- Allow devicekit_disk to list inotify

policy-F12.patch

@@ -1142,6 +1142,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  miscfiles_read_localization(awstats_t)
  
  sysnet_dns_name_resolve(awstats_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.26/policy/modules/apps/calamaris.te
+--- nsaserefpolicy/policy/modules/apps/calamaris.te	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/apps/calamaris.te	2009-08-05 16:42:44.000000000 -0400
+@@ -84,3 +84,7 @@
+ optional_policy(`
+ 	nis_use_ypbind(calamaris_t)
+ ')
++
++optional_policy(`
++	nscd_socket_use(calamaris_t)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.26/policy/modules/apps/cpufreqselector.te
 --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te	2009-07-28 13:28:33.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/apps/cpufreqselector.te	2009-07-30 15:33:08.000000000 -0400
@@ -4932,7 +4943,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.26/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/files.if	2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/files.if	2009-08-05 17:20:50.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -10117,7 +10128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	allow $1 devicekit_t:process { ptrace signal_perms getattr };
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.26/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/devicekit.te	2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/devicekit.te	2009-08-05 16:52:16.000000000 -0400
 @@ -36,12 +36,15 @@
  manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
  manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -10155,7 +10166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  kernel_setsched(devicekit_disk_t)
  
  corecmd_exec_bin(devicekit_disk_t)
-@@ -79,11 +86,13 @@
+@@ -79,21 +86,26 @@
  dev_rw_sysfs(devicekit_disk_t)
  dev_read_urand(devicekit_disk_t)
  dev_getattr_usbfs_dirs(devicekit_disk_t)
@@ -10167,9 +10178,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_read_usr_files(devicekit_disk_t)
 +files_manage_isid_type_dirs(devicekit_disk_t)
  
++fs_list_inotifyfs(devicekit_disk_t)
++fs_manage_fusefs_dirs(devicekit_disk_t)
  fs_mount_all_fs(devicekit_disk_t)
  fs_unmount_all_fs(devicekit_disk_t)
-@@ -94,6 +103,8 @@
+-fs_manage_fusefs_dirs(devicekit_disk_t)
+ 
+ storage_raw_read_fixed_disk(devicekit_disk_t)
+ storage_raw_write_fixed_disk(devicekit_disk_t)
  storage_raw_read_removable_device(devicekit_disk_t)
  storage_raw_write_removable_device(devicekit_disk_t)
  
@@ -10178,7 +10194,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  auth_use_nsswitch(devicekit_disk_t)
  
  miscfiles_read_localization(devicekit_disk_t)
-@@ -110,6 +121,7 @@
+@@ -110,6 +122,7 @@
  ')
  
  optional_policy(`
@@ -10186,7 +10202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	policykit_domtrans_auth(devicekit_disk_t)
  	policykit_read_lib(devicekit_disk_t)
  	policykit_read_reload(devicekit_disk_t)
-@@ -134,6 +146,19 @@
+@@ -134,6 +147,19 @@
  	udev_read_db(devicekit_disk_t)
  ')
  
@@ -10206,7 +10222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # DeviceKit-Power local policy
-@@ -142,6 +167,7 @@
+@@ -142,6 +168,7 @@
  allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
  allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
@@ -10214,7 +10230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-@@ -151,6 +177,7 @@
+@@ -151,6 +178,7 @@
  kernel_read_system_state(devicekit_power_t)
  kernel_rw_hotplug_sysctls(devicekit_power_t)
  kernel_rw_kernel_sysctl(devicekit_power_t)
@@ -10222,7 +10238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corecmd_exec_bin(devicekit_power_t)
  corecmd_exec_shell(devicekit_power_t)
-@@ -159,6 +186,7 @@
+@@ -159,6 +187,7 @@
  
  domain_read_all_domains_state(devicekit_power_t)
  
@@ -10230,7 +10246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dev_rw_generic_usb_dev(devicekit_power_t)
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
-@@ -180,8 +208,11 @@
+@@ -180,8 +209,11 @@
  ')
  
  optional_policy(`
@@ -10243,7 +10259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	allow devicekit_power_t devicekit_t:dbus send_msg;
  
  	optional_policy(`
-@@ -203,17 +234,23 @@
+@@ -203,17 +235,23 @@
  
  optional_policy(`
  	hal_domtrans_mac(devicekit_power_t)
@@ -10709,7 +10725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.26/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/hal.te	2009-08-04 05:57:57.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/hal.te	2009-08-05 17:09:21.000000000 -0400
 @@ -55,6 +55,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -10803,10 +10819,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow hald_dccm_t self:process getsched;
  allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
  allow hald_dccm_t self:udp_socket create_socket_perms;
-@@ -469,10 +491,17 @@
+@@ -469,10 +491,22 @@
  manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
  files_search_var_lib(hald_dccm_t)
  
++manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
++manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
++manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
++files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file })
++
 +manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t)
 +files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file)
 +
@@ -10821,7 +10842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_all_recvfrom_unlabeled(hald_dccm_t)
  corenet_all_recvfrom_netlabel(hald_dccm_t)
  corenet_tcp_sendrecv_generic_if(hald_dccm_t)
-@@ -484,6 +513,7 @@
+@@ -484,6 +518,7 @@
  corenet_tcp_bind_generic_node(hald_dccm_t)
  corenet_udp_bind_generic_node(hald_dccm_t)
  corenet_udp_bind_dhcpc_port(hald_dccm_t)
@@ -10829,7 +10850,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_bind_dccm_port(hald_dccm_t)
  
  logging_send_syslog_msg(hald_dccm_t)
-@@ -491,3 +521,9 @@
+@@ -491,3 +526,9 @@
  files_read_usr_files(hald_dccm_t)
  
  miscfiles_read_localization(hald_dccm_t)
@@ -13953,7 +13974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.26/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/rpc.te	2009-07-30 15:33:09.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/rpc.te	2009-08-05 17:22:27.000000000 -0400
 @@ -91,6 +91,8 @@
  
  seutil_dontaudit_search_config(rpcd_t)
@@ -13990,6 +14011,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  tunable_policy(`nfs_export_all_ro',`
  	dev_getattr_all_blk_files(nfsd_t)
+@@ -189,8 +197,10 @@
+ fs_rw_rpc_sockets(gssd_t) 
+ fs_read_rpc_files(gssd_t) 
+ 
++fs_list_inotifyfs(gssd_t)
+ files_list_tmp(gssd_t) 
+ files_read_usr_symlinks(gssd_t) 
++files_dontaudit_write_var_dirs(gssd_t) 
+ 
+ auth_use_nsswitch(gssd_t)
+ auth_manage_cache(gssd_t) 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.26/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/services/rsync.te	2009-07-30 15:33:09.000000000 -0400
@@ -16491,6 +16523,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Send and receive messages from
  ##	sssd over dbus.
  ## </summary>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.26/policy/modules/services/sysstat.te
+--- nsaserefpolicy/policy/modules/services/sysstat.te	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/sysstat.te	2009-08-05 17:06:04.000000000 -0400
+@@ -19,7 +19,7 @@
+ # Local policy
+ #
+ 
+-allow sysstat_t self:capability { sys_resource sys_tty_config };
++allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };
+ dontaudit sysstat_t self:capability sys_admin;
+ allow sysstat_t self:fifo_file rw_fifo_file_perms;
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.26/policy/modules/services/uucp.te
 --- nsaserefpolicy/policy/modules/services/uucp.te	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/services/uucp.te	2009-07-30 15:33:09.000000000 -0400
@@ -16533,7 +16577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.26/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/virt.if	2009-07-30 15:33:09.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/virt.if	2009-08-05 16:59:48.000000000 -0400
 @@ -103,7 +103,7 @@
  
  ########################################
@@ -16631,7 +16675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an virt environment
  ## </summary>
-@@ -327,3 +364,54 @@
+@@ -327,3 +364,56 @@
  
  	virt_manage_log($1)
  ')
@@ -16664,6 +16708,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	files_tmpfs_file($1_tmpfs_t)
 +
 +	type $1_image_t, virt_image_type;
++	files_type($1_image_t)
++	dev_node($1_image_t)
 +
 +	manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
 +	manage_files_pattern($1_t, $1_image_t, $1_image_t)

selinux-policy.spec

@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.26
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,9 @@ exit 0
 %endif
 
 %changelog
+* Wed Aug 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-6
+- Allow devicekit_disk to list inotify
+
 * Wed Aug 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-5
 - Allow svirt images to create sock_file in svirt_var_run_t