- Allow hal/pm-utils to look at /var/run/video.rom

- Add ulogd policy

booleans-minimum.conf

@@ -229,7 +229,7 @@ user_rw_noexattrfile=true
 
 # Allow qemu to connect fully to the network
 # 
-allow_qemu_full_network=true
+qemu_full_network=true
 
 # Allow nsplugin execmem/execstack for bad plugins
 # 

booleans-targeted.conf

@@ -229,7 +229,7 @@ user_rw_noexattrfile=true
 
 # Allow qemu to connect fully to the network
 # 
-allow_qemu_full_network=true
+qemu_full_network=true
 
 # Allow nsplugin execmem/execstack for bad plugins
 # 

modules-minimum.conf

@@ -1293,6 +1293,13 @@ userdomain = base
 # 
 unconfined = module
 
+# Layer: services
+# Module: ulogd
+#
+# 
+# 
+ulogd = module
+
 # Layer: apps
 # Module: wine
 #

modules-targeted.conf

@@ -1293,6 +1293,13 @@ userdomain = base
 # 
 unconfined = module
 
+# Layer: services
+# Module: ulogd
+#
+# 
+# 
+ulogd = module
+
 # Layer: apps
 # Module: wine
 #

policy-20080710.patch

@@ -16212,7 +16212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/hal.te	2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/hal.te	2008-11-04 13:26:50.000000000 -0500
 @@ -49,6 +49,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -16244,13 +16244,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	rpc_search_nfs_state_data(hald_t)
  ')
  
-@@ -300,12 +310,16 @@
+@@ -300,12 +310,20 @@
  	vbetool_domtrans(hald_t)
  ')
  
 +optional_policy(`
 +	virt_manage_images(hald_t)
 +')
++
++optional_policy(`
++	xserver_read_pid(hald_t)
++')
 +
  ########################################
  #
@@ -16262,7 +16266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow hald_acl_t self:process { getattr signal };
  allow hald_acl_t self:fifo_file rw_fifo_file_perms;
  
-@@ -344,13 +358,22 @@
+@@ -344,13 +362,22 @@
  libs_use_ld_so(hald_acl_t)
  libs_use_shared_libs(hald_acl_t)
  
@@ -16285,7 +16289,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
  allow hald_t hald_mac_t:process signal;
  allow hald_mac_t hald_t:unix_stream_socket connectto;
-@@ -359,6 +382,8 @@
+@@ -359,6 +386,8 @@
  manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
  files_search_var_lib(hald_mac_t)
  
@@ -16294,7 +16298,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  kernel_read_system_state(hald_mac_t)
  
  dev_read_raw_memory(hald_mac_t)
-@@ -366,6 +391,9 @@
+@@ -366,6 +395,9 @@
  dev_read_sysfs(hald_mac_t)
  
  files_read_usr_files(hald_mac_t)
@@ -16304,7 +16308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  libs_use_ld_so(hald_mac_t)
  libs_use_shared_libs(hald_mac_t)
-@@ -388,6 +416,8 @@
+@@ -388,6 +420,8 @@
  manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
  files_search_var_lib(hald_sonypic_t)
  
@@ -16313,7 +16317,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_read_usr_files(hald_sonypic_t)
  
  libs_use_ld_so(hald_sonypic_t)
-@@ -408,6 +438,8 @@
+@@ -408,6 +442,8 @@
  manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
  files_search_var_lib(hald_keymap_t)
  
@@ -16322,7 +16326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dev_rw_input_dev(hald_keymap_t)
  
  files_read_usr_files(hald_keymap_t)
-@@ -419,4 +451,4 @@
+@@ -419,4 +455,4 @@
  
  # This is caused by a bug in hald and PolicyKit.  
  # Should be removed when this is fixed
@@ -18611,16 +18615,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	openct_signull(pcscd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.5.13/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/pegasus.te	2008-10-28 10:56:19.000000000 -0400
-@@ -66,6 +66,7 @@
++++ serefpolicy-3.5.13/policy/modules/services/pegasus.te	2008-11-04 12:06:18.000000000 -0500
+@@ -30,7 +30,7 @@
+ # Local policy
+ #
+ 
+-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
++allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service };
+ dontaudit pegasus_t self:capability sys_tty_config;
+ allow pegasus_t self:process signal;
+ allow pegasus_t self:fifo_file rw_fifo_file_perms;
+@@ -66,6 +66,8 @@
  kernel_read_system_state(pegasus_t)
  kernel_search_vm_sysctl(pegasus_t)
  kernel_read_net_sysctls(pegasus_t)
 +kernel_read_xen_state(pegasus_t)
++kernel_write_xen_state(pegasus_t)
  
  corenet_all_recvfrom_unlabeled(pegasus_t)
  corenet_all_recvfrom_netlabel(pegasus_t)
-@@ -96,13 +97,12 @@
+@@ -96,13 +98,12 @@
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -18636,7 +18650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_read_var_lib_symlinks(pegasus_t)
  
  hostname_exec(pegasus_t)
-@@ -118,7 +118,6 @@
+@@ -118,7 +119,6 @@
  
  miscfiles_read_localization(pegasus_t)
  
@@ -18644,6 +18658,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  sysnet_domtrans_ifconfig(pegasus_t)
  
  userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+@@ -130,6 +130,14 @@
+ ')
+ 
+ optional_policy(`
++	samba_manage_config(pegasus_t)
++')
++
++optional_policy(`
++	ssh_exec(pegasus_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(pegasus_t)
+ 	seutil_dontaudit_read_config(pegasus_t)
+ ')
+@@ -141,3 +149,13 @@
+ optional_policy(`
+ 	unconfined_signull(pegasus_t)
+ ')
++
++optional_policy(`
++	virt_domtrans(pegasus_t)
++	virt_manage_config(pegasus_t)
++')
++
++optional_policy(`
++	xen_stream_connect(pegasus_t)
++	xen_stream_connect_xenstore(pegasus_t)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.5.13/policy/modules/services/polkit.fc
 --- nsaserefpolicy/policy/modules/services/polkit.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.5.13/policy/modules/services/polkit.fc	2008-10-28 10:56:19.000000000 -0400
@@ -18896,8 +18939,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/polkit.te	2008-11-04 09:58:08.000000000 -0500
-@@ -0,0 +1,231 @@
++++ serefpolicy-3.5.13/policy/modules/services/polkit.te	2008-11-05 11:49:03.000000000 -0500
+@@ -0,0 +1,232 @@
 +policy_module(polkit_auth, 1.0.0)
 +
 +########################################
@@ -19062,6 +19105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +logging_send_syslog_msg(polkit_grant_t)
 +
 +polkit_domtrans_auth(polkit_grant_t)
++polkit_domtrans_resolve(polkit_grant_t)
 +
 +manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t)
 +
@@ -21627,7 +21671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.13/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/samba.if	2008-11-04 10:21:25.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/samba.if	2008-11-04 11:57:02.000000000 -0500
 @@ -44,6 +44,44 @@
  
  ########################################
@@ -22020,7 +22064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.13/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/samba.te	2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/samba.te	2008-11-05 12:55:21.000000000 -0500
 @@ -66,6 +66,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs, false)
@@ -22203,7 +22247,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -452,6 +493,7 @@
+@@ -379,8 +420,10 @@
+ 
+ tunable_policy(`samba_export_all_ro',`
+ 	fs_read_noxattr_fs_files(smbd_t) 
++	auth_read_all_dirs_except_shadow(smbd_t)
+ 	auth_read_all_files_except_shadow(smbd_t)
+ 	fs_read_noxattr_fs_files(nmbd_t) 
++	auth_read_all_dirs_except_shadow(nmbd_t)
+ 	auth_read_all_files_except_shadow(nmbd_t)
+ ')
+ 
+@@ -452,6 +495,7 @@
  dev_getattr_mtrr_dev(nmbd_t)
  
  fs_getattr_all_fs(nmbd_t)
@@ -22211,7 +22266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  fs_search_auto_mountpoints(nmbd_t)
  
  domain_use_interactive_fds(nmbd_t)
-@@ -536,6 +578,7 @@
+@@ -536,6 +580,7 @@
  storage_raw_write_fixed_disk(smbmount_t)
  
  term_list_ptys(smbmount_t)
@@ -22219,7 +22274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corecmd_list_bin(smbmount_t)
  
-@@ -547,32 +590,46 @@
+@@ -547,32 +592,46 @@
  
  auth_use_nsswitch(smbmount_t)
  
@@ -22272,7 +22327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
  
-@@ -592,6 +649,9 @@
+@@ -592,6 +651,9 @@
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
  allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -22282,7 +22337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -616,10 +676,12 @@
+@@ -616,10 +678,12 @@
  
  dev_read_urand(swat_t)
  
@@ -22295,7 +22350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -628,6 +690,7 @@
+@@ -628,6 +692,7 @@
  libs_use_shared_libs(swat_t)
  
  logging_send_syslog_msg(swat_t)
@@ -22303,7 +22358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
-@@ -645,6 +708,17 @@
+@@ -645,6 +710,17 @@
  	kerberos_use(swat_t)
  ')
  
@@ -22321,7 +22376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Winbind local policy
-@@ -694,6 +768,8 @@
+@@ -694,6 +770,8 @@
  manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
  files_pid_filetrans(winbind_t, winbind_var_run_t, file)
  
@@ -22330,7 +22385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  kernel_read_kernel_sysctls(winbind_t)
  kernel_list_proc(winbind_t)
  kernel_read_proc_symlinks(winbind_t)
-@@ -780,8 +856,13 @@
+@@ -780,8 +858,13 @@
  miscfiles_read_localization(winbind_helper_t) 
  
  optional_policy(`
@@ -22344,7 +22399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -790,6 +871,16 @@
+@@ -790,6 +873,16 @@
  #
  
  optional_policy(`
@@ -22361,7 +22416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -800,9 +891,46 @@
+@@ -800,9 +893,46 @@
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -24432,6 +24487,209 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow tor_t self:fifo_file rw_fifo_file_perms;
  allow tor_t self:unix_stream_socket create_stream_socket_perms;
  allow tor_t self:netlink_route_socket r_netlink_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.5.13/policy/modules/services/ulogd.fc
+--- nsaserefpolicy/policy/modules/services/ulogd.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/ulogd.fc	2008-11-05 12:14:57.000000000 -0500
+@@ -0,0 +1,10 @@
++
++/etc/rc\.d/init\.d/ulogd                --              gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
++
++/etc/ulogd.conf                         --          	gen_context(system_u:object_r:ulogd_etc_t,s0)
++
++/usr/lib/ulogd(/.*)?					gen_context(system_u:object_r:ulogd_modules_t,s0)	
++
++/usr/sbin/ulogd				--		gen_context(system_u:object_r:ulogd_exec_t,s0)
++
++/var/log/ulogd(/.*)?					gen_context(system_u:object_r:ulogd_var_log_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.5.13/policy/modules/services/ulogd.if
+--- nsaserefpolicy/policy/modules/services/ulogd.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/ulogd.if	2008-11-05 12:14:57.000000000 -0500
+@@ -0,0 +1,127 @@
++## <summary>policy for ulogd</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run ulogd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ulogd_domtrans',`
++	gen_require(`
++		type ulogd_t, ulogd_exec_t;
++	')
++
++	domtrans_pattern($1,ulogd_exec_t,ulogd_t)
++')
++
++########################################
++## <summary>
++##      Allow the specified domain to read
++##      ulogd configuration files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++##
++#
++interface(`ulogd_read_config',`
++        gen_require(`
++                type ulogd_etc_t;
++        ')
++
++        files_search_etc($1)
++        read_files_pattern($1, ulogd_etc_t, ulogd_etc_t)
++')
++
++########################################
++## <summary>
++##      Allow the specified domain to read ulogd's log files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++##
++#
++interface(`ulogd_read_log',`
++        gen_require(`
++                type ulogd_var_log_t;
++        ')
++
++        logging_search_logs($1)
++        allow $1 ulogd_var_log_t:dir list_dir_perms;
++        read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
++')
++
++########################################
++## <summary>
++##      Allow the specified domain to append to ulogd's log files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++##
++#
++interface(`ulogd_append_log',`
++        gen_require(`
++                type ulogd_var_log_t;
++        ')
++
++        logging_search_logs($1)
++        allow $1 ulogd_var_log_t:dir list_dir_perms;
++        allow $1 ulogd_var_log_t:file append_file_perms;
++')
++
++########################################
++## <summary>
++##      All of the rules required to administrate 
++##      an ulogd environment
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <param name="role">
++##      <summary>
++##      The role to be allowed to manage the syslog domain.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`ulogd_admin',`
++        gen_require(`
++                type ulogd_t, ulogd_etc_t;
++                type ulogd_var_log_t, ulogd_initrc_exec_t;
++		type ulogd_modules_t;
++        ')
++
++        allow $1 ulogd_t:process { ptrace signal_perms };
++        ps_process_pattern($1, ulogd_t)
++
++        init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
++        domain_system_change_exemption($1)
++        role_transition $2 ulogd_initrc_exec_t system_r;
++        allow $2 system_r;
++
++	files_search_etc($1)
++        admin_pattern($1, ulogd_etc_t)
++
++        logging_list_logs($1)
++        admin_pattern($1, ulogd_var_log_t)
++
++        files_search_usr($1)
++        admin_pattern($1, ulogd_modules_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.5.13/policy/modules/services/ulogd.te
+--- nsaserefpolicy/policy/modules/services/ulogd.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/ulogd.te	2008-11-05 12:14:57.000000000 -0500
+@@ -0,0 +1,54 @@
++policy_module(ulogd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ulogd_t;
++type ulogd_exec_t;
++init_daemon_domain(ulogd_t, ulogd_exec_t)
++
++type ulogd_initrc_exec_t;
++init_script_file(ulogd_initrc_exec_t)
++
++# /usr/lib files
++type ulogd_modules_t;
++files_type(ulogd_modules_t)
++
++# config files
++type ulogd_etc_t;
++files_type(ulogd_etc_t)
++
++# log files
++type ulogd_var_log_t;
++logging_log_file(ulogd_var_log_t)
++
++########################################
++
++#
++# ulogd local policy
++#
++
++allow ulogd_t self:capability net_admin;
++allow ulogd_t self:netlink_nflog_socket create_socket_perms;
++
++# config files
++read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
++
++# modules for ulogd
++list_dirs_pattern(ulogd_t,ulogd_modules_t,ulogd_modules_t)
++mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
++
++# log files
++manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
++logging_log_filetrans(ulogd_t,ulogd_var_log_t, file )
++
++files_search_etc(ulogd_t)
++
++libs_use_ld_so(ulogd_t)
++libs_use_shared_libs(ulogd_t)
++
++miscfiles_read_localization(ulogd_t)
++
++permissive ulogd_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.13/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/services/virt.fc	2008-10-28 10:56:19.000000000 -0400
@@ -24445,8 +24703,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.13/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/virt.if	2008-10-28 10:56:19.000000000 -0400
-@@ -78,6 +78,24 @@
++++ serefpolicy-3.5.13/policy/modules/services/virt.if	2008-11-04 11:58:23.000000000 -0500
+@@ -41,6 +41,27 @@
+ 
+ ########################################
+ ## <summary>
++##	manage virt config files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_manage_config',`
++	gen_require(`
++		type virt_etc_t;
++		type virt_etc_rw_t;
++	')
++
++	files_search_etc($1)
++	manage_files_pattern($1, virt_etc_t, virt_etc_t)
++	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
++')
++
++########################################
++## <summary>
+ ##	Read virt PID files.
+ ## </summary>
+ ## <param name="domain">
+@@ -78,6 +99,24 @@
  
  ########################################
  ## <summary>
@@ -24471,7 +24757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Search virt lib directories.
  ## </summary>
  ## <param name="domain">
-@@ -196,6 +214,35 @@
+@@ -196,6 +235,35 @@
  
  ########################################
  ## <summary>
@@ -24507,7 +24793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Allow domain to manage virt image files
  ## </summary>
  ## <param name="domain">
-@@ -214,6 +261,7 @@
+@@ -214,6 +282,7 @@
  	manage_dirs_pattern($1, virt_image_t, virt_image_t)
  	manage_files_pattern($1, virt_image_t, virt_image_t)
  	read_lnk_files_pattern($1, virt_image_t, virt_image_t)
@@ -24515,7 +24801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	tunable_policy(`virt_use_nfs',`
  		fs_manage_nfs_dirs($1)
-@@ -243,11 +291,17 @@
+@@ -243,11 +312,17 @@
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t;
@@ -24779,7 +25065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2008-10-08 19:00:27.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/xserver.if	2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/xserver.if	2008-11-04 13:27:32.000000000 -0500
 @@ -16,6 +16,7 @@
  	gen_require(`
  		type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@@ -24990,11 +25276,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -
 -	files_read_etc_files($1_xauth_t)
 -	files_search_pids($1_xauth_t)
-+	ps_process_pattern($2,xauth_t)
- 
+-
 -	fs_getattr_xattr_fs($1_xauth_t)
 -	fs_search_auto_mountpoints($1_xauth_t)
--
++	ps_process_pattern($2,xauth_t)
+ 
 -	# cjp: why?
 -	term_use_ptmx($1_xauth_t)
 -
@@ -25586,8 +25872,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	gen_require(`
 -		type $1_xauth_t, xauth_exec_t;
 +		type xauth_t, xauth_exec_t;
-+	')
-+
+ 	')
+ 
+-	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 +	domtrans_pattern($2, xauth_exec_t, xauth_t)
 +')
 +
@@ -25619,9 +25906,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +template(`xserver_read_user_xauth',`
 +	gen_require(`
 +		type xauth_home_t;
- 	')
- 
--	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
++	')
++
 +	allow $2 xauth_home_t:file read_file_perms;
 +')
 +
@@ -25871,7 +26157,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain complete control over the
  ##	display.
-@@ -1710,8 +2020,157 @@
+@@ -1710,8 +2020,176 @@
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -25884,6 +26170,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
++##	Read xserver files created in /var/run
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_read_pid',`
++	gen_require(`
++		type xserver_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
++')
++
++########################################
++## <summary>
 +##	Execute xserver files created in /var/run
 +## </summary>
 +## <param name="domain">
@@ -25995,8 +26300,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +interface(`xserver_dontaudit_rw_xdm_home_files',`
 +	gen_require(`
 +		type xdm_home_t;
-+	')
-+
+ 	')
+ 
+-	typeattribute $1 xserver_unconfined_type;
 +	dontaudit $1 xdm_home_t:file rw_file_perms;
 +')
 +
@@ -26015,9 +26321,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +interface(`xserver_use_xdm',`
 +	gen_require(`
 +		type xdm_t, xdm_tmp_t;
- 	')
- 
--	typeattribute $1 xserver_unconfined_type;
++	')
++
 +	allow $1 xdm_t:fd use;
 +	allow $1 xdm_t:fifo_file rw_fifo_file_perms;
 +	dontaudit $1 xdm_t:tcp_socket { read write };
@@ -27665,6 +27970,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	xserver_rw_xdm_home_files(daemon)
 +')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.5.13/policy/modules/system/ipsec.fc
+--- nsaserefpolicy/policy/modules/system/ipsec.fc	2008-08-07 11:15:12.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/ipsec.fc	2008-11-05 10:40:04.000000000 -0500
+@@ -26,6 +26,7 @@
+ /usr/local/lib(64)?/ipsec/pluto --	gen_context(system_u:object_r:ipsec_exec_t,s0)
+ /usr/local/lib(64)?/ipsec/spi	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+ 
++/usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+ /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
+ /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.5.13/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2008-10-16 17:21:16.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/system/ipsec.te	2008-10-28 10:56:19.000000000 -0400
@@ -27811,7 +28127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2008-08-13 15:24:56.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc	2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc	2008-11-05 11:29:07.000000000 -0500
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -27909,7 +28225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ') dnl end distro_redhat
  
  #
-@@ -310,3 +329,15 @@
+@@ -310,3 +329,18 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -27925,6 +28241,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/libmpeg2\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.13/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2008-10-14 11:58:09.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/system/libraries.te	2008-10-28 10:56:19.000000000 -0400
@@ -33597,7 +33916,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.5.13/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/xen.if	2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/xen.if	2008-11-04 11:36:33.000000000 -0500
+@@ -155,7 +155,7 @@
+ 	stream_connect_pattern($1,xenstored_var_run_t,xenstored_var_run_t,xenstored_t)
+ ')
+ 
+-########################################
++#######################################
+ ## <summary>
+ ##	Connect to xend over an unix domain stream socket.
+ ## </summary>
 @@ -167,11 +167,14 @@
  #
  interface(`xen_stream_connect',`

selinux-policy.spec

@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -457,10 +457,15 @@ exit 0
 %endif
 
 %changelog
+* Tue Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-15
+- Allow hal/pm-utils to look at /var/run/video.rom
+- Add ulogd policy
+
 * Tue Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-14
 - Additional fixes for cyphesis
 - Fix certmaster file context
 - Add policy for system-config-samba
+- Allow hal to read /var/run/video.rom
 
 * Mon Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-13
 - Allow dhcpc to restart ypbind