diff --git a/apache.te b/apache.te

index 3226dec..e9c7099 100644

--- a/apache.te

+++ b/apache.te

@@ -1028,6 +1028,7 @@ optional_policy(`

 optional_policy(`

 	nagios_read_config(httpd_t)

+    nagios_read_lib(httpd_t)

 	nagios_read_log(httpd_t)

 ')

diff --git a/chrome.te b/chrome.te

index f50b201..5c852ff 100644

--- a/chrome.te

+++ b/chrome.te

@@ -35,7 +35,7 @@ allow chrome_sandbox_t self:capability2 block_suspend;

 allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };

 dontaudit chrome_sandbox_t self:capability sys_nice;

 allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };

-allow chrome_sandbox_t self:process setsched;

+allow chrome_sandbox_t self:process { setcap setsched };

 allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;

 allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;

 allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };

@@ -60,6 +60,8 @@ fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir })

 kernel_read_system_state(chrome_sandbox_t)

 kernel_read_kernel_sysctls(chrome_sandbox_t)

+auth_dontaudit_read_passwd(chrome_sandbox_t)

+

 fs_manage_cgroup_dirs(chrome_sandbox_t)

 fs_manage_cgroup_files(chrome_sandbox_t)

 fs_read_dos_files(chrome_sandbox_t)

diff --git a/cron.te b/cron.te

index 0ee059a..9d2cd2d 100644

--- a/cron.te

+++ b/cron.te

@@ -27,6 +27,14 @@ gen_tunable(cron_can_relabel, false)

 gen_tunable(cron_userdomain_transition, true)

 ## <desc>

+##  

+##  Allow system cronjob to be executed on

+##  on NFS, CIFS or FUSE filesystem.

+##  

+## </desc>

+gen_tunable(cron_system_cronjob_use_shares, false)

+

+## <desc>

 ##	

 ##	Enable extra rules in the cron domain

 ##	to support fcron.

@@ -404,6 +412,12 @@ manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)

 # for this purpose.

 allow system_cronjob_t system_cron_spool_t:file entrypoint;

+tunable_policy(`cron_system_cronjob_use_shares',`

+    fs_fusefs_entrypoint(system_cronjob_t)

+    fs_nfs_entrypoint(system_cronjob_t)

+    fs_cifs_entrypoint(system_cronjob_t)

+')

+

 # Permit a transition from the crond_t domain to this domain.

 # The transition is requested explicitly by the modified crond 

 # via setexeccon.  There is no way to set up an automatic

diff --git a/ctdb.if b/ctdb.if

index e99c5c6..ffc5497 100644

--- a/ctdb.if

+++ b/ctdb.if

@@ -38,6 +38,23 @@ interface(`ctdbd_initrc_domtrans',`

 	init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)

 ')

+#######################################

+## <summary>

+##  Allow domain to signal ctdbd.

+## </summary>

+## <param name="domain">

+##  <summary>

+##  Domain allowed access.

+##  </summary>

+## </param>

+#

+interface(`ctdbd_signal',`

+    gen_require(`

+        type ctdbd_t;

+    ')

+        allow $1 ctdbd_t:process signal;

+')

+

 ########################################

 ## <summary>

 ##	Read ctdbd's log files.

@@ -100,26 +117,26 @@ interface(`ctdbd_manage_log',`

 ########################################

 ## <summary>

-##	Search ctdbd lib directories.

+##     Manage ctdbd lib files.

 ## </summary>

 ## <param name="domain">

-##	<summary>

-##	Domain allowed access.

-##	</summary>

+##     <summary>

+##     Domain allowed access.

+##     </summary>

 ## </param>

 #

-interface(`ctdbd_search_lib',`

-	gen_require(`

-		type ctdbd_var_lib_t;

-	')

+interface(`ctdbd_manage_var_files',`

+       gen_require(`

+               type ctdbd_var_t;

+       ')

-	allow $1 ctdbd_var_lib_t:dir search_dir_perms;

-	files_search_var_lib($1)

+       files_search_var_lib($1)

+    manage_files_pattern($1, ctdbd_var_t, ctdbd_var_t)

 ')

 ########################################

 ## <summary>

-##	Read ctdbd lib files.

+##	Search ctdbd lib directories.

 ## </summary>

 ## <param name="domain">

 ##	<summary>

@@ -127,18 +144,18 @@ interface(`ctdbd_search_lib',`

 ##	</summary>

 ## </param>

 #

-interface(`ctdbd_read_lib_files',`

+interface(`ctdbd_search_lib',`

 	gen_require(`

 		type ctdbd_var_lib_t;

 	')

+	allow $1 ctdbd_var_lib_t:dir search_dir_perms;

 	files_search_var_lib($1)

-        read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)

 ')

 ########################################

 ## <summary>

-##	Manage ctdbd lib files.

+##	Read ctdbd lib files.

 ## </summary>

 ## <param name="domain">

 ##	<summary>

@@ -146,13 +163,13 @@ interface(`ctdbd_read_lib_files',`

 ##	</summary>

 ## </param>

 #

-interface(`ctdbd_manage_lib_files',`

+interface(`ctdbd_read_lib_files',`

 	gen_require(`

 		type ctdbd_var_lib_t;

 	')

 	files_search_var_lib($1)

-        manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)

+        read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)

 ')

 ########################################

@@ -165,13 +182,13 @@ interface(`ctdbd_manage_lib_files',`

 ##	</summary>

 ## </param>

 #

-interface(`ctdbd_manage_var_files',`

+interface(`ctdbd_manage_lib_files',`

 	gen_require(`

-		type ctdbd_var_t;

+		type ctdbd_var_lib_t;

 	')

 	files_search_var_lib($1)

-    manage_files_pattern($1, ctdbd_var_t, ctdbd_var_t)

+        manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)

 ')

 ########################################

diff --git a/ctdb.te b/ctdb.te

index 2ab29db..4a84c8b 100644

--- a/ctdb.te

+++ b/ctdb.te

@@ -44,6 +44,7 @@ allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;

 allow ctdbd_t self:packet_socket create_socket_perms;

 allow ctdbd_t self:tcp_socket create_stream_socket_perms;

 allow ctdbd_t self:udp_socket create_socket_perms;

+allow ctdbd_t self:rawip_socket create_socket_perms;

 append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)

 create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)

@@ -75,6 +76,8 @@ manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)

 manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)

 files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)

+can_exec(ctdbd_t, ctdbd_exec_t)

+

 kernel_read_network_state(ctdbd_t)

 kernel_read_system_state(ctdbd_t)

 kernel_rw_net_sysctls(ctdbd_t)

@@ -89,6 +92,7 @@ corenet_udp_bind_generic_node(ctdbd_t)

 corenet_sendrecv_ctdb_server_packets(ctdbd_t)

 corenet_tcp_bind_ctdb_port(ctdbd_t)

 corenet_udp_bind_ctdb_port(ctdbd_t)

+corenet_tcp_bind_smbd_port(ctdbd_t)

 corenet_tcp_connect_ctdb_port(ctdbd_t)

 corenet_tcp_sendrecv_ctdb_port(ctdbd_t)

@@ -110,6 +114,8 @@ logging_send_syslog_msg(ctdbd_t)

 miscfiles_read_public_files(ctdbd_t)

+userdom_home_manager(ctdbd_t)

+

 optional_policy(`

 	consoletype_exec(ctdbd_t)

 ')

@@ -123,6 +129,7 @@ optional_policy(`

 ')

 optional_policy(`

+    samba_signull_smbd(ctdbd_t)

 	samba_initrc_domtrans(ctdbd_t)

 	samba_domtrans_net(ctdbd_t)

 	samba_rw_var_files(ctdbd_t)

@@ -130,5 +137,10 @@ optional_policy(`

 ')

 optional_policy(`

+    samba_signull_winbind(ctdbd_t)

+    samba_signull_unconfined_net(ctdbd_t)

+')

+

+optional_policy(`

 	sysnet_domtrans_ifconfig(ctdbd_t)

 ')

diff --git a/glusterd.if b/glusterd.if

index c62ad86..fc9bf19 100644

--- a/glusterd.if

+++ b/glusterd.if

@@ -117,7 +117,84 @@ interface(`glusterd_manage_log',`

 	manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)

 ')

-########################################

+######################################

+## <summary>

+##  Allow the specified domain to execute gluster's lib files.

+## </summary>

+## <param name="domain">

+##  <summary>

+##  Domain allowed access.

+##  </summary>

+## </param>

+#

+interface(`gluster_execute_lib',`

+    gen_require(`

+        type glusterd_var_lib_t;

+    ')

+

+    files_list_var_lib($1)

+    allow $1 glusterd_var_lib_t:dir search_dir_perms;

+    can_exec($1, glusterd_var_lib_t)

+')

+

+######################################

+## <summary>

+##  Read glusterd's config files.

+## </summary>

+## <param name="domain">

+##  <summary>

+##  Domain allowed access.

+##  </summary>

+## </param>

+#

+interface(`glusterd_read_conf',`

+       gen_require(`

+               type glusterd_conf_t;

+       ')

+

+    files_search_etc($1)

+    read_files_pattern($1, glusterd_conf_t, glusterd_conf_t)

+')

+

+######################################

+## <summary>

+##  Read and write /var/lib/glusterd files.

+## </summary>

+## <param name="domain">

+##  <summary>

+##  Domain allowed access.

+##  </summary>

+## </param>

+#

+interface(`glusterd_rw_lib',`

+       gen_require(`

+               type glusterd_var_lib_t;

+       ')

+

+    files_search_var_lib($1)

+    rw_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)

+')

+

+######################################

+## <summary>

+## Read and write /var/lib/glusterd files.

+## </summary>

+## <param name="domain">

+##     <summary>

+##     Domain allowed access.

+##     </summary>

+## </param>

+#

+interface(`glusterd_manage_lib_files',`

+       gen_require(`

+               type glusterd_var_lib_t;

+       ')

+

+    files_search_var_lib($1)

+    manage_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)

+')

+

+######################################

 ## <summary>

 ##	All of the rules required to administrate

 ##	an glusterd environment

diff --git a/glusterd.te b/glusterd.te

index fbc6a67..b974353 100644

--- a/glusterd.te

+++ b/glusterd.te

@@ -31,6 +31,7 @@ gen_tunable(gluster_export_all_rw, true)

 type glusterd_t;

 type glusterd_exec_t;

 init_daemon_domain(glusterd_t, glusterd_exec_t)

+domain_obj_id_change_exemption(glusterd_t)

 type glusterd_conf_t;

 files_type(glusterd_conf_t)

@@ -58,13 +59,16 @@ files_type(glusterd_brick_t)

 # Local policy

 #

-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin };

+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };

 allow glusterd_t self:capability2 block_suspend;

-allow glusterd_t self:process { getcap setcap setrlimit signal_perms };

+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched };

+allow glusterd_t self:sem create_sem_perms;

 allow glusterd_t self:fifo_file rw_fifo_file_perms;

 allow glusterd_t self:tcp_socket { accept listen };

 allow glusterd_t self:unix_stream_socket { accept listen connectto };

+allow glusterd_t self:rawip_socket create_socket_perms;

+allow glusterd_t self:unix_stream_socket create_stream_socket_perms;

 manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)

 manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)

@@ -97,9 +101,13 @@ manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)

 manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)

 manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)

 manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)

+manage_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)

+manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)

 relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)

 relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)

 relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)

+relabel_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)

+relabel_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)

 can_exec(glusterd_t, glusterd_exec_t)

@@ -121,6 +129,7 @@ corenet_tcp_sendrecv_all_ports(glusterd_t)

 corenet_udp_sendrecv_all_ports(glusterd_t)

 corenet_tcp_bind_generic_node(glusterd_t)

 corenet_udp_bind_generic_node(glusterd_t)

+corenet_raw_bind_generic_node(glusterd_t)

 corenet_tcp_connect_gluster_port(glusterd_t)

 corenet_tcp_bind_gluster_port(glusterd_t)

@@ -141,11 +150,15 @@ corenet_tcp_bind_all_unreserved_ports(glusterd_t)

 corenet_tcp_connect_all_unreserved_ports(glusterd_t)

 corenet_tcp_connect_all_ephemeral_ports(glusterd_t)

 corenet_tcp_connect_ssh_port(glusterd_t)

+corenet_tcp_connect_all_rpc_ports(glusterd_t)

+corenet_tcp_connect_all_ports(glusterd_t)

 dev_read_sysfs(glusterd_t)

 dev_read_urand(glusterd_t)

+dev_read_rand(glusterd_t)

 domain_read_all_domains_state(glusterd_t)

+domain_getattr_all_sockets(glusterd_t)

 domain_use_interactive_fds(glusterd_t)

@@ -155,13 +168,30 @@ fs_getattr_all_fs(glusterd_t)

 files_mounton_non_security(glusterd_t)

+files_dontaudit_read_security_files(glusterd_t)

+files_dontaudit_list_security_dirs(glusterd_t)

+

 storage_rw_fuse(glusterd_t)

+#needed by /usr/sbin/xfs_db

+storage_raw_read_fixed_disk(glusterd_t)

+storage_raw_write_fixed_disk(glusterd_t)

 auth_use_nsswitch(glusterd_t)

 fs_getattr_all_fs(glusterd_t)

+init_domtrans_script(glusterd_t)

+init_initrc_domain(glusterd_t)

+init_read_script_state(glusterd_t)

+init_rw_script_tmp_files(glusterd_t)

+init_manage_script_status_files(glusterd_t)

+

+systemd_config_systemd_services(glusterd_t)

+systemd_signal_passwd_agent(glusterd_t)

+

 logging_send_syslog_msg(glusterd_t)

+logging_dontaudit_search_audit_logs(glusterd_t)

+

 libs_exec_ldconfig(glusterd_t)

 miscfiles_read_localization(glusterd_t)

@@ -169,8 +199,15 @@ miscfiles_read_public_files(glusterd_t)

 userdom_manage_user_home_dirs(glusterd_t)

 userdom_filetrans_home_content(glusterd_t)

+userdom_read_user_tmp_files(glusterd_t)

+userdom_delete_user_tmp_files(glusterd_t)

+userdom_rw_user_tmp_files(glusterd_t)

+userdom_kill_all_users(glusterd_t)

 mount_domtrans(glusterd_t)

+

+fstools_domtrans(glusterd_t)

+

 tunable_policy(`gluster_anon_write',`

 	miscfiles_manage_public_files(glusterd_t)

 ') 

@@ -178,6 +215,8 @@ tunable_policy(`gluster_anon_write',`

 tunable_policy(`gluster_export_all_ro',`

 	fs_read_noxattr_fs_files(glusterd_t) 

 	files_read_non_security_files(glusterd_t) 

+    files_getattr_all_pipes(glusterd_t)

+    files_getattr_all_sockets(glusterd_t)

 ')

 tunable_policy(`gluster_export_all_rw',`

@@ -185,6 +224,45 @@ tunable_policy(`gluster_export_all_rw',`

 	files_manage_non_security_dirs(glusterd_t)

 	files_manage_non_security_files(glusterd_t)

     files_relabel_base_file_types(glusterd_t)

+    files_getattr_all_pipes(glusterd_t)

+    files_getattr_all_sockets(glusterd_t)

+')

+

+optional_policy(`

+    ctdbd_domtrans(glusterd_t)

+    ctdbd_signal(glusterd_t)

+')

+

+optional_policy(`

+    dbus_system_bus_client(glusterd_t)

+    dbus_connect_system_bus(glusterd_t)

+

+    optional_policy(`

+        policykit_dbus_chat(glusterd_t)

+    ')

+')

+

+optional_policy(`

+    hostname_exec(glusterd_t)

+')

+

+optional_policy(`

+    lvm_domtrans(glusterd_t)

+')

+

+optional_policy(`

+    mount_domtrans_showmount(glusterd_t)

+')

+

+optional_policy(`

+    samba_domtrans_smbd(glusterd_t)

+    samba_systemctl(glusterd_t)

+    samba_signal_smbd(glusterd_t)

+    samba_manage_config(glusterd_t)

+')

+

+optional_policy(`

+    ssh_exec_keygen(glusterd_t)

 ')

 optional_policy(`

@@ -197,5 +275,21 @@ optional_policy(`

 ')

 optional_policy(`

+    rpc_systemctl_nfsd(glusterd_t)

+    rpc_systemctl_rpcd(glusterd_t)

+

+    rpc_domtrans_nfsd(glusterd_t)

+    rpc_domtrans_rpcd(glusterd_t)

+    rpc_manage_nfs_state_data(glusterd_t)

+')

+

+optional_policy(`

+    rhcs_dbus_chat_cluster(glusterd_t)

+    rhcs_domtrans_cluster(glusterd_t)

+    rhcs_systemctl_cluster(glusterd_t)

+    rhcs_stream_connect_cluster(glusterd_t)

+')

+

+optional_policy(`

 	ssh_exec(glusterd_t)

 ')

diff --git a/mongodb.fc b/mongodb.fc

index 91adcaf..e9e6bc5 100644

--- a/mongodb.fc

+++ b/mongodb.fc

@@ -1,9 +1,15 @@

 /etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)

+/etc/rc\.d/init\.d/mongos	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)

+

+/usr/lib/systemd/system/mongod.*    --     gen_context(system_u:object_r:mongod_unit_file_t,s0)

+/usr/lib/systemd/system/mongos.*    --     gen_context(system_u:object_r:mongod_unit_file_t,s0)

 /usr/bin/mongod	                                --	gen_context(system_u:object_r:mongod_exec_t,s0)

 /usr/bin/mongos	                                --	gen_context(system_u:object_r:mongod_exec_t,s0)

 /usr/share/aeolus-conductor/dbomatic/dbomatic   --   gen_context(system_u:object_r:mongod_exec_t,s0)

+/usr/libexec/mongodb-scl-helper             --      gen_context(system_u:object_r:mongod_exec_t,s0)

+

 /var/lib/mongo.*	gen_context(system_u:object_r:mongod_var_lib_t,s0)

 /var/log/mongo.*	                                    gen_context(system_u:object_r:mongod_log_t,s0)

diff --git a/mongodb.te b/mongodb.te

index dec8a95..d3fdae4 100644

--- a/mongodb.te

+++ b/mongodb.te

@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t)

 type mongod_initrc_exec_t;

 init_script_file(mongod_initrc_exec_t)

+type mongod_unit_file_t;

+systemd_unit_file(mongod_unit_file_t)

+

 type mongod_log_t;

 logging_log_file(mongod_log_t)

@@ -30,7 +33,7 @@ files_tmp_file(mongod_tmp_t)

 #

-allow mongod_t self:process { setsched signal };

+allow mongod_t self:process { setsched signal execmem };

 allow mongod_t self:fifo_file rw_fifo_file_perms;

 allow mongod_t self:netlink_route_socket r_netlink_socket_perms;

@@ -69,6 +72,8 @@ corenet_tcp_connect_mongod_port(mongod_t)

 corenet_tcp_bind_mongod_port(mongod_t)

 corenet_tcp_bind_generic_node(mongod_t)

+auth_use_nsswitch(mongod_t)

+

 dev_read_sysfs(mongod_t)

 dev_read_urand(mongod_t)

diff --git a/mysql.fc b/mysql.fc

index 4a315d5..c2c13aa 100644

--- a/mysql.fc

+++ b/mysql.fc

@@ -14,6 +14,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)

 #

 /etc/my\.cnf		--	gen_context(system_u:object_r:mysqld_etc_t,s0)

 /etc/mysql(/.*)?		gen_context(system_u:object_r:mysqld_etc_t,s0)

+/etc/my\.cnf\.d(/.*)?		gen_context(system_u:object_r:mysqld_etc_t,s0)

 /etc/rc\.d/init\.d/mysqld --	gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)

 /etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)

@@ -24,6 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)

 /usr/bin/mysql_upgrade	--	gen_context(system_u:object_r:mysqld_exec_t,s0)

 /usr/libexec/mysqld	--	gen_context(system_u:object_r:mysqld_exec_t,s0)

+/usr/libexec/mysqld_safe-scl-helper --  gen_context(system_u:object_r:mysqld_safe_exec_t,s0)

+

 /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)

 /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)

diff --git a/mysql.te b/mysql.te

index e14423d..976d57e 100644

--- a/mysql.te

+++ b/mysql.te

@@ -132,7 +132,7 @@ files_search_var_lib(mysqld_t)

 files_search_pids(mysqld_t)

 files_getattr_all_sockets(mysqld_t)

-auth_use_nsswitch(mysqld_t)

+auth_use_pam(mysqld_t)

 logging_send_syslog_msg(mysqld_t)

diff --git a/nagios.if b/nagios.if

index cad402c..438eeb3 100644

--- a/nagios.if

+++ b/nagios.if

@@ -34,6 +34,26 @@ template(`nagios_plugin_template',`

 ########################################

 ## <summary>

+## Execute the nagios unconfined plugins with

+## a domain transition.

+## </summary>

+## <param name="domain">

+## <summary>

+## Domain allowed access.

+## </summary>

+## </param>

+#

+interface(`nagios_domtrans_unconfined_plugins',`

+   gen_require(`

+        type nagios_unconfined_plugin_t;

+        type nagios_unconfined_plugin_exec_t;

+   ')

+

+    domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)

+')

+

+########################################

+## <summary>

 ##	Do not audit attempts to read or write nagios

 ##	unnamed pipes.

 ## </summary>

@@ -72,6 +92,25 @@ interface(`nagios_read_config',`

 	allow $1 nagios_etc_t:file read_file_perms;

 	files_search_etc($1)

 ')

+######################################

+## <summary>

+##	Read nagios lib files.

+## </summary>

+## <param name="domain">

+##	<summary>

+##	Domain allowed access.

+##	</summary>

+## </param>

+#

+interface(`nagios_read_lib',`

+	gen_require(`

+		type nagios_var_lib_t;

+	')

+

+	files_search_var($1)

+    list_dirs_pattern($1, nagios_var_lib_t, nagios_var_lib_t)

+	read_files_pattern($1, nagios_var_lib_t, nagios_var_lib_t)

+')

 ######################################

 ## <summary>

diff --git a/nagios.te b/nagios.te

index 75ed416..e4b8c8a 100644

--- a/nagios.te

+++ b/nagios.te

@@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0)

 # Declarations

 #

+## <desc>

+## 

+## Allow nagios/nrpe to call sudo from NRPE utils scripts.

+## 

+## </desc>

+gen_tunable(nagios_run_sudo, false)

+

+## <desc>

+## 

+## Allow nagios run in conjunction with PNP4Nagios.

+## 

+## </desc>

+gen_tunable(nagios_run_pnp4nagios, false)

+

+gen_require(`

+    class passwd rootok;

+    class passwd passwd;

+')

+

 attribute nagios_plugin_domain;

 type nagios_t;

@@ -124,7 +143,8 @@ files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file })

 manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)

 manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)

-files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file fifo_file })

+manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)

+files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { dir file fifo_file })

 kernel_read_system_state(nagios_t)

 kernel_read_kernel_sysctls(nagios_t)

@@ -168,6 +188,35 @@ mta_send_mail(nagios_t)

 mta_signal_system_mail(nagios_t)

 mta_kill_system_mail(nagios_t)

+tunable_policy(`nagios_run_sudo',`

+    allow nagios_t self:capability { setuid setgid sys_resource sys_ptrace };

+    allow nagios_t self:process { setrlimit setsched };

+