diff --git a/cinder.te b/cinder.te index 488a7a659..a05691d8f 100644 --- a/cinder.te +++ b/cinder.te @@ -159,6 +159,8 @@ kernel_read_kernel_sysctls(cinder_volume_t) logging_send_syslog_msg(cinder_volume_t) +systemd_dbus_chat_logind(cinder_volume_t) + optional_policy(` lvm_domtrans(cinder_volume_t) ') diff --git a/ganesha.fc b/ganesha.fc new file mode 100644 index 000000000..c723bfb97 --- /dev/null +++ b/ganesha.fc @@ -0,0 +1,12 @@ +/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0) + +/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) + +/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) + +/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) + +/var/log/ganesha.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0) +/var/log/ganesha-gfapi.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0) + +/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0) diff --git a/ganesha.if b/ganesha.if new file mode 100644 index 000000000..4c347e5cc --- /dev/null +++ b/ganesha.if 
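Review bot: The new `systemd_dbus_chat_logind(cinder_volume_t)` grants two-way dbus messaging between cinder-volume and logind, and nothing in the hunk records which cinder-volume operation needs to talk to logind, so a later reviewer cannot tell whether the grant is still required. A one-line comment above it would fix that: `# cinder-volume exchanges dbus messages with systemd-logind (TODO: name the operation that triggers this)`. The `lvm_domtrans` call below is wrapped in `optional_policy` while this call is not; that is fine if systemd is a base module in this tree, but worth a glance.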
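Review bot: `/usr/bin/ganesha.nfsd`, `/var/log/ganesha.log.*` and `/var/log/ganesha-gfapi.log.*` leave the dot unescaped, so the regex matches any character in that position; the entry this commit deletes from rpc.fc (hunk on L12) had it escaped, and the same form should be kept here, e.g. `/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0)`. The glusterd.fc hunk on L9 also drops the directory entry `/var/log/ganesha(/.*)?`, and no ganesha_var_log_t replacement for it appears in this file, so a `/var/log/ganesha/` directory would presumably take the generic log label on a relabel; if ganesha still writes there, add `/var/log/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_log_t,s0)`.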
@@ -0,0 +1,146 @@
+## policy for ganesha
+
+########################################
+##
+## Execute ganesha_exec_t in the ganesha domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ganesha_domtrans',`
+ gen_require(`
+ type ganesha_t, ganesha_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ganesha_exec_t, ganesha_t)
+')
+
+######################################
+##
+## Execute ganesha in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ganesha_exec',`
+ gen_require(`
+ type ganesha_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ganesha_exec_t)
+')
+########################################
+##
+## Read ganesha PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ganesha_read_pid_files',`
+ gen_require(`
+ type ganesha_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t)
+')
+
+########################################
+##
+## Execute ganesha server in the ganesha domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ganesha_systemctl',`
+ gen_require(`
+ type ganesha_t;
+ type ganesha_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 ganesha_unit_file_t:file read_file_perms;
+ allow $1 ganesha_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ganesha_t)
+')
+
+
+########################################
+##
+## Send and receive messages from
+## ganesha over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ganesha_dbus_chat',`
+ gen_require(`
+ type ganesha_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ganesha_t:dbus send_msg;
+ allow ganesha_t $1:dbus send_msg;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ganesha environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`ganesha_admin',`
+ gen_require(`
+ type ganesha_t;
+ type ganesha_var_run_t;
+ type ganesha_unit_file_t;
+ ')
+
+ allow $1 ganesha_t:process { signal_perms };
+ ps_process_pattern($1, ganesha_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ganesha_t:process ptrace;
+ ')
+
+ files_search_pids($1)
+ admin_pattern($1, ganesha_var_run_t)
+
+ ganesha_systemctl($1)
+ admin_pattern($1, ganesha_unit_file_t)
+ allow $1 ganesha_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/ganesha.te b/ganesha.te
new file mode 100644
index 000000000..f25a3f34d
--- /dev/null
+++ b/ganesha.te
@@ -0,0 +1,111 @@
+policy_module(ganesha, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
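Review bot: The doc block of `ganesha_systemctl` is copied from `ganesha_domtrans`: its summary reads `Execute ganesha server in the ganesha domain.` and its parameter reads `Domain allowed to transition.`, yet the body only grants systemctl execution, unit-file reading, service management and ps access to ganesha_t, with no domain transition. Suggest `## Execute systemctl in the caller domain to manage the ganesha service.` for the summary and `## Domain allowed access.` for the parameter, matching the other interfaces in the file. Minor style: `ganesha_exec` is the only interface whose closing `')` is not followed by a blank line before the next banner.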

+## Allow ganesha to read/write fuse files
+##

+##
+gen_tunable(ganesha_use_fusefs, false)
+
+type ganesha_t;
+type ganesha_exec_t;
+init_daemon_domain(ganesha_t, ganesha_exec_t)
+
+type ganesha_var_log_t;
+logging_log_file(ganesha_var_log_t)
+
+type ganesha_var_run_t;
+files_pid_file(ganesha_var_run_t)
+
+type ganesha_tmp_t;
+files_tmp_file(ganesha_tmp_t)
+
+type ganesha_unit_file_t;
+systemd_unit_file(ganesha_unit_file_t)
+
+########################################
+#
+# ganesha local policy
+#
+dontaudit ganesha_t self:capability net_admin;
+
+allow ganesha_t self:capability { dac_read_search dac_override };
+allow ganesha_t self:capability2 block_suspend;
+allow ganesha_t self:process { setcap setrlimit };
+allow ganesha_t self:fifo_file rw_fifo_file_perms;
+allow ganesha_t self:unix_stream_socket create_stream_socket_perms;
+allow ganesha_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
+manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
+manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
+files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file })
+
+manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
+manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
+logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir })
+
+manage_dirs_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
+manage_files_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
+files_tmp_filetrans(ganesha_t, ganesha_tmp_t, { file dir })
+
+kernel_read_system_state(ganesha_t)
+kernel_search_network_sysctl(ganesha_t)
+kernel_read_net_sysctls(ganesha_t)
+
+auth_use_nsswitch(ganesha_t)
+
+corenet_tcp_bind_nfs_port(ganesha_t)
+corenet_tcp_connect_generic_port(ganesha_t)
+corenet_tcp_connect_gluster_port(ganesha_t)
+corenet_udp_bind_dey_keyneg_port(ganesha_t)
+corenet_tcp_bind_dey_keyneg_port(ganesha_t)
+corenet_udp_bind_nfs_port(ganesha_t)
+corenet_udp_bind_all_rpc_ports(ganesha_t)
+corenet_tcp_bind_all_rpc_ports(ganesha_t)
+corenet_tcp_bind_mountd_port(ganesha_t)
+corenet_udp_bind_mountd_port(ganesha_t)
+corenet_tcp_connect_virt_migration_port(ganesha_t)
+corenet_tcp_connect_all_rpc_ports(ganesha_t)
+
+dev_rw_infiniband_dev(ganesha_t)
+dev_read_gpfs(ganesha_t)
+dev_read_rand(ganesha_t)
+
+logging_send_syslog_msg(ganesha_t)
+
+sysnet_dns_name_resolve(ganesha_t)
+
+optional_policy(`
+ dbus_system_bus_client(ganesha_t)
+ dbus_connect_system_bus(ganesha_t)
+ unconfined_dbus_chat(ganesha_t)
+')
+
+optional_policy(`
+ glusterd_read_conf(ganesha_t)
+ glusterd_read_lib_files(ganesha_t)
+ glusterd_manage_pid(ganesha_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(ganesha_t)
+')
+
+optional_policy(`
+ rpc_manage_nfs_state_data_dir(ganesha_t)
+ rpc_read_nfs_state_data(ganesha_t)
+ rpcbind_stream_connect(ganesha_t)
+')
+
+tunable_policy(`ganesha_use_fusefs',`
+ fs_manage_fusefs_dirs(ganesha_t)
+ fs_manage_fusefs_files(ganesha_t)
+ fs_read_fusefs_symlinks(ganesha_t)
+ fs_getattr_fusefs(ganesha_t)
+')
diff --git a/glusterd.fc b/glusterd.fc
index e42e81f5f..9806f50ae 100644
--- a/glusterd.fc
+++ b/glusterd.fc
@@ -23,8 +23,3 @@
 /var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
 /var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
 /var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0)
-
-/var/log/ganesha(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
-/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
-/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
-
diff --git a/glusterd.if b/glusterd.if
index a62e355ac..291191f17 100644
--- a/glusterd.if
+++ b/glusterd.if
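Review bot: `unconfined_dbus_chat(ganesha_t)` shares an `optional_policy` block with `dbus_system_bus_client` and `dbus_connect_system_bus`, and as far as I can tell an optional block is dropped as a whole when any of its required types is missing, so on a build without the unconfined module ganesha would also lose its system-bus client rules. Give it its own block: `optional_policy(\``, `unconfined_dbus_chat(ganesha_t)`, `')`. Separately, `corenet_tcp_connect_generic_port` and `corenet_tcp_connect_virt_migration_port` are wide outbound grants with no comment naming what ganesha connects to; a short `# why` line above each would make them reviewable later.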
@@ -135,7 +135,6 @@ interface(`glusterd_manage_log',` manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t) manage_files_pattern($1, glusterd_log_t, glusterd_log_t) manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t) - logging_log_named_filetrans($1, glusterd_log_t, file, "ganesha.log") ') ###################################### diff --git a/glusterd.te b/glusterd.te index 7804cbaf4..2bcedd014 100644 --- a/glusterd.te +++ b/glusterd.te @@ -64,8 +64,6 @@ files_type(glusterd_var_lib_t) type glusterd_brick_t; files_type(glusterd_brick_t) -typealias glusterd_log_t alias ganesha_var_log_t; - ######################################## # # Local policy @@ -270,6 +268,11 @@ optional_policy(` ') ') +optional_policy(` + ganesha_systemctl(glusterd_t) + ganesha_dbus_chat(glusterd_t) +') + optional_policy(` hostname_exec(glusterd_t) ') @@ -310,8 +313,8 @@ optional_policy(` optional_policy(` rpc_systemctl_nfsd(glusterd_t) rpc_systemctl_rpcd(glusterd_t) + rpc_domtrans_nfsd(glusterd_t) - rpc_dbus_chat_nfsd(glusterd_t) rpc_domtrans_rpcd(glusterd_t) rpc_manage_nfs_state_data(glusterd_t) rpc_manage_nfs_state_data_dir(glusterd_t) diff --git a/modemmanager.te b/modemmanager.te index 5a177cd5a..c7fd00ea0 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -29,7 +29,7 @@ kernel_read_system_state(modemmanager_t) corecmd_exec_bin(modemmanager_t) -dev_read_sysfs(modemmanager_t) +dev_rw_sysfs(modemmanager_t) dev_read_urand(modemmanager_t) dev_rw_modem(modemmanager_t) diff --git a/nagios.te b/nagios.te index a5e1cfda8..02b65a000 100644 --- a/nagios.te +++ b/nagios.te @@ -115,7 +115,7 @@ userdom_use_inherited_user_ttys(nagios_plugin_domain) # Nagios local policy # -allow nagios_t self:capability { dac_read_search dac_override setgid setuid }; +allow nagios_t self:capability { chown dac_read_search dac_override setgid setuid }; dontaudit nagios_t self:capability sys_tty_config; allow nagios_t self:process { setpgid signal_perms }; allow nagios_t self:fifo_file rw_fifo_file_perms; 
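Review bot: In the third glusterd.te hunk `rpc_domtrans_nfsd(glusterd_t)` is added where `rpc_dbus_chat_nfsd(glusterd_t)` is removed, but the two are not equivalent: the removed line only allowed dbus messaging with nfsd_t (which, before this commit, was an alias of ganesha_t), while the added one lets glusterd_t execute the nfsd binary and transition into nfsd_t. If the goal is only to keep talking to ganesha, the `ganesha_dbus_chat(glusterd_t)` block added in the second hunk already covers it and the domtrans may be unnecessary; if glusterd really does run rpc.nfsd, say so above the line, e.g. `# glusterd invokes rpc.nfsd (TODO: name the code path)`. The enclosing optional_policy block ends outside the hunk.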
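Review bot: Replacing `dev_read_sysfs(modemmanager_t)` with `dev_rw_sysfs(modemmanager_t)` gives ModemManager write access to sysfs as a whole, not only to the modem attribute that presumably prompted the change, and the hunk does not record which path is written. Add a comment above the line naming it, `# writes <sysfs attribute, TODO fill in from the denial> for modem control`, so the grant can be narrowed if a more specific interface becomes available.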
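Review bot: `chown` is added to the unconditional `allow nagios_t self:capability { ... }` line in this hunk and again inside the `nagios_run_sudo` tunable in the next hunk (@@ -203 on L11); the unconditional rule already covers it, so the tunable copy is redundant and should come out of `allow nagios_t self:capability { chown setuid setgid sys_resource sys_ptrace };` so that the tunable block lists only what the tunable actually adds. If chown is in fact needed only when sudo is enabled, the reverse applies and it should be removed from the unconditional line instead.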
@@ -203,7 +203,7 @@ mta_kill_system_mail(nagios_t) systemd_exec_systemctl(nagios_t) tunable_policy(`nagios_run_sudo',` - allow nagios_t self:capability { setuid setgid sys_resource sys_ptrace }; + allow nagios_t self:capability { chown setuid setgid sys_resource sys_ptrace }; allow nagios_t self:process { setrlimit setsched }; allow nagios_t self:key write; @@ -217,6 +217,9 @@ tunable_policy(`nagios_run_sudo',` selinux_compute_access_vector(nagios_t) + systemd_write_inherited_logind_sessions_pipes(nagios_t) + systemd_dbus_chat_logind(nagios_t) + logging_send_audit_msgs(nagios_t) ') @@ -224,6 +227,10 @@ optional_policy(` apache_systemctl(nagios_t) ') +optional_policy(` + dbus_system_bus_client(nagios_t) +') + optional_policy(` tunable_policy(`nagios_run_sudo',` sudo_exec(nagios_t) @@ -231,6 +238,12 @@ optional_policy(` ') ') +optional_policy(` + tunable_policy(`nagios_run_sudo',` + init_read_utmp(nagios_t) + ') +') + tunable_policy(`nagios_run_pnp4nagios',` allow nagios_t nagios_log_t:file execute; ') @@ -365,6 +378,10 @@ tunable_policy(`nagios_run_sudo',` selinux_compute_access_vector(nrpe_t) + systemd_write_inherited_logind_sessions_pipes(nrpe_t) + systemd_dbus_chat_logind(nrpe_t) + systemd_logind_read_state(nrpe_t) + logging_send_audit_msgs(nrpe_t) ') @@ -375,6 +392,14 @@ optional_policy(` ') ') +optional_policy(` + tunable_policy(`nagios_run_sudo',` + sssd_read_config(nrpe_t) + sssd_manage_lib_files(nrpe_t) + sssd_read_pid_files(nrpe_t) + sssd_signull(nrpe_t) + ') +') tunable_policy(`nagios_use_nfs',` fs_manage_nfs_files(nrpe_t) @@ -382,6 +407,10 @@ tunable_policy(`nagios_use_nfs',` fs_manage_nfs_symlinks(nrpe_t) ') +optional_policy(` + dbus_system_bus_client(nrpe_t) +') + optional_policy(` inetd_tcp_service_domain(nrpe_t, nrpe_exec_t) ') @@ -616,3 +645,7 @@ optional_policy(` optional_policy(` unconfined_domain(nagios_unconfined_plugin_t) ') + +optional_policy(` + systemd_dbus_chat_logind(nagios_unconfined_plugin_t) +') 
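Review bot: The new `optional_policy` block that grants `sssd_read_config`, `sssd_manage_lib_files`, `sssd_read_pid_files` and `sssd_signull` to nrpe_t is not followed by a blank line before `tunable_policy(\`nagios_use_nfs'`, unlike every other block in this file. More importantly, `sssd_manage_lib_files(nrpe_t)` gives a monitoring agent create/write/delete access to sssd_var_lib_t (presumably /var/lib/sss), which is far beyond the read-only grants next to it; if a specific denial during sudo drove this, a comment naming it would help, and a read-only interface may be enough. The `sssd_signull` interface it relies on is the one introduced in the sssd.if hunk on L15.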
diff --git a/nova.te b/nova.te index 2259a5192..af8dd5527 100644 --- a/nova.te +++ b/nova.te @@ -124,6 +124,7 @@ corenet_sendrecv_dns_server_packets(nova_domain) corenet_sendrecv_dhcpd_server_packets(nova_domain) auth_use_nsswitch(nova_t) +auth_use_pam(nova_t) auth_read_passwd(nova_domain) dev_read_sysfs(nova_domain) @@ -132,7 +133,7 @@ dev_read_rand(nova_domain) fs_getattr_all_fs(nova_domain) -init_read_utmp(nova_domain) +init_rw_utmp(nova_domain) libs_exec_ldconfig(nova_domain) diff --git a/rhcs.te b/rhcs.te index 0e8b031bb..c029ccd71 100644 --- a/rhcs.te +++ b/rhcs.te @@ -265,7 +265,7 @@ optional_policy(` ') optional_policy(` - rpc_dbus_chat_nfsd(cluster_t) + ganesha_dbus_chat(cluster_t) ') optional_policy(` diff --git a/rpc.fc b/rpc.fc index b08ec8d2d..38a2f0911 100644 --- a/rpc.fc +++ b/rpc.fc @@ -1,5 +1,3 @@ - - # # /etc # @@ -11,10 +9,6 @@ /usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) /usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0) -/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) -/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) -/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) - # # /sbin # @@ -33,15 +27,12 @@ /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) - # # /var # /var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) /var/run/sm-notify.* gen_context(system_u:object_r:rpcd_var_run_t,s0) -/var/run/ganesha.* gen_context(system_u:object_r:rpcd_var_run_t,s0) /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) 
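Review bot: `init_rw_utmp(nova_domain)` widens utmp access from read to read/write for every domain carrying the nova_domain attribute, while the companion `auth_use_pam(nova_t)` in the first hunk is scoped to nova_t only; if the utmp writes come from the same PAM session handling, the narrower form would be to keep `init_read_utmp(nova_domain)` and add `init_rw_utmp(nova_t)`. A comment naming the nova service that writes utmp would settle which scope is right.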
diff --git a/rpc.if b/rpc.if index 2ee527f2a..79a2a9c48 100644 --- a/rpc.if +++ b/rpc.if @@ -530,24 +530,3 @@ interface(`rpc_gssd_noatsecure',` allow $1 gssd_t:process { noatsecure rlimitinh }; ') - -######################################## -## -## Send and receive messages from -## ganesha over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_dbus_chat_nfsd',` - gen_require(` - type nfsd_t; - class dbus send_msg; - ') - - allow $1 nfsd_t:dbus send_msg; - allow nfsd_t $1:dbus send_msg; -') diff --git a/rpc.te b/rpc.te index f4df4fda2..b9665f773 100644 --- a/rpc.te +++ b/rpc.te @@ -65,13 +65,6 @@ systemd_unit_file(nfsd_unit_file_t) type var_lib_nfs_t; files_mountpoint(var_lib_nfs_t) -type nfsd_tmp_t; -files_tmp_file(nfsd_tmp_t) - -typealias nfsd_t alias ganesha_t; -typealias nfsd_exec_t alias ganesha_exec_t; -typealias nfsd_unit_file_t alias ganesha_unit_file_t; - ######################################## # # Common rpc domain local policy @@ -234,17 +227,8 @@ optional_policy(` allow nfsd_t self:capability { dac_read_search dac_override sys_admin sys_rawio sys_resource }; -allow nfsd_t self:process { setcap }; - allow nfsd_t exports_t:file read_file_perms; -manage_dirs_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t) -manage_files_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t) -files_tmp_filetrans(nfsd_t, nfsd_tmp_t, { file dir }) - -manage_files_pattern(nfsd_t, rpcd_var_run_t, rpcd_var_run_t) -files_pid_filetrans(nfsd_t, rpcd_var_run_t, { file }) - # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) @@ -318,16 +302,6 @@ tunable_policy(`nfs_export_all_ro',` files_read_non_security_files(nfsd_t) ') -optional_policy(` - glusterd_manage_log(nfsd_t) - glusterd_manage_pid(nfsd_t) -') - -optional_policy(` - dbus_system_bus_client(nfsd_t) - dbus_acquire_svc_system_dbusd(nfsd_t) -') - optional_policy(` mount_exec(nfsd_t) mount_manage_pid_files(nfsd_t) 
@@ -357,6 +331,8 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) +domain_manage_all_domains_keyrings(gssd_t) + fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) diff --git a/rpm.te b/rpm.te index 7394a0dfc..4402cbe09 100644 --- a/rpm.te +++ b/rpm.te @@ -34,6 +34,7 @@ logging_log_file(rpm_log_t) type rpm_var_lib_t; files_type(rpm_var_lib_t) +files_mountpoint(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; type rpm_var_cache_t; diff --git a/sbd.te b/sbd.te index 202904c19..d415d2c8a 100644 --- a/sbd.te +++ b/sbd.te @@ -37,6 +37,8 @@ manage_files_pattern(sbd_t, sbd_tmpfs_t, sbd_tmpfs_t) manage_dirs_pattern(sbd_t, sbd_tmpfs_t, sbd_tmpfs_t) fs_tmpfs_filetrans(sbd_t, sbd_tmpfs_t, { file dir }) +auth_use_nsswitch(sbd_t) + kernel_read_system_state(sbd_t) kernel_dgram_send(sbd_t) kernel_rw_kernel_sysctl(sbd_t) diff --git a/snapper.fc b/snapper.fc index 4f4bdb397..0a43846a8 100644 --- a/snapper.fc +++ b/snapper.fc @@ -7,6 +7,7 @@ /mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) /\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) + /usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) /var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) /etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) diff --git a/snapper.te b/snapper.te index 8c9e4a200..5be6d3542 100644 --- a/snapper.te +++ b/snapper.te @@ -22,7 +22,7 @@ files_type(snapperd_data_t) # # snapperd local policy # -allow snapperd_t self:capability { dac_read_search fowner sys_admin }; +allow snapperd_t self:capability { dac_read_search dac_override fowner sys_admin }; allow snapperd_t self:process setsched; allow snapperd_t self:fifo_file rw_fifo_file_perms; 
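Review bot: `domain_manage_all_domains_keyrings(gssd_t)` lets rpc.gssd read, write and link the kernel keyrings of every domain on the system, which is broader than the keyring of the process whose credential it is resolving, and the hunk carries no comment on why the blanket grant is needed. If gssd only has to search or read keys, a narrower domain_*_keyrings interface, if this tree has one, would be preferable; otherwise add `# rpc.gssd manages user keyrings when resolving credentials (TODO: cite the denial)` above it.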
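Review bot: Adding `dac_override` next to `dac_read_search` on `allow snapperd_t self:capability { ... }` is usually a sign the audited denial was for read or search, which dac_read_search already covers; dac_override additionally bypasses DAC for writes. If the denial was genuinely a write to a file snapperd does not own, keep it and say so in a comment above the line, e.g. `# dac_override: writes into non-root-owned snapshot subvolumes`; otherwise it should not be added.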
@@ -57,6 +57,8 @@ files_read_all_files(snapperd_t) files_read_all_symlinks(snapperd_t) files_list_all(snapperd_t) files_manage_isid_type_dirs(snapperd_t) +files_manage_non_security_dirs(snapperd_t) +files_relabel_non_security_files(snapperd_t) fs_getattr_all_fs(snapperd_t) fs_mount_xattr_fs(snapperd_t) diff --git a/sssd.if b/sssd.if index 47530e258..2d4b9b2fa 100644 --- a/sssd.if +++ b/sssd.if @@ -502,6 +502,24 @@ interface(`sssd_rw_inherited_pipes',` allow $1 sssd_t:fifo_file rw_inherited_fifo_file_perms; ') +######################################## +## +## Allow caller to signull sssd. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_signull',` + gen_require(` + type sssd_t; + ') + + allow $1 sssd_t:process signull; +') + ######################################## ## ## Transition to sssd named content diff --git a/sysstat.te b/sysstat.te index a2690e315..efb2f855c 100644 --- a/sysstat.te +++ b/sysstat.te @@ -44,6 +44,7 @@ dev_read_urand(sysstat_t) files_search_var(sysstat_t) files_read_etc_runtime_files(sysstat_t) +files_search_all_mountpoints(sysstat_t) fs_getattr_all_fs(sysstat_t) fs_list_inotifyfs(sysstat_t)
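Review bot: `files_manage_non_security_dirs(snapperd_t)` and `files_relabel_non_security_files(snapperd_t)` let snapperd create, delete and relabel nearly every non-security-labeled directory and file, which together with the existing `files_read_all_*`/`files_list_all` grants and `fs_mount_xattr_fs` makes it close to a filesystem-wide write domain. That may be exactly what snapshot rollback needs, but the hunk gives no reason; add a comment above the two lines, e.g. `# rollback restores arbitrary paths from snapshots and must preserve their labels`, or the actual reason, so the breadth is traceable.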