* Tue Aug 10 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-12

- Fix devicekit_power bug
- Allow policykit_auth_t more access.
Dan Walsh 2010-08-11 08:58:16 -04:00
parent 922cd61e83
commit b12ede2ac0
1 changed files with 118 additions and 46 deletions


@ -570,7 +570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.8.8/policy/modules/admin/alsa.if
--- nsaserefpolicy/policy/modules/admin/alsa.if 2010-07-27 16:06:04.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/admin/alsa.if 2010-07-30 14:06:53.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/admin/alsa.if 2010-08-11 08:22:58.000000000 -0400
@@ -1,8 +1,9 @@
-## <summary>Ainit ALSA configuration tool</summary>
+## <summary>Advanced Linux Sound Architecture.</summary>
@ -677,7 +677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if
+ type alsa_home_t;
+ ')
+
+ allow $1 also_home_t:file read_file_perms;
+ allow $1 alsa_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.8.8/policy/modules/admin/alsa.te
@ -1591,8 +1591,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.8.8/policy/modules/admin/ncftool.te
--- nsaserefpolicy/policy/modules/admin/ncftool.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te 2010-08-10 05:23:35.000000000 -0400
@@ -0,0 +1,87 @@
+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te 2010-08-11 08:45:52.000000000 -0400
@@ -0,0 +1,91 @@
+policy_module(ncftool, 1.0.0)
+
+########################################
@ -1680,6 +1680,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+optional_policy(`
+ iptables_initrc_domtrans(ncftool_t)
+')
+
+optional_policy(`
+ netutils_domtrans(ncftool_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.8.8/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-07-27 16:06:04.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/admin/netutils.te 2010-07-30 14:06:53.000000000 -0400
@ -1767,7 +1771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.8.8/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-07-27 16:06:04.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-08-10 07:29:36.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-08-11 08:24:20.000000000 -0400
@@ -59,6 +59,7 @@
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
@ -1821,6 +1825,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
@@ -158,6 +169,8 @@
cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+ userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
+
optional_policy(`
rpm_read_db(prelink_cron_system_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.if serefpolicy-3.8.8/policy/modules/admin/quota.if
--- nsaserefpolicy/policy/modules/admin/quota.if 2010-07-27 16:12:33.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/admin/quota.if 2010-07-30 14:06:53.000000000 -0400
@ -4405,8 +4418,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,68 @@
+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te 2010-08-11 08:49:51.000000000 -0400
@@ -0,0 +1,69 @@
+policy_module(kdumpgui,1.0.0)
+
+########################################
@ -4453,6 +4466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
+files_manage_boot_symlinks(kdumpgui_t)
+# Needed for running chkconfig
+files_manage_etc_symlinks(kdumpgui_t)
+files_read_usr_files(kdumpgui_t)
+
+auth_use_nsswitch(kdumpgui_t)
+
@ -5175,8 +5189,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-10 11:45:49.000000000 -0400
@@ -0,0 +1,300 @@
+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-11 08:01:15.000000000 -0400
@@ -0,0 +1,301 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@ -5241,6 +5255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+allow nsplugin_t self:msgq create_msgq_perms;
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow nsplugin_t self:unix_dgram_socket create_socket_perms;
+allow nsplugin_t nsplugin_rw_t:dir search_dir_perms;
+
+tunable_policy(`allow_nsplugin_execmem',`
+ allow nsplugin_t self:process { execstack execmem };
@ -5640,7 +5655,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.8.8/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-07-27 16:06:04.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/apps/podsleuth.te 2010-07-30 14:06:53.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/apps/podsleuth.te 2010-08-11 08:27:39.000000000 -0400
@@ -27,7 +27,7 @@
# podsleuth local policy
#
allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
-allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
+allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
allow podsleuth_t self:fifo_file rw_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
@@ -73,6 +73,7 @@
sysnet_dns_name_resolve(podsleuth_t)
@ -6687,7 +6711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-07-27 16:06:04.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-08-06 12:05:20.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-08-11 08:01:44.000000000 -0400
@@ -5,40 +5,45 @@
# Declarations
#
@ -9885,7 +9909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.8/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-07-27 16:06:05.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te 2010-07-30 14:06:53.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te 2010-08-11 08:20:53.000000000 -0400
@@ -27,17 +27,29 @@
corecmd_exec_shell(sysadm_t)
@ -10022,17 +10046,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
hostname_run(sysadm_t, sysadm_r)
@@ -199,6 +230,9 @@
@@ -199,6 +230,13 @@
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
+ ipsec_run_setkey(sysadm_t, sysadm_r)
+ ipsec_run_racoon(sysadm_t, sysadm_r)
+ ipsec_stream_connect_racoon(sysadm_t)
+
+ optional_policy(`
+ ipsec_mgmt_dbus_chat(sysadm_t)
+ ')
')
optional_policy(`
@@ -206,12 +240,18 @@
@@ -206,12 +244,18 @@
')
optional_policy(`
@ -10051,7 +10079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
kudzu_run(sysadm_t, sysadm_r)
@@ -221,9 +261,11 @@
@@ -221,9 +265,11 @@
libs_run_ldconfig(sysadm_t, sysadm_r)
')
@ -10063,7 +10091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
logrotate_run(sysadm_t, sysadm_r)
@@ -246,8 +288,10 @@
@@ -246,8 +292,10 @@
optional_policy(`
mount_run(sysadm_t, sysadm_r)
@ -10074,7 +10102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mozilla_role(sysadm_r, sysadm_t)
')
@@ -255,6 +299,7 @@
@@ -255,6 +303,7 @@
optional_policy(`
mplayer_role(sysadm_r, sysadm_t)
')
@ -10082,7 +10110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mta_role(sysadm_r, sysadm_t)
@@ -269,6 +314,10 @@
@@ -269,6 +318,10 @@
')
optional_policy(`
@ -10093,7 +10121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
@@ -302,8 +351,14 @@
@@ -302,8 +355,14 @@
')
optional_policy(`
@ -10108,7 +10136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
quota_run(sysadm_t, sysadm_r)
@@ -313,9 +368,11 @@
@@ -313,9 +372,11 @@
raid_domtrans_mdadm(sysadm_t)
')
@ -10120,7 +10148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
@@ -325,9 +382,11 @@
@@ -325,9 +386,11 @@
rpm_run(sysadm_t, sysadm_r)
')
@ -10132,7 +10160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rsync_exec(sysadm_t)
@@ -352,8 +411,14 @@
@@ -352,8 +415,14 @@
')
optional_policy(`
@ -10147,7 +10175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
ssh_role_template(sysadm, sysadm_r, sysadm_t)
@@ -376,9 +441,11 @@
@@ -376,9 +445,11 @@
sysnet_run_dhcpc(sysadm_t, sysadm_r)
')
@ -10159,7 +10187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
@@ -387,17 +454,21 @@
@@ -387,17 +458,21 @@
tripwire_run_twprint(sysadm_t, sysadm_r)
')
@ -10181,7 +10209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
unconfined_domtrans(sysadm_t)
@@ -411,9 +482,11 @@
@@ -411,9 +486,11 @@
usbmodules_run(sysadm_t, sysadm_r)
')
@ -10193,7 +10221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
@@ -421,9 +494,15 @@
@@ -421,9 +498,15 @@
usermanage_run_useradd(sysadm_t, sysadm_r)
')
@ -10209,7 +10237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
vpn_run(sysadm_t, sysadm_r)
@@ -434,13 +513,30 @@
@@ -434,13 +517,30 @@
')
optional_policy(`
@ -10925,7 +10953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te 2010-08-11 07:44:10.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te 2010-08-11 08:23:36.000000000 -0400
@@ -0,0 +1,453 @@
+policy_module(unconfineduser, 1.0.0)
+
@ -14445,7 +14473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
corenet_udp_bind_chronyd_port(chronyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-07-27 16:06:05.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-10 08:26:22.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-11 08:54:31.000000000 -0400
@@ -80,6 +80,7 @@
files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
@ -14466,7 +14494,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
@@ -189,6 +191,7 @@
@@ -182,6 +184,8 @@
allow freshclam_t clamd_var_log_t:dir search_dir_perms;
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+kernel_read_kernel_sysctls(freshclam_t)
+
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
@@ -189,6 +193,7 @@
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@ -14474,7 +14511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
@@ -207,6 +210,8 @@
@@ -207,6 +212,8 @@
clamav_stream_connect(freshclam_t)
@ -15231,6 +15268,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+ # Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t.
+ dontaudit cobblerd_t httpdcontent:dir relabel_dir_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.8.8/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2010-07-27 16:06:05.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/consolekit.if 2010-08-11 08:07:53.000000000 -0400
@@ -95,3 +95,22 @@
files_search_pids($1)
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
+
+########################################
+## <summary>
+## List consolekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_list_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.8.8/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-07-27 16:06:05.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/consolekit.te 2010-07-30 14:06:53.000000000 -0400
@ -16030,7 +16093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.8.8/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2010-07-27 16:06:05.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/cups.te 2010-07-30 14:06:53.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/cups.te 2010-08-11 08:24:50.000000000 -0400
@@ -15,6 +15,7 @@
type cupsd_t;
type cupsd_exec_t;
@ -16109,7 +16172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
@@ -587,13 +599,18 @@
@@ -587,13 +599,19 @@
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@ -16119,6 +16182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
+userdom_dontaudit_search_admin_dir(cups_pdf_t)
lpd_manage_spool(cups_pdf_t)
@ -21232,7 +21296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.8.8/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2010-07-27 16:06:06.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-08-10 11:37:04.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-08-11 08:57:21.000000000 -0400
@@ -24,6 +24,9 @@
type policykit_reload_t alias polkit_reload_t;
files_type(policykit_reload_t)
@ -21277,7 +21341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
auth_use_nsswitch(policykit_t)
@@ -67,45 +77,84 @@
@@ -67,45 +77,89 @@
miscfiles_read_localization(policykit_t)
@ -21298,6 +21362,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
+')
+
+optional_policy(`
+ consolekit_list_pid_files(policykit_t)
+ consolekit_read_pid_files(policykit_t)
+')
+
+optional_policy(`
+ gnome_read_config(policykit_t)
+')
@ -21368,7 +21437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
@@ -118,6 +167,14 @@
@@ -118,6 +172,14 @@
hal_read_state(policykit_auth_t)
')
@ -21383,7 +21452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
########################################
#
# polkit_grant local policy
@@ -125,7 +182,8 @@
@@ -125,7 +187,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@ -21393,7 +21462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
@@ -155,9 +213,12 @@
@@ -155,9 +218,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@ -21407,7 +21476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
consolekit_dbus_chat(policykit_grant_t)
')
')
@@ -169,7 +230,8 @@
@@ -169,7 +235,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@ -27516,7 +27585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-07-27 16:06:06.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-05 16:01:15.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-11 08:03:36.000000000 -0400
@@ -35,6 +35,13 @@
## <desc>
@ -27863,7 +27932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+fs_read_noxattr_fs_files(xdm_t)
+fs_dontaudit_list_fusefs(xdm_t)
+fs_manage_cgroup_dirs(xdm_t)
+fs_rw_cgroup_files(xdm_t)
+fs_manage_cgroup_files(xdm_t)
+
+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
+
@ -29306,7 +29375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
## <rolecap/>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.8.8/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2010-07-27 16:06:06.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/hotplug.te 2010-07-30 14:06:53.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/hotplug.te 2010-08-11 08:14:12.000000000 -0400
@@ -23,7 +23,7 @@
#
@ -29316,7 +29385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit hotplug_t self:capability { dac_override dac_read_search };
allow hotplug_t self:process { setpgid getsession getattr signal_perms };
@@ -39,12 +39,14 @@
@@ -39,14 +39,16 @@
can_exec(hotplug_t, hotplug_exec_t)
@ -29330,7 +29399,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
kernel_read_system_state(hotplug_t)
+kernel_read_network_state(hotplug_t)
kernel_read_kernel_sysctls(hotplug_t)
kernel_read_net_sysctls(hotplug_t)
-kernel_read_net_sysctls(hotplug_t)
+kernel_rw_net_sysctls(hotplug_t)
files_read_kernel_modules(hotplug_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.8.8/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2010-07-27 16:06:06.000000000 -0400
@ -30500,7 +30572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.8/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-07-27 16:06:06.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/ipsec.te 2010-08-10 11:57:19.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/ipsec.te 2010-08-11 08:20:05.000000000 -0400
@@ -72,7 +72,7 @@
#
@ -34939,7 +35011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-07-27 16:06:06.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-07-30 14:06:53.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-08-11 08:23:58.000000000 -0400
@@ -30,8 +30,9 @@
')