Ccs patch from Dan Walsh.

policy/modules/services/ccs.fc

@@ -2,9 +2,5 @@
 
 /sbin/ccsd		--	gen_context(system_u:object_r:ccs_exec_t,s0)
 
-/usr/sbin/aisexec 	--	gen_context(system_u:object_r:ccs_exec_t,s0)
-
-/var/lib/openais(/.*)?		gen_context(system_u:object_r:ccs_var_lib_t,s0)
-
-/var/run/cluster(/.*)?		gen_context(system_u:object_r:ccs_var_run_t,s0)
-/var/run/cman_.*	-s	gen_context(system_u:object_r:ccs_var_run_t,s0)
+/var/run/cluster/ccsd\.pid --	gen_context(system_u:object_r:ccs_var_run_t,s0)
+/var/run/cluster/ccsd\.sock -s	gen_context(system_u:object_r:ccs_var_run_t,s0)

policy/modules/services/ccs.te

@@ -1,5 +1,5 @@
 
-policy_module(ccs, 1.4.0)
+policy_module(ccs, 1.4.1)
 
 ########################################
 #
@@ -10,23 +10,21 @@ type ccs_t;
 type ccs_exec_t;
 init_daemon_domain(ccs_t, ccs_exec_t)
 
-# conf files
 type cluster_conf_t;
 files_type(cluster_conf_t)
 
-# tmp files
 type ccs_tmp_t;
 files_tmp_file(ccs_tmp_t)
 
-# log files
-type ccs_var_log_t;
-logging_log_file(ccs_var_log_t)
+type ccs_tmpfs_t;
+files_tmpfs_file(ccs_tmpfs_t)
 
-# var lib files
 type ccs_var_lib_t;
 logging_log_file(ccs_var_lib_t)
 
-# pid files
+type ccs_var_log_t;
+logging_log_file(ccs_var_log_t)
+
 type ccs_var_run_t;
 files_pid_file(ccs_var_run_t)
 
@@ -35,7 +33,7 @@ files_pid_file(ccs_var_run_t)
 # ccs local policy
 #
 
-allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin };
+allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
 allow ccs_t self:process { signal setrlimit setsched };
 dontaudit ccs_t self:process ptrace;
 allow ccs_t self:fifo_file rw_fifo_file_perms;
@@ -55,17 +53,20 @@ manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
 manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
 files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })
 
-# log files
-manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-allow ccs_t ccs_var_log_t:dir setattr;
-logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
+manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
+manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
+fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file })
 
 # var lib files
 manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
 manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
 files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
 
+allow ccs_t ccs_var_log_t:dir setattr;
+manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
+
 # pid file
 manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
 manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
@@ -104,6 +105,9 @@ miscfiles_read_localization(ccs_t)
 
 sysnet_dns_name_resolve(ccs_t)
 
+userdom_manage_unpriv_user_shared_mem(ccs_t)
+userdom_manage_unpriv_user_semaphores(ccs_t)
+
 ifdef(`hide_broken_symptoms', `
 	corecmd_dontaudit_write_bin_dirs(ccs_t)
 	files_manage_isid_type_files(ccs_t)