owner /home/*/.adobe/Acrobat/9.0/JavaScripts/{,*} w,
    owner /home/*/.adobe/Acrobat/9.0/{TMGrpPrm,TMDocs}.sav w,
    owner /home/*/.adobe/Acrobat/9.0/Synchronizer/{,*} w,
    owner /home/*/.adobe/Acrobat/9.0/Cache/Search/{,*} w,
    owner /home/*/.adobe/Acrobat/9.0/Collab/{,*} rw,
    owner /home/*/.adobe/Acrobat/9.0/Collab/Temp/{,*} rw,
    owner /home/*/.adobe/Acrobat/9.0/Forms/{,*} rw,
    owner /home/*/.adobe/Acrobat/9.0/Cert/{,*} rw,
    owner /home/*/.mozilla/firefox/*.default/Cache/* r,
    owner /home/*/.local/share/icons/ r,
    owner /home/*/Desktop/{,**} r,
    owner /proc/*/mounts r,
    /proc/filesystems r,
    /proc/meminfo r,
    /usr/bin/basename rix,
    /usr/bin/cut ix,
    /usr/bin/xargs ix,
    /usr/bin/expr ix,
    /usr/bin/dirname rix,
    /usr/bin/gconftool-2 rix,
    /usr/bin/test rix,
    /usr/lib/iceweasel/iceweasel px,
    /usr/lib/Adobe/Reader9/Reader/intellinux/bin/acroread rix,
    /usr/lib/Adobe/Reader9/Reader/intellinux/plug_ins/**.api mr,
    /usr/lib/Adobe/Reader9/Reader/intellinux/SPPlugins/ADMPlugin.apl mr,
    /usr/lib/Adobe/Reader9/Resource/Font/*.{PFB,otf} mr,
    /usr/lib/Adobe/Reader9/Reader/DocSettings/ w,

    /usr/share/ r,
    /usr/share/mime/mime.cache mr,
    /usr/local/share/ r,
    /usr/share/fonts/{,**} mr,
    /usr/share/texmf/fonts/**{/,.pfb,.afm} r,
    /usr/share/icons/hicolor/icon-theme.cache mr,

  }
 }
diff --git a/bin.ps b/bin.ps
 # Last Modified: Fri Apr  9 00:12:39 2010
 #include <tunables/global>

 /bin/ps {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability dac_override,
  capability dac_read_search,
  capability sys_ptrace,



  /dev/tty r,
  /proc/ r,
  /proc/*/cmdline r,
  /proc/*/attr/current r,
  /proc/*/stat r,
  /proc/*/status r,
  /proc/*/wchan r,
  /proc/meminfo r,
  /proc/stat r,
  /proc/sys/kernel/pid_max r,
  /proc/tty/drivers r,
  /proc/uptime r,
  /proc/version r,

 }
diff --git a/bin.pwd b/bin.pwd
 # Last Modified: Thu Apr  8 22:43:19 2010
 #include <tunables/global>

 /bin/pwd {
  #include <abstractions/base>

 }
diff --git a/bin.which b/bin.which
 # Last Modified: Thu Apr  8 21:31:38 2010
 #include <tunables/global>

 /bin/which {
  #include <abstractions/base>


  /bin/dash ix,
  /bin/which r,

 }
diff --git a/firefox b/firefox
 # Last Modified: Fri Apr 9 13:06:45 2010
 #include <tunables/global>

 /usr/lib/xulrunner-*/xulrunner-stub {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/gnome>
  #include <abstractions/nameservice>

  network inet stream,

  /bin/dash cx,
  /etc/iceweasel/** r,
  /etc/java-6-sun/logging.properties r,
  /etc/java-6-sun/security/java.security r,
  /etc/mailcap r,
  /etc/mime.types r,
  /etc/mtab r,
  /etc/timezone r,
  owner /home/*/.Xauthority r,
  owner /home/*/.adobe/Flash_Player/** r,
  owner /home/*/.esd_auth r,
  owner /home/*/.java/deployment/deployment.properties rwk,
  owner /home/*/.local/share/icons** r,
  owner /home/*/.local/share/mime/* r,
  owner /home/*/.macromedia/Flash_Player/#SharedObjects/ r,
  owner /home/*/.macromedia/Flash_Player/#SharedObjects/** rw,
  owner /home/*/.macromedia/Flash_Player/macromedia.com/support/** rw,
  owner /home/*/.mozilla/extensions/** r,
  owner /home/*/.mozilla/firefox/** rwk,
  owner /home/*/.gnashrc r,
  owner /home/*/{Downloads,Desktop}/ r,
  owner /home/*/{Downloads,Desktop}/** rwk,
  /proc/filesystems r,
  owner /proc/*/mounts r,
  owner /proc/*/fd/ r,
  /var/lib/dbus/machine-id r,
  /sys/devices/system/cpu/ r,
  /usr/bin/transmission px,
  /usr/lib/jvm/java-6-sun-1.6.*.*/jre/bin/java cx,
  /usr/share/hunspell** r,
  /usr/share/iceweasel/** r,
  /usr/share/mozilla/** r,
  /usr/share/xulrunner-*/** r,
  /usr/share/libthai/thbrk.tri r,

  # Self-restart
  /usr/lib/xulrunner-*/xulrunner-stub px,

  # Adobe Acrobat 9 (via "mozilla-acroread")
  /usr/lib/nspluginwrapper/plugins/npwrapper.nppdf.so mr,
  /usr/lib/nspluginwrapper/i386/linux/npviewer ix,
  /usr/lib/nspluginwrapper/i386/linux/npviewer.bin ix,
  /usr/lib/Adobe/Reader9/Browser/intellinux/nppdf.so mr,
  /bin/uname ix,
  /bin/which px,
  /bin/ps px,
  /bin/grep ix,
  /usr/bin/setarch ix,
  /usr/bin/acroread px,
  /usr/bin/tr ix,

  # Adobe Acrobat 8 (via "mozilla-acroread")
  /usr/lib/Adobe/Reader8/Browser/intellinux/nppdf.so mr,

  # Gnash
  /usr/bin/gtk-gnash ix,
  /etc/gnashrc r,
  /etc/gnashpluginrc r,
  /usr/share/gnash/GnashG.png r,
  /usr/share/gnash/gnash_128_96.ico r,
  owner /home/*/.gnash/SharedObjects/**.sol wr,

  # Iceweasel 4, flash.
  /usr/lib/xulrunner-*/plugin-container ix,

  # External editors for "It's All Text"
  /usr/bin/jedit rix,

 profile /bin/dash {
    #include <abstractions/base>

    /bin/grep rix,
    /bin/ps px,
    /bin/which px,
    /bin/uname ix,

    # Adobe Acrobat 8 (via "mozilla-acroread")
    /usr/lib/nspluginwrapper/i386/linux/npviewer ix,
    /usr/lib/nspluginwrapper/i386/linux/npviewer.bin ix,
    /usr/lib/Adobe/Reader8/Browser/intellinux/nppdf.so mr,
    /usr/bin/setarch ix,

    # Adobe Acrobat 9 (via "mozilla-acroread")
    /usr/lib/Adobe/Reader9/Browser/intellinux/nppdf.so mr,
    /usr/bin/tr ix,
  }

 profile /usr/lib/jvm/java-6-sun-1.6.*.*/jre/bin/java {
    #include <abstractions/base>
    #include <abstractions/gnome>
    #include <abstractions/nameservice>

    /etc/java-6-sun/** r,
    /etc/passwd mr,
    /etc/timezone r,
    owner /home/*/.RealtyAdmin.db rw,
    owner /home/*/.Xauthority r,
    owner /home/*/.java/.userPrefs/** rwk,
    owner /home/*/.java/deployment/** mrwk,
    owner /home/*/.mozilla/appreg r,
    /proc/*/net/if_inet6 r,
    /proc/*/net/ipv6_route r,
    /sys/devices/system/cpu/ r,
    /tmp/hsperfdata_*/* mrwlk,
    /usr/lib/jvm/java-6-sun-1.6.*.*/jre/bin/java rix,
    /usr/lib{,32,64}/** mr,
    /usr/share/fonts/type1/gsfonts/*.pfb r,

    # External editors for "It's All Text"
    /usr/share/jEdit/jedit.jar rm,
    owner /home/*/.jedit/** rmwk,
    /usr/share/jEdit/** rmk,
    owner /home/*/.mozilla/firefox/*/itsalltext/* rwmk,
    /bin/chmod ix,
  }
 }
diff --git a/icedove b/icedove
 # Last Modified: Fri Apr  9 13:26:42 2010
 #include <tunables/global>

 /usr/lib/icedove/icedove-bin {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/gnome>
  #include <abstractions/nameservice>

  /etc/icedove/pref/ r,
  /etc/icedove/pref/icedove.js r,
  owner /home/*/.Xauthority r,
  owner /home/*/.mozilla-thunderbird/** rwk,
  owner /home/*/{Downloads,Desktop}/ r,
  owner /home/*/{Downloads,Desktop}/** rw,
  owner /home/*/.cache/event-sound-cache* rwk,
  /proc/filesystems r,
  /usr/lib/iceweasel/iceweasel px,
  /usr/lib/icedove/update.test rw,
  /usr/share/hunspell/* r,
  /usr/share/icedove/** r,
  /usr/share/icedove/chrome/app-chrome.manifest rw,
  /usr/share/myspell/** r,

  # Self-restarts.
  /usr/lib/icedove/icedove-bin ix,

  # Upgrade to icedove 3.0.4.

  owner /home/*/.icedove/profiles.ini r,
  owner /home/*/.icedove/*.default/{,**} rwk,
  owner /home/*/.mozilla/extensions/** rw,
  owner /home/*/.local/share/icons/{,*} r,
  owner /home/*/.esd_auth r,
  /etc/{mime.types,mailcap,rpc,mtab} r,
  /usr/share/hunspell/{,*} r,
  /usr/bin/sensible-browser rix,

  owner @{HOME}/.local/share/mime/* r,

  # Generic plugins.
  /usr/lib/nspluginwrapper/plugins/*.so rm,
 }
diff --git a/iceweasel b/iceweasel
 # Last Modified: Sat Apr 10 14:10:21 2010
 #include <tunables/global>

 /usr/lib/iceweasel/iceweasel {
  #include <abstractions/base>
  #include <abstractions/nameservice>



  /bin/dash ix,
  /bin/readlink rix,
  /bin/which rpx,
  /etc/iceweasel/iceweaselrc r,
  owner /home/*/.Xauthority r,
  /proc/cpuinfo r,
  /proc/filesystems r,
  /usr/bin/dirname px,
  /usr/lib/xulrunner-1.9.1/xulrunner-stub px,
  /usr/lib/xulrunner-2.0/xulrunner-stub px, # Firefox 4.

 }
diff --git a/psi b/psi
 # Last Modified: Sat Apr 10 14:10:21 2010
 #include <tunables/global>

 /usr/bin/psi {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/gnome>
  #include <abstractions/nameservice>

  owner @{HOME}/.config/Trolltech.conf rwk,
  owner @{HOME}/.psi/psirc rwk,
  owner @{HOME}/.psi/profiles/ r,
  owner /home/*/.psi/avatars/* rw,
  owner /home/*/.psi/profiles/default/options.xml{,.backup,.temp} rw,
  owner /home/*/.psi/profiles/default/accounts.xml{,.backup,.temp} rw,
  owner /home/*/.psi/profiles/default/events-gmail.com.xml{,.backup,.temp} rw,
  owner /home/*/.psi/profiles/default/vcard/*.xml{,.backup,.temp} rw,
  owner /home/*/.psi/profiles/default/history/*.history rw,
  owner /home/*/.psi/avatars/* r,
  owner /home/*/.psi/caps.xml rw,
  owner /home/*/.psi/tmp-sounds/ rw,
  /etc/ssl/certs/ca-certificates.crt r,
  /usr/share/icons/hicolor/index.theme r,
  /usr/share/psi/iconsets/roster/*.jisp r,
  /usr/share/psi/certs/{,*} r,
  /etc/debian_version r,

  # Opens a browser for clickable URLs.
  /usr/bin/xdg-open px,

  # Play sounds.
  /usr/bin/aplay px,

  # Language.
  /var/lib/aspell/en-common.rws r,

  # Explicitly deny /proc access in order to keep the audit log clean.
  deny /proc/*/net/ipv6_route r,
  deny /proc/*/net/route r,
  deny /proc/*/net/if_inet6 r,
 }
diff --git a/rsyslogd b/rsyslogd
 # Last Modified: Sun Apr 11 14:16:29 2010
 #include <tunables/global>

 /usr/sbin/rsyslogd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability sys_admin,

  owner /dev/tty rw,
  owner /dev/xconsole rw,
  owner /etc/rsyslog.conf r,
  owner /etc/rsyslog.d/{,**} r,
  owner /proc/kmsg r,
  /usr/lib/rsyslog/*.so mr,
  owner /var/log/** rw,
  /var/spool/postfix/dev/log rw,
  owner /var/run/rsyslogd.pid rwk,

 }
diff --git a/sbin.dhclient3 b/sbin.dhclient3
 # Last Modified: Sun Apr 11 14:29:19 2010
 #include <tunables/global>

 /sbin/dhclient3 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/nis>


  capability net_admin,
  capability net_bind_service,
  capability net_raw,

  network packet packet,


  /bin/chmod rix,
  /bin/chown rix,
  /bin/mv rix,
  /bin/rm rix,
  /bin/run-parts rix,
  owner /etc/dhcp3/dhclient-{enter,exit}-hooks.d/{,*} r,
  owner /etc/dhcp3/dhclient.conf r,
  owner /etc/resolv.conf.dhclient-new rw,
  owner /etc/resolv.conf w,
  owner /proc/*/net/dev r,
  owner /proc/filesystems r,
  owner /proc/meminfo r,
  /sbin/dhclient-script rix,
  /sbin/ifconfig rix,
  /sbin/route rix,
  /usr/sbin/avahi-autoipd rix,
  owner /var/lib/dhcp3/dhclient.leases rw,
  owner /var/lib/wicd/dhclient.conf r,
  owner /var/run/dhclient.pid rw,

 }
diff --git a/skype b/skype
 # Last Modified: Fri Apr  9 15:04:10 2010
 #include <tunables/global>

 /usr/bin/skype {
  #include <abstractions/X>
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>

  /dev/ r,
  /dev/snd/* mrw,
  /dev/video0 mrw,
  /etc/group mr,
  owner /home/*/.Skype/ rw,
  owner /home/*/.Skype/** rwk,
  owner /home/*/.Xauthority r,
  owner /home/*/.config/Trolltech.conf rwk,
  owner /home/*/.fontconfig/* mr,
  owner /home/*/.mozilla/ r,
  owner /home/*/.mozilla/** r,
  /proc/*/net/route r,
  /proc/sys/kernel/os{type,release} r,
  /sys/devices/system/cpu/ r,
  /usr/bin/xdg-open rpx,
  /usr/share/fonts/** mr,
  /usr/share/skype/** mrk,

 }
diff --git a/transmission b/transmission
 # Last Modified: Sat Apr 10 14:10:21 2010
 #include <tunables/global>

 /usr/bin/transmission {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/gnome>
  #include <abstractions/nameservice>
  #include <abstractions/perl>

  / r,
  /bin/grep rix,
  /bin/which rpx,
  /etc/iceweasel/iceweaselrc r,
  /etc/mailcap r,
  owner /home/*/ r,
  owner /home/*/.Xauthority r,
  owner /home/*/.config/gtk-2.0/* r,
  owner /home/*/.config/transmission/** rwk,
  owner /home/*/.esd_auth r,
  owner /home/*/.local/share/icons/ r,
  owner /home/*/.local/share/mime/* r,
  owner /home/*/{Desktop,Downloads}/ r,
  owner /home/*/{Desktop,Downloads}/** rw,
  owner /home/*/.config/gtk-2.0/gtkfilechooser.ini.SEBGBV rw,
  owner /home/*/.local/share/Trash/** w,
  owner /home/*/.cache/event-sound-cache.* rwk,
  owner /home/*/.cache/transmission/ rw,
  owner /home/*/.cache/transmission/favicons/{,*} rw,
  /proc/cpuinfo r,
  /proc/filesystems r,
  /usr/bin/dbus-send rix,
  /usr/bin/dirname px,
  /usr/bin/run-mailcap rix,
  /usr/bin/sensible-browser rix,
  /usr/bin/xdg-mime rix,
  /usr/bin/xdg-open rpx,
  /usr/bin/xprop rix,
  /usr/lib/iceweasel/iceweasel px,
  /usr/lib/xulrunner-1.9.1/xulrunner-stub px,

 }
diff --git a/usr.bin.aplay b/usr.bin.aplay
 # Last Modified: Sat Apr 10 14:10:21 2010
 #include <tunables/global>

 /usr/bin/aplay {
  #include <abstractions/base>

  /etc/nsswitch.conf r,
  /etc/group r,

  /usr/share/alsa/*.conf r,
  /usr/share/alsa/cards/*.conf r,
  /usr/share/alsa/pcm/*.conf r,

  /dev/snd/* rw,

  /usr/share/psi/sound/*.wav r,
 }
diff --git a/usr.bin.xdg-open b/usr.bin.xdg-open
 # Last Modified: Sat Apr 10 14:10:21 2010
 #include <tunables/global>

 /usr/bin/xdg-open {
  #include <abstractions/base>
  #include <abstractions/perl>

  /bin/egrep rix,
  /bin/sed ix,
  /bin/tempfile ix,
  /bin/dash ix,
  /bin/grep rix,
  /bin/which rpx,
  /etc/mailcap r,
  /etc/magic r,
  /etc/mime.types r,
  owner /home/*/.Xauthority r,
  /proc/filesystems r,
  owner /tmp/file* rw,
  /usr/bin/cut ix,
  /usr/bin/dbus-send rix,
  /usr/bin/file ix,
  /usr/bin/run-mailcap rix,
  /usr/bin/sensible-browser rix,
  /usr/bin/xdg-mime rix,
  /usr/bin/xdg-open r,
  /usr/bin/xprop rix,
  /usr/lib/iceweasel/iceweasel px,
  /usr/share/file/magic.mgc r,
  /usr/share/file/magic r,

 }
	# Last Modified: Tue Apr 13 15:45:46 2010
	#include <tunables/global>

	/usr/bin/acroread {
	#include <abstractions/base>

	/bin/dash ix,
	/etc/dpkg/dpkg.cfg r,
	/etc/dpkg/dpkg.cfg.d/ r,
	/proc/filesystems r,
	/usr/bin/acroread r,
	/usr/bin/dpkg rix,
	/usr/lib/Adobe/Reader8/bin/acroread-en cx,
	/usr/lib/Adobe/Reader9/bin/acroread-en cx,


	profile /usr/lib/Adobe/Reader{8,9}/bin/acroread-en {
	#include <abstractions/audio>
	#include <abstractions/base>
	#include <abstractions/fonts>
	#include <abstractions/gnome>
	#include <abstractions/nameservice>

	# Acrobat Reader 8 (from "stable").
	/etc/gre.d/1.9.1.system.conf r,
	owner /home//.adobe/Acrobat/8.0/{,*} mrwk,
	/usr/lib/Adobe/Reader8/Reader/intellinux/bin/acroread mr,
	/usr/lib/Adobe/Reader8/Reader/intellinux/plug_ins/*.api mr,

	/bin/sed rix,
	/bin/grep rix,
	/bin/cat rix,
	/bin/cp rix,
	/bin/mkdir rix,
	/bin/pwd rix,
	/bin/rm rix,
	/bin/uname rix,
	/bin/which px,
	owner /dev/shm/sem.* mrwl,
	#/etc/passwd mr,
	/etc/gre.d/ r,
	owner /home/*/.Xauthority r,
	owner /home/*/.fontconfig/ rw,
	owner /home//.fontconfig/ mrw,
	owner /home/*/.adobe/ rw,
	owner /home/*/.adobe/Acrobat/ rw,
	owner /home/*/.adobe/Acrobat/9.0/ rw,
	owner /home//.adobe/Acrobat/9.0/* mrk,
	owner /home//.adobe/Acrobat/9.0/Preferences/{,*} w,
	owner /home/*/.adobe/Acrobat/9.0/Cert/curl-ca-bundle.crt w,
	owner /home/*/.adobe/Acrobat/9.0/SharedDataEvents wk,
	owner /home/*/.adobe/Acrobat/9.0/SharedDataEvents-journal w,
	owner /home/*/.adobe/Acrobat/9.0/UserCache.bin w,
	owner /home//.adobe/Acrobat/9.0/JavaScripts/{,} w,
	owner /home/*/.adobe/Acrobat/9.0/{TMGrpPrm,TMDocs}.sav w,
	owner /home//.adobe/Acrobat/9.0/Synchronizer/{,} w,
	owner /home//.adobe/Acrobat/9.0/Cache/Search/{,} w,
	owner /home//.adobe/Acrobat/9.0/Collab/{,} rw,
	owner /home//.adobe/Acrobat/9.0/Collab/Temp/{,} rw,
	owner /home//.adobe/Acrobat/9.0/Forms/{,} rw,
	owner /home//.adobe/Acrobat/9.0/Cert/{,} rw,
	owner /home//.mozilla/firefox/.default/Cache/* r,
	owner /home/*/.local/share/icons/ r,
	owner /home//Desktop/{,*} r,
	owner /proc/*/mounts r,
	/proc/filesystems r,
	/proc/meminfo r,
	/usr/bin/basename rix,
	/usr/bin/cut ix,
	/usr/bin/xargs ix,
	/usr/bin/expr ix,
	/usr/bin/dirname rix,
	/usr/bin/gconftool-2 rix,
	/usr/bin/test rix,
	/usr/lib/iceweasel/iceweasel px,
	/usr/lib/Adobe/Reader9/Reader/intellinux/bin/acroread rix,
	/usr/lib/Adobe/Reader9/Reader/intellinux/plug_ins/**.api mr,
	/usr/lib/Adobe/Reader9/Reader/intellinux/SPPlugins/ADMPlugin.apl mr,
	/usr/lib/Adobe/Reader9/Resource/Font/*.{PFB,otf} mr,
	/usr/lib/Adobe/Reader9/Reader/DocSettings/ w,

	/usr/share/ r,
	/usr/share/mime/mime.cache mr,
	/usr/local/share/ r,
	/usr/share/fonts/{,**} mr,
	/usr/share/texmf/fonts/**{/,.pfb,.afm} r,
	/usr/share/icons/hicolor/icon-theme.cache mr,

	}
	}
	# Last Modified: Fri Apr 9 00:12:39 2010
	#include <tunables/global>

	/bin/ps {
	#include <abstractions/base>
	#include <abstractions/nameservice>

	capability dac_override,
	capability dac_read_search,
	capability sys_ptrace,



	/dev/tty r,
	/proc/ r,
	/proc/*/cmdline r,
	/proc/*/attr/current r,
	/proc/*/stat r,
	/proc/*/status r,
	/proc/*/wchan r,
	/proc/meminfo r,
	/proc/stat r,
	/proc/sys/kernel/pid_max r,
	/proc/tty/drivers r,
	/proc/uptime r,
	/proc/version r,

	}
	# Last Modified: Thu Apr 8 22:43:19 2010
	#include <tunables/global>

	/bin/pwd {
	#include <abstractions/base>

	}
	# Last Modified: Thu Apr 8 21:31:38 2010
	#include <tunables/global>

	/bin/which {
	#include <abstractions/base>


	/bin/dash ix,
	/bin/which r,

	}
	# Last Modified: Fri Apr 9 13:06:45 2010
	#include <tunables/global>

	/usr/lib/xulrunner-*/xulrunner-stub {
	#include <abstractions/audio>
	#include <abstractions/base>
	#include <abstractions/gnome>
	#include <abstractions/nameservice>

	network inet stream,

	/bin/dash cx,
	/etc/iceweasel/** r,
	/etc/java-6-sun/logging.properties r,
	/etc/java-6-sun/security/java.security r,
	/etc/mailcap r,
	/etc/mime.types r,
	/etc/mtab r,
	/etc/timezone r,
	owner /home/*/.Xauthority r,
	owner /home//.adobe/Flash_Player/* r,
	owner /home/*/.esd_auth r,
	owner /home/*/.java/deployment/deployment.properties rwk,
	owner /home//.local/share/icons* r,
	owner /home//.local/share/mime/ r,
	owner /home/*/.macromedia/Flash_Player/#SharedObjects/ r,
	owner /home//.macromedia/Flash_Player/#SharedObjects/* rw,
	owner /home//.macromedia/Flash_Player/macromedia.com/support/* rw,
	owner /home//.mozilla/extensions/* r,
	owner /home//.mozilla/firefox/* rwk,
	owner /home/*/.gnashrc r,
	owner /home/*/{Downloads,Desktop}/ r,
	owner /home//{Downloads,Desktop}/* rwk,
	/proc/filesystems r,
	owner /proc/*/mounts r,
	owner /proc/*/fd/ r,
	/var/lib/dbus/machine-id r,
	/sys/devices/system/cpu/ r,
	/usr/bin/transmission px,
	/usr/lib/jvm/java-6-sun-1.6../jre/bin/java cx,
	/usr/share/hunspell** r,
	/usr/share/iceweasel/** r,
	/usr/share/mozilla/** r,
	/usr/share/xulrunner-/* r,
	/usr/share/libthai/thbrk.tri r,

	# Self-restart
	/usr/lib/xulrunner-*/xulrunner-stub px,

	# Adobe Acrobat 9 (via "mozilla-acroread")
	/usr/lib/nspluginwrapper/plugins/npwrapper.nppdf.so mr,
	/usr/lib/nspluginwrapper/i386/linux/npviewer ix,
	/usr/lib/nspluginwrapper/i386/linux/npviewer.bin ix,
	/usr/lib/Adobe/Reader9/Browser/intellinux/nppdf.so mr,
	/bin/uname ix,
	/bin/which px,
	/bin/ps px,
	/bin/grep ix,
	/usr/bin/setarch ix,
	/usr/bin/acroread px,
	/usr/bin/tr ix,

	# Adobe Acrobat 8 (via "mozilla-acroread")
	/usr/lib/Adobe/Reader8/Browser/intellinux/nppdf.so mr,

	# Gnash
	/usr/bin/gtk-gnash ix,
	/etc/gnashrc r,
	/etc/gnashpluginrc r,
	/usr/share/gnash/GnashG.png r,
	/usr/share/gnash/gnash_128_96.ico r,
	owner /home//.gnash/SharedObjects/*.sol wr,

	# Iceweasel 4, flash.
	/usr/lib/xulrunner-*/plugin-container ix,

	# External editors for "It's All Text"
	/usr/bin/jedit rix,

	profile /bin/dash {
	#include <abstractions/base>

	/bin/grep rix,
	/bin/ps px,
	/bin/which px,
	/bin/uname ix,

	# Adobe Acrobat 8 (via "mozilla-acroread")
	/usr/lib/nspluginwrapper/i386/linux/npviewer ix,
	/usr/lib/nspluginwrapper/i386/linux/npviewer.bin ix,
	/usr/lib/Adobe/Reader8/Browser/intellinux/nppdf.so mr,
	/usr/bin/setarch ix,

	# Adobe Acrobat 9 (via "mozilla-acroread")
	/usr/lib/Adobe/Reader9/Browser/intellinux/nppdf.so mr,
	/usr/bin/tr ix,
	}

	profile /usr/lib/jvm/java-6-sun-1.6../jre/bin/java {
	#include <abstractions/base>
	#include <abstractions/gnome>
	#include <abstractions/nameservice>

	/etc/java-6-sun/** r,
	/etc/passwd mr,
	/etc/timezone r,
	owner /home/*/.RealtyAdmin.db rw,
	owner /home/*/.Xauthority r,
	owner /home//.java/.userPrefs/* rwk,
	owner /home//.java/deployment/* mrwk,
	owner /home/*/.mozilla/appreg r,
	/proc/*/net/if_inet6 r,
	/proc/*/net/ipv6_route r,
	/sys/devices/system/cpu/ r,
	/tmp/hsperfdata_/ mrwlk,
	/usr/lib/jvm/java-6-sun-1.6../jre/bin/java rix,
	/usr/lib{,32,64}/** mr,
	/usr/share/fonts/type1/gsfonts/*.pfb r,

	# External editors for "It's All Text"
	/usr/share/jEdit/jedit.jar rm,
	owner /home//.jedit/* rmwk,
	/usr/share/jEdit/** rmk,
	owner /home//.mozilla/firefox//itsalltext/* rwmk,
	/bin/chmod ix,
	}
	}
	# Last Modified: Fri Apr 9 13:26:42 2010
	#include <tunables/global>

	/usr/lib/icedove/icedove-bin {
	#include <abstractions/base>
	#include <abstractions/fonts>
	#include <abstractions/gnome>
	#include <abstractions/nameservice>

	/etc/icedove/pref/ r,
	/etc/icedove/pref/icedove.js r,
	owner /home/*/.Xauthority r,
	owner /home//.mozilla-thunderbird/* rwk,
	owner /home/*/{Downloads,Desktop}/ r,
	owner /home//{Downloads,Desktop}/* rw,
	owner /home//.cache/event-sound-cache rwk,
	/proc/filesystems r,
	/usr/lib/iceweasel/iceweasel px,
	/usr/lib/icedove/update.test rw,
	/usr/share/hunspell/* r,
	/usr/share/icedove/** r,
	/usr/share/icedove/chrome/app-chrome.manifest rw,
	/usr/share/myspell/** r,

	# Self-restarts.
	/usr/lib/icedove/icedove-bin ix,

	# Upgrade to icedove 3.0.4.

	owner /home/*/.icedove/profiles.ini r,
	owner /home//.icedove/.default/{,**} rwk,
	owner /home//.mozilla/extensions/* rw,
	owner /home//.local/share/icons/{,} r,
	owner /home/*/.esd_auth r,
	/etc/{mime.types,mailcap,rpc,mtab} r,
	/usr/share/hunspell/{,*} r,
	/usr/bin/sensible-browser rix,

	owner @{HOME}/.local/share/mime/* r,

	# Generic plugins.
	/usr/lib/nspluginwrapper/plugins/*.so rm,
	}
	# Last Modified: Sat Apr 10 14:10:21 2010
	#include <tunables/global>

	/usr/lib/iceweasel/iceweasel {
	#include <abstractions/base>
	#include <abstractions/nameservice>



	/bin/dash ix,
	/bin/readlink rix,
	/bin/which rpx,
	/etc/iceweasel/iceweaselrc r,
	owner /home/*/.Xauthority r,
	/proc/cpuinfo r,
	/proc/filesystems r,
	/usr/bin/dirname px,
	/usr/lib/xulrunner-1.9.1/xulrunner-stub px,
	/usr/lib/xulrunner-2.0/xulrunner-stub px, # Firefox 4.

	}
	# Last Modified: Sat Apr 10 14:10:21 2010
	#include <tunables/global>

	/usr/bin/psi {
	#include <abstractions/base>
	#include <abstractions/fonts>
	#include <abstractions/gnome>
	#include <abstractions/nameservice>

	owner @{HOME}/.config/Trolltech.conf rwk,
	owner @{HOME}/.psi/psirc rwk,
	owner @{HOME}/.psi/profiles/ r,
	owner /home//.psi/avatars/ rw,
	owner /home/*/.psi/profiles/default/options.xml{,.backup,.temp} rw,
	owner /home/*/.psi/profiles/default/accounts.xml{,.backup,.temp} rw,
	owner /home/*/.psi/profiles/default/events-gmail.com.xml{,.backup,.temp} rw,
	owner /home//.psi/profiles/default/vcard/.xml{,.backup,.temp} rw,
	owner /home//.psi/profiles/default/history/.history rw,
	owner /home//.psi/avatars/ r,
	owner /home/*/.psi/caps.xml rw,
	owner /home/*/.psi/tmp-sounds/ rw,
	/etc/ssl/certs/ca-certificates.crt r,
	/usr/share/icons/hicolor/index.theme r,
	/usr/share/psi/iconsets/roster/*.jisp r,
	/usr/share/psi/certs/{,*} r,
	/etc/debian_version r,

	# Opens a browser for clickable URLs.
	/usr/bin/xdg-open px,

	# Play sounds.
	/usr/bin/aplay px,

	# Language.
	/var/lib/aspell/en-common.rws r,

	# Explicitly deny /proc access in order to keep the audit log clean.
	deny /proc/*/net/ipv6_route r,
	deny /proc/*/net/route r,
	deny /proc/*/net/if_inet6 r,
	}
	# Last Modified: Sun Apr 11 14:16:29 2010
	#include <tunables/global>

	/usr/sbin/rsyslogd {
	#include <abstractions/base>
	#include <abstractions/nameservice>

	capability sys_admin,

	owner /dev/tty rw,
	owner /dev/xconsole rw,
	owner /etc/rsyslog.conf r,
	owner /etc/rsyslog.d/{,**} r,
	owner /proc/kmsg r,
	/usr/lib/rsyslog/*.so mr,
	owner /var/log/** rw,
	/var/spool/postfix/dev/log rw,
	owner /var/run/rsyslogd.pid rwk,

	}
	# Last Modified: Sun Apr 11 14:29:19 2010
	#include <tunables/global>

	/sbin/dhclient3 {
	#include <abstractions/base>
	#include <abstractions/bash>
	#include <abstractions/consoles>
	#include <abstractions/nameservice>
	#include <abstractions/nis>


	capability net_admin,
	capability net_bind_service,
	capability net_raw,

	network packet packet,


	/bin/chmod rix,
	/bin/chown rix,
	/bin/mv rix,
	/bin/rm rix,
	/bin/run-parts rix,
	owner /etc/dhcp3/dhclient-{enter,exit}-hooks.d/{,*} r,
	owner /etc/dhcp3/dhclient.conf r,
	owner /etc/resolv.conf.dhclient-new rw,
	owner /etc/resolv.conf w,
	owner /proc/*/net/dev r,
	owner /proc/filesystems r,
	owner /proc/meminfo r,
	/sbin/dhclient-script rix,
	/sbin/ifconfig rix,
	/sbin/route rix,
	/usr/sbin/avahi-autoipd rix,
	owner /var/lib/dhcp3/dhclient.leases rw,
	owner /var/lib/wicd/dhclient.conf r,
	owner /var/run/dhclient.pid rw,

	}