diff --git a/ctdb.if b/ctdb.if
index b7cfda7..4f7d237 100644
--- a/ctdb.if
+++ b/ctdb.if
@@ -1,9 +1,144 @@
-## Clustered Database based on Samba Trivial Database.
+
+## policy for ctdbd
+
+########################################
+##
+## Transition to ctdbd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ctdbd_domtrans',`
+ gen_require(`
+ type ctdbd_t, ctdbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
+')
+
+########################################
+##
+## Execute ctdbd server in the ctdbd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_initrc_domtrans',`
+ gen_require(`
+ type ctdbd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+')
+
+########################################
+##
+## Read ctdbd's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`ctdbd_read_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+##
+## Append to ctdbd log files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ctdbd_append_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+##
+## Manage ctdbd log files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`ctdbd_manage_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
+ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+##
+## Search ctdbd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_search_lib',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ allow $1 ctdbd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
########################################
##
-## Create, read, write, and delete
-## ctdbd lib files.
+## Read ctdbd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_read_lib_files',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+##
+## Manage ctdbd lib files.
##
##
##
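Review bot: The parameter descriptions in two of the new interfaces do not match what the interface grants: `ctdbd_append_log` describes its argument as "Domain allowed to transition." although it only grants append on ctdbd_log_t, and `ctdbd_manage_log` describes it as "Domain to not audit." although it uses allow-style manage patterns, not dontaudit. Both look copied from a different template and will mislead anyone reading the generated interface documentation; `## Domain allowed access.` is the wording every other interface in this hunk uses and is the accurate one here. The `ctdbd_read_log` header also carries one `##` line more than its siblings, which is harmless but worth aligning while touching these blocks.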
@@ -17,13 +152,12 @@ interface(`ctdbd_manage_lib_files',`
')
files_search_var_lib($1)
- manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
')
-#######################################
+########################################
##
-## Connect to ctdbd with a unix
-## domain stream socket.
+## Manage ctdbd lib directories.
##
##
##
@@ -31,19 +165,58 @@ interface(`ctdbd_manage_lib_files',`
##
##
#
-interface(`ctdbd_stream_connect',`
+interface(`ctdbd_manage_lib_dirs',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+##
+## Read ctdbd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_read_pid_files',`
gen_require(`
- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+ type ctdbd_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t)
+ allow $1 ctdbd_var_run_t:file read_file_perms;
+')
+
+#######################################
+##
+## Connect to ctdbd over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_stream_connect',`
+ gen_require(`
+ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
+ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
')
########################################
##
-## All of the rules required to
-## administrate an ctdb environment.
+## All of the rules required to administrate
+## an ctdbd environment
##
##
##
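Review bot: `ctdbd_read_pid_files` grants `read_file_perms` on ctdbd_var_run_t files but no search permission on a ctdbd_var_run_t directory, while `ctdbd_stream_connect` in the same hunk passes ctdbd_var_run_t as the directory argument of `stream_connect_pattern`, which suggests the daemon's run directory carries that type too. If the pid file lives inside such a directory, a caller of this interface can reach /run via `files_search_pids` but cannot traverse the ctdbd directory, so the read is denied; `read_files_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t)` covers both the directory search and the file read and is the usual refpolicy form. Separately, the separator added above the `ctdbd_stream_connect` header is one `#` shorter than the others, the same mismatch the previous hunk corrects for `ctdbd_manage_lib_dirs`.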
@@ -57,21 +230,19 @@ interface(`ctdbd_stream_connect',`
##
##
#
-interface(`ctdb_admin',`
+interface(`ctdbd_admin',`
gen_require(`
- type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t;
+ type ctdbd_t, ctdbd_initrc_exec_t;
type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
')
- allow $1 ctdbd_t:process { signal_perms };
+ allow $1 ctdbd_t:process signal_perms;
ps_process_pattern($1, ctdbd_t)
-
tunable_policy(`deny_ptrace',`',`
allow $1 ctdbd_t:process ptrace;
- ')
-
+ ')
- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+ ctdbd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 ctdbd_initrc_exec_t system_r;
allow $2 system_r;
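Review bot: Renaming `ctdb_admin` to `ctdbd_admin` removes the old interface name outright, so any policy module that still calls `ctdb_admin` stops building, and nothing in this diff provides a compatibility shim. Refpolicy normally keeps the old name as a deprecated wrapper that emits a `refpolicywarn` and forwards to the new interface, so existing callers keep working and are told to migrate. The rewritten interface otherwise looks consistent with the new per-interface helpers (it now calls `ctdbd_initrc_domtrans` instead of repeating the labeled script transition). The body of `ctdbd_admin` continues outside this hunk.
```m4
########################################
## Deprecated wrapper: kept so existing callers of the old
## name keep building; use ctdbd_admin() instead.
#
interface(`ctdb_admin',`
	refpolicywarn(`$0($*) has been deprecated, please use ctdbd_admin() instead.')
	ctdbd_admin($1, $2)
')
```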
@@ -79,12 +250,10 @@ interface(`ctdb_admin',`
logging_search_logs($1)
admin_pattern($1, ctdbd_log_t)
- files_search_tmp($1)
- admin_pattern($1, ctdbd_tmp_t)
-
files_search_var_lib($1)
admin_pattern($1, ctdbd_var_lib_t)
files_search_pids($1)
admin_pattern($1, ctdbd_var_run_t)
')
+
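Review bot: Dropping `files_search_tmp($1)` and `admin_pattern($1, ctdbd_tmp_t)` removes the administrator's access to the daemon's tmp content, yet ctdbd_tmp_t is still a live type in this file: `ctdbd_stream_connect` earlier in the diff requires it and uses it as both directory and socket type. Unless the accompanying .te change removed the type, an admin domain can no longer list or clean stale ctdbd sockets under tmp, which is exactly the kind of cleanup an admin interface exists for; restoring the two removed lines, `files_search_tmp($1)` and `admin_pattern($1, ctdbd_tmp_t)`, keeps the admin interface complete. The hunk also appends an empty line at the end of the file, which other .if files in refpolicy do not carry.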
diff --git a/irc.if b/irc.if
index 58d3f5b..3cbb987 100644
--- a/irc.if
+++ b/irc.if
@@ -43,14 +43,13 @@ interface(`irc_role',`
domtrans_pattern($2, irssi_exec_t, irssi_t)
allow $2 irssi_t:process signal_perms;
- ps_process_pattern($2, irssi_t
+ ps_process_pattern($2, irssi_t)
allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:file { manage_file_perms relabel_file_perms };
allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
irc_filetrans_home_content($2)
-
')
#######################################