diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
index 5220c9d..05f7296 100644
--- a/policy/modules/services/corosync.if
+++ b/policy/modules/services/corosync.if
@@ -18,6 +18,25 @@ interface(`corosync_domtrans',`
domtrans_pattern($1, corosync_exec_t, corosync_t)
')
+######################################
+##
+## Execute corosync in the caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`corosync_exec',`
+ gen_require(`
+ type corosync_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, corosync_exec_t)
+')
+
#######################################
##
## Allow the specified domain to read corosync's log files.
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
index fdb0dcb..ed9dd2f 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -117,6 +117,7 @@ optional_policy(`
rhcs_rw_cluster_shm(corosync_t)
rhcs_rw_cluster_semaphores(corosync_t)
rhcs_stream_connect_cluster(corosync_t)
+ rhcs_read_cluster_lib_files(corosync_t)
')
optional_policy(`
diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
index b19961e..a8676c7 100644
--- a/policy/modules/services/rhcs.fc
+++ b/policy/modules/services/rhcs.fc
@@ -10,6 +10,7 @@
/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+/var/log/cluster/.*\.*log <>
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
index 6928301..d8b97c2 100644
--- a/policy/modules/services/rhcs.if
+++ b/policy/modules/services/rhcs.if
@@ -434,3 +434,22 @@ interface(`rhcs_read_qdiskd_tmpfs_files',`
allow $1 qdiskd_tmpfs_t:file read_file_perms;
')
+
+######################################
+##
+## Allow domain to read cluster lib files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_read_cluster_lib_files',`
+ gen_require(`
+ type cluster_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
index 68f2b99..1ebc84d 100644
--- a/policy/modules/services/rhcs.te
+++ b/policy/modules/services/rhcs.te
@@ -35,6 +35,10 @@ rhcs_domain_template(qdiskd)
type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)
+# type for cluster lib files
+type cluster_var_lib_t;
+files_type(cluster_var_lib_t)
+
#####################################
#
# dlm_controld local policy
@@ -105,6 +109,11 @@ tunable_policy(`fenced_can_network_connect',`
corenet_tcp_connect_all_ports(fenced_t)
')
+# needed by fence_scsi
+optional_policy(`
+ corosync_exec(fenced_t)
+')
+
optional_policy(`
ccs_read_config(fenced_t)
')
@@ -223,6 +232,9 @@ allow cluster_domain self:fifo_file rw_fifo_file_perms;
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
allow cluster_domain self:unix_dgram_socket create_socket_perms;
+manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
+manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
+
logging_send_syslog_msg(cluster_domain)
miscfiles_read_localization(cluster_domain)