diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc
index 60b26f4..bdf8c89 100644
--- a/policy/modules/services/oddjob.fc
+++ b/policy/modules/services/oddjob.fc
@@ -1,4 +1,4 @@
-/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if
index 9bac058..6433998 100644
--- a/policy/modules/services/oddjob.if
+++ b/policy/modules/services/oddjob.if
@@ -84,3 +84,28 @@ interface(`oddjob_domtrans_mkhomedir',`
domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
')
+
+########################################
+##
+## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`oddjob_run_mkhomedir',`
+ gen_require(`
+ type oddjob_mkhomedir_t;
+ ')
+
+ oddjob_domtrans_mkhomedir($1)
+ role $2 types oddjob_mkhomedir_t;
+')
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index 44f5971..258802a 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -1,5 +1,5 @@
-policy_module(oddjob, 1.6.0)
+policy_module(oddjob, 1.6.1)
########################################
#
@@ -10,18 +10,25 @@ type oddjob_t;
type oddjob_exec_t;
domain_type(oddjob_t)
init_daemon_domain(oddjob_t, oddjob_exec_t)
+domain_obj_id_change_exemption(oddjob_t)
+domain_role_change_exemption(oddjob_t)
domain_subj_id_change_exemption(oddjob_t)
type oddjob_mkhomedir_t;
type oddjob_mkhomedir_exec_t;
domain_type(oddjob_mkhomedir_t)
-init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+domain_obj_id_change_exemption(oddjob_mkhomedir_t)
+init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
# pid files
type oddjob_var_run_t;
files_pid_file(oddjob_var_run_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
+')
+
########################################
#
# oddjob local policy
@@ -65,13 +72,32 @@ optional_policy(`
# oddjob_mkhomedir local policy
#
+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:process setfscreate;
allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+kernel_read_system_state(oddjob_mkhomedir_t)
+
files_read_etc_files(oddjob_mkhomedir_t)
+auth_use_nsswitch(oddjob_mkhomedir_t)
+
+logging_send_syslog_msg(oddjob_mkhomedir_t)
+
miscfiles_read_localization(oddjob_mkhomedir_t)
+selinux_get_fs_mount(oddjob_mkhomedir_t)
+selinux_validate_context(oddjob_mkhomedir_t)
+selinux_compute_access_vector(oddjob_mkhomedir_t)
+selinux_compute_create_context(oddjob_mkhomedir_t)
+selinux_compute_relabel_context(oddjob_mkhomedir_t)
+selinux_compute_user_contexts(oddjob_mkhomedir_t)
+
+seutil_read_config(oddjob_mkhomedir_t)
+seutil_read_file_contexts(oddjob_mkhomedir_t)
+seutil_read_default_contexts(oddjob_mkhomedir_t)
+
# Add/remove user home directories
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)