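{
# Baseline rules for the global domain. The original header describes this
# as the default protection level.
# NOTE(review): presumably every other domain inherits these rules - confirm
# against the policy editor documentation for the installed version.
domain global;

# Default file access.
# Permission letters used below are r, w, x and s.
# NOTE(review): r/w/x presumably mean read/write/execute and s directory
# search - confirm before relying on this summary.
allow /dev r,s;
allow /dev/console r,w;
allow /dev/null r,w;
allow /dev/zero r,w;
allow /etc r,s;
allow /lib r,x,s;
allow /usr r,x,s;
allow /tmp s;
# NOTE(review): /usr is listed a second time here with s only, after the
# r,x,s rule above. Confirm which rule wins, or whether they are merged, and
# drop whichever line is not intended.
allow /usr s;
allow /var s;
# NOTE(review): allowonly presumably limits the rule to the named directory
# rather than its whole subtree - confirm.
allowonly / s;
allowonly /home s;

# Default protected files.
# This is an enumerated list. Anything under /dev, /etc or /lib that is not
# named here keeps the access granted by the broader allow rules above.
# NOTE(review): /etc/gshadow, /etc/sudoers and the private SSH host keys are
# not listed and so appear to fall under the r,s grant on /etc. Decide
# whether they belong in this list.
deny /dev/kmem;
deny /dev/mem;
deny /dev/port;
deny /etc/selinux/seedit;
deny /etc/audit.rules;
deny /etc/auditd.conf;
deny /etc/httpd;
deny /etc/modules.conf;
deny /etc/shadow-;
deny /etc/shadow;
deny /etc/passwd;
deny /etc/passwd-;
deny /etc/passwd.OLD;
deny /etc/webmin;
deny /lib/modules;
deny /root;

# Command directories are searchable only, with no r or x.
# NOTE(review): /usr/bin and /usr/sbin sit under /usr, which is granted r,x,s
# above. Confirm that a rule on a subdirectory replaces the rule on its
# parent instead of adding to it.
allow /usr/sbin s;
allow /usr/bin s;
allow /bin s;
allow /sbin s;

# Shells are denied explicitly.
# The /bin/sh rule previously had no space between the keyword and the path,
# unlike every other deny rule in this file, so it may not have been read as
# a deny on /bin/sh. Keep the keyword and the path separated.
# NOTE(review): only three shells are named. Check which other shells and
# interpreters are installed and whether the s-only rules above cover them.
deny /bin/sh;
deny /bin/bash;
deny /bin/tcsh;

# Protect logs
deny /var/log;

# Protect web content
deny /var/www;

# Allow IPC within the same domain (self).
allowcom -msg self r,w;
allowcom -msgq self r,w;
allowcom -pipe self r,w;
allowcom -sem self r,w;
allowcom -shm self r,w;

# Signals. Only c may be sent to init_t, while c,k,s,o are allowed within
# the same domain.
# NOTE(review): the letters presumably stand for sigchld, sigkill, sigstop
# and other signals - confirm.
allowcom -sig init_t c;
allowcom -sig self c,k,s,o;

# Socket communication within the same domain only.
allowcom -tcp self;
allowcom -udp self;
allowcom -unix self;

# Read-only access to some proc files by default
allowproc -proc r;
allowproc -self r;

# Read-only access to the general pts and tty classes
allowpts general r;
allowtty general r;
}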
