- More access needed for devicekit

- Add dbadm policy
2010-08-30 11:58:36 -04:00 · 2010-08-30 11:58:36 -04:00 · 6578cf7413
parent acb1aed3a4
commit 6578cf7413
6 changed files with 395 additions and 2312 deletions
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@ -0,0 +1 @@
+modules-targeted.conf
--- a/modules-mls.conf
+++ b/modules-mls.conf
@ -1812,6 +1812,13 @@ telepathy = module
 # 
 vmware = module

+# Layer: role
+# Module: dbadm
+#
+# Minimally prived root role for managing databases
+# 
+dbadm = module
+
 # Layer: role
 # Module: logadm
 #
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -2015,6 +2015,13 @@ rssh = module
 # 
 vmware = module

+# Layer: role
+# Module: dbadm
+#
+# Minimally prived root role for managing databases
+# 
+dbadm = module
+
 # Layer: role
 # Module: logadm
 #
--- a/policy-F14.patch
+++ b/policy-F14.patch
@ -502,14 +502,18 @@ index 89b9f2a..9cba75f 100644
 	pcscd_read_pub_files(certwatch_t)
 ')
 diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
-index 2b12a37..ce00934 100644
+index 2b12a37..a370656 100644
 --- a/policy/modules/admin/consoletype.te
 +++ b/policy/modules/admin/consoletype.te
-@@ -85,6 +85,7 @@ optional_policy(`
- 	hal_dontaudit_rw_pipes(consoletype_t)
- 	hal_dontaudit_rw_dgram_sockets(consoletype_t)
- 	hal_dontaudit_write_log(consoletype_t)
-+	hal_dontaudit_read_pid_files(consoletype_t)
+@@ -81,10 +81,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	hal_dontaudit_use_fds(consoletype_t)
+-	hal_dontaudit_rw_pipes(consoletype_t)
+-	hal_dontaudit_rw_dgram_sockets(consoletype_t)
+-	hal_dontaudit_write_log(consoletype_t)
+	hal_dontaudit_leaks(consoletype_t)
 ')
 
 optional_policy(`
@ -1672,6 +1676,19 @@ index 6a5004b..50cd538 100644
 	rpm_manage_cache(tmpreaper_t)
 ')
 
+diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
+index aa9636d..7851643 100644
+--- a/policy/modules/admin/tzdata.te
+++ b/policy/modules/admin/tzdata.te
+@@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t)
+ # tzdata local policy
+ #
+ 
+-files_read_etc_files(tzdata_t)
+files_read_config_files(tzdata_t)
+ files_search_spool(tzdata_t)
+ 
+ fs_getattr_xattr_fs(tzdata_t)
 diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
 index aecbf1c..0b5e634 100644
 --- a/policy/modules/admin/usermanage.if
@ -2341,7 +2358,7 @@ index 00a19e3..46db5ff 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..852f36f 100644
+index f5afe78..ffd9870 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
@@ -37,8 +37,26 @@ interface(`gnome_role',`
@ -2520,7 +2537,7 @@ index f5afe78..852f36f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -122,12 +189,52 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +189,71 @@ interface(`gnome_stream_connect_gconf',`
 ##	</summary>
 ## </param>
 #
@ -2538,6 +2555,25 @@ index f5afe78..852f36f 100644
 +
 +########################################
 +## <summary>
+##	append to generic cache home files (.cache)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_append_generic_cache_files',`
+	gen_require(`
+		type cache_home_t;
+	')
+
+	append_files_pattern($1, cache_home_t, cache_home_t)
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
 +##	write to generic cache home files (.cache)
 +## </summary>
 +## <param name="domain">
@ -2576,7 +2612,7 @@ index f5afe78..852f36f 100644
 ')
 
 ########################################
-@@ -151,40 +258,270 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +277,288 @@ interface(`gnome_setattr_config_dirs',`
 
 ########################################
 ## <summary>
@ -2694,8 +2730,10 @@ index f5afe78..852f36f 100644
 	gen_require(`
 -		type gnome_home_t;
 +		type gconfd_exec_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 gnome_home_t:dir manage_dir_perms;
+-	allow $1 gnome_home_t:file manage_file_perms;
 +	can_exec($1, gconfd_exec_t)
 +')
 +
@ -2734,10 +2772,8 @@ index f5afe78..852f36f 100644
 +interface(`gnome_search_gconf',`
 +	gen_require(`
 +		type gconf_home_t;
- 	')
- 
-	allow $1 gnome_home_t:dir manage_dir_perms;
-	allow $1 gnome_home_t:file manage_file_perms;
+	')
+
 +	allow $1 gconf_home_t:dir search_dir_perms;
 	userdom_search_user_home_dirs($1)
 ')
@ -2805,7 +2841,7 @@ index f5afe78..852f36f 100644
 +
 +########################################
 +## <summary>
-+##	read gnome homedir content (.config)
+##	list gnome homedir content (.config)
 +## </summary>
 +## <param name="user_domain">
 +##	<summary>
@ -2823,6 +2859,24 @@ index f5afe78..852f36f 100644
 +
 +########################################
 +## <summary>
+##	read gnome homedir content (.config)
+## </summary>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`gnome_read_home_config',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	read_files_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
 +##	Read/Write all inherited gnome home config 
 +## </summary>
 +## <param name="domain">
@ -6621,7 +6675,7 @@ index 9d24449..9782698 100644
 /opt/google/picasa(/.*)?/bin/notepad --	gen_context(system_u:object_r:wine_exec_t,s0)
 /opt/google/picasa(/.*)?/bin/progman --	gen_context(system_u:object_r:wine_exec_t,s0)
 diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
-index c26662d..9cbfded 100644
+index c26662d..62e455a 100644
 --- a/policy/modules/apps/wine.if
 +++ b/policy/modules/apps/wine.if
@@ -29,12 +29,16 @@
@ -6641,7 +6695,17 @@ index c26662d..9cbfded 100644
 	allow wine_t $2:fd use;
 	allow wine_t $2:process { sigchld signull };
 	allow wine_t $2:unix_stream_socket connectto;
-@@ -86,6 +90,7 @@ template(`wine_role',`
+@@ -44,8 +48,7 @@ template(`wine_role',`
+ 	allow $2 wine_t:process signal_perms;
+ 
+ 	allow $2 wine_t:fd use;
+-	allow $2 wine_t:shm { associate getattr };
+-	allow $2 wine_t:shm { unix_read unix_write };
+	allow $2 wine_t:shm { associate getattr  unix_read unix_write };
+ 	allow $2 wine_t:unix_stream_socket connectto;
+ 
+ 	# X access, Home files
+@@ -86,6 +89,7 @@ template(`wine_role',`
 #
 template(`wine_role_template',`
 	gen_require(`
@ -6649,7 +6713,7 @@ index c26662d..9cbfded 100644
 		type wine_exec_t;
 	')
 
-@@ -101,9 +106,16 @@ template(`wine_role_template',`
+@@ -101,9 +105,16 @@ template(`wine_role_template',`
 	corecmd_bin_domtrans($1_wine_t, $1_t)
 
 	userdom_unpriv_usertype($1, $1_wine_t)
@ -6668,6 +6732,29 @@ index c26662d..9cbfded 100644
 
 	optional_policy(`
 		xserver_role($1_r, $1_wine_t)
+@@ -153,3 +164,22 @@ interface(`wine_run',`
+ 	wine_domtrans($1)
+ 	role $2 types wine_t;
+ ')
+
+########################################
+## <summary>
+##	Read and write wine Shared
+##	memory segments.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wine_rw_shm',`
+	gen_require(`
+		type wine_t;
+	')
+
+	allow $1 wine_t:shm rw_shm_perms;
+')
 diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
 index 8af45db..6fe38a1 100644
 --- a/policy/modules/apps/wine.te
@ -7703,7 +7790,7 @@ index 3517db2..bd4c23d 100644
 +/nsr(/.*)?						gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 5302dac..73e4119 100644
+index 5302dac..96a406d 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@ -8001,7 +8088,32 @@ index 5302dac..73e4119 100644
 ')
 
 ########################################
-@@ -5138,12 +5355,12 @@ interface(`files_getattr_generic_locks',`
+@@ -4718,6 +4935,24 @@ interface(`files_read_var_files',`
+ 
+ ########################################
+ ## <summary>
+##	Append files in the /var directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_append_var_files',`
+	gen_require(`
+		type var_t;
+	')
+
+	append_files_pattern($1, var_t, var_t)
+')
+
+########################################
+## <summary>
+ ##	Read and write files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -5138,12 +5373,12 @@ interface(`files_getattr_generic_locks',`
 ## </param>
 #
 interface(`files_delete_generic_locks',`
@ -8019,7 +8131,7 @@ index 5302dac..73e4119 100644
 ')
 
 ########################################
-@@ -5317,6 +5534,43 @@ interface(`files_search_pids',`
+@@ -5317,6 +5552,43 @@ interface(`files_search_pids',`
 	search_dirs_pattern($1, var_t, var_run_t)
 ')
 
@ -8063,7 +8175,7 @@ index 5302dac..73e4119 100644
 ########################################
 ## <summary>
 ##	Do not audit attempts to search
-@@ -5524,6 +5778,26 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5524,6 +5796,26 @@ interface(`files_dontaudit_ioctl_all_pids',`
 
 ########################################
 ## <summary>
@ -8090,7 +8202,7 @@ index 5302dac..73e4119 100644
 ##	Read all process ID files.
 ## </summary>
 ## <param name="domain">
-@@ -5541,6 +5815,7 @@ interface(`files_read_all_pids',`
+@@ -5541,6 +5833,7 @@ interface(`files_read_all_pids',`
 
 	list_dirs_pattern($1, var_t, pidfile)
 	read_files_pattern($1, pidfile, pidfile)
@ -8098,7 +8210,7 @@ index 5302dac..73e4119 100644
 ')
 
 ########################################
-@@ -5826,3 +6101,229 @@ interface(`files_unconfined',`
+@@ -5826,3 +6119,229 @@ interface(`files_unconfined',`
 
 	typeattribute $1 files_unconfined_type;
 ')
@ -8610,7 +8722,7 @@ index e3e17ba..3b34959 100644
 +')
 +
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index fb63c3a..712e644 100644
+index fb63c3a..3561f03 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
@@ -52,6 +52,7 @@ type anon_inodefs_t;
@ -8621,7 +8733,7 @@ index fb63c3a..712e644 100644
 
 type bdev_t;
 fs_type(bdev_t)
-@@ -67,7 +68,7 @@ fs_type(capifs_t)
+@@ -67,10 +68,11 @@ fs_type(capifs_t)
 files_mountpoint(capifs_t)
 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
 
@ -8630,7 +8742,11 @@ index fb63c3a..712e644 100644
 fs_type(cgroup_t)
 files_type(cgroup_t)
 files_mountpoint(cgroup_t)
-@@ -106,6 +107,15 @@ fs_type(ibmasmfs_t)
+dev_associate_sysfs(cgroup_t)
+ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+ 
+ type configfs_t;
+@@ -106,6 +108,15 @@ fs_type(ibmasmfs_t)
 allow ibmasmfs_t self:filesystem associate;
 genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
 
@ -8646,7 +8762,7 @@ index fb63c3a..712e644 100644
 type inotifyfs_t;
 fs_type(inotifyfs_t)
 genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
-@@ -148,6 +158,12 @@ fs_type(squash_t)
+@@ -148,6 +159,12 @@ fs_type(squash_t)
 genfscon squash / gen_context(system_u:object_r:squash_t,s0)
 files_mountpoint(squash_t)
 
@ -8659,7 +8775,7 @@ index fb63c3a..712e644 100644
 type vmblock_t;
 fs_noxattr_type(vmblock_t)
 files_mountpoint(vmblock_t)
-@@ -248,6 +264,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -248,6 +265,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
 type removable_t;
 allow removable_t noxattrfs:filesystem associate;
 fs_noxattr_type(removable_t)
@ -10282,10 +10398,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..faef468
+index 0000000..821d0dd
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,458 @@
+@@ -0,0 +1,462 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@ -10474,7 +10590,11 @@ index 0000000..faef468
 +	')
 +
 +	optional_policy(`
-+		xserver_rw_shm(unconfined_usertype)
+		gen_require(`
+			type user_tmpfs_t;
+		')
+	
+		xserver_rw_session(unconfined_usertype, user_tmpfs_t)
 +		xserver_run_xauth(unconfined_usertype, unconfined_r)
 +		xserver_dbus_chat_xdm(unconfined_usertype)
 +	')
@ -12631,7 +12751,7 @@ index 67c91aa..472ddad 100644
 	mta_system_content(apcupsd_tmp_t)
 ')
 diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..1a44ccb 100644
+index 1c8c27e..c6832b0 100644
 --- a/policy/modules/services/apm.te
 +++ b/policy/modules/services/apm.te
@@ -62,6 +62,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
@ -12650,18 +12770,34 @@ index 1c8c27e..1a44ccb 100644
 dev_read_realtime_clock(apmd_t)
 dev_read_urand(apmd_t)
 dev_rw_apm_bios(apmd_t)
-@@ -144,6 +146,10 @@ ifdef(`distro_redhat',`
+@@ -142,9 +144,8 @@ ifdef(`distro_redhat',`
 
- 	# ifconfig_exec_t needs to be run in its own domain for Red Hat
+ 	can_exec(apmd_t, apmd_var_run_t)
+ 
+-	# ifconfig_exec_t needs to be run in its own domain for Red Hat
 	optional_policy(`
+-		sysnet_domtrans_ifconfig(apmd_t)
+		fstools_domtrans(apmd_t)
+ 	')
+ 
+ 	optional_policy(`
+@@ -155,6 +156,15 @@ ifdef(`distro_redhat',`
+ 		netutils_domtrans(apmd_t)
+ 	')
+ 
+	# ifconfig_exec_t needs to be run in its own domain for Red Hat
+	optional_policy(`
 +		sssd_search_lib(apmd_t)
 +	')
 +
 +	optional_policy(`
- 		sysnet_domtrans_ifconfig(apmd_t)
- 	')
- 
-@@ -218,9 +224,13 @@ optional_policy(`
+		sysnet_domtrans_ifconfig(apmd_t)
+	')
+
+ ',`
+ 	# for ifconfig which is run all the time
+ 	kernel_dontaudit_search_sysctl(apmd_t)
+@@ -218,9 +228,13 @@ optional_policy(`
 	udev_read_state(apmd_t) #necessary?
 ')
 
@ -15329,10 +15465,23 @@ index 1b492ed..286ec9e 100644
 +
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
-index 305ddf4..2c2a551 100644
+index 305ddf4..fb3454a 100644
 --- a/policy/modules/services/cups.if
 +++ b/policy/modules/services/cups.if
-@@ -314,7 +314,7 @@ interface(`cups_stream_connect_ptal',`
+@@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',`
+ interface(`cups_read_config',`
+ 	gen_require(`
+ 		type cupsd_etc_t, cupsd_rw_etc_t;
+		type hplip_etc_t;
+ 	')
+ 
+ 	files_search_etc($1)
+ 	read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+	read_files_pattern($1, hplip_etc_t, hplip_etc_t)
+ 	read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+ ')
+ 
+@@ -314,11 +316,12 @@ interface(`cups_stream_connect_ptal',`
 interface(`cups_admin',`
 	gen_require(`
 		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
@ -15341,7 +15490,12 @@ index 305ddf4..2c2a551 100644
 		type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
 		type cupsd_var_run_t, ptal_etc_t;
 		type ptal_var_run_t, hplip_var_run_t;
-@@ -341,9 +341,6 @@ interface(`cups_admin',`
+ 		type cupsd_initrc_exec_t;
+		type hplip_etc_t;
+ 	')
+ 
+ 	allow $1 cupsd_t:process { ptrace signal_perms };
+@@ -341,15 +344,14 @@ interface(`cups_admin',`
 
 	admin_pattern($1, cupsd_lpd_var_run_t)
 
@ -15351,6 +15505,14 @@ index 305ddf4..2c2a551 100644
 	admin_pattern($1, cupsd_tmp_t)
 	files_list_tmp($1)
 
+ 	admin_pattern($1, cupsd_var_run_t)
+ 	files_list_pids($1)
+ 
+	admin_pattern($1, hplip_etc_t)
+
+ 	admin_pattern($1, hplip_var_run_t)
+ 
+ 	admin_pattern($1, ptal_etc_t)
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
 index 0f28095..11e74af 100644
 --- a/policy/modules/services/cups.te
@ -15706,7 +15868,7 @@ index 8ba9425..d53ee7e 100644
 +    gnome_dontaudit_search_config(denyhosts_t)
 +')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..a7de603 100644
+index f231f17..ccacea9 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
@@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
@ -15734,7 +15896,7 @@ index f231f17..a7de603 100644
 files_manage_isid_type_dirs(devicekit_disk_t)
 files_manage_mnt_dirs(devicekit_disk_t)
 files_read_etc_files(devicekit_disk_t)
-@@ -178,13 +182,25 @@ optional_policy(`
+@@ -178,17 +182,33 @@ optional_policy(`
 	virt_manage_images(devicekit_disk_t)
 ')
 
@ -15761,7 +15923,23 @@ index f231f17..a7de603 100644
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -225,6 +241,8 @@ auth_use_nsswitch(devicekit_power_t)
+ 
+manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
+
+ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+@@ -212,6 +232,7 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+ dev_rw_generic_chr_files(devicekit_power_t)
+ dev_rw_netcontrol(devicekit_power_t)
+ dev_rw_sysfs(devicekit_power_t)
+dev_read_rand(devicekit_power_t)
+ 
+ files_read_kernel_img(devicekit_power_t)
+ files_read_etc_files(devicekit_power_t)
+@@ -225,6 +246,8 @@ auth_use_nsswitch(devicekit_power_t)
 
 miscfiles_read_localization(devicekit_power_t)
 
@ -17104,10 +17282,10 @@ index 03742d8..7b9c543 100644
 ')
 
 diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
-index 7cf6763..d01cab6 100644
+index 7cf6763..5b9771e 100644
 --- a/policy/modules/services/hal.if
 +++ b/policy/modules/services/hal.if
-@@ -377,6 +377,26 @@ interface(`hal_read_pid_files',`
+@@ -377,6 +377,25 @@ interface(`hal_read_pid_files',`
 
 ########################################
 ## <summary>
@ -17125,8 +17303,7 @@ index 7cf6763..d01cab6 100644
 +		type hald_var_run_t;
 +	')
 +
-+	files_search_pids($1)
-+	allow $1 hald_var_run_t:file read_inherited_file_perms;
+	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
 +')
 +
 +########################################
@ -17134,6 +17311,34 @@ index 7cf6763..d01cab6 100644
 ##	Read/Write hald PID files.
 ## </summary>
 ## <param name="domain">
+@@ -431,3 +450,27 @@ interface(`hal_manage_pid_files',`
+ 	files_search_pids($1)
+ 	manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
+ ')
+
+########################################
+## <summary>
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_dontaudit_leaks',`
+	gen_require(`
+		type hald_log_t;
+		type hald_t;
+		type hald_var_run_t;
+	')
+
+	dontaudit $1 hald_t:fd use; 
+	dontaudit $1 hald_log_t:file rw_inherited_file_perms;
+	dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms; 
+	dontaudit hald_t $1:socket_class_set { read write };
+	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
+')
 diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
 index 24c6253..0a54d67 100644
 --- a/policy/modules/services/hal.te
@ -17233,19 +17438,21 @@ index 24c6253..0a54d67 100644
 #
 # Local hald dccm policy
 diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
-index a57ffc0..fbcdd74 100644
+index a57ffc0..f441c9a 100644
 --- a/policy/modules/services/icecast.te
 +++ b/policy/modules/services/icecast.te
-@@ -37,6 +37,8 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+@@ -37,7 +37,10 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
 manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
 files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
 
 +kernel_read_system_state(icecast_t)
 +
 corenet_tcp_bind_soundd_port(icecast_t)
+corenet_tcp_connect_soundd_port(icecast_t)
 
 # Init script handling
-@@ -51,5 +53,9 @@ miscfiles_read_localization(icecast_t)
+ domain_use_interactive_fds(icecast_t)
+@@ -51,5 +54,9 @@ miscfiles_read_localization(icecast_t)
 sysnet_dns_name_resolve(icecast_t)
 
 optional_policy(`
@ -23017,10 +23224,19 @@ index a96249c..ca97ead 100644
 	role_transition $2 rpcbind_initrc_exec_t system_r;
 	allow $2 system_r;
 diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index d6d76e1..af3353c 100644
+index d6d76e1..9cb5e25 100644
 --- a/policy/modules/services/rpcbind.te
 +++ b/policy/modules/services/rpcbind.te
-@@ -71,3 +71,7 @@ sysnet_dns_name_resolve(rpcbind_t)
+@@ -43,6 +43,8 @@ kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
+ kernel_request_load_module(rpcbind_t)
+ 
+corecmd_exec_shell(rpcbind_t)
+
+ corenet_all_recvfrom_unlabeled(rpcbind_t)
+ corenet_all_recvfrom_netlabel(rpcbind_t)
+ corenet_tcp_sendrecv_generic_if(rpcbind_t)
+@@ -71,3 +73,7 @@ sysnet_dns_name_resolve(rpcbind_t)
 ifdef(`hide_broken_symptoms',`
 	dontaudit rpcbind_t self:udp_socket listen;
 ')
@ -26774,7 +26990,7 @@ index da2601a..6ff8f25 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8084740..288d513 100644
+index 8084740..60da940 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false)
@ -27578,7 +27794,7 @@ index 8084740..288d513 100644
 
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -775,14 +1072,34 @@ optional_policy(`
+@@ -775,20 +1072,44 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -27614,7 +27830,17 @@ index 8084740..288d513 100644
 
 optional_policy(`
 	userhelper_search_config(xserver_t)
-@@ -804,10 +1121,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+ ')
+ 
+ optional_policy(`
+	wine_rw_shm(xserver_t)
+')
+
+optional_policy(`
+ 	xfs_stream_connect(xserver_t)
+ ')
+ 
+@@ -804,10 +1125,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -27627,7 +27853,7 @@ index 8084740..288d513 100644
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -828,6 +1145,13 @@ init_use_fds(xserver_t)
+@@ -828,6 +1149,13 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -27641,7 +27867,7 @@ index 8084740..288d513 100644
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
-@@ -843,11 +1167,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -843,11 +1171,14 @@ tunable_policy(`use_samba_home_dirs',`
 
 optional_policy(`
 	dbus_system_bus_client(xserver_t)
@ -27658,7 +27884,7 @@ index 8084740..288d513 100644
 ')
 
 optional_policy(`
-@@ -993,3 +1320,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+@@ -993,3 +1324,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
 allow xserver_unconfined_type xextension_type:x_extension *;
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@ -30291,7 +30517,7 @@ index 9df8c4d..1d2236b 100644
 +/opt/google/picasa/.*\.dll	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index bf416a4..6f36eca 100644
+index bf416a4..af2af2d 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
@ -30330,7 +30556,18 @@ index bf416a4..6f36eca 100644
 ifdef(`hide_broken_symptoms',`
 	ifdef(`distro_gentoo',`
 		# leaked fds from portage
-@@ -141,6 +147,10 @@ optional_policy(`
+@@ -131,6 +137,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+	gnome_append_generic_cache_files(ldconfig_t)
+')
+
+optional_policy(`
+ 	puppet_rw_tmp(ldconfig_t)
+ ')
+ 
+@@ -141,6 +151,10 @@ optional_policy(`
 	rpm_manage_script_tmp_files(ldconfig_t)
 ')
 
@ -30963,7 +31200,7 @@ index 9c0faab..def8d5a 100644
 ##	loading modules.
 ## </summary>
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 74a4466..a3b7b0d 100644
+index 74a4466..f39f39f 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
@@ -18,6 +18,7 @@ type insmod_t;
@ -30974,7 +31211,7 @@ index 74a4466..a3b7b0d 100644
 role system_r types insmod_t;
 
 # module loading config
-@@ -55,12 +56,14 @@ corecmd_search_bin(depmod_t)
+@@ -55,12 +56,15 @@ corecmd_search_bin(depmod_t)
 
 domain_use_interactive_fds(depmod_t)
 
@ -30985,11 +31222,12 @@ index 74a4466..a3b7b0d 100644
 files_read_etc_files(depmod_t)
 files_read_usr_src_files(depmod_t)
 files_list_usr(depmod_t)
+files_append_var_files(depmod_t)
 +files_read_boot_files(depmod_t)
 
 fs_getattr_xattr_fs(depmod_t)
 
-@@ -74,6 +77,7 @@ userdom_use_user_terminals(depmod_t)
+@@ -74,6 +78,7 @@ userdom_use_user_terminals(depmod_t)
 # Read System.map from home directories.
 files_list_home(depmod_t)
 userdom_read_user_home_content_files(depmod_t)
@ -30997,7 +31235,7 @@ index 74a4466..a3b7b0d 100644
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
-@@ -94,17 +98,21 @@ optional_policy(`
+@@ -94,17 +99,21 @@ optional_policy(`
 	rpm_manage_script_tmp_files(depmod_t)
 ')
 
@ -31020,7 +31258,7 @@ index 74a4466..a3b7b0d 100644
 allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 
 allow insmod_t self:udp_socket create_socket_perms;
-@@ -125,6 +133,7 @@ kernel_write_proc_files(insmod_t)
+@@ -125,6 +134,7 @@ kernel_write_proc_files(insmod_t)
 kernel_mount_debugfs(insmod_t)
 kernel_mount_kvmfs(insmod_t)
 kernel_read_debugfs(insmod_t)
@ -31028,7 +31266,7 @@ index 74a4466..a3b7b0d 100644
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctls(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
-@@ -142,6 +151,7 @@ dev_rw_agp(insmod_t)
+@@ -142,6 +152,7 @@ dev_rw_agp(insmod_t)
 dev_read_sound(insmod_t)
 dev_write_sound(insmod_t)
 dev_rw_apm_bios(insmod_t)
@ -31036,7 +31274,7 @@ index 74a4466..a3b7b0d 100644
 
 domain_signal_all_domains(insmod_t)
 domain_use_interactive_fds(insmod_t)
-@@ -160,11 +170,15 @@ files_write_kernel_modules(insmod_t)
+@@ -160,11 +171,15 @@ files_write_kernel_modules(insmod_t)
 
 fs_getattr_xattr_fs(insmod_t)
 fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@ -31052,7 +31290,7 @@ index 74a4466..a3b7b0d 100644
 
 logging_send_syslog_msg(insmod_t)
 logging_search_logs(insmod_t)
-@@ -173,8 +187,7 @@ miscfiles_read_localization(insmod_t)
+@@ -173,8 +188,7 @@ miscfiles_read_localization(insmod_t)
 
 seutil_read_file_contexts(insmod_t)
 
@ -31062,7 +31300,7 @@ index 74a4466..a3b7b0d 100644
 userdom_dontaudit_search_user_home_dirs(insmod_t)
 
 if( ! secure_mode_insmod ) {
-@@ -191,6 +204,10 @@ optional_policy(`
+@@ -191,6 +205,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -31073,7 +31311,7 @@ index 74a4466..a3b7b0d 100644
 	hal_write_log(insmod_t)
 ')
 
-@@ -229,10 +246,18 @@ optional_policy(`
+@@ -229,10 +247,18 @@ optional_policy(`
 	rpm_rw_pipes(insmod_t)
 ')
 
@ -31691,10 +31929,21 @@ index 2cc4bda..9e81136 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 170e2c7..3f27d1b 100644
+index 170e2c7..bbaa8cf 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
-@@ -361,6 +361,27 @@ interface(`seutil_exec_restorecon',`
+@@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',`
+ 
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, load_policy_exec_t, load_policy_t)
+
+	ifdef(`hide_broken_symptoms', `
+		dontaudit load_policy_t $1:socket_class_set { read write };
+	')
+ ')
+ 
+ ########################################
+@@ -361,6 +365,27 @@ interface(`seutil_exec_restorecon',`
 
 ########################################
 ## <summary>
@ -31722,7 +31971,18 @@ index 170e2c7..3f27d1b 100644
 ##	Execute run_init in the run_init domain.
 ## </summary>
 ## <param name="domain">
-@@ -545,6 +566,53 @@ interface(`seutil_run_setfiles',`
+@@ -514,6 +539,10 @@ interface(`seutil_domtrans_setfiles',`
+ 	files_search_usr($1)
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, setfiles_exec_t, setfiles_t)
+
+	ifdef(`hide_broken_symptoms', `
+		dontaudit setfiles_t $1:socket_class_set { read write };
+	')
+ ')
+ 
+ ########################################
+@@ -545,6 +574,53 @@ interface(`seutil_run_setfiles',`
 
 ########################################
 ## <summary>
@ -31776,7 +32036,7 @@ index 170e2c7..3f27d1b 100644
 ##	Execute setfiles in the caller domain.
 ## </summary>
 ## <param name="domain">
-@@ -690,6 +758,7 @@ interface(`seutil_manage_config',`
+@@ -690,6 +766,7 @@ interface(`seutil_manage_config',`
 	')
 
 	files_search_etc($1)
@ -31784,10 +32044,18 @@ index 170e2c7..3f27d1b 100644
 	manage_files_pattern($1, selinux_config_t, selinux_config_t)
 	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
 ')
-@@ -1009,6 +1078,26 @@ interface(`seutil_domtrans_semanage',`
- 
- ########################################
- ## <summary>
+@@ -1005,6 +1082,30 @@ interface(`seutil_domtrans_semanage',`
+ 	files_search_usr($1)
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, semanage_exec_t, semanage_t)
+
+	ifdef(`hide_broken_symptoms', `
+		dontaudit semanage_t $1:socket_class_set { read write };
+	')
+')
+
+########################################
+## <summary>
 +##	Execute a domain transition to run setsebool.
 +## </summary>
 +## <param name="domain">
@ -31804,14 +32072,10 @@ index 170e2c7..3f27d1b 100644
 +	files_search_usr($1)
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, setsebool_exec_t, setsebool_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute semanage in the semanage domain, and
- ##	allow the specified role the semanage domain,
- ##	and use the caller's terminal.
-@@ -1038,6 +1127,54 @@ interface(`seutil_run_semanage',`
+ ')
+ 
+ ########################################
+@@ -1038,6 +1139,54 @@ interface(`seutil_run_semanage',`
 
 ########################################
 ## <summary>
@ -31866,7 +32130,7 @@ index 170e2c7..3f27d1b 100644
 ##	Full management of the semanage
 ##	module store.
 ## </summary>
-@@ -1149,3 +1286,194 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1149,3 +1298,194 @@ interface(`seutil_dontaudit_libselinux_linked',`
 	selinux_dontaudit_get_fs_mount($1)
 	seutil_dontaudit_read_config($1)
 ')
@ -33234,7 +33498,7 @@ index 025348a..59bc26b 100644
 
 ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a054cf5..a5d4a43 100644
+index a054cf5..8451600 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
@ -33282,7 +33546,7 @@ index a054cf5..a5d4a43 100644
 ')
 
 optional_policy(`
-@@ -216,6 +224,10 @@ optional_policy(`
+@@ -216,11 +224,16 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -33293,7 +33557,24 @@ index a054cf5..a5d4a43 100644
 	consoletype_exec(udev_t)
 ')
 
-@@ -259,6 +271,10 @@ optional_policy(`
+ optional_policy(`
+ 	cups_domtrans_config(udev_t)
+	cups_read_config(udev_t)
+ ')
+ 
+ optional_policy(`
+@@ -233,6 +246,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+	gnome_read_home_config(udev_t)
+')
+
+optional_policy(`
+ 	lvm_domtrans(udev_t)
+ ')
+ 
+@@ -259,6 +276,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -33304,7 +33585,7 @@ index a054cf5..a5d4a43 100644
 	openct_read_pid_files(udev_t)
 	openct_domtrans(udev_t)
 ')
-@@ -273,6 +289,10 @@ optional_policy(`
+@@ -273,6 +294,10 @@ optional_policy(`
 ')
 
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -469,6 +469,10 @@ exit 0
 %endif

 %changelog
+* Thu Aug 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.0-2
+- More access needed for devicekit
+- Add dbadm policy
+
 * Thu Aug 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.0-1
 - Merge with upstream

--- a/1
+++ b/1
@ -1,2 +1 @@
-1f8151f0184945098f3cc3ca0b53e861  serefpolicy-3.8.8.tgz
 9012ab09af5480459942d4a54de91db4  serefpolicy-3.9.0.tgz