diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc
index f2b7dbf..2aad570 100644
--- a/policy/modules/services/sssd.fc
+++ b/policy/modules/services/sssd.fc
@@ -1,6 +1,9 @@
-/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
+/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
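Review bot: The added `/var/log/sssd(/.*)?` entry labels the log tree `sssd_var_lib_t` instead of the `sssd_var_log_t` type this same commit declares in sssd.te, so restorecon never applies the new log type and the `manage_files_pattern`/`logging_log_filetrans` rules on `sssd_var_log_t` become dead policy while log files created under the directory simply inherit `sssd_var_lib_t`. Change the line to `/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)`. Keeping logs on a `logging_log_file` type rather than a generic `files_type` also matters because the logging module's read/rotate interfaces are scoped to log types, not var_lib types. The dot-escaping fix on the init-script path is correct and unrelated.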
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 62d8b99..47913d6 100644
--- a/policy/modules/services/sssd.if
+++ b/policy/modules/services/sssd.if
@@ -20,6 +20,24 @@ interface(`sssd_domtrans',`
########################################
##
+## Execute sssd server in the sssd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sssd_initrc_domtrans',`
+ gen_require(`
+ type sssd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, sssd_initrc_exec_t)
+')
+
+########################################
+##
## Read sssd PID files.
##
##
@@ -156,7 +174,7 @@ interface(`sssd_stream_connect',`
########################################
##
-## All of the rules required to administrate
+## All of the rules required to administrate
## an sssd environment
##
##
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
index 59777c9..059bb6f 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -1,5 +1,5 @@
-policy_module(sssd, 1.0.0)
+policy_module(sssd, 1.0.1)
########################################
#
@@ -16,6 +16,9 @@ init_script_file(sssd_initrc_exec_t)
type sssd_var_lib_t;
files_type(sssd_var_lib_t)
+type sssd_var_log_t;
+logging_log_file(sssd_var_log_t)
+
type sssd_var_run_t;
files_pid_file(sssd_var_run_t)
@@ -23,7 +26,7 @@ files_pid_file(sssd_var_run_t)
#
# sssd local policy
#
-allow sssd_t self:capability { sys_nice setuid };
+allow sssd_t self:capability { sys_nice setgid setuid };
allow sssd_t self:process { setsched signal getsched };
allow sssd_t self:fifo_file rw_file_perms;
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
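Review bot: `setgid` is added to the sssd_t capability set on the changed allow line with nothing recording why it is needed; together with the existing `setuid` this lets the daemon assume any uid/gid, so the grant deserves a justification a later auditor can check against the motivating AVC denial. A one-line comment above the rule such as `# setuid/setgid: sssd drops to its unprivileged service user/group for child processes (see denial in commit)` would do, wording to be confirmed from the actual denial since this diff does not show it. If the denial came from a helper sssd spawns rather than sssd itself, giving that helper its own domain would be preferable to widening sssd_t.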
@@ -33,6 +36,9 @@ manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+logging_log_filetrans(sssd_t, sssd_var_log_t, file)
+
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
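Review bot: The new log rules never let sssd_t create or label the `/var/log/sssd` directory itself: `manage_files_pattern` grants rw_dir_perms on existing `sssd_var_log_t` directories and the `logging_log_filetrans` covers only `file`, so a directory sssd creates under /var/log would be left as `var_log_t` (or whatever the .fc assigns after relabel) and files created inside it would inherit that type rather than `sssd_var_log_t`. Add `manage_dirs_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)` and widen the transition to `logging_log_filetrans(sssd_t, sssd_var_log_t, { file dir })`, matching the `{ file dir }` form the adjacent var_lib and pid rules already use. Whether sssd creates that directory at runtime or expects it from packaging is not visible here, but the `(/.*)?` pattern in the .fc indicates a directory tree is intended.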
@@ -47,6 +53,8 @@ files_list_tmp(sssd_t)
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
+fs_list_inotifyfs(sssd_t)
+
auth_use_nsswitch(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)