- Allow initrc_t to dbus chat with consolekit.

2008-03-29 18:36:09 +00:00 · 2008-03-29 18:36:09 +00:00 · 294ea7a213
commit 294ea7a213
parent e54cb216a8
2 changed files with 163 additions and 108 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -5454,8 +5454,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-03-28 09:20:56.000000000 +0100
-@@ -0,0 +1,179 @@
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-03-29 12:28:11.000000000 +0100
+@@ -0,0 +1,183 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@ -5587,6 +5587,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 +
 +optional_policy(`
+	unconfined_execmem_signull(nsplugin_t)
+')
+
+optional_policy(`
 +	xserver_stream_connect_xdm_xserver(nsplugin_t)
 +	xserver_xdm_rw_shm(nsplugin_t)
 +	xserver_read_xdm_tmp_files(nsplugin_t)
@ -6817,7 +6821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.3.1/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-29 23:02:31.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if	2008-02-26 20:19:56.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if	2008-03-29 13:08:46.000000000 +0100
@@ -65,7 +65,7 @@
 
 	relabelfrom_dirs_pattern($1,device_t,device_node)
@ -7741,7 +7745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-10-29 23:02:31.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if	2008-02-27 22:58:04.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if	2008-03-29 13:06:34.000000000 +0100
@@ -851,9 +851,8 @@
 		type proc_t, proc_afs_t;
 	')
@ -12733,7 +12737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2007-12-19 11:32:17.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-03-19 19:48:13.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-03-29 13:18:18.000000000 +0100
@@ -9,6 +9,7 @@
 #
 # Delcarations
@ -12811,7 +12815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 
 libs_use_ld_so(system_dbusd_t)
 libs_use_shared_libs(system_dbusd_t)
-@@ -121,9 +139,26 @@
+@@ -121,9 +139,28 @@
 ')
 
 optional_policy(`
@ -12834,8 +12838,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +optional_policy(`
 +	gen_require(`
 +		type unconfined_dbusd_t;
+		attribute domain;
 +	')
 +	unconfined_domain(unconfined_dbusd_t)
+	allow dbusd_unconfined domain:consolekit_t:dbus send_msg;
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.3.1/policy/modules/services/dcc.if
@ -13746,7 +13752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.3.1/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2008-02-26 14:17:43.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/dovecot.te	2008-02-26 14:29:22.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/services/dovecot.te	2008-03-29 12:22:39.000000000 +0100
@@ -15,6 +15,12 @@
 domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
 role system_r types dovecot_auth_t;
@ -13838,7 +13844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 files_read_usr_symlinks(dovecot_auth_t)
 files_search_tmp(dovecot_auth_t)
 files_read_var_lib_files(dovecot_t)
-@@ -184,5 +205,49 @@
+@@ -184,5 +205,53 @@
 ')
 
 optional_policy(`
@ -13876,6 +13882,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +files_read_etc_files(dovecot_deliver_t)
 +files_read_etc_runtime_files(dovecot_deliver_t)
 +
+auth_use_nsswitch(dovecot_deliver_t)
+
 +libs_use_ld_so(dovecot_deliver_t)
 +libs_use_shared_libs(dovecot_deliver_t)
 +
@ -13885,6 +13893,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +
 +dovecot_auth_stream_connect(dovecot_deliver_t)
 +
+userdom_priveleged_home_dir_manager(dovecot_deliver_t)
+
 +optional_policy(`
 +	mta_manage_spool(dovecot_deliver_t)
 ')
@ -23614,8 +23624,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.if serefpolicy-3.3.1/policy/modules/services/stunnel.if
 --- nsaserefpolicy/policy/modules/services/stunnel.if	2006-11-16 23:15:20.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/stunnel.if	2008-03-18 19:31:14.000000000 +0100
-@@ -1 +1,24 @@
+++ serefpolicy-3.3.1/policy/modules/services/stunnel.if	2008-03-29 17:44:16.000000000 +0100
+@@ -1 +1,25 @@
 ## <summary>SSL Tunneling Proxy</summary>
 +
 +########################################
@ -23639,6 +23649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stun
 +	')
 +
 +	domtrans_pattern(stunnel_t,$2,$1)
+	allow $1 stunnel_t:tcp_socket rw_socket_perms;
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.3.1/policy/modules/services/telnet.te
 --- nsaserefpolicy/policy/modules/services/telnet.te	2007-12-19 11:32:17.000000000 +0100
@ -26939,7 +26950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-02-26 14:17:43.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-03-12 13:37:59.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-03-29 13:15:04.000000000 +0100
@@ -10,6 +10,20 @@
 # Declarations
 #
@ -27142,22 +27153,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -559,14 +622,6 @@
- ')
+@@ -554,16 +617,12 @@
+ 	dbus_read_config(initrc_t)
 
- optional_policy(`
+ 	optional_policy(`
+-		networkmanager_dbus_chat(initrc_t)
+		consolekit_dbus_chat(initrc_t)
+ 	')
+-')
+ 
+-optional_policy(`
 -	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 -	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 -	# the directory. But we do not want to allow this.
 -	# The master process of dovecot will manage this file.
 -	dovecot_dontaudit_unlink_lib_files(initrc_t)
-')
-
-optional_policy(`
- 	ftp_read_config(initrc_t)
+	optional_policy(`
+		networkmanager_dbus_chat(initrc_t)
+	')
 ')
 
-@@ -639,12 +694,6 @@
+ optional_policy(`
+@@ -639,12 +698,6 @@
 	mta_read_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
@ -27170,7 +27187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 
 optional_policy(`
 	ifdef(`distro_redhat',`
-@@ -705,6 +754,9 @@
+@@ -705,6 +758,9 @@
 
 	# why is this needed:
 	rpm_manage_db(initrc_t)
@ -27180,7 +27197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 
 optional_policy(`
-@@ -717,9 +769,11 @@
+@@ -717,9 +773,11 @@
 	squid_manage_logs(initrc_t)
 ')
 
@ -27195,7 +27212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 
 optional_policy(`
-@@ -738,6 +792,11 @@
+@@ -738,6 +796,11 @@
 	uml_setattr_util_sockets(initrc_t)
 ')
 
@ -27207,7 +27224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 	unconfined_domain(initrc_t)
 
-@@ -752,6 +811,10 @@
+@@ -752,6 +815,10 @@
 ')
 
 optional_policy(`
@ -27218,7 +27235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	vmware_read_system_config(initrc_t)
 	vmware_append_system_config(initrc_t)
 ')
-@@ -774,3 +837,4 @@
+@@ -774,3 +841,4 @@
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -29744,7 +29761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +/usr/sbin/sysreport	 	    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-11-16 21:30:49.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if	2008-03-04 23:26:54.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if	2008-03-29 12:26:49.000000000 +0100
@@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
@ -29806,7 +29823,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 ########################################
-@@ -581,7 +587,6 @@
+@@ -372,6 +378,24 @@
+ 
+ ########################################
+ ## <summary>
+##	Send a SIGNULL signal to the unconfined execmem domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_execmem_signull',`
+	gen_require(`
+		type unconfined_execmem_t;
+	')
+
+	allow $1 unconfined_execmem_t:process signull;
+')
+
+########################################
+## <summary>
+ ##	Send generic signals to the unconfined domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -581,7 +605,6 @@
 interface(`unconfined_dbus_connect',`
 	gen_require(`
 		type unconfined_t;
@ -29814,7 +29856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	')
 
 	allow $1 unconfined_t:dbus acquire_svc;
-@@ -589,7 +594,139 @@
+@@ -589,7 +612,120 @@
 
 ########################################
 ## <summary>
@ -29933,34 +29975,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +########################################
 +## <summary>
 +##	Allow apps to set rlimits on userdomain
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`unconfined_set_rlimitnh',`
-+	gen_require(`
-+		type unconfined_t;
-+	')
-+
-+	allow $1 unconfined_t:process rlimitinh;
-+')
-+
-+########################################
-+## <summary>
-+##	Allow the specified domain to read/write to
-+##	unconfined with a unix domain stream sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -597,41 +734,43 @@
+@@ -597,20 +733,18 @@
 ##	</summary>
 ## </param>
 #
 -interface(`unconfined_read_home_content_files',`
-+interface(`unconfined_rw_stream_sockets',`
+interface(`unconfined_set_rlimitnh',`
 	gen_require(`
 -		type unconfined_home_dir_t, unconfined_home_t;
 +		type unconfined_t;
@ -29970,12 +29993,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -	allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
 -	read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
 -	read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
-+	allow $1 unconfined_t:unix_stream_socket { read write };
+	allow $1 unconfined_t:process rlimitinh;
 ')
 
 ########################################
 ## <summary>
 -##	Read unconfined users temporary files.
+##	Allow the specified domain to read/write to
+##	unconfined with a unix domain stream sockets.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -618,31 +752,54 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`unconfined_read_tmp_files',`
+interface(`unconfined_rw_stream_sockets',`
+ 	gen_require(`
+-		type unconfined_tmp_t;
+		type unconfined_t;
+ 	')
+ 
+-	files_search_tmp($1)
+-	allow $1 unconfined_tmp_t:dir list_dir_perms;
+-	read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+-	read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+	allow $1 unconfined_t:unix_stream_socket { read write };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write unconfined users temporary files.
 +##	Read/write unconfined tmpfs files.
 ## </summary>
 +## <desc>
@ -29989,38 +30038,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ##	</summary>
 ## </param>
 #
-interface(`unconfined_read_tmp_files',`
+-interface(`unconfined_write_tmp_files',`
 +interface(`unconfined_rw_tmpfs_files',`
 	gen_require(`
 -		type unconfined_tmp_t;
 +		type unconfined_tmpfs_t;
- 	')
- 
-	files_search_tmp($1)
-	allow $1 unconfined_tmp_t:dir list_dir_perms;
-	read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
-	read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+	')
+
 +	fs_search_tmpfs($1)
 +	allow $1 unconfined_tmpfs_t:dir list_dir_perms;
 +	rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
 +	read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
- ')
- 
- ########################################
- ## <summary>
-##	Write unconfined users temporary files.
+')
+
+########################################
+## <summary>
 +##	Get the process group of unconfined.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -639,10 +778,10 @@
- ##	</summary>
- ## </param>
- #
-interface(`unconfined_write_tmp_files',`
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 +interface(`unconfined_getpgid',`
- 	gen_require(`
-		type unconfined_tmp_t;
+	gen_require(`
 +		type unconfined_t;
 	')
 
@ -30364,7 +30406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 15:52:56.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-27 23:47:44.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-29 13:10:01.000000000 +0100
@@ -29,9 +29,14 @@
 	')
 
@ -30381,7 +30423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	corecmd_shell_entry_type($1_t)
 	corecmd_bin_entry_type($1_t)
 	domain_user_exemption_target($1_t)
-@@ -45,66 +50,76 @@
+@@ -45,66 +50,78 @@
 	type $1_tty_device_t; 
 	term_user_tty($1_t,$1_tty_device_t)
 
@ -30442,6 +30484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
 +	kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
 +	kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
+	kernel_dontaudit_list_proc($1_usertype)
 
 	# When the user domain runs ps, there will be a number of access
 	# denials when ps tries to search /proc.  Do not audit these denials.
@ -30491,23 +30534,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +	dev_dontaudit_getattr_all_blk_files($1_usertype)
 +	dev_dontaudit_getattr_all_chr_files($1_usertype)
-+
-+	auth_use_nsswitch($1_usertype)
-+
-+	libs_use_ld_so($1_usertype)
-+	libs_use_shared_libs($1_usertype)
-+	libs_exec_ld_so($1_usertype)
+	dev_getattr_mtrr_dev($1_t)
 
 -	miscfiles_read_localization($1_t)
 -	miscfiles_read_certs($1_t)
-
+	auth_use_nsswitch($1_usertype)
+ 
 -	sysnet_read_config($1_t)
+	libs_use_ld_so($1_usertype)
+	libs_use_shared_libs($1_usertype)
+	libs_exec_ld_so($1_usertype)
+
 +	miscfiles_read_localization($1_usertype)
 +	miscfiles_read_certs($1_usertype)
 
 	tunable_policy(`allow_execmem',`
 		# Allow loading DSOs that require executable stack.
-@@ -115,6 +130,10 @@
+@@ -115,6 +132,10 @@
 		# Allow making the stack executable via mprotect.
 		allow $1_t self:process execstack;
 	')
@ -30518,7 +30561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -141,33 +160,13 @@
+@@ -141,33 +162,13 @@
 #
 template(`userdom_ro_home_template',`
 	gen_require(`
@ -30557,7 +30600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 
 	##############################
 	#
-@@ -175,13 +174,14 @@
+@@ -175,13 +176,14 @@
 	#
 
 	# read-only home directory
@ -30579,7 +30622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	files_list_home($1_t)
 
 	tunable_policy(`use_nfs_home_dirs',`
-@@ -231,30 +231,14 @@
+@@ -231,30 +233,14 @@
 #
 template(`userdom_manage_home_template',`
 	gen_require(`
@ -30616,7 +30659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 
 	##############################
 	#
-@@ -262,43 +246,46 @@
+@@ -262,43 +248,46 @@
 	#
 
 	# full control of the home directory
@ -30691,7 +30734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 ')
 
-@@ -316,14 +303,20 @@
+@@ -316,14 +305,20 @@
 ## <rolebase/>
 #
 template(`userdom_exec_home_template',`
@ -30717,7 +30760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 ')
 
-@@ -341,11 +334,10 @@
+@@ -341,11 +336,10 @@
 ## <rolebase/>
 #
 template(`userdom_poly_home_template',`
@ -30733,7 +30776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -369,18 +361,18 @@
+@@ -369,18 +363,18 @@
 #
 template(`userdom_manage_tmp_template',`
 	gen_require(`
@ -30762,7 +30805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -396,7 +388,13 @@
+@@ -396,7 +390,13 @@
 ## <rolebase/>
 #
 template(`userdom_exec_tmp_template',`
@ -30777,7 +30820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -445,12 +443,12 @@
+@@ -445,12 +445,12 @@
 	type $1_tmpfs_t, $1_file_type;
 	files_tmpfs_file($1_tmpfs_t)
 
@ -30796,7 +30839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -510,10 +508,6 @@
+@@ -510,10 +510,6 @@
 ## <rolebase/>
 #
 template(`userdom_exec_generic_pgms_template',`
@ -30807,7 +30850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	corecmd_exec_bin($1_t)
 ')
 
-@@ -531,27 +525,20 @@
+@@ -531,27 +527,20 @@
 ## <rolebase/>
 #
 template(`userdom_basic_networking_template',`
@ -30847,7 +30890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -568,30 +555,32 @@
+@@ -568,30 +557,32 @@
 #
 template(`userdom_xwindows_client_template',`
 	gen_require(`
@ -30896,7 +30939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -622,13 +611,7 @@
+@@ -622,13 +613,7 @@
 ## <summary>
 ##	The template for allowing the user to change roles.
 ## </summary>
@ -30911,7 +30954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
-@@ -692,183 +675,194 @@
+@@ -692,183 +677,194 @@
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 
@ -31187,7 +31230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 
 	optional_policy(`
-@@ -895,6 +889,8 @@
+@@ -895,6 +891,8 @@
 ## </param>
 #
 template(`userdom_login_user_template', `
@ -31196,7 +31239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	userdom_base_user_template($1)
 
 	userdom_manage_home_template($1)
-@@ -923,70 +919,68 @@
+@@ -923,70 +921,68 @@
 
 	allow $1_t self:context contains;
 
@ -31299,7 +31342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 ')
 
-@@ -1020,9 +1014,6 @@
+@@ -1020,9 +1016,6 @@
 	domain_interactive_fd($1_t)
 
 	typeattribute $1_devpts_t user_ptynode;
@ -31309,7 +31352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	typeattribute $1_tty_device_t user_ttynode;
 
 	##############################
-@@ -1031,16 +1022,29 @@
+@@ -1031,16 +1024,29 @@
 	#
 
 	# privileged home directory writers
@ -31345,7 +31388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -1068,6 +1072,13 @@
+@@ -1068,6 +1074,13 @@
 
 	userdom_restricted_user_template($1)
 
@ -31359,7 +31402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	userdom_xwindows_client_template($1)
 
 	##############################
-@@ -1076,14 +1087,16 @@
+@@ -1076,14 +1089,16 @@
 	#
 
 	authlogin_per_role_template($1, $1_t, $1_r)
@ -31381,7 +31424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	logging_dontaudit_send_audit_msgs($1_t)
 
 	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1091,32 +1104,29 @@
+@@ -1091,32 +1106,29 @@
 	selinux_get_enforce_mode($1_t)
 
 	optional_policy(`
@ -31425,7 +31468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 ')
 
-@@ -1127,10 +1137,10 @@
+@@ -1127,10 +1139,10 @@
 ## </summary>
 ## <desc>
 ##	<p>
@ -31440,7 +31483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	This template creates a user domain, types, and
 ##	rules for the user's tty, pty, home directories,
 ##	tmp, and tmpfs files.
-@@ -1164,7 +1174,6 @@
+@@ -1164,7 +1176,6 @@
 	# Need the following rule to allow users to run vpnc
 	corenet_tcp_bind_xserver_port($1_t)
 
@ -31448,7 +31491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	# cjp: why?
 	files_read_kernel_symbol_table($1_t)
 
-@@ -1193,12 +1202,11 @@
+@@ -1193,12 +1204,11 @@
 	# and may change other protocols
 	tunable_policy(`user_tcp_server',`
 		corenet_tcp_bind_all_nodes($1_t)
@ -31463,7 +31506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 
 	# Run pppd in pppd_t by default for user
-@@ -1207,7 +1215,27 @@
+@@ -1207,7 +1217,27 @@
 	')
 
 	optional_policy(`
@ -31492,7 +31535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 ')
 
-@@ -1284,8 +1312,6 @@
+@@ -1284,8 +1314,6 @@
 	# Manipulate other users crontab.
 	allow $1_t self:passwd crontab;
 
@ -31501,6 +31544,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
 	kernel_getattr_message_if($1_t)
+@@ -1307,8 +1335,6 @@
+ 
+ 	dev_getattr_generic_blk_files($1_t)
+ 	dev_getattr_generic_chr_files($1_t)
+-	# for lsof
+-	dev_getattr_mtrr_dev($1_t)
+ 	# Allow MAKEDEV to work
+ 	dev_create_all_blk_files($1_t)
+ 	dev_create_all_chr_files($1_t)
@@ -1363,13 +1389,6 @@
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 25%{?dist}
+Release: 26%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -387,6 +387,9 @@ exit 0
 %endif

 %changelog
+* Sat Mar 28 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-26
+- Allow initrc_t to dbus chat with consolekit.
+
 * Thu Mar 27 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-25
 - Additional access for nsplugin
 - Allow xdm setcap/getcap until pulseaudio is fixed