Debian policykit fixes from Martin Orr.

The policykit binaries on Debian live in /usr/lib/policykit so add file
contexts for that.  Also a couple of policykit rules.

Changelog

@@ -1,3 +1,4 @@
+- Debian policykit fixes from Martin Orr.
 - Fix unconfined_r use of unconfined_java_t.
 - Add missing x_device rules for XI2 functions, from Eamon Walsh.
 - Add missing rules to make unconfined_cronjob_t a valid cron job domain.

policy/modules/services/policykit.fc

@@ -1,3 +1,8 @@
+/usr/lib/policykit/polkit-read-auth-helper --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/policykit/polkit-grant-helper.*   --	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/lib/policykit/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
+
 /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
 /usr/libexec/polkit-resolve-exe-helper.* --	gen_context(system_u:object_r:policykit_resolve_exec_t,s0)

policy/modules/services/policykit.te

@@ -1,5 +1,5 @@
 
-policy_module(policykit, 1.0.0)
+policy_module(policykit, 1.0.1)
 
 ########################################
 #
@@ -92,6 +92,8 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
 manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
 files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
 
+kernel_read_system_state(policykit_auth_t)
+
 files_read_etc_files(policykit_auth_t)
 files_read_usr_files(policykit_auth_t)
 
@@ -104,6 +106,7 @@ miscfiles_read_localization(policykit_auth_t)
 userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
 
 optional_policy(`
+	dbus_system_bus_client(policykit_auth_t)
 	dbus_session_bus_client(policykit_auth_t)
 
 	optional_policy(`