Diffstat (limited to 'cpp')
-rw-r--r-- | cpp/etc/selinux/qpidd.te | 10 | ||||
-rw-r--r-- | cpp/etc/selinux/qpiddevel.te | 23 |
2 files changed, 30 insertions, 3 deletions
diff --git a/cpp/etc/selinux/qpidd.te b/cpp/etc/selinux/qpidd.te
index 92ff3043bd..322645531e 100644
--- a/cpp/etc/selinux/qpidd.te
+++ b/cpp/etc/selinux/qpidd.te
@@ -1,6 +1,10 @@
-# selinux policy needed to run a qpid cluster with selinux in enforcing mode.
-# To build the compiled .pp file in this directory do:
-# make -f /usr/share/selinux/devel/Makefile
+# selinux policy needed to run the qpidd service with clustering
+# enabled and selinux in enforcing mode.
+#
+# To build the qpid.pp module in this directory do:
+# sudo make -f /usr/share/selinux/devel/Makefile
+# To install the compiled qpidd.pp
+# sudo semodule -i qpidd.pp
 policy_module(qpidd, 1.1)
 
 require {
diff --git a/cpp/etc/selinux/qpiddevel.te b/cpp/etc/selinux/qpiddevel.te
new file mode 100644
index 0000000000..092b9fc203
--- /dev/null
+++ b/cpp/etc/selinux/qpiddevel.te
@@ -0,0 +1,23 @@
+# selinux policy for qpid developers.
+# If you have configured a qpid source tree with cluster support, you will need
+# this policy to run the make check tests with with selinux in enforcing mode.
+#
+# To build the qpid.pp module in this directory do:
+# sudo make -f /usr/share/selinux/devel/Makefile
+# To install the compiled qpiddevel.pp
+# sudo semodule -i qpiddevel.pp
+
+module qpiddevel 1.0;
+
+require {
+ type unconfined_t;
+ type aisexec_t;
+ class capability sys_admin;
+ class sem { write unix_read unix_write associate read destroy };
+ class shm { unix_read write unix_write associate read destroy };
+}
+
+#============= aisexec_t ==============
+allow aisexec_t self:capability sys_admin;
+allow aisexec_t unconfined_t:sem { write unix_read unix_write associate read destroy };
+allow aisexec_t unconfined_t:shm { unix_read write unix_write associate read destroy };
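Review bot: The build step in the new header comment names `qpid.pp` while the install step two lines later names `qpidd.pp`; `policy_module(qpidd, 1.1)` produces qpidd.pp, so the build line should read `# To build the qpidd.pp module in this directory do:`. The same mismatch is copied into the header of the new qpiddevel.te hunk, where the build line says qpid.pp but the module is declared as qpiddevel and the install line references qpiddevel.pp. A reader following these instructions literally will look for a file that is never produced.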
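Review bot: The three allow rules at the end of the new file grant aisexec_t the sys_admin capability and read/write/destroy access to every sem and shm object labelled unconfined_t, which is considerably wider than the make-check use case the header describes; in particular `destroy` lets the aisexec domain remove IPC objects it did not create. The header should state that this module is for development hosts only and widens the domain well beyond what qpidd.te grants, e.g. `# Development-only policy: do not load on production hosts.`. It would also help to record, as a comment above each rule, which AVC denial it was derived from, so a later reviewer can judge whether sys_admin is still needed or could become a dontaudit. The file also uses the raw `module qpiddevel 1.0;` form while qpidd.te uses `policy_module(qpidd, 1.1)`; a one-line comment explaining why the refpolicy macro is not used here would stop the inconsistency from being "fixed" blindly and breaking the require block.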