diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 0ab624a..7e934e3 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -4,6 +4,7 @@ * Rename inetd connect interface for consistency. * Misc. cleanups. * Added policies: + acct mysql 20050802 (2 Aug 2005) diff --git a/refpolicy/policy/modules/admin/acct.fc b/refpolicy/policy/modules/admin/acct.fc new file mode 100644 index 0000000..4edd465 --- /dev/null +++ b/refpolicy/policy/modules/admin/acct.fc @@ -0,0 +1,8 @@ + +/etc/cron\.(daily|monthly)/acct -- context_template(system_u:object_r:acct_exec_t,s0) + +/sbin/accton -- context_template(system_u:object_r:acct_exec_t,s0) + +/usr/sbin/accton -- context_template(system_u:object_r:acct_exec_t,s0) + +/var/account(/.*)? context_template(system_u:object_r:acct_data_t,s0) diff --git a/refpolicy/policy/modules/admin/acct.if b/refpolicy/policy/modules/admin/acct.if new file mode 100644 index 0000000..fe69889 --- /dev/null +++ b/refpolicy/policy/modules/admin/acct.if 
@@ -0,0 +1,84 @@
+## Berkeley process accounting
+
+########################################
+##
+## Transition to the accounting management domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`acct_domtrans',`
+ gen_require(`
+ type acct_t, acct_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,acct_exec_t,acct_t)
+
+ allow $1 acct_t:fd use;
+ allow acct_t $1:fd use;
+ allow acct_t $1:fifo_file rw_file_perms;
+ allow acct_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute accounting management tools in the caller domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`acct_exec',`
+ gen_require(`
+ type acct_exec_t;
+ ')
+
+ corecmd_search_sbin($1)
+ can_exec($1,acct_exec_t)
+')
+
+########################################
+##
+## Execute accounting management data in the caller domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+# cjp: this is added for logrotate, and does
+# not make sense to me.
+interface(`acct_exec_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ files_search_var($1)
+ can_exec($1,acct_data_t)
+')
+
+########################################
+##
+## Create, read, write, and delete process accounting data.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`acct_manage_data',`
+ gen_require(`
+ type acct_data_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ class lnk_file create_lnk_perms;
+ ')
+
+ files_search_var($1)
+ allow $1 acct_data_t:dir rw_dir_perms;
+ allow $1 acct_data_t:file create_file_perms;
+ allow $1 acct_data_t:lnk_file create_lnk_perms;
+')
diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
new file mode 100644
index 0000000..c8098d7
--- /dev/null
+++ b/refpolicy/policy/modules/admin/acct.te
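Review bot: `acct_exec_data` grants `can_exec($1,acct_data_t)` on the same type that `acct_manage_data` lets a caller create and write, so any domain given both (the logrotate.te hunk later in this commit does exactly that for `logrotate_t`) ends up with a type it can both write and execute in its own domain. The in-line remark `# cjp: this is added for logrotate, and does not make sense to me.` shows the need was never established; I would leave the interface out until an AVC denial shows what logrotate actually executes under /var/account, or at least record the reason next to it, e.g. `# NOTE: execute on a writable data type; keep only while <denial reference> is reproducible`. Separately, the parameter text of `acct_domtrans` reads `Domain allowed access.` while the other three interfaces use `The type of the process performing this action.`; one wording should be used throughout.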
@@ -0,0 +1,98 @@
+
+policy_module(acct,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type acct_t;
+type acct_exec_t;
+init_daemon_domain(acct_t,acct_exec_t)
+
+type acct_data_t;
+files_type(acct_data_t)
+
+########################################
+#
+# Local Policy
+#
+
+# gzip needs chown capability for some reason
+allow acct_t self:capability { sys_pacct chown fsetid };
+# not sure why we need kill, the command "last" is reported as using it
+dontaudit acct_t self:capability { kill sys_tty_config };
+
+allow acct_t self:fifo_file { read write getattr };
+allow acct_t self:process signal_perms;
+
+allow acct_t acct_data_t:dir rw_dir_perms;
+allow acct_t acct_data_t:file create_file_perms;
+allow acct_t acct_data_t:lnk_file create_lnk_perms;
+
+can_exec(acct_t,acct_exec_t)
+
+kernel_list_proc(acct_t)
+kernel_read_system_state(acct_t)
+kernel_read_kernel_sysctl(acct_t)
+
+dev_read_sysfs(acct_t)
+# for SSP
+dev_read_urand(acct_t)
+
+fs_search_auto_mountpoints(acct_t)
+fs_getattr_xattr_fs(acct_t)
+
+term_dontaudit_use_console(acct_t)
+
+corecmd_exec_bin(acct_t)
+corecmd_exec_shell(acct_t)
+
+domain_use_wide_inherit_fd(acct_t)
+
+files_read_etc_files(acct_t)
+files_read_etc_runtime_files(acct_t)
+# for nscd
+files_dontaudit_getattr_pid_dir(acct_t)
+
+init_use_fd(acct_t)
+init_use_script_pty(acct_t)
+init_exec_script(acct_t)
+
+libs_use_ld_so(acct_t)
+libs_use_shared_libs(acct_t)
+
+logging_send_syslog_msg(acct_t)
+
+miscfiles_read_localization(acct_t)
+
+userdom_dontaudit_search_sysadm_home_dir(acct_t)
+userdom_dontaudit_use_unpriv_user_fd(acct_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(acct_t)
+ term_dontaudit_use_generic_pty(acct_t)
+ files_dontaudit_read_root_file(acct_t)
+')
+
+optional_policy(`cron.te',`
+ optional_policy(`authlogin.te',`
+ # for monthly cron job
+ auth_create_login_records(acct_t)
+ auth_manage_login_records(acct_t)
+ ')
+
+ cron_system_entry(acct_t,acct_exec_t)
+')
+
+optional_policy(`rhgb.te',` + rhgb_domain(acct_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(acct_t) +') + +optional_policy(`udev.te', ` + udev_read_db(acct_t) +') diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index 16b8130..c11e1a4 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -113,6 +113,12 @@ ifdef(`distro_debian', ` can_exec(logrotate_t, logrotate_exec_t) ') +optional_policy(`acct.te',` + acct_domtrans(logrotate_t) + acct_manage_data(logrotate_t) + acct_exec_data(logrotate_t) +') + optional_policy(`consoletype.te',` consoletype_exec(logrotate_t) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 9cc216e..cc296e6 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -671,6 +671,18 @@ interface(`auth_rw_login_records',` ####################################### # +# auth_create_login_records(domain) +# +interface(`auth_create_login_records',` + gen_require(` + type wtmp_t; + ') + + logging_create_log($1,wtmp_t,file) +') + +####################################### +# # auth_manage_login_records(domain) # interface(`auth_manage_login_records',`
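Review bot: In acct.te the rule `allow acct_t self:capability { sys_pacct chown fsetid };` near the top of the Local Policy section is justified only by `# gzip needs chown capability for some reason`, and since `corecmd_exec_bin(acct_t)` and `corecmd_exec_shell(acct_t)` presumably run those programs without a domain transition, `chown` and `fsetid` would be held by every helper the cron job starts, not only by accton. I would keep `sys_pacct` in its own rule and put `chown fsetid` in a second one whose comment names the denial that required it, e.g. `# chown/fsetid: gzip copying owner and mode onto compressed pacct files (confirm with AVC)`. The same applies to `dontaudit acct_t self:capability { kill sys_tty_config };`: its comment says the reason is unknown, and a dontaudit removes the audit records needed to find out, so it is worth leaving audited until the source of the `kill` request is understood.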
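Review bot: The new `auth_create_login_records` interface in authlogin.if is documented only by the banner `# auth_create_login_records(domain)`, so a caller cannot tell how it differs from `auth_manage_login_records`, and acct.te in this commit calls both back to back. A one-line comment above the interface would settle that, for example `# Create the login records file (wtmp_t) in the log directory; creation only, see auth_manage_login_records for full management.` The exact semantics depend on `logging_create_log`, which is not visible here, so that wording should be checked against the macro before it is committed. The acct.if file added in the same commit uses `##` summary and parameter comments, and the new interface could follow that form.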