rpms/selinux-policy/devel modules-targeted.conf, 1.131, 1.132 policy-F12.patch, 1.19, 1.20 selinux-policy.spec, 1.872, 1.873

Daniel J Walsh dwalsh at fedoraproject.org
Thu Jun 25 21:44:07 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv17591

Modified Files:
	modules-targeted.conf policy-F12.patch selinux-policy.spec 
Log Message:
* Thu Jun 25 2009 Dan Walsh <dwalsh at redhat.com> 3.6.19-5
- Add rtkit policy



Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.131
retrieving revision 1.132
diff -u -p -r1.131 -r1.132
--- modules-targeted.conf	24 Jun 2009 13:15:55 -0000	1.131
+++ modules-targeted.conf	25 Jun 2009 21:43:35 -0000	1.132
@@ -1186,6 +1186,13 @@ rshd = module
 rsync = module
 
 # Layer: services
+# Module: rtkit_daemon
+#
+# Real Time Kit Daemon
+# 
+rtkit_daemon = module
+
+# Layer: services
 # Module: rwho
 #
 # who is logged in on local machines

policy-F12.patch:

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F12.patch,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -p -r1.19 -r1.20
--- policy-F12.patch	24 Jun 2009 20:45:26 -0000	1.19
+++ policy-F12.patch	25 Jun 2009 21:43:35 -0000	1.20
@@ -2058,7 +2058,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.18/policy/modules/apps/gnome.te
 --- nsaserefpolicy/policy/modules/apps/gnome.te	2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/apps/gnome.te	2009-06-24 16:20:30.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/apps/gnome.te	2009-06-25 15:55:41.000000000 -0400
 @@ -9,16 +9,18 @@
  attribute gnomedomain;
  
@@ -5890,7 +5890,7 @@ diff -b -B --ignore-all-space --exclude-
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.18/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2009-06-12 09:08:48.000000000 -0400
-+++ serefpolicy-3.6.18/policy/modules/kernel/domain.te	2009-06-22 17:32:55.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/kernel/domain.te	2009-06-25 09:30:09.000000000 -0400
 @@ -5,6 +5,13 @@
  #
  # Declarations
@@ -5961,7 +5961,7 @@ diff -b -B --ignore-all-space --exclude-
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -153,3 +174,73 @@
+@@ -153,3 +174,75 @@
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -6001,7 +6001,9 @@ diff -b -B --ignore-all-space --exclude-
 +
 +ifdef(`hide_broken_symptoms',`
 +	fs_list_inotifyfs(domain)
++	dontaudit domain self:udp_socket listen;
 +	allow domain domain:key { link search };
++	dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
 +')
 +')
 +
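Review bot: `dbus_dontaudit_system_bus_rw_tcp_sockets(domain)` is a services-layer interface invoked directly from the kernel-layer domain.te with no `optional_policy()` wrapper, so whenever hide_broken_symptoms is set the base module hard-depends on the dbus module being built. The refpolicy convention for cross-layer calls is to wrap them, `optional_policy(` / `	dbus_dontaudit_system_bus_rw_tcp_sockets(domain)` / `')`, so a build without dbus still links. The new `dontaudit domain self:udp_socket listen;` applies to every domain, which is acceptable only because the whole block is gated on hide_broken_symptoms; the enclosing ifdef starts outside the hunk.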
@@ -6070,7 +6072,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.18/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-06-12 09:08:48.000000000 -0400
-+++ serefpolicy-3.6.18/policy/modules/kernel/files.if	2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/kernel/files.if	2009-06-25 08:54:01.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -6096,7 +6098,32 @@ diff -b -B --ignore-all-space --exclude-
  
  	# satisfy the assertions:
  	seutil_relabelto_bin_policy($1)
-@@ -1715,6 +1718,25 @@
+@@ -1331,6 +1334,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Remove file entries from the root directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_root_file',`
++	gen_require(`
++		type root_t;
++	')
++
++	allow $1 root_t:file unlink;
++')
++
++########################################
++## <summary>
+ ##	Remove entries from the root directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -1715,6 +1736,25 @@
  
  ########################################
  ## <summary>
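Review bot: The new files_delete_root_file interface grants only `allow $1 root_t:file unlink;`, but deleting a file also requires `remove_name` on the containing root_t directory, which this interface does not grant, so a caller relying on it alone will still be denied. The idiom this same file uses further down, `delete_files_pattern($1, file_t, file_t)`, grants both the directory and the file permissions; `delete_files_pattern($1, root_t, root_t)` here would make the interface self-sufficient unless callers are expected to pair it with files_delete_root_dir_entry, in which case the summary should say so. Note also that root_t:file covers every default-labelled regular file directly under /, not a single flag file, so a more precise summary would be `##	Delete regular files labelled root_t that live directly in the root directory.`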
@@ -6122,7 +6149,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Mount a filesystem on a directory with the default file type.
  ## </summary>
  ## <param name="domain">
-@@ -1931,6 +1953,27 @@
+@@ -1931,6 +1971,27 @@
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -6150,7 +6177,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -2418,6 +2461,11 @@
+@@ -2418,6 +2479,11 @@
  	')
  
  	delete_files_pattern($1, file_t, file_t)
@@ -6162,7 +6189,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -3449,6 +3497,24 @@
+@@ -3449,6 +3515,24 @@
  
  ########################################
  ## <summary>
@@ -6187,7 +6214,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Read all tmp files.
  ## </summary>
  ## <param name="domain">
-@@ -3515,6 +3581,8 @@
+@@ -3515,6 +3599,8 @@
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -6196,7 +6223,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -3623,7 +3691,12 @@
+@@ -3623,7 +3709,12 @@
  		type usr_t;
  	')
  
@@ -6210,7 +6237,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -3662,6 +3735,7 @@
+@@ -3662,6 +3753,7 @@
  	allow $1 usr_t:dir list_dir_perms;
  	read_files_pattern($1, usr_t, usr_t)
  	read_lnk_files_pattern($1, usr_t, usr_t)
@@ -6218,7 +6245,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -4955,7 +5029,7 @@
+@@ -4955,7 +5047,7 @@
  	selinux_compute_member($1)
  
  	# Need sys_admin capability for mounting
@@ -6227,7 +6254,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	# Need to give access to the directories to be polyinstantiated
  	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-@@ -4977,12 +5051,15 @@
+@@ -4977,12 +5069,15 @@
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
  
@@ -6244,7 +6271,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -5003,3 +5080,173 @@
+@@ -5003,3 +5098,173 @@
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -6770,8 +6797,8 @@ diff -b -B --ignore-all-space --exclude-
 +gen_user(guest_u, user, guest_r, s0, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.18/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/roles/staff.te	2009-06-20 06:49:47.000000000 -0400
-@@ -15,156 +15,103 @@
++++ serefpolicy-3.6.18/policy/modules/roles/staff.te	2009-06-25 17:28:57.000000000 -0400
+@@ -15,156 +15,107 @@
  # Local policy
  #
  
@@ -6794,11 +6821,7 @@ diff -b -B --ignore-all-space --exclude-
 -optional_policy(`
 -	cdrecord_role(staff_r, staff_t)
 -')
-+kernel_read_ring_buffer(staff_t)
-+kernel_getattr_core_if(staff_t)
-+kernel_getattr_message_if(staff_t)
-+kernel_read_software_raid_state(staff_t)
- 
+-
 -optional_policy(`
 -	cron_role(staff_r, staff_t)
 -')
@@ -6806,13 +6829,15 @@ diff -b -B --ignore-all-space --exclude-
 -optional_policy(`
 -	dbus_role_template(staff, staff_r, staff_t)
 -')
-+auth_domtrans_pam_console(staff_t)
++kernel_read_ring_buffer(staff_t)
++kernel_getattr_core_if(staff_t)
++kernel_getattr_message_if(staff_t)
++kernel_read_software_raid_state(staff_t)
  
 -optional_policy(`
 -	ethereal_role(staff_r, staff_t)
 -')
-+libs_manage_shared_libs(staff_t)
- 
+-
 -optional_policy(`
 -	evolution_role(staff_r, staff_t)
 -')
@@ -6820,101 +6845,104 @@ diff -b -B --ignore-all-space --exclude-
 -optional_policy(`
 -	games_role(staff_r, staff_t)
 -')
--
++auth_domtrans_pam_console(staff_t)
+ 
 -optional_policy(`
 -	gift_role(staff_r, staff_t)
 -')
++libs_manage_shared_libs(staff_t)
+ 
+-optional_policy(`
+-	gnome_role(staff_r, staff_t)
+-')
 +seutil_run_newrole(staff_t, staff_r)
 +netutils_run_ping(staff_t, staff_r)
  
  optional_policy(`
--	gnome_role(staff_r, staff_t)
+-	gpg_role(staff_r, staff_t)
 +	sudo_role_template(staff, staff_r, staff_t)
  ')
  
  optional_policy(`
--	gpg_role(staff_r, staff_t)
+-	irc_role(staff_r, staff_t)
 +	auditadm_role_change(staff_r)
  ')
  
  optional_policy(`
--	irc_role(staff_r, staff_t)
+-	java_role(staff_r, staff_t)
 +	kerneloops_manage_tmp_files(staff_t)
  ')
  
  optional_policy(`
--	java_role(staff_r, staff_t)
+-	lockdev_role(staff_r, staff_t)
 +	logadm_role_change(staff_r)
  ')
  
  optional_policy(`
--	lockdev_role(staff_r, staff_t)
+-	lpd_role(staff_r, staff_t)
 +	postgresql_role(staff_r, staff_t)
  ')
  
  optional_policy(`
--	lpd_role(staff_r, staff_t)
+-	mozilla_role(staff_r, staff_t)
++	rtkit_daemon_system_domain(staff_t)
+ ')
+ 
+ optional_policy(`
+-	mplayer_role(staff_r, staff_t)
 +	secadm_role_change(staff_r)
  ')
  
  optional_policy(`
--	mozilla_role(staff_r, staff_t)
+-	mta_role(staff_r, staff_t)
 +	ssh_role_template(staff, staff_r, staff_t)
  ')
  
  optional_policy(`
--	mplayer_role(staff_r, staff_t)
+-	oident_manage_user_content(staff_t)
+-	oident_relabel_user_content(staff_t)
 +	sysadm_role_change(staff_r)
  ')
  
  optional_policy(`
--	mta_role(staff_r, staff_t)
+-	pyzor_role(staff_r, staff_t)
 +	usernetctl_run(staff_t, staff_r)
  ')
  
  optional_policy(`
--	oident_manage_user_content(staff_t)
--	oident_relabel_user_content(staff_t)
+-	razor_role(staff_r, staff_t)
 +	unconfined_role_change(staff_r)
  ')
  
  optional_policy(`
--	pyzor_role(staff_r, staff_t)
+-	rssh_role(staff_r, staff_t)
 +	webadm_role_change(staff_r)
  ')
  
 -optional_policy(`
--	razor_role(staff_r, staff_t)
+-	screen_role_template(staff, staff_r, staff_t)
 -')
 +domain_read_all_domains_state(staff_t)
 +domain_getattr_all_domains(staff_t)
 +domain_obj_id_change_exemption(staff_t)
  
 -optional_policy(`
--	rssh_role(staff_r, staff_t)
+-	secadm_role_change(staff_r)
 -')
 +files_read_kernel_modules(staff_t)
  
 -optional_policy(`
--	screen_role_template(staff, staff_r, staff_t)
+-	spamassassin_role(staff_r, staff_t)
 -')
 +kernel_read_fs_sysctls(staff_t)
  
 -optional_policy(`
--	secadm_role_change(staff_r)
+-	ssh_role_template(staff, staff_r, staff_t)
 -')
 +modutils_read_module_config(staff_t)
 +modutils_read_module_deps(staff_t)
  
 -optional_policy(`
--	spamassassin_role(staff_r, staff_t)
--')
--
--optional_policy(`
--	ssh_role_template(staff, staff_r, staff_t)
--')
--
--optional_policy(`
 -	su_role_template(staff, staff_r, staff_t)
 -')
 +miscfiles_read_hwdata(staff_t)
@@ -7937,8 +7965,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.18/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/roles/unconfineduser.te	2009-06-20 06:49:47.000000000 -0400
-@@ -0,0 +1,407 @@
++++ serefpolicy-3.6.18/policy/modules/roles/unconfineduser.te	2009-06-25 17:28:35.000000000 -0400
+@@ -0,0 +1,411 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -8217,6 +8245,10 @@ diff -b -B --ignore-all-space --exclude-
 +')
 +
 +optional_policy(`
++	rtkit_daemon_system_domain(unconfined_t)
++')
++
++optional_policy(`
 +	samba_role_notrans(unconfined_r)
 +	samba_run_unconfined_net(unconfined_t, unconfined_r)
 +	samba_run_winbind_helper(unconfined_t, unconfined_r)
@@ -8348,8 +8380,8 @@ diff -b -B --ignore-all-space --exclude-
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.18/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/roles/unprivuser.te	2009-06-20 06:49:47.000000000 -0400
-@@ -14,142 +14,17 @@
++++ serefpolicy-3.6.18/policy/modules/roles/unprivuser.te	2009-06-25 17:29:15.000000000 -0400
+@@ -14,142 +14,21 @@
  userdom_unpriv_user_template(user)
  
  optional_policy(`
@@ -8364,14 +8396,15 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
 -	bluetooth_role(user_r, user_t)
-+	sandbox_transition(user_t, user_r)
++	rtkit_daemon_system_domain(user_t)
  ')
  
  optional_policy(`
 -	cdrecord_role(user_r, user_t)
--')
--
--optional_policy(`
++	sandbox_transition(user_t, user_r)
+ ')
+ 
+ optional_policy(`
 -	cron_role(user_r, user_t)
 -')
 -
@@ -15942,7 +15975,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.18/policy/modules/services/nis.te
 --- nsaserefpolicy/policy/modules/services/nis.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/nis.te	2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/services/nis.te	2009-06-24 17:22:48.000000000 -0400
 @@ -13,6 +13,9 @@
  type ypbind_exec_t;
  init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -15963,7 +15996,18 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # ypbind local policy
-@@ -111,6 +117,16 @@
+@@ -65,9 +71,8 @@
+ 
+ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
+ 
++kernel_read_system_state(ypbind_t)
+ kernel_read_kernel_sysctls(ypbind_t)
+-kernel_list_proc(ypbind_t)
+-kernel_read_proc_symlinks(ypbind_t)
+ 
+ corenet_all_recvfrom_unlabeled(ypbind_t)
+ corenet_all_recvfrom_netlabel(ypbind_t)
+@@ -111,6 +116,16 @@
  userdom_dontaudit_search_user_home_dirs(ypbind_t)
  
  optional_policy(`
@@ -15980,7 +16024,7 @@ diff -b -B --ignore-all-space --exclude-
  	seutil_sigchld_newrole(ypbind_t)
  ')
  
-@@ -123,6 +139,7 @@
+@@ -123,6 +138,7 @@
  # yppasswdd local policy
  #
  
@@ -15988,7 +16032,7 @@ diff -b -B --ignore-all-space --exclude-
  dontaudit yppasswdd_t self:capability sys_tty_config;
  allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
  allow yppasswdd_t self:process { setfscreate signal_perms };
-@@ -153,8 +170,8 @@
+@@ -153,8 +169,8 @@
  corenet_udp_sendrecv_all_ports(yppasswdd_t)
  corenet_tcp_bind_generic_node(yppasswdd_t)
  corenet_udp_bind_generic_node(yppasswdd_t)
@@ -15999,7 +16043,7 @@ diff -b -B --ignore-all-space --exclude-
  corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
  corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
  corenet_sendrecv_generic_server_packets(yppasswdd_t)
-@@ -241,6 +258,8 @@
+@@ -241,6 +257,8 @@
  corenet_udp_bind_generic_node(ypserv_t)
  corenet_tcp_bind_reserved_port(ypserv_t)
  corenet_udp_bind_reserved_port(ypserv_t)
@@ -16008,7 +16052,7 @@ diff -b -B --ignore-all-space --exclude-
  corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
  corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
  corenet_sendrecv_generic_server_packets(ypserv_t)
-@@ -306,6 +325,8 @@
+@@ -306,6 +324,8 @@
  corenet_udp_bind_generic_node(ypxfr_t)
  corenet_tcp_bind_reserved_port(ypxfr_t)
  corenet_udp_bind_reserved_port(ypxfr_t)
@@ -16970,8 +17014,8 @@ diff -b -B --ignore-all-space --exclude-
 +/var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:polkit_reload_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.18/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/polkit.if	2009-06-24 08:29:05.000000000 -0400
-@@ -0,0 +1,242 @@
++++ serefpolicy-3.6.18/policy/modules/services/polkit.if	2009-06-25 17:34:50.000000000 -0400
+@@ -0,0 +1,245 @@
 +
 +## <summary>policy for polkit_auth</summary>
 +
@@ -17187,6 +17231,7 @@ diff -b -B --ignore-all-space --exclude-
 +## <rolecap/>
 +#
 +template(`polkit_role',`
++
 +	polkit_run_auth($2, $1)
 +	polkit_run_grant($2, $1)
 +	polkit_read_lib($2)
@@ -17211,12 +17256,14 @@ diff -b -B --ignore-all-space --exclude-
 +		class dbus send_msg;
 +	')
 +
++	ps_process_pattern(polkit_t, $1)
++
 +	allow $1 polkit_t:dbus send_msg;
 +	allow polkit_t $1:dbus send_msg;
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.18/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/polkit.te	2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/services/polkit.te	2009-06-25 17:33:00.000000000 -0400
 @@ -0,0 +1,235 @@
 +policy_module(polkit_auth, 1.0.0)
 +
@@ -17260,7 +17307,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 +allow polkit_t self:unix_dgram_socket create_socket_perms;
 +allow polkit_t self:fifo_file rw_file_perms;
-+allow polkit_t self:unix_stream_socket create_stream_socket_perms;
++allow polkit_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +
 +polkit_domtrans_auth(polkit_t)
 +polkit_domtrans_resolve(polkit_t)
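Review bot: The added `ps_process_pattern(polkit_t, $1)` lands inside the interface whose body is the two `dbus send_msg` rules (its name is outside the hunk, but that body reads as the dbus-chat interface), so an interface documented as message exchange now also lets polkit_t read the caller's /proc/<pid> state, which existing callers may not expect. Either extend the summary, e.g. `##	Send and receive messages from polkit over dbus, and allow polkit to read the caller's process state.`, or put the rule in its own interface so domains that only need bus traffic do not grant it. The separate polkit.te line adding `connectto` on polkit_t's own unix_stream_socket is fine.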
@@ -19556,6 +19603,117 @@ diff -b -B --ignore-all-space --exclude-
 +')
 +
  auth_can_read_shadow_passwords(rsync_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.fc
+--- nsaserefpolicy/policy/modules/services/rtkit_daemon.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.fc	2009-06-25 17:25:15.000000000 -0400
+@@ -0,0 +1,2 @@
++
++/usr/libexec/rtkit-daemon	--	gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.if
+--- nsaserefpolicy/policy/modules/services/rtkit_daemon.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.if	2009-06-25 17:27:07.000000000 -0400
+@@ -0,0 +1,64 @@
++
++## <summary>policy for rtkit_daemon</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run rtkit_daemon.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`rtkit_daemon_domtrans',`
++	gen_require(`
++		type rtkit_daemon_t;
++                type rtkit_daemon_exec_t;
++	')
++
++	domtrans_pattern($1,rtkit_daemon_exec_t,rtkit_daemon_t)
++')
++
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	rtkit_daemon over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rtkit_daemon_dbus_chat',`
++	gen_require(`
++		type rtkit_daemon_t;
++		class dbus send_msg;
++	')
++
++	allow $1 rtkit_daemon_t:dbus send_msg;
++	allow rtkit_daemon_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	rtkit_daemon over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rtkit_daemon_system_domain',`
++	gen_require(`
++		type rtkit_daemon_t;
++	')
++
++	ps_process_pattern(rtkit_daemon_t, $1)
++	allow rtkit_daemon_t $1:process { getsched setsched };
++	rtkit_daemon_dbus_chat($1)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.te
+--- nsaserefpolicy/policy/modules/services/rtkit_daemon.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.te	2009-06-25 17:29:28.000000000 -0400
+@@ -0,0 +1,33 @@
++policy_module(rtkit_daemon,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type rtkit_daemon_t;
++type rtkit_daemon_exec_t;
++dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
++
++permissive rtkit_daemon_t;
++
++########################################
++#
++# rtkit_daemon local policy
++#
++
++allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
++allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
++allow rtkit_daemon_t self:capability sys_nice;
++
++fs_rw_anon_inodefs_files(rtkit_daemon_t)
++
++auth_use_nsswitch(rtkit_daemon_t)
++
++logging_send_syslog_msg(rtkit_daemon_t)
++
++miscfiles_read_localization(locale_t)
++
++optional_policy(`
++        polkit_dbus_chat(rtkit_daemon_t)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.18/policy/modules/services/samba.fc
 --- nsaserefpolicy/policy/modules/services/samba.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.6.18/policy/modules/services/samba.fc	2009-06-20 06:49:47.000000000 -0400
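Review bot: `miscfiles_read_localization(locale_t)` in rtkit_daemon.te passes the locale file type instead of the daemon's domain, producing self-referential rules on locale_t while rtkit_daemon_t itself still cannot read locale data; it should be `miscfiles_read_localization(rtkit_daemon_t)`. The same file grants `sys_nice` twice, once inside the capability set and again on the following line, so the second `allow rtkit_daemon_t self:capability sys_nice;` can go. In rtkit_daemon.if the summary of rtkit_daemon_system_domain is copy-pasted from rtkit_daemon_dbus_chat, yet its real and security-relevant grant is `allow rtkit_daemon_t $1:process { getsched setsched }` plus process-state reads; a summary such as `##	Allow rtkit_daemon to read the caller's process state, get/set its scheduling, and exchange dbus messages with it.` would tell callers what they are handing over. `permissive rtkit_daemon_t;` means every rule in the module is advisory until it is removed, which is reasonable for bring-up but belongs in the changelog line. Minor style: the `type rtkit_daemon_exec_t;` require and the polkit optional_policy block are indented with spaces where the rest of the files use tabs.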
@@ -24148,7 +24306,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.18/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/xserver.te	2009-06-24 16:23:32.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/services/xserver.te	2009-06-25 17:27:14.000000000 -0400
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -24573,7 +24731,7 @@ diff -b -B --ignore-all-space --exclude-
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,6 +648,24 @@
+@@ -542,6 +648,28 @@
  ')
  
  optional_policy(`
@@ -24595,10 +24753,14 @@ diff -b -B --ignore-all-space --exclude-
 +')
 +
 +optional_policy(`
++	rtkit_daemon_system_domain(xdm_t)
++')
++
++optional_policy(`
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -550,8 +674,9 @@
+@@ -550,8 +678,9 @@
  ')
  
  optional_policy(`
@@ -24610,7 +24772,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +685,6 @@
+@@ -560,7 +689,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -24618,7 +24780,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +695,10 @@
+@@ -571,6 +699,10 @@
  ')
  
  optional_policy(`
@@ -24629,7 +24791,7 @@ diff -b -B --ignore-all-space --exclude-
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -587,7 +715,7 @@
+@@ -587,7 +719,7 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -24638,7 +24800,7 @@ diff -b -B --ignore-all-space --exclude-
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +730,11 @@
+@@ -602,9 +734,11 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -24650,7 +24812,7 @@ diff -b -B --ignore-all-space --exclude-
  
  allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
  
-@@ -616,13 +746,14 @@
+@@ -616,13 +750,14 @@
  type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
  
  allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -24666,7 +24828,7 @@ diff -b -B --ignore-all-space --exclude-
  
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +766,19 @@
+@@ -635,9 +770,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -24686,7 +24848,7 @@ diff -b -B --ignore-all-space --exclude-
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -680,9 +821,14 @@
+@@ -680,9 +825,14 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -24701,7 +24863,7 @@ diff -b -B --ignore-all-space --exclude-
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +843,12 @@
+@@ -697,8 +847,12 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -24714,7 +24876,7 @@ diff -b -B --ignore-all-space --exclude-
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -720,6 +870,7 @@
+@@ -720,6 +874,7 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -24722,7 +24884,7 @@ diff -b -B --ignore-all-space --exclude-
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -742,7 +893,7 @@
+@@ -742,7 +897,7 @@
  ')
  
  ifdef(`enable_mls',`
@@ -24731,7 +24893,7 @@ diff -b -B --ignore-all-space --exclude-
  	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
  ')
  
-@@ -774,12 +925,20 @@
+@@ -774,12 +929,20 @@
  ')
  
  optional_policy(`
@@ -24753,7 +24915,7 @@ diff -b -B --ignore-all-space --exclude-
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -806,7 +965,7 @@
+@@ -806,7 +969,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -24762,7 +24924,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +986,14 @@
+@@ -827,9 +990,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -24777,7 +24939,7 @@ diff -b -B --ignore-all-space --exclude-
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +1008,14 @@
+@@ -844,11 +1012,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -24793,7 +24955,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -856,6 +1023,11 @@
+@@ -856,6 +1027,11 @@
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -24805,7 +24967,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # Rules common to all X window domains
-@@ -881,6 +1053,8 @@
+@@ -881,6 +1057,8 @@
  # X Server
  # can read server-owned resources
  allow x_domain xserver_t:x_resource read;
@@ -24814,7 +24976,7 @@ diff -b -B --ignore-all-space --exclude-
  # can mess with own clients
  allow x_domain self:x_client { manage destroy };
  
-@@ -905,6 +1079,8 @@
+@@ -905,6 +1083,8 @@
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
  
@@ -24823,7 +24985,7 @@ diff -b -B --ignore-all-space --exclude-
  # X Colormaps
  # can use the default colormap
  allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1148,49 @@
+@@ -972,17 +1152,49 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -25539,7 +25701,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.18/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/system/init.te	2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/system/init.te	2009-06-25 09:03:05.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -25701,7 +25863,7 @@ diff -b -B --ignore-all-space --exclude-
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -343,14 +384,14 @@
+@@ -343,14 +384,15 @@
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -25709,6 +25871,7 @@ diff -b -B --ignore-all-space --exclude-
 +files_manage_all_locks(initrc_t)
 +files_manage_boot_files(initrc_t)
  files_read_all_pids(initrc_t)
++files_delete_root_file(initrc_t)
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
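Review bot: `files_delete_root_file(initrc_t)` as defined in this patch gives initrc_t only `root_t:file unlink`; whether the delete actually succeeds depends on initrc_t also holding `remove_name` on root_t:dir, which this hunk does not add and which would have to come from an existing call such as files_delete_root_dir_entry elsewhere in init.te, outside the hunk. If it is not already there, pair this line with `files_delete_root_dir_entry(initrc_t)` or widen the interface. Since root_t:file is any default-labelled file directly in /, a one-line comment naming the file init scripts remove (e.g. a reboot or relabel flag) would document why initrc_t needs it.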
@@ -25718,7 +25881,7 @@ diff -b -B --ignore-all-space --exclude-
  files_exec_etc_files(initrc_t)
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
-@@ -366,7 +407,9 @@
+@@ -366,7 +408,9 @@
  
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
@@ -25728,7 +25891,7 @@ diff -b -B --ignore-all-space --exclude-
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -451,7 +494,7 @@
+@@ -451,11 +495,9 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -25736,8 +25899,12 @@ diff -b -B --ignore-all-space --exclude-
 +	kernel_use_fds(initrc_t)
  	files_dontaudit_read_root_files(initrc_t)
  
- 	selinux_set_enforce_mode(initrc_t)
-@@ -465,6 +508,7 @@
+-	selinux_set_enforce_mode(initrc_t)
+-
+ 	# These seem to be from the initrd
+ 	# during device initialization:
+ 	dev_create_generic_dirs(initrc_t)
+@@ -465,6 +507,7 @@
  	storage_raw_read_fixed_disk(initrc_t)
  	storage_raw_write_fixed_disk(initrc_t)
  
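Review bot: This hunk silently drops `selinux_set_enforce_mode(initrc_t)` from the distro_redhat block, so init scripts lose the ability to flip the enforcing mode; that is a welcome tightening, but it is a behavioural change unrelated to the "Add rtkit policy" changelog entry and deserves its own line so anyone whose rc script calls setenforce knows where the new denial comes from. The enclosing `ifdef(`distro_redhat'` block starts and ends outside the hunk. The kernel_use_fds line shown here is pre-existing patch context, not part of this change.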
@@ -25745,7 +25912,7 @@ diff -b -B --ignore-all-space --exclude-
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
  	# wants to read /.fonts directory
-@@ -498,6 +542,7 @@
+@@ -498,6 +541,7 @@
  	optional_policy(`
  		#for /etc/rc.d/init.d/nfs to create /etc/exports
  		rpc_write_exports(initrc_t)
@@ -25753,7 +25920,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	optional_policy(`
-@@ -516,6 +561,33 @@
+@@ -516,6 +560,33 @@
  	')
  ')
  
@@ -25787,7 +25954,7 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +642,10 @@
+@@ -570,6 +641,10 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -25798,7 +25965,7 @@ diff -b -B --ignore-all-space --exclude-
  		networkmanager_dbus_chat(initrc_t)
  	')
  ')
-@@ -591,6 +667,10 @@
+@@ -591,6 +666,10 @@
  ')
  
  optional_policy(`
@@ -25809,7 +25976,7 @@ diff -b -B --ignore-all-space --exclude-
  	dev_read_usbfs(initrc_t)
  
  	# init scripts run /etc/hotplug/usb.rc
-@@ -647,20 +727,20 @@
+@@ -647,20 +726,20 @@
  ')
  
  optional_policy(`
@@ -25836,7 +26003,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -669,6 +749,7 @@
+@@ -669,6 +748,7 @@
  
  	mysql_stream_connect(initrc_t)
  	mysql_write_log(initrc_t)
@@ -25844,7 +26011,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -719,8 +800,6 @@
+@@ -719,8 +799,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -25853,7 +26020,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -733,10 +812,12 @@
+@@ -733,10 +811,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -25866,7 +26033,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +835,11 @@
+@@ -754,6 +834,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -25878,7 +26045,7 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -765,6 +851,13 @@
+@@ -765,6 +850,13 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -25892,7 +26059,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -790,3 +883,35 @@
+@@ -790,3 +882,35 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.872
retrieving revision 1.873
diff -u -p -r1.872 -r1.873
--- selinux-policy.spec	24 Jun 2009 20:45:26 -0000	1.872
+++ selinux-policy.spec	25 Jun 2009 21:43:36 -0000	1.873
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.19
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -473,6 +473,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Jun 25 2009 Dan Walsh <dwalsh at redhat.com> 3.6.19-5
+- Add rtkit policy
+
 * Wed Jun 24 2009 Dan Walsh <dwalsh at redhat.com> 3.6.19-4
 - Allow rpcd_t to stream connect to rpcbind
 



