++##
++## Allow sge to access nfs file systems.
++##
++##
++gen_tunable(sge_use_nfs, false)
++
++attribute sge_domain;
++
++type sge_execd_t, sge_domain;
++type sge_execd_exec_t;
++init_daemon_domain(sge_execd_t, sge_execd_exec_t)
++
++type sge_spool_t;
++files_type(sge_spool_t)
++
++type sge_tmp_t;
++files_tmp_file(sge_tmp_t)
++
++type sge_shepherd_t, sge_domain;
++type sge_shepherd_exec_t;
++application_domain(sge_shepherd_t, sge_shepherd_exec_t)
++role system_r types sge_shepherd_t;
++
++type sge_job_t, sge_domain;
++type sge_job_exec_t;
++application_domain(sge_job_t, sge_job_exec_t)
++corecmd_shell_entry_type(sge_job_t)
++role system_r types sge_job_t;
++
++#######################################
++#
++# sge_execd local policy
++#
++
++allow sge_execd_t self:capability { dac_override setuid chown setgid };
++allow sge_execd_t self:process { setsched signal setpgid };
++
++allow sge_execd_t sge_shepherd_t:process signal;
++
++kernel_read_kernel_sysctls(sge_execd_t)
++
++dev_read_sysfs(sge_execd_t)
++
++files_exec_usr_files(sge_execd_t)
++files_search_spool(sge_execd_t)
++
++init_read_utmp(sge_execd_t)
++
++######################################
++#
++# sge_shepherd local policy
++#
++
++allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_override };
++allow sge_shepherd_t self:process signal_perms;
++
++domtrans_pattern(sge_execd_t, sge_shepherd_exec_t, sge_shepherd_t)
++
++kernel_read_sysctl(sge_shepherd_t)
++kernel_read_kernel_sysctls(sge_shepherd_t)
++
++dev_read_sysfs(sge_shepherd_t)
++
++fs_getattr_all_fs(sge_shepherd_t)
++
++optional_policy(`
++ mta_send_mail(sge_shepherd_t)
++')
++
++#####################################
++#
++# sge_job local policy
++#
++
++allow sge_shepherd_t sge_job_t:process signal_perms;
++
++corecmd_shell_domtrans(sge_shepherd_t, sge_job_t)
++
++kernel_read_kernel_sysctls(sge_job_t)
++
++term_use_all_terms(sge_job_t)
++
++optional_policy(`
++ ssh_basic_client_template(sge_job, sge_job_t, system_r)
++ ssh_domtrans(sge_job_t)
++
++ allow sge_job_t sge_job_ssh_t:process sigkill;
++
++ xserver_exec_xauth(sge_job_ssh_t)
++
++ tunable_policy(`sge_use_nfs',`
++ fs_list_auto_mountpoints(sge_job_ssh_t)
++ fs_manage_nfs_dirs(sge_job_ssh_t)
++ fs_manage_nfs_files(sge_job_ssh_t)
++ fs_read_nfs_symlinks(sge_job_ssh_t)
++ ')
++ ')
++
++optional_policy(`
++ xserver_domtrans_xauth(sge_job_t)
++')
++
++optional_policy(`
++ unconfined_domain(sge_job_t)
++')
++
++#####################################
++#
++# sge_domain local policy
++#
++
++allow sge_domain self:fifo_file rw_fifo_file_perms;
++allow sge_domain self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(sge_domain, sge_spool_t, sge_spool_t)
++manage_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
++manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
++
++manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
++manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
++files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir })
++
++kernel_read_network_state(sge_domain)
++kernel_read_system_state(sge_domain)
++
++corecmd_exec_bin(sge_domain)
++corecmd_exec_shell(sge_domain)
++
++domain_read_all_domains_state(sge_domain)
++
++files_read_etc_files(sge_domain)
++files_read_usr_files(sge_domain)
++
++dev_read_urand(sge_domain)
++
++logging_send_syslog_msg(sge_domain)
++
++miscfiles_read_localization(sge_domain)
++
++tunable_policy(`sge_use_nfs',`
++ fs_list_auto_mountpoints(sge_domain)
++ fs_manage_nfs_dirs(sge_domain)
++ fs_manage_nfs_files(sge_domain)
++ fs_read_nfs_symlinks(sge_domain)
++ fs_exec_nfs_files(sge_domain)
++')
++
++optional_policy(`
++ sysnet_dns_name_resolve(sge_domain)
++')
++
++optional_policy(`
++ hostname_exec(sge_domain)
++')
++
++optional_policy(`
++ nslcd_stream_connect(sge_domain)
++')
diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te
index e5e72fd..92eecec 100644
--- a/policy/modules/services/slrnpull.te
@@ -61833,7 +62311,7 @@ index adea9f9..145adbd 100644
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 606a098..5e4d100 100644
+index 606a098..441f753 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -35,7 +35,7 @@ ifdef(`enable_mls',`
@@ -61845,7 +62323,15 @@ index 606a098..5e4d100 100644
dontaudit fsdaemon_t self:capability sys_tty_config;
allow fsdaemon_t self:process { getcap setcap signal_perms };
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
-@@ -73,19 +73,28 @@ files_read_etc_runtime_files(fsdaemon_t)
+@@ -52,6 +52,7 @@ manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t)
+ files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file)
+
+ kernel_read_kernel_sysctls(fsdaemon_t)
++kernel_read_network_state(fsdaemon_t)
+ kernel_read_software_raid_state(fsdaemon_t)
+ kernel_read_system_state(fsdaemon_t)
+
+@@ -73,19 +74,30 @@ files_read_etc_runtime_files(fsdaemon_t)
files_read_usr_files(fsdaemon_t)
# for config
files_read_etc_files(fsdaemon_t)
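Review bot: `kernel_read_network_state(fsdaemon_t)` is added with no comment saying why a disk-health daemon needs to read network state, although neighbouring rules in the same file carry one (`# for config`). The same gap applies to `auth_read_passwd(fsdaemon_t)` in the next hunk (`@@ -61869,6 +62355,8 @@`). Both grants look read-only, so the exposure is small, but an allow rule with no recorded reason is hard to audit or prune later. I would put a one-line rationale above each, for example `# smartd reads /proc/net (AVC: <BUG-ID>)` and `# user lookup for notifications (AVC: <BUG-ID>)`; both reasons are guesses, to be replaced with the denial that actually prompted the rule. The rest of the fsdaemon_t policy lies outside these hunks, so I cannot tell whether an existing interface already covers either access.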
@@ -61869,6 +62355,8 @@ index 606a098..5e4d100 100644
+application_signull(fsdaemon_t)
+
++auth_read_passwd(fsdaemon_t)
++
+init_read_utmp(fsdaemon_t)
+
libs_exec_ld_so(fsdaemon_t)
@@ -62042,7 +62530,7 @@ index 275f9fb..f1343b7 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..035a27f 100644
+index 3d8d1b3..f4d9c37 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -62132,6 +62620,17 @@ index 3d8d1b3..035a27f 100644
optional_policy(`
rpm_read_db(snmpd_t)
rpm_dontaudit_manage_db(snmpd_t)
+@@ -140,6 +147,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ ricci_stream_connect_modclusterd(snmpd_t)
++')
++
++optional_policy(`
+ rpc_search_nfs_state_data(snmpd_t)
+ ')
+
diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
index c117e8b..e428bb9 100644
--- a/policy/modules/services/snort.if
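Review bot: The new `ricci_stream_connect_modclusterd(snmpd_t)` block gives snmpd, normally a network-reachable daemon, an IPC path into another service's domain, and nothing in the hunk records which snmpd component needs it. Judging by the interface name, this is a stream-socket connection to modclusterd, so it is a wider grant than the read-only interfaces around it. Wrapping it in `optional_policy` is right, and a comment inside the block would make the grant reviewable, for example `# cluster SNMP agent queries modclusterd (AVC: <BUG-ID>)`; the stated reason is presumed and should be confirmed against the triggering denial. The remaining snmpd_t rules are outside the hunk.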
@@ -67810,7 +68309,7 @@ index 4966c94..cb2e1a3 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..51e7627 100644
+index 130ced9..86143cf 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -68110,10 +68609,30 @@ index 130ced9..51e7627 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -549,6 +606,24 @@ interface(`xserver_domtrans_xauth',`
+@@ -547,6 +604,42 @@ interface(`xserver_domtrans_xauth',`
+ domtrans_pattern($1, xauth_exec_t, xauth_t)
+ ')
- ########################################
- ##