diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc
index c69d0472c..4313a6f0a 100644
--- a/policy/modules/services/portreserve.fc
+++ b/policy/modules/services/portreserve.fc
@@ -1,5 +1,7 @@
/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
+/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if
index 10300a02f..7719d1605 100644
--- a/policy/modules/services/portreserve.if
+++ b/policy/modules/services/portreserve.if
@@ -29,7 +29,6 @@ interface(`portreserve_domtrans',`
##
##
##
-##
#
interface(`portreserve_read_config',`
gen_require(`
@@ -52,7 +51,6 @@ interface(`portreserve_read_config',`
## Domain allowed access.
##
##
-##
#
interface(`portreserve_manage_config',`
gen_require(`
@@ -64,3 +62,59 @@ interface(`portreserve_manage_config',`
manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
')
+
+########################################
+##
+## Execute portreserve in the portreserve domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`portreserve_initrc_domtrans',`
+ gen_require(`
+ type portreserve_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, portreserve_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an portreserve environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`portreserve_admin',`
+ gen_require(`
+ type portreserve_t, portreserve_etc_t, portreserve_var_run_t;
+ type portreserve_initrc_exec_t;
+ ')
+
+ allow $1 portreserve_t:process { ptrace signal_perms };
+ ps_process_pattern($1, portreserve_t)
+
+ portreserve_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 portreserve_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, portreserve_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, portreserve_var_run_t)
+')
diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te
index 4f2dae122..e091aba78 100644
--- a/policy/modules/services/portreserve.te
+++ b/policy/modules/services/portreserve.te
@@ -9,6 +9,9 @@ type portreserve_t;
type portreserve_exec_t;
init_daemon_domain(portreserve_t, portreserve_exec_t)
+type portreserve_initrc_exec_t;
+init_script_file(portreserve_initrc_exec_t)
+
type portreserve_etc_t;
files_type(portreserve_etc_t)
@@ -35,7 +38,7 @@ read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
-files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file })
+files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir })
corecmd_getattr_bin_files(portreserve_t)
@@ -47,3 +50,5 @@ corenet_tcp_bind_all_ports(portreserve_t)
corenet_udp_bind_all_ports(portreserve_t)
files_read_etc_files(portreserve_t)
+
+userdom_dontaudit_search_user_home_content(portreserve_t)