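{
# SEEdit simplified policy (SPDL) for the "global" domain: the default
# protection applied to every domain unless a more specific domain overrides it.
# Structure: broad allow rules first, then a path-based deny list, then
# IPC/tmpfs/proc/tty rules. The deny list only covers the paths enumerated
# here; anything reachable through a path not listed stays governed by the
# allow rules above it.
domain global;

# Default search: every directory may be traversed (s = search), so the
# only thing limiting reads/writes elsewhere is the per-path rules below.
allow / s;

# Read-only access to system trees.
allow /dev r,s;
allow /var r,s;
allow /mnt r,s;
# Commands and libraries: read + execute.
allow /lib r,x,s;
allow /usr r,x,s;
allow /bin r,x,s;
allow /sbin r,x,s;
# NOTE(review): x on /etc is broader than a read-only config tree needs;
# confirm an executable under /etc is actually required.
allow /etc r,x,s;
# Scratch space: read/write but no x, so content written here is not
# executable under this policy (as far as the x permission is concerned).
allow /tmp r,w,s;

# Devices that may be read and written.
allow /dev/console r,w;
allow /dev/null r,w;
allow /dev/zero r,w;

### Default deny list (takes precedence over the broad allows above for
### these specific paths — presumably longest-path-wins; confirm against
### seedit's rule precedence).
# Raw memory / port devices.
deny /dev/kmem;
deny /dev/mem;
deny /dev/port;
# Protect the SELinux/seedit policy source itself.
deny /etc/selinux/seedit;
# Password hashes (and the backup copy shadow-).
deny /etc/shadow-;
deny /etc/shadow;
# Administrator's home directory.
deny /root;

# No access to shells (only these three paths are covered).
# Fixed: "deny/bin/sh;" lacked the space between keyword and path, so the
# entry was most likely not parsed as a deny rule like its siblings.
deny /bin/sh;
deny /bin/bash;
deny /bin/tcsh;
## Logs.
deny /var/log;
# SELinux audit logs.
deny /var/log/audit;
# Apache logs.
deny /var/log/httpd;
# Protect web content.
deny /var/www;

###
# Communication allowed only within the domain itself ("self").
allowcom -msg self r,w;
allowcom -msgq self r,w;
allowcom -pipe self r,w;
allowcom -sem self r,w;
allowcom -shm self r,w;
# Signals: one class (c) may be sent to init_t; all listed classes to self.
# Letter meanings are not defined in this file — check the seedit reference.
allowcom -sig init_t c;
allowcom -sig self c,k,s,o;
allowcom -tcp self;
allowcom -udp self;
allowcom -unix self;

# tmpfs is not protected: every domain may read/write it.
allowtmpfs global r,w;

#####
## Read-only /proc access.
# Miscellaneous /proc entries.
allowproc -proc r;
# /proc/<own pid>.
allowproc -self r;

###
# Everyone can read/write tty/pts, but cannot create them (no c permission).
allowpts general r;
allowpts general w;
allowtty general r;
allowtty general w;
allowtty global r,w;
allowpts global r,w;

}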
