From 3b03e7b7cb6a9267b8bc5cfe655cecda7f20e45a Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@fedoraproject.org>
Date: Jan 20 2009 15:12:00 +0000
Subject: - Add devicekit policy


---

diff --git a/policy-20090105.patch b/policy-20090105.patch
index 508ddcb..80b808c 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -8349,7 +8349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/apache.te	2009-01-19 17:34:22.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/apache.te	2009-01-20 07:55:29.000000000 -0500
 @@ -19,6 +19,8 @@
  # Declarations
  #
@@ -8833,7 +8833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  tunable_policy(`httpd_can_network_connect',`
  	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -641,12 +788,23 @@
+@@ -641,12 +788,19 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -8844,10 +8844,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-+	domtrans_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_script_t)
-+	domtrans_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_t)
-+	domtrans_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_t)
-+
 +	manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 +	manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 +	manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
@@ -8860,7 +8856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -655,6 +813,12 @@
+@@ -655,6 +809,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -8873,7 +8869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -672,15 +836,14 @@
+@@ -672,15 +832,14 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -8892,7 +8888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow httpd_sys_script_t httpd_t:tcp_socket { read write };
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +862,24 @@
+@@ -699,12 +858,24 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -8919,7 +8915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +887,35 @@
+@@ -712,6 +883,35 @@
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -8955,7 +8951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +928,10 @@
+@@ -724,6 +924,10 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -8966,7 +8962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -735,6 +943,8 @@
+@@ -735,6 +939,8 @@
  # httpd_rotatelogs local policy
  #
  
@@ -8975,17 +8971,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
  
  kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +964,9 @@
+@@ -754,6 +960,12 @@
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
 +	manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
 +	manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
++	manage_dirs_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
 +	manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
++	manage_dirs_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
++	manage_files_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
  ')
  
  # allow accessing files/dirs below the users home dir
-@@ -762,3 +975,66 @@
+@@ -762,3 +974,66 @@
  	userdom_search_user_home_dirs(httpd_suexec_t)
  	userdom_search_user_home_dirs(httpd_user_script_t)
  ')