From 4967aaa3207ddc34275bbb9717e11aae130c46fb Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Thu, 3 May 2007 14:15:38 +0000
Subject: [PATCH] Miscellaneous consolekit fixes from Dan Walsh.

---
 Changelog                             |  1 +
 policy/modules/services/consolekit.te | 23 +++++++++++++++--------
 policy/modules/services/xserver.if    | 25 ++++++++++++++++++++++++-
 policy/modules/services/xserver.te    |  3 ++-
 4 files changed, 42 insertions(+), 10 deletions(-)

diff --git a/Changelog b/Changelog
index b2754fc1..943f7f0c 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Miscellaneous consolekit fixes from Dan Walsh.
 - Patch to have avahi use the nsswitch interface rather than individual
   permissions from Dan Walsh.
 - Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
index e54c2626..cfe7fde5 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -1,5 +1,5 @@
 
-policy_module(consolekit,1.1.0)
+policy_module(consolekit,1.1.1)
 
 ########################################
 #
@@ -19,15 +19,20 @@ files_pid_file(consolekit_var_run_t)
 # consolekit local policy
 #
 
-allow consolekit_t self:capability { sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:capability { setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
 allow consolekit_t self:process { getsched signal };
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
+allow consolekit_t self:unix_dgram_socket create_socket_perms;
 
 # pid file
 manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t)
 files_pid_filetrans(consolekit_t,consolekit_var_run_t, file)
 
+kernel_read_system_state(consolekit_t)
+
+corecmd_exec_bin(consolekit_t)
+
 dev_read_urand(consolekit_t)
 dev_read_sysfs(consolekit_t)
 
@@ -38,18 +43,15 @@ files_read_etc_files(consolekit_t)
 # needs to read /var/lib/dbus/machine-id
 files_read_var_lib_files(consolekit_t)
 
-term_use_console(consolekit_t)
+fs_list_inotifyfs(consolekit_t)
+
+term_use_all_terms(consolekit_t)
 
 libs_use_ld_so(consolekit_t)
 libs_use_shared_libs(consolekit_t)
 
 miscfiles_read_localization(consolekit_t)
 
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(consolekit_t)
-	term_dontaudit_use_generic_ptys(consolekit_t)
-')
-
 optional_policy(`
 	dbus_system_bus_client_template(consolekit, consolekit_t)
 	dbus_send_system_bus(consolekit_t)
@@ -61,3 +63,8 @@ optional_policy(`
 		unconfined_dbus_chat(consolekit_t)
 	')
 ')
+
+optional_policy(`
+	xserver_read_all_users_xauth(consolekit_t)
+	xserver_stream_connect_xdm_xserver(consolekit_t)
+')
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 71011956..39512fe1 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -263,7 +263,7 @@ template(`xserver_per_role_template',`
 	domain_entry_file($1_xauth_t,xauth_exec_t)
 	role $3 types $1_xauth_t;
 
-	type $1_xauth_home_t alias $1_xauth_rw_t;
+	type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type;
 	files_poly_member($1_xauth_home_t)
 	userdom_user_home_content($1,$1_xauth_home_t)
 
@@ -717,6 +717,29 @@ interface(`xserver_use_all_users_fonts',`
 	userdom_search_all_users_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Read all users .Xauthority.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_all_users_xauth',`
+	gen_require(`
+		attribute xauth_home_type;
+	')
+
+	ifdef(`strict_policy',`
+		allow $1 xauth_home_type:file read_file_perms;
+		userdom_search_all_users_home_dirs($1)
+	',`
+		userdom_read_generic_user_home_content_files($1)
+	')
+')
+
 ########################################
 ## <summary>
 ##	Set the attributes of the X windows console named pipes.
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index fe433d5b..6493e17f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.4.0)
+policy_module(xserver,1.4.1)
 
 ########################################
 #
@@ -26,6 +26,7 @@ gen_tunable(xdm_sysadm_login,false)
 attribute fonts_type;
 attribute fonts_cache_type;
 attribute fonts_config_type;
+attribute xauth_home_type;
 
 type iceauth_exec_t;
 corecmd_executable_file(iceauth_exec_t)