diff --git a/policy/modules/apps/podsleuth.fc b/policy/modules/apps/podsleuth.fc
index 91397a3..6fbc01c 100644
--- a/policy/modules/apps/podsleuth.fc
+++ b/policy/modules/apps/podsleuth.fc
@@ -1,2 +1,3 @@
-
/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0)
diff --git a/policy/modules/apps/podsleuth.if b/policy/modules/apps/podsleuth.if
index c35702d..60b8bc2 100644
--- a/policy/modules/apps/podsleuth.if
+++ b/policy/modules/apps/podsleuth.if
@@ -16,4 +16,30 @@ interface(`podsleuth_domtrans',`
')
domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
+ allow $1 podsleuth_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute podsleuth in the podsleuth domain, and
+## allow the specified role the podsleuth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the podsleuth domain.
+## </summary>
+## </param>
+#
+interface(`podsleuth_run',`
+ gen_require(`
+ type podsleuth_t;
+ ')
+
+ podsleuth_domtrans($1)
+ role $2 types podsleuth_t;
')
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
index cada433..0136355 100644
--- a/policy/modules/apps/podsleuth.te
+++ b/policy/modules/apps/podsleuth.te
@@ -1,5 +1,5 @@
-policy_module(podsleuth, 1.1.0)
+policy_module(podsleuth, 1.1.1)
########################################
#
@@ -11,25 +11,74 @@ type podsleuth_exec_t;
application_domain(podsleuth_t, podsleuth_exec_t)
role system_r types podsleuth_t;
+type podsleuth_cache_t;
+files_type(podsleuth_cache_t)
+ubac_constrained(podsleuth_cache_t)
+
+type podsleuth_tmp_t;
+files_tmp_file(podsleuth_tmp_t)
+ubac_constrained(podsleuth_tmp_t)
+
+type podsleuth_tmpfs_t;
+files_tmpfs_file(podsleuth_tmpfs_t)
+ubac_constrained(podsleuth_tmpfs_t)
+
########################################
#
# podsleuth local policy
#
-
-allow podsleuth_t self:process { signal getsched execheap execmem };
+allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
allow podsleuth_t self:fifo_file rw_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+allow podsleuth_t self:sem create_sem_perms;
+allow podsleuth_t self:tcp_socket create_stream_socket_perms;
+allow podsleuth_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
+
+allow podsleuth_t podsleuth_tmp_t:dir mounton;
+manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })
+
+manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
kernel_read_system_state(podsleuth_t)
+corecmd_exec_bin(podsleuth_t)
+
+corenet_tcp_connect_http_port(podsleuth_t)
+
dev_read_urand(podsleuth_t)
files_read_etc_files(podsleuth_t)
+fs_mount_dos_fs(podsleuth_t)
+fs_unmount_dos_fs(podsleuth_t)
+fs_getattr_dos_fs(podsleuth_t)
+fs_read_dos_files(podsleuth_t)
+fs_search_dos(podsleuth_t)
+fs_getattr_tmpfs(podsleuth_t)
+fs_list_tmpfs(podsleuth_t)
+
miscfiles_read_localization(podsleuth_t)
-dbus_system_bus_client(podsleuth_t)
+sysnet_dns_name_resolve(podsleuth_t)
+
+optional_policy(`
+ dbus_system_bus_client(podsleuth_t)
-mono_exec(podsleuth_t)
+ optional_policy(`
+ hal_dbus_chat(podsleuth_t)
+ ')
+')
-hal_dbus_chat(podsleuth_t)
+optional_policy(`
+ mono_exec(podsleuth_t)
+')