++##
++## Determine whether haproxy can
++## connect to all TCP ports.
++##
++##
++gen_tunable(haproxy_connect_any, false)
++
attribute cluster_domain;
attribute cluster_log;
attribute cluster_pid;
-@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t;
+@@ -44,34 +73,283 @@ type foghorn_initrc_exec_t;
init_script_file(foghorn_initrc_exec_t)
rhcs_domain_template(gfs_controld)
@@ -75448,7 +75897,7 @@ index 2c2de9a..8ea949c 100644
')
#####################################
-@@ -79,9 +349,11 @@ optional_policy(`
+@@ -79,9 +357,11 @@ optional_policy(`
# dlm_controld local policy
#
@@ -75461,7 +75910,7 @@ index 2c2de9a..8ea949c 100644
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-@@ -98,16 +370,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,16 +378,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@@ -75494,7 +75943,7 @@ index 2c2de9a..8ea949c 100644
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
-@@ -118,9 +404,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +412,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -75505,7 +75954,7 @@ index 2c2de9a..8ea949c 100644
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
-@@ -140,6 +425,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+@@ -140,6 +433,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
corenet_sendrecv_zented_server_packets(fenced_t)
corenet_tcp_bind_zented_port(fenced_t)
@@ -75514,7 +75963,7 @@ index 2c2de9a..8ea949c 100644
corenet_tcp_sendrecv_zented_port(fenced_t)
corenet_sendrecv_http_client_packets(fenced_t)
-@@ -148,9 +435,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +443,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
@@ -75525,7 +75974,7 @@ index 2c2de9a..8ea949c 100644
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +445,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +453,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
@@ -75534,7 +75983,7 @@ index 2c2de9a..8ea949c 100644
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +467,8 @@ optional_policy(`
+@@ -182,7 +475,8 @@ optional_policy(`
')
optional_policy(`
@@ -75544,7 +75993,7 @@ index 2c2de9a..8ea949c 100644
')
optional_policy(`
-@@ -190,12 +476,12 @@ optional_policy(`
+@@ -190,12 +484,12 @@ optional_policy(`
')
optional_policy(`
@@ -75560,7 +76009,7 @@ index 2c2de9a..8ea949c 100644
')
optional_policy(`
-@@ -203,6 +489,13 @@ optional_policy(`
+@@ -203,6 +497,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -75574,7 +76023,7 @@ index 2c2de9a..8ea949c 100644
#######################################
#
# foghorn local policy
-@@ -221,16 +514,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +522,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
corenet_tcp_connect_agentx_port(foghorn_t)
corenet_tcp_sendrecv_agentx_port(foghorn_t)
@@ -75595,7 +76044,7 @@ index 2c2de9a..8ea949c 100644
snmp_stream_connect(foghorn_t)
')
-@@ -257,6 +552,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +560,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -75604,7 +76053,7 @@ index 2c2de9a..8ea949c 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +572,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +580,50 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -75637,16 +76086,27 @@ index 2c2de9a..8ea949c 100644
+corenet_tcp_connect_commplex_link_port(haproxy_t)
+corenet_tcp_connect_commplex_main_port(haproxy_t)
+corenet_tcp_bind_commplex_main_port(haproxy_t)
++corenet_tcp_bind_http_port(haproxy_t)
++corenet_tcp_bind_http_cache_port(haproxy_t)
+
+corenet_tcp_connect_fmpro_internal_port(haproxy_t)
++corenet_tcp_connect_http_port(haproxy_t)
++corenet_tcp_connect_http_cache_port(haproxy_t)
+corenet_tcp_connect_rtp_media_port(haproxy_t)
+
+sysnet_dns_name_resolve(haproxy_t)
+
++tunable_policy(`haproxy_connect_any',`
++ corenet_tcp_connect_all_ports(haproxy_t)
++ corenet_tcp_bind_all_ports(haproxy_t)
++ corenet_sendrecv_all_packets(haproxy_t)
++ corenet_tcp_sendrecv_all_ports(haproxy_t)
++')
++
######################################
#
# qdiskd local policy
-@@ -321,6 +647,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +666,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
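Review bot: The `tunable_policy(`haproxy_connect_any', ...)` block added here grants `corenet_tcp_bind_all_ports(haproxy_t)` alongside the connect rule, but the boolean's name and its description ("Determine whether haproxy can connect to all TCP ports.") cover only outbound connections. An administrator who turns it on to reach arbitrary backends would also allow haproxy_t to listen on any TCP port, which is broader than the documented intent. Either say so in the description, e.g. `## Determine whether haproxy can connect to and bind all TCP ports.`, or move the bind rule out of this block and gate it with its own boolean. The haproxy rules begin above the lines this hunk shows, so any bind permissions already granted there are not visible here.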
@@ -76865,6 +77325,68 @@ index 9702ed2..a265af9 100644
optional_policy(`
ccs_stream_connect(ricci_modstorage_t)
+diff --git a/rkhunter.fc b/rkhunter.fc
+new file mode 100644
+index 0000000..645a9cc
+--- /dev/null
++++ b/rkhunter.fc
+@@ -0,0 +1 @@
++/var/lib/rkhunter(/.*)? gen_context(system_u:object_r:rkhunter_var_lib_t,s0)
+diff --git a/rkhunter.if b/rkhunter.if
+new file mode 100644
+index 0000000..0be4cee
+--- /dev/null
++++ b/rkhunter.if
+@@ -0,0 +1,39 @@
++##