From b12ede2ac05ff179c19d8236079cc81488dab277 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Aug 11 2010 12:58:16 +0000
Subject: * Tue Aug 10 2010 Dan Walsh 3.8.8-12 - Fix devicekit_power bug - Allow policykit_auth_t more access.
---
diff --git a/policy-F14.patch b/policy-F14.patch
index bb9a0b2..855dace 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -570,7 +570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
 +/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.8.8/policy/modules/admin/alsa.if
 --- nsaserefpolicy/policy/modules/admin/alsa.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/alsa.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/alsa.if 2010-08-11 08:22:58.000000000 -0400
 @@ -1,8 +1,9 @@
 -## Ainit ALSA configuration tool
 +## Advanced Linux Sound Architecture.
@@ -677,7 +677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if
 + type alsa_home_t;
 + ')
 +
-+ allow $1 also_home_t:file read_file_perms;
++ allow $1 alsa_home_t:file read_file_perms;
 + userdom_search_user_home_dirs($1)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.8.8/policy/modules/admin/alsa.te
@@ -1591,8 +1591,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.8.8/policy/modules/admin/ncftool.te
 --- nsaserefpolicy/policy/modules/admin/ncftool.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te 2010-08-10 05:23:35.000000000 -0400
-@@ -0,0 +1,87 @@
++++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te 2010-08-11 08:45:52.000000000 -0400
+@@ -0,0 +1,91 @@
 +policy_module(ncftool, 1.0.0)
 +
 +########################################
@@ -1680,6 +1680,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
 +optional_policy(`
 + iptables_initrc_domtrans(ncftool_t)
 +')
++
++optional_policy(`
++ netutils_domtrans(ncftool_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.8.8/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te 2010-07-27 16:06:04.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/admin/netutils.te 2010-07-30 14:06:53.000000000 -0400
@@ -1767,7 +1771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.8.8/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-08-10 07:29:36.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-08-11 08:24:20.000000000 -0400
 @@ -59,6 +59,7 @@
 manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
 relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
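Review bot: The new `netutils_domtrans(ncftool_t)` block in the ncftool.te hunk transitions ncftool into the general netutils domain, but nothing records which network tool ncftool actually has to run, so a later reader cannot judge whether the whole domain is needed. Add a why-comment above the block, e.g. `# ncftool execs a netutils_exec_t tool (name it here) to configure interfaces`, taken from the denial that motivated the grant. If only one tool is involved, the per-tool transition interfaces in netutils.if (`netutils_domtrans_ping` is one) would keep the grant narrower than the whole domain; this is a suggestion to confirm against the actual AVC. The inner hunk header bump from 87 to 91 lines is consistent with the four added lines.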
@@ -1821,6 +1825,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
 allow prelink_cron_system_t prelink_t:process noatsecure;
+@@ -158,6 +169,8 @@
+
+ cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+
++ userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
++
+ optional_policy(`
+ rpm_read_db(prelink_cron_system_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.if serefpolicy-3.8.8/policy/modules/admin/quota.if
 --- nsaserefpolicy/policy/modules/admin/quota.if 2010-07-27 16:12:33.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/admin/quota.if 2010-07-30 14:06:53.000000000 -0400
@@ -4405,8 +4418,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te
 --- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te 2010-07-30 14:06:53.000000000 -0400
-@@ -0,0 +1,68 @@
++++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te 2010-08-11 08:49:51.000000000 -0400
+@@ -0,0 +1,69 @@
 +policy_module(kdumpgui,1.0.0)
 +
 +########################################
@@ -4453,6 +4466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
 +files_manage_boot_symlinks(kdumpgui_t)
 +# Needed for running chkconfig
 +files_manage_etc_symlinks(kdumpgui_t)
++files_read_usr_files(kdumpgui_t)
 +
 +auth_use_nsswitch(kdumpgui_t)
 +
@@ -5175,8 +5189,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-10 11:45:49.000000000 -0400
-@@ -0,0 +1,300 @@
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-11 08:01:15.000000000 -0400
+@@ -0,0 +1,301 @@
 +policy_module(nsplugin, 1.0.0)
 +
 +########################################
@@ -5241,6 +5255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +allow nsplugin_t self:msgq create_msgq_perms;
 +allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 +allow nsplugin_t self:unix_dgram_socket create_socket_perms;
++allow nsplugin_t nsplugin_rw_t:dir search_dir_perms;
 +
 +tunable_policy(`allow_nsplugin_execmem',`
 + allow nsplugin_t self:process { execstack execmem };
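Review bot: The added `allow nsplugin_t nsplugin_rw_t:dir search_dir_perms;` is dropped into the run of `self:` IPC and socket rules and carries no comment, so the reason for a bare directory-search grant is not recorded next to it. Keep it with whatever other nsplugin_rw_t rules the module already has (not visible in this hunk) and add a why-comment such as `# search nsplugin_rw_t dirs on the way to plugin content`, naming the path from the denial that prompted it. If the module already applies a manage or read pattern to nsplugin_rw_t elsewhere, search is likely already covered and this line is redundant; worth confirming before it lands.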
@@ -5640,7 +5655,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.8.8/policy/modules/apps/podsleuth.te
 --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/podsleuth.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/podsleuth.te 2010-08-11 08:27:39.000000000 -0400
+@@ -27,7 +27,7 @@
+ # podsleuth local policy
+ #
+ allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+-allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
++allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+ allow podsleuth_t self:fifo_file rw_file_perms;
+ allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+ allow podsleuth_t self:sem create_sem_perms;
 @@ -73,6 +73,7 @@
 sysnet_dns_name_resolve(podsleuth_t)
@@ -6687,7 +6711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te
 --- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-08-06 12:05:20.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-08-11 08:01:44.000000000 -0400
 @@ -5,40 +5,45 @@
 # Declarations
 #
@@ -9885,7 +9909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.8/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te 2010-08-11 08:20:53.000000000 -0400
 @@ -27,17 +27,29 @@
 corecmd_exec_shell(sysadm_t)
@@ -10022,17 +10046,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 optional_policy(`
 hostname_run(sysadm_t, sysadm_r)
-@@ -199,6 +230,9 @@
+@@ -199,6 +230,13 @@
 ipsec_stream_connect(sysadm_t)
 # for lsof
 ipsec_getattr_key_sockets(sysadm_t)
 + ipsec_run_setkey(sysadm_t, sysadm_r)
 + ipsec_run_racoon(sysadm_t, sysadm_r)
 + ipsec_stream_connect_racoon(sysadm_t)
++
++ optional_policy(`
++ ipsec_mgmt_dbus_chat(sysadm_t)
++ ')
 ')
 optional_policy(`
-@@ -206,12 +240,18 @@
+@@ -206,12 +244,18 @@
 ')
 optional_policy(`
@@ -10051,7 +10079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 optional_policy(`
 kudzu_run(sysadm_t, sysadm_r)
-@@ -221,9 +261,11 @@
+@@ -221,9 +265,11 @@
 libs_run_ldconfig(sysadm_t, sysadm_r)
 ')
@@ -10063,7 +10091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 optional_policy(`
 logrotate_run(sysadm_t, sysadm_r)
-@@ -246,8 +288,10 @@
+@@ -246,8 +292,10 @@
 optional_policy(`
 mount_run(sysadm_t, sysadm_r)
@@ -10074,7 +10102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 optional_policy(`
 mozilla_role(sysadm_r, sysadm_t)
 ')
-@@ -255,6 +299,7 @@
+@@ -255,6 +303,7 @@
 optional_policy(`
 mplayer_role(sysadm_r, sysadm_t)
 ')
@@ -10082,7 +10110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 optional_policy(`
 mta_role(sysadm_r, sysadm_t)
-@@ -269,6 +314,10 @@
+@@ -269,6 +318,10 @@
 ')
 optional_policy(`
@@ -10093,7 +10121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 netutils_run(sysadm_t, sysadm_r)
 netutils_run_ping(sysadm_t, sysadm_r)
 netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -302,8 +351,14 @@
+@@ -302,8 +355,14 @@
 ')
 optional_policy(`
@@ -10108,7 +10136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 optional_policy(`
 quota_run(sysadm_t, sysadm_r)
-@@ -313,9 +368,11 @@
+@@ -313,9 +372,11 @@
 raid_domtrans_mdadm(sysadm_t)
 ')
@@ -10120,7 +10148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 optional_policy(`
 rpc_domtrans_nfsd(sysadm_t)
-@@ -325,9 +382,11 @@
+@@ -325,9 +386,11 @@
 rpm_run(sysadm_t, sysadm_r)
 ')
@@ -10132,7 +10160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 optional_policy(`
 rsync_exec(sysadm_t)
-@@ -352,8 +411,14 @@
+@@ -352,8 +415,14 @@
 ')
 optional_policy(`
@@ -10147,7 +10175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 optional_policy(`
 ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -376,9 +441,11 @@
+@@ -376,9 +445,11 @@
 sysnet_run_dhcpc(sysadm_t, sysadm_r)
 ')
@@ -10159,7 +10187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 optional_policy(`
 tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -387,17 +454,21 @@
+@@ -387,17 +458,21 @@
 tripwire_run_twprint(sysadm_t, sysadm_r)
 ')
@@ -10181,7 +10209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 optional_policy(`
 unconfined_domtrans(sysadm_t)
-@@ -411,9 +482,11 @@
+@@ -411,9 +486,11 @@
 usbmodules_run(sysadm_t, sysadm_r)
 ')
@@ -10193,7 +10221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 optional_policy(`
 usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -421,9 +494,15 @@
+@@ -421,9 +498,15 @@
 usermanage_run_useradd(sysadm_t, sysadm_r)
 ')
@@ -10209,7 +10237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 optional_policy(`
 vpn_run(sysadm_t, sysadm_r)
-@@ -434,13 +513,30 @@
+@@ -434,13 +517,30 @@
 ')
 optional_policy(`
@@ -10925,7 +10953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te 2010-08-11 07:44:10.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te 2010-08-11 08:23:36.000000000 -0400
 @@ -0,0 +1,453 @@
 +policy_module(unconfineduser, 1.0.0)
 +
@@ -14445,7 +14473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
 corenet_udp_bind_chronyd_port(chronyd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-10 08:26:22.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-11 08:54:31.000000000 -0400
 @@ -80,6 +80,7 @@
 files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
@@ -14466,7 +14494,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)
-@@ -189,6 +191,7 @@
+@@ -182,6 +184,8 @@
+ allow freshclam_t clamd_var_log_t:dir search_dir_perms;
+ logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+
++kernel_read_kernel_sysctls(freshclam_t)
++
+ corenet_all_recvfrom_unlabeled(freshclam_t)
+ corenet_all_recvfrom_netlabel(freshclam_t)
+ corenet_tcp_sendrecv_generic_if(freshclam_t)
+@@ -189,6 +193,7 @@
 corenet_tcp_sendrecv_all_ports(freshclam_t)
 corenet_tcp_sendrecv_clamd_port(freshclam_t)
 corenet_tcp_connect_http_port(freshclam_t)
@@ -14474,7 +14511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 corenet_sendrecv_http_client_packets(freshclam_t)
 dev_read_rand(freshclam_t)
-@@ -207,6 +210,8 @@
+@@ -207,6 +212,8 @@
 clamav_stream_connect(freshclam_t)
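Review bot: `kernel_read_kernel_sysctls(freshclam_t)` in the new inner hunk `@@ -182,6 +184,8 @@` grants read access to every sysctl carrying the kernel sysctl type, yet the line carries no comment saying which entry freshclam reads. Record the motivating denial above it, e.g. `# freshclam reads <sysctl name> (AVC/bug ref)`, so the grant can be narrowed or retired later; if it is a single entry, check kernel.if for a narrower sysctl interface before settling on the whole-class one. The renumbering of the following inner header to `+193` is consistent with the two lines added.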
@@ -15231,6 +15268,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 + # Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t.
 + dontaudit cobblerd_t httpdcontent:dir relabel_dir_perms;
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.8.8/policy/modules/services/consolekit.if
+--- nsaserefpolicy/policy/modules/services/consolekit.if 2010-07-27 16:06:05.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/consolekit.if 2010-08-11 08:07:53.000000000 -0400
+@@ -95,3 +95,22 @@
+ files_search_pids($1)
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+ ')
++
++########################################
++##
++## List consolekit PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`consolekit_list_pid_files',`
++ gen_require(`
++ type consolekit_var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.8.8/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te 2010-07-27 16:06:05.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/consolekit.te 2010-07-30 14:06:53.000000000 -0400
@@ -16030,7 +16093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.8.8/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cups.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cups.te 2010-08-11 08:24:50.000000000 -0400
 @@ -15,6 +15,7 @@
 type cupsd_t;
 type cupsd_exec_t;
@@ -16109,7 +16172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 hal_domtrans(cupsd_config_t)
 hal_read_tmp_files(cupsd_config_t)
 hal_dontaudit_use_fds(hplip_t)
-@@ -587,13 +599,18 @@
+@@ -587,13 +599,19 @@
 miscfiles_read_localization(cups_pdf_t)
 miscfiles_read_fonts(cups_pdf_t)
@@ -16119,6 +16182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
 userdom_manage_user_home_content_dirs(cups_pdf_t)
 userdom_manage_user_home_content_files(cups_pdf_t)
++userdom_dontaudit_search_admin_dir(cups_pdf_t)
 lpd_manage_spool(cups_pdf_t)
@@ -21232,7 +21296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.8.8/policy/modules/services/policykit.te
 --- nsaserefpolicy/policy/modules/services/policykit.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-08-10 11:37:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-08-11 08:57:21.000000000 -0400
 @@ -24,6 +24,9 @@
 type policykit_reload_t alias polkit_reload_t;
 files_type(policykit_reload_t)
@@ -21277,7 +21341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
 auth_use_nsswitch(policykit_t)
-@@ -67,45 +77,84 @@
+@@ -67,45 +77,89 @@
 miscfiles_read_localization(policykit_t)
@@ -21298,6 +21362,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
 +')
 +
 +optional_policy(`
++ consolekit_list_pid_files(policykit_t)
++ consolekit_read_pid_files(policykit_t)
++')
++
++optional_policy(`
 + gnome_read_config(policykit_t)
 +')
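Review bot: The commit message says "Allow policykit_auth_t more access", but the consolekit grants added in the policykit.te hunk `@@ -21298,6 +21362,11 @@` (`consolekit_list_pid_files`/`consolekit_read_pid_files`) target `policykit_t`, and the only policykit_auth_t hunk visible on the next line (`@@ -118,6 +167,14 @@` to `+172`) changes inner line offsets alone, so the message and the visible change disagree. Either the policykit_auth_t lines live in a hunk not shown in this view, or the message should name policykit_t; worth settling before the changelog is taken as the record. A one-line comment above the block, e.g. `# polkit checks ConsoleKit session state under consolekit_var_run_t`, would also record why the daemon needs to list and read those PID files.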
@@ -21368,7 +21437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
 dbus_session_bus_client(policykit_auth_t)
 optional_policy(`
-@@ -118,6 +167,14 @@
+@@ -118,6 +172,14 @@
 hal_read_state(policykit_auth_t)
 ')
@@ -21383,7 +21452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
 ########################################
 #
 # polkit_grant local policy
-@@ -125,7 +182,8 @@
+@@ -125,7 +187,8 @@
 allow policykit_grant_t self:capability setuid;
 allow policykit_grant_t self:process getattr;
@@ -21393,7 +21462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
 allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
 allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -155,9 +213,12 @@
+@@ -155,9 +218,12 @@
 userdom_read_all_users_state(policykit_grant_t)
 optional_policy(`
@@ -21407,7 +21476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
 consolekit_dbus_chat(policykit_grant_t)
 ')
 ')
-@@ -169,7 +230,8 @@
+@@ -169,7 +235,8 @@
 allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
 allow policykit_resolve_t self:process getattr;
@@ -27516,7 +27585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-05 16:01:15.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-11 08:03:36.000000000 -0400
 @@ -35,6 +35,13 @@
 ##
@@ -27863,7 +27932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +fs_read_noxattr_fs_files(xdm_t)
 +fs_dontaudit_list_fusefs(xdm_t)
 +fs_manage_cgroup_dirs(xdm_t)
-+fs_rw_cgroup_files(xdm_t)
++fs_manage_cgroup_files(xdm_t)
 +
 +manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
 +
@@ -29306,7 +29375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
 ##
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.8.8/policy/modules/system/hotplug.te
 --- nsaserefpolicy/policy/modules/system/hotplug.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/hotplug.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/hotplug.te 2010-08-11 08:14:12.000000000 -0400
 @@ -23,7 +23,7 @@
 #
@@ -29316,7 +29385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit hotplug_t self:capability { dac_override dac_read_search };
 allow hotplug_t self:process { setpgid getsession getattr signal_perms };
-@@ -39,12 +39,14 @@
+@@ -39,14 +39,16 @@
 can_exec(hotplug_t, hotplug_exec_t)
@@ -29330,7 +29399,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
 kernel_read_system_state(hotplug_t)
 +kernel_read_network_state(hotplug_t)
 kernel_read_kernel_sysctls(hotplug_t)
-kernel_read_net_sysctls(hotplug_t)
++kernel_rw_net_sysctls(hotplug_t)
+
+ files_read_kernel_modules(hotplug_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.8.8/policy/modules/system/init.fc
 --- nsaserefpolicy/policy/modules/system/init.fc 2010-07-27 16:06:06.000000000 -0400
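Review bot: Replacing `fs_rw_cgroup_files(xdm_t)` with `fs_manage_cgroup_files(xdm_t)` in the xserver.te hunk widens xdm_t from read/write to full management (create, remove, rename) of cgroup files, on top of the `fs_manage_cgroup_dirs` already granted on the line above, and nothing records what xdm creates or removes there. Add a why-comment such as `# xdm creates/removes per-session cgroup files (AVC/bug ref)` so the widening stays traceable, and confirm the rw grant was genuinely insufficient rather than the denial being transient. The hotplug.te hunk later on this line makes the same kind of uncommented widening (`kernel_read_net_sysctls` to `kernel_rw_net_sysctls`); its trailing context is cut off in this view, so only the widening itself can be judged here.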
@@ -30500,7 +30572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.8/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/ipsec.te 2010-08-10 11:57:19.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/ipsec.te 2010-08-11 08:20:05.000000000 -0400
 @@ -72,7 +72,7 @@
 #
@@ -34939,7 +35011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.gvfs(/.*)? <>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-08-11 08:23:58.000000000 -0400
 @@ -30,8 +30,9 @@
 ')