diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index d3265f1..5306a99 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -8,6 +8,7 @@
* Added policies:
acct
mysql
+ quota
su
sudo
tmpreaper
diff --git a/refpolicy/policy/modules/admin/quota.fc b/refpolicy/policy/modules/admin/quota.fc
new file mode 100644
index 0000000..3e367f0
--- /dev/null
+++ b/refpolicy/policy/modules/admin/quota.fc
@@ -0,0 +1,14 @@
+
+/sbin/quota(check|on) -- context_template(system_u:object_r:quota_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/sbin/convertquota -- context_template(system_u:object_r:quota_exec_t,s0)
+',`
+/sbin/convertquota -- context_template(system_u:object_r:quota_exec_t,s0)
+')
+
+HOME_ROOT/a?quota\.(user|group) -- context_template(system_u:object_r:quota_db_t,s0)
+
+/var/a?quota\.(user|group) -- context_template(system_u:object_r:quota_db_t,s0)
+
+/var/lib/quota(/.*)? context_template(system_u:object_r:quota_flag_t,s0)
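Review bot: Quota database files outside HOME_ROOT and /var get no quota_db_t label here, yet quota.te in this same commit comments `# for /quota.*` and its TODO block lists root_t, usr_t, src_t and var_spool_t as parent types of quota_db_t files. If `aquota.user`/`aquota.group` are expected at the root of other mounted filesystems, those files keep their parent directory's type and `allow quota_t quota_db_t:file { read write quotaon }` will not cover them. Either add matching entries following the existing pattern (e.g. `/a?quota\.(user|group) -- context_template(system_u:object_r:quota_db_t,s0)`) or reword the `/quota.*` comment in quota.te so the two files agree.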
diff --git a/refpolicy/policy/modules/admin/quota.if b/refpolicy/policy/modules/admin/quota.if
new file mode 100644
index 0000000..ed0e637
--- /dev/null
+++ b/refpolicy/policy/modules/admin/quota.if
@@ -0,0 +1,81 @@
+## File system quota management
+
+########################################
+##
+## Execute quota management tools in the quota domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`quota_domtrans',`
+ gen_require(`
+ type quota_t, quota_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ domain_auto_trans($1,quota_exec_t,quota_t)
+
+ allow $1 quota_t:fd use;
+ allow quota_t $1:fd use;
+ allow quota_t $1:fifo_file rw_file_perms;
+ allow quota_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute quota management tools in the quota domain, and
+## allow the specified role the quota domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the quota domain.
+##
+##
+## The type of the terminal allow the quota domain to use.
+##
+#
+interface(`quota_run',`
+ gen_require(`
+ type quota_t;
+ class chr_file rw_term_perms;
+ ')
+
+ quota_domtrans($1)
+ role $2 types quota_t;
+ allow quota_t $3:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Do not audit attempts to get the attributes
+## of filesystem quota data files.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`quota_dontaudit_getattr_db',`
+ gen_require(`
+ type quota_db_t;
+ class file getattr;
+ ')
+
+ dontaudit $1 quota_db_t:file getattr;
+')
+
+interface(`quota_manage_flags',`
+ gen_require(`
+ type quota_flag_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 quota_flag_t:dir rw_dir_perms;
+ allow $1 quota_flag_t:file create_file_perms;
+')
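Review bot: `quota_manage_flags` is the only interface in this file without a documentation header; the three interfaces above it each carry a `##` summary and a parameter description, so this one breaks the file's convention and presumably drops out of any documentation generated from those comments. A header of the same shape should precede `interface(`quota_manage_flags',`, e.g. `## Create and manage the quota flag files under /var/lib/quota.` followed by `## Domain allowed access.` for the parameter. The `quota_run` parameter text `The type of the terminal allow the quota domain to use.` also reads awkwardly; `The type of the terminal the quota domain is allowed to use.` is clearer.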
diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te
new file mode 100644
index 0000000..4005a80
--- /dev/null
+++ b/refpolicy/policy/modules/admin/quota.te
@@ -0,0 +1,89 @@
+
+policy_module(quota,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type quota_t;
+type quota_exec_t;
+init_system_domain(quota_t,quota_exec_t)
+
+type quota_db_t;
+files_type(quota_db_t)
+
+type quota_flag_t;
+files_type(quota_flag_t)
+
+allow quota_t self:capability { sys_admin dac_override };
+dontaudit quota_t self:capability sys_tty_config;
+allow quota_t self:process signal_perms;
+
+# for /quota.*
+allow quota_t quota_db_t:file { read write quotaon };
+
+kernel_list_proc(quota_t)
+kernel_read_proc_symlinks(quota_t)
+kernel_read_kernel_sysctl(quota_t)
+
+dev_read_sysfs(quota_t)
+dev_getattr_all_blk_files(quota_t)
+dev_getattr_all_chr_files(quota_t)
+
+fs_get_xattr_fs_quota(quota_t)
+fs_set_xattr_fs_quota(quota_t)
+fs_getattr_xattr_fs(quota_t)
+fs_remount_xattr_fs(quota_t)
+fs_search_auto_mountpoints(quota_t)
+
+storage_raw_read_fixed_disk(quota_t)
+
+term_dontaudit_use_console(quota_t)
+
+domain_use_wide_inherit_fd(quota_t)
+
+files_list_all_dirs(quota_t)
+files_read_all_files(quota_t)
+files_read_all_symlinks(quota_t)
+files_getattr_all_pipes(quota_t)
+files_getattr_all_sockets(quota_t)
+# Read /etc/mtab.
+files_read_etc_runtime_files(quota_t)
+
+init_use_fd(quota_t)
+init_use_script_pty(quota_t)
+
+libs_use_ld_so(quota_t)
+libs_use_shared_libs(quota_t)
+
+logging_send_syslog_msg(quota_t)
+
+userdom_dontaudit_use_unpriv_user_fd(quota_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(quota_t)
+ term_dontaudit_use_generic_pty(quota_t)
+ files_dontaudit_read_root_file(quota_t)
+')
+
+optional_policy(`rhgb.te',`
+ rhgb_domain(quota_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(quota_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(quota_t)
+')
+
+ifdef(`TODO',`
+# quotacheck creates new quota_db_t files
+file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
+
+allow quota_t file_t:file quotaon;
+
+allow quota_t proc_t:file getattr;
+') dnl end TODO
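Review bot: `files_read_all_files(quota_t)` grants more than its name suggests: the interface as added in this commit's files.if hunk also calls `auth_read_shadow($1)` when the authlogin module is present, so the quota domain gains read access to the shadow password file. quotacheck walks filesystems to account usage, which presumably needs `getattr` on every file rather than its contents; if that holds, `files_getattr_all_files(quota_t)` (already present in files.if) together with the `files_list_all_dirs(quota_t)` call already here would give the same coverage without exposing shadow. If content read is genuinely required, a comment above the call stating why (`# quotacheck needs file contents for ...`) would keep the shadow grant from looking accidental.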
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 09e1c6b..a9bb42f 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -216,6 +216,42 @@ interface(`fs_relabelfrom_xattr_fs',`
########################################
##
+## Get the filesystem quotas of a filesystem
+## with extended attributes.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+#
+interface(`fs_get_xattr_fs_quota',`
+ gen_require(`
+ type fs_t;
+ class filesystem quotaget;
+ ')
+
+ allow $1 fs_t:filesystem quotaget;
+')
+
+########################################
+##
+## Set the filesystem quotas of a filesystem
+## with extended attributes.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+#
+interface(`fs_set_xattr_fs_quota',`
+ gen_require(`
+ type fs_t;
+ class filesystem quotamod;
+ ')
+
+ allow $1 fs_t:filesystem quotamod;
+')
+
+########################################
+##
## Mount an automount pseudo filesystem.
##
##
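Review bot: The parameter descriptions on both new interfaces read `The type of the domain mounting the filesystem.`, which looks copied from the neighbouring mount interfaces; `fs_get_xattr_fs_quota` and `fs_set_xattr_fs_quota` grant `quotaget` and `quotamod` on fs_t, not mounting. Suggest `The type of the domain getting the quotas.` for the first and `The type of the domain setting the quotas.` for the second, so the interface documentation matches what is actually granted. The enclosing file continues outside this hunk.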
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index d62a4ad..ecfc8dd 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -140,8 +140,29 @@ interface(`files_dontaudit_getattr_all_dirs',`
')
########################################
+##
+## List the contents of all directories.
+##
+##
+## Domain allowed access.
+##
#
-# files_getattr_all_files(domain)
+interface(`files_list_all_dirs',`
+ gen_require(`
+ attribute file_type;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 file_type:dir r_dir_perms;
+')
+
+########################################
+##
+## Get the attributes of all files.
+##
+##
+## Domain allowed access.
+##
#
interface(`files_getattr_all_files',`
gen_require(`
@@ -174,6 +195,29 @@ interface(`files_dontaudit_getattr_all_files',`
########################################
##
+## Read all files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_read_all_files',`
+ gen_require(`
+ attribute file_type;
+ class dir search;
+ class file r_file_perms;
+ ')
+
+ allow $1 file_type:dir search;
+ allow $1 file_type:file r_file_perms;
+
+ optional_policy(`authlogin.te',`
+ auth_read_shadow($1)
+ ')
+')
+
+########################################
+##
## Get the attributes of all symbolic links.
##
##
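Review bot: The summary `## Read all files.` does not disclose that the interface also calls `auth_read_shadow($1)` when the authlogin module is present, so a caller choosing it by name will not realise it grants read access to the shadow password file. Suggest expanding the summary to `## Read all files, including the shadow password file.` or, alternatively, moving the shadow grant out of this interface into the callers that actually need it, since every future caller of `files_read_all_files` inherits it. Its first caller, quota.te in this commit, is a case where that inheritance may not be intended.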
@@ -211,6 +255,25 @@ interface(`files_dontaudit_getattr_all_symlinks',`
########################################
##
+## Read all symbolic links.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_read_all_symlinks',`
+ gen_require(`
+ attribute file_type;
+ class dir search;
+ class lnk_file { getattr read };
+ ')
+
+ allow $1 file_type:dir search;
+ allow $1 file_type:lnk_file { getattr read };
+')
+
+########################################
+##
## Get the attributes of all named pipes.
##
##
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 41e33ca..129b41c 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -410,6 +410,10 @@ optional_policy(`raid.te',`
raid_manage_mdadm_pid(initrc_t)
')
+optional_policy(`quota.te',`
+ quota_manage_flags(initrc_t)
+')
+
optional_policy(`rhgb.te',`
corecmd_shell_entry_type(initrc_t)
')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 3ba5898..cc1a1b4 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -265,6 +265,10 @@ template(`base_user_template',`
pcmcia_read_pid($1_t)
')
+ optional_policy(`quota.te',`
+ quota_dontaudit_getattr_db($1_t)
+ ')
+
optional_policy(`rpm.te',`
files_getattr_var_lib_dir($1_t)
files_search_var_lib($1_t)
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 55d7321..b32e891 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -175,6 +175,10 @@ ifdef(`targeted_policy',`
pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`quota.te',`
+ quota_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
optional_policy(`rpm.te',`
rpm_run(sysadm_t,sysadm_r,admin_terminal)
')