jabber: allow kernel_read_vm_overcommit_sysctl and extend policy to use a cache directory for httpupload

policy/modules/jabber.fc

@@ -24,3 +24,5 @@
 /var/run/ejabber\.pid	--	gen_context(system_u:object_r:jabberd_var_run_t,s0)
 /var/run/jabber\.pid	--	gen_context(system_u:object_r:jabberd_var_run_t,s0)
 /var/run/ejabberd(/.*)?		gen_context(system_u:object_r:jabberd_var_run_t,s0)
+
+/var/cache/ejabberd(/.*)?	gen_context(system_u:object_r:jabberd_var_cache_t,s0)

policy/modules/jabber.te

@@ -22,6 +22,9 @@ logging_log_file(jabberd_log_t)
 type jabberd_spool_t;
 files_type(jabberd_spool_t)
 
+type jabberd_var_cache_t;
+files_type(jabberd_var_cache_t)
+
 type jabberd_var_lib_t;
 files_type(jabberd_var_lib_t)
 
@@ -98,15 +101,21 @@ read_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
 setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
 logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
 
+manage_dirs_pattern(jabberd_t, jabberd_var_cache_t, jabberd_var_cache_t)
+manage_files_pattern(jabberd_t, jabberd_var_cache_t, jabberd_var_cache_t)
+type_transition jabberd_t jabberd_var_cache_t:{ file dir } jabberd_var_cache_t;
+
 manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
 
 manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
 files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
 
 files_search_var_lib(jabberd_t)
+files_read_usr_files(jabberd_t)
 
 kernel_read_kernel_sysctls(jabberd_t)
 kernel_read_vm_sysctls(jabberd_t)
+kernel_read_vm_overcommit_sysctl(jabberd_t)
 
 corenet_sendrecv_jabber_client_server_packets(jabberd_t)
 corenet_tcp_bind_jabber_client_port(jabberd_t)