- Add policy to make dbus/nm-applet work

2009-01-23 20:35:45 +00:00 · 2009-01-23 20:35:45 +00:00 · 14c9b9cdc6
commit 14c9b9cdc6
parent 40dd24d39b
2 changed files with 289 additions and 45 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -1401,7 +1401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.if serefpolicy-3.6.3/policy/modules/admin/vbetool.if
 --- nsaserefpolicy/policy/modules/admin/vbetool.if	2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.6.3/policy/modules/admin/vbetool.if	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/admin/vbetool.if	2009-01-23 14:46:57.000000000 -0500
@@ -18,3 +18,28 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1, vbetool_exec_t, vbetool_t)
@ -4058,7 +4058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +corecmd_executable_file(wm_exec_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc	2009-01-20 14:46:23.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc	2009-01-23 15:08:37.000000000 -0500
@@ -58,6 +58,8 @@
 
 /etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
@ -4103,7 +4103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/share/fedora-usermgmt/wrapper --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hplip/[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hwbrowser/hwbrowser --	gen_context(system_u:object_r:bin_t,s0)
-@@ -293,3 +299,8 @@
+@@ -293,3 +299,10 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -4112,6 +4112,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
 +
 +/usr/lib/oracle/xe/apps(/.*)?  gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/pm-utils/sleep.d(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.3/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2009-01-05 15:39:38.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.if	2009-01-19 13:10:02.000000000 -0500
@ -6183,7 +6185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.3/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2008-10-08 19:00:23.000000000 -0400
-+++ serefpolicy-3.6.3/policy/modules/kernel/storage.fc	2009-01-19 13:53:59.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/kernel/storage.fc	2009-01-23 09:24:07.000000000 -0500
@@ -36,7 +36,7 @@
 /dev/pg[0-3]		-c	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/ps3d.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@ -6193,6 +6195,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /dev/rd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 ifdef(`distro_redhat', `
 /dev/root		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -57,7 +57,7 @@
+ 
+ /dev/cciss/[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ 
+-/dev/fuse		-c	gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
+/dev/fuse		-c	gen_context(system_u:object_r:fuse_device_t,s0)
+ /dev/floppy/[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
+ 
+ /dev/i2o/hd[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -67,6 +67,8 @@
 /dev/md/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mapper/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@ -8502,7 +8513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/apache.te	2009-01-21 11:01:33.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/apache.te	2009-01-23 15:14:19.000000000 -0500
@@ -19,6 +19,8 @@
 # Declarations
 #
@ -10134,8 +10145,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.3/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/cron.fc	2009-01-19 13:10:02.000000000 -0500
-@@ -17,9 +17,9 @@
+++ serefpolicy-3.6.3/policy/modules/services/cron.fc	2009-01-23 15:16:30.000000000 -0500
+@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/atd		--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+ 
+ /etc/cron\.d(/.*)?			gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /etc/crontab			--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+@@ -17,9 +18,9 @@
 /var/run/fcron\.fifo		-s	gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/fcron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 
@ -10148,7 +10164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 /var/spool/cron			-d	gen_context(system_u:object_r:cron_spool_t,s0)
 #/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-@@ -41,7 +41,11 @@
+@@ -41,7 +42,11 @@
 #/var/spool/cron/crontabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
 
 /var/spool/fcron		-d	gen_context(system_u:object_r:cron_spool_t,s0)
@ -10163,7 +10179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.3/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/cron.if	2009-01-21 15:20:50.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/cron.if	2009-01-23 15:15:40.000000000 -0500
@@ -12,6 +12,10 @@
 ## </param>
 #
@ -10259,7 +10275,50 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	gen_require(`
 		type crond_t;
 	')
-@@ -481,11 +515,14 @@
+@@ -416,6 +450,42 @@
+ 
+ ########################################
+ ## <summary>
+##	Execute cron in the cron system domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_domtrans',`
+	gen_require(`
+		type system_cronjob_t, crond_exec_t;
+	')
+
+	domtrans_pattern($1,crond_exec_t,system_cronjob_t)
+')
+
+########################################
+## <summary>
+##	Execute crond_exec_t 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_exec',`
+	gen_require(`
+		type crond_exec_t;
+	')
+
+	can_exec($1,crond_exec_t)
+')
+
+########################################
+## <summary>
+ ##	Inherit and use a file descriptor
+ ##	from system cron jobs.
+ ## </summary>
+@@ -481,11 +551,14 @@
 #
 interface(`cron_read_system_job_tmp_files',`
 	gen_require(`
@ -10275,7 +10334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -506,3 +543,82 @@
+@@ -506,3 +579,101 @@
 
 	dontaudit $1 system_cronjob_tmp_t:file append;
 ')
@ -10358,9 +10417,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	manage_files_pattern($1, crond_var_run_t,  crond_var_run_t)
 +')
+
+########################################
+## <summary>
+##	Execute crond server in the nscd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`cron_initrc_domtrans',`
+	gen_require(`
+		type crond_initrc_exec_t;
+')
+
+	init_labeled_script_domtrans($1, crond_initrc_exec_t)
+')
+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.3/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/cron.te	2009-01-21 15:19:17.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/cron.te	2009-01-23 15:14:37.000000000 -0500
@@ -38,6 +38,10 @@
 type cron_var_lib_t;
 files_type(cron_var_lib_t)
@ -10372,8 +10450,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # var/log files
 type cron_log_t;
 logging_log_file(cron_log_t)
-@@ -58,6 +62,8 @@
+@@ -56,8 +60,13 @@
+ domain_interactive_fd(crond_t)
+ domain_cron_exemption_source(crond_t)
 
+type crond_initrc_exec_t;
+init_script_file(crond_initrc_exec_t)
+
 type crond_tmp_t;
 files_tmp_file(crond_tmp_t)
 +files_poly_parent(crond_tmp_t)
@ -10381,7 +10464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 type crond_var_run_t;
 files_pid_file(crond_var_run_t)
-@@ -70,10 +76,11 @@
+@@ -70,10 +79,11 @@
 typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
 
 cron_common_crontab_template(crontab)
@ -10394,7 +10477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
-@@ -103,6 +110,13 @@
+@@ -103,6 +113,13 @@
 files_type(user_cron_spool_t)
 ubac_constrained(user_cron_spool_t)
 
@ -10408,7 +10491,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Admin crontab local policy
-@@ -130,7 +144,7 @@
+@@ -130,7 +147,7 @@
 # Cron daemon local policy
 #
 
@ -10417,7 +10500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit crond_t self:capability { sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
-@@ -149,19 +163,19 @@
+@@ -149,19 +166,19 @@
 allow crond_t crond_var_run_t:file manage_file_perms;
 files_pid_filetrans(crond_t,crond_var_run_t,file)
 
@ -10441,7 +10524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_read_sysfs(crond_t)
 selinux_get_fs_mount(crond_t)
 selinux_validate_context(crond_t)
-@@ -183,6 +197,8 @@
+@@ -183,6 +200,8 @@
 corecmd_read_bin_symlinks(crond_t)
 
 domain_use_interactive_fds(crond_t)
@ -10450,7 +10533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 files_read_etc_files(crond_t)
 files_read_generic_spool(crond_t)
-@@ -192,10 +208,13 @@
+@@ -192,10 +211,13 @@
 files_search_default(crond_t)
 
 init_rw_utmp(crond_t)
@ -10464,7 +10547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 seutil_read_config(crond_t)
 seutil_read_default_contexts(crond_t)
-@@ -208,6 +227,7 @@
+@@ -208,6 +230,7 @@
 userdom_list_user_home_dirs(crond_t)
 
 mta_send_mail(crond_t)
@ -10472,7 +10555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 ifdef(`distro_debian',`
 	# pam_limits is used
-@@ -227,21 +247,45 @@
+@@ -227,21 +250,45 @@
 	')
 ')
 
@ -10519,7 +10602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -283,7 +327,14 @@
+@@ -283,7 +330,14 @@
 allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
 files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
 
@ -10534,7 +10617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # The entrypoint interface is not used as this is not
 # a regular entrypoint.  Since crontab files are
 # not directly executed, crond must ensure that
-@@ -314,9 +365,13 @@
+@@ -314,9 +368,13 @@
 filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
 files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
 
@ -10549,7 +10632,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
-@@ -370,7 +425,8 @@
+@@ -370,7 +428,8 @@
 init_read_utmp(system_cronjob_t)
 init_dontaudit_rw_utmp(system_cronjob_t)
 # prelink tells init to restart it self, we either need to allow or dontaudit
@ -10559,7 +10642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 auth_use_nsswitch(system_cronjob_t)
 
-@@ -378,6 +434,7 @@
+@@ -378,6 +437,7 @@
 libs_exec_ld_so(system_cronjob_t)
 
 logging_read_generic_logs(system_cronjob_t)
@ -10567,7 +10650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_send_syslog_msg(system_cronjob_t)
 
 miscfiles_read_localization(system_cronjob_t)
-@@ -428,11 +485,20 @@
+@@ -428,11 +488,20 @@
 ')
 
 optional_policy(`
@ -10588,7 +10671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -460,8 +526,7 @@
+@@ -460,8 +529,7 @@
 ')
 
 optional_policy(`
@ -10598,7 +10681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -469,24 +534,17 @@
+@@ -469,24 +537,17 @@
 ')
 
 optional_policy(`
@ -10607,16 +10690,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	unconfined_domain(crond_t)
 	unconfined_domain(system_cronjob_t)
 -	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
- ')
- 
+-')
+-
 -ifdef(`TODO',`
 -ifdef(`mta.te', `
 -allow system_cronjob_t mail_spool_t:lnk_file read;
 -allow mta_user_agent system_cronjob_t:fd use;
 -r_dir_file(system_mail_t, crond_tmp_t)
-')
+ ')
 -') dnl end TODO
-
+ 
 ########################################
 #
 # User cronjobs local policy
@ -10626,7 +10709,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow cronjob_t self:process { signal_perms setsched };
 allow cronjob_t self:fifo_file rw_fifo_file_perms;
 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-@@ -570,6 +628,9 @@
+@@ -570,6 +631,9 @@
 userdom_manage_user_home_content_sockets(cronjob_t)
 #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
 
@ -11606,8 +11689,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/run/devkit(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.3/policy/modules/services/devicekit.if
 --- nsaserefpolicy/policy/modules/services/devicekit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/devicekit.if	2009-01-20 17:22:44.000000000 -0500
-@@ -0,0 +1,157 @@
+++ serefpolicy-3.6.3/policy/modules/services/devicekit.if	2009-01-23 09:25:48.000000000 -0500
+@@ -0,0 +1,177 @@
 +
 +## <summary>policy for devicekit</summary>
 +
@ -11765,10 +11848,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	devicekit_manage_var_run($1)
 +
 +')
+
+########################################
+## <summary>
+##	Send to devicekit over a unix domain
+##	datagram socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`devicekit_dgram_send',`
+	gen_require(`
+		type devicekit_t;
+	')
+
+	allow $1 devicekit_t:unix_dgram_socket sendto;
+')
+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.3/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/devicekit.te	2009-01-20 17:10:23.000000000 -0500
-@@ -0,0 +1,71 @@
+++ serefpolicy-3.6.3/policy/modules/services/devicekit.te	2009-01-23 15:17:57.000000000 -0500
+@@ -0,0 +1,114 @@
 +policy_module(devicekit,1.0.0)
 +
 +########################################
@ -11816,19 +11919,45 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +# DeviceKit-Power local policy
 +#
+allow devicekit_power_t self:capability { sys_tty_config dac_override };
+allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 +allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 +
+corecmd_exec_bin(devicekit_power_t)
+corecmd_exec_shell(devicekit_power_t)
+
+consoletype_exec(devicekit_power_t)
+
 +dev_rw_generic_usb_dev(devicekit_power_t)
 +dev_rw_netcontrol(devicekit_power_t)
-+dev_read_sysfs(devicekit_power_t)
+dev_rw_sysfs(devicekit_power_t)
 +
 +files_read_etc_files(devicekit_power_t)
+files_read_usr_files(devicekit_t)
 +
 +fs_list_inotifyfs(devicekit_power_t)
 +
+auth_use_nsswitch(devicekit_power_t)
+
 +miscfiles_read_localization(devicekit_power_t)
 +
+userdom_read_all_users_state(devicekit_power_t)
+
 +optional_policy(`
+	hal_domtrans_mac(devicekit_power_t)
+	hal_write_log(devicekit_power_t)
+	hal_manage_pid_dirs(devicekit_power_t)
+	hal_manage_pid_files(devicekit_power_t)
+	hal_dbus_chat(devicekit_power_t)
+')
+
+optional_policy(`
+	cron_initrc_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+	polkit_domtrans_auth(devicekit_power_t)
+	polkit_read_lib(devicekit_power_t)
 +	polkit_read_reload(devicekit_power_t)
 +')
 +
@ -11836,9 +11965,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	dbus_system_bus_client(devicekit_power_t)
 +	allow devicekit_power_t devicekit_t:dbus send_msg;
 +	allow devicekit_t devicekit_power_t:dbus send_msg;
+
 +	optional_policy(`
 +		consolekit_dbus_chat(devicekit_power_t)
 +	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(devicekit_power_t)
+	')
+
+	optional_policy(`
+		rpm_dbus_chat(devicekit_power_t)
+	')
+')
+
+optional_policy(`
+	bootloader_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+	vbetool_domtrans(devicekit_power_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.3/policy/modules/services/dhcp.if
 --- nsaserefpolicy/policy/modules/services/dhcp.if	2008-11-18 18:57:20.000000000 -0500
@ -12735,8 +12881,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.3/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2008-11-19 11:51:44.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/hal.if	2009-01-20 15:29:07.000000000 -0500
-@@ -51,10 +51,7 @@
+++ serefpolicy-3.6.3/policy/modules/services/hal.if	2009-01-23 14:59:53.000000000 -0500
+@@ -20,6 +20,24 @@
+ 
+ ########################################
+ ## <summary>
+##	Execute hal mac in the hal mac domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_domtrans_mac',`
+	gen_require(`
+		type hald_mac_t, hald_mac_exec_t;
+	')
+
+	domtrans_pattern($1, hald_mac_exec_t, hald_mac_t)
+')
+
+########################################
+## <summary>
+ ##	Get the attributes of a hal process.
+ ## </summary>
+ ## <param name="domain">
+@@ -51,10 +69,7 @@
 		type hald_t;
 	')
 
@ -12748,6 +12919,67 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
+@@ -340,3 +355,60 @@
+ 	files_search_pids($1)
+ 	allow $1 hald_var_run_t:file rw_file_perms;
+ ')
+
+########################################
+## <summary>
+##	Read/Write hald PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_rw_pid_files',`
+	gen_require(`
+		type hald_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 hald_var_run_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage hald PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_manage_pid_files',`
+	gen_require(`
+		type hald_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
+')
+
+########################################
+## <summary>
+##	Manage hald PID dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_manage_pid_dirs',`
+	gen_require(`
+		type hald_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t)
+')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.3/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/services/hal.te	2009-01-20 11:41:48.000000000 -0500
@ -14776,7 +15008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.3/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/nscd.if	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/nscd.if	2009-01-23 15:15:06.000000000 -0500
@@ -58,6 +58,42 @@
 
 ########################################
@ -16474,7 +16706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:polkit_reload_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.3/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/polkit.if	2009-01-19 14:47:07.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/polkit.if	2009-01-23 14:44:09.000000000 -0500
@@ -0,0 +1,241 @@
 +
 +## <summary>policy for polkit_auth</summary>
@ -22605,7 +22837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-21 16:14:47.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-23 10:14:45.000000000 -0500
@@ -34,6 +34,13 @@
 
 ## <desc>
@ -23043,6 +23275,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # Device rules
 allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
+@@ -622,7 +728,7 @@
+ manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+ 
+-filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file)
+#filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file)
+ 
+ manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+ manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -635,6 +741,15 @@
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -27411,7 +27652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-21 16:19:30.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-23 15:07:13.000000000 -0500
@@ -30,8 +30,9 @@
 	')
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.3
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -444,6 +444,9 @@ exit 0
 %endif

 %changelog
+* Fri Jan 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-8
+- Add policy to make dbus/nm-applet work
+
 * Thu Jan 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-7
 - Remove polgen-ifgen from post and add trigger to policycoreutils-python