- Add rtkit policy

2009-06-25 21:43:36 +00:00 · 2009-06-25 21:43:36 +00:00 · 221642f17f
commit 221642f17f
parent d399fb4d25
3 changed files with 285 additions and 108 deletions
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -1185,6 +1185,13 @@ rshd = module
 # 
 rsync = module
 # Layer: services
 # Module: rtkit_daemon
 #
 # Real Time Kit Daemon
 # 
 rtkit_daemon = module
 # Layer: services
 # Module: rwho
 #
--- a/policy-F12.patch
+++ b/policy-F12.patch
@ -2058,7 +2058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.18/policy/modules/apps/gnome.te
 --- nsaserefpolicy/policy/modules/apps/gnome.te	2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/apps/gnome.te	2009-06-24 16:20:30.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/apps/gnome.te	2009-06-25 15:55:41.000000000 -0400
@@ -9,16 +9,18 @@
 attribute gnomedomain;
@ -5890,7 +5890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.18/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2009-06-12 09:08:48.000000000 -0400
-+++ serefpolicy-3.6.18/policy/modules/kernel/domain.te	2009-06-22 17:32:55.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/kernel/domain.te	2009-06-25 09:30:09.000000000 -0400
@@ -5,6 +5,13 @@
 #
 # Declarations
@ -5961,7 +5961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Act upon any other process.
 allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +174,73 @@
+@@ -153,3 +174,75 @@
 # receive from all domains over labeled networking
 domain_all_recvfrom_all_domains(unconfined_domain_type)
@ -6001,7 +6001,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +ifdef(`hide_broken_symptoms',`
 +	fs_list_inotifyfs(domain)
 +	dontaudit domain self:udp_socket listen;
 +	allow domain domain:key { link search };
 +	dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
 +')
 +')
 +
@ -6070,7 +6072,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.18/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-06-12 09:08:48.000000000 -0400
-+++ serefpolicy-3.6.18/policy/modules/kernel/files.if	2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/kernel/files.if	2009-06-25 08:54:01.000000000 -0400
@@ -110,6 +110,11 @@
 ## </param>
 #
@ -6096,7 +6098,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# satisfy the assertions:
 	seutil_relabelto_bin_policy($1)
-@@ -1715,6 +1718,25 @@
+@@ -1331,6 +1334,24 @@
 ########################################
 ## <summary>
 +##	Remove file entries from the root directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`files_delete_root_file',`
 +	gen_require(`
 +		type root_t;
 +	')
 +
 +	allow $1 root_t:file unlink;
 +')
 +
 +########################################
 +## <summary>
 ##	Remove entries from the root directory.
 ## </summary>
 ## <param name="domain">
@@ -1715,6 +1736,25 @@
 ########################################
 ## <summary>
@ -6122,7 +6149,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Mount a filesystem on a directory with the default file type.
 ## </summary>
 ## <param name="domain">
-@@ -1931,6 +1953,27 @@
+@@ -1931,6 +1971,27 @@
 	allow $1 etc_t:dir list_dir_perms;
 	read_files_pattern($1, etc_t, etc_t)
 	read_lnk_files_pattern($1, etc_t, etc_t)
@ -6150,7 +6177,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -2418,6 +2461,11 @@
+@@ -2418,6 +2479,11 @@
 	')
 	delete_files_pattern($1, file_t, file_t)
@ -6162,7 +6189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -3449,6 +3497,24 @@
+@@ -3449,6 +3515,24 @@
 ########################################
 ## <summary>
@ -6187,7 +6214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Read all tmp files.
 ## </summary>
 ## <param name="domain">
-@@ -3515,6 +3581,8 @@
+@@ -3515,6 +3599,8 @@
 	delete_lnk_files_pattern($1, tmpfile, tmpfile)
 	delete_fifo_files_pattern($1, tmpfile, tmpfile)
 	delete_sock_files_pattern($1, tmpfile, tmpfile)
@ -6196,7 +6223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -3623,7 +3691,12 @@
+@@ -3623,7 +3709,12 @@
 		type usr_t;
 	')
@ -6210,7 +6237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -3662,6 +3735,7 @@
+@@ -3662,6 +3753,7 @@
 	allow $1 usr_t:dir list_dir_perms;
 	read_files_pattern($1, usr_t, usr_t)
 	read_lnk_files_pattern($1, usr_t, usr_t)
@ -6218,7 +6245,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -4955,7 +5029,7 @@
+@@ -4955,7 +5047,7 @@
 	selinux_compute_member($1)
 	# Need sys_admin capability for mounting
@ -6227,7 +6254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Need to give access to the directories to be polyinstantiated
 	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-@@ -4977,12 +5051,15 @@
+@@ -4977,12 +5069,15 @@
 	allow $1 poly_t:dir { create mounton };
 	fs_unmount_xattr_fs($1)
@ -6244,7 +6271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
-@@ -5003,3 +5080,173 @@
+@@ -5003,3 +5098,173 @@
 	typeattribute $1 files_unconfined_type;
 ')
@ -6770,8 +6797,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +gen_user(guest_u, user, guest_r, s0, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.18/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/roles/staff.te	2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/roles/staff.te	2009-06-25 17:28:57.000000000 -0400
-@@ -15,156 +15,103 @@
+@@ -15,156 +15,107 @@
 # Local policy
 #
@ -6794,11 +6821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -optional_policy(`
 -	cdrecord_role(staff_r, staff_t)
 -')
-+kernel_read_ring_buffer(staff_t)
+-
 +kernel_getattr_core_if(staff_t)
 +kernel_getattr_message_if(staff_t)
 +kernel_read_software_raid_state(staff_t)
 -optional_policy(`
 -	cron_role(staff_r, staff_t)
 -')
@ -6806,13 +6829,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -optional_policy(`
 -	dbus_role_template(staff, staff_r, staff_t)
 -')
-+auth_domtrans_pam_console(staff_t)
+kernel_read_ring_buffer(staff_t)
 +kernel_getattr_core_if(staff_t)
 +kernel_getattr_message_if(staff_t)
 +kernel_read_software_raid_state(staff_t)
 -optional_policy(`
 -	ethereal_role(staff_r, staff_t)
 -')
-+libs_manage_shared_libs(staff_t)
+-
 -optional_policy(`
 -	evolution_role(staff_r, staff_t)
 -')
@ -6820,100 +6845,103 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -optional_policy(`
 -	games_role(staff_r, staff_t)
 -')
-
+auth_domtrans_pam_console(staff_t)
 -optional_policy(`
 -	gift_role(staff_r, staff_t)
 -')
 +libs_manage_shared_libs(staff_t)
 -optional_policy(`
 -	gnome_role(staff_r, staff_t)
 -')
 +seutil_run_newrole(staff_t, staff_r)
 +netutils_run_ping(staff_t, staff_r)
 optional_policy(`
-	gnome_role(staff_r, staff_t)
+-	gpg_role(staff_r, staff_t)
 +	sudo_role_template(staff, staff_r, staff_t)
 ')
 optional_policy(`
-	gpg_role(staff_r, staff_t)
+-	irc_role(staff_r, staff_t)
 +	auditadm_role_change(staff_r)
 ')
 optional_policy(`
-	irc_role(staff_r, staff_t)
+-	java_role(staff_r, staff_t)
 +	kerneloops_manage_tmp_files(staff_t)
 ')
 optional_policy(`
-	java_role(staff_r, staff_t)
+-	lockdev_role(staff_r, staff_t)
 +	logadm_role_change(staff_r)
 ')
 optional_policy(`
-	lockdev_role(staff_r, staff_t)
+-	lpd_role(staff_r, staff_t)
 +	postgresql_role(staff_r, staff_t)
 ')
 optional_policy(`
 -	lpd_role(staff_r, staff_t)
 +	secadm_role_change(staff_r)
 ')
 optional_policy(`
 -	mozilla_role(staff_r, staff_t)
-+	ssh_role_template(staff, staff_r, staff_t)
+	rtkit_daemon_system_domain(staff_t)
 ')
 optional_policy(`
 -	mplayer_role(staff_r, staff_t)
-+	sysadm_role_change(staff_r)
+	secadm_role_change(staff_r)
 ')
 optional_policy(`
 -	mta_role(staff_r, staff_t)
-+	usernetctl_run(staff_t, staff_r)
+	ssh_role_template(staff, staff_r, staff_t)
 ')
 optional_policy(`
 -	oident_manage_user_content(staff_t)
 -	oident_relabel_user_content(staff_t)
-+	unconfined_role_change(staff_r)
+	sysadm_role_change(staff_r)
 ')
 optional_policy(`
 -	pyzor_role(staff_r, staff_t)
 +	usernetctl_run(staff_t, staff_r)
 ')
 optional_policy(`
 -	razor_role(staff_r, staff_t)
 +	unconfined_role_change(staff_r)
 ')
 optional_policy(`
 -	rssh_role(staff_r, staff_t)
 +	webadm_role_change(staff_r)
 ')
 -optional_policy(`
-	razor_role(staff_r, staff_t)
+-	screen_role_template(staff, staff_r, staff_t)
 -')
 +domain_read_all_domains_state(staff_t)
 +domain_getattr_all_domains(staff_t)
 +domain_obj_id_change_exemption(staff_t)
 -optional_policy(`
-	rssh_role(staff_r, staff_t)
+-	secadm_role_change(staff_r)
 -')
 +files_read_kernel_modules(staff_t)
 -optional_policy(`
-	screen_role_template(staff, staff_r, staff_t)
+-	spamassassin_role(staff_r, staff_t)
 -')
 +kernel_read_fs_sysctls(staff_t)
 -optional_policy(`
-	secadm_role_change(staff_r)
+-	ssh_role_template(staff, staff_r, staff_t)
 -')
 +modutils_read_module_config(staff_t)
 +modutils_read_module_deps(staff_t)
 -optional_policy(`
 -	spamassassin_role(staff_r, staff_t)
 -')
 -
 -optional_policy(`
 -	ssh_role_template(staff, staff_r, staff_t)
 -')
 -
 -optional_policy(`
 -	su_role_template(staff, staff_r, staff_t)
 -')
@ -7937,8 +7965,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.18/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/roles/unconfineduser.te	2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/roles/unconfineduser.te	2009-06-25 17:28:35.000000000 -0400
-@@ -0,0 +1,407 @@
+@@ -0,0 +1,411 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@ -8217,6 +8245,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +optional_policy(`
 +	rtkit_daemon_system_domain(unconfined_t)
 +')
 +
 +optional_policy(`
 +	samba_role_notrans(unconfined_r)
 +	samba_run_unconfined_net(unconfined_t, unconfined_r)
 +	samba_run_winbind_helper(unconfined_t, unconfined_r)
@ -8348,8 +8380,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.18/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/roles/unprivuser.te	2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/roles/unprivuser.te	2009-06-25 17:29:15.000000000 -0400
-@@ -14,142 +14,17 @@
+@@ -14,142 +14,21 @@
 userdom_unpriv_user_template(user)
 optional_policy(`
@ -8364,14 +8396,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 -	bluetooth_role(user_r, user_t)
-+	sandbox_transition(user_t, user_r)
+	rtkit_daemon_system_domain(user_t)
 ')
 optional_policy(`
 -	cdrecord_role(user_r, user_t)
-')
+	sandbox_transition(user_t, user_r)
-
+ ')
-optional_policy(`
+ 
 optional_policy(`
 -	cron_role(user_r, user_t)
 -')
 -
@ -15942,7 +15975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.18/policy/modules/services/nis.te
 --- nsaserefpolicy/policy/modules/services/nis.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/nis.te	2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/services/nis.te	2009-06-24 17:22:48.000000000 -0400
@@ -13,6 +13,9 @@
 type ypbind_exec_t;
 init_daemon_domain(ypbind_t, ypbind_exec_t)
@ -15963,7 +15996,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # ypbind local policy
-@@ -111,6 +117,16 @@
+@@ -65,9 +71,8 @@
 manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
 +kernel_read_system_state(ypbind_t)
 kernel_read_kernel_sysctls(ypbind_t)
 -kernel_list_proc(ypbind_t)
 -kernel_read_proc_symlinks(ypbind_t)
 corenet_all_recvfrom_unlabeled(ypbind_t)
 corenet_all_recvfrom_netlabel(ypbind_t)
@@ -111,6 +116,16 @@
 userdom_dontaudit_search_user_home_dirs(ypbind_t)
 optional_policy(`
@ -15980,7 +16024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	seutil_sigchld_newrole(ypbind_t)
 ')
-@@ -123,6 +139,7 @@
+@@ -123,6 +138,7 @@
 # yppasswdd local policy
 #
@ -15988,7 +16032,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit yppasswdd_t self:capability sys_tty_config;
 allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
 allow yppasswdd_t self:process { setfscreate signal_perms };
-@@ -153,8 +170,8 @@
+@@ -153,8 +169,8 @@
 corenet_udp_sendrecv_all_ports(yppasswdd_t)
 corenet_tcp_bind_generic_node(yppasswdd_t)
 corenet_udp_bind_generic_node(yppasswdd_t)
@ -15999,7 +16043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
 corenet_sendrecv_generic_server_packets(yppasswdd_t)
-@@ -241,6 +258,8 @@
+@@ -241,6 +257,8 @@
 corenet_udp_bind_generic_node(ypserv_t)
 corenet_tcp_bind_reserved_port(ypserv_t)
 corenet_udp_bind_reserved_port(ypserv_t)
@ -16008,7 +16052,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
 corenet_sendrecv_generic_server_packets(ypserv_t)
-@@ -306,6 +325,8 @@
+@@ -306,6 +324,8 @@
 corenet_udp_bind_generic_node(ypxfr_t)
 corenet_tcp_bind_reserved_port(ypxfr_t)
 corenet_udp_bind_reserved_port(ypxfr_t)
@ -16970,8 +17014,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:polkit_reload_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.18/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/polkit.if	2009-06-24 08:29:05.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/services/polkit.if	2009-06-25 17:34:50.000000000 -0400
-@@ -0,0 +1,242 @@
+@@ -0,0 +1,245 @@
 +
 +## <summary>policy for polkit_auth</summary>
 +
@ -17187,6 +17231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## <rolecap/>
 +#
 +template(`polkit_role',`
 +
 +	polkit_run_auth($2, $1)
 +	polkit_run_grant($2, $1)
 +	polkit_read_lib($2)
@ -17211,12 +17256,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		class dbus send_msg;
 +	')
 +
 +	ps_process_pattern(polkit_t, $1)
 +
 +	allow $1 polkit_t:dbus send_msg;
 +	allow polkit_t $1:dbus send_msg;
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.18/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/polkit.te	2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/services/polkit.te	2009-06-25 17:33:00.000000000 -0400
@@ -0,0 +1,235 @@
 +policy_module(polkit_auth, 1.0.0)
 +
@ -17260,7 +17307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +allow polkit_t self:unix_dgram_socket create_socket_perms;
 +allow polkit_t self:fifo_file rw_file_perms;
-+allow polkit_t self:unix_stream_socket create_stream_socket_perms;
+allow polkit_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +
 +polkit_domtrans_auth(polkit_t)
 +polkit_domtrans_resolve(polkit_t)
@ -19556,6 +19603,117 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 auth_can_read_shadow_passwords(rsync_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.fc
 --- nsaserefpolicy/policy/modules/services/rtkit_daemon.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.fc	2009-06-25 17:25:15.000000000 -0400
@@ -0,0 +1,2 @@
 +
 +/usr/libexec/rtkit-daemon	--	gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.if
 --- nsaserefpolicy/policy/modules/services/rtkit_daemon.if	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.if	2009-06-25 17:27:07.000000000 -0400
@@ -0,0 +1,64 @@
 +
 +## <summary>policy for rtkit_daemon</summary>
 +
 +########################################
 +## <summary>
 +##	Execute a domain transition to run rtkit_daemon.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
 +interface(`rtkit_daemon_domtrans',`
 +	gen_require(`
 +		type rtkit_daemon_t;
 +                type rtkit_daemon_exec_t;
 +	')
 +
 +	domtrans_pattern($1,rtkit_daemon_exec_t,rtkit_daemon_t)
 +')
 +
 +
 +########################################
 +## <summary>
 +##	Send and receive messages from
 +##	rtkit_daemon over dbus.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`rtkit_daemon_dbus_chat',`
 +	gen_require(`
 +		type rtkit_daemon_t;
 +		class dbus send_msg;
 +	')
 +
 +	allow $1 rtkit_daemon_t:dbus send_msg;
 +	allow rtkit_daemon_t $1:dbus send_msg;
 +')
 +
 +########################################
 +## <summary>
 +##	Send and receive messages from
 +##	rtkit_daemon over dbus.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`rtkit_daemon_system_domain',`
 +	gen_require(`
 +		type rtkit_daemon_t;
 +	')
 +
 +	ps_process_pattern(rtkit_daemon_t, $1)
 +	allow rtkit_daemon_t $1:process { getsched setsched };
 +	rtkit_daemon_dbus_chat($1)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.te
 --- nsaserefpolicy/policy/modules/services/rtkit_daemon.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.te	2009-06-25 17:29:28.000000000 -0400
@@ -0,0 +1,33 @@
 +policy_module(rtkit_daemon,1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +type rtkit_daemon_t;
 +type rtkit_daemon_exec_t;
 +dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
 +
 +permissive rtkit_daemon_t;
 +
 +########################################
 +#
 +# rtkit_daemon local policy
 +#
 +
 +allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
 +allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
 +allow rtkit_daemon_t self:capability sys_nice;
 +
 +fs_rw_anon_inodefs_files(rtkit_daemon_t)
 +
 +auth_use_nsswitch(rtkit_daemon_t)
 +
 +logging_send_syslog_msg(rtkit_daemon_t)
 +
 +miscfiles_read_localization(locale_t)
 +
 +optional_policy(`
 +        polkit_dbus_chat(rtkit_daemon_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.18/policy/modules/services/samba.fc
 --- nsaserefpolicy/policy/modules/services/samba.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.6.18/policy/modules/services/samba.fc	2009-06-20 06:49:47.000000000 -0400
@ -24148,7 +24306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.18/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/xserver.te	2009-06-24 16:23:32.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/services/xserver.te	2009-06-25 17:27:14.000000000 -0400
@@ -34,6 +34,13 @@
 ## <desc>
@ -24573,7 +24731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	hostname_exec(xdm_t)
 ')
-@@ -542,6 +648,24 @@
+@@ -542,6 +648,28 @@
 ')
 optional_policy(`
@ -24594,11 +24752,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	rpm_dontaudit_manage_db(xdm_t)
 +')
 +
 +optional_policy(`
 +	rtkit_daemon_system_domain(xdm_t)
 +')
 +
 +optional_policy(`
 	seutil_sigchld_newrole(xdm_t)
 ')
-@@ -550,8 +674,9 @@
+@@ -550,8 +678,9 @@
 ')
 optional_policy(`
@ -24610,7 +24772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +685,6 @@
+@@ -560,7 +689,6 @@
 	ifdef(`distro_rhel4',`
 		allow xdm_t self:process { execheap execmem };
 	')
@ -24618,7 +24780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +695,10 @@
+@@ -571,6 +699,10 @@
 ')
 optional_policy(`
@ -24629,7 +24791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	xfs_stream_connect(xdm_t)
 ')
-@@ -587,7 +715,7 @@
+@@ -587,7 +719,7 @@
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
@ -24638,7 +24800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit xserver_t self:capability chown;
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +730,11 @@
+@@ -602,9 +734,11 @@
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -24650,7 +24812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -616,13 +746,14 @@
+@@ -616,13 +750,14 @@
 type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
 allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@ -24666,7 +24828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +766,19 @@
+@@ -635,9 +770,19 @@
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -24686,7 +24848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
-@@ -680,9 +821,14 @@
+@@ -680,9 +825,14 @@
 dev_rw_xserver_misc(xserver_t)
 # read events - the synaptics touchpad driver reads raw events
 dev_rw_input_dev(xserver_t)
@ -24701,7 +24863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +843,12 @@
+@@ -697,8 +847,12 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -24714,7 +24876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 selinux_validate_context(xserver_t)
 selinux_compute_access_vector(xserver_t)
-@@ -720,6 +870,7 @@
+@@ -720,6 +874,7 @@
 miscfiles_read_localization(xserver_t)
 miscfiles_read_fonts(xserver_t)
@ -24722,7 +24884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 modutils_domtrans_insmod(xserver_t)
-@@ -742,7 +893,7 @@
+@@ -742,7 +897,7 @@
 ')
 ifdef(`enable_mls',`
@ -24731,7 +24893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
 ')
-@@ -774,12 +925,20 @@
+@@ -774,12 +929,20 @@
 ')
 optional_policy(`
@ -24753,7 +24915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	unconfined_domtrans(xserver_t)
 ')
-@@ -806,7 +965,7 @@
+@@ -806,7 +969,7 @@
 allow xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xserver_t xdm_var_lib_t:dir search;
@ -24762,7 +24924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +986,14 @@
+@@ -827,9 +990,14 @@
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -24777,7 +24939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
 	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +1008,14 @@
+@@ -844,11 +1012,14 @@
 optional_policy(`
 	dbus_system_bus_client(xserver_t)
@ -24793,7 +24955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -856,6 +1023,11 @@
+@@ -856,6 +1027,11 @@
 	rhgb_rw_tmpfs_files(xserver_t)
 ')
@ -24805,7 +24967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Rules common to all X window domains
-@@ -881,6 +1053,8 @@
+@@ -881,6 +1057,8 @@
 # X Server
 # can read server-owned resources
 allow x_domain xserver_t:x_resource read;
@ -24814,7 +24976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # can mess with own clients
 allow x_domain self:x_client { manage destroy };
-@@ -905,6 +1079,8 @@
+@@ -905,6 +1083,8 @@
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -24823,7 +24985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # X Colormaps
 # can use the default colormap
 allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1148,49 @@
+@@ -972,17 +1152,49 @@
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@ -25539,7 +25701,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.18/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/system/init.te	2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/system/init.te	2009-06-25 09:03:05.000000000 -0400
@@ -17,6 +17,20 @@
 ## </desc>
 gen_tunable(init_upstart,false)
@ -25701,7 +25863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -343,14 +384,14 @@
+@@ -343,14 +384,15 @@
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -25709,6 +25871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +files_manage_all_locks(initrc_t)
 +files_manage_boot_files(initrc_t)
 files_read_all_pids(initrc_t)
 +files_delete_root_file(initrc_t)
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
@ -25718,7 +25881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_exec_etc_files(initrc_t)
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
-@@ -366,7 +407,9 @@
+@@ -366,7 +408,9 @@
 libs_rw_ld_so_cache(initrc_t)
 libs_exec_lib_files(initrc_t)
@ -25728,7 +25891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_send_syslog_msg(initrc_t)
 logging_manage_generic_logs(initrc_t)
 logging_read_all_logs(initrc_t)
-@@ -451,7 +494,7 @@
+@@ -451,11 +495,9 @@
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -25736,8 +25899,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	kernel_use_fds(initrc_t)
 	files_dontaudit_read_root_files(initrc_t)
- 	selinux_set_enforce_mode(initrc_t)
+-	selinux_set_enforce_mode(initrc_t)
-@@ -465,6 +508,7 @@
+-
 	# These seem to be from the initrd
 	# during device initialization:
 	dev_create_generic_dirs(initrc_t)
@@ -465,6 +507,7 @@
 	storage_raw_read_fixed_disk(initrc_t)
 	storage_raw_write_fixed_disk(initrc_t)
@ -25745,7 +25912,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
 	# wants to read /.fonts directory
-@@ -498,6 +542,7 @@
+@@ -498,6 +541,7 @@
 	optional_policy(`
 		#for /etc/rc.d/init.d/nfs to create /etc/exports
 		rpc_write_exports(initrc_t)
@ -25753,7 +25920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 	optional_policy(`
-@@ -516,6 +561,33 @@
+@@ -516,6 +560,33 @@
 	')
 ')
@ -25787,7 +25954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +642,10 @@
+@@ -570,6 +641,10 @@
 	dbus_read_config(initrc_t)
 	optional_policy(`
@ -25798,7 +25965,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		networkmanager_dbus_chat(initrc_t)
 	')
 ')
-@@ -591,6 +667,10 @@
+@@ -591,6 +666,10 @@
 ')
 optional_policy(`
@ -25809,7 +25976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	dev_read_usbfs(initrc_t)
 	# init scripts run /etc/hotplug/usb.rc
-@@ -647,20 +727,20 @@
+@@ -647,20 +726,20 @@
 ')
 optional_policy(`
@ -25836,7 +26003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	ifdef(`distro_redhat',`
-@@ -669,6 +749,7 @@
+@@ -669,6 +748,7 @@
 	mysql_stream_connect(initrc_t)
 	mysql_write_log(initrc_t)
@ -25844,7 +26011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -719,8 +800,6 @@
+@@ -719,8 +799,6 @@
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -25853,7 +26020,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -733,10 +812,12 @@
+@@ -733,10 +811,12 @@
 	squid_manage_logs(initrc_t)
 ')
@ -25866,7 +26033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +835,11 @@
+@@ -754,6 +834,11 @@
 	uml_setattr_util_sockets(initrc_t)
 ')
@ -25878,7 +26045,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	unconfined_domain(initrc_t)
-@@ -765,6 +851,13 @@
+@@ -765,6 +850,13 @@
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -25892,7 +26059,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -790,3 +883,35 @@
+@@ -790,3 +882,35 @@
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.19
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -473,6 +473,9 @@ exit 0
 %endif
 %changelog
 * Thu Jun 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-5
 - Add rtkit policy
 * Wed Jun 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-4
 - Allow rpcd_t to stream connect to rpcbind