From c753c066d107146ce5aa599866bc949d077d396b Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Mon, 20 Feb 2017 14:20:00 +0100
Subject: [PATCH 1/3] add corecmd_check_exec_bin_files()

Useful for monit.
---
 policy/modules/kernel/corecommands.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 426122604..24e7c4fd4 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -216,6 +216,25 @@ interface(`corecmd_dontaudit_getattr_bin_files',`
 	dontaudit $1 bin_t:file getattr_file_perms;
 ')
 
+########################################
+## <summary>
+##	Check if files in bin directories are executable (DAC-wise)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_check_exec_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search_dir_perms;
+	allow $1 bin_t:file { execute getattr };
+')
+
 ########################################
 ## <summary>
 ##	Read files in bin directories.
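Review bot: The `file execute` permission granted on the `allow $1 bin_t:file { execute getattr };` line is broader than the summary's "check ... (DAC-wise)" wording suggests: execute is the permission the kernel consults for an access(2)/faccessat(2) X_OK probe, but to my understanding it is also the permission that governs mapping bin_t files with PROT_EXEC, so this is a partial exec grant rather than a pure metadata check. Because execute_no_trans is deliberately left out the domain still cannot execve the files in its own context, and that distinction is worth stating so callers do not reach for this interface where corecmd_exec_bin is intended. Suggest extending the summary with a line such as `##	Grants execute but not execute_no_trans: the files can be probed (and mapped) but not run.` Whether the caller needs more than execute+getattr (for example open/read if it inspects the file rather than calling access(2)) is not visible from the patch.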

From e4f394072986f7d3e33031fbdbe3b04c2e6da27f Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Mon, 20 Feb 2017 14:20:25 +0100
Subject: [PATCH 2/3] add fs_getattr_dos_dirs()

useful
---
 policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 96fa54d4b..c07f5fb8f 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1778,6 +1778,24 @@ interface(`fs_relabelfrom_dos_fs',`
 	allow $1 dosfs_t:filesystem relabelfrom;
 ')
 
+########################################
+## <summary>
+##	Get attributes of directories on a dosfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_dos_dirs',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	allow $1 dosfs_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	Search dosfs filesystem.

From 5770a8ee7ca2c8b30a848169bec4f0f48a5e83af Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Mon, 20 Feb 2017 14:24:56 +0100
Subject: [PATCH 3/3] update init_ACTION_all_units

When, under systemd, a program ships only an init script and no systemd unit file, systemd creates a pseudo service on the fly.
To be able to act on this service, add the target attribute init_script_file_type to the init_ACTION_all_units interfaces.

Useful for monit.
---
 policy/modules/system/init.if | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 7a657f3cf..62bfd4fdc 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2524,11 +2524,11 @@ interface(`init_reload_generic_units',`
 #
 interface(`init_get_all_units_status',`
 	gen_require(`
-		attribute systemdunit;
+		attribute init_script_file_type, systemdunit;
 		class service status;
 	')
 
-	allow $1 systemdunit:service status;
+	allow $1 { init_script_file_type systemdunit }:service status;
 ')
 
 ########################################
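Review bot: Widening the target to `{ init_script_file_type systemdunit }` on the `allow $1 ...:service status;` line (and likewise in init_start_all_units, init_stop_all_units and init_reload_all_units below) makes these interfaces cover every type declared as an init script file, not only the units systemd generates for scripts under /etc/init.d, which fits the "all units" naming but should be reflected in each interface's `## <summary>` block; those summaries sit above the hunks and are not visible here, so if they still speak only of systemd units, add a line such as `##	Includes the services systemd generates on the fly for SysV init scripts.` The change rests on systemd labelling a generated service with the context of the init script itself, which is inferred rather than shown by the patch and deserves a sentence in the interface documentation. If the file also carries enable/disable or dontaudit counterparts in the init_*_all_units family, the same widening presumably belongs there so callers see consistent behaviour across the family.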
@@ -2543,11 +2543,11 @@ interface(`init_get_all_units_status',`
 #
 interface(`init_start_all_units',`
 	gen_require(`
-		attribute systemdunit;
+		attribute init_script_file_type, systemdunit;
 		class service start;
 	')
 
-	allow $1 systemdunit:service start;
+	allow $1 { init_script_file_type systemdunit }:service start;
 ')
 
 ########################################
@@ -2562,11 +2562,11 @@ interface(`init_start_all_units',`
 #
 interface(`init_stop_all_units',`
 	gen_require(`
-		attribute systemdunit;
+		attribute init_script_file_type, systemdunit;
 		class service stop;
 	')
 
-	allow $1 systemdunit:service stop;
+	allow $1 { init_script_file_type systemdunit }:service stop;
 ')
 
 #######################################
@@ -2581,9 +2581,9 @@ interface(`init_stop_all_units',`
 #
 interface(`init_reload_all_units',`
 	gen_require(`
-		attribute systemdunit;
+		attribute init_script_file_type, systemdunit;
 		class service reload;
 	')
 
-	allow $1 systemdunit:service reload;
+	allow $1 { init_script_file_type systemdunit }:service reload;
 ')