diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index c30a277b..c5beb7e9 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -53,6 +53,7 @@
 postgrey
 pxe
 qmail (Petre Rodan)
+ resmgr
 rhgb
 snort
 speedtouch
diff --git a/refpolicy/policy/modules/apps/cdrecord.if b/refpolicy/policy/modules/apps/cdrecord.if
index 41bb2057..34644d63 100644
--- a/refpolicy/policy/modules/apps/cdrecord.if
+++ b/refpolicy/policy/modules/apps/cdrecord.if
@@ -197,7 +197,7 @@ template(`cdrecord_per_userdomain_template', `
 fs_read_nfs_symlinks($1_cdrecord_t)
 ')
 
- ifdef(`TODO',`
- can_resmgrd_connect($1_cdrecord_t)
+ optional_policy(`
+ resmgr_stream_connect($1_cdrecord_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/apps/cdrecord.te b/refpolicy/policy/modules/apps/cdrecord.te
index 5e410f79..d78c5922 100644
--- a/refpolicy/policy/modules/apps/cdrecord.te
+++ b/refpolicy/policy/modules/apps/cdrecord.te
@@ -1,5 +1,5 @@
-policy_module(cdrecord,1.0.0)
+policy_module(cdrecord,1.0.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/resmgr.fc b/refpolicy/policy/modules/services/resmgr.fc
new file mode 100644
index 00000000..af810b94
--- /dev/null
+++ b/refpolicy/policy/modules/services/resmgr.fc
@@ -0,0 +1,7 @@
+
+/etc/resmgr\.conf -- gen_context(system_u:object_r:resmgrd_etc_t,s0)
+
+/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
+
+/var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+/var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/resmgr.if b/refpolicy/policy/modules/services/resmgr.if
new file mode 100644
index 00000000..d457736d
--- /dev/null
+++ b/refpolicy/policy/modules/services/resmgr.if
@@ -0,0 +1,22 @@
+## Resource management daemon
+
+########################################
+##
+## Connect to resmgrd over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`resmgr_stream_connect',`
+ gen_require(`
+ type resmgrd_var_run_t, resmgrd_t;
+ ')
+
+ allow $1 resmgrd_t:unix_stream_socket connectto;
+ allow $1 resmgrd_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
+')
diff --git a/refpolicy/policy/modules/services/resmgr.te b/refpolicy/policy/modules/services/resmgr.te
new file mode 100644
index 00000000..695d7c6d
--- /dev/null
+++ b/refpolicy/policy/modules/services/resmgr.te
@@ -0,0 +1,81 @@
+
+policy_module(resmgr,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type resmgrd_t;
+type resmgrd_exec_t;
+init_daemon_domain(resmgrd_t,resmgrd_exec_t)
+
+type resmgrd_etc_t;
+files_config_file(resmgrd_etc_t)
+
+type resmgrd_var_run_t;
+files_pid_file(resmgrd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
+dontaudit resmgrd_t self:capability sys_tty_config;
+allow resmgrd_t self:process signal_perms;
+
+allow resmgrd_t resmgrd_etc_t:file { getattr read };
+files_search_etc(resmgrd_t)
+
+allow resmgrd_t resmgrd_var_run_t:file manage_file_perms;
+allow resmgrd_t resmgrd_var_run_t:sock_file manage_file_perms;
+files_pid_filetrans(resmgrd_t,resmgrd_var_run_t,{ file sock_file })
+
+kernel_list_proc(resmgrd_t)
+kernel_read_proc_symlinks(resmgrd_t)
+kernel_read_kernel_sysctls(resmgrd_t)
+
+dev_read_sysfs(resmgrd_t)
+dev_getattr_scanner_dev(resmgrd_t)
+
+domain_use_interactive_fds(resmgrd_t)
+
+files_read_etc_files(resmgrd_t)
+
+fs_search_auto_mountpoints(resmgrd_t)
+
+storage_dontaudit_read_fixed_disk(resmgrd_t)
+storage_read_scsi_generic(resmgrd_t)
+storage_raw_read_removable_device(resmgrd_t)
+# not sure if it needs write access, needs to be investigated further...
+storage_write_scsi_generic(resmgrd_t)
+storage_raw_write_removable_device(resmgrd_t)
+
+term_dontaudit_use_console(resmgrd_t)
+
+init_use_fds(resmgrd_t)
+init_use_script_ptys(resmgrd_t)
+
+libs_use_ld_so(resmgrd_t)
+libs_use_shared_libs(resmgrd_t)
+
+logging_send_syslog_msg(resmgrd_t)
+
+miscfiles_read_localization(resmgrd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(resmgrd_t)
+ term_dontaudit_use_generic_ptys(resmgrd_t)
+ files_dontaudit_read_root_files(resmgrd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(resmgrd_t)
+')
+
+optional_policy(`
+ udev_read_db(resmgrd_t)
+')
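Review bot: The two rules placed under the comment `# not sure if it needs write access, needs to be investigated further...` — `storage_write_scsi_generic(resmgrd_t)` and `storage_raw_write_removable_device(resmgrd_t)` — grant raw write access to SCSI generic and removable block devices on a guess, in a domain that this same hunk already gives `sys_admin` and `sys_rawio`; refpolicy's usual practice is to add such rules only after an observed denial rather than speculatively. I would drop the two write lines from the initial module and keep the comment as a TODO naming the access still to be confirmed, or at minimum reword the comment to say which resmgrd operation is believed to need device writes so the next reviewer can verify it. The line `allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };` would likewise benefit from a short comment stating what each capability is needed for, since `sys_admin` on its own covers a wide range of privileged operations.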
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index 9918eb5b..b39f586a 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
-policy_module(xserver,1.1.4)
+policy_module(xserver,1.1.5)
 
 ########################################
 #
@@ -440,14 +440,16 @@ ifdef(`targeted_policy',`
 unconfined_domtrans(xdm_xserver_t)
 ')
 
+optional_policy(`
+ resmgr_stream_connect(xdm_t)
+')
+
 optional_policy(`
 rhgb_rw_shm(xdm_xserver_t)
 rhgb_rw_tmpfs_files(xdm_xserver_t)
 ')
 
 ifdef(`TODO',`
-can_resmgrd_connect(xdm_t)
-
 # Need to further investigate these permissions and
 # perhaps define derived types.
 allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 5a731560..475a7ce7 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -419,6 +419,10 @@ template(`base_user_template',`
 quota_dontaudit_getattr_db($1_t)
 ')
 
+ optional_policy(`
+ resmgr_stream_connect($1_t)
+ ')
+
 optional_policy(`
 rpc_dontaudit_getattr_exports($1_t)
 rpc_manage_nfs_rw_content($1_t)
@@ -487,8 +491,6 @@ template(`base_user_template',`
 allow $1_t usbtty_device_t:chr_file read;
 
- can_resmgrd_connect($1_t)
-
 ifdef(`xdm.te', `
 allow $1_t xdm_var_lib_t:file r_file_perms;
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 4c95bbf5..00baa24b 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.13)
+policy_module(userdomain,1.3.14)
 
 gen_require(`
 role sysadm_r, staff_r, user_r;