diff --git a/policy/modules/services/aisexec.fc b/policy/modules/services/aisexec.fc
new file mode 100644
index 0000000..7b4f4b9
--- /dev/null
+++ b/policy/modules/services/aisexec.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/openais		--	gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
+
+/usr/sbin/aisexec			--	gen_context(system_u:object_r:aisexec_exec_t,s0)
+
+/var/lib/openais(/.*)?				gen_context(system_u:object_r:aisexec_var_lib_t,s0)
+
+/var/log/cluster/aisexec\.log		--	gen_context(system_u:object_r:aisexec_var_log_t,s0)
+
+/var/run/aisexec\.pid			--	gen_context(system_u:object_r:aisexec_var_run_t,s0)
diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if
new file mode 100644
index 0000000..58acae2
--- /dev/null
+++ b/policy/modules/services/aisexec.if
@@ -0,0 +1,106 @@
+## <summary>SELinux policy for Aisexec Cluster Engine</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run aisexec.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aisexec_domtrans',`
+	gen_require(`
+		type aisexec_t, aisexec_exec_t;
+	')
+
+	domtrans_pattern($1, aisexec_exec_t, aisexec_t)
+')
+
+#####################################
+## <summary>
+##	Connect to aisexec over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`aisexec_stream_connect',`
+	gen_require(`
+		type aisexec_t, aisexec_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t)
+')
+
+#######################################
+## <summary>
+##	Allow the specified domain to read aisexec's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`aisexec_read_log',`
+	gen_require(`
+		type aisexec_var_log_t;
+	')
+
+	logging_search_logs($1)
+	list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
+	read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
+')
+
+######################################
+## <summary>
+##	All of the rules required to administrate 
+##	an aisexec environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the aisexecd domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`aisexecd_admin',`
+	gen_require(`
+		type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t;
+		type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t;
+		type aisexec_initrc_exec_t;
+	')
+
+	allow $1 aisexec_t:process { ptrace signal_perms };
+	ps_process_pattern($1, aisexec_t)
+
+	init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 aisexec_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_var_lib($1)
+	admin_pattern($1, aisexec_var_lib_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, aisexec_var_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, aisexec_var_run_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, aisexec_tmp_t)
+
+	admin_pattern($1, aisexec_tmpfs_t)
+')
diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
new file mode 100644
index 0000000..1b0bba7
--- /dev/null
+++ b/policy/modules/services/aisexec.te
@@ -0,0 +1,115 @@
+
+policy_module(aisexec, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type aisexec_t;
+type aisexec_exec_t;
+init_daemon_domain(aisexec_t, aisexec_exec_t)
+
+type aisexec_initrc_exec_t;
+init_script_file(aisexec_initrc_exec_t);
+
+# tmp files
+type aisexec_tmp_t;
+files_tmp_file(aisexec_tmp_t)
+
+type aisexec_tmpfs_t;
+files_tmpfs_file(aisexec_tmpfs_t)
+
+# var/lib files
+type aisexec_var_lib_t;
+files_type(aisexec_var_lib_t)
+
+# log files
+type aisexec_var_log_t;
+logging_log_file(aisexec_var_log_t)
+
+# pid files
+type aisexec_var_run_t;
+files_pid_file(aisexec_var_run_t)
+
+########################################
+#
+# aisexec local policy
+#
+
+allow aisexec_t self:capability { sys_nice sys_resource ipc_lock };
+allow aisexec_t self:process { setrlimit setsched signal };
+allow aisexec_t self:fifo_file rw_fifo_file_perms;
+allow aisexec_t self:sem create_sem_perms;
+allow aisexec_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow aisexec_t self:unix_dgram_socket create_socket_perms;
+allow aisexec_t self:udp_socket create_socket_perms;
+
+# tmp files
+manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
+manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
+files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir })
+
+manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
+manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
+fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file })
+
+# var/lib files
+manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, { file dir sock_file })
+
+# log files
+manage_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
+logging_log_filetrans(aisexec_t,aisexec_var_log_t,{ sock_file file })
+
+# pid file
+manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
+files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
+
+kernel_read_system_state(aisexec_t)
+
+corecmd_exec_bin(aisexec_t)
+
+corenet_udp_bind_netsupport_port(aisexec_t)
+corenet_tcp_bind_reserved_port(aisexec_t)
+corenet_udp_bind_cluster_port(aisexec_t)
+
+dev_read_urand(aisexec_t)
+
+files_manage_mounttab(aisexec_t)
+
+auth_use_nsswitch(aisexec_t)
+
+init_rw_script_tmp_files(aisexec_t)
+
+libs_use_ld_so(aisexec_t)
+libs_use_shared_libs(aisexec_t)
+
+logging_send_syslog_msg(aisexec_t)
+
+miscfiles_read_localization(aisexec_t)
+
+optional_policy(`
+	ccs_stream_connect(aisexec_t)
+')
+
+optional_policy(`
+	# to communication with RHCS
+	dlm_controld_manage_tmpfs_files(aisexec_t)
+	dlm_controld_rw_semaphores(aisexec_t)
+
+	fenced_manage_tmpfs_files(aisexec_t)
+	fenced_rw_semaphores(aisexec_t)
+
+	gfs_controld_manage_tmpfs_files(aisexec_t)
+	gfs_controld_rw_semaphores(aisexec_t)
+	gfs_controld_t_rw_shm(aisexec_t)
+
+	groupd_manage_tmpfs_files(aisexec_t)
+	groupd_rw_semaphores(aisexec_t)
+	groupd_rw_shm(aisexec_t)
+')
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index b7e76be..d750656 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -114,5 +114,10 @@ ifdef(`hide_broken_symptoms', `
 ')
 
 optional_policy(`
+	aisexec_stream_connect(ccs_t)
+	corosync_stream_connect(ccs_t)
+')
+
+optional_policy(`
 	unconfined_use_fds(ccs_t)
 ')
diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
new file mode 100644
index 0000000..3a6d7eb
--- /dev/null
+++ b/policy/modules/services/corosync.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/corosync	--	gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+
+/usr/sbin/corosync		--	gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/usr/sbin/ccs_tool		--	gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/var/lib/corosync(/.*)?			gen_context(system_u:object_r:corosync_var_lib_t,s0)
+
+/var/log/cluster/corosync\.log	--	gen_context(system_u:object_r:corosync_var_log_t,s0)
+
+/var/run/cman_.*		-s	gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync\.pid		--	gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
new file mode 100644
index 0000000..64f4ff9
--- /dev/null
+++ b/policy/modules/services/corosync.if
@@ -0,0 +1,106 @@
+## <summary>SELinux policy for Corosync Cluster Engine</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run corosync.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corosync_domtrans',`
+	gen_require(`
+		type corosync_t, corosync_exec_t;
+	')
+
+	domtrans_pattern($1, corosync_exec_t, corosync_t)
+')
+
+#######################################
+## <summary>
+##	Allow the specified domain to read corosync's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corosync_read_log',`
+	gen_require(`
+		type corosync_var_log_t;
+	')
+
+	logging_search_logs($1)
+	list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t)
+	read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+')
+
+#####################################
+## <summary>
+##	Connect to corosync over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corosync_stream_connect',`
+	gen_require(`
+		type corosync_t, corosync_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
+')
+
+######################################
+## <summary>
+##	All of the rules required to administrate 
+##	an corosync environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the corosyncd domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`corosyncd_admin',`
+	gen_require(`
+		type corosync_t, corosync_var_lib_t, corosync_var_log_t;
+		type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
+		type corosync_initrc_exec_t;
+	')
+
+	allow $1 corosync_t:process { ptrace signal_perms };
+	ps_process_pattern($1, corosync_t)
+
+	init_labeled_script_domtrans($1, corosync_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 corosync_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, corosync_tmp_t)
+
+	admin_pattern($1, corosync_tmpfs_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, corosync_var_lib_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, corosync_var_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, corosync_var_run_t)
+')
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
new file mode 100644
index 0000000..ddccc21
--- /dev/null
+++ b/policy/modules/services/corosync.te
@@ -0,0 +1,115 @@
+
+policy_module(corosync, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type corosync_t;
+type corosync_exec_t;
+init_daemon_domain(corosync_t, corosync_exec_t)
+
+type corosync_initrc_exec_t;
+init_script_file(corosync_initrc_exec_t);
+
+# tmp files
+type corosync_tmp_t;
+files_tmp_file(corosync_tmp_t)
+
+type corosync_tmpfs_t;
+files_tmpfs_file(corosync_tmpfs_t)
+
+# var/lib files
+type corosync_var_lib_t;
+files_type(corosync_var_lib_t)
+
+# log files
+type corosync_var_log_t;
+logging_log_file(corosync_var_log_t)
+
+# pid files
+type corosync_var_run_t;
+files_pid_file(corosync_var_run_t)
+
+########################################
+#
+# corosync local policy
+#
+
+allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
+allow corosync_t self:process { setrlimit setsched signal };
+
+allow corosync_t self:fifo_file rw_fifo_file_perms;
+allow corosync_t self:sem create_sem_perms;
+allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow corosync_t self:unix_dgram_socket create_socket_perms;
+allow corosync_t self:udp_socket create_socket_perms;
+
+# tmp files
+manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
+
+manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t,{ dir file })
+
+# var/lib files
+manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file })
+
+# log files
+manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
+
+# pid file
+manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
+
+kernel_read_system_state(corosync_t)
+
+corecmd_exec_bin(corosync_t)
+
+corenet_udp_bind_netsupport_port(corosync_t)
+
+dev_read_urand(corosync_t)
+
+domain_read_all_domains_state(corosync_t)
+
+files_manage_mounttab(corosync_t)
+
+auth_use_nsswitch(corosync_t)
+
+init_read_script_state(corosync_t)
+init_rw_script_tmp_files(corosync_t)
+
+logging_send_syslog_msg(corosync_t)
+
+miscfiles_read_localization(corosync_t)
+
+userdom_rw_user_tmpfs_files(corosync_t)
+
+optional_policy(`
+	ccs_read_config(corosync_t)
+')
+
+optional_policy(`
+	# to communication with RHCS
+	dlm_controld_manage_tmpfs_files(corosync_t)
+	dlm_controld_rw_semaphores(corosync_t)
+
+	fenced_manage_tmpfs_files(corosync_t)
+	fenced_rw_semaphores(corosync_t)
+
+	gfs_controld_manage_tmpfs_files(corosync_t)
+	gfs_controld_rw_semaphores(corosync_t)
+')
+
+optional_policy(`
+	rgmanager_manage_tmpfs_files(corosync_t)
+')
diff --git a/policy/modules/services/rgmanager.fc b/policy/modules/services/rgmanager.fc
new file mode 100644
index 0000000..3c97ef0
--- /dev/null
+++ b/policy/modules/services/rgmanager.fc
@@ -0,0 +1,7 @@
+/usr/sbin/rgmanager			--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
+
+/var/log/cluster/rgmanager\.log		--	gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+
+/var/run/cluster/rgmanager\.sk		-s	gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/var/run/rgmanager\.pid			--	gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if
new file mode 100644
index 0000000..c220b3d
--- /dev/null
+++ b/policy/modules/services/rgmanager.if
@@ -0,0 +1,95 @@
+## <summary>SELinux policy for rgmanager</summary>
+
+#######################################
+## <summary>
+##	Execute a domain transition to run rgmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_domtrans',`
+	gen_require(`
+		type rgmanager_t, rgmanager_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)
+')
+
+#######################################
+## <summary>
+##	Allow read and write access to rgmanager semaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rgmanager_rw_semaphores',`
+	gen_require(`
+		type rgmanager_t;
+	')
+
+	allow $1 rgmanager_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+##	Connect to rgmanager over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rgmanager_stream_connect',`
+	gen_require(`
+		type rgmanager_t, rgmanager_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
+')
+
+######################################
+## <summary>
+##	Allow manage rgmanager tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rgmanager_manage_tmp_files',`
+	gen_require(`
+		type rgmanager_tmp_t;
+	')
+
+	files_search_tmp($1)
+	manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+')
+
+######################################
+## <summary>
+##	Allow manage rgmanager tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rgmanager_manage_tmpfs_files',`
+	gen_require(`
+		type rgmanager_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+')
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
new file mode 100644
index 0000000..419da00
--- /dev/null
+++ b/policy/modules/services/rgmanager.te
@@ -0,0 +1,212 @@
+
+policy_module(rgmanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow rgmanager domain to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(rgmanager_can_network_connect, false)
+
+type rgmanager_t;
+type rgmanager_exec_t;
+domain_type(rgmanager_t)
+init_daemon_domain(rgmanager_t, rgmanager_exec_t)
+
+# tmp files
+type rgmanager_tmp_t;
+files_tmp_file(rgmanager_tmp_t)
+
+type rgmanager_tmpfs_t;
+files_tmpfs_file(rgmanager_tmpfs_t)
+
+# log files
+type rgmanager_var_log_t;
+logging_log_file(rgmanager_var_log_t)
+
+# pid files
+type rgmanager_var_run_t;
+files_pid_file(rgmanager_var_run_t)
+
+########################################
+#
+# rgmanager local policy
+#
+
+allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+dontaudit rgmanager_t self:capability { sys_ptrace };
+allow rgmanager_t self:process { setsched signal };
+dontaudit rgmanager_t self:process { ptrace };
+
+allow rgmanager_t self:fifo_file rw_fifo_file_perms;
+allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
+allow rgmanager_t self:unix_dgram_socket create_socket_perms;
+allow rgmanager_t self:tcp_socket create_stream_socket_perms;
+
+# tmp files
+manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
+
+manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t,{ dir file })
+
+# log files
+manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
+logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
+
+# pid file
+manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(rgmanager_t)
+kernel_read_system_state(rgmanager_t)
+kernel_rw_rpc_sysctls(rgmanager_t)
+kernel_search_debugfs(rgmanager_t)
+kernel_search_network_state(rgmanager_t)
+
+corecmd_exec_bin(rgmanager_t)
+corecmd_exec_shell(rgmanager_t)
+consoletype_exec(rgmanager_t)
+
+# need to write to /dev/misc/dlm-control
+dev_rw_dlm_control(rgmanager_t)
+dev_setattr_dlm_control(rgmanager_t)
+dev_search_sysfs(rgmanager_t)
+
+domain_read_all_domains_state(rgmanager_t)
+domain_getattr_all_domains(rgmanager_t)
+domain_dontaudit_ptrace_all_domains(rgmanager_t)
+
+files_list_all(rgmanager_t)
+files_getattr_all_symlinks(rgmanager_t)
+files_manage_mnt_dirs(rgmanager_t)
+files_manage_isid_type_dirs(rgmanager_t)
+
+fs_getattr_xattr_fs(rgmanager_t)
+fs_getattr_all_fs(rgmanager_t)
+
+storage_getattr_fixed_disk_dev(rgmanager_t)
+
+term_getattr_pty_fs(rgmanager_t)
+#term_use_ptmx(rgmanager_t)
+
+# needed by resources scripts
+auth_read_all_files_except_shadow(rgmanager_t)
+auth_dontaudit_getattr_shadow(rgmanager_t)
+auth_use_nsswitch(rgmanager_t)
+
+libs_use_ld_so(rgmanager_t)
+libs_use_shared_libs(rgmanager_t)
+
+logging_send_syslog_msg(rgmanager_t)
+
+miscfiles_read_localization(rgmanager_t)
+
+mount_domtrans(rgmanager_t)
+
+tunable_policy(`rgmanager_can_network_connect',`
+	corenet_tcp_connect_all_ports(rgmanager_t)
+')
+
+# rgmanager can run resource scripts
+optional_policy(`
+	aisexec_stream_connect(rgmanager_t)
+	corosync_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+	apache_domtrans(rgmanager_t)
+	apache_signal(rgmanager_t)
+')
+
+optional_policy(`
+	fstools_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+	groupd_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+	hostname_exec(rgmanager_t)
+')
+
+optional_policy(`
+	ccs_manage_config(rgmanager_t)
+	ccs_stream_connect(rgmanager_t)
+	gfs_controld_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+	lvm_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+	mysql_domtrans_mysql_safe(rgmanager_t)
+	mysql_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+	netutils_domtrans(rgmanager_t)
+	netutils_domtrans_ping(rgmanager_t)
+')
+
+optional_policy(`
+	postgresql_domtrans(rgmanager_t)
+	postgresql_signal(rgmanager_t)
+')
+
+optional_policy(`
+	rdisc_exec(rgmanager_t)
+')
+
+optional_policy(`
+	ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
+')
+
+optional_policy(`
+	rpc_initrc_domtrans_nfsd(rgmanager_t)
+	rpc_initrc_domtrans_rpcd(rgmanager_t)
+
+	rpc_domtrans_nfsd(rgmanager_t)
+	rpc_domtrans_rpcd(rgmanager_t)
+	rpc_manage_nfs_state_data(rgmanager_t)
+')
+
+optional_policy(`
+	samba_initrc_domtrans(rgmanager_t)
+	samba_domtrans_smbd(rgmanager_t)
+	samba_domtrans_nmbd(rgmanager_t)
+	samba_manage_var_files(rgmanager_t)
+	samba_rw_config(rgmanager_t)
+	samba_signal_smbd(rgmanager_t)
+	samba_signal_nmbd(rgmanager_t)
+')
+
+optional_policy(`
+	sysnet_domtrans_ifconfig(rgmanager_t)
+')
+
+optional_policy(`
+	udev_read_db(rgmanager_t)
+')
+
+optional_policy(`
+	virt_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+	unconfined_domain(rgmanager_t)
+')
+
+optional_policy(`
+	xen_domtrans_xm(rgmanager_t)
+')
diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
new file mode 100644
index 0000000..c2ba53b
--- /dev/null
+++ b/policy/modules/services/rhcs.fc
@@ -0,0 +1,22 @@
+/usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced			--	gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node			--	gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/gfs_controld			--	gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/groupd			--	gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/qdiskd			--	gen_context(system_u:object_r:qdiskd_exec_t,s0)
+
+/var/lock/fence_manual\.lock		--	gen_context(system_u:object_r:fenced_lock_t,s0)
+
+/var/lib/qdiskd(/.*)?				gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+
+/var/log/cluster/dlm_controld\.log.*	--	gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+/var/log/cluster/fenced\.log.*		--	gen_context(system_u:object_r:fenced_var_log_t,s0)
+/var/log/cluster/gfs_controld\.log.*	--	gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
+/var/log/cluster/qdiskd\.log.*		--	gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+
+/var/run/cluster/fenced_override	--	gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/dlm_controld\.pid		--	gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/fenced\.pid			--	gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/gfs_controld\.pid		--	gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/var/run/groupd\.pid			--	gen_context(system_u:object_r:groupd_var_run_t,s0)
+/var/run/qdiskd\.pid			--	gen_context(system_u:object_r:qdiskd_var_run_t,s0)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
new file mode 100644
index 0000000..1516fcd
--- /dev/null
+++ b/policy/modules/services/rhcs.if
@@ -0,0 +1,415 @@
+## <summary>SELinux policy for RHCS - Red Hat Cluster Suite </summary>
+
+#######################################
+## <summary>
+##	Creates types and rules for a basic
+##	rhcs init daemon domain.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the domain.
+##	</summary>
+## </param>
+#
+template(`rhcs_domain_template',`
+	gen_require(`
+		attribute cluster_domain;
+	')
+
+	##############################
+	#
+	# $1_t declarations
+	#
+
+	type $1_t, cluster_domain;
+	type $1_exec_t;
+	init_daemon_domain($1_t, $1_exec_t)
+
+	type $1_tmpfs_t;
+	files_tmpfs_file($1_tmpfs_t)
+
+	# log files
+	type $1_var_log_t;
+	logging_log_file($1_var_log_t)
+
+	# pid files
+	type $1_var_run_t;
+	files_pid_file($1_var_run_t)
+
+	##############################
+	#
+	# $1_t local policy
+	#
+
+	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
+
+	manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+	manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+	logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })
+
+	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+	manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+	manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+	files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
+	
+')
+
+######################################
+## <summary>
+##	Execute a domain transition to run dlm_controld.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dlm_controld_domtrans',`
+	gen_require(`
+	type dlm_controld_t, dlm_controld_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
+')
+
+#####################################
+## <summary>
+##	Connect to dlm_controld over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dlm_controld_stream_connect',`
+	gen_require(`
+		type dlm_controld_t, dlm_controld_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+')
+
+#####################################
+## <summary>
+##	Allow read and write access to dlm_controld semaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dlm_controld_rw_semaphores',`
+	gen_require(`
+		type dlm_controld_t;
+	')
+
+	allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
+')
+
+#####################################
+## <summary>
+##	Manage dlm_controld tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dlm_controld_manage_tmpfs_files',`
+	gen_require(`
+		type dlm_controld_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
+')
+
+######################################
+## <summary>
+##	Execute a domain transition to run fenced.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fenced_domtrans',`
+	gen_require(`
+		type fenced_t, fenced_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, fenced_exec_t, fenced_t)
+')
+
+######################################
+## <summary>
+##	Allow read and write access to fenced semaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fenced_rw_semaphores',`
+	gen_require(`
+		type fenced_t;
+	')
+
+	allow $1 fenced_t:sem { rw_sem_perms destroy };
+')
+
+######################################
+## <summary>
+##	Connect to fenced over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fenced_stream_connect',`
+	gen_require(`
+		type fenced_var_run_t, fenced_t;
+	')
+
+	allow $1 fenced_t:unix_stream_socket connectto;
+	allow $1 fenced_var_run_t:sock_file { getattr write };
+	files_search_pids($1)
+')
+
+#####################################
+## <summary>
+##	Managed fenced tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fenced_manage_tmpfs_files',`
+	gen_require(`
+		type fenced_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
+')
+
+#####################################
+## <summary>
+##	Execute a domain transition to run gfs_controld.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gfs_controld_domtrans',`
+	gen_require(`
+	type gfs_controld_t, gfs_controld_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
+')
+
+###################################
+## <summary>
+##	Manage gfs_controld tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gfs_controld_manage_tmpfs_files',`
+	gen_require(`
+	type gfs_controld_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+')
+
+####################################
+## <summary>
+##	Allow read and write access to gfs_controld semaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gfs_controld_rw_semaphores',`
+	gen_require(`
+		type gfs_controld_t;
+	')
+
+	allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
+')
+
+########################################
+## <summary>
+##	Read and write to gfs_controld_t shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gfs_controld_t_rw_shm',`
+	gen_require(`
+		type gfs_controld_t;
+	')
+
+	allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
+')
+
+#####################################
+## <summary>
+##	Connect to gfs_controld_t over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gfs_controld_stream_connect',`
+	gen_require(`
+		type gfs_controld_t, gfs_controld_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
+')
+
+######################################
+## <summary>
+##	Execute a domain transition to run groupd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`groupd_domtrans',`
+	gen_require(`
+		type groupd_t, groupd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, groupd_exec_t, groupd_t)
+')
+
+#####################################
+## <summary>
+##	Connect to groupd over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`groupd_stream_connect',`
+	gen_require(`
+		type groupd_t, groupd_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
+')
+
+#####################################
+## <summary>
+##	Allow read and write access to groupd semaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`groupd_rw_semaphores',`
+	gen_require(`
+		type groupd_t;
+	')
+
+	allow $1 groupd_t:sem { rw_sem_perms destroy };
+')
+
+########################################
+## <summary>
+##	Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`groupd_rw_shm',`
+	gen_require(`
+	type groupd_t;
+	')
+
+	allow $1 groupd_t:shm { rw_shm_perms destroy };
+')
+
+#####################################
+## <summary>
+##	Manage groupd tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`groupd_manage_tmpfs_files',`
+	gen_require(`
+		type groupd_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+######################################
+## <summary>
+##	Execute a domain transition to run qdiskd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`qdiskd_domtrans',`
+	gen_require(`
+		type qdiskd_t, qdiskd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
+')
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
new file mode 100644
index 0000000..3fa9819
--- /dev/null
+++ b/policy/modules/services/rhcs.te
@@ -0,0 +1,247 @@
+
+policy_module(rhcs, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow fenced domain to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(fenced_can_network_connect, false)
+
+attribute cluster_domain;
+
+rhcs_domain_template(dlm_controld)
+
+rhcs_domain_template(fenced)
+
+type fenced_lock_t;
+files_lock_file(fenced_lock_t)
+
+# tmp files
+type fenced_tmp_t;
+files_tmp_file(fenced_tmp_t)
+
+rhcs_domain_template(gfs_controld)
+
+rhcs_domain_template(groupd)
+
+rhcs_domain_template(qdiskd)
+
+# var/lib files
+type qdiskd_var_lib_t;
+files_type(qdiskd_var_lib_t)
+
+#####################################
+#
+# dlm_controld local policy
+#
+
+allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
+
+allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+kernel_read_system_state(dlm_controld_t)
+
+dev_rw_dlm_control(dlm_controld_t)
+dev_rw_sysfs(dlm_controld_t)
+
+fs_manage_configfs_files(dlm_controld_t)
+fs_manage_configfs_dirs(dlm_controld_t)
+
+init_rw_script_tmp_files(dlm_controld_t)
+
+optional_policy(`
+	ccs_stream_connect(dlm_controld_t)
+')
+
+#######################################
+#
+# fenced local policy
+#
+
+allow fenced_t self:capability { sys_rawio sys_resource };
+allow fenced_t self:process getsched;
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
+allow fenced_t self:udp_socket create_socket_perms;
+
+can_exec(fenced_t, fenced_exec_t)
+
+manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
+files_lock_filetrans(fenced_t, fenced_lock_t, file)
+
+# tmp files
+manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+
+stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+corecmd_exec_bin(fenced_t)
+
+corenet_tcp_connect_http_port(fenced_t)
+
+dev_read_sysfs(fenced_t)
+dev_read_urand(fenced_t)
+
+files_read_usr_symlinks(fenced_t)
+
+storage_raw_read_fixed_disk(fenced_t)
+storage_raw_write_fixed_disk(fenced_t)
+storage_raw_read_removable_device(fenced_t)
+
+term_getattr_pty_fs(fenced_t)
+term_use_ptmx(fenced_t)
+
+auth_use_nsswitch(fenced_t)
+
+tunable_policy(`fenced_can_network_connect',`
+	corenet_tcp_connect_all_ports(fenced_t)
+')
+
+optional_policy(`
+	ccs_read_config(fenced_t)
+	ccs_stream_connect(fenced_t)
+')
+
+optional_policy(`
+	lvm_domtrans(fenced_t)
+	lvm_read_config(fenced_t)
+')
+
+######################################
+#
+# gfs_controld local policy
+#
+
+allow gfs_controld_t self:capability { net_admin sys_resource };
+
+allow gfs_controld_t self:shm create_shm_perms;
+allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+kernel_read_system_state(gfs_controld_t)
+
+dev_rw_dlm_control(gfs_controld_t)
+dev_setattr_dlm_control(gfs_controld_t)
+dev_rw_sysfs(gfs_controld_t)
+
+storage_getattr_removable_dev(gfs_controld_t)
+
+init_rw_script_tmp_files(gfs_controld_t)
+
+optional_policy(`
+	ccs_stream_connect(gfs_controld_t)
+')
+
+optional_policy(`
+	lvm_exec(gfs_controld_t)
+	dev_rw_lvm_control(gfs_controld_t)
+')
+
+#######################################
+#
+# groupd local policy
+#
+
+allow groupd_t self:capability { sys_nice sys_resource };
+allow groupd_t self:process setsched;
+
+allow groupd_t self:shm create_shm_perms;
+
+dev_list_sysfs(groupd_t)
+
+files_read_etc_files(groupd_t)
+
+init_rw_script_tmp_files(groupd_t)
+
+######################################
+#
+# qdiskd local policy
+#
+
+allow qdiskd_t self:capability ipc_lock;
+
+allow qdiskd_t self:tcp_socket create_stream_socket_perms;
+allow qdiskd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
+
+kernel_read_system_state(qdiskd_t)
+kernel_read_software_raid_state(qdiskd_t)
+kernel_getattr_core_if(qdiskd_t)
+
+corecmd_getattr_bin_files(qdiskd_t)
+corecmd_exec_shell(qdiskd_t)
+
+dev_read_sysfs(qdiskd_t)
+dev_list_all_dev_nodes(qdiskd_t)
+dev_getattr_all_blk_files(qdiskd_t)
+dev_getattr_all_chr_files(qdiskd_t)
+dev_manage_generic_blk_files(qdiskd_t)
+dev_manage_generic_chr_files(qdiskd_t)
+
+domain_dontaudit_getattr_all_pipes(qdiskd_t)
+domain_dontaudit_getattr_all_sockets(qdiskd_t)
+
+files_dontaudit_getattr_all_sockets(qdiskd_t)
+files_dontaudit_getattr_all_pipes(qdiskd_t)
+files_read_etc_files(qdiskd_t)
+
+storage_raw_read_removable_device(qdiskd_t)
+storage_raw_write_removable_device(qdiskd_t)
+storage_raw_read_fixed_disk(qdiskd_t)
+storage_raw_write_fixed_disk(qdiskd_t)
+
+auth_use_nsswitch(qdiskd_t)
+
+optional_policy(`
+	ccs_stream_connect(qdiskd_t)
+')
+
+optional_policy(`
+	netutils_domtrans_ping(qdiskd_t)
+')
+
+optional_policy(`
+	udev_read_db(qdiskd_t)
+')
+
+#####################################
+#
+# rhcs domains common policy
+#
+
+allow cluster_domain self:capability { sys_nice };
+allow cluster_domain self:process setsched;
+
+allow cluster_domain self:sem create_sem_perms;
+allow cluster_domain self:fifo_file rw_fifo_file_perms;
+allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
+allow cluster_domain self:unix_dgram_socket create_socket_perms;
+
+libs_use_ld_so(cluster_domain)
+libs_use_shared_libs(cluster_domain)
+
+logging_send_syslog_msg(cluster_domain)
+
+miscfiles_read_localization(cluster_domain)
+
+optional_policy(`
+	corosync_stream_connect(cluster_domain)
+')
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index cf414fa..c759445 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -194,7 +194,7 @@ optional_policy(`
 # ricci_modcluster local policy
 #
 
-allow ricci_modcluster_t self:capability sys_nice;
+allow ricci_modcluster_t self:capability { net_bind_service sys_nice };
 allow ricci_modcluster_t self:process setsched;
 allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
 
@@ -204,6 +204,9 @@ kernel_read_system_state(ricci_modcluster_t)
 corecmd_exec_shell(ricci_modcluster_t)
 corecmd_exec_bin(ricci_modcluster_t)
 
+corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
+corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
+
 domain_read_all_domains_state(ricci_modcluster_t)
 
 files_search_locks(ricci_modcluster_t)
@@ -216,17 +219,22 @@ init_domtrans_script(ricci_modcluster_t)
 
 logging_send_syslog_msg(ricci_modcluster_t)
 
-consoletype_exec(ricci_modcluster_t)
-
 miscfiles_read_localization(ricci_modcluster_t)
 
 modutils_domtrans_insmod(ricci_modcluster_t)
 
 mount_domtrans(ricci_modcluster_t)
 
+consoletype_exec(ricci_modcluster_t)
+
 ricci_stream_connect_modclusterd(ricci_modcluster_t)
 
 optional_policy(`
+	aisexec_stream_connect(ricci_modcluster_t)
+	corosync_stream_connect(ricci_modcluster_t)
+')
+
+optional_policy(`
 	ccs_stream_connect(ricci_modcluster_t)
 	ccs_domtrans(ricci_modcluster_t)
 	ccs_manage_config(ricci_modcluster_t)
@@ -245,6 +253,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rgmanager_stream_connect(ricci_modclusterd_t)
+')
+
+optional_policy(`
 	# XXX This has got to go.
 	unconfined_domain(ricci_modcluster_t)
 ')
@@ -259,11 +271,11 @@ allow ricci_modclusterd_t self:process { signal sigkill setsched };
 allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
 allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
 allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
-allow ricci_modclusterd_t self:netlink_route_socket r_netlink_socket_perms;
 # cjp: this needs to be fixed for a specific socket type:
 allow ricci_modclusterd_t self:socket create_socket_perms;
 
 allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
+allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
 
 # log files
 allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
@@ -294,6 +306,8 @@ files_read_etc_runtime_files(ricci_modclusterd_t)
 
 fs_getattr_xattr_fs(ricci_modclusterd_t)
 
+auth_use_nsswitch(ricci_modclusterd_t)
+
 init_stream_connect_script(ricci_modclusterd_t)
 
 locallogin_dontaudit_use_fds(ricci_modclusterd_t)
@@ -303,7 +317,11 @@ logging_send_syslog_msg(ricci_modclusterd_t)
 miscfiles_read_localization(ricci_modclusterd_t)
 
 sysnet_domtrans_ifconfig(ricci_modclusterd_t)
-sysnet_dns_name_resolve(ricci_modclusterd_t)
+
+optional_policy(`
+	aisexec_stream_connect(ricci_modclusterd_t)
+	corosync_stream_connect(ricci_modclusterd_t)
+')
 
 optional_policy(`
 	ccs_domtrans(ricci_modclusterd_t)
@@ -312,6 +330,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rgmanager_stream_connect(ricci_modclusterd_t)
+')
+
+optional_policy(`
 	unconfined_use_fds(ricci_modclusterd_t)
 ')
 
@@ -457,6 +479,11 @@ consoletype_exec(ricci_modstorage_t)
 mount_domtrans(ricci_modstorage_t)
 
 optional_policy(`
+	aisexec_stream_connect(ricci_modstorage_t)
+	corosync_stream_connect(ricci_modstorage_t)
+')
+
+optional_policy(`
 	ccs_stream_connect(ricci_modstorage_t)
 	ccs_read_config(ricci_modstorage_t)
 ')